- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a2620f8932fa9fdabc3d78ed6efb004ca409019f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051231-surpass-scone-a484@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2620f8932fa9fdabc3d78ed6efb004ca409019f Mon Sep 17 00:00:00 2001 From: Mikhail Lobanov <m.lobanov(a)rosa.ru> Date: Mon, 14 Apr 2025 20:12:06 +0300 Subject: [PATCH] KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Previously, commit ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM). This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception while the vCPU is in SMM. This situation was reprodused using Syzkaller by: 1) Creating a KVM VM and vCPU 2) Sending a KVM_SMI ioctl to explicitly enter SMM 3) Executing invalid instructions causing consecutive exceptions and eventually a triple fault The issue manifests as follows: WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112 kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112 Modules linked in: CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted 6.1.130-syzkaller-00157-g164fe5dde9b6 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112 Call Trace: <TASK> shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136 svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395 svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457 vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline] vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062 kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283 kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN() in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper emulation of INIT. SHUTDOWN on SVM is a weird edge case where KVM needs to do _something_ sane with the VMCB, since it's technically undefined, and INIT is the least awful choice given KVM's ABI. So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of SMM to avoid any weirdness (and the WARN). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") Cc: stable(a)vger.kernel.org Suggested-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> Link: https://lore.kernel.org/r/20250414171207.155121-1-m.lobanov@rosa.ru [sean: massage changelog, make it clear this isn't architectural behavior] Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/smm.c b/arch/x86/kvm/smm.c index 699e551ec93b..9864c057187d 100644 --- a/arch/x86/kvm/smm.c +++ b/arch/x86/kvm/smm.c @@ -131,6 +131,7 @@ void kvm_smm_changed(struct kvm_vcpu *vcpu, bool entering_smm) kvm_mmu_reset_context(vcpu); } +EXPORT_SYMBOL_GPL(kvm_smm_changed); void process_smi(struct kvm_vcpu *vcpu) { diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d5d0c5c3300b..c5470d842aed 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2231,6 +2231,10 @@ static int shutdown_interception(struct kvm_vcpu *vcpu) */ if (!sev_es_guest(vcpu->kvm)) { clear_page(svm->vmcb); +#ifdef CONFIG_KVM_SMM + if (is_smm(vcpu)) + kvm_smm_changed(vcpu, false); +#endif kvm_vcpu_reset(vcpu, true); }

8 months

1
0
0 0

FAILED: patch "[PATCH] KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a2620f8932fa9fdabc3d78ed6efb004ca409019f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051230-trickle-unspoiled-1f11@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2620f8932fa9fdabc3d78ed6efb004ca409019f Mon Sep 17 00:00:00 2001 From: Mikhail Lobanov <m.lobanov(a)rosa.ru> Date: Mon, 14 Apr 2025 20:12:06 +0300 Subject: [PATCH] KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Previously, commit ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM). This omission results in triggering a WARN when KVM forces a vCPU INIT after SHUTDOWN interception while the vCPU is in SMM. This situation was reprodused using Syzkaller by: 1) Creating a KVM VM and vCPU 2) Sending a KVM_SMI ioctl to explicitly enter SMM 3) Executing invalid instructions causing consecutive exceptions and eventually a triple fault The issue manifests as follows: WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112 kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112 Modules linked in: CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted 6.1.130-syzkaller-00157-g164fe5dde9b6 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112 Call Trace: <TASK> shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136 svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395 svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457 vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline] vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062 kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283 kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Architecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN() in kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper emulation of INIT. SHUTDOWN on SVM is a weird edge case where KVM needs to do _something_ sane with the VMCB, since it's technically undefined, and INIT is the least awful choice given KVM's ABI. So, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of SMM to avoid any weirdness (and the WARN). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") Cc: stable(a)vger.kernel.org Suggested-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> Link: https://lore.kernel.org/r/20250414171207.155121-1-m.lobanov@rosa.ru [sean: massage changelog, make it clear this isn't architectural behavior] Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/smm.c b/arch/x86/kvm/smm.c index 699e551ec93b..9864c057187d 100644 --- a/arch/x86/kvm/smm.c +++ b/arch/x86/kvm/smm.c @@ -131,6 +131,7 @@ void kvm_smm_changed(struct kvm_vcpu *vcpu, bool entering_smm) kvm_mmu_reset_context(vcpu); } +EXPORT_SYMBOL_GPL(kvm_smm_changed); void process_smi(struct kvm_vcpu *vcpu) { diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d5d0c5c3300b..c5470d842aed 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2231,6 +2231,10 @@ static int shutdown_interception(struct kvm_vcpu *vcpu) */ if (!sev_es_guest(vcpu->kvm)) { clear_page(svm->vmcb); +#ifdef CONFIG_KVM_SMM + if (is_smm(vcpu)) + kvm_smm_changed(vcpu, false); +#endif kvm_vcpu_reset(vcpu, true); }

8 months

1
0
0 0

FAILED: patch "[PATCH] KVM: x86/mmu: Prevent installing hugepages when mem" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9129633d568edd36aa22bf703b12835153cec985 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051217-botch-sloped-8d28@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9129633d568edd36aa22bf703b12835153cec985 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Wed, 30 Apr 2025 15:09:54 -0700 Subject: [PATCH] KVM: x86/mmu: Prevent installing hugepages when mem attributes are changing When changing memory attributes on a subset of a potential hugepage, add the hugepage to the invalidation range tracking to prevent installing a hugepage until the attributes are fully updated. Like the actual hugepage tracking updates in kvm_arch_post_set_memory_attributes(), process only the head and tail pages, as any potential hugepages that are entirely covered by the range will already be tracked. Note, only hugepage chunks whose current attributes are NOT mixed need to be added to the invalidation set, as mixed attributes already prevent installing a hugepage, and it's perfectly safe to install a smaller mapping for a gfn whose attributes aren't changing. Fixes: 8dd2eee9d526 ("KVM: x86/mmu: Handle page fault for private memory") Cc: stable(a)vger.kernel.org Reported-by: Michael Roth <michael.roth(a)amd.com> Tested-by: Michael Roth <michael.roth(a)amd.com> Link: https://lore.kernel.org/r/20250430220954.522672-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c index 387464ebe8e8..8d1b632e33d2 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -7670,32 +7670,6 @@ void kvm_mmu_pre_destroy_vm(struct kvm *kvm) } #ifdef CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES -bool kvm_arch_pre_set_memory_attributes(struct kvm *kvm, - struct kvm_gfn_range *range) -{ - /* - * Zap SPTEs even if the slot can't be mapped PRIVATE. KVM x86 only - * supports KVM_MEMORY_ATTRIBUTE_PRIVATE, and so it *seems* like KVM - * can simply ignore such slots. But if userspace is making memory - * PRIVATE, then KVM must prevent the guest from accessing the memory - * as shared. And if userspace is making memory SHARED and this point - * is reached, then at least one page within the range was previously - * PRIVATE, i.e. the slot's possible hugepage ranges are changing. - * Zapping SPTEs in this case ensures KVM will reassess whether or not - * a hugepage can be used for affected ranges. - */ - if (WARN_ON_ONCE(!kvm_arch_has_private_mem(kvm))) - return false; - - /* Unmap the old attribute page. */ - if (range->arg.attributes & KVM_MEMORY_ATTRIBUTE_PRIVATE) - range->attr_filter = KVM_FILTER_SHARED; - else - range->attr_filter = KVM_FILTER_PRIVATE; - - return kvm_unmap_gfn_range(kvm, range); -} - static bool hugepage_test_mixed(struct kvm_memory_slot *slot, gfn_t gfn, int level) { @@ -7714,6 +7688,69 @@ static void hugepage_set_mixed(struct kvm_memory_slot *slot, gfn_t gfn, lpage_info_slot(gfn, slot, level)->disallow_lpage |= KVM_LPAGE_MIXED_FLAG; } +bool kvm_arch_pre_set_memory_attributes(struct kvm *kvm, + struct kvm_gfn_range *range) +{ + struct kvm_memory_slot *slot = range->slot; + int level; + + /* + * Zap SPTEs even if the slot can't be mapped PRIVATE. KVM x86 only + * supports KVM_MEMORY_ATTRIBUTE_PRIVATE, and so it *seems* like KVM + * can simply ignore such slots. But if userspace is making memory + * PRIVATE, then KVM must prevent the guest from accessing the memory + * as shared. And if userspace is making memory SHARED and this point + * is reached, then at least one page within the range was previously + * PRIVATE, i.e. the slot's possible hugepage ranges are changing. + * Zapping SPTEs in this case ensures KVM will reassess whether or not + * a hugepage can be used for affected ranges. + */ + if (WARN_ON_ONCE(!kvm_arch_has_private_mem(kvm))) + return false; + + if (WARN_ON_ONCE(range->end <= range->start)) + return false; + + /* + * If the head and tail pages of the range currently allow a hugepage, + * i.e. reside fully in the slot and don't have mixed attributes, then + * add each corresponding hugepage range to the ongoing invalidation, + * e.g. to prevent KVM from creating a hugepage in response to a fault + * for a gfn whose attributes aren't changing. Note, only the range + * of gfns whose attributes are being modified needs to be explicitly + * unmapped, as that will unmap any existing hugepages. + */ + for (level = PG_LEVEL_2M; level <= KVM_MAX_HUGEPAGE_LEVEL; level++) { + gfn_t start = gfn_round_for_level(range->start, level); + gfn_t end = gfn_round_for_level(range->end - 1, level); + gfn_t nr_pages = KVM_PAGES_PER_HPAGE(level); + + if ((start != range->start || start + nr_pages > range->end) && + start >= slot->base_gfn && + start + nr_pages <= slot->base_gfn + slot->npages && + !hugepage_test_mixed(slot, start, level)) + kvm_mmu_invalidate_range_add(kvm, start, start + nr_pages); + + if (end == start) + continue; + + if ((end + nr_pages) > range->end && + (end + nr_pages) <= (slot->base_gfn + slot->npages) && + !hugepage_test_mixed(slot, end, level)) + kvm_mmu_invalidate_range_add(kvm, end, end + nr_pages); + } + + /* Unmap the old attribute page. */ + if (range->arg.attributes & KVM_MEMORY_ATTRIBUTE_PRIVATE) + range->attr_filter = KVM_FILTER_SHARED; + else + range->attr_filter = KVM_FILTER_PRIVATE; + + return kvm_unmap_gfn_range(kvm, range); +} + + + static bool hugepage_has_attrs(struct kvm *kvm, struct kvm_memory_slot *slot, gfn_t gfn, int level, unsigned long attrs) {

8 months

1
0
0 0

FAILED: patch "[PATCH] selftests/mm: compaction_test: support platform with huge" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ab00ddd802f80e31fc9639c652d736fe3913feae # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051246-book-chase-1d4c@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ab00ddd802f80e31fc9639c652d736fe3913feae Mon Sep 17 00:00:00 2001 From: Feng Tang <feng.tang(a)linux.alibaba.com> Date: Wed, 23 Apr 2025 18:36:45 +0800 Subject: [PATCH] selftests/mm: compaction_test: support platform with huge mount of memory When running mm selftest to verify mm patches, 'compaction_test' case failed on an x86 server with 1TB memory. And the root cause is that it has too much free memory than what the test supports. The test case tries to allocate 100000 huge pages, which is about 200 GB for that x86 server, and when it succeeds, it expects it's large than 1/3 of 80% of the free memory in system. This logic only works for platform with 750 GB ( 200 / (1/3) / 80% ) or less free memory, and may raise false alarm for others. Fix it by changing the fixed page number to self-adjustable number according to the real number of free memory. Link: https://lkml.kernel.org/r/20250423103645.2758-1-feng.tang@linux.alibaba.com Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") Signed-off-by: Feng Tang <feng.tang(a)linux.alibaba.com> Acked-by: Dev Jain <dev.jain(a)arm.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Tested-by: Baolin Wang <baolin.wang(a)inux.alibaba.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Sri Jayaramappa <sjayaram(a)akamai.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/tools/testing/selftests/mm/compaction_test.c b/tools/testing/selftests/mm/compaction_test.c index 2c3a0eb6b22d..9bc4591c7b16 100644 --- a/tools/testing/selftests/mm/compaction_test.c +++ b/tools/testing/selftests/mm/compaction_test.c @@ -90,6 +90,8 @@ int check_compaction(unsigned long mem_free, unsigned long hugepage_size, int compaction_index = 0; char nr_hugepages[20] = {0}; char init_nr_hugepages[24] = {0}; + char target_nr_hugepages[24] = {0}; + int slen; snprintf(init_nr_hugepages, sizeof(init_nr_hugepages), "%lu", initial_nr_hugepages); @@ -106,11 +108,18 @@ int check_compaction(unsigned long mem_free, unsigned long hugepage_size, goto out; } - /* Request a large number of huge pages. The Kernel will allocate - as much as it can */ - if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { - ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", - strerror(errno)); + /* + * Request huge pages for about half of the free memory. The Kernel + * will allocate as much as it can, and we expect it will get at least 1/3 + */ + nr_hugepages_ul = mem_free / hugepage_size / 2; + snprintf(target_nr_hugepages, sizeof(target_nr_hugepages), + "%lu", nr_hugepages_ul); + + slen = strlen(target_nr_hugepages); + if (write(fd, target_nr_hugepages, slen) != slen) { + ksft_print_msg("Failed to write %lu to /proc/sys/vm/nr_hugepages: %s\n", + nr_hugepages_ul, strerror(errno)); goto close_fd; }

8 months

1
0
0 0

FAILED: patch "[PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 95567729173e62e0e60a1f8ad9eb2e1320a8ccac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051236-dense-economy-c808@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 95567729173e62e0e60a1f8ad9eb2e1320a8ccac Mon Sep 17 00:00:00 2001 From: Peter Xu <peterx(a)redhat.com> Date: Thu, 24 Apr 2025 17:57:28 -0400 Subject: [PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN race While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */

8 months

1
0
0 0

FAILED: patch "[PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 95567729173e62e0e60a1f8ad9eb2e1320a8ccac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051235-unusual-viewer-d8fa@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 95567729173e62e0e60a1f8ad9eb2e1320a8ccac Mon Sep 17 00:00:00 2001 From: Peter Xu <peterx(a)redhat.com> Date: Thu, 24 Apr 2025 17:57:28 -0400 Subject: [PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN race While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */

8 months

1
0
0 0

FAILED: patch "[PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 95567729173e62e0e60a1f8ad9eb2e1320a8ccac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051234-legwarmer-usable-d2c7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 95567729173e62e0e60a1f8ad9eb2e1320a8ccac Mon Sep 17 00:00:00 2001 From: Peter Xu <peterx(a)redhat.com> Date: Thu, 24 Apr 2025 17:57:28 -0400 Subject: [PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN race While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */

8 months

1
0
0 0

FAILED: patch "[PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 95567729173e62e0e60a1f8ad9eb2e1320a8ccac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051228-laurel-hypnoses-428f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 95567729173e62e0e60a1f8ad9eb2e1320a8ccac Mon Sep 17 00:00:00 2001 From: Peter Xu <peterx(a)redhat.com> Date: Thu, 24 Apr 2025 17:57:28 -0400 Subject: [PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN race While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */

8 months

1
0
0 0

FAILED: patch "[PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 95567729173e62e0e60a1f8ad9eb2e1320a8ccac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051227-malt-universe-29e7@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 95567729173e62e0e60a1f8ad9eb2e1320a8ccac Mon Sep 17 00:00:00 2001 From: Peter Xu <peterx(a)redhat.com> Date: Thu, 24 Apr 2025 17:57:28 -0400 Subject: [PATCH] mm/userfaultfd: fix uninitialized output field for -EAGAIN race While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */

8 months

1
0
0 0

Re: Patch "s390/entry: Fix last breaking event handling in case of stack corruption" has been added to the 6.6-stable tree

by Heiko Carstens

On Sun, May 11, 2025 at 01:59:02PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > s390/entry: Fix last breaking event handling in case of stack corruption > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > s390-entry-fix-last-breaking-event-handling-in-case-.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. This patch shouldn't be applied as it is to 6.6, 6.1, and 5.15 stable kernels, since it won't compile. I'll provide a slightly modified variant.

8 months

2
1
0 0

FAILED: patch "[PATCH] staging: axis-fifo: Correct handling of tx_fifo_depth for" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2ca34b508774aaa590fc3698a54204706ecca4ba # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051209-visible-hassle-6995@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ca34b508774aaa590fc3698a54204706ecca4ba Mon Sep 17 00:00:00 2001 From: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> Date: Fri, 18 Apr 2025 21:29:37 -0400 Subject: [PATCH] staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Remove erroneous subtraction of 4 from the total FIFO depth read from device tree. The stored depth is for checking against total capacity, not initial vacancy. This prevented writes near the FIFO's full size. The check performed just before data transfer, which uses live reads of the TDFV register to determine current vacancy, correctly handles the initial Depth - 4 hardware state and subsequent FIFO fullness. Fixes: 4a965c5f89de ("staging: add driver for Xilinx AXI-Stream FIFO v4.1 IP core") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> Link: https://lore.kernel.org/r/20250419012937.674924-1-gshahrouzi@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/axis-fifo/axis-fifo.c b/drivers/staging/axis-fifo/axis-fifo.c index 7540c20090c7..04b3dc3cfe7c 100644 --- a/drivers/staging/axis-fifo/axis-fifo.c +++ b/drivers/staging/axis-fifo/axis-fifo.c @@ -775,9 +775,6 @@ static int axis_fifo_parse_dt(struct axis_fifo *fifo) goto end; } - /* IP sets TDFV to fifo depth - 4 so we will do the same */ - fifo->tx_fifo_depth -= 4; - ret = get_dts_property(fifo, "xlnx,use-rx-data", &fifo->has_rx_fifo); if (ret) { dev_err(fifo->dt_device, "missing xlnx,use-rx-data property\n");

8 months

1
0
0 0

FAILED: patch "[PATCH] staging: axis-fifo: Remove hardware resets for user errors" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x c6e8d85fafa7193613db37da29c0e8d6e2515b13 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051251-pardon-stellar-d13f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c6e8d85fafa7193613db37da29c0e8d6e2515b13 Mon Sep 17 00:00:00 2001 From: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> Date: Fri, 18 Apr 2025 20:43:06 -0400 Subject: [PATCH] staging: axis-fifo: Remove hardware resets for user errors The axis-fifo driver performs a full hardware reset (via reset_ip_core()) in several error paths within the read and write functions. This reset flushes both TX and RX FIFOs and resets the AXI-Stream links. Allow the user to handle the error without causing hardware disruption or data loss in other FIFO paths. Fixes: 4a965c5f89de ("staging: add driver for Xilinx AXI-Stream FIFO v4.1 IP core") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> Link: https://lore.kernel.org/r/20250419004306.669605-1-gshahrouzi@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/axis-fifo/axis-fifo.c b/drivers/staging/axis-fifo/axis-fifo.c index 04b3dc3cfe7c..351f983ef914 100644 --- a/drivers/staging/axis-fifo/axis-fifo.c +++ b/drivers/staging/axis-fifo/axis-fifo.c @@ -393,16 +393,14 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, bytes_available = ioread32(fifo->base_addr + XLLF_RLR_OFFSET); if (!bytes_available) { - dev_err(fifo->dt_device, "received a packet of length 0 - fifo core will be reset\n"); - reset_ip_core(fifo); + dev_err(fifo->dt_device, "received a packet of length 0\n"); ret = -EIO; goto end_unlock; } if (bytes_available > len) { - dev_err(fifo->dt_device, "user read buffer too small (available bytes=%zu user buffer bytes=%zu) - fifo core will be reset\n", + dev_err(fifo->dt_device, "user read buffer too small (available bytes=%zu user buffer bytes=%zu)\n", bytes_available, len); - reset_ip_core(fifo); ret = -EINVAL; goto end_unlock; } @@ -411,8 +409,7 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, /* this probably can't happen unless IP * registers were previously mishandled */ - dev_err(fifo->dt_device, "received a packet that isn't word-aligned - fifo core will be reset\n"); - reset_ip_core(fifo); + dev_err(fifo->dt_device, "received a packet that isn't word-aligned\n"); ret = -EIO; goto end_unlock; } @@ -433,7 +430,6 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, if (copy_to_user(buf + copied * sizeof(u32), tmp_buf, copy * sizeof(u32))) { - reset_ip_core(fifo); ret = -EFAULT; goto end_unlock; } @@ -542,7 +538,6 @@ static ssize_t axis_fifo_write(struct file *f, const char __user *buf, if (copy_from_user(tmp_buf, buf + copied * sizeof(u32), copy * sizeof(u32))) { - reset_ip_core(fifo); ret = -EFAULT; goto end_unlock; }

8 months

1
0
0 0

FAILED: patch "[PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f31fe8165d365379d858c53bef43254c7d6d1cfd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051213-regretful-conceded-2379@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f31fe8165d365379d858c53bef43254c7d6d1cfd Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Fri, 2 May 2025 13:18:10 +0530 Subject: [PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer On regular bootup, devices get registered to VMBus first, so when uio_hv_generic driver for a particular device type is probed, the device is already initialized and added, so sysfs creation in hv_uio_probe() works fine. However, when the device is removed and brought back, the channel gets rescinded and the device again gets registered to VMBus. However this time, the uio_hv_generic driver is already registered to probe for that device and in this case sysfs creation is tried before the device's kobject gets initialized completely. Fix this by moving the core logic of sysfs creation of ring buffer, from uio_hv_generic to HyperV's VMBus driver, where the rest of the sysfs attributes for the channels are defined. While doing that, make use of attribute groups and macros, instead of creating sysfs directly, to ensure better error handling and code flow. Problematic path: vmbus_process_offer (A new offer comes for the VMBus device) vmbus_add_channel_work vmbus_device_register |-> device_register | |... | |-> hv_uio_probe | |... | |-> sysfs_create_bin_file (leads to a warning as | the primary channel's kobject, which is used to | create the sysfs file, is not yet initialized) |-> kset_create_and_add |-> vmbus_add_channel_kobj (initialization of the primary channel's kobject happens later) Above code flow is sequential and the warning is always reproducible in this path. Fixes: 9ab877a6ccf8 ("uio_hv_generic: make ring buffer attribute for primary channel") Cc: stable(a)kernel.org Suggested-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Suggested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Tested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250502074811.2022-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h index 29780f3a7478..0b450e53161e 100644 --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -477,4 +477,10 @@ static inline int hv_debug_add_dev_dir(struct hv_device *dev) #endif /* CONFIG_HYPERV_TESTING */ +/* Create and remove sysfs entry for memory mapped ring buffers for a channel */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)); +int hv_remove_ring_sysfs(struct vmbus_channel *channel); + #endif /* _HYPERV_VMBUS_H */ diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 8d3cff42bdbb..0f16a83cc2d6 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -1802,6 +1802,27 @@ static ssize_t subchannel_id_show(struct vmbus_channel *channel, } static VMBUS_CHAN_ATTR_RO(subchannel_id); +static int hv_mmap_ring_buffer_wrapper(struct file *filp, struct kobject *kobj, + const struct bin_attribute *attr, + struct vm_area_struct *vma) +{ + struct vmbus_channel *channel = container_of(kobj, struct vmbus_channel, kobj); + + /* + * hv_(create|remove)_ring_sysfs implementation ensures that mmap_ring_buffer + * is not NULL. + */ + return channel->mmap_ring_buffer(channel, vma); +} + +static struct bin_attribute chan_attr_ring_buffer = { + .attr = { + .name = "ring", + .mode = 0600, + }, + .size = 2 * SZ_2M, + .mmap = hv_mmap_ring_buffer_wrapper, +}; static struct attribute *vmbus_chan_attrs[] = { &chan_attr_out_mask.attr, &chan_attr_in_mask.attr, @@ -1821,6 +1842,11 @@ static struct attribute *vmbus_chan_attrs[] = { NULL }; +static struct bin_attribute *vmbus_chan_bin_attrs[] = { + &chan_attr_ring_buffer, + NULL +}; + /* * Channel-level attribute_group callback function. Returns the permission for * each attribute, and returns 0 if an attribute is not visible. @@ -1841,9 +1867,24 @@ static umode_t vmbus_chan_attr_is_visible(struct kobject *kobj, return attr->mode; } +static umode_t vmbus_chan_bin_attr_is_visible(struct kobject *kobj, + const struct bin_attribute *attr, int idx) +{ + const struct vmbus_channel *channel = + container_of(kobj, struct vmbus_channel, kobj); + + /* Hide ring attribute if channel's ring_sysfs_visible is set to false */ + if (attr == &chan_attr_ring_buffer && !channel->ring_sysfs_visible) + return 0; + + return attr->attr.mode; +} + static const struct attribute_group vmbus_chan_group = { .attrs = vmbus_chan_attrs, - .is_visible = vmbus_chan_attr_is_visible + .bin_attrs = vmbus_chan_bin_attrs, + .is_visible = vmbus_chan_attr_is_visible, + .is_bin_visible = vmbus_chan_bin_attr_is_visible, }; static const struct kobj_type vmbus_chan_ktype = { @@ -1851,6 +1892,63 @@ static const struct kobj_type vmbus_chan_ktype = { .release = vmbus_chan_release, }; +/** + * hv_create_ring_sysfs() - create "ring" sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * @hv_mmap_ring_buffer: function pointer for initializing the function to be called on mmap of + * channel's "ring" sysfs node, which is for the ring buffer of that channel. + * Function pointer is of below type: + * int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + * struct vm_area_struct *vma)) + * This has a pointer to the channel and a pointer to vm_area_struct, + * used for mmap, as arguments. + * + * Sysfs node for ring buffer of a channel is created along with other fields, however its + * visibility is disabled by default. Sysfs creation needs to be controlled when the use-case + * is running. + * For example, HV_NIC device is used either by uio_hv_generic or hv_netvsc at any given point of + * time, and "ring" sysfs is needed only when uio_hv_generic is bound to that device. To avoid + * exposing the ring buffer by default, this function is reponsible to enable visibility of + * ring for userspace to use. + * Note: Race conditions can happen with userspace and it is not encouraged to create new + * use-cases for this. This was added to maintain backward compatibility, while solving + * one of the race conditions in uio_hv_generic while creating sysfs. + * + * Returns 0 on success or error code on failure. + */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)) +{ + struct kobject *kobj = &channel->kobj; + + channel->mmap_ring_buffer = hv_mmap_ring_buffer; + channel->ring_sysfs_visible = true; + + return sysfs_update_group(kobj, &vmbus_chan_group); +} +EXPORT_SYMBOL_GPL(hv_create_ring_sysfs); + +/** + * hv_remove_ring_sysfs() - remove ring sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * + * Hide "ring" sysfs for a channel by changing its is_visible attribute and updating sysfs group. + * + * Returns 0 on success or error code on failure. + */ +int hv_remove_ring_sysfs(struct vmbus_channel *channel) +{ + struct kobject *kobj = &channel->kobj; + int ret; + + channel->ring_sysfs_visible = false; + ret = sysfs_update_group(kobj, &vmbus_chan_group); + channel->mmap_ring_buffer = NULL; + return ret; +} +EXPORT_SYMBOL_GPL(hv_remove_ring_sysfs); + /* * vmbus_add_channel_kobj - setup a sub-directory under device/channels */ diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..69c1df0f4ca5 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -131,15 +131,12 @@ static void hv_uio_rescind(struct vmbus_channel *channel) vmbus_device_unregister(channel->device_obj); } -/* Sysfs API to allow mmap of the ring buffers +/* Function used for mmap of ring buffer sysfs interface. * The ring buffer is allocated as contiguous memory by vmbus_open */ -static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, - const struct bin_attribute *attr, - struct vm_area_struct *vma) +static int +hv_uio_ring_mmap(struct vmbus_channel *channel, struct vm_area_struct *vma) { - struct vmbus_channel *channel - = container_of(kobj, struct vmbus_channel, kobj); void *ring_buffer = page_address(channel->ringbuffer_page); if (channel->state != CHANNEL_OPENED_STATE) @@ -149,15 +146,6 @@ static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, channel->ringbuffer_pagecount << PAGE_SHIFT); } -static const struct bin_attribute ring_buffer_bin_attr = { - .attr = { - .name = "ring", - .mode = 0600, - }, - .size = 2 * SZ_2M, - .mmap = hv_uio_ring_mmap, -}; - /* Callback from VMBUS subsystem when new channel created. */ static void hv_uio_new_channel(struct vmbus_channel *new_sc) @@ -178,8 +166,7 @@ hv_uio_new_channel(struct vmbus_channel *new_sc) /* Disable interrupts on sub channel */ new_sc->inbound.ring_buffer->interrupt_mask = 1; set_channel_read_mode(new_sc, HV_CALL_ISR); - - ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr); + ret = hv_create_ring_sysfs(new_sc, hv_uio_ring_mmap); if (ret) { dev_err(device, "sysfs create ring bin file failed; %d\n", ret); vmbus_close(new_sc); @@ -350,10 +337,18 @@ hv_uio_probe(struct hv_device *dev, goto fail_close; } - ret = sysfs_create_bin_file(&channel->kobj, &ring_buffer_bin_attr); - if (ret) - dev_notice(&dev->device, - "sysfs create ring bin file failed; %d\n", ret); + /* + * This internally calls sysfs_update_group, which returns a non-zero value if it executes + * before sysfs_create_group. This is expected as the 'ring' will be created later in + * vmbus_device_register() -> vmbus_add_channel_kobj(). Thus, no need to check the return + * value and print warning. + * + * Creating/exposing sysfs in driver probe is not encouraged as it can lead to race + * conditions with userspace. For backward compatibility, "ring" sysfs could not be removed + * or decoupled from uio_hv_generic probe. Userspace programs can make use of inotify + * APIs to make sure that ring is created. + */ + hv_create_ring_sysfs(channel, hv_uio_ring_mmap); hv_set_drvdata(dev, pdata); @@ -375,7 +370,7 @@ hv_uio_remove(struct hv_device *dev) if (!pdata) return; - sysfs_remove_bin_file(&dev->channel->kobj, &ring_buffer_bin_attr); + hv_remove_ring_sysfs(dev->channel); uio_unregister_device(&pdata->info); hv_uio_cleanup(dev, pdata); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 675959fb97ba..d6ffe01962c2 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -1002,6 +1002,12 @@ struct vmbus_channel { /* The max size of a packet on this channel */ u32 max_pkt_size; + + /* function to mmap ring buffer memory to the channel's sysfs ring attribute */ + int (*mmap_ring_buffer)(struct vmbus_channel *channel, struct vm_area_struct *vma); + + /* boolean to control visibility of sysfs for ring buffer */ + bool ring_sysfs_visible; }; #define lock_requestor(channel, flags) \

8 months

1
0
0 0

FAILED: patch "[PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f31fe8165d365379d858c53bef43254c7d6d1cfd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051212-blah-famine-0e8e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f31fe8165d365379d858c53bef43254c7d6d1cfd Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Fri, 2 May 2025 13:18:10 +0530 Subject: [PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer On regular bootup, devices get registered to VMBus first, so when uio_hv_generic driver for a particular device type is probed, the device is already initialized and added, so sysfs creation in hv_uio_probe() works fine. However, when the device is removed and brought back, the channel gets rescinded and the device again gets registered to VMBus. However this time, the uio_hv_generic driver is already registered to probe for that device and in this case sysfs creation is tried before the device's kobject gets initialized completely. Fix this by moving the core logic of sysfs creation of ring buffer, from uio_hv_generic to HyperV's VMBus driver, where the rest of the sysfs attributes for the channels are defined. While doing that, make use of attribute groups and macros, instead of creating sysfs directly, to ensure better error handling and code flow. Problematic path: vmbus_process_offer (A new offer comes for the VMBus device) vmbus_add_channel_work vmbus_device_register |-> device_register | |... | |-> hv_uio_probe | |... | |-> sysfs_create_bin_file (leads to a warning as | the primary channel's kobject, which is used to | create the sysfs file, is not yet initialized) |-> kset_create_and_add |-> vmbus_add_channel_kobj (initialization of the primary channel's kobject happens later) Above code flow is sequential and the warning is always reproducible in this path. Fixes: 9ab877a6ccf8 ("uio_hv_generic: make ring buffer attribute for primary channel") Cc: stable(a)kernel.org Suggested-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Suggested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Tested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250502074811.2022-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h index 29780f3a7478..0b450e53161e 100644 --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -477,4 +477,10 @@ static inline int hv_debug_add_dev_dir(struct hv_device *dev) #endif /* CONFIG_HYPERV_TESTING */ +/* Create and remove sysfs entry for memory mapped ring buffers for a channel */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)); +int hv_remove_ring_sysfs(struct vmbus_channel *channel); + #endif /* _HYPERV_VMBUS_H */ diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 8d3cff42bdbb..0f16a83cc2d6 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -1802,6 +1802,27 @@ static ssize_t subchannel_id_show(struct vmbus_channel *channel, } static VMBUS_CHAN_ATTR_RO(subchannel_id); +static int hv_mmap_ring_buffer_wrapper(struct file *filp, struct kobject *kobj, + const struct bin_attribute *attr, + struct vm_area_struct *vma) +{ + struct vmbus_channel *channel = container_of(kobj, struct vmbus_channel, kobj); + + /* + * hv_(create|remove)_ring_sysfs implementation ensures that mmap_ring_buffer + * is not NULL. + */ + return channel->mmap_ring_buffer(channel, vma); +} + +static struct bin_attribute chan_attr_ring_buffer = { + .attr = { + .name = "ring", + .mode = 0600, + }, + .size = 2 * SZ_2M, + .mmap = hv_mmap_ring_buffer_wrapper, +}; static struct attribute *vmbus_chan_attrs[] = { &chan_attr_out_mask.attr, &chan_attr_in_mask.attr, @@ -1821,6 +1842,11 @@ static struct attribute *vmbus_chan_attrs[] = { NULL }; +static struct bin_attribute *vmbus_chan_bin_attrs[] = { + &chan_attr_ring_buffer, + NULL +}; + /* * Channel-level attribute_group callback function. Returns the permission for * each attribute, and returns 0 if an attribute is not visible. @@ -1841,9 +1867,24 @@ static umode_t vmbus_chan_attr_is_visible(struct kobject *kobj, return attr->mode; } +static umode_t vmbus_chan_bin_attr_is_visible(struct kobject *kobj, + const struct bin_attribute *attr, int idx) +{ + const struct vmbus_channel *channel = + container_of(kobj, struct vmbus_channel, kobj); + + /* Hide ring attribute if channel's ring_sysfs_visible is set to false */ + if (attr == &chan_attr_ring_buffer && !channel->ring_sysfs_visible) + return 0; + + return attr->attr.mode; +} + static const struct attribute_group vmbus_chan_group = { .attrs = vmbus_chan_attrs, - .is_visible = vmbus_chan_attr_is_visible + .bin_attrs = vmbus_chan_bin_attrs, + .is_visible = vmbus_chan_attr_is_visible, + .is_bin_visible = vmbus_chan_bin_attr_is_visible, }; static const struct kobj_type vmbus_chan_ktype = { @@ -1851,6 +1892,63 @@ static const struct kobj_type vmbus_chan_ktype = { .release = vmbus_chan_release, }; +/** + * hv_create_ring_sysfs() - create "ring" sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * @hv_mmap_ring_buffer: function pointer for initializing the function to be called on mmap of + * channel's "ring" sysfs node, which is for the ring buffer of that channel. + * Function pointer is of below type: + * int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + * struct vm_area_struct *vma)) + * This has a pointer to the channel and a pointer to vm_area_struct, + * used for mmap, as arguments. + * + * Sysfs node for ring buffer of a channel is created along with other fields, however its + * visibility is disabled by default. Sysfs creation needs to be controlled when the use-case + * is running. + * For example, HV_NIC device is used either by uio_hv_generic or hv_netvsc at any given point of + * time, and "ring" sysfs is needed only when uio_hv_generic is bound to that device. To avoid + * exposing the ring buffer by default, this function is reponsible to enable visibility of + * ring for userspace to use. + * Note: Race conditions can happen with userspace and it is not encouraged to create new + * use-cases for this. This was added to maintain backward compatibility, while solving + * one of the race conditions in uio_hv_generic while creating sysfs. + * + * Returns 0 on success or error code on failure. + */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)) +{ + struct kobject *kobj = &channel->kobj; + + channel->mmap_ring_buffer = hv_mmap_ring_buffer; + channel->ring_sysfs_visible = true; + + return sysfs_update_group(kobj, &vmbus_chan_group); +} +EXPORT_SYMBOL_GPL(hv_create_ring_sysfs); + +/** + * hv_remove_ring_sysfs() - remove ring sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * + * Hide "ring" sysfs for a channel by changing its is_visible attribute and updating sysfs group. + * + * Returns 0 on success or error code on failure. + */ +int hv_remove_ring_sysfs(struct vmbus_channel *channel) +{ + struct kobject *kobj = &channel->kobj; + int ret; + + channel->ring_sysfs_visible = false; + ret = sysfs_update_group(kobj, &vmbus_chan_group); + channel->mmap_ring_buffer = NULL; + return ret; +} +EXPORT_SYMBOL_GPL(hv_remove_ring_sysfs); + /* * vmbus_add_channel_kobj - setup a sub-directory under device/channels */ diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..69c1df0f4ca5 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -131,15 +131,12 @@ static void hv_uio_rescind(struct vmbus_channel *channel) vmbus_device_unregister(channel->device_obj); } -/* Sysfs API to allow mmap of the ring buffers +/* Function used for mmap of ring buffer sysfs interface. * The ring buffer is allocated as contiguous memory by vmbus_open */ -static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, - const struct bin_attribute *attr, - struct vm_area_struct *vma) +static int +hv_uio_ring_mmap(struct vmbus_channel *channel, struct vm_area_struct *vma) { - struct vmbus_channel *channel - = container_of(kobj, struct vmbus_channel, kobj); void *ring_buffer = page_address(channel->ringbuffer_page); if (channel->state != CHANNEL_OPENED_STATE) @@ -149,15 +146,6 @@ static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, channel->ringbuffer_pagecount << PAGE_SHIFT); } -static const struct bin_attribute ring_buffer_bin_attr = { - .attr = { - .name = "ring", - .mode = 0600, - }, - .size = 2 * SZ_2M, - .mmap = hv_uio_ring_mmap, -}; - /* Callback from VMBUS subsystem when new channel created. */ static void hv_uio_new_channel(struct vmbus_channel *new_sc) @@ -178,8 +166,7 @@ hv_uio_new_channel(struct vmbus_channel *new_sc) /* Disable interrupts on sub channel */ new_sc->inbound.ring_buffer->interrupt_mask = 1; set_channel_read_mode(new_sc, HV_CALL_ISR); - - ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr); + ret = hv_create_ring_sysfs(new_sc, hv_uio_ring_mmap); if (ret) { dev_err(device, "sysfs create ring bin file failed; %d\n", ret); vmbus_close(new_sc); @@ -350,10 +337,18 @@ hv_uio_probe(struct hv_device *dev, goto fail_close; } - ret = sysfs_create_bin_file(&channel->kobj, &ring_buffer_bin_attr); - if (ret) - dev_notice(&dev->device, - "sysfs create ring bin file failed; %d\n", ret); + /* + * This internally calls sysfs_update_group, which returns a non-zero value if it executes + * before sysfs_create_group. This is expected as the 'ring' will be created later in + * vmbus_device_register() -> vmbus_add_channel_kobj(). Thus, no need to check the return + * value and print warning. + * + * Creating/exposing sysfs in driver probe is not encouraged as it can lead to race + * conditions with userspace. For backward compatibility, "ring" sysfs could not be removed + * or decoupled from uio_hv_generic probe. Userspace programs can make use of inotify + * APIs to make sure that ring is created. + */ + hv_create_ring_sysfs(channel, hv_uio_ring_mmap); hv_set_drvdata(dev, pdata); @@ -375,7 +370,7 @@ hv_uio_remove(struct hv_device *dev) if (!pdata) return; - sysfs_remove_bin_file(&dev->channel->kobj, &ring_buffer_bin_attr); + hv_remove_ring_sysfs(dev->channel); uio_unregister_device(&pdata->info); hv_uio_cleanup(dev, pdata); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 675959fb97ba..d6ffe01962c2 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -1002,6 +1002,12 @@ struct vmbus_channel { /* The max size of a packet on this channel */ u32 max_pkt_size; + + /* function to mmap ring buffer memory to the channel's sysfs ring attribute */ + int (*mmap_ring_buffer)(struct vmbus_channel *channel, struct vm_area_struct *vma); + + /* boolean to control visibility of sysfs for ring buffer */ + bool ring_sysfs_visible; }; #define lock_requestor(channel, flags) \

8 months

1
0
0 0

FAILED: patch "[PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f31fe8165d365379d858c53bef43254c7d6d1cfd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051211-renewably-acclimate-72f0@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f31fe8165d365379d858c53bef43254c7d6d1cfd Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Fri, 2 May 2025 13:18:10 +0530 Subject: [PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer On regular bootup, devices get registered to VMBus first, so when uio_hv_generic driver for a particular device type is probed, the device is already initialized and added, so sysfs creation in hv_uio_probe() works fine. However, when the device is removed and brought back, the channel gets rescinded and the device again gets registered to VMBus. However this time, the uio_hv_generic driver is already registered to probe for that device and in this case sysfs creation is tried before the device's kobject gets initialized completely. Fix this by moving the core logic of sysfs creation of ring buffer, from uio_hv_generic to HyperV's VMBus driver, where the rest of the sysfs attributes for the channels are defined. While doing that, make use of attribute groups and macros, instead of creating sysfs directly, to ensure better error handling and code flow. Problematic path: vmbus_process_offer (A new offer comes for the VMBus device) vmbus_add_channel_work vmbus_device_register |-> device_register | |... | |-> hv_uio_probe | |... | |-> sysfs_create_bin_file (leads to a warning as | the primary channel's kobject, which is used to | create the sysfs file, is not yet initialized) |-> kset_create_and_add |-> vmbus_add_channel_kobj (initialization of the primary channel's kobject happens later) Above code flow is sequential and the warning is always reproducible in this path. Fixes: 9ab877a6ccf8 ("uio_hv_generic: make ring buffer attribute for primary channel") Cc: stable(a)kernel.org Suggested-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Suggested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Tested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250502074811.2022-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h index 29780f3a7478..0b450e53161e 100644 --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -477,4 +477,10 @@ static inline int hv_debug_add_dev_dir(struct hv_device *dev) #endif /* CONFIG_HYPERV_TESTING */ +/* Create and remove sysfs entry for memory mapped ring buffers for a channel */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)); +int hv_remove_ring_sysfs(struct vmbus_channel *channel); + #endif /* _HYPERV_VMBUS_H */ diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 8d3cff42bdbb..0f16a83cc2d6 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -1802,6 +1802,27 @@ static ssize_t subchannel_id_show(struct vmbus_channel *channel, } static VMBUS_CHAN_ATTR_RO(subchannel_id); +static int hv_mmap_ring_buffer_wrapper(struct file *filp, struct kobject *kobj, + const struct bin_attribute *attr, + struct vm_area_struct *vma) +{ + struct vmbus_channel *channel = container_of(kobj, struct vmbus_channel, kobj); + + /* + * hv_(create|remove)_ring_sysfs implementation ensures that mmap_ring_buffer + * is not NULL. + */ + return channel->mmap_ring_buffer(channel, vma); +} + +static struct bin_attribute chan_attr_ring_buffer = { + .attr = { + .name = "ring", + .mode = 0600, + }, + .size = 2 * SZ_2M, + .mmap = hv_mmap_ring_buffer_wrapper, +}; static struct attribute *vmbus_chan_attrs[] = { &chan_attr_out_mask.attr, &chan_attr_in_mask.attr, @@ -1821,6 +1842,11 @@ static struct attribute *vmbus_chan_attrs[] = { NULL }; +static struct bin_attribute *vmbus_chan_bin_attrs[] = { + &chan_attr_ring_buffer, + NULL +}; + /* * Channel-level attribute_group callback function. Returns the permission for * each attribute, and returns 0 if an attribute is not visible. @@ -1841,9 +1867,24 @@ static umode_t vmbus_chan_attr_is_visible(struct kobject *kobj, return attr->mode; } +static umode_t vmbus_chan_bin_attr_is_visible(struct kobject *kobj, + const struct bin_attribute *attr, int idx) +{ + const struct vmbus_channel *channel = + container_of(kobj, struct vmbus_channel, kobj); + + /* Hide ring attribute if channel's ring_sysfs_visible is set to false */ + if (attr == &chan_attr_ring_buffer && !channel->ring_sysfs_visible) + return 0; + + return attr->attr.mode; +} + static const struct attribute_group vmbus_chan_group = { .attrs = vmbus_chan_attrs, - .is_visible = vmbus_chan_attr_is_visible + .bin_attrs = vmbus_chan_bin_attrs, + .is_visible = vmbus_chan_attr_is_visible, + .is_bin_visible = vmbus_chan_bin_attr_is_visible, }; static const struct kobj_type vmbus_chan_ktype = { @@ -1851,6 +1892,63 @@ static const struct kobj_type vmbus_chan_ktype = { .release = vmbus_chan_release, }; +/** + * hv_create_ring_sysfs() - create "ring" sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * @hv_mmap_ring_buffer: function pointer for initializing the function to be called on mmap of + * channel's "ring" sysfs node, which is for the ring buffer of that channel. + * Function pointer is of below type: + * int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + * struct vm_area_struct *vma)) + * This has a pointer to the channel and a pointer to vm_area_struct, + * used for mmap, as arguments. + * + * Sysfs node for ring buffer of a channel is created along with other fields, however its + * visibility is disabled by default. Sysfs creation needs to be controlled when the use-case + * is running. + * For example, HV_NIC device is used either by uio_hv_generic or hv_netvsc at any given point of + * time, and "ring" sysfs is needed only when uio_hv_generic is bound to that device. To avoid + * exposing the ring buffer by default, this function is reponsible to enable visibility of + * ring for userspace to use. + * Note: Race conditions can happen with userspace and it is not encouraged to create new + * use-cases for this. This was added to maintain backward compatibility, while solving + * one of the race conditions in uio_hv_generic while creating sysfs. + * + * Returns 0 on success or error code on failure. + */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)) +{ + struct kobject *kobj = &channel->kobj; + + channel->mmap_ring_buffer = hv_mmap_ring_buffer; + channel->ring_sysfs_visible = true; + + return sysfs_update_group(kobj, &vmbus_chan_group); +} +EXPORT_SYMBOL_GPL(hv_create_ring_sysfs); + +/** + * hv_remove_ring_sysfs() - remove ring sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * + * Hide "ring" sysfs for a channel by changing its is_visible attribute and updating sysfs group. + * + * Returns 0 on success or error code on failure. + */ +int hv_remove_ring_sysfs(struct vmbus_channel *channel) +{ + struct kobject *kobj = &channel->kobj; + int ret; + + channel->ring_sysfs_visible = false; + ret = sysfs_update_group(kobj, &vmbus_chan_group); + channel->mmap_ring_buffer = NULL; + return ret; +} +EXPORT_SYMBOL_GPL(hv_remove_ring_sysfs); + /* * vmbus_add_channel_kobj - setup a sub-directory under device/channels */ diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..69c1df0f4ca5 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -131,15 +131,12 @@ static void hv_uio_rescind(struct vmbus_channel *channel) vmbus_device_unregister(channel->device_obj); } -/* Sysfs API to allow mmap of the ring buffers +/* Function used for mmap of ring buffer sysfs interface. * The ring buffer is allocated as contiguous memory by vmbus_open */ -static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, - const struct bin_attribute *attr, - struct vm_area_struct *vma) +static int +hv_uio_ring_mmap(struct vmbus_channel *channel, struct vm_area_struct *vma) { - struct vmbus_channel *channel - = container_of(kobj, struct vmbus_channel, kobj); void *ring_buffer = page_address(channel->ringbuffer_page); if (channel->state != CHANNEL_OPENED_STATE) @@ -149,15 +146,6 @@ static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, channel->ringbuffer_pagecount << PAGE_SHIFT); } -static const struct bin_attribute ring_buffer_bin_attr = { - .attr = { - .name = "ring", - .mode = 0600, - }, - .size = 2 * SZ_2M, - .mmap = hv_uio_ring_mmap, -}; - /* Callback from VMBUS subsystem when new channel created. */ static void hv_uio_new_channel(struct vmbus_channel *new_sc) @@ -178,8 +166,7 @@ hv_uio_new_channel(struct vmbus_channel *new_sc) /* Disable interrupts on sub channel */ new_sc->inbound.ring_buffer->interrupt_mask = 1; set_channel_read_mode(new_sc, HV_CALL_ISR); - - ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr); + ret = hv_create_ring_sysfs(new_sc, hv_uio_ring_mmap); if (ret) { dev_err(device, "sysfs create ring bin file failed; %d\n", ret); vmbus_close(new_sc); @@ -350,10 +337,18 @@ hv_uio_probe(struct hv_device *dev, goto fail_close; } - ret = sysfs_create_bin_file(&channel->kobj, &ring_buffer_bin_attr); - if (ret) - dev_notice(&dev->device, - "sysfs create ring bin file failed; %d\n", ret); + /* + * This internally calls sysfs_update_group, which returns a non-zero value if it executes + * before sysfs_create_group. This is expected as the 'ring' will be created later in + * vmbus_device_register() -> vmbus_add_channel_kobj(). Thus, no need to check the return + * value and print warning. + * + * Creating/exposing sysfs in driver probe is not encouraged as it can lead to race + * conditions with userspace. For backward compatibility, "ring" sysfs could not be removed + * or decoupled from uio_hv_generic probe. Userspace programs can make use of inotify + * APIs to make sure that ring is created. + */ + hv_create_ring_sysfs(channel, hv_uio_ring_mmap); hv_set_drvdata(dev, pdata); @@ -375,7 +370,7 @@ hv_uio_remove(struct hv_device *dev) if (!pdata) return; - sysfs_remove_bin_file(&dev->channel->kobj, &ring_buffer_bin_attr); + hv_remove_ring_sysfs(dev->channel); uio_unregister_device(&pdata->info); hv_uio_cleanup(dev, pdata); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 675959fb97ba..d6ffe01962c2 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -1002,6 +1002,12 @@ struct vmbus_channel { /* The max size of a packet on this channel */ u32 max_pkt_size; + + /* function to mmap ring buffer memory to the channel's sysfs ring attribute */ + int (*mmap_ring_buffer)(struct vmbus_channel *channel, struct vm_area_struct *vma); + + /* boolean to control visibility of sysfs for ring buffer */ + bool ring_sysfs_visible; }; #define lock_requestor(channel, flags) \

8 months

1
0
0 0

FAILED: patch "[PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f31fe8165d365379d858c53bef43254c7d6d1cfd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051210-wieldable-haunt-9fa2@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f31fe8165d365379d858c53bef43254c7d6d1cfd Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Fri, 2 May 2025 13:18:10 +0530 Subject: [PATCH] uio_hv_generic: Fix sysfs creation path for ring buffer On regular bootup, devices get registered to VMBus first, so when uio_hv_generic driver for a particular device type is probed, the device is already initialized and added, so sysfs creation in hv_uio_probe() works fine. However, when the device is removed and brought back, the channel gets rescinded and the device again gets registered to VMBus. However this time, the uio_hv_generic driver is already registered to probe for that device and in this case sysfs creation is tried before the device's kobject gets initialized completely. Fix this by moving the core logic of sysfs creation of ring buffer, from uio_hv_generic to HyperV's VMBus driver, where the rest of the sysfs attributes for the channels are defined. While doing that, make use of attribute groups and macros, instead of creating sysfs directly, to ensure better error handling and code flow. Problematic path: vmbus_process_offer (A new offer comes for the VMBus device) vmbus_add_channel_work vmbus_device_register |-> device_register | |... | |-> hv_uio_probe | |... | |-> sysfs_create_bin_file (leads to a warning as | the primary channel's kobject, which is used to | create the sysfs file, is not yet initialized) |-> kset_create_and_add |-> vmbus_add_channel_kobj (initialization of the primary channel's kobject happens later) Above code flow is sequential and the warning is always reproducible in this path. Fixes: 9ab877a6ccf8 ("uio_hv_generic: make ring buffer attribute for primary channel") Cc: stable(a)kernel.org Suggested-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Suggested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Tested-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250502074811.2022-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h index 29780f3a7478..0b450e53161e 100644 --- a/drivers/hv/hyperv_vmbus.h +++ b/drivers/hv/hyperv_vmbus.h @@ -477,4 +477,10 @@ static inline int hv_debug_add_dev_dir(struct hv_device *dev) #endif /* CONFIG_HYPERV_TESTING */ +/* Create and remove sysfs entry for memory mapped ring buffers for a channel */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)); +int hv_remove_ring_sysfs(struct vmbus_channel *channel); + #endif /* _HYPERV_VMBUS_H */ diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 8d3cff42bdbb..0f16a83cc2d6 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -1802,6 +1802,27 @@ static ssize_t subchannel_id_show(struct vmbus_channel *channel, } static VMBUS_CHAN_ATTR_RO(subchannel_id); +static int hv_mmap_ring_buffer_wrapper(struct file *filp, struct kobject *kobj, + const struct bin_attribute *attr, + struct vm_area_struct *vma) +{ + struct vmbus_channel *channel = container_of(kobj, struct vmbus_channel, kobj); + + /* + * hv_(create|remove)_ring_sysfs implementation ensures that mmap_ring_buffer + * is not NULL. + */ + return channel->mmap_ring_buffer(channel, vma); +} + +static struct bin_attribute chan_attr_ring_buffer = { + .attr = { + .name = "ring", + .mode = 0600, + }, + .size = 2 * SZ_2M, + .mmap = hv_mmap_ring_buffer_wrapper, +}; static struct attribute *vmbus_chan_attrs[] = { &chan_attr_out_mask.attr, &chan_attr_in_mask.attr, @@ -1821,6 +1842,11 @@ static struct attribute *vmbus_chan_attrs[] = { NULL }; +static struct bin_attribute *vmbus_chan_bin_attrs[] = { + &chan_attr_ring_buffer, + NULL +}; + /* * Channel-level attribute_group callback function. Returns the permission for * each attribute, and returns 0 if an attribute is not visible. @@ -1841,9 +1867,24 @@ static umode_t vmbus_chan_attr_is_visible(struct kobject *kobj, return attr->mode; } +static umode_t vmbus_chan_bin_attr_is_visible(struct kobject *kobj, + const struct bin_attribute *attr, int idx) +{ + const struct vmbus_channel *channel = + container_of(kobj, struct vmbus_channel, kobj); + + /* Hide ring attribute if channel's ring_sysfs_visible is set to false */ + if (attr == &chan_attr_ring_buffer && !channel->ring_sysfs_visible) + return 0; + + return attr->attr.mode; +} + static const struct attribute_group vmbus_chan_group = { .attrs = vmbus_chan_attrs, - .is_visible = vmbus_chan_attr_is_visible + .bin_attrs = vmbus_chan_bin_attrs, + .is_visible = vmbus_chan_attr_is_visible, + .is_bin_visible = vmbus_chan_bin_attr_is_visible, }; static const struct kobj_type vmbus_chan_ktype = { @@ -1851,6 +1892,63 @@ static const struct kobj_type vmbus_chan_ktype = { .release = vmbus_chan_release, }; +/** + * hv_create_ring_sysfs() - create "ring" sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * @hv_mmap_ring_buffer: function pointer for initializing the function to be called on mmap of + * channel's "ring" sysfs node, which is for the ring buffer of that channel. + * Function pointer is of below type: + * int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + * struct vm_area_struct *vma)) + * This has a pointer to the channel and a pointer to vm_area_struct, + * used for mmap, as arguments. + * + * Sysfs node for ring buffer of a channel is created along with other fields, however its + * visibility is disabled by default. Sysfs creation needs to be controlled when the use-case + * is running. + * For example, HV_NIC device is used either by uio_hv_generic or hv_netvsc at any given point of + * time, and "ring" sysfs is needed only when uio_hv_generic is bound to that device. To avoid + * exposing the ring buffer by default, this function is reponsible to enable visibility of + * ring for userspace to use. + * Note: Race conditions can happen with userspace and it is not encouraged to create new + * use-cases for this. This was added to maintain backward compatibility, while solving + * one of the race conditions in uio_hv_generic while creating sysfs. + * + * Returns 0 on success or error code on failure. + */ +int hv_create_ring_sysfs(struct vmbus_channel *channel, + int (*hv_mmap_ring_buffer)(struct vmbus_channel *channel, + struct vm_area_struct *vma)) +{ + struct kobject *kobj = &channel->kobj; + + channel->mmap_ring_buffer = hv_mmap_ring_buffer; + channel->ring_sysfs_visible = true; + + return sysfs_update_group(kobj, &vmbus_chan_group); +} +EXPORT_SYMBOL_GPL(hv_create_ring_sysfs); + +/** + * hv_remove_ring_sysfs() - remove ring sysfs entry corresponding to ring buffers for a channel. + * @channel: Pointer to vmbus_channel structure + * + * Hide "ring" sysfs for a channel by changing its is_visible attribute and updating sysfs group. + * + * Returns 0 on success or error code on failure. + */ +int hv_remove_ring_sysfs(struct vmbus_channel *channel) +{ + struct kobject *kobj = &channel->kobj; + int ret; + + channel->ring_sysfs_visible = false; + ret = sysfs_update_group(kobj, &vmbus_chan_group); + channel->mmap_ring_buffer = NULL; + return ret; +} +EXPORT_SYMBOL_GPL(hv_remove_ring_sysfs); + /* * vmbus_add_channel_kobj - setup a sub-directory under device/channels */ diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..69c1df0f4ca5 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -131,15 +131,12 @@ static void hv_uio_rescind(struct vmbus_channel *channel) vmbus_device_unregister(channel->device_obj); } -/* Sysfs API to allow mmap of the ring buffers +/* Function used for mmap of ring buffer sysfs interface. * The ring buffer is allocated as contiguous memory by vmbus_open */ -static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, - const struct bin_attribute *attr, - struct vm_area_struct *vma) +static int +hv_uio_ring_mmap(struct vmbus_channel *channel, struct vm_area_struct *vma) { - struct vmbus_channel *channel - = container_of(kobj, struct vmbus_channel, kobj); void *ring_buffer = page_address(channel->ringbuffer_page); if (channel->state != CHANNEL_OPENED_STATE) @@ -149,15 +146,6 @@ static int hv_uio_ring_mmap(struct file *filp, struct kobject *kobj, channel->ringbuffer_pagecount << PAGE_SHIFT); } -static const struct bin_attribute ring_buffer_bin_attr = { - .attr = { - .name = "ring", - .mode = 0600, - }, - .size = 2 * SZ_2M, - .mmap = hv_uio_ring_mmap, -}; - /* Callback from VMBUS subsystem when new channel created. */ static void hv_uio_new_channel(struct vmbus_channel *new_sc) @@ -178,8 +166,7 @@ hv_uio_new_channel(struct vmbus_channel *new_sc) /* Disable interrupts on sub channel */ new_sc->inbound.ring_buffer->interrupt_mask = 1; set_channel_read_mode(new_sc, HV_CALL_ISR); - - ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr); + ret = hv_create_ring_sysfs(new_sc, hv_uio_ring_mmap); if (ret) { dev_err(device, "sysfs create ring bin file failed; %d\n", ret); vmbus_close(new_sc); @@ -350,10 +337,18 @@ hv_uio_probe(struct hv_device *dev, goto fail_close; } - ret = sysfs_create_bin_file(&channel->kobj, &ring_buffer_bin_attr); - if (ret) - dev_notice(&dev->device, - "sysfs create ring bin file failed; %d\n", ret); + /* + * This internally calls sysfs_update_group, which returns a non-zero value if it executes + * before sysfs_create_group. This is expected as the 'ring' will be created later in + * vmbus_device_register() -> vmbus_add_channel_kobj(). Thus, no need to check the return + * value and print warning. + * + * Creating/exposing sysfs in driver probe is not encouraged as it can lead to race + * conditions with userspace. For backward compatibility, "ring" sysfs could not be removed + * or decoupled from uio_hv_generic probe. Userspace programs can make use of inotify + * APIs to make sure that ring is created. + */ + hv_create_ring_sysfs(channel, hv_uio_ring_mmap); hv_set_drvdata(dev, pdata); @@ -375,7 +370,7 @@ hv_uio_remove(struct hv_device *dev) if (!pdata) return; - sysfs_remove_bin_file(&dev->channel->kobj, &ring_buffer_bin_attr); + hv_remove_ring_sysfs(dev->channel); uio_unregister_device(&pdata->info); hv_uio_cleanup(dev, pdata); diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 675959fb97ba..d6ffe01962c2 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -1002,6 +1002,12 @@ struct vmbus_channel { /* The max size of a packet on this channel */ u32 max_pkt_size; + + /* function to mmap ring buffer memory to the channel's sysfs ring attribute */ + int (*mmap_ring_buffer)(struct vmbus_channel *channel, struct vm_area_struct *vma); + + /* boolean to control visibility of sysfs for ring buffer */ + bool ring_sysfs_visible; }; #define lock_requestor(channel, flags) \

8 months

1
0
0 0

[PATCH v2] clk: meson-g12a: fix missing spicc clks to clk_sel

by Da Xue

HHI_SPICC_CLK_CNTL bits 25:23 controls spicc clk_sel. It is missing fclk_div 2 and gp0_pll which causes the spicc module to output the incorrect clocks for spicc sclk at 2.5x the expected rate. Add the missing clocks resolves this. Fixes: a18c8e0b7697 ("clk: meson: g12a: add support for the SPICC SCLK Source clocks") Cc: <stable(a)vger.kernel.org> # 6.1 Signed-off-by: Da Xue <da(a)libre.computer> --- Changelog: v1 -> v2: add Fixes as an older version of the patch was incorrectly sent as v1 --- drivers/clk/meson/g12a.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c index 4f92b83965d5a..892862bf39996 100644 --- a/drivers/clk/meson/g12a.c +++ b/drivers/clk/meson/g12a.c @@ -4099,8 +4099,10 @@ static const struct clk_parent_data spicc_sclk_parent_data[] = { { .hw = &g12a_clk81.hw }, { .hw = &g12a_fclk_div4.hw }, { .hw = &g12a_fclk_div3.hw }, + { .hw = &g12a_fclk_div2.hw }, { .hw = &g12a_fclk_div5.hw }, { .hw = &g12a_fclk_div7.hw }, + { .hw = &g12a_gp0_pll.hw, }, }; static struct clk_regmap g12a_spicc0_sclk_sel = { -- 2.39.5

8 months

2
1
0 0

[PATCH v2] drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc()

by Fabio Estevam

From: Fabio Estevam <festevam(a)denx.de> Since commit 559358282e5b ("drm/fb-helper: Don't use the preferred depth for the BPP default"), RGB565 displays such as the CFAF240320X no longer render correctly: colors are distorted and the content is shown twice horizontally. This regression is due to the fbdev emulation layer defaulting to 32 bits per pixel, whereas the display expects 16 bpp (RGB565). As a result, the framebuffer data is incorrectly interpreted by the panel. Fix the issue by calling drm_client_setup_with_fourcc() with a format explicitly selected based on the display's bits-per-pixel value. For 16 bpp, use DRM_FORMAT_RGB565; for other values, fall back to the previous behavior. This ensures that the allocated framebuffer format matches the hardware expectations, avoiding color and layout corruption. Tested on a CFAF240320X display with an RGB565 configuration, confirming correct colors and layout after applying this patch. Cc: stable(a)vger.kernel.org Fixes: 559358282e5b ("drm/fb-helper: Don't use the preferred depth for the BPP default") Signed-off-by: Fabio Estevam <festevam(a)denx.de> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> --- Changes since v1: - Improved the commit log. - Added Thomas' Reviewed-by tag. - Added more maintainers on Cc as panel-mipi-dbi.c has been marked as orphan. drivers/gpu/drm/tiny/panel-mipi-dbi.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tiny/panel-mipi-dbi.c b/drivers/gpu/drm/tiny/panel-mipi-dbi.c index 0460ecaef4bd..23914a9f7fd3 100644 --- a/drivers/gpu/drm/tiny/panel-mipi-dbi.c +++ b/drivers/gpu/drm/tiny/panel-mipi-dbi.c @@ -390,7 +390,10 @@ static int panel_mipi_dbi_spi_probe(struct spi_device *spi) spi_set_drvdata(spi, drm); - drm_client_setup(drm, NULL); + if (bpp == 16) + drm_client_setup_with_fourcc(drm, DRM_FORMAT_RGB565); + else + drm_client_setup_with_fourcc(drm, DRM_FORMAT_RGB888); return 0; } -- 2.34.1

8 months

3
3
0 0

[PATCH] wifi: mt76: disable napi on driver removal

by Fedor Pchelkin

A warning on driver removal started occurring after commit 9dd05df8403b ("net: warn if NAPI instance wasn't shut down"). Disable tx napi before deleting it in mt76_dma_cleanup(). WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__netif_napi_del_locked+0xf0/0x100 Call Trace: <TASK> mt76_dma_cleanup+0x54/0x2f0 [mt76] mt7921_pci_remove+0xd5/0x190 [mt7921e] pci_device_remove+0x47/0xc0 device_release_driver_internal+0x19e/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x6d/0xf0 pci_unregister_driver+0x2e/0xb0 __do_sys_delete_module.isra.0+0x197/0x2e0 do_syscall_64+0x7b/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way. Found by Linux Verification Center (linuxtesting.org). Fixes: 2ac515a5d74f ("mt76: mt76x02: use napi polling for tx cleanup") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- drivers/net/wireless/mediatek/mt76/dma.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index 844af16ee551..35b4ec91979e 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -1011,6 +1011,7 @@ void mt76_dma_cleanup(struct mt76_dev *dev) int i; mt76_worker_disable(&dev->tx_worker); + napi_disable(&dev->tx_napi); netif_napi_del(&dev->tx_napi); for (i = 0; i < ARRAY_SIZE(dev->phys); i++) { -- 2.49.0

8 months

2
1
0 0

[PATCH 6.1.y 2/2] drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()

by jianqi.ren.cn＠windriver.com

From: Abhinav Kumar <quic_abhinavk(a)quicinc.com> [ Upstream commit aedf02e46eb549dac8db4821a6b9f0c6bf6e3990 ] For cases where the crtc's connectors_changed was set without enable/active getting toggled , there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set(). This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable() as the dpu_encoder's connector was cleared in the atomic_disable() but not re-assigned as there was no atomic_mode_set() call. Fix the NULL ptr access by moving the assignment for atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state. Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") Reported-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/59 Suggested-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Tested-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> # SM8350-HDK Patchwork: https://patchwork.freedesktop.org/patch/606729/ Link: https://lore.kernel.org/r/20240731191723.3050932-1-quic_abhinavk@quicinc.com Signed-off-by: Abhinav Kumar <quic_abhinavk(a)quicinc.com> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c index c7fcd617b48c..94f352253c74 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c @@ -1101,8 +1101,6 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc, cstate->num_mixers = num_lm; - dpu_enc->connector = conn_state->connector; - for (i = 0; i < dpu_enc->num_phys_encs; i++) { struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i]; @@ -1192,6 +1190,9 @@ static void dpu_encoder_virt_atomic_enable(struct drm_encoder *drm_enc, dpu_enc = to_dpu_encoder_virt(drm_enc); mutex_lock(&dpu_enc->enc_lock); + + dpu_enc->connector = drm_atomic_get_new_connector_for_encoder(state, drm_enc); + cur_mode = &dpu_enc->base.crtc->state->adjusted_mode; trace_dpu_enc_enable(DRMID(drm_enc), cur_mode->hdisplay, -- 2.34.1

8 months

1
0
0 0

[PATCH] usb: cdnsp: Fix issue with detecting command completion event

by Pawel Laszczak

In some cases, there is a small-time gap in which CMD_RING_BUSY can be cleared by controller but adding command completion event to event ring will be delayed. As the result driver will return error code. This behavior has been detected on usbtest driver (test 9) with configuration including ep1in/ep1out bulk and ep2in/ep2out isoc endpoint. Probably this gap occurred because controller was busy with adding some other events to event ring. The CMD_RING_BUSY is cleared to '0' when the Command Descriptor has been executed and not when command completion event has been added to event ring. To fix this issue for this test the small delay is sufficient less than 10us) but to make sure the problem doesn't happen again in the future the patch introduce 3 retries to check with delay about 100us before returning error code Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: stable(a)vger.kernel.org Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- drivers/usb/cdns3/cdnsp-gadget.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/drivers/usb/cdns3/cdnsp-gadget.c b/drivers/usb/cdns3/cdnsp-gadget.c index f773518185c9..0eb11b5dd9d3 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.c +++ b/drivers/usb/cdns3/cdnsp-gadget.c @@ -547,6 +547,7 @@ int cdnsp_wait_for_cmd_compl(struct cdnsp_device *pdev) dma_addr_t cmd_deq_dma; union cdnsp_trb *event; u32 cycle_state; + u32 retry = 3; int ret, val; u64 cmd_dma; u32 flags; @@ -578,8 +579,23 @@ int cdnsp_wait_for_cmd_compl(struct cdnsp_device *pdev) flags = le32_to_cpu(event->event_cmd.flags); /* Check the owner of the TRB. */ - if ((flags & TRB_CYCLE) != cycle_state) + if ((flags & TRB_CYCLE) != cycle_state) { + /* + *Give some extra time to get chance controller + * to finish command before returning error code. + * Checking CMD_RING_BUSY is not sufficient because + * this bit is cleared to '0' when the Command + * Descriptor has been executed by controller + * and not when command completion event has + * be added to event ring. + */ + if (retry--) { + usleep_range(90, 100); + continue; + } + return -EINVAL; + } cmd_dma = le64_to_cpu(event->event_cmd.cmd_trb); -- 2.43.0

8 months

2
2
0 0

[merged mm-nonmm-stable] ipc-fix-to-protect-ipcs-lookups-using-rcu.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ipc: fix to protect IPCS lookups using RCU has been removed from the -mm tree. Its filename was ipc-fix-to-protect-ipcs-lookups-using-rcu.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jeongjun Park <aha310510(a)gmail.com> Subject: ipc: fix to protect IPCS lookups using RCU Date: Thu, 24 Apr 2025 23:33:22 +0900 syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned(). Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com Fixes: b34a6b1da371 ("ipc: introduce shm_rmid_forced sysctl") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot+a2b84e569d06ca3a949c(a)syzkaller.appspotmail.com Cc: Jeongjun Park <aha310510(a)gmail.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Vasiliy Kulikov <segoon(a)openwall.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/shm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/ipc/shm.c~ipc-fix-to-protect-ipcs-lookups-using-rcu +++ a/ipc/shm.c @@ -431,8 +431,11 @@ static int shm_try_destroy_orphaned(int void shm_destroy_orphaned(struct ipc_namespace *ns) { down_write(&shm_ids(ns).rwsem); - if (shm_ids(ns).in_use) + if (shm_ids(ns).in_use) { + rcu_read_lock(); idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); + rcu_read_unlock(); + } up_write(&shm_ids(ns).rwsem); } _ Patches currently in -mm which might be from aha310510(a)gmail.com are mm-vmalloc-fix-data-race-in-show_numa_info.patch

8 months

1
0
0 0

[merged mm-nonmm-stable] watchdog-fix-watchdog-may-detect-false-positive-of-softlockup.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: watchdog: fix watchdog may detect false positive of softlockup has been removed from the -mm tree. Its filename was watchdog-fix-watchdog-may-detect-false-positive-of-softlockup.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Luo Gengkun <luogengkun(a)huaweicloud.com> Subject: watchdog: fix watchdog may detect false positive of softlockup Date: Mon, 21 Apr 2025 03:50:21 +0000 When updating `watchdog_thresh`, there is a race condition between writing the new `watchdog_thresh` value and stopping the old watchdog timer. If the old timer triggers during this window, it may falsely detect a softlockup due to the old interval and the new `watchdog_thresh` value being used. The problem can be described as follow: # We asuume previous watchdog_thresh is 60, so the watchdog timer is # coming every 24s. echo 10 > /proc/sys/kernel/watchdog_thresh (User space) | +------>+ update watchdog_thresh (We are in kernel now) | | # using old interval and new `watchdog_thresh` +------>+ watchdog hrtimer (irq context: detect softlockup) | | +-------+ | | + softlockup_stop_all To fix this problem, introduce a shadow variable for `watchdog_thresh`. The update to the actual `watchdog_thresh` is delayed until after the old timer is stopped, preventing false positives. The following testcase may help to understand this problem. --------------------------------------------- echo RT_RUNTIME_SHARE > /sys/kernel/debug/sched/features echo -1 > /proc/sys/kernel/sched_rt_runtime_us echo 0 > /sys/kernel/debug/sched/fair_server/cpu3/runtime echo 60 > /proc/sys/kernel/watchdog_thresh taskset -c 3 chrt -r 99 /bin/bash -c "while true;do true; done" & echo 10 > /proc/sys/kernel/watchdog_thresh & --------------------------------------------- The test case above first removes the throttling restrictions for real-time tasks. It then sets watchdog_thresh to 60 and executes a real-time task ,a simple while(1) loop, on cpu3. Consequently, the final command gets blocked because the presence of this real-time thread prevents kworker:3 from being selected by the scheduler. This eventually triggers a softlockup detection on cpu3 due to watchdog_timer_fn operating with inconsistent variable - using both the old interval and the updated watchdog_thresh simultaneously. [nysal(a)linux.ibm.com: fix the SOFTLOCKUP_DETECTOR=n case] Link: https://lkml.kernel.org/r/20250502111120.282690-1-nysal@linux.ibm.com Link: https://lkml.kernel.org/r/20250421035021.3507649-1-luogengkun@huaweicloud.c… Signed-off-by: Luo Gengkun <luogengkun(a)huaweicloud.com> Signed-off-by: Nysal Jan K.A. <nysal(a)linux.ibm.com> Cc: Doug Anderson <dianders(a)chromium.org> Cc: Joel Granados <joel.granados(a)kernel.org> Cc: Song Liu <song(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: "Nysal Jan K.A." <nysal(a)linux.ibm.com> Cc: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/watchdog.c | 41 +++++++++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 14 deletions(-) --- a/kernel/watchdog.c~watchdog-fix-watchdog-may-detect-false-positive-of-softlockup +++ a/kernel/watchdog.c @@ -47,6 +47,7 @@ int __read_mostly watchdog_user_enabled static int __read_mostly watchdog_hardlockup_user_enabled = WATCHDOG_HARDLOCKUP_DEFAULT; static int __read_mostly watchdog_softlockup_user_enabled = 1; int __read_mostly watchdog_thresh = 10; +static int __read_mostly watchdog_thresh_next; static int __read_mostly watchdog_hardlockup_available; struct cpumask watchdog_cpumask __read_mostly; @@ -870,12 +871,20 @@ int lockup_detector_offline_cpu(unsigned return 0; } -static void __lockup_detector_reconfigure(void) +static void __lockup_detector_reconfigure(bool thresh_changed) { cpus_read_lock(); watchdog_hardlockup_stop(); softlockup_stop_all(); + /* + * To prevent watchdog_timer_fn from using the old interval and + * the new watchdog_thresh at the same time, which could lead to + * false softlockup reports, it is necessary to update the + * watchdog_thresh after the softlockup is completed. + */ + if (thresh_changed) + watchdog_thresh = READ_ONCE(watchdog_thresh_next); set_sample_period(); lockup_detector_update_enable(); if (watchdog_enabled && watchdog_thresh) @@ -888,7 +897,7 @@ static void __lockup_detector_reconfigur void lockup_detector_reconfigure(void) { mutex_lock(&watchdog_mutex); - __lockup_detector_reconfigure(); + __lockup_detector_reconfigure(false); mutex_unlock(&watchdog_mutex); } @@ -908,27 +917,29 @@ static __init void lockup_detector_setup return; mutex_lock(&watchdog_mutex); - __lockup_detector_reconfigure(); + __lockup_detector_reconfigure(false); softlockup_initialized = true; mutex_unlock(&watchdog_mutex); } #else /* CONFIG_SOFTLOCKUP_DETECTOR */ -static void __lockup_detector_reconfigure(void) +static void __lockup_detector_reconfigure(bool thresh_changed) { cpus_read_lock(); watchdog_hardlockup_stop(); + if (thresh_changed) + watchdog_thresh = READ_ONCE(watchdog_thresh_next); lockup_detector_update_enable(); watchdog_hardlockup_start(); cpus_read_unlock(); } void lockup_detector_reconfigure(void) { - __lockup_detector_reconfigure(); + __lockup_detector_reconfigure(false); } static inline void lockup_detector_setup(void) { - __lockup_detector_reconfigure(); + __lockup_detector_reconfigure(false); } #endif /* !CONFIG_SOFTLOCKUP_DETECTOR */ @@ -946,11 +957,11 @@ void lockup_detector_soft_poweroff(void) #ifdef CONFIG_SYSCTL /* Propagate any changes to the watchdog infrastructure */ -static void proc_watchdog_update(void) +static void proc_watchdog_update(bool thresh_changed) { /* Remove impossible cpus to keep sysctl output clean. */ cpumask_and(&watchdog_cpumask, &watchdog_cpumask, cpu_possible_mask); - __lockup_detector_reconfigure(); + __lockup_detector_reconfigure(thresh_changed); } /* @@ -984,7 +995,7 @@ static int proc_watchdog_common(int whic } else { err = proc_dointvec_minmax(table, write, buffer, lenp, ppos); if (!err && old != READ_ONCE(*param)) - proc_watchdog_update(); + proc_watchdog_update(false); } mutex_unlock(&watchdog_mutex); return err; @@ -1035,11 +1046,13 @@ static int proc_watchdog_thresh(const st mutex_lock(&watchdog_mutex); - old = READ_ONCE(watchdog_thresh); + watchdog_thresh_next = READ_ONCE(watchdog_thresh); + + old = watchdog_thresh_next; err = proc_dointvec_minmax(table, write, buffer, lenp, ppos); - if (!err && write && old != READ_ONCE(watchdog_thresh)) - proc_watchdog_update(); + if (!err && write && old != READ_ONCE(watchdog_thresh_next)) + proc_watchdog_update(true); mutex_unlock(&watchdog_mutex); return err; @@ -1060,7 +1073,7 @@ static int proc_watchdog_cpumask(const s err = proc_do_large_bitmap(table, write, buffer, lenp, ppos); if (!err && write) - proc_watchdog_update(); + proc_watchdog_update(false); mutex_unlock(&watchdog_mutex); return err; @@ -1080,7 +1093,7 @@ static const struct ctl_table watchdog_s }, { .procname = "watchdog_thresh", - .data = &watchdog_thresh, + .data = &watchdog_thresh_next, .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_watchdog_thresh, _ Patches currently in -mm which might be from luogengkun(a)huaweicloud.com are

8 months

1
0
0 0

[merged mm-stable] mm-fix-ratelimit_pages-update-error-in-dirty_ratio_handler.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix ratelimit_pages update error in dirty_ratio_handler() has been removed from the -mm tree. Its filename was mm-fix-ratelimit_pages-update-error-in-dirty_ratio_handler.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jinliang Zheng <alexjlzheng(a)tencent.com> Subject: mm: fix ratelimit_pages update error in dirty_ratio_handler() Date: Tue, 15 Apr 2025 17:02:32 +0800 In dirty_ratio_handler(), vm_dirty_bytes must be set to zero before calling writeback_set_ratelimit(), as global_dirty_limits() always prioritizes the value of vm_dirty_bytes. It's domain_dirty_limits() that's relevant here, not node_dirty_ok: dirty_ratio_handler writeback_set_ratelimit global_dirty_limits(&dirty_thresh) <- ratelimit_pages based on dirty_thresh domain_dirty_limits if (bytes) <- bytes = vm_dirty_bytes <--------+ thresh = f1(bytes) <- prioritizes vm_dirty_bytes | else | thresh = f2(ratio) | ratelimit_pages = f3(dirty_thresh) | vm_dirty_bytes = 0 <- it's late! ---------------------+ This causes ratelimit_pages to still use the value calculated based on vm_dirty_bytes, which is wrong now. The impact visible to userspace is difficult to capture directly because there is no procfs/sysfs interface exported to user space. However, it will have a real impact on the balance of dirty pages. For example: 1. On default, we have vm_dirty_ratio=40, vm_dirty_bytes=0 2. echo 8192 > dirty_bytes, then vm_dirty_bytes=8192, vm_dirty_ratio=0, and ratelimit_pages is calculated based on vm_dirty_bytes now. 3. echo 20 > dirty_ratio, then since vm_dirty_bytes is not reset to zero when writeback_set_ratelimit() -> global_dirty_limits() -> domain_dirty_limits() is called, reallimit_pages is still calculated based on vm_dirty_bytes instead of vm_dirty_ratio. This does not conform to the actual intent of the user. Link: https://lkml.kernel.org/r/20250415090232.7544-1-alexjlzheng@tencent.com Fixes: 9d823e8f6b1b ("writeback: per task dirty rate limit") Signed-off-by: Jinliang Zheng <alexjlzheng(a)tencent.com> Reviewed-by: MengEn Sun <mengensun(a)tencent.com> Cc: Andrea Righi <andrea(a)betterlinux.com> Cc: Fenggaung Wu <fengguang.wu(a)intel.com> Cc: Jinliang Zheng <alexjlzheng(a)tencent.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page-writeback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/page-writeback.c~mm-fix-ratelimit_pages-update-error-in-dirty_ratio_handler +++ a/mm/page-writeback.c @@ -520,8 +520,8 @@ static int dirty_ratio_handler(const str ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); if (ret == 0 && write && vm_dirty_ratio != old_ratio) { - writeback_set_ratelimit(); vm_dirty_bytes = 0; + writeback_set_ratelimit(); } return ret; } _ Patches currently in -mm which might be from alexjlzheng(a)tencent.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte has been removed from the -mm tree. Its filename was mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Barry Song <v-songbaohua(a)oppo.com> Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte Date: Fri, 9 May 2025 10:09:12 +1200 As David pointed out, what truly matters for mremap and userfaultfd move operations is the soft dirty bit. The current comment and implementation��which always sets the dirty bit for present PTEs and fails to set the soft dirty bit for swap PTEs��are incorrect. This could break features like Checkpoint-Restore in Userspace (CRIU). This patch updates the behavior to correctly set the soft dirty bit for both present and swap PTEs in accordance with mremap. Link: https://lkml.kernel.org/r/20250508220912.7275-1-21cnbao@gmail.com Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/02f14ee1-923f-47e3-a994-4950afb9afcc@redha… Acked-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/userfaultfd.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/mm/userfaultfd.c~mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte +++ a/mm/userfaultfd.c @@ -1064,8 +1064,13 @@ static int move_present_pte(struct mm_st src_folio->index = linear_page_index(dst_vma, dst_addr); orig_dst_pte = mk_pte(&src_folio->page, dst_vma->vm_page_prot); - /* Follow mremap() behavior and treat the entry dirty after the move */ - orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); + /* Set soft dirty bit so userspace can notice the pte was moved */ +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_dst_pte = pte_mksoft_dirty(orig_dst_pte); +#endif + if (pte_dirty(orig_src_pte)) + orig_dst_pte = pte_mkdirty(orig_dst_pte); + orig_dst_pte = pte_mkwrite(orig_dst_pte, dst_vma); set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte); out: @@ -1100,6 +1105,9 @@ static int move_swap_pte(struct mm_struc } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_src_pte = pte_swp_mksoft_dirty(orig_src_pte); +#endif set_pte_at(mm, dst_addr, dst_pte, orig_src_pte); double_pt_unlock(dst_ptl, src_ptl); _ Patches currently in -mm which might be from v-songbaohua(a)oppo.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/page_alloc: fix race condition in unaccepted memory handling has been removed from the -mm tree. Its filename was mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Subject: mm/page_alloc: fix race condition in unaccepted memory handling Date: Tue, 6 May 2025 16:32:07 +0300 The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory. Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone. Sanity checks inside static_branch machinery detects it: WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0 The comment around the WARN() explains the problem: /* * Warn about the '-1' case though; since that means a * decrement is concurrent with a first (0->1) increment. IOW * people are trying to disable something that wasn't yet fully * enabled. This suggests an ordering problem on the user side. */ The effect of this static_branch optimization is only visible on microbenchmark. Instead of adding more complexity around it, remove it altogether. Link: https://lkml.kernel.org/r/20250506133207.1009676-1-kirill.shutemov@linux.in… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory") Link: https://lore.kernel.org/all/20250506092445.GBaBnVXXyvnazly6iF@fat_crate.loc… Reported-by: Borislav Petkov <bp(a)alien8.de> Tested-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reported-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> [6.5+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 1 mm/mm_init.c | 1 mm/page_alloc.c | 47 ---------------------------------------------- 3 files changed, 49 deletions(-) --- a/mm/internal.h~mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling +++ a/mm/internal.h @@ -1590,7 +1590,6 @@ unsigned long move_page_tables(struct pa #ifdef CONFIG_UNACCEPTED_MEMORY void accept_page(struct page *page); -void unaccepted_cleanup_work(struct work_struct *work); #else /* CONFIG_UNACCEPTED_MEMORY */ static inline void accept_page(struct page *page) { --- a/mm/mm_init.c~mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling +++ a/mm/mm_init.c @@ -1441,7 +1441,6 @@ static void __meminit zone_init_free_lis #ifdef CONFIG_UNACCEPTED_MEMORY INIT_LIST_HEAD(&zone->unaccepted_pages); - INIT_WORK(&zone->unaccepted_cleanup, unaccepted_cleanup_work); #endif } --- a/mm/page_alloc.c~mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling +++ a/mm/page_alloc.c @@ -7172,16 +7172,8 @@ bool has_managed_dma(void) #ifdef CONFIG_UNACCEPTED_MEMORY -/* Counts number of zones with unaccepted pages. */ -static DEFINE_STATIC_KEY_FALSE(zones_with_unaccepted_pages); - static bool lazy_accept = true; -void unaccepted_cleanup_work(struct work_struct *work) -{ - static_branch_dec(&zones_with_unaccepted_pages); -} - static int __init accept_memory_parse(char *p) { if (!strcmp(p, "lazy")) { @@ -7206,11 +7198,7 @@ static bool page_contains_unaccepted(str static void __accept_page(struct zone *zone, unsigned long *flags, struct page *page) { - bool last; - list_del(&page->lru); - last = list_empty(&zone->unaccepted_pages); - account_freepages(zone, -MAX_ORDER_NR_PAGES, MIGRATE_MOVABLE); __mod_zone_page_state(zone, NR_UNACCEPTED, -MAX_ORDER_NR_PAGES); __ClearPageUnaccepted(page); @@ -7219,28 +7207,6 @@ static void __accept_page(struct zone *z accept_memory(page_to_phys(page), PAGE_SIZE << MAX_PAGE_ORDER); __free_pages_ok(page, MAX_PAGE_ORDER, FPI_TO_TAIL); - - if (last) { - /* - * There are two corner cases: - * - * - If allocation occurs during the CPU bring up, - * static_branch_dec() cannot be used directly as - * it causes a deadlock on cpu_hotplug_lock. - * - * Instead, use schedule_work() to prevent deadlock. - * - * - If allocation occurs before workqueues are initialized, - * static_branch_dec() should be called directly. - * - * Workqueues are initialized before CPU bring up, so this - * will not conflict with the first scenario. - */ - if (system_wq) - schedule_work(&zone->unaccepted_cleanup); - else - unaccepted_cleanup_work(&zone->unaccepted_cleanup); - } } void accept_page(struct page *page) @@ -7277,20 +7243,12 @@ static bool try_to_accept_memory_one(str return true; } -static inline bool has_unaccepted_memory(void) -{ - return static_branch_unlikely(&zones_with_unaccepted_pages); -} - static bool cond_accept_memory(struct zone *zone, unsigned int order, int alloc_flags) { long to_accept, wmark; bool ret = false; - if (!has_unaccepted_memory()) - return false; - if (list_empty(&zone->unaccepted_pages)) return false; @@ -7328,22 +7286,17 @@ static bool __free_unaccepted(struct pag { struct zone *zone = page_zone(page); unsigned long flags; - bool first = false; if (!lazy_accept) return false; spin_lock_irqsave(&zone->lock, flags); - first = list_empty(&zone->unaccepted_pages); list_add_tail(&page->lru, &zone->unaccepted_pages); account_freepages(zone, MAX_ORDER_NR_PAGES, MIGRATE_MOVABLE); __mod_zone_page_state(zone, NR_UNACCEPTED, MAX_ORDER_NR_PAGES); __SetPageUnaccepted(page); spin_unlock_irqrestore(&zone->lock, flags); - if (first) - static_branch_inc(&zones_with_unaccepted_pages); - return true; } _ Patches currently in -mm which might be from kirill.shutemov(a)linux.intel.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-page_alloc-ensure-try_alloc_pages-plays-well-with-unaccepted-memory.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/page_alloc: ensure try_alloc_pages() plays well with unaccepted memory has been removed from the -mm tree. Its filename was mm-page_alloc-ensure-try_alloc_pages-plays-well-with-unaccepted-memory.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Subject: mm/page_alloc: ensure try_alloc_pages() plays well with unaccepted memory Date: Tue, 6 May 2025 14:25:08 +0300 try_alloc_pages() will not attempt to allocate memory if the system has *any* unaccepted memory. Memory is accepted as needed and can remain in the system indefinitely, causing the interface to always fail. Rather than immediately giving up, attempt to use already accepted memory on free lists. Pass 'alloc_flags' to cond_accept_memory() and do not accept new memory for ALLOC_TRYLOCK requests. Found via code inspection - only BPF uses this at present and the runtime effects are unclear. Link: https://lkml.kernel.org/r/20250506112509.905147-2-kirill.shutemov@linux.int… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: 97769a53f117 ("mm, bpf: Introduce try_alloc_pages() for opportunistic page allocation") Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) --- a/mm/page_alloc.c~mm-page_alloc-ensure-try_alloc_pages-plays-well-with-unaccepted-memory +++ a/mm/page_alloc.c @@ -290,7 +290,8 @@ EXPORT_SYMBOL(nr_online_nodes); #endif static bool page_contains_unaccepted(struct page *page, unsigned int order); -static bool cond_accept_memory(struct zone *zone, unsigned int order); +static bool cond_accept_memory(struct zone *zone, unsigned int order, + int alloc_flags); static bool __free_unaccepted(struct page *page); int page_group_by_mobility_disabled __read_mostly; @@ -3611,7 +3612,7 @@ retry: } } - cond_accept_memory(zone, order); + cond_accept_memory(zone, order, alloc_flags); /* * Detect whether the number of free pages is below high @@ -3638,7 +3639,7 @@ check_alloc_wmark: gfp_mask)) { int ret; - if (cond_accept_memory(zone, order)) + if (cond_accept_memory(zone, order, alloc_flags)) goto try_this_zone; /* @@ -3691,7 +3692,7 @@ try_this_zone: return page; } else { - if (cond_accept_memory(zone, order)) + if (cond_accept_memory(zone, order, alloc_flags)) goto try_this_zone; /* Try again if zone has deferred pages */ @@ -4844,7 +4845,7 @@ unsigned long alloc_pages_bulk_noprof(gf goto failed; } - cond_accept_memory(zone, 0); + cond_accept_memory(zone, 0, alloc_flags); retry_this_zone: mark = wmark_pages(zone, alloc_flags & ALLOC_WMARK_MASK) + nr_pages; if (zone_watermark_fast(zone, 0, mark, @@ -4853,7 +4854,7 @@ retry_this_zone: break; } - if (cond_accept_memory(zone, 0)) + if (cond_accept_memory(zone, 0, alloc_flags)) goto retry_this_zone; /* Try again if zone has deferred pages */ @@ -7281,7 +7282,8 @@ static inline bool has_unaccepted_memory return static_branch_unlikely(&zones_with_unaccepted_pages); } -static bool cond_accept_memory(struct zone *zone, unsigned int order) +static bool cond_accept_memory(struct zone *zone, unsigned int order, + int alloc_flags) { long to_accept, wmark; bool ret = false; @@ -7292,6 +7294,10 @@ static bool cond_accept_memory(struct zo if (list_empty(&zone->unaccepted_pages)) return false; + /* Bailout, since try_to_accept_memory_one() needs to take a lock */ + if (alloc_flags & ALLOC_TRYLOCK) + return false; + wmark = promo_wmark_pages(zone); /* @@ -7348,7 +7354,8 @@ static bool page_contains_unaccepted(str return false; } -static bool cond_accept_memory(struct zone *zone, unsigned int order) +static bool cond_accept_memory(struct zone *zone, unsigned int order, + int alloc_flags) { return false; } @@ -7419,11 +7426,6 @@ struct page *try_alloc_pages_noprof(int if (!pcp_allowed_order(order)) return NULL; -#ifdef CONFIG_UNACCEPTED_MEMORY - /* Bailout, since try_to_accept_memory_one() needs to take a lock */ - if (has_unaccepted_memory()) - return NULL; -#endif /* Bailout, since _deferred_grow_zone() needs to take a lock */ if (deferred_pages_enabled()) return NULL; _ Patches currently in -mm which might be from kirill.shutemov(a)linux.intel.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-fix-incorrect-fallback-for-subpool.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: hugetlb: fix incorrect fallback for subpool has been removed from the -mm tree. Its filename was mm-hugetlb-fix-incorrect-fallback-for-subpool.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wupeng Ma <mawupeng1(a)huawei.com> Subject: mm: hugetlb: fix incorrect fallback for subpool Date: Thu, 10 Apr 2025 14:26:33 +0800 During our testing with hugetlb subpool enabled, we observe that hstate->resv_huge_pages may underflow into negative values. Root cause analysis reveals a race condition in subpool reservation fallback handling as follow: hugetlb_reserve_pages() /* Attempt subpool reservation */ gbl_reserve = hugepage_subpool_get_pages(spool, chg); /* Global reservation may fail after subpool allocation */ if (hugetlb_acct_memory(h, gbl_reserve) < 0) goto out_put_pages; out_put_pages: /* This incorrectly restores reservation to subpool */ hugepage_subpool_put_pages(spool, chg); When hugetlb_acct_memory() fails after subpool allocation, the current implementation over-commits subpool reservations by returning the full 'chg' value instead of the actual allocated 'gbl_reserve' amount. This discrepancy propagates to global reservations during subsequent releases, eventually causing resv_huge_pages underflow. This problem can be trigger easily with the following steps: 1. reverse hugepage for hugeltb allocation 2. mount hugetlbfs with min_size to enable hugetlb subpool 3. alloc hugepages with two task(make sure the second will fail due to insufficient amount of hugepages) 4. with for a few seconds and repeat step 3 which will make hstate->resv_huge_pages to go below zero. To fix this problem, return corrent amount of pages to subpool during the fallback after hugepage_subpool_get_pages is called. Link: https://lkml.kernel.org/r/20250410062633.3102457-1-mawupeng1@huawei.com Fixes: 1c5ecae3a93f ("hugetlbfs: add minimum size accounting to subpools") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> Tested-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ma Wupeng <mawupeng1(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-fix-incorrect-fallback-for-subpool +++ a/mm/hugetlb.c @@ -3010,7 +3010,7 @@ struct folio *alloc_hugetlb_folio(struct struct hugepage_subpool *spool = subpool_vma(vma); struct hstate *h = hstate_vma(vma); struct folio *folio; - long retval, gbl_chg; + long retval, gbl_chg, gbl_reserve; map_chg_state map_chg; int ret, idx; struct hugetlb_cgroup *h_cg = NULL; @@ -3163,8 +3163,16 @@ out_uncharge_cgroup_reservation: hugetlb_cgroup_uncharge_cgroup_rsvd(idx, pages_per_huge_page(h), h_cg); out_subpool_put: - if (map_chg) - hugepage_subpool_put_pages(spool, 1); + /* + * put page to subpool iff the quota of subpool's rsv_hpages is used + * during hugepage_subpool_get_pages. + */ + if (map_chg && !gbl_chg) { + gbl_reserve = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -gbl_reserve); + } + + out_end_reservation: if (map_chg != MAP_CHG_ENFORCED) vma_end_reservation(h, vma, addr); @@ -7239,7 +7247,7 @@ bool hugetlb_reserve_pages(struct inode struct vm_area_struct *vma, vm_flags_t vm_flags) { - long chg = -1, add = -1; + long chg = -1, add = -1, spool_resv, gbl_resv; struct hstate *h = hstate_inode(inode); struct hugepage_subpool *spool = subpool_inode(inode); struct resv_map *resv_map; @@ -7374,8 +7382,16 @@ bool hugetlb_reserve_pages(struct inode return true; out_put_pages: - /* put back original number of pages, chg */ - (void)hugepage_subpool_put_pages(spool, chg); + spool_resv = chg - gbl_reserve; + if (spool_resv) { + /* put sub pool's reservation back, chg - gbl_reserve */ + gbl_resv = hugepage_subpool_put_pages(spool, spool_resv); + /* + * subpool's reserved pages can not be put back due to race, + * return to hstate. + */ + hugetlb_acct_memory(h, -gbl_resv); + } out_uncharge_cgroup: hugetlb_cgroup_uncharge_cgroup_rsvd(hstate_index(h), chg * pages_per_huge_page(h), h_cg); _ Patches currently in -mm which might be from mawupeng1(a)huawei.com are

8 months

1
0
0 0

[PATCH] clk: meson-g12a: fix missing spicc clks to clk_sel

by Da Xue

HHI_SPICC_CLK_CNTL bits 25:23 controls spicc clk_sel. It is missing fclk_div 2 and gp0_pll which causes the spicc module to output the incorrect clocks for spicc sclk at 2.5x the expected rate. Add the missing clocks resolves this. Cc: <stable(a)vger.kernel.org> # 6.1.x: a18c8e0: clk: meson: g12a: add Signed-off-by: Da Xue <da(a)libre.computer> --- drivers/clk/meson/g12a.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c index 4f92b83965d5a..892862bf39996 100644 --- a/drivers/clk/meson/g12a.c +++ b/drivers/clk/meson/g12a.c @@ -4099,8 +4099,10 @@ static const struct clk_parent_data spicc_sclk_parent_data[] = { { .hw = &g12a_clk81.hw }, { .hw = &g12a_fclk_div4.hw }, { .hw = &g12a_fclk_div3.hw }, + { .hw = &g12a_fclk_div2.hw }, { .hw = &g12a_fclk_div5.hw }, { .hw = &g12a_fclk_div7.hw }, + { .hw = &g12a_gp0_pll.hw, }, }; static struct clk_regmap g12a_spicc0_sclk_sel = { -- 2.39.5

8 months

2
1
0 0

[PATCH v2] kbuild: Disable -Wdefault-const-init-unsafe

by Nathan Chancellor

A new on by default warning in clang [1] aims to flags instances where const variables without static or thread local storage or const members in aggregate types are not initialized because it can lead to an indeterminate value. This is quite noisy for the kernel due to instances originating from header files such as: drivers/gpu/drm/i915/gt/intel_ring.h:62:2: error: default initialization of an object of type 'typeof (ring->size)' (aka 'const unsigned int') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] 62 | typecheck(typeof(ring->size), next); | ^ include/linux/typecheck.h:10:9: note: expanded from macro 'typecheck' 10 | ({ type __dummy; \ | ^ include/net/ip.h:478:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] 478 | if (mtu && time_before(jiffies, rt->dst.expires)) | ^ include/linux/jiffies.h:138:26: note: expanded from macro 'time_before' 138 | #define time_before(a,b) time_after(b,a) | ^ include/linux/jiffies.h:128:3: note: expanded from macro 'time_after' 128 | (typecheck(unsigned long, a) && \ | ^ include/linux/typecheck.h:11:12: note: expanded from macro 'typecheck' 11 | typeof(x) __dummy2; \ | ^ include/linux/list.h:409:27: warning: default initialization of an object of type 'union (unnamed union at include/linux/list.h:409:27)' with const member leaves the object uninitialized [-Wdefault-const-init-field-unsafe] 409 | struct list_head *next = smp_load_acquire(&head->next); | ^ include/asm-generic/barrier.h:176:29: note: expanded from macro 'smp_load_acquire' 176 | #define smp_load_acquire(p) __smp_load_acquire(p) | ^ arch/arm64/include/asm/barrier.h:164:59: note: expanded from macro '__smp_load_acquire' 164 | union { __unqual_scalar_typeof(*p) __val; char __c[1]; } __u; \ | ^ include/linux/list.h:409:27: note: member '__val' declared 'const' here crypto/scatterwalk.c:66:22: error: default initialization of an object of type 'struct scatter_walk' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] 66 | struct scatter_walk walk; | ^ include/crypto/algapi.h:112:15: note: member 'addr' declared 'const' here 112 | void *const addr; | ^ fs/hugetlbfs/inode.c:733:24: error: default initialization of an object of type 'struct vm_area_struct' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] 733 | struct vm_area_struct pseudo_vma; | ^ include/linux/mm_types.h:803:20: note: member 'vm_flags' declared 'const' here 803 | const vm_flags_t vm_flags; | ^ Silencing the instances from typecheck.h is difficult because '= {}' is not available in older but supported compilers and '= {0}' would cause warnings about a literal 0 being treated as NULL. While it might be possible to come up with a local hack to silence the warning for clang-21+, it may not be worth it since -Wuninitialized will still trigger if an uninitialized const variable is actually used. In all audited cases of the "field" variant of the warning, the members are either not used in the particular call path, modified through other means such as memset() / memcpy() because the containing object is not const, or are within a union with other non-const members. Since this warning does not appear to have a high signal to noise ratio, just disable it. Cc: stable(a)vger.kernel.org Link: https://github.com/llvm/llvm-project/commit/576161cb6069e2c7656a8ef530727a0… [1] Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/CA+G9fYuNjKcxFKS_MKPRuga32XbndkLGcY-PVuoSwzv6VWbY=w… Reported-by: Marcus Seyfarth <m.seyfarth(a)gmail.com> Closes: https://github.com/ClangBuiltLinux/linux/issues/2088 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- Changes in v2: - Disable -Wdefault-const-init-var-unsafe as well, as '= {}' does not work in typecheck() for all supported compilers and it may not be worth a local hack. - Link to v1: https://lore.kernel.org/r/20250501-default-const-init-clang-v1-0-3d2c6c185d… --- scripts/Makefile.extrawarn | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn index d88acdf40855..fd649c68e198 100644 --- a/scripts/Makefile.extrawarn +++ b/scripts/Makefile.extrawarn @@ -37,6 +37,18 @@ KBUILD_CFLAGS += -Wno-gnu # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111219 KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow-non-kprintf) KBUILD_CFLAGS += $(call cc-disable-warning, format-truncation-non-kprintf) + +# Clang may emit a warning when a const variable, such as the dummy variables +# in typecheck(), or const member of an aggregate type are not initialized, +# which can result in unexpected behavior. However, in many audited cases of +# the "field" variant of the warning, this is intentional because the field is +# never used within a particular call path, the field is within a union with +# other non-const members, or the containing object is not const so the field +# can be modified via memcpy() / memset(). While the variable warning also gets +# disabled with this same switch, there should not be too much coverage lost +# because -Wuninitialized will still flag when an uninitialized const variable +# is used. +KBUILD_CFLAGS += $(call cc-disable-warning, default-const-init-unsafe) else # gcc inanely warns about local variables called 'main' --- base-commit: 92a09c47464d040866cf2b4cd052bc60555185fb change-id: 20250430-default-const-init-clang-b6e21b8d03b6 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

8 months

2
3
0 0

[PATCH] rtc: fix data race in rtc_dev_poll()

by Jeongjun Park

I found data-race in my fuzzer: ================================================================== BUG: KCSAN: data-race in rtc_dev_poll / rtc_handle_legacy_irq write to 0xffff88800b307380 of 8 bytes by interrupt on cpu 1: rtc_handle_legacy_irq+0x58/0xb0 drivers/rtc/interface.c:624 rtc_pie_update_irq+0x75/0x90 drivers/rtc/interface.c:672 __run_hrtimer kernel/time/hrtimer.c:1761 [inline] __hrtimer_run_queues+0x2c4/0x5d0 kernel/time/hrtimer.c:1825 hrtimer_interrupt+0x214/0x4a0 kernel/time/hrtimer.c:1887 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline] .... read to 0xffff88800b307380 of 8 bytes by task 11566 on cpu 0: rtc_dev_poll+0x6c/0xa0 drivers/rtc/dev.c:198 vfs_poll include/linux/poll.h:82 [inline] select_poll_one fs/select.c:480 [inline] do_select+0x95f/0x1030 fs/select.c:536 core_sys_select+0x284/0x6d0 fs/select.c:677 do_pselect.constprop.0+0x118/0x150 fs/select.c:759 .... value changed: 0x00000000000801c0 -> 0x00000000000802c0 ================================================================== rtc_dev_poll() is reading rtc->irq_data without a spinlock for some unknown reason. This causes a data-race, so we need to add a spinlock to fix it. Cc: <stable(a)vger.kernel.org> Fixes: e824290e5dcf ("[PATCH] RTC subsystem: dev interface") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- drivers/rtc/dev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/rtc/dev.c b/drivers/rtc/dev.c index 0eeae5bcc3aa..a6570a5a938a 100644 --- a/drivers/rtc/dev.c +++ b/drivers/rtc/dev.c @@ -195,7 +195,9 @@ static __poll_t rtc_dev_poll(struct file *file, poll_table *wait) poll_wait(file, &rtc->irq_queue, wait); + spin_lock_irq(&rtc->irq_lock); data = rtc->irq_data; + spin_unlock_irq(&rtc->irq_lock); return (data != 0) ? (EPOLLIN | EPOLLRDNORM) : 0; } --

8 months

1
0
0 0

+ mm-vmscan-avoid-signedness-error-for-gcc-54.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: vmscan: avoid signedness error for GCC 5.4 has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vmscan-avoid-signedness-error-for-gcc-54.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: WangYuli <wangyuli(a)uniontech.com> Subject: mm: vmscan: avoid signedness error for GCC 5.4 Date: Wed, 7 May 2025 12:08:27 +0800 To the GCC 5.4 compiler, (MAX_NR_TIERS - 1) (i.e., (4U - 1)) is unsigned, whereas tier is a signed integer. Then, the __types_ok check within the __careful_cmp_once macro failed, triggered BUILD_BUG_ON. Use min_t instead of min to circumvent this compiler error. Fix follow error with gcc 5.4: mm/vmscan.c: In function `read_ctrl_pos': mm/vmscan.c:3166:728: error: call to `__compiletime_assert_887' declared with attribute error: min(tier, 4U - 1) signedness error Link: https://lkml.kernel.org/r/62726950F697595A+20250507040827.1147510-1-wangyul… Fixes: 37a260870f2c ("mm/mglru: rework type selection") Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/vmscan.c~mm-vmscan-avoid-signedness-error-for-gcc-54 +++ a/mm/vmscan.c @@ -3163,7 +3163,7 @@ static void read_ctrl_pos(struct lruvec pos->gain = gain; pos->refaulted = pos->total = 0; - for (i = tier % MAX_NR_TIERS; i <= min(tier, MAX_NR_TIERS - 1); i++) { + for (i = tier % MAX_NR_TIERS; i <= min_t(int, tier, MAX_NR_TIERS - 1); i++) { pos->refaulted += lrugen->avg_refaulted[type][i] + atomic_long_read(&lrugen->refaulted[hist][type][i]); pos->total += lrugen->avg_total[type][i] + _ Patches currently in -mm which might be from wangyuli(a)uniontech.com are mm-vmscan-avoid-signedness-error-for-gcc-54.patch ocfs2-o2net_idle_timer-rename-del_timer_sync-in-comment.patch treewide-fix-typo-previlege.patch

8 months

2
1
0 0

[REGRESSION][BISECTED] Commit 60e3318e3e900 in stable/linux-6.1.y breaks cifs client failover to another server in DFS namespace

by Andrew Paniakin

Commit 60e3318e3e900 ("cifs: use fs_context for automounts") was released in v6.1.54 and broke the failover when one of the servers inside DFS becomes unavailable. We reproduced the problem on the EC2 instances of different types. Reverting aforementioned commint on top of the latest stable verison v6.1.94 helps to resolve the problem. Earliest working version is v6.2-rc1. There were two big merges of CIFS fixes: [1] and [2]. We would like to ask for the help to investigate this problem and if some of those patches need to be backported. Also, is it safe to just revert problematic commit until proper fixes/backports will be available? We will help to do testing and confirm if fix works, but let me also list the steps we used to reproduce the problem if it will help to identify the problem: 1. Create Active Directory domain eg. 'corp.fsxtest.local' in AWS Directory Service with: - three AWS FSX file systems filesystem1..filesystem3 - three Windows servers; They have DFS installed as per https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs…: - dfs-srv1: EC2AMAZ-2EGTM59 - dfs-srv2: EC2AMAZ-1N36PRD - dfs-srv3: EC2AMAZ-0PAUH2U 2. Create DFS namespace eg. 'dfs-namespace' in Windows server 2008 mode and three folders targets in it: - referral-a mapped to filesystem1.corp.local - referral-b mapped to filesystem2.corp.local - referral-c mapped to filesystem3.corp.local - local folders dfs-srv1..dfs-srv3 in C:\DFSRoots\dfs-namespace of every Windows server. This helps to quickly define underlying server when DFS is mounted. 3. Enabled cifs debug logs: ``` echo 'module cifs +p' > /sys/kernel/debug/dynamic_debug/control echo 'file fs/cifs/* +p' > /sys/kernel/debug/dynamic_debug/control echo 7 > /proc/fs/cifs/cifsFYI ``` 4. Mount DFS namespace on Amazon Linux 2023 instance running any vanilla kernel v6.1.54+: ``` dmesg -c &>/dev/null cd /mnt mount -t cifs -o cred=/mnt/creds,echo_interval=5 \ //corp.fsxtest.local/dfs-namespace \ ./dfs-namespace ``` 5. List DFS root, it's also required to avoid recursive mounts that happen during regular 'ls' run: ``` sh -c 'ls dfs-namespace' dfs-srv2 referral-a referral-b ``` The DFS server is EC2AMAZ-1N36PRD, it's also listed in mount: ``` [root@ip-172-31-2-82 mnt]# mount | grep dfs //corp.fsxtest.local/dfs-namespace on /mnt/dfs-namespace type cifs (rw,relatime,vers=3.1.1,cache=strict,username=Admin,domain=corp.fsxtest.local,uid=0,noforceuid,gid=0,noforcegid,addr=172.31.11.26,file_mode=0755,dir_mode=0755,soft,nounix,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=5,actimeo=1,closetimeo=1) //EC2AMAZ-1N36PRD.corp.fsxtest.local/dfs-namespace/referral-a on /mnt/dfs-namespace/referral-a type cifs (rw,relatime,vers=3.1.1,cache=strict,username=Admin,domain=corp.fsxtest.local,uid=0,noforceuid,gid=0,noforcegid,addr=172.31.12.80,file_mode=0755,dir_mode=0755,soft,nounix,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=5,actimeo=1,closetimeo=1) ``` List files in first folder: ``` sh -c 'ls dfs-namespace/referral-a' filea.txt.txt ``` 6. Shutdown DFS server-2. List DFS root again, server changed from dfs-srv2 to dfs-srv1 EC2AMAZ-2EGTM59: ``` sh -c 'ls dfs-namespace' dfs-srv1 referral-a referral-b ``` 7. Try to list files in another folder, this causes ls to fail with error: ``` sh -c 'ls dfs-namespace/referral-b' ls: cannot access 'dfs-namespace/referral-b': No route to host``` Sometimes it's also 'Operation now in progress' error. mount shows the same output: ``` //corp.fsxtest.local/dfs-namespace on /mnt/dfs-namespace type cifs (rw,relatime,vers=3.1.1,cache=strict,username=Admin,domain=corp.fsxtest.local,uid=0,noforceuid,gid=0,noforcegid,addr=172.31.11.26,file_mode=0755,dir_mode=0755,soft,nounix,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=5,actimeo=1,closetimeo=1) //EC2AMAZ-1N36PRD.corp.fsxtest.local/dfs-namespace/referral-a on /mnt/dfs-namespace/referral-a type cifs (rw,relatime,vers=3.1.1,cache=strict,username=Admin,domain=corp.fsxtest.local,uid=0,noforceuid,gid=0,noforcegid,addr=172.31.12.80,file_mode=0755,dir_mode=0755,soft,nounix,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=5,actimeo=1,closetimeo=1) ``` I also attached kernel debug logs from this test. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… Reported-by: Andrei Paniakin <apanyaki(a)amazon.com> Bisected-by: Simba Bonga <simbarb(a)amazon.com> --- #regzbot introduced: v6.1.54..v6.2-rc1

8 months

3
12
0 0

[PATCH] ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction

by Peter Ujfalusi

The firmware does not provide any information for capture streams via the shared pipeline registers. To avoid reporting invalid delay value for capture streams to user space we need to disable it. Fixes: af74dbd0dbcf ("ASoC: SOF: ipc4-pcm: allocate time info for pcm delay feature") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Reviewed-by: Liam Girdwood <liam.r.girdwood(a)intel.com> --- sound/soc/sof/ipc4-pcm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/sof/ipc4-pcm.c b/sound/soc/sof/ipc4-pcm.c index 52903503cf3b..8eee3e1aadf9 100644 --- a/sound/soc/sof/ipc4-pcm.c +++ b/sound/soc/sof/ipc4-pcm.c @@ -799,7 +799,8 @@ static int sof_ipc4_pcm_setup(struct snd_sof_dev *sdev, struct snd_sof_pcm *spcm spcm->stream[stream].private = stream_priv; - if (!support_info) + /* Delay reporting is only supported on playback */ + if (!support_info || stream == SNDRV_PCM_STREAM_CAPTURE) continue; time_info = kzalloc(sizeof(*time_info), GFP_KERNEL); -- 2.49.0

8 months

2
1
0 0

[PATCH] ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext

by Peter Ujfalusi

The header.numid is set to scontrol->comp_id in bytes_ext_get and it is ignored during bytes_ext_put. The use of comp_id is not quite great as it is kernel internal identification number. Set the header.numid to SOF_CTRL_CMD_BINARY during get and validate the numid during put to provide consistent and compatible identification number as IPC3. For IPC4 existing tooling also ignored the numid but with the use of SOF_CTRL_CMD_BINARY the different handling of the blobs can be dropped, providing better user experience. Reported-by: Seppo Ingalsuo <seppo.ingalsuo(a)linux.intel.com> Closes: https://github.com/thesofproject/linux/issues/5282 Fixes: a062c8899fed ("ASoC: SOF: ipc4-control: Add support for bytes control get and put") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Reviewed-by: Liam Girdwood <liam.r.girdwood(a)intel.com> --- sound/soc/sof/ipc4-control.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/sound/soc/sof/ipc4-control.c b/sound/soc/sof/ipc4-control.c index 576f407cd456..976a4794d610 100644 --- a/sound/soc/sof/ipc4-control.c +++ b/sound/soc/sof/ipc4-control.c @@ -531,6 +531,14 @@ static int sof_ipc4_bytes_ext_put(struct snd_sof_control *scontrol, return -EINVAL; } + /* Check header id */ + if (header.numid != SOF_CTRL_CMD_BINARY) { + dev_err_ratelimited(scomp->dev, + "Incorrect numid for bytes put %d\n", + header.numid); + return -EINVAL; + } + /* Verify the ABI header first */ if (copy_from_user(&abi_hdr, tlvd->tlv, sizeof(abi_hdr))) return -EFAULT; @@ -613,7 +621,8 @@ static int _sof_ipc4_bytes_ext_get(struct snd_sof_control *scontrol, if (data_size > size) return -ENOSPC; - header.numid = scontrol->comp_id; + /* Set header id and length */ + header.numid = SOF_CTRL_CMD_BINARY; header.length = data_size; if (copy_to_user(tlvd, &header, sizeof(struct snd_ctl_tlv))) -- 2.49.0

8 months

2
1
0 0

[PATCH] ASoc: SOF: topology: connect DAI to a single DAI link

by Peter Ujfalusi

From: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> The partial matching of DAI widget to link names, can cause problems if one of the widget names is a substring of another. E.g. with names "Foo1" and Foo10", it's not possible to correctly link up "Foo1". Modify the logic so that if multiple DAI links match the widget stream name, prioritize a full match if one is found. Fixes: fe88788779fc ("ASoC: SOF: topology: Use partial match for connecting DAI link and DAI widget") Link: https://github.com/thesofproject/linux/issues/5308 Signed-off-by: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> --- sound/soc/sof/topology.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c index 2d4e660b19d5..d612d693efc3 100644 --- a/sound/soc/sof/topology.c +++ b/sound/soc/sof/topology.c @@ -1071,7 +1071,7 @@ static int sof_connect_dai_widget(struct snd_soc_component *scomp, struct snd_sof_dai *dai) { struct snd_soc_card *card = scomp->card; - struct snd_soc_pcm_runtime *rtd; + struct snd_soc_pcm_runtime *rtd, *full, *partial; struct snd_soc_dai *cpu_dai; int stream; int i; @@ -1088,12 +1088,22 @@ static int sof_connect_dai_widget(struct snd_soc_component *scomp, else goto end; + full = NULL; + partial = NULL; list_for_each_entry(rtd, &card->rtd_list, list) { /* does stream match DAI link ? */ - if (!rtd->dai_link->stream_name || - !strstr(rtd->dai_link->stream_name, w->sname)) - continue; + if (rtd->dai_link->stream_name) { + if (!strcmp(rtd->dai_link->stream_name, w->sname)) { + full = rtd; + break; + } else if (strstr(rtd->dai_link->stream_name, w->sname)) { + partial = rtd; + } + } + } + rtd = full ? full : partial; + if (rtd) { for_each_rtd_cpu_dais(rtd, i, cpu_dai) { /* * Please create DAI widget in the right order -- 2.49.0

8 months

2
1
0 0

[PATCH] ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms

by Peter Ujfalusi

Keep using the PIO mode for commands on ACE2+ platforms, similarly how the legacy stack is configured. Fixes: 05cf17f1bf6d ("ASoC: SOF: Intel: hda-bus: Use PIO mode for Lunar Lake") Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- sound/soc/sof/intel/hda-bus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/sof/intel/hda-bus.c b/sound/soc/sof/intel/hda-bus.c index b1be03011d7e..6492e1cefbfb 100644 --- a/sound/soc/sof/intel/hda-bus.c +++ b/sound/soc/sof/intel/hda-bus.c @@ -76,7 +76,7 @@ void sof_hda_bus_init(struct snd_sof_dev *sdev, struct device *dev) snd_hdac_ext_bus_init(bus, dev, &bus_core_ops, sof_hda_ext_ops); - if (chip && chip->hw_ip_version == SOF_INTEL_ACE_2_0) + if (chip && chip->hw_ip_version >= SOF_INTEL_ACE_2_0) bus->use_pio_for_commands = true; #else snd_hdac_ext_bus_init(bus, dev, NULL, NULL); -- 2.49.0

8 months

2
1
0 0

[PATCH 5.15 00/55] 5.15.182-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.182 release. There are 55 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 10 May 2025 11:25:42 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.182-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.182-rc2 Tudor Ambarus <tudor.ambarus(a)linaro.org> dm: fix copying after src array boundaries Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Use the new rb tree helpers Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Thomas Gleixner <tglx(a)linutronix.de> irqchip/gic-v2m: Mark a few functions __init Xiang wangx <wangxiang(a)cdjrlc.com> irqchip/gic-v2m: Add const to of_device_id Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix deadlock issue when externel_lb and reset are executed together Sergey Shtylyov <s.shtylyov(a)omp.ru> of: module: add buffer overflow check in of_modalias() Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: add support for external loopback test Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Brett Creeley <brett.creeley(a)intel.com> ice: Refactor promiscuous functions Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Biao Huang <biao.huang(a)mediatek.com> net: ethernet: mtk-star-emac: separate tx/rx handling with two NAPIs Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Jakub Kicinski <kuba(a)kernel.org> net/sched: act_mirred: don't override retval if we already lost the skb Sean Christopherson <seanjc(a)google.com> KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/x86/include/asm/kvm-x86-ops.h | 1 + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/svm.c | 13 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/x86.c | 3 + drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_scmi/bus.c | 3 + drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 ++--- drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v2m.c | 8 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 ++- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 119 ++++++-- drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 3 + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 61 ++-- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 26 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_fltr.c | 58 ++++ drivers/net/ethernet/intel/ice/ice_fltr.h | 12 + drivers/net/ethernet/intel/ice/ice_main.c | 49 +-- drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 139 ++++----- drivers/net/ethernet/mediatek/mtk_star_emac.c | 339 ++++++++++++--------- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/phy/microchip.c | 46 +-- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/nvme/host/tcp.c | 31 +- drivers/of/device.c | 7 +- drivers/pci/controller/dwc/pci-imx6.c | 5 +- kernel/trace/trace.c | 5 +- net/ipv4/udp_offload.c | 61 +++- net/sched/act_mirred.c | 22 +- net/sched/sch_drr.c | 9 +- net/sched/sch_ets.c | 9 +- net/sched/sch_hfsc.c | 2 +- net/sched/sch_qfq.c | 11 +- sound/usb/format.c | 3 +- 65 files changed, 926 insertions(+), 505 deletions(-)

8 months

6
5
0 0

[PATCH 6.6 000/129] 6.6.90-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.90 release. There are 129 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 10 May 2025 11:25:47 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.90-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.90-rc2 Tudor Ambarus <tudor.ambarus(a)linaro.org> dm: fix copying after src array boundaries Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix possible null pointer dereference at secondary interrupter removal Marc Zyngier <maz(a)kernel.org> usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Use the new rb tree helpers Shyam Saini <shyamsaini(a)linux.microsoft.com> drivers: base: handle module_kobject creation Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: globalize lookup_or_create_module_kobject() Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: param: rename locate_module_kobject Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Limit time spent with xHC interrupts disabled during bus resume Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: support setting interrupt moderation IMOD for secondary interrupters Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: check if 'requested segments' exceeds ERST capacity Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Add helper to set an interrupters interrupt moderation interval Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: add support to allocate several interrupters Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: split free interrupter into separate remove and free parts Lukas Wunner <lukas(a)wunner.de> xhci: Clean up stale comment on ERST_SIZE macro Jonathan Bell <jonathan(a)raspberrypi.com> xhci: Use more than one Event Ring segment Lukas Wunner <lukas(a)wunner.de> xhci: Set DESI bits in ERDP register correctly Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Samuel Holland <samuel.holland(a)sifive.com> riscv: Pass patch_text() the length in bytes Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Rob Herring (Arm) <robh(a)kernel.org> ASoC: Use of_property_read_bool() Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Sathesh B Edara <sedara(a)marvell.com> octeon_ep: Fix host hang issue during device reboot Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Chad Monroe <chad(a)monroe.io> net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Jacob Keller <jacob.e.keller(a)intel.com> igc: fix lock order in igc_ptp_reset Da Xue <da(a)libre.computer> net: mdio: mux-meson-gxl: set reversed bit when using internal phy Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Keith Busch <kbusch(a)kernel.org> nvme-pci: fix queue unquiesce check on slot_reset Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Shannon Nelson <shannon.nelson(a)amd.com> pds_core: remove write-after-free of client_id Shannon Nelson <shannon.nelson(a)amd.com> pds_core: specify auxiliary_device to be created Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make pdsc_auxbus_dev_del() void Shannon Nelson <shannon.nelson(a)amd.com> pds_core: delete VF dev on reset Shannon Nelson <shannon.nelson(a)amd.com> pds_core: check health in devcmd wait Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: copy RX timestamp to new fragments Abhishek Chauhan <quic_abchauha(a)quicinc.com> net: Rename mono_delivery_time to tstamp_type for scalabilty En-Wei Wu <en-wei.wu(a)canonical.com> Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Fix dash warning Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Chen Linxuan <chenlinxuan(a)uniontech.com> drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Check for ld-option support Donet Tom <donettom(a)linux.ibm.com> book3s64/radix : Align section vmemmap start address to PAGE_SIZE Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Robin Murphy <robin.murphy(a)arm.com> iommu: Handle race with default domain setup Sean Christopherson <seanjc(a)google.com> KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Ryan Matthews <ryanmatthews(a)fastmail.com> Revert "PCI: imx6: Skip controller_id generation logic for i.MX7D" Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: extend changes_pkt_data with cases w/o subprograms Eduard Zingerman <eddyz87(a)gmail.com> bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: validate that tail call invalidates packet pointers Eduard Zingerman <eddyz87(a)gmail.com> bpf: consider that tail calls invalidate packet pointers Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: freplace tests for tracking of changes_packet_data Eduard Zingerman <eddyz87(a)gmail.com> bpf: check changes_pkt_data property for extension programs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: test for changing packet data from global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: track changes_pkt_data property for global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: refactor bpf_helper_changes_pkt_data to use helper number Eduard Zingerman <eddyz87(a)gmail.com> bpf: add find_containing_subprog() utility function Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Jethro Donaldson <devel(a)jro.nz> smb: client: fix zero length for mkdir POSIX create context Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not take trace_event_sem in print_event_fields() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: repeat setting reserved region nid if array is doubled Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: pass size instead of end to memblock_set_node() Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/fdinfo: Protect against driver unbind Dave Chen <davechen(a)synology.com> btrfs: fix COW handling in run_delalloc_nocow() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Geoffrey D. Bennett <g(a)b4.vu> ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" ------------- Diffstat: Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 +- arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/boot/wrapper | 6 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 17 +- arch/riscv/include/asm/patch.h | 2 +- arch/riscv/kernel/patch.c | 14 +- arch/riscv/kernel/probes/kprobes.c | 18 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/riscv/net/bpf_jit_comp64.c | 7 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/kvm-x86-ops.h | 1 + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/svm.c | 13 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/x86.c | 3 + drivers/base/module.c | 13 +- drivers/bluetooth/btusb.c | 101 ++++++++--- drivers/cpufreq/cpufreq.c | 42 ++++- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 6 +- drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 +++--- drivers/gpu/drm/drm_file.c | 6 + drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 +++++---- drivers/iommu/intel/iommu.c | 4 +- drivers/iommu/iommu.c | 18 ++ drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 9 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 49 +++--- drivers/net/ethernet/amd/pds_core/core.h | 7 +- drivers/net/ethernet/amd/pds_core/dev.c | 11 +- drivers/net/ethernet/amd/pds_core/devlink.c | 7 +- drivers/net/ethernet/amd/pds_core/main.c | 23 ++- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 ++- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 +++- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 +++++---- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 ++- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/igc/igc_ptp.c | 6 +- .../net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 14 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 194 +++++++++++++++++++-- drivers/net/ethernet/mscc/ocelot_vcap.c | 1 + drivers/net/ethernet/vertexcom/mse102x.c | 36 +++- drivers/net/mdio/mdio-mux-meson-gxl.c | 3 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/pci.c | 2 +- drivers/nvme/host/tcp.c | 31 +++- drivers/pci/controller/dwc/pci-imx6.c | 3 +- drivers/platform/x86/amd/pmc/pmc.c | 7 +- .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- drivers/spi/spi-tegra114.c | 6 +- drivers/usb/host/xhci-debugfs.c | 2 +- drivers/usb/host/xhci-hub.c | 30 ++-- drivers/usb/host/xhci-mem.c | 175 +++++++++++++++---- drivers/usb/host/xhci-ring.c | 4 +- drivers/usb/host/xhci.c | 80 ++++++--- drivers/usb/host/xhci.h | 20 ++- fs/btrfs/inode.c | 9 +- fs/smb/client/smb2pdu.c | 1 + fs/smb/server/auth.c | 14 +- fs/smb/server/smb2pdu.c | 5 - include/linux/bpf.h | 1 + include/linux/bpf_verifier.h | 1 + include/linux/cpufreq.h | 83 ++++++--- include/linux/filter.h | 2 +- include/linux/module.h | 2 + include/linux/pds/pds_core_if.h | 1 + include/linux/skbuff.h | 52 ++++-- include/net/inet_frag.h | 4 +- include/soc/mscc/ocelot_vcap.h | 2 + include/sound/ump_convert.h | 2 +- kernel/bpf/core.c | 2 +- kernel/bpf/verifier.c | 81 +++++++-- kernel/params.c | 6 +- kernel/trace/trace.c | 5 +- kernel/trace/trace_output.c | 4 +- mm/memblock.c | 12 +- net/bluetooth/l2cap_core.c | 3 + net/bridge/netfilter/nf_conntrack_bridge.c | 6 +- net/core/dev.c | 2 +- net/core/filter.c | 73 ++++---- net/ieee802154/6lowpan/reassembly.c | 2 +- net/ipv4/inet_fragment.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_output.c | 9 +- net/ipv4/tcp_output.c | 14 +- net/ipv4/udp_offload.c | 61 ++++++- net/ipv6/ip6_output.c | 6 +- net/ipv6/netfilter.c | 6 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- net/ipv6/tcp_ipv6.c | 2 +- net/sched/act_bpf.c | 4 +- net/sched/cls_bpf.c | 4 +- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- sound/soc/codecs/ak4613.c | 4 +- sound/soc/soc-core.c | 36 ++-- sound/soc/soc-pcm.c | 5 +- sound/usb/endpoint.c | 7 + sound/usb/format.c | 3 +- .../selftests/bpf/prog_tests/changes_pkt_data.c | 107 ++++++++++++ .../testing/selftests/bpf/progs/changes_pkt_data.c | 39 +++++ .../bpf/progs/changes_pkt_data_freplace.c | 18 ++ tools/testing/selftests/bpf/progs/verifier_sock.c | 56 ++++++ 143 files changed, 1763 insertions(+), 662 deletions(-)

8 months

8
8
0 0

Re: [PATCH] scsi: smartpqi: Fix the race condition between pqi_tmf_worker and pqi_sdev_destroy

by Don.Brace＠microchip.com

---------- Forwarded message --------- From: Zhu Wei <zhuwei(a)sangfor.com.cn> Date: Thu, May 8, 2025 at 7:57 AM Subject: [PATCH] scsi: smartpqi: Fix the race condition between pqi_tmf_worker and pqi_sdev_destroy To: <don.brace(a)microchip.com>, <kevin.barnett(a)microchip.com> Cc: <dinghui(a)sangfor.com.cn>, <zengzhicong(a)sangfor.com.cn>, <James.Bottomley(a)hansenpartnership.com>, <martin.petersen(a)oracle.com>, <storagedev(a)microchip.com>, <linux-scsi(a)vger.kernel.org>, <linux-kernel(a)vger.kernel.org>, <stable(a)vger.kernel.org>, Zhu Wei <zhuwei(a)sangfor.com.cn> There is a race condition between pqi_sdev_destroy and pqi_tmf_worker. After pqi_free_device is released, pqi_tmf_worker will still use device. Don: Thank-you for your patch, however we recently applied a similar patch to our internal repo. Don: But more checking is done for removed devices. Don: When this patch has been tested internally, we will post it up for review. Don: I will add a Reported-By tag with your name. Don: So Nak. kasan report: [ 1933.765810] ================================================================== [ 1933.771862] scsi 15:0:20:0: Direct-Access ATA WDC WUH722222AL WTS2 PQ: 0 ANSI: 6 [ 1933.779190] BUG: KASAN: use-after-free in pqi_device_wait_for_pending_io+0x9e/0x600 [smartpqi] [ 1933.779194] Read of size 4 at addr ffff88954c490480 by task kworker/2:2/518186 [ 1933.779201] CPU: 2 PID: 518186 Comm: kworker/2:2 Kdump: loaded Tainted: G U OE 4.19.90-89.16.v2401.osc.sfc.6.11.1.0108.ky10.x86_64+debug #1 [ 1933.779203] Source Version: v6.11.1.0108+0~65323201.20250328 [ 1933.779205] Hardware name: SANGFOR S2122-S12L/ASERVER-P-2000, BIOS TYR.2.00.0100 05/18/2019 [ 1933.779213] Workqueue: events pqi_tmf_worker [smartpqi] [ 1933.779216] Call Trace: [ 1933.779225] dump_stack+0x8b/0xb9 [ 1933.779239] print_address_description+0x65/0x2b0 [ 1933.779249] kasan_report+0x14b/0x290 [ 1933.779255] pqi_device_wait_for_pending_io+0x9e/0x600 [smartpqi] [ 1933.779264] pqi_device_reset_handler+0x174f/0x1f30 [smartpqi] [ 1933.779284] process_one_work+0x65f/0x12d0 [ 1933.806306] worker_thread+0x87/0xb50 [ 1933.806315] kthread+0x2e9/0x3a0 [ 1933.806323] ret_from_fork+0x1f/0x40 [ 1933.843994] Allocated by task 579094: [ 1933.875361] save_stack+0x19/0x80 [ 1933.892366] kasan_kmalloc+0xa0/0xd0 [ 1933.892373] kmem_cache_alloc+0xbb/0x1c0 [ 1933.892378] getname_flags+0xba/0x500 [ 1933.892384] user_path_at_empty+0x1d/0x40 [ 1933.892389] vfs_statx+0xb9/0x140 [ 1933.892397] __do_sys_newstat+0x77/0xd0 [ 1933.913179] do_syscall_64+0xa4/0x430 [ 1933.913187] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 1933.933381] Freed by task 579094: [ 1933.933389] save_stack+0x19/0x80 [ 1933.933392] __kasan_slab_free+0x130/0x180 [ 1933.933396] kmem_cache_free+0x78/0x1e0 [ 1933.933401] filename_lookup+0x216/0x400 [ 1933.933405] vfs_statx+0xb9/0x140 [ 1933.933407] __do_sys_newstat+0x77/0xd0 [ 1933.933417] do_syscall_64+0xa4/0x430 [ 1933.933432] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 1933.956837] [ 1933.956842] The buggy address belongs to the object at ffff88954c490000 which belongs to the cache names_cache of size 4096 [ 1933.956845] The buggy address is located 1152 bytes inside of 4096-byte region [ffff88954c490000, ffff88954c491000) [ 1933.956851] The buggy address belongs to the page: [ 1934.297352] page:ffffea0055312400 count:1 mapcount:0 mapping:ffff888100580f00 index:0x0 compound_mapcount: 0 [ 1934.309566] flags: 0x57ffffc0008100(slab|head) [ 1934.316370] raw: 0057ffffc0008100 0000000000000000 dead000000000200 ffff888100580f00 [ 1934.326518] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 [ 1934.338191] page dumped because: kasan: bad access detected [ 1934.346177] [ 1934.350031] Memory state around the buggy address: [ 1934.357220] ffff88954c490380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.366854] ffff88954c490400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.376474] >ffff88954c490480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.386094] ^ [ 1934.391684] ffff88954c490500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.402601] ffff88954c490580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.412228] ================================================================== Before pqi_sdev_destroy executes pqi_free_device, cancel the pqi_tmf_worker of the corresponding device. Fixes: 2d80f4054f7f ("scsi: smartpqi: Update deleting a LUN via sysfs") Signed-off-by: Zhu Wei <zhuwei(a)sangfor.com.cn> --- drivers/scsi/smartpqi/smartpqi_init.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c index 8a26eca4fdc9..102ed7501f08 100644 --- a/drivers/scsi/smartpqi/smartpqi_init.c +++ b/drivers/scsi/smartpqi/smartpqi_init.c @@ -6581,6 +6581,8 @@ static void pqi_sdev_destroy(struct scsi_device *sdev) struct pqi_scsi_dev *device; int mutex_acquired; unsigned long flags; + unsigned int lun; + struct pqi_tmf_work *tmf_work; ctrl_info = shost_to_hba(sdev->host); @@ -6607,6 +6609,8 @@ static void pqi_sdev_destroy(struct scsi_device *sdev) mutex_unlock(&ctrl_info->scan_mutex); pqi_dev_info(ctrl_info, "removed", device); + for (lun = 0, tmf_work = device->tmf_work; lun < PQI_MAX_LUNS_PER_DEVICE; lun++, tmf_work++) + cancel_work_sync(&tmf_work->work_struct); pqi_free_device(device); } -- 2.43.0

8 months

2
1
0 0

[PATCH] soc: qcom: pmic_glink_altmode: fix spurious DP hotplug events

by Johan Hovold

The PMIC GLINK driver is currently generating DisplayPort hotplug notifications whenever something is connected to (or disconnected from) a port regardless of the type of notification sent by the firmware. These notifications are forwarded to user space by the DRM subsystem as connector "change" uevents: KERNEL[1556.223776] change /devices/platform/soc(a)0/ae00000.display-subsystem/ae01000.display-controller/drm/card0 (drm) ACTION=change DEVPATH=/devices/platform/soc(a)0/ae00000.display-subsystem/ae01000.display-controller/drm/card0 SUBSYSTEM=drm HOTPLUG=1 CONNECTOR=36 DEVNAME=/dev/dri/card0 DEVTYPE=drm_minor SEQNUM=4176 MAJOR=226 MINOR=0 On the Lenovo ThinkPad X13s and T14s, the PMIC GLINK firmware sends two identical notifications with orientation information when connecting a charger, each generating a bogus DRM hotplug event. On the X13s, two such notification are also sent every 90 seconds while a charger remains connected, which again are forwarded to user space: port = 1, svid = ff00, mode = 255, hpd_state = 0 payload = 01 00 00 00 00 00 00 ff 00 00 00 00 00 00 00 00 Note that the firmware only sends on of these when connecting an ethernet adapter. Fix the spurious hotplug events by only forwarding hotplug notifications for the Type-C DisplayPort service id. This also reduces the number of uevents from four to two when an actual DisplayPort altmode device is connected: port = 0, svid = ff01, mode = 2, hpd_state = 0 payload = 00 01 02 00 f2 0c 01 ff 03 00 00 00 00 00 00 00 port = 0, svid = ff01, mode = 2, hpd_state = 1 payload = 00 01 02 00 f2 0c 01 ff 43 00 00 00 00 00 00 00 Fixes: 080b4e24852b ("soc: qcom: pmic_glink: Introduce altmode support") Cc: stable(a)vger.kernel.org # 6.3 Cc: Bjorn Andersson <andersson(a)kernel.org> Reported-by: Clayton Craft <clayton(a)craftyguy.net> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- Clayton reported seeing display flickering with recent RC kernels, which may possibly be related to these spurious events being generated with even greater frequency. That still remains to be fully understood, but the spurious events, that on the X13s are generated every 90 seconds, should be fixed either way. Johan drivers/soc/qcom/pmic_glink_altmode.c | 30 +++++++++++++++++---------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c index bd06ce161804..7f11acd33323 100644 --- a/drivers/soc/qcom/pmic_glink_altmode.c +++ b/drivers/soc/qcom/pmic_glink_altmode.c @@ -218,21 +218,29 @@ static void pmic_glink_altmode_worker(struct work_struct *work) { struct pmic_glink_altmode_port *alt_port = work_to_altmode_port(work); struct pmic_glink_altmode *altmode = alt_port->altmode; + enum drm_connector_status conn_status; typec_switch_set(alt_port->typec_switch, alt_port->orientation); - if (alt_port->svid == USB_TYPEC_DP_SID && alt_port->mode == 0xff) - pmic_glink_altmode_safe(altmode, alt_port); - else if (alt_port->svid == USB_TYPEC_DP_SID) - pmic_glink_altmode_enable_dp(altmode, alt_port, alt_port->mode, - alt_port->hpd_state, alt_port->hpd_irq); - else - pmic_glink_altmode_enable_usb(altmode, alt_port); + if (alt_port->svid == USB_TYPEC_DP_SID) { + if (alt_port->mode == 0xff) { + pmic_glink_altmode_safe(altmode, alt_port); + } else { + pmic_glink_altmode_enable_dp(altmode, alt_port, + alt_port->mode, + alt_port->hpd_state, + alt_port->hpd_irq); + } - drm_aux_hpd_bridge_notify(&alt_port->bridge->dev, - alt_port->hpd_state ? - connector_status_connected : - connector_status_disconnected); + if (alt_port->hpd_state) + conn_status = connector_status_connected; + else + conn_status = connector_status_disconnected; + + drm_aux_hpd_bridge_notify(&alt_port->bridge->dev, conn_status); + } else { + pmic_glink_altmode_enable_usb(altmode, alt_port); + } pmic_glink_altmode_request(altmode, ALTMODE_PAN_ACK, alt_port->index); } -- 2.48.1

8 months

5
9
0 0

[PATCH] ACPI: resource: fix a typo for MECHREVO in irq1_edge_low_force_override

by Mingcong Bai

The vendor name for MECHREVO was incorrectly spelled in commit b53f09ecd602 ("ACPI: resource: Do IRQ override on MECHREV GM7XG0M"). Correct this typo in this trivial patch. Cc: stable(a)vger.kernel.org Fixes: b53f09ecd602 ("ACPI: resource: Do IRQ override on MECHREV GM7XG0M") Signed-off-by: Mingcong Bai <jeffbai(a)aosc.io> --- drivers/acpi/resource.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 14c7bac4100b..7d59c6c9185f 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -534,7 +534,7 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = { */ static const struct dmi_system_id irq1_edge_low_force_override[] = { { - /* MECHREV Jiaolong17KS Series GM7XG0M */ + /* MECHREVO Jiaolong17KS Series GM7XG0M */ .matches = { DMI_MATCH(DMI_BOARD_NAME, "GM7XG0M"), }, -- 2.49.0

8 months

2
1
0 0

[PATCH v2] drm/dp: Fix Write_Status_Update_Request AUX request format

by Wayne Lin

[Why] Notice AUX request format of I2C-over-AUX with Write_Status_Update_Request flag set is incorrect. It should be address only request without length and data like: "SYNC->COM3:0 (= 0110)|0000-> 0000|0000-> 0|7-bit I2C address (the same as the last)-> STOP->". [How] Refer to DP v2.1 Table 2-178, correct the Write_Status_Update_Request to be address only request. Note that we might receive 0 returned by aux->transfer() when receive reply I2C_ACK|AUX_ACK of Write_Status_Update_Request transaction. Which indicating all data bytes get written. We should avoid to return 0 bytes get transferred under this case. V2: - Add checking condition before restoring msg->buffer and msg->size. (Limonciello Mario) - Revise unclear comment to appropriately describe the idea. (Jani Nikula) Fixes: 68ec2a2a2481 ("drm/dp: Use I2C_WRITE_STATUS_UPDATE to drain partial I2C_WRITE requests") Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> --- drivers/gpu/drm/display/drm_dp_helper.c | 54 +++++++++++++++++++++---- 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c index 57828f2b7b5a..c71a1395a2d6 100644 --- a/drivers/gpu/drm/display/drm_dp_helper.c +++ b/drivers/gpu/drm/display/drm_dp_helper.c @@ -1857,6 +1857,12 @@ static u32 drm_dp_i2c_functionality(struct i2c_adapter *adapter) I2C_FUNC_10BIT_ADDR; } +static inline bool +drm_dp_i2c_msg_is_write_status_update(struct drm_dp_aux_msg *msg) +{ + return ((msg->request & ~DP_AUX_I2C_MOT) == DP_AUX_I2C_WRITE_STATUS_UPDATE); +} + static void drm_dp_i2c_msg_write_status_update(struct drm_dp_aux_msg *msg) { /* @@ -1965,6 +1971,7 @@ MODULE_PARM_DESC(dp_aux_i2c_speed_khz, static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) { unsigned int retry, defer_i2c; + struct drm_dp_aux_msg orig_msg = *msg; int ret; /* * DP1.2 sections 2.7.7.1.5.6.1 and 2.7.7.1.6.6.1: A DP Source device @@ -1976,6 +1983,12 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) int max_retries = max(7, drm_dp_i2c_retry_count(msg, dp_aux_i2c_speed_khz)); for (retry = 0, defer_i2c = 0; retry < (max_retries + defer_i2c); retry++) { + if (drm_dp_i2c_msg_is_write_status_update(msg)) { + /* Address only transaction */ + msg->buffer = NULL; + msg->size = 0; + } + ret = aux->transfer(aux, msg); if (ret < 0) { if (ret == -EBUSY) @@ -1993,7 +2006,7 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) else drm_dbg_kms(aux->drm_dev, "%s: transaction failed: %d\n", aux->name, ret); - return ret; + goto out; } @@ -2008,7 +2021,8 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) case DP_AUX_NATIVE_REPLY_NACK: drm_dbg_kms(aux->drm_dev, "%s: native nack (result=%d, size=%zu)\n", aux->name, ret, msg->size); - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; case DP_AUX_NATIVE_REPLY_DEFER: drm_dbg_kms(aux->drm_dev, "%s: native defer\n", aux->name); @@ -2027,24 +2041,41 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) default: drm_err(aux->drm_dev, "%s: invalid native reply %#04x\n", aux->name, msg->reply); - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; } switch (msg->reply & DP_AUX_I2C_REPLY_MASK) { case DP_AUX_I2C_REPLY_ACK: + /* + * When DPTx sets Write_Status_Update_Request flag to + * ask DPRx for the write status, the AUX reply from + * DPRx will be I2C_ACK|AUX_ACK if I2C write request + * completes successfully. Such AUX transaction is for + * status checking only, so no new data is written by + * aux->transfer(). In this case, here we have to + * report all original data get written. Otherwise, + * drm_dp_i2c_drain_msg() takes returned value 0 as + * an error. + */ + if (drm_dp_i2c_msg_is_write_status_update(msg) && ret == 0) + ret = orig_msg.size; + /* * Both native ACK and I2C ACK replies received. We * can assume the transfer was successful. */ if (ret != msg->size) drm_dp_i2c_msg_write_status_update(msg); - return ret; + + goto out; case DP_AUX_I2C_REPLY_NACK: drm_dbg_kms(aux->drm_dev, "%s: I2C nack (result=%d, size=%zu)\n", aux->name, ret, msg->size); aux->i2c_nack_count++; - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; case DP_AUX_I2C_REPLY_DEFER: drm_dbg_kms(aux->drm_dev, "%s: I2C defer\n", aux->name); @@ -2063,12 +2094,21 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) default: drm_err(aux->drm_dev, "%s: invalid I2C reply %#04x\n", aux->name, msg->reply); - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; } } drm_dbg_kms(aux->drm_dev, "%s: Too many retries, giving up\n", aux->name); - return -EREMOTEIO; + ret = -EREMOTEIO; +out: + /* In case we change original msg by Write_Status_Update case*/ + if (drm_dp_i2c_msg_is_write_status_update(msg)) { + msg->buffer = orig_msg.buffer; + msg->size = orig_msg.size; + } + + return ret; } static void drm_dp_i2c_msg_set_request(struct drm_dp_aux_msg *msg, -- 2.43.0

8 months

2
1
0 0

[PATCH v5 00/26] Add support for HEVC and VP9 codecs in decoder

by Dikshita Agarwal

Hi All, This patch series adds initial support for the HEVC(H.265) and VP9 codecs in iris decoder. The objective of this work is to extend the decoder's capabilities to handle HEVC and VP9 codec streams, including necessary format handling and buffer management. In addition, the series also includes a set of fixes to address issues identified during testing of these additional codecs. These patches also address the comments and feedback received from the RFC patches previously sent. I have made the necessary improvements based on the community's suggestions. Changes in v5: - Splitted patch 01/25 in two patches (Bryan) - Link to v4: https://lore.kernel.org/r/20250507-video-iris-hevc-vp9-v4-0-58db3660ac61@qu… Changes in v4: - Splitted patch patch 06/23 in two patches (Bryan) - Simplified the conditional logic in patch 13/23 (Bryan) - Improved commit description for patch patch 13/23 (Nicolas) - Fix the value of H265_NUM_TILE_ROW macro (Neil) - Link to v3: https://lore.kernel.org/r/20250502-qcom-iris-hevc-vp9-v3-0-552158a10a7d@qui… Changes in v3: - Introduced two wrappers with explicit names to handle destroy internal buffers (Nicolas) - Used sub state check instead of introducing new boolean (Vikash) - Addressed other comments (Vikash) - Reorderd patches to have all fixes patches first (Dmitry) - Link to v2: https://lore.kernel.org/r/20250428-qcom-iris-hevc-vp9-v2-0-3a6013ecb8a5@qui… Changes in v2: - Added Changes to make sure all buffers are released in session close (bryna) - Added tracking for flush responses to fix a timing issue. - Added a handling to fix timing issue in reconfig - Splitted patch 06/20 in two patches (Bryan) - Added missing fixes tag (bryan) - Updated fluster report (Nicolas) - Link to v1: https://lore.kernel.org/r/20250408-iris-dec-hevc-vp9-v1-0-acd258778bd6@quic… Changes sinces RFC: - Added additional fixes to address issues identified during further testing. - Moved typo fix to a seperate patch [Neil] - Reordered the patches for better logical flow and clarity [Neil, Dmitry] - Added fixes tag wherever applicable [Neil, Dmitry] - Removed the default case in the switch statement for codecs [Bryan] - Replaced if-else statements with switch-case [Bryan] - Added comments for mbpf [Bryan] - RFC: https://lore.kernel.org/linux-media/20250305104335.3629945-1-quic_dikshita@… These patches are tested on SM8250 and SM8550 with v4l2-ctl and Gstreamer for HEVC and VP9 decoders, at the same time ensured that the existing H264 decoder functionality remains uneffected. Note: 1 of the fluster compliance test is fixed with firmware [3] [3]: https://lore.kernel.org/linux-firmware/1a511921-446d-cdc4-0203-084c88a5dc1e… The result of fluster test on SM8550: 131/147 testcases passed while testing JCT-VC-HEVC_V1 with GStreamer-H.265-V4L2-Gst1.0. The failing test case: - 10 testcases failed due to unsupported 10 bit format. - DBLK_A_MAIN10_VIXS_4 - INITQP_B_Main10_Sony_1 - TSUNEQBD_A_MAIN10_Technicolor_2 - WP_A_MAIN10_Toshiba_3 - WP_MAIN10_B_Toshiba_3 - WPP_A_ericsson_MAIN10_2 - WPP_B_ericsson_MAIN10_2 - WPP_C_ericsson_MAIN10_2 - WPP_E_ericsson_MAIN10_2 - WPP_F_ericsson_MAIN10_2 - 4 testcase failed due to unsupported resolution - PICSIZE_A_Bossen_1 - PICSIZE_B_Bossen_1 - WPP_D_ericsson_MAIN10_2 - WPP_D_ericsson_MAIN_2 - 2 testcase failed due to CRC mismatch - RAP_A_docomo_6 - RAP_B_Bossen_2 - BUG reported: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4392 Analysis - First few frames in this discarded by firmware and are sent to driver with 0 filled length. Driver send such buffers to client with timestamp 0 and payload set to 0 and make buf state to VB2_BUF_STATE_ERROR. Such buffers should be dropped by GST. But instead, the first frame displayed as green frame and when a valid buffer is sent to client later with same 0 timestamp, its dropped, leading to CRC mismatch for first frame. 235/305 testcases passed while testing VP9-TEST-VECTORS with GStreamer-VP9-V4L2-Gst1.0. The failing test case: - 64 testcases failed due to unsupported resolution - vp90-2-02-size-08x08.webm - vp90-2-02-size-08x10.webm - vp90-2-02-size-08x16.webm - vp90-2-02-size-08x18.webm - vp90-2-02-size-08x32.webm - vp90-2-02-size-08x34.webm - vp90-2-02-size-08x64.webm - vp90-2-02-size-08x66.webm - vp90-2-02-size-10x08.webm - vp90-2-02-size-10x10.webm - vp90-2-02-size-10x16.webm - vp90-2-02-size-10x18.webm - vp90-2-02-size-10x32.webm - vp90-2-02-size-10x34.webm - vp90-2-02-size-10x64.webm - vp90-2-02-size-10x66.webm - vp90-2-02-size-16x08.webm - vp90-2-02-size-16x10.webm - vp90-2-02-size-16x16.webm - vp90-2-02-size-16x18.webm - vp90-2-02-size-16x32.webm - vp90-2-02-size-16x34.webm - vp90-2-02-size-16x64.webm - vp90-2-02-size-16x66.webm - vp90-2-02-size-18x08.webm - vp90-2-02-size-18x10.webm - vp90-2-02-size-18x16.webm - vp90-2-02-size-18x18.webm - vp90-2-02-size-18x32.webm - vp90-2-02-size-18x34.webm - vp90-2-02-size-18x64.webm - vp90-2-02-size-18x66.webm - vp90-2-02-size-32x08.webm - vp90-2-02-size-32x10.webm - vp90-2-02-size-32x16.webm - vp90-2-02-size-32x18.webm - vp90-2-02-size-32x32.webm - vp90-2-02-size-32x34.webm - vp90-2-02-size-32x64.webm - vp90-2-02-size-32x66.webm - vp90-2-02-size-34x08.webm - vp90-2-02-size-34x10.webm - vp90-2-02-size-34x16.webm - vp90-2-02-size-34x18.webm - vp90-2-02-size-34x32.webm - vp90-2-02-size-34x34.webm - vp90-2-02-size-34x64.webm - vp90-2-02-size-34x66.webm - vp90-2-02-size-64x08.webm - vp90-2-02-size-64x10.webm - vp90-2-02-size-64x16.webm - vp90-2-02-size-64x18.webm - vp90-2-02-size-64x32.webm - vp90-2-02-size-64x34.webm - vp90-2-02-size-64x64.webm - vp90-2-02-size-64x66.webm - vp90-2-02-size-66x08.webm - vp90-2-02-size-66x10.webm - vp90-2-02-size-66x16.webm - vp90-2-02-size-66x18.webm - vp90-2-02-size-66x32.webm - vp90-2-02-size-66x34.webm - vp90-2-02-size-66x64.webm - vp90-2-02-size-66x66.webm - 2 testcases failed due to unsupported format - vp91-2-04-yuv422.webm - vp91-2-04-yuv444.webm - 1 testcase failed with CRC mismatch - vp90-2-22-svc_1280x720_3.ivf - Bug reported: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4371 - 2 testcase failed due to unsupported resolution after sequence change - vp90-2-21-resize_inter_320x180_5_1-2.webm - vp90-2-21-resize_inter_320x180_7_1-2.webm - 1 testcase failed due to unsupported stream - vp90-2-16-intra-only.webm The result of fluster test on SM8250: 133/147 testcases passed while testing JCT-VC-HEVC_V1 with GStreamer-H.265-V4L2-Gst1.0. The failing test case: - 10 testcases failed due to unsupported 10 bit format. - DBLK_A_MAIN10_VIXS_4 - INITQP_B_Main10_Sony_1 - TSUNEQBD_A_MAIN10_Technicolor_2 - WP_A_MAIN10_Toshiba_3 - WP_MAIN10_B_Toshiba_3 - WPP_A_ericsson_MAIN10_2 - WPP_B_ericsson_MAIN10_2 - WPP_C_ericsson_MAIN10_2 - WPP_E_ericsson_MAIN10_2 - WPP_F_ericsson_MAIN10_2 - 4 testcase failed due to unsupported resolution - PICSIZE_A_Bossen_1 - PICSIZE_B_Bossen_1 - WPP_D_ericsson_MAIN10_2 - WPP_D_ericsson_MAIN_2 232/305 testcases passed while testing VP9-TEST-VECTORS with GStreamer-VP9-V4L2-Gst1.0. The failing test case: - 64 testcases failed due to unsupported resolution - vp90-2-02-size-08x08.webm - vp90-2-02-size-08x10.webm - vp90-2-02-size-08x16.webm - vp90-2-02-size-08x18.webm - vp90-2-02-size-08x32.webm - vp90-2-02-size-08x34.webm - vp90-2-02-size-08x64.webm - vp90-2-02-size-08x66.webm - vp90-2-02-size-10x08.webm - vp90-2-02-size-10x10.webm - vp90-2-02-size-10x16.webm - vp90-2-02-size-10x18.webm - vp90-2-02-size-10x32.webm - vp90-2-02-size-10x34.webm - vp90-2-02-size-10x64.webm - vp90-2-02-size-10x66.webm - vp90-2-02-size-16x08.webm - vp90-2-02-size-16x10.webm - vp90-2-02-size-16x16.webm - vp90-2-02-size-16x18.webm - vp90-2-02-size-16x32.webm - vp90-2-02-size-16x34.webm - vp90-2-02-size-16x64.webm - vp90-2-02-size-16x66.webm - vp90-2-02-size-18x08.webm - vp90-2-02-size-18x10.webm - vp90-2-02-size-18x16.webm - vp90-2-02-size-18x18.webm - vp90-2-02-size-18x32.webm - vp90-2-02-size-18x34.webm - vp90-2-02-size-18x64.webm - vp90-2-02-size-18x66.webm - vp90-2-02-size-32x08.webm - vp90-2-02-size-32x10.webm - vp90-2-02-size-32x16.webm - vp90-2-02-size-32x18.webm - vp90-2-02-size-32x32.webm - vp90-2-02-size-32x34.webm - vp90-2-02-size-32x64.webm - vp90-2-02-size-32x66.webm - vp90-2-02-size-34x08.webm - vp90-2-02-size-34x10.webm - vp90-2-02-size-34x16.webm - vp90-2-02-size-34x18.webm - vp90-2-02-size-34x32.webm - vp90-2-02-size-34x34.webm - vp90-2-02-size-34x64.webm - vp90-2-02-size-34x66.webm - vp90-2-02-size-64x08.webm - vp90-2-02-size-64x10.webm - vp90-2-02-size-64x16.webm - vp90-2-02-size-64x18.webm - vp90-2-02-size-64x32.webm - vp90-2-02-size-64x34.webm - vp90-2-02-size-64x64.webm - vp90-2-02-size-64x66.webm - vp90-2-02-size-66x08.webm - vp90-2-02-size-66x10.webm - vp90-2-02-size-66x16.webm - vp90-2-02-size-66x18.webm - vp90-2-02-size-66x32.webm - vp90-2-02-size-66x34.webm - vp90-2-02-size-66x64.webm - vp90-2-02-size-66x66.webm - 2 testcases failed due to unsupported format - vp91-2-04-yuv422.webm - vp91-2-04-yuv444.webm - 1 testcase failed with CRC mismatch - vp90-2-22-svc_1280x720_3.ivf - Bug raised: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4371 - 5 testcase failed due to unsupported resolution after sequence change - vp90-2-21-resize_inter_320x180_5_1-2.webm - vp90-2-21-resize_inter_320x180_7_1-2.webm - vp90-2-21-resize_inter_320x240_5_1-2.webm - vp90-2-21-resize_inter_320x240_7_1-2.webm - vp90-2-18-resize.ivf - 1 testcase failed with CRC mismatch - vp90-2-16-intra-only.webm Analysis: First few frames are marked by firmware as NO_SHOW frame. Driver make buf state to VB2_BUF_STATE_ERROR for such frames. Such buffers should be dropped by GST. But instead, the first frame is being displayed and when a valid buffer is sent to client later with same timestamp, its dropped, leading to CRC mismatch for first frame. To: Vikash Garodia <quic_vgarodia(a)quicinc.com> To: Abhinav Kumar <quic_abhinavk(a)quicinc.com> To: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> To: Mauro Carvalho Chehab <mchehab(a)kernel.org> To: Stefan Schmidt <stefan.schmidt(a)linaro.org> To: Hans Verkuil <hverkuil(a)xs4all.nl> Cc: linux-media(a)vger.kernel.org Cc: linux-arm-msm(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Cc: Neil Armstrong <neil.armstrong(a)linaro.org> Cc: Nicolas Dufresne <nicolas.dufresne(a)collabora.com> Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> --- Dikshita Agarwal (26): media: iris: Skip destroying internal buffer if not dequeued media: iris: Verify internal buffer release on close media: iris: Update CAPTURE format info based on OUTPUT format media: iris: Avoid updating frame size to firmware during reconfig media: iris: Drop port check for session property response media: iris: Prevent HFI queue writes when core is in deinit state media: iris: Remove error check for non-zero v4l2 controls media: iris: Remove deprecated property setting to firmware media: iris: Fix missing function pointer initialization media: iris: Fix NULL pointer dereference media: iris: Fix typo in depth variable media: iris: Track flush responses to prevent premature completion media: iris: Fix buffer preparation failure during resolution change media: iris: Send V4L2_BUF_FLAG_ERROR for capture buffers with 0 filled length media: iris: Skip flush on first sequence change media: iris: Remove unnecessary re-initialization of flush completion media: iris: Add handling for corrupt and drop frames media: iris: Add handling for no show frames media: iris: Improve last flag handling media: iris: Remove redundant buffer count check in stream off media: iris: Add a comment to explain usage of MBPS media: iris: Add HEVC and VP9 formats for decoder media: iris: Add platform capabilities for HEVC and VP9 decoders media: iris: Set mandatory properties for HEVC and VP9 decoders. media: iris: Add internal buffer calculation for HEVC and VP9 decoders media: iris: Add codec specific check for VP9 decoder drain handling drivers/media/platform/qcom/iris/iris_buffer.c | 35 +- drivers/media/platform/qcom/iris/iris_buffer.h | 3 +- drivers/media/platform/qcom/iris/iris_ctrls.c | 35 +- drivers/media/platform/qcom/iris/iris_hfi_common.h | 1 + .../platform/qcom/iris/iris_hfi_gen1_command.c | 48 ++- .../platform/qcom/iris/iris_hfi_gen1_defines.h | 5 +- .../platform/qcom/iris/iris_hfi_gen1_response.c | 37 +- .../platform/qcom/iris/iris_hfi_gen2_command.c | 143 +++++++- .../platform/qcom/iris/iris_hfi_gen2_defines.h | 5 + .../platform/qcom/iris/iris_hfi_gen2_response.c | 56 ++- drivers/media/platform/qcom/iris/iris_hfi_queue.c | 2 +- drivers/media/platform/qcom/iris/iris_instance.h | 6 + .../platform/qcom/iris/iris_platform_common.h | 28 +- .../media/platform/qcom/iris/iris_platform_gen2.c | 198 ++++++++-- .../platform/qcom/iris/iris_platform_qcs8300.h | 126 +++++-- .../platform/qcom/iris/iris_platform_sm8250.c | 15 +- drivers/media/platform/qcom/iris/iris_state.c | 2 +- drivers/media/platform/qcom/iris/iris_state.h | 1 + drivers/media/platform/qcom/iris/iris_vb2.c | 18 +- drivers/media/platform/qcom/iris/iris_vdec.c | 116 +++--- drivers/media/platform/qcom/iris/iris_vdec.h | 11 + drivers/media/platform/qcom/iris/iris_vidc.c | 36 +- drivers/media/platform/qcom/iris/iris_vpu_buffer.c | 397 ++++++++++++++++++++- drivers/media/platform/qcom/iris/iris_vpu_buffer.h | 46 ++- 24 files changed, 1159 insertions(+), 211 deletions(-) --- base-commit: b64b134942c8cf4801ea288b3fd38b509aedec21 change-id: 20250508-video-iris-hevc-vp9-bd35d588500f Best regards, -- Dikshita Agarwal <quic_dikshita(a)quicinc.com>

8 months

3
18
0 0

[PATCH v1] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach

by RD Babiera

This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect SNKAS. tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance testers can interpret the TryWait.Src to Attached.Src transition after Try.Snk as being in Attached.Src the entire time, so ~170ms is lost to the debounce timer. Setting the data role can be a costly operation in host mode, and when completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4 to fail. Turn VBUS on before tcpm_set_roles to meet timing requirement. Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable(a)vger.kernel.org Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 784fa23102f9..e099a3c4428d 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -4355,17 +4355,6 @@ static int tcpm_src_attach(struct tcpm_port *port) tcpm_enable_auto_vbus_discharge(port, true); - ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, - TYPEC_SOURCE, tcpm_data_role_for_source(port)); - if (ret < 0) - return ret; - - if (port->pd_supported) { - ret = port->tcpc->set_pd_rx(port->tcpc, true); - if (ret < 0) - goto out_disable_mux; - } - /* * USB Type-C specification, version 1.2, * chapter 4.5.2.2.8.1 (Attached.SRC Requirements) @@ -4375,13 +4364,24 @@ static int tcpm_src_attach(struct tcpm_port *port) (polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) { ret = tcpm_set_vconn(port, true); if (ret < 0) - goto out_disable_pd; + return ret; } ret = tcpm_set_vbus(port, true); if (ret < 0) goto out_disable_vconn; + ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE, + tcpm_data_role_for_source(port)); + if (ret < 0) + goto out_disable_vbus; + + if (port->pd_supported) { + ret = port->tcpc->set_pd_rx(port->tcpc, true); + if (ret < 0) + goto out_disable_mux; + } + port->pd_capable = false; port->partner = NULL; @@ -4392,14 +4392,14 @@ static int tcpm_src_attach(struct tcpm_port *port) return 0; -out_disable_vconn: - tcpm_set_vconn(port, false); -out_disable_pd: - if (port->pd_supported) - port->tcpc->set_pd_rx(port->tcpc, false); out_disable_mux: tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE, TYPEC_ORIENTATION_NONE); +out_disable_vbus: + tcpm_set_vbus(port, false); +out_disable_vconn: + tcpm_set_vconn(port, false); + return ret; } base-commit: 615dca38c2eae55aff80050275931c87a812b48c -- 2.49.0.967.g6a0df3ecc3-goog

8 months

3
4
0 0

[PATCH] perf/arm-cmn: Fix REQ2/SNP2 mixup

by Robin Murphy

Somehow the encodings for REQ2/SNP2 channels in XP events got mixed up... Unmix them. CC: stable(a)vger.kernel.org Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support") Signed-off-by: Robin Murphy <robin.murphy(a)arm.com> --- drivers/perf/arm-cmn.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c index d4fe30ff225b..aa2908313558 100644 --- a/drivers/perf/arm-cmn.c +++ b/drivers/perf/arm-cmn.c @@ -727,8 +727,8 @@ static umode_t arm_cmn_event_attr_is_visible(struct kobject *kobj, if ((chan == 5 && cmn->rsp_vc_num < 2) || (chan == 6 && cmn->dat_vc_num < 2) || - (chan == 7 && cmn->snp_vc_num < 2) || - (chan == 8 && cmn->req_vc_num < 2)) + (chan == 7 && cmn->req_vc_num < 2) || + (chan == 8 && cmn->snp_vc_num < 2)) return 0; } @@ -882,8 +882,8 @@ static umode_t arm_cmn_event_attr_is_visible(struct kobject *kobj, _CMN_EVENT_XP(pub_##_name, (_event) | (4 << 5)), \ _CMN_EVENT_XP(rsp2_##_name, (_event) | (5 << 5)), \ _CMN_EVENT_XP(dat2_##_name, (_event) | (6 << 5)), \ - _CMN_EVENT_XP(snp2_##_name, (_event) | (7 << 5)), \ - _CMN_EVENT_XP(req2_##_name, (_event) | (8 << 5)) + _CMN_EVENT_XP(req2_##_name, (_event) | (7 << 5)), \ + _CMN_EVENT_XP(snp2_##_name, (_event) | (8 << 5)) #define CMN_EVENT_XP_DAT(_name, _event) \ _CMN_EVENT_XP_PORT(dat_##_name, (_event) | (3 << 5)), \ -- 2.39.2.101.g768bb238c484.dirty

8 months

2
1
0 0

Inquiry

by Philip Burchett

Greetings, Supplier. Please give us your most recent catalog; we would want to order from you. I look forward to your feedback. Philip Burchett

8 months

1
0
0 0

[PATCH] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs

by Gabor Juhos

The two alarm LEDs of on the uDPU board are stopped working since commit 78efa53e715e ("leds: Init leds class earlier"). The LEDs are driven by the GPIO{15,16} pins of the North Bridge GPIO controller. These pins are part of the 'spi_quad' pin group for which the 'spi' function is selected via the default pinctrl state of the 'spi' node. This is wrong however, since in order to allow controlling the LEDs, the pins should use the 'gpio' function. Before the commit mentined above, the 'spi' function is selected first by the pinctrl core before probing the spi driver, but then it gets overridden to 'gpio' implicitly via the devm_gpiod_get_index_optional() call from the 'leds-gpio' driver. After the commit, the LED subsystem gets initialized before the SPI subsystem, so the function of the pin group remains 'spi' which in turn prevents controlling of the LEDs. Despite the change of the initialization order, the root cause is that the pinctrl state definition is wrong since its initial commit 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board"), To fix the problem, override the function in the 'spi_quad_pins' node to 'gpio' and move the pinctrl state definition from the 'spi' node into the 'leds' node. Cc: stable(a)vger.kernel.org # needs adjustment for < 6.1 Fixes: 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board") Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> Signed-off-by: Imre Kaloz <kaloz(a)openwrt.org> --- Notes: 1. DTB check shows a bunch of warnings, but none of those are new: DTC [C] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/watchdog@8300: failed to match any schema with compatible: ['marvell,armada-3700-wdt'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/serial@12000: failed to match any schema with compatible: ['marvell,armada-3700-uart'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/serial@12200: failed to match any schema with compatible: ['marvell,armada-3700-uart-ext'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/nb-periph-clk@13000: failed to match any schema with compatible: ['marvell,armada-3700-periph-clock-nb', 'syscon'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/sb-periph-clk@18000: failed to match any schema with compatible: ['marvell,armada-3700-periph-clock-sb'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/tbg@13200: failed to match any schema with compatible: ['marvell,armada-3700-tbg-clock'] <...>/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: pinctrl@13800: reg: [[79872, 256], [80896, 32]] is too long from schema $id: http://devicetree.org/schemas/mfd/syscon-common.yaml# arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/pinctrl@13800: failed to match any schema with compatible: ['marvell,armada3710-nb-pinctrl', 'syscon', 'simple-mfd'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/pinctrl@13800/xtal-clk: failed to match any schema with compatible: ['marvell,armada-3700-xtal-clock'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/phy@18300: failed to match any schema with compatible: ['marvell,comphy-a3700'] <...>/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: pinctrl@18800: reg: [[100352, 256], [101376, 32]] is too long from schema $id: http://devicetree.org/schemas/mfd/syscon-common.yaml# arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/pinctrl@18800: failed to match any schema with compatible: ['marvell,armada3710-sb-pinctrl', 'syscon', 'simple-mfd'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/ethernet@30000: failed to match any schema with compatible: ['marvell,armada-3700-neta'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/ethernet@40000: failed to match any schema with compatible: ['marvell,armada-3700-neta'] <...>/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: usb@58000: Unevaluated properties are not allowed ('marvell,usb-misc-reg' was unexpected) from schema $id: http://devicetree.org/schemas/usb/generic-xhci.yaml# arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/system-controller@5d800: failed to match any schema with compatible: ['marvell,armada-3700-usb2-host-device-misc', 'syscon'] <...>/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: usb@5e000: phy-names:0: 'usb' was expected from schema $id: http://devicetree.org/schemas/usb/generic-ehci.yaml# arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/xor@60900: failed to match any schema with compatible: ['marvell,armada-3700-xor'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/bus@d0000000/mailbox@b0000: failed to match any schema with compatible: ['marvell,armada-3700-rwtm-mailbox'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /soc/pcie@d0070000: failed to match any schema with compatible: ['marvell,armada-3700-pcie'] arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtb: /firmware/armada-3700-rwtm: failed to match any schema with compatible: ['marvell,armada-3700-rwtm-firmware'] 2. Just for the record, here is the bisect log: git bisect start # status: waiting for both good and bad commits # bad: [7cdabafc001202de9984f22c973305f424e0a8b7] Merge tag 'trace-v6.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace git bisect bad 7cdabafc001202de9984f22c973305f424e0a8b7 # status: waiting for good commit(s), bad commit known # good: [0c3836482481200ead7b416ca80c68a29cfdaabd] Linux 6.10 git bisect good 0c3836482481200ead7b416ca80c68a29cfdaabd # bad: [fcc79e1714e8c2b8e216dc3149812edd37884eef] Merge tag 'net-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next git bisect bad fcc79e1714e8c2b8e216dc3149812edd37884eef # good: [26bb0d3f38a764b743a3ad5c8b6e5b5044d7ceb4] Merge tag 'for-6.12/block-20240913' of git://git.kernel.dk/linux git bisect good 26bb0d3f38a764b743a3ad5c8b6e5b5044d7ceb4 # bad: [5e5466433d266046790c0af40a15af0a6be139a1] Merge tag 'char-misc-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc git bisect bad 5e5466433d266046790c0af40a15af0a6be139a1 # good: [de848da12f752170c2ebe114804a985314fd5a6a] Merge tag 'drm-next-2024-09-19' of https://gitlab.freedesktop.org/drm/kernel git bisect good de848da12f752170c2ebe114804a985314fd5a6a # bad: [962ad08780a5bfb3240bc793e565181eacfceafb] Merge tag 'pinctrl-v6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl git bisect bad 962ad08780a5bfb3240bc793e565181eacfceafb # good: [440b65232829fad69947b8de983c13a525cc8871] Merge tag 'bpf-next-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next git bisect good 440b65232829fad69947b8de983c13a525cc8871 # good: [f8ffbc365f703d74ecca8ca787318d05bbee2bf7] Merge tag 'pull-stable-struct_fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs git bisect good f8ffbc365f703d74ecca8ca787318d05bbee2bf7 # good: [18ba6034468e7949a9e2c2cf28e2e123b4fe7a50] Merge tag 'nfsd-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux git bisect good 18ba6034468e7949a9e2c2cf28e2e123b4fe7a50 # bad: [bb78146c18ac67f22cabb2448b501bcac30f8801] Merge branch 'pci/controller/xilinx' git bisect bad bb78146c18ac67f22cabb2448b501bcac30f8801 # bad: [b893f8ea38c530c2c8a337c3429f9f37e6bf65e8] Merge branch 'pci/controller/brcmstb' git bisect bad b893f8ea38c530c2c8a337c3429f9f37e6bf65e8 # bad: [207bcb73fb08841e242fa1d66e1d0381836da562] Merge branch 'pci/dt-bindings' git bisect bad 207bcb73fb08841e242fa1d66e1d0381836da562 # good: [e642aa6b38762a2af3a7e0c5e6dac5841c15dea0] Merge branch 'pci/iommu' git bisect good e642aa6b38762a2af3a7e0c5e6dac5841c15dea0 # good: [f500a2f1282750fb344ce535d78071cf1493efd1] dt-bindings: PCI: imx6q-pcie: Add reg-name "dbi2" and "atu" for i.MX8M PCIe Endpoint git bisect good f500a2f1282750fb344ce535d78071cf1493efd1 # bad: [d774674f3492740503a3cd3f5da131d088202f1b] Merge branch 'pci/pwrctl' git bisect bad d774674f3492740503a3cd3f5da131d088202f1b # bad: [759ec28242894f2006a1606c1d6e9aca48cecfcf] PCI/NPEM: Add _DSM PCIe SSD status LED management git bisect bad 759ec28242894f2006a1606c1d6e9aca48cecfcf # bad: [4e893545ef8712d25f3176790ebb95beb073637e] PCI/NPEM: Add Native PCIe Enclosure Management support git bisect bad 4e893545ef8712d25f3176790ebb95beb073637e # bad: [78efa53e715e21a97c722dba20f8437a0860521e] leds: Init leds class earlier git bisect bad 78efa53e715e21a97c722dba20f8437a0860521e # first bad commit: [78efa53e715e21a97c722dba20f8437a0860521e] leds: Init leds class earlier --- arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi index 3a9b6907185d0363dff41178543a0210ce99dbf7..24282084570787630cb0beeab3997b943bdf45dc 100644 --- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi +++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi @@ -26,6 +26,8 @@ memory@0 { leds { compatible = "gpio-leds"; + pinctrl-names = "default"; + pinctrl-0 = <&spi_quad_pins>; led-power1 { label = "udpu:green:power"; @@ -82,8 +84,6 @@ &sdhci0 { &spi0 { status = "okay"; - pinctrl-names = "default"; - pinctrl-0 = <&spi_quad_pins>; flash@0 { compatible = "jedec,spi-nor"; @@ -108,6 +108,10 @@ partition@180000 { }; }; +&spi_quad_pins { + function = "gpio"; +}; + &pinctrl_nb { i2c2_recovery_pins: i2c2-recovery-pins { groups = "i2c2"; --- base-commit: 92a09c47464d040866cf2b4cd052bc60555185fb change-id: 20250509-udpu-alarm-led-fix-62828f7e11eb Best regards, -- Gabor Juhos <j4g8y7(a)gmail.com>

8 months

1
0
0 0

[PATCH 0/2] Deal with clang's -Wdefault-const-init-unsafe

by Nathan Chancellor

A new on by default warning in clang aims to flag cases where a const variable or field is not initialized and has no default value (i.e., not static or thread local). The field version of the warning triggers in several places within the kernel that are not problematic so it is disabled in the first patch. The variable version of the warning only triggers in one place, the typecheck() macro, so I opted to silence it in that one place to keep it enabled until it can be proved to be problematic enough to disable it. --- Nathan Chancellor (2): kbuild: Disable -Wdefault-const-init-field-unsafe include/linux/typecheck.h: Zero initialize dummy variables include/linux/typecheck.h | 4 ++-- scripts/Makefile.extrawarn | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) --- base-commit: ebd297a2affadb6f6f4d2e5d975c1eda18ac762d change-id: 20250430-default-const-init-clang-b6e21b8d03b6 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

8 months

5
12
0 0

[PATCH 2/2] nvmem: zynqmp_nvmem: unbreak driver after cleanup

by srini＠kernel.org

From: Peter Korsgaard <peter(a)korsgaard.com> Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer to be passed as the "context", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed. Fixes: 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Korsgaard <peter(a)korsgaard.com> Reviewed-by: Michal Simek <michal.simek(a)amd.com> Tested-by: Michal Simek <michal.simek(a)amd.com> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> --- drivers/nvmem/zynqmp_nvmem.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvmem/zynqmp_nvmem.c b/drivers/nvmem/zynqmp_nvmem.c index 8682adaacd69..7da717d6c7fa 100644 --- a/drivers/nvmem/zynqmp_nvmem.c +++ b/drivers/nvmem/zynqmp_nvmem.c @@ -213,6 +213,7 @@ static int zynqmp_nvmem_probe(struct platform_device *pdev) econfig.word_size = 1; econfig.size = ZYNQMP_NVMEM_SIZE; econfig.dev = dev; + econfig.priv = dev; econfig.add_legacy_fixed_of_cells = true; econfig.reg_read = zynqmp_nvmem_read; econfig.reg_write = zynqmp_nvmem_write; -- 2.43.0

8 months

1
0
0 0

[PATCH 6.12] sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash

by Omar Sandoval

From: Omar Sandoval <osandov(a)fb.com> commit bbce3de72be56e4b5f68924b7da9630cc89aa1a8 upstream. There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash. The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case: 1. In the if (entity_is_task(se)) else block at the beginning of dequeue_entities(), slice is set to cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX. 2. The first for_each_sched_entity() loop dequeues the entity. 3. If the entity was its parent's only child, then the next iteration tries to dequeue the parent. 4. If the parent's dequeue needs to be delayed, then it breaks from the first for_each_sched_entity() loop _without updating slice_. 5. The second for_each_sched_entity() loop sets the parent's ->slice to the saved slice, which is still U64_MAX. This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was: 6. In update_entity_lag(), se->slice is used to calculate limit, which ends up as a huge negative number. 7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit is negative, vlag > limit, so se->vlag is set to the same huge negative number. 8. In place_entity(), se->vlag is scaled, which overflows and results in another huge (positive or negative) number. 9. The adjusted lag is subtracted from se->vruntime, which increases or decreases se->vruntime by a huge number. 10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which incorrectly returns false because the vruntime is so far from the other vruntimes on the queue, causing the (vruntime - cfs_rq->min_vruntime) * load calulation to overflow. 11. Nothing appears to be eligible, so pick_eevdf() returns NULL. 12. pick_next_entity() tries to dereference the return value of pick_eevdf() and crashes. Dumping the cfs_rq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64_MAX on live systems (which was usually "benign" since the rest of the runqueue needed to be in a particular state to crash). Fix it in dequeue_entities() by always setting slice from the first non-empty cfs_rq. Fixes: aef6987d8954 ("sched/eevdf: Propagate min_slice up the cgroup hierarchy") Signed-off-by: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Link: https://lkml.kernel.org/r/f0c2d1072be229e1bdddc73c0703919a8b00c652.17455709… --- Stable backport to 6.12.y resolving a trivial conflict in the patch context. Thanks, Omar kernel/sched/fair.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index ceb023629d48..990d0828bf2a 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -7182,9 +7182,6 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags) idle_h_nr_running = task_has_idle_policy(p); if (!task_sleep && !task_delayed) h_nr_delayed = !!se->sched_delayed; - } else { - cfs_rq = group_cfs_rq(se); - slice = cfs_rq_min_slice(cfs_rq); } for_each_sched_entity(se) { @@ -7194,6 +7191,7 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags) if (p && &p->se == se) return -1; + slice = cfs_rq_min_slice(cfs_rq); break; } -- 2.49.0

8 months

2
1
0 0

[PATCH 6.6.y v2] btrfs: always fallback to buffered write if the inode requires checksum

by Qu Wenruo

commit 968f19c5b1b7d5595423b0ac0020cc18dfed8cb5 upstream. [BUG] It is a long known bug that VM image on btrfs can lead to data csum mismatch, if the qemu is using direct-io for the image (this is commonly known as cache mode 'none'). [CAUSE] Inside the VM, if the fs is EXT4 or XFS, or even NTFS from Windows, the fs is allowed to dirty/modify the folio even if the folio is under writeback (as long as the address space doesn't have AS_STABLE_WRITES flag inherited from the block device). This is a valid optimization to improve the concurrency, and since these filesystems have no extra checksum on data, the content change is not a problem at all. But the final write into the image file is handled by btrfs, which needs the content not to be modified during writeback, or the checksum will not match the data (checksum is calculated before submitting the bio). So EXT4/XFS/NTRFS assume they can modify the folio under writeback, but btrfs requires no modification, this leads to the false csum mismatch. This is only a controlled example, there are even cases where multi-thread programs can submit a direct IO write, then another thread modifies the direct IO buffer for whatever reason. For such cases, btrfs has no sane way to detect such cases and leads to false data csum mismatch. [FIX] I have considered the following ideas to solve the problem: - Make direct IO to always skip data checksum This not only requires a new incompatible flag, as it breaks the current per-inode NODATASUM flag. But also requires extra handling for no csum found cases. And this also reduces our checksum protection. - Let hardware handle all the checksum AKA, just nodatasum mount option. That requires trust for hardware (which is not that trustful in a lot of cases), and it's not generic at all. - Always fallback to buffered write if the inode requires checksum This was suggested by Christoph, and is the solution utilized by this patch. The cost is obvious, the extra buffer copying into page cache, thus it reduces the performance. But at least it's still user configurable, if the end user still wants the zero-copy performance, just set NODATASUM flag for the inode (which is a common practice for VM images on btrfs). Since we cannot trust user space programs to keep the buffer consistent during direct IO, we have no choice but always falling back to buffered IO. At least by this, we avoid the more deadly false data checksum mismatch error. CC: stable(a)vger.kernel.org # 6.6 Suggested-by: Christoph Hellwig <hch(a)infradead.org> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [ Fix a conflict due to the movement of the function. ] --- Changelog: v2: - Remove the incorrectly included direct-io.c "git am" automatically included the not-yet-exist file into the diff. --- fs/btrfs/file.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index e794606e7c78..f1456c745c6d 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -1515,6 +1515,23 @@ static ssize_t btrfs_direct_write(struct kiocb *iocb, struct iov_iter *from) goto buffered; } + /* + * We can't control the folios being passed in, applications can write + * to them while a direct IO write is in progress. This means the + * content might change after we calculated the data checksum. + * Therefore we can end up storing a checksum that doesn't match the + * persisted data. + * + * To be extra safe and avoid false data checksum mismatch, if the + * inode requires data checksum, just fallback to buffered IO. + * For buffered IO we have full control of page cache and can ensure + * no one is modifying the content during writeback. + */ + if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { + btrfs_inode_unlock(BTRFS_I(inode), ilock_flags); + goto buffered; + } + /* * The iov_iter can be mapped to the same file range we are writing to. * If that's the case, then we will deadlock in the iomap code, because -- 2.49.0

8 months

2
1
0 0

[PATCH] x86/mtrr: Check if fixed-range MTRR exists in `mtrr_save_fixed_ranges`

by Jiaqing Zhao

When suspending, `save_processor_state` calls `mtrr_save_fixed_ranges` to save fixed-range MTRRs. On platforms without MTRR or fixed-range MTRR support, accessing MTRR MSRs triggers unchecked MSR access error. Make sure fixed-range MTRR is supported before access to prevent such error. Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending") Cc: stable(a)vger.kernel.org Signed-off-by: Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> --- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c index e2c6b471d230..ca37b374d1b0 100644 --- a/arch/x86/kernel/cpu/mtrr/generic.c +++ b/arch/x86/kernel/cpu/mtrr/generic.c @@ -593,7 +593,7 @@ static void get_fixed_ranges(mtrr_type *frs) void mtrr_save_fixed_ranges(void *info) { - if (boot_cpu_has(X86_FEATURE_MTRR)) + if (boot_cpu_has(X86_FEATURE_MTRR) && mtrr_state.have_fixed) get_fixed_ranges(mtrr_state.fixed_ranges); } -- 2.43.0

8 months

2
1
0 0

[PATCH v3] wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Ensure that the hdr_trans_tlv command is included in the broadcast wtbl to prevent the IPv6 and multicast packet from being dropped by the chip. Cc: stable(a)vger.kernel.org Fixes: cb1353ef3473 ("wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd") Reported-by: Benjamin Xiao <fossben(a)pm.me> Tested-by: Niklas Schnelle <niks(a)kernel.org> Link: https://lore.kernel.org/lkml/EmWnO5b-acRH1TXbGnkx41eJw654vmCR-8_xMBaPMwexCn… --- v2: add tested-by tag v3: add more info in commit --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index a42b584634ab..fd756f0d18f8 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -2183,14 +2183,14 @@ mt7925_mcu_sta_cmd(struct mt76_phy *phy, mt7925_mcu_sta_mld_tlv(skb, info->vif, info->link_sta->sta); mt7925_mcu_sta_eht_mld_tlv(skb, info->vif, info->link_sta->sta); } - - mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } if (!info->enable) { mt7925_mcu_sta_remove_tlv(skb); mt76_connac_mcu_add_tlv(skb, STA_REC_MLD_OFF, sizeof(struct tlv)); + } else { + mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } return mt76_mcu_skb_send_msg(dev, skb, info->cmd, true); -- 2.34.1

8 months

2
1
0 0

[PATCHv3] thunderbolt: do not double dequeue a request

by Sergey Senozhatsky

Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace: <TASK> ? tb_cfg_request_dequeue+0x2d/0xa0 tb_cfg_request_work+0x33/0x80 worker_thread+0x386/0x8f0 kthread+0xed/0x110 ret_from_fork+0x38/0x50 ret_from_fork_asm+0x1b/0x30 The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request(). Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122). Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set. Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: stable(a)vger.kernel.org --- v3: tweaked commit message drivers/thunderbolt/ctl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/thunderbolt/ctl.c b/drivers/thunderbolt/ctl.c index cd15e84c47f4..1db2e951b53f 100644 --- a/drivers/thunderbolt/ctl.c +++ b/drivers/thunderbolt/ctl.c @@ -151,6 +151,11 @@ static void tb_cfg_request_dequeue(struct tb_cfg_request *req) struct tb_ctl *ctl = req->ctl; mutex_lock(&ctl->request_queue_lock); + if (!test_bit(TB_CFG_REQUEST_ACTIVE, &req->flags)) { + mutex_unlock(&ctl->request_queue_lock); + return; + } + list_del(&req->list); clear_bit(TB_CFG_REQUEST_ACTIVE, &req->flags); if (test_bit(TB_CFG_REQUEST_CANCELED, &req->flags)) -- 2.49.0.395.g12beb8f557-goog

8 months

2
2
0 0

FAILED: patch "[PATCH] ksmbd: Fix UAF in __close_file_table_ids" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 36991c1ccde2d5a521577c448ffe07fcccfe104d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050939-activism-hesitant-7576@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001 From: Sean Heelan <seanheelan(a)gmail.com> Date: Tue, 6 May 2025 22:04:52 +0900 Subject: [PATCH] ksmbd: Fix UAF in __close_file_table_ids A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this. The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock. Cc: stable(a)vger.kernel.org Signed-off-by: Sean Heelan <seanheelan(a)gmail.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c index 1f8fa3468173..dfed6fce8904 100644 --- a/fs/smb/server/vfs_cache.c +++ b/fs/smb/server/vfs_cache.c @@ -661,21 +661,40 @@ __close_file_table_ids(struct ksmbd_file_table *ft, bool (*skip)(struct ksmbd_tree_connect *tcon, struct ksmbd_file *fp)) { - unsigned int id; - struct ksmbd_file *fp; - int num = 0; + struct ksmbd_file *fp; + unsigned int id = 0; + int num = 0; - idr_for_each_entry(ft->idr, fp, id) { - if (skip(tcon, fp)) + while (1) { + write_lock(&ft->lock); + fp = idr_get_next(ft->idr, &id); + if (!fp) { + write_unlock(&ft->lock); + break; + } + + if (skip(tcon, fp) || + !atomic_dec_and_test(&fp->refcount)) { + id++; + write_unlock(&ft->lock); continue; + } set_close_state_blocked_works(fp); + idr_remove(ft->idr, fp->volatile_id); + fp->volatile_id = KSMBD_NO_FID; + write_unlock(&ft->lock); + + down_write(&fp->f_ci->m_lock); + list_del_init(&fp->node); + up_write(&fp->f_ci->m_lock); - if (!atomic_dec_and_test(&fp->refcount)) - continue; __ksmbd_close_fd(ft, fp); + num++; + id++; } + return num; }

8 months

1
0
0 0

[PATCH 6.14 000/183] 6.14.6-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.14.6 release. There are 183 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.6-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.14.6-rc1 Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Change btree_insert_node() assertion to error Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Penglei Jiang <superman.xpt(a)gmail.com> btrfs: fix the inode leak in btrfs_iget() David Sterba <dsterba(a)suse.com> btrfs: pass struct btrfs_inode to btrfs_iget_locked() David Sterba <dsterba(a)suse.com> btrfs: pass struct btrfs_inode to btrfs_read_locked_inode() Qu Wenruo <wqu(a)suse.com> btrfs: expose per-inode stable writes flag Shyam Saini <shyamsaini(a)linux.microsoft.com> drivers: base: handle module_kobject creation Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: globalize lookup_or_create_module_kobject() Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: param: rename locate_module_kobject Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: skip reporting zone for new block group Naohiro Aota <naohiro.aota(a)wdc.com> block: introduce zone capacity helper Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Richard Zhu <hongxing.zhu(a)nxp.com> arm64: dts: imx95: Correct the range of PCIe app-reg region Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Ming Lei <ming.lei(a)redhat.com> ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd Ming Lei <ming.lei(a)redhat.com> ublk: simplify aborting ublk request Ming Lei <ming.lei(a)redhat.com> ublk: remove __ublk_quiesce_dev() Uday Shankar <ushankar(a)purestorage.com> ublk: improve detection and handling of ublk server exit Ming Lei <ming.lei(a)redhat.com> ublk: move device reset into ublk_ch_release() Uday Shankar <ushankar(a)purestorage.com> ublk: properly serialize all FETCH_REQs Ming Lei <ming.lei(a)redhat.com> ublk: add helper of ublk_need_map_io() Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7 Kenneth Graunke <kenneth(a)whitecape.org> drm/xe: Invalidate L3 read-only cachelines for geometry streams too Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Fix locking order in ivpu_job_submit Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Abort all jobs after command queue unregister Zhenhua Huang <quic_zhenhuah(a)quicinc.com> mm, slab: clean up slab->obj_exts always Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Sathesh B Edara <sedara(a)marvell.com> octeon_ep: Fix host hang issue during device reboot Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Sagi Maimon <sagi.maimon(a)adtran.com> ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations Jibin Zhang <jibin.zhang(a)mediatek.com> net: use sock_gen_put() when sk_state is TCP_TIME_WAIT Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: fix module unload sequence Alexander Stein <alexander.stein(a)ew.tq-group.com> ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction Olivier Moysan <olivier.moysan(a)foss.st.com> ASoC: stm32: sai: add a check on minimal kernel frequency Olivier Moysan <olivier.moysan(a)foss.st.com> ASoC: stm32: sai: skip useless iterations on kernel rate loop Alistair Francis <alistair.francis(a)wdc.com> nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS Alistair Francis <alistair23(a)gmail.com> nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Kashyap Desai <kashyap.desai(a)broadcom.com> bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings() Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix ethtool selftest output in one of the failure cases Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix error handling path in bnxt_init_chip() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Fix built-mic regression on other ASUS models Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Chad Monroe <chad(a)monroe.io> net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Jacob Keller <jacob.e.keller(a)intel.com> igc: fix lock order in igc_ptp_reset Larysa Zaremba <larysa.zaremba(a)intel.com> idpf: protect shutdown from reset Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> idpf: fix potential memory leak on kcalloc() failure Da Xue <da(a)libre.computer> net: mdio: mux-meson-gxl: set reversed bit when using internal phy Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Russell Cloran <rcloran(a)gmail.com> drm/mipi-dbi: Fix blanking for non-16 bit formats Maxime Ripard <mripard(a)kernel.org> drm/tests: shmem: Fix memleak Keith Busch <kbusch(a)kernel.org> nvme-pci: fix queue unquiesce check on slot_reset Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Maulik Shah <maulik.shah(a)oss.qualcomm.com> pinctrl: qcom: Fix PINGROUP definition for sm8750 John Harrison <John.C.Harrison(a)Intel.com> drm/xe/guc: Fix capture of steering registers Keoseong Park <keosung.park(a)samsung.com> scsi: ufs: core: Remove redundant query_complete trace Madhu Chittim <madhu.chittim(a)intel.com> idpf: fix offloads support for encapsulated packets Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Paul Greenwalt <paul.greenwalt(a)intel.com> ice: fix Get Tx Topology AQ command error on E830 Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Remove unnecessary ice_is_e8xx() functions Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Don't check device type when checking GNSS presence Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Shannon Nelson <shannon.nelson(a)amd.com> pds_core: remove write-after-free of client_id Shannon Nelson <shannon.nelson(a)amd.com> pds_core: specify auxiliary_device to be created Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make pdsc_auxbus_dev_del() void Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Justin Lai <justinlai0215(a)realtek.com> rtase: Modify the condition used to detect overflow in rtase_calc_time_mitigation Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: improve TX timestamping FIFO configuration Sathesh B Edara <sedara(a)marvell.com> octeon_ep_vf: Resolve netdevice usage count issue Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: copy RX timestamp to new fragments Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths En-Wei Wu <en-wei.wu(a)canonical.com> Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Avoid redundant buffer allocation Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: ACPI: Re-sync CPU boost state on system resume Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: acpi: Set policy->boost_supported Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Introduce policy->boost_supported flag Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Raju Rangoju <Raju.Rangoju(a)amd.com> spi: spi-mem: Add fix to avoid divide error Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Correct DCT interrupt handling Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: TC, Continue the attr process even if encap entry is invalid Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5e: Use custom tunnel header for vxlan gbp e.kubanski <e.kubanski(a)partner.samsung.com> xsk: Fix offset calculation in unaligned mode e.kubanski <e.kubanski(a)partner.samsung.com> xsk: Fix race condition in AF_XDP generic RX path Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Fix dash warning Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: fix the check for the SCRATCH register upon resume Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: don't warn if the NIC is gone in resume Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: back off on continuous errors Chen Linxuan <chenlinxuan(a)uniontech.com> drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Enable speaker for HP platform Aneesh Kumar K.V (Arm) <aneesh.kumar(a)kernel.org> iommu/arm-smmu-v3: Add missing S2FWB feature detection Chenyuan Yang <chenyuan0y(a)gmail.com> ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Check for ld-option support Hui Wang <hui.wang(a)canonical.com> pinctrl: imx: Return NULL if no group is matched and found Anthony Iliopoulos <ailiop(a)suse.com> powerpc64/ftrace: fix module loading without patchable function entries Donet Tom <donettom(a)linux.ibm.com> book3s64/radix : Align section vmemmap start address to PAGE_SIZE Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Nico Pache <npache(a)redhat.com> firmware: cs_dsp: tests: Depend on FW_CS_DSP rather then enabling it Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF Alan Huang <mmpgouride(a)gmail.com> bcachefs: Remove incorrect __counted_by annotation Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Jethro Donaldson <devel(a)jro.nz> smb: client: fix zero length for mkdir POSIX create context Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in session logoff Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_session_rpc_open Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles Nicolin Chen <nicolinc(a)nvidia.com> iommu: Fix two issues in iommu_copy_struct_from_user() Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Balbir Singh <balbirs(a)nvidia.com> iommu/arm-smmu-v3: Fix pgsize_bit for sva domains Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Janne Grunau <j(a)jannau.net> drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Fix offset for HDP remap in nbio v7.11 Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Ard Biesheuvel <ardb(a)kernel.org> x86/boot/sev: Support memory acceptance in the EFI stub under SVSM Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not take trace_event_sem in print_event_fields() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: repeat setting reserved region nid if array is doubled Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: pass size instead of end to memblock_set_node() Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Only check the group flag for X86 leader Christian Marangi <ansuelsmth(a)gmail.com> pinctrl: airoha: fix wrong PHY LED mapping and PHY2 LED defines Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/fdinfo: Protect against driver unbind Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Dave Chen <davechen(a)synology.com> btrfs: fix COW handling in run_delalloc_nocow() Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Geoffrey D. Bennett <g(a)b4.vu> ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add more HP laptops which need mute led fixup Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" ------------- Diffstat: Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/boot/dts/freescale/imx95.dtsi | 8 +- arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 +- arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/boot/wrapper | 6 +- arch/powerpc/kernel/module_64.c | 4 - arch/powerpc/mm/book3s64/radix_pgtable.c | 17 +- arch/x86/boot/compressed/mem.c | 5 +- arch/x86/boot/compressed/sev.c | 40 ++ arch/x86/boot/compressed/sev.h | 2 + arch/x86/events/core.c | 2 +- arch/x86/events/intel/core.c | 2 +- arch/x86/events/perf_event.h | 9 +- drivers/accel/ivpu/ivpu_drv.c | 32 +- drivers/accel/ivpu/ivpu_drv.h | 2 + drivers/accel/ivpu/ivpu_hw_btrs.h | 2 +- drivers/accel/ivpu/ivpu_job.c | 111 ++++- drivers/accel/ivpu/ivpu_job.h | 1 + drivers/accel/ivpu/ivpu_mmu.c | 3 +- drivers/accel/ivpu/ivpu_pm.c | 18 +- drivers/accel/ivpu/ivpu_sysfs.c | 5 +- drivers/base/module.c | 13 +- drivers/block/ublk_drv.c | 552 +++++++++++---------- drivers/bluetooth/btintel_pcie.c | 57 ++- drivers/bluetooth/btusb.c | 101 ++-- drivers/cpufreq/acpi-cpufreq.c | 14 + drivers/cpufreq/cpufreq.c | 42 +- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 10 +- drivers/cpufreq/intel_pstate.c | 3 + drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + drivers/firmware/cirrus/Kconfig | 5 +- drivers/gpu/drm/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 - .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 +-- drivers/gpu/drm/drm_file.c | 6 + drivers/gpu/drm/drm_mipi_dbi.c | 6 +- drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/gpu/drm/tests/drm_gem_shmem_test.c | 3 + drivers/gpu/drm/xe/instructions/xe_gpu_commands.h | 1 + drivers/gpu/drm/xe/xe_guc_capture.c | 2 +- drivers/gpu/drm/xe/xe_ring_ops.c | 13 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 21 +- drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 9 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 39 +- drivers/net/ethernet/amd/pds_core/core.h | 7 +- drivers/net/ethernet/amd/pds_core/devlink.c | 7 +- drivers/net/ethernet/amd/pds_core/main.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 +- drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 29 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 1 + drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 ++- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice.h | 5 - drivers/net/ethernet/intel/ice/ice_common.c | 208 ++++---- drivers/net/ethernet/intel/ice/ice_common.h | 7 +- drivers/net/ethernet/intel/ice/ice_ddp.c | 10 +- drivers/net/ethernet/intel/ice/ice_gnss.c | 31 +- drivers/net/ethernet/intel/ice/ice_gnss.h | 4 +- drivers/net/ethernet/intel/ice/ice_lib.c | 2 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 137 ++--- drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 235 +++------ drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 11 +- drivers/net/ethernet/intel/ice/ice_type.h | 9 - drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/idpf/idpf.h | 18 +- drivers/net/ethernet/intel/idpf/idpf_lib.c | 76 ++- drivers/net/ethernet/intel/idpf/idpf_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 6 +- .../net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- .../ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 18 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 +- .../ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c | 32 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 6 + drivers/net/ethernet/realtek/rtase/rtase_main.c | 4 +- drivers/net/ethernet/vertexcom/mse102x.c | 36 +- drivers/net/mdio/mdio-mux-meson-gxl.c | 3 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 + drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 28 +- drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 7 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 +- drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 9 +- drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 16 +- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/Kconfig | 1 + drivers/nvme/host/pci.c | 2 +- drivers/nvme/host/tcp.c | 31 +- drivers/nvme/target/Kconfig | 1 + drivers/pinctrl/freescale/pinctrl-imx.c | 6 +- drivers/pinctrl/mediatek/pinctrl-airoha.c | 159 +++--- drivers/pinctrl/qcom/pinctrl-sm8750.c | 4 +- drivers/platform/x86/amd/pmc/pmc.c | 7 +- drivers/platform/x86/dell/alienware-wmi.c | 9 + .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- drivers/ptp/ptp_ocp.c | 52 +- drivers/spi/spi-mem.c | 6 +- drivers/spi/spi-tegra114.c | 6 +- drivers/ufs/core/ufshcd.c | 2 - fs/bcachefs/btree_update_interior.c | 17 +- fs/bcachefs/error.c | 8 + fs/bcachefs/error.h | 2 + fs/bcachefs/xattr_format.h | 8 +- fs/btrfs/btrfs_inode.h | 8 + fs/btrfs/extent_io.c | 2 +- fs/btrfs/file.c | 1 - fs/btrfs/inode.c | 152 +++--- fs/btrfs/ioctl.c | 1 + fs/btrfs/zoned.c | 18 +- fs/smb/client/smb2pdu.c | 1 + fs/smb/server/auth.c | 14 +- fs/smb/server/mgmt/user_session.c | 20 +- fs/smb/server/mgmt/user_session.h | 1 + fs/smb/server/smb2pdu.c | 9 - include/linux/blkdev.h | 67 ++- include/linux/cpufreq.h | 86 ++-- include/linux/iommu.h | 8 +- include/linux/module.h | 2 + include/net/bluetooth/hci.h | 4 +- include/net/bluetooth/hci_core.h | 20 +- include/net/bluetooth/hci_sync.h | 3 + include/net/xdp_sock.h | 3 - include/net/xsk_buff_pool.h | 4 +- include/sound/ump_convert.h | 2 +- kernel/params.c | 6 +- kernel/trace/trace.c | 5 +- kernel/trace/trace_output.c | 4 +- mm/memblock.c | 12 +- mm/slub.c | 27 +- net/bluetooth/hci_conn.c | 181 +------ net/bluetooth/hci_event.c | 15 +- net/bluetooth/hci_sync.c | 150 +++++- net/bluetooth/iso.c | 26 +- net/bluetooth/l2cap_core.c | 3 + net/ipv4/tcp_offload.c | 2 +- net/ipv4/udp_offload.c | 61 ++- net/ipv6/tcpv6_offload.c | 2 +- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- net/xdp/xsk.c | 6 +- net/xdp/xsk_buff_pool.c | 1 + sound/pci/hda/patch_realtek.c | 23 +- sound/soc/amd/acp/acp-i2s.c | 2 +- sound/soc/codecs/Kconfig | 5 +- sound/soc/generic/simple-card-utils.c | 4 +- sound/soc/renesas/rz-ssi.c | 2 +- sound/soc/sdw_utils/soc_sdw_rt_dmic.c | 2 + sound/soc/soc-core.c | 32 +- sound/soc/soc-pcm.c | 5 +- sound/soc/stm/stm32_sai_sub.c | 16 +- sound/usb/endpoint.c | 7 + sound/usb/format.c | 3 +- 194 files changed, 2373 insertions(+), 1773 deletions(-)

8 months

15
198
0 0

[PATCH] wifi: mt76: mt7925: fix host interrupt register initialization

by Mingyen Hsieh

From: Michael Lo <michael.lo(a)mediatek.com> ensure proper interrupt handling and aligns with the hardware spec by updating the register offset for MT_WFDMA0_HOST_INT_ENA. Cc: stable(a)vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Michael Lo <michael.lo(a)mediatek.com> Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 3 --- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c index c7b5dc1dbb34..2e20ecc71207 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c @@ -490,9 +490,6 @@ static int mt7925_pci_suspend(struct device *device) /* disable interrupt */ mt76_wr(dev, dev->irq_map->host_irq_enable, 0); - mt76_wr(dev, MT_WFDMA0_HOST_INT_DIS, - dev->irq_map->tx.all_complete_mask | - MT_INT_RX_DONE_ALL | MT_INT_MCU_CMD); mt76_wr(dev, MT_PCIE_MAC_INT_ENABLE, 0x0); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h index 985794a40c1a..547489092c29 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h +++ b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h @@ -28,7 +28,7 @@ #define MT_MDP_TO_HIF 0 #define MT_MDP_TO_WM 1 -#define MT_WFDMA0_HOST_INT_ENA MT_WFDMA0(0x228) +#define MT_WFDMA0_HOST_INT_ENA MT_WFDMA0(0x204) #define MT_WFDMA0_HOST_INT_DIS MT_WFDMA0(0x22c) #define HOST_RX_DONE_INT_ENA4 BIT(12) #define HOST_RX_DONE_INT_ENA5 BIT(13) -- 2.34.1

8 months

1
0
0 0

[PATCH v3 0/3] configfs: fix bugs

by Zijun Hu

Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v3: - To both Andreas Hindborg and Breno Leitao. - Link to v2: https://lore.kernel.org/r/20250415-fix_configfs-v2-0-fcd527dd1824@quicinc.c… Changes in v2: - Drop the last patch which seems wrong. - Link to v1: https://lore.kernel.org/r/20250408-fix_configfs-v1-0-5a4c88805df7@quicinc.c… --- Zijun Hu (3): configfs: Delete semicolon from macro type_print() definition configfs: Do not override creating attribute file failure in populate_attrs() configfs: Correct error value returned by API config_item_set_name() fs/configfs/dir.c | 4 ++-- fs/configfs/item.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) --- base-commit: eae324ca644554d5ce363186bee820a088bb74ab change-id: 20250408-fix_configfs-699743163c64 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

8 months

2
2
0 0

FAILED: patch "[PATCH] firmware: arm_scmi: Fix timeout checks on polling path" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050945-multitude-powdered-34d0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001 From: Cristian Marussi <cristian.marussi(a)arm.com> Date: Mon, 10 Mar 2025 17:58:00 +0000 Subject: [PATCH] firmware: arm_scmi: Fix timeout checks on polling path Polling mode transactions wait for a reply busy-looping without holding a spinlock, but currently the timeout checks are based only on elapsed time: as a result we could hit a false positive whenever our busy-looping thread is pre-empted and scheduled out for a time greater than the polling timeout. Change the checks at the end of the busy-loop to make sure that the polling wasn't indeed successful or an out-of-order reply caused the polling to be forcibly terminated. Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag") Reported-by: Huangjie <huangjie1663(a)phytium.com.cn> Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmai… Signed-off-by: Cristian Marussi <cristian.marussi(a)arm.com> Cc: stable(a)vger.kernel.org # 5.18.x Message-Id: <20250310175800.1444293-1-cristian.marussi(a)arm.com> Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c index 1c75a4c9c371..0390d5ff195e 100644 --- a/drivers/firmware/arm_scmi/driver.c +++ b/drivers/firmware/arm_scmi/driver.c @@ -1248,7 +1248,8 @@ static void xfer_put(const struct scmi_protocol_handle *ph, } static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo, - struct scmi_xfer *xfer, ktime_t stop) + struct scmi_xfer *xfer, ktime_t stop, + bool *ooo) { struct scmi_info *info = handle_to_scmi_info(cinfo->handle); @@ -1257,7 +1258,7 @@ static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo, * in case of out-of-order receptions of delayed responses */ return info->desc->ops->poll_done(cinfo, xfer) || - try_wait_for_completion(&xfer->done) || + (*ooo = try_wait_for_completion(&xfer->done)) || ktime_after(ktime_get(), stop); } @@ -1274,15 +1275,17 @@ static int scmi_wait_for_reply(struct device *dev, const struct scmi_desc *desc, * itself to support synchronous commands replies. */ if (!desc->sync_cmds_completed_on_ret) { + bool ooo = false; + /* * Poll on xfer using transport provided .poll_done(); * assumes no completion interrupt was available. */ ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms); - spin_until_cond(scmi_xfer_done_no_timeout(cinfo, - xfer, stop)); - if (ktime_after(ktime_get(), stop)) { + spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer, + stop, &ooo)); + if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) { dev_err(dev, "timed out in resp(caller: %pS) - polling\n", (void *)_RET_IP_);

8 months

1
0
0 0

Linux 6.14.6

by Greg Kroah-Hartman

I'm announcing the release of the 6.14.6 kernel. All users of the 6.14 kernel series must upgrade. The updated 6.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.14.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 arch/arm64/boot/dts/freescale/imx95.dtsi | 8 arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 arch/arm64/kernel/proton-pack.c | 2 arch/parisc/math-emu/driver.c | 16 arch/powerpc/boot/wrapper | 6 arch/powerpc/kernel/module_64.c | 4 arch/powerpc/mm/book3s64/radix_pgtable.c | 17 arch/x86/boot/compressed/mem.c | 5 arch/x86/boot/compressed/sev.c | 40 arch/x86/boot/compressed/sev.h | 2 arch/x86/events/core.c | 2 arch/x86/events/intel/core.c | 2 arch/x86/events/perf_event.h | 9 drivers/accel/ivpu/ivpu_drv.c | 32 drivers/accel/ivpu/ivpu_drv.h | 2 drivers/accel/ivpu/ivpu_hw_btrs.h | 2 drivers/accel/ivpu/ivpu_job.c | 111 +- drivers/accel/ivpu/ivpu_job.h | 1 drivers/accel/ivpu/ivpu_mmu.c | 3 drivers/accel/ivpu/ivpu_pm.c | 18 drivers/accel/ivpu/ivpu_sysfs.c | 5 drivers/base/module.c | 13 drivers/block/ublk_drv.c | 550 +++++----- drivers/bluetooth/btintel_pcie.c | 57 - drivers/bluetooth/btusb.c | 101 + drivers/cpufreq/acpi-cpufreq.c | 14 drivers/cpufreq/cpufreq.c | 42 drivers/cpufreq/cpufreq_ondemand.c | 3 drivers/cpufreq/freq_table.c | 10 drivers/cpufreq/intel_pstate.c | 3 drivers/edac/altera_edac.c | 9 drivers/edac/altera_edac.h | 2 drivers/firmware/arm_ffa/driver.c | 3 drivers/firmware/arm_scmi/bus.c | 3 drivers/firmware/cirrus/Kconfig | 5 drivers/gpu/drm/Kconfig | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 - drivers/gpu/drm/drm_file.c | 6 drivers/gpu/drm/drm_mipi_dbi.c | 6 drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 drivers/gpu/drm/nouveau/nouveau_fence.c | 2 drivers/gpu/drm/tests/drm_gem_shmem_test.c | 3 drivers/gpu/drm/xe/instructions/xe_gpu_commands.h | 1 drivers/gpu/drm/xe/xe_guc_capture.c | 2 drivers/gpu/drm/xe/xe_ring_ops.c | 13 drivers/i2c/busses/i2c-imx-lpi2c.c | 4 drivers/iommu/amd/init.c | 8 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 21 drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-qcom-mpm.c | 3 drivers/md/dm-bufio.c | 9 drivers/md/dm-integrity.c | 2 drivers/md/dm-table.c | 5 drivers/mmc/host/renesas_sdhi_core.c | 10 drivers/net/dsa/ocelot/felix_vsc9959.c | 5 drivers/net/ethernet/amd/pds_core/auxbus.c | 39 drivers/net/ethernet/amd/pds_core/core.h | 7 drivers/net/ethernet/amd/pds_core/devlink.c | 7 drivers/net/ethernet/amd/pds_core/main.c | 11 drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 20 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 40 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 29 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 1 drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/dlink/dl2k.h | 2 drivers/net/ethernet/freescale/fec_main.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 - drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 drivers/net/ethernet/intel/ice/ice.h | 5 drivers/net/ethernet/intel/ice/ice_common.c | 208 +-- drivers/net/ethernet/intel/ice/ice_common.h | 7 drivers/net/ethernet/intel/ice/ice_ddp.c | 10 drivers/net/ethernet/intel/ice/ice_gnss.c | 29 drivers/net/ethernet/intel/ice/ice_gnss.h | 4 drivers/net/ethernet/intel/ice/ice_lib.c | 2 drivers/net/ethernet/intel/ice/ice_ptp.c | 133 +- drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 235 +--- drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 11 drivers/net/ethernet/intel/ice/ice_type.h | 9 drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 drivers/net/ethernet/intel/idpf/idpf.h | 18 drivers/net/ethernet/intel/idpf/idpf_lib.c | 76 - drivers/net/ethernet/intel/idpf/idpf_main.c | 1 drivers/net/ethernet/intel/igc/igc_ptp.c | 6 drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 18 drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c | 32 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 drivers/net/ethernet/microchip/lan743x_main.c | 8 drivers/net/ethernet/microchip/lan743x_main.h | 1 drivers/net/ethernet/mscc/ocelot.c | 6 drivers/net/ethernet/realtek/rtase/rtase_main.c | 4 drivers/net/ethernet/vertexcom/mse102x.c | 36 drivers/net/mdio/mdio-mux-meson-gxl.c | 3 drivers/net/usb/rndis_host.c | 16 drivers/net/vxlan/vxlan_vnifilter.c | 8 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 28 drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 7 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 9 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 16 drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 drivers/net/wireless/purelifi/plfxlc/mac.c | 1 drivers/nvme/host/Kconfig | 1 drivers/nvme/host/pci.c | 2 drivers/nvme/host/tcp.c | 31 drivers/nvme/target/Kconfig | 1 drivers/pinctrl/freescale/pinctrl-imx.c | 6 drivers/pinctrl/mediatek/pinctrl-airoha.c | 159 +- drivers/pinctrl/qcom/pinctrl-sm8750.c | 4 drivers/platform/x86/amd/pmc/pmc.c | 7 drivers/platform/x86/dell/alienware-wmi.c | 9 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 13 drivers/ptp/ptp_ocp.c | 52 drivers/spi/spi-mem.c | 6 drivers/spi/spi-tegra114.c | 6 drivers/ufs/core/ufshcd.c | 2 fs/bcachefs/btree_update_interior.c | 17 fs/bcachefs/error.c | 8 fs/bcachefs/error.h | 2 fs/bcachefs/xattr_format.h | 8 fs/btrfs/btrfs_inode.h | 8 fs/btrfs/extent_io.c | 2 fs/btrfs/file.c | 1 fs/btrfs/inode.c | 154 +- fs/btrfs/ioctl.c | 1 fs/btrfs/zoned.c | 18 fs/smb/client/smb2pdu.c | 1 fs/smb/server/auth.c | 14 fs/smb/server/mgmt/user_session.c | 20 fs/smb/server/mgmt/user_session.h | 1 fs/smb/server/smb2pdu.c | 9 include/linux/blkdev.h | 67 - include/linux/cpufreq.h | 86 + include/linux/iommu.h | 8 include/linux/module.h | 2 include/net/bluetooth/hci.h | 4 include/net/bluetooth/hci_core.h | 20 include/net/bluetooth/hci_sync.h | 3 include/net/xdp_sock.h | 3 include/net/xsk_buff_pool.h | 4 include/sound/ump_convert.h | 2 kernel/params.c | 6 kernel/trace/trace.c | 5 kernel/trace/trace_output.c | 4 mm/memblock.c | 12 mm/slub.c | 27 net/bluetooth/hci_conn.c | 181 --- net/bluetooth/hci_event.c | 15 net/bluetooth/hci_sync.c | 150 ++ net/bluetooth/iso.c | 26 net/bluetooth/l2cap_core.c | 3 net/ipv4/tcp_offload.c | 2 net/ipv4/udp_offload.c | 61 + net/ipv6/tcpv6_offload.c | 2 net/sched/sch_drr.c | 16 net/sched/sch_ets.c | 17 net/sched/sch_hfsc.c | 10 net/sched/sch_htb.c | 2 net/sched/sch_qfq.c | 18 net/xdp/xsk.c | 6 net/xdp/xsk_buff_pool.c | 1 sound/pci/hda/patch_realtek.c | 23 sound/soc/amd/acp/acp-i2s.c | 2 sound/soc/codecs/Kconfig | 5 sound/soc/generic/simple-card-utils.c | 4 sound/soc/renesas/rz-ssi.c | 2 sound/soc/sdw_utils/soc_sdw_rt_dmic.c | 2 sound/soc/soc-core.c | 32 sound/soc/soc-pcm.c | 5 sound/soc/stm/stm32_sai_sub.c | 16 sound/usb/endpoint.c | 7 sound/usb/format.c | 3 194 files changed, 2365 insertions(+), 1765 deletions(-) Aaron Kling (1): spi: tegra114: Don't fail set_cs_timing when delays are zero Alan Huang (1): bcachefs: Remove incorrect __counted_by annotation Alexander Stein (1): ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction Alistair Francis (2): nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS Aneesh Kumar K.V (Arm) (1): iommu/arm-smmu-v3: Add missing S2FWB feature detection Anthony Iliopoulos (1): powerpc64/ftrace: fix module loading without patchable function entries Ard Biesheuvel (1): x86/boot/sev: Support memory acceptance in the EFI stub under SVSM Balbir Singh (1): iommu/arm-smmu-v3: Fix pgsize_bit for sva domains Benjamin Marzinski (1): dm: always update the array size in realloc_argv on success Chad Monroe (1): net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Chen Linxuan (1): drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Chenyuan Yang (1): ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init() Chris Bainbridge (1): drm/amd/display: Fix slab-use-after-free in hdcp Chris Chiu (1): ALSA: hda/realtek - Add more HP laptops which need mute led fixup Chris Mi (1): net/mlx5: E-switch, Fix error handling for enabling roce Christian Bruel (2): arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Heusel (1): Revert "rndis_host: Flag RNDIS modems as WWAN devices" Christian Marangi (1): pinctrl: airoha: fix wrong PHY LED mapping and PHY2 LED defines Clark Wang (1): i2c: imx-lpi2c: Fix clock count when probe defers Claudiu Beznea (1): ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS() Cong Wang (5): sch_htb: make htb_qlen_notify() idempotent sch_drr: make drr_qlen_notify() idempotent sch_hfsc: make hfsc_qlen_notify() idempotent sch_qfq: make qfq_qlen_notify() idempotent sch_ets: make est_qlen_notify() idempotent Cosmin Ratiu (1): net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover Cristian Marussi (1): firmware: arm_scmi: Balance device refcount when destroying devices Da Xue (1): net: mdio: mux-meson-gxl: set reversed bit when using internal phy Daniel Golle (1): net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array Dave Chen (1): btrfs: fix COW handling in run_delalloc_nocow() David Sterba (2): btrfs: pass struct btrfs_inode to btrfs_read_locked_inode() btrfs: pass struct btrfs_inode to btrfs_iget_locked() Donet Tom (1): book3s64/radix : Align section vmemmap start address to PAGE_SIZE Emmanuel Grumbach (2): wifi: iwlwifi: don't warn if the NIC is gone in resume wifi: iwlwifi: fix the check for the SCRATCH register upon resume En-Wei Wu (1): Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Felix Fietkau (1): net: ipv6: fix UDPv6 GSO segmentation with NAT Geert Uytterhoeven (1): ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Geoffrey D. Bennett (1): ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Greg Kroah-Hartman (1): Linux 6.14.6 Hao Lan (1): net: hns3: fixed debugfs tm_qset size Helge Deller (1): parisc: Fix double SIGFPE crash Hui Wang (1): pinctrl: imx: Return NULL if no group is matched and found Ido Schimmel (1): vxlan: vnifilter: Fix unlocked deletion of default FDB entry Jacob Keller (1): igc: fix lock order in igc_ptp_reset Janne Grunau (1): drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS Jeongjun Park (1): tracing: Fix oob write in trace_seq_to_buffer() Jethro Donaldson (1): smb: client: fix zero length for mkdir POSIX create context Jian Shen (2): net: hns3: store rx VLAN tag offload state for VF net: hns3: defer calling ptp_clock_register() Jianbo Liu (1): net/mlx5e: TC, Continue the attr process even if encap entry is invalid Jibin Zhang (1): net: use sock_gen_put() when sk_state is TCP_TIME_WAIT Joachim Priesner (1): ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Johannes Berg (1): wifi: iwlwifi: back off on continuous errors John Harrison (1): drm/xe/guc: Fix capture of steering registers Josef Bacik (1): btrfs: adjust subpage bit start based on sectorsize Justin Lai (1): rtase: Modify the condition used to detect overflow in rtase_calc_time_mitigation Kailang Yang (1): ALSA: hda/realtek - Enable speaker for HP platform Kalesh AP (1): bnxt_en: Fix ethtool selftest output in one of the failure cases Kan Liang (1): perf/x86/intel: Only check the group flag for X86 leader Karol Kolacinski (2): ice: Don't check device type when checking GNSS presence ice: Remove unnecessary ice_is_e8xx() functions Karol Wachowski (4): accel/ivpu: Correct DCT interrupt handling accel/ivpu: Abort all jobs after command queue unregister accel/ivpu: Fix locking order in ivpu_job_submit accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW Kashyap Desai (1): bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings() Keith Busch (1): nvme-pci: fix queue unquiesce check on slot_reset Kenneth Graunke (1): drm/xe: Invalidate L3 read-only cachelines for geometry streams too Kent Overstreet (1): bcachefs: Change btree_insert_node() assertion to error Keoseong Park (1): scsi: ufs: core: Remove redundant query_complete trace Kiran K (2): Bluetooth: btintel_pcie: Avoid redundant buffer allocation Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths Kurt Borja (1): platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7 Larysa Zaremba (1): idpf: protect shutdown from reset Leo Li (1): drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF Lijo Lazar (1): drm/amdgpu: Fix offset for HDP remap in nbio v7.11 LongPing Wei (1): dm-bufio: don't schedule in atomic context Louis-Alexis Eyraud (2): net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Luiz Augusto von Dentz (2): Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync Madhavan Srinivasan (2): powerpc/boot: Check for ld-option support powerpc/boot: Fix dash warning Madhu Chittim (1): idpf: fix offloads support for encapsulated packets Maor Gottlieb (1): net/mlx5: E-Switch, Initialize MAC Address for Default GID Mario Limonciello (2): platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Mattias Barthel (1): net: fec: ERR007885 Workaround for conventional TX Maulik Shah (1): pinctrl: qcom: Fix PINGROUP definition for sm8750 Maxime Ripard (1): drm/tests: shmem: Fix memleak Michael Chan (1): bnxt_en: Fix ethtool -d byte order for 32-bit values Michael Liang (1): nvme-tcp: fix premature queue removal and I/O failover Michal Swiatkowski (1): idpf: fix potential memory leak on kcalloc() failure Mikulas Patocka (1): dm-integrity: fix a warning on invalid table line Ming Lei (5): ublk: add helper of ublk_need_map_io() ublk: move device reset into ublk_ch_release() ublk: remove __ublk_quiesce_dev() ublk: simplify aborting ublk request ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd Mingcong Bai (1): iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Murad Masimov (1): wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Namjae Jeon (1): ksmbd: fix use-after-free in ksmbd_session_rpc_open Naohiro Aota (2): block: introduce zone capacity helper btrfs: zoned: skip reporting zone for new block group Nico Pache (1): firmware: cs_dsp: tests: Depend on FW_CS_DSP rather then enabling it Nicolin Chen (2): iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids iommu: Fix two issues in iommu_copy_struct_from_user() Niravkumar L Rabara (2): EDAC/altera: Test the correct error reg offset EDAC/altera: Set DDR and SDMMC interrupt mask before registration Olivier Moysan (2): ASoC: stm32: sai: skip useless iterations on kernel rate loop ASoC: stm32: sai: add a check on minimal kernel frequency Paul Greenwalt (1): ice: fix Get Tx Topology AQ command error on E830 Pauli Virtanen (1): Bluetooth: L2CAP: copy RX timestamp to new fragments Pavel Paklov (1): iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Penglei Jiang (1): btrfs: fix the inode leak in btrfs_iget() Philipp Stanner (1): drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Qu Wenruo (1): btrfs: expose per-inode stable writes flag Rafael J. Wysocki (2): cpufreq: Avoid using inconsistent policy->min and policy->max cpufreq: Fix setting policy limits when frequency tables are used Raju Rangoju (1): spi: spi-mem: Add fix to avoid divide error Richard Fitzgerald (1): ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB Richard Zhu (1): arm64: dts: imx95: Correct the range of PCIe app-reg region Ruslan Piasetskyi (1): mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Russell Cloran (1): drm/mipi-dbi: Fix blanking for non-16 bit formats Sagi Maimon (1): ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations Sathesh B Edara (2): octeon_ep_vf: Resolve netdevice usage count issue octeon_ep: Fix host hang issue during device reboot Sean Christopherson (1): perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Sean Heelan (2): ksmbd: fix use-after-free in kerberos authentication ksmbd: fix use-after-free in session logoff Shannon Nelson (3): pds_core: make pdsc_auxbus_dev_del() void pds_core: specify auxiliary_device to be created pds_core: remove write-after-free of client_id Sheetal (1): ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Shouye Liu (1): platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Shravya KN (1): bnxt_en: Fix error handling path in bnxt_init_chip() Shruti Parab (2): bnxt_en: Fix coredump logic to free allocated buffer bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shyam Saini (3): kernel: param: rename locate_module_kobject kernel: globalize lookup_or_create_module_kobject() drivers: base: handle module_kobject creation Simon Horman (1): net: dlink: Correct endianness handling of led_mode Somnath Kotur (1): bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() Srinivas Pandruvada (1): cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Stefan Wahren (4): net: vertexcom: mse102x: Fix possible stuck of SPI interrupt net: vertexcom: mse102x: Fix LEN_MASK net: vertexcom: mse102x: Add range check for CMD_RTS net: vertexcom: mse102x: Fix RX error handling Stephan Gerhold (1): irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Steven Rostedt (1): tracing: Do not take trace_event_sem in print_event_fields() Sudeep Holla (1): firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Sébastien Szymanski (1): ARM: dts: opos6ul: add ksz8081 phy properties Takashi Iwai (2): ALSA: ump: Fix buffer overflow at UMP SysEx message conversion ALSA: hda/realtek: Fix built-mic regression on other ASUS models Thangaraj Samynathan (1): net: lan743x: Fix memleak issue when GSO enabled Tudor Ambarus (1): dm: fix copying after src array boundaries Tvrtko Ursulin (1): drm/fdinfo: Protect against driver unbind Uday Shankar (2): ublk: properly serialize all FETCH_REQs ublk: improve detection and handling of ublk server exit Vadim Fedorenko (2): bnxt_en: improve TX timestamping FIFO configuration bnxt_en: fix module unload sequence Venkata Prasad Potturu (1): ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Victor Nogueira (4): net_sched: drr: Fix double list add in class with netem as child qdisc net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc net_sched: ets: Fix double list add in class with netem as child qdisc net_sched: qfq: Fix double list add in class with netem as child qdisc Viresh Kumar (3): cpufreq: Introduce policy->boost_supported flag cpufreq: acpi: Set policy->boost_supported cpufreq: ACPI: Re-sync CPU boost state on system resume Vishal Badole (1): amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Vlad Dogaru (1): net/mlx5e: Use custom tunnel header for vxlan gbp Vladimir Oltean (2): net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID net: dsa: felix: fix broken taprio gate states after clock jump Wei Yang (2): mm/memblock: pass size instead of end to memblock_set_node() mm/memblock: repeat setting reserved region nid if array is doubled Wentao Liang (1): wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Will Deacon (1): arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Xuanqiang Luo (1): ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Yonglong Liu (1): net: hns3: fix an interrupt residual problem Zhenhua Huang (1): mm, slab: clean up slab->obj_exts always e.kubanski (2): xsk: Fix race condition in AF_XDP generic RX path xsk: Fix offset calculation in unaligned mode

8 months

1
1
0 0

Linux 6.12.28

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.28 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 arch/arm64/boot/dts/freescale/imx95.dtsi | 8 arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 arch/arm64/kernel/proton-pack.c | 2 arch/parisc/include/uapi/asm/socket.h | 10 arch/parisc/math-emu/driver.c | 16 arch/powerpc/boot/wrapper | 6 arch/powerpc/mm/book3s64/radix_pgtable.c | 17 arch/x86/boot/compressed/mem.c | 5 arch/x86/boot/compressed/sev.c | 40 + arch/x86/boot/compressed/sev.h | 2 arch/x86/events/core.c | 2 arch/x86/events/intel/core.c | 2 arch/x86/events/perf_event.h | 9 block/blk-mq-cpumap.c | 3 drivers/accel/ivpu/ivpu_drv.c | 38 - drivers/accel/ivpu/ivpu_drv.h | 9 drivers/accel/ivpu/ivpu_hw_btrs.h | 2 drivers/accel/ivpu/ivpu_job.c | 125 +++- drivers/accel/ivpu/ivpu_job.h | 1 drivers/accel/ivpu/ivpu_jsm_msg.c | 3 drivers/accel/ivpu/ivpu_mmu.c | 3 drivers/accel/ivpu/ivpu_pm.c | 18 drivers/accel/ivpu/ivpu_sysfs.c | 5 drivers/accel/ivpu/vpu_boot_api.h | 45 - drivers/accel/ivpu/vpu_jsm_api.h | 303 ++++++++-- drivers/android/binder.c | 2 drivers/base/module.c | 13 drivers/bluetooth/btintel_pcie.c | 57 + drivers/bluetooth/btusb.c | 137 +++- drivers/cpufreq/cpufreq.c | 42 + drivers/cpufreq/cpufreq_ondemand.c | 3 drivers/cpufreq/freq_table.c | 6 drivers/cpufreq/intel_pstate.c | 3 drivers/edac/altera_edac.c | 9 drivers/edac/altera_edac.h | 2 drivers/firmware/arm_ffa/driver.c | 3 drivers/firmware/arm_scmi/bus.c | 3 drivers/gpu/drm/Kconfig | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 - drivers/gpu/drm/drm_file.c | 6 drivers/gpu/drm/drm_mipi_dbi.c | 6 drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 drivers/gpu/drm/meson/meson_vclk.c | 6 drivers/gpu/drm/nouveau/nouveau_fence.c | 2 drivers/gpu/drm/tests/drm_gem_shmem_test.c | 3 drivers/gpu/drm/xe/xe_hw_engine.c | 12 drivers/i2c/busses/i2c-imx-lpi2c.c | 4 drivers/iommu/amd/init.c | 8 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-qcom-mpm.c | 3 drivers/md/dm-bufio.c | 9 drivers/md/dm-integrity.c | 2 drivers/md/dm-table.c | 5 drivers/mmc/host/renesas_sdhi_core.c | 10 drivers/net/dsa/ocelot/felix_vsc9959.c | 5 drivers/net/ethernet/amd/pds_core/auxbus.c | 39 - drivers/net/ethernet/amd/pds_core/core.h | 7 drivers/net/ethernet/amd/pds_core/devlink.c | 7 drivers/net/ethernet/amd/pds_core/main.c | 11 drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 20 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 40 + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 29 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 1 drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/dlink/dl2k.h | 2 drivers/net/ethernet/freescale/fec_main.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 +- drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 drivers/net/ethernet/intel/idpf/idpf.h | 18 drivers/net/ethernet/intel/idpf/idpf_lib.c | 76 -- drivers/net/ethernet/intel/idpf/idpf_main.c | 1 drivers/net/ethernet/intel/igc/igc_ptp.c | 6 drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 18 drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c | 32 - drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 drivers/net/ethernet/microchip/lan743x_main.c | 8 drivers/net/ethernet/microchip/lan743x_main.h | 1 drivers/net/ethernet/mscc/ocelot.c | 6 drivers/net/ethernet/realtek/rtase/rtase_main.c | 4 drivers/net/ethernet/vertexcom/mse102x.c | 36 - drivers/net/mdio/mdio-mux-meson-gxl.c | 3 drivers/net/usb/rndis_host.c | 16 drivers/net/vxlan/vxlan_vnifilter.c | 8 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 1 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 9 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 13 drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 drivers/net/wireless/purelifi/plfxlc/mac.c | 1 drivers/nvme/host/Kconfig | 1 drivers/nvme/host/pci.c | 2 drivers/nvme/host/tcp.c | 31 - drivers/nvme/target/Kconfig | 1 drivers/pinctrl/freescale/pinctrl-imx.c | 6 drivers/platform/x86/amd/pmc/pmc.c | 7 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 13 drivers/ptp/ptp_ocp.c | 52 + drivers/spi/spi-tegra114.c | 6 drivers/ufs/core/ufshcd.c | 2 fs/bcachefs/xattr_format.h | 8 fs/btrfs/extent_io.c | 2 fs/btrfs/inode.c | 9 fs/smb/client/smb2pdu.c | 1 fs/smb/server/auth.c | 14 fs/smb/server/mgmt/user_session.c | 20 fs/smb/server/mgmt/user_session.h | 1 fs/smb/server/smb2pdu.c | 9 include/linux/cpufreq.h | 83 +- include/linux/iommu.h | 8 include/linux/module.h | 2 include/net/bluetooth/hci.h | 4 include/net/bluetooth/hci_core.h | 20 include/net/bluetooth/hci_sync.h | 3 include/net/xdp_sock.h | 3 include/net/xsk_buff_pool.h | 2 include/sound/ump_convert.h | 2 kernel/params.c | 6 kernel/trace/trace.c | 5 kernel/trace/trace_output.c | 4 mm/memblock.c | 12 mm/slub.c | 27 net/bluetooth/hci_conn.c | 189 ------ net/bluetooth/hci_event.c | 15 net/bluetooth/hci_sync.c | 150 ++++ net/bluetooth/iso.c | 26 net/bluetooth/l2cap_core.c | 3 net/ipv4/tcp_offload.c | 2 net/ipv4/udp_offload.c | 61 +- net/ipv6/tcpv6_offload.c | 2 net/sched/sch_drr.c | 16 net/sched/sch_ets.c | 17 net/sched/sch_hfsc.c | 10 net/sched/sch_htb.c | 2 net/sched/sch_qfq.c | 18 net/xdp/xsk.c | 6 net/xdp/xsk_buff_pool.c | 1 sound/pci/hda/patch_realtek.c | 20 sound/soc/amd/acp/acp-i2s.c | 2 sound/soc/codecs/Kconfig | 5 sound/soc/generic/simple-card-utils.c | 4 sound/soc/sdw_utils/soc_sdw_rt_dmic.c | 2 sound/soc/soc-core.c | 32 - sound/soc/soc-pcm.c | 5 sound/usb/endpoint.c | 7 sound/usb/format.c | 3 169 files changed, 1846 insertions(+), 983 deletions(-) Aaron Kling (1): spi: tegra114: Don't fail set_cs_timing when delays are zero Aaron Ma (1): Bluetooth: btusb: add Foxconn 0xe0fc for Qualcomm WCN785x Alan Huang (1): bcachefs: Remove incorrect __counted_by annotation Alexander Stein (1): ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction Alistair Francis (2): nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS Andrew Kreimer (1): accel/ivpu: Fix a typo Andrzej Kacprowski (1): accel/ivpu: Update VPU FW API headers Ard Biesheuvel (1): x86/boot/sev: Support memory acceptance in the EFI stub under SVSM Balbir Singh (1): iommu/arm-smmu-v3: Fix pgsize_bit for sva domains Benjamin Marzinski (1): dm: always update the array size in realloc_argv on success Carlos Llamas (1): binder: fix offset calculation in debug log Chad Monroe (1): net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Chen Linxuan (1): drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Chenyuan Yang (1): ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init() Chris Bainbridge (1): drm/amd/display: Fix slab-use-after-free in hdcp Chris Mi (1): net/mlx5: E-switch, Fix error handling for enabling roce Christian Bruel (2): arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Heusel (1): Revert "rndis_host: Flag RNDIS modems as WWAN devices" Christian Hewitt (1): Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Clark Wang (1): i2c: imx-lpi2c: Fix clock count when probe defers Cong Wang (5): sch_htb: make htb_qlen_notify() idempotent sch_drr: make drr_qlen_notify() idempotent sch_hfsc: make hfsc_qlen_notify() idempotent sch_qfq: make qfq_qlen_notify() idempotent sch_ets: make est_qlen_notify() idempotent Cosmin Ratiu (1): net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover Cristian Marussi (1): firmware: arm_scmi: Balance device refcount when destroying devices Da Xue (1): net: mdio: mux-meson-gxl: set reversed bit when using internal phy Daniel Golle (1): net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array Daniel Wagner (1): blk-mq: create correct map for fallback case Dave Chen (1): btrfs: fix COW handling in run_delalloc_nocow() Donet Tom (1): book3s64/radix : Align section vmemmap start address to PAGE_SIZE Dorian Cruveiller (1): Bluetooth: btusb: Add new VID/PID for WCN785x Emmanuel Grumbach (2): wifi: iwlwifi: don't warn if the NIC is gone in resume wifi: iwlwifi: fix the check for the SCRATCH register upon resume En-Wei Wu (1): Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Felix Fietkau (1): net: ipv6: fix UDPv6 GSO segmentation with NAT Geert Uytterhoeven (1): ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Geoffrey D. Bennett (1): ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Greg Kroah-Hartman (1): Linux 6.12.28 Hao Lan (1): net: hns3: fixed debugfs tm_qset size Helge Deller (1): parisc: Fix double SIGFPE crash Hui Wang (1): pinctrl: imx: Return NULL if no group is matched and found Ido Schimmel (1): vxlan: vnifilter: Fix unlocked deletion of default FDB entry Iulia Tanasescu (1): Bluetooth: hci_conn: Remove alloc from critical section Jacob Keller (1): igc: fix lock order in igc_ptp_reset Janne Grunau (1): drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS Jeongjun Park (1): tracing: Fix oob write in trace_seq_to_buffer() Jethro Donaldson (1): smb: client: fix zero length for mkdir POSIX create context Jian Shen (2): net: hns3: store rx VLAN tag offload state for VF net: hns3: defer calling ptp_clock_register() Jianbo Liu (1): net/mlx5e: TC, Continue the attr process even if encap entry is invalid Jibin Zhang (1): net: use sock_gen_put() when sk_state is TCP_TIME_WAIT Joachim Priesner (1): ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Josef Bacik (1): btrfs: adjust subpage bit start based on sectorsize Justin Lai (1): rtase: Modify the condition used to detect overflow in rtase_calc_time_mitigation Kailang Yang (1): ALSA: hda/realtek - Enable speaker for HP platform Kalesh AP (1): bnxt_en: Fix ethtool selftest output in one of the failure cases Kan Liang (1): perf/x86/intel: Only check the group flag for X86 leader Karol Wachowski (5): accel/ivpu: Correct DCT interrupt handling accel/ivpu: Use xa_alloc_cyclic() instead of custom function accel/ivpu: Abort all jobs after command queue unregister accel/ivpu: Fix locking order in ivpu_job_submit accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW Kashyap Desai (1): bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings() Keith Busch (1): nvme-pci: fix queue unquiesce check on slot_reset Keoseong Park (1): scsi: ufs: core: Remove redundant query_complete trace Kiran K (2): Bluetooth: btintel_pcie: Avoid redundant buffer allocation Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths Larysa Zaremba (1): idpf: protect shutdown from reset Leo Li (1): drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF Lijo Lazar (1): drm/amdgpu: Fix offset for HDP remap in nbio v7.11 LongPing Wei (1): dm-bufio: don't schedule in atomic context Louis-Alexis Eyraud (2): net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Luiz Augusto von Dentz (2): Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync Madhavan Srinivasan (2): powerpc/boot: Check for ld-option support powerpc/boot: Fix dash warning Madhu Chittim (1): idpf: fix offloads support for encapsulated packets Maor Gottlieb (1): net/mlx5: E-Switch, Initialize MAC Address for Default GID Mario Limonciello (2): platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Mark Dietzer (1): Bluetooth: btusb: Add ID 0x2c7c:0x0130 for Qualcomm WCN785x Mattias Barthel (1): net: fec: ERR007885 Workaround for conventional TX Maxime Ripard (1): drm/tests: shmem: Fix memleak Michael Chan (1): bnxt_en: Fix ethtool -d byte order for 32-bit values Michael Liang (1): nvme-tcp: fix premature queue removal and I/O failover Michal Swiatkowski (1): idpf: fix potential memory leak on kcalloc() failure Mikulas Patocka (1): dm-integrity: fix a warning on invalid table line Mingcong Bai (1): iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Murad Masimov (1): wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Namjae Jeon (1): ksmbd: fix use-after-free in ksmbd_session_rpc_open Nicolin Chen (2): iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids iommu: Fix two issues in iommu_copy_struct_from_user() Niranjana Vishwanathapura (1): drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change Niravkumar L Rabara (2): EDAC/altera: Test the correct error reg offset EDAC/altera: Set DDR and SDMMC interrupt mask before registration Pauli Virtanen (1): Bluetooth: L2CAP: copy RX timestamp to new fragments Pavel Paklov (1): iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Philipp Stanner (1): drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Pranjal Shrivastava (1): net: Fix the devmem sock opts and msgs for parisc Rafael J. Wysocki (2): cpufreq: Avoid using inconsistent policy->min and policy->max cpufreq: Fix setting policy limits when frequency tables are used Richard Fitzgerald (1): ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB Richard Zhu (1): arm64: dts: imx95: Correct the range of PCIe app-reg region Ruslan Piasetskyi (1): mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Russell Cloran (1): drm/mipi-dbi: Fix blanking for non-16 bit formats Sagi Maimon (1): ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations Sathesh B Edara (2): octeon_ep_vf: Resolve netdevice usage count issue octeon_ep: Fix host hang issue during device reboot Sean Christopherson (1): perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Sean Heelan (2): ksmbd: fix use-after-free in kerberos authentication ksmbd: fix use-after-free in session logoff Shannon Nelson (3): pds_core: make pdsc_auxbus_dev_del() void pds_core: specify auxiliary_device to be created pds_core: remove write-after-free of client_id Sheetal (1): ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Shouye Liu (1): platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Shravya KN (1): bnxt_en: Fix error handling path in bnxt_init_chip() Shruti Parab (2): bnxt_en: Fix coredump logic to free allocated buffer bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shyam Saini (3): kernel: param: rename locate_module_kobject kernel: globalize lookup_or_create_module_kobject() drivers: base: handle module_kobject creation Simon Horman (1): net: dlink: Correct endianness handling of led_mode Somnath Kotur (1): bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() Srinivas Pandruvada (1): cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Stefan Wahren (4): net: vertexcom: mse102x: Fix possible stuck of SPI interrupt net: vertexcom: mse102x: Fix LEN_MASK net: vertexcom: mse102x: Add range check for CMD_RTS net: vertexcom: mse102x: Fix RX error handling Stephan Gerhold (1): irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Steven Rostedt (1): tracing: Do not take trace_event_sem in print_event_fields() Sudeep Holla (1): firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Sébastien Szymanski (1): ARM: dts: opos6ul: add ksz8081 phy properties Takashi Iwai (2): ALSA: ump: Fix buffer overflow at UMP SysEx message conversion ALSA: hda/realtek: Fix built-mic regression on other ASUS models Thangaraj Samynathan (1): net: lan743x: Fix memleak issue when GSO enabled Tomasz Rusinowicz (1): accel/ivpu: Make DB_ID and JOB_ID allocations incremental Tudor Ambarus (1): dm: fix copying after src array boundaries Tvrtko Ursulin (1): drm/fdinfo: Protect against driver unbind Vadim Fedorenko (2): bnxt_en: improve TX timestamping FIFO configuration bnxt_en: fix module unload sequence Venkata Prasad Potturu (1): ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Victor Nogueira (4): net_sched: drr: Fix double list add in class with netem as child qdisc net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc net_sched: ets: Fix double list add in class with netem as child qdisc net_sched: qfq: Fix double list add in class with netem as child qdisc Vishal Badole (1): amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Vlad Dogaru (1): net/mlx5e: Use custom tunnel header for vxlan gbp Vladimir Oltean (2): net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID net: dsa: felix: fix broken taprio gate states after clock jump Wei Yang (2): mm/memblock: pass size instead of end to memblock_set_node() mm/memblock: repeat setting reserved region nid if array is doubled Wentao Liang (1): wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Will Deacon (1): arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Xuanqiang Luo (1): ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Yonglong Liu (1): net: hns3: fix an interrupt residual problem Zhenhua Huang (1): mm, slab: clean up slab->obj_exts always Zijun Hu (3): Bluetooth: btusb: Add one more ID 0x0489:0xe0f3 for Qualcomm WCN785x Bluetooth: btusb: Add one more ID 0x13d3:0x3623 for Qualcomm WCN785x Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x e.kubanski (1): xsk: Fix race condition in AF_XDP generic RX path

8 months

1
1
0 0

Linux 6.6.90

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.90 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 arch/arm64/kernel/proton-pack.c | 2 arch/parisc/math-emu/driver.c | 16 arch/powerpc/boot/wrapper | 6 arch/powerpc/mm/book3s64/radix_pgtable.c | 17 arch/riscv/include/asm/patch.h | 2 arch/riscv/kernel/patch.c | 14 arch/riscv/kernel/probes/kprobes.c | 18 arch/riscv/net/bpf_jit_comp64.c | 7 arch/x86/events/intel/core.c | 2 arch/x86/include/asm/kvm-x86-ops.h | 1 arch/x86/include/asm/kvm_host.h | 1 arch/x86/kvm/svm/svm.c | 13 arch/x86/kvm/vmx/vmx.c | 11 arch/x86/kvm/x86.c | 3 drivers/base/module.c | 13 drivers/bluetooth/btusb.c | 101 +++-- drivers/cpufreq/cpufreq.c | 42 +- drivers/cpufreq/cpufreq_ondemand.c | 3 drivers/cpufreq/freq_table.c | 6 drivers/edac/altera_edac.c | 9 drivers/edac/altera_edac.h | 2 drivers/firmware/arm_ffa/driver.c | 3 drivers/firmware/arm_scmi/bus.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 +- drivers/gpu/drm/drm_file.c | 6 drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 drivers/gpu/drm/meson/meson_vclk.c | 6 drivers/gpu/drm/nouveau/nouveau_fence.c | 2 drivers/i2c/busses/i2c-imx-lpi2c.c | 4 drivers/iommu/amd/init.c | 8 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 ++-- drivers/iommu/intel/iommu.c | 4 drivers/iommu/iommu.c | 18 drivers/irqchip/irq-qcom-mpm.c | 3 drivers/md/dm-bufio.c | 9 drivers/md/dm-integrity.c | 2 drivers/md/dm-table.c | 5 drivers/mmc/host/renesas_sdhi_core.c | 10 drivers/net/dsa/ocelot/felix_vsc9959.c | 5 drivers/net/ethernet/amd/pds_core/auxbus.c | 49 +- drivers/net/ethernet/amd/pds_core/core.h | 7 drivers/net/ethernet/amd/pds_core/dev.c | 11 drivers/net/ethernet/amd/pds_core/devlink.c | 7 drivers/net/ethernet/amd/pds_core/main.c | 23 + drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 20 - drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 + drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/dlink/dl2k.h | 2 drivers/net/ethernet/freescale/fec_main.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 ++-- drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 - drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 drivers/net/ethernet/intel/igc/igc_ptp.c | 6 drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 14 drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 drivers/net/ethernet/microchip/lan743x_main.c | 8 drivers/net/ethernet/microchip/lan743x_main.h | 1 drivers/net/ethernet/mscc/ocelot.c | 194 +++++++++- drivers/net/ethernet/mscc/ocelot_vcap.c | 1 drivers/net/ethernet/vertexcom/mse102x.c | 36 + drivers/net/mdio/mdio-mux-meson-gxl.c | 3 drivers/net/usb/rndis_host.c | 16 drivers/net/vxlan/vxlan_vnifilter.c | 8 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 drivers/net/wireless/purelifi/plfxlc/mac.c | 1 drivers/nvme/host/pci.c | 2 drivers/nvme/host/tcp.c | 31 + drivers/pci/controller/dwc/pci-imx6.c | 3 drivers/platform/x86/amd/pmc/pmc.c | 7 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 13 drivers/spi/spi-tegra114.c | 6 drivers/usb/host/xhci-debugfs.c | 2 drivers/usb/host/xhci-hub.c | 30 - drivers/usb/host/xhci-mem.c | 175 +++++++-- drivers/usb/host/xhci-ring.c | 4 drivers/usb/host/xhci.c | 80 ++-- drivers/usb/host/xhci.h | 20 - fs/btrfs/inode.c | 9 fs/smb/client/smb2pdu.c | 1 fs/smb/server/auth.c | 14 fs/smb/server/smb2pdu.c | 5 include/linux/bpf.h | 1 include/linux/bpf_verifier.h | 1 include/linux/cpufreq.h | 83 ++-- include/linux/filter.h | 2 include/linux/module.h | 2 include/linux/pds/pds_core_if.h | 1 include/linux/skbuff.h | 52 ++ include/net/inet_frag.h | 4 include/soc/mscc/ocelot_vcap.h | 2 include/sound/ump_convert.h | 2 kernel/bpf/core.c | 2 kernel/bpf/verifier.c | 81 +++- kernel/params.c | 6 kernel/trace/trace.c | 5 kernel/trace/trace_output.c | 4 mm/memblock.c | 12 net/bluetooth/l2cap_core.c | 3 net/bridge/netfilter/nf_conntrack_bridge.c | 6 net/core/dev.c | 2 net/core/filter.c | 75 +-- net/ieee802154/6lowpan/reassembly.c | 2 net/ipv4/inet_fragment.c | 2 net/ipv4/ip_fragment.c | 2 net/ipv4/ip_output.c | 9 net/ipv4/tcp_output.c | 14 net/ipv4/udp_offload.c | 61 +++ net/ipv6/ip6_output.c | 6 net/ipv6/netfilter.c | 6 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 net/ipv6/reassembly.c | 2 net/ipv6/tcp_ipv6.c | 2 net/sched/act_bpf.c | 4 net/sched/cls_bpf.c | 4 net/sched/sch_drr.c | 16 net/sched/sch_ets.c | 17 net/sched/sch_hfsc.c | 10 net/sched/sch_htb.c | 2 net/sched/sch_qfq.c | 18 sound/soc/codecs/ak4613.c | 4 sound/soc/soc-core.c | 36 - sound/soc/soc-pcm.c | 5 sound/usb/endpoint.c | 7 sound/usb/format.c | 3 tools/testing/selftests/bpf/prog_tests/changes_pkt_data.c | 107 +++++ tools/testing/selftests/bpf/progs/changes_pkt_data.c | 39 ++ tools/testing/selftests/bpf/progs/changes_pkt_data_freplace.c | 18 tools/testing/selftests/bpf/progs/verifier_sock.c | 56 ++ 142 files changed, 1757 insertions(+), 650 deletions(-) Aaron Kling (1): spi: tegra114: Don't fail set_cs_timing when delays are zero Abhishek Chauhan (1): net: Rename mono_delivery_time to tstamp_type for scalabilty Benjamin Marzinski (1): dm: always update the array size in realloc_argv on success Chad Monroe (1): net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Chen Linxuan (1): drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Chris Bainbridge (1): drm/amd/display: Fix slab-use-after-free in hdcp Chris Mi (1): net/mlx5: E-switch, Fix error handling for enabling roce Christian Bruel (2): arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Heusel (1): Revert "rndis_host: Flag RNDIS modems as WWAN devices" Christian Hewitt (1): Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Clark Wang (1): i2c: imx-lpi2c: Fix clock count when probe defers Cong Wang (5): sch_htb: make htb_qlen_notify() idempotent sch_drr: make drr_qlen_notify() idempotent sch_hfsc: make hfsc_qlen_notify() idempotent sch_qfq: make qfq_qlen_notify() idempotent sch_ets: make est_qlen_notify() idempotent Cristian Marussi (1): firmware: arm_scmi: Balance device refcount when destroying devices Da Xue (1): net: mdio: mux-meson-gxl: set reversed bit when using internal phy Dave Chen (1): btrfs: fix COW handling in run_delalloc_nocow() Donet Tom (1): book3s64/radix : Align section vmemmap start address to PAGE_SIZE Eduard Zingerman (10): bpf: add find_containing_subprog() utility function bpf: refactor bpf_helper_changes_pkt_data to use helper number bpf: track changes_pkt_data property for global functions selftests/bpf: test for changing packet data from global functions bpf: check changes_pkt_data property for extension programs selftests/bpf: freplace tests for tracking of changes_packet_data bpf: consider that tail calls invalidate packet pointers selftests/bpf: validate that tail call invalidates packet pointers bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs selftests/bpf: extend changes_pkt_data with cases w/o subprograms En-Wei Wu (1): Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Felix Fietkau (1): net: ipv6: fix UDPv6 GSO segmentation with NAT Geert Uytterhoeven (1): ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Geoffrey D. Bennett (1): ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Greg Kroah-Hartman (1): Linux 6.6.90 Hao Lan (1): net: hns3: fixed debugfs tm_qset size Helge Deller (1): parisc: Fix double SIGFPE crash Ido Schimmel (1): vxlan: vnifilter: Fix unlocked deletion of default FDB entry Jacob Keller (1): igc: fix lock order in igc_ptp_reset Jason Gunthorpe (1): iommu/arm-smmu-v3: Use the new rb tree helpers Jeongjun Park (1): tracing: Fix oob write in trace_seq_to_buffer() Jethro Donaldson (1): smb: client: fix zero length for mkdir POSIX create context Jian Shen (2): net: hns3: store rx VLAN tag offload state for VF net: hns3: defer calling ptp_clock_register() Joachim Priesner (1): ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Jonathan Bell (1): xhci: Use more than one Event Ring segment Keith Busch (1): nvme-pci: fix queue unquiesce check on slot_reset LongPing Wei (1): dm-bufio: don't schedule in atomic context Louis-Alexis Eyraud (2): net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Lukas Wunner (2): xhci: Set DESI bits in ERDP register correctly xhci: Clean up stale comment on ERST_SIZE macro Madhavan Srinivasan (2): powerpc/boot: Check for ld-option support powerpc/boot: Fix dash warning Maor Gottlieb (1): net/mlx5: E-Switch, Initialize MAC Address for Default GID Marc Zyngier (1): usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() Mario Limonciello (2): platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Mathias Nyman (6): xhci: split free interrupter into separate remove and free parts xhci: add support to allocate several interrupters xhci: Add helper to set an interrupters interrupt moderation interval xhci: support setting interrupt moderation IMOD for secondary interrupters xhci: Limit time spent with xHC interrupts disabled during bus resume xhci: fix possible null pointer dereference at secondary interrupter removal Mattias Barthel (1): net: fec: ERR007885 Workaround for conventional TX Michael Chan (1): bnxt_en: Fix ethtool -d byte order for 32-bit values Michael Liang (1): nvme-tcp: fix premature queue removal and I/O failover Mikulas Patocka (1): dm-integrity: fix a warning on invalid table line Mingcong Bai (1): iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Murad Masimov (1): wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Nicolin Chen (1): iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Niklas Neronin (1): usb: xhci: check if 'requested segments' exceeds ERST capacity Niravkumar L Rabara (2): EDAC/altera: Test the correct error reg offset EDAC/altera: Set DDR and SDMMC interrupt mask before registration Pauli Virtanen (1): Bluetooth: L2CAP: copy RX timestamp to new fragments Pavel Paklov (1): iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Philipp Stanner (1): drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Rafael J. Wysocki (2): cpufreq: Avoid using inconsistent policy->min and policy->max cpufreq: Fix setting policy limits when frequency tables are used Richard Zhu (1): PCI: imx6: Skip controller_id generation logic for i.MX7D Rob Herring (Arm) (1): ASoC: Use of_property_read_bool() Robin Murphy (1): iommu: Handle race with default domain setup Ruslan Piasetskyi (1): mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Ryan Matthews (1): Revert "PCI: imx6: Skip controller_id generation logic for i.MX7D" Samuel Holland (1): riscv: Pass patch_text() the length in bytes Sathesh B Edara (1): octeon_ep: Fix host hang issue during device reboot Sean Christopherson (2): perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Sean Heelan (1): ksmbd: fix use-after-free in kerberos authentication Shannon Nelson (5): pds_core: check health in devcmd wait pds_core: delete VF dev on reset pds_core: make pdsc_auxbus_dev_del() void pds_core: specify auxiliary_device to be created pds_core: remove write-after-free of client_id Sheetal (1): ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Shouye Liu (1): platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Shruti Parab (2): bnxt_en: Fix coredump logic to free allocated buffer bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shyam Saini (3): kernel: param: rename locate_module_kobject kernel: globalize lookup_or_create_module_kobject() drivers: base: handle module_kobject creation Simon Horman (1): net: dlink: Correct endianness handling of led_mode Stefan Wahren (4): net: vertexcom: mse102x: Fix possible stuck of SPI interrupt net: vertexcom: mse102x: Fix LEN_MASK net: vertexcom: mse102x: Add range check for CMD_RTS net: vertexcom: mse102x: Fix RX error handling Stephan Gerhold (1): irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Steven Rostedt (1): tracing: Do not take trace_event_sem in print_event_fields() Sudeep Holla (1): firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Sébastien Szymanski (1): ARM: dts: opos6ul: add ksz8081 phy properties Takashi Iwai (1): ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Thangaraj Samynathan (1): net: lan743x: Fix memleak issue when GSO enabled Tudor Ambarus (1): dm: fix copying after src array boundaries Tvrtko Ursulin (1): drm/fdinfo: Protect against driver unbind Victor Nogueira (4): net_sched: drr: Fix double list add in class with netem as child qdisc net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc net_sched: ets: Fix double list add in class with netem as child qdisc net_sched: qfq: Fix double list add in class with netem as child qdisc Vishal Badole (1): amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Vladimir Oltean (3): net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID net: dsa: felix: fix broken taprio gate states after clock jump Wei Yang (2): mm/memblock: pass size instead of end to memblock_set_node() mm/memblock: repeat setting reserved region nid if array is doubled Wentao Liang (1): wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Will Deacon (1): arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Xuanqiang Luo (1): ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Yonglong Liu (1): net: hns3: fix an interrupt residual problem

8 months

1
1
0 0

Linux 6.1.138

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.138 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/imx6ul-imx6ull-opos6ul.dtsi | 3 arch/arm64/kernel/proton-pack.c | 2 arch/parisc/math-emu/driver.c | 16 arch/x86/events/intel/core.c | 2 arch/x86/include/asm/kexec.h | 18 arch/x86/include/asm/kvm-x86-ops.h | 1 arch/x86/include/asm/kvm_host.h | 1 arch/x86/kernel/machine_kexec_64.c | 45 - arch/x86/kvm/svm/svm.c | 13 arch/x86/kvm/vmx/vmx.c | 11 arch/x86/kvm/x86.c | 3 drivers/cpufreq/cpufreq.c | 42 drivers/cpufreq/cpufreq_ondemand.c | 3 drivers/cpufreq/freq_table.c | 6 drivers/edac/altera_edac.c | 9 drivers/edac/altera_edac.h | 2 drivers/firmware/arm_ffa/driver.c | 3 drivers/firmware/arm_scmi/bus.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 429 +++++----- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.h | 5 drivers/gpu/drm/meson/meson_vclk.c | 6 drivers/gpu/drm/nouveau/nouveau_fence.c | 2 drivers/i2c/busses/i2c-imx-lpi2c.c | 4 drivers/iommu/amd/init.c | 8 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 - drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-gic-v2m.c | 8 drivers/irqchip/irq-qcom-mpm.c | 3 drivers/md/dm-bufio.c | 3 drivers/md/dm-integrity.c | 2 drivers/md/dm-table.c | 5 drivers/md/md.c | 27 drivers/md/md.h | 2 drivers/md/raid0.c | 16 drivers/md/raid5.c | 41 drivers/mmc/host/renesas_sdhi_core.c | 10 drivers/net/dsa/ocelot/felix_vsc9959.c | 5 drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 20 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/dlink/dl2k.h | 2 drivers/net/ethernet/freescale/fec_main.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 - drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 drivers/net/ethernet/microchip/lan743x_main.c | 8 drivers/net/ethernet/microchip/lan743x_main.h | 1 drivers/net/ethernet/mscc/ocelot.c | 194 ++++ drivers/net/ethernet/mscc/ocelot_vcap.c | 1 drivers/net/ethernet/vertexcom/mse102x.c | 36 drivers/net/phy/microchip.c | 46 - drivers/net/usb/rndis_host.c | 16 drivers/net/vxlan/vxlan_vnifilter.c | 8 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 drivers/net/wireless/purelifi/plfxlc/mac.c | 1 drivers/nvme/host/tcp.c | 31 drivers/pci/controller/dwc/pci-imx6.c | 5 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 13 fs/smb/server/auth.c | 14 fs/smb/server/smb2pdu.c | 5 fs/xfs/libxfs/xfs_attr_remote.c | 1 fs/xfs/libxfs/xfs_bmap.c | 130 ++- fs/xfs/libxfs/xfs_da_btree.c | 20 fs/xfs/libxfs/xfs_inode_buf.c | 47 - fs/xfs/libxfs/xfs_sb.c | 7 fs/xfs/scrub/attr.c | 5 fs/xfs/xfs_aops.c | 54 - fs/xfs/xfs_attr_item.c | 88 +- fs/xfs/xfs_bmap_util.c | 61 - fs/xfs/xfs_bmap_util.h | 2 fs/xfs/xfs_dquot.c | 1 fs/xfs/xfs_icache.c | 2 fs/xfs/xfs_inode.c | 14 fs/xfs/xfs_iomap.c | 81 + fs/xfs/xfs_reflink.c | 20 fs/xfs/xfs_rtalloc.c | 2 include/linux/cpufreq.h | 83 + include/soc/mscc/ocelot_vcap.h | 2 kernel/trace/trace.c | 5 net/ipv4/udp_offload.c | 61 + net/sched/sch_drr.c | 16 net/sched/sch_ets.c | 17 net/sched/sch_hfsc.c | 10 net/sched/sch_htb.c | 2 net/sched/sch_qfq.c | 18 sound/soc/codecs/ak4613.c | 4 sound/soc/soc-core.c | 36 sound/soc/soc-pcm.c | 5 sound/usb/format.c | 3 101 files changed, 1467 insertions(+), 837 deletions(-) Benjamin Marzinski (1): dm: always update the array size in realloc_argv on success Bhawanpreet Lakha (1): drm/amd/display: Change HDCP update sequence for DM Chris Bainbridge (1): drm/amd/display: Fix slab-use-after-free in hdcp Chris Mi (1): net/mlx5: E-switch, Fix error handling for enabling roce Christian Heusel (1): Revert "rndis_host: Flag RNDIS modems as WWAN devices" Christian Hewitt (1): Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Christoph Hellwig (4): xfs: fix error returns from xfs_bmapi_write xfs: fix xfs_bmap_add_extent_delay_real for partial conversions xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent xfs: fix freeing speculative preallocations for preallocated files Clark Wang (1): i2c: imx-lpi2c: Fix clock count when probe defers Cong Wang (5): sch_htb: make htb_qlen_notify() idempotent sch_drr: make drr_qlen_notify() idempotent sch_hfsc: make hfsc_qlen_notify() idempotent sch_qfq: make qfq_qlen_notify() idempotent sch_ets: make est_qlen_notify() idempotent Cristian Marussi (1): firmware: arm_scmi: Balance device refcount when destroying devices Darrick J. Wong (7): xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 xfs: validate recovered name buffers when recovering xattr items xfs: revert commit 44af6c7e59b12 xfs: allow symlinks with short remote targets xfs: allow unlinked symlinks and dirs with zero size xfs: restrict when we try to align cow fork delalloc to cowextsz hints Felix Fietkau (1): net: ipv6: fix UDPv6 GSO segmentation with NAT Fiona Klute (1): net: phy: microchip: force IRQ polling mode for lan88xx Geert Uytterhoeven (1): ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Greg Kroah-Hartman (2): Revert "x86/kexec: Allocate PGD for x86_64 transition page tables separately" Linux 6.1.138 Hao Lan (1): net: hns3: fixed debugfs tm_qset size Helge Deller (1): parisc: Fix double SIGFPE crash Ido Schimmel (1): vxlan: vnifilter: Fix unlocked deletion of default FDB entry Jason Gunthorpe (1): iommu/arm-smmu-v3: Use the new rb tree helpers Jeongjun Park (1): tracing: Fix oob write in trace_seq_to_buffer() Jian Shen (2): net: hns3: store rx VLAN tag offload state for VF net: hns3: defer calling ptp_clock_register() Joachim Priesner (1): ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset LongPing Wei (1): dm-bufio: don't schedule in atomic context Louis-Alexis Eyraud (2): net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Maor Gottlieb (1): net/mlx5: E-Switch, Initialize MAC Address for Default GID Mario Limonciello (1): drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Mattias Barthel (1): net: fec: ERR007885 Workaround for conventional TX Michael Chan (1): bnxt_en: Fix ethtool -d byte order for 32-bit values Michael Liang (1): nvme-tcp: fix premature queue removal and I/O failover Mikulas Patocka (1): dm-integrity: fix a warning on invalid table line Mingcong Bai (1): iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Murad Masimov (1): wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Nicolin Chen (1): iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Niravkumar L Rabara (2): EDAC/altera: Test the correct error reg offset EDAC/altera: Set DDR and SDMMC interrupt mask before registration Pavel Paklov (1): iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Philipp Stanner (1): drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Rafael J. Wysocki (2): cpufreq: Avoid using inconsistent policy->min and policy->max cpufreq: Fix setting policy limits when frequency tables are used Richard Zhu (1): PCI: imx6: Skip controller_id generation logic for i.MX7D Rob Herring (Arm) (1): ASoC: Use of_property_read_bool() Ruslan Piasetskyi (1): mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Sean Christopherson (2): perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Sean Heelan (1): ksmbd: fix use-after-free in kerberos authentication Sheetal (1): ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Shouye Liu (1): platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Shruti Parab (2): bnxt_en: Fix coredump logic to free allocated buffer bnxt_en: Fix out-of-bound memcpy() during ethtool -w Simon Horman (1): net: dlink: Correct endianness handling of led_mode Srinivasan Shanmugam (1): drm/amd/display: Clean up style problems in amdgpu_dm_hdcp.c Stefan Wahren (4): net: vertexcom: mse102x: Fix possible stuck of SPI interrupt net: vertexcom: mse102x: Fix LEN_MASK net: vertexcom: mse102x: Add range check for CMD_RTS net: vertexcom: mse102x: Fix RX error handling Stephan Gerhold (1): irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Sudeep Holla (1): firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Suzuki K Poulose (1): irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Sébastien Szymanski (1): ARM: dts: opos6ul: add ksz8081 phy properties Thangaraj Samynathan (1): net: lan743x: Fix memleak issue when GSO enabled Thomas Gleixner (1): irqchip/gic-v2m: Mark a few functions __init Tudor Ambarus (1): dm: fix copying after src array boundaries Victor Nogueira (4): net_sched: drr: Fix double list add in class with netem as child qdisc net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc net_sched: ets: Fix double list add in class with netem as child qdisc net_sched: qfq: Fix double list add in class with netem as child qdisc Vishal Badole (1): amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Vladimir Oltean (3): net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID net: dsa: felix: fix broken taprio gate states after clock jump Wengang Wang (1): xfs: make sure sb_fdblocks is non-negative Wentao Liang (1): wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Will Deacon (1): arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Xuanqiang Luo (1): ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Yonglong Liu (1): net: hns3: fix an interrupt residual problem Yu Kuai (1): md: move initialization and destruction of 'io_acct_set' to md.c Zhang Yi (4): xfs: match lock mode in xfs_buffered_write_iomap_begin() xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset xfs: convert delayed extents to unwritten when zeroing post eof blocks hersen wu (1): drm/amd/display: phase2 enable mst hdcp multiple displays

8 months

1
1
0 0

Linux 5.15.182

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.182 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/imx6ul-imx6ull-opos6ul.dtsi | 3 arch/arm64/kernel/proton-pack.c | 2 arch/parisc/math-emu/driver.c | 16 arch/x86/include/asm/kvm-x86-ops.h | 1 arch/x86/include/asm/kvm_host.h | 1 arch/x86/kvm/svm/svm.c | 13 arch/x86/kvm/vmx/vmx.c | 11 arch/x86/kvm/x86.c | 3 drivers/edac/altera_edac.c | 9 drivers/edac/altera_edac.h | 2 drivers/firmware/arm_scmi/bus.c | 3 drivers/gpu/drm/meson/meson_vclk.c | 6 drivers/gpu/drm/nouveau/nouveau_fence.c | 2 drivers/i2c/busses/i2c-imx-lpi2c.c | 4 drivers/iommu/amd/init.c | 8 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 +-- drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-gic-v2m.c | 8 drivers/md/dm-integrity.c | 2 drivers/md/dm-table.c | 5 drivers/mmc/host/renesas_sdhi_core.c | 10 drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 20 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 + drivers/net/ethernet/dlink/dl2k.c | 2 drivers/net/ethernet/dlink/dl2k.h | 2 drivers/net/ethernet/freescale/fec_main.c | 7 drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 119 +++- drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 3 drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 61 +- drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 26 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 drivers/net/ethernet/intel/ice/ice_fltr.c | 58 ++ drivers/net/ethernet/intel/ice/ice_fltr.h | 12 drivers/net/ethernet/intel/ice/ice_main.c | 49 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 139 ++--- drivers/net/ethernet/mediatek/mtk_star_emac.c | 341 +++++++------ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 drivers/net/ethernet/microchip/lan743x_main.c | 8 drivers/net/ethernet/microchip/lan743x_main.h | 1 drivers/net/phy/microchip.c | 46 - drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 drivers/nvme/host/tcp.c | 31 + drivers/of/device.c | 7 drivers/pci/controller/dwc/pci-imx6.c | 5 drivers/target/target_core_file.c | 3 drivers/target/target_core_iblock.c | 4 drivers/target/target_core_sbc.c | 6 kernel/trace/trace.c | 5 net/ipv4/udp_offload.c | 61 ++ net/sched/act_mirred.c | 22 net/sched/sch_drr.c | 9 net/sched/sch_ets.c | 9 net/sched/sch_hfsc.c | 2 net/sched/sch_qfq.c | 11 sound/usb/format.c | 3 67 files changed, 933 insertions(+), 493 deletions(-) Benjamin Marzinski (1): dm: always update the array size in realloc_argv on success Biao Huang (1): net: ethernet: mtk-star-emac: separate tx/rx handling with two NAPIs Brett Creeley (1): ice: Refactor promiscuous functions Chris Mi (1): net/mlx5: E-switch, Fix error handling for enabling roce Christian Hewitt (1): Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Clark Wang (1): i2c: imx-lpi2c: Fix clock count when probe defers Cristian Marussi (1): firmware: arm_scmi: Balance device refcount when destroying devices Felix Fietkau (1): net: ipv6: fix UDPv6 GSO segmentation with NAT Fiona Klute (1): net: phy: microchip: force IRQ polling mode for lan88xx Greg Kroah-Hartman (1): Linux 5.15.182 Hao Lan (1): net: hns3: fixed debugfs tm_qset size Helge Deller (1): parisc: Fix double SIGFPE crash Jakub Kicinski (1): net/sched: act_mirred: don't override retval if we already lost the skb Jason Gunthorpe (1): iommu/arm-smmu-v3: Use the new rb tree helpers Jeongjun Park (1): tracing: Fix oob write in trace_seq_to_buffer() Jian Shen (2): net: hns3: store rx VLAN tag offload state for VF net: hns3: defer calling ptp_clock_register() Joachim Priesner (1): ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Louis-Alexis Eyraud (2): net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Maor Gottlieb (1): net/mlx5: E-Switch, Initialize MAC Address for Default GID Mattias Barthel (1): net: fec: ERR007885 Workaround for conventional TX Michael Chan (1): bnxt_en: Fix ethtool -d byte order for 32-bit values Michael Liang (1): nvme-tcp: fix premature queue removal and I/O failover Mike Christie (1): scsi: target: Fix WRITE_SAME No Data Buffer crash Mikulas Patocka (1): dm-integrity: fix a warning on invalid table line Mingcong Bai (1): iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Nicolin Chen (1): iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Niravkumar L Rabara (2): EDAC/altera: Test the correct error reg offset EDAC/altera: Set DDR and SDMMC interrupt mask before registration Pavel Paklov (1): iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Philipp Stanner (1): drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Richard Zhu (1): PCI: imx6: Skip controller_id generation logic for i.MX7D Ruslan Piasetskyi (1): mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Sean Christopherson (1): KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Sergey Shtylyov (1): of: module: add buffer overflow check in of_modalias() Shruti Parab (2): bnxt_en: Fix coredump logic to free allocated buffer bnxt_en: Fix out-of-bound memcpy() during ethtool -w Simon Horman (1): net: dlink: Correct endianness handling of led_mode Suzuki K Poulose (1): irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Sébastien Szymanski (1): ARM: dts: opos6ul: add ksz8081 phy properties Thangaraj Samynathan (1): net: lan743x: Fix memleak issue when GSO enabled Thomas Gleixner (1): irqchip/gic-v2m: Mark a few functions __init Tudor Ambarus (1): dm: fix copying after src array boundaries Victor Nogueira (4): net_sched: drr: Fix double list add in class with netem as child qdisc net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc net_sched: ets: Fix double list add in class with netem as child qdisc net_sched: qfq: Fix double list add in class with netem as child qdisc Vishal Badole (1): amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Wentao Liang (1): wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Will Deacon (1): arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Xiang wangx (1): irqchip/gic-v2m: Add const to of_device_id Xuanqiang Luo (1): ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Yonglong Liu (3): net: hns3: add support for external loopback test net: hns3: fix an interrupt residual problem net: hns3: fix deadlock issue when externel_lb and reset are executed together

8 months

1
1
0 0

[PATCH 6.12 000/164] 6.12.28-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.28 release. There are 164 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.28-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.28-rc1 Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Shyam Saini <shyamsaini(a)linux.microsoft.com> drivers: base: handle module_kobject creation Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: globalize lookup_or_create_module_kobject() Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: param: rename locate_module_kobject Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Richard Zhu <hongxing.zhu(a)nxp.com> arm64: dts: imx95: Correct the range of PCIe app-reg region Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Niranjana Vishwanathapura <niranjana.vishwanathapura(a)intel.com> drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Fix locking order in ivpu_job_submit Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Abort all jobs after command queue unregister Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Update VPU FW API headers Andrew Kreimer <algonell(a)gmail.com> accel/ivpu: Fix a typo Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Use xa_alloc_cyclic() instead of custom function Tomasz Rusinowicz <tomasz.rusinowicz(a)intel.com> accel/ivpu: Make DB_ID and JOB_ID allocations incremental Pranjal Shrivastava <praan(a)google.com> net: Fix the devmem sock opts and msgs for parisc Alan Huang <mmpgouride(a)gmail.com> bcachefs: Remove incorrect __counted_by annotation Zhenhua Huang <quic_zhenhuah(a)quicinc.com> mm, slab: clean up slab->obj_exts always Daniel Wagner <wagi(a)kernel.org> blk-mq: create correct map for fallback case Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Sathesh B Edara <sedara(a)marvell.com> octeon_ep: Fix host hang issue during device reboot Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Sagi Maimon <sagi.maimon(a)adtran.com> ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations Jibin Zhang <jibin.zhang(a)mediatek.com> net: use sock_gen_put() when sk_state is TCP_TIME_WAIT Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: fix module unload sequence Alexander Stein <alexander.stein(a)ew.tq-group.com> ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction Alistair Francis <alistair.francis(a)wdc.com> nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS Alistair Francis <alistair23(a)gmail.com> nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Kashyap Desai <kashyap.desai(a)broadcom.com> bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings() Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix ethtool selftest output in one of the failure cases Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix error handling path in bnxt_init_chip() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Fix built-mic regression on other ASUS models Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Chad Monroe <chad(a)monroe.io> net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Jacob Keller <jacob.e.keller(a)intel.com> igc: fix lock order in igc_ptp_reset Larysa Zaremba <larysa.zaremba(a)intel.com> idpf: protect shutdown from reset Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> idpf: fix potential memory leak on kcalloc() failure Da Xue <da(a)libre.computer> net: mdio: mux-meson-gxl: set reversed bit when using internal phy Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Russell Cloran <rcloran(a)gmail.com> drm/mipi-dbi: Fix blanking for non-16 bit formats Maxime Ripard <mripard(a)kernel.org> drm/tests: shmem: Fix memleak Keith Busch <kbusch(a)kernel.org> nvme-pci: fix queue unquiesce check on slot_reset Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Keoseong Park <keosung.park(a)samsung.com> scsi: ufs: core: Remove redundant query_complete trace Madhu Chittim <madhu.chittim(a)intel.com> idpf: fix offloads support for encapsulated packets Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Shannon Nelson <shannon.nelson(a)amd.com> pds_core: remove write-after-free of client_id Shannon Nelson <shannon.nelson(a)amd.com> pds_core: specify auxiliary_device to be created Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make pdsc_auxbus_dev_del() void Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Justin Lai <justinlai0215(a)realtek.com> rtase: Modify the condition used to detect overflow in rtase_calc_time_mitigation Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: improve TX timestamping FIFO configuration Sathesh B Edara <sedara(a)marvell.com> octeon_ep_vf: Resolve netdevice usage count issue Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: copy RX timestamp to new fragments Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths En-Wei Wu <en-wei.wu(a)canonical.com> Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Avoid redundant buffer allocation Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver Iulia Tanasescu <iulia.tanasescu(a)nxp.com> Bluetooth: hci_conn: Remove alloc from critical section Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Correct DCT interrupt handling Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: TC, Continue the attr process even if encap entry is invalid Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5e: Use custom tunnel header for vxlan gbp e.kubanski <e.kubanski(a)partner.samsung.com> xsk: Fix race condition in AF_XDP generic RX path Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Fix dash warning Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: fix the check for the SCRATCH register upon resume Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: don't warn if the NIC is gone in resume Chen Linxuan <chenlinxuan(a)uniontech.com> drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Enable speaker for HP platform Chenyuan Yang <chenyuan0y(a)gmail.com> ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Check for ld-option support Hui Wang <hui.wang(a)canonical.com> pinctrl: imx: Return NULL if no group is matched and found Donet Tom <donettom(a)linux.ibm.com> book3s64/radix : Align section vmemmap start address to PAGE_SIZE Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Jethro Donaldson <devel(a)jro.nz> smb: client: fix zero length for mkdir POSIX create context Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in session logoff Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_session_rpc_open Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles Nicolin Chen <nicolinc(a)nvidia.com> iommu: Fix two issues in iommu_copy_struct_from_user() Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Balbir Singh <balbirs(a)nvidia.com> iommu/arm-smmu-v3: Fix pgsize_bit for sva domains Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Janne Grunau <j(a)jannau.net> drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Fix offset for HDP remap in nbio v7.11 Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Ard Biesheuvel <ardb(a)kernel.org> x86/boot/sev: Support memory acceptance in the EFI stub under SVSM Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not take trace_event_sem in print_event_fields() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: repeat setting reserved region nid if array is doubled Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: pass size instead of end to memblock_set_node() Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Only check the group flag for X86 leader Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/fdinfo: Protect against driver unbind Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Dave Chen <davechen(a)synology.com> btrfs: fix COW handling in run_delalloc_nocow() Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Carlos Llamas <cmllamas(a)google.com> binder: fix offset calculation in debug log Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Geoffrey D. Bennett <g(a)b4.vu> ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Dorian Cruveiller <doriancruveiller(a)gmail.com> Bluetooth: btusb: Add new VID/PID for WCN785x Mark Dietzer <git(a)doridian.net> Bluetooth: btusb: Add ID 0x2c7c:0x0130 for Qualcomm WCN785x Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add one more ID 0x13d3:0x3623 for Qualcomm WCN785x Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add one more ID 0x0489:0xe0f3 for Qualcomm WCN785x Aaron Ma <aaron.ma(a)canonical.com> Bluetooth: btusb: add Foxconn 0xe0fc for Qualcomm WCN785x ------------- Diffstat: Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/boot/dts/freescale/imx95.dtsi | 8 +- arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 +- arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/include/uapi/asm/socket.h | 10 +- arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/boot/wrapper | 6 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 17 +- arch/x86/boot/compressed/mem.c | 5 +- arch/x86/boot/compressed/sev.c | 40 +++ arch/x86/boot/compressed/sev.h | 2 + arch/x86/events/core.c | 2 +- arch/x86/events/intel/core.c | 2 +- arch/x86/events/perf_event.h | 9 +- block/blk-mq-cpumap.c | 3 +- drivers/accel/ivpu/ivpu_drv.c | 38 +-- drivers/accel/ivpu/ivpu_drv.h | 9 + drivers/accel/ivpu/ivpu_hw_btrs.h | 2 +- drivers/accel/ivpu/ivpu_job.c | 125 ++++++--- drivers/accel/ivpu/ivpu_job.h | 1 + drivers/accel/ivpu/ivpu_jsm_msg.c | 3 +- drivers/accel/ivpu/ivpu_mmu.c | 3 +- drivers/accel/ivpu/ivpu_pm.c | 18 +- drivers/accel/ivpu/ivpu_sysfs.c | 5 +- drivers/accel/ivpu/vpu_boot_api.h | 45 +-- drivers/accel/ivpu/vpu_jsm_api.h | 303 ++++++++++++++++++--- drivers/android/binder.c | 2 +- drivers/base/module.c | 13 +- drivers/bluetooth/btintel_pcie.c | 57 ++-- drivers/bluetooth/btusb.c | 137 ++++++++-- drivers/cpufreq/cpufreq.c | 42 ++- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 6 +- drivers/cpufreq/intel_pstate.c | 3 + drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + drivers/gpu/drm/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 -- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 ++-- drivers/gpu/drm/drm_file.c | 6 + drivers/gpu/drm/drm_mipi_dbi.c | 6 +- drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/gpu/drm/tests/drm_gem_shmem_test.c | 3 + drivers/gpu/drm/xe/xe_hw_engine.c | 12 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 +- drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 9 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 39 ++- drivers/net/ethernet/amd/pds_core/core.h | 7 +- drivers/net/ethernet/amd/pds_core/devlink.c | 7 +- drivers/net/ethernet/amd/pds_core/main.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 +- drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 ++- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 29 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 1 + drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 +++--- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/idpf/idpf.h | 18 +- drivers/net/ethernet/intel/idpf/idpf_lib.c | 76 ++---- drivers/net/ethernet/intel/idpf/idpf_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 6 +- .../net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- .../ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 18 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 +- .../ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c | 32 ++- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 6 + drivers/net/ethernet/realtek/rtase/rtase_main.c | 4 +- drivers/net/ethernet/vertexcom/mse102x.c | 36 ++- drivers/net/mdio/mdio-mux-meson-gxl.c | 3 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 + drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 1 - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 +- drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 9 +- drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 13 +- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/Kconfig | 1 + drivers/nvme/host/pci.c | 2 +- drivers/nvme/host/tcp.c | 31 ++- drivers/nvme/target/Kconfig | 1 + drivers/pinctrl/freescale/pinctrl-imx.c | 6 +- drivers/platform/x86/amd/pmc/pmc.c | 7 +- .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- drivers/ptp/ptp_ocp.c | 52 +++- drivers/spi/spi-tegra114.c | 6 +- drivers/ufs/core/ufshcd.c | 2 - fs/bcachefs/xattr_format.h | 8 +- fs/btrfs/extent_io.c | 2 +- fs/btrfs/inode.c | 9 +- fs/smb/client/smb2pdu.c | 1 + fs/smb/server/auth.c | 14 +- fs/smb/server/mgmt/user_session.c | 20 +- fs/smb/server/mgmt/user_session.h | 1 + fs/smb/server/smb2pdu.c | 9 - include/linux/cpufreq.h | 83 ++++-- include/linux/iommu.h | 8 +- include/linux/module.h | 2 + include/net/bluetooth/hci.h | 4 +- include/net/bluetooth/hci_core.h | 20 +- include/net/bluetooth/hci_sync.h | 3 + include/net/xdp_sock.h | 3 - include/net/xsk_buff_pool.h | 2 + include/sound/ump_convert.h | 2 +- kernel/params.c | 6 +- kernel/trace/trace.c | 5 +- kernel/trace/trace_output.c | 4 +- mm/memblock.c | 12 +- mm/slub.c | 27 +- net/bluetooth/hci_conn.c | 189 +------------ net/bluetooth/hci_event.c | 15 +- net/bluetooth/hci_sync.c | 150 +++++++++- net/bluetooth/iso.c | 26 +- net/bluetooth/l2cap_core.c | 3 + net/ipv4/tcp_offload.c | 2 +- net/ipv4/udp_offload.c | 61 ++++- net/ipv6/tcpv6_offload.c | 2 +- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- net/xdp/xsk.c | 6 +- net/xdp/xsk_buff_pool.c | 1 + sound/pci/hda/patch_realtek.c | 20 +- sound/soc/amd/acp/acp-i2s.c | 2 +- sound/soc/codecs/Kconfig | 5 +- sound/soc/generic/simple-card-utils.c | 4 +- sound/soc/sdw_utils/soc_sdw_rt_dmic.c | 2 + sound/soc/soc-core.c | 32 +-- sound/soc/soc-pcm.c | 5 +- sound/usb/endpoint.c | 7 + sound/usb/format.c | 3 +- 169 files changed, 1851 insertions(+), 988 deletions(-)

8 months

10
173
0 0

[PATCH v3 0/4]{topost} dma-mapping: benchmark: Add support for dma_map_sg

by Qinxin Xia

Modify the framework to adapt to more map modes, add benchmark support for dma_map_sg, and add support sg map mode in ioctl. The result: [root@localhost]# ./dma_map_benchmark -m 1 -g 8 -t 8 -s 30 -d 2 dma mapping mode: DMA_MAP_SG_MODE dma mapping benchmark: threads:8 seconds:30 node:-1 dir:FROM_DEVICE granule/sg_nents: 8 average map latency(us):1.4 standard deviation:0.3 average unmap latency(us):1.3 standard deviation:0.3 [root@localhost]# ./dma_map_benchmark -m 0 -g 8 -t 8 -s 30 -d 2 dma mapping mode: DMA_MAP_SINGLE_MODE dma mapping benchmark: threads:8 seconds:30 node:-1 dir:FROM_DEVICE granule/sg_nents: 8 average map latency(us):1.0 standard deviation:0.3 average unmap latency(us):1.3 standard deviation:0.5 --- Changes since V2: - Address the comments from Barry and ALOK, some commit information and function input parameter names are modified to make them more accurate. - Link: https://lore.kernel.org/all/20250506030100.394376-1-xiaqinxin@huawei.com/ Changes since V1: - Address the comments from Barry, added some comments and changed the unmap type to void. - Link: https://lore.kernel.org/lkml/20250212022718.1995504-1-xiaqinxin@huawei.com/ Qinxin Xia (4): dma-mapping: benchmark: Add padding to ensure uABI remained consistent dma-mapping: benchmark: modify the framework to adapt to more map modes dma-mapping: benchmark: add support for dma_map_sg selftests/dma: Add dma_map_sg support include/linux/map_benchmark.h | 46 +++- kernel/dma/map_benchmark.c | 225 ++++++++++++++++-- .../testing/selftests/dma/dma_map_benchmark.c | 16 +- 3 files changed, 252 insertions(+), 35 deletions(-) -- 2.33.0

8 months

3
7
0 0

[PATCH v3 0/4] clk: qcom: Add camera clock controller support for sc8180x

by Satya Priya Kakitapalli

This series adds support for camera clock controller base driver, bindings and DT support on sc8180x platform. Signed-off-by: Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> --- Changes in v3: - Drop Fixes tag in patch [1/4]. Dropped unused gpu_iref and aggre_ufs_card_2 clk bindings. - Move the allOf block below required block in bindings patch. - Remove the unused cam_cc_parent_data_7 and cam_cc_parent_map_7 in the driver patch. Reported by kernel test bot. - Link to v2: https://lore.kernel.org/r/20250430-sc8180x-camcc-support-v2-0-6bbb514f467c@… Changes in v2: - New patch [1/4] to add all the missing gcc bindings along with the required GCC_CAMERA_AHB_CLOCK - As per Konrad's comments, add the camera AHB clock dependency in the DT and yaml bindings. - As per Vladimir's comments, update the Kconfig to add the SC8180X config in correct alphanumerical order. - Link to v1: https://lore.kernel.org/r/20250422-sc8180x-camcc-support-v1-0-691614d13f06@… --- Satya Priya Kakitapalli (4): dt-bindings: clock: qcom: Add missing bindings on gcc-sc8180x dt-bindings: clock: Add Qualcomm SC8180X Camera clock controller clk: qcom: camcc-sc8180x: Add SC8180X camera clock controller driver arm64: dts: qcom: Add camera clock controller for sc8180x .../bindings/clock/qcom,sc8180x-camcc.yaml | 67 + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 14 + drivers/clk/qcom/Kconfig | 10 + drivers/clk/qcom/Makefile | 1 + drivers/clk/qcom/camcc-sc8180x.c | 2889 ++++++++++++++++++++ include/dt-bindings/clock/qcom,gcc-sc8180x.h | 10 + include/dt-bindings/clock/qcom,sc8180x-camcc.h | 181 ++ 7 files changed, 3172 insertions(+) --- base-commit: bc8aa6cdadcc00862f2b5720e5de2e17f696a081 change-id: 20250422-sc8180x-camcc-support-9a82507d2a39 Best regards, -- Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com>

8 months

2
2
0 0

FAILED: patch "[PATCH] mm, slab: clean up slab->obj_exts always" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x be8250786ca94952a19ce87f98ad9906448bc9ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050521-crispy-study-e836@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be8250786ca94952a19ce87f98ad9906448bc9ef Mon Sep 17 00:00:00 2001 From: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Date: Mon, 21 Apr 2025 15:52:32 +0800 Subject: [PATCH] mm, slab: clean up slab->obj_exts always When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error: [...]BUG: Bad page state in process... .. [...]page dumped because: page still charged to cgroup [andriy.shevchenko(a)linux.intel.com: fold need_slab_obj_ext() into its only user] Fixes: 21c690a349ba ("mm: introduce slabobj_ext to support slab object extensions") Cc: stable(a)vger.kernel.org Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Harry Yoo <harry.yoo(a)oracle.com> Tested-by: Harry Yoo <harry.yoo(a)oracle.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> Link: https://patch.msgid.link/20250421075232.2165527-1-quic_zhenhuah@quicinc.com Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/slub.c b/mm/slub.c index dc9e729e1d26..be8b09e09d30 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2028,8 +2028,7 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, return 0; } -/* Should be called only if mem_alloc_profiling_enabled() */ -static noinline void free_slab_obj_exts(struct slab *slab) +static inline void free_slab_obj_exts(struct slab *slab) { struct slabobj_ext *obj_exts; @@ -2049,18 +2048,6 @@ static noinline void free_slab_obj_exts(struct slab *slab) slab->obj_exts = 0; } -static inline bool need_slab_obj_ext(void) -{ - if (mem_alloc_profiling_enabled()) - return true; - - /* - * CONFIG_MEMCG creates vector of obj_cgroup objects conditionally - * inside memcg_slab_post_alloc_hook. No other users for now. - */ - return false; -} - #else /* CONFIG_SLAB_OBJ_EXT */ static inline void init_slab_obj_exts(struct slab *slab) @@ -2077,11 +2064,6 @@ static inline void free_slab_obj_exts(struct slab *slab) { } -static inline bool need_slab_obj_ext(void) -{ - return false; -} - #endif /* CONFIG_SLAB_OBJ_EXT */ #ifdef CONFIG_MEM_ALLOC_PROFILING @@ -2129,7 +2111,7 @@ __alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags) static inline void alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags) { - if (need_slab_obj_ext()) + if (mem_alloc_profiling_enabled()) __alloc_tagging_slab_alloc_hook(s, object, flags); } @@ -2601,8 +2583,12 @@ static __always_inline void account_slab(struct slab *slab, int order, static __always_inline void unaccount_slab(struct slab *slab, int order, struct kmem_cache *s) { - if (memcg_kmem_online() || need_slab_obj_ext()) - free_slab_obj_exts(slab); + /* + * The slab object extensions should now be freed regardless of + * whether mem_alloc_profiling_enabled() or not because profiling + * might have been disabled after slab->obj_exts got allocated. + */ + free_slab_obj_exts(slab); mod_node_page_state(slab_pgdat(slab), cache_vmstat_idx(s), -(PAGE_SIZE << order));

8 months

4
6
0 0

[PATCH net] net: qede: Initialize qede_ll_ops with designated initializer

by Nathan Chancellor

After a recent change [1] in clang's randstruct implementation to randomize structures that only contain function pointers, there is an error because qede_ll_ops get randomized but does not use a designated initializer for the first member: drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer 206 | { | ^ Explicitly initialize the common member using a designated initializer to fix the build. Cc: stable(a)vger.kernel.org Fixes: 035f7f87b729 ("randstruct: Enable Clang support") Link: https://github.com/llvm/llvm-project/commit/04364fb888eea6db9811510607bed4b… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c index 99df00c30b8c..b5d744d2586f 100644 --- a/drivers/net/ethernet/qlogic/qede/qede_main.c +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c @@ -203,7 +203,7 @@ static struct pci_driver qede_pci_driver = { }; static struct qed_eth_cb_ops qede_ll_ops = { - { + .common = { #ifdef CONFIG_RFS_ACCEL .arfs_filter_op = qede_arfs_filter_op, #endif --- base-commit: 9540984da649d46f699c47f28c68bbd3c9d99e4c change-id: 20250507-qede-fix-clang-randstruct-13d8c593cb58 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

8 months

3
2
0 0

[PATCH] LoongArch: Prevent cond_resched() occurring within kernel-fpu

by Tianyang Zhang

When CONFIG_PREEMPT_COUNT is not configured (i.e. CONFIG_PREEMPT_NONE/ CONFIG_PREEMPT_VOLUNTARY), preempt_disable() / preempt_enable() merely acts as a barrier(). However, in these cases cond_resched() can still trigger a context switch and modify the CSR.EUEN, resulting in do_fpu() exception being activated within the kernel-fpu critical sections, as demonstrated in the following path: dcn32_calculate_wm_and_dlg() DC_FP_START() dcn32_calculate_wm_and_dlg_fpu() dcn32_find_dummy_latency_index_for_fw_based_mclk_switch() dcn32_internal_validate_bw() dcn32_enable_phantom_stream() dc_create_stream_for_sink() kzalloc(GFP_KERNEL) __kmem_cache_alloc_node() __cond_resched() DC_FP_END() This patch is similar to commit d021985 (x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs). It uses local_bh_disable() instead of preempt_disable() for non-RT kernels so it can avoid the cond_resched() issue, and also extend the kernel-fpu application scenarios to the softirq context. Cc: stable(a)vger.kernel.org Signed-off-by: Tianyang Zhang <zhangtianyang(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/kfpu.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/kernel/kfpu.c b/arch/loongarch/kernel/kfpu.c index ec5b28e570c9..4e469b021cf4 100644 --- a/arch/loongarch/kernel/kfpu.c +++ b/arch/loongarch/kernel/kfpu.c @@ -18,11 +18,28 @@ static unsigned int euen_mask = CSR_EUEN_FPEN; static DEFINE_PER_CPU(bool, in_kernel_fpu); static DEFINE_PER_CPU(unsigned int, euen_current); +static inline void fpregs_lock(void) +{ + if (!IS_ENABLED(CONFIG_PREEMPT_RT)) + local_bh_disable(); + else + preempt_disable(); +} + +static inline void fpregs_unlock(void) +{ + if (!IS_ENABLED(CONFIG_PREEMPT_RT)) + local_bh_enable(); + else + preempt_enable(); +} + void kernel_fpu_begin(void) { unsigned int *euen_curr; - preempt_disable(); + if (!irqs_disabled()) + fpregs_lock(); WARN_ON(this_cpu_read(in_kernel_fpu)); @@ -73,7 +90,8 @@ void kernel_fpu_end(void) this_cpu_write(in_kernel_fpu, false); - preempt_enable(); + if (!irqs_disabled()) + fpregs_unlock(); } EXPORT_SYMBOL_GPL(kernel_fpu_end); -- 2.20.1

8 months

1
0
0 0

Re: [PATCH] um: work around sched_yield not yielding in time-travel mode

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Summary of potential issues: ⚠️ Found matching upstream commit but patch is missing proper reference to it Found matching upstream commit: 887c5c12e80c8424bd471122d2e8b6b462e12874 WARNING: Author mismatch between patch and found commit: Backport author: Benjamin Berg<benjamin(a)sipsolutions.net> Commit author: Benjamin Berg<benjamin.berg(a)intel.com> Note: The patch differs from the upstream commit: --- 1: 887c5c12e80c8 < -: ------------- um: work around sched_yield not yielding in time-travel mode -: ------------- > 1: aeaee199900ee Linux 6.14.5 --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.14.y | Success | Success | | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Success | Success | | stable/linux-6.1.y | Success | Success | | stable/linux-5.15.y | Success | Success | | stable/linux-5.10.y | Success | Success | | stable/linux-5.4.y | Success | Success |

8 months

1
0
0 0

[PATCH 6.6.y] btrfs: always fallback to buffered write if the inode requires checksum

by Qu Wenruo

commit 968f19c5b1b7d5595423b0ac0020cc18dfed8cb5 upstream. [BUG] It is a long known bug that VM image on btrfs can lead to data csum mismatch, if the qemu is using direct-io for the image (this is commonly known as cache mode 'none'). [CAUSE] Inside the VM, if the fs is EXT4 or XFS, or even NTFS from Windows, the fs is allowed to dirty/modify the folio even if the folio is under writeback (as long as the address space doesn't have AS_STABLE_WRITES flag inherited from the block device). This is a valid optimization to improve the concurrency, and since these filesystems have no extra checksum on data, the content change is not a problem at all. But the final write into the image file is handled by btrfs, which needs the content not to be modified during writeback, or the checksum will not match the data (checksum is calculated before submitting the bio). So EXT4/XFS/NTRFS assume they can modify the folio under writeback, but btrfs requires no modification, this leads to the false csum mismatch. This is only a controlled example, there are even cases where multi-thread programs can submit a direct IO write, then another thread modifies the direct IO buffer for whatever reason. For such cases, btrfs has no sane way to detect such cases and leads to false data csum mismatch. [FIX] I have considered the following ideas to solve the problem: - Make direct IO to always skip data checksum This not only requires a new incompatible flag, as it breaks the current per-inode NODATASUM flag. But also requires extra handling for no csum found cases. And this also reduces our checksum protection. - Let hardware handle all the checksum AKA, just nodatasum mount option. That requires trust for hardware (which is not that trustful in a lot of cases), and it's not generic at all. - Always fallback to buffered write if the inode requires checksum This was suggested by Christoph, and is the solution utilized by this patch. The cost is obvious, the extra buffer copying into page cache, thus it reduces the performance. But at least it's still user configurable, if the end user still wants the zero-copy performance, just set NODATASUM flag for the inode (which is a common practice for VM images on btrfs). Since we cannot trust user space programs to keep the buffer consistent during direct IO, we have no choice but always falling back to buffered IO. At least by this, we avoid the more deadly false data checksum mismatch error. CC: stable(a)vger.kernel.org # 6.6 Suggested-by: Christoph Hellwig <hch(a)infradead.org> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [ Fix a conflict due to the movement of the function. ] --- fs/btrfs/file.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index e794606e7c78..f1456c745c6d 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -1515,6 +1515,23 @@ static ssize_t btrfs_direct_write(struct kiocb *iocb, struct iov_iter *from) goto buffered; } + /* + * We can't control the folios being passed in, applications can write + * to them while a direct IO write is in progress. This means the + * content might change after we calculated the data checksum. + * Therefore we can end up storing a checksum that doesn't match the + * persisted data. + * + * To be extra safe and avoid false data checksum mismatch, if the + * inode requires data checksum, just fallback to buffered IO. + * For buffered IO we have full control of page cache and can ensure + * no one is modifying the content during writeback. + */ + if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { + btrfs_inode_unlock(BTRFS_I(inode), ilock_flags); + goto buffered; + } + /* * The iov_iter can be mapped to the same file range we are writing to. * If that's the case, then we will deadlock in the iomap code, because -- 2.49.0

8 months

4
5
0 0

[PATCH] bcachefs: Change btree_insert_node() assertion to error

by Kent Overstreet

Debug for https://github.com/koverstreet/bcachefs/issues/843 Print useful debug info and go emergency read-only. (cherry picked from commit 63c3b8f616cc95bb1fcc6101c92485d41c535d7c) Signed-off-by: Kent Overstreet <kent.overstreet(a)linux.dev> --- fs/bcachefs/btree_update_interior.c | 17 ++++++++++++++++- fs/bcachefs/error.c | 8 ++++++++ fs/bcachefs/error.h | 2 ++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/fs/bcachefs/btree_update_interior.c b/fs/bcachefs/btree_update_interior.c index e4e7c804625e..e9be8b5571a4 100644 --- a/fs/bcachefs/btree_update_interior.c +++ b/fs/bcachefs/btree_update_interior.c @@ -35,6 +35,8 @@ static const char * const bch2_btree_update_modes[] = { NULL }; +static void bch2_btree_update_to_text(struct printbuf *, struct btree_update *); + static int bch2_btree_insert_node(struct btree_update *, struct btree_trans *, btree_path_idx_t, struct btree *, struct keylist *); static void bch2_btree_update_add_new_node(struct btree_update *, struct btree *); @@ -1782,11 +1784,24 @@ static int bch2_btree_insert_node(struct btree_update *as, struct btree_trans *t int ret; lockdep_assert_held(&c->gc_lock); - BUG_ON(!btree_node_intent_locked(path, b->c.level)); BUG_ON(!b->c.level); BUG_ON(!as || as->b); bch2_verify_keylist_sorted(keys); + if (!btree_node_intent_locked(path, b->c.level)) { + struct printbuf buf = PRINTBUF; + bch2_log_msg_start(c, &buf); + prt_printf(&buf, "%s(): node not locked at level %u\n", + __func__, b->c.level); + bch2_btree_update_to_text(&buf, as); + bch2_btree_path_to_text(&buf, trans, path_idx); + + bch2_print_string_as_lines(KERN_ERR, buf.buf); + printbuf_exit(&buf); + bch2_fs_emergency_read_only(c); + return -EIO; + } + ret = bch2_btree_node_lock_write(trans, path, &b->c); if (ret) return ret; diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c index 038da6a61f6b..6cbf4819e923 100644 --- a/fs/bcachefs/error.c +++ b/fs/bcachefs/error.c @@ -11,6 +11,14 @@ #define FSCK_ERR_RATELIMIT_NR 10 +void bch2_log_msg_start(struct bch_fs *c, struct printbuf *out) +{ +#ifdef BCACHEFS_LOG_PREFIX + prt_printf(out, bch2_log_msg(c, "")); +#endif + printbuf_indent_add(out, 2); +} + bool bch2_inconsistent_error(struct bch_fs *c) { set_bit(BCH_FS_error, &c->flags); diff --git a/fs/bcachefs/error.h b/fs/bcachefs/error.h index 7acf2a27ca28..5730eb6b2f38 100644 --- a/fs/bcachefs/error.h +++ b/fs/bcachefs/error.h @@ -18,6 +18,8 @@ struct work_struct; /* Error messages: */ +void bch2_log_msg_start(struct bch_fs *, struct printbuf *); + /* * Inconsistency errors: The on disk data is inconsistent. If these occur during * initial recovery, they don't indicate a bug in the running code - we walk all -- 2.49.0

8 months

2
1
0 0

[PATCH 5.10.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index 3a547793135c..93f08f18f6b3 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -231,14 +231,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 024a4a45fdf87218e3c0925475b05a27bcea103f -- 2.47.2

8 months

2
1
0 0

[PATCH 5.15.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index 19c42a9dcba9..f503bb10b10b 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -257,14 +257,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 16fdf2c7111bd6927f16c3e811f5086fecebbf00 -- 2.47.2

8 months

2
1
0 0

[PATCH 5.15.y] btrfs: do not clean up repair bio if submit fails

by bin.lan.cn＠windriver.com

From: Josef Bacik <josef(a)toxicpanda.com> [ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ] The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given. Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/btrfs/extent_io.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 346fc46d019b..a1946d62911c 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2624,7 +2624,6 @@ int btrfs_repair_one_sector(struct inode *inode, const int icsum = bio_offset >> fs_info->sectorsize_bits; struct bio *repair_bio; struct btrfs_io_bio *repair_io_bio; - blk_status_t status; btrfs_debug(fs_info, "repair read error: read error at %llu", start); @@ -2664,13 +2663,13 @@ int btrfs_repair_one_sector(struct inode *inode, "repair read error: submitting new read to mirror %d", failrec->this_mirror); - status = submit_bio_hook(inode, repair_bio, failrec->this_mirror, - failrec->bio_flags); - if (status) { - free_io_failure(failure_tree, tree, failrec); - bio_put(repair_bio); - } - return blk_status_to_errno(status); + /* + * At this point we have a bio, so any errors from submit_bio_hook() + * will be handled by the endio on the repair_bio, so we can't return an + * error here. + */ + submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags); + return BLK_STS_OK; } static void end_page_read(struct page *page, bool uptodate, u64 start, u32 len) -- 2.34.1

8 months

2
1
0 0

[PATCH 5.4.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index 7fb870097a84..ee3467730dac 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -213,14 +213,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 2c8115e4757809ffd537ed9108da115026d3581f -- 2.47.2

8 months

2
1
0 0

+ mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Barry Song <v-songbaohua(a)oppo.com> Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte Date: Fri, 9 May 2025 10:09:12 +1200 As David pointed out, what truly matters for mremap and userfaultfd move operations is the soft dirty bit. The current comment and implementation��which always sets the dirty bit for present PTEs and fails to set the soft dirty bit for swap PTEs��are incorrect. This could break features like Checkpoint-Restore in Userspace (CRIU). This patch updates the behavior to correctly set the soft dirty bit for both present and swap PTEs in accordance with mremap. Link: https://lkml.kernel.org/r/20250508220912.7275-1-21cnbao@gmail.com Fixes: adef440691bab ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/02f14ee1-923f-47e3-a994-4950afb9afcc@redha… Acked-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/userfaultfd.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/mm/userfaultfd.c~mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte +++ a/mm/userfaultfd.c @@ -1064,8 +1064,13 @@ static int move_present_pte(struct mm_st src_folio->index = linear_page_index(dst_vma, dst_addr); orig_dst_pte = mk_pte(&src_folio->page, dst_vma->vm_page_prot); - /* Follow mremap() behavior and treat the entry dirty after the move */ - orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); + /* Set soft dirty bit so userspace can notice the pte was moved */ +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_dst_pte = pte_mksoft_dirty(orig_dst_pte); +#endif + if (pte_dirty(orig_src_pte)) + orig_dst_pte = pte_mkdirty(orig_dst_pte); + orig_dst_pte = pte_mkwrite(orig_dst_pte, dst_vma); set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte); out: @@ -1100,6 +1105,9 @@ static int move_swap_pte(struct mm_struc } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_src_pte = pte_swp_mksoft_dirty(orig_src_pte); +#endif set_pte_at(mm, dst_addr, dst_pte, orig_src_pte); double_pt_unlock(dst_ptl, src_ptl); _ Patches currently in -mm which might be from v-songbaohua(a)oppo.com are mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch

8 months

1
0
0 0

[PATCH v3] block, scsi: sd_zbc: Respect bio vector limits for report zones buffer

by Steve Siwinski

The report zones buffer size is currently limited by the HBA's maximum segment count to ensure the buffer can be mapped. However, the block layer further limits the number of iovec entries to 1024 when allocating a bio. To avoid allocation of buffers too large to be mapped, further restrict the maximum buffer size to BIO_MAX_INLINE_VECS. Replace the UIO_MAXIOV symbolic name with the more contextually appropriate BIO_MAX_INLINE_VECS. Fixes: b091ac616846 ("sd_zbc: Fix report zones buffer allocation") Cc: stable(a)vger.kernel.org Signed-off-by: Steve Siwinski <ssiwinski(a)atto.com> --- block/bio.c | 2 +- drivers/scsi/sd_zbc.c | 6 +++++- include/linux/bio.h | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/block/bio.c b/block/bio.c index 4e6c85a33d74..4be592d37fb6 100644 --- a/block/bio.c +++ b/block/bio.c @@ -611,7 +611,7 @@ struct bio *bio_kmalloc(unsigned short nr_vecs, gfp_t gfp_mask) { struct bio *bio; - if (nr_vecs > UIO_MAXIOV) + if (nr_vecs > BIO_MAX_INLINE_VECS) return NULL; return kmalloc(struct_size(bio, bi_inline_vecs, nr_vecs), gfp_mask); } diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 7a447ff600d2..a8db66428f80 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c @@ -169,6 +169,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, unsigned int nr_zones, size_t *buflen) { struct request_queue *q = sdkp->disk->queue; + unsigned int max_segments; size_t bufsize; void *buf; @@ -180,12 +181,15 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, * Furthermore, since the report zone command cannot be split, make * sure that the allocated buffer can always be mapped by limiting the * number of pages allocated to the HBA max segments limit. + * Since max segments can be larger than the max inline bio vectors, + * further limit the allocated buffer to BIO_MAX_INLINE_VECS. */ nr_zones = min(nr_zones, sdkp->zone_info.nr_zones); bufsize = roundup((nr_zones + 1) * 64, SECTOR_SIZE); bufsize = min_t(size_t, bufsize, queue_max_hw_sectors(q) << SECTOR_SHIFT); - bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); + max_segments = min(BIO_MAX_INLINE_VECS, queue_max_segments(q)); + bufsize = min_t(size_t, bufsize, max_segments << PAGE_SHIFT); while (bufsize >= SECTOR_SIZE) { buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); diff --git a/include/linux/bio.h b/include/linux/bio.h index cafc7c215de8..b786ec5bcc81 100644 --- a/include/linux/bio.h +++ b/include/linux/bio.h @@ -11,6 +11,7 @@ #include <linux/uio.h> #define BIO_MAX_VECS 256U +#define BIO_MAX_INLINE_VECS UIO_MAXIOV struct queue_limits; -- 2.43.5

8 months

2
1
0 0

[PATCH v2] mm: userfaultfd: correct dirty flags set for both present and swap pte

by Barry Song

From: Barry Song <v-songbaohua(a)oppo.com> As David pointed out, what truly matters for mremap and userfaultfd move operations is the soft dirty bit. The current comment and implementation—which always sets the dirty bit for present PTEs and fails to set the soft dirty bit for swap PTEs—are incorrect. This could break features like Checkpoint-Restore in Userspace (CRIU). This patch updates the behavior to correctly set the soft dirty bit for both present and swap PTEs in accordance with mremap. Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/02f14ee1-923f-47e3-a994-4950afb9afcc@redha… Acked-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Fixes: adef440691bab ("userfaultfd: UFFDIO_MOVE uABI") Cc: stable(a)vger.kernel.org Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> --- mm/userfaultfd.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index e8ce92dc105f..bc473ad21202 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1064,8 +1064,13 @@ static int move_present_pte(struct mm_struct *mm, src_folio->index = linear_page_index(dst_vma, dst_addr); orig_dst_pte = folio_mk_pte(src_folio, dst_vma->vm_page_prot); - /* Follow mremap() behavior and treat the entry dirty after the move */ - orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); + /* Set soft dirty bit so userspace can notice the pte was moved */ +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_dst_pte = pte_mksoft_dirty(orig_dst_pte); +#endif + if (pte_dirty(orig_src_pte)) + orig_dst_pte = pte_mkdirty(orig_dst_pte); + orig_dst_pte = pte_mkwrite(orig_dst_pte, dst_vma); set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte); out: @@ -1100,6 +1105,9 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_src_pte = pte_swp_mksoft_dirty(orig_src_pte); +#endif set_pte_at(mm, dst_addr, dst_pte, orig_src_pte); double_pt_unlock(dst_ptl, src_ptl); -- 2.39.3 (Apple Git-146)

8 months

1
0
0 0

[PATCH v2] wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> The hdr_trans_tlv function call has been moved inside the conditional block to ensure it is executed when info->enable is true. Cc: stable(a)vger.kernel.org Fixes: cb1353ef3473 ("wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Tested-by: Niklas Schnelle <niks(a)kernel.org> --- v2: add tested-by tag --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index a42b584634ab..fd756f0d18f8 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -2183,14 +2183,14 @@ mt7925_mcu_sta_cmd(struct mt76_phy *phy, mt7925_mcu_sta_mld_tlv(skb, info->vif, info->link_sta->sta); mt7925_mcu_sta_eht_mld_tlv(skb, info->vif, info->link_sta->sta); } - - mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } if (!info->enable) { mt7925_mcu_sta_remove_tlv(skb); mt76_connac_mcu_add_tlv(skb, STA_REC_MLD_OFF, sizeof(struct tlv)); + } else { + mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } return mt76_mcu_skb_send_msg(dev, skb, info->cmd, true); -- 2.34.1

8 months

2
1
0 0

[PATCH] clk: s2mps11: initialise clk_hw_onecell_data::num before accessing ::hws[] in probe()

by André Draszik

With UBSAN enabled, we're getting the following trace: UBSAN: array-index-out-of-bounds in .../drivers/clk/clk-s2mps11.c:186:3 index 0 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]') This is because commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of that struct with __counted_by, which informs the bounds sanitizer about the number of elements in hws, so that it can warn when hws is accessed out of bounds. As noted in that change, the __counted_by member must be initialised with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialisation because the number of elements is zero. This occurs in s2mps11_clk_probe() due to ::num being assigned after ::hws access. Move the assignment to satisfy the requirement of assign-before-access. Cc: stable(a)vger.kernel.org Fixes: f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") Signed-off-by: André Draszik <andre.draszik(a)linaro.org> --- drivers/clk/clk-s2mps11.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/clk/clk-s2mps11.c b/drivers/clk/clk-s2mps11.c index 014db6386624071e173b5b940466301d2596400a..8ddf3a9a53dfd5bb52a05a3e02788a357ea77ad3 100644 --- a/drivers/clk/clk-s2mps11.c +++ b/drivers/clk/clk-s2mps11.c @@ -137,6 +137,8 @@ static int s2mps11_clk_probe(struct platform_device *pdev) if (!clk_data) return -ENOMEM; + clk_data->num = S2MPS11_CLKS_NUM; + switch (hwid) { case S2MPS11X: s2mps11_reg = S2MPS11_REG_RTC_CTRL; @@ -186,7 +188,6 @@ static int s2mps11_clk_probe(struct platform_device *pdev) clk_data->hws[i] = &s2mps11_clks[i].hw; } - clk_data->num = S2MPS11_CLKS_NUM; of_clk_add_hw_provider(s2mps11_clks->clk_np, of_clk_hw_onecell_get, clk_data); --- base-commit: 9388ec571cb1adba59d1cded2300eeb11827679c change-id: 20250326-s2mps11-ubsan-c90978e7bc04 Best regards, -- André Draszik <andre.draszik(a)linaro.org>

8 months

3
2
0 0

perf r5101c4 counter regression

by Salvatore Bonaccorso

Hi, Pasi Kallinen reported in Debian a regression with perf r5101c4 counter, initially it was found in https://github.com/rr-debugger/rr/issues/3949 but said to be a kernel problem. On Tue, May 06, 2025 at 07:18:39PM +0300, Pasi Kallinen wrote: > Package: src:linux > Version: 6.12.25-1 > Severity: normal > X-Debbugs-Cc: debian-amd64(a)lists.debian.org, paxed(a)alt.org > User: debian-amd64(a)lists.debian.org > Usertags: amd64 > > Dear Maintainer, > > perf stat -e r5101c4 true > > reports "not supported". > > The counters worked in kernel 6.11.10. > > I first noticed this not working when updating to 6.12.22. > Booting back to 6.11.10, the counters work correctly. Does this ring a bell? Would you be able to bisect the changes to identify where the behaviour changed? Regards, Salvatore

8 months

2
1
0 0

[PATCH] xenbus: Use kref to track req lifetime

by Jason Andryuk

Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace: <TASK> __wake_up_common_lock+0x82/0xd0 process_msg+0x18e/0x2f0 xenbus_thread+0x165/0x1c0 process_msg+0x18e is req->cb(req). req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems like it was xs_wake_up() in this case. It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed data. Linux Device Drivers 2nd edition states: "Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns." ... which would match the behaviour observed. Change to keeping two krefs on each request. One for the caller, and one for xenbus_thread. Each will kref_put() when finished, and the last will free it. This use of kref matches the description in Documentation/core-api/kref.rst Link: https://lore.kernel.org/xen-devel/ZO0WrR5J0xuwDIxW@mail-itl/ Reported-by: "Marek Marczykowski-Górecki" <marmarek(a)invisiblethingslab.com> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses") Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> --- Kinda RFC-ish as I don't know if it fixes Marek's issue. This does seem like the correct approach if we are seeing req free()ed out from under xenbus_thread. drivers/xen/xenbus/xenbus.h | 2 ++ drivers/xen/xenbus/xenbus_comms.c | 9 ++++----- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 ++++++++++++++++-- 4 files changed, 23 insertions(+), 8 deletions(-) diff --git a/drivers/xen/xenbus/xenbus.h b/drivers/xen/xenbus/xenbus.h index 13821e7e825e..9ac0427724a3 100644 --- a/drivers/xen/xenbus/xenbus.h +++ b/drivers/xen/xenbus/xenbus.h @@ -77,6 +77,7 @@ enum xb_req_state { struct xb_req_data { struct list_head list; wait_queue_head_t wq; + struct kref kref; struct xsd_sockmsg msg; uint32_t caller_req_id; enum xsd_sockmsg_type type; @@ -103,6 +104,7 @@ int xb_init_comms(void); void xb_deinit_comms(void); int xs_watch_msg(struct xs_watch_event *event); void xs_request_exit(struct xb_req_data *req); +void xs_free_req(struct kref *kref); int xenbus_match(struct device *_dev, const struct device_driver *_drv); int xenbus_dev_probe(struct device *_dev); diff --git a/drivers/xen/xenbus/xenbus_comms.c b/drivers/xen/xenbus/xenbus_comms.c index e5fda0256feb..82df2da1b880 100644 --- a/drivers/xen/xenbus/xenbus_comms.c +++ b/drivers/xen/xenbus/xenbus_comms.c @@ -309,8 +309,8 @@ static int process_msg(void) virt_wmb(); req->state = xb_req_state_got_reply; req->cb(req); - } else - kfree(req); + } + kref_put(&req->kref, xs_free_req); } mutex_unlock(&xs_response_mutex); @@ -386,14 +386,13 @@ static int process_writes(void) state.req->msg.type = XS_ERROR; state.req->err = err; list_del(&state.req->list); - if (state.req->state == xb_req_state_aborted) - kfree(state.req); - else { + if (state.req->state != xb_req_state_aborted) { /* write err, then update state */ virt_wmb(); state.req->state = xb_req_state_got_reply; wake_up(&state.req->wq); } + kref_put(&state.req->kref, xs_free_req); mutex_unlock(&xb_write_mutex); diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 46f8916597e5..f5c21ba64df5 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -406,7 +406,7 @@ void xenbus_dev_queue_reply(struct xb_req_data *req) mutex_unlock(&u->reply_mutex); kfree(req->body); - kfree(req); + kref_put(&req->kref, xs_free_req); kref_put(&u->kref, xenbus_file_free); diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c index d32c726f7a12..dcf9182c8451 100644 --- a/drivers/xen/xenbus/xenbus_xs.c +++ b/drivers/xen/xenbus/xenbus_xs.c @@ -112,6 +112,12 @@ static void xs_suspend_exit(void) wake_up_all(&xs_state_enter_wq); } +void xs_free_req(struct kref *kref) +{ + struct xb_req_data *req = container_of(kref, struct xb_req_data, kref); + kfree(req); +} + static uint32_t xs_request_enter(struct xb_req_data *req) { uint32_t rq_id; @@ -237,6 +243,12 @@ static void xs_send(struct xb_req_data *req, struct xsd_sockmsg *msg) req->caller_req_id = req->msg.req_id; req->msg.req_id = xs_request_enter(req); + /* + * Take 2nd ref. One for this thread, and the second for the + * xenbus_thread. + */ + kref_get(&req->kref); + mutex_lock(&xb_write_mutex); list_add_tail(&req->list, &xb_write_list); notify = list_is_singular(&xb_write_list); @@ -261,8 +273,8 @@ static void *xs_wait_for_reply(struct xb_req_data *req, struct xsd_sockmsg *msg) if (req->state == xb_req_state_queued || req->state == xb_req_state_wait_reply) req->state = xb_req_state_aborted; - else - kfree(req); + + kref_put(&req->kref, xs_free_req); mutex_unlock(&xb_write_mutex); return ret; @@ -291,6 +303,7 @@ int xenbus_dev_request_and_reply(struct xsd_sockmsg *msg, void *par) req->cb = xenbus_dev_queue_reply; req->par = par; req->user_req = true; + kref_init(&req->kref); xs_send(req, msg); @@ -319,6 +332,7 @@ static void *xs_talkv(struct xenbus_transaction t, req->num_vecs = num_vecs; req->cb = xs_wake_up; req->user_req = false; + kref_init(&req->kref); msg.req_id = 0; msg.tx_id = t.id; -- 2.34.1

8 months

3
3
0 0

[PATCH 6.6 000/129] 6.6.90-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.90 release. There are 129 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.90-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.90-rc1 Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix possible null pointer dereference at secondary interrupter removal Marc Zyngier <maz(a)kernel.org> usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Use the new rb tree helpers Shyam Saini <shyamsaini(a)linux.microsoft.com> drivers: base: handle module_kobject creation Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: globalize lookup_or_create_module_kobject() Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: param: rename locate_module_kobject Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Limit time spent with xHC interrupts disabled during bus resume Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: support setting interrupt moderation IMOD for secondary interrupters Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: check if 'requested segments' exceeds ERST capacity Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Add helper to set an interrupters interrupt moderation interval Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: add support to allocate several interrupters Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: split free interrupter into separate remove and free parts Lukas Wunner <lukas(a)wunner.de> xhci: Clean up stale comment on ERST_SIZE macro Jonathan Bell <jonathan(a)raspberrypi.com> xhci: Use more than one Event Ring segment Lukas Wunner <lukas(a)wunner.de> xhci: Set DESI bits in ERDP register correctly Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Samuel Holland <samuel.holland(a)sifive.com> riscv: Pass patch_text() the length in bytes Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Rob Herring (Arm) <robh(a)kernel.org> ASoC: Use of_property_read_bool() Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Sathesh B Edara <sedara(a)marvell.com> octeon_ep: Fix host hang issue during device reboot Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Chad Monroe <chad(a)monroe.io> net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Jacob Keller <jacob.e.keller(a)intel.com> igc: fix lock order in igc_ptp_reset Da Xue <da(a)libre.computer> net: mdio: mux-meson-gxl: set reversed bit when using internal phy Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Keith Busch <kbusch(a)kernel.org> nvme-pci: fix queue unquiesce check on slot_reset Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Shannon Nelson <shannon.nelson(a)amd.com> pds_core: remove write-after-free of client_id Shannon Nelson <shannon.nelson(a)amd.com> pds_core: specify auxiliary_device to be created Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make pdsc_auxbus_dev_del() void Shannon Nelson <shannon.nelson(a)amd.com> pds_core: delete VF dev on reset Shannon Nelson <shannon.nelson(a)amd.com> pds_core: check health in devcmd wait Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: copy RX timestamp to new fragments Abhishek Chauhan <quic_abchauha(a)quicinc.com> net: Rename mono_delivery_time to tstamp_type for scalabilty En-Wei Wu <en-wei.wu(a)canonical.com> Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Fix dash warning Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Chen Linxuan <chenlinxuan(a)uniontech.com> drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Check for ld-option support Donet Tom <donettom(a)linux.ibm.com> book3s64/radix : Align section vmemmap start address to PAGE_SIZE Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Robin Murphy <robin.murphy(a)arm.com> iommu: Handle race with default domain setup Sean Christopherson <seanjc(a)google.com> KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Ryan Matthews <ryanmatthews(a)fastmail.com> Revert "PCI: imx6: Skip controller_id generation logic for i.MX7D" Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: extend changes_pkt_data with cases w/o subprograms Eduard Zingerman <eddyz87(a)gmail.com> bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: validate that tail call invalidates packet pointers Eduard Zingerman <eddyz87(a)gmail.com> bpf: consider that tail calls invalidate packet pointers Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: freplace tests for tracking of changes_packet_data Eduard Zingerman <eddyz87(a)gmail.com> bpf: check changes_pkt_data property for extension programs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: test for changing packet data from global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: track changes_pkt_data property for global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: refactor bpf_helper_changes_pkt_data to use helper number Eduard Zingerman <eddyz87(a)gmail.com> bpf: add find_containing_subprog() utility function Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Jethro Donaldson <devel(a)jro.nz> smb: client: fix zero length for mkdir POSIX create context Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not take trace_event_sem in print_event_fields() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: repeat setting reserved region nid if array is doubled Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: pass size instead of end to memblock_set_node() Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/fdinfo: Protect against driver unbind Dave Chen <davechen(a)synology.com> btrfs: fix COW handling in run_delalloc_nocow() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Geoffrey D. Bennett <g(a)b4.vu> ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" ------------- Diffstat: Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 +- arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/boot/wrapper | 6 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 17 +- arch/riscv/include/asm/patch.h | 2 +- arch/riscv/kernel/patch.c | 14 +- arch/riscv/kernel/probes/kprobes.c | 18 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/riscv/net/bpf_jit_comp64.c | 7 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/kvm-x86-ops.h | 1 + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/svm.c | 13 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/x86.c | 3 + drivers/base/module.c | 13 +- drivers/bluetooth/btusb.c | 101 ++++++++--- drivers/cpufreq/cpufreq.c | 42 ++++- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 6 +- drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 +++--- drivers/gpu/drm/drm_file.c | 6 + drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 +++++---- drivers/iommu/intel/iommu.c | 4 +- drivers/iommu/iommu.c | 18 ++ drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 9 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 49 +++--- drivers/net/ethernet/amd/pds_core/core.h | 7 +- drivers/net/ethernet/amd/pds_core/dev.c | 11 +- drivers/net/ethernet/amd/pds_core/devlink.c | 7 +- drivers/net/ethernet/amd/pds_core/main.c | 23 ++- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 ++- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 +++- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 +++++---- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 ++- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/igc/igc_ptp.c | 6 +- .../net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 14 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 194 +++++++++++++++++++-- drivers/net/ethernet/mscc/ocelot_vcap.c | 1 + drivers/net/ethernet/vertexcom/mse102x.c | 36 +++- drivers/net/mdio/mdio-mux-meson-gxl.c | 3 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/pci.c | 2 +- drivers/nvme/host/tcp.c | 31 +++- drivers/pci/controller/dwc/pci-imx6.c | 3 +- drivers/platform/x86/amd/pmc/pmc.c | 7 +- .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- drivers/spi/spi-tegra114.c | 6 +- drivers/usb/host/xhci-debugfs.c | 2 +- drivers/usb/host/xhci-hub.c | 30 ++-- drivers/usb/host/xhci-mem.c | 175 +++++++++++++++---- drivers/usb/host/xhci-ring.c | 4 +- drivers/usb/host/xhci.c | 80 ++++++--- drivers/usb/host/xhci.h | 20 ++- fs/btrfs/inode.c | 9 +- fs/smb/client/smb2pdu.c | 1 + fs/smb/server/auth.c | 14 +- fs/smb/server/smb2pdu.c | 5 - include/linux/bpf.h | 1 + include/linux/bpf_verifier.h | 1 + include/linux/cpufreq.h | 83 ++++++--- include/linux/filter.h | 2 +- include/linux/module.h | 2 + include/linux/pds/pds_core_if.h | 1 + include/linux/skbuff.h | 52 ++++-- include/net/inet_frag.h | 4 +- include/soc/mscc/ocelot_vcap.h | 2 + include/sound/ump_convert.h | 2 +- kernel/bpf/core.c | 2 +- kernel/bpf/verifier.c | 81 +++++++-- kernel/params.c | 6 +- kernel/trace/trace.c | 5 +- kernel/trace/trace_output.c | 4 +- mm/memblock.c | 12 +- mm/memcontrol.c | 9 + net/bluetooth/l2cap_core.c | 3 + net/bridge/netfilter/nf_conntrack_bridge.c | 6 +- net/core/dev.c | 2 +- net/core/filter.c | 73 ++++---- net/ieee802154/6lowpan/reassembly.c | 2 +- net/ipv4/inet_fragment.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_output.c | 9 +- net/ipv4/tcp_output.c | 14 +- net/ipv4/udp_offload.c | 61 ++++++- net/ipv6/ip6_output.c | 6 +- net/ipv6/netfilter.c | 6 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- net/ipv6/tcp_ipv6.c | 2 +- net/sched/act_bpf.c | 4 +- net/sched/cls_bpf.c | 4 +- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- sound/soc/codecs/ak4613.c | 4 +- sound/soc/soc-core.c | 36 ++-- sound/soc/soc-pcm.c | 5 +- sound/usb/endpoint.c | 7 + sound/usb/format.c | 3 +- .../selftests/bpf/prog_tests/changes_pkt_data.c | 107 ++++++++++++ .../testing/selftests/bpf/progs/changes_pkt_data.c | 39 +++++ .../bpf/progs/changes_pkt_data_freplace.c | 18 ++ tools/testing/selftests/bpf/progs/verifier_sock.c | 56 ++++++ 144 files changed, 1772 insertions(+), 662 deletions(-)

8 months

6
134
0 0

[to-be-updated] x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: x86/kexec: fix potential cmem->ranges out of bounds has been removed from the -mm tree. Its filename was x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: fuqiang wang <fuqiang.wang(a)easystack.cn> Subject: x86/kexec: fix potential cmem->ranges out of bounds Date: Mon, 8 Jan 2024 21:06:47 +0800 In memmap_exclude_ranges(), elfheader will be excluded from crashk_res. In the current x86 architecture code, the elfheader is always allocated at crashk_res.start. It seems that there won't be a new split range. But it depends on the allocation position of elfheader in crashk_res. To avoid potential out of bounds in future, add a extra slot. The similar issue also exists in fill_up_crash_elf_data(). The range to be excluded is [0, 1M], start (0) is special and will not appear in the middle of existing cmem->ranges[]. But in cast the low 1M could be changed in the future, add a extra slot too. Without this patch, kdump kernel will fail to be loaded by kexec_file_load, [ 139.736948] UBSAN: array-index-out-of-bounds in arch/x86/kernel/crash.c:350:25 [ 139.742360] index 0 is out of range for type 'range [*]' [ 139.745695] CPU: 0 UID: 0 PID: 5778 Comm: kexec Not tainted 6.15.0-0.rc3.20250425git02ddfb981de8.32.fc43.x86_64 #1 PREEMPT(lazy) [ 139.745698] Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 [ 139.745699] Call Trace: [ 139.745700] <TASK> [ 139.745701] dump_stack_lvl+0x5d/0x80 [ 139.745706] ubsan_epilogue+0x5/0x2b [ 139.745709] __ubsan_handle_out_of_bounds.cold+0x54/0x59 [ 139.745711] crash_setup_memmap_entries+0x2d9/0x330 [ 139.745716] setup_boot_parameters+0xf8/0x6a0 [ 139.745720] bzImage64_load+0x41b/0x4e0 [ 139.745722] ? find_next_iomem_res+0x109/0x140 [ 139.745727] ? locate_mem_hole_callback+0x109/0x170 [ 139.745737] kimage_file_alloc_init+0x1ef/0x3e0 [ 139.745740] __do_sys_kexec_file_load+0x180/0x2f0 [ 139.745742] do_syscall_64+0x7b/0x160 [ 139.745745] ? do_user_addr_fault+0x21a/0x690 [ 139.745747] ? exc_page_fault+0x7e/0x1a0 [ 139.745749] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 139.745751] RIP: 0033:0x7f7712c84e4d Previously discussed link: [1] https://lore.kernel.org/kexec/ZXk2oBf%2FT1Ul6o0c@MiWiFi-R3L-srv/ [2] https://lore.kernel.org/kexec/273284e8-7680-4f5f-8065-c5d780987e59@easystac… [3] https://lore.kernel.org/kexec/ZYQ6O%2F57sHAPxTHm@MiWiFi-R3L-srv/ Link: https://lkml.kernel.org/r/20240108130720.228478-1-fuqiang.wang@easystack.cn Signed-off-by: fuqiang wang <fuqiang.wang(a)easystack.cn> Acked-by: Baoquan He <bhe(a)redhat.com> Reported-by: Coiby Xu <coxu(a)redhat.com> Closes: https://lkml.kernel.org/r/4de3c2onosr7negqnfhekm4cpbklzmsimgdfv33c52dktqpza… Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: <x86(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/kernel/crash.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) --- a/arch/x86/kernel/crash.c~x86-kexec-fix-potential-cmem-ranges-out-of-bounds +++ a/arch/x86/kernel/crash.c @@ -165,8 +165,18 @@ static struct crash_mem *fill_up_crash_e /* * Exclusion of crash region and/or crashk_low_res may cause * another range split. So add extra two slots here. + * + * Exclusion of low 1M may not cause another range split, because the + * range of exclude is [0, 1M] and the condition for splitting a new + * region is that the start, end parameters are both in a certain + * existing region in cmem and cannot be equal to existing region's + * start or end. Obviously, the start of [0, 1M] cannot meet this + * condition. + * + * But in order to lest the low 1M could be changed in the future, + * (e.g. [stare, 1M]), add a extra slot. */ - nr_ranges += 2; + nr_ranges += 3; cmem = vzalloc(struct_size(cmem, ranges, nr_ranges)); if (!cmem) return NULL; @@ -298,9 +308,16 @@ int crash_setup_memmap_entries(struct ki struct crash_memmap_data cmd; struct crash_mem *cmem; - cmem = vzalloc(struct_size(cmem, ranges, 1)); + /* + * In the current x86 architecture code, the elfheader is always + * allocated at crashk_res.start. But it depends on the allocation + * position of elfheader in crashk_res. To avoid potential out of + * bounds in future, add a extra slot. + */ + cmem = vzalloc(struct_size(cmem, ranges, 2)); if (!cmem) return -ENOMEM; + cmem->max_nr_ranges = 2; memset(&cmd, 0, sizeof(struct crash_memmap_data)); cmd.params = params; _ Patches currently in -mm which might be from fuqiang.wang(a)easystack.cn are

8 months

1
0
0 0

[PATCH 1/2] iio: Fix scan mask subset check logic

by Fabio Estevam

From: Fabio Estevam <festevam(a)denx.de> Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"), verbose and misleading warnings are printed for devices like the MAX11601: max1363 1-0064: available_scan_mask 8 subset of 0. Never used max1363 1-0064: available_scan_mask 9 subset of 0. Never used max1363 1-0064: available_scan_mask 10 subset of 0. Never used max1363 1-0064: available_scan_mask 11 subset of 0. Never used max1363 1-0064: available_scan_mask 12 subset of 0. Never used max1363 1-0064: available_scan_mask 13 subset of 0. Never used ... [warnings continue] Fix the available_scan_masks sanity check logic so that it only prints the warning when an element of available_scan_mask is in fact a subset of a previous one. These warnings incorrectly report that later scan masks are subsets of the first one, even when they are not. The issue lies in the logic that checks for subset relationships between scan masks. Fix the subset detection to correctly compare each mask only against previous masks, and only warn when a true subset is found. With this fix, the warning output becomes both correct and more informative: max1363 1-0064: Mask 7 (0xc) is a subset of mask 6 (0xf) and will be ignored Cc: stable(a)vger.kernel.org Fixes: 2718f15403fb ("iio: sanity check available_scan_masks array") Signed-off-by: Fabio Estevam <festevam(a)denx.de> --- drivers/iio/industrialio-core.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c index 6a6568d4a2cb..855d5fd3e6b2 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -1904,6 +1904,11 @@ static int iio_check_extended_name(const struct iio_dev *indio_dev) static const struct iio_buffer_setup_ops noop_ring_setup_ops; +static int is_subset(unsigned long a, unsigned long b) +{ + return (a & ~b) == 0; +} + static void iio_sanity_check_avail_scan_masks(struct iio_dev *indio_dev) { unsigned int num_masks, masklength, longs_per_mask; @@ -1947,21 +1952,13 @@ static void iio_sanity_check_avail_scan_masks(struct iio_dev *indio_dev) * available masks in the order of preference (presumably the least * costy to access masks first). */ - for (i = 0; i < num_masks - 1; i++) { - const unsigned long *mask1; - int j; - mask1 = av_masks + i * longs_per_mask; - for (j = i + 1; j < num_masks; j++) { - const unsigned long *mask2; - - mask2 = av_masks + j * longs_per_mask; - if (bitmap_subset(mask2, mask1, masklength)) + for (i = 1; i < num_masks; ++i) + for (int j = 0; j < i; ++j) + if (is_subset(av_masks[i], av_masks[j])) dev_warn(indio_dev->dev.parent, - "available_scan_mask %d subset of %d. Never used\n", - j, i); - } - } + "Mask %d (0x%lx) is a subset of mask %d (0x%lx) and will be ignored\n", + i, av_masks[i], j, av_masks[j]); } /** -- 2.34.1

8 months

3
17
0 0

[PATCH v2] drm/bridge: cdns-dsi: Replace deprecated UNIVERSAL_DEV_PM_OPS()

by Vitor Soares

From: Vitor Soares <vitor.soares(a)toradex.com> The deprecated UNIVERSAL_DEV_PM_OPS() macro uses the provided callbacks for both runtime PM and system sleep. This causes the DSI clocks to be disabled twice: once during runtime suspend and again during system suspend, resulting in a WARN message from the clock framework when attempting to disable already-disabled clocks. [ 84.384540] clk:231:5 already disabled [ 84.388314] WARNING: CPU: 2 PID: 531 at /drivers/clk/clk.c:1181 clk_core_disable+0xa4/0xac ... [ 84.579183] Call trace: [ 84.581624] clk_core_disable+0xa4/0xac [ 84.585457] clk_disable+0x30/0x4c [ 84.588857] cdns_dsi_suspend+0x20/0x58 [cdns_dsi] [ 84.593651] pm_generic_suspend+0x2c/0x44 [ 84.597661] ti_sci_pd_suspend+0xbc/0x15c [ 84.601670] dpm_run_callback+0x8c/0x14c [ 84.605588] __device_suspend+0x1a0/0x56c [ 84.609594] dpm_suspend+0x17c/0x21c [ 84.613165] dpm_suspend_start+0xa0/0xa8 [ 84.617083] suspend_devices_and_enter+0x12c/0x634 [ 84.621872] pm_suspend+0x1fc/0x368 To address this issue, replace UNIVERSAL_DEV_PM_OPS() with SET_RUNTIME_PM_OPS(), enabling suspend/resume handling through the _enable()/_disable() hooks managed by the DRM framework for both runtime and system-wide PM. Cc: <stable(a)vger.kernel.org> # 6.1.x Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> --- v1 -> v2 - Rely only on SET_RUNTIME_PM_OPS() for the PM. drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index b022dd6e6b6e..5a31783fe856 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -1258,7 +1258,7 @@ static const struct mipi_dsi_host_ops cdns_dsi_ops = { .transfer = cdns_dsi_transfer, }; -static int __maybe_unused cdns_dsi_resume(struct device *dev) +static int cdns_dsi_resume(struct device *dev) { struct cdns_dsi *dsi = dev_get_drvdata(dev); @@ -1269,7 +1269,7 @@ static int __maybe_unused cdns_dsi_resume(struct device *dev) return 0; } -static int __maybe_unused cdns_dsi_suspend(struct device *dev) +static int cdns_dsi_suspend(struct device *dev) { struct cdns_dsi *dsi = dev_get_drvdata(dev); @@ -1279,8 +1279,9 @@ static int __maybe_unused cdns_dsi_suspend(struct device *dev) return 0; } -static UNIVERSAL_DEV_PM_OPS(cdns_dsi_pm_ops, cdns_dsi_suspend, cdns_dsi_resume, - NULL); +static const struct dev_pm_ops cdns_dsi_pm_ops = { + SET_RUNTIME_PM_OPS(cdns_dsi_suspend, cdns_dsi_resume, NULL) +}; static int cdns_dsi_drm_probe(struct platform_device *pdev) { -- 2.34.1

8 months

2
1
0 0

Missing patch in 6.12.27 - breaks UM target builds

by Christian Lamparter

Hi, On 3/14/25 2:08 PM, Benjamin Berg wrote: > From: Benjamin Berg <benjamin.berg(a)intel.com> > um: work around sched_yield not yielding in time-travel mode > > sched_yield by a userspace may not actually cause scheduling in > time-travel mode as no time has passed. In the case seen it appears to > be a badly implemented userspace spinlock in ASAN. Unfortunately, with > time-travel it causes an extreme slowdown or even deadlock depending on > the kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS). > > Work around it by accounting time to the process whenever it executes a > sched_yield syscall. > > Signed-off-by: Benjamin Berg <benjamin.berg(a)intel.com> From what I can tell the patch mentioned above was backported to 6.12.27 by: <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/arc…> but without the upstream |Commit 0b8b2668f9981c1fefc2ef892bd915288ef01f33 |Author: Benjamin Berg <benjamin.berg(a)intel.com> |Date: Thu Oct 10 16:25:37 2024 +0200 | um: insert scheduler ticks when userspace does not yield | | In time-travel mode userspace can do a lot of work without any time | passing. Unfortunately, this can result in OOM situations as the RCU | core code will never be run. [...] the kernel build for 6.12.27 for the UM-Target will fail: | /usr/bin/ld: arch/um/kernel/skas/syscall.o: in function `handle_syscall': linux-6.12.27/arch/um/kernel/skas/syscall.c:43:(.text+0xa2): undefined reference to `tt_extra_sched_jiffies' | collect2: error: ld returned 1 exit status is it possible to backport 0b8b2668f9981c1fefc2ef892bd915288ef01f33 too? Or is it better to revert 887c5c12e80c8424bd471122d2e8b6b462e12874 again in the stable releases? Best Regards, Christian Lamparter > > --- > > I suspect it is this code in ASAN that uses sched_yield > https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_co… > though there are also some other places that use sched_yield. > > I doubt that code is reasonable. At the same time, not sure that > sched_yield is behaving as advertised either as it obviously is not > necessarily relinquishing the CPU. > --- > arch/um/include/linux/time-internal.h | 2 ++ > arch/um/kernel/skas/syscall.c | 11 +++++++++++ > 2 files changed, 13 insertions(+) > > diff --git a/arch/um/include/linux/time-internal.h b/arch/um/include/linux/time-internal.h > index b22226634ff6..138908b999d7 100644 > --- a/arch/um/include/linux/time-internal.h > +++ b/arch/um/include/linux/time-internal.h > @@ -83,6 +83,8 @@ extern void time_travel_not_configured(void); > #define time_travel_del_event(...) time_travel_not_configured() > #endif /* CONFIG_UML_TIME_TRAVEL_SUPPORT */ > > +extern unsigned long tt_extra_sched_jiffies; > + > /* > * Without CONFIG_UML_TIME_TRAVEL_SUPPORT this is a linker error if used, > * which is intentional since we really shouldn't link it in that case. > diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c > index b09e85279d2b..a5beaea2967e 100644 > --- a/arch/um/kernel/skas/syscall.c > +++ b/arch/um/kernel/skas/syscall.c > @@ -31,6 +31,17 @@ void handle_syscall(struct uml_pt_regs *r) > goto out; > > syscall = UPT_SYSCALL_NR(r); > + > + /* > + * If no time passes, then sched_yield may not actually yield, causing > + * broken spinlock implementations in userspace (ASAN) to hang for long > + * periods of time. > + */ > + if ((time_travel_mode == TT_MODE_INFCPU || > + time_travel_mode == TT_MODE_EXTERNAL) && > + syscall == __NR_sched_yield) > + tt_extra_sched_jiffies += 1; > + > if (syscall >= 0 && syscall < __NR_syscalls) { > unsigned long ret = EXECUTE_SYSCALL(syscall, regs); >

8 months

2
1
0 0

[PATCH] riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL

by Nam Cao

When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes: Oops - illegal instruction [#1] [snip] epc : set_tagged_addr_ctrl+0x112/0x15a ra : set_tagged_addr_ctrl+0x74/0x15a epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10 [snip] status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002 set_tagged_addr_ctrl+0x112/0x15a __riscv_sys_prctl+0x352/0x73c do_trap_ecall_u+0x17c/0x20c andle_exception+0x150/0x15c Fix it by checking if Supm is available. Fixes: 09d6775f503b ("riscv: Add support for userspace pointer masking") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- arch/riscv/kernel/process.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index 7c244de77180..3db2c0c07acd 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -275,6 +275,9 @@ long set_tagged_addr_ctrl(struct task_struct *task, unsigned long arg) unsigned long pmm; u8 pmlen; + if (!riscv_has_extension_unlikely(RISCV_ISA_EXT_SUPM)) + return -EINVAL; + if (is_compat_thread(ti)) return -EINVAL; -- 2.39.5

8 months

4
7
0 0

[PATCH] f2fs: fix to return correct error number in f2fs_sync_node_pages()

by Chao Yu

If __write_node_folio() failed, it will return AOP_WRITEPAGE_ACTIVATE, the incorrect return value may be passed to userspace in below path, fix it. - sync_filesystem - sync_fs - f2fs_issue_checkpoint - block_operations - f2fs_sync_node_pages - __write_node_folio : return AOP_WRITEPAGE_ACTIVATE Cc: stable(a)vger.kernel.org Reported-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/node.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c index ec74eb9982a5..69308523c34e 100644 --- a/fs/f2fs/node.c +++ b/fs/f2fs/node.c @@ -2092,10 +2092,14 @@ int f2fs_sync_node_pages(struct f2fs_sb_info *sbi, ret = __write_node_folio(folio, false, &submitted, wbc, do_balance, io_type, NULL); - if (ret) + if (ret) { folio_unlock(folio); - else if (submitted) + folio_batch_release(&fbatch); + ret = -EIO; + goto out; + } else if (submitted) { nwritten++; + } if (--wbc->nr_to_write == 0) break; -- 2.49.0

8 months

2
1
0 0

[PATCH 1/6] f2fs: fix to return correct error number in f2fs_sync_node_pages()

by Christoph Hellwig

From: Chao Yu <chao(a)kernel.org> If __write_node_folio() failed, it will return AOP_WRITEPAGE_ACTIVATE, the incorrect return value may be passed to userspace in below path, fix it. - sync_filesystem - sync_fs - f2fs_issue_checkpoint - block_operations - f2fs_sync_node_pages - __write_node_folio : return AOP_WRITEPAGE_ACTIVATE Cc: stable(a)vger.kernel.org Reported-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/node.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c index ec74eb9982a5..69308523c34e 100644 --- a/fs/f2fs/node.c +++ b/fs/f2fs/node.c @@ -2092,10 +2092,14 @@ int f2fs_sync_node_pages(struct f2fs_sb_info *sbi, ret = __write_node_folio(folio, false, &submitted, wbc, do_balance, io_type, NULL); - if (ret) + if (ret) { folio_unlock(folio); - else if (submitted) + folio_batch_release(&fbatch); + ret = -EIO; + goto out; + } else if (submitted) { nwritten++; + } if (--wbc->nr_to_write == 0) break; -- 2.47.2

8 months

2
1
0 0

FAILED: patch "[PATCH] mm: page_alloc: speed up fallbacks in rmqueue_bulk()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 90abee6d7895d5eef18c91d870d8168be4e76e9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042150-hardiness-hunting-0780@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 90abee6d7895d5eef18c91d870d8168be4e76e9d Mon Sep 17 00:00:00 2001 From: Johannes Weiner <hannes(a)cmpxchg.org> Date: Mon, 7 Apr 2025 14:01:53 -0400 Subject: [PATCH] mm: page_alloc: speed up fallbacks in rmqueue_bulk() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test robot identified c2f6ea38fc1b ("mm: page_alloc: don't steal single pages from biggest buddy") as the root cause of a 56.4% regression in vm-scalability::lru-file-mmap-read. Carlos reports an earlier patch, c0cd6f557b90 ("mm: page_alloc: fix freelist movement during block conversion"), as the root cause for a regression in worst-case zone->lock+irqoff hold times. Both of these patches modify the page allocator's fallback path to be less greedy in an effort to stave off fragmentation. The flip side of this is that fallbacks are also less productive each time around, which means the fallback search can run much more frequently. Carlos' traces point to rmqueue_bulk() specifically, which tries to refill the percpu cache by allocating a large batch of pages in a loop. It highlights how once the native freelists are exhausted, the fallback code first scans orders top-down for whole blocks to claim, then falls back to a bottom-up search for the smallest buddy to steal. For the next batch page, it goes through the same thing again. This can be made more efficient. Since rmqueue_bulk() holds the zone->lock over the entire batch, the freelists are not subject to outside changes; when the search for a block to claim has already failed, there is no point in trying again for the next page. Modify __rmqueue() to remember the last successful fallback mode, and restart directly from there on the next rmqueue_bulk() iteration. Oliver confirms that this improves beyond the regression that the test robot reported against c2f6ea38fc1b: commit: f3b92176f4 ("tools/selftests: add guard region test for /proc/$pid/pagemap") c2f6ea38fc ("mm: page_alloc: don't steal single pages from biggest buddy") acc4d5ff0b ("Merge tag 'net-6.15-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net") 2c847f27c3 ("mm: page_alloc: speed up fallbacks in rmqueue_bulk()") <--- your patch f3b92176f4f7100f c2f6ea38fc1b640aa7a2e155cc1 acc4d5ff0b61eb1715c498b6536 2c847f27c37da65a93d23c237c5 ---------------- --------------------------- --------------------------- --------------------------- %stddev %change %stddev %change %stddev %change %stddev \ | \ | \ | \ 25525364 ± 3% -56.4% 11135467 -57.8% 10779336 +31.6% 33581409 vm-scalability.throughput Carlos confirms that worst-case times are almost fully recovered compared to before the earlier culprit patch: 2dd482ba627d (before freelist hygiene): 1ms c0cd6f557b90 (after freelist hygiene): 90ms next-20250319 (steal smallest buddy): 280ms this patch : 8ms [jackmanb(a)google.com: comment updates] Link: https://lkml.kernel.org/r/D92AC0P9594X.3BML64MUKTF8Z@google.com [hannes(a)cmpxchg.org: reset rmqueue_mode in rmqueue_buddy() error loop, per Yunsheng Lin] Link: https://lkml.kernel.org/r/20250409140023.GA2313@cmpxchg.org Link: https://lkml.kernel.org/r/20250407180154.63348-1-hannes@cmpxchg.org Fixes: c0cd6f557b90 ("mm: page_alloc: fix freelist movement during block conversion") Fixes: c2f6ea38fc1b ("mm: page_alloc: don't steal single pages from biggest buddy") Signed-off-by: Johannes Weiner <hannes(a)cmpxchg.org> Signed-off-by: Brendan Jackman <jackmanb(a)google.com> Reported-by: kernel test robot <oliver.sang(a)intel.com> Reported-by: Carlos Song <carlos.song(a)nxp.com> Tested-by: Carlos Song <carlos.song(a)nxp.com> Tested-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202503271547.fc08b188-lkp@intel.com Reviewed-by: Brendan Jackman <jackmanb(a)google.com> Tested-by: Shivank Garg <shivankg(a)amd.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [6.10+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 9a219fe8e130..1715e34b91af 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -2183,23 +2183,15 @@ try_to_claim_block(struct zone *zone, struct page *page, } /* - * Try finding a free buddy page on the fallback list. - * - * This will attempt to claim a whole pageblock for the requested type - * to ensure grouping of such requests in the future. - * - * If a whole block cannot be claimed, steal an individual page, regressing to - * __rmqueue_smallest() logic to at least break up as little contiguity as - * possible. + * Try to allocate from some fallback migratetype by claiming the entire block, + * i.e. converting it to the allocation's start migratetype. * * The use of signed ints for order and current_order is a deliberate * deviation from the rest of this file, to make the for loop * condition simpler. - * - * Return the stolen page, or NULL if none can be found. */ static __always_inline struct page * -__rmqueue_fallback(struct zone *zone, int order, int start_migratetype, +__rmqueue_claim(struct zone *zone, int order, int start_migratetype, unsigned int alloc_flags) { struct free_area *area; @@ -2237,14 +2229,29 @@ __rmqueue_fallback(struct zone *zone, int order, int start_migratetype, page = try_to_claim_block(zone, page, current_order, order, start_migratetype, fallback_mt, alloc_flags); - if (page) - goto got_one; + if (page) { + trace_mm_page_alloc_extfrag(page, order, current_order, + start_migratetype, fallback_mt); + return page; + } } - if (alloc_flags & ALLOC_NOFRAGMENT) - return NULL; + return NULL; +} + +/* + * Try to steal a single page from some fallback migratetype. Leave the rest of + * the block as its current migratetype, potentially causing fragmentation. + */ +static __always_inline struct page * +__rmqueue_steal(struct zone *zone, int order, int start_migratetype) +{ + struct free_area *area; + int current_order; + struct page *page; + int fallback_mt; + bool claim_block; - /* No luck claiming pageblock. Find the smallest fallback page */ for (current_order = order; current_order < NR_PAGE_ORDERS; current_order++) { area = &(zone->free_area[current_order]); fallback_mt = find_suitable_fallback(area, current_order, @@ -2254,25 +2261,28 @@ __rmqueue_fallback(struct zone *zone, int order, int start_migratetype, page = get_page_from_free_area(area, fallback_mt); page_del_and_expand(zone, page, order, current_order, fallback_mt); - goto got_one; + trace_mm_page_alloc_extfrag(page, order, current_order, + start_migratetype, fallback_mt); + return page; } return NULL; - -got_one: - trace_mm_page_alloc_extfrag(page, order, current_order, - start_migratetype, fallback_mt); - - return page; } +enum rmqueue_mode { + RMQUEUE_NORMAL, + RMQUEUE_CMA, + RMQUEUE_CLAIM, + RMQUEUE_STEAL, +}; + /* * Do the hard work of removing an element from the buddy allocator. * Call me with the zone->lock already held. */ static __always_inline struct page * __rmqueue(struct zone *zone, unsigned int order, int migratetype, - unsigned int alloc_flags) + unsigned int alloc_flags, enum rmqueue_mode *mode) { struct page *page; @@ -2291,16 +2301,48 @@ __rmqueue(struct zone *zone, unsigned int order, int migratetype, } } - page = __rmqueue_smallest(zone, order, migratetype); - if (unlikely(!page)) { - if (alloc_flags & ALLOC_CMA) + /* + * First try the freelists of the requested migratetype, then try + * fallbacks modes with increasing levels of fragmentation risk. + * + * The fallback logic is expensive and rmqueue_bulk() calls in + * a loop with the zone->lock held, meaning the freelists are + * not subject to any outside changes. Remember in *mode where + * we found pay dirt, to save us the search on the next call. + */ + switch (*mode) { + case RMQUEUE_NORMAL: + page = __rmqueue_smallest(zone, order, migratetype); + if (page) + return page; + fallthrough; + case RMQUEUE_CMA: + if (alloc_flags & ALLOC_CMA) { page = __rmqueue_cma_fallback(zone, order); - - if (!page) - page = __rmqueue_fallback(zone, order, migratetype, - alloc_flags); + if (page) { + *mode = RMQUEUE_CMA; + return page; + } + } + fallthrough; + case RMQUEUE_CLAIM: + page = __rmqueue_claim(zone, order, migratetype, alloc_flags); + if (page) { + /* Replenished preferred freelist, back to normal mode. */ + *mode = RMQUEUE_NORMAL; + return page; + } + fallthrough; + case RMQUEUE_STEAL: + if (!(alloc_flags & ALLOC_NOFRAGMENT)) { + page = __rmqueue_steal(zone, order, migratetype); + if (page) { + *mode = RMQUEUE_STEAL; + return page; + } + } } - return page; + return NULL; } /* @@ -2312,6 +2354,7 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order, unsigned long count, struct list_head *list, int migratetype, unsigned int alloc_flags) { + enum rmqueue_mode rmqm = RMQUEUE_NORMAL; unsigned long flags; int i; @@ -2323,7 +2366,7 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order, } for (i = 0; i < count; ++i) { struct page *page = __rmqueue(zone, order, migratetype, - alloc_flags); + alloc_flags, &rmqm); if (unlikely(page == NULL)) break; @@ -2948,7 +2991,9 @@ struct page *rmqueue_buddy(struct zone *preferred_zone, struct zone *zone, if (alloc_flags & ALLOC_HIGHATOMIC) page = __rmqueue_smallest(zone, order, MIGRATE_HIGHATOMIC); if (!page) { - page = __rmqueue(zone, order, migratetype, alloc_flags); + enum rmqueue_mode rmqm = RMQUEUE_NORMAL; + + page = __rmqueue(zone, order, migratetype, alloc_flags, &rmqm); /* * If the allocation fails, allow OOM handling and

8 months

2
2
0 0

[PATCH v2 0/7] accel/ivpu: Add context violation handling for 6.12

by Jacek Lawrynowicz

These patchset adds support for VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW message added in recent VPU firmware. Without it the driver will not be able to process any jobs after this message is received and would need to be reloaded. Most patches are as-is from upstream besides these two: - Fix locking order in ivpu_job_submit - Abort all jobs after command queue unregister Both these patches need to be rebased because of missing new CMDQ UAPI changes that should not be backported to stable. Changes since v1: - Documented deviations from the original upstream patches in commit messages Andrew Kreimer (1): accel/ivpu: Fix a typo Andrzej Kacprowski (1): accel/ivpu: Update VPU FW API headers Karol Wachowski (4): accel/ivpu: Use xa_alloc_cyclic() instead of custom function accel/ivpu: Abort all jobs after command queue unregister accel/ivpu: Fix locking order in ivpu_job_submit accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW Tomasz Rusinowicz (1): accel/ivpu: Make DB_ID and JOB_ID allocations incremental drivers/accel/ivpu/ivpu_drv.c | 38 ++-- drivers/accel/ivpu/ivpu_drv.h | 9 + drivers/accel/ivpu/ivpu_job.c | 125 +++++++++--- drivers/accel/ivpu/ivpu_job.h | 1 + drivers/accel/ivpu/ivpu_jsm_msg.c | 3 +- drivers/accel/ivpu/ivpu_mmu.c | 3 +- drivers/accel/ivpu/ivpu_sysfs.c | 5 +- drivers/accel/ivpu/vpu_boot_api.h | 45 +++-- drivers/accel/ivpu/vpu_jsm_api.h | 303 +++++++++++++++++++++++++----- 9 files changed, 412 insertions(+), 120 deletions(-) -- 2.45.1

8 months

2
14
0 0

[PATCH 6.14.y v2 0/7] ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd

by Jared Holzman

This patchset backports a series of ublk fixes from upstream to 6.14-stable. Patch 7 fixes the race that can cause kernel panic when ublk server daemon is exiting. It depends on patches 1-6 which simplifies & improves IO canceling when ublk server daemon is exiting as described here: https://lore.kernel.org/linux-block/20250416035444.99569-1-ming.lei@redhat.… Ming Lei (5): ublk: add helper of ublk_need_map_io() ublk: move device reset into ublk_ch_release() ublk: remove __ublk_quiesce_dev() ublk: simplify aborting ublk request ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd Uday Shankar (2): ublk: properly serialize all FETCH_REQs ublk: improve detection and handling of ublk server exit drivers/block/ublk_drv.c | 550 +++++++++++++++++++++------------------ 1 file changed, 291 insertions(+), 259 deletions(-) -- 2.43.0

8 months

3
15
0 0

[PATCH v6.1] md: move initialization and destruction of 'io_acct_set' to md.c

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> commit c567c86b90d4715081adfe5eb812141a5b6b4883 upstream. 'io_acct_set' is only used for raid0 and raid456, prepare to use it for raid1 and raid10, so that io accounting from different levels can be consistent. By the way, follow up patches will also use this io clone mechanism to make sure 'active_io' represents in flight io, not io that is dispatching, so that mddev_suspend will wait for io to be done as designed. Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Xiao Ni <xni(a)redhat.com> Signed-off-by: Song Liu <song(a)kernel.org> Link: https://lore.kernel.org/r/20230621165110.1498313-2-yukuai1@huaweicloud.com [Yu Kuai: This is the relied patch for commit 4a05f7ae3371 ("md/raid10: fix missing discard IO accounting"), kernel will panic while issuing discard to raid10 without this patch] Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> --- drivers/md/md.c | 27 ++++++++++----------------- drivers/md/md.h | 2 -- drivers/md/raid0.c | 16 ++-------------- drivers/md/raid5.c | 41 +++++++++++------------------------------ 4 files changed, 23 insertions(+), 63 deletions(-) diff --git a/drivers/md/md.c b/drivers/md/md.c index d5fbccc72810..a9fcfcbc2d11 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5965,6 +5965,13 @@ int md_run(struct mddev *mddev) goto exit_bio_set; } + if (!bioset_initialized(&mddev->io_acct_set)) { + err = bioset_init(&mddev->io_acct_set, BIO_POOL_SIZE, + offsetof(struct md_io_acct, bio_clone), 0); + if (err) + goto exit_sync_set; + } + spin_lock(&pers_lock); pers = find_pers(mddev->level, mddev->clevel); if (!pers || !try_module_get(pers->owner)) { @@ -6142,6 +6149,8 @@ int md_run(struct mddev *mddev) module_put(pers->owner); md_bitmap_destroy(mddev); abort: + bioset_exit(&mddev->io_acct_set); +exit_sync_set: bioset_exit(&mddev->sync_set); exit_bio_set: bioset_exit(&mddev->bio_set); @@ -6374,6 +6383,7 @@ static void __md_stop(struct mddev *mddev) percpu_ref_exit(&mddev->active_io); bioset_exit(&mddev->bio_set); bioset_exit(&mddev->sync_set); + bioset_exit(&mddev->io_acct_set); } void md_stop(struct mddev *mddev) @@ -8744,23 +8754,6 @@ void md_submit_discard_bio(struct mddev *mddev, struct md_rdev *rdev, } EXPORT_SYMBOL_GPL(md_submit_discard_bio); -int acct_bioset_init(struct mddev *mddev) -{ - int err = 0; - - if (!bioset_initialized(&mddev->io_acct_set)) - err = bioset_init(&mddev->io_acct_set, BIO_POOL_SIZE, - offsetof(struct md_io_acct, bio_clone), 0); - return err; -} -EXPORT_SYMBOL_GPL(acct_bioset_init); - -void acct_bioset_exit(struct mddev *mddev) -{ - bioset_exit(&mddev->io_acct_set); -} -EXPORT_SYMBOL_GPL(acct_bioset_exit); - static void md_end_io_acct(struct bio *bio) { struct md_io_acct *md_io_acct = bio->bi_private; diff --git a/drivers/md/md.h b/drivers/md/md.h index 4f0b48097455..1fda5e139beb 100644 --- a/drivers/md/md.h +++ b/drivers/md/md.h @@ -746,8 +746,6 @@ extern void md_error(struct mddev *mddev, struct md_rdev *rdev); extern void md_finish_reshape(struct mddev *mddev); void md_submit_discard_bio(struct mddev *mddev, struct md_rdev *rdev, struct bio *bio, sector_t start, sector_t size); -int acct_bioset_init(struct mddev *mddev); -void acct_bioset_exit(struct mddev *mddev); void md_account_bio(struct mddev *mddev, struct bio **bio); extern bool __must_check md_flush_request(struct mddev *mddev, struct bio *bio); diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c index 7c6a0b4437d8..c50a7abda744 100644 --- a/drivers/md/raid0.c +++ b/drivers/md/raid0.c @@ -377,7 +377,6 @@ static void raid0_free(struct mddev *mddev, void *priv) struct r0conf *conf = priv; free_conf(mddev, conf); - acct_bioset_exit(mddev); } static int raid0_run(struct mddev *mddev) @@ -392,16 +391,11 @@ static int raid0_run(struct mddev *mddev) if (md_check_no_bitmap(mddev)) return -EINVAL; - if (acct_bioset_init(mddev)) { - pr_err("md/raid0:%s: alloc acct bioset failed.\n", mdname(mddev)); - return -ENOMEM; - } - /* if private is not null, we are here after takeover */ if (mddev->private == NULL) { ret = create_strip_zones(mddev, &conf); if (ret < 0) - goto exit_acct_set; + return ret; mddev->private = conf; } conf = mddev->private; @@ -432,15 +426,9 @@ static int raid0_run(struct mddev *mddev) ret = md_integrity_register(mddev); if (ret) - goto free; + free_conf(mddev, conf); return ret; - -free: - free_conf(mddev, conf); -exit_acct_set: - acct_bioset_exit(mddev); - return ret; } /* diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index 4315dabd3202..6e80a439ec45 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -7770,19 +7770,12 @@ static int raid5_run(struct mddev *mddev) struct md_rdev *rdev; struct md_rdev *journal_dev = NULL; sector_t reshape_offset = 0; - int i, ret = 0; + int i; long long min_offset_diff = 0; int first = 1; - if (acct_bioset_init(mddev)) { - pr_err("md/raid456:%s: alloc acct bioset failed.\n", mdname(mddev)); + if (mddev_init_writes_pending(mddev) < 0) return -ENOMEM; - } - - if (mddev_init_writes_pending(mddev) < 0) { - ret = -ENOMEM; - goto exit_acct_set; - } if (mddev->recovery_cp != MaxSector) pr_notice("md/raid:%s: not clean -- starting background reconstruction\n", @@ -7813,8 +7806,7 @@ static int raid5_run(struct mddev *mddev) (mddev->bitmap_info.offset || mddev->bitmap_info.file)) { pr_notice("md/raid:%s: array cannot have both journal and bitmap\n", mdname(mddev)); - ret = -EINVAL; - goto exit_acct_set; + return -EINVAL; } if (mddev->reshape_position != MaxSector) { @@ -7839,15 +7831,13 @@ static int raid5_run(struct mddev *mddev) if (journal_dev) { pr_warn("md/raid:%s: don't support reshape with journal - aborting.\n", mdname(mddev)); - ret = -EINVAL; - goto exit_acct_set; + return -EINVAL; } if (mddev->new_level != mddev->level) { pr_warn("md/raid:%s: unsupported reshape required - aborting.\n", mdname(mddev)); - ret = -EINVAL; - goto exit_acct_set; + return -EINVAL; } old_disks = mddev->raid_disks - mddev->delta_disks; /* reshape_position must be on a new-stripe boundary, and one @@ -7863,8 +7853,7 @@ static int raid5_run(struct mddev *mddev) if (sector_div(here_new, chunk_sectors * new_data_disks)) { pr_warn("md/raid:%s: reshape_position not on a stripe boundary\n", mdname(mddev)); - ret = -EINVAL; - goto exit_acct_set; + return -EINVAL; } reshape_offset = here_new * chunk_sectors; /* here_new is the stripe we will write to */ @@ -7886,8 +7875,7 @@ static int raid5_run(struct mddev *mddev) else if (mddev->ro == 0) { pr_warn("md/raid:%s: in-place reshape must be started in read-only mode - aborting\n", mdname(mddev)); - ret = -EINVAL; - goto exit_acct_set; + return -EINVAL; } } else if (mddev->reshape_backwards ? (here_new * chunk_sectors + min_offset_diff <= @@ -7897,8 +7885,7 @@ static int raid5_run(struct mddev *mddev) /* Reading from the same stripe as writing to - bad */ pr_warn("md/raid:%s: reshape_position too early for auto-recovery - aborting.\n", mdname(mddev)); - ret = -EINVAL; - goto exit_acct_set; + return -EINVAL; } pr_debug("md/raid:%s: reshape will continue\n", mdname(mddev)); /* OK, we should be able to continue; */ @@ -7922,10 +7909,8 @@ static int raid5_run(struct mddev *mddev) else conf = mddev->private; - if (IS_ERR(conf)) { - ret = PTR_ERR(conf); - goto exit_acct_set; - } + if (IS_ERR(conf)) + return PTR_ERR(conf); if (test_bit(MD_HAS_JOURNAL, &mddev->flags)) { if (!journal_dev) { @@ -8125,10 +8110,7 @@ static int raid5_run(struct mddev *mddev) free_conf(conf); mddev->private = NULL; pr_warn("md/raid:%s: failed to run raid set.\n", mdname(mddev)); - ret = -EIO; -exit_acct_set: - acct_bioset_exit(mddev); - return ret; + return -EIO; } static void raid5_free(struct mddev *mddev, void *priv) @@ -8136,7 +8118,6 @@ static void raid5_free(struct mddev *mddev, void *priv) struct r5conf *conf = priv; free_conf(conf); - acct_bioset_exit(mddev); mddev->to_remove = &raid5_attrs_group; } -- 2.39.2

8 months

4
3
0 0

FAILED: patch "[PATCH] drm/xe: Invalidate L3 read-only cachelines for geometry" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x e775278cd75f24a2758c28558c4e41b36c935740 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042247-mounting-playlist-f479@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e775278cd75f24a2758c28558c4e41b36c935740 Mon Sep 17 00:00:00 2001 From: Kenneth Graunke <kenneth(a)whitecape.org> Date: Sun, 30 Mar 2025 12:59:23 -0400 Subject: [PATCH] drm/xe: Invalidate L3 read-only cachelines for geometry streams too Historically, the Vertex Fetcher unit has not been an L3 client. That meant that, when a buffer containing vertex data was written to, it was necessary to issue a PIPE_CONTROL::VF Cache Invalidate to invalidate any VF L2 cachelines associated with that buffer, so the new value would be properly read from memory. Since Tigerlake and later, VERTEX_BUFFER_STATE and 3DSTATE_INDEX_BUFFER have included an "L3 Bypass Enable" bit which userspace drivers can set to request that the vertex fetcher unit snoop L3. However, unlike most true L3 clients, the "VF Cache Invalidate" bit continues to only invalidate the VF L2 cache - and not any associated L3 lines. To handle that, PIPE_CONTROL has a new "L3 Read Only Cache Invalidation Bit", which according to the docs, "controls the invalidation of the Geometry streams cached in L3 cache at the top of the pipe." In other words, the vertex and index buffer data that gets cached in L3 when "L3 Bypass Disable" is set. Mesa always sets L3 Bypass Disable so that the VF unit snoops L3, and whenever it issues a VF Cache Invalidate, it also issues a L3 Read Only Cache Invalidate so that both L2 and L3 vertex data is invalidated. xe is issuing VF cache invalidates too (which handles cases like CPU writes to a buffer between GPU batches). Because userspace may enable L3 snooping, it needs to issue an L3 Read Only Cache Invalidate as well. Fixes significant flickering in Firefox on Meteorlake, which was writing to vertex buffers via the CPU between batches; the missing L3 Read Only invalidates were causing the vertex fetcher to read stale data from L3. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4460 Fixes: 6ef3bb60557d ("drm/xe: enable lite restore") Cc: stable(a)vger.kernel.org # v6.13+ Signed-off-by: Kenneth Graunke <kenneth(a)whitecape.org> Reviewed-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Link: https://lore.kernel.org/r/20250330165923.56410-1-rodrigo.vivi@intel.com Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> (cherry picked from commit 61672806b579dd5a150a042ec9383be2bbc2ae7e) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h b/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h index a255946b6f77..8cfcd3360896 100644 --- a/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h +++ b/drivers/gpu/drm/xe/instructions/xe_gpu_commands.h @@ -41,6 +41,7 @@ #define GFX_OP_PIPE_CONTROL(len) ((0x3<<29)|(0x3<<27)|(0x2<<24)|((len)-2)) +#define PIPE_CONTROL0_L3_READ_ONLY_CACHE_INVALIDATE BIT(10) /* gen12 */ #define PIPE_CONTROL0_HDC_PIPELINE_FLUSH BIT(9) /* gen12 */ #define PIPE_CONTROL_COMMAND_CACHE_INVALIDATE (1<<29) diff --git a/drivers/gpu/drm/xe/xe_ring_ops.c b/drivers/gpu/drm/xe/xe_ring_ops.c index 917fc16de866..a7582b097ae6 100644 --- a/drivers/gpu/drm/xe/xe_ring_ops.c +++ b/drivers/gpu/drm/xe/xe_ring_ops.c @@ -137,7 +137,8 @@ emit_pipe_control(u32 *dw, int i, u32 bit_group_0, u32 bit_group_1, u32 offset, static int emit_pipe_invalidate(u32 mask_flags, bool invalidate_tlb, u32 *dw, int i) { - u32 flags = PIPE_CONTROL_CS_STALL | + u32 flags0 = 0; + u32 flags1 = PIPE_CONTROL_CS_STALL | PIPE_CONTROL_COMMAND_CACHE_INVALIDATE | PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE | PIPE_CONTROL_TEXTURE_CACHE_INVALIDATE | @@ -148,11 +149,15 @@ static int emit_pipe_invalidate(u32 mask_flags, bool invalidate_tlb, u32 *dw, PIPE_CONTROL_STORE_DATA_INDEX; if (invalidate_tlb) - flags |= PIPE_CONTROL_TLB_INVALIDATE; + flags1 |= PIPE_CONTROL_TLB_INVALIDATE; - flags &= ~mask_flags; + flags1 &= ~mask_flags; - return emit_pipe_control(dw, i, 0, flags, LRC_PPHWSP_FLUSH_INVAL_SCRATCH_ADDR, 0); + if (flags1 & PIPE_CONTROL_VF_CACHE_INVALIDATE) + flags0 |= PIPE_CONTROL0_L3_READ_ONLY_CACHE_INVALIDATE; + + return emit_pipe_control(dw, i, flags0, flags1, + LRC_PPHWSP_FLUSH_INVAL_SCRATCH_ADDR, 0); } static int emit_store_imm_ppgtt_posted(u64 addr, u64 value,

8 months

3
2
0 0

[PATCH] dm: fix copying after src array boundaries

by Tudor Ambarus

The blammed commit copied to argv the size of the reallocated argv, instead of the size of the old_argv, thus reading and copying from past the old_argv allocated memory. Following BUG_ON was hit: [ 3.038929][ T1] kernel BUG at lib/string_helpers.c:1040! [ 3.039147][ T1] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... [ 3.056489][ T1] Call trace: [ 3.056591][ T1] __fortify_panic+0x10/0x18 (P) [ 3.056773][ T1] dm_split_args+0x20c/0x210 [ 3.056942][ T1] dm_table_add_target+0x13c/0x360 [ 3.057132][ T1] table_load+0x110/0x3ac [ 3.057292][ T1] dm_ctl_ioctl+0x424/0x56c [ 3.057457][ T1] __arm64_sys_ioctl+0xa8/0xec [ 3.057634][ T1] invoke_syscall+0x58/0x10c [ 3.057804][ T1] el0_svc_common+0xa8/0xdc [ 3.057970][ T1] do_el0_svc+0x1c/0x28 [ 3.058123][ T1] el0_svc+0x50/0xac [ 3.058266][ T1] el0t_64_sync_handler+0x60/0xc4 [ 3.058452][ T1] el0t_64_sync+0x1b0/0x1b4 [ 3.058620][ T1] Code: f800865e a9bf7bfd 910003fd 941f48aa (d4210000) [ 3.058897][ T1] ---[ end trace 0000000000000000 ]--- [ 3.059083][ T1] Kernel panic - not syncing: Oops - BUG: Fatal exception Fix it by copying the size of src, and not the size of dst, as it was. Fixes: 5a2a6c428190 ("dm: always update the array size in realloc_argv on success") Cc: stable(a)vger.kernel.org Signed-off-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> --- drivers/md/dm-table.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 9e175c5e0634b49b990436898f63c2b1e696febb..6dae73ee49dbb36d89341ff09556876d0973c4ff 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -524,9 +524,9 @@ static char **realloc_argv(unsigned int *size, char **old_argv) } argv = kmalloc_array(new_size, sizeof(*argv), gfp); if (argv) { - *size = new_size; if (old_argv) memcpy(argv, old_argv, *size * sizeof(*argv)); + *size = new_size; } kfree(old_argv); --- base-commit: 92a09c47464d040866cf2b4cd052bc60555185fb change-id: 20250506-dm-past-array-boundaries-1fe2f5a1030f Best regards, -- Tudor Ambarus <tudor.ambarus(a)linaro.org>

8 months

3
2
0 0

[PATCH 6.6 0/2] PCI: imx6: Fix i.MX7D controller_id backport regression

by Ryan Matthews

Hello, This fixes an i.Mx 7D SoC PCIe regression caused by a backport mistake. The regression is broken PCIe initialization and for me a boot hang. I don't know how to organize this. I think a revert and redo best captures what's happening. To complicate things, it looks like the redo patch could also be applied to 5.4, 5.10, 5.15, and 6.1. But those versions don't have the original backport commit. Version 6.12 matches master and needs no change. One conflict resolution is needed to apply the redo patch back to versions 6.1 -> 5.15 -> 5.10. One more resolution to apply back to -> 5.4. Patches against those other versions aren't included here. -- Ryan Richard Zhu (1): PCI: imx6: Skip controller_id generation logic for i.MX7D Ryan Matthews (1): Revert "PCI: imx6: Skip controller_id generation logic for i.MX7D" drivers/pci/controller/dwc/pci-imx6.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) base-commit: 814637ca257f4faf57a73fd4e38888cce88b5911 -- 2.47.2

8 months

3
10
0 0

FAILED: patch "[PATCH] btrfs: fix the inode leak in btrfs_iget()" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 48c1d1bb525b1c44b8bdc8e7ec5629cb6c2b9fc4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050558-charger-crumpled-6ca4@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 48c1d1bb525b1c44b8bdc8e7ec5629cb6c2b9fc4 Mon Sep 17 00:00:00 2001 From: Penglei Jiang <superman.xpt(a)gmail.com> Date: Mon, 21 Apr 2025 08:40:29 -0700 Subject: [PATCH] btrfs: fix the inode leak in btrfs_iget() [BUG] There is a bug report that a syzbot reproducer can lead to the following busy inode at unmount time: BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50 VFS: Busy inodes after unmount of loop1 (btrfs) ------------[ cut here ]------------ kernel BUG at fs/super.c:650! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 #2 PREEMPT(full) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650 Call Trace: <TASK> kill_anon_super+0x3a/0x60 fs/super.c:1237 btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2099 deactivate_locked_super+0xbe/0x1a0 fs/super.c:473 deactivate_super fs/super.c:506 [inline] deactivate_super+0xe2/0x100 fs/super.c:502 cleanup_mnt+0x21f/0x440 fs/namespace.c:1435 task_work_run+0x14d/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x269/0x290 kernel/entry/common.c:218 do_syscall_64+0xd4/0x250 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> [CAUSE] When btrfs_alloc_path() failed, btrfs_iget() directly returned without releasing the inode already allocated by btrfs_iget_locked(). This results the above busy inode and trigger the kernel BUG. [FIX] Fix it by calling iget_failed() if btrfs_alloc_path() failed. If we hit error inside btrfs_read_locked_inode(), it will properly call iget_failed(), so nothing to worry about. Although the iget_failed() cleanup inside btrfs_read_locked_inode() is a break of the normal error handling scheme, let's fix the obvious bug and backport first, then rework the error handling later. Reported-by: Penglei Jiang <superman.xpt(a)gmail.com> Link: https://lore.kernel.org/linux-btrfs/20250421102425.44431-1-superman.xpt@gma… Fixes: 7c855e16ab72 ("btrfs: remove conditional path allocation in btrfs_read_locked_inode()") CC: stable(a)vger.kernel.org # 6.13+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Penglei Jiang <superman.xpt(a)gmail.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 312fa996a987..d295a37fa049 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -5682,8 +5682,10 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root) return inode; path = btrfs_alloc_path(); - if (!path) + if (!path) { + iget_failed(&inode->vfs_inode); return ERR_PTR(-ENOMEM); + } ret = btrfs_read_locked_inode(inode, path); btrfs_free_path(path);

8 months

4
3
0 0

FAILED: patch "[PATCH] platform/x86: alienware-wmi-wmax: Add support for Alienware" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 246f9bb62016c423972ea7f2335a8e0ed3521cde # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050557-trousers-boogeyman-3f93@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 246f9bb62016c423972ea7f2335a8e0ed3521cde Mon Sep 17 00:00:00 2001 From: Kurt Borja <kuurtb(a)gmail.com> Date: Sat, 19 Apr 2025 12:45:29 -0300 Subject: [PATCH] platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extend thermal control support to Alienware m15 R7. Cc: stable(a)vger.kernel.org Tested-by: Romain THERY <romain.thery(a)ik.me> Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> Link: https://lore.kernel.org/r/20250419-m15-r7-v1-1-18c6eaa27e25@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/dell/alienware-wmi-wmax.c b/drivers/platform/x86/dell/alienware-wmi-wmax.c index 3f9e1e986ecf..08b82c151e07 100644 --- a/drivers/platform/x86/dell/alienware-wmi-wmax.c +++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c @@ -69,6 +69,14 @@ static const struct dmi_system_id awcc_dmi_table[] __initconst = { }, .driver_data = &generic_quirks, }, + { + .ident = "Alienware m15 R7", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), + DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15 R7"), + }, + .driver_data = &generic_quirks, + }, { .ident = "Alienware m16 R1", .matches = {

8 months

3
2
0 0

[PATCH stable v6.6] riscv: Pass patch_text() the length in bytes

by Nam Cao

From: Samuel Holland <samuel.holland(a)sifive.com> [ Upstream commit 51781ce8f4486c3738a6c85175b599ad1be71f89 ] patch_text_nosync() already handles an arbitrary length of code, so this removes a superfluous loop and reduces the number of icache flushes. Reviewed-by: Björn Töpel <bjorn(a)rivosinc.com> Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> Reviewed-by: Conor Dooley <conor.dooley(a)microchip.com> Link: https://lore.kernel.org/r/20240327160520.791322-6-samuel.holland@sifive.com Signed-off-by: Palmer Dabbelt <palmer(a)rivosinc.com> [apply to v6.6] Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- this patch fixes a bug introduced by commit b1756750a397 ("riscv: kprobes: Use patch_text_nosync() for insn slots"), which replaced patch_text() with patch_text_nosync(). That is broken, because patch_text() and patch_text_nosync() takes different parameters (number of instruction vs patched length in bytes). This bug was reported in: https://lore.kernel.org/stable/c7e463c0-8cad-4f4e-addd-195c06b7b6de@iscas.a… --- arch/riscv/include/asm/patch.h | 2 +- arch/riscv/kernel/patch.c | 14 +++++--------- arch/riscv/kernel/probes/kprobes.c | 18 ++++++++++-------- arch/riscv/net/bpf_jit_comp64.c | 7 ++++--- 4 files changed, 20 insertions(+), 21 deletions(-) diff --git a/arch/riscv/include/asm/patch.h b/arch/riscv/include/asm/patch.h index 9f5d6e14c405..7228e266b9a1 100644 --- a/arch/riscv/include/asm/patch.h +++ b/arch/riscv/include/asm/patch.h @@ -9,7 +9,7 @@ int patch_insn_write(void *addr, const void *insn, size_t len); int patch_text_nosync(void *addr, const void *insns, size_t len); int patch_text_set_nosync(void *addr, u8 c, size_t len); -int patch_text(void *addr, u32 *insns, int ninsns); +int patch_text(void *addr, u32 *insns, size_t len); extern int riscv_patch_in_stop_machine; diff --git a/arch/riscv/kernel/patch.c b/arch/riscv/kernel/patch.c index 78387d843aa5..aeda87240dbc 100644 --- a/arch/riscv/kernel/patch.c +++ b/arch/riscv/kernel/patch.c @@ -19,7 +19,7 @@ struct patch_insn { void *addr; u32 *insns; - int ninsns; + size_t len; atomic_t cpu_count; }; @@ -234,14 +234,10 @@ NOKPROBE_SYMBOL(patch_text_nosync); static int patch_text_cb(void *data) { struct patch_insn *patch = data; - unsigned long len; - int i, ret = 0; + int ret = 0; if (atomic_inc_return(&patch->cpu_count) == num_online_cpus()) { - for (i = 0; ret == 0 && i < patch->ninsns; i++) { - len = GET_INSN_LENGTH(patch->insns[i]); - ret = patch_insn_write(patch->addr + i * len, &patch->insns[i], len); - } + ret = patch_insn_write(patch->addr, patch->insns, patch->len); /* * Make sure the patching store is effective *before* we * increment the counter which releases all waiting CPUs @@ -262,13 +258,13 @@ static int patch_text_cb(void *data) } NOKPROBE_SYMBOL(patch_text_cb); -int patch_text(void *addr, u32 *insns, int ninsns) +int patch_text(void *addr, u32 *insns, size_t len) { int ret; struct patch_insn patch = { .addr = addr, .insns = insns, - .ninsns = ninsns, + .len = len, .cpu_count = ATOMIC_INIT(0), }; diff --git a/arch/riscv/kernel/probes/kprobes.c b/arch/riscv/kernel/probes/kprobes.c index 4fbc70e823f0..297427ffc4e0 100644 --- a/arch/riscv/kernel/probes/kprobes.c +++ b/arch/riscv/kernel/probes/kprobes.c @@ -23,13 +23,13 @@ post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *); static void __kprobes arch_prepare_ss_slot(struct kprobe *p) { + size_t len = GET_INSN_LENGTH(p->opcode); u32 insn = __BUG_INSN_32; - unsigned long offset = GET_INSN_LENGTH(p->opcode); - p->ainsn.api.restore = (unsigned long)p->addr + offset; + p->ainsn.api.restore = (unsigned long)p->addr + len; - patch_text_nosync(p->ainsn.api.insn, &p->opcode, 1); - patch_text_nosync((void *)p->ainsn.api.insn + offset, &insn, 1); + patch_text_nosync(p->ainsn.api.insn, &p->opcode, len); + patch_text_nosync((void *)p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn)); } static void __kprobes arch_prepare_simulate(struct kprobe *p) @@ -116,16 +116,18 @@ void *alloc_insn_page(void) /* install breakpoint in text */ void __kprobes arch_arm_kprobe(struct kprobe *p) { - u32 insn = (p->opcode & __INSN_LENGTH_MASK) == __INSN_LENGTH_32 ? - __BUG_INSN_32 : __BUG_INSN_16; + size_t len = GET_INSN_LENGTH(p->opcode); + u32 insn = len == 4 ? __BUG_INSN_32 : __BUG_INSN_16; - patch_text(p->addr, &insn, 1); + patch_text(p->addr, &insn, len); } /* remove breakpoint from text */ void __kprobes arch_disarm_kprobe(struct kprobe *p) { - patch_text(p->addr, &p->opcode, 1); + size_t len = GET_INSN_LENGTH(p->opcode); + + patch_text(p->addr, &p->opcode, len); } void __kprobes arch_remove_kprobe(struct kprobe *p) diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c index 26eeb3973631..16eb4cd11cbd 100644 --- a/arch/riscv/net/bpf_jit_comp64.c +++ b/arch/riscv/net/bpf_jit_comp64.c @@ -14,6 +14,7 @@ #include "bpf_jit.h" #define RV_FENTRY_NINSNS 2 +#define RV_FENTRY_NBYTES (RV_FENTRY_NINSNS * 4) #define RV_REG_TCC RV_REG_A6 #define RV_REG_TCC_SAVED RV_REG_S6 /* Store A6 in S6 if program do calls */ @@ -681,7 +682,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type, if (ret) return ret; - if (memcmp(ip, old_insns, RV_FENTRY_NINSNS * 4)) + if (memcmp(ip, old_insns, RV_FENTRY_NBYTES)) return -EFAULT; ret = gen_jump_or_nops(new_addr, ip, new_insns, is_call); @@ -690,8 +691,8 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type, cpus_read_lock(); mutex_lock(&text_mutex); - if (memcmp(ip, new_insns, RV_FENTRY_NINSNS * 4)) - ret = patch_text(ip, new_insns, RV_FENTRY_NINSNS); + if (memcmp(ip, new_insns, RV_FENTRY_NBYTES)) + ret = patch_text(ip, new_insns, RV_FENTRY_NBYTES); mutex_unlock(&text_mutex); cpus_read_unlock(); -- 2.39.5

8 months

2
1
0 0

FAILED: patch "[PATCH] mm: page_alloc: speed up fallbacks in rmqueue_bulk()" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 90abee6d7895d5eef18c91d870d8168be4e76e9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042149-busily-amaretto-e684@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 90abee6d7895d5eef18c91d870d8168be4e76e9d Mon Sep 17 00:00:00 2001 From: Johannes Weiner <hannes(a)cmpxchg.org> Date: Mon, 7 Apr 2025 14:01:53 -0400 Subject: [PATCH] mm: page_alloc: speed up fallbacks in rmqueue_bulk() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test robot identified c2f6ea38fc1b ("mm: page_alloc: don't steal single pages from biggest buddy") as the root cause of a 56.4% regression in vm-scalability::lru-file-mmap-read. Carlos reports an earlier patch, c0cd6f557b90 ("mm: page_alloc: fix freelist movement during block conversion"), as the root cause for a regression in worst-case zone->lock+irqoff hold times. Both of these patches modify the page allocator's fallback path to be less greedy in an effort to stave off fragmentation. The flip side of this is that fallbacks are also less productive each time around, which means the fallback search can run much more frequently. Carlos' traces point to rmqueue_bulk() specifically, which tries to refill the percpu cache by allocating a large batch of pages in a loop. It highlights how once the native freelists are exhausted, the fallback code first scans orders top-down for whole blocks to claim, then falls back to a bottom-up search for the smallest buddy to steal. For the next batch page, it goes through the same thing again. This can be made more efficient. Since rmqueue_bulk() holds the zone->lock over the entire batch, the freelists are not subject to outside changes; when the search for a block to claim has already failed, there is no point in trying again for the next page. Modify __rmqueue() to remember the last successful fallback mode, and restart directly from there on the next rmqueue_bulk() iteration. Oliver confirms that this improves beyond the regression that the test robot reported against c2f6ea38fc1b: commit: f3b92176f4 ("tools/selftests: add guard region test for /proc/$pid/pagemap") c2f6ea38fc ("mm: page_alloc: don't steal single pages from biggest buddy") acc4d5ff0b ("Merge tag 'net-6.15-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net") 2c847f27c3 ("mm: page_alloc: speed up fallbacks in rmqueue_bulk()") <--- your patch f3b92176f4f7100f c2f6ea38fc1b640aa7a2e155cc1 acc4d5ff0b61eb1715c498b6536 2c847f27c37da65a93d23c237c5 ---------------- --------------------------- --------------------------- --------------------------- %stddev %change %stddev %change %stddev %change %stddev \ | \ | \ | \ 25525364 ± 3% -56.4% 11135467 -57.8% 10779336 +31.6% 33581409 vm-scalability.throughput Carlos confirms that worst-case times are almost fully recovered compared to before the earlier culprit patch: 2dd482ba627d (before freelist hygiene): 1ms c0cd6f557b90 (after freelist hygiene): 90ms next-20250319 (steal smallest buddy): 280ms this patch : 8ms [jackmanb(a)google.com: comment updates] Link: https://lkml.kernel.org/r/D92AC0P9594X.3BML64MUKTF8Z@google.com [hannes(a)cmpxchg.org: reset rmqueue_mode in rmqueue_buddy() error loop, per Yunsheng Lin] Link: https://lkml.kernel.org/r/20250409140023.GA2313@cmpxchg.org Link: https://lkml.kernel.org/r/20250407180154.63348-1-hannes@cmpxchg.org Fixes: c0cd6f557b90 ("mm: page_alloc: fix freelist movement during block conversion") Fixes: c2f6ea38fc1b ("mm: page_alloc: don't steal single pages from biggest buddy") Signed-off-by: Johannes Weiner <hannes(a)cmpxchg.org> Signed-off-by: Brendan Jackman <jackmanb(a)google.com> Reported-by: kernel test robot <oliver.sang(a)intel.com> Reported-by: Carlos Song <carlos.song(a)nxp.com> Tested-by: Carlos Song <carlos.song(a)nxp.com> Tested-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202503271547.fc08b188-lkp@intel.com Reviewed-by: Brendan Jackman <jackmanb(a)google.com> Tested-by: Shivank Garg <shivankg(a)amd.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [6.10+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 9a219fe8e130..1715e34b91af 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -2183,23 +2183,15 @@ try_to_claim_block(struct zone *zone, struct page *page, } /* - * Try finding a free buddy page on the fallback list. - * - * This will attempt to claim a whole pageblock for the requested type - * to ensure grouping of such requests in the future. - * - * If a whole block cannot be claimed, steal an individual page, regressing to - * __rmqueue_smallest() logic to at least break up as little contiguity as - * possible. + * Try to allocate from some fallback migratetype by claiming the entire block, + * i.e. converting it to the allocation's start migratetype. * * The use of signed ints for order and current_order is a deliberate * deviation from the rest of this file, to make the for loop * condition simpler. - * - * Return the stolen page, or NULL if none can be found. */ static __always_inline struct page * -__rmqueue_fallback(struct zone *zone, int order, int start_migratetype, +__rmqueue_claim(struct zone *zone, int order, int start_migratetype, unsigned int alloc_flags) { struct free_area *area; @@ -2237,14 +2229,29 @@ __rmqueue_fallback(struct zone *zone, int order, int start_migratetype, page = try_to_claim_block(zone, page, current_order, order, start_migratetype, fallback_mt, alloc_flags); - if (page) - goto got_one; + if (page) { + trace_mm_page_alloc_extfrag(page, order, current_order, + start_migratetype, fallback_mt); + return page; + } } - if (alloc_flags & ALLOC_NOFRAGMENT) - return NULL; + return NULL; +} + +/* + * Try to steal a single page from some fallback migratetype. Leave the rest of + * the block as its current migratetype, potentially causing fragmentation. + */ +static __always_inline struct page * +__rmqueue_steal(struct zone *zone, int order, int start_migratetype) +{ + struct free_area *area; + int current_order; + struct page *page; + int fallback_mt; + bool claim_block; - /* No luck claiming pageblock. Find the smallest fallback page */ for (current_order = order; current_order < NR_PAGE_ORDERS; current_order++) { area = &(zone->free_area[current_order]); fallback_mt = find_suitable_fallback(area, current_order, @@ -2254,25 +2261,28 @@ __rmqueue_fallback(struct zone *zone, int order, int start_migratetype, page = get_page_from_free_area(area, fallback_mt); page_del_and_expand(zone, page, order, current_order, fallback_mt); - goto got_one; + trace_mm_page_alloc_extfrag(page, order, current_order, + start_migratetype, fallback_mt); + return page; } return NULL; - -got_one: - trace_mm_page_alloc_extfrag(page, order, current_order, - start_migratetype, fallback_mt); - - return page; } +enum rmqueue_mode { + RMQUEUE_NORMAL, + RMQUEUE_CMA, + RMQUEUE_CLAIM, + RMQUEUE_STEAL, +}; + /* * Do the hard work of removing an element from the buddy allocator. * Call me with the zone->lock already held. */ static __always_inline struct page * __rmqueue(struct zone *zone, unsigned int order, int migratetype, - unsigned int alloc_flags) + unsigned int alloc_flags, enum rmqueue_mode *mode) { struct page *page; @@ -2291,16 +2301,48 @@ __rmqueue(struct zone *zone, unsigned int order, int migratetype, } } - page = __rmqueue_smallest(zone, order, migratetype); - if (unlikely(!page)) { - if (alloc_flags & ALLOC_CMA) + /* + * First try the freelists of the requested migratetype, then try + * fallbacks modes with increasing levels of fragmentation risk. + * + * The fallback logic is expensive and rmqueue_bulk() calls in + * a loop with the zone->lock held, meaning the freelists are + * not subject to any outside changes. Remember in *mode where + * we found pay dirt, to save us the search on the next call. + */ + switch (*mode) { + case RMQUEUE_NORMAL: + page = __rmqueue_smallest(zone, order, migratetype); + if (page) + return page; + fallthrough; + case RMQUEUE_CMA: + if (alloc_flags & ALLOC_CMA) { page = __rmqueue_cma_fallback(zone, order); - - if (!page) - page = __rmqueue_fallback(zone, order, migratetype, - alloc_flags); + if (page) { + *mode = RMQUEUE_CMA; + return page; + } + } + fallthrough; + case RMQUEUE_CLAIM: + page = __rmqueue_claim(zone, order, migratetype, alloc_flags); + if (page) { + /* Replenished preferred freelist, back to normal mode. */ + *mode = RMQUEUE_NORMAL; + return page; + } + fallthrough; + case RMQUEUE_STEAL: + if (!(alloc_flags & ALLOC_NOFRAGMENT)) { + page = __rmqueue_steal(zone, order, migratetype); + if (page) { + *mode = RMQUEUE_STEAL; + return page; + } + } } - return page; + return NULL; } /* @@ -2312,6 +2354,7 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order, unsigned long count, struct list_head *list, int migratetype, unsigned int alloc_flags) { + enum rmqueue_mode rmqm = RMQUEUE_NORMAL; unsigned long flags; int i; @@ -2323,7 +2366,7 @@ static int rmqueue_bulk(struct zone *zone, unsigned int order, } for (i = 0; i < count; ++i) { struct page *page = __rmqueue(zone, order, migratetype, - alloc_flags); + alloc_flags, &rmqm); if (unlikely(page == NULL)) break; @@ -2948,7 +2991,9 @@ struct page *rmqueue_buddy(struct zone *preferred_zone, struct zone *zone, if (alloc_flags & ALLOC_HIGHATOMIC) page = __rmqueue_smallest(zone, order, MIGRATE_HIGHATOMIC); if (!page) { - page = __rmqueue(zone, order, migratetype, alloc_flags); + enum rmqueue_mode rmqm = RMQUEUE_NORMAL; + + page = __rmqueue(zone, order, migratetype, alloc_flags, &rmqm); /* * If the allocation fails, allow OOM handling and

8 months

2
2
0 0

RE: Enhance Your Campaigns

by brielle.hayes＠softwareuserzone.info

Hi there, I wanted to follow up on my earlier message. Whenever you have a moment, I'd love to hear your feedback. Best regards, Brielle _____ From: Brielle Hayes Sent: Friday, May 2, 2025 9:04 AM To: linux-stable-mirror(a)lists.linaro.org <mailto:linux-stable-mirror@lists.linaro.org> Subject: Enhance Your Campaigns Hi there, I hope you're doing well. Would you be interested in acquiring our opt-in data list for mobile analytics platform users and customers worldwide? We also provide current Users and Clients data lists for: * Branch * Adjust * Mixpanel * AppsFlyer * CleverTap * Amplitude Analytics * Braze * Singular * Tenjin & many more...! If this sounds relevant, I'd be happy to share more details along with a sample for your review. Best regards, Brielle Hayes | Marketing Executive Reply with "Remove" if you no longer wish to receive emails.

8 months

1
0
0 0

[PATCH 5.15 00/55] 5.15.182-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.182 release. There are 55 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.182-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.182-rc1 Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Use the new rb tree helpers Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Stephan Gerhold <stephan.gerhold(a)linaro.org> serial: msm: Configure correct working mode before starting earlycon Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Thomas Gleixner <tglx(a)linutronix.de> irqchip/gic-v2m: Mark a few functions __init Xiang wangx <wangxiang(a)cdjrlc.com> irqchip/gic-v2m: Add const to of_device_id Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix deadlock issue when externel_lb and reset are executed together Sergey Shtylyov <s.shtylyov(a)omp.ru> of: module: add buffer overflow check in of_modalias() Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: add support for external loopback test Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Brett Creeley <brett.creeley(a)intel.com> ice: Refactor promiscuous functions Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Biao Huang <biao.huang(a)mediatek.com> net: ethernet: mtk-star-emac: separate tx/rx handling with two NAPIs Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Jakub Kicinski <kuba(a)kernel.org> net/sched: act_mirred: don't override retval if we already lost the skb Sean Christopherson <seanjc(a)google.com> KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/x86/include/asm/kvm-x86-ops.h | 1 + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/svm.c | 13 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/x86.c | 3 + drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_scmi/bus.c | 3 + drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 ++--- drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v2m.c | 8 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 ++- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 119 ++++++-- drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 3 + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 61 ++-- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 26 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_fltr.c | 58 ++++ drivers/net/ethernet/intel/ice/ice_fltr.h | 12 + drivers/net/ethernet/intel/ice/ice_main.c | 49 +-- drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 139 ++++----- drivers/net/ethernet/mediatek/mtk_star_emac.c | 339 ++++++++++++--------- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/phy/microchip.c | 46 +-- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/nvme/host/tcp.c | 31 +- drivers/of/device.c | 7 +- drivers/pci/controller/dwc/pci-imx6.c | 5 +- drivers/tty/serial/msm_serial.c | 6 + kernel/trace/trace.c | 5 +- net/ipv4/udp_offload.c | 61 +++- net/sched/act_mirred.c | 22 +- net/sched/sch_drr.c | 9 +- net/sched/sch_ets.c | 9 +- net/sched/sch_hfsc.c | 2 +- net/sched/sch_qfq.c | 11 +- sound/usb/format.c | 3 +- 66 files changed, 932 insertions(+), 505 deletions(-)

8 months

5
61
0 0

[PATCH 6.1 00/97] 6.1.138-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.138 release. There are 97 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.138-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.138-rc1 Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Rob Herring (Arm) <robh(a)kernel.org> ASoC: Use of_property_read_bool() Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Bhawanpreet Lakha <bhawanpreet.lakha(a)amd.com> drm/amd/display: Change HDCP update sequence for DM Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Clean up style problems in amdgpu_dm_hdcp.c hersen wu <hersenxs.wu(a)amd.com> drm/amd/display: phase2 enable mst hdcp multiple displays Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Use the new rb tree helpers Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Thomas Gleixner <tglx(a)linutronix.de> irqchip/gic-v2m: Mark a few functions __init Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "x86/kexec: Allocate PGD for x86_64 transition page tables separately" Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Yu Kuai <yukuai3(a)huawei.com> md: move initialization and destruction of 'io_acct_set' to md.c Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Sean Christopherson <seanjc(a)google.com> KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Darrick J. Wong <djwong(a)kernel.org> xfs: restrict when we try to align cow fork delalloc to cowextsz hints Darrick J. Wong <djwong(a)kernel.org> xfs: allow unlinked symlinks and dirs with zero size Christoph Hellwig <hch(a)lst.de> xfs: fix freeing speculative preallocations for preallocated files Wengang Wang <wen.gang.wang(a)oracle.com> xfs: make sure sb_fdblocks is non-negative Darrick J. Wong <djwong(a)kernel.org> xfs: allow symlinks with short remote targets Zhang Yi <yi.zhang(a)huawei.com> xfs: convert delayed extents to unwritten when zeroing post eof blocks Zhang Yi <yi.zhang(a)huawei.com> xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset Zhang Yi <yi.zhang(a)huawei.com> xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional Zhang Yi <yi.zhang(a)huawei.com> xfs: match lock mode in xfs_buffered_write_iomap_begin() Darrick J. Wong <djwong(a)kernel.org> xfs: revert commit 44af6c7e59b12 Darrick J. Wong <djwong(a)kernel.org> xfs: validate recovered name buffers when recovering xattr items Darrick J. Wong <djwong(a)kernel.org> xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 Darrick J. Wong <djwong(a)kernel.org> xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery Christoph Hellwig <hch(a)lst.de> xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent Christoph Hellwig <hch(a)lst.de> xfs: fix xfs_bmap_add_extent_delay_real for partial conversions Christoph Hellwig <hch(a)lst.de> xfs: fix error returns from xfs_bmapi_write Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/kexec.h | 18 +- arch/x86/include/asm/kvm-x86-ops.h | 1 + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kernel/machine_kexec_64.c | 45 ++- arch/x86/kvm/svm/svm.c | 13 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/x86.c | 3 + drivers/cpufreq/cpufreq.c | 42 ++- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 6 +- drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 417 ++++++++++++--------- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.h | 5 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 ++-- drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v2m.c | 8 +- drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 3 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/md/md.c | 27 +- drivers/md/md.h | 2 - drivers/md/raid0.c | 16 +- drivers/md/raid5.c | 41 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 +- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 ++-- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 194 +++++++++- drivers/net/ethernet/mscc/ocelot_vcap.c | 1 + drivers/net/ethernet/vertexcom/mse102x.c | 36 +- drivers/net/phy/microchip.c | 46 +-- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/tcp.c | 31 +- drivers/pci/controller/dwc/pci-imx6.c | 5 +- .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- fs/smb/server/auth.c | 14 +- fs/smb/server/smb2pdu.c | 5 - fs/xfs/libxfs/xfs_attr_remote.c | 1 - fs/xfs/libxfs/xfs_bmap.c | 130 +++++-- fs/xfs/libxfs/xfs_da_btree.c | 20 +- fs/xfs/libxfs/xfs_inode_buf.c | 49 ++- fs/xfs/libxfs/xfs_sb.c | 7 +- fs/xfs/scrub/attr.c | 5 + fs/xfs/xfs_aops.c | 54 +-- fs/xfs/xfs_attr_item.c | 88 ++++- fs/xfs/xfs_bmap_util.c | 65 ++-- fs/xfs/xfs_bmap_util.h | 2 +- fs/xfs/xfs_dquot.c | 1 - fs/xfs/xfs_icache.c | 2 +- fs/xfs/xfs_inode.c | 14 +- fs/xfs/xfs_iomap.c | 81 ++-- fs/xfs/xfs_reflink.c | 20 - fs/xfs/xfs_rtalloc.c | 2 - include/linux/cpufreq.h | 83 ++-- include/soc/mscc/ocelot_vcap.h | 2 + kernel/trace/trace.c | 5 +- mm/memcontrol.c | 9 + net/ipv4/udp_offload.c | 61 ++- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- sound/soc/codecs/ak4613.c | 4 +- sound/soc/soc-core.c | 36 +- sound/soc/soc-pcm.c | 5 +- sound/usb/format.c | 3 +- 103 files changed, 1480 insertions(+), 847 deletions(-)

8 months

6
106
0 0

[PATCH v3 1/3] media: videobuf2: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() functions have to be called with the number of elements originally passed to dma_map_sg_*() function, not the one returned in sgt->nents. Fixes: d4db5eb57cab ("media: videobuf2: add begin/end cpu_access callbacks to dma-sg") CC: stable(a)vger.kernel.org Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index c6ddf2357c58..b3bf2173c14e 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -469,7 +469,7 @@ vb2_dma_sg_dmabuf_ops_begin_cpu_access(struct dma_buf *dbuf, struct vb2_dma_sg_buf *buf = dbuf->priv; struct sg_table *sgt = buf->dma_sgt; - dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); + dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir); return 0; } @@ -480,7 +480,7 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(struct dma_buf *dbuf, struct vb2_dma_sg_buf *buf = dbuf->priv; struct sg_table *sgt = buf->dma_sgt; - dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); + dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir); return 0; } -- 2.34.1

8 months

3
2
0 0

[PATCH] spi: tegra114: Use value to check for invalid delays

by Aaron Kling via B4 Relay

From: Aaron Kling <webgeek1234(a)gmail.com> A delay unit of 0 is a valid entry, thus it is not valid to check for unused delays. Instead, check the value field; if that is zero, the given delay is unset. Fixes: 4426e6b4ecf6 ("spi: tegra114: Don't fail set_cs_timing when delays are zero") Cc: stable(a)vger.kernel.org Signed-off-by: Aaron Kling <webgeek1234(a)gmail.com> --- drivers/spi/spi-tegra114.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c index 2a8bb798e95b954fe573f1c50445ed2e7fcbfd78..795a8482c2c700c3768bd50bf59971256893a486 100644 --- a/drivers/spi/spi-tegra114.c +++ b/drivers/spi/spi-tegra114.c @@ -728,9 +728,9 @@ static int tegra_spi_set_hw_cs_timing(struct spi_device *spi) u32 inactive_cycles; u8 cs_state; - if ((setup->unit && setup->unit != SPI_DELAY_UNIT_SCK) || - (hold->unit && hold->unit != SPI_DELAY_UNIT_SCK) || - (inactive->unit && inactive->unit != SPI_DELAY_UNIT_SCK)) { + if ((setup->value && setup->unit != SPI_DELAY_UNIT_SCK) || + (hold->value && hold->unit != SPI_DELAY_UNIT_SCK) || + (inactive->value && inactive->unit != SPI_DELAY_UNIT_SCK)) { dev_err(&spi->dev, "Invalid delay unit %d, should be SPI_DELAY_UNIT_SCK\n", SPI_DELAY_UNIT_SCK); --- base-commit: 0d8d44db295ccad20052d6301ef49ff01fb8ae2d change-id: 20250506-spi-tegra114-fixup-dbf6730db087 Best regards, -- Aaron Kling <webgeek1234(a)gmail.com>

8 months

4
3
0 0

[PATCH v5 0/1] kasan: Avoid sleepable page allocation from atomic context

by Alexander Gordeev

Hi All, Chages since v4: - unused pages leak is avoided Chages since v3: - pfn_to_virt() changed to page_to_virt() due to compile error Chages since v2: - page allocation moved out of the atomic context Chages since v1: - Fixes: and -stable tags added to the patch description Thanks! Alexander Gordeev (1): kasan: Avoid sleepable page allocation from atomic context mm/kasan/shadow.c | 77 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 63 insertions(+), 14 deletions(-) -- 2.45.2

8 months

2
3
0 0

[PATCH] scsi: smartpqi: Fix the race condition between pqi_tmf_worker and pqi_sdev_destroy

by Zhu Wei

There is a race condition between pqi_sdev_destroy and pqi_tmf_worker. After pqi_free_device is released, pqi_tmf_worker will still use device. kasan report: [ 1933.765810] ================================================================== [ 1933.771862] scsi 15:0:20:0: Direct-Access ATA WDC WUH722222AL WTS2 PQ: 0 ANSI: 6 [ 1933.779190] BUG: KASAN: use-after-free in pqi_device_wait_for_pending_io+0x9e/0x600 [smartpqi] [ 1933.779194] Read of size 4 at addr ffff88954c490480 by task kworker/2:2/518186 [ 1933.779201] CPU: 2 PID: 518186 Comm: kworker/2:2 Kdump: loaded Tainted: G U OE 4.19.90-89.16.v2401.osc.sfc.6.11.1.0108.ky10.x86_64+debug #1 [ 1933.779203] Source Version: v6.11.1.0108+0~65323201.20250328 [ 1933.779205] Hardware name: SANGFOR S2122-S12L/ASERVER-P-2000, BIOS TYR.2.00.0100 05/18/2019 [ 1933.779213] Workqueue: events pqi_tmf_worker [smartpqi] [ 1933.779216] Call Trace: [ 1933.779225] dump_stack+0x8b/0xb9 [ 1933.779239] print_address_description+0x65/0x2b0 [ 1933.779249] kasan_report+0x14b/0x290 [ 1933.779255] pqi_device_wait_for_pending_io+0x9e/0x600 [smartpqi] [ 1933.779264] pqi_device_reset_handler+0x174f/0x1f30 [smartpqi] [ 1933.779284] process_one_work+0x65f/0x12d0 [ 1933.806306] worker_thread+0x87/0xb50 [ 1933.806315] kthread+0x2e9/0x3a0 [ 1933.806323] ret_from_fork+0x1f/0x40 [ 1933.843994] Allocated by task 579094: [ 1933.875361] save_stack+0x19/0x80 [ 1933.892366] kasan_kmalloc+0xa0/0xd0 [ 1933.892373] kmem_cache_alloc+0xbb/0x1c0 [ 1933.892378] getname_flags+0xba/0x500 [ 1933.892384] user_path_at_empty+0x1d/0x40 [ 1933.892389] vfs_statx+0xb9/0x140 [ 1933.892397] __do_sys_newstat+0x77/0xd0 [ 1933.913179] do_syscall_64+0xa4/0x430 [ 1933.913187] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 1933.933381] Freed by task 579094: [ 1933.933389] save_stack+0x19/0x80 [ 1933.933392] __kasan_slab_free+0x130/0x180 [ 1933.933396] kmem_cache_free+0x78/0x1e0 [ 1933.933401] filename_lookup+0x216/0x400 [ 1933.933405] vfs_statx+0xb9/0x140 [ 1933.933407] __do_sys_newstat+0x77/0xd0 [ 1933.933417] do_syscall_64+0xa4/0x430 [ 1933.933432] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 1933.956837] [ 1933.956842] The buggy address belongs to the object at ffff88954c490000 which belongs to the cache names_cache of size 4096 [ 1933.956845] The buggy address is located 1152 bytes inside of 4096-byte region [ffff88954c490000, ffff88954c491000) [ 1933.956851] The buggy address belongs to the page: [ 1934.297352] page:ffffea0055312400 count:1 mapcount:0 mapping:ffff888100580f00 index:0x0 compound_mapcount: 0 [ 1934.309566] flags: 0x57ffffc0008100(slab|head) [ 1934.316370] raw: 0057ffffc0008100 0000000000000000 dead000000000200 ffff888100580f00 [ 1934.326518] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 [ 1934.338191] page dumped because: kasan: bad access detected [ 1934.346177] [ 1934.350031] Memory state around the buggy address: [ 1934.357220] ffff88954c490380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.366854] ffff88954c490400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.376474] >ffff88954c490480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.386094] ^ [ 1934.391684] ffff88954c490500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.402601] ffff88954c490580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1934.412228] ================================================================== Before pqi_sdev_destroy executes pqi_free_device, cancel the pqi_tmf_worker of the corresponding device. Fixes: 2d80f4054f7f ("scsi: smartpqi: Update deleting a LUN via sysfs") Signed-off-by: Zhu Wei <zhuwei(a)sangfor.com.cn> --- drivers/scsi/smartpqi/smartpqi_init.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c index 8a26eca4fdc9..102ed7501f08 100644 --- a/drivers/scsi/smartpqi/smartpqi_init.c +++ b/drivers/scsi/smartpqi/smartpqi_init.c @@ -6581,6 +6581,8 @@ static void pqi_sdev_destroy(struct scsi_device *sdev) struct pqi_scsi_dev *device; int mutex_acquired; unsigned long flags; + unsigned int lun; + struct pqi_tmf_work *tmf_work; ctrl_info = shost_to_hba(sdev->host); @@ -6607,6 +6609,8 @@ static void pqi_sdev_destroy(struct scsi_device *sdev) mutex_unlock(&ctrl_info->scan_mutex); pqi_dev_info(ctrl_info, "removed", device); + for (lun = 0, tmf_work = device->tmf_work; lun < PQI_MAX_LUNS_PER_DEVICE; lun++, tmf_work++) + cancel_work_sync(&tmf_work->work_struct); pqi_free_device(device); } -- 2.43.0

8 months

2
1
0 0

[PATCH] drm/dp: Fix Write_Status_Update_Request AUX request format

by Wayne Lin

[Why] Notice AUX request format of I2C-over-AUX with Write_Status_Update_Request flag set is incorrect. It should be address only request without length and data like: "SYNC->COM3:0 (= 0110)|0000-> 0000|0000-> 0|7-bit I2C address (the same as the last)-> STOP->". [How] Refer to DP v2.1 Table 2-178, correct the Write_Status_Update_Request to be address only request. Note that we might receive 0 returned by aux->transfer() when receive reply I2C_ACK|AUX_ACK of Write_Status_Update_Request transaction. Which indicating all data bytes get written. We should avoid to return 0 bytes get transferred under this case. Fixes: 68ec2a2a2481 ("drm/dp: Use I2C_WRITE_STATUS_UPDATE to drain partial I2C_WRITE requests") Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> --- drivers/gpu/drm/display/drm_dp_helper.c | 45 +++++++++++++++++++++---- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c index 57828f2b7b5a..0c8cba7ed875 100644 --- a/drivers/gpu/drm/display/drm_dp_helper.c +++ b/drivers/gpu/drm/display/drm_dp_helper.c @@ -1857,6 +1857,12 @@ static u32 drm_dp_i2c_functionality(struct i2c_adapter *adapter) I2C_FUNC_10BIT_ADDR; } +static inline bool +drm_dp_i2c_msg_is_write_status_update(struct drm_dp_aux_msg *msg) +{ + return ((msg->request & ~DP_AUX_I2C_MOT) == DP_AUX_I2C_WRITE_STATUS_UPDATE); +} + static void drm_dp_i2c_msg_write_status_update(struct drm_dp_aux_msg *msg) { /* @@ -1965,6 +1971,7 @@ MODULE_PARM_DESC(dp_aux_i2c_speed_khz, static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) { unsigned int retry, defer_i2c; + struct drm_dp_aux_msg orig_msg = *msg; int ret; /* * DP1.2 sections 2.7.7.1.5.6.1 and 2.7.7.1.6.6.1: A DP Source device @@ -1976,6 +1983,12 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) int max_retries = max(7, drm_dp_i2c_retry_count(msg, dp_aux_i2c_speed_khz)); for (retry = 0, defer_i2c = 0; retry < (max_retries + defer_i2c); retry++) { + if (drm_dp_i2c_msg_is_write_status_update(msg)) { + /* Address only transaction */ + msg->buffer = NULL; + msg->size = 0; + } + ret = aux->transfer(aux, msg); if (ret < 0) { if (ret == -EBUSY) @@ -1993,7 +2006,7 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) else drm_dbg_kms(aux->drm_dev, "%s: transaction failed: %d\n", aux->name, ret); - return ret; + goto out; } @@ -2008,7 +2021,8 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) case DP_AUX_NATIVE_REPLY_NACK: drm_dbg_kms(aux->drm_dev, "%s: native nack (result=%d, size=%zu)\n", aux->name, ret, msg->size); - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; case DP_AUX_NATIVE_REPLY_DEFER: drm_dbg_kms(aux->drm_dev, "%s: native defer\n", aux->name); @@ -2027,24 +2041,35 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) default: drm_err(aux->drm_dev, "%s: invalid native reply %#04x\n", aux->name, msg->reply); - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; } switch (msg->reply & DP_AUX_I2C_REPLY_MASK) { case DP_AUX_I2C_REPLY_ACK: + /* + * When I2C write firstly get defer and get ack after + * retries by wirte_status_update, we have to return + * all data bytes get transferred instead of 0. + */ + if (drm_dp_i2c_msg_is_write_status_update(msg) && ret == 0) + ret = orig_msg.size; + /* * Both native ACK and I2C ACK replies received. We * can assume the transfer was successful. */ if (ret != msg->size) drm_dp_i2c_msg_write_status_update(msg); - return ret; + + goto out; case DP_AUX_I2C_REPLY_NACK: drm_dbg_kms(aux->drm_dev, "%s: I2C nack (result=%d, size=%zu)\n", aux->name, ret, msg->size); aux->i2c_nack_count++; - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; case DP_AUX_I2C_REPLY_DEFER: drm_dbg_kms(aux->drm_dev, "%s: I2C defer\n", aux->name); @@ -2063,12 +2088,18 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) default: drm_err(aux->drm_dev, "%s: invalid I2C reply %#04x\n", aux->name, msg->reply); - return -EREMOTEIO; + ret = -EREMOTEIO; + goto out; } } drm_dbg_kms(aux->drm_dev, "%s: Too many retries, giving up\n", aux->name); - return -EREMOTEIO; + ret = -EREMOTEIO; +out: + /* In case we change original msg by Write_Status_Update*/ + msg->buffer = orig_msg.buffer; + msg->size = orig_msg.size; + return ret; } static void drm_dp_i2c_msg_set_request(struct drm_dp_aux_msg *msg, -- 2.43.0

8 months

4
6
0 0

[PATCH v4 00/25] Add support for HEVC and VP9 codecs in decoder

by Dikshita Agarwal

Hi All, This patch series adds initial support for the HEVC(H.265) and VP9 codecs in iris decoder. The objective of this work is to extend the decoder's capabilities to handle HEVC and VP9 codec streams, including necessary format handling and buffer management. In addition, the series also includes a set of fixes to address issues identified during testing of these additional codecs. These patches also address the comments and feedback received from the RFC patches previously sent. I have made the necessary improvements based on the community's suggestions. Changes in v4: - Splitted patch patch 06/23 in two patches (Bryan) - Simplified the conditional logic in patch 13/23 (Bryan) - Improved commit description for patch patch 13/23 (Nicolas) - Fix the value of H265_NUM_TILE_ROW macro (Neil) - Link to v3: https://lore.kernel.org/r/20250502-qcom-iris-hevc-vp9-v3-0-552158a10a7d@qui… Changes in v3: - Introduced two wrappers with explicit names to handle destroy internal buffers (Nicolas) - Used sub state check instead of introducing new boolean (Vikash) - Addressed other comments (Vikash) - Reorderd patches to have all fixes patches first (Dmitry) - Link to v2: https://lore.kernel.org/r/20250428-qcom-iris-hevc-vp9-v2-0-3a6013ecb8a5@qui… Changes in v2: - Added Changes to make sure all buffers are released in session close (bryna) - Added tracking for flush responses to fix a timing issue. - Added a handling to fix timing issue in reconfig - Splitted patch 06/20 in two patches (Bryan) - Added missing fixes tag (bryan) - Updated fluster report (Nicolas) - Link to v1: https://lore.kernel.org/r/20250408-iris-dec-hevc-vp9-v1-0-acd258778bd6@quic… Changes sinces RFC: - Added additional fixes to address issues identified during further testing. - Moved typo fix to a seperate patch [Neil] - Reordered the patches for better logical flow and clarity [Neil, Dmitry] - Added fixes tag wherever applicable [Neil, Dmitry] - Removed the default case in the switch statement for codecs [Bryan] - Replaced if-else statements with switch-case [Bryan] - Added comments for mbpf [Bryan] - RFC: https://lore.kernel.org/linux-media/20250305104335.3629945-1-quic_dikshita@… This patch series depends on [1] & [2] [1] https://lore.kernel.org/linux-media/20250417-topic-sm8x50-iris-v10-v7-0-f02… [2] https://lore.kernel.org/linux-media/20250424-qcs8300_iris-v5-0-f118f505c300… These patches are tested on SM8250 and SM8550 with v4l2-ctl and Gstreamer for HEVC and VP9 decoders, at the same time ensured that the existing H264 decoder functionality remains uneffected. Note: 1 of the fluster compliance test is fixed with firmware [3] [3]: https://lore.kernel.org/linux-firmware/1a511921-446d-cdc4-0203-084c88a5dc1e… The result of fluster test on SM8550: 131/147 testcases passed while testing JCT-VC-HEVC_V1 with GStreamer-H.265-V4L2-Gst1.0. The failing test case: - 10 testcases failed due to unsupported 10 bit format. - DBLK_A_MAIN10_VIXS_4 - INITQP_B_Main10_Sony_1 - TSUNEQBD_A_MAIN10_Technicolor_2 - WP_A_MAIN10_Toshiba_3 - WP_MAIN10_B_Toshiba_3 - WPP_A_ericsson_MAIN10_2 - WPP_B_ericsson_MAIN10_2 - WPP_C_ericsson_MAIN10_2 - WPP_E_ericsson_MAIN10_2 - WPP_F_ericsson_MAIN10_2 - 4 testcase failed due to unsupported resolution - PICSIZE_A_Bossen_1 - PICSIZE_B_Bossen_1 - WPP_D_ericsson_MAIN10_2 - WPP_D_ericsson_MAIN_2 - 2 testcase failed due to CRC mismatch - RAP_A_docomo_6 - RAP_B_Bossen_2 - BUG reported: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4392 Analysis - First few frames in this discarded by firmware and are sent to driver with 0 filled length. Driver send such buffers to client with timestamp 0 and payload set to 0 and make buf state to VB2_BUF_STATE_ERROR. Such buffers should be dropped by GST. But instead, the first frame displayed as green frame and when a valid buffer is sent to client later with same 0 timestamp, its dropped, leading to CRC mismatch for first frame. 235/305 testcases passed while testing VP9-TEST-VECTORS with GStreamer-VP9-V4L2-Gst1.0. The failing test case: - 64 testcases failed due to unsupported resolution - vp90-2-02-size-08x08.webm - vp90-2-02-size-08x10.webm - vp90-2-02-size-08x16.webm - vp90-2-02-size-08x18.webm - vp90-2-02-size-08x32.webm - vp90-2-02-size-08x34.webm - vp90-2-02-size-08x64.webm - vp90-2-02-size-08x66.webm - vp90-2-02-size-10x08.webm - vp90-2-02-size-10x10.webm - vp90-2-02-size-10x16.webm - vp90-2-02-size-10x18.webm - vp90-2-02-size-10x32.webm - vp90-2-02-size-10x34.webm - vp90-2-02-size-10x64.webm - vp90-2-02-size-10x66.webm - vp90-2-02-size-16x08.webm - vp90-2-02-size-16x10.webm - vp90-2-02-size-16x16.webm - vp90-2-02-size-16x18.webm - vp90-2-02-size-16x32.webm - vp90-2-02-size-16x34.webm - vp90-2-02-size-16x64.webm - vp90-2-02-size-16x66.webm - vp90-2-02-size-18x08.webm - vp90-2-02-size-18x10.webm - vp90-2-02-size-18x16.webm - vp90-2-02-size-18x18.webm - vp90-2-02-size-18x32.webm - vp90-2-02-size-18x34.webm - vp90-2-02-size-18x64.webm - vp90-2-02-size-18x66.webm - vp90-2-02-size-32x08.webm - vp90-2-02-size-32x10.webm - vp90-2-02-size-32x16.webm - vp90-2-02-size-32x18.webm - vp90-2-02-size-32x32.webm - vp90-2-02-size-32x34.webm - vp90-2-02-size-32x64.webm - vp90-2-02-size-32x66.webm - vp90-2-02-size-34x08.webm - vp90-2-02-size-34x10.webm - vp90-2-02-size-34x16.webm - vp90-2-02-size-34x18.webm - vp90-2-02-size-34x32.webm - vp90-2-02-size-34x34.webm - vp90-2-02-size-34x64.webm - vp90-2-02-size-34x66.webm - vp90-2-02-size-64x08.webm - vp90-2-02-size-64x10.webm - vp90-2-02-size-64x16.webm - vp90-2-02-size-64x18.webm - vp90-2-02-size-64x32.webm - vp90-2-02-size-64x34.webm - vp90-2-02-size-64x64.webm - vp90-2-02-size-64x66.webm - vp90-2-02-size-66x08.webm - vp90-2-02-size-66x10.webm - vp90-2-02-size-66x16.webm - vp90-2-02-size-66x18.webm - vp90-2-02-size-66x32.webm - vp90-2-02-size-66x34.webm - vp90-2-02-size-66x64.webm - vp90-2-02-size-66x66.webm - 2 testcases failed due to unsupported format - vp91-2-04-yuv422.webm - vp91-2-04-yuv444.webm - 1 testcase failed with CRC mismatch - vp90-2-22-svc_1280x720_3.ivf - Bug reported: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4371 - 2 testcase failed due to unsupported resolution after sequence change - vp90-2-21-resize_inter_320x180_5_1-2.webm - vp90-2-21-resize_inter_320x180_7_1-2.webm - 1 testcase failed due to unsupported stream - vp90-2-16-intra-only.webm The result of fluster test on SM8250: 133/147 testcases passed while testing JCT-VC-HEVC_V1 with GStreamer-H.265-V4L2-Gst1.0. The failing test case: - 10 testcases failed due to unsupported 10 bit format. - DBLK_A_MAIN10_VIXS_4 - INITQP_B_Main10_Sony_1 - TSUNEQBD_A_MAIN10_Technicolor_2 - WP_A_MAIN10_Toshiba_3 - WP_MAIN10_B_Toshiba_3 - WPP_A_ericsson_MAIN10_2 - WPP_B_ericsson_MAIN10_2 - WPP_C_ericsson_MAIN10_2 - WPP_E_ericsson_MAIN10_2 - WPP_F_ericsson_MAIN10_2 - 4 testcase failed due to unsupported resolution - PICSIZE_A_Bossen_1 - PICSIZE_B_Bossen_1 - WPP_D_ericsson_MAIN10_2 - WPP_D_ericsson_MAIN_2 232/305 testcases passed while testing VP9-TEST-VECTORS with GStreamer-VP9-V4L2-Gst1.0. The failing test case: - 64 testcases failed due to unsupported resolution - vp90-2-02-size-08x08.webm - vp90-2-02-size-08x10.webm - vp90-2-02-size-08x16.webm - vp90-2-02-size-08x18.webm - vp90-2-02-size-08x32.webm - vp90-2-02-size-08x34.webm - vp90-2-02-size-08x64.webm - vp90-2-02-size-08x66.webm - vp90-2-02-size-10x08.webm - vp90-2-02-size-10x10.webm - vp90-2-02-size-10x16.webm - vp90-2-02-size-10x18.webm - vp90-2-02-size-10x32.webm - vp90-2-02-size-10x34.webm - vp90-2-02-size-10x64.webm - vp90-2-02-size-10x66.webm - vp90-2-02-size-16x08.webm - vp90-2-02-size-16x10.webm - vp90-2-02-size-16x16.webm - vp90-2-02-size-16x18.webm - vp90-2-02-size-16x32.webm - vp90-2-02-size-16x34.webm - vp90-2-02-size-16x64.webm - vp90-2-02-size-16x66.webm - vp90-2-02-size-18x08.webm - vp90-2-02-size-18x10.webm - vp90-2-02-size-18x16.webm - vp90-2-02-size-18x18.webm - vp90-2-02-size-18x32.webm - vp90-2-02-size-18x34.webm - vp90-2-02-size-18x64.webm - vp90-2-02-size-18x66.webm - vp90-2-02-size-32x08.webm - vp90-2-02-size-32x10.webm - vp90-2-02-size-32x16.webm - vp90-2-02-size-32x18.webm - vp90-2-02-size-32x32.webm - vp90-2-02-size-32x34.webm - vp90-2-02-size-32x64.webm - vp90-2-02-size-32x66.webm - vp90-2-02-size-34x08.webm - vp90-2-02-size-34x10.webm - vp90-2-02-size-34x16.webm - vp90-2-02-size-34x18.webm - vp90-2-02-size-34x32.webm - vp90-2-02-size-34x34.webm - vp90-2-02-size-34x64.webm - vp90-2-02-size-34x66.webm - vp90-2-02-size-64x08.webm - vp90-2-02-size-64x10.webm - vp90-2-02-size-64x16.webm - vp90-2-02-size-64x18.webm - vp90-2-02-size-64x32.webm - vp90-2-02-size-64x34.webm - vp90-2-02-size-64x64.webm - vp90-2-02-size-64x66.webm - vp90-2-02-size-66x08.webm - vp90-2-02-size-66x10.webm - vp90-2-02-size-66x16.webm - vp90-2-02-size-66x18.webm - vp90-2-02-size-66x32.webm - vp90-2-02-size-66x34.webm - vp90-2-02-size-66x64.webm - vp90-2-02-size-66x66.webm - 2 testcases failed due to unsupported format - vp91-2-04-yuv422.webm - vp91-2-04-yuv444.webm - 1 testcase failed with CRC mismatch - vp90-2-22-svc_1280x720_3.ivf - Bug raised: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4371 - 5 testcase failed due to unsupported resolution after sequence change - vp90-2-21-resize_inter_320x180_5_1-2.webm - vp90-2-21-resize_inter_320x180_7_1-2.webm - vp90-2-21-resize_inter_320x240_5_1-2.webm - vp90-2-21-resize_inter_320x240_7_1-2.webm - vp90-2-18-resize.ivf - 1 testcase failed with CRC mismatch - vp90-2-16-intra-only.webm Analysis: First few frames are marked by firmware as NO_SHOW frame. Driver make buf state to VB2_BUF_STATE_ERROR for such frames. Such buffers should be dropped by GST. But instead, the first frame is being displayed and when a valid buffer is sent to client later with same timestamp, its dropped, leading to CRC mismatch for first frame. To: Vikash Garodia <quic_vgarodia(a)quicinc.com> To: Abhinav Kumar <quic_abhinavk(a)quicinc.com> To: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> To: Mauro Carvalho Chehab <mchehab(a)kernel.org> To: Hans Verkuil <hverkuil(a)xs4all.nl> To: Stefan Schmidt <stefan.schmidt(a)linaro.org> Cc: linux-media(a)vger.kernel.org Cc: linux-arm-msm(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Cc: Neil Armstrong <neil.armstrong(a)linaro.org> Cc: Nicolas Dufresne <nicolas.dufresne(a)collabora.com> Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> --- Dikshita Agarwal (25): media: iris: Skip destroying internal buffer if not dequeued media: iris: Update CAPTURE format info based on OUTPUT format media: iris: Avoid updating frame size to firmware during reconfig media: iris: Drop port check for session property response media: iris: Prevent HFI queue writes when core is in deinit state media: iris: Remove error check for non-zero v4l2 controls media: iris: Remove deprecated property setting to firmware media: iris: Fix missing function pointer initialization media: iris: Fix NULL pointer dereference media: iris: Fix typo in depth variable media: iris: Track flush responses to prevent premature completion media: iris: Fix buffer preparation failure during resolution change media: iris: Send V4L2_BUF_FLAG_ERROR for capture buffers with 0 filled length media: iris: Skip flush on first sequence change media: iris: Remove unnecessary re-initialization of flush completion media: iris: Add handling for corrupt and drop frames media: iris: Add handling for no show frames media: iris: Improve last flag handling media: iris: Remove redundant buffer count check in stream off media: iris: Add a comment to explain usage of MBPS media: iris: Add HEVC and VP9 formats for decoder media: iris: Add platform capabilities for HEVC and VP9 decoders media: iris: Set mandatory properties for HEVC and VP9 decoders. media: iris: Add internal buffer calculation for HEVC and VP9 decoders media: iris: Add codec specific check for VP9 decoder drain handling drivers/media/platform/qcom/iris/iris_buffer.c | 35 +- drivers/media/platform/qcom/iris/iris_buffer.h | 3 +- drivers/media/platform/qcom/iris/iris_ctrls.c | 35 +- drivers/media/platform/qcom/iris/iris_hfi_common.h | 1 + .../platform/qcom/iris/iris_hfi_gen1_command.c | 48 ++- .../platform/qcom/iris/iris_hfi_gen1_defines.h | 5 +- .../platform/qcom/iris/iris_hfi_gen1_response.c | 37 +- .../platform/qcom/iris/iris_hfi_gen2_command.c | 143 +++++++- .../platform/qcom/iris/iris_hfi_gen2_defines.h | 5 + .../platform/qcom/iris/iris_hfi_gen2_response.c | 56 ++- drivers/media/platform/qcom/iris/iris_hfi_queue.c | 2 +- drivers/media/platform/qcom/iris/iris_instance.h | 6 + .../platform/qcom/iris/iris_platform_common.h | 28 +- .../media/platform/qcom/iris/iris_platform_gen2.c | 198 ++++++++-- .../platform/qcom/iris/iris_platform_qcs8300.h | 126 +++++-- .../platform/qcom/iris/iris_platform_sm8250.c | 15 +- drivers/media/platform/qcom/iris/iris_state.c | 2 +- drivers/media/platform/qcom/iris/iris_state.h | 1 + drivers/media/platform/qcom/iris/iris_vb2.c | 18 +- drivers/media/platform/qcom/iris/iris_vdec.c | 116 +++--- drivers/media/platform/qcom/iris/iris_vdec.h | 11 + drivers/media/platform/qcom/iris/iris_vidc.c | 36 +- drivers/media/platform/qcom/iris/iris_vpu_buffer.c | 397 ++++++++++++++++++++- drivers/media/platform/qcom/iris/iris_vpu_buffer.h | 46 ++- 24 files changed, 1159 insertions(+), 211 deletions(-) --- base-commit: 398a1b33f1479af35ca915c5efc9b00d6204f8fa change-id: 20250507-video-iris-hevc-vp9-59096b189050 prerequisite-message-id: <20250417-topic-sm8x50-iris-v10-v7-0-f020cb1d0e98(a)linaro.org> prerequisite-patch-id: afffe7096c8e110a8da08c987983bc4441d39578 prerequisite-patch-id: b93c37dc7e09d1631b75387dc1ca90e3066dce17 prerequisite-patch-id: b7b50aa1657be59fd51c3e53d73382a1ee75a08e prerequisite-patch-id: 30960743105a36f20b3ec4a9ff19e7bca04d6add prerequisite-patch-id: 2bba98151ca103aa62a513a0fbd0df7ae64d9868 prerequisite-patch-id: 0e43a6d758b5fa5ab921c6aa3c19859e312b47d0 prerequisite-patch-id: 35f8dae1416977e88c2db7c767800c01822e266e prerequisite-message-id: <20250501-qcs8300_iris-v7-0-b229d5347990(a)quicinc.com> prerequisite-patch-id: e35b05c527217206ae871aef0d7b0261af0319ea prerequisite-patch-id: 07ba0745c7d72796567e0a57f5c8e5355a8d2046 prerequisite-patch-id: 3398937a7fabb45934bb98a530eef73252231132 prerequisite-patch-id: 500bc3b8391940d3ebca222d2098b737414b2af4 prerequisite-patch-id: 2e72fe4d11d264db3d42fa450427d30171303c6f Best regards, -- Dikshita Agarwal <quic_dikshita(a)quicinc.com>

8 months

3
19
0 0

[PATCH v1] ufs: core: fix hwq_id type and value

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> Because the member id of struct ufs_hw_queue is u32 (hwq->id) and the trace entry hwq_id is also u32, the type should be changed to u32. If mcq is not supported, SDB mode only supports one hardware queue, for which setting the hwq_id to 0 is more suitable. Fixes: 4a52338bf288 ("scsi: ufs: core: Add trace event for MCQ") Cc: <stable(a)vger.kernel.org> Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 7735421e3991..14e4cfbcb9eb 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -432,7 +432,7 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag, u8 opcode = 0, group_id = 0; u32 doorbell = 0; u32 intr; - int hwq_id = -1; + u32 hwq_id = 0; struct ufshcd_lrb *lrbp = &hba->lrb[tag]; struct scsi_cmnd *cmd = lrbp->cmd; struct request *rq = scsi_cmd_to_rq(cmd); -- 2.45.2

8 months

3
4
0 0

[PATCH 6.14 000/449] 6.14.3-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.14.3 release. There are 449 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.14.3-rc1 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Yi Liu <yi.l.liu(a)intel.com> iommufd: Fail replace if device has not been attached Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Make attach_handle generic than fault specific Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Wen Gong <quic_wgong(a)quicinc.com> wifi: ath11k: update channel list in worker when wait flag is set Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable monitor mode during suspend Kevin Hao <haokexin(a)gmail.com> spi: fsl-qspi: Fix double cleanup in probe error path Han Xu <han.xu(a)nxp.com> spi: fsl-qspi: use devm function instead of driver remove Cong Liu <liucong2(a)kylinos.cn> selftests: mptcp: fix incorrect fd checks in main_loop Geliang Tang <geliang(a)kernel.org> selftests: mptcp: close fd_in before returning in main_loop Jake Hillion <jake(a)hillion.co.uk> sched_ext: create_dsq: Return -EEXIST on duplicate request Sumanth Korikkar <sumanthk(a)linux.ibm.com> s390: Fix linker error when -no-pie option is unavailable David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() Peter Griffin <peter.griffin(a)linaro.org> pinctrl: samsung: add support for eint_fltcon_offset Stephan Gerhold <stephan.gerhold(a)linaro.org> pinctrl: qcom: Clear latched interrupt status when changing IRQ type Stefan Eichenberger <stefan.eichenberger(a)toradex.com> phy: freescale: imx8m-pcie: assert phy reset and perst in power off Philipp Stanner <phasta(a)kernel.org> PCI: Fix wrong length of devres array Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_register_host_bridge() Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Lukas Wunner <lukas(a)wunner.de> PCI: pciehp: Avoid unnecessary device replacement check Ioana Ciornei <ioana.ciornei(a)nxp.com> PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args() Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_one() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Switch to page pool for jumbo frames Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Add a new test for setuid() Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Split signal_scoping_threads tests Mickaël Salaün <mic(a)digikod.net> landlock: Prepare to add second errata Mickaël Salaün <mic(a)digikod.net> landlock: Always allow signals between threads of the same process Mickaël Salaün <mic(a)digikod.net> landlock: Add erratum for TCP fix Mickaël Salaün <mic(a)digikod.net> landlock: Add the errata interface Mickaël Salaün <mic(a)digikod.net> landlock: Move code to ease future backports Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Sean Christopherson <seanjc(a)google.com> KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly zero-initialize on-stack CPUID unions Amit Machhiwal <amachhiw(a)linux.ibm.com> KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests Sean Christopherson <seanjc(a)google.com> KVM: Allow building irqbypass.ko as as module when kvm.ko is a module Joshua Washington <joshwash(a)google.com> gve: handle overflow when reporting TX consumed descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind Guixin Liu <kanie(a)linux.alibaba.com> gpio: tegra186: fix resource handling in ACPI probe path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: mpc8xxx: Fix wakeup source leaks on device unbind Bernd Schubert <bschubert(a)ddn.com> fuse: {io-uring} Fix a possible req cancellation race Andy Chiu <andybnac(a)gmail.com> ftrace: Properly merge notrace hashes zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> firmware: cs_dsp: test_control_parse: null-terminate test strings Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg' Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg' Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix prefetch-vs-suspend race Jo Van Bulck <jo.vanbulck(a)kuleuven.be> dm-integrity: fix non-constant-time tag verification Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: fix prefetch-vs-suspend race Alexander Aring <aahringo(a)redhat.com> dlm: fix error if active rsb is not hashed Alexander Aring <aahringo(a)redhat.com> dlm: fix error if inactive rsb is not hashed Dionna Glaze <dionnaglaze(a)google.com> crypto: ccp - Fix uAPI definitions of PSP errors Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Release pm subdomains in reverse add order Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Pali Rohár <pali(a)kernel.org> cifs: Ensure that all non-client-specific reparse points are processed by the server Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Alexandra Diupina <adiupina(a)astralinux.ru> cifs: avoid NULL pointer dereference in dbg call Aman <aman1(a)microsoft.com> CIFS: Propagate min offload along with other parameters from primary to secondary channels. Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not add length to print format in synthetic events Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe events: Fix possible UAF on modules Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe: Fix to lock module while registering fprobe Andrii Nakryiko <andrii(a)kernel.org> uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*() Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: fix balloon target initialization for PVH dom0 Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Jinjiang Tu <tujinjiang(a)huawei.com> mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Marc Herbert <Marc.Herbert(a)linux.intel.com> mm/hugetlb: move hugetlb_sysctl_init() to the __init section Shuai Xue <xueshuai(a)linux.alibaba.com> mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix release hang over concurrent GUP Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/mremap: correctly handle partial mremap() of VMA starting at 0 Ryan Roberts <ryan.roberts(a)arm.com> mm: fix lazy mmu docs and usage Jane Chu <jane.chu(a)oracle.com> mm: make page_mapped_in_vma() hugetlb walk aware David Hildenbrand <david(a)redhat.com> mm/rmap: reject hugetlb folios in folio_make_device_exclusive() SeongJae Park <sj(a)kernel.org> mm/damon: avoid applying DAMOS action to same entity multiple times Usama Arif <usamaarif642(a)gmail.com> mm/damon/ops: have damon_get_folio return folio even for tail pages Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix possible circular locking dependency Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Don't clobber posted vCPU IRTE when host IRQ affinity changes Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled Nicolin Chen <nicolinc(a)nvidia.com> iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix uninitialized rc in iommufd_access_rw() Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone finishing with missing devices Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone activation with missing devices Filipe Manana <fdmanana(a)suse.com> btrfs: tests: fix chunk map leak after failure to add it to the tree Filipe Manana <fdmanana(a)suse.com> btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Herve Codina <herve.codina(a)bootlin.com> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Peter Griffin <peter.griffin(a)linaro.org> arm64: dts: exynos: gs101: disable pinctrl_gsacore node Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang Siddharth Vadapalli <s-vadapalli(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks Keerthy <j-keerthy(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Correct the update of max_pfn Ninad Malwade <nmalwade(a)nvidia.com> arm64: tegra: Remove the Orin NX/Nano suspend key Keir Fraser <keirf(a)google.com> arm64: mops: Do not dereference src reg for a set operation Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: Fix build with gcc < 7.5 Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: only inc MPJoinAckHMacFailure for HMAC failures Gang Yan <yangang(a)kylinos.cn> mptcp: fix NULL pointer in can_accept_new_subflow T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Kartik Rajput <kkartik(a)nvidia.com> mailbox: tegra-hsp: Define dimensioning masks in SoC data Chenyuan Yang <chenyuan0y(a)gmail.com> mfd: ene-kb3930: Fix a potential NULL pointer dereference Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Kris Van Hees <kris.van.hees(a)oracle.com> kbuild: exclude .rodata.(cst|str)* when building ranges Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use readsb helper for reading MDB Joe Damato <jdamato(a)fastly.com> igc: Fix XSK queue NAPI ID mapping Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of ToMToU integrity violations Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of open-writers integrity violations Steve French <stfrench(a)microsoft.com> smb311 client: fix missing tcon check when mounting with linux/posix extensions Chenyuan Yang <chenyuan0y(a)gmail.com> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Olga Kornievskaia <okorniev(a)redhat.com> svcrdma: do not unregister device for listeners Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> tpm: do not start chip while suspended Jan Kara <jack(a)suse.cz> udf: Fix inode_getblk() return value Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix oversized null mkey longer than 32bit Yeongjin Gil <youngjin.gil(a)samsung.com> f2fs: fix to avoid atomicity corruption of atomic file Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix the missing write pointer correction Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix race between unprepare and queue_buf Eric Biggers <ebiggers(a)google.com> arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Eric Biggers <ebiggers(a)google.com> arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() Sharan Kumar M <sharweshraajan(a)gmail.com> ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: make use of q6apm_get_hw_pointer Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm: add q6apm_get_hw_pointer helper Haoxiang Li <haoxiang_li2024(a)163.com> ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: reject zero sized provided buffers Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix io_req_post_cqe abuse by send bundle Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix accept multishot handling Qingfang Deng <dqfext(a)gmail.com> net: stmmac: Fix accessing freed irq affinity_hint Ewan D. Milne <emilne(a)redhat.com> scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: update the power-saving flow Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix country count limitation for CLC Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: ensure wow pattern command align fw format Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series Haoxiang Li <haoxiang_li2024(a)163.com> wifi: mt76: Add check for devm_kstrdup() Sean Wang <sean.wang(a)mediatek.com> Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" Alexandre Torgue <alexandre.torgue(a)foss.st.com> clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Replace kcalloc() with devm_kcalloc() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix internal PHYs for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Add check for devm_kcalloc() Ming Lei <ming.lei(a)redhat.com> block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting freebind & transparent Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting IPV6_V6ONLY Harshitha Ramamurthy <hramamurthy(a)google.com> gve: unlink old napi only if page pool exists Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type() Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix a hang after seeking Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Avoid race condition in the interrupt handler Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix gray color on screen Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx214: Rectify probe error handling related to runtime PM Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx219: Rectify runtime PM handling in probe and remove Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx319: Rectify runtime PM handling probe and remove Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: refactor hfi packet parsing logic Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Ricardo Ribalda <ribalda(a)chromium.org> media: nuvoton: Fix reference handling of ece_pdev Ricardo Ribalda <ribalda(a)chromium.org> media: nuvoton: Fix reference handling of ece_node Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in remove Sakari Ailus <sakari.ailus(a)linux.intel.com> Revert "media: imx214: Fix the error handling in imx214_probe()" Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: imx219: Adjust PLL settings based on the number of MIPI lanes Dan Carpenter <dan.carpenter(a)linaro.org> media: xilinx-tpg: fix double put in xtpg_parse_of() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: platform: stm32: Add check for clk_enable() Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: visl: Fix ERANGE error when setting enum controls Hans de Goede <hdegoede(a)redhat.com> media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Hans de Goede <hdegoede(a)redhat.com> media: ov08x40: Properly turn sensor on/off when runtime-suspended Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix PM related deadlocks in MS IOCTLs Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Fix timeout handling when waiting for TPM status Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Miquel Raynal <miquel.raynal(a)bootlin.com> spi: cadence-qspi: Fix probe on AM62A LP SK Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: Set HCR_EL2.TID1 unconditionally Will Deacon <will(a)kernel.org> KVM: arm64: Tear down vGIC on failed vCPU creation Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Akihiko Odaki <akihiko.odaki(a)daynix.com> KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR} Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication John Keeping <jkeeping(a)inmusicbrands.com> media: rockchip: rga: fix rga offset lookup Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Bingbu Cao <bingbu.cao(a)intel.com> media: intel/ipu6: set the dev_parent of video device to pdev Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: mgb4: Fix switched CMT frequency range "magic values" sets Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: mgb4: Fix CMT registers update logic Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: uapi: rkisp1-config: Fix typo in extensible params example Arnd Bergmann <arnd(a)arndb.de> media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Alain Volmat <alain.volmat(a)foss.st.com> dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Haoxiang Li <haoxiang_li2024(a)163.com> auxdisplay: hd44780: Fix an API misuse in hd44780.c Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Fix set_device_control() Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Fix 90 degrees direction name North -> East Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Clamp effect playback LOOP_COUNT value Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Rename two functions to align them with naming convention Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Remove redundant call to pidff_find_special_keys Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Support device error response from PID_BLOCK_LOAD Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Comment and code style update Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: hid-universal-pidff: Add Asetek wheelbases support Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Factor out pool report fetch and remove excess declaration Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Use macros instead of hardcoded min/max values for shorts Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Simplify pidff_rescale_signed Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Move all hid-pidff definitions to a dedicated header Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Factor out code for setting gain Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Rescale time values to match field units Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Define values used in pidff_find_special_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Simplify pidff_upload_effect function Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Completely rework and fix pidff_reset function Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Stop all effects before enabling actuators Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Clamp PERIODIC effect period to device's logical range Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix s390_mmio_read/write syscall page fault handling Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Sheng Yong <shengyong1(a)xiaomi.com> erofs: set error to bio if file-backed IO fails Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Search an appropriate duty_cycle if period cannot be modified Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: rcar: Improve register calculation Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Jonathan McDowell <noodles(a)meta.com> tpm: End any active auth session before shutdown Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Workaround failed command reception on Infineon devices Ayush Jain <Ayush.jain3(a)amd.com> ktest: Fix Test Failures Due to Missing LOG_FILE Directories Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probe-events: Add comments about entry data storing code Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probe-events: Log error for exceeding the number of arguments Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Support mmap() of PCI resources except for ISM devices Christian König <christian.koenig(a)amd.com> drm/amdgpu: grab an additional reference on the gang fence v2 Ryo Takakura <ryotkkr98(a)gmail.com> PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Philipp Stanner <phasta(a)kernel.org> PCI: Check BAR index for validity Emily Deng <Emily.Deng(a)amd.com> drm/amdgpu: Fix the race condition for draining retry fault Bjorn Helgaas <bhelgaas(a)google.com> PCI: Enable Configuration RRS SV early Ryan Seto <ryanseto(a)amd.com> drm/amd/display: Prevent VStartup Overflow Wentao Liang <vulab(a)iscas.ac.cn> drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Shawn Lin <shawn.lin(a)rock-chips.com> PCI: Add Rockchip Vendor ID Jani Nikula <jani.nikula(a)intel.com> drm/rockchip: stop passing non struct drm_device to drm_err() and friends AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: debugfs hang_hws skip GPU with MES Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mode1 reset crash issue David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Lucas De Marchi <lucas.demarchi(a)intel.com> drivers: base: devres: Allow to release group on device release Mike Katsnelson <mike.katsnelson(a)amd.com> drm/amd/display: stop DML2 from removing pipes based on planes Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/bridge: panel: forbid initializing a panel with unknown connector type Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/debugfs: fix printk format for bridge index Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Philip Yang <Philip.Yang(a)amd.com> drm/amdgpu: Unlocked unmap only clear page table leaves Brendan Tam <Brendan.Tam(a)amd.com> drm/amd/display: add workaround flag to link to force FFE preset Sung Lee <Sung.Lee(a)amd.com> drm/amd/display: Guard Possible Null Pointer Dereference Zhikai Zhai <zhikai.zhai(a)amd.com> drm/amd/display: Update Cursor request mode to the beginning prefetch always Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/vf: Don't try to trigger a full GT reset if VF Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Don't send BEGIN_ID if VF has no context/doorbells Matt Atwood <matthew.s.atwood(a)intel.com> drm/xe/ptl: Update the PTL pci id table Shekhar Chauhan <shekhar.chauhan(a)intel.com> drm/xe/bmg: Add new PCI IDs Derek Foreman <derek.foreman(a)collabora.com> drm/rockchip: Don't change hdmi reference clock rate Dmitry Osipenko <dmitry.osipenko(a)collabora.com> drm/virtio: Set missing bo->attached flag Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Bluetooth: qca: add WCN3950 support Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Bluetooth: qca: simplify WCN399x NVM loading Janaki Ramaiah Thota <quic_janathot(a)quicinc.com> Bluetooth: hci_qca: use the power sequencer for wcn6750 Jiande Lu <jiande.lu(a)mediatek.com> Bluetooth: btusb: Add 2 HWIDs for MT7922 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Add device id of Whale Peak Dorian Cruveiller <doriancruveiller(a)gmail.com> Bluetooth: btusb: Add new VID/PID for WCN785x Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Boris Burkov <boris(a)bur.io> btrfs: harden block_group::bg_list against list_del() races Huacai Chen <chenhuacai(a)kernel.org> ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Philipp Hahn <phahn-oss(a)avm.de> cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix userspace_selectors corruption Chao Yu <chao(a)kernel.org> Revert "f2fs: rebuild nat_bits during umount" Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Martin Schiller <ms(a)dev.tdt.de> net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Manish Dharanenthiran <quic_mdharane(a)quicinc.com> wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Birger Koblitz <mail(a)birger-koblitz.de> net: sfp: add quirk for 2.5G OEM BX SFP Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Zenm Chen <zenmchen(a)gmail.com> wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1 Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Zhongqiu Han <quic_zhonhan(a)quicinc.com> jfs: Fix uninit-value access of imap allocated in the diMount() function Ciprian Marian Costea <ciprianmarian.costea(a)oss.nxp.com> can: flexcan: add NXP S32G2/S32G3 SoC support Ciprian Marian Costea <ciprianmarian.costea(a)oss.nxp.com> can: flexcan: Add quirk to handle separate interrupt lines for mailboxes Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Max Schulze <max.schulze(a)online.de> net: usb: asix_devices: add FiberGecko DeviceID Chaohai Chen <wdhh66(a)163.com> scsi: target: spc: Fix RSOC parameter data header size Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: ensure sdata->work is canceled before initialized. Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: add strict mode disabling workarounds Chao Yu <chao(a)kernel.org> f2fs: don't retry IO for corrupted data scenario Pavel Begunkov <asml.silence(a)gmail.com> net: page_pool: don't cast mp param to devmem Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Avoid reply queue full condition Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Add 'external' to the libata.force kernel parameter P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Avoid memory leak while enabling statistics P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Miaoqing Pan <quic_miaoqing(a)quicinc.com> wifi: ath12k: fix memory leak in ath12k_pci_remove() Miaoqing Pan <quic_miaoqing(a)quicinc.com> wifi: ath11k: fix memory leak in ath11k_xxx_remove() P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues Dmitry Antipov <dmantipov(a)yandex.ru> wifi: ath9k: use unsigned long for activity check timestamp Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig Syed Saba kareem <syed.sabakareem(a)amd.com> ASoC: amd: yc: update quirk data for new Lenovo model Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247 Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315 keenplify <keenplify(a)gmail.com> ASoC: amd: Add DMI quirk for ACP6X mic support Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Kaustabh Chakraborty <kauschluss(a)disroot.org> mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Aakarsh Jain <aakarsh.jain(a)samsung.com> media: s5p-mfc: Corrected NV12M/NV21M plane-sizes Vishnu Sankar <vishnuocv(a)gmail.com> HID: lenovo: Fix to ensure the data as __le32 instead of u32 Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Add quirk for Actions UVC05 Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_audmix: register card device depends on 'dais' property Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: amd_sdw: Add quirks for Dell SKU's Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: ps: use macro for ACP6.3 pci revision id Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERIODIC_SINE_ONLY quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: Add hid-universal-pidff driver and supported device ids Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add FIX_WHEEL_DIRECTION quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERMISSIVE_CONTROL quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_PBO quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_DELAY quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Zhang Heng <zhangheng(a)kylinos.cn> ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Daniel Schaefer <dhs(a)frame.work> platform/chrome: cros_ec_lpc: Match on Framework ACPI device Josh Poimboeuf <jpoimboe(a)kernel.org> tracing: Disable branch profiling in noinstr code Ingo Molnar <mingo(a)kernel.org> zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Mario Limonciello <mario.limonciello(a)amd.com> cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend Paul E. McKenney <paulmck(a)kernel.org> Flush console log from kernel_power_off() Lizhi Xu <lizhi.xu(a)windriver.com> PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() Yunhui Cui <cuiyunhui(a)bytedance.com> perf/dwc_pcie: fix duplicate pci_dev devices Yunhui Cui <cuiyunhui(a)bytedance.com> perf/dwc_pcie: fix some unreleased resources Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Xin Li (Intel) <xin(a)zytor.com> x86/ia32: Leave NULL selector values 0~3 unchanged Uros Bizjak <ubizjak(a)gmail.com> x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 Matthew Wilcox (Oracle) <willy(a)infradead.org> x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Dmitry Osipenko <dmitry.osipenko(a)collabora.com> irqchip/gic-v3: Add Rockchip 3568002 erratum workaround Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Paul E. McKenney <paulmck(a)kernel.org> srcu: Force synchronization for srcu_get_delay() Trond Myklebust <trond.myklebust(a)hammerspace.com> umount: Allow superblock owners to force umount Mateusz Guzik <mjguzik(a)gmail.com> fs: consistently deref the files table with rcu_dereference_raw() Frederic Weisbecker <frederic(a)kernel.org> perf: Fix hang while freeing sigtrap event Peter Zijlstra <peterz(a)infradead.org> perf/core: Simplify the perf_event_alloc() error path Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: Fix the wrong Rx descriptor field Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Marek Szyprowski <m.szyprowski(a)samsung.com> iommu/exynos: Fix suspend/resume with IDENTITY domain Ido Schimmel <idosch(a)nvidia.com> ethtool: cmis_cdb: Fix incorrect read / write length extension Florian Westphal <fw(a)strlen.de> nft_set_pipapo: fix incorrect avx2 match of 5th field octet Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Ido Schimmel <idosch(a)nvidia.com> ipv6: Align behavior across nexthops during path selection Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix UAF in decryption with multichannel Dave Hansen <dave.hansen(a)linux.intel.com> x86/cpu: Avoid running off the end of an AMD erratum table Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Daniel Wagner <wagi(a)kernel.org> nvmet-fcloop: swap list_add_tail arguments Thomas Richter <tmricht(a)linux.ibm.com> s390/cpumf: Fix double free on error in cpumf_pmu_event_init() Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/huc: Fix fence not released on early probe errors Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Pali Rohár <pali(a)kernel.org> cifs: Fix support for WSL-style symlinks Chenyuan Yang <chenyuan0y(a)gmail.com> net: libwx: handle page_pool_dev_alloc_pages error Maxime Ripard <mripard(a)kernel.org> drm/tests: probe-helper: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: modes: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: cmdline: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Maxime Ripard <mripard(a)kernel.org> drm/tests: modeset: Fix drm_display_mode memory leak Maxime Chevallier <maxime.chevallier(a)bootlin.com> net: ethtool: Don't call .cleanup_data when prepare_data fails Toke Høiland-Jørgensen <toke(a)redhat.com> tc: Ensure we have enough buffer space when sending filter netlink notifications Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-pf: qos: fix VF root node parent queue index Jakub Kicinski <kuba(a)kernel.org> net: tls: explicitly disallow disconnect Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe: Restore EIO errno return when GuC PC start fails Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/hw_engine: define sysfs_ops on all directories Taehee Yoo <ap420073(a)gmail.com> net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value always as 0. Petr Vaněk <arkamar(a)atlas.cz> x86/acpi: Don't limit CPUs to 1 for Xen PV guests due to disabled ACPI Badal Nilawar <badal.nilawar(a)intel.com> drm/i915: Disable RPG during live selftest Vivek Kasireddy <vivek.kasireddy(a)intel.com> drm/virtio: Fix flickering issue seen with imported dmabufs Ming Lei <ming.lei(a)redhat.com> ublk: fix handling recovery & reissue in ublk_abort_queue() Edward Liaw <edliaw(a)google.com> selftests/futex: futex_waitv wouldblock test should fail Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: of: Fix the choice for Ingenic NAND quirk Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe: Cleanup fprobe hash when module unloading Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix race between newly created partition and dying one Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix error handling in remote_partition_disable() Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: adl: add 2xrt1316 audio configuration ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 + Documentation/arch/arm64/silicon-errata.rst | 2 + .../bindings/arm/qcom,coresight-tpda.yaml | 3 +- .../bindings/arm/qcom,coresight-tpdm.yaml | 3 +- .../bindings/media/i2c/st,st-mipid02.yaml | 2 +- Makefile | 7 +- arch/arm/lib/crc-t10dif-glue.c | 4 +- arch/arm64/Kconfig | 9 + arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/boot/dts/mediatek/mt8188.dtsi | 2 +- .../boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi | 7 - .../boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/kvm_arm.h | 4 +- arch/arm64/include/asm/spectre.h | 1 - arch/arm64/include/asm/traps.h | 4 +- arch/arm64/kernel/proton-pack.c | 208 ++++---- arch/arm64/kvm/arm.c | 6 +- arch/arm64/kvm/sys_regs.c | 204 ++++---- arch/arm64/lib/crc-t10dif-glue.c | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/kvm/powerpc.c | 5 +- arch/s390/Kconfig | 4 +- arch/s390/Makefile | 2 +- arch/s390/include/asm/pci.h | 3 + arch/s390/kernel/perf_cpum_cf.c | 9 +- arch/s390/kernel/perf_cpum_sf.c | 3 - arch/s390/pci/Makefile | 2 +- arch/s390/pci/pci_bus.c | 3 + arch/s390/pci/pci_fixup.c | 23 + arch/s390/pci/pci_mmio.c | 18 +- arch/sparc/include/asm/pgtable_64.h | 2 - arch/sparc/mm/tlb.c | 5 +- arch/x86/Kbuild | 4 + arch/x86/Kconfig | 20 +- arch/x86/coco/sev/core.c | 2 - arch/x86/kernel/acpi/boot.c | 11 + arch/x86/kernel/cpu/amd.c | 3 +- arch/x86/kernel/e820.c | 17 +- arch/x86/kernel/head64.c | 2 - arch/x86/kernel/signal_32.c | 62 ++- arch/x86/kvm/cpuid.c | 8 +- arch/x86/kvm/x86.c | 4 + arch/x86/mm/kasan_init_64.c | 1 - arch/x86/mm/mem_encrypt_amd.c | 2 - arch/x86/mm/mem_encrypt_identity.c | 2 - arch/x86/mm/pat/set_memory.c | 6 +- arch/x86/xen/enlighten.c | 10 + arch/x86/xen/setup.c | 3 - block/blk-mq.c | 1 + drivers/accel/ivpu/ivpu_debugfs.c | 4 +- drivers/accel/ivpu/ivpu_ipc.c | 3 +- drivers/accel/ivpu/ivpu_ms.c | 24 + drivers/acpi/Makefile | 4 + drivers/ata/ahci.c | 11 + drivers/ata/ahci.h | 1 + drivers/ata/libahci.c | 4 + drivers/ata/libata-core.c | 38 ++ drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 + drivers/ata/sata_sx4.c | 13 +- drivers/auxdisplay/hd44780.c | 4 +- drivers/base/devres.c | 7 + drivers/block/ublk_drv.c | 30 +- drivers/bluetooth/btintel_pcie.c | 1 + drivers/bluetooth/btqca.c | 27 +- drivers/bluetooth/btqca.h | 4 + drivers/bluetooth/btusb.c | 32 ++ drivers/bluetooth/hci_ldisc.c | 19 +- drivers/bluetooth/hci_qca.c | 27 +- drivers/bluetooth/hci_uart.h | 1 + drivers/bus/mhi/host/main.c | 16 +- drivers/char/tpm/tpm-chip.c | 6 + drivers/char/tpm/tpm-interface.c | 7 - drivers/char/tpm/tpm_tis_core.c | 20 +- drivers/char/tpm/tpm_tis_core.h | 1 + drivers/clk/qcom/clk-branch.c | 4 +- drivers/clk/qcom/gdsc.c | 61 ++- drivers/clk/renesas/r9a07g043-cpg.c | 7 + drivers/clocksource/timer-stm32-lp.c | 4 +- drivers/cpufreq/amd-pstate.c | 5 +- drivers/cpuidle/Makefile | 3 + drivers/crypto/ccp/sp-pci.c | 15 +- .../cirrus/test/cs_dsp_test_control_parse.c | 51 +- drivers/gpio/gpio-mpc8xxx.c | 4 +- drivers/gpio/gpio-tegra186.c | 25 +- drivers/gpio/gpio-zynq.c | 1 + drivers/gpio/gpiolib-of.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 43 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 + .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 31 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 8 +- drivers/gpu/drm/amd/display/dc/dc.h | 2 + drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 8 + .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 2 + .../amd/display/dc/dml2/dml2_dc_resource_mgmt.c | 26 - .../gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c | 2 +- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 22 +- .../display/dc/link/protocols/link_dp_capability.c | 12 +- .../display/dc/link/protocols/link_dp_training.c | 2 + .../link_dp_training_fixed_vs_pe_retimer.c | 3 +- drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 + drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_debugfs.c | 2 +- drivers/gpu/drm/drm_panel.c | 5 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 +- drivers/gpu/drm/i915/gt/intel_rc6.c | 19 +- drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 +- drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 + drivers/gpu/drm/i915/selftests/i915_selftest.c | 18 + drivers/gpu/drm/mediatek/mtk_dpi.c | 23 +- drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 16 +- drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 29 +- drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 + drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 +- drivers/gpu/drm/tests/drm_kunit_helpers.c | 22 + drivers/gpu/drm/tests/drm_modes_test.c | 22 + drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 +- drivers/gpu/drm/virtio/virtgpu_prime.c | 2 +- drivers/gpu/drm/virtio/virtgpu_vq.c | 3 + drivers/gpu/drm/xe/xe_gt.c | 4 + drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 4 +- drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 16 + drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 1 + drivers/gpu/drm/xe/xe_guc_pc.c | 1 + drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c | 108 ++-- drivers/gpu/drm/xe/xe_tuning.c | 8 - drivers/gpu/drm/xe/xe_wa.c | 7 + drivers/hid/Kconfig | 14 + drivers/hid/Makefile | 1 + drivers/hid/hid-ids.h | 37 ++ drivers/hid/hid-lenovo.c | 2 +- drivers/hid/hid-universal-pidff.c | 202 ++++++++ drivers/hid/usbhid/hid-core.c | 1 + drivers/hid/usbhid/hid-pidff.c | 571 ++++++++++++++------- drivers/hid/usbhid/hid-pidff.h | 33 ++ drivers/i3c/master.c | 3 + drivers/i3c/master/svc-i3c-master.c | 2 +- drivers/idle/Makefile | 5 +- drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 32 +- drivers/iommu/exynos-iommu.c | 4 +- drivers/iommu/intel/iommu.c | 2 + drivers/iommu/intel/irq_remapping.c | 71 +-- drivers/iommu/iommufd/device.c | 123 ++++- drivers/iommu/iommufd/fault.c | 8 +- drivers/iommu/iommufd/iommufd_private.h | 33 +- drivers/iommu/mtk_iommu.c | 26 +- drivers/irqchip/irq-gic-v3-its.c | 23 +- drivers/irqchip/irq-renesas-rzv2h.c | 2 +- drivers/leds/rgb/leds-qcom-lpg.c | 8 +- drivers/mailbox/tegra-hsp.c | 72 ++- drivers/md/dm-ebs-target.c | 7 + drivers/md/dm-integrity.c | 48 +- drivers/md/dm-verity-target.c | 8 + drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ccs/ccs-core.c | 6 +- drivers/media/i2c/hi556.c | 5 +- drivers/media/i2c/imx214.c | 25 +- drivers/media/i2c/imx219.c | 106 ++-- drivers/media/i2c/imx319.c | 9 +- drivers/media/i2c/ov08x40.c | 8 +- drivers/media/i2c/ov7251.c | 4 +- drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 + drivers/media/pci/mgb4/mgb4_cmt.c | 8 +- .../media/platform/chips-media/wave5/wave5-hw.c | 2 +- .../platform/chips-media/wave5/wave5-vpu-dec.c | 31 +- .../media/platform/chips-media/wave5/wave5-vpu.c | 4 +- .../platform/chips-media/wave5/wave5-vpuapi.c | 10 + .../mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 +- .../mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +- drivers/media/platform/nuvoton/npcm-video.c | 6 +- drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++- drivers/media/platform/qcom/venus/hfi_venus.c | 18 +- drivers/media/platform/rockchip/rga/rga-hw.c | 2 +- .../platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c | 5 +- drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +- drivers/media/platform/xilinx/xilinx-tpg.c | 2 - drivers/media/rc/streamzap.c | 68 +-- drivers/media/test-drivers/vim2m.c | 6 +- drivers/media/test-drivers/visl/visl-core.c | 12 + drivers/media/usb/uvc/uvc_driver.c | 9 + drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/mfd/ene-kb3930.c | 2 +- drivers/misc/pci_endpoint_test.c | 7 +- drivers/mmc/host/dw_mmc.c | 94 +++- drivers/mmc/host/dw_mmc.h | 27 + drivers/mtd/inftlcore.c | 9 +- drivers/mtd/mtdpstore.c | 12 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/can/flexcan/flexcan-core.c | 35 +- drivers/net/can/flexcan/flexcan.h | 5 + drivers/net/dsa/mv88e6xxx/chip.c | 23 +- drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 3 +- drivers/net/ethernet/intel/igc/igc.h | 2 - drivers/net/ethernet/intel/igc/igc_main.c | 4 +- drivers/net/ethernet/intel/igc/igc_xdp.c | 2 - drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 + drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 6 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 3 +- drivers/net/phy/phy_device.c | 57 +- drivers/net/phy/sfp.c | 13 +- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/usb/asix_devices.c | 17 + drivers/net/usb/cdc_ether.c | 7 + drivers/net/usb/r8152.c | 6 + drivers/net/usb/r8153_ecm.c | 6 + drivers/net/wireless/ath/ath11k/ahb.c | 4 +- drivers/net/wireless/ath/ath11k/core.c | 4 +- drivers/net/wireless/ath/ath11k/core.h | 5 +- drivers/net/wireless/ath/ath11k/dp.c | 35 +- drivers/net/wireless/ath/ath11k/fw.c | 3 +- drivers/net/wireless/ath/ath11k/mac.c | 14 + drivers/net/wireless/ath/ath11k/pci.c | 3 +- drivers/net/wireless/ath/ath11k/reg.c | 85 ++- drivers/net/wireless/ath/ath11k/reg.h | 3 +- drivers/net/wireless/ath/ath11k/wmi.h | 1 + drivers/net/wireless/ath/ath12k/dp_mon.c | 66 +-- drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +- drivers/net/wireless/ath/ath12k/hal_rx.h | 3 + drivers/net/wireless/ath/ath12k/pci.c | 2 +- drivers/net/wireless/ath/ath9k/ath9k.h | 2 +- drivers/net/wireless/mediatek/mt76/eeprom.c | 4 + drivers/net/wireless/mediatek/mt76/mt76.h | 1 + .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 1 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 160 ++++-- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 170 +++--- drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 6 +- drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 3 +- drivers/net/wireless/mediatek/mt76/mt792x.h | 9 + drivers/net/wireless/mediatek/mt76/mt792x_core.c | 3 +- drivers/net/wireless/realtek/rtw88/rtw8822bu.c | 4 + drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/target/fcloop.c | 2 +- drivers/of/irq.c | 78 +-- drivers/pci/controller/cadence/pci-j721e.c | 5 +- drivers/pci/controller/dwc/pci-layerscape.c | 2 +- drivers/pci/controller/pcie-brcmstb.c | 13 +- drivers/pci/controller/pcie-rockchip-host.c | 2 +- drivers/pci/controller/pcie-rockchip.h | 1 - drivers/pci/controller/vmd.c | 12 +- drivers/pci/devres.c | 18 +- drivers/pci/hotplug/pciehp_core.c | 5 +- drivers/pci/iomap.c | 29 +- drivers/pci/pci.c | 6 + drivers/pci/pci.h | 16 + drivers/pci/probe.c | 22 +- drivers/perf/arm_pmu.c | 8 +- drivers/perf/dwc_pcie_pmu.c | 51 +- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 12 +- drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++-- drivers/pinctrl/samsung/pinctrl-exynos.h | 22 + drivers/pinctrl/samsung/pinctrl-samsung.c | 1 + drivers/pinctrl/samsung/pinctrl-samsung.h | 4 + drivers/platform/chrome/cros_ec_lpc.c | 22 +- drivers/platform/x86/x86-android-tablets/Kconfig | 1 + drivers/pwm/pwm-fsl-ftm.c | 6 + drivers/pwm/pwm-mediatek.c | 8 +- drivers/pwm/pwm-rcar.c | 24 +- drivers/pwm/pwm-stm32.c | 12 +- drivers/s390/net/ism_drv.c | 1 - drivers/s390/virtio/virtio_ccw.c | 16 +- drivers/scsi/lpfc/lpfc_sli.c | 2 + drivers/scsi/mpi3mr/mpi3mr.h | 14 +- drivers/scsi/mpi3mr/mpi3mr_app.c | 24 + drivers/scsi/mpi3mr/mpi3mr_fw.c | 99 +++- drivers/scsi/st.c | 2 +- drivers/soc/samsung/exynos-chipid.c | 2 + drivers/spi/spi-cadence-quadspi.c | 6 + drivers/spi/spi-fsl-qspi.c | 36 +- drivers/target/target_core_spc.c | 2 +- drivers/thermal/mediatek/lvts_thermal.c | 52 +- drivers/thermal/rockchip_thermal.c | 1 + drivers/ufs/host/ufs-qcom.c | 2 +- drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/video/backlight/led_bl.c | 5 +- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/balloon.c | 34 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/btrfs/disk-io.c | 12 + fs/btrfs/extent-tree.c | 8 + fs/btrfs/tests/extent-map-tests.c | 1 + fs/btrfs/transaction.c | 12 + fs/btrfs/zoned.c | 6 + fs/dlm/lock.c | 2 + fs/erofs/fileio.c | 2 + fs/ext4/inode.c | 68 ++- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 17 + fs/ext4/xattr.c | 11 +- fs/f2fs/checkpoint.c | 21 +- fs/f2fs/f2fs.h | 32 +- fs/f2fs/inode.c | 8 +- fs/f2fs/node.c | 110 ++-- fs/f2fs/super.c | 8 +- fs/file.c | 26 +- fs/fuse/dev.c | 34 +- fs/fuse/dev_uring.c | 15 +- fs/fuse/dev_uring_i.h | 6 + fs/fuse/fuse_dev_i.h | 1 + fs/fuse/fuse_i.h | 3 + fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 4 +- fs/namespace.c | 3 +- fs/smb/client/cifsencrypt.c | 16 +- fs/smb/client/connect.c | 3 + fs/smb/client/fs_context.c | 5 + fs/smb/client/inode.c | 10 + fs/smb/client/reparse.c | 29 +- fs/smb/client/sess.c | 7 + fs/smb/client/smb2misc.c | 9 +- fs/smb/client/smb2ops.c | 6 +- fs/smb/client/smb2pdu.c | 11 +- fs/smb/common/smb2pdu.h | 6 +- fs/udf/inode.c | 1 + fs/userfaultfd.c | 51 +- include/drm/drm_kunit_helpers.h | 3 + include/drm/intel/pciids.h | 11 +- include/linux/cgroup-defs.h | 1 + include/linux/cgroup.h | 2 +- include/linux/damon.h | 11 + include/linux/hid.h | 6 - include/linux/io_uring_types.h | 3 + include/linux/kvm_host.h | 2 +- include/linux/mtd/spinand.h | 2 +- include/linux/page-flags.h | 6 + include/linux/pci_ids.h | 3 + include/linux/perf_event.h | 17 +- include/linux/pgtable.h | 14 +- include/linux/printk.h | 6 + include/linux/tpm.h | 1 + include/net/mac80211.h | 6 + include/net/sctp/structs.h | 3 +- include/net/sock.h | 40 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/landlock.h | 2 + include/uapi/linux/psp-sev.h | 21 +- include/uapi/linux/rkisp1-config.h | 2 +- include/xen/interface/xen-mca.h | 2 +- io_uring/io_uring.c | 4 +- io_uring/kbuf.c | 2 + io_uring/net.c | 3 + kernel/Makefile | 5 + kernel/cgroup/cgroup.c | 6 + kernel/cgroup/cpuset.c | 55 +- kernel/entry/Makefile | 3 + kernel/events/core.c | 184 +++---- kernel/events/uprobes.c | 15 +- kernel/locking/lockdep.c | 3 + kernel/power/hibernate.c | 6 +- kernel/printk/printk.c | 4 +- kernel/rcu/srcutree.c | 11 +- kernel/reboot.c | 1 + kernel/sched/Makefile | 5 + kernel/sched/ext.c | 4 +- kernel/time/Makefile | 6 + kernel/trace/fprobe.c | 170 +++++- kernel/trace/ftrace.c | 9 +- kernel/trace/ring_buffer.c | 5 +- kernel/trace/trace_eprobe.c | 2 + kernel/trace/trace_events.c | 4 +- kernel/trace/trace_events_synth.c | 1 - kernel/trace/trace_fprobe.c | 31 +- kernel/trace/trace_kprobe.c | 5 +- kernel/trace/trace_probe.c | 28 + kernel/trace/trace_probe.h | 1 + kernel/trace/trace_uprobe.c | 9 +- lib/Makefile | 5 + lib/sg_split.c | 2 - lib/zstd/common/portability_macros.h | 2 +- mm/damon/core.c | 1 + mm/damon/ops-common.c | 2 +- mm/damon/paddr.c | 57 +- mm/hugetlb.c | 2 +- mm/memory-failure.c | 11 +- mm/memory_hotplug.c | 3 +- mm/mremap.c | 10 +- mm/page_vma_mapped.c | 13 +- mm/rmap.c | 2 +- mm/shmem.c | 3 +- mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +- net/core/filter.c | 80 +-- net/core/page_pool.c | 8 +- net/core/page_pool_user.c | 2 +- net/core/sock.c | 5 + net/ethtool/cmis.h | 1 - net/ethtool/cmis_cdb.c | 18 +- net/ethtool/common.c | 1 + net/ethtool/netlink.c | 8 +- net/ipv6/route.c | 8 +- net/mac80211/debugfs.c | 44 +- net/mac80211/iface.c | 5 +- net/mac80211/mesh_hwmp.c | 14 +- net/mac80211/mlme.c | 59 ++- net/mptcp/sockopt.c | 28 + net/mptcp/subflow.c | 19 +- net/netfilter/nft_set_pipapo_avx2.c | 3 +- net/sched/cls_api.c | 66 ++- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_sfq.c | 66 ++- net/sctp/socket.c | 22 +- net/sctp/transport.c | 2 + net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 +- net/tipc/link.c | 1 + net/tls/tls_main.c | 6 + scripts/generate_builtin_ranges.awk | 5 + security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_main.c | 18 +- security/landlock/errata.h | 99 ++++ security/landlock/errata/abi-4.h | 15 + security/landlock/errata/abi-6.h | 19 + security/landlock/fs.c | 39 +- security/landlock/setup.c | 38 +- security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 +- security/landlock/task.c | 12 + sound/pci/hda/hda_intel.c | 44 +- sound/pci/hda/patch_realtek.c | 41 ++ sound/soc/amd/acp/acp-sdw-legacy-mach.c | 34 ++ sound/soc/amd/acp/soc_amd_sdw_common.h | 1 + sound/soc/amd/ps/acp63.h | 1 + sound/soc/amd/ps/pci-ps.c | 2 +- sound/soc/amd/yc/acp6x-mach.c | 14 + sound/soc/codecs/wcd937x.c | 2 + sound/soc/fsl/fsl_audmix.c | 16 +- sound/soc/intel/common/soc-acpi-intel-adl-match.c | 29 ++ sound/soc/qcom/qdsp6/q6apm-dai.c | 60 ++- sound/soc/qcom/qdsp6/q6apm.c | 18 +- sound/soc/qcom/qdsp6/q6apm.h | 3 + sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +- sound/soc/sof/topology.c | 4 +- sound/usb/midi.c | 80 ++- tools/objtool/check.c | 5 + tools/power/cpupower/bench/parse.c | 4 + tools/testing/ktest/ktest.pl | 8 + .../futex/functional/futex_wait_wouldblock.c | 2 +- tools/testing/selftests/landlock/base_test.c | 46 +- tools/testing/selftests/landlock/common.h | 1 + .../selftests/landlock/scoped_signal_test.c | 108 +++- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- virt/kvm/Kconfig | 2 +- virt/kvm/eventfd.c | 10 +- 460 files changed, 5785 insertions(+), 2515 deletions(-)

8 months

11
468
0 0

[merged mm-hotfixes-stable] mm-fix-folio_pte_batch-on-xen-pv.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix folio_pte_batch() on XEN PV has been removed from the -mm tree. Its filename was mm-fix-folio_pte_batch-on-xen-pv.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Petr Van��k <arkamar(a)atlas.cz> Subject: mm: fix folio_pte_batch() on XEN PV Date: Fri, 2 May 2025 23:50:19 +0200 On XEN PV, folio_pte_batch() can incorrectly batch beyond the end of a folio due to a corner case in pte_advance_pfn(). Specifically, when the PFN following the folio maps to an invalidated MFN, expected_pte = pte_advance_pfn(expected_pte, nr); produces a pte_none(). If the actual next PTE in memory is also pte_none(), the pte_same() succeeds, if (!pte_same(pte, expected_pte)) break; the loop is not broken, and batching continues into unrelated memory. For example, with a 4-page folio, the PTE layout might look like this: [ 53.465673] [ T2552] folio_pte_batch: printing PTE values at addr=0x7f1ac9dc5000 [ 53.465674] [ T2552] PTE[453] = 000000010085c125 [ 53.465679] [ T2552] PTE[454] = 000000010085d125 [ 53.465682] [ T2552] PTE[455] = 000000010085e125 [ 53.465684] [ T2552] PTE[456] = 000000010085f125 [ 53.465686] [ T2552] PTE[457] = 0000000000000000 <-- not present [ 53.465689] [ T2552] PTE[458] = 0000000101da7125 pte_advance_pfn(PTE[456]) returns a pte_none() due to invalid PFN->MFN mapping. The next actual PTE (PTE[457]) is also pte_none(), so the loop continues and includes PTE[457] in the batch, resulting in 5 batched entries for a 4-page folio. This triggers the following warning: [ 53.465751] [ T2552] page: refcount:85 mapcount:20 mapping:ffff88813ff4f6a8 index:0x110 pfn:0x10085c [ 53.465754] [ T2552] head: order:2 mapcount:80 entire_mapcount:0 nr_pages_mapped:4 pincount:0 [ 53.465756] [ T2552] memcg:ffff888003573000 [ 53.465758] [ T2552] aops:0xffffffff8226fd20 ino:82467c dentry name(?):"libc.so.6" [ 53.465761] [ T2552] flags: 0x2000000000416c(referenced|uptodate|lru|active|private|head|node=0|zone=2) [ 53.465764] [ T2552] raw: 002000000000416c ffffea0004021f08 ffffea0004021908 ffff88813ff4f6a8 [ 53.465767] [ T2552] raw: 0000000000000110 ffff888133d8bd40 0000005500000013 ffff888003573000 [ 53.465768] [ T2552] head: 002000000000416c ffffea0004021f08 ffffea0004021908 ffff88813ff4f6a8 [ 53.465770] [ T2552] head: 0000000000000110 ffff888133d8bd40 0000005500000013 ffff888003573000 [ 53.465772] [ T2552] head: 0020000000000202 ffffea0004021701 000000040000004f 00000000ffffffff [ 53.465774] [ T2552] head: 0000000300000003 8000000300000002 0000000000000013 0000000000000004 [ 53.465775] [ T2552] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio) Original code works as expected everywhere, except on XEN PV, where pte_advance_pfn() can yield a pte_none() after balloon inflation due to MFNs invalidation. In XEN, pte_advance_pfn() ends up calling __pte()->xen_make_pte()->pte_pfn_to_mfn(), which returns pte_none() when mfn == INVALID_P2M_ENTRY. The pte_pfn_to_mfn() documents that nastiness: If there's no mfn for the pfn, then just create an empty non-present pte. Unfortunately this loses information about the original pfn, so pte_mfn_to_pfn is asymmetric. While such hacks should certainly be removed, we can do better in folio_pte_batch() and simply check ahead of time how many PTEs we can possibly batch in our folio. This way, we can not only fix the issue but cleanup the code: removing the pte_pfn() check inside the loop body and avoiding end_ptr comparison + arithmetic. Link: https://lkml.kernel.org/r/20250502215019.822-2-arkamar@atlas.cz Fixes: f8d937761d65 ("mm/memory: optimize fork() with PTE-mapped THP") Co-developed-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Petr Van��k <arkamar(a)atlas.cz> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) --- a/mm/internal.h~mm-fix-folio_pte_batch-on-xen-pv +++ a/mm/internal.h @@ -248,11 +248,9 @@ static inline int folio_pte_batch(struct pte_t *start_ptep, pte_t pte, int max_nr, fpb_t flags, bool *any_writable, bool *any_young, bool *any_dirty) { - unsigned long folio_end_pfn = folio_pfn(folio) + folio_nr_pages(folio); - const pte_t *end_ptep = start_ptep + max_nr; pte_t expected_pte, *ptep; bool writable, young, dirty; - int nr; + int nr, cur_nr; if (any_writable) *any_writable = false; @@ -265,11 +263,15 @@ static inline int folio_pte_batch(struct VM_WARN_ON_FOLIO(!folio_test_large(folio) || max_nr < 1, folio); VM_WARN_ON_FOLIO(page_folio(pfn_to_page(pte_pfn(pte))) != folio, folio); + /* Limit max_nr to the actual remaining PFNs in the folio we could batch. */ + max_nr = min_t(unsigned long, max_nr, + folio_pfn(folio) + folio_nr_pages(folio) - pte_pfn(pte)); + nr = pte_batch_hint(start_ptep, pte); expected_pte = __pte_batch_clear_ignored(pte_advance_pfn(pte, nr), flags); ptep = start_ptep + nr; - while (ptep < end_ptep) { + while (nr < max_nr) { pte = ptep_get(ptep); if (any_writable) writable = !!pte_write(pte); @@ -282,14 +284,6 @@ static inline int folio_pte_batch(struct if (!pte_same(pte, expected_pte)) break; - /* - * Stop immediately once we reached the end of the folio. In - * corner cases the next PFN might fall into a different - * folio. - */ - if (pte_pfn(pte) >= folio_end_pfn) - break; - if (any_writable) *any_writable |= writable; if (any_young) @@ -297,12 +291,13 @@ static inline int folio_pte_batch(struct if (any_dirty) *any_dirty |= dirty; - nr = pte_batch_hint(ptep, pte); - expected_pte = pte_advance_pfn(expected_pte, nr); - ptep += nr; + cur_nr = pte_batch_hint(ptep, pte); + expected_pte = pte_advance_pfn(expected_pte, cur_nr); + ptep += cur_nr; + nr += cur_nr; } - return min(ptep - start_ptep, max_nr); + return min(nr, max_nr); } /** _ Patches currently in -mm which might be from arkamar(a)atlas.cz are

8 months

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-fix-a-build-failure-on-powerpc.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: fix a build failure on powerpc has been removed from the -mm tree. Its filename was selftests-mm-fix-a-build-failure-on-powerpc.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Nysal Jan K.A." <nysal(a)linux.ibm.com> Subject: selftests/mm: fix a build failure on powerpc Date: Mon, 28 Apr 2025 18:49:35 +0530 The compiler is unaware of the size of code generated by the ".rept" assembler directive. This results in the compiler emitting branch instructions where the offset to branch to exceeds the maximum allowed value, resulting in build failures like the following: CC protection_keys /tmp/ccypKWAE.s: Assembler messages: /tmp/ccypKWAE.s:2073: Error: operand out of range (0x0000000000020158 is not between 0xffffffffffff8000 and 0x0000000000007ffc) /tmp/ccypKWAE.s:2509: Error: operand out of range (0x0000000000020130 is not between 0xffffffffffff8000 and 0x0000000000007ffc) Fix the issue by manually adding nop instructions using the preprocessor. Link: https://lkml.kernel.org/r/20250428131937.641989-2-nysal@linux.ibm.com Fixes: 46036188ea1f ("selftests/mm: build with -O2") Reported-by: Madhavan Srinivasan <maddy(a)linux.ibm.com> Signed-off-by: Nysal Jan K.A. <nysal(a)linux.ibm.com> Tested-by: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Reviewed-by: Donet Tom <donettom(a)linux.ibm.com> Tested-by: Donet Tom <donettom(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/pkey-powerpc.h | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/tools/testing/selftests/mm/pkey-powerpc.h~selftests-mm-fix-a-build-failure-on-powerpc +++ a/tools/testing/selftests/mm/pkey-powerpc.h @@ -104,8 +104,18 @@ static inline void expect_fault_on_read_ return; } +#define REPEAT_8(s) s s s s s s s s +#define REPEAT_64(s) REPEAT_8(s) REPEAT_8(s) REPEAT_8(s) REPEAT_8(s) \ + REPEAT_8(s) REPEAT_8(s) REPEAT_8(s) REPEAT_8(s) +#define REPEAT_512(s) REPEAT_64(s) REPEAT_64(s) REPEAT_64(s) REPEAT_64(s) \ + REPEAT_64(s) REPEAT_64(s) REPEAT_64(s) REPEAT_64(s) +#define REPEAT_4096(s) REPEAT_512(s) REPEAT_512(s) REPEAT_512(s) REPEAT_512(s) \ + REPEAT_512(s) REPEAT_512(s) REPEAT_512(s) REPEAT_512(s) +#define REPEAT_16384(s) REPEAT_4096(s) REPEAT_4096(s) \ + REPEAT_4096(s) REPEAT_4096(s) + /* 4-byte instructions * 16384 = 64K page */ -#define __page_o_noops() asm(".rept 16384 ; nop; .endr") +#define __page_o_noops() asm(REPEAT_16384("nop\n")) static inline void *malloc_pkey_with_mprotect_subpage(long size, int prot, u16 pkey) { _ Patches currently in -mm which might be from nysal(a)linux.ibm.com are watchdog-fix-watchdog-may-detect-false-positive-of-softlockup-fix.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-fix-build-break-when-compiling-pkey_utilc.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: fix build break when compiling pkey_util.c has been removed from the -mm tree. Its filename was selftests-mm-fix-build-break-when-compiling-pkey_utilc.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Madhavan Srinivasan <maddy(a)linux.ibm.com> Subject: selftests/mm: fix build break when compiling pkey_util.c Date: Mon, 28 Apr 2025 18:49:34 +0530 Commit 50910acd6f615 ("selftests/mm: use sys_pkey helpers consistently") added a pkey_util.c to refactor some of the protection_keys functions accessible by other tests. But this broken the build in powerpc in two ways, pkey-powerpc.h: In function `arch_is_powervm': pkey-powerpc.h:73:21: error: storage size of `buf' isn't known 73 | struct stat buf; | ^~~ pkey-powerpc.h:75:14: error: implicit declaration of function `stat'; did you mean `strcat'? [-Wimplicit-function-declaration] 75 | if ((stat("/sys/firmware/devicetree/base/ibm,partition-name", &buf) == 0) && | ^~~~ | strcat Since pkey_util.c includes pkeys-helper.h, which in turn includes pkeys-powerpc.h, stat.h including is missing for "struct stat". This is fixed by adding "sys/stat.h" in pkeys-powerpc.h Secondly, pkey-powerpc.h:55:18: warning: format `%llx' expects argument of type `long long unsigned int', but argument 3 has type `u64' {aka `long unsigned int'} [-Wformat=] 55 | dprintf4("%s() changing %016llx to %016llx\n", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 56 | __func__, __read_pkey_reg(), pkey_reg); | ~~~~~~~~~~~~~~~~~ | | | u64 {aka long unsigned int} pkey-helpers.h:63:32: note: in definition of macro `dprintf_level' 63 | sigsafe_printf(args); \ | ^~~~ These format specifier related warning are removed by adding "__SANE_USERSPACE_TYPES__" to pkeys_utils.c. Link: https://lkml.kernel.org/r/20250428131937.641989-1-nysal@linux.ibm.com Fixes: 50910acd6f61 ("selftests/mm: use sys_pkey helpers consistently") Signed-off-by: Madhavan Srinivasan <maddy(a)linux.ibm.com> Signed-off-by: Nysal Jan K.A. <nysal(a)linux.ibm.com> Tested-by: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/pkey-powerpc.h | 2 ++ tools/testing/selftests/mm/pkey_util.c | 1 + 2 files changed, 3 insertions(+) --- a/tools/testing/selftests/mm/pkey-powerpc.h~selftests-mm-fix-build-break-when-compiling-pkey_utilc +++ a/tools/testing/selftests/mm/pkey-powerpc.h @@ -3,6 +3,8 @@ #ifndef _PKEYS_POWERPC_H #define _PKEYS_POWERPC_H +#include <sys/stat.h> + #ifndef SYS_pkey_alloc # define SYS_pkey_alloc 384 # define SYS_pkey_free 385 --- a/tools/testing/selftests/mm/pkey_util.c~selftests-mm-fix-build-break-when-compiling-pkey_utilc +++ a/tools/testing/selftests/mm/pkey_util.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0-only +#define __SANE_USERSPACE_TYPES__ #include <sys/syscall.h> #include <unistd.h> _ Patches currently in -mm which might be from maddy(a)linux.ibm.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-vmalloc-support-more-granular-vrealloc-sizing.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmalloc: support more granular vrealloc() sizing has been removed from the -mm tree. Its filename was mm-vmalloc-support-more-granular-vrealloc-sizing.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kees Cook <kees(a)kernel.org> Subject: mm: vmalloc: support more granular vrealloc() sizing Date: Fri, 25 Apr 2025 17:11:07 -0700 Introduce struct vm_struct::requested_size so that the requested (re)allocation size is retained separately from the allocated area size. This means that KASAN will correctly poison the correct spans of requested bytes. This also means we can support growing the usable portion of an allocation that can already be supported by the existing area's existing allocation. Link: https://lkml.kernel.org/r/20250426001105.it.679-kees@kernel.org Fixes: 3ddc2fefe6f3 ("mm: vmalloc: implement vrealloc()") Signed-off-by: Kees Cook <kees(a)kernel.org> Reported-by: Erhard Furtner <erhard_f(a)mailbox.org> Closes: https://lore.kernel.org/all/20250408192503.6149a816@outsider.home/ Reviewed-by: Danilo Krummrich <dakr(a)kernel.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/vmalloc.h | 1 + mm/vmalloc.c | 31 ++++++++++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) --- a/include/linux/vmalloc.h~mm-vmalloc-support-more-granular-vrealloc-sizing +++ a/include/linux/vmalloc.h @@ -61,6 +61,7 @@ struct vm_struct { unsigned int nr_pages; phys_addr_t phys_addr; const void *caller; + unsigned long requested_size; }; struct vmap_area { --- a/mm/vmalloc.c~mm-vmalloc-support-more-granular-vrealloc-sizing +++ a/mm/vmalloc.c @@ -1940,7 +1940,7 @@ static inline void setup_vmalloc_vm(stru { vm->flags = flags; vm->addr = (void *)va->va_start; - vm->size = va_size(va); + vm->size = vm->requested_size = va_size(va); vm->caller = caller; va->vm = vm; } @@ -3133,6 +3133,7 @@ struct vm_struct *__get_vm_area_node(uns area->flags = flags; area->caller = caller; + area->requested_size = requested_size; va = alloc_vmap_area(size, align, start, end, node, gfp_mask, 0, area); if (IS_ERR(va)) { @@ -4063,6 +4064,8 @@ EXPORT_SYMBOL(vzalloc_node_noprof); */ void *vrealloc_noprof(const void *p, size_t size, gfp_t flags) { + struct vm_struct *vm = NULL; + size_t alloced_size = 0; size_t old_size = 0; void *n; @@ -4072,15 +4075,17 @@ void *vrealloc_noprof(const void *p, siz } if (p) { - struct vm_struct *vm; - vm = find_vm_area(p); if (unlikely(!vm)) { WARN(1, "Trying to vrealloc() nonexistent vm area (%p)\n", p); return NULL; } - old_size = get_vm_area_size(vm); + alloced_size = get_vm_area_size(vm); + old_size = vm->requested_size; + if (WARN(alloced_size < old_size, + "vrealloc() has mismatched area vs requested sizes (%p)\n", p)) + return NULL; } /* @@ -4088,14 +4093,26 @@ void *vrealloc_noprof(const void *p, siz * would be a good heuristic for when to shrink the vm_area? */ if (size <= old_size) { - /* Zero out spare memory. */ - if (want_init_on_alloc(flags)) + /* Zero out "freed" memory. */ + if (want_init_on_free()) memset((void *)p + size, 0, old_size - size); + vm->requested_size = size; kasan_poison_vmalloc(p + size, old_size - size); - kasan_unpoison_vmalloc(p, size, KASAN_VMALLOC_PROT_NORMAL); return (void *)p; } + /* + * We already have the bytes available in the allocation; use them. + */ + if (size <= alloced_size) { + kasan_unpoison_vmalloc(p + old_size, size - old_size, + KASAN_VMALLOC_PROT_NORMAL); + /* Zero out "alloced" memory. */ + if (want_init_on_alloc(flags)) + memset((void *)p + old_size, 0, size - old_size); + vm->requested_size = size; + } + /* TODO: Grow the vm_area, i.e. allocate and map additional pages. */ n = __vmalloc_noprof(size, flags); if (!n) _ Patches currently in -mm which might be from kees(a)kernel.org are

8 months

1
0
0 0

[merged mm-hotfixes-stable] tools-testing-selftests-fix-guard-region-test-tmpfs-assumption.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: tools/testing/selftests: fix guard region test tmpfs assumption has been removed from the -mm tree. Its filename was tools-testing-selftests-fix-guard-region-test-tmpfs-assumption.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: tools/testing/selftests: fix guard region test tmpfs assumption Date: Fri, 25 Apr 2025 17:24:36 +0100 The current implementation of the guard region tests assume that /tmp is mounted as tmpfs, that is shmem. This isn't always the case, and at least one instance of a spurious test failure has been reported as a result. This assumption is unsafe, rushed and silly - and easily remedied by simply using memfd, so do so. We also have to fixup the readonly_file test to explicitly only be applicable to file-backed cases. Link: https://lkml.kernel.org/r/20250425162436.564002-1-lorenzo.stoakes@oracle.com Fixes: 272f37d3e99a ("tools/selftests: expand all guard region tests to file-backed") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Ryan Roberts <ryan.roberts(a)arm.com> Closes: https://lore.kernel.org/linux-mm/a2d2766b-0ab4-437b-951a-8595a7506fe9@arm.c… Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/guard-regions.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) --- a/tools/testing/selftests/mm/guard-regions.c~tools-testing-selftests-fix-guard-region-test-tmpfs-assumption +++ a/tools/testing/selftests/mm/guard-regions.c @@ -271,12 +271,16 @@ FIXTURE_SETUP(guard_regions) self->page_size = (unsigned long)sysconf(_SC_PAGESIZE); setup_sighandler(); - if (variant->backing == ANON_BACKED) + switch (variant->backing) { + case ANON_BACKED: return; - - self->fd = open_file( - variant->backing == SHMEM_BACKED ? "/tmp/" : "", - self->path); + case LOCAL_FILE_BACKED: + self->fd = open_file("", self->path); + break; + case SHMEM_BACKED: + self->fd = memfd_create(self->path, 0); + break; + } /* We truncate file to at least 100 pages, tests can modify as needed. */ ASSERT_EQ(ftruncate(self->fd, 100 * self->page_size), 0); @@ -1696,7 +1700,7 @@ TEST_F(guard_regions, readonly_file) char *ptr; int i; - if (variant->backing == ANON_BACKED) + if (variant->backing != LOCAL_FILE_BACKED) SKIP(return, "Read-only test specific to file-backed"); /* Map shared so we can populate with pattern, populate it, unmap. */ _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are maintainers-add-mm-gup-section.patch mm-vma-fix-incorrectly-disallowed-anonymous-vma-merges.patch tools-testing-add-procmap_query-helper-functions-in-mm-self-tests.patch tools-testing-selftests-assert-that-anon-merge-cases-behave-as-expected.patch mm-move-mmap-vma-locking-logic-into-specific-files.patch mm-establish-mm-vma_execc-for-shared-exec-mm-vma-functionality.patch mm-abstract-initial-stack-setup-to-mm-subsystem.patch mm-move-dup_mmap-to-mm.patch mm-perform-vma-allocation-freeing-duplication-in-mm.patch mm-introduce-new-mmap_prepare-file-callback.patch mm-secretmem-convert-to-mmap_prepare-hook.patch mm-vma-remove-mmap-retry-merge.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-stop-quota-recovery-before-disabling-quotas.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: stop quota recovery before disabling quotas has been removed from the -mm tree. Its filename was ocfs2-stop-quota-recovery-before-disabling-quotas.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: ocfs2: stop quota recovery before disabling quotas Date: Thu, 24 Apr 2025 15:45:13 +0200 Currently quota recovery is synchronized with unmount using sb->s_umount semaphore. That is however prone to deadlocks because flush_workqueue(osb->ocfs2_wq) called from umount code can wait for quota recovery to complete while ocfs2_finish_quota_recovery() waits for sb->s_umount semaphore. Grabbing of sb->s_umount semaphore in ocfs2_finish_quota_recovery() is only needed to protect that function from disabling of quotas from ocfs2_dismount_volume(). Handle this problem by disabling quota recovery early during unmount in ocfs2_dismount_volume() instead so that we can drop acquisition of sb->s_umount from ocfs2_finish_quota_recovery(). Link: https://lkml.kernel.org/r/20250424134515.18933-6-jack@suse.cz Fixes: 5f530de63cfc ("ocfs2: Use s_umount for quota recovery protection") Signed-off-by: Jan Kara <jack(a)suse.cz> Reported-by: Shichangkuo <shi.changkuo(a)h3c.com> Reported-by: Murad Masimov <m.masimov(a)mt-integration.ru> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Tested-by: Heming Zhao <heming.zhao(a)suse.com> Acked-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Jun Piao <piaojun(a)huawei.com> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/journal.c | 20 ++++++++++++++++++-- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 6 ++++++ fs/ocfs2/quota_local.c | 9 ++------- fs/ocfs2/super.c | 3 +++ 5 files changed, 30 insertions(+), 9 deletions(-) --- a/fs/ocfs2/journal.c~ocfs2-stop-quota-recovery-before-disabling-quotas +++ a/fs/ocfs2/journal.c @@ -225,6 +225,11 @@ out_lock: flush_workqueue(osb->ocfs2_wq); } +void ocfs2_recovery_disable_quota(struct ocfs2_super *osb) +{ + ocfs2_recovery_disable(osb, OCFS2_REC_QUOTA_WANT_DISABLE); +} + void ocfs2_recovery_exit(struct ocfs2_super *osb) { struct ocfs2_recovery_map *rm; @@ -1489,6 +1494,18 @@ static int __ocfs2_recovery_thread(void } } restart: + if (quota_enabled) { + mutex_lock(&osb->recovery_lock); + /* Confirm that recovery thread will no longer recover quotas */ + if (osb->recovery_state == OCFS2_REC_QUOTA_WANT_DISABLE) { + osb->recovery_state = OCFS2_REC_QUOTA_DISABLED; + wake_up(&osb->recovery_event); + } + if (osb->recovery_state >= OCFS2_REC_QUOTA_DISABLED) + quota_enabled = 0; + mutex_unlock(&osb->recovery_lock); + } + status = ocfs2_super_lock(osb, 1); if (status < 0) { mlog_errno(status); @@ -1592,8 +1609,7 @@ bail: mutex_unlock(&osb->recovery_lock); - if (quota_enabled) - kfree(rm_quota); + kfree(rm_quota); return status; } --- a/fs/ocfs2/journal.h~ocfs2-stop-quota-recovery-before-disabling-quotas +++ a/fs/ocfs2/journal.h @@ -148,6 +148,7 @@ void ocfs2_wait_for_recovery(struct ocfs int ocfs2_recovery_init(struct ocfs2_super *osb); void ocfs2_recovery_exit(struct ocfs2_super *osb); +void ocfs2_recovery_disable_quota(struct ocfs2_super *osb); int ocfs2_compute_replay_slots(struct ocfs2_super *osb); void ocfs2_free_replay_slots(struct ocfs2_super *osb); --- a/fs/ocfs2/ocfs2.h~ocfs2-stop-quota-recovery-before-disabling-quotas +++ a/fs/ocfs2/ocfs2.h @@ -310,6 +310,12 @@ void ocfs2_initialize_journal_triggers(s enum ocfs2_recovery_state { OCFS2_REC_ENABLED = 0, + OCFS2_REC_QUOTA_WANT_DISABLE, + /* + * Must be OCFS2_REC_QUOTA_WANT_DISABLE + 1 for + * ocfs2_recovery_disable_quota() to work. + */ + OCFS2_REC_QUOTA_DISABLED, OCFS2_REC_WANT_DISABLE, /* * Must be OCFS2_REC_WANT_DISABLE + 1 for ocfs2_recovery_exit() to work --- a/fs/ocfs2/quota_local.c~ocfs2-stop-quota-recovery-before-disabling-quotas +++ a/fs/ocfs2/quota_local.c @@ -453,8 +453,7 @@ out: /* Sync changes in local quota file into global quota file and * reinitialize local quota file. - * The function expects local quota file to be already locked and - * s_umount locked in shared mode. */ + * The function expects local quota file to be already locked. */ static int ocfs2_recover_local_quota_file(struct inode *lqinode, int type, struct ocfs2_quota_recovery *rec) @@ -588,7 +587,6 @@ int ocfs2_finish_quota_recovery(struct o { unsigned int ino[OCFS2_MAXQUOTAS] = { LOCAL_USER_QUOTA_SYSTEM_INODE, LOCAL_GROUP_QUOTA_SYSTEM_INODE }; - struct super_block *sb = osb->sb; struct ocfs2_local_disk_dqinfo *ldinfo; struct buffer_head *bh; handle_t *handle; @@ -600,7 +598,6 @@ int ocfs2_finish_quota_recovery(struct o printk(KERN_NOTICE "ocfs2: Finishing quota recovery on device (%s) for " "slot %u\n", osb->dev_str, slot_num); - down_read(&sb->s_umount); for (type = 0; type < OCFS2_MAXQUOTAS; type++) { if (list_empty(&(rec->r_list[type]))) continue; @@ -677,7 +674,6 @@ out_put: break; } out: - up_read(&sb->s_umount); kfree(rec); return status; } @@ -843,8 +839,7 @@ static int ocfs2_local_free_info(struct ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); /* - * s_umount held in exclusive mode protects us against racing with - * recovery thread... + * ocfs2_dismount_volume() has already aborted quota recovery... */ if (oinfo->dqi_rec) { ocfs2_free_quota_recovery(oinfo->dqi_rec); --- a/fs/ocfs2/super.c~ocfs2-stop-quota-recovery-before-disabling-quotas +++ a/fs/ocfs2/super.c @@ -1812,6 +1812,9 @@ static void ocfs2_dismount_volume(struct /* Orphan scan should be stopped as early as possible */ ocfs2_orphan_scan_stop(osb); + /* Stop quota recovery so that we can disable quotas */ + ocfs2_recovery_disable_quota(osb); + ocfs2_disable_quotas(osb); /* All dquots should be freed by now */ _ Patches currently in -mm which might be from jack(a)suse.cz are

8 months

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-implement-handshaking-with-ocfs2-recovery-thread.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: implement handshaking with ocfs2 recovery thread has been removed from the -mm tree. Its filename was ocfs2-implement-handshaking-with-ocfs2-recovery-thread.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: ocfs2: implement handshaking with ocfs2 recovery thread Date: Thu, 24 Apr 2025 15:45:12 +0200 We will need ocfs2 recovery thread to acknowledge transitions of recovery_state when disabling particular types of recovery. This is similar to what currently happens when disabling recovery completely, just more general. Implement the handshake and use it for exit from recovery. Link: https://lkml.kernel.org/r/20250424134515.18933-5-jack@suse.cz Fixes: 5f530de63cfc ("ocfs2: Use s_umount for quota recovery protection") Signed-off-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Tested-by: Heming Zhao <heming.zhao(a)suse.com> Acked-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Jun Piao <piaojun(a)huawei.com> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Murad Masimov <m.masimov(a)mt-integration.ru> Cc: Shichangkuo <shi.changkuo(a)h3c.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/journal.c | 52 ++++++++++++++++++++++++++++--------------- fs/ocfs2/ocfs2.h | 4 +++ 2 files changed, 39 insertions(+), 17 deletions(-) --- a/fs/ocfs2/journal.c~ocfs2-implement-handshaking-with-ocfs2-recovery-thread +++ a/fs/ocfs2/journal.c @@ -190,31 +190,48 @@ int ocfs2_recovery_init(struct ocfs2_sup return 0; } -/* we can't grab the goofy sem lock from inside wait_event, so we use - * memory barriers to make sure that we'll see the null task before - * being woken up */ static int ocfs2_recovery_thread_running(struct ocfs2_super *osb) { - mb(); return osb->recovery_thread_task != NULL; } -void ocfs2_recovery_exit(struct ocfs2_super *osb) +static void ocfs2_recovery_disable(struct ocfs2_super *osb, + enum ocfs2_recovery_state state) { - struct ocfs2_recovery_map *rm; - - /* disable any new recovery threads and wait for any currently - * running ones to exit. Do this before setting the vol_state. */ mutex_lock(&osb->recovery_lock); - osb->recovery_state = OCFS2_REC_DISABLED; + /* + * If recovery thread is not running, we can directly transition to + * final state. + */ + if (!ocfs2_recovery_thread_running(osb)) { + osb->recovery_state = state + 1; + goto out_lock; + } + osb->recovery_state = state; + /* Wait for recovery thread to acknowledge state transition */ + wait_event_cmd(osb->recovery_event, + !ocfs2_recovery_thread_running(osb) || + osb->recovery_state >= state + 1, + mutex_unlock(&osb->recovery_lock), + mutex_lock(&osb->recovery_lock)); +out_lock: mutex_unlock(&osb->recovery_lock); - wait_event(osb->recovery_event, !ocfs2_recovery_thread_running(osb)); - /* At this point, we know that no more recovery threads can be - * launched, so wait for any recovery completion work to - * complete. */ + /* + * At this point we know that no more recovery work can be queued so + * wait for any recovery completion work to complete. + */ if (osb->ocfs2_wq) flush_workqueue(osb->ocfs2_wq); +} + +void ocfs2_recovery_exit(struct ocfs2_super *osb) +{ + struct ocfs2_recovery_map *rm; + + /* disable any new recovery threads and wait for any currently + * running ones to exit. Do this before setting the vol_state. */ + ocfs2_recovery_disable(osb, OCFS2_REC_WANT_DISABLE); /* * Now that recovery is shut down, and the osb is about to be @@ -1569,7 +1586,8 @@ bail: ocfs2_free_replay_slots(osb); osb->recovery_thread_task = NULL; - mb(); /* sync with ocfs2_recovery_thread_running */ + if (osb->recovery_state == OCFS2_REC_WANT_DISABLE) + osb->recovery_state = OCFS2_REC_DISABLED; wake_up(&osb->recovery_event); mutex_unlock(&osb->recovery_lock); @@ -1585,13 +1603,13 @@ void ocfs2_recovery_thread(struct ocfs2_ int was_set = -1; mutex_lock(&osb->recovery_lock); - if (osb->recovery_state < OCFS2_REC_DISABLED) + if (osb->recovery_state < OCFS2_REC_WANT_DISABLE) was_set = ocfs2_recovery_map_set(osb, node_num); trace_ocfs2_recovery_thread(node_num, osb->node_num, osb->recovery_state, osb->recovery_thread_task, was_set); - if (osb->recovery_state == OCFS2_REC_DISABLED) + if (osb->recovery_state >= OCFS2_REC_WANT_DISABLE) goto out; if (osb->recovery_thread_task) --- a/fs/ocfs2/ocfs2.h~ocfs2-implement-handshaking-with-ocfs2-recovery-thread +++ a/fs/ocfs2/ocfs2.h @@ -310,6 +310,10 @@ void ocfs2_initialize_journal_triggers(s enum ocfs2_recovery_state { OCFS2_REC_ENABLED = 0, + OCFS2_REC_WANT_DISABLE, + /* + * Must be OCFS2_REC_WANT_DISABLE + 1 for ocfs2_recovery_exit() to work + */ OCFS2_REC_DISABLED, }; _ Patches currently in -mm which might be from jack(a)suse.cz are

8 months

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-switch-osb-disable_recovery-to-enum.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: switch osb->disable_recovery to enum has been removed from the -mm tree. Its filename was ocfs2-switch-osb-disable_recovery-to-enum.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: ocfs2: switch osb->disable_recovery to enum Date: Thu, 24 Apr 2025 15:45:11 +0200 Patch series "ocfs2: Fix deadlocks in quota recovery", v3. This implements another approach to fixing quota recovery deadlocks. We avoid grabbing sb->s_umount semaphore from ocfs2_finish_quota_recovery() and instead stop quota recovery early in ocfs2_dismount_volume(). This patch (of 3): We will need more recovery states than just pure enable / disable to fix deadlocks with quota recovery. Switch osb->disable_recovery to enum. Link: https://lkml.kernel.org/r/20250424134301.1392-1-jack@suse.cz Link: https://lkml.kernel.org/r/20250424134515.18933-4-jack@suse.cz Fixes: 5f530de63cfc ("ocfs2: Use s_umount for quota recovery protection") Signed-off-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Tested-by: Heming Zhao <heming.zhao(a)suse.com> Acked-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: Murad Masimov <m.masimov(a)mt-integration.ru> Cc: Shichangkuo <shi.changkuo(a)h3c.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/journal.c | 14 ++++++++------ fs/ocfs2/ocfs2.h | 7 ++++++- 2 files changed, 14 insertions(+), 7 deletions(-) --- a/fs/ocfs2/journal.c~ocfs2-switch-osb-disable_recovery-to-enum +++ a/fs/ocfs2/journal.c @@ -174,7 +174,7 @@ int ocfs2_recovery_init(struct ocfs2_sup struct ocfs2_recovery_map *rm; mutex_init(&osb->recovery_lock); - osb->disable_recovery = 0; + osb->recovery_state = OCFS2_REC_ENABLED; osb->recovery_thread_task = NULL; init_waitqueue_head(&osb->recovery_event); @@ -206,7 +206,7 @@ void ocfs2_recovery_exit(struct ocfs2_su /* disable any new recovery threads and wait for any currently * running ones to exit. Do this before setting the vol_state. */ mutex_lock(&osb->recovery_lock); - osb->disable_recovery = 1; + osb->recovery_state = OCFS2_REC_DISABLED; mutex_unlock(&osb->recovery_lock); wait_event(osb->recovery_event, !ocfs2_recovery_thread_running(osb)); @@ -1582,14 +1582,16 @@ bail: void ocfs2_recovery_thread(struct ocfs2_super *osb, int node_num) { + int was_set = -1; + mutex_lock(&osb->recovery_lock); + if (osb->recovery_state < OCFS2_REC_DISABLED) + was_set = ocfs2_recovery_map_set(osb, node_num); trace_ocfs2_recovery_thread(node_num, osb->node_num, - osb->disable_recovery, osb->recovery_thread_task, - osb->disable_recovery ? - -1 : ocfs2_recovery_map_set(osb, node_num)); + osb->recovery_state, osb->recovery_thread_task, was_set); - if (osb->disable_recovery) + if (osb->recovery_state == OCFS2_REC_DISABLED) goto out; if (osb->recovery_thread_task) --- a/fs/ocfs2/ocfs2.h~ocfs2-switch-osb-disable_recovery-to-enum +++ a/fs/ocfs2/ocfs2.h @@ -308,6 +308,11 @@ enum ocfs2_journal_trigger_type { void ocfs2_initialize_journal_triggers(struct super_block *sb, struct ocfs2_triggers triggers[]); +enum ocfs2_recovery_state { + OCFS2_REC_ENABLED = 0, + OCFS2_REC_DISABLED, +}; + struct ocfs2_journal; struct ocfs2_slot_info; struct ocfs2_recovery_map; @@ -370,7 +375,7 @@ struct ocfs2_super struct ocfs2_recovery_map *recovery_map; struct ocfs2_replay_map *replay_map; struct task_struct *recovery_thread_task; - int disable_recovery; + enum ocfs2_recovery_state recovery_state; wait_queue_head_t checkpoint_event; struct ocfs2_journal *journal; unsigned long osb_commit_interval; _ Patches currently in -mm which might be from jack(a)suse.cz are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/userfaultfd: fix uninitialized output field for -EAGAIN race has been removed from the -mm tree. Its filename was mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Peter Xu <peterx(a)redhat.com> Subject: mm/userfaultfd: fix uninitialized output field for -EAGAIN race Date: Thu, 24 Apr 2025 17:57:28 -0400 While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/userfaultfd.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) --- a/fs/userfaultfd.c~mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race +++ a/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userf user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct u user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct u user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(str user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userf user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */ _ Patches currently in -mm which might be from peterx(a)redhat.com are mm-selftests-add-a-test-to-verify-mmap_changing-race-with-eagain.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: compaction_test: support platform with huge mount of memory has been removed from the -mm tree. Its filename was selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Feng Tang <feng.tang(a)linux.alibaba.com> Subject: selftests/mm: compaction_test: support platform with huge mount of memory Date: Wed, 23 Apr 2025 18:36:45 +0800 When running mm selftest to verify mm patches, 'compaction_test' case failed on an x86 server with 1TB memory. And the root cause is that it has too much free memory than what the test supports. The test case tries to allocate 100000 huge pages, which is about 200 GB for that x86 server, and when it succeeds, it expects it's large than 1/3 of 80% of the free memory in system. This logic only works for platform with 750 GB ( 200 / (1/3) / 80% ) or less free memory, and may raise false alarm for others. Fix it by changing the fixed page number to self-adjustable number according to the real number of free memory. Link: https://lkml.kernel.org/r/20250423103645.2758-1-feng.tang@linux.alibaba.com Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") Signed-off-by: Feng Tang <feng.tang(a)linux.alibaba.com> Acked-by: Dev Jain <dev.jain(a)arm.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Tested-by: Baolin Wang <baolin.wang(a)inux.alibaba.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Sri Jayaramappa <sjayaram(a)akamai.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/compaction_test.c | 19 ++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- a/tools/testing/selftests/mm/compaction_test.c~selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory +++ a/tools/testing/selftests/mm/compaction_test.c @@ -90,6 +90,8 @@ int check_compaction(unsigned long mem_f int compaction_index = 0; char nr_hugepages[20] = {0}; char init_nr_hugepages[24] = {0}; + char target_nr_hugepages[24] = {0}; + int slen; snprintf(init_nr_hugepages, sizeof(init_nr_hugepages), "%lu", initial_nr_hugepages); @@ -106,11 +108,18 @@ int check_compaction(unsigned long mem_f goto out; } - /* Request a large number of huge pages. The Kernel will allocate - as much as it can */ - if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { - ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", - strerror(errno)); + /* + * Request huge pages for about half of the free memory. The Kernel + * will allocate as much as it can, and we expect it will get at least 1/3 + */ + nr_hugepages_ul = mem_free / hugepage_size / 2; + snprintf(target_nr_hugepages, sizeof(target_nr_hugepages), + "%lu", nr_hugepages_ul); + + slen = strlen(target_nr_hugepages); + if (write(fd, target_nr_hugepages, slen) != slen) { + ksft_print_msg("Failed to write %lu to /proc/sys/vm/nr_hugepages: %s\n", + nr_hugepages_ul, strerror(errno)); goto close_fd; } _ Patches currently in -mm which might be from feng.tang(a)linux.alibaba.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix panic in failed foilio allocation has been removed from the -mm tree. Its filename was v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Mark Tinguely <mark.tinguely(a)oracle.com> Subject: ocfs2: fix panic in failed foilio allocation Date: Fri, 11 Apr 2025 11:31:24 -0500 commit 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") and commit 9a5e08652dc4b ("ocfs2: use an array of folios instead of an array of pages") save -ENOMEM in the folio array upon allocation failure and call the folio array free code. The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic. Fix by NULLing the error folio entry. Link: https://lkml.kernel.org/r/c879a52b-835c-4fa0-902b-8b2e9196dcbd@oracle.com Fixes: 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") Fixes: 9a5e08652dc4b ("ocfs2: use an array of folios instead of an array of pages") Signed-off-by: Mark Tinguely <mark.tinguely(a)oracle.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/alloc.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/ocfs2/alloc.c~v2-ocfs2-fix-panic-in-failed-foilio-allocation +++ a/fs/ocfs2/alloc.c @@ -6918,6 +6918,7 @@ static int ocfs2_grab_folios(struct inod if (IS_ERR(folios[numfolios])) { ret = PTR_ERR(folios[numfolios]); mlog_errno(ret); + folios[numfolios] = NULL; goto out; } _ Patches currently in -mm which might be from mark.tinguely(a)oracle.com are

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-huge_memory-fix-dereferencing-invalid-pmd-migration-entry.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/huge_memory: fix dereferencing invalid pmd migration entry has been removed from the -mm tree. Its filename was mm-huge_memory-fix-dereferencing-invalid-pmd-migration-entry.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Gavin Guo <gavinguo(a)igalia.com> Subject: mm/huge_memory: fix dereferencing invalid pmd migration entry Date: Mon, 21 Apr 2025 19:35:36 +0800 When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream. Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/ Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Cc: Florent Revest <revest(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-fix-dereferencing-invalid-pmd-migration-entry +++ a/mm/huge_memory.c @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(stru void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, bool freeze, struct folio *folio) { + bool pmd_migration = is_pmd_migration_entry(*pmd); + VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); @@ -3085,9 +3087,12 @@ void split_huge_pmd_locked(struct vm_are * require a folio to check the PMD against. Otherwise, there * is a risk of replacing the wrong folio. */ - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || - is_pmd_migration_entry(*pmd)) { - if (folio && folio != pmd_folio(*pmd)) + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { + /* + * Do not apply pmd_folio() to a migration entry; and folio lock + * guarantees that it must be of the wrong folio anyway. + */ + if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return; __split_huge_pmd_locked(vma, pmd, address, freeze); } _ Patches currently in -mm which might be from gavinguo(a)igalia.com are mm-huge_memory-adjust-try_to_migrate_one-and-split_huge_pmd_locked.patch mm-huge_memory-remove-useless-folio-pointers-passing.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-fix-the-issue-with-discontiguous-allocation-in-the-global_bitmap.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix the issue with discontiguous allocation in the global_bitmap has been removed from the -mm tree. Its filename was ocfs2-fix-the-issue-with-discontiguous-allocation-in-the-global_bitmap.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Heming Zhao <heming.zhao(a)suse.com> Subject: ocfs2: fix the issue with discontiguous allocation in the global_bitmap Date: Mon, 14 Apr 2025 14:01:23 +0800 commit 4eb7b93e0310 ("ocfs2: improve write IO performance when fragmentation is high") introduced another regression. The following ocfs2-test case can trigger this issue: > discontig_runner.sh => activate_discontig_bg.sh => resv_unwritten: > ${RESV_UNWRITTEN_BIN} -f ${WORK_PLACE}/large_testfile -s 0 -l \ > $((${FILE_MAJOR_SIZE_M}*1024*1024)) In my env, test disk size (by "fdisk -l <dev>"): > 53687091200 bytes, 104857600 sectors. Above command is: > /usr/local/ocfs2-test/bin/resv_unwritten -f \ > /mnt/ocfs2/ocfs2-activate-discontig-bg-dir/large_testfile -s 0 -l \ > 53187969024 Error log: > [*] Reserve 50724M space for a LARGE file, reserve 200M space for future test. > ioctl error 28: "No space left on device" > resv allocation failed Unknown error -1 > reserve unwritten region from 0 to 53187969024. Call flow: __ocfs2_change_file_space //by ioctl OCFS2_IOC_RESVSP64 ocfs2_allocate_unwritten_extents //start:0 len:53187969024 while() + ocfs2_get_clusters //cpos:0, alloc_size:1623168 (cluster number) + ocfs2_extend_allocation + ocfs2_lock_allocators | + choose OCFS2_AC_USE_MAIN & ocfs2_cluster_group_search | + ocfs2_add_inode_data ocfs2_add_clusters_in_btree __ocfs2_claim_clusters ocfs2_claim_suballoc_bits + During the allocation of the final part of the large file (after ~47GB), no chain had the required contiguous bits_wanted. Consequently, the allocation failed. How to fix: When OCFS2 is encountering fragmented allocation, the file system should stop attempting bits_wanted contiguous allocation and instead provide the largest available contiguous free bits from the cluster groups. Link: https://lkml.kernel.org/r/20250414060125.19938-2-heming.zhao@suse.com Fixes: 4eb7b93e0310 ("ocfs2: improve write IO performance when fragmentation is high") Signed-off-by: Heming Zhao <heming.zhao(a)suse.com> Reported-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/suballoc.c | 38 ++++++++++++++++++++++++++++++++------ fs/ocfs2/suballoc.h | 1 + 2 files changed, 33 insertions(+), 6 deletions(-) --- a/fs/ocfs2/suballoc.c~ocfs2-fix-the-issue-with-discontiguous-allocation-in-the-global_bitmap +++ a/fs/ocfs2/suballoc.c @@ -698,10 +698,12 @@ static int ocfs2_block_group_alloc(struc bg_bh = ocfs2_block_group_alloc_contig(osb, handle, alloc_inode, ac, cl); - if (PTR_ERR(bg_bh) == -ENOSPC) + if (PTR_ERR(bg_bh) == -ENOSPC) { + ac->ac_which = OCFS2_AC_USE_MAIN_DISCONTIG; bg_bh = ocfs2_block_group_alloc_discontig(handle, alloc_inode, ac, cl); + } if (IS_ERR(bg_bh)) { status = PTR_ERR(bg_bh); bg_bh = NULL; @@ -1794,6 +1796,7 @@ static int ocfs2_search_chain(struct ocf { int status; u16 chain; + u32 contig_bits; u64 next_group; struct inode *alloc_inode = ac->ac_inode; struct buffer_head *group_bh = NULL; @@ -1819,10 +1822,21 @@ static int ocfs2_search_chain(struct ocf status = -ENOSPC; /* for now, the chain search is a bit simplistic. We just use * the 1st group with any empty bits. */ - while ((status = ac->ac_group_search(alloc_inode, group_bh, - bits_wanted, min_bits, - ac->ac_max_block, - res)) == -ENOSPC) { + while (1) { + if (ac->ac_which == OCFS2_AC_USE_MAIN_DISCONTIG) { + contig_bits = le16_to_cpu(bg->bg_contig_free_bits); + if (!contig_bits) + contig_bits = ocfs2_find_max_contig_free_bits(bg->bg_bitmap, + le16_to_cpu(bg->bg_bits), 0); + if (bits_wanted > contig_bits && contig_bits >= min_bits) + bits_wanted = contig_bits; + } + + status = ac->ac_group_search(alloc_inode, group_bh, + bits_wanted, min_bits, + ac->ac_max_block, res); + if (status != -ENOSPC) + break; if (!bg->bg_next_group) break; @@ -1982,6 +1996,7 @@ static int ocfs2_claim_suballoc_bits(str victim = ocfs2_find_victim_chain(cl); ac->ac_chain = victim; +search: status = ocfs2_search_chain(ac, handle, bits_wanted, min_bits, res, &bits_left); if (!status) { @@ -2022,6 +2037,16 @@ static int ocfs2_claim_suballoc_bits(str } } + /* Chains can't supply the bits_wanted contiguous space. + * We should switch to using every single bit when allocating + * from the global bitmap. */ + if (i == le16_to_cpu(cl->cl_next_free_rec) && + status == -ENOSPC && ac->ac_which == OCFS2_AC_USE_MAIN) { + ac->ac_which = OCFS2_AC_USE_MAIN_DISCONTIG; + ac->ac_chain = victim; + goto search; + } + set_hint: if (status != -ENOSPC) { /* If the next search of this group is not likely to @@ -2365,7 +2390,8 @@ int __ocfs2_claim_clusters(handle_t *han BUG_ON(ac->ac_bits_given >= ac->ac_bits_wanted); BUG_ON(ac->ac_which != OCFS2_AC_USE_LOCAL - && ac->ac_which != OCFS2_AC_USE_MAIN); + && ac->ac_which != OCFS2_AC_USE_MAIN + && ac->ac_which != OCFS2_AC_USE_MAIN_DISCONTIG); if (ac->ac_which == OCFS2_AC_USE_LOCAL) { WARN_ON(min_clusters > 1); --- a/fs/ocfs2/suballoc.h~ocfs2-fix-the-issue-with-discontiguous-allocation-in-the-global_bitmap +++ a/fs/ocfs2/suballoc.h @@ -29,6 +29,7 @@ struct ocfs2_alloc_context { #define OCFS2_AC_USE_MAIN 2 #define OCFS2_AC_USE_INODE 3 #define OCFS2_AC_USE_META 4 +#define OCFS2_AC_USE_MAIN_DISCONTIG 5 u32 ac_which; /* these are used by the chain search */ _ Patches currently in -mm which might be from heming.zhao(a)suse.com are

8 months

1
0
0 0

+ x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: x86/kexec: fix potential cmem->ranges out of bounds has been added to the -mm mm-hotfixes-unstable branch. Its filename is x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: fuqiang wang <fuqiang.wang(a)easystack.cn> Subject: x86/kexec: fix potential cmem->ranges out of bounds Date: Mon, 8 Jan 2024 21:06:47 +0800 In memmap_exclude_ranges(), elfheader will be excluded from crashk_res. In the current x86 architecture code, the elfheader is always allocated at crashk_res.start. It seems that there won't be a new split range. But it depends on the allocation position of elfheader in crashk_res. To avoid potential out of bounds in future, add a extra slot. The similar issue also exists in fill_up_crash_elf_data(). The range to be excluded is [0, 1M], start (0) is special and will not appear in the middle of existing cmem->ranges[]. But in cast the low 1M could be changed in the future, add a extra slot too. Without this patch, kdump kernel will fail to be loaded by kexec_file_load, [ 139.736948] UBSAN: array-index-out-of-bounds in arch/x86/kernel/crash.c:350:25 [ 139.742360] index 0 is out of range for type 'range [*]' [ 139.745695] CPU: 0 UID: 0 PID: 5778 Comm: kexec Not tainted 6.15.0-0.rc3.20250425git02ddfb981de8.32.fc43.x86_64 #1 PREEMPT(lazy) [ 139.745698] Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 [ 139.745699] Call Trace: [ 139.745700] <TASK> [ 139.745701] dump_stack_lvl+0x5d/0x80 [ 139.745706] ubsan_epilogue+0x5/0x2b [ 139.745709] __ubsan_handle_out_of_bounds.cold+0x54/0x59 [ 139.745711] crash_setup_memmap_entries+0x2d9/0x330 [ 139.745716] setup_boot_parameters+0xf8/0x6a0 [ 139.745720] bzImage64_load+0x41b/0x4e0 [ 139.745722] ? find_next_iomem_res+0x109/0x140 [ 139.745727] ? locate_mem_hole_callback+0x109/0x170 [ 139.745737] kimage_file_alloc_init+0x1ef/0x3e0 [ 139.745740] __do_sys_kexec_file_load+0x180/0x2f0 [ 139.745742] do_syscall_64+0x7b/0x160 [ 139.745745] ? do_user_addr_fault+0x21a/0x690 [ 139.745747] ? exc_page_fault+0x7e/0x1a0 [ 139.745749] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 139.745751] RIP: 0033:0x7f7712c84e4d Previously discussed link: [1] https://lore.kernel.org/kexec/ZXk2oBf%2FT1Ul6o0c@MiWiFi-R3L-srv/ [2] https://lore.kernel.org/kexec/273284e8-7680-4f5f-8065-c5d780987e59@easystac… [3] https://lore.kernel.org/kexec/ZYQ6O%2F57sHAPxTHm@MiWiFi-R3L-srv/ Link: https://lkml.kernel.org/r/20240108130720.228478-1-fuqiang.wang@easystack.cn Signed-off-by: fuqiang wang <fuqiang.wang(a)easystack.cn> Acked-by: Baoquan He <bhe(a)redhat.com> Reported-by: Coiby Xu <coxu(a)redhat.com> Closes: https://lkml.kernel.org/r/4de3c2onosr7negqnfhekm4cpbklzmsimgdfv33c52dktqpza… Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: <x86(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/kernel/crash.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) --- a/arch/x86/kernel/crash.c~x86-kexec-fix-potential-cmem-ranges-out-of-bounds +++ a/arch/x86/kernel/crash.c @@ -165,8 +165,18 @@ static struct crash_mem *fill_up_crash_e /* * Exclusion of crash region and/or crashk_low_res may cause * another range split. So add extra two slots here. + * + * Exclusion of low 1M may not cause another range split, because the + * range of exclude is [0, 1M] and the condition for splitting a new + * region is that the start, end parameters are both in a certain + * existing region in cmem and cannot be equal to existing region's + * start or end. Obviously, the start of [0, 1M] cannot meet this + * condition. + * + * But in order to lest the low 1M could be changed in the future, + * (e.g. [stare, 1M]), add a extra slot. */ - nr_ranges += 2; + nr_ranges += 3; cmem = vzalloc(struct_size(cmem, ranges, nr_ranges)); if (!cmem) return NULL; @@ -298,9 +308,16 @@ int crash_setup_memmap_entries(struct ki struct crash_memmap_data cmd; struct crash_mem *cmem; - cmem = vzalloc(struct_size(cmem, ranges, 1)); + /* + * In the current x86 architecture code, the elfheader is always + * allocated at crashk_res.start. But it depends on the allocation + * position of elfheader in crashk_res. To avoid potential out of + * bounds in future, add a extra slot. + */ + cmem = vzalloc(struct_size(cmem, ranges, 2)); if (!cmem) return -ENOMEM; + cmem->max_nr_ranges = 2; memset(&cmd, 0, sizeof(struct crash_memmap_data)); cmd.params = params; _ Patches currently in -mm which might be from fuqiang.wang(a)easystack.cn are x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch

8 months

1
0
0 0

[PATCH] wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> The hdr_trans_tlv function call has been moved inside the conditional block to ensure it is executed when info->enable is true. Cc: stable(a)vger.kernel.org Fixes: cb1353ef3473 ("wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index a42b584634ab..fd756f0d18f8 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -2183,14 +2183,14 @@ mt7925_mcu_sta_cmd(struct mt76_phy *phy, mt7925_mcu_sta_mld_tlv(skb, info->vif, info->link_sta->sta); mt7925_mcu_sta_eht_mld_tlv(skb, info->vif, info->link_sta->sta); } - - mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } if (!info->enable) { mt7925_mcu_sta_remove_tlv(skb); mt76_connac_mcu_add_tlv(skb, STA_REC_MLD_OFF, sizeof(struct tlv)); + } else { + mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } return mt76_mcu_skb_send_msg(dev, skb, info->cmd, true); -- 2.34.1

8 months

1
0
0 0

+ mm-fix-vm_uffd_minor-==-vm_shadow_stack-on-userfaultfd=y-arm64_gcs=y.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-fix-vm_uffd_minor-==-vm_shadow_stack-on-userfaultfd=y-arm64_gcs=y.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Florent Revest <revest(a)chromium.org> Subject: mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y Date: Wed, 7 May 2025 15:09:57 +0200 On configs with CONFIG_ARM64_GCS=y, VM_SHADOW_STACK is bit 38. On configs with CONFIG_HAVE_ARCH_USERFAULTFD_MINOR=y (selected by CONFIG_ARM64 when CONFIG_USERFAULTFD=y), VM_UFFD_MINOR is _also_ bit 38. This bit being shared by two different VMA flags could lead to all sorts of unintended behaviors. Presumably, a process could maybe call into userfaultfd in a way that disables the shadow stack vma flag. I can't think of any attack where this would help (presumably, if an attacker tries to disable shadow stacks, they are trying to hijack control flow so can't arbitrarily call into userfaultfd yet anyway) but this still feels somewhat scary. Link: https://lkml.kernel.org/r/20250507131000.1204175-2-revest@chromium.org Fixes: ae80e1629aea ("mm: Define VM_SHADOW_STACK for arm64 when we support GCS") Signed-off-by: Florent Revest <revest(a)chromium.org> Reviewed-by: Mark Brown <broonie(a)kernel.org> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Florent Revest <revest(a)chromium.org> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Thiago Jung Bauermann <thiago.bauermann(a)linaro.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/mm.h~mm-fix-vm_uffd_minor-==-vm_shadow_stack-on-userfaultfd=y-arm64_gcs=y +++ a/include/linux/mm.h @@ -385,7 +385,7 @@ extern unsigned int kobjsize(const void #endif #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR -# define VM_UFFD_MINOR_BIT 38 +# define VM_UFFD_MINOR_BIT 41 # define VM_UFFD_MINOR BIT(VM_UFFD_MINOR_BIT) /* UFFD minor faults */ #else /* !CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ # define VM_UFFD_MINOR VM_NONE _ Patches currently in -mm which might be from revest(a)chromium.org are mm-fix-vm_uffd_minor-==-vm_shadow_stack-on-userfaultfd=y-arm64_gcs=y.patch

8 months

1
0
0 0

+ mm-mmap-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-mmap-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> Subject: mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled Date: Wed, 07 May 2025 15:28:06 +0200 commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") maps the mmap option MAP_STACK to VM_NOHUGEPAGE. This is also done if CONFIG_TRANSPARENT_HUGEPAGE is not defined. But in that case, the VM_NOHUGEPAGE does not make sense. I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGEPAGE. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGEPAGE is not defined. Link: https://lkml.kernel.org/r/20250507-map-map_stack-to-vm_nohugepage-only-if-t… Fixes: c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") Signed-off-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mman.h | 2 ++ 1 file changed, 2 insertions(+) --- a/include/linux/mman.h~mm-mmap-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled +++ a/include/linux/mman.h @@ -155,7 +155,9 @@ calc_vm_flag_bits(struct file *file, uns return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | +#ifdef CONFIG_TRANSPARENT_HUGEPAGE _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | +#endif arch_calc_vm_flag_bits(file, flags); } _ Patches currently in -mm which might be from Ignacio.MorenoGonzalez(a)kuka.com are mm-mmap-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled.patch

8 months

1
0
0 0

[to-be-updated] mm-vmscan-avoid-signedness-error-for-gcc-54.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmscan: avoid signedness error for GCC 5.4 has been removed from the -mm tree. Its filename was mm-vmscan-avoid-signedness-error-for-gcc-54.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: WangYuli <wangyuli(a)uniontech.com> Subject: mm: vmscan: avoid signedness error for GCC 5.4 Date: Wed, 7 May 2025 12:08:27 +0800 To the GCC 5.4 compiler, (MAX_NR_TIERS - 1) (i.e., (4U - 1)) is unsigned, whereas tier is a signed integer. Then, the __types_ok check within the __careful_cmp_once macro failed, triggered BUILD_BUG_ON. Use min_t instead of min to circumvent this compiler error. Fix follow error with gcc 5.4: mm/vmscan.c: In function `read_ctrl_pos': mm/vmscan.c:3166:728: error: call to `__compiletime_assert_887' declared with attribute error: min(tier, 4U - 1) signedness error Link: https://lkml.kernel.org/r/62726950F697595A+20250507040827.1147510-1-wangyul… Fixes: 37a260870f2c ("mm/mglru: rework type selection") Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: David Laight <david.laight.linux(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/vmscan.c~mm-vmscan-avoid-signedness-error-for-gcc-54 +++ a/mm/vmscan.c @@ -3163,7 +3163,7 @@ static void read_ctrl_pos(struct lruvec pos->gain = gain; pos->refaulted = pos->total = 0; - for (i = tier % MAX_NR_TIERS; i <= min(tier, MAX_NR_TIERS - 1); i++) { + for (i = tier % MAX_NR_TIERS; i <= min_t(int, tier, MAX_NR_TIERS - 1); i++) { pos->refaulted += lrugen->avg_refaulted[type][i] + atomic_long_read(&lrugen->refaulted[hist][type][i]); pos->total += lrugen->avg_total[type][i] + _ Patches currently in -mm which might be from wangyuli(a)uniontech.com are ocfs2-o2net_idle_timer-rename-del_timer_sync-in-comment.patch treewide-fix-typo-previlege.patch

8 months

1
0
0 0

+ mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/page_alloc: fix race condition in unaccepted memory handling has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Subject: mm/page_alloc: fix race condition in unaccepted memory handling Date: Tue, 6 May 2025 16:32:07 +0300 The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory. Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone. Sanity checks inside static_branch machinery detects it: WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0 The comment around the WARN() explains the problem: /* * Warn about the '-1' case though; since that means a * decrement is concurrent with a first (0->1) increment. IOW * people are trying to disable something that wasn't yet fully * enabled. This suggests an ordering problem on the user side. */ The effect of this static_branch optimization is only visible on microbenchmark. Instead of adding more complexity around it, remove it altogether. Link: https://lkml.kernel.org/r/20250506133207.1009676-1-kirill.shutemov@linux.in… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory") Link: https://lore.kernel.org/all/20250506092445.GBaBnVXXyvnazly6iF@fat_crate.loc… Reported-by: Borislav Petkov <bp(a)alien8.de> Tested-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reported-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> [6.5+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 1 mm/mm_init.c | 1 mm/page_alloc.c | 47 ---------------------------------------------- 3 files changed, 49 deletions(-) --- a/mm/internal.h~mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling +++ a/mm/internal.h @@ -1590,7 +1590,6 @@ unsigned long move_page_tables(struct pa #ifdef CONFIG_UNACCEPTED_MEMORY void accept_page(struct page *page); -void unaccepted_cleanup_work(struct work_struct *work); #else /* CONFIG_UNACCEPTED_MEMORY */ static inline void accept_page(struct page *page) { --- a/mm/mm_init.c~mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling +++ a/mm/mm_init.c @@ -1441,7 +1441,6 @@ static void __meminit zone_init_free_lis #ifdef CONFIG_UNACCEPTED_MEMORY INIT_LIST_HEAD(&zone->unaccepted_pages); - INIT_WORK(&zone->unaccepted_cleanup, unaccepted_cleanup_work); #endif } --- a/mm/page_alloc.c~mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling +++ a/mm/page_alloc.c @@ -7180,16 +7180,8 @@ bool has_managed_dma(void) #ifdef CONFIG_UNACCEPTED_MEMORY -/* Counts number of zones with unaccepted pages. */ -static DEFINE_STATIC_KEY_FALSE(zones_with_unaccepted_pages); - static bool lazy_accept = true; -void unaccepted_cleanup_work(struct work_struct *work) -{ - static_branch_dec(&zones_with_unaccepted_pages); -} - static int __init accept_memory_parse(char *p) { if (!strcmp(p, "lazy")) { @@ -7214,11 +7206,7 @@ static bool page_contains_unaccepted(str static void __accept_page(struct zone *zone, unsigned long *flags, struct page *page) { - bool last; - list_del(&page->lru); - last = list_empty(&zone->unaccepted_pages); - account_freepages(zone, -MAX_ORDER_NR_PAGES, MIGRATE_MOVABLE); __mod_zone_page_state(zone, NR_UNACCEPTED, -MAX_ORDER_NR_PAGES); __ClearPageUnaccepted(page); @@ -7227,28 +7215,6 @@ static void __accept_page(struct zone *z accept_memory(page_to_phys(page), PAGE_SIZE << MAX_PAGE_ORDER); __free_pages_ok(page, MAX_PAGE_ORDER, FPI_TO_TAIL); - - if (last) { - /* - * There are two corner cases: - * - * - If allocation occurs during the CPU bring up, - * static_branch_dec() cannot be used directly as - * it causes a deadlock on cpu_hotplug_lock. - * - * Instead, use schedule_work() to prevent deadlock. - * - * - If allocation occurs before workqueues are initialized, - * static_branch_dec() should be called directly. - * - * Workqueues are initialized before CPU bring up, so this - * will not conflict with the first scenario. - */ - if (system_wq) - schedule_work(&zone->unaccepted_cleanup); - else - unaccepted_cleanup_work(&zone->unaccepted_cleanup); - } } void accept_page(struct page *page) @@ -7285,20 +7251,12 @@ static bool try_to_accept_memory_one(str return true; } -static inline bool has_unaccepted_memory(void) -{ - return static_branch_unlikely(&zones_with_unaccepted_pages); -} - static bool cond_accept_memory(struct zone *zone, unsigned int order, int alloc_flags) { long to_accept, wmark; bool ret = false; - if (!has_unaccepted_memory()) - return false; - if (list_empty(&zone->unaccepted_pages)) return false; @@ -7336,22 +7294,17 @@ static bool __free_unaccepted(struct pag { struct zone *zone = page_zone(page); unsigned long flags; - bool first = false; if (!lazy_accept) return false; spin_lock_irqsave(&zone->lock, flags); - first = list_empty(&zone->unaccepted_pages); list_add_tail(&page->lru, &zone->unaccepted_pages); account_freepages(zone, MAX_ORDER_NR_PAGES, MIGRATE_MOVABLE); __mod_zone_page_state(zone, NR_UNACCEPTED, MAX_ORDER_NR_PAGES); __SetPageUnaccepted(page); spin_unlock_irqrestore(&zone->lock, flags); - if (first) - static_branch_inc(&zones_with_unaccepted_pages); - return true; } _ Patches currently in -mm which might be from kirill.shutemov(a)linux.intel.com are mm-page_alloc-ensure-try_alloc_pages-plays-well-with-unaccepted-memory.patch mm-page_alloc-fix-race-condition-in-unaccepted-memory-handling.patch

8 months

1
0
0 0

[PATCH net] net: qede: Initialize qede_ll_ops with designated initializer

by Nathan Chancellor

After a recent change [1] in clang's randstruct implementation to randomize structures that only contain function pointers, there is an error because qede_ll_ops get randomized but does not use a designated initializer for the first member: drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer 206 | { | ^ Explicitly initialize the common member using a designated initializer to fix the build. Cc: stable(a)vger.kernel.org Fixes: 035f7f87b729 ("randstruct: Enable Clang support") Link: https://github.com/llvm/llvm-project/commit/04364fb888eea6db9811510607bed4b… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c index 99df00c30b8c..b5d744d2586f 100644 --- a/drivers/net/ethernet/qlogic/qede/qede_main.c +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c @@ -203,7 +203,7 @@ static struct pci_driver qede_pci_driver = { }; static struct qed_eth_cb_ops qede_ll_ops = { - { + .common = { #ifdef CONFIG_RFS_ACCEL .arfs_filter_op = qede_arfs_filter_op, #endif --- base-commit: 9540984da649d46f699c47f28c68bbd3c9d99e4c change-id: 20250507-qede-fix-clang-randstruct-011a3119f5d6 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

8 months

1
0
0 0

[PATCH v3 3/3] media: omap3isp: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() functions have to be called with the number of elements originally passed to dma_map_sg_*() function, not the one returned in sgtable's nents. Fixes: d33186d0be18 ("[media] omap3isp: ccdc: Use the DMA API for LSC") Fixes: 0e24e90f2ca7 ("[media] omap3isp: stat: Use the DMA API") CC: stable(a)vger.kernel.org Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- drivers/media/platform/ti/omap3isp/ispccdc.c | 8 ++++---- drivers/media/platform/ti/omap3isp/ispstat.c | 6 ++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/media/platform/ti/omap3isp/ispccdc.c b/drivers/media/platform/ti/omap3isp/ispccdc.c index dd375c4e180d..7d0c723dcd11 100644 --- a/drivers/media/platform/ti/omap3isp/ispccdc.c +++ b/drivers/media/platform/ti/omap3isp/ispccdc.c @@ -446,8 +446,8 @@ static int ccdc_lsc_config(struct isp_ccdc_device *ccdc, if (ret < 0) goto done; - dma_sync_sg_for_cpu(isp->dev, req->table.sgt.sgl, - req->table.sgt.nents, DMA_TO_DEVICE); + dma_sync_sgtable_for_cpu(isp->dev, &req->table.sgt, + DMA_TO_DEVICE); if (copy_from_user(req->table.addr, config->lsc, req->config.size)) { @@ -455,8 +455,8 @@ static int ccdc_lsc_config(struct isp_ccdc_device *ccdc, goto done; } - dma_sync_sg_for_device(isp->dev, req->table.sgt.sgl, - req->table.sgt.nents, DMA_TO_DEVICE); + dma_sync_sgtable_for_device(isp->dev, &req->table.sgt, + DMA_TO_DEVICE); } spin_lock_irqsave(&ccdc->lsc.req_lock, flags); diff --git a/drivers/media/platform/ti/omap3isp/ispstat.c b/drivers/media/platform/ti/omap3isp/ispstat.c index 359a846205b0..d3da68408ecb 100644 --- a/drivers/media/platform/ti/omap3isp/ispstat.c +++ b/drivers/media/platform/ti/omap3isp/ispstat.c @@ -161,8 +161,7 @@ static void isp_stat_buf_sync_for_device(struct ispstat *stat, if (ISP_STAT_USES_DMAENGINE(stat)) return; - dma_sync_sg_for_device(stat->isp->dev, buf->sgt.sgl, - buf->sgt.nents, DMA_FROM_DEVICE); + dma_sync_sgtable_for_device(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE); } static void isp_stat_buf_sync_for_cpu(struct ispstat *stat, @@ -171,8 +170,7 @@ static void isp_stat_buf_sync_for_cpu(struct ispstat *stat, if (ISP_STAT_USES_DMAENGINE(stat)) return; - dma_sync_sg_for_cpu(stat->isp->dev, buf->sgt.sgl, - buf->sgt.nents, DMA_FROM_DEVICE); + dma_sync_sgtable_for_cpu(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE); } static void isp_stat_buf_clear(struct ispstat *stat) -- 2.34.1

8 months

2
1
0 0

Re: Patch "spi: tegra114: Don't fail set_cs_timing when delays are zero" has been added to the 5.15-stable tree

by Jon Hunter

On 07/05/2025 16:45, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > spi: tegra114: Don't fail set_cs_timing when delays are zero > > to the 5.15-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > spi-tegra114-don-t-fail-set_cs_timing-when-delays-ar.patch > and it can be found in the queue-5.15 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this from the stable queue because there is another fix pending to fix this fix. Jon -- nvpublic

8 months

1
0
0 0

[PATCH 6.14 000/311] 6.14.5-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.14.5 release. There are 311 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 01 May 2025 16:10:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.5-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.14.5-rc1 Herbert Xu <herbert(a)gondor.apana.org.au> crypto: Kconfig - Select LIB generic option Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Silence more KCOV warnings, part 2 Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Ignore end-of-section jumps for KCOV/GCOV Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix Short Packet handling rework ignoring errors Hannes Reinecke <hare(a)kernel.org> nvme: fixup scan failure for non-ANA multipath controllers Ming Lei <ming.lei(a)redhat.com> ublk: don't fail request for recovery & reissue in case of ubq->canceling Miguel Ojeda <ojeda(a)kernel.org> rust: kbuild: skip `--remap-path-prefix` for `rustdoc` Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> net: phy: dp83822: fix transmit amplitude if CONFIG_OF_MDIO not defined Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: cm: Fix warning if MIPS_CM is disabled Dan Carpenter <dan.carpenter(a)linaro.org> media: i2c: imx214: Fix uninitialized variable in imx214_set_ctrl() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: lib/Kconfig - Hide arch options from user Ian Abbott <abbotti(a)mev.co.uk> comedi: jr3_pci: Fix synchronous deletion of timer Daniel Borkmann <daniel(a)iogearbox.net> vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp Dmitry Torokhov <dmitry.torokhov(a)gmail.com> driver core: fix potential NULL pointer dereference in dev_uevent() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> driver core: introduce device_set_driver() helper Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Revert "drivers: core: synchronize really_probe() and dev_uevent()" Tamura Dai <kirinode0(a)gmail.com> spi: spi-imx: Add check for spi_imx_setupxfer() Ming Lei <ming.lei(a)redhat.com> ublk: rely on ->canceling for dealing with ublk_nosrv_dev_should_queue_io Ming Lei <ming.lei(a)redhat.com> ublk: add ublk_force_abort_dev() Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Use the right function for hdp flush Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Forbid suspending into non-default suspend states Christian König <christian.koenig(a)amd.com> drm/amdgpu: use a dummy owner for sysfs triggered cleaner shaders v4 Meir Elisha <meir.elisha(a)volumez.com> md/raid1: Add check for missing source disk in process_checks() Pi Xiange <xiange.pi(a)intel.com> x86/cpu: Add CPU model number for Bartlett Lake CPUs with Raptor Cove cores Damien Le Moal <dlemoal(a)kernel.org> nvmet: pci-epf: cleanup link state management Mostafa Saleh <smostafa(a)google.com> ubsan: Fix panic from test_ubsan_out_of_bounds Breno Leitao <leitao(a)debian.org> spi: tegra210-quad: add rate limiting and simplify timeout error message Breno Leitao <leitao(a)debian.org> spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix WARNING "do not call blocking ops when !TASK_RUNNING" Andrew Jones <ajones(a)ventanamicro.com> riscv: Provide all alternative macros all the time Gou Hao <gouhao(a)uniontech.com> iomap: skip unnecessary ifs_block_is_uptodate check Song Liu <song(a)kernel.org> netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Add Vexia Edu Atla 10 tablet 5V data Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Add "9v" to Vexia EDU ATLA 10 tablet symbols Fernando Fernandez Mancera <ffmancera(a)riseup.net> x86/i8253: Call clockevent_i8253_disable() with interrupts disabled Weidong Wang <wangweidong.a(a)awinic.com> ASoC: codecs: Add of_match_table for aw888081 driver Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc_dma: get codec or cpu dai from backend Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy_attached to zero when device is gone Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: gs101: Put UFS device in reset on .suspend() Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Move phy calls to .exit() callback Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init() Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: make block validity check resistent to sb bh corruption Robin Murphy <robin.murphy(a)arm.com> iommu: Clear iommu-dma ops on cleanup Pali Rohár <pali(a)kernel.org> cifs: Fix querying of WSL CHR and BLK reparse points over SMB1 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> timekeeping: Add a lockdep override in tick_freeze() Pali Rohár <pali(a)kernel.org> cifs: Fix encoding of SMB1 Session Setup Kerberos Request in non-UNICODE mode Daniel Wagner <wagi(a)kernel.org> nvmet-fc: put ref when assoc->del_work is already scheduled Daniel Wagner <wagi(a)kernel.org> nvmet-fc: take tgtport reference only once Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on context switch with eIBRS Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Use SBPB in write_ibpb() if applicable Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> selftests/mincore: Allow read-ahead pages to reach the end of the file Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: disable CPU idle and frequency drivers for PVH dom0 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: of: Move Atmel HSMCI quirk up out of the regulator comment Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Stop UNRET validation on UD2 Uday Shankar <ushankar(a)purestorage.com> nvme: multipath: fix return value of nvme_available_path Hannes Reinecke <hare(a)kernel.org> nvme: re-read ANA log page after ns scan completes Julia Filipchuk <julia.filipchuk(a)intel.com> drm/xe/xe3lpg: Apply Wa_14022293748, Wa_22019794406 Jay Cornwall <jay.cornwall(a)amd.com> drm/amdgpu: Increase KIQ invalidate_tlbs timeout Emily Deng <Emily.Deng(a)amd.com> drm/amdkfd: sriov doesn't support per queue reset Jean-Marc Eurin <jmeurin(a)google.com> ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Mario Limonciello <mario.limonciello(a)amd.com> ACPI: EC: Set ec_no_wakeup for Lenovo Go S Hannes Reinecke <hare(a)kernel.org> nvme: requeue namespace scan on missed AENs Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: axi-pwmgen: Let .round_waveform_tohw() signal when request was rounded up Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Let pwm_set_waveform() succeed even if lowlevel driver rounded up Jason Andryuk <jason.andryuk(a)amd.com> xen: Change xen-acpi-processor dom0 dependency Gabriel Shahrouzi <gshahrouzi(a)gmail.com> perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix test_stripe_04 Waiman Long <longman(a)redhat.com> cgroup/cpuset: Don't allow creation of local partition over a remote one Xiaogang Chen <xiaogang.chen(a)amd.com> udmabuf: fix a buf size overflow issue during udmabuf creation Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through debug printing Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through tracepoints Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Xi Ruoyao <xry111(a)xry111.site> kbuild: add dependency from vmlinux to sorttable Thomas Weißschuh <linux(a)weissschuh.net> kbuild, rust: use -fremap-path-prefix to make paths relative Pavel Begunkov <asml.silence(a)gmail.com> io_uring: always do atomic put from iowq Steven Rostedt <rostedt(a)goodmis.org> tracing: Enforce the persistent ring buffer to be page aligned Lukas Stockmann <lukas.stockmann(a)siemens.com> rtc: pcf85063: do a SW reset if POR failed Ignacio Encinas <ignacio(a)iencinas.com> 9p/trans_fd: mark concurrent read and writes to p9_conn->err Dominique Martinet <asmadeus(a)codewreck.org> 9p/net: fix improper handling of bogus negative read/write replies Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> ntb_hw_amd: Add NTB PCI ID for new gen CPU Arnd Bergmann <arnd(a)arndb.de> ntb: reduce stack usage in idt_scan_mws Charlie Jenkins <charlie(a)rivosinc.com> riscv: tracing: Fix __write_overflow_field in ftrace_partial_regs() Al Viro <viro(a)zeniv.linux.org.uk> qibfs: fix _another_ leak Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, lkdtm: Obfuscate the do_nothing() pointer Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, regulator: rk808: Remove potential undefined behavior in rk806_set_mode_dcdc() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, panic: Disable SMAP in __stack_chk_fail() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Silence more KCOV warnings Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Set MEV bit in nested STE for DoS mitigations Benjamin Berg <benjamin.berg(a)intel.com> um: work around sched_yield not yielding in time-travel mode Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Scan retimers after device router has been enumerated Théo Lebrun <theo.lebrun(a)bootlin.com> usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func Chenyuan Yang <chenyuan0y(a)gmail.com> usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Andy Yan <andy.yan(a)rock-chips.com> phy: rockchip: usbdp: Avoid call hpd_event_trigger in dp_phy_init Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running Vinicius Costa Gomes <vinicius.gomes(a)intel.com> dmaengine: dmatest: Fix dmatest waiting less when interrupted Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Add support for Nuvoton npcm845 i3c Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Handle spurious events on Etron host isoc enpoints Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix isochronous Ring Underrun/Overrun event handling Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Complete 'error mid TD' transfers when handling Missed Service Stefan Wahren <wahrenst(a)gmx.net> dmaengine: bcm2835-dma: fix warning when CONFIG_PM=n John Stultz <jstultz(a)google.com> sound/virtio: Fix cancel_sync warnings on uninitialized work_structs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: gadget: Refactor loop to avoid NULL endpoints Edward Adam Davis <eadavis(a)qq.com> fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size Lizhi Xu <lizhi.xu(a)windriver.com> fs/ntfs3: Keep write operations atomic Trevor Gamblin <tgamblin(a)baylibre.com> iio: adc: ad4695: make ad4695_exit_conversion_mode() more robust Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> usb: typec: ucsi: ccg: move command quirks to ucsi_ccg_sync_control() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> usb: typec: ucsi: return CCI and message from sync_control callback Alexander Stein <alexander.stein(a)mailbox.org> usb: host: max3421-hcd: Add missing spi_device_id table Dave Penkler <dpenkler(a)gmail.com> staging: gpib: Use min for calculating transfer length Sudeep Holla <sudeep.holla(a)arm.com> mailbox: pcc: Always clear the platform ack interrupt first Huisong Li <lihuisong(a)huawei.com> mailbox: pcc: Fix the possible race in updation of chan_in_use flag Yafang Shao <laoar.shao(a)gmail.com> bpf: Reject attaching fexit/fmod_ret to __noreturn functions Martin KaFai Lau <martin.lau(a)kernel.org> bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it creates storage Sewon Nam <swnam0729(a)gmail.com> bpf: bpftool: Setting error code in do_loader() Feng Yang <yangfeng(a)kylinos.cn> selftests/bpf: Fix cap_enable_effective() return code Biju Das <biju.das.jz(a)bp.renesas.com> clk: renesas: rzv2h: Adjust for CPG_BUS_m_MSTOP starting from m = 1 Haoxiang Li <haoxiang_li2024(a)163.com> s390/tty: Fix a potential memory leak bug Haoxiang Li <haoxiang_li2024(a)163.com> s390/sclp: Add check for get_zeroed_page() Yu-Chun Lin <eleanor15x(a)gmail.com> parisc: PDT: Fix missing prototype warning Heiko Stuebner <heiko(a)sntech.de> clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Alexei Starovoitov <ast(a)kernel.org> bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix kmemleak warning for percpu hashmap Herbert Xu <herbert(a)gondor.apana.org.au> crypto: null - Use spin lock instead of mutex Herbert Xu <herbert(a)gondor.apana.org.au> crypto: lib/Kconfig - Fix lib built-in failure when arch is modular Devaraj Rangasamy <Devaraj.Rangasamy(a)amd.com> crypto: ccp - Add support for PCI device 0x1134 Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: cm: Detect CM quirks from device tree Dmitry Mastykin <mastichi(a)gmail.com> pinctrl: mcp23s08: Get rid of spurious level interrupts Chenyuan Yang <chenyuan0y(a)gmail.com> pinctrl: renesas: rza2: Fix potential NULL pointer dereference Amery Hung <ameryhung(a)gmail.com> selftests/bpf: Fix stdout race condition in traffic monitor Lukas Wunner <lukas(a)wunner.de> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Oliver Neukum <oneukum(a)suse.com> USB: wdm: add annotation Oliver Neukum <oneukum(a)suse.com> USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context Oliver Neukum <oneukum(a)suse.com> USB: wdm: close race between wdm_open and wdm_wwan_port_stop Oliver Neukum <oneukum(a)suse.com> USB: wdm: handle IO errors in wdm_wwan_port_start Dan Carpenter <dan.carpenter(a)linaro.org> usb: typec: class: Unlocked on error in typec_register_partner() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: class: Invalidate USB device pointers on partner unregistration Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: class: Fix NULL pointer access Oliver Neukum <oneukum(a)suse.com> USB: VLI disk crashes if LPM is used Miao Li <limiao(a)kylinos.cn> usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive Miao Li <limiao(a)kylinos.cn> usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Mike Looijmans <mike.looijmans(a)topic.nl> usb: dwc3: xilinx: Prevent spike in reset signal Frode Isaksen <frode(a)meta.com> usb: dwc3: gadget: check that event count does not exceed event buffer length Huacai Chen <chenhuacai(a)kernel.org> USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: fix usbmisc handling Ralph Siemsen <ralph.siemsen(a)linaro.org> usb: cdns3: Fix deadlock when using NCM gadget Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix invalid pointer dereference in Etron workaround Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Limit time spent with xHC interrupts disabled during bus resume Craig Hesling <craig(a)hesling.com> USB: serial: simple: add OWON HDS200 series oscilloscope support Adam Xue <zxue(a)semtech.com> USB: serial: option: add Sierra Wireless EM9291 Michael Ehrenreich <michideep(a)gmail.com> USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Ryo Takakura <ryotkkr98(a)gmail.com> serial: sifive: lock port in startup()/shutdown() callbacks Stephan Gerhold <stephan.gerhold(a)linaro.org> serial: msm: Configure correct working mode before starting earlycon Günther Noack <gnoack3000(a)gmail.com> tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT Mahesh Rao <mahesh.rao(a)intel.com> firmware: stratix10-svc: Add of_platform_default_populate() Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> char: misc: register chrdev region with all possible minors Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Sean Christopherson <seanjc(a)google.com> KVM: x86: Reset IRTE to host control if *new* route isn't postable Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly treat routing entry type changes as changes Hans de Goede <hdegoede(a)redhat.com> mei: vsc: Fix fortify-panic caused by invalid counted_by() use Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake H DID Damien Le Moal <dlemoal(a)kernel.org> scsi: Improve CDL control Oliver Neukum <oneukum(a)suse.com> USB: storage: quirk for ADATA Portable HDD CH94 Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Fix ata_msense_control_ata_feature() Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Improve CDL control Haoxiang Li <haoxiang_li2024(a)163.com> mcb: fix a double free bug in chameleon_parse_gdd() Smita Koralahalli <Smita.KoralahalliChannabasappa(a)amd.com> cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports Sean Christopherson <seanjc(a)google.com> KVM: SVM: Allocate IR data using atomic allocation Jens Axboe <axboe(a)kernel.dk> io_uring: fix 'sync' handling of io_fallback_tw() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix PMU pass-through issue if VM exits to host finally Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fully clear some CSRs when VM reboot Yulong Han <wheatfox17(a)icloud.com> LoongArch: KVM: Fix multiple typos of KVM code Petr Tesarik <ptesarik(a)suse.com> LoongArch: Remove a bogus reference to ZONE_DMA Ming Wang <wangming01(a)loongson.cn> LoongArch: Return NULL from huge_pte_offset() for invalid PMD Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle fp, lsx, lasx and lbt assembly symbols Carlos Llamas <cmllamas(a)google.com> binder: fix offset calculation in debug log Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> selftests/pcie_bwctrl: Fix test progs list Juergen Gross <jgross(a)suse.com> x86/mm: Fix _pgd_alloc() for Xen PV mode Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/insn: Fix CTEST instruction decoding Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix ACPI edid parsing on some Lenovo systems Roman Li <Roman.Li(a)amd.com> drm/amd/display: Force full update in gpu reset Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix gpu reset in multidisplay config Hugo Villeneuve <hvilleneuve(a)dimonoff.com> drm: panel: jd9365da: fix reset signal polarity in unprepare Christian Schrefl <chrisi.schrefl(a)gmail.com> rust: firmware: Use `ffi::c_char` type in `FwFunc` Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Fix pending I/O counter Mat Martineau <martineau(a)kernel.org> mptcp: pm: Defer freeing of MPTCP userspace path manager entries Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: selftests: initialize TCP header and skb payload with zero Alexey Nepomnyashih <sdl(a)nppct.ru> xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() Marek Behún <kabel(a)kernel.org> crypto: atmel-sha204a - Set hwrng quality to lowest possible Breno Leitao <leitao(a)debian.org> sched_ext: Use kvzalloc for large exit_dump allocation Halil Pasic <pasic(a)linux.ibm.com> virtio_console: fix missing byte order handling for cols and rows Florian Westphal <fw(a)strlen.de> netfilter: fib: avoid lookup if socket is available Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: stmmac: block PHY RXC clock-stop Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: add functions to block/unblock rx clock stop Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: stmmac: socfpga: remove phy_resume() call Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: stmmac: address non-LPI resume failures properly Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: add phylink_prepare_resume() Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: stmmac: simplify phylink_suspend() and phylink_resume() calls Omar Sandoval <osandov(a)fb.com> sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make do_xyz() exception handlers more robust Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make regs_irqs_disabled() more clear Yuli Wang <wangyuli(a)uniontech.com> LoongArch: Select ARCH_USE_MEMTEST Luo Gengkun <luogengkun(a)huaweicloud.com> perf/x86: Fix non-sampling (counting) events on certain x86 platforms Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> drm/meson: use unsigned long long / Hz for frequency types Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Alexei Starovoitov <ast(a)kernel.org> bpf: Add namespace to BPF internal symbols Jan Kara <jack(a)suse.cz> fs/xattr: Fix handling of AT_FDCWD in setxattrat(2) and getxattrat(2) T.J. Mercier <tjmercier(a)google.com> splice: remove duplicate noinline from pipe_clear_nowait Ming Lei <ming.lei(a)redhat.com> ublk: call ublk_dispatch_req() for handling UBLK_U_IO_NEED_GET_DATA Caleb Sander Mateos <csander(a)purestorage.com> ublk: remove unused cmd argument to ublk_dispatch_req() Ming Lei <ming.lei(a)redhat.com> ublk: implement ->queue_rqs() Ming Lei <ming.lei(a)redhat.com> ublk: comment on ubq->canceling handling in ublk_queue_rq() Uday Shankar <ushankar(a)purestorage.com> ublk: remove io_cmds list in ublk_queue Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Björn Töpel <bjorn(a)rivosinc.com> riscv: Replace function-like macro by static inline function Sean Christopherson <seanjc(a)google.com> iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Christoph Hellwig <hch(a)lst.de> block: don't autoload drivers on stat Christoph Hellwig <hch(a)lst.de> block: remove the backing_inode variable in bdev_statx Christoph Hellwig <hch(a)lst.de> block: move blkdev_{get,put} _no_open prototypes out of blkdev.h Luis Chamberlain <mcgrof(a)kernel.org> bdev: use bdev_io_min() for statx block size Christoph Hellwig <hch(a)lst.de> block: never reduce ra_pages in blk_apply_bdi_limits Alexis Lothoré <alexis.lothore(a)bootlin.com> net: stmmac: fix multiplication overflow when reading timestamp Alexis Lothore <alexis.lothore(a)bootlin.com> net: stmmac: fix dwmac1000 ptp timestamp status offset Johannes Schneider <johannes.schneider(a)leica-geosystems.com> net: dp83822: Fix OF_MDIO config check Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> net: phy: dp83822: Add support for changing the transmit amplitude voltage Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> net: phy: Add helper for getting tx amplitude gain Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make wait_context part of q_info Brett Creeley <brett.creeley(a)amd.com> pds_core: Remove unnecessary check in pds_client_adminq_cmd() Brett Creeley <brett.creeley(a)amd.com> pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result Brett Creeley <brett.creeley(a)amd.com> pds_core: Prevent possible adminq overflow/stuck condition Daniel Golle <daniel(a)makrotopia.org> net: dsa: mt7530: sync driver-specific behavior of MT7531 variants Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a UAF vulnerability in class handling Al Viro <viro(a)zeniv.linux.org.uk> fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount() Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: net: revise NETSYSv3 hardware configuration Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: disable delayed refill when pausing rx Joe Damato <jdamato(a)fastly.com> virtio-net: Refactor napi_disable paths Joe Damato <jdamato(a)fastly.com> virtio-net: Refactor napi_enable paths Qingfang Deng <qingfang.deng(a)siflower.com.cn> net: phy: leds: fix memory leak Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: fix suspend/resume with WoL enabled and link down Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: force link down on major_config failure Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: disable BHs when required Richard Weinberger <richard(a)nod.at> nvmet: fix out-of-bounds access in nvmet_enable_port Vladimir Oltean <vladimir.oltean(a)nxp.com> net: enetc: fix frame corruption on bpf_xdp_adjust_head/tail() and XDP_PASS Vladimir Oltean <vladimir.oltean(a)nxp.com> net: enetc: refactor bulk flipping of RX buffers to separate function Vladimir Oltean <vladimir.oltean(a)nxp.com> net: enetc: register XDP RX queues with frag_size Chenyuan Yang <chenyuan0y(a)gmail.com> scsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer() Anastasia Kovaleva <a.kovaleva(a)yadro.com> scsi: core: Clear flags for scsi_cmnd that did not complete Henry Martin <bsdhenrymartin(a)gmail.com> net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin <bsdhenrymartin(a)gmail.com> net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: Fix vhost_scsi_send_status() Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: Fix vhost_scsi_send_bad_target() Mike Christie <michael.christie(a)oracle.com> vhost-scsi: Add better resource allocation failure handling T.J. Mercier <tjmercier(a)google.com> cgroup/cpuset-v1: Add missing support for cpuset_v2_mode Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: return EIO on RAID1 block group write pointer mismatch Qu Wenruo <wqu(a)suse.com> btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range() Johan Hovold <johan+linaro(a)kernel.org> cpufreq: fix compile-test defaults Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> cpufreq: Do not enable by default during compile testing Marc Zyngier <maz(a)kernel.org> cpufreq: cppc: Fix invalid return value in .get() callback Daniel Jurgens <danielj(a)nvidia.com> virtio_pci: Use self group type for cap commands Chenyuan Yang <chenyuan0y(a)gmail.com> scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() Arnd Bergmann <arnd(a)arndb.de> dma/contiguous: avoid warning about unused size_bytes Andre Przywara <andre.przywara(a)arm.com> cpufreq: sun50i: prevent out-of-bounds access David Howells <dhowells(a)redhat.com> ceph: Fix incorrect flush end position calculation Nathan Chancellor <nathan(a)kernel.org> lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP Niranjana Vishwanathapura <niranjana.vishwanathapura(a)intel.com> drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe/rtp: Drop sentinels from arg to xe_rtp_process_to_sr() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/xe: Add performance tunings to debugfs Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/xe3lpg: Add Wa_13012615864 Nirmoy Das <nirmoy.das(a)intel.com> drm/xe/ptl: Apply Wa_14023061436 Jonathan Currier <dullfire(a)yahoo.com> net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzv2h: Prevent TINT spurious interrupt Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzv2h: Add struct rzv2h_hw_info with t_offs variable Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzv2h: Simplify rzv2h_icu_init() Jonathan Currier <dullfire(a)yahoo.com> PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Thomas Gleixner <tglx(a)linutronix.de> PCI/MSI: Handle the NOMASK flag correctly for all PCI/MSI backends Roger Pau Monne <roger.pau(a)citrix.com> PCI/MSI: Convert pci_msi_ignore_mask to per MSI domain flag Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Support mmap() of PCI resources except for ISM devices Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Zijun Hu <quic_zijuhu(a)quicinc.com> of: resolver: Fix device node refcount leakage in of_resolve_phandles() Rob Herring (Arm) <robh(a)kernel.org> of: resolver: Simplify of_resolve_phandles() using __free() Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: adc: ad7768-1: Fix conversion result sign Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Hans de Goede <hdegoede(a)redhat.com> media: ov08x40: Add missing ov08x40_identify_module() call on stream-start Hans de Goede <hdegoede(a)redhat.com> media: ov08x40: Move ov08x40_identify_module() function up André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Fix link frequency validation André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Check number of lanes from device tree André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Replace register addresses with macros André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Convert to CCI register access helpers André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Simplify with dev_err_probe() André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Use subdev active state Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: EM: Address RCU-related sparse warnings Li RongQing <lirongqing(a)baidu.com> PM: EM: use kfree_rcu() to simplify the code Tudor Ambarus <tudor.ambarus(a)linaro.org> mmc: sdhci-msm: fix dev reference leaked through of_qcom_ice_get Tudor Ambarus <tudor.ambarus(a)linaro.org> soc: qcom: ice: introduce devm_of_qcom_ice_get Jinjiang Tu <tujinjiang(a)huawei.com> mm/vmscan: don't try to reclaim hwpoison folio ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 + Documentation/bpf/bpf_devel_QA.rst | 8 + Documentation/trace/debugging.rst | 2 + Makefile | 5 +- arch/arm/crypto/Kconfig | 10 +- arch/arm64/crypto/Kconfig | 6 +- arch/loongarch/Kconfig | 1 + arch/loongarch/include/asm/fpu.h | 33 +- arch/loongarch/include/asm/lbt.h | 10 +- arch/loongarch/include/asm/ptrace.h | 4 +- arch/loongarch/kernel/fpu.S | 6 + arch/loongarch/kernel/lbt.S | 4 + arch/loongarch/kernel/signal.c | 21 - arch/loongarch/kernel/traps.c | 20 +- arch/loongarch/kvm/intc/ipi.c | 4 +- arch/loongarch/kvm/main.c | 4 +- arch/loongarch/kvm/vcpu.c | 8 + arch/loongarch/mm/hugetlbpage.c | 2 +- arch/loongarch/mm/init.c | 3 - arch/mips/crypto/Kconfig | 7 +- arch/mips/include/asm/mips-cm.h | 22 + arch/mips/kernel/mips-cm.c | 14 + arch/parisc/kernel/pdt.c | 2 + arch/powerpc/crypto/Kconfig | 7 +- arch/riscv/crypto/Kconfig | 1 - arch/riscv/include/asm/alternative-macros.h | 21 +- arch/riscv/include/asm/cacheflush.h | 15 +- arch/riscv/include/asm/ftrace.h | 2 +- arch/riscv/include/asm/ptrace.h | 18 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/s390/Kconfig | 4 +- arch/s390/crypto/Kconfig | 3 +- arch/s390/include/asm/pci.h | 3 + arch/s390/kvm/intercept.c | 2 +- arch/s390/kvm/interrupt.c | 8 +- arch/s390/kvm/kvm-s390.c | 10 +- arch/s390/kvm/trace-s390.h | 4 +- arch/s390/pci/Makefile | 2 +- arch/s390/pci/pci_fixup.c | 23 + arch/um/include/linux/time-internal.h | 2 + arch/um/kernel/skas/syscall.c | 11 + arch/x86/crypto/Kconfig | 11 +- arch/x86/entry/entry.S | 2 +- arch/x86/events/core.c | 2 +- arch/x86/include/asm/intel-family.h | 2 + arch/x86/include/asm/pgalloc.h | 19 +- arch/x86/kernel/cpu/bugs.c | 36 +- arch/x86/kernel/i8253.c | 3 +- arch/x86/kernel/machine_kexec_32.c | 4 +- arch/x86/kvm/svm/avic.c | 60 +- arch/x86/kvm/vmx/posted_intr.c | 28 +- arch/x86/kvm/x86.c | 20 +- arch/x86/lib/x86-opcode-map.txt | 4 +- arch/x86/mm/pgtable.c | 4 +- arch/x86/mm/tlb.c | 6 +- arch/x86/pci/xen.c | 8 +- arch/x86/platform/efi/efi_64.c | 4 +- arch/x86/xen/enlighten_pvh.c | 19 +- block/bdev.c | 22 +- block/blk-cgroup.c | 2 +- block/blk-settings.c | 8 +- block/blk.h | 3 + block/fops.c | 2 +- crypto/Kconfig | 3 + crypto/crypto_null.c | 37 +- crypto/ecc.c | 2 +- crypto/ecdsa-p1363.c | 2 +- crypto/ecdsa-x962.c | 4 +- drivers/acpi/ec.c | 28 + drivers/acpi/pptt.c | 4 +- drivers/android/binder.c | 2 +- drivers/ata/libata-scsi.c | 25 +- drivers/base/base.h | 17 + drivers/base/bus.c | 2 +- drivers/base/core.c | 38 +- drivers/base/dd.c | 7 +- drivers/block/ublk_drv.c | 214 +++-- drivers/char/misc.c | 2 +- drivers/char/virtio_console.c | 7 +- drivers/clk/clk.c | 4 + drivers/clk/renesas/rzv2h-cpg.c | 12 +- drivers/comedi/drivers/jr3_pci.c | 2 +- drivers/cpufreq/Kconfig.arm | 20 +- drivers/cpufreq/apple-soc-cpufreq.c | 10 +- drivers/cpufreq/cppc_cpufreq.c | 2 +- drivers/cpufreq/scmi-cpufreq.c | 10 +- drivers/cpufreq/scpi-cpufreq.c | 13 +- drivers/cpufreq/sun50i-cpufreq-nvmem.c | 18 +- drivers/crypto/atmel-sha204a.c | 6 + drivers/crypto/ccp/sp-pci.c | 1 + drivers/cxl/core/regs.c | 4 - drivers/dma-buf/udmabuf.c | 2 +- drivers/dma/bcm2835-dma.c | 2 +- drivers/dma/dmatest.c | 6 +- drivers/firmware/stratix10-svc.c | 14 +- drivers/gpio/gpiolib-of.c | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 19 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 6 +- drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 2 +- drivers/gpu/drm/meson/meson_drv.c | 2 +- drivers/gpu/drm/meson/meson_drv.h | 2 +- drivers/gpu/drm/meson/meson_encoder_hdmi.c | 29 +- drivers/gpu/drm/meson/meson_vclk.c | 195 ++--- drivers/gpu/drm/meson/meson_vclk.h | 13 +- drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 4 +- drivers/gpu/drm/xe/regs/xe_gt_regs.h | 4 + drivers/gpu/drm/xe/tests/xe_rtp_test.c | 2 +- drivers/gpu/drm/xe/xe_gt.c | 4 + drivers/gpu/drm/xe/xe_gt_debugfs.c | 11 + drivers/gpu/drm/xe/xe_gt_types.h | 10 + drivers/gpu/drm/xe/xe_hw_engine.c | 18 +- drivers/gpu/drm/xe/xe_reg_whitelist.c | 4 +- drivers/gpu/drm/xe/xe_rtp.c | 6 +- drivers/gpu/drm/xe/xe_rtp.h | 2 +- drivers/gpu/drm/xe/xe_tuning.c | 71 +- drivers/gpu/drm/xe/xe_tuning.h | 3 + drivers/gpu/drm/xe/xe_wa.c | 22 +- drivers/gpu/drm/xe/xe_wa_oob.rules | 2 + drivers/i3c/master/svc-i3c-master.c | 17 +- drivers/iio/adc/ad4695.c | 34 +- drivers/iio/adc/ad7768-1.c | 5 +- drivers/infiniband/hw/qib/qib_fs.c | 1 + drivers/iommu/amd/iommu.c | 2 +- .../iommu/arm/arm-smmu-v3/arm-smmu-v3-iommufd.c | 2 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 4 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h | 1 + drivers/iommu/iommu.c | 3 + drivers/irqchip/irq-gic-v2m.c | 2 +- drivers/irqchip/irq-renesas-rzv2h.c | 91 +- drivers/mailbox/pcc.c | 15 +- drivers/mcb/mcb-parse.c | 2 +- drivers/md/raid1.c | 26 +- drivers/media/i2c/Kconfig | 1 + drivers/media/i2c/imx214.c | 934 ++++++++++----------- drivers/media/i2c/ov08x40.c | 78 +- drivers/misc/lkdtm/perms.c | 14 +- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 8 +- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + drivers/misc/mei/vsc-tp.c | 26 +- drivers/mmc/host/sdhci-msm.c | 2 +- drivers/net/dsa/mt7530.c | 6 +- drivers/net/ethernet/amd/pds_core/adminq.c | 36 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 3 - drivers/net/ethernet/amd/pds_core/core.c | 9 +- drivers/net/ethernet/amd/pds_core/core.h | 4 +- drivers/net/ethernet/amd/pds_core/devlink.c | 4 +- drivers/net/ethernet/freescale/enetc/enetc.c | 45 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 24 +- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 10 +- .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 26 +- .../net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 18 - drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 4 +- .../net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +- .../net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 62 +- drivers/net/ethernet/sun/niu.c | 2 + drivers/net/phy/dp83822.c | 40 +- drivers/net/phy/microchip.c | 46 +- drivers/net/phy/phy_device.c | 53 +- drivers/net/phy/phy_led_triggers.c | 23 +- drivers/net/phy/phylink.c | 164 +++- drivers/net/virtio_net.c | 133 ++- drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +- drivers/net/xen-netfront.c | 19 +- drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +- drivers/nvme/host/core.c | 9 + drivers/nvme/host/multipath.c | 2 +- drivers/nvme/target/core.c | 3 + drivers/nvme/target/fc.c | 25 +- drivers/nvme/target/pci-epf.c | 14 +- drivers/of/resolver.c | 37 +- drivers/pci/msi/msi.c | 38 +- drivers/phy/rockchip/phy-rockchip-usbdp.c | 1 - drivers/pinctrl/pinctrl-mcp23s08.c | 23 +- drivers/pinctrl/renesas/pinctrl-rza2.c | 3 + drivers/platform/x86/x86-android-tablets/dmi.c | 14 +- drivers/platform/x86/x86-android-tablets/other.c | 160 ++-- .../x86/x86-android-tablets/x86-android-tablets.h | 3 +- drivers/pwm/core.c | 13 +- drivers/pwm/pwm-axi-pwmgen.c | 10 +- drivers/regulator/rk808-regulator.c | 4 +- drivers/rtc/rtc-pcf85063.c | 19 +- drivers/s390/char/sclp_con.c | 17 + drivers/s390/char/sclp_tty.c | 12 + drivers/s390/net/ism_drv.c | 1 - drivers/scsi/hisi_sas/hisi_sas_main.c | 20 + drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +- drivers/scsi/pm8001/pm8001_sas.c | 1 + drivers/scsi/scsi.c | 36 +- drivers/scsi/scsi_lib.c | 6 +- drivers/soc/qcom/ice.c | 48 ++ drivers/spi/spi-imx.c | 5 +- drivers/spi/spi-tegra210-quad.c | 6 +- .../staging/gpib/agilent_82350b/agilent_82350b.c | 10 +- drivers/thunderbolt/tb.c | 16 +- drivers/tty/serial/msm_serial.c | 6 + drivers/tty/serial/sifive.c | 6 + drivers/tty/vt/selection.c | 5 +- drivers/ufs/core/ufs-mcq.c | 12 +- drivers/ufs/core/ufshcd.c | 2 + drivers/ufs/host/ufs-exynos.c | 44 +- drivers/ufs/host/ufs-exynos.h | 1 + drivers/ufs/host/ufs-qcom.c | 2 +- drivers/usb/cdns3/cdns3-gadget.c | 2 + drivers/usb/chipidea/ci_hdrc_imx.c | 44 +- drivers/usb/class/cdc-wdm.c | 21 +- drivers/usb/core/quirks.c | 9 + drivers/usb/dwc3/dwc3-pci.c | 10 + drivers/usb/dwc3/dwc3-xilinx.c | 4 +- drivers/usb/dwc3/gadget.c | 28 +- drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 + drivers/usb/host/max3421-hcd.c | 7 + drivers/usb/host/ohci-pci.c | 23 + drivers/usb/host/xhci-hub.c | 30 +- drivers/usb/host/xhci-mvebu.c | 10 - drivers/usb/host/xhci-mvebu.h | 6 - drivers/usb/host/xhci-plat.c | 2 +- drivers/usb/host/xhci-ring.c | 75 +- drivers/usb/host/xhci.c | 4 +- drivers/usb/host/xhci.h | 4 +- drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 5 + drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb-serial-simple.c | 7 + drivers/usb/storage/unusual_uas.h | 7 + drivers/usb/typec/class.c | 24 +- drivers/usb/typec/class.h | 1 + drivers/usb/typec/ucsi/cros_ec_ucsi.c | 5 +- drivers/usb/typec/ucsi/ucsi.c | 19 +- drivers/usb/typec/ucsi/ucsi.h | 6 +- drivers/usb/typec/ucsi/ucsi_acpi.c | 5 +- drivers/usb/typec/ucsi/ucsi_ccg.c | 67 +- drivers/vhost/scsi.c | 80 +- drivers/virtio/virtio_pci_modern.c | 4 +- drivers/xen/Kconfig | 2 +- fs/btrfs/file.c | 9 +- fs/btrfs/zoned.c | 1 - fs/ceph/inode.c | 2 +- fs/ext4/block_validity.c | 5 +- fs/ext4/inode.c | 7 +- fs/iomap/buffered-io.c | 2 +- fs/namespace.c | 69 +- fs/netfs/main.c | 4 + fs/ntfs3/file.c | 20 +- fs/smb/client/sess.c | 60 +- fs/smb/client/smb1ops.c | 36 + fs/smb/server/vfs_cache.c | 8 +- fs/splice.c | 2 +- fs/xattr.c | 4 +- include/linux/blkdev.h | 4 - include/linux/energy_model.h | 12 +- include/linux/math.h | 12 + include/linux/msi.h | 3 +- include/linux/pci.h | 2 + include/linux/pci_ids.h | 1 + include/linux/phy.h | 4 + include/linux/phylink.h | 4 + include/net/netfilter/nft_fib.h | 21 + include/soc/qcom/ice.h | 2 + include/uapi/linux/virtio_pci.h | 1 + init/Kconfig | 2 +- io_uring/io_uring.c | 15 +- io_uring/refs.h | 7 + kernel/bpf/bpf_cgrp_storage.c | 11 +- kernel/bpf/hashtab.c | 6 +- kernel/bpf/preload/bpf_preload_kern.c | 1 + kernel/bpf/syscall.c | 6 +- kernel/bpf/verifier.c | 32 + kernel/cgroup/cgroup.c | 29 + kernel/cgroup/cpuset-internal.h | 1 + kernel/cgroup/cpuset.c | 14 + kernel/dma/contiguous.c | 3 +- kernel/events/core.c | 6 +- kernel/irq/msi.c | 2 +- kernel/panic.c | 6 + kernel/power/energy_model.c | 47 +- kernel/sched/ext.c | 4 +- kernel/sched/fair.c | 4 +- kernel/time/tick-common.c | 22 + kernel/trace/bpf_trace.c | 7 +- kernel/trace/trace.c | 10 + lib/Kconfig.ubsan | 1 - lib/crypto/Kconfig | 37 +- lib/test_ubsan.c | 18 +- mm/vmscan.c | 7 + net/9p/client.c | 30 +- net/9p/trans_fd.c | 17 +- net/core/lwtunnel.c | 26 +- net/core/selftests.c | 18 +- net/ipv4/netfilter/nft_fib_ipv4.c | 11 +- net/ipv6/netfilter/nft_fib_ipv6.c | 19 +- net/mptcp/pm_userspace.c | 6 +- net/sched/sch_hfsc.c | 23 +- net/tipc/monitor.c | 3 +- rust/Makefile | 8 +- rust/kernel/firmware.rs | 8 +- scripts/Makefile.lib | 2 +- scripts/Makefile.vmlinux | 4 + sound/soc/codecs/aw88081.c | 10 + sound/soc/codecs/wcd934x.c | 2 +- sound/soc/fsl/fsl_asrc_dma.c | 15 +- sound/virtio/virtio_pcm.c | 21 +- tools/arch/x86/lib/x86-opcode-map.txt | 4 +- tools/bpf/bpftool/prog.c | 1 + tools/objtool/check.c | 36 +- tools/testing/selftests/bpf/cap_helpers.c | 8 +- tools/testing/selftests/bpf/cap_helpers.h | 1 + tools/testing/selftests/bpf/network_helpers.c | 33 +- tools/testing/selftests/bpf/prog_tests/verifier.c | 4 +- tools/testing/selftests/bpf/test_loader.c | 6 +- tools/testing/selftests/mincore/mincore_selftest.c | 3 - tools/testing/selftests/pcie_bwctrl/Makefile | 3 +- tools/testing/selftests/ublk/test_stripe_04.sh | 24 + 329 files changed, 3712 insertions(+), 2060 deletions(-)

8 months

19
340
0 0

[PATCH] ACPI/PPTT: fix off-by-one error

by Heyne, Maximilian

Commit 7ab4f0e37a0f ("ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls") corrects the processer entry size but unmasked a longer standing bug where the last entry in the structure can get skipped due to an off-by-one mistake if the last entry ends exactly at the end of the ACPI subtable. The error manifests for instance on EC2 Graviton Metal instances with ACPI PPTT: PPTT table found, but unable to locate core 63 (63) [...] ACPI: SPE must be homogeneous Fixes: 2bd00bcd73e5 ("ACPI/PPTT: Add Processor Properties Topology Table parsing") Cc: stable(a)vger.kernel.org Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> --- drivers/acpi/pptt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c index f73ce6e13065d..4364da90902e5 100644 --- a/drivers/acpi/pptt.c +++ b/drivers/acpi/pptt.c @@ -231,7 +231,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr, sizeof(struct acpi_table_pptt)); proc_sz = sizeof(struct acpi_pptt_processor); - while ((unsigned long)entry + proc_sz < table_end) { + while ((unsigned long)entry + proc_sz <= table_end) { cpu_node = (struct acpi_pptt_processor *)entry; if (entry->type == ACPI_PPTT_TYPE_PROCESSOR && cpu_node->parent == node_entry) @@ -273,7 +273,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he proc_sz = sizeof(struct acpi_pptt_processor); /* find the processor structure associated with this cpuid */ - while ((unsigned long)entry + proc_sz < table_end) { + while ((unsigned long)entry + proc_sz <= table_end) { cpu_node = (struct acpi_pptt_processor *)entry; if (entry->length == 0) { -- 2.47.1 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

8 months

4
29
0 0

Re: Patch "spi: tegra114: Don't fail set_cs_timing when delays are zero" has been added to the 6.1-stable tree

by Jon Hunter

On 07/05/2025 16:43, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > spi: tegra114: Don't fail set_cs_timing when delays are zero > > to the 6.1-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > spi-tegra114-don-t-fail-set_cs_timing-when-delays-ar.patch > and it can be found in the queue-6.1 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please don't queue this up for stable yet. This fix is not correct and there is another change pending to correct this change. Jon -- nvpublic

8 months

2
1
0 0

[PATCH v3] NFSD: Implement FATTR4_CLONE_BLKSIZE attribute

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> RFC 7862 states that if an NFS server implements a CLONE operation, it MUST also implement FATTR4_CLONE_BLKSIZE. NFSD implements CLONE, but does not implement FATTR4_CLONE_BLKSIZE. Note that in Section 12.2, RFC 7862 claims that FATTR4_CLONE_BLKSIZE is RECOMMENDED, not REQUIRED. Likely this is because a minor version is not permitted to add a REQUIRED attribute. Confusing. We assume this attribute reports a block size as a count of bytes, as RFC 7862 does not specify a unit. Reported-by: Roland Mainz <roland.mainz(a)nrubsig.org> Suggested-by: Christoph Hellwig <hch(a)infradead.org> Reviewed-by: Roland Mainz <roland.mainz(a)nrubsig.org> Cc: stable(a)vger.kernel.org # v6.7+ Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/nfsd/nfs4xdr.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index e67420729ecd..9eb8e5704622 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -3391,6 +3391,23 @@ static __be32 nfsd4_encode_fattr4_suppattr_exclcreat(struct xdr_stream *xdr, return nfsd4_encode_bitmap4(xdr, supp[0], supp[1], supp[2]); } +/* + * Copied from generic_remap_checks/generic_remap_file_range_prep. + * + * These generic functions use the file system's s_blocksize, but + * individual file systems aren't required to use + * generic_remap_file_range_prep. Until there is a mechanism for + * determining a particular file system's (or file's) clone block + * size, this is the best NFSD can do. + */ +static __be32 nfsd4_encode_fattr4_clone_blksize(struct xdr_stream *xdr, + const struct nfsd4_fattr_args *args) +{ + struct inode *inode = d_inode(args->dentry); + + return nfsd4_encode_uint32_t(xdr, inode->i_sb->s_blocksize); +} + #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static __be32 nfsd4_encode_fattr4_sec_label(struct xdr_stream *xdr, const struct nfsd4_fattr_args *args) @@ -3545,7 +3562,7 @@ static const nfsd4_enc_attr nfsd4_enc_fattr4_encode_ops[] = { [FATTR4_MODE_SET_MASKED] = nfsd4_encode_fattr4__noop, [FATTR4_SUPPATTR_EXCLCREAT] = nfsd4_encode_fattr4_suppattr_exclcreat, [FATTR4_FS_CHARSET_CAP] = nfsd4_encode_fattr4__noop, - [FATTR4_CLONE_BLKSIZE] = nfsd4_encode_fattr4__noop, + [FATTR4_CLONE_BLKSIZE] = nfsd4_encode_fattr4_clone_blksize, [FATTR4_SPACE_FREED] = nfsd4_encode_fattr4__noop, [FATTR4_CHANGE_ATTR_TYPE] = nfsd4_encode_fattr4__noop, -- 2.49.0

8 months

3
2
0 0

[PATCH] arm64: dts: qcom: x1e80100: Fix PCIe 3rd controller DBI size

by Abel Vesa

According to documentation, the DBI range size is 0xf20. So fix it. Cc: stable(a)vger.kernel.org # 6.14 Fixes: f8af195beeb0 ("arm64: dts: qcom: x1e80100: Add support for PCIe3 on x1e80100") Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi index 46b79fce92c90d969e3de48bc88e27915d1592bb..34ccabc3cc302b17e944b4343a37fab0bb6334e9 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi @@ -3126,7 +3126,7 @@ pcie3: pcie@1bd0000 { device_type = "pci"; compatible = "qcom,pcie-x1e80100"; reg = <0x0 0x01bd0000 0x0 0x3000>, - <0x0 0x78000000 0x0 0xf1d>, + <0x0 0x78000000 0x0 0xf20>, <0x0 0x78000f40 0x0 0xa8>, <0x0 0x78001000 0x0 0x1000>, <0x0 0x78100000 0x0 0x100000>, --- base-commit: bc8aa6cdadcc00862f2b5720e5de2e17f696a081 change-id: 20250422-x1e80100-dts-fix-pcie3-dbi-size-56fc110aa36d Best regards, -- Abel Vesa <abel.vesa(a)linaro.org>

8 months

3
2
0 0

[PATCH RESEND] drm/tegra: fix a possible null pointer dereference

by Qiu-ji Chen

In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference. Fixes: b7e0b04ae450 ("drm/tegra: Convert to using __drm_atomic_helper_crtc_reset() for reset.") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/gpu/drm/tegra/dc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index be61c9d1a4f0..1ed30853bd9e 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -1388,7 +1388,10 @@ static void tegra_crtc_reset(struct drm_crtc *crtc) if (crtc->state) tegra_crtc_atomic_destroy_state(crtc, crtc->state); - __drm_atomic_helper_crtc_reset(crtc, &state->base); + if (state) + __drm_atomic_helper_crtc_reset(crtc, &state->base); + else + __drm_atomic_helper_crtc_reset(crtc, NULL); } static struct drm_crtc_state * -- 2.34.1

8 months

2
1
0 0

[Patch v3 3/5] uio_hv_generic: Align ring size to system page

by longli＠linuxonhyperv.com

From: Long Li <longli(a)microsoft.com> Following the ring header, the ring data should align to system page boundary. Adjust the size if necessary. Cc: stable(a)vger.kernel.org Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus") Signed-off-by: Long Li <longli(a)microsoft.com> --- drivers/uio/uio_hv_generic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 08385b04c4ab..cb2e7e0e1540 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -256,6 +256,9 @@ hv_uio_probe(struct hv_device *dev, if (!ring_size) ring_size = SZ_2M; + /* Adjust ring size if necessary to have it page aligned */ + ring_size = VMBUS_RING_SIZE(ring_size); + pdata = devm_kzalloc(&dev->device, sizeof(*pdata), GFP_KERNEL); if (!pdata) return -ENOMEM; -- 2.34.1

8 months

2
1
0 0

[Patch v3 2/5] uio_hv_generic: Use correct size for interrupt and monitor pages

by longli＠linuxonhyperv.com

From: Long Li <longli(a)microsoft.com> Interrupt and monitor pages should be in Hyper-V page size (4k bytes). This can be different from the system page size. This size is read and used by the user-mode program to determine the mapped data region. An example of such user-mode program is the VMBus driver in DPDK. Cc: stable(a)vger.kernel.org Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus") Signed-off-by: Long Li <longli(a)microsoft.com> --- drivers/uio/uio_hv_generic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..08385b04c4ab 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -287,13 +287,13 @@ hv_uio_probe(struct hv_device *dev, pdata->info.mem[INT_PAGE_MAP].name = "int_page"; pdata->info.mem[INT_PAGE_MAP].addr = (uintptr_t)vmbus_connection.int_page; - pdata->info.mem[INT_PAGE_MAP].size = PAGE_SIZE; + pdata->info.mem[INT_PAGE_MAP].size = HV_HYP_PAGE_SIZE; pdata->info.mem[INT_PAGE_MAP].memtype = UIO_MEM_LOGICAL; pdata->info.mem[MON_PAGE_MAP].name = "monitor_page"; pdata->info.mem[MON_PAGE_MAP].addr = (uintptr_t)vmbus_connection.monitor_pages[1]; - pdata->info.mem[MON_PAGE_MAP].size = PAGE_SIZE; + pdata->info.mem[MON_PAGE_MAP].size = HV_HYP_PAGE_SIZE; pdata->info.mem[MON_PAGE_MAP].memtype = UIO_MEM_LOGICAL; if (channel->device_id == HV_NIC) { -- 2.34.1

8 months

2
1
0 0

[Patch v3 1/5] Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary

by longli＠linuxonhyperv.com

From: Long Li <longli(a)microsoft.com> There are use cases that interrupt and monitor pages are mapped to user-mode through UIO, so they need to be system page aligned. Some Hyper-V allocation APIs introduced earlier broke those requirements. Fix this by using page allocation functions directly for interrupt and monitor pages. Cc: stable(a)vger.kernel.org Fixes: ca48739e59df ("Drivers: hv: vmbus: Move Hyper-V page allocator to arch neutral code") Signed-off-by: Long Li <longli(a)microsoft.com> --- drivers/hv/connection.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 8351360bba16..be490c598785 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -206,11 +206,20 @@ int vmbus_connect(void) INIT_LIST_HEAD(&vmbus_connection.chn_list); mutex_init(&vmbus_connection.channel_mutex); + /* + * The following Hyper-V interrupt and monitor pages can be used by + * UIO for mapping to user-space, so they should always be allocated on + * system page boundaries. The system page size must be >= the Hyper-V + * page size. + */ + BUILD_BUG_ON(PAGE_SIZE < HV_HYP_PAGE_SIZE); + /* * Setup the vmbus event connection for channel interrupt * abstraction stuff */ - vmbus_connection.int_page = hv_alloc_hyperv_zeroed_page(); + vmbus_connection.int_page = + (void *)__get_free_page(GFP_KERNEL | __GFP_ZERO); if (vmbus_connection.int_page == NULL) { ret = -ENOMEM; goto cleanup; @@ -225,8 +234,8 @@ int vmbus_connect(void) * Setup the monitor notification facility. The 1st page for * parent->child and the 2nd page for child->parent */ - vmbus_connection.monitor_pages[0] = hv_alloc_hyperv_page(); - vmbus_connection.monitor_pages[1] = hv_alloc_hyperv_page(); + vmbus_connection.monitor_pages[0] = (void *)__get_free_page(GFP_KERNEL); + vmbus_connection.monitor_pages[1] = (void *)__get_free_page(GFP_KERNEL); if ((vmbus_connection.monitor_pages[0] == NULL) || (vmbus_connection.monitor_pages[1] == NULL)) { ret = -ENOMEM; @@ -342,21 +351,23 @@ void vmbus_disconnect(void) destroy_workqueue(vmbus_connection.work_queue); if (vmbus_connection.int_page) { - hv_free_hyperv_page(vmbus_connection.int_page); + free_page((unsigned long)vmbus_connection.int_page); vmbus_connection.int_page = NULL; } if (vmbus_connection.monitor_pages[0]) { if (!set_memory_encrypted( (unsigned long)vmbus_connection.monitor_pages[0], 1)) - hv_free_hyperv_page(vmbus_connection.monitor_pages[0]); + free_page((unsigned long) + vmbus_connection.monitor_pages[0]); vmbus_connection.monitor_pages[0] = NULL; } if (vmbus_connection.monitor_pages[1]) { if (!set_memory_encrypted( (unsigned long)vmbus_connection.monitor_pages[1], 1)) - hv_free_hyperv_page(vmbus_connection.monitor_pages[1]); + free_page((unsigned long) + vmbus_connection.monitor_pages[1]); vmbus_connection.monitor_pages[1] = NULL; } } -- 2.34.1

8 months

2
1
0 0

[PATCH v2] drm/tegra: Assign plane type before registration

by Aaron Kling via B4 Relay

From: Thierry Reding <treding(a)nvidia.com> Changes to a plane's type after it has been registered aren't propagated to userspace automatically. This could possibly be achieved by updating the property, but since we can already determine which type this should be before the registration, passing in the right type from the start is a much better solution. Suggested-by: Aaron Kling <webgeek1234(a)gmail.com> Signed-off-by: Thierry Reding <treding(a)nvidia.com> Cc: stable(a)vger.kernel.org Fixes: 473079549f27 ("drm/tegra: dc: Add Tegra186 support") Signed-off-by: Aaron Kling <webgeek1234(a)gmail.com> --- Changes in v2: - Fixed signoff in commit message - Added fixes to commit message - Link to v1: https://lore.kernel.org/r/20250419-tegra-drm-primary-v1-1-b91054fb413f@gmai… --- drivers/gpu/drm/tegra/dc.c | 12 ++++++++---- drivers/gpu/drm/tegra/hub.c | 4 ++-- drivers/gpu/drm/tegra/hub.h | 3 ++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index 798507a8ae56d6789feb95dccdd23b2e63d9c148..56f12dbcee3e93ff5e4804e5fe9b23f160073ebf 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -1321,10 +1321,16 @@ static struct drm_plane *tegra_dc_add_shared_planes(struct drm_device *drm, if (wgrp->dc == dc->pipe) { for (j = 0; j < wgrp->num_windows; j++) { unsigned int index = wgrp->windows[j]; + enum drm_plane_type type; + + if (primary) + type = DRM_PLANE_TYPE_OVERLAY; + else + type = DRM_PLANE_TYPE_PRIMARY; plane = tegra_shared_plane_create(drm, dc, wgrp->index, - index); + index, type); if (IS_ERR(plane)) return plane; @@ -1332,10 +1338,8 @@ static struct drm_plane *tegra_dc_add_shared_planes(struct drm_device *drm, * Choose the first shared plane owned by this * head as the primary plane. */ - if (!primary) { - plane->type = DRM_PLANE_TYPE_PRIMARY; + if (!primary) primary = plane; - } } } } diff --git a/drivers/gpu/drm/tegra/hub.c b/drivers/gpu/drm/tegra/hub.c index fa6140fc37fb16df4b150e5ae9d8148f8f446cd7..8f779f23dc0904d38b14d3f3a928a07fc9e601ad 100644 --- a/drivers/gpu/drm/tegra/hub.c +++ b/drivers/gpu/drm/tegra/hub.c @@ -755,9 +755,9 @@ static const struct drm_plane_helper_funcs tegra_shared_plane_helper_funcs = { struct drm_plane *tegra_shared_plane_create(struct drm_device *drm, struct tegra_dc *dc, unsigned int wgrp, - unsigned int index) + unsigned int index, + enum drm_plane_type type) { - enum drm_plane_type type = DRM_PLANE_TYPE_OVERLAY; struct tegra_drm *tegra = drm->dev_private; struct tegra_display_hub *hub = tegra->hub; struct tegra_shared_plane *plane; diff --git a/drivers/gpu/drm/tegra/hub.h b/drivers/gpu/drm/tegra/hub.h index 23c4b2115ed1e36e8d2d6ed614a6ead97eb4c441..a66f18c4facc9df96ea8b9f54239b52f06536d12 100644 --- a/drivers/gpu/drm/tegra/hub.h +++ b/drivers/gpu/drm/tegra/hub.h @@ -80,7 +80,8 @@ void tegra_display_hub_cleanup(struct tegra_display_hub *hub); struct drm_plane *tegra_shared_plane_create(struct drm_device *drm, struct tegra_dc *dc, unsigned int wgrp, - unsigned int index); + unsigned int index, + enum drm_plane_type type); int tegra_display_hub_atomic_check(struct drm_device *drm, struct drm_atomic_state *state); --- base-commit: 119009db267415049182774196e3cce9e13b52ef change-id: 20250419-tegra-drm-primary-ce47febefdaf Best regards, -- Aaron Kling <webgeek1234(a)gmail.com>

8 months

2
1
0 0

[PATCH v2 1/3] media: videobuf2: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() functions have to be called with the number of elements originally passed to dma_map_sg_*() function, not the one returned in sgt->nents. Fixes: d4db5eb57cab ("media: videobuf2: add begin/end cpu_access callbacks to dma-sg") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index c6ddf2357c58..b3bf2173c14e 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -469,7 +469,7 @@ vb2_dma_sg_dmabuf_ops_begin_cpu_access(struct dma_buf *dbuf, struct vb2_dma_sg_buf *buf = dbuf->priv; struct sg_table *sgt = buf->dma_sgt; - dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); + dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir); return 0; } @@ -480,7 +480,7 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(struct dma_buf *dbuf, struct vb2_dma_sg_buf *buf = dbuf->priv; struct sg_table *sgt = buf->dma_sgt; - dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); + dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir); return 0; } -- 2.34.1

8 months

2
1
0 0

[PATCH v2 2/3] udmabuf: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() functions have to be called with the number of elements originally passed to dma_map_sg_*() function, not the one returned in sgtable's nents. Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> --- drivers/dma-buf/udmabuf.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 7eee3eb47a8e..c9d0c68d2fcb 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -264,8 +264,7 @@ static int begin_cpu_udmabuf(struct dma_buf *buf, ubuf->sg = NULL; } } else { - dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents, - direction); + dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction); } return ret; @@ -280,7 +279,7 @@ static int end_cpu_udmabuf(struct dma_buf *buf, if (!ubuf->sg) return -EINVAL; - dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction); + dma_sync_sgtable_for_device(dev, ubuf->sg, direction); return 0; } -- 2.34.1

8 months

2
1
0 0

[PATCH v2 3/3] media: omap3isp: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() functions have to be called with the number of elements originally passed to dma_map_sg_*() function, not the one returned in sgtable's nents. Fixes: d33186d0be18 ("[media] omap3isp: ccdc: Use the DMA API for LSC") Fixes: 0e24e90f2ca7 ("[media] omap3isp: stat: Use the DMA API") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- drivers/media/platform/ti/omap3isp/ispccdc.c | 8 ++++---- drivers/media/platform/ti/omap3isp/ispstat.c | 6 ++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/media/platform/ti/omap3isp/ispccdc.c b/drivers/media/platform/ti/omap3isp/ispccdc.c index dd375c4e180d..7d0c723dcd11 100644 --- a/drivers/media/platform/ti/omap3isp/ispccdc.c +++ b/drivers/media/platform/ti/omap3isp/ispccdc.c @@ -446,8 +446,8 @@ static int ccdc_lsc_config(struct isp_ccdc_device *ccdc, if (ret < 0) goto done; - dma_sync_sg_for_cpu(isp->dev, req->table.sgt.sgl, - req->table.sgt.nents, DMA_TO_DEVICE); + dma_sync_sgtable_for_cpu(isp->dev, &req->table.sgt, + DMA_TO_DEVICE); if (copy_from_user(req->table.addr, config->lsc, req->config.size)) { @@ -455,8 +455,8 @@ static int ccdc_lsc_config(struct isp_ccdc_device *ccdc, goto done; } - dma_sync_sg_for_device(isp->dev, req->table.sgt.sgl, - req->table.sgt.nents, DMA_TO_DEVICE); + dma_sync_sgtable_for_device(isp->dev, &req->table.sgt, + DMA_TO_DEVICE); } spin_lock_irqsave(&ccdc->lsc.req_lock, flags); diff --git a/drivers/media/platform/ti/omap3isp/ispstat.c b/drivers/media/platform/ti/omap3isp/ispstat.c index 359a846205b0..d3da68408ecb 100644 --- a/drivers/media/platform/ti/omap3isp/ispstat.c +++ b/drivers/media/platform/ti/omap3isp/ispstat.c @@ -161,8 +161,7 @@ static void isp_stat_buf_sync_for_device(struct ispstat *stat, if (ISP_STAT_USES_DMAENGINE(stat)) return; - dma_sync_sg_for_device(stat->isp->dev, buf->sgt.sgl, - buf->sgt.nents, DMA_FROM_DEVICE); + dma_sync_sgtable_for_device(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE); } static void isp_stat_buf_sync_for_cpu(struct ispstat *stat, @@ -171,8 +170,7 @@ static void isp_stat_buf_sync_for_cpu(struct ispstat *stat, if (ISP_STAT_USES_DMAENGINE(stat)) return; - dma_sync_sg_for_cpu(stat->isp->dev, buf->sgt.sgl, - buf->sgt.nents, DMA_FROM_DEVICE); + dma_sync_sgtable_for_cpu(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE); } static void isp_stat_buf_clear(struct ispstat *stat) -- 2.34.1

8 months

1
0
0 0

[PATCH 3/3] perf vendor events amd: Remove Zen 5 IBS fetch event

by Sandipan Das

As mentioned in Erratum 1544 from the Revision Guide for AMD Family 1Ah Models 00h-0Fh Processors available at the link below, PMCx188 reports incorrect information about valid IBS fetch samples when used with unit mask 0x10 on Zen 5 processors. Remove affected events and metrics. Link: https://bugzilla.kernel.org/attachment.cgi?id=308095 Fixes: 45c072f2537a ("perf vendor events amd: Add Zen 5 core events") Signed-off-by: Sandipan Das <sandipan.das(a)amd.com> Cc: stable(a)vger.kernel.org --- tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json b/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json index 4fd5e2c5432f..3b61cf8a04da 100644 --- a/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json +++ b/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json @@ -27,12 +27,6 @@ "BriefDescription": "Fetches discarded after being tagged by Fetch IBS due to IBS filtering.", "UMask": "0x08" }, - { - "EventName": "ic_fetch_ibs_events.sample_valid", - "EventCode": "0x188", - "BriefDescription": "Fetches tagged by Fetch IBS that result in a valid sample and an IBS interrupt.", - "UMask": "0x10" - }, { "EventName": "op_cache_hit_miss.op_cache_hit", "EventCode": "0x28f", -- 2.43.0

8 months

1
0
0 0

[PATCH 2/3] perf vendor events amd: Remove Zen 5 TLB flush event

by Sandipan Das

As mentioned in Erratum 1569 from the Revision Guide for AMD Family 1Ah Models 00h-0Fh Processors available at the link below, PMCx078 reports incorrect information about TLB flushes on Zen 5 processors. Remove affected events and metrics. Link: https://bugzilla.kernel.org/attachment.cgi?id=308095 Fixes: 45c072f2537a ("perf vendor events amd: Add Zen 5 core events") Signed-off-by: Sandipan Das <sandipan.das(a)amd.com> Cc: stable(a)vger.kernel.org --- tools/perf/pmu-events/arch/x86/amdzen5/load-store.json | 6 ------ tools/perf/pmu-events/arch/x86/amdzen5/recommended.json | 7 ------- 2 files changed, 13 deletions(-) diff --git a/tools/perf/pmu-events/arch/x86/amdzen5/load-store.json b/tools/perf/pmu-events/arch/x86/amdzen5/load-store.json index ff6627a77805..f23a92bf55ac 100644 --- a/tools/perf/pmu-events/arch/x86/amdzen5/load-store.json +++ b/tools/perf/pmu-events/arch/x86/amdzen5/load-store.json @@ -502,12 +502,6 @@ "EventCode": "0x76", "BriefDescription": "Core cycles not in halt." }, - { - "EventName": "ls_tlb_flush.all", - "EventCode": "0x78", - "BriefDescription": "All TLB Flushes.", - "UMask": "0xff" - }, { "EventName": "ls_not_halted_p0_cyc.p0_freq_cyc", "EventCode": "0x120", diff --git a/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json b/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json index 863f4b5dfc14..6b32308b1c3a 100644 --- a/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json +++ b/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json @@ -241,13 +241,6 @@ "MetricGroup": "tlb", "ScaleUnit": "1e3per_1k_instr" }, - { - "MetricName": "all_tlbs_flushed_pti", - "BriefDescription": "All TLBs flushed per thousand instructions.", - "MetricExpr": "ls_tlb_flush.all / instructions", - "MetricGroup": "tlb", - "ScaleUnit": "1e3per_1k_instr" - }, { "MetricName": "macro_ops_dispatched", "BriefDescription": "Macro-ops dispatched.", -- 2.43.0

8 months

1
0
0 0

[PATCH 1/3] perf vendor events amd: Remove Zen 5 instruction cache events

by Sandipan Das

As mentioned in Erratum 1583 from the Revision Guide for AMD Family 1Ah Models 00h-0Fh Processors available at the link below, PMCx18E reports incorrect information about instruction cache accesses on Zen 5 processors. Remove affected events and metrics. Link: https://bugzilla.kernel.org/attachment.cgi?id=308095 Fixes: 45c072f2537a ("perf vendor events amd: Add Zen 5 core events") Signed-off-by: Sandipan Das <sandipan.das(a)amd.com> Cc: stable(a)vger.kernel.org --- .../arch/x86/amdzen5/inst-cache.json | 18 ------------------ .../arch/x86/amdzen5/recommended.json | 6 ------ 2 files changed, 24 deletions(-) diff --git a/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json b/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json index ad75e5bf9513..4fd5e2c5432f 100644 --- a/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json +++ b/tools/perf/pmu-events/arch/x86/amdzen5/inst-cache.json @@ -33,24 +33,6 @@ "BriefDescription": "Fetches tagged by Fetch IBS that result in a valid sample and an IBS interrupt.", "UMask": "0x10" }, - { - "EventName": "ic_tag_hit_miss.instruction_cache_hit", - "EventCode": "0x18e", - "BriefDescription": "Instruction cache hits.", - "UMask": "0x07" - }, - { - "EventName": "ic_tag_hit_miss.instruction_cache_miss", - "EventCode": "0x18e", - "BriefDescription": "Instruction cache misses.", - "UMask": "0x18" - }, - { - "EventName": "ic_tag_hit_miss.all_instruction_cache_accesses", - "EventCode": "0x18e", - "BriefDescription": "Instruction cache accesses of all types.", - "UMask": "0x1f" - }, { "EventName": "op_cache_hit_miss.op_cache_hit", "EventCode": "0x28f", diff --git a/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json b/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json index 635d57e3bc15..863f4b5dfc14 100644 --- a/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json +++ b/tools/perf/pmu-events/arch/x86/amdzen5/recommended.json @@ -136,12 +136,6 @@ "MetricExpr": "d_ratio(op_cache_hit_miss.op_cache_miss, op_cache_hit_miss.all_op_cache_accesses)", "ScaleUnit": "100%" }, - { - "MetricName": "ic_fetch_miss_ratio", - "BriefDescription": "Instruction cache miss ratio for all fetches. An instruction cache miss will not be counted by this metric if it is an OC hit.", - "MetricExpr": "d_ratio(ic_tag_hit_miss.instruction_cache_miss, ic_tag_hit_miss.all_instruction_cache_accesses)", - "ScaleUnit": "100%" - }, { "MetricName": "l1_data_cache_fills_from_memory_pti", "BriefDescription": "L1 data cache fills from DRAM or MMIO in any NUMA node per thousand instructions.", -- 2.43.0

8 months

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Ensure fixed_slice_mode gets set after ccs_mode" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 262de94a3a7ef23c326534b3d9483602b7af841e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042256-unshackle-unwashed-bd50@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 262de94a3a7ef23c326534b3d9483602b7af841e Mon Sep 17 00:00:00 2001 From: Niranjana Vishwanathapura <niranjana.vishwanathapura(a)intel.com> Date: Thu, 27 Mar 2025 11:56:04 -0700 Subject: [PATCH] drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change The RCU_MODE_FIXED_SLICE_CCS_MODE setting is not getting invoked in the gt reset path after the ccs_mode setting by the user. Add it to engine register update list (in hw_engine_setup_default_state()) which ensures it gets set in the gt reset and engine reset paths. v2: Add register update to engine list to ensure it gets updated after engine reset also. Fixes: 0d97ecce16bd ("drm/xe: Enable Fixed CCS mode setting") Cc: stable(a)vger.kernel.org Signed-off-by: Niranjana Vishwanathapura <niranjana.vishwanathapura(a)intel.com> Reviewed-by: Matt Roper <matthew.d.roper(a)intel.com> Signed-off-by: Matthew Brost <matthew.brost(a)intel.com> Link: https://lore.kernel.org/r/20250327185604.18230-1-niranjana.vishwanathapura@… (cherry picked from commit 12468e519f98e4d93370712e3607fab61df9dae9) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c index 8c05fd30b7df..93241fd0a4ba 100644 --- a/drivers/gpu/drm/xe/xe_hw_engine.c +++ b/drivers/gpu/drm/xe/xe_hw_engine.c @@ -389,12 +389,6 @@ xe_hw_engine_setup_default_lrc_state(struct xe_hw_engine *hwe) blit_cctl_val, XE_RTP_ACTION_FLAG(ENGINE_BASE))) }, - /* Use Fixed slice CCS mode */ - { XE_RTP_NAME("RCU_MODE_FIXED_SLICE_CCS_MODE"), - XE_RTP_RULES(FUNC(xe_hw_engine_match_fixed_cslice_mode)), - XE_RTP_ACTIONS(FIELD_SET(RCU_MODE, RCU_MODE_FIXED_SLICE_CCS_MODE, - RCU_MODE_FIXED_SLICE_CCS_MODE)) - }, /* Disable WMTP if HW doesn't support it */ { XE_RTP_NAME("DISABLE_WMTP_ON_UNSUPPORTED_HW"), XE_RTP_RULES(FUNC(xe_rtp_cfeg_wmtp_disabled)), @@ -461,6 +455,12 @@ hw_engine_setup_default_state(struct xe_hw_engine *hwe) XE_RTP_ACTIONS(SET(CSFE_CHICKEN1(0), CS_PRIORITY_MEM_READ, XE_RTP_ACTION_FLAG(ENGINE_BASE))) }, + /* Use Fixed slice CCS mode */ + { XE_RTP_NAME("RCU_MODE_FIXED_SLICE_CCS_MODE"), + XE_RTP_RULES(FUNC(xe_hw_engine_match_fixed_cslice_mode)), + XE_RTP_ACTIONS(FIELD_SET(RCU_MODE, RCU_MODE_FIXED_SLICE_CCS_MODE, + RCU_MODE_FIXED_SLICE_CCS_MODE)) + }, }; xe_rtp_process_to_sr(&ctx, engine_entries, ARRAY_SIZE(engine_entries), &hwe->reg_sr);

8 months

3
4
0 0

[PATCH v5] mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled

by Ignacio Moreno Gonzalez via B4 Relay

From: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") maps the mmap option MAP_STACK to VM_NOHUGEPAGE. This is also done if CONFIG_TRANSPARENT_HUGEPAGE is not defined. But in that case, the VM_NOHUGEPAGE does not make sense. I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGEPAGE. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGEPAGE is not defined. Fixes: c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") Cc: stable(a)vger.kernel.org Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Signed-off-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> --- I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGEPAGE. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGEPAGE is not defined. The mapping MAP_STACK -> VM_NOHUGEPAGE was introduced by commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") in order to fix a regression introduced by commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries"). The change introducing the regression (efa7df3e3bb5) was limited to THP kernels, but its fix (c4608d1bf7c6) is applied without checking if THP is set. The mapping MAP_STACK -> VM_NOHUGEPAGE should only be applied if THP is enabled. --- Changes in v5: - Correct typo CONFIG_TRANSPARENT_HUGETABLES -> CONFIG_TRANSPARENT_HUGEPAGE in patch description - Link to v4: https://lore.kernel.org/r/20250507-map-map_stack-to-vm_nohugepage-only-if-t… Changes in v4: - Correct typo CONFIG_TRANSPARENT_HUGETABLES -> CONFIG_TRANSPARENT_HUGEPAGE - Copy description from cover letter to commit description - Link to v3: https://lore.kernel.org/r/20250507-map-map_stack-to-vm_nohugepage-only-if-t… Changes in v3: - Exclude non-stable patch (for huge_mm.h) from this series to avoid mixing stable and non-stable patches, as suggested by Andrew. - Extend description in cover letter. - Link to v2: https://lore.kernel.org/r/20250506-map-map_stack-to-vm_nohugepage-only-if-t… Changes in v2: - [Patch 1/2] Use '#ifdef' instead of '#if defined(...)' - [Patch 1/2] Add 'Fixes: c4608d1bf7c6...' - Create [Patch 2/2] - Link to v1: https://lore.kernel.org/r/20250502-map-map_stack-to-vm_nohugepage-only-if-t… --- include/linux/mman.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/mman.h b/include/linux/mman.h index bce214fece16b9af3791a2baaecd6063d0481938..f4c6346a8fcd29b08d43f7cd9158c3eddc3383e1 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -155,7 +155,9 @@ calc_vm_flag_bits(struct file *file, unsigned long flags) return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | +#ifdef CONFIG_TRANSPARENT_HUGEPAGE _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | +#endif arch_calc_vm_flag_bits(file, flags); } --- base-commit: fc96b232f8e7c0a6c282f47726b2ff6a5fb341d2 change-id: 20250428-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled-ce40a1de095d Best regards, -- Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com>

8 months

2
1
0 0

[PATCH v1] drm/bridge: cdns-dsi: Replace deprecated UNIVERSAL_DEV_PM_OPS()

by Vitor Soares

From: Vitor Soares <vitor.soares(a)toradex.com> The deprecated UNIVERSAL_DEV_PM_OPS() macro uses the provided callbacks for both runtime PM and system sleep. This causes the DSI clocks to be disabled twice: once during runtime suspend and again during system suspend, resulting in a WARN message from the clock framework when attempting to disable already-disabled clocks. [ 84.384540] clk:231:5 already disabled [ 84.388314] WARNING: CPU: 2 PID: 531 at /drivers/clk/clk.c:1181 clk_core_disable+0xa4/0xac ... [ 84.579183] Call trace: [ 84.581624] clk_core_disable+0xa4/0xac [ 84.585457] clk_disable+0x30/0x4c [ 84.588857] cdns_dsi_suspend+0x20/0x58 [cdns_dsi] [ 84.593651] pm_generic_suspend+0x2c/0x44 [ 84.597661] ti_sci_pd_suspend+0xbc/0x15c [ 84.601670] dpm_run_callback+0x8c/0x14c [ 84.605588] __device_suspend+0x1a0/0x56c [ 84.609594] dpm_suspend+0x17c/0x21c [ 84.613165] dpm_suspend_start+0xa0/0xa8 [ 84.617083] suspend_devices_and_enter+0x12c/0x634 [ 84.621872] pm_suspend+0x1fc/0x368 To address this issue, replace UNIVERSAL_DEV_PM_OPS() with DEFINE_RUNTIME_DEV_PM_OPS(), which avoids redundant suspend/resume calls by checking if the device is already runtime suspended. Cc: <stable(a)vger.kernel.org> # 6.1.x Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index b022dd6e6b6e..62179e55e032 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -1258,7 +1258,7 @@ static const struct mipi_dsi_host_ops cdns_dsi_ops = { .transfer = cdns_dsi_transfer, }; -static int __maybe_unused cdns_dsi_resume(struct device *dev) +static int cdns_dsi_resume(struct device *dev) { struct cdns_dsi *dsi = dev_get_drvdata(dev); @@ -1269,7 +1269,7 @@ static int __maybe_unused cdns_dsi_resume(struct device *dev) return 0; } -static int __maybe_unused cdns_dsi_suspend(struct device *dev) +static int cdns_dsi_suspend(struct device *dev) { struct cdns_dsi *dsi = dev_get_drvdata(dev); @@ -1279,8 +1279,8 @@ static int __maybe_unused cdns_dsi_suspend(struct device *dev) return 0; } -static UNIVERSAL_DEV_PM_OPS(cdns_dsi_pm_ops, cdns_dsi_suspend, cdns_dsi_resume, - NULL); +static DEFINE_RUNTIME_DEV_PM_OPS(cdns_dsi_pm_ops, cdns_dsi_suspend, + cdns_dsi_resume, NULL); static int cdns_dsi_drm_probe(struct platform_device *pdev) { @@ -1427,7 +1427,7 @@ static struct platform_driver cdns_dsi_platform_driver = { .driver = { .name = "cdns-dsi", .of_match_table = cdns_dsi_of_match, - .pm = &cdns_dsi_pm_ops, + .pm = pm_ptr(&cdns_dsi_pm_ops), }, }; module_platform_driver(cdns_dsi_platform_driver); -- 2.34.1

8 months

2
6
0 0

net/sched: codel: Inclusion of patchset

by Tai, Gerrard

Upstream commits: 01: 5ba8b837b522d7051ef81bacf3d95383ff8edce5 ("sch_htb: make htb_qlen_notify() idempotent") 02: df008598b3a00be02a8051fde89ca0fbc416bd55 ("sch_drr: make drr_qlen_notify() idempotent") 03: 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb ("sch_hfsc: make hfsc_qlen_notify() idempotent") 04: 55f9eca4bfe30a15d8656f915922e8c98b7f0728 ("sch_qfq: make qfq_qlen_notify() idempotent") 05: a7a15f39c682ac4268624da2abdb9114bdde96d5 ("sch_ets: make est_qlen_notify() idempotent") 06: 342debc12183b51773b3345ba267e9263bdfaaef ("codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()") These patches are patch 01-06 of the original patchset ([1]) authored by Cong Wang. I have omitted patches 07-11 which are selftests. This patchset addresses a UAF vulnerability. Originally, only the last commit (06) was picked to merge into the latest round of stable queues 5.15,5.10,5.4. For 6.x stable branches, that sole commit has already been merged in a previous cycle. From my understanding, this patch depends on the previous patches to work. Without patches 01-05 which make various classful qdiscs' qlen_notify() idempotent, if an fq_codel's dequeue() routine empties the fq_codel qdisc, it will be doubly deactivated - first in the parent qlen_notify and then again in the parent dequeue. For instance, in the case of parent drr, the double deactivation will either cause a fault on an invalid address, or trigger a splat if list checks are compiled into the kernel. This is also why the original unpatched code included the qlen check in the first place. After discussion with Greg, he has helped to temporarily drop the patch from the 5.x queues ([2]). My suggestion is to include patches 01-06 of the patchset, as listed above, for the 5.x queues. For the 6.x queues that have already merged patch 06, the earlier patches 01-05 should be merged too. I'm not too familiar with the stable patch process, so I may be completely mistaken here. Cheers, Gerrard [1]: https://lore.kernel.org/netdev/174410343500.1831514.15019771038334698036.gi… [2]: https://lore.kernel.org/stable/2025050131-fragrant-famine-eb32@gregkh/

8 months

3
4
0 0

[PATCH 6.1 000/167] 6.1.136-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.136 release. There are 167 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 01 May 2025 16:10:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.136-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.136-rc1 Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Silence more KCOV warnings, part 2 Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qcom: q6afe-dai: fix Display Port Playback stream name Rob Herring <robh(a)kernel.org> PCI: Fix use-after-free in pci_bus_release_domain_nr() Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Remove pointer (asterisk) and brackets from cpumask_t field Richard Zhu <hongxing.zhu(a)nxp.com> phy: freescale: imx8m-pcie: Add one missing error return Richard Zhu <hongxing.zhu(a)nxp.com> phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check Hannes Reinecke <hare(a)kernel.org> nvme: fixup scan failure for non-ANA multipath controllers Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: cm: Fix warning if MIPS_CM is disabled Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> xdp: Reset bpf_redirect_info before running a xdp's BPF prog. Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: enable STU methods for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: enable .port_set_policy() for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: enable PVT for 6321 switch Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix atu_move_port_mask for 6341 family Jakub Kicinski <kuba(a)kernel.org> net/sched: act_mirred: don't override retval if we already lost the skb Marek Behún <kabel(a)kernel.org> crypto: atmel-sha204a - Set hwrng quality to lowest possible Ian Abbott <abbotti(a)mev.co.uk> comedi: jr3_pci: Fix synchronous deletion of timer Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: define xtree root and page independently Sergey Shtylyov <s.shtylyov(a)omp.ru> of: module: add buffer overflow check in of_modalias() Tamura Dai <kirinode0(a)gmail.com> spi: spi-imx: Add check for spi_imx_setupxfer() Meir Elisha <meir.elisha(a)volumez.com> md/raid1: Add check for missing source disk in process_checks() Mostafa Saleh <smostafa(a)google.com> ubsan: Fix panic from test_ubsan_out_of_bounds Breno Leitao <leitao(a)debian.org> spi: tegra210-quad: add rate limiting and simplify timeout error message Breno Leitao <leitao(a)debian.org> spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts Yunlong Xing <yunlong.xing(a)unisoc.com> loop: aio inherit the ioprio of original request Fernando Fernandez Mancera <ffmancera(a)riseup.net> x86/i8253: Call clockevent_i8253_disable() with interrupts disabled Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy_attached to zero when device is gone Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init() Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: make block validity check resistent to sb bh corruption Daniel Wagner <wagi(a)kernel.org> nvmet-fc: put ref when assoc->del_work is already scheduled Daniel Wagner <wagi(a)kernel.org> nvmet-fc: take tgtport reference only once Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on context switch with eIBRS Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Use SBPB in write_ibpb() if applicable Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> selftests/mincore: Allow read-ahead pages to reach the end of the file Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Stop UNRET validation on UD2 Hannes Reinecke <hare(a)kernel.org> nvme: re-read ANA log page after ns scan completes Jean-Marc Eurin <jmeurin(a)google.com> ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Mario Limonciello <mario.limonciello(a)amd.com> ACPI: EC: Set ec_no_wakeup for Lenovo Go S Hannes Reinecke <hare(a)kernel.org> nvme: requeue namespace scan on missed AENs Jason Andryuk <jason.andryuk(a)amd.com> xen: Change xen-acpi-processor dom0 dependency Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix test_stripe_04 Xiaogang Chen <xiaogang.chen(a)amd.com> udmabuf: fix a buf size overflow issue during udmabuf creation Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through tracepoints Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Lukas Stockmann <lukas.stockmann(a)siemens.com> rtc: pcf85063: do a SW reset if POR failed Dominique Martinet <asmadeus(a)codewreck.org> 9p/net: fix improper handling of bogus negative read/write replies Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> ntb_hw_amd: Add NTB PCI ID for new gen CPU Arnd Bergmann <arnd(a)arndb.de> ntb: reduce stack usage in idt_scan_mws Al Viro <viro(a)zeniv.linux.org.uk> qibfs: fix _another_ leak Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, lkdtm: Obfuscate the do_nothing() pointer Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Silence more KCOV warnings Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Scan retimers after device router has been enumerated Théo Lebrun <theo.lebrun(a)bootlin.com> usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func Chenyuan Yang <chenyuan0y(a)gmail.com> usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running Vinicius Costa Gomes <vinicius.gomes(a)intel.com> dmaengine: dmatest: Fix dmatest waiting less when interrupted John Stultz <jstultz(a)google.com> sound/virtio: Fix cancel_sync warnings on uninitialized work_structs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: gadget: Refactor loop to avoid NULL endpoints Edward Adam Davis <eadavis(a)qq.com> fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size Alexander Stein <alexander.stein(a)mailbox.org> usb: host: max3421-hcd: Add missing spi_device_id table Haoxiang Li <haoxiang_li2024(a)163.com> s390/tty: Fix a potential memory leak bug Haoxiang Li <haoxiang_li2024(a)163.com> s390/sclp: Add check for get_zeroed_page() Yu-Chun Lin <eleanor15x(a)gmail.com> parisc: PDT: Fix missing prototype warning Heiko Stuebner <heiko(a)sntech.de> clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Alexei Starovoitov <ast(a)kernel.org> bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Herbert Xu <herbert(a)gondor.apana.org.au> crypto: null - Use spin lock instead of mutex Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: cm: Detect CM quirks from device tree Chenyuan Yang <chenyuan0y(a)gmail.com> pinctrl: renesas: rza2: Fix potential NULL pointer dereference Oliver Neukum <oneukum(a)suse.com> USB: wdm: add annotation Oliver Neukum <oneukum(a)suse.com> USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context Oliver Neukum <oneukum(a)suse.com> USB: wdm: close race between wdm_open and wdm_wwan_port_stop Oliver Neukum <oneukum(a)suse.com> USB: wdm: handle IO errors in wdm_wwan_port_start Oliver Neukum <oneukum(a)suse.com> USB: VLI disk crashes if LPM is used Miao Li <limiao(a)kylinos.cn> usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive Miao Li <limiao(a)kylinos.cn> usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Mike Looijmans <mike.looijmans(a)topic.nl> usb: dwc3: xilinx: Prevent spike in reset signal Frode Isaksen <frode(a)meta.com> usb: dwc3: gadget: check that event count does not exceed event buffer length Huacai Chen <chenhuacai(a)kernel.org> USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: fix usbmisc handling Ralph Siemsen <ralph.siemsen(a)linaro.org> usb: cdns3: Fix deadlock when using NCM gadget Craig Hesling <craig(a)hesling.com> USB: serial: simple: add OWON HDS200 series oscilloscope support Adam Xue <zxue(a)semtech.com> USB: serial: option: add Sierra Wireless EM9291 Michael Ehrenreich <michideep(a)gmail.com> USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Ryo Takakura <ryotkkr98(a)gmail.com> serial: sifive: lock port in startup()/shutdown() callbacks Stephan Gerhold <stephan.gerhold(a)linaro.org> serial: msm: Configure correct working mode before starting earlycon Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Sean Christopherson <seanjc(a)google.com> KVM: x86: Reset IRTE to host control if *new* route isn't postable Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly treat routing entry type changes as changes Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake H DID Oliver Neukum <oneukum(a)suse.com> USB: storage: quirk for ADATA Portable HDD CH94 Haoxiang Li <haoxiang_li2024(a)163.com> mcb: fix a double free bug in chameleon_parse_gdd() Sean Christopherson <seanjc(a)google.com> KVM: SVM: Allocate IR data using atomic allocation Petr Tesarik <ptesarik(a)suse.com> LoongArch: Remove a bogus reference to ZONE_DMA Ming Wang <wangming01(a)loongson.cn> LoongArch: Return NULL from huge_pte_offset() for invalid PMD Roman Li <Roman.Li(a)amd.com> drm/amd/display: Force full update in gpu reset Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix gpu reset in multidisplay config Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Oleksij Rempel <linux(a)rempel-privat.de> net: selftests: initialize TCP header and skb payload with zero Alexey Nepomnyashih <sdl(a)nppct.ru> xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() Halil Pasic <pasic(a)linux.ibm.com> virtio_console: fix missing byte order handling for cols and rows Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb Ping-Ke Shih <pkshih(a)realtek.com> wifi: mac80211: export ieee80211_purge_tx_queue() for drivers Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make regs_irqs_disabled() more clear Yuli Wang <wangyuli(a)uniontech.com> LoongArch: Select ARCH_USE_MEMTEST Luo Gengkun <luogengkun(a)huaweicloud.com> perf/x86: Fix non-sampling (counting) events on certain x86 platforms Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Sean Christopherson <seanjc(a)google.com> iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Daniel Golle <daniel(a)makrotopia.org> net: dsa: mt7530: sync driver-specific behavior of MT7531 variants Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a UAF vulnerability in class handling Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Qingfang Deng <qingfang.deng(a)siflower.com.cn> net: phy: leds: fix memory leak Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: disable BHs when required Anastasia Kovaleva <a.kovaleva(a)yadro.com> scsi: core: Clear flags for scsi_cmnd that did not complete Qu Wenruo <wqu(a)suse.com> btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range() Marc Zyngier <maz(a)kernel.org> cpufreq: cppc: Fix invalid return value in .get() callback Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() Arnd Bergmann <arnd(a)arndb.de> dma/contiguous: avoid warning about unused size_bytes Mark Brown <broonie(a)kernel.org> selftests/mm: generate a temporary mountpoint for cgroup filesystem Evgeny Pimenov <pimenoveu12(a)gmail.com> ASoC: qcom: Fix sc7280 lpass potential buffer overflow Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qcom: q6dsp: add support to more display ports Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Support mmap() of PCI resources except for ISM devices Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Report PCI error recovery results via SCLP Niklas Schnelle <schnelle(a)linux.ibm.com> s390/sclp: Allow user-space to provide PCI reports for optical modules Stefan Eichenberger <stefan.eichenberger(a)toradex.com> phy: freescale: imx8m-pcie: assert phy reset and perst in power off Richard Zhu <hongxing.zhu(a)nxp.com> phy: freescale: imx8m-pcie: Add i.MX8MP PCIe PHY support David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Halil Pasic <pasic(a)linux.ibm.com> s390/virtio_ccw: fix virtual vs physical address confusion Alexander Gordeev <agordeev(a)linux.ibm.com> s390/virtio: sort out physical vs virtual pointers usage Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_register_host_bridge() Pali Rohár <pali(a)kernel.org> PCI: Assign PCI domain IDs by ida_alloc() Zijun Hu <quic_zijuhu(a)quicinc.com> of: resolver: Fix device node refcount leakage in of_resolve_phandles() Rob Herring (Arm) <robh(a)kernel.org> of: resolver: Simplify of_resolve_phandles() using __free() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: r9a07g04[34]: Fix typo for sel_shdi variable Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: r9a07g04[34]: Use SEL_SDHI1_STS status configuration for SD1 mux Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: rzg2l: Refactor SD mux driver Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: rzg2l: Remove CPG_SDHI_DSEL from generic header Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: rzg2l: Add struct clk_hw_data Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> clk: renesas: rzg2l: Use u32 for flag and mux_flags Herve Codina <herve.codina(a)bootlin.com> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> backlight: led_bl: Convert to platform remove callback returning void Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: adc: ad7768-1: Fix conversion result sign Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix VTU methods for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix internal PHYs for 6320 family Alexis Lothoré <alexis.lothore(a)bootlin.com> net: dsa: mv88e6xxx: add field to specify internal phys layout Alexis Lothoré <alexis.lothore(a)bootlin.com> net: dsa: mv88e6xxx: pass directly chip structure to mv88e6xxx_phy_is_internal Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: mv88e6xxx: move link forcing to mac_prepare/mac_finish Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: add support for mac_prepare() and mac_finish() calls Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: don't dispose of Global2 IRQ mappings from mdiobus code Haoxiang Li <haoxiang_li2024(a)163.com> auxdisplay: hd44780: Fix an API misuse in hd44780.c Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> auxdisplay: hd44780: Convert to platform remove callback returning void Steven Rostedt <rostedt(a)goodmis.org> tracing: Verify event formats that have "%*p.." Steven Rostedt <rostedt(a)goodmis.org> tracing: Add __print_dynamic_array() helper Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Add __string_len() example Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Fix cpumask() example typo Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Add __cpumask to denote a trace event field that is a cpumask_t Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Thorsten Leemhuis <linux(a)leemhuis.info> module: sign with sha512 instead of sha1 by default ------------- Diffstat: Makefile | 4 +- arch/loongarch/Kconfig | 1 + arch/loongarch/include/asm/ptrace.h | 4 +- arch/loongarch/mm/hugetlbpage.c | 2 +- arch/loongarch/mm/init.c | 3 - arch/mips/include/asm/mips-cm.h | 22 +++ arch/mips/kernel/mips-cm.c | 14 ++ arch/parisc/kernel/pdt.c | 2 + arch/riscv/kernel/probes/uprobes.c | 10 +- arch/s390/Kconfig | 4 +- arch/s390/include/asm/pci.h | 3 + arch/s390/include/asm/sclp.h | 33 ++++ arch/s390/kvm/trace-s390.h | 4 +- arch/s390/pci/Makefile | 2 +- arch/s390/pci/pci_event.c | 21 ++- arch/s390/pci/pci_fixup.c | 23 +++ arch/s390/pci/pci_report.c | 111 +++++++++++++ arch/s390/pci/pci_report.h | 16 ++ arch/x86/entry/entry.S | 2 +- arch/x86/events/core.c | 2 +- arch/x86/kernel/cpu/bugs.c | 36 ++--- arch/x86/kernel/i8253.c | 3 +- arch/x86/kvm/svm/avic.c | 60 +++---- arch/x86/kvm/vmx/posted_intr.c | 28 ++-- arch/x86/kvm/x86.c | 3 +- arch/x86/mm/tlb.c | 6 +- crypto/crypto_null.c | 37 +++-- drivers/acpi/ec.c | 28 ++++ drivers/acpi/pptt.c | 4 +- drivers/auxdisplay/hd44780.c | 9 +- drivers/block/loop.c | 2 +- drivers/char/virtio_console.c | 7 +- drivers/clk/clk.c | 4 + drivers/clk/renesas/r9a07g043-cpg.c | 28 +++- drivers/clk/renesas/r9a07g044-cpg.c | 21 ++- drivers/clk/renesas/rzg2l-cpg.c | 178 +++++++++++++++------ drivers/clk/renesas/rzg2l-cpg.h | 24 +-- drivers/comedi/drivers/jr3_pci.c | 17 +- drivers/cpufreq/cppc_cpufreq.c | 2 +- drivers/cpufreq/scmi-cpufreq.c | 10 +- drivers/cpufreq/scpi-cpufreq.c | 13 +- drivers/crypto/atmel-sha204a.c | 7 +- drivers/dma-buf/udmabuf.c | 2 +- drivers/dma/dmatest.c | 6 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +- drivers/iio/adc/ad7768-1.c | 5 +- drivers/infiniband/hw/qib/qib_fs.c | 1 + drivers/iommu/amd/iommu.c | 2 +- drivers/mcb/mcb-parse.c | 2 +- drivers/md/raid1.c | 26 +-- drivers/misc/lkdtm/perms.c | 14 +- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 8 +- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + drivers/net/dsa/mt7530.c | 6 +- drivers/net/dsa/mv88e6xxx/chip.c | 106 ++++++++---- drivers/net/dsa/mv88e6xxx/chip.h | 5 + drivers/net/dsa/mv88e6xxx/global2.c | 25 +-- drivers/net/phy/microchip.c | 46 +----- drivers/net/phy/phy_led_triggers.c | 23 +-- drivers/net/wireless/realtek/rtw88/main.c | 2 +- drivers/net/wireless/realtek/rtw88/tx.c | 2 +- drivers/net/xen-netfront.c | 19 ++- drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +-- drivers/nvme/host/core.c | 9 ++ drivers/nvme/target/fc.c | 25 ++- drivers/of/device.c | 7 +- drivers/of/resolver.c | 37 ++--- drivers/pci/pci.c | 107 +++++++------ drivers/pci/probe.c | 16 +- drivers/pci/remove.c | 7 + drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 46 +++++- drivers/pinctrl/renesas/pinctrl-rza2.c | 3 + drivers/rtc/rtc-pcf85063.c | 19 ++- drivers/s390/char/sclp.h | 14 -- drivers/s390/char/sclp_con.c | 17 ++ drivers/s390/char/sclp_pci.c | 19 +-- drivers/s390/char/sclp_tty.c | 12 ++ drivers/s390/net/ism_drv.c | 1 - drivers/s390/virtio/virtio_ccw.c | 100 ++++++------ drivers/scsi/hisi_sas/hisi_sas_main.c | 20 +++ drivers/scsi/pm8001/pm8001_sas.c | 1 + drivers/scsi/scsi_lib.c | 6 +- drivers/spi/spi-imx.c | 5 +- drivers/spi/spi-tegra210-quad.c | 6 +- drivers/thunderbolt/tb.c | 16 +- drivers/tty/serial/msm_serial.c | 6 + drivers/tty/serial/sifive.c | 6 + drivers/ufs/host/ufs-exynos.c | 10 +- drivers/usb/cdns3/cdns3-gadget.c | 2 + drivers/usb/chipidea/ci_hdrc_imx.c | 44 +++-- drivers/usb/class/cdc-wdm.c | 21 ++- drivers/usb/core/quirks.c | 9 ++ drivers/usb/dwc3/dwc3-pci.c | 10 ++ drivers/usb/dwc3/dwc3-xilinx.c | 4 +- drivers/usb/dwc3/gadget.c | 28 +++- drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 + drivers/usb/host/max3421-hcd.c | 7 + drivers/usb/host/ohci-pci.c | 23 +++ drivers/usb/host/xhci-mvebu.c | 10 -- drivers/usb/host/xhci-mvebu.h | 6 - drivers/usb/host/xhci-plat.c | 2 +- drivers/usb/host/xhci-ring.c | 11 +- drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 5 + drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb-serial-simple.c | 7 + drivers/usb/storage/unusual_uas.h | 7 + drivers/video/backlight/led_bl.c | 11 +- drivers/xen/Kconfig | 2 +- fs/btrfs/file.c | 9 +- fs/ext4/block_validity.c | 5 +- fs/ext4/inode.c | 7 +- fs/jfs/jfs_dinode.h | 2 +- fs/jfs/jfs_imap.c | 6 +- fs/jfs/jfs_incore.h | 2 +- fs/jfs/jfs_txnmgr.c | 4 +- fs/jfs/jfs_xtree.c | 4 +- fs/jfs/jfs_xtree.h | 37 +++-- fs/ntfs3/file.c | 1 + include/dt-bindings/sound/qcom,q6dsp-lpass-ports.h | 8 + include/linux/filter.h | 9 +- include/linux/pci.h | 1 + include/linux/pci_ids.h | 1 + include/net/dsa.h | 6 + include/net/mac80211.h | 13 ++ include/trace/bpf_probe.h | 6 + include/trace/perf.h | 6 + include/trace/stages/stage1_struct_define.h | 6 + include/trace/stages/stage2_data_offsets.h | 6 + include/trace/stages/stage3_trace_output.h | 14 ++ include/trace/stages/stage4_event_fields.h | 12 ++ include/trace/stages/stage5_get_offsets.h | 6 + include/trace/stages/stage6_event_callback.h | 20 +++ include/trace/stages/stage7_class_define.h | 3 + init/Kconfig | 2 +- kernel/dma/contiguous.c | 3 +- kernel/module/Kconfig | 1 + kernel/trace/bpf_trace.c | 7 +- kernel/trace/trace_events.c | 7 + lib/test_ubsan.c | 18 ++- mm/memcontrol.c | 9 ++ net/9p/client.c | 30 ++-- net/core/lwtunnel.c | 26 ++- net/core/selftests.c | 18 ++- net/dsa/port.c | 32 ++++ net/mac80211/ieee80211_i.h | 2 - net/mac80211/status.c | 1 + net/sched/act_mirred.c | 22 +-- net/sched/sch_hfsc.c | 23 ++- net/tipc/monitor.c | 3 +- samples/trace_events/trace-events-sample.c | 2 +- samples/trace_events/trace-events-sample.h | 46 +++++- scripts/Makefile.lib | 2 +- sound/soc/codecs/wcd934x.c | 2 +- sound/soc/qcom/lpass.h | 3 +- sound/soc/qcom/qdsp6/q6afe-dai.c | 2 +- sound/soc/qcom/qdsp6/q6dsp-lpass-ports.c | 43 +++-- sound/virtio/virtio_pcm.c | 21 ++- tools/objtool/check.c | 9 ++ tools/testing/selftests/mincore/mincore_selftest.c | 3 - tools/testing/selftests/ublk/test_stripe_04.sh | 24 +++ .../selftests/vm/charge_reserved_hugetlb.sh | 4 +- .../selftests/vm/hugetlb_reparenting_test.sh | 2 +- 165 files changed, 1713 insertions(+), 720 deletions(-)

8 months

16
194
0 0

[PATCH v4] mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled

by Ignacio Moreno Gonzalez via B4 Relay

From: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") maps the mmap option MAP_STACK to VM_NOHUGEPAGE. This is also done if CONFIG_TRANSPARENT_HUGETABLES is not defined. But in that case, the VM_NOHUGEPAGE does not make sense. I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGETABLES. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGEPAGE is not defined. Fixes: c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") Cc: stable(a)vger.kernel.org Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Signed-off-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> --- I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGEPAGE. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGEPAGE is not defined. The mapping MAP_STACK -> VM_NOHUGEPAGE was introduced by commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") in order to fix a regression introduced by commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries"). The change introducing the regression (efa7df3e3bb5) was limited to THP kernels, but its fix (c4608d1bf7c6) is applied without checking if THP is set. The mapping MAP_STACK -> VM_NOHUGEPAGE should only be applied if THP is enabled. --- Changes in v4: - Correct typo CONFIG_TRANSPARENT_HUGETABLES -> CONFIG_TRANSPARENT_HUGEPAGE - Copy description from cover letter to commit description - Link to v3: https://lore.kernel.org/r/20250507-map-map_stack-to-vm_nohugepage-only-if-t… Changes in v3: - Exclude non-stable patch (for huge_mm.h) from this series to avoid mixing stable and non-stable patches, as suggested by Andrew. - Extend description in cover letter. - Link to v2: https://lore.kernel.org/r/20250506-map-map_stack-to-vm_nohugepage-only-if-t… Changes in v2: - [Patch 1/2] Use '#ifdef' instead of '#if defined(...)' - [Patch 1/2] Add 'Fixes: c4608d1bf7c6...' - Create [Patch 2/2] - Link to v1: https://lore.kernel.org/r/20250502-map-map_stack-to-vm_nohugepage-only-if-t… --- include/linux/mman.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/mman.h b/include/linux/mman.h index bce214fece16b9af3791a2baaecd6063d0481938..f4c6346a8fcd29b08d43f7cd9158c3eddc3383e1 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -155,7 +155,9 @@ calc_vm_flag_bits(struct file *file, unsigned long flags) return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | +#ifdef CONFIG_TRANSPARENT_HUGEPAGE _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | +#endif arch_calc_vm_flag_bits(file, flags); } --- base-commit: fc96b232f8e7c0a6c282f47726b2ff6a5fb341d2 change-id: 20250428-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled-ce40a1de095d Best regards, -- Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com>

8 months

3
2
0 0

[PATCH v2 1/4] mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y

by Florent Revest

On configs with CONFIG_ARM64_GCS=y, VM_SHADOW_STACK is bit 38. On configs with CONFIG_HAVE_ARCH_USERFAULTFD_MINOR=y (selected by CONFIG_ARM64 when CONFIG_USERFAULTFD=y), VM_UFFD_MINOR is _also_ bit 38. This bit being shared by two different VMA flags could lead to all sorts of unintended behaviors. Presumably, a process could maybe call into userfaultfd in a way that disables the shadow stack vma flag. I can't think of any attack where this would help (presumably, if an attacker tries to disable shadow stacks, they are trying to hijack control flow so can't arbitrarily call into userfaultfd yet anyway) but this still feels somewhat scary. Reviewed-by: Mark Brown <broonie(a)kernel.org> Fixes: ae80e1629aea ("mm: Define VM_SHADOW_STACK for arm64 when we support GCS") Cc: <stable(a)vger.kernel.org> Signed-off-by: Florent Revest <revest(a)chromium.org> --- include/linux/mm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index bf55206935c46..fdda6b16263b3 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -385,7 +385,7 @@ extern unsigned int kobjsize(const void *objp); #endif #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR -# define VM_UFFD_MINOR_BIT 38 +# define VM_UFFD_MINOR_BIT 41 # define VM_UFFD_MINOR BIT(VM_UFFD_MINOR_BIT) /* UFFD minor faults */ #else /* !CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */ # define VM_UFFD_MINOR VM_NONE -- 2.49.0.987.g0cc8ee98dc-goog

8 months

1
0
0 0

[PATCH RESEND v3 5/5] phy: renesas: rcar-gen3-usb2: Set timing registers only once

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> phy-rcar-gen3-usb2 driver exports 4 PHYs. The timing registers are common to all PHYs. There is no need to set them every time a PHY is initialized. Set timing register only when the 1st PHY is initialized. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- Changes in v3: - collected tags Changes in v2: - collected tags drivers/phy/renesas/phy-rcar-gen3-usb2.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 118899efda70..9fdf17e0848a 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -467,8 +467,11 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; writel(val, usb2_base + USB2_INT_ENABLE); - writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); - writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); + + if (!rcar_gen3_is_any_rphy_initialized(channel)) { + writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); + writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); + } /* Initialize otg part (only if we initialize a PHY with IRQs). */ if (rphy->int_enable_bits) -- 2.43.0

8 months

1
0
0 0

[PATCH RESEND v3 4/5] phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Assert PLL reset on PHY power off. This saves power. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- Changes in v3: - collected tags Changes in v2: - collected tags - add an empty line after definition of val to get rid of the checkpatch.pl warning drivers/phy/renesas/phy-rcar-gen3-usb2.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 00ce564463de..118899efda70 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -537,9 +537,17 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - scoped_guard(spinlock_irqsave, &channel->lock) + scoped_guard(spinlock_irqsave, &channel->lock) { rphy->powered = false; + if (rcar_gen3_are_all_rphys_power_off(channel)) { + u32 val = readl(channel->base + USB2_USBCTR); + + val |= USB2_USBCTR_PLL_RST; + writel(val, channel->base + USB2_USBCTR); + } + } + if (channel->vbus) ret = regulator_disable(channel->vbus); -- 2.43.0

8 months

1
0
0 0

[PATCH RESEND v3 3/5] phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> The phy-rcar-gen3-usb2 driver exposes four individual PHYs that are requested and configured by PHY users. The struct phy_ops APIs access the same set of registers to configure all PHYs. Additionally, PHY settings can be modified through sysfs or an IRQ handler. While some struct phy_ops APIs are protected by a driver-wide mutex, others rely on individual PHY-specific mutexes. This approach can lead to various issues, including: 1/ the IRQ handler may interrupt PHY settings in progress, racing with hardware configuration protected by a mutex lock 2/ due to msleep(20) in rcar_gen3_init_otg(), while a configuration thread suspends to wait for the delay, another thread may try to configure another PHY (with phy_init() + phy_power_on()); re-running the phy_init() goes to the exact same configuration code, re-running the same hardware configuration on the same set of registers (and bits) which might impact the result of the msleep for the 1st configuring thread 3/ sysfs can configure the hardware (though role_store()) and it can still race with the phy_init()/phy_power_on() APIs calling into the drivers struct phy_ops To address these issues, add a spinlock to protect hardware register access and driver private data structures (e.g., calls to rcar_gen3_is_any_rphy_initialized()). Checking driver-specific data remains necessary as all PHY instances share common settings. With this change, the existing mutex protection is removed and the cleanup.h helpers are used. While at it, to keep the code simpler, do not skip regulator_enable()/regulator_disable() APIs in rcar_gen3_phy_usb2_power_on()/rcar_gen3_phy_usb2_power_off() as the regulators enable/disable operations are reference counted anyway. Fixes: f3b5a8d9b50d ("phy: rcar-gen3-usb2: Add R-Car Gen3 USB2 PHY driver") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- Changes in v3: - collected tags Changes in v2: - collected tags drivers/phy/renesas/phy-rcar-gen3-usb2.c | 49 +++++++++++++----------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index bb05fd26eb7f..00ce564463de 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -9,6 +9,7 @@ * Copyright (C) 2014 Cogent Embedded, Inc. */ +#include <linux/cleanup.h> #include <linux/extcon-provider.h> #include <linux/interrupt.h> #include <linux/io.h> @@ -118,7 +119,7 @@ struct rcar_gen3_chan { struct regulator *vbus; struct reset_control *rstc; struct work_struct work; - struct mutex lock; /* protects rphys[...].powered */ + spinlock_t lock; /* protects access to hardware and driver data structure. */ enum usb_dr_mode dr_mode; u32 obint_enable_bits; bool extcon_host; @@ -348,6 +349,8 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; + guard(spinlock_irqsave)(&ch->lock); + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; @@ -415,7 +418,7 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) val = readl(usb2_base + USB2_ADPCTRL); writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); } - msleep(20); + mdelay(20); writel(0xffffffff, usb2_base + USB2_OBINTSTA); writel(ch->obint_enable_bits, usb2_base + USB2_OBINTEN); @@ -436,12 +439,14 @@ static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) if (pm_runtime_suspended(dev)) goto rpm_put; - status = readl(usb2_base + USB2_OBINTSTA); - if (status & ch->obint_enable_bits) { - dev_vdbg(dev, "%s: %08x\n", __func__, status); - writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); - rcar_gen3_device_recognition(ch); - ret = IRQ_HANDLED; + scoped_guard(spinlock, &ch->lock) { + status = readl(usb2_base + USB2_OBINTSTA); + if (status & ch->obint_enable_bits) { + dev_vdbg(dev, "%s: %08x\n", __func__, status); + writel(ch->obint_enable_bits, usb2_base + USB2_OBINTSTA); + rcar_gen3_device_recognition(ch); + ret = IRQ_HANDLED; + } } rpm_put: @@ -456,6 +461,8 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + /* Initialize USB2 part */ val = readl(usb2_base + USB2_INT_ENABLE); val |= USB2_INT_ENABLE_UCOM_INTEN | rphy->int_enable_bits; @@ -479,6 +486,8 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) void __iomem *usb2_base = channel->base; u32 val; + guard(spinlock_irqsave)(&channel->lock); + rphy->initialized = false; val = readl(usb2_base + USB2_INT_ENABLE); @@ -498,16 +507,17 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) u32 val; int ret = 0; - mutex_lock(&channel->lock); - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; - if (channel->vbus) { ret = regulator_enable(channel->vbus); if (ret) - goto out; + return ret; } + guard(spinlock_irqsave)(&channel->lock); + + if (!rcar_gen3_are_all_rphys_power_off(channel)) + goto out; + val = readl(usb2_base + USB2_USBCTR); val |= USB2_USBCTR_PLL_RST; writel(val, usb2_base + USB2_USBCTR); @@ -517,7 +527,6 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) out: /* The powered flag should be set for any other phys anyway */ rphy->powered = true; - mutex_unlock(&channel->lock); return 0; } @@ -528,18 +537,12 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) struct rcar_gen3_chan *channel = rphy->ch; int ret = 0; - mutex_lock(&channel->lock); - rphy->powered = false; - - if (!rcar_gen3_are_all_rphys_power_off(channel)) - goto out; + scoped_guard(spinlock_irqsave, &channel->lock) + rphy->powered = false; if (channel->vbus) ret = regulator_disable(channel->vbus); -out: - mutex_unlock(&channel->lock); - return ret; } @@ -750,7 +753,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) if (phy_data->no_adp_ctrl) channel->obint_enable_bits = USB2_OBINT_IDCHG_EN; - mutex_init(&channel->lock); + spin_lock_init(&channel->lock); for (i = 0; i < NUM_OF_PHYS; i++) { channel->rphys[i].phy = devm_phy_create(dev, NULL, phy_data->phy_usb2_ops); -- 2.43.0

8 months

1
0
0 0

[PATCH RESEND v3 1/5] phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> It has been observed on the Renesas RZ/G3S SoC that unbinding and binding the PHY driver leads to role autodetection failures. This issue occurs when PHY 3 is the first initialized PHY. PHY 3 does not have an interrupt associated with the USB2_INT_ENABLE register (as rcar_gen3_int_enable[3] = 0). As a result, rcar_gen3_init_otg() is called to initialize OTG without enabling PHY interrupts. To resolve this, add rcar_gen3_is_any_otg_rphy_initialized() and call it in role_store(), role_show(), and rcar_gen3_init_otg(). At the same time, rcar_gen3_init_otg() is only called when initialization for a PHY with interrupt bits is in progress. As a result, the struct rcar_gen3_phy::otg_initialized is no longer needed. Fixes: 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") Cc: stable(a)vger.kernel.org Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- Changes in v3: - collected tags Changes in v2: - collected tags drivers/phy/renesas/phy-rcar-gen3-usb2.c | 33 ++++++++++-------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c index 775f4f973a6c..46afba2fe0dc 100644 --- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c +++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c @@ -107,7 +107,6 @@ struct rcar_gen3_phy { struct rcar_gen3_chan *ch; u32 int_enable_bits; bool initialized; - bool otg_initialized; bool powered; }; @@ -320,16 +319,15 @@ static bool rcar_gen3_is_any_rphy_initialized(struct rcar_gen3_chan *ch) return false; } -static bool rcar_gen3_needs_init_otg(struct rcar_gen3_chan *ch) +static bool rcar_gen3_is_any_otg_rphy_initialized(struct rcar_gen3_chan *ch) { - int i; - - for (i = 0; i < NUM_OF_PHYS; i++) { - if (ch->rphys[i].otg_initialized) - return false; + for (enum rcar_gen3_phy_index i = PHY_INDEX_BOTH_HC; i <= PHY_INDEX_EHCI; + i++) { + if (ch->rphys[i].initialized) + return true; } - return true; + return false; } static bool rcar_gen3_are_all_rphys_power_off(struct rcar_gen3_chan *ch) @@ -351,7 +349,7 @@ static ssize_t role_store(struct device *dev, struct device_attribute *attr, bool is_b_device; enum phy_mode cur_mode, new_mode; - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; if (sysfs_streq(buf, "host")) @@ -389,7 +387,7 @@ static ssize_t role_show(struct device *dev, struct device_attribute *attr, { struct rcar_gen3_chan *ch = dev_get_drvdata(dev); - if (!ch->is_otg_channel || !rcar_gen3_is_any_rphy_initialized(ch)) + if (!ch->is_otg_channel || !rcar_gen3_is_any_otg_rphy_initialized(ch)) return -EIO; return sprintf(buf, "%s\n", rcar_gen3_is_host(ch) ? "host" : @@ -402,6 +400,9 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) void __iomem *usb2_base = ch->base; u32 val; + if (!ch->is_otg_channel || rcar_gen3_is_any_otg_rphy_initialized(ch)) + return; + /* Should not use functions of read-modify-write a register */ val = readl(usb2_base + USB2_LINECTRL1); val = (val & ~USB2_LINECTRL1_DP_RPD) | USB2_LINECTRL1_DPRPD_EN | @@ -465,12 +466,9 @@ static int rcar_gen3_phy_usb2_init(struct phy *p) writel(USB2_SPD_RSM_TIMSET_INIT, usb2_base + USB2_SPD_RSM_TIMSET); writel(USB2_OC_TIMSET_INIT, usb2_base + USB2_OC_TIMSET); - /* Initialize otg part */ - if (channel->is_otg_channel) { - if (rcar_gen3_needs_init_otg(channel)) - rcar_gen3_init_otg(channel); - rphy->otg_initialized = true; - } + /* Initialize otg part (only if we initialize a PHY with IRQs). */ + if (rphy->int_enable_bits) + rcar_gen3_init_otg(channel); rphy->initialized = true; @@ -486,9 +484,6 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) rphy->initialized = false; - if (channel->is_otg_channel) - rphy->otg_initialized = false; - val = readl(usb2_base + USB2_INT_ENABLE); val &= ~rphy->int_enable_bits; if (!rcar_gen3_is_any_rphy_initialized(channel)) -- 2.43.0

8 months

1
0
0 0

[PATCH v2 1/2] tty: serial: 8250_omap: fix tx with dma

by Mans Rullgard

Commit 1788cf6a91d9 ("tty: serial: switch from circ_buf to kfifo") introduced an error in the TX DMA handling for 8250_omap. When the OMAP_DMA_TX_KICK flag is set, one byte is pulled from the kfifo and emitted directly in order to start the DMA. This is done without updating DMA tx_size which leads to uart_xmit_advance() called in the DMA complete callback advancing the kfifo by one too much. In practice, transmitting N bytes has been seen to result in the last N-1 bytes being sent repeatedly. This change fixes the problem by moving all of the dma setup after the OMAP_DMA_TX_KICK handling and using kfifo_len() instead of the dma size for the 4-byte cutoff check. This slightly changes the behaviour at buffer wraparound, but it still transmits the correct bytes somehow. At the point kfifo_dma_out_prepare_mapped is called, at least one byte is guaranteed to be in the fifo, so checking the return value is not necessary. Fixes: 1788cf6a91d9 ("tty: serial: switch from circ_buf to kfifo") Cc: stable(a)vger.kernel.org Signed-off-by: Mans Rullgard <mans(a)mansr.com> --- v2: split patch in two --- drivers/tty/serial/8250/8250_omap.c | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index f1aee915bc02..180466e09605 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -1173,16 +1173,6 @@ static int omap_8250_tx_dma(struct uart_8250_port *p) return 0; } - sg_init_table(&sg, 1); - ret = kfifo_dma_out_prepare_mapped(&tport->xmit_fifo, &sg, 1, - UART_XMIT_SIZE, dma->tx_addr); - if (ret != 1) { - serial8250_clear_THRI(p); - return 0; - } - - dma->tx_size = sg_dma_len(&sg); - if (priv->habit & OMAP_DMA_TX_KICK) { unsigned char c; u8 tx_lvl; @@ -1207,7 +1197,7 @@ static int omap_8250_tx_dma(struct uart_8250_port *p) ret = -EBUSY; goto err; } - if (dma->tx_size < 4) { + if (kfifo_len(&tport->xmit_fifo) < 4) { ret = -EINVAL; goto err; } @@ -1216,11 +1206,12 @@ static int omap_8250_tx_dma(struct uart_8250_port *p) goto err; } skip_byte = c; - /* now we need to recompute due to kfifo_get */ - kfifo_dma_out_prepare_mapped(&tport->xmit_fifo, &sg, 1, - UART_XMIT_SIZE, dma->tx_addr); } + sg_init_table(&sg, 1); + kfifo_dma_out_prepare_mapped(&tport->xmit_fifo, &sg, 1, + UART_XMIT_SIZE, dma->tx_addr); + desc = dmaengine_prep_slave_sg(dma->txchan, &sg, 1, DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT | DMA_CTRL_ACK); if (!desc) { @@ -1228,6 +1219,7 @@ static int omap_8250_tx_dma(struct uart_8250_port *p) goto err; } + dma->tx_size = sg_dma_len(&sg); dma->tx_running = 1; desc->callback = omap_8250_dma_tx_complete; @@ -1248,8 +1240,10 @@ static int omap_8250_tx_dma(struct uart_8250_port *p) err: dma->tx_err = 1; out_skip: - if (skip_byte >= 0) + if (skip_byte >= 0) { serial_out(p, UART_TX, skip_byte); + p->port.icount.tx++; + } return ret; } -- 2.49.0

8 months

3
4
0 0

[PATCH] udf: Make sure i_lenExtents is uptodate on inode eviction

by Jan Kara

UDF maintains total length of all extents in i_lenExtents. Generally we keep extent lengths (and thus i_lenExtents) block aligned because it makes the file appending logic simpler. However the standard mandates that the inode size must match the length of all extents and thus we trim the last extent when closing the file. To catch possible bugs we also verify that i_lenExtents matches i_size when evicting inode from memory. Commit b405c1e58b73 ("udf: refactor udf_next_aext() to handle error") however broke the code updating i_lenExtents and thus udf_evict_inode() ended up spewing lots of errors about incorrectly sized extents although the extents were actually sized properly. Fix the updating of i_lenExtents to silence the errors. Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/udf/truncate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) I plan to merge this fix to my tree. diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c index 4f33a4a48886..b4071c9cf8c9 100644 --- a/fs/udf/truncate.c +++ b/fs/udf/truncate.c @@ -115,7 +115,7 @@ void udf_truncate_tail_extent(struct inode *inode) } /* This inode entry is in-memory only and thus we don't have to mark * the inode dirty */ - if (ret == 0) + if (ret >= 0) iinfo->i_lenExtents = inode->i_size; brelse(epos.bh); } -- 2.43.0

8 months

1
0
0 0

[PATCH v3] mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled

by Ignacio Moreno Gonzalez via B4 Relay

From: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") maps the mmap option MAP_STACK to VM_NOHUGEPAGE. This is also done if CONFIG_TRANSPARENT_HUGETABLES is not defined. But in that case, the VM_NOHUGEPAGE does not make sense. Fixes: c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") Cc: stable(a)vger.kernel.org Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Signed-off-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> --- I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGETABLES. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGETABLES is not defined. The mapping MAP_STACK -> VM_NOHUGEPAGE was introduced by commit c4608d1bf7c6 ("mm: mmap: map MAP_STACK to VM_NOHUGEPAGE") in order to fix a regression introduced by commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries"). The change introducing the regression (efa7df3e3bb5) was limited to THP kernels, but its fix (c4608d1bf7c6) is applied without checking if THP is set. The mapping MAP_STACK -> VM_NOHUGEPAGE should only be applied if THP is enabled. --- Changes in v3: - Exclude non-stable patch (for huge_mm.h) from this series to avoid mixing stable and non-stable patches, as suggested by Andrew. - Extend description in cover letter. - Link to v2: https://lore.kernel.org/r/20250506-map-map_stack-to-vm_nohugepage-only-if-t… Changes in v2: - [Patch 1/2] Use '#ifdef' instead of '#if defined(...)' - [Patch 1/2] Add 'Fixes: c4608d1bf7c6...' - Create [Patch 2/2] - Link to v1: https://lore.kernel.org/r/20250502-map-map_stack-to-vm_nohugepage-only-if-t… --- include/linux/mman.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/mman.h b/include/linux/mman.h index bce214fece16b9af3791a2baaecd6063d0481938..f4c6346a8fcd29b08d43f7cd9158c3eddc3383e1 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -155,7 +155,9 @@ calc_vm_flag_bits(struct file *file, unsigned long flags) return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | +#ifdef CONFIG_TRANSPARENT_HUGEPAGE _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | +#endif arch_calc_vm_flag_bits(file, flags); } --- base-commit: fc96b232f8e7c0a6c282f47726b2ff6a5fb341d2 change-id: 20250428-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled-ce40a1de095d Best regards, -- Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com>

8 months

2
1
0 0

[PATCH] bus: firewall: Fix missing static inline annotations for stubs

by Krzysztof Kozlowski

Stubs in the header file for !CONFIG_STM32_FIREWALL case should be both static and inline, because they do not come with earlier declaration and should be inlined in every unit including the header. Cc: Patrice Chotard <patrice.chotard(a)foss.st.com> Cc: <stable(a)vger.kernel.org> Fixes: 5c9668cfc6d7 ("firewall: introduce stm32_firewall framework") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- include/linux/bus/stm32_firewall_device.h | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/include/linux/bus/stm32_firewall_device.h b/include/linux/bus/stm32_firewall_device.h index 5178b72bc920..eaa7a3f54450 100644 --- a/include/linux/bus/stm32_firewall_device.h +++ b/include/linux/bus/stm32_firewall_device.h @@ -114,27 +114,30 @@ void stm32_firewall_release_access_by_id(struct stm32_firewall *firewall, u32 su #else /* CONFIG_STM32_FIREWALL */ -int stm32_firewall_get_firewall(struct device_node *np, struct stm32_firewall *firewall, - unsigned int nb_firewall) +static inline int stm32_firewall_get_firewall(struct device_node *np, + struct stm32_firewall *firewall, + unsigned int nb_firewall) { return -ENODEV; } -int stm32_firewall_grant_access(struct stm32_firewall *firewall) +static inline int stm32_firewall_grant_access(struct stm32_firewall *firewall) { return -ENODEV; } -void stm32_firewall_release_access(struct stm32_firewall *firewall) +static inline void stm32_firewall_release_access(struct stm32_firewall *firewall) { } -int stm32_firewall_grant_access_by_id(struct stm32_firewall *firewall, u32 subsystem_id) +static inline int stm32_firewall_grant_access_by_id(struct stm32_firewall *firewall, + u32 subsystem_id) { return -ENODEV; } -void stm32_firewall_release_access_by_id(struct stm32_firewall *firewall, u32 subsystem_id) +static inline void stm32_firewall_release_access_by_id(struct stm32_firewall *firewall, + u32 subsystem_id) { } -- 2.45.2

8 months

2
2
0 0

[PATCH 1/2] phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode

by Wayne Chang

The logic that drives the pad calibration values resides in the controller reset domain and so the calibration values are only being captured when the controller is out of reset. However, by clearing the CYA_TRK_CODE_UPDATE_ON_IDLE bit, the calibration values can be set while the controller is in reset. The CYA_TRK_CODE_UPDATE_ON_IDLE bit was previously cleared based on the trk_hw_mode flag, but this dependency is not necessary. Instead, introduce a new flag, trk_update_on_idle, to independently control this bit. Fixes: d8163a32ca95 ("phy: tegra: xusb: Add Tegra234 support") Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- drivers/phy/tegra/xusb-tegra186.c | 14 ++++++++------ drivers/phy/tegra/xusb.h | 1 + 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c index fae6242aa730..dd0aaf305e90 100644 --- a/drivers/phy/tegra/xusb-tegra186.c +++ b/drivers/phy/tegra/xusb-tegra186.c @@ -650,14 +650,15 @@ static void tegra186_utmi_bias_pad_power_on(struct tegra_xusb_padctl *padctl) udelay(100); } - if (padctl->soc->trk_hw_mode) { - value = padctl_readl(padctl, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); - value |= USB2_TRK_HW_MODE; + value = padctl_readl(padctl, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); + if (padctl->soc->trk_update_on_idle) value &= ~CYA_TRK_CODE_UPDATE_ON_IDLE; - padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); - } else { + if (padctl->soc->trk_hw_mode) + value |= USB2_TRK_HW_MODE; + padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL2); + + if (!padctl->soc->trk_hw_mode) clk_disable_unprepare(priv->usb2_trk_clk); - } mutex_unlock(&padctl->lock); } @@ -1703,6 +1704,7 @@ const struct tegra_xusb_padctl_soc tegra234_xusb_padctl_soc = { .supports_gen2 = true, .poll_trk_completed = true, .trk_hw_mode = true, + .trk_update_on_idle = true, .supports_lp_cfg_en = true, }; EXPORT_SYMBOL_GPL(tegra234_xusb_padctl_soc); diff --git a/drivers/phy/tegra/xusb.h b/drivers/phy/tegra/xusb.h index 6e45d194c689..d2b5f9565132 100644 --- a/drivers/phy/tegra/xusb.h +++ b/drivers/phy/tegra/xusb.h @@ -434,6 +434,7 @@ struct tegra_xusb_padctl_soc { bool need_fake_usb3_port; bool poll_trk_completed; bool trk_hw_mode; + bool trk_update_on_idle; bool supports_lp_cfg_en; }; -- 2.25.1

8 months

2
1
0 0

[PATCH] parisc stable patch for kernel v6.13

by Helge Deller

Hi Greg, below is a backport for upstream patch fd87b7783802 ("net: Fix the devmem sock opts and msgs for parisc"). This upstream patch does not apply cleanly against v6.13, and backporting all intermediate changes are too big, so I created this trivial standalone patch instead. Can you please add the patch below to the stable queue for v6.13? Thanks! Helge --- From: Pranjal Shrivastava <praan(a)google.com> Date: Mon, 24 Mar 2025 07:42:27 +0000 Subject: [PATCH] net: Fix the devmem sock opts and msgs for parisc The devmem socket options and socket control message definitions introduced in the TCP devmem series[1] incorrectly continued the socket definitions for arch/parisc. The UAPI change seems safe as there are currently no drivers that declare support for devmem TCP RX via PP_FLAG_ALLOW_UNREADABLE_NETMEM. Hence, fixing this UAPI should be safe. Fix the devmem socket options and socket control message definitions to reflect the series followed by arch/parisc. [1] https://lore.kernel.org/lkml/20240910171458.219195-10-almasrymina@google.co… Patch modified for kernel 6.13 by Helge Deller. Fixes: 8f0b3cc9a4c10 ("tcp: RX path for devmem TCP") Signed-off-by: Pranjal Shrivastava <praan(a)google.com> Signed-off-by: Helge Deller <deller(a)gmx.de> diff --git b/arch/parisc/include/uapi/asm/socket.h a/arch/parisc/include/uapi/asm/socket.h index d268d69bfcd2..96831c988606 100644 --- b/arch/parisc/include/uapi/asm/socket.h +++ a/arch/parisc/include/uapi/asm/socket.h @@ -132,13 +132,15 @@ #define SO_PASSPIDFD 0x404A #define SO_PEERPIDFD 0x404B -#define SO_DEVMEM_LINEAR 78 +#define SCM_TS_OPT_ID 0x404C + +#define SO_RCVPRIORITY 0x404D + +#define SO_DEVMEM_LINEAR 0x404E #define SCM_DEVMEM_LINEAR SO_DEVMEM_LINEAR -#define SO_DEVMEM_DMABUF 79 +#define SO_DEVMEM_DMABUF 0x404F #define SCM_DEVMEM_DMABUF SO_DEVMEM_DMABUF -#define SO_DEVMEM_DONTNEED 80 - -#define SCM_TS_OPT_ID 0x404C +#define SO_DEVMEM_DONTNEED 0x4050 #if !defined(__KERNEL__)

8 months

2
1
0 0

[PATCH v13 0/4] Add STM32MP25 SPI NOR support

by Patrice Chotard

This series adds SPI NOR support for STM32MP25 SoCs from STMicroelectronics. On STM32MP25 SoCs family, an Octo Memory Manager block manages the muxing, the memory area split, the chip select override and the time constraint between its 2 Octo SPI children. Due to these depedencies, this series adds support for: - Octo Memory Manager driver. - Octo SPI driver. - yaml schema for Octo Memory Manager and Octo SPI drivers. The device tree files adds Octo Memory Manager and its 2 associated Octo SPI chidren in stm32mp251.dtsi and adds SPI NOR support in stm32mp257f-ev1 board. Signed-off-by: Patrice Chotard <patrice.chotard(a)foss.st.com> Changes in v13: - Make firewall prototypes always exposed. - Restore STM32_OMM Kconfig dependency from v11. - Link to v12: https://lore.kernel.org/r/20250506-upstream_ospi_v6-v12-0-e3bb5a0d78fb@foss… Changes in v12: - Update Kconfig dependencies. - Link to v11: https://lore.kernel.org/r/20250428-upstream_ospi_v6-v11-0-1548736fd9d2@foss… Changes in v11: - Add stm32_omm_toggle_child_clock(dev, false) in stm32_omm_disable_child() in case of error. - Check MUXEN bit in stm32_omm_probe() to check if child clock must be disabled. - Add dev_err_probe() in stm32_omm_probe(). - Link to v10: https://lore.kernel.org/r/20250422-upstream_ospi_v6-v10-0-6f4942a04e10@foss… Changes in v10: - Add of_node_put() in stm32_omm_set_amcr(). - Link to v9: https://lore.kernel.org/r/20250410-upstream_ospi_v6-v9-0-cf119508848a@foss.… Changes in v9: - split patchset by susbsystem, current one include only OMM related patches. - Update SPDX Identifiers to "GPL-2.0-only". - Add of_node_put)() instm32_omm_set_amcr(). - Rework error path in stm32_omm_toggle_child_clock(). - Make usage of reset_control_acquire/release() in stm32_omm_disable_child() and move reset_control_get in probe(). - Rename error label in stm32_omm_configure(). - Remove child compatible check in stm32_omm_probe(). - Make usage of devm_of_platform_populate(). - Link to v8: https://lore.kernel.org/r/20250407-upstream_ospi_v6-v8-0-7b7716c1c1f6@foss.… Changes in v8: - update OMM's dt-bindings: - Remove minItems for clocks and resets properties. - Fix st,syscfg-amcr items declaration. - move power-domains property before vendor specific properties. - Update compatible check wrongly introduced during internal tests in stm32_omm.c. - Move ommanager's node outside bus@42080000's node in stm32mp251.dtsi. - Link to v7: https://lore.kernel.org/r/20250401-upstream_ospi_v6-v7-0-0ef28513ed81@foss.… Changes in v7: - update OMM's dt-bindings by updating : - clock-names and reset-names properties. - spi unit-address node. - example. - update stm32mp251.dtsi to match with OMM's bindings update. - update stm32mp257f-ev1.dts to match with OMM's bindings update. - Link to v6: https://lore.kernel.org/r/20250321-upstream_ospi_v6-v6-0-37bbcab43439@foss.… Changes in v6: - Update MAINTAINERS file. - Remove previous patch 1/8 and 2/8, merged by Mark Brown in spi git tree. - Fix Signed-off-by order for patch 3. - OMM driver: - Add dev_err_probe() in error path. - Rename stm32_omm_enable_child_clock() to stm32_omm_toggle_child_clock(). - Reorder initialised/non-initialized variable in stm32_omm_configure() and stm32_omm_probe(). - Move pm_runtime_disable() calls from stm32_omm_configure() to stm32_omm_probe(). - Update children's clocks and reset management. - Use of_platform_populate() to probe children. - Add missing pm_runtime_disable(). - Remove useless stm32_omm_check_access's first parameter. - Update OMM's dt-bindings by adding OSPI's clocks and resets. - Update stm32mp251.dtsi by adding OSPI's clock and reset in OMM's node. Changes in v5: - Add Reviewed-by Krzysztof Kozlowski for patch 1 and 3. Changes in v4: - Add default value requested by Krzysztof for st,omm-req2ack-ns, st,omm-cssel-ovr and st,omm-mux properties in st,stm32mp25-omm.yaml - Remove constraint in free form test for st,omm-mux property. - Fix drivers/memory/Kconfig by replacing TEST_COMPILE_ by COMPILE_TEST. - Fix SPDX-License-Identifier for stm32-omm.c. - Fix Kernel test robot by fixing dev_err() format in stm32-omm.c. - Add missing pm_runtime_disable() in the error handling path in stm32-omm.c. - Replace an int by an unsigned int in stm32-omm.c - Remove uneeded "," after terminator in stm32-omm.c. - Update cover letter description to explain dependecies between Octo Memory Manager and its 2 Octo SPI children. Changes in v3: - Squash defconfig patches 8 and 9. - Update STM32 Octo Memory Manager controller bindings. - Rename st,stm32-omm.yaml to st,stm32mp25-omm.yaml. - Update STM32 OSPI controller bindings. - Reorder DT properties in .dtsi and .dts files. - Replace devm_reset_control_get_optional() by devm_reset_control_get_optional_exclusive() in stm32_omm.c. - Reintroduce region-memory-names management in stm32_omm.c. - Rename stm32_ospi_tx_poll() and stm32_ospi_tx() to respectively to stm32_ospi_poll() and stm32_ospi_xfer() in spi-stm32-ospi.c. - Set SPI_CONTROLLER_HALF_DUPLEX in controller flags in spi-stm32-ospi.c. Changes in v2: - Move STM32 Octo Memory Manager controller driver and bindings from misc to memory-controllers. - Update STM32 OSPI controller bindings. - Update STM32 Octo Memory Manager controller bindings. - Update STM32 Octo Memory Manager driver to match bindings update. - Update DT to match bindings update. Signed-off-by: Patrice Chotard <patrice.chotard(a)foss.st.com> --- Patrice Chotard (4): firewall: Always expose firewall prototype dt-bindings: memory-controllers: Add STM32 Octo Memory Manager controller memory: Add STM32 Octo Memory Manager driver MAINTAINERS: add entry for STM32 OCTO MEMORY MANAGER driver .../memory-controllers/st,stm32mp25-omm.yaml | 226 ++++++++++ MAINTAINERS | 6 + drivers/memory/Kconfig | 17 + drivers/memory/Makefile | 1 + drivers/memory/stm32_omm.c | 476 +++++++++++++++++++++ include/linux/bus/stm32_firewall_device.h | 10 +- 6 files changed, 735 insertions(+), 1 deletion(-) --- base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 change-id: 20250320-upstream_ospi_v6-d432a8172105 Best regards, -- Patrice Chotard <patrice.chotard(a)foss.st.com>

8 months

3
5
0 0

[PATCH v1 0/7] ublk: Backport to 6.14-stable: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd

by Jared Holzman

This patchset backports a series of ublk fixes from upstream to 6.14-stable. Patch 7 fixes the race that can cause kernel panic when ublk server daemon is exiting. It depends on patches 1-6 which simplifies & improves IO canceling when ublk server daemon is exiting as described here: https://lore.kernel.org/linux-block/20250416035444.99569-1-ming.lei@redhat.… Ming Lei (5): ublk: add helper of ublk_need_map_io() ublk: move device reset into ublk_ch_release() ublk: remove __ublk_quiesce_dev() ublk: simplify aborting ublk request ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd Uday Shankar (2): ublk: properly serialize all FETCH_REQs ublk: improve detection and handling of ublk server exit drivers/block/ublk_drv.c | 550 +++++++++++++++++++++------------------ 1 file changed, 291 insertions(+), 259 deletions(-) -- 2.43.0

8 months

3
10
0 0

[PATCH] KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()

by Sebastian Ott

Commit fce886a60207 ("KVM: arm64: Plumb the pKVM MMU in KVM") made the initialization of the local memcache variable in user_mem_abort() conditional, leaving a codepath where it is used uninitialized via kvm_pgtable_stage2_map(). This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging. Fix this by making sure that memcache is always valid. Fixes: fce886a60207 ("KVM: arm64: Plumb the pKVM MMU in KVM") Signed-off-by: Sebastian Ott <sebott(a)redhat.com> Reviewed-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/kvmarm/3f5db4c7-ccce-fb95-595c-692fa7aad227@redhat.… --- arch/arm64/kvm/mmu.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c index 754f2fe0cc67..eeda92330ade 100644 --- a/arch/arm64/kvm/mmu.c +++ b/arch/arm64/kvm/mmu.c @@ -1501,6 +1501,11 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, return -EFAULT; } + if (!is_protected_kvm_enabled()) + memcache = &vcpu->arch.mmu_page_cache; + else + memcache = &vcpu->arch.pkvm_memcache; + /* * Permission faults just need to update the existing leaf entry, * and so normally don't require allocations from the memcache. The @@ -1510,13 +1515,11 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, if (!fault_is_perm || (logging_active && write_fault)) { int min_pages = kvm_mmu_cache_min_pages(vcpu->arch.hw_mmu); - if (!is_protected_kvm_enabled()) { - memcache = &vcpu->arch.mmu_page_cache; + if (!is_protected_kvm_enabled()) ret = kvm_mmu_topup_memory_cache(memcache, min_pages); - } else { - memcache = &vcpu->arch.pkvm_memcache; + else ret = topup_hyp_memcache(memcache, min_pages); - } + if (ret) return ret; } base-commit: 92a09c47464d040866cf2b4cd052bc60555185fb -- 2.49.0

8 months

3
2
0 0

Re: [PATCH v4 00/24] Add support for HEVC and VP9 codecs in decoder

by Dikshita Agarwal

Hi All, Pls ignore this, b4 messed up. Will post a proper series soon. Thanks, Dikshita On 5/7/2025 12:10 PM, Dikshita Agarwal wrote: > Hi All, > > This patch series adds initial support for the HEVC(H.265) and VP9 > codecs in iris decoder. The objective of this work is to extend the > decoder's capabilities to handle HEVC and VP9 codec streams, > including necessary format handling and buffer management. > In addition, the series also includes a set of fixes to address issues > identified during testing of these additional codecs. > > These patches also address the comments and feedback received from the > RFC patches previously sent. I have made the necessary improvements > based on the community's suggestions. > > Changes in v4: > - Splitted patch patch 06/23 in two patches (Bryan) > - Simplified the conditional logic in patch 13/23 (Bryan) > - Fix the value of H265_NUM_TILE_ROW macro (Neil) > - Link to v3: https://lore.kernel.org/r/20250502-qcom-iris-hevc-vp9-v3-0-552158a10a7d@qui… > > Changes in v3: > - Introduced two wrappers with explicit names to handle destroy internal > buffers (Nicolas) > - Used sub state check instead of introducing new boolean (Vikash) > - Addressed other comments (Vikash) > - Reorderd patches to have all fixes patches first (Dmitry) > - Link to v2: > https://lore.kernel.org/r/20250428-qcom-iris-hevc-vp9-v2-0-3a6013ecb8a5@qui… > > Changes in v2: > - Added Changes to make sure all buffers are released in session close > (bryna) > - Added tracking for flush responses to fix a timing issue. > - Added a handling to fix timing issue in reconfig > - Splitted patch 06/20 in two patches (Bryan) > - Added missing fixes tag (bryan) > - Updated fluster report (Nicolas) > - Link to v1: > https://lore.kernel.org/r/20250408-iris-dec-hevc-vp9-v1-0-acd258778bd6@quic… > > Changes sinces RFC: > - Added additional fixes to address issues identified during further > testing. > - Moved typo fix to a seperate patch [Neil] > - Reordered the patches for better logical flow and clarity [Neil, > Dmitry] > - Added fixes tag wherever applicable [Neil, Dmitry] > - Removed the default case in the switch statement for codecs [Bryan] > - Replaced if-else statements with switch-case [Bryan] > - Added comments for mbpf [Bryan] > - RFC: > https://lore.kernel.org/linux-media/20250305104335.3629945-1-quic_dikshita@… > > This patch series depends on [1] & [2] > [1] > https://lore.kernel.org/linux-media/20250417-topic-sm8x50-iris-v10-v7-0-f02… > [2] > https://lore.kernel.org/linux-media/20250424-qcs8300_iris-v5-0-f118f505c300… > > These patches are tested on SM8250 and SM8550 with v4l2-ctl and > Gstreamer for HEVC and VP9 decoders, at the same time ensured that > the existing H264 decoder functionality remains uneffected. > > Note: 1 of the fluster compliance test is fixed with firmware [3] > [3]: > https://lore.kernel.org/linux-firmware/1a511921-446d-cdc4-0203-084c88a5dc1e… > > The result of fluster test on SM8550: > 131/147 testcases passed while testing JCT-VC-HEVC_V1 with > GStreamer-H.265-V4L2-Gst1.0. > The failing test case: > - 10 testcases failed due to unsupported 10 bit format. > - DBLK_A_MAIN10_VIXS_4 > - INITQP_B_Main10_Sony_1 > - TSUNEQBD_A_MAIN10_Technicolor_2 > - WP_A_MAIN10_Toshiba_3 > - WP_MAIN10_B_Toshiba_3 > - WPP_A_ericsson_MAIN10_2 > - WPP_B_ericsson_MAIN10_2 > - WPP_C_ericsson_MAIN10_2 > - WPP_E_ericsson_MAIN10_2 > - WPP_F_ericsson_MAIN10_2 > - 4 testcase failed due to unsupported resolution > - PICSIZE_A_Bossen_1 > - PICSIZE_B_Bossen_1 > - WPP_D_ericsson_MAIN10_2 > - WPP_D_ericsson_MAIN_2 > - 2 testcase failed due to CRC mismatch > - RAP_A_docomo_6 > - RAP_B_Bossen_2 > - BUG reported: > https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4392 > Analysis - First few frames in this discarded by firmware and are > sent to driver with 0 filled length. Driver send such buffers to > client with timestamp 0 and payload set to 0 and > make buf state to VB2_BUF_STATE_ERROR. Such buffers should be > dropped by GST. But instead, the first frame displayed as green > frame and when a valid buffer is sent to client later with same 0 > timestamp, its dropped, leading to CRC mismatch for first frame. > > 235/305 testcases passed while testing VP9-TEST-VECTORS with > GStreamer-VP9-V4L2-Gst1.0. > The failing test case: > - 64 testcases failed due to unsupported resolution > - vp90-2-02-size-08x08.webm > - vp90-2-02-size-08x10.webm > - vp90-2-02-size-08x16.webm > - vp90-2-02-size-08x18.webm > - vp90-2-02-size-08x32.webm > - vp90-2-02-size-08x34.webm > - vp90-2-02-size-08x64.webm > - vp90-2-02-size-08x66.webm > - vp90-2-02-size-10x08.webm > - vp90-2-02-size-10x10.webm > - vp90-2-02-size-10x16.webm > - vp90-2-02-size-10x18.webm > - vp90-2-02-size-10x32.webm > - vp90-2-02-size-10x34.webm > - vp90-2-02-size-10x64.webm > - vp90-2-02-size-10x66.webm > - vp90-2-02-size-16x08.webm > - vp90-2-02-size-16x10.webm > - vp90-2-02-size-16x16.webm > - vp90-2-02-size-16x18.webm > - vp90-2-02-size-16x32.webm > - vp90-2-02-size-16x34.webm > - vp90-2-02-size-16x64.webm > - vp90-2-02-size-16x66.webm > - vp90-2-02-size-18x08.webm > - vp90-2-02-size-18x10.webm > - vp90-2-02-size-18x16.webm > - vp90-2-02-size-18x18.webm > - vp90-2-02-size-18x32.webm > - vp90-2-02-size-18x34.webm > - vp90-2-02-size-18x64.webm > - vp90-2-02-size-18x66.webm > - vp90-2-02-size-32x08.webm > - vp90-2-02-size-32x10.webm > - vp90-2-02-size-32x16.webm > - vp90-2-02-size-32x18.webm > - vp90-2-02-size-32x32.webm > - vp90-2-02-size-32x34.webm > - vp90-2-02-size-32x64.webm > - vp90-2-02-size-32x66.webm > - vp90-2-02-size-34x08.webm > - vp90-2-02-size-34x10.webm > - vp90-2-02-size-34x16.webm > - vp90-2-02-size-34x18.webm > - vp90-2-02-size-34x32.webm > - vp90-2-02-size-34x34.webm > - vp90-2-02-size-34x64.webm > - vp90-2-02-size-34x66.webm > - vp90-2-02-size-64x08.webm > - vp90-2-02-size-64x10.webm > - vp90-2-02-size-64x16.webm > - vp90-2-02-size-64x18.webm > - vp90-2-02-size-64x32.webm > - vp90-2-02-size-64x34.webm > - vp90-2-02-size-64x64.webm > - vp90-2-02-size-64x66.webm > - vp90-2-02-size-66x08.webm > - vp90-2-02-size-66x10.webm > - vp90-2-02-size-66x16.webm > - vp90-2-02-size-66x18.webm > - vp90-2-02-size-66x32.webm > - vp90-2-02-size-66x34.webm > - vp90-2-02-size-66x64.webm > - vp90-2-02-size-66x66.webm > - 2 testcases failed due to unsupported format > - vp91-2-04-yuv422.webm > - vp91-2-04-yuv444.webm > - 1 testcase failed with CRC mismatch > - vp90-2-22-svc_1280x720_3.ivf > - Bug reported: > https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4371 > - 2 testcase failed due to unsupported resolution after sequence change > - vp90-2-21-resize_inter_320x180_5_1-2.webm > - vp90-2-21-resize_inter_320x180_7_1-2.webm > - 1 testcase failed due to unsupported stream > - vp90-2-16-intra-only.webm > > The result of fluster test on SM8250: > 133/147 testcases passed while testing JCT-VC-HEVC_V1 with > GStreamer-H.265-V4L2-Gst1.0. > The failing test case: > - 10 testcases failed due to unsupported 10 bit format. > - DBLK_A_MAIN10_VIXS_4 > - INITQP_B_Main10_Sony_1 > - TSUNEQBD_A_MAIN10_Technicolor_2 > - WP_A_MAIN10_Toshiba_3 > - WP_MAIN10_B_Toshiba_3 > - WPP_A_ericsson_MAIN10_2 > - WPP_B_ericsson_MAIN10_2 > - WPP_C_ericsson_MAIN10_2 > - WPP_E_ericsson_MAIN10_2 > - WPP_F_ericsson_MAIN10_2 > - 4 testcase failed due to unsupported resolution > - PICSIZE_A_Bossen_1 > - PICSIZE_B_Bossen_1 > - WPP_D_ericsson_MAIN10_2 > - WPP_D_ericsson_MAIN_2 > > 232/305 testcases passed while testing VP9-TEST-VECTORS with > GStreamer-VP9-V4L2-Gst1.0. > The failing test case: > - 64 testcases failed due to unsupported resolution > - vp90-2-02-size-08x08.webm > - vp90-2-02-size-08x10.webm > - vp90-2-02-size-08x16.webm > - vp90-2-02-size-08x18.webm > - vp90-2-02-size-08x32.webm > - vp90-2-02-size-08x34.webm > - vp90-2-02-size-08x64.webm > - vp90-2-02-size-08x66.webm > - vp90-2-02-size-10x08.webm > - vp90-2-02-size-10x10.webm > - vp90-2-02-size-10x16.webm > - vp90-2-02-size-10x18.webm > - vp90-2-02-size-10x32.webm > - vp90-2-02-size-10x34.webm > - vp90-2-02-size-10x64.webm > - vp90-2-02-size-10x66.webm > - vp90-2-02-size-16x08.webm > - vp90-2-02-size-16x10.webm > - vp90-2-02-size-16x16.webm > - vp90-2-02-size-16x18.webm > - vp90-2-02-size-16x32.webm > - vp90-2-02-size-16x34.webm > - vp90-2-02-size-16x64.webm > - vp90-2-02-size-16x66.webm > - vp90-2-02-size-18x08.webm > - vp90-2-02-size-18x10.webm > - vp90-2-02-size-18x16.webm > - vp90-2-02-size-18x18.webm > - vp90-2-02-size-18x32.webm > - vp90-2-02-size-18x34.webm > - vp90-2-02-size-18x64.webm > - vp90-2-02-size-18x66.webm > - vp90-2-02-size-32x08.webm > - vp90-2-02-size-32x10.webm > - vp90-2-02-size-32x16.webm > - vp90-2-02-size-32x18.webm > - vp90-2-02-size-32x32.webm > - vp90-2-02-size-32x34.webm > - vp90-2-02-size-32x64.webm > - vp90-2-02-size-32x66.webm > - vp90-2-02-size-34x08.webm > - vp90-2-02-size-34x10.webm > - vp90-2-02-size-34x16.webm > - vp90-2-02-size-34x18.webm > - vp90-2-02-size-34x32.webm > - vp90-2-02-size-34x34.webm > - vp90-2-02-size-34x64.webm > - vp90-2-02-size-34x66.webm > - vp90-2-02-size-64x08.webm > - vp90-2-02-size-64x10.webm > - vp90-2-02-size-64x16.webm > - vp90-2-02-size-64x18.webm > - vp90-2-02-size-64x32.webm > - vp90-2-02-size-64x34.webm > - vp90-2-02-size-64x64.webm > - vp90-2-02-size-64x66.webm > - vp90-2-02-size-66x08.webm > - vp90-2-02-size-66x10.webm > - vp90-2-02-size-66x16.webm > - vp90-2-02-size-66x18.webm > - vp90-2-02-size-66x32.webm > - vp90-2-02-size-66x34.webm > - vp90-2-02-size-66x64.webm > - vp90-2-02-size-66x66.webm > - 2 testcases failed due to unsupported format > - vp91-2-04-yuv422.webm > - vp91-2-04-yuv444.webm > - 1 testcase failed with CRC mismatch > - vp90-2-22-svc_1280x720_3.ivf > - Bug raised: > https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4371 > - 5 testcase failed due to unsupported resolution after sequence change > - vp90-2-21-resize_inter_320x180_5_1-2.webm > - vp90-2-21-resize_inter_320x180_7_1-2.webm > - vp90-2-21-resize_inter_320x240_5_1-2.webm > - vp90-2-21-resize_inter_320x240_7_1-2.webm > - vp90-2-18-resize.ivf > - 1 testcase failed with CRC mismatch > - vp90-2-16-intra-only.webm > Analysis: First few frames are marked by firmware as NO_SHOW frame. > Driver make buf state to VB2_BUF_STATE_ERROR for such frames. > Such buffers should be dropped by GST. But instead, the first frame > is being displayed and when a valid buffer is sent to client later > with same timestamp, its dropped, leading to CRC mismatch for first > frame. > > Signed-off-by: Dikshita Agarwal <dikshita(a)qti.qualcomm.com> > --- > Dikshita Agarwal (24): > media: iris: Skip destroying internal buffer if not dequeued > media: iris: Update CAPTURE format info based on OUTPUT format > media: iris: Avoid updating frame size to firmware during reconfig > media: iris: Drop port check for session property response > media: iris: Prevent HFI queue writes when core is in deinit state > media: iris: Remove error check for non-zero v4l2 controls > media: iris: Remove deprecated property setting to firmware > media: iris: Fix missing function pointer initialization > media: iris: Fix NULL pointer dereference > media: iris: Fix typo in depth variable > media: iris: Track flush responses to prevent premature completion > media: iris: Fix buffer preparation failure during resolution change > media: iris: Send V4L2_BUF_FLAG_ERROR for capture buffers with 0 filled length > media: iris: Skip flush on first sequence change > media: iris: Add handling for corrupt and drop frames > media: iris: Add handling for no show frames > media: iris: Improve last flag handling > media: iris: Remove redundant buffer count check in stream off > media: iris: Add a comment to explain usage of MBPS > media: iris: Add HEVC and VP9 formats for decoder > media: iris: Add platform capabilities for HEVC and VP9 decoders > media: iris: Set mandatory properties for HEVC and VP9 decoders. > media: iris: Add internal buffer calculation for HEVC and VP9 decoders > media: iris: Add codec specific check for VP9 decoder drain handling > > drivers/media/platform/qcom/iris/iris_buffer.c | 35 +- > drivers/media/platform/qcom/iris/iris_buffer.h | 3 +- > drivers/media/platform/qcom/iris/iris_ctrls.c | 35 +- > drivers/media/platform/qcom/iris/iris_hfi_common.h | 1 + > .../platform/qcom/iris/iris_hfi_gen1_command.c | 48 ++- > .../platform/qcom/iris/iris_hfi_gen1_defines.h | 5 +- > .../platform/qcom/iris/iris_hfi_gen1_response.c | 37 +- > .../platform/qcom/iris/iris_hfi_gen2_command.c | 143 +++++++- > .../platform/qcom/iris/iris_hfi_gen2_defines.h | 5 + > .../platform/qcom/iris/iris_hfi_gen2_response.c | 56 ++- > drivers/media/platform/qcom/iris/iris_hfi_queue.c | 2 +- > drivers/media/platform/qcom/iris/iris_instance.h | 6 + > .../platform/qcom/iris/iris_platform_common.h | 28 +- > .../media/platform/qcom/iris/iris_platform_gen2.c | 198 ++++++++-- > .../platform/qcom/iris/iris_platform_qcs8300.h | 126 +++++-- > .../platform/qcom/iris/iris_platform_sm8250.c | 15 +- > drivers/media/platform/qcom/iris/iris_state.c | 2 +- > drivers/media/platform/qcom/iris/iris_state.h | 1 + > drivers/media/platform/qcom/iris/iris_vb2.c | 18 +- > drivers/media/platform/qcom/iris/iris_vdec.c | 116 +++--- > drivers/media/platform/qcom/iris/iris_vdec.h | 11 + > drivers/media/platform/qcom/iris/iris_vidc.c | 36 +- > drivers/media/platform/qcom/iris/iris_vpu_buffer.c | 397 ++++++++++++++++++++- > drivers/media/platform/qcom/iris/iris_vpu_buffer.h | 46 ++- > 24 files changed, 1159 insertions(+), 211 deletions(-) > --- > base-commit: 398a1b33f1479af35ca915c5efc9b00d6204f8fa > change-id: 20250506-video-iris-hevc-vp9-ee13f23dd9a8 > prerequisite-message-id: <20250417-topic-sm8x50-iris-v10-v7-0-f020cb1d0e98(a)linaro.org> > prerequisite-patch-id: afffe7096c8e110a8da08c987983bc4441d39578 > prerequisite-patch-id: b93c37dc7e09d1631b75387dc1ca90e3066dce17 > prerequisite-patch-id: b7b50aa1657be59fd51c3e53d73382a1ee75a08e > prerequisite-patch-id: 30960743105a36f20b3ec4a9ff19e7bca04d6add > prerequisite-patch-id: 2bba98151ca103aa62a513a0fbd0df7ae64d9868 > prerequisite-patch-id: 0e43a6d758b5fa5ab921c6aa3c19859e312b47d0 > prerequisite-patch-id: 35f8dae1416977e88c2db7c767800c01822e266e > prerequisite-message-id: <20250501-qcs8300_iris-v7-0-b229d5347990(a)quicinc.com> > prerequisite-patch-id: e35b05c527217206ae871aef0d7b0261af0319ea > prerequisite-patch-id: 07ba0745c7d72796567e0a57f5c8e5355a8d2046 > prerequisite-patch-id: 3398937a7fabb45934bb98a530eef73252231132 > prerequisite-patch-id: 500bc3b8391940d3ebca222d2098b737414b2af4 > prerequisite-patch-id: 2e72fe4d11d264db3d42fa450427d30171303c6f > > Best regards,

8 months, 1 week

1
0
0 0

[PATCH v3 0/2] Restrict devmem for confidential VMs

by Dan Williams

Changes since v2 [1]: * Drop the new x86_platform_op and just use cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT) directly where needed (Naveen) * Make the restriction identical to lockdown and stop playing games with devmem_is_allowed() * Ensure that CONFIG_IO_STRICT_DEVMEM is enabled to avoid conflicting mappings for userspace mappings of PCI MMIO. The original response to Nikolay's report of an SEPT violation triggered by /dev/mem access to private memory was "let's just turn off /dev/mem". After some machinations of x86_platform_ops to block a subset of problematic access, spelunking the history of devmem_is_allowed() returning "2" to enable some compatibility benefits while blocking access, and discovering that userspace depends buggy kernel behavior for mmap(2) of the first 1MB of memory on x86, the proposal has circled back to "disable /dev/mem". Require both STRICT_DEVMEM and IO_STRICT_DEVMEM for x86 confidential guests to close /dev/mem hole while still allowing for userspace mapping of PCI MMIO as long as the kernel and userspace are not mapping the range at the same time. The range_is_allowed() cleanup is not strictly necessary, but might as well close a 17 year-old "TODO". --- Dan Williams (2): x86/devmem: Remove duplicate range_is_allowed() definition x86/devmem: Drop /dev/mem access for confidential guests arch/x86/Kconfig | 4 ++++ arch/x86/mm/pat/memtype.c | 31 ++++--------------------------- drivers/char/mem.c | 27 +++++++++------------------ include/linux/io.h | 21 +++++++++++++++++++++ 4 files changed, 38 insertions(+), 45 deletions(-) base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8

8 months, 1 week

7
18
0 0

[PATCH] zsmalloc: don't underflow size calculation in zs_obj_write()

by Sergey Senozhatsky

Do not mix class->size and object size during offsets/sizes calculation in zs_obj_write(). Size classes can merge into clusters, based on objects-per-zspage and pages-per-zspage characteristics, so some size classes can store objects smaller than class->size. This becomes problematic when object size is much smaller than class->size - we can determine that object spans two physical pages, because we use a larger class->size for this, while the actual object is much smaller and fits one physical page, so there is nothing to write to the second page and memcpy() size calculation underflows. We always know the exact size in bytes of the object that we are about to write (store), so use it instead of class->size. Reported-by: Igor Belousov <igor.b(a)beldev.am> Cc: <stable(a)vger.kernel.org> Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> --- mm/zsmalloc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index 70406ac94bbd..999b513c7fdf 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -1233,19 +1233,19 @@ void zs_obj_write(struct zs_pool *pool, unsigned long handle, class = zspage_class(pool, zspage); off = offset_in_page(class->size * obj_idx); - if (off + class->size <= PAGE_SIZE) { + if (!ZsHugePage(zspage)) + off += ZS_HANDLE_SIZE; + + if (off + mem_len <= PAGE_SIZE) { /* this object is contained entirely within a page */ void *dst = kmap_local_zpdesc(zpdesc); - if (!ZsHugePage(zspage)) - off += ZS_HANDLE_SIZE; memcpy(dst + off, handle_mem, mem_len); kunmap_local(dst); } else { /* this object spans two pages */ size_t sizes[2]; - off += ZS_HANDLE_SIZE; sizes[0] = PAGE_SIZE - off; sizes[1] = mem_len - sizes[0]; -- 2.49.0.906.g1f30a19c02-goog

8 months, 1 week

3
4
0 0

[PATCH] dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()

by Qiu-ji Chen

This patch fixes a potential deadlock bug. We observed that in the mtk-cqdma.c file, most functions like mtk_cqdma_issue_pending() and mtk_cqdma_free_active_desc() follow the correct locking sequence by acquiring the pc lock first before taking the vc lock when handling the vc and pc fields. However, in mtk_cqdma_tx_status(), the function incorrectly acquires the vc lock first before calling mtk_cqdma_find_active_desc(), which subsequently acquires the pc lock. This reversed lock acquisition order (vc → pc) violates the established sequence (pc → vc) and could potentially trigger deadlock scenarios. To resolve this issue, we have moved the vc lock acquisition code from mtk_cqdma_tx_status() into the mtk_cqdma_find_active_desc() function. This adjustment ensures proper lock ordering while maintaining functionality. Since mtk_cqdma_find_active_desc() is a static function with only one call site in mtk_cqdma_tx_status(), this fix effectively addresses the deadlock risk without introducing unintended side effects to other components. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/dma/mediatek/mtk-cqdma.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c index d5ddb4e30e71..656354bccb44 100644 --- a/drivers/dma/mediatek/mtk-cqdma.c +++ b/drivers/dma/mediatek/mtk-cqdma.c @@ -423,11 +423,14 @@ static struct virt_dma_desc *mtk_cqdma_find_active_desc(struct dma_chan *c, unsigned long flags; spin_lock_irqsave(&cvc->pc->lock, flags); + spin_lock_irqsave(&cvc->vc.lock, flags); list_for_each_entry(vd, &cvc->pc->queue, node) if (vd->tx.cookie == cookie) { + spin_unlock_irqrestore(&cvc->vc.lock, flags); spin_unlock_irqrestore(&cvc->pc->lock, flags); return vd; } + spin_unlock_irqrestore(&cvc->vc.lock, flags); spin_unlock_irqrestore(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->vc.desc_issued, node) @@ -452,9 +455,7 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, if (ret == DMA_COMPLETE || !txstate) return ret; - spin_lock_irqsave(&cvc->vc.lock, flags); vd = mtk_cqdma_find_active_desc(c, cookie); - spin_unlock_irqrestore(&cvc->vc.lock, flags); if (vd) { cvd = to_cqdma_vdesc(vd); -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH 1/3] ASoC: amd: amd_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks()

by Vijendar Mukunda

Initialize current_be_id to 0 in AMD legacy stack(NO DSP enabled) SoundWire generic machine driver code to handle the unlikely case when there are no devices connected to a DAI. In this case create_sdw_dailink() would return without touching the passed pointer to current_be_id. Found by gcc -fanalyzer Cc: stable(a)vger.kernel.org Fixes: 2981d9b0789c4 ("ASoC: amd: acp: add soundwire machine driver for legacy stack") Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> --- sound/soc/amd/acp/acp-sdw-legacy-mach.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c index 2020c5cfb3d5..582c68aee6e5 100644 --- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c +++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c @@ -272,7 +272,7 @@ static int create_sdw_dailinks(struct snd_soc_card *card, /* generate DAI links by each sdw link */ while (soc_dais->initialised) { - int current_be_id; + int current_be_id = 0; ret = create_sdw_dailink(card, soc_dais, dai_links, &current_be_id, codec_conf, sdw_platform_component); -- 2.45.2

8 months, 1 week

2
2
0 0

[PATCH v2 0/4] clk: qcom: Add camera clock controller support for sc8180x

by Satya Priya Kakitapalli

This series adds support for camera clock controller base driver, bindings and DT support on sc8180x platform. Signed-off-by: Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> --- Changes in v2: - New patch [1/4] to add all the missing gcc bindings along with the required GCC_CAMERA_AHB_CLOCK - As per Konrad's comments, add the camera AHB clock dependency in the DT and yaml bindings. - As per Vladimir's comments, update the Kconfig to add the SC8180X config in correct alphanumerical order. - Link to v1: https://lore.kernel.org/r/20250422-sc8180x-camcc-support-v1-0-691614d13f06@… --- Satya Priya Kakitapalli (4): dt-bindings: clock: qcom: Add missing bindings on gcc-sc8180x dt-bindings: clock: Add Qualcomm SC8180X Camera clock controller clk: qcom: camcc-sc8180x: Add SC8180X camera clock controller driver arm64: dts: qcom: Add camera clock controller for sc8180x .../bindings/clock/qcom,sc8180x-camcc.yaml | 67 + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 14 + drivers/clk/qcom/Kconfig | 10 + drivers/clk/qcom/Makefile | 1 + drivers/clk/qcom/camcc-sc8180x.c | 2897 ++++++++++++++++++++ include/dt-bindings/clock/qcom,gcc-sc8180x.h | 12 + include/dt-bindings/clock/qcom,sc8180x-camcc.h | 181 ++ 7 files changed, 3182 insertions(+) --- base-commit: bc8aa6cdadcc00862f2b5720e5de2e17f696a081 change-id: 20250422-sc8180x-camcc-support-9a82507d2a39 Best regards, -- Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com>

8 months, 1 week

3
6
0 0

[PATCH 2/2] phy: tegra: xusb: Disable periodic tracking on Tegra234

by Wayne Chang

From: Haotien Hsu <haotienh(a)nvidia.com> Periodic calibration updates (~10µs) may overlap with transfers when PCIe NVMe SSD, LPDDR, and USB2 devices operate simultaneously, causing crosstalk on Tegra234 devices. Hence disable periodic calibration updates and make this a one-time calibration. Fixes: d8163a32ca95 ("phy: tegra: xusb: Add Tegra234 support") Cc: stable(a)vger.kernel.org Signed-off-by: Haotien Hsu <haotienh(a)nvidia.com> Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- drivers/phy/tegra/xusb-tegra186.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c index dd0aaf305e90..414f4eabfe9d 100644 --- a/drivers/phy/tegra/xusb-tegra186.c +++ b/drivers/phy/tegra/xusb-tegra186.c @@ -1703,7 +1703,7 @@ const struct tegra_xusb_padctl_soc tegra234_xusb_padctl_soc = { .num_supplies = ARRAY_SIZE(tegra194_xusb_padctl_supply_names), .supports_gen2 = true, .poll_trk_completed = true, - .trk_hw_mode = true, + .trk_hw_mode = false, .trk_update_on_idle = true, .supports_lp_cfg_en = true, }; -- 2.25.1

8 months, 1 week

1
0
0 0

[PATCH 02/14] drm/amd/display: Correct the reply value when AUX write incomplete

by Ray Wu

From: Wayne Lin <Wayne.Lin(a)amd.com> [Why] Now forcing aux->transfer to return 0 when incomplete AUX write is inappropriate. It should return bytes have been transferred. [How] aux->transfer is asked not to change original msg except reply field of drm_dp_aux_msg structure. Copy the msg->buffer when it's write request, and overwrite the first byte when sink reply 1 byte indicating partially written byte number. Then we can return the correct value without changing the original msg. Fixes: 6285f12bc54c ("drm/amd/display: Fix wrong handling for AUX_DEFER case") Cc: stable(a)vger.kernel.org Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Ray Wu <ray.wu(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Signed-off-by: Ray Wu <ray.wu(a)amd.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- .../drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 10 ++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 8984e211dd1c..36c16030fca9 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -12853,7 +12853,8 @@ int amdgpu_dm_process_dmub_aux_transfer_sync( /* The reply is stored in the top nibble of the command. */ payload->reply[0] = (adev->dm.dmub_notify->aux_reply.command >> 4) & 0xF; - if (!payload->write && p_notify->aux_reply.length) + /*write req may receive a byte indicating partially written number as well*/ + if (p_notify->aux_reply.length) memcpy(payload->data, p_notify->aux_reply.data, p_notify->aux_reply.length); diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index d19aea595722..0d7b72c75802 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -62,6 +62,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, enum aux_return_code_type operation_result; struct amdgpu_device *adev; struct ddc_service *ddc; + uint8_t copy[16]; if (WARN_ON(msg->size > 16)) return -E2BIG; @@ -77,6 +78,11 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, (msg->request & DP_AUX_I2C_WRITE_STATUS_UPDATE) != 0; payload.defer_delay = 0; + if (payload.write) { + memcpy(copy, msg->buffer, msg->size); + payload.data = copy; + } + result = dc_link_aux_transfer_raw(TO_DM_AUX(aux)->ddc_service, &payload, &operation_result); @@ -100,9 +106,9 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux, */ if (payload.write && result >= 0) { if (result) { - /*one byte indicating partially written bytes. Force 0 to retry*/ + /*one byte indicating partially written bytes*/ drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n"); - result = 0; + result = payload.data[0]; } else if (!payload.reply[0]) /*I2C_ACK|AUX_ACK*/ result = msg->size; -- 2.43.0

8 months, 1 week

1
0
0 0

[REGRESSION][BISECTED][STABLE] MT7925: mDNS and IPv6 broken in kernel 6.14.3 and above

by fossben＠pm.me

Hello all, After upgrading to 6.14.3 on my PC with a MT7925 chip, I noticed that I could no longer ping *.local addresses provided by Avahi. In addition, I also noticed that I was not able to get a DHCP IPv6 address from my router, no matter how many times I rebooted the router or reconnected with NetworkManager. Reverting to 6.14.2 fixes both mDNS and IPv6 addresses immediately. Going back to 6.14.3 immediately breaks mDNS again, but the IPv6 address will stay there for a while before disappearing later, possibly because the DHCP lease expired? I am not sure exactly when it stops working. I've done a kernel bisect between 6.14.2 and 6.14.3 and found the offending commit that causes mDNS to fail: commit 80007d3f92fd018d0a052a706400e976b36e3c87 Author: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Date: Tue Mar 4 16:08:50 2025 -0800 wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd commit cb1353ef34735ec1e5d9efa1fe966f05ff1dc1e1 upstream. Integrate *mlo_sta_cmd and *sta_cmd for the MLO firmware. Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it") drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 59 ++++------------------------------------------------------- 1 file changed, 4 insertions(+), 55 deletions(-) I do not know if this same commit is also causing the IPv6 issues as testing that requires quite a bit of time to reproduce. What I do know with certainty as of this moment is that it definitely breaks in kernel 6.14.3. I've attached my hardware info as well as dmesg logs from the last working kernel from the bisect and 6.14.4 which exhibits the issue. Please let me know if there's any other info you need. Thanks! Benjamin Xiao

8 months, 1 week

3
9
0 0

[PATCH v2] usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

by RD Babiera

A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call. Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below: [110121.667392][ C7] Call trace: [110121.667396][ C7] __switch_to+0x174/0x338 [110121.667406][ C7] __schedule+0x608/0x9f0 [110121.667414][ C7] schedule+0x7c/0xe8 [110121.667423][ C7] kernfs_drain+0xb0/0x114 [110121.667431][ C7] __kernfs_remove+0x16c/0x20c [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][ C7] sysfs_remove_group+0x84/0xe8 [110121.667450][ C7] sysfs_remove_groups+0x34/0x58 [110121.667458][ C7] device_remove_groups+0x10/0x20 [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4 [110121.667475][ C7] device_release_driver+0x18/0x28 [110121.667484][ C7] bus_remove_device+0xec/0x118 [110121.667491][ C7] device_del+0x1e8/0x4ac [110121.667498][ C7] device_unregister+0x18/0x38 [110121.667504][ C7] typec_unregister_altmode+0x30/0x44 [110121.667515][ C7] tcpm_reset_port+0xac/0x370 [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8 [110121.667529][ C7] run_state_machine+0x4c0/0x1b68 [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4 [110121.667544][ C7] kthread_worker_fn+0x10c/0x244 [110121.667552][ C7] kthread+0x104/0x1d4 [110121.667557][ C7] ret_from_fork+0x10/0x20 [110121.667689][ C7] Workqueue: events dp_altmode_work [110121.667697][ C7] Call trace: [110121.667701][ C7] __switch_to+0x174/0x338 [110121.667710][ C7] __schedule+0x608/0x9f0 [110121.667717][ C7] schedule+0x7c/0xe8 [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40 [110121.667733][ C7] __mutex_lock+0x408/0xdac [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24 [110121.667748][ C7] mutex_lock+0x40/0xec [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4 [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c [110121.667769][ C7] dp_altmode_work+0x68/0x164 [110121.667775][ C7] process_one_work+0x1e4/0x43c [110121.667783][ C7] worker_thread+0x25c/0x430 [110121.667789][ C7] kthread+0x104/0x1d4 [110121.667794][ C7] ret_from_fork+0x10/0x20 Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event. Fixes: cdc9946ea637 ("usb: typec: tcpm: enforce ready state when queueing alt mode vdm") Cc: stable(a)vger.kernel.org Signed-off-by: RD Babiera <rdbabiera(a)google.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> --- Changes from v1: * modified commit message to include call stack --- drivers/usb/typec/tcpm/tcpm.c | 91 +++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 20 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 784fa23102f9..9b8d98328ddb 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -597,6 +597,15 @@ struct pd_rx_event { enum tcpm_transmit_type rx_sop_type; }; +struct altmode_vdm_event { + struct kthread_work work; + struct tcpm_port *port; + u32 header; + u32 *data; + int cnt; + enum tcpm_transmit_type tx_sop_type; +}; + static const char * const pd_rev[] = { [PD_REV10] = "rev1", [PD_REV20] = "rev2", @@ -1610,18 +1619,68 @@ static void tcpm_queue_vdm(struct tcpm_port *port, const u32 header, mod_vdm_delayed_work(port, 0); } -static void tcpm_queue_vdm_unlocked(struct tcpm_port *port, const u32 header, - const u32 *data, int cnt, enum tcpm_transmit_type tx_sop_type) +static void tcpm_queue_vdm_work(struct kthread_work *work) { - if (port->state != SRC_READY && port->state != SNK_READY && - port->state != SRC_VDM_IDENTITY_REQUEST) - return; + struct altmode_vdm_event *event = container_of(work, + struct altmode_vdm_event, + work); + struct tcpm_port *port = event->port; mutex_lock(&port->lock); - tcpm_queue_vdm(port, header, data, cnt, tx_sop_type); + if (port->state != SRC_READY && port->state != SNK_READY && + port->state != SRC_VDM_IDENTITY_REQUEST) { + tcpm_log_force(port, "dropping altmode_vdm_event"); + goto port_unlock; + } + + tcpm_queue_vdm(port, event->header, event->data, event->cnt, event->tx_sop_type); + +port_unlock: + kfree(event->data); + kfree(event); mutex_unlock(&port->lock); } +static int tcpm_queue_vdm_unlocked(struct tcpm_port *port, const u32 header, + const u32 *data, int cnt, enum tcpm_transmit_type tx_sop_type) +{ + struct altmode_vdm_event *event; + u32 *data_cpy; + int ret = -ENOMEM; + + event = kzalloc(sizeof(*event), GFP_KERNEL); + if (!event) + goto err_event; + + data_cpy = kcalloc(cnt, sizeof(u32), GFP_KERNEL); + if (!data_cpy) + goto err_data; + + kthread_init_work(&event->work, tcpm_queue_vdm_work); + event->port = port; + event->header = header; + memcpy(data_cpy, data, sizeof(u32) * cnt); + event->data = data_cpy; + event->cnt = cnt; + event->tx_sop_type = tx_sop_type; + + ret = kthread_queue_work(port->wq, &event->work); + if (!ret) { + ret = -EBUSY; + goto err_queue; + } + + return 0; + +err_queue: + kfree(data_cpy); +err_data: + kfree(event); +err_event: + tcpm_log_force(port, "failed to queue altmode vdm, err:%d", ret); + return ret; +} + static void svdm_consume_identity(struct tcpm_port *port, const u32 *p, int cnt) { u32 vdo = p[VDO_INDEX_IDH]; @@ -2832,8 +2891,7 @@ static int tcpm_altmode_enter(struct typec_altmode *altmode, u32 *vdo) header = VDO(altmode->svid, vdo ? 2 : 1, svdm_version, CMD_ENTER_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP); - return 0; + return tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP); } static int tcpm_altmode_exit(struct typec_altmode *altmode) @@ -2849,8 +2907,7 @@ static int tcpm_altmode_exit(struct typec_altmode *altmode) header = VDO(altmode->svid, 1, svdm_version, CMD_EXIT_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP); - return 0; + return tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP); } static int tcpm_altmode_vdm(struct typec_altmode *altmode, @@ -2858,9 +2915,7 @@ static int tcpm_altmode_vdm(struct typec_altmode *altmode, { struct tcpm_port *port = typec_altmode_get_drvdata(altmode); - tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP); - - return 0; + return tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP); } static const struct typec_altmode_ops tcpm_altmode_ops = { @@ -2884,8 +2939,7 @@ static int tcpm_cable_altmode_enter(struct typec_altmode *altmode, enum typec_pl header = VDO(altmode->svid, vdo ? 2 : 1, svdm_version, CMD_ENTER_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP_PRIME); - return 0; + return tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP_PRIME); } static int tcpm_cable_altmode_exit(struct typec_altmode *altmode, enum typec_plug_index sop) @@ -2901,8 +2955,7 @@ static int tcpm_cable_altmode_exit(struct typec_altmode *altmode, enum typec_plu header = VDO(altmode->svid, 1, svdm_version, CMD_EXIT_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP_PRIME); - return 0; + return tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP_PRIME); } static int tcpm_cable_altmode_vdm(struct typec_altmode *altmode, enum typec_plug_index sop, @@ -2910,9 +2963,7 @@ static int tcpm_cable_altmode_vdm(struct typec_altmode *altmode, enum typec_plug { struct tcpm_port *port = typec_altmode_get_drvdata(altmode); - tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP_PRIME); - - return 0; + return tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP_PRIME); } static const struct typec_cable_ops tcpm_cable_ops = { base-commit: 588d032e9e566997db3213dee145dbe3bda297b6 -- 2.49.0.967.g6a0df3ecc3-goog

8 months, 1 week

2
1
0 0

[PATCH v2 0/2] Map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled

by Ignacio Moreno Gonzalez via B4 Relay

... and make setting MADV_NOHUGEPAGE with madvise() into a no-op if THP is not enabled. I discovered this issue when trying to use the tool CRIU to checkpoint and restore a container. Our running kernel is compiled without CONFIG_TRANSPARENT_HUGETABLES. CRIU parses the output of /proc/<pid>/smaps and saves the "nh" flag. When trying to restore the container, CRIU fails to restore the "nh" mappings, since madvise() MADV_NOHUGEPAGE always returns an error because CONFIG_TRANSPARENT_HUGETABLES is not defined. These patches: - Avoid mapping MAP_STACK to VM_NOHUGEPAGE if !THP - Avoid returning an error when calling madvise() with MADV_NOHUGEPAGE if !THP Signed-off-by: Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com> --- Changes in v2: - [Patch 1/2] Use '#ifdef' instead of '#if defined(...)' - [Patch 1/2] Add 'Fixes: c4608d1bf7c6...' - Create [Patch 2/2] - Link to v1: https://lore.kernel.org/r/20250502-map-map_stack-to-vm_nohugepage-only-if-t… --- Ignacio Moreno Gonzalez (2): mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled mm: madvise: no-op for MADV_NOHUGEPAGE if THP is disabled include/linux/huge_mm.h | 6 ++++++ include/linux/mman.h | 2 ++ 2 files changed, 8 insertions(+) --- base-commit: fc96b232f8e7c0a6c282f47726b2ff6a5fb341d2 change-id: 20250428-map-map_stack-to-vm_nohugepage-only-if-thp-is-enabled-ce40a1de095d Best regards, -- Ignacio Moreno Gonzalez <Ignacio.MorenoGonzalez(a)kuka.com>

8 months, 1 week

5
6
0 0

[PATCH v1] usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

by RD Babiera

A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call. Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event. Fixes: cdc9946ea637 ("usb: typec: tcpm: enforce ready state when queueing alt mode vdm") Cc: stable(a)vger.kernel.org Signed-off-by: RD Babiera <rdbabiera(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 91 +++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 20 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 784fa23102f9..9b8d98328ddb 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -597,6 +597,15 @@ struct pd_rx_event { enum tcpm_transmit_type rx_sop_type; }; +struct altmode_vdm_event { + struct kthread_work work; + struct tcpm_port *port; + u32 header; + u32 *data; + int cnt; + enum tcpm_transmit_type tx_sop_type; +}; + static const char * const pd_rev[] = { [PD_REV10] = "rev1", [PD_REV20] = "rev2", @@ -1610,18 +1619,68 @@ static void tcpm_queue_vdm(struct tcpm_port *port, const u32 header, mod_vdm_delayed_work(port, 0); } -static void tcpm_queue_vdm_unlocked(struct tcpm_port *port, const u32 header, - const u32 *data, int cnt, enum tcpm_transmit_type tx_sop_type) +static void tcpm_queue_vdm_work(struct kthread_work *work) { - if (port->state != SRC_READY && port->state != SNK_READY && - port->state != SRC_VDM_IDENTITY_REQUEST) - return; + struct altmode_vdm_event *event = container_of(work, + struct altmode_vdm_event, + work); + struct tcpm_port *port = event->port; mutex_lock(&port->lock); - tcpm_queue_vdm(port, header, data, cnt, tx_sop_type); + if (port->state != SRC_READY && port->state != SNK_READY && + port->state != SRC_VDM_IDENTITY_REQUEST) { + tcpm_log_force(port, "dropping altmode_vdm_event"); + goto port_unlock; + } + + tcpm_queue_vdm(port, event->header, event->data, event->cnt, event->tx_sop_type); + +port_unlock: + kfree(event->data); + kfree(event); mutex_unlock(&port->lock); } +static int tcpm_queue_vdm_unlocked(struct tcpm_port *port, const u32 header, + const u32 *data, int cnt, enum tcpm_transmit_type tx_sop_type) +{ + struct altmode_vdm_event *event; + u32 *data_cpy; + int ret = -ENOMEM; + + event = kzalloc(sizeof(*event), GFP_KERNEL); + if (!event) + goto err_event; + + data_cpy = kcalloc(cnt, sizeof(u32), GFP_KERNEL); + if (!data_cpy) + goto err_data; + + kthread_init_work(&event->work, tcpm_queue_vdm_work); + event->port = port; + event->header = header; + memcpy(data_cpy, data, sizeof(u32) * cnt); + event->data = data_cpy; + event->cnt = cnt; + event->tx_sop_type = tx_sop_type; + + ret = kthread_queue_work(port->wq, &event->work); + if (!ret) { + ret = -EBUSY; + goto err_queue; + } + + return 0; + +err_queue: + kfree(data_cpy); +err_data: + kfree(event); +err_event: + tcpm_log_force(port, "failed to queue altmode vdm, err:%d", ret); + return ret; +} + static void svdm_consume_identity(struct tcpm_port *port, const u32 *p, int cnt) { u32 vdo = p[VDO_INDEX_IDH]; @@ -2832,8 +2891,7 @@ static int tcpm_altmode_enter(struct typec_altmode *altmode, u32 *vdo) header = VDO(altmode->svid, vdo ? 2 : 1, svdm_version, CMD_ENTER_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP); - return 0; + return tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP); } static int tcpm_altmode_exit(struct typec_altmode *altmode) @@ -2849,8 +2907,7 @@ static int tcpm_altmode_exit(struct typec_altmode *altmode) header = VDO(altmode->svid, 1, svdm_version, CMD_EXIT_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP); - return 0; + return tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP); } static int tcpm_altmode_vdm(struct typec_altmode *altmode, @@ -2858,9 +2915,7 @@ static int tcpm_altmode_vdm(struct typec_altmode *altmode, { struct tcpm_port *port = typec_altmode_get_drvdata(altmode); - tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP); - - return 0; + return tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP); } static const struct typec_altmode_ops tcpm_altmode_ops = { @@ -2884,8 +2939,7 @@ static int tcpm_cable_altmode_enter(struct typec_altmode *altmode, enum typec_pl header = VDO(altmode->svid, vdo ? 2 : 1, svdm_version, CMD_ENTER_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP_PRIME); - return 0; + return tcpm_queue_vdm_unlocked(port, header, vdo, vdo ? 1 : 0, TCPC_TX_SOP_PRIME); } static int tcpm_cable_altmode_exit(struct typec_altmode *altmode, enum typec_plug_index sop) @@ -2901,8 +2955,7 @@ static int tcpm_cable_altmode_exit(struct typec_altmode *altmode, enum typec_plu header = VDO(altmode->svid, 1, svdm_version, CMD_EXIT_MODE); header |= VDO_OPOS(altmode->mode); - tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP_PRIME); - return 0; + return tcpm_queue_vdm_unlocked(port, header, NULL, 0, TCPC_TX_SOP_PRIME); } static int tcpm_cable_altmode_vdm(struct typec_altmode *altmode, enum typec_plug_index sop, @@ -2910,9 +2963,7 @@ static int tcpm_cable_altmode_vdm(struct typec_altmode *altmode, enum typec_plug { struct tcpm_port *port = typec_altmode_get_drvdata(altmode); - tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP_PRIME); - - return 0; + return tcpm_queue_vdm_unlocked(port, header, data, count - 1, TCPC_TX_SOP_PRIME); } static const struct typec_cable_ops tcpm_cable_ops = { base-commit: 615dca38c2eae55aff80050275931c87a812b48c -- 2.49.0.967.g6a0df3ecc3-goog

8 months, 1 week

3
2
0 0

[PATCH v1 0/7] ublk: Backport to 6.14-stable: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd

by Jared Holzman

This patchset backports a series of ublk fixes from upstream to 6.14-stable. Patch 7 fixes the race that can cause kernel panic when ublk server daemon is exiting. It depends on patches 1-6 which simplifies & improves IO canceling when ublk server daemon is exiting as described here: https://lore.kernel.org/linux-block/20250416035444.99569-1-ming.lei@redhat.… Ming Lei (5): ublk: add helper of ublk_need_map_io() ublk: move device reset into ublk_ch_release() ublk: remove __ublk_quiesce_dev() ublk: simplify aborting ublk request ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd Uday Shankar (2): ublk: properly serialize all FETCH_REQs ublk: improve detection and handling of ublk server exit drivers/block/ublk_drv.c | 550 +++++++++++++++++++++------------------ 1 file changed, 291 insertions(+), 259 deletions(-) -- 2.43.0

8 months, 1 week

1
1
0 0

[PATCH v1 7/7] ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd

by Jared Holzman

From: Ming Lei <ming.lei(a)redhat.com> ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but we may have scheduled task work via io_uring_cmd_complete_in_task() for dispatching request, then kernel crash can be triggered. Fix it by not trying to canceling the command if ublk block request is started. Fixes: 216c8f5ef0f2 ("ublk: replace monitor with cancelable uring_cmd") Reported-by: Jared Holzman <jholzman(a)nvidia.com> Tested-by: Jared Holzman <jholzman(a)nvidia.com> Closes: https://lore.kernel.org/linux-block/d2179120-171b-47ba-b664-23242981ef19@nv… Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250425013742.1079549-3-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 6000147ac2a5..348c4feb7a2d 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -1655,14 +1655,31 @@ static void ublk_start_cancel(struct ublk_queue *ubq) ublk_put_disk(disk); } -static void ublk_cancel_cmd(struct ublk_queue *ubq, struct ublk_io *io, +static void ublk_cancel_cmd(struct ublk_queue *ubq, unsigned tag, unsigned int issue_flags) { + struct ublk_io *io = &ubq->ios[tag]; + struct ublk_device *ub = ubq->dev; + struct request *req; bool done; if (!(io->flags & UBLK_IO_FLAG_ACTIVE)) return; + /* + * Don't try to cancel this command if the request is started for + * avoiding race between io_uring_cmd_done() and + * io_uring_cmd_complete_in_task(). + * + * Either the started request will be aborted via __ublk_abort_rq(), + * then this uring_cmd is canceled next time, or it will be done in + * task work function ublk_dispatch_req() because io_uring guarantees + * that ublk_dispatch_req() is always called + */ + req = blk_mq_tag_to_rq(ub->tag_set.tags[ubq->q_id], tag); + if (req && blk_mq_request_started(req)) + return; + spin_lock(&ubq->cancel_lock); done = !!(io->flags & UBLK_IO_FLAG_CANCELED); if (!done) @@ -1694,7 +1711,6 @@ static void ublk_uring_cmd_cancel_fn(struct io_uring_cmd *cmd, struct ublk_uring_cmd_pdu *pdu = ublk_get_uring_cmd_pdu(cmd); struct ublk_queue *ubq = pdu->ubq; struct task_struct *task; - struct ublk_io *io; if (WARN_ON_ONCE(!ubq)) return; @@ -1709,9 +1725,8 @@ static void ublk_uring_cmd_cancel_fn(struct io_uring_cmd *cmd, if (!ubq->canceling) ublk_start_cancel(ubq); - io = &ubq->ios[pdu->tag]; - WARN_ON_ONCE(io->cmd != cmd); - ublk_cancel_cmd(ubq, io, issue_flags); + WARN_ON_ONCE(ubq->ios[pdu->tag].cmd != cmd); + ublk_cancel_cmd(ubq, pdu->tag, issue_flags); } static inline bool ublk_queue_ready(struct ublk_queue *ubq) @@ -1724,7 +1739,7 @@ static void ublk_cancel_queue(struct ublk_queue *ubq) int i; for (i = 0; i < ubq->q_depth; i++) - ublk_cancel_cmd(ubq, &ubq->ios[i], IO_URING_F_UNLOCKED); + ublk_cancel_cmd(ubq, i, IO_URING_F_UNLOCKED); } /* Cancel all pending commands, must be called after del_gendisk() returns */ -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v1 6/7] ublk: simplify aborting ublk request

by Jared Holzman

From: Ming Lei <ming.lei(a)redhat.com> Now ublk_abort_queue() is moved to ublk char device release handler, meantime our request queue is "quiesced" because either ->canceling was set from uring_cmd cancel function or all IOs are inflight and can't be completed by ublk server, things becomes easy much: - all uring_cmd are done, so we needn't to mark io as UBLK_IO_FLAG_ABORTED for handling completion from uring_cmd - ublk char device is closed, no one can hold IO request reference any more, so we can simply complete this request or requeue it for ublk_nosrv_should_reissue_outstanding. Reviewed-by: Uday Shankar <ushankar(a)purestorage.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250416035444.99569-8-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 82 ++++++++++------------------------------ 1 file changed, 20 insertions(+), 62 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index c3f576a9dbf2..6000147ac2a5 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -115,15 +115,6 @@ struct ublk_uring_cmd_pdu { */ #define UBLK_IO_FLAG_OWNED_BY_SRV 0x02 -/* - * IO command is aborted, so this flag is set in case of - * !UBLK_IO_FLAG_ACTIVE. - * - * After this flag is observed, any pending or new incoming request - * associated with this io command will be failed immediately - */ -#define UBLK_IO_FLAG_ABORTED 0x04 - /* * UBLK_IO_FLAG_NEED_GET_DATA is set because IO command requires * get data buffer address from ublksrv. @@ -1054,12 +1045,6 @@ static inline void __ublk_complete_rq(struct request *req) unsigned int unmapped_bytes; blk_status_t res = BLK_STS_OK; - /* called from ublk_abort_queue() code path */ - if (io->flags & UBLK_IO_FLAG_ABORTED) { - res = BLK_STS_IOERR; - goto exit; - } - /* failed read IO if nothing is read */ if (!io->res && req_op(req) == REQ_OP_READ) io->res = -EIO; @@ -1109,47 +1094,6 @@ static void ublk_complete_rq(struct kref *ref) __ublk_complete_rq(req); } -static void ublk_do_fail_rq(struct request *req) -{ - struct ublk_queue *ubq = req->mq_hctx->driver_data; - - if (ublk_nosrv_should_reissue_outstanding(ubq->dev)) - blk_mq_requeue_request(req, false); - else - __ublk_complete_rq(req); -} - -static void ublk_fail_rq_fn(struct kref *ref) -{ - struct ublk_rq_data *data = container_of(ref, struct ublk_rq_data, - ref); - struct request *req = blk_mq_rq_from_pdu(data); - - ublk_do_fail_rq(req); -} - -/* - * Since ublk_rq_task_work_cb always fails requests immediately during - * exiting, __ublk_fail_req() is only called from abort context during - * exiting. So lock is unnecessary. - * - * Also aborting may not be started yet, keep in mind that one failed - * request may be issued by block layer again. - */ -static void __ublk_fail_req(struct ublk_queue *ubq, struct ublk_io *io, - struct request *req) -{ - WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_ACTIVE); - - if (ublk_need_req_ref(ubq)) { - struct ublk_rq_data *data = blk_mq_rq_to_pdu(req); - - kref_put(&data->ref, ublk_fail_rq_fn); - } else { - ublk_do_fail_rq(req); - } -} - static void ubq_complete_io_cmd(struct ublk_io *io, int res, unsigned issue_flags) { @@ -1639,10 +1583,26 @@ static void ublk_commit_completion(struct ublk_device *ub, ublk_put_req_ref(ubq, req); } +static void __ublk_fail_req(struct ublk_queue *ubq, struct ublk_io *io, + struct request *req) +{ + WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_ACTIVE); + + if (ublk_nosrv_should_reissue_outstanding(ubq->dev)) + blk_mq_requeue_request(req, false); + else { + io->res = -EIO; + __ublk_complete_rq(req); + } +} + /* - * Called from ubq_daemon context via cancel fn, meantime quiesce ublk - * blk-mq queue, so we are called exclusively with blk-mq and ubq_daemon - * context, so everything is serialized. + * Called from ublk char device release handler, when any uring_cmd is + * done, meantime request queue is "quiesced" since all inflight requests + * can't be completed because ublk server is dead. + * + * So no one can hold our request IO reference any more, simply ignore the + * reference, and complete the request immediately */ static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq) { @@ -1659,10 +1619,8 @@ static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq) * will do it */ rq = blk_mq_tag_to_rq(ub->tag_set.tags[ubq->q_id], i); - if (rq && blk_mq_request_started(rq)) { - io->flags |= UBLK_IO_FLAG_ABORTED; + if (rq && blk_mq_request_started(rq)) __ublk_fail_req(ubq, io, rq); - } } } } -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v1 5/7] ublk: remove __ublk_quiesce_dev()

by Jared Holzman

From: Ming Lei <ming.lei(a)redhat.com> Remove __ublk_quiesce_dev() and open code for updating device state as QUIESCED. We needn't to drain inflight requests in __ublk_quiesce_dev() any more, because all inflight requests are aborted in ublk char device release handler. Also we needn't to set ->canceling in __ublk_quiesce_dev() any more because it is done unconditionally now in ublk_ch_release(). Reviewed-by: Uday Shankar <ushankar(a)purestorage.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250416035444.99569-7-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 652742db0396..c3f576a9dbf2 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -205,7 +205,6 @@ struct ublk_params_header { static void ublk_stop_dev_unlocked(struct ublk_device *ub); static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq); -static void __ublk_quiesce_dev(struct ublk_device *ub); static inline unsigned int ublk_req_build_flags(struct request *req); static inline struct ublksrv_io_desc *ublk_get_iod(struct ublk_queue *ubq, @@ -1558,7 +1557,8 @@ static int ublk_ch_release(struct inode *inode, struct file *filp) ublk_stop_dev_unlocked(ub); } else { if (ublk_nosrv_dev_should_queue_io(ub)) { - __ublk_quiesce_dev(ub); + /* ->canceling is set and all requests are aborted */ + ub->dev_info.state = UBLK_S_DEV_QUIESCED; } else { ub->dev_info.state = UBLK_S_DEV_FAIL_IO; for (i = 0; i < ub->dev_info.nr_hw_queues; i++) @@ -1804,21 +1804,6 @@ static void ublk_wait_tagset_rqs_idle(struct ublk_device *ub) } } -static void __ublk_quiesce_dev(struct ublk_device *ub) -{ - int i; - - pr_devel("%s: quiesce ub: dev_id %d state %s\n", - __func__, ub->dev_info.dev_id, - ub->dev_info.state == UBLK_S_DEV_LIVE ? - "LIVE" : "QUIESCED"); - /* mark every queue as canceling */ - for (i = 0; i < ub->dev_info.nr_hw_queues; i++) - ublk_get_queue(ub, i)->canceling = true; - ublk_wait_tagset_rqs_idle(ub); - ub->dev_info.state = UBLK_S_DEV_QUIESCED; -} - static void ublk_force_abort_dev(struct ublk_device *ub) { int i; -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v1 4/7] ublk: improve detection and handling of ublk server exit

by Jared Holzman

From: Uday Shankar <ushankar(a)purestorage.com> There are currently two ways in which ublk server exit is detected by ublk_drv: 1. uring_cmd cancellation. If there are any outstanding uring_cmds which have not been completed to the ublk server when it exits, io_uring calls the uring_cmd callback with a special cancellation flag as the issuing task is exiting. 2. I/O timeout. This is needed in addition to the above to handle the "saturated queue" case, when all I/Os for a given queue are in the ublk server, and therefore there are no outstanding uring_cmds to cancel when the ublk server exits. There are a couple of issues with this approach: - It is complex and inelegant to have two methods to detect the same condition - The second method detects ublk server exit only after a long delay (~30s, the default timeout assigned by the block layer). This delays the nosrv behavior from kicking in and potential subsequent recovery of the device. The second issue is brought to light with the new test_generic_06 which will be added in following patch. It fails before this fix: selftests: ublk: test_generic_06.sh dev id is 0 dd: error writing '/dev/ublkb0': Input/output error 1+0 records in 0+0 records out 0 bytes copied, 30.0611 s, 0.0 kB/s DEAD dd took 31 seconds to exit (>= 5s tolerance)! generic_06 : [FAIL] Fix this by instead detecting and handling ublk server exit in the character file release callback. This has several advantages: - This one place can handle both saturated and unsaturated queues. Thus, it replaces both preexisting methods of detecting ublk server exit. - It runs quickly on ublk server exit - there is no 30s delay. - It starts the process of removing task references in ublk_drv. This is needed if we want to relax restrictions in the driver like letting only one thread serve each queue There is also the disadvantage that the character file release callback can also be triggered by intentional close of the file, which is a significant behavior change. Preexisting ublk servers (libublksrv) are dependent on the ability to open/close the file multiple times. To address this, only transition to a nosrv state if the file is released while the ublk device is live. This allows for programs to open/close the file multiple times during setup. It is still a behavior change if a ublk server decides to close/reopen the file while the device is LIVE (i.e. while it is responsible for serving I/O), but that would be highly unusual. This behavior is in line with what is done by FUSE, which is very similar to ublk in that a userspace daemon is providing services traditionally provided by the kernel. With this change in, the new test (and all other selftests, and all ublksrv tests) pass: selftests: ublk: test_generic_06.sh dev id is 0 dd: error writing '/dev/ublkb0': Input/output error 1+0 records in 0+0 records out 0 bytes copied, 0.0376731 s, 0.0 kB/s DEAD generic_04 : [PASS] Signed-off-by: Uday Shankar <ushankar(a)purestorage.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250416035444.99569-6-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 223 ++++++++++++++++++++++----------------- 1 file changed, 124 insertions(+), 99 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index c619df880c72..652742db0396 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -194,8 +194,6 @@ struct ublk_device { struct completion completion; unsigned int nr_queues_ready; unsigned int nr_privileged_daemon; - - struct work_struct nosrv_work; }; /* header of ublk_params */ @@ -204,7 +202,10 @@ struct ublk_params_header { __u32 types; }; -static bool ublk_abort_requests(struct ublk_device *ub, struct ublk_queue *ubq); + +static void ublk_stop_dev_unlocked(struct ublk_device *ub); +static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq); +static void __ublk_quiesce_dev(struct ublk_device *ub); static inline unsigned int ublk_req_build_flags(struct request *req); static inline struct ublksrv_io_desc *ublk_get_iod(struct ublk_queue *ubq, @@ -1306,8 +1307,6 @@ static void ublk_queue_cmd_list(struct ublk_queue *ubq, struct rq_list *l) static enum blk_eh_timer_return ublk_timeout(struct request *rq) { struct ublk_queue *ubq = rq->mq_hctx->driver_data; - unsigned int nr_inflight = 0; - int i; if (ubq->flags & UBLK_F_UNPRIVILEGED_DEV) { if (!ubq->timeout) { @@ -1318,26 +1317,6 @@ static enum blk_eh_timer_return ublk_timeout(struct request *rq) return BLK_EH_DONE; } - if (!ubq_daemon_is_dying(ubq)) - return BLK_EH_RESET_TIMER; - - for (i = 0; i < ubq->q_depth; i++) { - struct ublk_io *io = &ubq->ios[i]; - - if (!(io->flags & UBLK_IO_FLAG_ACTIVE)) - nr_inflight++; - } - - /* cancelable uring_cmd can't help us if all commands are in-flight */ - if (nr_inflight == ubq->q_depth) { - struct ublk_device *ub = ubq->dev; - - if (ublk_abort_requests(ub, ubq)) { - schedule_work(&ub->nosrv_work); - } - return BLK_EH_DONE; - } - return BLK_EH_RESET_TIMER; } @@ -1495,13 +1474,105 @@ static void ublk_reset_ch_dev(struct ublk_device *ub) ub->nr_privileged_daemon = 0; } +static struct gendisk *ublk_get_disk(struct ublk_device *ub) +{ + struct gendisk *disk; + + spin_lock(&ub->lock); + disk = ub->ub_disk; + if (disk) + get_device(disk_to_dev(disk)); + spin_unlock(&ub->lock); + + return disk; +} + +static void ublk_put_disk(struct gendisk *disk) +{ + if (disk) + put_device(disk_to_dev(disk)); +} + static int ublk_ch_release(struct inode *inode, struct file *filp) { struct ublk_device *ub = filp->private_data; + struct gendisk *disk; + int i; + + /* + * disk isn't attached yet, either device isn't live, or it has + * been removed already, so we needn't to do anything + */ + disk = ublk_get_disk(ub); + if (!disk) + goto out; + + /* + * All uring_cmd are done now, so abort any request outstanding to + * the ublk server + * + * This can be done in lockless way because ublk server has been + * gone + * + * More importantly, we have to provide forward progress guarantee + * without holding ub->mutex, otherwise control task grabbing + * ub->mutex triggers deadlock + * + * All requests may be inflight, so ->canceling may not be set, set + * it now. + */ + for (i = 0; i < ub->dev_info.nr_hw_queues; i++) { + struct ublk_queue *ubq = ublk_get_queue(ub, i); + + ubq->canceling = true; + ublk_abort_queue(ub, ubq); + } + blk_mq_kick_requeue_list(disk->queue); + + /* + * All infligh requests have been completed or requeued and any new + * request will be failed or requeued via `->canceling` now, so it is + * fine to grab ub->mutex now. + */ + mutex_lock(&ub->mutex); + + /* double check after grabbing lock */ + if (!ub->ub_disk) + goto unlock; + + /* + * Transition the device to the nosrv state. What exactly this + * means depends on the recovery flags + */ + blk_mq_quiesce_queue(disk->queue); + if (ublk_nosrv_should_stop_dev(ub)) { + /* + * Allow any pending/future I/O to pass through quickly + * with an error. This is needed because del_gendisk + * waits for all pending I/O to complete + */ + for (i = 0; i < ub->dev_info.nr_hw_queues; i++) + ublk_get_queue(ub, i)->force_abort = true; + blk_mq_unquiesce_queue(disk->queue); + + ublk_stop_dev_unlocked(ub); + } else { + if (ublk_nosrv_dev_should_queue_io(ub)) { + __ublk_quiesce_dev(ub); + } else { + ub->dev_info.state = UBLK_S_DEV_FAIL_IO; + for (i = 0; i < ub->dev_info.nr_hw_queues; i++) + ublk_get_queue(ub, i)->fail_io = true; + } + blk_mq_unquiesce_queue(disk->queue); + } +unlock: + mutex_unlock(&ub->mutex); + ublk_put_disk(disk); /* all uring_cmd has been done now, reset device & ubq */ ublk_reset_ch_dev(ub); - +out: clear_bit(UB_STATE_OPEN, &ub->state); return 0; } @@ -1597,37 +1668,22 @@ static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq) } /* Must be called when queue is frozen */ -static bool ublk_mark_queue_canceling(struct ublk_queue *ubq) +static void ublk_mark_queue_canceling(struct ublk_queue *ubq) { - bool canceled; - spin_lock(&ubq->cancel_lock); - canceled = ubq->canceling; - if (!canceled) + if (!ubq->canceling) ubq->canceling = true; spin_unlock(&ubq->cancel_lock); - - return canceled; } -static bool ublk_abort_requests(struct ublk_device *ub, struct ublk_queue *ubq) +static void ublk_start_cancel(struct ublk_queue *ubq) { - bool was_canceled = ubq->canceling; - struct gendisk *disk; - - if (was_canceled) - return false; - - spin_lock(&ub->lock); - disk = ub->ub_disk; - if (disk) - get_device(disk_to_dev(disk)); - spin_unlock(&ub->lock); + struct ublk_device *ub = ubq->dev; + struct gendisk *disk = ublk_get_disk(ub); /* Our disk has been dead */ if (!disk) - return false; - + return; /* * Now we are serialized with ublk_queue_rq() * @@ -1636,15 +1692,9 @@ static bool ublk_abort_requests(struct ublk_device *ub, struct ublk_queue *ubq) * touch completed uring_cmd */ blk_mq_quiesce_queue(disk->queue); - was_canceled = ublk_mark_queue_canceling(ubq); - if (!was_canceled) { - /* abort queue is for making forward progress */ - ublk_abort_queue(ub, ubq); - } + ublk_mark_queue_canceling(ubq); blk_mq_unquiesce_queue(disk->queue); - put_device(disk_to_dev(disk)); - - return !was_canceled; + ublk_put_disk(disk); } static void ublk_cancel_cmd(struct ublk_queue *ubq, struct ublk_io *io, @@ -1668,6 +1718,17 @@ static void ublk_cancel_cmd(struct ublk_queue *ubq, struct ublk_io *io, /* * The ublk char device won't be closed when calling cancel fn, so both * ublk device and queue are guaranteed to be live + * + * Two-stage cancel: + * + * - make every active uring_cmd done in ->cancel_fn() + * + * - aborting inflight ublk IO requests in ublk char device release handler, + * which depends on 1st stage because device can only be closed iff all + * uring_cmd are done + * + * Do _not_ try to acquire ub->mutex before all inflight requests are + * aborted, otherwise deadlock may be caused. */ static void ublk_uring_cmd_cancel_fn(struct io_uring_cmd *cmd, unsigned int issue_flags) @@ -1675,8 +1736,6 @@ static void ublk_uring_cmd_cancel_fn(struct io_uring_cmd *cmd, struct ublk_uring_cmd_pdu *pdu = ublk_get_uring_cmd_pdu(cmd); struct ublk_queue *ubq = pdu->ubq; struct task_struct *task; - struct ublk_device *ub; - bool need_schedule; struct ublk_io *io; if (WARN_ON_ONCE(!ubq)) @@ -1689,16 +1748,12 @@ static void ublk_uring_cmd_cancel_fn(struct io_uring_cmd *cmd, if (WARN_ON_ONCE(task && task != ubq->ubq_daemon)) return; - ub = ubq->dev; - need_schedule = ublk_abort_requests(ub, ubq); + if (!ubq->canceling) + ublk_start_cancel(ubq); io = &ubq->ios[pdu->tag]; WARN_ON_ONCE(io->cmd != cmd); ublk_cancel_cmd(ubq, io, issue_flags); - - if (need_schedule) { - schedule_work(&ub->nosrv_work); - } } static inline bool ublk_queue_ready(struct ublk_queue *ubq) @@ -1757,13 +1812,11 @@ static void __ublk_quiesce_dev(struct ublk_device *ub) __func__, ub->dev_info.dev_id, ub->dev_info.state == UBLK_S_DEV_LIVE ? "LIVE" : "QUIESCED"); - blk_mq_quiesce_queue(ub->ub_disk->queue); /* mark every queue as canceling */ for (i = 0; i < ub->dev_info.nr_hw_queues; i++) ublk_get_queue(ub, i)->canceling = true; ublk_wait_tagset_rqs_idle(ub); ub->dev_info.state = UBLK_S_DEV_QUIESCED; - blk_mq_unquiesce_queue(ub->ub_disk->queue); } static void ublk_force_abort_dev(struct ublk_device *ub) @@ -1800,50 +1853,25 @@ static struct gendisk *ublk_detach_disk(struct ublk_device *ub) return disk; } -static void ublk_stop_dev(struct ublk_device *ub) +static void ublk_stop_dev_unlocked(struct ublk_device *ub) + __must_hold(&ub->mutex) { struct gendisk *disk; - mutex_lock(&ub->mutex); if (ub->dev_info.state == UBLK_S_DEV_DEAD) - goto unlock; + return; + if (ublk_nosrv_dev_should_queue_io(ub)) ublk_force_abort_dev(ub); del_gendisk(ub->ub_disk); disk = ublk_detach_disk(ub); put_disk(disk); - unlock: - mutex_unlock(&ub->mutex); - ublk_cancel_dev(ub); } -static void ublk_nosrv_work(struct work_struct *work) +static void ublk_stop_dev(struct ublk_device *ub) { - struct ublk_device *ub = - container_of(work, struct ublk_device, nosrv_work); - int i; - - if (ublk_nosrv_should_stop_dev(ub)) { - ublk_stop_dev(ub); - return; - } - mutex_lock(&ub->mutex); - if (ub->dev_info.state != UBLK_S_DEV_LIVE) - goto unlock; - - if (ublk_nosrv_dev_should_queue_io(ub)) { - __ublk_quiesce_dev(ub); - } else { - blk_mq_quiesce_queue(ub->ub_disk->queue); - ub->dev_info.state = UBLK_S_DEV_FAIL_IO; - for (i = 0; i < ub->dev_info.nr_hw_queues; i++) { - ublk_get_queue(ub, i)->fail_io = true; - } - blk_mq_unquiesce_queue(ub->ub_disk->queue); - } - - unlock: + ublk_stop_dev_unlocked(ub); mutex_unlock(&ub->mutex); ublk_cancel_dev(ub); } @@ -2419,7 +2447,6 @@ static int ublk_add_tag_set(struct ublk_device *ub) static void ublk_remove(struct ublk_device *ub) { ublk_stop_dev(ub); - cancel_work_sync(&ub->nosrv_work); cdev_device_del(&ub->cdev, &ub->cdev_dev); ublk_put_device(ub); ublks_added--; @@ -2693,7 +2720,6 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd) goto out_unlock; mutex_init(&ub->mutex); spin_lock_init(&ub->lock); - INIT_WORK(&ub->nosrv_work, ublk_nosrv_work); ret = ublk_alloc_dev_number(ub, header->dev_id); if (ret < 0) @@ -2828,7 +2854,6 @@ static inline void ublk_ctrl_cmd_dump(struct io_uring_cmd *cmd) static int ublk_ctrl_stop_dev(struct ublk_device *ub) { ublk_stop_dev(ub); - cancel_work_sync(&ub->nosrv_work); return 0; } -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v1 3/7] ublk: move device reset into ublk_ch_release()

by Jared Holzman

From: Ming Lei <ming.lei(a)redhat.com> ublk_ch_release() is called after ublk char device is closed, when all uring_cmd are done, so it is perfect fine to move ublk device reset to ublk_ch_release() from ublk_ctrl_start_recovery(). This way can avoid to grab the exiting daemon task_struct too long. However, reset of the following ublk IO flags has to be moved until ublk io_uring queues are ready: - ubq->canceling For requeuing IO in case of ublk_nosrv_dev_should_queue_io() before device is recovered - ubq->fail_io For failing IO in case of UBLK_F_USER_RECOVERY_FAIL_IO before device is recovered - ublk_io->flags For preventing using io->cmd With this way, recovery is simplified a lot. Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250416035444.99569-5-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 121 +++++++++++++++++++++++---------------- 1 file changed, 72 insertions(+), 49 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 9345a6d8dbd8..c619df880c72 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -1043,7 +1043,7 @@ static inline struct ublk_uring_cmd_pdu *ublk_get_uring_cmd_pdu( static inline bool ubq_daemon_is_dying(struct ublk_queue *ubq) { - return ubq->ubq_daemon->flags & PF_EXITING; + return !ubq->ubq_daemon || ubq->ubq_daemon->flags & PF_EXITING; } /* todo: handle partial completion */ @@ -1440,6 +1440,37 @@ static const struct blk_mq_ops ublk_mq_ops = { .timeout = ublk_timeout, }; +static void ublk_queue_reinit(struct ublk_device *ub, struct ublk_queue *ubq) +{ + int i; + + /* All old ioucmds have to be completed */ + ubq->nr_io_ready = 0; + + /* + * old daemon is PF_EXITING, put it now + * + * It could be NULL in case of closing one quisced device. + */ + if (ubq->ubq_daemon) + put_task_struct(ubq->ubq_daemon); + /* We have to reset it to NULL, otherwise ub won't accept new FETCH_REQ */ + ubq->ubq_daemon = NULL; + ubq->timeout = false; + + for (i = 0; i < ubq->q_depth; i++) { + struct ublk_io *io = &ubq->ios[i]; + + /* + * UBLK_IO_FLAG_CANCELED is kept for avoiding to touch + * io->cmd + */ + io->flags &= UBLK_IO_FLAG_CANCELED; + io->cmd = NULL; + io->addr = 0; + } +} + static int ublk_ch_open(struct inode *inode, struct file *filp) { struct ublk_device *ub = container_of(inode->i_cdev, @@ -1451,10 +1482,26 @@ static int ublk_ch_open(struct inode *inode, struct file *filp) return 0; } +static void ublk_reset_ch_dev(struct ublk_device *ub) +{ + int i; + + for (i = 0; i < ub->dev_info.nr_hw_queues; i++) + ublk_queue_reinit(ub, ublk_get_queue(ub, i)); + + /* set to NULL, otherwise new ubq_daemon cannot mmap the io_cmd_buf */ + ub->mm = NULL; + ub->nr_queues_ready = 0; + ub->nr_privileged_daemon = 0; +} + static int ublk_ch_release(struct inode *inode, struct file *filp) { struct ublk_device *ub = filp->private_data; + /* all uring_cmd has been done now, reset device & ubq */ + ublk_reset_ch_dev(ub); + clear_bit(UB_STATE_OPEN, &ub->state); return 0; } @@ -1801,6 +1848,24 @@ static void ublk_nosrv_work(struct work_struct *work) ublk_cancel_dev(ub); } +/* reset ublk io_uring queue & io flags */ +static void ublk_reset_io_flags(struct ublk_device *ub) +{ + int i, j; + + for (i = 0; i < ub->dev_info.nr_hw_queues; i++) { + struct ublk_queue *ubq = ublk_get_queue(ub, i); + + /* UBLK_IO_FLAG_CANCELED can be cleared now */ + spin_lock(&ubq->cancel_lock); + for (j = 0; j < ubq->q_depth; j++) + ubq->ios[j].flags &= ~UBLK_IO_FLAG_CANCELED; + spin_unlock(&ubq->cancel_lock); + ubq->canceling = false; + ubq->fail_io = false; + } +} + /* device can only be started after all IOs are ready */ static void ublk_mark_io_ready(struct ublk_device *ub, struct ublk_queue *ubq) __must_hold(&ub->mutex) @@ -1814,8 +1879,12 @@ static void ublk_mark_io_ready(struct ublk_device *ub, struct ublk_queue *ubq) if (capable(CAP_SYS_ADMIN)) ub->nr_privileged_daemon++; } - if (ub->nr_queues_ready == ub->dev_info.nr_hw_queues) + + if (ub->nr_queues_ready == ub->dev_info.nr_hw_queues) { + /* now we are ready for handling ublk io request */ + ublk_reset_io_flags(ub); complete_all(&ub->completion); + } } static inline int ublk_check_cmd_op(u32 cmd_op) @@ -2866,42 +2935,15 @@ static int ublk_ctrl_set_params(struct ublk_device *ub, return ret; } -static void ublk_queue_reinit(struct ublk_device *ub, struct ublk_queue *ubq) -{ - int i; - - WARN_ON_ONCE(!(ubq->ubq_daemon && ubq_daemon_is_dying(ubq))); - - /* All old ioucmds have to be completed */ - ubq->nr_io_ready = 0; - /* old daemon is PF_EXITING, put it now */ - put_task_struct(ubq->ubq_daemon); - /* We have to reset it to NULL, otherwise ub won't accept new FETCH_REQ */ - ubq->ubq_daemon = NULL; - ubq->timeout = false; - - for (i = 0; i < ubq->q_depth; i++) { - struct ublk_io *io = &ubq->ios[i]; - - /* forget everything now and be ready for new FETCH_REQ */ - io->flags = 0; - io->cmd = NULL; - io->addr = 0; - } -} - static int ublk_ctrl_start_recovery(struct ublk_device *ub, struct io_uring_cmd *cmd) { const struct ublksrv_ctrl_cmd *header = io_uring_sqe_cmd(cmd->sqe); int ret = -EINVAL; - int i; mutex_lock(&ub->mutex); if (ublk_nosrv_should_stop_dev(ub)) goto out_unlock; - if (!ub->nr_queues_ready) - goto out_unlock; /* * START_RECOVERY is only allowd after: * @@ -2925,12 +2967,6 @@ static int ublk_ctrl_start_recovery(struct ublk_device *ub, goto out_unlock; } pr_devel("%s: start recovery for dev id %d.\n", __func__, header->dev_id); - for (i = 0; i < ub->dev_info.nr_hw_queues; i++) - ublk_queue_reinit(ub, ublk_get_queue(ub, i)); - /* set to NULL, otherwise new ubq_daemon cannot mmap the io_cmd_buf */ - ub->mm = NULL; - ub->nr_queues_ready = 0; - ub->nr_privileged_daemon = 0; init_completion(&ub->completion); ret = 0; out_unlock: @@ -2944,7 +2980,6 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub, const struct ublksrv_ctrl_cmd *header = io_uring_sqe_cmd(cmd->sqe); int ublksrv_pid = (int)header->data[0]; int ret = -EINVAL; - int i; pr_devel("%s: Waiting for new ubq_daemons(nr: %d) are ready, dev id %d...\n", __func__, ub->dev_info.nr_hw_queues, header->dev_id); @@ -2964,22 +2999,10 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub, goto out_unlock; } ub->dev_info.ublksrv_pid = ublksrv_pid; + ub->dev_info.state = UBLK_S_DEV_LIVE; pr_devel("%s: new ublksrv_pid %d, dev id %d\n", __func__, ublksrv_pid, header->dev_id); - - blk_mq_quiesce_queue(ub->ub_disk->queue); - ub->dev_info.state = UBLK_S_DEV_LIVE; - for (i = 0; i < ub->dev_info.nr_hw_queues; i++) { - struct ublk_queue *ubq = ublk_get_queue(ub, i); - - ubq->canceling = false; - ubq->fail_io = false; - } - blk_mq_unquiesce_queue(ub->ub_disk->queue); - pr_devel("%s: queue unquiesced, dev id %d.\n", - __func__, header->dev_id); blk_mq_kick_requeue_list(ub->ub_disk->queue); - ret = 0; out_unlock: mutex_unlock(&ub->mutex); -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v1 2/7] ublk: properly serialize all FETCH_REQs

by Jared Holzman

From: Uday Shankar <ushankar(a)purestorage.com> Most uring_cmds issued against ublk character devices are serialized because each command affects only one queue, and there is an early check which only allows a single task (the queue's ubq_daemon) to issue uring_cmds against that queue. However, this mechanism does not work for FETCH_REQs, since they are expected before ubq_daemon is set. Since FETCH_REQs are only used at initialization and not in the fast path, serialize them using the per-ublk-device mutex. This fixes a number of data races that were previously possible if a badly behaved ublk server decided to issue multiple FETCH_REQs against the same qid/tag concurrently. Reported-by: Caleb Sander Mateos <csander(a)purestorage.com> Signed-off-by: Uday Shankar <ushankar(a)purestorage.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250416035444.99569-2-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 77 +++++++++++++++++++++++++--------------- 1 file changed, 49 insertions(+), 28 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 4e81505179c6..9345a6d8dbd8 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -1803,8 +1803,8 @@ static void ublk_nosrv_work(struct work_struct *work) /* device can only be started after all IOs are ready */ static void ublk_mark_io_ready(struct ublk_device *ub, struct ublk_queue *ubq) + __must_hold(&ub->mutex) { - mutex_lock(&ub->mutex); ubq->nr_io_ready++; if (ublk_queue_ready(ubq)) { ubq->ubq_daemon = current; @@ -1816,7 +1816,6 @@ static void ublk_mark_io_ready(struct ublk_device *ub, struct ublk_queue *ubq) } if (ub->nr_queues_ready == ub->dev_info.nr_hw_queues) complete_all(&ub->completion); - mutex_unlock(&ub->mutex); } static inline int ublk_check_cmd_op(u32 cmd_op) @@ -1855,6 +1854,52 @@ static inline void ublk_prep_cancel(struct io_uring_cmd *cmd, io_uring_cmd_mark_cancelable(cmd, issue_flags); } +static int ublk_fetch(struct io_uring_cmd *cmd, struct ublk_queue *ubq, + struct ublk_io *io, __u64 buf_addr) +{ + struct ublk_device *ub = ubq->dev; + int ret = 0; + + /* + * When handling FETCH command for setting up ublk uring queue, + * ub->mutex is the innermost lock, and we won't block for handling + * FETCH, so it is fine even for IO_URING_F_NONBLOCK. + */ + mutex_lock(&ub->mutex); + /* UBLK_IO_FETCH_REQ is only allowed before queue is setup */ + if (ublk_queue_ready(ubq)) { + ret = -EBUSY; + goto out; + } + + /* allow each command to be FETCHed at most once */ + if (io->flags & UBLK_IO_FLAG_ACTIVE) { + ret = -EINVAL; + goto out; + } + + WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV); + + if (ublk_need_map_io(ubq)) { + /* + * FETCH_RQ has to provide IO buffer if NEED GET + * DATA is not enabled + */ + if (!buf_addr && !ublk_need_get_data(ubq)) + goto out; + } else if (buf_addr) { + /* User copy requires addr to be unset */ + ret = -EINVAL; + goto out; + } + + ublk_fill_io_cmd(io, cmd, buf_addr); + ublk_mark_io_ready(ub, ubq); +out: + mutex_unlock(&ub->mutex); + return ret; +} + static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags, const struct ublksrv_io_cmd *ub_cmd) @@ -1907,33 +1952,9 @@ static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd, ret = -EINVAL; switch (_IOC_NR(cmd_op)) { case UBLK_IO_FETCH_REQ: - /* UBLK_IO_FETCH_REQ is only allowed before queue is setup */ - if (ublk_queue_ready(ubq)) { - ret = -EBUSY; - goto out; - } - /* - * The io is being handled by server, so COMMIT_RQ is expected - * instead of FETCH_REQ - */ - if (io->flags & UBLK_IO_FLAG_OWNED_BY_SRV) - goto out; - - if (ublk_need_map_io(ubq)) { - /* - * FETCH_RQ has to provide IO buffer if NEED GET - * DATA is not enabled - */ - if (!ub_cmd->addr && !ublk_need_get_data(ubq)) - goto out; - } else if (ub_cmd->addr) { - /* User copy requires addr to be unset */ - ret = -EINVAL; + ret = ublk_fetch(cmd, ubq, io, ub_cmd->addr); + if (ret) goto out; - } - - ublk_fill_io_cmd(io, cmd, ub_cmd->addr); - ublk_mark_io_ready(ub, ubq); break; case UBLK_IO_COMMIT_AND_FETCH_REQ: req = blk_mq_tag_to_rq(ub->tag_set.tags[ub_cmd->q_id], tag); -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v1 1/7] ublk: add helper of ublk_need_map_io()

by Jared Holzman

From: Ming Lei <ming.lei(a)redhat.com> ublk_need_map_io() is more readable. Reviewed-by: Caleb Sander Mateos <csander(a)purestorage.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250327095123.179113-5-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- drivers/block/ublk_drv.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index ab06a7a064fb..4e81505179c6 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -594,6 +594,11 @@ static inline bool ublk_support_user_copy(const struct ublk_queue *ubq) return ubq->flags & UBLK_F_USER_COPY; } +static inline bool ublk_need_map_io(const struct ublk_queue *ubq) +{ + return !ublk_support_user_copy(ubq); +} + static inline bool ublk_need_req_ref(const struct ublk_queue *ubq) { /* @@ -921,7 +926,7 @@ static int ublk_map_io(const struct ublk_queue *ubq, const struct request *req, { const unsigned int rq_bytes = blk_rq_bytes(req); - if (ublk_support_user_copy(ubq)) + if (!ublk_need_map_io(ubq)) return rq_bytes; /* @@ -945,7 +950,7 @@ static int ublk_unmap_io(const struct ublk_queue *ubq, { const unsigned int rq_bytes = blk_rq_bytes(req); - if (ublk_support_user_copy(ubq)) + if (!ublk_need_map_io(ubq)) return rq_bytes; if (ublk_need_unmap_req(req)) { @@ -1914,7 +1919,7 @@ static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd, if (io->flags & UBLK_IO_FLAG_OWNED_BY_SRV) goto out; - if (!ublk_support_user_copy(ubq)) { + if (ublk_need_map_io(ubq)) { /* * FETCH_RQ has to provide IO buffer if NEED GET * DATA is not enabled @@ -1936,7 +1941,7 @@ static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd, if (!(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV)) goto out; - if (!ublk_support_user_copy(ubq)) { + if (ublk_need_map_io(ubq)) { /* * COMMIT_AND_FETCH_REQ has to provide IO buffer if * NEED GET DATA is not enabled or it is Read IO. -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH AUTOSEL 5.4 1/3] pinctrl: meson: define the pull up/down resistor value as 60 kOhm

by Sasha Levin

From: Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> [ Upstream commit e56088a13708757da68ad035269d69b93ac8c389 ] The public datasheets of the following Amlogic SoCs describe a typical resistor value for the built-in pull up/down resistor: - Meson8/8b/8m2: not documented - GXBB (S905): 60 kOhm - GXL (S905X): 60 kOhm - GXM (S912): 60 kOhm - G12B (S922X): 60 kOhm - SM1 (S905D3): 60 kOhm The public G12B and SM1 datasheets additionally state min and max values: - min value: 50 kOhm for both, pull-up and pull-down - max value for the pull-up: 70 kOhm - max value for the pull-down: 130 kOhm Use 60 kOhm in the pinctrl-meson driver as well so it's shown in the debugfs output. It may not be accurate for Meson8/8b/8m2 but in reality 60 kOhm is closer to the actual value than 1 Ohm. Signed-off-by: Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://lore.kernel.org/20250329190132.855196-1-martin.blumenstingl@googlem… Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/pinctrl/meson/pinctrl-meson.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pinctrl/meson/pinctrl-meson.c b/drivers/pinctrl/meson/pinctrl-meson.c index aba479a1150c8..f3b381370e5ed 100644 --- a/drivers/pinctrl/meson/pinctrl-meson.c +++ b/drivers/pinctrl/meson/pinctrl-meson.c @@ -480,7 +480,7 @@ static int meson_pinconf_get(struct pinctrl_dev *pcdev, unsigned int pin, case PIN_CONFIG_BIAS_PULL_DOWN: case PIN_CONFIG_BIAS_PULL_UP: if (meson_pinconf_get_pull(pc, pin) == param) - arg = 1; + arg = 60000; else return -EINVAL; break; -- 2.39.5

8 months, 1 week

1
2
0 0

[PATCH AUTOSEL 5.10 1/4] pinctrl: meson: define the pull up/down resistor value as 60 kOhm

by Sasha Levin

From: Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> [ Upstream commit e56088a13708757da68ad035269d69b93ac8c389 ] The public datasheets of the following Amlogic SoCs describe a typical resistor value for the built-in pull up/down resistor: - Meson8/8b/8m2: not documented - GXBB (S905): 60 kOhm - GXL (S905X): 60 kOhm - GXM (S912): 60 kOhm - G12B (S922X): 60 kOhm - SM1 (S905D3): 60 kOhm The public G12B and SM1 datasheets additionally state min and max values: - min value: 50 kOhm for both, pull-up and pull-down - max value for the pull-up: 70 kOhm - max value for the pull-down: 130 kOhm Use 60 kOhm in the pinctrl-meson driver as well so it's shown in the debugfs output. It may not be accurate for Meson8/8b/8m2 but in reality 60 kOhm is closer to the actual value than 1 Ohm. Signed-off-by: Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://lore.kernel.org/20250329190132.855196-1-martin.blumenstingl@googlem… Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/pinctrl/meson/pinctrl-meson.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pinctrl/meson/pinctrl-meson.c b/drivers/pinctrl/meson/pinctrl-meson.c index 20683cd072bb0..ae72edba8a1f0 100644 --- a/drivers/pinctrl/meson/pinctrl-meson.c +++ b/drivers/pinctrl/meson/pinctrl-meson.c @@ -483,7 +483,7 @@ static int meson_pinconf_get(struct pinctrl_dev *pcdev, unsigned int pin, case PIN_CONFIG_BIAS_PULL_DOWN: case PIN_CONFIG_BIAS_PULL_UP: if (meson_pinconf_get_pull(pc, pin) == param) - arg = 1; + arg = 60000; else return -EINVAL; break; -- 2.39.5

8 months, 1 week

1
3
0 0

[PATCH AUTOSEL 5.15 1/5] ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()

by Sasha Levin

From: Chenyuan Yang <chenyuan0y(a)gmail.com> [ Upstream commit a9a69c3b38c89d7992fb53db4abb19104b531d32 ] Incorrect types are used as sizeof() arguments in devm_kcalloc(). It should be sizeof(dai_link_data) for link_data instead of sizeof(snd_soc_dai_link). This is found by our static analysis tool. Signed-off-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Link: https://patch.msgid.link/20250406210854.149316-1-chenyuan0y@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/fsl/imx-card.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c index 2b64c0384b6bb..9b14cda56b068 100644 --- a/sound/soc/fsl/imx-card.c +++ b/sound/soc/fsl/imx-card.c @@ -517,7 +517,7 @@ static int imx_card_parse_of(struct imx_card_data *data) if (!card->dai_link) return -ENOMEM; - data->link_data = devm_kcalloc(dev, num_links, sizeof(*link), GFP_KERNEL); + data->link_data = devm_kcalloc(dev, num_links, sizeof(*link_data), GFP_KERNEL); if (!data->link_data) return -ENOMEM; -- 2.39.5

8 months, 1 week

1
4
0 0

[PATCH AUTOSEL 6.1 1/6] ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()

by Sasha Levin

From: Chenyuan Yang <chenyuan0y(a)gmail.com> [ Upstream commit a9a69c3b38c89d7992fb53db4abb19104b531d32 ] Incorrect types are used as sizeof() arguments in devm_kcalloc(). It should be sizeof(dai_link_data) for link_data instead of sizeof(snd_soc_dai_link). This is found by our static analysis tool. Signed-off-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Link: https://patch.msgid.link/20250406210854.149316-1-chenyuan0y@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/fsl/imx-card.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c index c6d55b21f9496..11430f9f49968 100644 --- a/sound/soc/fsl/imx-card.c +++ b/sound/soc/fsl/imx-card.c @@ -517,7 +517,7 @@ static int imx_card_parse_of(struct imx_card_data *data) if (!card->dai_link) return -ENOMEM; - data->link_data = devm_kcalloc(dev, num_links, sizeof(*link), GFP_KERNEL); + data->link_data = devm_kcalloc(dev, num_links, sizeof(*link_data), GFP_KERNEL); if (!data->link_data) return -ENOMEM; -- 2.39.5

8 months, 1 week

1
5
0 0

[PATCH AUTOSEL 6.6 01/12] ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()

by Sasha Levin

From: Chenyuan Yang <chenyuan0y(a)gmail.com> [ Upstream commit a9a69c3b38c89d7992fb53db4abb19104b531d32 ] Incorrect types are used as sizeof() arguments in devm_kcalloc(). It should be sizeof(dai_link_data) for link_data instead of sizeof(snd_soc_dai_link). This is found by our static analysis tool. Signed-off-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Link: https://patch.msgid.link/20250406210854.149316-1-chenyuan0y@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/fsl/imx-card.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c index 7128bcf3a743e..bb304de5cc38a 100644 --- a/sound/soc/fsl/imx-card.c +++ b/sound/soc/fsl/imx-card.c @@ -517,7 +517,7 @@ static int imx_card_parse_of(struct imx_card_data *data) if (!card->dai_link) return -ENOMEM; - data->link_data = devm_kcalloc(dev, num_links, sizeof(*link), GFP_KERNEL); + data->link_data = devm_kcalloc(dev, num_links, sizeof(*link_data), GFP_KERNEL); if (!data->link_data) return -ENOMEM; -- 2.39.5

8 months, 1 week

1
11
0 0

[PATCH AUTOSEL 6.12 01/18] ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()

by Sasha Levin

From: Chenyuan Yang <chenyuan0y(a)gmail.com> [ Upstream commit a9a69c3b38c89d7992fb53db4abb19104b531d32 ] Incorrect types are used as sizeof() arguments in devm_kcalloc(). It should be sizeof(dai_link_data) for link_data instead of sizeof(snd_soc_dai_link). This is found by our static analysis tool. Signed-off-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Link: https://patch.msgid.link/20250406210854.149316-1-chenyuan0y@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/fsl/imx-card.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c index 93dbe40008c00..e5ae435171d68 100644 --- a/sound/soc/fsl/imx-card.c +++ b/sound/soc/fsl/imx-card.c @@ -516,7 +516,7 @@ static int imx_card_parse_of(struct imx_card_data *data) if (!card->dai_link) return -ENOMEM; - data->link_data = devm_kcalloc(dev, num_links, sizeof(*link), GFP_KERNEL); + data->link_data = devm_kcalloc(dev, num_links, sizeof(*link_data), GFP_KERNEL); if (!data->link_data) return -ENOMEM; -- 2.39.5

8 months, 1 week

1
17
0 0

[PATCH AUTOSEL 6.14 01/20] ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of()

by Sasha Levin

From: Chenyuan Yang <chenyuan0y(a)gmail.com> [ Upstream commit a9a69c3b38c89d7992fb53db4abb19104b531d32 ] Incorrect types are used as sizeof() arguments in devm_kcalloc(). It should be sizeof(dai_link_data) for link_data instead of sizeof(snd_soc_dai_link). This is found by our static analysis tool. Signed-off-by: Chenyuan Yang <chenyuan0y(a)gmail.com> Link: https://patch.msgid.link/20250406210854.149316-1-chenyuan0y@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/fsl/imx-card.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c index 21f617f6f9fa8..566214cb3d60c 100644 --- a/sound/soc/fsl/imx-card.c +++ b/sound/soc/fsl/imx-card.c @@ -543,7 +543,7 @@ static int imx_card_parse_of(struct imx_card_data *data) if (!card->dai_link) return -ENOMEM; - data->link_data = devm_kcalloc(dev, num_links, sizeof(*link), GFP_KERNEL); + data->link_data = devm_kcalloc(dev, num_links, sizeof(*link_data), GFP_KERNEL); if (!data->link_data) return -ENOMEM; -- 2.39.5

8 months, 1 week

1
19
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror