- Linux-stable-mirror - lists.linaro.org

[merged mm-hotfixes-stable] nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix missing cleanup on rollforward recovery error has been removed from the -mm tree. Its filename was nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix missing cleanup on rollforward recovery error Date: Sat, 10 Aug 2024 15:52:42 +0900 In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts. Link: https://lkml.kernel.org/r/20240810065242.3701-1-konishi.ryusuke@gmail.com Fixes: 0f3e1c7f23f8 ("nilfs2: recovery functions") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/recovery.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) --- a/fs/nilfs2/recovery.c~nilfs2-fix-missing-cleanup-on-rollforward-recovery-error +++ a/fs/nilfs2/recovery.c @@ -716,6 +716,33 @@ static void nilfs_finish_roll_forward(st } /** + * nilfs_abort_roll_forward - cleaning up after a failed rollforward recovery + * @nilfs: nilfs object + */ +static void nilfs_abort_roll_forward(struct the_nilfs *nilfs) +{ + struct nilfs_inode_info *ii, *n; + LIST_HEAD(head); + + /* Abandon inodes that have read recovery data */ + spin_lock(&nilfs->ns_inode_lock); + list_splice_init(&nilfs->ns_dirty_files, &head); + spin_unlock(&nilfs->ns_inode_lock); + if (list_empty(&head)) + return; + + set_nilfs_purging(nilfs); + list_for_each_entry_safe(ii, n, &head, i_dirty) { + spin_lock(&nilfs->ns_inode_lock); + list_del_init(&ii->i_dirty); + spin_unlock(&nilfs->ns_inode_lock); + + iput(&ii->vfs_inode); + } + clear_nilfs_purging(nilfs); +} + +/** * nilfs_salvage_orphan_logs - salvage logs written after the latest checkpoint * @nilfs: nilfs object * @sb: super block instance @@ -773,15 +800,19 @@ int nilfs_salvage_orphan_logs(struct the if (unlikely(err)) { nilfs_err(sb, "error %d writing segment for recovery", err); - goto failed; + goto put_root; } nilfs_finish_roll_forward(nilfs, ri); } - failed: +put_root: nilfs_put_root(root); return err; + +failed: + nilfs_abort_roll_forward(nilfs); + goto put_root; } /** _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-add-support-for-fs_ioc_getuuid.patch nilfs2-add-support-for-fs_ioc_getfssysfspath.patch nilfs2-add-support-for-fs_ioc_getfslabel.patch nilfs2-add-support-for-fs_ioc_setfslabel.patch nilfs2-do-not-output-warnings-when-clearing-dirty-buffers.patch nilfs2-add-missing-argument-description-for-__nilfs_error.patch nilfs2-add-missing-argument-descriptions-for-ioctl-related-helpers.patch nilfs2-improve-kernel-doc-comments-for-b-tree-node-helpers.patch nilfs2-fix-incorrect-kernel-doc-declaration-of-nilfs_palloc_req-structure.patch nilfs2-add-missing-description-of-nilfs_btree_path-structure.patch nilfs2-describe-the-members-of-nilfs_bmap_operations-structure.patch nilfs2-fix-inconsistencies-in-kernel-doc-comments-in-segmenth.patch nilfs2-fix-missing-initial-short-descriptions-of-kernel-doc-comments.patch nilfs2-treat-missing-sufile-header-block-as-metadata-corruption.patch nilfs2-treat-missing-cpfile-header-block-as-metadata-corruption.patch nilfs2-do-not-propagate-enoent-error-from-sufile-during-recovery.patch nilfs2-do-not-propagate-enoent-error-from-sufile-during-gc.patch nilfs2-do-not-propagate-enoent-error-from-nilfs_sufile_mark_dirty.patch nilfs2-use-the-bits_per_long-macro.patch nilfs2-separate-inode-type-information-from-i_state-field.patch nilfs2-eliminate-the-shared-counter-and-spinlock-for-i_generation.patch nilfs2-do-not-repair-reserved-inode-bitmap-in-nilfs_new_inode.patch nilfs2-remove-sc_timer_task.patch nilfs2-use-kthread_create-and-kthread_stop-for-the-log-writer-thread.patch nilfs2-refactor-nilfs_segctor_thread.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-protect-references-to-superblock-parameters-exposed-in-sysfs.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: protect references to superblock parameters exposed in sysfs has been removed from the -mm tree. Its filename was nilfs2-protect-references-to-superblock-parameters-exposed-in-sysfs.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: protect references to superblock parameters exposed in sysfs Date: Sun, 11 Aug 2024 19:03:20 +0900 The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore "nilfs->ns_sem". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it. Link: https://lkml.kernel.org/r/20240811100320.9913-1-konishi.ryusuke@gmail.com Fixes: da7141fb78db ("nilfs2: add /sys/fs/nilfs2/<device> group") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/sysfs.c | 43 +++++++++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 10 deletions(-) --- a/fs/nilfs2/sysfs.c~nilfs2-protect-references-to-superblock-parameters-exposed-in-sysfs +++ a/fs/nilfs2/sysfs.c @@ -836,9 +836,15 @@ ssize_t nilfs_dev_revision_show(struct n struct the_nilfs *nilfs, char *buf) { - struct nilfs_super_block **sbp = nilfs->ns_sbp; - u32 major = le32_to_cpu(sbp[0]->s_rev_level); - u16 minor = le16_to_cpu(sbp[0]->s_minor_rev_level); + struct nilfs_super_block *raw_sb; + u32 major; + u16 minor; + + down_read(&nilfs->ns_sem); + raw_sb = nilfs->ns_sbp[0]; + major = le32_to_cpu(raw_sb->s_rev_level); + minor = le16_to_cpu(raw_sb->s_minor_rev_level); + up_read(&nilfs->ns_sem); return sysfs_emit(buf, "%d.%d\n", major, minor); } @@ -856,8 +862,13 @@ ssize_t nilfs_dev_device_size_show(struc struct the_nilfs *nilfs, char *buf) { - struct nilfs_super_block **sbp = nilfs->ns_sbp; - u64 dev_size = le64_to_cpu(sbp[0]->s_dev_size); + struct nilfs_super_block *raw_sb; + u64 dev_size; + + down_read(&nilfs->ns_sem); + raw_sb = nilfs->ns_sbp[0]; + dev_size = le64_to_cpu(raw_sb->s_dev_size); + up_read(&nilfs->ns_sem); return sysfs_emit(buf, "%llu\n", dev_size); } @@ -879,9 +890,15 @@ ssize_t nilfs_dev_uuid_show(struct nilfs struct the_nilfs *nilfs, char *buf) { - struct nilfs_super_block **sbp = nilfs->ns_sbp; + struct nilfs_super_block *raw_sb; + ssize_t len; + + down_read(&nilfs->ns_sem); + raw_sb = nilfs->ns_sbp[0]; + len = sysfs_emit(buf, "%pUb\n", raw_sb->s_uuid); + up_read(&nilfs->ns_sem); - return sysfs_emit(buf, "%pUb\n", sbp[0]->s_uuid); + return len; } static @@ -889,10 +906,16 @@ ssize_t nilfs_dev_volume_name_show(struc struct the_nilfs *nilfs, char *buf) { - struct nilfs_super_block **sbp = nilfs->ns_sbp; + struct nilfs_super_block *raw_sb; + ssize_t len; + + down_read(&nilfs->ns_sem); + raw_sb = nilfs->ns_sbp[0]; + len = scnprintf(buf, sizeof(raw_sb->s_volume_name), "%s\n", + raw_sb->s_volume_name); + up_read(&nilfs->ns_sem); - return scnprintf(buf, sizeof(sbp[0]->s_volume_name), "%s\n", - sbp[0]->s_volume_name); + return len; } static const char dev_readme_str[] = _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-add-support-for-fs_ioc_getuuid.patch nilfs2-add-support-for-fs_ioc_getfssysfspath.patch nilfs2-add-support-for-fs_ioc_getfslabel.patch nilfs2-add-support-for-fs_ioc_setfslabel.patch nilfs2-do-not-output-warnings-when-clearing-dirty-buffers.patch nilfs2-add-missing-argument-description-for-__nilfs_error.patch nilfs2-add-missing-argument-descriptions-for-ioctl-related-helpers.patch nilfs2-improve-kernel-doc-comments-for-b-tree-node-helpers.patch nilfs2-fix-incorrect-kernel-doc-declaration-of-nilfs_palloc_req-structure.patch nilfs2-add-missing-description-of-nilfs_btree_path-structure.patch nilfs2-describe-the-members-of-nilfs_bmap_operations-structure.patch nilfs2-fix-inconsistencies-in-kernel-doc-comments-in-segmenth.patch nilfs2-fix-missing-initial-short-descriptions-of-kernel-doc-comments.patch nilfs2-treat-missing-sufile-header-block-as-metadata-corruption.patch nilfs2-treat-missing-cpfile-header-block-as-metadata-corruption.patch nilfs2-do-not-propagate-enoent-error-from-sufile-during-recovery.patch nilfs2-do-not-propagate-enoent-error-from-sufile-during-gc.patch nilfs2-do-not-propagate-enoent-error-from-nilfs_sufile_mark_dirty.patch nilfs2-use-the-bits_per_long-macro.patch nilfs2-separate-inode-type-information-from-i_state-field.patch nilfs2-eliminate-the-shared-counter-and-spinlock-for-i_generation.patch nilfs2-do-not-repair-reserved-inode-bitmap-in-nilfs_new_inode.patch nilfs2-remove-sc_timer_task.patch nilfs2-use-kthread_create-and-kthread_stop-for-the-log-writer-thread.patch nilfs2-refactor-nilfs_segctor_thread.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] userfaultfd-dont-bug_on-if-khugepaged-yanks-our-page-table.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: userfaultfd: don't BUG_ON() if khugepaged yanks our page table has been removed from the -mm tree. Its filename was userfaultfd-dont-bug_on-if-khugepaged-yanks-our-page-table.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jann Horn <jannh(a)google.com> Subject: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Date: Tue, 13 Aug 2024 22:25:22 +0200 Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding "if (unlikely(...))" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected. Link: https://lkml.kernel.org/r/20240813-uffd-thp-flip-fix-v2-2-5efa61078a41@goog… Fixes: 1d65b771bc08 ("mm/khugepaged: retract_page_tables() without mmap or vma lock") Signed-off-by: Jann Horn <jannh(a)google.com> Reviewed-by: Qi Zheng <zhengqi.arch(a)bytedance.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Pavel Emelyanov <xemul(a)virtuozzo.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/userfaultfd.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/mm/userfaultfd.c~userfaultfd-dont-bug_on-if-khugepaged-yanks-our-page-table +++ a/mm/userfaultfd.c @@ -807,9 +807,10 @@ retry: err = -EFAULT; break; } - - BUG_ON(pmd_none(*dst_pmd)); - BUG_ON(pmd_trans_huge(*dst_pmd)); + /* + * For shmem mappings, khugepaged is allowed to remove page + * tables under us; pte_offset_map_lock() will deal with that. + */ err = mfill_atomic_pte(dst_pmd, dst_vma, dst_addr, src_addr, flags, &folio); _ Patches currently in -mm which might be from jannh(a)google.com are mm-fix-harmless-type-confusion-in-lock_vma_under_rcu.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] userfaultfd-fix-checks-for-huge-pmds.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: userfaultfd: fix checks for huge PMDs has been removed from the -mm tree. Its filename was userfaultfd-fix-checks-for-huge-pmds.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jann Horn <jannh(a)google.com> Subject: userfaultfd: fix checks for huge PMDs Date: Tue, 13 Aug 2024 22:25:21 +0200 Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ <zap PMD> pmdp_get_lockless() [reads none pmd] <bail if trans_huge> <if none:> <pagefault creates transhuge zeropage> __pte_alloc [no-op] <zap PMD> <bail if pmd_trans_huge(*dst_pmd)> BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow pte_offset_map[_lock]() to fail"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no "struct page" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding "struct page" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels. Link: https://lkml.kernel.org/r/20240813-uffd-thp-flip-fix-v2-0-5efa61078a41@goog… Link: https://lkml.kernel.org/r/20240813-uffd-thp-flip-fix-v2-1-5efa61078a41@goog… Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation") Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Pavel Emelyanov <xemul(a)virtuozzo.com> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/userfaultfd.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) --- a/mm/userfaultfd.c~userfaultfd-fix-checks-for-huge-pmds +++ a/mm/userfaultfd.c @@ -787,21 +787,23 @@ retry: } dst_pmdval = pmdp_get_lockless(dst_pmd); - /* - * If the dst_pmd is mapped as THP don't - * override it and just be strict. - */ - if (unlikely(pmd_trans_huge(dst_pmdval))) { - err = -EEXIST; - break; - } if (unlikely(pmd_none(dst_pmdval)) && unlikely(__pte_alloc(dst_mm, dst_pmd))) { err = -ENOMEM; break; } - /* If an huge pmd materialized from under us fail */ - if (unlikely(pmd_trans_huge(*dst_pmd))) { + dst_pmdval = pmdp_get_lockless(dst_pmd); + /* + * If the dst_pmd is THP don't override it and just be strict. + * (This includes the case where the PMD used to be THP and + * changed back to none after __pte_alloc().) + */ + if (unlikely(!pmd_present(dst_pmdval) || pmd_trans_huge(dst_pmdval) || + pmd_devmap(dst_pmdval))) { + err = -EEXIST; + break; + } + if (unlikely(pmd_bad(dst_pmdval))) { err = -EFAULT; break; } _ Patches currently in -mm which might be from jannh(a)google.com are mm-fix-harmless-type-confusion-in-lock_vma_under_rcu.patch

8 months

1
0
0 0

[merged mm-hotfixes-stable] mm-vmalloc-ensure-vmap_block-is-initialised-before-adding-to-queue.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmalloc: ensure vmap_block is initialised before adding to queue has been removed from the -mm tree. Its filename was mm-vmalloc-ensure-vmap_block-is-initialised-before-adding-to-queue.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Will Deacon <will(a)kernel.org> Subject: mm: vmalloc: ensure vmap_block is initialised before adding to queue Date: Mon, 12 Aug 2024 18:16:06 +0100 Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray. Link: https://lkml.kernel.org/r/20240812171606.17486-1-will@kernel.org Fixes: 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") Signed-off-by: Will Deacon <will(a)kernel.org> Reviewed-by: Baoquan He <bhe(a)redhat.com> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Cc: Hailong.Liu <hailong.liu(a)oppo.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Lorenzo Stoakes <lstoakes(a)gmail.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/vmalloc.c~mm-vmalloc-ensure-vmap_block-is-initialised-before-adding-to-queue +++ a/mm/vmalloc.c @@ -2626,6 +2626,7 @@ static void *new_vmap_block(unsigned int vb->dirty_max = 0; bitmap_set(vb->used_map, 0, (1UL << order)); INIT_LIST_HEAD(&vb->free_list); + vb->cpu = raw_smp_processor_id(); xa = addr_to_vb_xa(va->va_start); vb_idx = addr_to_vb_idx(va->va_start); @@ -2642,7 +2643,6 @@ static void *new_vmap_block(unsigned int * integrity together with list_for_each_rcu from read * side. */ - vb->cpu = raw_smp_processor_id(); vbq = per_cpu_ptr(&vmap_block_queue, vb->cpu); spin_lock(&vbq->lock); list_add_tail_rcu(&vb->free_list, &vbq->free); _ Patches currently in -mm which might be from will(a)kernel.org are

8 months

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-fix-build-errors-on-armhf.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests: mm: fix build errors on armhf has been removed from the -mm tree. Its filename was selftests-mm-fix-build-errors-on-armhf.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Subject: selftests: mm: fix build errors on armhf Date: Fri, 9 Aug 2024 13:25:11 +0500 The __NR_mmap isn't found on armhf. The mmap() is commonly available system call and its wrapper is present on all architectures. So it should be used directly. It solves problem for armhf and doesn't create problem for other architectures. Remove sys_mmap() functions as they aren't doing anything else other than calling mmap(). There is no need to set errno = 0 manually as glibc always resets it. For reference errors are as following: CC seal_elf seal_elf.c: In function 'sys_mmap': seal_elf.c:39:33: error: '__NR_mmap' undeclared (first use in this function) 39 | sret = (void *) syscall(__NR_mmap, addr, len, prot, | ^~~~~~~~~ mseal_test.c: In function 'sys_mmap': mseal_test.c:90:33: error: '__NR_mmap' undeclared (first use in this function) 90 | sret = (void *) syscall(__NR_mmap, addr, len, prot, | ^~~~~~~~~ Link: https://lkml.kernel.org/r/20240809082511.497266-1-usama.anjum@collabora.com Fixes: 4926c7a52de7 ("selftest mm/mseal memory sealing") Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: Jeff Xu <jeffxu(a)chromium.org> Cc: Kees Cook <kees(a)kernel.org> Cc: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/mseal_test.c | 37 +++++++--------------- tools/testing/selftests/mm/seal_elf.c | 13 ------- 2 files changed, 14 insertions(+), 36 deletions(-) --- a/tools/testing/selftests/mm/mseal_test.c~selftests-mm-fix-build-errors-on-armhf +++ a/tools/testing/selftests/mm/mseal_test.c @@ -81,17 +81,6 @@ static int sys_mprotect_pkey(void *ptr, return sret; } -static void *sys_mmap(void *addr, unsigned long len, unsigned long prot, - unsigned long flags, unsigned long fd, unsigned long offset) -{ - void *sret; - - errno = 0; - sret = (void *) syscall(__NR_mmap, addr, len, prot, - flags, fd, offset); - return sret; -} - static int sys_munmap(void *ptr, size_t size) { int sret; @@ -172,7 +161,7 @@ static void setup_single_address(int siz { void *ptr; - ptr = sys_mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + ptr = mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); *ptrOut = ptr; } @@ -181,7 +170,7 @@ static void setup_single_address_rw(int void *ptr; unsigned long mapflags = MAP_ANONYMOUS | MAP_PRIVATE; - ptr = sys_mmap(NULL, size, PROT_READ | PROT_WRITE, mapflags, -1, 0); + ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, mapflags, -1, 0); *ptrOut = ptr; } @@ -205,7 +194,7 @@ bool seal_support(void) void *ptr; unsigned long page_size = getpagesize(); - ptr = sys_mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + ptr = mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); if (ptr == (void *) -1) return false; @@ -481,8 +470,8 @@ static void test_seal_zero_address(void) int prot; /* use mmap to change protection. */ - ptr = sys_mmap(0, size, PROT_NONE, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + ptr = mmap(0, size, PROT_NONE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); FAIL_TEST_IF_FALSE(ptr == 0); size = get_vma_size(ptr, &prot); @@ -1209,8 +1198,8 @@ static void test_seal_mmap_overwrite_pro } /* use mmap to change protection. */ - ret2 = sys_mmap(ptr, size, PROT_NONE, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + ret2 = mmap(ptr, size, PROT_NONE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); if (seal) { FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED); FAIL_TEST_IF_FALSE(errno == EPERM); @@ -1240,8 +1229,8 @@ static void test_seal_mmap_expand(bool s } /* use mmap to expand. */ - ret2 = sys_mmap(ptr, size, PROT_READ, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + ret2 = mmap(ptr, size, PROT_READ, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); if (seal) { FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED); FAIL_TEST_IF_FALSE(errno == EPERM); @@ -1268,8 +1257,8 @@ static void test_seal_mmap_shrink(bool s } /* use mmap to shrink. */ - ret2 = sys_mmap(ptr, 8 * page_size, PROT_READ, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + ret2 = mmap(ptr, 8 * page_size, PROT_READ, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); if (seal) { FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED); FAIL_TEST_IF_FALSE(errno == EPERM); @@ -1650,7 +1639,7 @@ static void test_seal_discard_ro_anon_on ret = fallocate(fd, 0, 0, size); FAIL_TEST_IF_FALSE(!ret); - ptr = sys_mmap(NULL, size, PROT_READ, mapflags, fd, 0); + ptr = mmap(NULL, size, PROT_READ, mapflags, fd, 0); FAIL_TEST_IF_FALSE(ptr != MAP_FAILED); if (seal) { @@ -1680,7 +1669,7 @@ static void test_seal_discard_ro_anon_on int ret; unsigned long mapflags = MAP_ANONYMOUS | MAP_SHARED; - ptr = sys_mmap(NULL, size, PROT_READ, mapflags, -1, 0); + ptr = mmap(NULL, size, PROT_READ, mapflags, -1, 0); FAIL_TEST_IF_FALSE(ptr != (void *)-1); if (seal) { --- a/tools/testing/selftests/mm/seal_elf.c~selftests-mm-fix-build-errors-on-armhf +++ a/tools/testing/selftests/mm/seal_elf.c @@ -30,17 +30,6 @@ static int sys_mseal(void *start, size_t return sret; } -static void *sys_mmap(void *addr, unsigned long len, unsigned long prot, - unsigned long flags, unsigned long fd, unsigned long offset) -{ - void *sret; - - errno = 0; - sret = (void *) syscall(__NR_mmap, addr, len, prot, - flags, fd, offset); - return sret; -} - static inline int sys_mprotect(void *ptr, size_t size, unsigned long prot) { int sret; @@ -56,7 +45,7 @@ static bool seal_support(void) void *ptr; unsigned long page_size = getpagesize(); - ptr = sys_mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + ptr = mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); if (ptr == (void *) -1) return false; _ Patches currently in -mm which might be from usama.anjum(a)collabora.com are

8 months

1
0
0 0

[folded-merged] revert-mm-skip-cma-pages-when-they-are-not-available-update.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: revert-mm-skip-cma-pages-when-they-are-not-available-update has been removed from the -mm tree. Its filename was revert-mm-skip-cma-pages-when-they-are-not-available-update.patch This patch was dropped because it was folded into revert-mm-skip-cma-pages-when-they-are-not-available.patch ------------------------------------------------------ From: Usama Arif <usamaarif642(a)gmail.com> Subject: revert-mm-skip-cma-pages-when-they-are-not-available-update Date: Wed, 21 Aug 2024 20:26:07 +0100 also revert b7108d66318a ("Multi-gen LRU: skip CMA pages when they are not eligible"), per Johannes Link: https://lkml.kernel.org/r/9060a32d-b2d7-48c0-8626-1db535653c54@gmail.com Link: https://lkml.kernel.org/r/357ac325-4c61-497a-92a3-bdbd230d5ec9@gmail.com Fixes: 5da226dbfce3 ("mm: skip CMA pages when they are not available") Signed-off-by: Usama Arif <usamaarif642(a)gmail.com> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Bharata B Rao <bharata(a)amd.com> Cc: Breno Leitao <leitao(a)debian.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Rik van Riel <riel(a)surriel.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yu Zhao <yuzhao(a)google.com> Cc: Zhaoyang Huang <huangzhaoyang(a)gmail.com> Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) --- a/mm/vmscan.c~revert-mm-skip-cma-pages-when-they-are-not-available-update +++ a/mm/vmscan.c @@ -4253,25 +4253,6 @@ void lru_gen_soft_reclaim(struct mem_cgr #endif /* CONFIG_MEMCG */ -#ifdef CONFIG_CMA -/* - * It is waste of effort to scan and reclaim CMA pages if it is not available - * for current allocation context. Kswapd can not be enrolled as it can not - * distinguish this scenario by using sc->gfp_mask = GFP_KERNEL - */ -static bool skip_cma(struct folio *folio, struct scan_control *sc) -{ - return !current_is_kswapd() && - gfp_migratetype(sc->gfp_mask) != MIGRATE_MOVABLE && - folio_migratetype(folio) == MIGRATE_CMA; -} -#else -static bool skip_cma(struct folio *folio, struct scan_control *sc) -{ - return false; -} -#endif - /****************************************************************************** * the eviction ******************************************************************************/ @@ -4319,7 +4300,7 @@ static bool sort_folio(struct lruvec *lr } /* ineligible */ - if (zone > sc->reclaim_idx || skip_cma(folio, sc)) { + if (zone > sc->reclaim_idx) { gen = folio_inc_gen(lruvec, folio, false); list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]); return true; _ Patches currently in -mm which might be from usamaarif642(a)gmail.com are revert-mm-skip-cma-pages-when-they-are-not-available.patch mm-store-zero-pages-to-be-swapped-out-in-a-bitmap.patch mm-remove-code-to-handle-same-filled-pages.patch mm-introduce-a-pageflag-for-partially-mapped-folios.patch mm-split-underused-thps.patch mm-add-sysfs-entry-to-disable-splitting-underused-thps.patch

8 months

1
0
0 0

[PATCH 1/2] ARM: dts: imx6ul-geam: fix fsl,pins property in tscgrp pinctrl

by Krzysztof Kozlowski

The property is "fsl,pins", not "fsl,pin". Wrong property means the pin configuration was not applied. Fixes dtbs_check warnings: imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pins' is a required property imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+' Cc: <stable(a)vger.kernel.org> Fixes: a58e4e608bc8 ("ARM: dts: imx6ul-geam: Add Engicam IMX6UL GEA M6UL initial support") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts b/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts index cdbb8c435cd6..601d89b904cd 100644 --- a/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts +++ b/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts @@ -365,7 +365,7 @@ MX6UL_PAD_ENET1_RX_ER__PWM8_OUT 0x110b0 }; pinctrl_tsc: tscgrp { - fsl,pin = < + fsl,pins = < MX6UL_PAD_GPIO1_IO01__GPIO1_IO01 0xb0 MX6UL_PAD_GPIO1_IO02__GPIO1_IO02 0xb0 MX6UL_PAD_GPIO1_IO03__GPIO1_IO03 0xb0 -- 2.43.0

8 months

4
4
0 0

Re: [PATCH 6.10 000/149] 6.10.8-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

8 months

1
0
0 0

[PATCH 6.6 000/341] 6.6.48-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.48 release. There are 341 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.48-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.48-rc1 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Input: MT - limit max slots Jan Höppner <hoeppner(a)linux.ibm.com> Revert "s390/dasd: Establish DMA alignment" Mengyuan Lou <mengyuanlou(a)net-swift.com> net: ngbe: Fix phy mode set to external phy Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Boyuan Zhang <boyuan.zhang(a)amd.com> drm/amdgpu/vcn: not pause dpg for unified queue Boyuan Zhang <boyuan.zhang(a)amd.com> drm/amdgpu/vcn: identify unified queue in sw init NeilBrown <neilb(a)suse.de> NFSD: simplify error paths in nfsd_svc() Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Add a test to verify previous stacksafe() fix Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix a kernel verifier crash in stacksafe() Zi Yan <ziy(a)nvidia.com> mm/numa: no task_numa_fault() call if PTE is changed Zi Yan <ziy(a)nvidia.com> mm/numa: no task_numa_fault() call if PMD is changed Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Relax start tick time check for slave timer elements Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix qbv tx latency by setting gtxoffset Jianhua Lu <lujianhua000(a)gmail.com> drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/mdss: specify cfg bandwidth for SDM670 Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Eric Dumazet <edumazet(a)google.com> tcp: do not export tcp_twsk_purge() Jithu Joseph <jithu.joseph(a)intel.com> platform/x86/intel/ifs: Call release_firmware() when handling errors. Alex Hung <alex.hung(a)amd.com> Revert "drm/amd/display: Validate hw_points_num before using it" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: gadget: uvc: cleanup request when not in correct state" Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: check re-using ID of closed subflow Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: validate fullmesh endp on 1st sf Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: avoid possible UaF when selecting endp Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fullmesh: select the right ID later Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only in-kernel cannot have entries with ID 0 Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only decrement add_addr_accepted for MPJ req Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only mark 'subflow' endp as available Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: remove mptcp_pm_remove_subflow() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused flushed subflows Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused removed subflows Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused removed ADD_ADDR Dave Airlie <airlied(a)redhat.com> nouveau/firmware: use dma non-coherent allocator Peng Fan <peng.fan(a)nxp.com> pmdomain: imx: wait SSAR when i.MX93 power domain on Alexander Stein <alexander.stein(a)ew.tq-group.com> pmdomain: imx: scu-pd: Remove duplicated clocks Ben Whitten <ben.whitten(a)gmail.com> mmc: dw_mmc: allow biu and ciu clocks to defer Mengqi Zhang <mengqi.zhang(a)mediatek.com> mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Nikolay Kuratov <kniv(a)yandex-team.ru> cxgb4: add forgotten u64 ivlan cast before shift Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Defer calculation of resolution until resolution_code is known Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: Set timer mode in cpu-probe Martin Whitaker <foss(a)martin-whitaker.me.uk> net: dsa: microchip: fix PTP config failure when using multiple ports Candice Li <candice.li(a)amd.com> drm/amdgpu: Validate TA binary size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: the buffer of smb2 query dir response has at least 1 byte Chaotian Jing <chaotian.jing(a)mediatek.com> scsi: core: Fix the return value of scsi_logical_block_count() Griffin Kroah-Hartman <griffin(a)kroah.com> Bluetooth: MGMT: Add error handling to pair_device() Paulo Alcantara <pc(a)manguebit.com> smb: client: ignore unhandled reparse tags Dan Carpenter <dan.carpenter(a)linaro.org> mmc: mmc_test: Fix NULL dereference on allocation failure Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm: fix the highest_bank_bit for sc7180 Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/mdss: Handle the reg bus ICC path Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/mdss: Rename path references to mdp_path Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/mdss: switch mdss to use devm_of_icc_get() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: take plane rotation into account for wide planes Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: try multirect based on mdp clock limits Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: reset the link phy params before link training Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: capture snapshot on the first commit_done timeout Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: split dpu_encoder_wait_for_event into two functions Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: drop MSM_ENC_VBLANK support Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: fix the max supported bpp logic Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: don't play tricks with debug macros Menglong Dong <menglong8.dong(a)gmail.com> net: ovs: fix ovs_drop_reasons error Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix dangling multicast addresses Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Always disable promiscuous mode Bharat Bhushan <bbhushan2(a)marvell.com> octeontx2-af: Fix CPT AF register offset calculation Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: flowtable: validate vlan header Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible UAF in ip6_xmit() Eric Dumazet <edumazet(a)google.com> ipv6: fix possible UAF in ip6_finish_output2() Eric Dumazet <edumazet(a)google.com> ipv6: prevent UAF in ip6_send_skb() Felix Fietkau <nbd(a)nbd.name> udp: fix receiving fraglist GSO packets Stephen Hemminger <stephen(a)networkplumber.org> netem: fix return value if duplicate enqueue fails Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Fix out-of-bound access Paolo Abeni <pabeni(a)redhat.com> igb: cope with large MAX_SKB_FRAGS Dan Carpenter <dan.carpenter(a)linaro.org> dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix truesize operations for PAGE_SIZE >= 8192 Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix ICE_LAST_OFFSET formula Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix page reuse when PAGE_SIZE is over 8k Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm state handling when clearing active slave Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm real_dev null pointer dereference Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix null pointer deref in bond_ipsec_offload_ok Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix bond_ipsec_offload_ok return type Thomas Bogendoerfer <tbogendoerfer(a)suse.de> ip6_tunnel: Fix broken GRO Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). Kuniyuki Iwashima <kuniyu(a)amazon.com> kcm: Serialise kcm_sendmsg() for the same socket. Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: test: Use correct skb for route input check Florian Westphal <fw(a)strlen.de> tcp: prevent concurrent execution of tcp_sk_exit_batch Eric Dumazet <edumazet(a)google.com> tcp/dccp: do not care about families in inet_twsk_purge() Eric Dumazet <edumazet(a)google.com> tcp/dccp: bypass empty buckets in inet_twsk_purge() Hangbin Liu <liuhangbin(a)gmail.com> selftests: udpgro: report error when receive failed Simon Horman <horms(a)kernel.org> tc-testing: don't access non-existent variable on exception Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: serialize access to the injection/extraction groups Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix assumption of Central always being Initiator Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix LE quote calculation Lang Yu <Lang.Yu(a)amd.com> drm/amdkfd: reserve the BO before validating it Takashi Iwai <tiwai(a)suse.de> ALSA: hda/tas2781: Use correct endian conversion Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator: Fix warning when controller is destroyed in probe David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: command submission parser for JPEG Melissa Wen <mwen(a)igalia.com> drm/amd/display: fix cursor offset on rotation 180 Loan Chen <lo-an.chen(a)amd.com> drm/amd/display: Enable otg synchronization logic for DCN321 Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust cursor position Filipe Manana <fdmanana(a)suse.com> btrfs: send: allow cloning non-aligned extent if it ends at i_size David Sterba <dsterba(a)suse.com> btrfs: replace sb::s_blocksize by fs_info::sectorsize Hailong Liu <hailong.liu(a)oppo.com> mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Suren Baghdasaryan <surenb(a)google.com> change alloc_pages name in dma_map_ops to avoid name conflicts Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests: memfd_secret: don't build memfd_secret test on unsupported arches Ryan Roberts <ryan.roberts(a)arm.com> selftests/mm: log run_vmtests.sh results in TAP format Itaru Kitayama <itaru.kitayama(a)linux.dev> tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix endless reclaim on machines with unaccepted memory Mikulas Patocka <mpatocka(a)redhat.com> dm suspend: return -ERESTARTSYS instead of -EINTR Celeste Liu <coelacanthushex(a)gmail.com> riscv: entry: always initialize regs->a0 to -ENOSYS Sean Nyekjaer <sean(a)geanix.com> i2c: stm32f7: Add atomic_xfer method to driver Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: define xtree root and page independently Eric Dumazet <edumazet(a)google.com> gtp: pull network headers in gtp_dev_xmit() Keith Busch <kbusch(a)kernel.org> nvme: fix namespace removal list Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/skx_common: Allow decoding of SGX addresses Shannon Nelson <shannon.nelson(a)amd.com> ionic: check cmd_regs before copying in or out Shannon Nelson <shannon.nelson(a)amd.com> ionic: use pci_is_enabled not open code Phil Chang <phil.chang(a)mediatek.com> hrtimer: Prevent queuing of hrtimer without a function callback Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Keith Busch <kbusch(a)kernel.org> nvme: use srcu for iterating namespace list Jakub Sitnicki <jakub(a)cloudflare.com> Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem" Cupertino Miranda <cupertino.miranda(a)oracle.com> selftests/bpf: Fix a few tests for GCC related warnings. Sagi Grimberg <sagi(a)grimberg.me> nvmet-rdma: fix possible bad dereference when freeing rsps Baokun Li <libaokun1(a)huawei.com> ext4: set the type of max_zeroout to unsigned int to avoid overflow Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: dwc3: core: Skip setting event buffers for host only controllers Gergo Koteles <soyer(a)irl.hu> platform/x86: lg-laptop: fix %s null argument warning Adrian Hunter <adrian.hunter(a)intel.com> clocksource: Make watchdog and suspend-timing multiplication overflow safe Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Alexander Gordeev <agordeev(a)linux.ibm.com> s390/iucv: fix receive buffer virtual vs physical address confusion Oreoluwa Babatunde <quic_obabatun(a)quicinc.com> openrisc: Call setup_memory() earlier in the init sequence NeilBrown <neilb(a)suse.de> NFS: avoid infinite loop in pnfs_update_layout. Hannes Reinecke <hare(a)suse.de> nvmet-tcp: do not continue for invalid icreq Jian Shen <shenjian15(a)huawei.com> net: hns3: add checking for vf id of mailbox Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: nct3018y: fix possible NULL dereference Richard Fitzgerald <rf(a)opensource.cirrus.com> firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: bnep: Fix out-of-bound access Keith Busch <kbusch(a)kernel.org> nvme: clear caller pointer on identify failure Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: gadget: fsl: Increase size of name buffer for endpoints Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to do sanity check in update_sit_entry David Sterba <dsterba(a)suse.com> btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() David Sterba <dsterba(a)suse.com> btrfs: change BUG_ON to assertion in tree_move_down() David Sterba <dsterba(a)suse.com> btrfs: send: handle unexpected inode in header process_recorded_refs() David Sterba <dsterba(a)suse.com> btrfs: send: handle unexpected data in header buffer in begin_cmd() David Sterba <dsterba(a)suse.com> btrfs: handle invalid root reference found in may_destroy_subvol() David Sterba <dsterba(a)suse.com> btrfs: push errors up from add_async_extent() David Sterba <dsterba(a)suse.com> btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() David Sterba <dsterba(a)suse.com> btrfs: change BUG_ON to assertion when checking for delayed_node root David Sterba <dsterba(a)suse.com> btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves() David Sterba <dsterba(a)suse.com> btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() Michael Ellerman <mpe(a)ellerman.id.au> powerpc/boot: Only free if realloc() succeeds Li zeming <zeming(a)nfschina.com> powerpc/boot: Handle allocation failure in simple_realloc() Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: stop checkpoint when get a out-of-bounds segment David Howells <dhowells(a)redhat.com> rxrpc: Don't pick values out of the wire header when setting up security Helge Deller <deller(a)gmx.de> parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Christophe Kerello <christophe.kerello(a)foss.st.com> memory: stm32-fmc2-ebi: check regmap_read return value Kees Cook <keescook(a)chromium.org> x86: Increase brk randomness entropy for 64-bit systems Li Nan <linan122(a)huawei.com> md: clean up invalid BUG_ON in md_ioctl Eric Dumazet <edumazet(a)google.com> netlink: hold nlk->cb_mutex longer in __netlink_dump_start() Frederic Weisbecker <frederic(a)kernel.org> tick: Move got_idle_tick away from common flags Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> clocksource/drivers/arm_global_timer: Guard against division by zero Avri Kehat <akehat(a)habana.ai> accel/habanalabs: fix debugfs files permissions Stefan Hajnoczi <stefanha(a)redhat.com> virtiofs: forbid newlines in tags Costa Shulyupin <costa.shul(a)redhat.com> hrtimer: Select housekeeping CPU during migration Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: sysfs: extend the critical section for unregistering sysfs devices Erico Nunes <nunes.erico(a)gmail.com> drm/lima: set gp bus_stop bit before hard reset Kees Cook <keescook(a)chromium.org> net/sun3_82586: Avoid reading past buffer in debug output Shaul Triebitz <shaul.triebitz(a)intel.com> wifi: iwlwifi: mvm: avoid garbage iPN Philipp Stanner <pstanner(a)redhat.com> media: drivers/media/dvb-core: copy user arrays safely Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Max Filippov <jcmvbkbc(a)gmail.com> fs: binfmt_elf_efpic: don't use missing interpreter's properties Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: pci: cx23885: check cx23885_vdev_init() return Neel Natu <neelnatu(a)google.com> kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files Clément Léger <cleger(a)rivosinc.com> riscv: blacklist assembly symbols for kprobe Jan Kara <jack(a)suse.cz> quota: Remove BUG_ON from dqget() Jeff Johnson <quic_jjohnson(a)quicinc.com> wifi: ath12k: Add missing qmi_txn_cancel() calls Al Viro <viro(a)zeniv.linux.org.uk> fuse: fix UAF in rcu pathwalks Al Viro <viro(a)zeniv.linux.org.uk> afs: fix __afs_break_callback() / afs_drop_open_mmap() race Qu Wenruo <wqu(a)suse.com> btrfs: zlib: fix and simplify the inline extent decompression Baokun Li <libaokun1(a)huawei.com> ext4: do not trim the group with corrupted block bitmap Daniel Wagner <dwagner(a)suse.de> nvmet-trace: avoid dereferencing pointer too early Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/skx_common: Filter out the invalid address Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Refcounting fix in gfs2_thaw_super Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: hci_conn: Check non NULL function before calling for HFP offload Mimi Zohar <zohar(a)linux.ibm.com> evm: don't copy up 'security.evm' xattr Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Shannon Nelson <shannon.nelson(a)amd.com> ionic: no fw read when PCI reset failed Shannon Nelson <shannon.nelson(a)amd.com> ionic: prevent pci disable of already disabled device Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries/papr-sysparm: Validate buffer object lengths Kees Cook <keescook(a)chromium.org> hwmon: (pc87360) Bounds check data->innr usage Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Kunwu Chan <chentao(a)kylinos.cn> powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Ashish Mhetre <amhetre(a)nvidia.com> memory: tegra: Skip SID programming if SID registers aren't set Rob Clark <robdclark(a)chromium.org> drm/msm: Reduce fallout of fence signaling vs reclaim hangs Li Lingfeng <lilingfeng3(a)huawei.com> block: Fix lockdep warning in blk_mq_mark_tag_wait Samuel Holland <samuel.holland(a)sifive.com> arm64: Fix KASAN random tag seed initialization Nysal Jan K.A <nysal(a)linux.ibm.com> powerpc/topology: Check if a core is online Nysal Jan K.A <nysal(a)linux.ibm.com> cpu/SMT: Enable SMT only if a core is online Masahiro Yamada <masahiroy(a)kernel.org> rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Masahiro Yamada <masahiroy(a)kernel.org> rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Miguel Ojeda <ojeda(a)kernel.org> rust: work around `bindgen` 0.69.0 issue Antoniu Miclaus <antoniu.miclaus(a)analog.com> hwmon: (ltc2992) Avoid division by zero Chengfeng Ye <dg573847474(a)gmail.com> IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Gustavo A. R. Silva <gustavoars(a)kernel.org> clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Dmitry Antipov <dmantipov(a)yandex.ru> wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() Mukesh Sisodiya <mukesh.sisodiya(a)intel.com> wifi: iwlwifi: fw: Fix debugfs command sending Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: abort scan when rfkill on but device enabled Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: setattr_chown: Add missing initialization Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: flush STA queues on unauthorization Mike Christie <michael.christie(a)oracle.com> scsi: spi: Fix sshdr use Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend Richard Acayan <mailingradian(a)gmail.com> iommu/arm-smmu-qcom: Add SDM670 MDSS compatible Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: qcom: venus: fix incorrect return value Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: Zero-initialize iosys_map Christian Brauner <brauner(a)kernel.org> binfmt_misc: cleanup on filesystem umount Yu Kuai <yukuai3(a)huawei.com> md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log' farah kassabri <fkassabri(a)habana.ai> accel/habanalabs: fix bug in timestamp interrupt handling Tomer Tayar <ttayar(a)habana.ai> accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE Ofir Bitton <obitton(a)habana.ai> accel/habanalabs/gaudi2: unsecure tpc count registers Chengfeng Ye <dg573847474(a)gmail.com> media: s5p-mfc: Fix potential deadlock on condlock Jithu Joseph <jithu.joseph(a)intel.com> platform/x86/intel/ifs: Validate image size Chengfeng Ye <dg573847474(a)gmail.com> staging: ks7010: disable bh on tx_dev_lock Alex Hung <alex.hung(a)amd.com> drm/amd/display: Validate hw_points_num before using it Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: gadget: uvc: cleanup request when not in correct state Felix Fietkau <nbd(a)nbd.name> wifi: mt76: fix race condition related to checking tx queue fill status David Lechner <dlechner(a)baylibre.com> staging: iio: resolver: ad2s1210: fix use before initialization Dmitry Antipov <dmantipov(a)yandex.ru> wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: radio-isa: use dev_name to fill in bus_info Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Move dma unmapping after TLB flush Jarkko Nikula <jarkko.nikula(a)linux.intel.com> i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Jarkko Nikula <jarkko.nikula(a)linux.intel.com> i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out Manish Dharanenthiran <quic_mdharane(a)quicinc.com> wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: tc358768: Attempt to fix DSI horizontal timings Heiko Carstens <hca(a)linux.ibm.com> s390/smp,mcck: fix early IPI handling Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rtrs: Fix the problem of variable not initialized fully Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: riic: avoid potential division by zero Kamalesh Babulal <kamalesh.babulal(a)oracle.com> cgroup: Avoid extra dereference in css_populate_dir() Jeff Johnson <quic_jjohnson(a)quicinc.com> wifi: cw1200: Avoid processing an invalid TIM IE Yury Norov <yury.norov(a)gmail.com> sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu() Lorenzo Bianconi <lorenzo(a)kernel.org> net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats() Paul E. McKenney <paulmck(a)kernel.org> rcu: Eliminate rcu_gp_slow_unregister() false positive Zhen Lei <thunder.leizhen(a)huawei.com> rcu: Dump memory object info if callback function is invalid Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: fix recovery flow in CSA Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix BA session teardown race Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: check wiphy mutex is held for wdev mutex Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: lock wiphy in IP address notifier Ricardo Rivera-Matos <rriveram(a)opensource.cirrus.com> ASoC: cs35l45: Checks index of cs35l45_irqs[] Rand Deeb <rand.sec96(a)gmail.com> ssb: Fix division by zero issue in ssb_calc_clock_rate ZhenGuo Yin <zhenguo.yin(a)amd.com> drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime Lee Jones <lee(a)kernel.org> drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Alex Deucher <alexander.deucher(a)amd.com> drm/amd/pm: fix error flow in sensor fetching Parsa Poorshikhian <parsa.poorsh(a)gmail.com> ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Asmaa Mnebhi <asmaa(a)nvidia.com> gpio: mlxbf3: Support shutdown() function Jie Wang <wangjie125(a)huawei.com> net: hns3: fix a deadlock problem when config TC during resetting Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use the user's cfg after reset Jie Wang <wangjie125(a)huawei.com> net: hns3: fix wrong use of semaphore up Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: net: lib: kill PIDs before del netns Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: net: lib: ignore possible errors Cong Wang <cong.wang(a)bytedance.com> vsock: fix recursive ->recvmsg calls Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Introduce nf_tables_getobj_single Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: nft_obj_filter fits into cb->ctx Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: A better name for nft_obj_filter Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Unconditionally allocate nft_obj_filter Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log dump reset after the fact Florian Westphal <fw(a)strlen.de> netfilter: nf_queue: drop packets with cloned unconfirmed conntracks Donald Hunter <donald.hunter(a)gmail.com> netfilter: flowtable: initialise extack before use Tom Hughes <tom(a)compton.nu> netfilter: allow ipv6 fragments to arrive on different devices Subash Abhinov Kasiviswanathan <quic_subashab(a)quicinc.com> tcp: Update window clamping condition Eugene Syromiatnikov <esyr(a)redhat.com> mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size David Thompson <davthompson(a)nvidia.com> mlxbf_gige: disable RX filters until RX path initialized Zheng Zhang <everything411(a)qq.com> net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: check busy flag in MDIO operations Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: use read_poll_timeout instead delay loop Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: pass value in phy_write operation Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> net: axienet: Fix register defines comment description Dan Carpenter <dan.carpenter(a)linaro.org> atm: idt77252: prevent use after free in dequeue_rx() Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Correctly report errors for ethtool rx flows Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: Take state lock during tx timeout reporter Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix reset adapter logics when tx mode change Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix qbv_config_change_errors logics Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Leon Hwang <leon.hwang(a)linux.dev> bpf: Fix updating attached freplace prog in prog_array map Claudio Imbrenda <imbrenda(a)linux.ibm.com> s390/uv: Panic for set and remove shared access UVC errors Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/jpeg4: properly set atomics vmid field Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/jpeg2: properly set atomics vmid field Al Viro <viro(a)zeniv.linux.org.uk> memcg_write_event_control(): fix a user-triggerable oops Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> drm/amdgpu: Actually check flags for all context ops. Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: add dev extent item checks Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: properly take lock to read/update block group's zoned variables Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type Waiman Long <longman(a)redhat.com> mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Zhen Lei <thunder.leizhen(a)huawei.com> selinux: add the processing of the failure of avc_add_xperms_decision() Zhen Lei <thunder.leizhen(a)huawei.com> selinux: fix potential counting error in avc_add_xperms_decision() Max Kellermann <max.kellermann(a)ionos.com> fs/netfs/fscache_cookie: add missing "n_accesses" check Janne Grunau <j(a)jannau.net> wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Long Li <longli(a)microsoft.com> net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Fix RX buf alloc_size alignment and atomic op panic Dan Carpenter <dan.carpenter(a)linaro.org> rtla/osnoise: Prevent NULL dereference in error handling Andi Shyti <andi.shyti(a)kernel.org> i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Al Viro <viro(a)zeniv.linux.org.uk> fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Alexander Lobakin <aleksander.lobakin(a)intel.com> bitmap: introduce generic optimized bitmap_size() Alexander Lobakin <aleksander.lobakin(a)intel.com> btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() Alexander Lobakin <aleksander.lobakin(a)intel.com> s390/cio: rename bitmap_size() -> idset_bitmap_size() Alexander Lobakin <aleksander.lobakin(a)intel.com> fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() Zhihao Cheng <chengzhihao1(a)huawei.com> vfs: Don't evict inode under the inode lru traversing context Mikulas Patocka <mpatocka(a)redhat.com> dm persistent data: fix memory allocation failure Khazhismel Kumykov <khazhy(a)google.com> dm resume: don't return EINVAL when signalled Haibo Xu <haibo1.xu(a)intel.com> arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Evaluate _REG outside the EC scope more carefully Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Add a depth argument to acpi_execute_reg_methods() Breno Leitao <leitao(a)debian.org> i2c: tegra: Do not mark ACPI devices as irq safe Nam Cao <namcao(a)linutronix.de> riscv: change XIP's kernel_map.size to be size of the entire kernel Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: fix validity interception issue when gisa is switched off Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix error recovery leading to data corruption on ESE devices Baojun Xu <baojun.xu(a)ti.com> ALSA: hda/tas2781: fix wrong calibrated data order Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Mark XDomain as unplugged when router is removed Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Juan José Arboleda <soyjuanarbol(a)gmail.com> ALSA: usb-audio: Support Yamaha P-125 quirk entry Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Check USB endpoints when probing device Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Refine workqueue handling Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Don't destroy workqueue from work item running on it Jann Horn <jannh(a)google.com> fuse: Initialize beyond-EOF page contents before setting uptodate Paul Moore <paul(a)paul-moore.com> selinux: revert our use of vma_is_initial_heap() Xu Yang <xu.yang_2(a)nxp.com> Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Griffin Kroah-Hartman <griffin(a)kroah.com> Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: EC: Evaluate orphan _REG under EC device" Mathieu Othacehe <othacehe(a)gnu.org> tty: atmel_serial: use the correct RTS flag. Peng Fan <peng.fan(a)nxp.com> tty: serial: fsl_lpuart: mark last busy before uart_add_one_port ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 3 +- Makefile | 4 +- arch/alpha/kernel/pci_iommu.c | 2 +- arch/arm64/kernel/acpi_numa.c | 2 +- arch/arm64/kernel/setup.c | 3 - arch/arm64/kernel/smp.c | 2 + arch/arm64/kvm/sys_regs.c | 6 + arch/arm64/kvm/vgic/vgic.h | 7 + arch/mips/jazz/jazzdma.c | 2 +- arch/mips/kernel/cpu-probe.c | 4 + arch/openrisc/kernel/setup.c | 6 +- arch/parisc/kernel/irq.c | 4 +- arch/powerpc/boot/simple_alloc.c | 7 +- arch/powerpc/include/asm/topology.h | 13 ++ arch/powerpc/kernel/dma-iommu.c | 2 +- arch/powerpc/platforms/ps3/system-bus.c | 4 +- arch/powerpc/platforms/pseries/papr-sysparm.c | 47 +++++ arch/powerpc/platforms/pseries/vio.c | 2 +- arch/powerpc/sysdev/xics/icp-native.c | 2 + arch/riscv/include/asm/asm.h | 10 + arch/riscv/kernel/entry.S | 3 + arch/riscv/kernel/traps.c | 3 +- arch/riscv/mm/init.c | 4 +- arch/s390/include/asm/uv.h | 5 +- arch/s390/kernel/early.c | 12 +- arch/s390/kernel/smp.c | 4 +- arch/s390/kvm/kvm-s390.h | 7 +- arch/x86/kernel/amd_gart_64.c | 2 +- arch/x86/kernel/process.c | 5 +- block/blk-mq-tag.c | 5 +- drivers/accel/habanalabs/common/debugfs.c | 14 +- drivers/accel/habanalabs/common/irq.c | 3 + drivers/accel/habanalabs/common/memory.c | 15 +- drivers/accel/habanalabs/gaudi2/gaudi2_security.c | 1 + drivers/acpi/acpica/acevents.h | 6 +- drivers/acpi/acpica/evregion.c | 12 +- drivers/acpi/acpica/evxfregn.c | 64 +----- drivers/acpi/ec.c | 14 +- drivers/acpi/internal.h | 1 + drivers/acpi/scan.c | 2 + drivers/atm/idt77252.c | 9 +- drivers/char/xillybus/xillyusb.c | 42 +++- drivers/clk/visconti/pll.c | 6 +- drivers/clocksource/arm_global_timer.c | 11 +- drivers/edac/skx_common.c | 4 + drivers/firmware/cirrus/cs_dsp.c | 7 +- drivers/gpio/gpio-mlxbf3.c | 14 ++ drivers/gpio/gpiolib-sysfs.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 40 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 +++-- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 13 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 13 +- drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 63 +++++- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 6 + drivers/gpu/drm/amd/amdgpu/soc15d.h | 6 + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 24 ++- .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 4 +- .../drm/amd/display/dc/dcn321/dcn321_resource.c | 3 + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 14 +- drivers/gpu/drm/bridge/tc358768.c | 215 +++++++++++++++++--- drivers/gpu/drm/lima/lima_gp.c | 12 ++ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 96 ++++++--- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h | 22 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h | 9 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 43 +--- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 22 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 21 +- drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 +- drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 +- drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 23 ++- drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 + drivers/gpu/drm/msm/dp/dp_panel.c | 19 +- drivers/gpu/drm/msm/msm_drv.h | 12 -- drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 +- drivers/gpu/drm/msm/msm_mdss.c | 84 +++++--- drivers/gpu/drm/msm/msm_mdss.h | 1 + drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 +- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 + drivers/gpu/drm/panel/panel-novatek-nt36523.c | 6 +- drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 + drivers/gpu/drm/tegra/gem.c | 2 +- drivers/hid/wacom_wac.c | 4 +- drivers/hwmon/ltc2992.c | 8 +- drivers/hwmon/pc87360.c | 6 +- drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-riic.c | 2 +- drivers/i2c/busses/i2c-stm32f7.c | 51 ++++- drivers/i2c/busses/i2c-tegra.c | 4 +- drivers/i3c/master/mipi-i3c-hci/dma.c | 5 +- drivers/infiniband/hw/hfi1/chip.c | 5 +- drivers/infiniband/ulp/rtrs/rtrs.c | 2 +- drivers/input/input-mt.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 20 +- drivers/input/serio/i8042.c | 10 +- drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 + drivers/iommu/dma-iommu.c | 2 +- drivers/irqchip/irq-gic-v3-its.c | 2 - drivers/irqchip/irq-renesas-rzg2l.c | 5 +- drivers/md/dm-clone-metadata.c | 5 - drivers/md/dm-ioctl.c | 22 +- drivers/md/dm.c | 4 +- drivers/md/md.c | 5 - drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/raid5-cache.c | 47 +++-- drivers/media/dvb-core/dvb_frontend.c | 12 +- drivers/media/pci/cx23885/cx23885-video.c | 8 + drivers/media/platform/qcom/venus/pm_helpers.c | 2 +- .../media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 +- drivers/media/radio/radio-isa.c | 2 +- drivers/memory/stm32-fmc2-ebi.c | 122 +++++++---- drivers/memory/tegra/tegra186.c | 3 + drivers/misc/fastrpc.c | 22 +- drivers/mmc/core/mmc_test.c | 9 +- drivers/mmc/host/dw_mmc.c | 8 + drivers/mmc/host/mtk-sd.c | 8 +- drivers/net/bonding/bond_main.c | 21 +- drivers/net/bonding/bond_options.c | 2 +- drivers/net/dsa/microchip/ksz_ptp.c | 5 +- drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 +- drivers/net/dsa/ocelot/felix.c | 11 + drivers/net/dsa/vitesse-vsc73xx-core.c | 69 +++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 - drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 ++- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +- drivers/net/ethernet/i825xx/sun3_82586.c | 2 +- drivers/net/ethernet/intel/ice/ice_base.c | 21 +- drivers/net/ethernet/intel/ice/ice_txrx.c | 47 +---- drivers/net/ethernet/intel/igb/igb_main.c | 1 + drivers/net/ethernet/intel/igc/igc_defines.h | 6 + drivers/net/ethernet/intel/igc/igc_main.c | 8 +- drivers/net/ethernet/intel/igc/igc_tsn.c | 76 +++++-- drivers/net/ethernet/intel/igc/igc_tsn.h | 1 + .../net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 +-- drivers/net/ethernet/mediatek/mtk_wed.c | 6 +- drivers/net/ethernet/mediatek/mtk_wed_mcu.c | 3 + .../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 + .../ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 +- .../net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 8 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 ++++- drivers/net/ethernet/microsoft/mana/mana_en.c | 28 ++- drivers/net/ethernet/mscc/ocelot.c | 91 ++++++++- drivers/net/ethernet/mscc/ocelot_fdma.c | 3 +- drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 + .../net/ethernet/pensando/ionic/ionic_bus_pci.c | 9 +- drivers/net/ethernet/pensando/ionic/ionic_dev.c | 33 ++- .../net/ethernet/pensando/ionic/ionic_ethtool.c | 7 +- drivers/net/ethernet/pensando/ionic/ionic_fw.c | 5 + drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 + drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 6 +- drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 +-- drivers/net/gtp.c | 3 + drivers/net/wireless/ath/ath11k/mac.c | 42 ++-- drivers/net/wireless/ath/ath12k/mac.c | 27 ++- drivers/net/wireless/ath/ath12k/qmi.c | 7 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +- drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 +- drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 6 +- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 3 + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 7 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 50 ++++- drivers/net/wireless/mediatek/mt76/mt76.h | 24 +-- drivers/net/wireless/mediatek/mt76/mt7603/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/net/wireless/mediatek/mt76/mt792x_core.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 +- drivers/net/wireless/mediatek/mt76/tx.c | 108 ++++++++-- drivers/net/wireless/st/cw1200/txrx.c | 2 +- drivers/nvme/host/core.c | 107 ++++++---- drivers/nvme/host/ioctl.c | 15 +- drivers/nvme/host/multipath.c | 21 +- drivers/nvme/host/nvme.h | 4 +- drivers/nvme/target/rdma.c | 16 +- drivers/nvme/target/tcp.c | 1 + drivers/nvme/target/trace.c | 6 +- drivers/nvme/target/trace.h | 28 ++- drivers/parisc/ccio-dma.c | 2 +- drivers/parisc/sba_iommu.c | 2 +- drivers/platform/surface/aggregator/controller.c | 3 +- drivers/platform/x86/intel/ifs/load.c | 9 + drivers/platform/x86/lg-laptop.c | 2 +- drivers/pmdomain/imx/imx93-pd.c | 5 +- drivers/pmdomain/imx/scu-pd.c | 5 - drivers/rtc/rtc-nct3018y.c | 6 +- drivers/s390/block/dasd.c | 36 ++-- drivers/s390/block/dasd_3990_erp.c | 10 +- drivers/s390/block/dasd_diag.c | 1 - drivers/s390/block/dasd_eckd.c | 58 +++--- drivers/s390/block/dasd_int.h | 2 +- drivers/s390/cio/idset.c | 12 +- drivers/scsi/lpfc/lpfc_sli.c | 2 +- drivers/scsi/scsi_transport_spi.c | 4 +- drivers/ssb/main.c | 2 +- drivers/staging/iio/resolver/ad2s1210.c | 7 +- drivers/staging/ks7010/ks7010_sdio.c | 4 +- drivers/thunderbolt/switch.c | 1 + drivers/tty/serial/atmel_serial.c | 2 +- drivers/tty/serial/fsl_lpuart.c | 1 + drivers/usb/dwc3/core.c | 13 ++ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- drivers/usb/host/xhci.c | 8 +- drivers/usb/typec/tcpm/tcpm.c | 1 - drivers/xen/grant-dma-ops.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- fs/afs/file.c | 8 +- fs/binfmt_elf_fdpic.c | 2 +- fs/binfmt_misc.c | 216 +++++++++++++++----- fs/btrfs/compression.c | 23 ++- fs/btrfs/compression.h | 2 +- fs/btrfs/defrag.c | 2 +- fs/btrfs/delayed-inode.c | 4 +- fs/btrfs/disk-io.c | 2 + fs/btrfs/extent_io.c | 4 +- fs/btrfs/free-space-cache.c | 22 +- fs/btrfs/inode.c | 24 ++- fs/btrfs/ioctl.c | 2 +- fs/btrfs/qgroup.c | 2 - fs/btrfs/reflink.c | 6 +- fs/btrfs/send.c | 71 +++++-- fs/btrfs/super.c | 2 +- fs/btrfs/tests/extent-io-tests.c | 28 ++- fs/btrfs/tree-checker.c | 74 ++++++- fs/btrfs/zlib.c | 73 ++----- fs/ext4/extents.c | 3 +- fs/ext4/mballoc.c | 3 + fs/f2fs/segment.c | 17 +- fs/file.c | 28 ++- fs/fscache/cookie.c | 4 + fs/fuse/cuse.c | 3 +- fs/fuse/dev.c | 6 +- fs/fuse/fuse_i.h | 1 + fs/fuse/inode.c | 15 +- fs/fuse/virtio_fs.c | 10 + fs/gfs2/inode.c | 2 +- fs/gfs2/super.c | 2 + fs/inode.c | 39 +++- fs/jfs/jfs_dinode.h | 2 +- fs/jfs/jfs_imap.c | 6 +- fs/jfs/jfs_incore.h | 2 +- fs/jfs/jfs_txnmgr.c | 4 +- fs/jfs/jfs_xtree.c | 4 +- fs/jfs/jfs_xtree.h | 37 ++-- fs/kernfs/file.c | 8 +- fs/nfs/pnfs.c | 8 + fs/nfsd/nfssvc.c | 14 +- fs/ntfs3/bitmap.c | 4 +- fs/ntfs3/fsntfs.c | 2 +- fs/ntfs3/index.c | 11 +- fs/ntfs3/ntfs_fs.h | 4 +- fs/ntfs3/super.c | 2 +- fs/quota/dquot.c | 5 +- fs/smb/client/reparse.c | 11 +- fs/smb/server/connection.c | 34 +++- fs/smb/server/connection.h | 3 +- fs/smb/server/mgmt/user_session.c | 8 + fs/smb/server/smb2pdu.c | 5 +- include/acpi/acpixf.h | 5 +- include/linux/bitmap.h | 20 +- include/linux/bpf_verifier.h | 4 +- include/linux/cpumask.h | 2 +- include/linux/dma-map-ops.h | 2 +- include/linux/dsa/ocelot.h | 47 +++++ include/linux/evm.h | 6 + include/linux/f2fs_fs.h | 1 + include/linux/fs.h | 5 + include/net/af_vsock.h | 4 + include/net/inet_timewait_sock.h | 2 +- include/net/kcm.h | 1 + include/net/mana/mana.h | 1 + include/net/tcp.h | 2 +- include/scsi/scsi_cmnd.h | 2 +- include/soc/mscc/ocelot.h | 12 +- include/uapi/misc/fastrpc.h | 3 - init/Kconfig | 7 +- kernel/bpf/verifier.c | 5 +- kernel/cgroup/cgroup.c | 4 +- kernel/cpu.c | 12 +- kernel/dma/mapping.c | 4 +- kernel/rcu/rcu.h | 7 + kernel/rcu/srcutiny.c | 1 + kernel/rcu/srcutree.c | 1 + kernel/rcu/tasks.h | 1 + kernel/rcu/tiny.c | 1 + kernel/rcu/tree.c | 3 +- kernel/sched/topology.c | 3 + kernel/time/clocksource.c | 42 ++-- kernel/time/hrtimer.c | 5 +- kernel/time/tick-sched.h | 2 +- lib/cpumask.c | 4 +- lib/math/prime_numbers.c | 2 - mm/huge_memory.c | 30 ++- mm/memcontrol.c | 7 +- mm/memory-failure.c | 20 +- mm/memory.c | 33 ++- mm/page_alloc.c | 42 ++-- mm/vmalloc.c | 11 +- net/bluetooth/bnep/core.c | 3 +- net/bluetooth/hci_conn.c | 11 +- net/bluetooth/hci_core.c | 19 +- net/bluetooth/mgmt.c | 4 + net/bluetooth/smp.c | 146 ++++++------- net/bridge/br_netfilter_hooks.c | 6 +- net/core/sock_map.c | 6 - net/dccp/ipv4.c | 2 +- net/dccp/ipv6.c | 6 - net/dsa/tag_ocelot.c | 37 +--- net/ipv4/inet_timewait_sock.c | 16 +- net/ipv4/tcp_input.c | 28 ++- net/ipv4/tcp_ipv4.c | 16 +- net/ipv4/tcp_minisocks.c | 7 +- net/ipv4/udp_offload.c | 3 +- net/ipv6/ip6_output.c | 10 + net/ipv6/ip6_tunnel.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 + net/ipv6/tcp_ipv6.c | 6 - net/iucv/iucv.c | 3 +- net/kcm/kcmsock.c | 4 + net/mac80211/agg-tx.c | 6 +- net/mac80211/driver-ops.c | 3 - net/mac80211/iface.c | 14 ++ net/mac80211/main.c | 22 +- net/mac80211/sta_info.c | 46 +++-- net/mctp/test/route-test.c | 2 +- net/mptcp/diag.c | 2 +- net/mptcp/pm.c | 13 -- net/mptcp/pm_netlink.c | 142 ++++++++----- net/mptcp/protocol.h | 3 - net/netfilter/nf_flow_table_inet.c | 3 + net/netfilter/nf_flow_table_ip.c | 3 + net/netfilter/nf_flow_table_offload.c | 2 +- net/netfilter/nf_tables_api.c | 225 ++++++++++++--------- net/netfilter/nfnetlink_queue.c | 35 +++- net/netfilter/nft_counter.c | 9 +- net/netlink/af_netlink.c | 13 +- net/openvswitch/datapath.c | 2 +- net/rxrpc/rxkad.c | 8 +- net/sched/sch_netem.c | 47 +++-- net/vmw_vsock/af_vsock.c | 50 +++-- net/vmw_vsock/vsock_bpf.c | 4 +- net/wireless/core.h | 8 +- scripts/rust_is_available.sh | 6 +- security/integrity/evm/evm_main.c | 7 + security/security.c | 2 +- security/selinux/avc.c | 8 +- security/selinux/hooks.c | 12 +- sound/core/timer.c | 2 +- sound/pci/hda/patch_realtek.c | 1 - sound/pci/hda/tas2781_hda_i2c.c | 14 +- sound/soc/codecs/cs35l45.c | 5 +- sound/soc/sof/intel/hda-dsp.c | 3 + sound/soc/sof/ipc4.c | 9 +- sound/usb/quirks-table.h | 1 + sound/usb/quirks.c | 2 + tools/include/linux/bitmap.h | 7 +- .../testing/selftests/bpf/progs/cpumask_failure.c | 3 - tools/testing/selftests/bpf/progs/dynptr_fail.c | 12 +- tools/testing/selftests/bpf/progs/iters.c | 54 +++++ .../selftests/bpf/progs/jeq_infer_not_null_fail.c | 4 + .../testing/selftests/bpf/progs/test_tunnel_kern.c | 47 +++-- tools/testing/selftests/core/close_range_test.c | 35 ++++ tools/testing/selftests/mm/Makefile | 2 + tools/testing/selftests/mm/run_vmtests.sh | 53 ++++- tools/testing/selftests/net/lib.sh | 11 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 28 ++- tools/testing/selftests/net/udpgro.sh | 44 ++-- tools/testing/selftests/tc-testing/tdc.py | 1 - tools/tracing/rtla/src/osnoise_top.c | 11 +- 386 files changed, 3829 insertions(+), 1937 deletions(-)

8 months

17
366
0 0

FAILED: patch "[PATCH] usb: typec: ucsi: Move unregister out of atomic section" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 11bb2ffb679399f99041540cf662409905179e3a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024090121-distress-disengage-545d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 11bb2ffb6793 ("usb: typec: ucsi: Move unregister out of atomic section") 584e8df58942 ("usb: typec: ucsi: extract common code for command handling") e1870c17e550 ("usb: typec: ucsi: inline ucsi_read_message_in") 5e9c1662a89b ("usb: typec: ucsi: rework command execution functions") 467399d989d7 ("usb: typec: ucsi: split read operation") 13f2ec3115c8 ("usb: typec: ucsi: simplify command sending API") a7d2fa776976 ("usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error()") f7697db8b1b3 ("Merge 6.10-rc6 into usb-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 11bb2ffb679399f99041540cf662409905179e3a Mon Sep 17 00:00:00 2001 From: Bjorn Andersson <quic_bjorande(a)quicinc.com> Date: Tue, 20 Aug 2024 13:29:31 -0700 Subject: [PATCH] usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")' moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn't feasible as it's expecting a sleepable context. An effort is under way to get GLINK to invoke its callbacks in a sleepable context, but until then lets schedule the unregistration. A side effect of this is that ucsi_unregister() can now happen after the remote processor, and thereby the communication link with it, is gone. pmic_glink_send() is amended with a check to avoid the resulting NULL pointer dereference. This does however result in the user being informed about this error by the following entry in the kernel log: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5 Fixes: 9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping") Cc: stable(a)vger.kernel.org Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Tested-by: Amit Pundir <amit.pundir(a)linaro.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> Tested-by: Johan Hovold <johan+linaro(a)kernel.org> Signed-off-by: Bjorn Andersson <quic_bjorande(a)quicinc.com> Link: https://lore.kernel.org/r/20240820-pmic-glink-v6-11-races-v3-2-eec53c750a04… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c index 53b176d04fbd..b218460219b7 100644 --- a/drivers/soc/qcom/pmic_glink.c +++ b/drivers/soc/qcom/pmic_glink.c @@ -112,8 +112,16 @@ EXPORT_SYMBOL_GPL(pmic_glink_client_register); int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len) { struct pmic_glink *pg = client->pg; + int ret; - return rpmsg_send(pg->ept, data, len); + mutex_lock(&pg->state_lock); + if (!pg->ept) + ret = -ECONNRESET; + else + ret = rpmsg_send(pg->ept, data, len); + mutex_unlock(&pg->state_lock); + + return ret; } EXPORT_SYMBOL_GPL(pmic_glink_send); diff --git a/drivers/usb/typec/ucsi/ucsi_glink.c b/drivers/usb/typec/ucsi/ucsi_glink.c index f6f4fae40399..6aace19d595b 100644 --- a/drivers/usb/typec/ucsi/ucsi_glink.c +++ b/drivers/usb/typec/ucsi/ucsi_glink.c @@ -68,6 +68,9 @@ struct pmic_glink_ucsi { struct work_struct notify_work; struct work_struct register_work; + spinlock_t state_lock; + bool ucsi_registered; + bool pd_running; u8 read_buf[UCSI_BUF_SIZE]; }; @@ -244,8 +247,20 @@ static void pmic_glink_ucsi_notify(struct work_struct *work) static void pmic_glink_ucsi_register(struct work_struct *work) { struct pmic_glink_ucsi *ucsi = container_of(work, struct pmic_glink_ucsi, register_work); + unsigned long flags; + bool pd_running; - ucsi_register(ucsi->ucsi); + spin_lock_irqsave(&ucsi->state_lock, flags); + pd_running = ucsi->pd_running; + spin_unlock_irqrestore(&ucsi->state_lock, flags); + + if (!ucsi->ucsi_registered && pd_running) { + ucsi_register(ucsi->ucsi); + ucsi->ucsi_registered = true; + } else if (ucsi->ucsi_registered && !pd_running) { + ucsi_unregister(ucsi->ucsi); + ucsi->ucsi_registered = false; + } } static void pmic_glink_ucsi_callback(const void *data, size_t len, void *priv) @@ -269,11 +284,12 @@ static void pmic_glink_ucsi_callback(const void *data, size_t len, void *priv) static void pmic_glink_ucsi_pdr_notify(void *priv, int state) { struct pmic_glink_ucsi *ucsi = priv; + unsigned long flags; - if (state == SERVREG_SERVICE_STATE_UP) - schedule_work(&ucsi->register_work); - else if (state == SERVREG_SERVICE_STATE_DOWN) - ucsi_unregister(ucsi->ucsi); + spin_lock_irqsave(&ucsi->state_lock, flags); + ucsi->pd_running = (state == SERVREG_SERVICE_STATE_UP); + spin_unlock_irqrestore(&ucsi->state_lock, flags); + schedule_work(&ucsi->register_work); } static void pmic_glink_ucsi_destroy(void *data) @@ -320,6 +336,7 @@ static int pmic_glink_ucsi_probe(struct auxiliary_device *adev, INIT_WORK(&ucsi->register_work, pmic_glink_ucsi_register); init_completion(&ucsi->read_ack); init_completion(&ucsi->write_ack); + spin_lock_init(&ucsi->state_lock); mutex_init(&ucsi->lock); ucsi->ucsi = ucsi_create(dev, &pmic_glink_ucsi_ops);

8 months

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: st: add missing depopulate in probe error path" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x cd4897bfd14f6a5388b21ba45a066541a0425199 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024090143-yiddish-twisted-954d@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: cd4897bfd14f ("usb: dwc3: st: add missing depopulate in probe error path") e36721b90144 ("usb: dwc3: st: Add of_node_put() before return in probe function") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cd4897bfd14f6a5388b21ba45a066541a0425199 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 11:39:57 +0200 Subject: [PATCH] usb: dwc3: st: add missing depopulate in probe error path Depopulate device in probe error paths to fix leak of children resources. Fixes: f83fca0707c6 ("usb: dwc3: add ST dwc3 glue layer to manage dwc3 HC") Cc: stable(a)vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Patrice Chotard <patrice.chotard(a)foss.st.com> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/20240814093957.37940-2-krzysztof.kozlowski@linaro… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/dwc3-st.c b/drivers/usb/dwc3/dwc3-st.c index a9cb04043f08..c8c7cd0c1796 100644 --- a/drivers/usb/dwc3/dwc3-st.c +++ b/drivers/usb/dwc3/dwc3-st.c @@ -266,7 +266,7 @@ static int st_dwc3_probe(struct platform_device *pdev) if (!child_pdev) { dev_err(dev, "failed to find dwc3 core device\n"); ret = -ENODEV; - goto err_node_put; + goto depopulate; } dwc3_data->dr_mode = usb_get_dr_mode(&child_pdev->dev); @@ -282,6 +282,7 @@ static int st_dwc3_probe(struct platform_device *pdev) ret = st_dwc3_drd_init(dwc3_data); if (ret) { dev_err(dev, "drd initialisation failed\n"); + of_platform_depopulate(dev); goto undo_softreset; } @@ -291,6 +292,8 @@ static int st_dwc3_probe(struct platform_device *pdev) platform_set_drvdata(pdev, dwc3_data); return 0; +depopulate: + of_platform_depopulate(dev); err_node_put: of_node_put(child); undo_softreset:

8 months

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: qcom: x1e80100-qcp: fix missing PCIe4 gpios" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 2ac90e4d2b6d6823ca10642ef39595ff1181c3fa # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024090131-caviar-jubilant-3f17@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 2ac90e4d2b6d ("arm64: dts: qcom: x1e80100-qcp: fix missing PCIe4 gpios") 0aab6eaac72a ("arm64: dts: qcom: x1e80100-qcp: fix up PCIe6a pinctrl node") eb57cbe730d1 ("arm64: dts: qcom: x1e80100: Describe the PCIe 6a resources") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ac90e4d2b6d6823ca10642ef39595ff1181c3fa Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Mon, 22 Jul 2024 11:54:51 +0200 Subject: [PATCH] arm64: dts: qcom: x1e80100-qcp: fix missing PCIe4 gpios Add the missing PCIe4 perst, wake and clkreq GPIOs and pin config. Fixes: f9a9c11471da ("arm64: dts: qcom: x1e80100-qcp: Enable more support") Cc: stable(a)vger.kernel.org # 6.9 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Konrad Dybcio <konrad.dybcio(a)linaro.org> Link: https://lore.kernel.org/r/20240722095459.27437-5-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> diff --git a/arch/arm64/boot/dts/qcom/x1e80100-qcp.dts b/arch/arm64/boot/dts/qcom/x1e80100-qcp.dts index 653673e423bf..2dcf2a17511d 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100-qcp.dts +++ b/arch/arm64/boot/dts/qcom/x1e80100-qcp.dts @@ -660,6 +660,12 @@ &mdss_dp3_phy { }; &pcie4 { + perst-gpios = <&tlmm 146 GPIO_ACTIVE_LOW>; + wake-gpios = <&tlmm 148 GPIO_ACTIVE_LOW>; + + pinctrl-0 = <&pcie4_default>; + pinctrl-names = "default"; + status = "okay"; }; @@ -804,6 +810,29 @@ nvme_reg_en: nvme-reg-en-state { bias-disable; }; + pcie4_default: pcie4-default-state { + clkreq-n-pins { + pins = "gpio147"; + function = "pcie4_clk"; + drive-strength = <2>; + bias-pull-up; + }; + + perst-n-pins { + pins = "gpio146"; + function = "gpio"; + drive-strength = <2>; + bias-disable; + }; + + wake-n-pins { + pins = "gpio148"; + function = "gpio"; + drive-strength = <2>; + bias-pull-up; + }; + }; + pcie6a_default: pcie6a-default-state { clkreq-n-pins { pins = "gpio153";

8 months

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: qcom: x1e80100-crd: fix missing PCIe4 gpios" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 42b33ad188466292eaac9825544b8be8deddb3cb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024090124-chaffing-curable-eb92@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 42b33ad18846 ("arm64: dts: qcom: x1e80100-crd: fix missing PCIe4 gpios") 6e3902c49954 ("arm64: dts: qcom: x1e80100-crd: fix up PCIe6a pinctrl node") eb57cbe730d1 ("arm64: dts: qcom: x1e80100: Describe the PCIe 6a resources") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 42b33ad188466292eaac9825544b8be8deddb3cb Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Mon, 22 Jul 2024 11:42:47 +0200 Subject: [PATCH] arm64: dts: qcom: x1e80100-crd: fix missing PCIe4 gpios Add the missing PCIe4 perst, wake and clkreq GPIOs and pin config. Fixes: d7e03cce0400 ("arm64: dts: qcom: x1e80100-crd: Enable more support") Cc: stable(a)vger.kernel.org # 6.9 Reviewed-by: Konrad Dybcio <konrad.dybcio(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Link: https://lore.kernel.org/r/20240722094249.26471-7-johan+linaro@kernel.org Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> diff --git a/arch/arm64/boot/dts/qcom/x1e80100-crd.dts b/arch/arm64/boot/dts/qcom/x1e80100-crd.dts index aeb279b1a0cc..d65a22172006 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100-crd.dts +++ b/arch/arm64/boot/dts/qcom/x1e80100-crd.dts @@ -756,6 +756,12 @@ &mdss_dp3_phy { }; &pcie4 { + perst-gpios = <&tlmm 146 GPIO_ACTIVE_LOW>; + wake-gpios = <&tlmm 148 GPIO_ACTIVE_LOW>; + + pinctrl-0 = <&pcie4_default>; + pinctrl-names = "default"; + status = "okay"; }; @@ -931,6 +937,29 @@ nvme_reg_en: nvme-reg-en-state { bias-disable; }; + pcie4_default: pcie4-default-state { + clkreq-n-pins { + pins = "gpio147"; + function = "pcie4_clk"; + drive-strength = <2>; + bias-pull-up; + }; + + perst-n-pins { + pins = "gpio146"; + function = "gpio"; + drive-strength = <2>; + bias-disable; + }; + + wake-n-pins { + pins = "gpio148"; + function = "gpio"; + drive-strength = <2>; + bias-pull-up; + }; + }; + pcie6a_default: pcie6a-default-state { clkreq-n-pins { pins = "gpio153";

8 months

1
0
0 0

[PATCH v1 2/2] ufs: core: requeue MCQ abort request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> MCQ aborts a command using two methods below: 1. Nullified UTRD, Host controller skips this transfer request, reply Completion Queue entry to Host SW with OCS=ABORTED 2. SQ cleanup, The host controller will post to the Completion Queue to update the OCS field with ABORTED. For these two cases, set a flag to notify SCSI to requeue the command after receiving OCS_ABORTED. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufs-mcq.c | 1 + drivers/ufs/core/ufshcd.c | 21 ++++++++------------- include/ufs/ufshcd.h | 2 ++ 3 files changed, 11 insertions(+), 13 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index afd9541f4bd8..abdc55a8b960 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -642,6 +642,7 @@ static bool ufshcd_mcq_sqe_search(struct ufs_hba *hba, match = le64_to_cpu(utrd->command_desc_base_addr) & CQE_UCD_BA; if (addr == match) { ufshcd_mcq_nullify_sqe(utrd); + lrbp->host_initiate_abort = true; ret = true; goto out; } diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..18418e9d7549 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3006,6 +3006,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) ufshcd_prepare_lrbp_crypto(scsi_cmd_to_rq(cmd), lrbp); lrbp->req_abort_skip = false; + lrbp->host_initiate_abort = false; ufshcd_comp_scsi_upiu(hba, lrbp); @@ -5404,7 +5405,10 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; + if (lrbp->host_initiate_abort) + result |= DID_REQUEUE << 16; + else + result |= DID_ABORT << 16; break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; @@ -6472,24 +6476,15 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } + /* Host will post to CQ with OCS_ABORTED after SQ clean up */ + if (is_mcq_enabled(hba) && (*ret == 0)) + lrbp->host_initiate_abort = true; return *ret == 0; } diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 0fd2aebac728..49dd5ca8a4e7 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -173,6 +173,7 @@ struct ufs_pm_lvl_states { * @crypto_key_slot: the key slot to use for inline crypto (-1 if none) * @data_unit_num: the data unit number for the first block for inline crypto * @req_abort_skip: skip request abort task flag + * @host_initiate_abort: Abort flag initiated by host */ struct ufshcd_lrb { struct utp_transfer_req_desc *utr_descriptor_ptr; @@ -202,6 +203,7 @@ struct ufshcd_lrb { #endif bool req_abort_skip; + bool host_initiate_abort; }; /** -- 2.45.2

8 months

2
2
0 0

[git:media_stage/master] media: imx335: Fix reset-gpio handling

by Hans Verkuil

This is an automatic generated email to let you know that the following patch were queued: Subject: media: imx335: Fix reset-gpio handling Author: Umang Jain <umang.jain(a)ideasonboard.com> Date: Fri Aug 30 11:41:52 2024 +0530 Rectify the logical value of reset-gpio so that it is set to 0 (disabled) during power-on and to 1 (enabled) during power-off. Set the reset-gpio to GPIO_OUT_HIGH at initialization time to make sure it starts off in reset. Also drop the "Set XCLR" comment which is not-so-informative. The existing usage of imx335 had reset-gpios polarity inverted (GPIO_ACTIVE_HIGH) in their device-tree sources. With this patch included, those DTS will not be able to stream imx335 anymore. The reset-gpio polarity will need to be rectified in the device-tree sources as shown in [1] example, in order to get imx335 functional again (as it remains in reset prior to this fix). Cc: stable(a)vger.kernel.org Fixes: 45d19b5fb9ae ("media: i2c: Add imx335 camera sensor driver") Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/linux-media/20240729110437.199428-1-umang.jain@idea… Signed-off-by: Umang Jain <umang.jain(a)ideasonboard.com> Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> drivers/media/i2c/imx335.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) --- diff --git a/drivers/media/i2c/imx335.c b/drivers/media/i2c/imx335.c index 990d74214cc2..54a1de53d497 100644 --- a/drivers/media/i2c/imx335.c +++ b/drivers/media/i2c/imx335.c @@ -997,7 +997,7 @@ static int imx335_parse_hw_config(struct imx335 *imx335) /* Request optional reset pin */ imx335->reset_gpio = devm_gpiod_get_optional(imx335->dev, "reset", - GPIOD_OUT_LOW); + GPIOD_OUT_HIGH); if (IS_ERR(imx335->reset_gpio)) { dev_err(imx335->dev, "failed to get reset gpio %ld\n", PTR_ERR(imx335->reset_gpio)); @@ -1110,8 +1110,7 @@ static int imx335_power_on(struct device *dev) usleep_range(500, 550); /* Tlow */ - /* Set XCLR */ - gpiod_set_value_cansleep(imx335->reset_gpio, 1); + gpiod_set_value_cansleep(imx335->reset_gpio, 0); ret = clk_prepare_enable(imx335->inclk); if (ret) { @@ -1124,7 +1123,7 @@ static int imx335_power_on(struct device *dev) return 0; error_reset: - gpiod_set_value_cansleep(imx335->reset_gpio, 0); + gpiod_set_value_cansleep(imx335->reset_gpio, 1); regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies); return ret; @@ -1141,7 +1140,7 @@ static int imx335_power_off(struct device *dev) struct v4l2_subdev *sd = dev_get_drvdata(dev); struct imx335 *imx335 = to_imx335(sd); - gpiod_set_value_cansleep(imx335->reset_gpio, 0); + gpiod_set_value_cansleep(imx335->reset_gpio, 1); clk_disable_unprepare(imx335->inclk); regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies);

8 months

1
0
0 0

[git:media_stage/master] media: ov5675: Fix power on/off delay timings

by Hans Verkuil

This is an automatic generated email to let you know that the following patch were queued: Subject: media: ov5675: Fix power on/off delay timings Author: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Date: Sat Jul 13 23:33:29 2024 +0100 The ov5675 specification says that the gap between XSHUTDN deassert and the first I2C transaction should be a minimum of 8192 XVCLK cycles. Right now we use a usleep_rage() that gives a sleep time of between about 430 and 860 microseconds. On the Lenovo X13s we have observed that in about 1/20 cases the current timing is too tight and we start transacting before the ov5675's reset cycle completes, leading to I2C bus transaction failures. The reset racing is sometimes triggered at initial chip probe but, more usually on a subsequent power-off/power-on cycle e.g. [ 71.451662] ov5675 24-0010: failed to write reg 0x0103. error = -5 [ 71.451686] ov5675 24-0010: failed to set plls The current quiescence period we have is too tight. Instead of expressing the post reset delay in terms of the current XVCLK this patch converts the power-on and power-off delays to the maximum theoretical delay @ 6 MHz with an additional buffer. 1.365 milliseconds on the power-on path is 1.5 milliseconds with grace. 85.3 microseconds on the power-off path is 90 microseconds with grace. Fixes: 49d9ad719e89 ("media: ov5675: add device-tree support and support runtime PM") Cc: stable(a)vger.kernel.org Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Tested-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Quentin Schulz <quentin.schulz(a)cherry.de> Tested-by: Quentin Schulz <quentin.schulz(a)cherry.de> # RK3399 Puma with Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> drivers/media/i2c/ov5675.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- diff --git a/drivers/media/i2c/ov5675.c b/drivers/media/i2c/ov5675.c index 3641911bc73f..5b5127f8953f 100644 --- a/drivers/media/i2c/ov5675.c +++ b/drivers/media/i2c/ov5675.c @@ -972,12 +972,10 @@ static int ov5675_set_stream(struct v4l2_subdev *sd, int enable) static int ov5675_power_off(struct device *dev) { - /* 512 xvclk cycles after the last SCCB transation or MIPI frame end */ - u32 delay_us = DIV_ROUND_UP(512, OV5675_XVCLK_19_2 / 1000 / 1000); struct v4l2_subdev *sd = dev_get_drvdata(dev); struct ov5675 *ov5675 = to_ov5675(sd); - usleep_range(delay_us, delay_us * 2); + usleep_range(90, 100); clk_disable_unprepare(ov5675->xvclk); gpiod_set_value_cansleep(ov5675->reset_gpio, 1); @@ -988,7 +986,6 @@ static int ov5675_power_off(struct device *dev) static int ov5675_power_on(struct device *dev) { - u32 delay_us = DIV_ROUND_UP(8192, OV5675_XVCLK_19_2 / 1000 / 1000); struct v4l2_subdev *sd = dev_get_drvdata(dev); struct ov5675 *ov5675 = to_ov5675(sd); int ret; @@ -1014,8 +1011,11 @@ static int ov5675_power_on(struct device *dev) gpiod_set_value_cansleep(ov5675->reset_gpio, 0); - /* 8192 xvclk cycles prior to the first SCCB transation */ - usleep_range(delay_us, delay_us * 2); + /* Worst case quiesence gap is 1.365 milliseconds @ 6MHz XVCLK + * Add an additional threshold grace period to ensure reset + * completion before initiating our first I2C transaction. + */ + usleep_range(1500, 1600); return 0; }

8 months

1
0
0 0

[git:media_stage/master] media: i2c: ar0521: Use cansleep version of gpiod_set_value()

by Hans Verkuil

This is an automatic generated email to let you know that the following patch were queued: Subject: media: i2c: ar0521: Use cansleep version of gpiod_set_value() Author: Alexander Shiyan <eagle.alexander923(a)gmail.com> Date: Thu Aug 29 08:48:49 2024 +0300 If we use GPIO reset from I2C port expander, we must use *_cansleep() variant of GPIO functions. This was not done in ar0521_power_on()/ar0521_power_off() functions. Let's fix that. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c Modules linked in: CPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) Workqueue: events_unbound deferred_probe_work_func pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : gpiod_set_value+0x74/0x7c lr : ar0521_power_on+0xcc/0x290 sp : ffffff8001d7ab70 x29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000 x26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088 x23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088 x20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80 x17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000 x14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930 x11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0 x8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780 x5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001 Call trace: gpiod_set_value+0x74/0x7c ar0521_power_on+0xcc/0x290 ... Signed-off-by: Alexander Shiyan <eagle.alexander923(a)gmail.com> Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver") Cc: stable(a)vger.kernel.org Acked-by: Krzysztof Hałasa <khalasa(a)piap.pl> Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> drivers/media/i2c/ar0521.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- diff --git a/drivers/media/i2c/ar0521.c b/drivers/media/i2c/ar0521.c index 56a724b4d47e..fc27238dd4d3 100644 --- a/drivers/media/i2c/ar0521.c +++ b/drivers/media/i2c/ar0521.c @@ -842,7 +842,8 @@ static void __ar0521_power_off(struct device *dev) int i; if (sensor->reset_gpio) - gpiod_set_value(sensor->reset_gpio, 1); /* assert RESET signal */ + /* assert RESET signal */ + gpiod_set_value_cansleep(sensor->reset_gpio, 1); for (i = ARRAY_SIZE(ar0521_supply_names) - 1; i >= 0; i--) { if (sensor->supplies[i]) @@ -886,7 +887,7 @@ static int ar0521_power_on(struct device *dev) if (sensor->reset_gpio) /* deassert RESET signal */ - gpiod_set_value(sensor->reset_gpio, 0); + gpiod_set_value_cansleep(sensor->reset_gpio, 0); usleep_range(4500, 5000); /* min 45000 clocks */ for (cnt = 0; cnt < ARRAY_SIZE(initial_regs); cnt++) {

8 months

1
0
0 0

Re: Patch "cifs: Fix FALLOC_FL_PUNCH_HOLE support" has been added to the 6.1-stable tree

by Greg KH

On Fri, Aug 30, 2024 at 02:43:05PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > cifs: Fix FALLOC_FL_PUNCH_HOLE support > > to the 6.1-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > cifs-fix-falloc_fl_punch_hole-support.patch > and it can be found in the queue-6.1 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. This breaks the build on 6.1.y so I'll go drop it from there, sorry. greg k-h

8 months

1
0
0 0

[PATCH] s390/pci: follow alloc_pages in dma_map_ops name change

by Ariadne Conill

In linux-6.6.y commit 983e6b2636f0099dbac1874c9e885bbe1cf2df05, alloc_pages was renamed to alloc_pages_op, but this was not changed for the s390 PCI implementation, most likely due to upstream changes in the s390 PCI implementation which moved it to using the generic IOMMU implementation after Linux 6.6 was released. Signed-off-by: Ariadne Conill <ariadne(a)ariadne.space> --- arch/s390/pci/pci_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c index 99209085c75b..ce0f2990cb04 100644 --- a/arch/s390/pci/pci_dma.c +++ b/arch/s390/pci/pci_dma.c @@ -721,7 +721,7 @@ const struct dma_map_ops s390_pci_dma_ops = { .unmap_page = s390_dma_unmap_pages, .mmap = dma_common_mmap, .get_sgtable = dma_common_get_sgtable, - .alloc_pages = dma_common_alloc_pages, + .alloc_pages_op = dma_common_alloc_pages, .free_pages = dma_common_free_pages, /* dma_supported is unconditionally true without a callback */ }; -- 2.46.0

8 months

2
1
0 0

FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when adding pages to" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 8e7860543a94784d744c7ce34b78a2e11beefa5c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024072924-overact-drainable-8abb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 8e7860543a94 ("btrfs: fix extent map use-after-free when adding pages to compressed bio") b7d463a1d125 ("btrfs: store a pointer to the original btrfs_bio in struct compressed_bio") 690834e47cf7 ("btrfs: pass a btrfs_bio to btrfs_submit_compressed_read") 7edb9a3e7200 ("btrfs: move zero filling of compressed read bios into common code") 32586c5bca72 ("btrfs: factor out a btrfs_free_compressed_pages helper") 10e924bc320a ("btrfs: factor out a btrfs_add_compressed_bio_pages helper") d7294e4deeb9 ("btrfs: use the bbio file offset in add_ra_bio_pages") e7aff33e3161 ("btrfs: use the bbio file offset in btrfs_submit_compressed_read") 798c9fc74d03 ("btrfs: remove redundant free_extent_map in btrfs_submit_compressed_read") 544fe4a903ce ("btrfs: embed a btrfs_bio into struct compressed_bio") d5e4377d5051 ("btrfs: split zone append bios in btrfs_submit_bio") 35a8d7da3ca8 ("btrfs: remove now spurious bio submission helpers") 285599b6fe15 ("btrfs: remove the fs_info argument to btrfs_submit_bio") 48253076c3a9 ("btrfs: open code submit_encoded_read_bio") 30493ff49f81 ("btrfs: remove stripe boundary calculation for compressed I/O") 2380220e1e13 ("btrfs: remove stripe boundary calculation for buffered I/O") 67d669825090 ("btrfs: pass the iomap bio to btrfs_submit_bio") 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios") 69ccf3f4244a ("btrfs: handle recording of zoned writes in the storage layer") f8a53bb58ec7 ("btrfs: handle checksum generation in the storage layer") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7860543a94784d744c7ce34b78a2e11beefa5c Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Thu, 4 Jul 2024 16:11:20 +0100 Subject: [PATCH] btrfs: fix extent map use-after-free when adding pages to compressed bio At add_ra_bio_pages() we are accessing the extent map to calculate 'add_size' after we dropped our reference on the extent map, resulting in a use-after-free. Fix this by computing 'add_size' before dropping our extent map reference. Reported-by: syzbot+853d80cba98ce1157ae6(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/000000000000038144061c6d18f2@google.com/ Fixes: 6a4049102055 ("btrfs: subpage: make add_ra_bio_pages() compatible") CC: stable(a)vger.kernel.org # 6.1+ Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c index a149f3659b15..a8e2c461aff7 100644 --- a/fs/btrfs/compression.c +++ b/fs/btrfs/compression.c @@ -515,6 +515,7 @@ static noinline int add_ra_bio_pages(struct inode *inode, put_page(page); break; } + add_size = min(em->start + em->len, page_end + 1) - cur; free_extent_map(em); if (page->index == end_index) { @@ -527,7 +528,6 @@ static noinline int add_ra_bio_pages(struct inode *inode, } } - add_size = min(em->start + em->len, page_end + 1) - cur; ret = bio_add_page(orig_bio, page, add_size, offset_in_page(cur)); if (ret != add_size) { unlock_extent(tree, cur, page_end, NULL);

8 months

3
2
0 0

[PATCH 6.6 000/139] 6.6.39-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.39 release. There are 139 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 11 Jul 2024 11:06:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.39-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.39-rc1 Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix incorrect inode allocation from reserved inodes Damien Le Moal <dlemoal(a)kernel.org> null_blk: Do not allow runt zone with zone capacity smaller then zone size Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: silence UBSAN warning Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Set default protocol when not given explicitly Witold Sadowski <wsadowski(a)marvell.com> spi: cadence: Ensure data lines set to low during dummy-cycle period Edward Adam Davis <eadavis(a)qq.com> nfc/nci: Add the inconsistency check between the input data length and count Masahiro Yamada <masahiroy(a)kernel.org> kbuild: fix short log for AS in link-vmlinux.sh Sagi Grimberg <sagi(a)grimberg.me> nvmet: fix a possible leak when destroy a ctrl during qp establishment hmtheboy154 <buingoc67(a)gmail.com> platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro hmtheboy154 <buingoc67(a)gmail.com> platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet Jim Wylder <jwylder(a)google.com> regmap-i2c: Subtract reg size from max_write Kundan Kumar <kundan.kumar(a)samsung.com> nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset Matt Jan <zoo868e(a)gmail.com> connector: Fix invalid conversion in cn_proc.h Fedor Pchelkin <pchelkin(a)ispras.ru> dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails Nilay Shroff <nilay(a)linux.ibm.com> nvme-multipath: find NUMA path only for online numa-node Mike Christie <michael.christie(a)oracle.com> vhost-scsi: Handle vhost_vq_work_queue failures for events Jian-Hong Pan <jhp(a)endlessos.org> ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Mark volume as dirty if xattr is broken Piotr Wojtaszczyk <piotr.wojtaszczyk(a)timesys.com> i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr Pin-yen Lin <treapking(a)chromium.org> clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg Gabor Juhos <j4g8y7(a)gmail.com> clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs Luca Weiss <luca.weiss(a)fairphone.com> clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents Mauro Carvalho Chehab <mchehab(a)kernel.org> media: dw2102: fix a potential buffer overflow GUO Zihua <guozihua(a)huawei.com> ima: Avoid blocking in RCU read-side critical section Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B Ghadi Elie Rahme <ghadi.rahme(a)canonical.com> bnx2x: Fix multiple UBSAN array-index-out-of-bounds Yijie Yang <quic_yijiyang(a)quicinc.com> net: stmmac: dwmac-qcom-ethqos: fix error array size Val Packett <val(a)packett.cool> mtd: rawnand: rockchip: ensure NVDDR timings are rejected Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: Bypass a couple of sanity checks during NAND identification Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: Fix the nand_read_data_op() early check Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: Ensure ECC configuration is propagated to upper layers Jinglin Wen <jinglin.wen(a)shingroup.cn> powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0 Nicholas Piggin <npiggin(a)gmail.com> powerpc/pseries: Fix scv instruction crash with kexec Frank Oltmanns <frank(a)oltmanns.dev> clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common Md Sadre Alam <quic_mdalam(a)quicinc.com> clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag John Schoenick <johns(a)valvesoftware.com> drm: panel-orientation-quirks: Add quirk for Valve Galileo Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: silence UBSAN warning Ma Ke <make24(a)iscas.ac.cn> drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes Jan Kara <jack(a)suse.cz> Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" Jan Kara <jack(a)suse.cz> fsnotify: Do not generate events for O_PATH file descriptors Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot Hector Martin <marcan(a)marcan.st> Bluetooth: hci_bcm4377: Fix msgid release Nathan Chancellor <nathan(a)kernel.org> scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() Nathan Chancellor <nathan(a)kernel.org> f2fs: Add inline to f2fs_build_fault_attr() stub Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: fix adding block group to a reclaim list and the unused list during reclaim Jan Kara <jack(a)suse.cz> mm: avoid overflows in dirty throttling logic Jinliang Zheng <alexjlzheng(a)tencent.com> mm: optimize the redundant loop of mm_update_owner_next() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: add missing check for inode numbers on directory entries Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix inode number range checks Sasha Neftin <sasha.neftin(a)intel.com> Revert "igc: fix a log entry using uninitialized netdev" Armin Wolf <W_Armin(a)gmx.de> platform/x86: toshiba_acpi: Fix quickstart quirk handling Huacai Chen <chenhuacai(a)kernel.org> cpu: Fix broken cmdline "nosmp" and "maxcpus=0" Dmitry Torokhov <dmitry.torokhov(a)gmail.com> gpiolib: of: add polarity quirk for TSC2005 Aleksandr Mishin <amishin(a)t-argos.ru> mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file Shigeru Yoshida <syoshida(a)redhat.com> inet_diag: Initialize pad field in struct inet_diag_req_v2 Zijian Zhang <zijianzhang(a)bytedance.com> selftests: make order checking verbose in msg_zerocopy selftest Zijian Zhang <zijianzhang(a)bytedance.com> selftests: fix OOM in msg_zerocopy selftest Sam Sun <samsun1006219(a)gmail.com> bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: unconditionally flush pending work before notifier Song Shuai <songshuaishuai(a)tinylab.org> riscv: kexec: Avoid deadlock in kexec crash path Jozef Hopko <jozef.hopko(a)altana.com> wifi: wilc1000: fix ies_len type in connect path Shiji Yang <yangshiji66(a)outlook.com> gpio: mmio: do not calculate bgpio_bits via "ngpios" Dave Jiang <dave.jiang(a)intel.com> net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() Jiawen Wu <jiawenwu(a)trustnetic.com> net: txgbe: initialize num_q_vectors for MSI/INTx interrupts Sagi Grimberg <sagi(a)grimberg.me> net: allow skb_datagram_iter to be called from any context Dmitry Torokhov <dmitry.torokhov(a)gmail.com> gpiolib: of: fix lookup quirk for MIPS Lantiq Dima Ruinskiy <dima.ruinskiy(a)intel.com> e1000e: Fix S0ix residency on corporate systems Christian Borntraeger <borntraeger(a)linux.ibm.com> KVM: s390: fix LPSWEY handling Jakub Kicinski <kuba(a)kernel.org> tcp_metrics: validate source addr length Pavel Skripkin <paskripkin(a)gmail.com> bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX Iulia Tanasescu <iulia.tanasescu(a)nxp.com> Bluetooth: ISO: Check socket flag instead of hcon Edward Adam Davis <eadavis(a)qq.com> Bluetooth: Ignore too large handle values in BIG Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix setting of unicast qos interval Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup() Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Create ingress ACL when needed Neal Cardwell <ncardwell(a)google.com> UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() Marek Vasut <marex(a)denx.de> net: phy: phy_device: Fix PHY LED blinking code comment Dmitry Antipov <dmantipov(a)yandex.ru> mac802154: fix time calculation in ieee802154_configure_durations() Mike Christie <michael.christie(a)oracle.com> vhost_task: Handle SIGKILL by flushing work and exiting Mike Christie <michael.christie(a)oracle.com> vhost: Release worker mutex during flushes Mike Christie <michael.christie(a)oracle.com> vhost: Use virtqueue mutex for swapping worker Len Brown <len.brown(a)intel.com> tools/power turbostat: Remember global max_die_id Justin Stitt <justinstitt(a)google.com> cdrom: rearrange last_media_change check to avoid unintentional overflow Lu Yao <yaolu(a)kylinos.cn> btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation warning Holger Dengler <dengler(a)linux.ibm.com> s390/pkey: Wipe sensitive data on failure Sven Schnelle <svens(a)linux.ibm.com> s390: Mark psw in __load_psw_mask() as __unitialized Wang Yong <wang.yong12(a)zte.com.cn> jffs2: Fix potential illegal address access in jffs2_free_inode Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com> serial: imx: Raise TX trigger level to 8 Tomas Henzl <thenzl(a)redhat.com> scsi: mpi3mr: Sanitise num_phys Chao Yu <chao(a)kernel.org> f2fs: check validation of fault attrs in f2fs_build_fault_attr() Jose E. Marchesi <jose.marchesi(a)oracle.com> bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD Corinna Vinschen <vinschen(a)redhat.com> igc: fix a log entry using uninitialized netdev John Hubbard <jhubbard(a)nvidia.com> selftests/net: fix uninitialized variables Greg Kurz <groug(a)kaod.org> powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" Mickaël Salaün <mic(a)digikod.net> kunit: Handle test faults Mickaël Salaün <mic(a)digikod.net> kunit: Fix timeout message Mike Marshall <hubcap(a)omnibond.com> orangefs: fix out-of-bounds fsid access Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n Heiner Kallweit <hkallweit1(a)gmail.com> i2c: i801: Annotate apanel_addr as __ro_after_init Benjamin Gray <bgray(a)linux.ibm.com> powerpc/dexcr: Track the DEXCR per-process Ricardo Ribalda <ribalda(a)chromium.org> media: dvb-frontends: tda10048: Fix integer overflow Ricardo Ribalda <ribalda(a)chromium.org> media: s2255: Use refcount_t instead of atomic_t for num_channels Ricardo Ribalda <ribalda(a)chromium.org> media: dvb-frontends: tda18271c2dd: Remove casting during div Simon Horman <horms(a)kernel.org> net: dsa: mv88e6xxx: Correct check for empty list Julien Panis <jpanis(a)baylibre.com> thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data StanleyYP Wang <StanleyYP.Wang(a)mediatek.com> wifi: mt76: mt7996: add sanity checks for background radar trigger Felix Fietkau <nbd(a)nbd.name> wifi: mt76: replace skb_put with skb_put_zero Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB Erick Archer <erick.archer(a)outlook.com> Input: ff-core - prefer struct_size over open coded arithmetic Jean Delvare <jdelvare(a)suse.de> firmware: dmi: Stop decoding on broken entry Erick Archer <erick.archer(a)outlook.com> sctp: prefer struct_size over open coded arithmetic Samuel Holland <samuel.holland(a)sifive.com> riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma Michael Bunk <micha(a)freedict.org> media: dw2102: Don't translate i2c read into write Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: fix the warning about the expression (int)size - len Tim Huang <Tim.Huang(a)amd.com> drm/amdgpu: fix uninitialized scalar variable warning Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix uninitialized variables in DM Alex Hung <alex.hung(a)amd.com> drm/amd/display: Skip finding free audio for unknown engine_id Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check pipe offset before setting vblank Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check index msg_id before read or write Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu: Initialize timestamp for some legacy SOCs Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu: Fix uninitialized variable warnings Fei Shao <fshao(a)chromium.org> media: mediatek: vcodec: Only free buffer VA that is not NULL Hailey Mothershead <hailmo(a)amazon.com> crypto: aead,cipher - zeroize key buffer after use Atish Patra <atishp(a)rivosinc.com> RISC-V: KVM: Fix the initial sample period value Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: dummy_st_ops should reject 0 for non-nullable params Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: adjust dummy_st_ops_success to detect additional error Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc John Meneghini <jmeneghi(a)redhat.com> scsi: qedf: Make qedf_execute_tmf() non-preemptible Michael Guralnik <michaelgur(a)nvidia.com> IB/core: Implement a limit on UMAD receive List Ricardo Ribalda <ribalda(a)chromium.org> media: dvb-usb: dib0700_devices: Add missing release_firmware() Ricardo Ribalda <ribalda(a)chromium.org> media: dvb: as102-fe: Fix as10x_register_addr packing Mahesh Salgaonkar <mahesh(a)linux.ibm.com> powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. Erico Nunes <nunes.erico(a)gmail.com> drm/lima: fix shared irq handling on driver remove Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/debugfs - Fix debugfs uninit process issue George Stark <gnstark(a)salutedevices.com> leds: an30259a: Use devm_mutex_init() for mutex initialization George Stark <gnstark(a)salutedevices.com> locking/mutex: Introduce devm_mutex_init() ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts | 2 +- arch/powerpc/include/asm/interrupt.h | 10 ++ arch/powerpc/include/asm/io.h | 2 +- arch/powerpc/include/asm/percpu.h | 10 ++ arch/powerpc/include/asm/processor.h | 1 + arch/powerpc/kernel/head_64.S | 5 +- arch/powerpc/kernel/process.c | 10 ++ arch/powerpc/kernel/ptrace/ptrace-view.c | 7 +- arch/powerpc/kernel/setup_64.c | 2 + arch/powerpc/kexec/core_64.c | 11 ++ arch/powerpc/platforms/pseries/kexec.c | 8 -- arch/powerpc/platforms/pseries/pseries.h | 1 - arch/powerpc/platforms/pseries/setup.c | 1 - arch/powerpc/xmon/xmon.c | 6 +- arch/riscv/include/asm/errata_list.h | 12 +- arch/riscv/include/asm/tlbflush.h | 19 ++- arch/riscv/kernel/machine_kexec.c | 10 +- arch/riscv/kvm/vcpu_pmu.c | 2 +- arch/riscv/mm/tlbflush.c | 23 ---- arch/s390/include/asm/kvm_host.h | 1 + arch/s390/include/asm/processor.h | 2 +- arch/s390/kvm/kvm-s390.c | 1 + arch/s390/kvm/kvm-s390.h | 15 +++ arch/s390/kvm/priv.c | 32 +++++ crypto/aead.c | 3 +- crypto/cipher.c | 3 +- drivers/base/regmap/regmap-i2c.c | 3 +- drivers/block/null_blk/zoned.c | 11 ++ drivers/bluetooth/hci_bcm4377.c | 2 +- drivers/bluetooth/hci_qca.c | 18 ++- drivers/cdrom/cdrom.c | 2 +- drivers/clk/mediatek/clk-mt8183-mfgcfg.c | 1 + drivers/clk/mediatek/clk-mtk.c | 24 ++-- drivers/clk/mediatek/clk-mtk.h | 2 + drivers/clk/qcom/clk-alpha-pll.c | 3 + drivers/clk/qcom/gcc-ipq9574.c | 10 +- drivers/clk/qcom/gcc-sm6350.c | 10 +- drivers/clk/sunxi-ng/ccu_common.c | 18 ++- drivers/crypto/hisilicon/debugfs.c | 21 +++- drivers/firmware/dmi_scan.c | 11 ++ drivers/gpio/gpio-mmio.c | 2 - drivers/gpio/gpiolib-of.c | 22 +++- drivers/gpu/drm/amd/amdgpu/aldebaran.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +- drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 + .../amd/display/dc/irq/dce110/irq_service_dce110.c | 8 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++ drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 ++ drivers/gpu/drm/lima/lima_gp.c | 2 + drivers/gpu/drm/lima/lima_mmu.c | 5 + drivers/gpu/drm/lima/lima_pp.c | 4 + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 + drivers/i2c/busses/i2c-i801.c | 2 +- drivers/i2c/busses/i2c-pnx.c | 48 ++------ drivers/infiniband/core/user_mad.c | 21 +++- drivers/input/ff-core.c | 7 +- drivers/irqchip/irq-gic-v3-its.c | 2 - drivers/leds/leds-an30259a.c | 14 +-- drivers/media/dvb-frontends/as102_fe_types.h | 2 +- drivers/media/dvb-frontends/tda10048.c | 9 +- drivers/media/dvb-frontends/tda18271c2dd.c | 4 +- .../vcodec/decoder/vdec/vdec_av1_req_lat_if.c | 22 ++-- .../mediatek/vcodec/encoder/venc/venc_h264_if.c | 5 +- drivers/media/usb/dvb-usb/dib0700_devices.c | 18 ++- drivers/media/usb/dvb-usb/dw2102.c | 120 +++++++++++-------- drivers/media/usb/s2255/s2255drv.c | 20 ++-- drivers/mtd/nand/raw/nand_base.c | 68 ++++++----- drivers/mtd/nand/raw/rockchip-nand-controller.c | 6 +- drivers/net/bonding/bond_options.c | 6 +- drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 + drivers/net/dsa/mv88e6xxx/chip.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 2 +- drivers/net/ethernet/intel/e1000e/netdev.c | 132 ++++++++++----------- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 + .../mellanox/mlx5/core/esw/acl/ingress_ofld.c | 37 ++++-- .../net/ethernet/mellanox/mlxsw/core_linecards.c | 1 + .../ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 2 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 1 + drivers/net/ntb_netdev.c | 2 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +- drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- .../net/wireless/mediatek/mt76/mt7996/debugfs.c | 5 + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 +- drivers/net/wireless/microchip/wilc1000/hif.c | 3 +- drivers/nfc/virtual_ncidev.c | 4 + drivers/nvme/host/multipath.c | 2 +- drivers/nvme/host/pci.c | 3 +- drivers/nvme/target/core.c | 9 ++ drivers/platform/x86/toshiba_acpi.c | 31 +++-- drivers/platform/x86/touchscreen_dmi.c | 36 ++++++ drivers/s390/crypto/pkey_api.c | 4 +- drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++ drivers/scsi/qedf/qedf_io.c | 6 +- drivers/spi/spi-cadence-xspi.c | 20 +++- drivers/thermal/mediatek/lvts_thermal.c | 2 + drivers/tty/serial/imx.c | 2 +- drivers/usb/host/xhci-ring.c | 5 +- drivers/vhost/scsi.c | 17 ++- drivers/vhost/vhost.c | 118 ++++++++++++++---- drivers/vhost/vhost.h | 2 + fs/btrfs/block-group.c | 13 +- fs/btrfs/scrub.c | 2 +- fs/f2fs/f2fs.h | 12 +- fs/f2fs/super.c | 27 +++-- fs/f2fs/sysfs.c | 14 ++- fs/jffs2/super.c | 1 + fs/nilfs2/alloc.c | 18 ++- fs/nilfs2/alloc.h | 4 +- fs/nilfs2/dat.c | 2 +- fs/nilfs2/dir.c | 6 + fs/nilfs2/ifile.c | 7 +- fs/nilfs2/nilfs.h | 10 +- fs/nilfs2/the_nilfs.c | 6 + fs/nilfs2/the_nilfs.h | 2 +- fs/ntfs3/xattr.c | 5 +- fs/orangefs/super.c | 3 +- include/kunit/try-catch.h | 3 - include/linux/fsnotify.h | 8 +- include/linux/lsm_hook_defs.h | 2 +- include/linux/mutex.h | 27 +++++ include/linux/phy.h | 2 +- include/linux/sched/vhost_task.h | 3 +- include/linux/security.h | 5 +- include/uapi/linux/cn_proc.h | 3 +- kernel/auditfilter.c | 5 +- kernel/cpu.c | 3 + kernel/dma/map_benchmark.c | 3 + kernel/exit.c | 2 + kernel/kthread.c | 1 + kernel/locking/mutex-debug.c | 12 ++ kernel/vhost_task.c | 53 ++++++--- lib/kunit/try-catch.c | 22 ++-- mm/page-writeback.c | 32 ++++- net/bluetooth/hci_conn.c | 15 ++- net/bluetooth/hci_event.c | 26 +++- net/bluetooth/iso.c | 3 +- net/core/datagram.c | 19 ++- net/ipv4/inet_diag.c | 2 + net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_metrics.c | 1 + net/mac802154/main.c | 14 ++- net/netfilter/nf_tables_api.c | 3 +- net/sctp/socket.c | 7 +- scripts/link-vmlinux.sh | 2 +- security/apparmor/audit.c | 6 +- security/apparmor/include/audit.h | 2 +- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_policy.c | 15 ++- security/security.c | 6 +- security/selinux/include/audit.h | 4 +- security/selinux/ss/services.c | 5 +- security/smack/smack_lsm.c | 4 +- sound/core/ump.c | 8 ++ sound/pci/hda/patch_realtek.c | 9 ++ tools/lib/bpf/bpf_core_read.h | 1 + tools/power/x86/turbostat/turbostat.c | 10 +- .../selftests/bpf/prog_tests/dummy_st_ops.c | 34 +++++- .../selftests/bpf/progs/dummy_st_ops_success.c | 15 ++- tools/testing/selftests/net/gro.c | 3 + tools/testing/selftests/net/ip_local_port_range.c | 2 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 2 +- tools/testing/selftests/net/msg_zerocopy.c | 14 ++- 170 files changed, 1283 insertions(+), 570 deletions(-)

8 months

16
160
0 0

+ alloc_tag-fix-allocation-tag-reporting-when-config_modules=n.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: alloc_tag: fix allocation tag reporting when CONFIG_MODULES=n has been added to the -mm mm-hotfixes-unstable branch. Its filename is alloc_tag-fix-allocation-tag-reporting-when-config_modules=n.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: alloc_tag: fix allocation tag reporting when CONFIG_MODULES=n Date: Wed, 28 Aug 2024 16:15:36 -0700 codetag_module_init() is used to initialize sections containing allocation tags. This function is used to initialize module sections as well as core kernel sections, in which case the module parameter is set to NULL. This function has to be called even when CONFIG_MODULES=n to initialize core kernel allocation tag sections. When CONFIG_MODULES=n, this function is a NOP, which is wrong. This leads to /proc/allocinfo reported as empty. Fix this by making it independent of CONFIG_MODULES. Link: https://lkml.kernel.org/r/20240828231536.1770519-1-surenb@google.com Fixes: 916cc5167cc6 ("lib: code tagging framework") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: Sourav Panda <souravpanda(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [6.10+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/codetag.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) --- a/lib/codetag.c~alloc_tag-fix-allocation-tag-reporting-when-config_modules=n +++ a/lib/codetag.c @@ -125,7 +125,6 @@ static inline size_t range_size(const st cttype->desc.tag_size; } -#ifdef CONFIG_MODULES static void *get_symbol(struct module *mod, const char *prefix, const char *name) { DECLARE_SEQ_BUF(sb, KSYM_NAME_LEN); @@ -155,6 +154,15 @@ static struct codetag_range get_section_ }; } +static const char *get_mod_name(__maybe_unused struct module *mod) +{ +#ifdef CONFIG_MODULES + if (mod) + return mod->name; +#endif + return "(built-in)"; +} + static int codetag_module_init(struct codetag_type *cttype, struct module *mod) { struct codetag_range range; @@ -164,8 +172,7 @@ static int codetag_module_init(struct co range = get_section_range(mod, cttype->desc.section); if (!range.start || !range.stop) { pr_warn("Failed to load code tags of type %s from the module %s\n", - cttype->desc.section, - mod ? mod->name : "(built-in)"); + cttype->desc.section, get_mod_name(mod)); return -EINVAL; } @@ -199,6 +206,7 @@ static int codetag_module_init(struct co return 0; } +#ifdef CONFIG_MODULES void codetag_load_module(struct module *mod) { struct codetag_type *cttype; @@ -248,9 +256,6 @@ bool codetag_unload_module(struct module return unload_ok; } - -#else /* CONFIG_MODULES */ -static int codetag_module_init(struct codetag_type *cttype, struct module *mod) { return 0; } #endif /* CONFIG_MODULES */ struct codetag_type * _ Patches currently in -mm which might be from surenb(a)google.com are alloc_tag-fix-allocation-tag-reporting-when-config_modules=n.patch

8 months

1
0
0 0

+ mm-vmalloc-optimize-vmap_lazy_nr-arithmetic-when-purging-each-vmap_area.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: vmalloc: optimize vmap_lazy_nr arithmetic when purging each vmap_area has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vmalloc-optimize-vmap_lazy_nr-arithmetic-when-purging-each-vmap_area.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Adrian Huang <ahuang12(a)lenovo.com> Subject: mm: vmalloc: optimize vmap_lazy_nr arithmetic when purging each vmap_area Date: Thu, 29 Aug 2024 21:06:33 +0800 When running the vmalloc stress on a 448-core system, observe the average latency of purge_vmap_node() is about 2 seconds by using the eBPF/bcc 'funclatency.py' tool [1]. # /your-git-repo/bcc/tools/funclatency.py -u purge_vmap_node & pid1=$! && sleep 8 && modprobe test_vmalloc nr_threads=$(nproc) run_test_mask=0x7; kill -SIGINT $pid1 usecs : count distribution 0 -> 1 : 0 | | 2 -> 3 : 29 | | 4 -> 7 : 19 | | 8 -> 15 : 56 | | 16 -> 31 : 483 |**** | 32 -> 63 : 1548 |************ | 64 -> 127 : 2634 |********************* | 128 -> 255 : 2535 |********************* | 256 -> 511 : 1776 |************** | 512 -> 1023 : 1015 |******** | 1024 -> 2047 : 573 |**** | 2048 -> 4095 : 488 |**** | 4096 -> 8191 : 1091 |********* | 8192 -> 16383 : 3078 |************************* | 16384 -> 32767 : 4821 |****************************************| 32768 -> 65535 : 3318 |*************************** | 65536 -> 131071 : 1718 |************** | 131072 -> 262143 : 2220 |****************** | 262144 -> 524287 : 1147 |********* | 524288 -> 1048575 : 1179 |********* | 1048576 -> 2097151 : 822 |****** | 2097152 -> 4194303 : 906 |******* | 4194304 -> 8388607 : 2148 |***************** | 8388608 -> 16777215 : 4497 |************************************* | 16777216 -> 33554431 : 289 |** | avg = 2041714 usecs, total: 78381401772 usecs, count: 38390 The worst case is over 16-33 seconds, so soft lockup is triggered [2]. [Root Cause] 1) Each purge_list has the long list. The following shows the number of vmap_area is purged. crash> p vmap_nodes vmap_nodes = $27 = (struct vmap_node *) 0xff2de5a900100000 crash> vmap_node 0xff2de5a900100000 128 | grep nr_purged nr_purged = 663070 ... nr_purged = 821670 nr_purged = 692214 nr_purged = 726808 ... 2) atomic_long_sub() employs the 'lock' prefix to ensure the atomic operation when purging each vmap_area. However, the iteration is over 600000 vmap_area (See 'nr_purged' above). Here is objdump output: $ objdump -D vmlinux ffffffff813e8c80 <purge_vmap_node>: ... ffffffff813e8d70: f0 48 29 2d 68 0c bb lock sub %rbp,0x2bb0c68(%rip) ... Quote from "Instruction tables" pdf file [3]: Instructions with a LOCK prefix have a long latency that depends on cache organization and possibly RAM speed. If there are multiple processors or cores or direct memory access (DMA) devices, then all locked instructions will lock a cache line for exclusive access, which may involve RAM access. A LOCK prefix typically costs more than a hundred clock cycles, even on single-processor systems. That's why the latency of purge_vmap_node() dramatically increases on a many-core system: One core is busy on purging each vmap_area of the *long* purge_list and executing atomic_long_sub() for each vmap_area, while other cores free vmalloc allocations and execute atomic_long_add_return() in free_vmap_area_noflush(). [Solution] Employ a local variable to record the total purged pages, and execute atomic_long_sub() after the traversal of the purge_list is done. The experiment result shows the latency improvement is 99%. [Experiment Result] 1) System Configuration: Three servers (with HT-enabled) are tested. * 72-core server: 3rd Gen Intel Xeon Scalable Processor*1 * 192-core server: 5th Gen Intel Xeon Scalable Processor*2 * 448-core server: AMD Zen 4 Processor*2 2) Kernel Config * CONFIG_KASAN is disabled 3) The data in column "w/o patch" and "w/ patch" * Unit: micro seconds (us) * Each data is the average of 3-time measurements System w/o patch (us) w/ patch (us) Improvement (%) --------------- -------------- ------------- ------------- 72-core server 2194 14 99.36% 192-core server 143799 1139 99.21% 448-core server 1992122 6883 99.65% [1] https://github.com/iovisor/bcc/blob/master/tools/funclatency.py [2] https://gist.github.com/AdrianHuang/37c15f67b45407b83c2d32f918656c12 [3] https://www.agner.org/optimize/instruction_tables.pdf Link: https://lkml.kernel.org/r/20240829130633.2184-1-ahuang12@lenovo.com Signed-off-by: Adrian Huang <ahuang12(a)lenovo.com> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/mm/vmalloc.c~mm-vmalloc-optimize-vmap_lazy_nr-arithmetic-when-purging-each-vmap_area +++ a/mm/vmalloc.c @@ -2191,6 +2191,7 @@ static void purge_vmap_node(struct work_ { struct vmap_node *vn = container_of(work, struct vmap_node, purge_work); + unsigned long nr_purged_pages = 0; struct vmap_area *va, *n_va; LIST_HEAD(local_list); @@ -2208,7 +2209,7 @@ static void purge_vmap_node(struct work_ kasan_release_vmalloc(orig_start, orig_end, va->va_start, va->va_end); - atomic_long_sub(nr, &vmap_lazy_nr); + nr_purged_pages += nr; vn->nr_purged++; if (is_vn_id_valid(vn_id) && !vn->skip_populate) @@ -2219,6 +2220,8 @@ static void purge_vmap_node(struct work_ list_add(&va->list, &local_list); } + atomic_long_sub(nr_purged_pages, &vmap_lazy_nr); + reclaim_list_global(&local_list); } _ Patches currently in -mm which might be from ahuang12(a)lenovo.com are mm-vmalloc-optimize-vmap_lazy_nr-arithmetic-when-purging-each-vmap_area.patch mm-vmalloc-combine-all-tlb-flush-operations-of-kasan-shadow-virtual-address-into-one-operation.patch

8 months

1
0
0 0

[PATCH] dma-buf: heaps: Fix off-by-one in CMA heap fault handler

by T.J. Mercier

Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps: Don't track CMA dma-buf pages under RssFile") it was possible to obtain a mapping larger than the buffer size via mremap and bypass the overflow check in dma_buf_mmap_internal. When using such a mapping to attempt to fault past the end of the buffer, the CMA heap fault handler also checks the fault offset against the buffer size, but gets the boundary wrong by 1. Fix the boundary check so that we don't read off the end of the pages array and insert an arbitrary page in the mapping. Reported-by: Xingyu Jin <xingyuj(a)google.com> Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation") Cc: stable(a)vger.kernel.org # Applicable >= 5.10. Needs adjustments only for 5.10. Signed-off-by: T.J. Mercier <tjmercier(a)google.com> --- drivers/dma-buf/heaps/cma_heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/heaps/cma_heap.c b/drivers/dma-buf/heaps/cma_heap.c index c384004b918e..93be88b805fe 100644 --- a/drivers/dma-buf/heaps/cma_heap.c +++ b/drivers/dma-buf/heaps/cma_heap.c @@ -165,7 +165,7 @@ static vm_fault_t cma_heap_vm_fault(struct vm_fault *vmf) struct vm_area_struct *vma = vmf->vma; struct cma_heap_buffer *buffer = vma->vm_private_data; - if (vmf->pgoff > buffer->pagecount) + if (vmf->pgoff >= buffer->pagecount) return VM_FAULT_SIGBUS; return vmf_insert_pfn(vma, vmf->address, page_to_pfn(buffer->pages[vmf->pgoff])); -- 2.46.0.469.g59c65b2a67-goog

8 months

2
1
0 0

[PATCH net 12/13] can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open

by Marc Kleine-Budde

From: Simon Arlott <simon(a)octiron.net> The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() <interrupt> mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running. Fixes: 8ce8c0abcba3 ("can: mcp251x: only reset hardware as required") Signed-off-by: Simon Arlott <simon(a)octiron.net> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/4fc08687-1d80-43fe-9f0d-8ef8475e75f6@0882a8b5-c… Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/spi/mcp251x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c index 3b8736ff0345..ec5c64006a16 100644 --- a/drivers/net/can/spi/mcp251x.c +++ b/drivers/net/can/spi/mcp251x.c @@ -752,7 +752,7 @@ static int mcp251x_hw_wake(struct spi_device *spi) int ret; /* Force wakeup interrupt to wake device, but don't execute IST */ - disable_irq(spi->irq); + disable_irq_nosync(spi->irq); mcp251x_write_2regs(spi, CANINTE, CANINTE_WAKIE, CANINTF_WAKIF); /* Wait for oscillator startup timer after wake up */ -- 2.45.2

8 months

1
0
0 0

[PATCH V3 net] net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup

by Souradeep Chakrabarti

Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? skb_dequeue+0x5f/0x80 Cc: stable(a)vger.kernel.org Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ") Signed-off-by: Souradeep Chakrabarti <schakrabarti(a)linux.microsoft.com> Reviewed-by: Haiyang Zhang <haiyangz(a)microsoft.com> Reviewed-by: Shradha Gupta <shradhagupta(a)linux.microsoft.com> --- V3 -> V2: Instead of using napi internal attribute, using an atomic attribute to verify napi is initialized for a particular txq / rxq. V2 -> V1: Addressed the comment on cleaning up napi for the queues, where queue creation was successful. --- drivers/net/ethernet/microsoft/mana/mana_en.c | 30 ++++++++++++------- include/net/mana/mana.h | 4 +++ 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c index 39f56973746d..bd303c89cfa6 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -1872,10 +1872,12 @@ static void mana_destroy_txq(struct mana_port_context *apc) for (i = 0; i < apc->num_queues; i++) { napi = &apc->tx_qp[i].tx_cq.napi; - napi_synchronize(napi); - napi_disable(napi); - netif_napi_del(napi); - + if (atomic_read(&apc->tx_qp[i].txq.napi_initialized)) { + napi_synchronize(napi); + napi_disable(napi); + netif_napi_del(napi); + atomic_set(&apc->tx_qp[i].txq.napi_initialized, 0); + } mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object); mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq); @@ -1931,6 +1933,7 @@ static int mana_create_txq(struct mana_port_context *apc, txq->ndev = net; txq->net_txq = netdev_get_tx_queue(net, i); txq->vp_offset = apc->tx_vp_offset; + atomic_set(&txq->napi_initialized, 0); skb_queue_head_init(&txq->pending_skbs); memset(&spec, 0, sizeof(spec)); @@ -1997,6 +2000,7 @@ static int mana_create_txq(struct mana_port_context *apc, netif_napi_add_tx(net, &cq->napi, mana_poll); napi_enable(&cq->napi); + atomic_set(&txq->napi_initialized, 1); mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT); } @@ -2023,14 +2027,18 @@ static void mana_destroy_rxq(struct mana_port_context *apc, napi = &rxq->rx_cq.napi; - if (validate_state) - napi_synchronize(napi); + if (atomic_read(&rxq->napi_initialized)) { - napi_disable(napi); + if (validate_state) + napi_synchronize(napi); - xdp_rxq_info_unreg(&rxq->xdp_rxq); + napi_disable(napi); - netif_napi_del(napi); + netif_napi_del(napi); + atomic_set(&rxq->napi_initialized, 0); + } + + xdp_rxq_info_unreg(&rxq->xdp_rxq); mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj); @@ -2199,6 +2207,7 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc, rxq->num_rx_buf = RX_BUFFERS_PER_QUEUE; rxq->rxq_idx = rxq_idx; rxq->rxobj = INVALID_MANA_HANDLE; + atomic_set(&rxq->napi_initialized, 0); mana_get_rxbuf_cfg(ndev->mtu, &rxq->datasize, &rxq->alloc_size, &rxq->headroom); @@ -2286,6 +2295,8 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc, napi_enable(&cq->napi); + atomic_set(&rxq->napi_initialized, 1); + mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT); out: if (!err) @@ -2336,7 +2347,6 @@ static void mana_destroy_vport(struct mana_port_context *apc) rxq = apc->rxqs[rxq_idx]; if (!rxq) continue; - mana_destroy_rxq(apc, rxq, true); apc->rxqs[rxq_idx] = NULL; } diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h index 7caa334f4888..be75abd63dc8 100644 --- a/include/net/mana/mana.h +++ b/include/net/mana/mana.h @@ -98,6 +98,8 @@ struct mana_txq { atomic_t pending_sends; + atomic_t napi_initialized; + struct mana_stats_tx stats; }; @@ -335,6 +337,8 @@ struct mana_rxq { bool xdp_flush; int xdp_rc; /* XDP redirect return code */ + atomic_t napi_initialized; + struct page_pool *page_pool; /* MUST BE THE LAST MEMBER: -- 2.34.1

8 months

3
4
0 0

[PATCH] powerpc/5200: handle irq_of_parse_and_map() errors

by Ma Ke

Zero and negative number is not a valid IRQ for in-kernel code and the irq_of_parse_and_map() function returns zero on error. So this check for valid IRQs should only accept values > 0. Cc: stable(a)vger.kernel.org Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/spi/spi-mpc52xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index d5ac60c135c2..b49155a25694 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -472,7 +472,7 @@ static int mpc52xx_spi_probe(struct platform_device *op) INIT_WORK(&ms->work, mpc52xx_spi_wq); /* Decide if interrupts can be used */ - if (ms->irq0 && ms->irq1) { + if (ms->irq0 > 0 && ms->irq1 > 0) { rc = request_irq(ms->irq0, mpc52xx_spi_irq, 0, "mpc5200-spi-modf", ms); rc |= request_irq(ms->irq1, mpc52xx_spi_irq, 0, -- 2.25.1

8 months, 1 week

1
0
0 0

[PATCH] ice: Fix possible double free in error handling path

by Ma Ke

When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function adev_release calls kfree(iadev). We shouldn't call kfree(iadev) again in the error handling path. Set 'iadev' to NULL. Cc: stable(a)vger.kernel.org Fixes: f9f5301e7e2d ("ice: Register auxiliary device to provide RDMA") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/ethernet/intel/ice/ice_idc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/intel/ice/ice_idc.c b/drivers/net/ethernet/intel/ice/ice_idc.c index 145b27f2a4ce..5db05f54a80c 100644 --- a/drivers/net/ethernet/intel/ice/ice_idc.c +++ b/drivers/net/ethernet/intel/ice/ice_idc.c @@ -330,6 +330,7 @@ int ice_plug_aux_dev(struct ice_pf *pf) return ret; } + iadev = NULL; ret = auxiliary_device_add(adev); if (ret) { auxiliary_device_uninit(adev); -- 2.25.1

8 months, 1 week

2
1
0 0

[PATCH] drm/amd/display: Add null check before access structs in dcn32_enable_phantom_plane

by Ma Ke

In dcn32_enable_phantom_plane, we should better check null pointer before accessing various structs. Cc: stable(a)vger.kernel.org Fixes: 235c67634230 ("drm/amd/display: add DCN32/321 specific files for Display Core") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c index 969658313fd6..1d1b40d22f42 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c @@ -1650,6 +1650,8 @@ static void dcn32_enable_phantom_plane(struct dc *dc, phantom_plane = prev_phantom_plane; else phantom_plane = dc_state_create_phantom_plane(dc, context, curr_pipe->plane_state); + if (!phantom_plane) + return; memcpy(&phantom_plane->address, &curr_pipe->plane_state->address, sizeof(phantom_plane->address)); memcpy(&phantom_plane->scaling_quality, &curr_pipe->plane_state->scaling_quality, -- 2.25.1

8 months, 1 week

1
0
0 0

[PATCH 0/4] soc: versatile: fixes and compile test

by Krzysztof Kozlowski

Hi, Three fixes for unbinding and error paths. Enable also compile testing as cherry on top. Best regards, Krzysztof --- Krzysztof Kozlowski (4): soc: versatile: integrator: fix OF node leak in probe() error path soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove soc: versatile: enable compile testing drivers/soc/Makefile | 2 +- drivers/soc/versatile/Kconfig | 4 ++-- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 ++++++++++++++++---- 4 files changed, 20 insertions(+), 7 deletions(-) --- base-commit: 80a76294855640056006e29988f99d46438dcd2b change-id: 20240825-soc-dev-fixes-ec0889be8379 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

8 months, 1 week

2
3
0 0

[PATCH 5.10/5.15] net:rds: Fix possible deadlock in rds_message_put

by gerben＠altlinux.org

From: Allison Henderson <allison.henderson(a)oracle.com> commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream. Functions rds_still_queued and rds_clear_recv_queue lock a given socket in order to safely iterate over the incoming rds messages. However calling rds_inc_put while under this lock creates a potential deadlock. rds_inc_put may eventually call rds_message_purge, which will lock m_rs_lock. This is the incorrect locking order since m_rs_lock is meant to be locked before the socket. To fix this, we move the message item to a local list or variable that wont need rs_recv_lock protection. Then we can safely call rds_inc_put on any item stored locally after rs_recv_lock is released. Fixes: bdbe6fbc6a2f ("RDS: recv.c") Reported-by: syzbot+f9db6ff27b9bfdcfeca0(a)syzkaller.appspotmail.com Reported-by: syzbot+dcd73ff9291e6d34b3ab(a)syzkaller.appspotmail.com Signed-off-by: Allison Henderson <allison.henderson(a)oracle.com> Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Denis Rastyogin <gerben(a)altlinux.org> --- net/rds/recv.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/rds/recv.c b/net/rds/recv.c index 967d115f97ef..f570d64367a4 100644 --- a/net/rds/recv.c +++ b/net/rds/recv.c @@ -424,6 +424,7 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc, struct sock *sk = rds_rs_to_sk(rs); int ret = 0; unsigned long flags; + struct rds_incoming *to_drop = NULL; write_lock_irqsave(&rs->rs_recv_lock, flags); if (!list_empty(&inc->i_item)) { @@ -434,11 +435,14 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc, -be32_to_cpu(inc->i_hdr.h_len), inc->i_hdr.h_dport); list_del_init(&inc->i_item); - rds_inc_put(inc); + to_drop = inc; } } write_unlock_irqrestore(&rs->rs_recv_lock, flags); + if (to_drop) + rds_inc_put(to_drop); + rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop); return ret; } @@ -761,16 +765,21 @@ void rds_clear_recv_queue(struct rds_sock *rs) struct sock *sk = rds_rs_to_sk(rs); struct rds_incoming *inc, *tmp; unsigned long flags; + LIST_HEAD(to_drop); write_lock_irqsave(&rs->rs_recv_lock, flags); list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) { rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong, -be32_to_cpu(inc->i_hdr.h_len), inc->i_hdr.h_dport); + list_move(&inc->i_item, &to_drop); + } + write_unlock_irqrestore(&rs->rs_recv_lock, flags); + + list_for_each_entry_safe(inc, tmp, &to_drop, i_item) { list_del_init(&inc->i_item); rds_inc_put(inc); } - write_unlock_irqrestore(&rs->rs_recv_lock, flags); } /* -- 2.42.2

8 months, 1 week

1
1
0 0

[PATCH 5.10 0/1] Fix CVE-2020-16120

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/CVE-2020-16120

8 months, 1 week

2
2
0 0

[PATCH 4.19 0/1] Fix CVE-2023-52435

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/CVE-2023-52435

8 months, 1 week

2
2
0 0

[PATCH 4.19 0/1] Fix CVE-2023-6915

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/CVE-2023-6915

8 months, 1 week

2
2
0 0

[PATCH 4.19 0/2] Fix CVE-2021-33655

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/CVE-2021-33655

8 months, 1 week

2
3
0 0

[PATCH 4.19 0/1] Fix CVE-2021-3759

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/cve-2021-3759

8 months, 1 week

2
2
0 0

[PATCH v5.10-v5.15] cgroup/cpuset: Prevent UAF in proc_cpuset_show()

by Shivani Agarwal

From: Chen Ridong <chenridong(a)huawei.com> [ Upstream commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a ] An UAF can happen when /proc/cpuset is read as reported in [1]. This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgroup_lock In the cgroup_path_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly. The race that cause this bug can be shown as below: (umount) | (cat /proc/<pid>/cpuset) css_release | proc_cpuset_show css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); cgroup_destroy_root | mutex_lock(&cgroup_mutex); rebind_subsystems | cgroup_free_root | | // cgrp was freed, UAF | cgroup_path_ns_locked(cgrp,..); When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed. Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css. [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") Signed-off-by: Chen Ridong <chenridong(a)huawei.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- kernel/cgroup/cpuset.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index 9f2a93c82..731547a0d 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -22,6 +22,7 @@ * distribution for more details. */ +#include "cgroup-internal.h" #include <linux/cpu.h> #include <linux/cpumask.h> #include <linux/cpuset.h> @@ -3725,10 +3726,14 @@ int proc_cpuset_show(struct seq_file *m, struct pid_namespace *ns, if (!buf) goto out; - css = task_get_css(tsk, cpuset_cgrp_id); - retval = cgroup_path_ns(css->cgroup, buf, PATH_MAX, - current->nsproxy->cgroup_ns); - css_put(css); + rcu_read_lock(); + spin_lock_irq(&css_set_lock); + css = task_css(tsk, cpuset_cgrp_id); + retval = cgroup_path_ns_locked(css->cgroup, buf, PATH_MAX, + current->nsproxy->cgroup_ns); + spin_unlock_irq(&css_set_lock); + rcu_read_unlock(); + if (retval >= PATH_MAX) retval = -ENAMETOOLONG; if (retval < 0) -- 2.39.4

8 months, 1 week

2
1
0 0

[PATCH] drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check

by Ma Ke

The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. Cc: stable(a)vger.kernel.org Fixes: dd86dc2f9ae1 ("drm/sti: implement atomic_check for the planes") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/sti/sti_gdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/sti/sti_gdp.c b/drivers/gpu/drm/sti/sti_gdp.c index 43c72c2604a0..f046f5f7ad25 100644 --- a/drivers/gpu/drm/sti/sti_gdp.c +++ b/drivers/gpu/drm/sti/sti_gdp.c @@ -638,6 +638,9 @@ static int sti_gdp_atomic_check(struct drm_plane *drm_plane, mixer = to_sti_mixer(crtc); crtc_state = drm_atomic_get_crtc_state(state, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); + mode = &crtc_state->mode; dst_x = new_plane_state->crtc_x; dst_y = new_plane_state->crtc_y; -- 2.25.1

8 months, 1 week

1
0
0 0

[PATCH 5.10 000/317] 5.10.219-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.219 release. There are 317 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 15 Jun 2024 11:31:50 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.219-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.219-rc1 Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix CQ and QP cache affinity Yangyang Li <liyangyang20(a)huawei.com> RDMA/hns: Use mutex instead of spinlock for ida allocation Chao Yu <chao(a)kernel.org> f2fs: compress: fix compression chksum Neil Armstrong <neil.armstrong(a)linaro.org> scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5 Anna Schumaker <Anna.Schumaker(a)Netapp.com> NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS Sergey Shtylyov <s.shtylyov(a)omp.ru> nfs: fix undefined behavior in nfs_block_bits() Harald Freudenberger <freude(a)linux.ibm.com> s390/ap: Fix crash in AP internal function modify_bitmap() Baokun Li <libaokun1(a)huawei.com> ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() Mike Gilbert <floppym(a)gentoo.org> sparc: move struct termio to asm/termios.h Eric Dumazet <edumazet(a)google.com> net: fix __dst_negative_advice() race Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Use format-specifiers rather than memset() for padding in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Merge identical case statements in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Fix console handling when editing and tab-completing commands Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Use format-strings rather than '\0' injection in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Fix buffer overflow during tab-complete Judith Mendez <jm(a)ti.com> watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin Sam Ravnborg <sam(a)ravnborg.org> sparc64: Fix number of online CPUs Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Meteor Lake-S CPU support Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net/9p: fix uninit-value in p9_client_rpc() xu xin <xu.xin16(a)zte.com.cn> net/ipv6: Fix route deleting failure when metric equals 0 Herbert Xu <herbert(a)gondor.apana.org.au> crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Vitaly Chikunov <vt(a)altlinux.org> crypto: ecrdsa - Fix module auto-load on add_key Marc Zyngier <maz(a)kernel.org> KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode Cai Xinchen <caixinchen1(a)huawei.com> fbdev: savage: Handle err return when savagefb_check_var failed Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Sort DMI quirks alphabetically Hans de Goede <hdegoede(a)redhat.com> mmc: core: Add mmc_gpiod_set_cd_config() function Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: v4l2-core: hold videodev_lock until dev reg, finishes Nathan Chancellor <nathan(a)kernel.org> media: mxl5xx: Move xpt structures off stack Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: mc: mark the media devnode as registered from the, start Yang Xiwen <forbidden405(a)outlook.com> arm64: dts: hi3798cv200: fix the size of GICR Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU Yu Kuai <yukuai3(a)huawei.com> md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: qcs404: fix bluetooth device address Krzysztof Kozlowski <krzk(a)kernel.org> arm64: tegra: Correct Tegra132 I2C alias Christoffer Sandberg <cs(a)tuxedo.de> ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx Sergey Shtylyov <s.shtylyov(a)omp.ru> ata: pata_legacy: make legacy_exit() work again Bob Zhou <bob.zhou(a)amd.com> drm/amdgpu: add error handle to avoid out-of-bounds Zheyu Ma <zheyuma97(a)gmail.com> media: lgdt3306a: Add a check against null-pointer-def Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() Ziyang Xuan <william.xuanziyang(a)huawei.com> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV Linus Torvalds <torvalds(a)linux-foundation.org> x86/mm: Remove broken vsyscall emulation code from the page fault code Daniel Borkmann <daniel(a)iogearbox.net> vxlan: Fix regression when dropping packets due to invalid src addresses Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix use-after-free of timer for log writer thread Marc Dionne <marc.dionne(a)auristor.com> afs: Don't cross .backup mountpoint from backup volume Ming Lei <ming.lei(a)redhat.com> io_uring: fail NOP if non-zero op flags is passed in Jorge Ramirez-Ortiz <jorge(a)foundries.io> mmc: core: Do not force a retune before RPMB switch Carlos Llamas <cmllamas(a)google.com> binder: fix max_thread type inconsistency Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix loop termination condition in gss_free_in_token_pages() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: core: add adap_nb_transmit_canceled() callback Dongli Zhang <dongli.zhang(a)oracle.com> genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Set lower bound of start tick time Guenter Roeck <linux(a)roeck-us.net> hwmon: (shtc1) Fix property misspelling Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/uaccess: Use asm goto for get_user when compiler supports it Yue Haibing <yuehaibing(a)huawei.com> ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> spi: stm32: Don't warn about spurious interrupts Masahiro Yamada <masahiroy(a)kernel.org> kconfig: fix comparison to constant symbols, 'm', 'n' Florian Westphal <fw(a)strlen.de> netfilter: tproxy: bail out if IP has been disabled on the device Xiaolei Wang <xiaolei.wang(a)windriver.com> net:fec: Add fec_enet_deinit() Jakub Sitnicki <jakub(a)cloudflare.com> bpf: Allow delete from sockmap/sockhash only if update is allowed Parthiban Veerasooran <Parthiban.Veerasooran(a)microchip.com> net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM Roded Zats <rzats(a)paloaltonetworks.com> enic: Validate length of nl attributes in enic_set_vf_port Friedrich Vock <friedrich.vock(a)gmx.de> bpf: Fix potential integer overflow in resolve_btfids Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> dma-buf/sw-sync: don't enable IRQ from sync_print_obj() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion Sagi Grimberg <sagi(a)grimberg.me> nvmet: fix ns enable/disable possible hang Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: Don't mark message DMA mapped when no transfer in it is Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: restore vlan q-in-q match support Eric Dumazet <edumazet(a)google.com> netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() Ryosuke Yasuoka <ryasuoka(a)redhat.com> nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> nfc: nci: Fix kcov check in nci_rx_work() Dae R. Jeong <threeearcat(a)gmail.com> tls: fix missing memory barrier in tls_init Wei Fang <wei.fang(a)nxp.com> net: fec: avoid lock evasion when reading pps_enable Matthew Bystrin <dev.mbstr(a)gmail.com> riscv: stacktrace: fixed walk_stackframe() Guo Ren <guoren(a)linux.alibaba.com> riscv: stacktrace: Make walk_stackframe cross pt_regs frame Kefeng Wang <wangkefeng.wang(a)huawei.com> riscv: Cleanup stacktrace Jiri Pirko <jiri(a)nvidia.com> virtio: delete vq in vp_find_vqs_msix() when request_irq() fails Jiangfeng Xiao <xiaojiangfeng(a)huawei.com> arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY Aaron Conole <aconole(a)redhat.com> openvswitch: Set the skbuff pkt_type for proper pmtud support. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). Sagi Grimberg <sagi(a)grimberg.me> params: lift param_set_uint_minmax to common code Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: fix memleak in seg6_hmac_init_algo Dan Aloni <dan.aloni(a)vastdata.com> rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL Dan Aloni <dan.aloni(a)vastdata.com> sunrpc: fix NFSACL RPC retry on soft mount Shenghao Ding <shenghao-ding(a)ti.com> ASoC: tas2552: Add TX path for capturing AUDIO-OUT data Ryosuke Yasuoka <ryasuoka(a)redhat.com> nfc: nci: Fix uninit-value in nci_rx_work Masahiro Yamada <masahiroy(a)kernel.org> x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y Matti Vaittinen <mazziesaccount(a)gmail.com> regulator: bd71828: Don't overwrite runtime voltages Zhu Yanjun <yanjun.zhu(a)linux.dev> null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: core: avoid confusing "transmit timed out" message Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: core: avoid recursive cec_claim_log_addrs Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec-adap.c: drop activate_cnt, use state info instead Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: use call_op and check for !unregistered Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: correctly pass on reply results Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: abort if the current transmit was canceled Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: call enable_adap on s_log_addrs Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: fix a deadlock situation Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: core headers: fix kernel-doc warnings Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: cec-api: add locking in cec_release() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: cec-adap: always cancel work in cec_transmit_msg_fh Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix the -Wmissing-prototypes warning for __switch_mm Shrikanth Hegde <sshegde(a)linux.ibm.com> powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp Dongliang Mu <mudongliangabcd(a)gmail.com> media: flexcop-usb: fix sanity check of bNumEndpoints Johan Hovold <johan(a)kernel.org> media: flexcop-usb: clean up endpoint sanity checks Azeem Shaikh <azeemshaikh38(a)gmail.com> scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() Dan Carpenter <dan.carpenter(a)linaro.org> media: stk1160: fix bounds checking in stk1160_copy_video() Michael Walle <mwalle(a)kernel.org> drm/bridge: tc358775: fix support for jeida-18 and jeida-24 Johannes Berg <johannes.berg(a)intel.com> um: vector: fix bpfflash parameter evaluation Roberto Sassu <roberto.sassu(a)huawei.com> um: Add winch to winch_handlers before registering winch IRQ Duoming Zhou <duoming(a)zju.edu.cn> um: Fix return value in ubd_init() Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Always flush the slave INTF on the CTL Fenglin Wu <quic_fenglinw(a)quicinc.com> Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Fix ITAPDLY for HS400 timing Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Add OTAP/ITAP delay enable Vignesh Raghavendra <vigneshr(a)ti.com> mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Write ITAPDLY for DDR52 timing Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Add tuning algorithm for delay chain Karel Balej <balejk(a)matfyz.cz> Input: ioc3kbd - add device table Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Input: ioc3kbd - convert to platform remove callback returning void Arnd Bergmann <arnd(a)arndb.de> Input: ims-pcu - fix printf string overflow Alexander Egorenkov <egorenar(a)linux.ibm.com> s390/ipl: Fix incorrect initialization of nvme dump block Alexander Egorenkov <egorenar(a)linux.ibm.com> s390/ipl: Fix incorrect initialization of len fields in nvme reipl block Ian Rogers <irogers(a)google.com> perf stat: Don't display metric header for non-leader uncore events Ian Rogers <irogers(a)google.com> libsubcmd: Fix parse-options memory leak Wolfram Sang <wsa+renesas(a)sang-engineering.com> serial: sh-sci: protect invalidating RXDMA on shutdown Chao Yu <chao(a)kernel.org> f2fs: compress: don't allow unaligned truncation on released compress inode Chao Yu <chao(a)kernel.org> f2fs: fix to release node block count in error path of f2fs_new_node_page() Chao Yu <chao(a)kernel.org> f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock Ian Rogers <irogers(a)google.com> perf report: Avoid SEGV in report__setup_sample_type() Ian Rogers <irogers(a)google.com> perf ui browser: Avoid SEGV on title Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3 Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3 Randy Dunlap <rdunlap(a)infradead.org> extcon: max8997: select IRQ_DOMAIN instead of depending on it Ian Rogers <irogers(a)google.com> perf ui browser: Don't save pointer to stack memory Ian Rogers <irogers(a)google.com> perf ui: Update use of pthread mutex yaowenbin <yaowenbin1(a)huawei.com> perf top: Fix TUI exit screen refresh race condition He Zhe <zhe.he(a)windriver.com> perf bench internals inject-build-id: Fix trap divide when collecting just one DSO Huai-Yuan Liu <qq810974084(a)gmail.com> ppdev: Add an error check in register_device Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ppdev: Remove usage of the deprecated ida_simple_xx() API Dan Carpenter <dan.carpenter(a)linaro.org> stm class: Fix a double free in stm_register_device() Chris Wulff <Chris.Wulff(a)biamp.com> usb: gadget: u_audio: Clear uac pointer when freed. Miklos Szeredi <mszeredi(a)redhat.com> ovl: remove upper umask handling from ovl_create_upper() Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix unassigned instruction op (discovered by MemorySanitizer) Michal Simek <michal.simek(a)amd.com> microblaze: Remove early printk call from cpuinfo-static.c Michal Simek <michal.simek(a)amd.com> microblaze: Remove gcc flag for non existing early_printk.c file Marco Pagani <marpagan(a)redhat.com> fpga: region: add owner module and take its refcount Russ Weight <russell.h.weight(a)intel.com> fpga: region: Use standard dev_release for class driver Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> docs: driver-api: fpga: avoid using UTF-8 chars Russ Weight <russell.h.weight(a)intel.com> fpga: region: Rename dev to parent for parent device Tom Rix <trix(a)redhat.com> fpga: region: change FPGA indirect article to an Thomas Haemmerle <thomas.haemmerle(a)leica-geosystems.com> iio: pressure: dps310: support negative temperature values Chao Yu <chao(a)kernel.org> f2fs: fix to check pinfile flag in f2fs_move_file_range() Chao Yu <chao(a)kernel.org> f2fs: fix to relocate check condition in f2fs_fallocate() Jinyoung CHOI <j-young.choi(a)samsung.com> f2fs: fix typos in comments Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: do not allow partial truncation on pinned file Chao Yu <chao(a)kernel.org> f2fs: fix to force keeping write barrier for strict fsync mode Chao Yu <chao(a)kernel.org> f2fs: add cp_error check in f2fs_write_compressed_pages Chao Yu <chao(a)kernel.org> f2fs: compress: fix to relocate check condition in f2fs_{release,reserve}_compress_blocks() Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: introduce FI_COMPRESS_RELEASED instead of using IMMUTABLE bit Chao Yu <chao(a)kernel.org> f2fs: compress: remove unneeded preallocation Chao Yu <chao(a)kernel.org> f2fs: compress: clean up parameter of __f2fs_cluster_blocks() Daeho Jeong <daehojeong(a)google.com> f2fs: add compress_mode mount option Chao Yu <chao(a)kernel.org> f2fs: compress: support chksum Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: add proper sched.h include for sched_set_fifo() Arnd Bergmann <arnd(a)arndb.de> greybus: arche-ctrl: move device table to its right location Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: max3100: Fix bitwise types Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: max3100: Update uart_driver_registered on driver removal Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: max3100: Lock port->lock when calling uart_handle_cts_change() Arnd Bergmann <arnd(a)arndb.de> firmware: dmi-id: add a release callback function Chen Ni <nichen(a)iscas.ac.cn> dmaengine: idma64: Add check for dma_set_max_seg_size Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> soundwire: cadence: fix invalid PDI offset Namhyung Kim <namhyung(a)kernel.org> perf annotate: Get rid of duplicate --group option item Martin Liška <mliska(a)suse.cz> perf annotate: Add --demangle and --demangle-kernel Chao Yu <chao(a)kernel.org> f2fs: fix to wait on page writeback in __clone_blkaddrs() Rui Miguel Silva <rmfrfs(a)gmail.com> greybus: lights: check return of get_channel_from_mode Arnaldo Carvalho de Melo <acme(a)redhat.com> perf probe: Add missing libgen.h header needed for using basename() Ian Rogers <irogers(a)google.com> perf record: Delete session after stopping sideband thread Arnaldo Carvalho de Melo <acme(a)redhat.com> perf evlist: Use the right prefix for 'struct evlist' sideband thread methods Vitalii Bursov <vitaly(a)bursov.com> sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level Eric Dumazet <edumazet(a)google.com> af_packet: do not call packet_read_pending() from tpacket_destruct_skb() Eric Dumazet <edumazet(a)google.com> netrom: fix possible dead-lock in nr_rt_ioctl() Chris Lew <quic_clew(a)quicinc.com> net: qrtr: ns: Fix module refcnt Qinglang Miao <miaoqinglang(a)huawei.com> net: qrtr: fix null-ptr-deref in qrtr_ns_remove Leon Romanovsky <leon(a)kernel.org> RDMA/IPoIB: Fix format truncation compilation errors Edward Liaw <edliaw(a)google.com> selftests/kcmp: remove unused open mode Gautam Menghani <gautammenghani201(a)gmail.com> selftests/kcmp: Make the test output consistent and clear Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix gss_free_in_token_pages() Dan Carpenter <dan.carpenter(a)linaro.org> ext4: fix potential unnitialized variable Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: remove unused parameter from ext4_mb_new_blocks_simple() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: try all groups in ext4_mb_new_blocks_simple Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: fix unit mismatch in ext4_mb_new_blocks_simple Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple Aleksandr Aprelkov <aaprelkov(a)usergate.com> sunrpc: removed redundant procp check Jan Kara <jack(a)suse.cz> ext4: avoid excessive credit estimate in ext4_tmpfile() Adrian Hunter <adrian.hunter(a)intel.com> x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map Marc Gonzalez <mgonzalez(a)freebox.fr> clk: qcom: mmcc-msm8998: fix venus clock issue Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Modify the print level of CQE error Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Use complete parentheses in macros Zhengchao Shao <shaozhengchao(a)huawei.com> RDMA/hns: Fix return value in hns_roce_map_mr_sg Wenpeng Liang <liangwenpeng(a)huawei.com> RDMA/hns: Fix incorrect symbol types Yangyang Li <liyangyang20(a)huawei.com> RDMA/hns: Create QP with selected QPN for bank load balance Xi Wang <wangxi11(a)huawei.com> RDMA/hns: Refactor the hns_roce_buf allocation flow Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/mipi-dsi: use correct return type for the DSC functions Marek Vasut <marex(a)denx.de> drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector Nícolas F. R. A. Prado <nfraprado(a)collabora.com> drm/bridge: tc358775: Don't log an error when DSI host can't be found Nícolas F. R. A. Prado <nfraprado(a)collabora.com> drm/bridge: lt9611: Don't log an error when DSI host can't be found Steven Rostedt <rostedt(a)goodmis.org> ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value Aleksandr Mishin <amishin(a)t-argos.ru> drm: vc4: Fix possible null pointer dereference Huai-Yuan Liu <qq810974084(a)gmail.com> drm/arm/malidp: fix a possible null pointer dereference Zhipeng Lu <alexious(a)zju.edu.cn> media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries Randy Dunlap <rdunlap(a)infradead.org> fbdev: sh7760fb: allow modular build Aleksandr Mishin <amishin(a)t-argos.ru> drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference Ricardo Ribalda <ribalda(a)chromium.org> media: radio-shark2: Avoid led_names truncations Aleksandr Burakov <a.burakov(a)rosalinux.ru> media: ngene: Add dvb_ca_en50221_init return value check Arnd Bergmann <arnd(a)arndb.de> fbdev: sisfb: hide unused variables Arnd Bergmann <arnd(a)arndb.de> powerpc/fsl-soc: hide unused const variable Justin Green <greenjustin(a)chromium.org> drm/mediatek: Add 0 size check to mtk_drm_gem_obj Christian Hewitt <christianshewitt(a)gmail.com> drm/meson: vclk: fix calculation of 59.94 fractional rates Arnd Bergmann <arnd(a)arndb.de> fbdev: shmobile: fix snprintf truncation Maxim Korotkov <korotkov.maxim.s(a)gmail.com> mtd: rawnand: hynix: fixed typo Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: Disable route checks for Skylake boards Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: soc-acpi: add helper to identify parent driver. Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix potential index out of bounds in color transformation function Akiva Goldberger <agoldberger(a)nvidia.com> net/mlx5: Discard command completions in internal error Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: fix invalid unregister error path Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: fix incorrect unregister order Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: add missing seg6_local_exit Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix overwriting ct original tuple for ICMPv6 Eric Dumazet <edumazet(a)google.com> net: usb: smsc95xx: stop lying about skb->truesize Breno Leitao <leitao(a)debian.org> af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Locking fixes Jakub Kicinski <kuba(a)kernel.org> eth: sungem: remove .ndo_poll_controller to avoid deadlocks gaoxingwang <gaoxingwang1(a)huawei.com> net: ipv6: fix wrong start position when receive hop-by-hop fragment Finn Thain <fthain(a)linux-m68k.org> m68k: mac: Fix reboot hang on Mac IIci Michael Schmitz <schmitzmic(a)gmail.com> m68k: Fix spinlock race in kernel thread creation Eric Dumazet <edumazet(a)google.com> net: usb: sr9700: stop lying about skb->truesize Eric Dumazet <edumazet(a)google.com> usb: aqc111: stop lying about skb->truesize Dan Carpenter <dan.carpenter(a)linaro.org> wifi: mwl8k: initialize cmd->addr[] properly Bui Quang Minh <minhquangbui99(a)gmail.com> scsi: qedf: Ensure the copied buf is NUL terminated Bui Quang Minh <minhquangbui99(a)gmail.com> scsi: bfa: Ensure the copied buf is NUL terminated Chen Ni <nichen(a)iscas.ac.cn> HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors John Hubbard <jhubbard(a)nvidia.com> selftests/binderfs: use the Makefile's rules, not Make's implicit rules Guenter Roeck <linux(a)roeck-us.net> Revert "sh: Handle calling csum_partial with misaligned data" Geert Uytterhoeven <geert+renesas(a)glider.be> sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: ar5523: enable proper endpoint verification Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: carl9170: add a proper sanity check for endpoints Finn Thain <fthain(a)linux-m68k.org> macintosh/via-macii: Fix "BUG: sleeping function called from invalid context" Eric Dumazet <edumazet(a)google.com> net: give more chances to rcu in netdev_wait_allrefs_any() Eric Dumazet <edumazet(a)google.com> tcp: avoid premature drops in tcp_add_backlog() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> wifi: ath10k: populate board data for WCN3990 Su Hui <suhui(a)nfschina.com> wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger() Ard Biesheuvel <ardb(a)kernel.org> x86/purgatory: Switch to the position-independent small code model Yuri Karpov <YKarpov(a)ispras.ru> scsi: hpsa: Fix allocation size for Scsi_Host private data Xingui Yang <yangxingui(a)huawei.com> scsi: libsas: Fix the failure of adding phy with zero-address to port Gabriel Krisman Bertazi <krisman(a)suse.de> udp: Avoid call to compute_score on multiple sites Lorenz Bauer <lmb(a)isovalent.com> net: remove duplicate reuseport_lookup functions Lorenz Bauer <lmb(a)isovalent.com> net: export inet_lookup_reuseport and inet6_lookup_reuseport Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: exit() callback is optional Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Rearrange locking in cpufreq_remove_dev() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Split cpufreq_offline() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reorganize checks in cpufreq_offline() Geliang Tang <tanggeliang(a)kylinos.cn> selftests/bpf: Fix umount cgroup2 error in test_sockmap Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix "ignore unlock failures after withdraw" Arnd Bergmann <arnd(a)arndb.de> ACPI: disable -Wstringop-truncation Zenghui Yu <yuzenghui(a)huawei.com> irqchip/loongson-pch-msi: Fix off-by-one on allocation error path Zenghui Yu <yuzenghui(a)huawei.com> irqchip/alpine-msi: Fix off-by-one in allocation error path Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: core: Perform read back after disabling interrupts Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing CGC enable Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing unipro mode Abel Vesa <abel.vesa(a)linaro.org> scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5 Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0 Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US Ziqi Chen <ziqichen(a)codeaurora.org> scsi: ufs-qcom: Fix ufs RST_n spec violation Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing reset bit Arnd Bergmann <arnd(a)arndb.de> qed: avoid truncating work queue length Guixiong Wei <weiguixiong(a)bytedance.com> x86/boot: Ignore relocations in .notes sections in walk_relocs() too Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath10k: poll service ready message before failing Yu Kuai <yukuai3(a)huawei.com> md: fix resync softlockup when bitmap size is less than array size Zhu Yanjun <yanjun.zhu(a)linux.dev> null_blk: Fix missing mutex_destroy() at module removal Chun-Kuang Hu <chunkuang.hu(a)kernel.org> soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE Ilya Denisyev <dev(a)elkcl.ru> jffs2: prevent xattr node from overflowing the eraseblock Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: fix tracepoint subchannel type field Eric Biggers <ebiggers(a)google.com> crypto: x86/sha256-avx2 - add missing vzeroupper Eric Biggers <ebiggers(a)google.com> crypto: x86/nh-avx2 - add missing vzeroupper Arnd Bergmann <arnd(a)arndb.de> crypto: ccp - drop platform ifdef checks Al Viro <viro(a)zeniv.linux.org.uk> parisc: add missing export of __cmpxchg_u8() Arnd Bergmann <arnd(a)arndb.de> nilfs2: fix out-of-range warning Brian Kubisiak <brian(a)kubisiak.com> ecryptfs: Fix buffer size for tag 66 packet Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> firmware: raspberrypi: Use correct device for DMA mappings Aleksandr Mishin <amishin(a)t-argos.ru> crypto: bcm - Fix pointer arithmetic Eric Sandeen <sandeen(a)redhat.com> openpromfs: finish conversion to the new mount API Nilay Shroff <nilay(a)linux.ibm.com> nvme: find numa distance only if controller has valid numa id Lancelot SIX <lancelot.six(a)amd.com> drm/amdkfd: Flush the process wq before creating a kfd_process Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: da7219-aad: fix usage of device_get_named_child_node() Jack Yu <jack.yu(a)realtek.com> ASoC: rt715: add vendor clear control register Krzysztof Kozlowski <krzk(a)kernel.org> regulator: vqmmc-ipq4019: fix module autoloading Derek Fang <derek.fang(a)realtek.com> ASoC: dt-bindings: rt5645: add cbj sleeve gpio property Derek Fang <derek.fang(a)realtek.com> ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating Joshua Ashton <joshua(a)froggi.es> drm/amd/display: Set color_mgmt_changed to true on unsuspend Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: add Telit FN920C04 compositions Igor Artemiev <Igor.A.Artemiev(a)mcst.ru> wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class Takashi Iwai <tiwai(a)suse.de> ALSA: core: Fix NULL module pointer assignment at card init Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential hang in nilfs_detach_log_writer() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix unexpected freezing of nilfs_segctor_sync() Thorsten Blum <thorsten.blum(a)toblux.com> net: smc91x: Fix m68k kernel compilation for ColdFire CPU Petr Pavlu <petr.pavlu(a)suse.com> ring-buffer: Fix a race between readers and resize checks Ken Milmore <ken.milmore(a)gmail.com> r8169: Fix possible ring buffer corruption on fragmented Tx packets. Dan Carpenter <dan.carpenter(a)linaro.org> speakup: Fix sizeof() vs ARRAY_SIZE() bug Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Daniel J Blueman <daniel(a)quora.org> x86/tsc: Trust initial offset in architectural TSC-adjust MSRs ------------- Diffstat: Documentation/devicetree/bindings/sound/rt5645.txt | 6 + Documentation/driver-api/fpga/fpga-bridge.rst | 10 +- Documentation/driver-api/fpga/fpga-mgr.rst | 12 +- Documentation/driver-api/fpga/fpga-programming.rst | 8 +- Documentation/driver-api/fpga/fpga-region.rst | 35 ++- Documentation/filesystems/f2fs.rst | 36 +++ Makefile | 4 +- arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 2 +- arch/arm64/boot/dts/nvidia/tegra132-norrin.dts | 4 +- arch/arm64/boot/dts/nvidia/tegra132.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcs404-evb.dtsi | 2 +- arch/arm64/include/asm/asm-bug.h | 1 + arch/arm64/kvm/guest.c | 1 + arch/m68k/kernel/entry.S | 4 +- arch/m68k/mac/misc.c | 36 +-- arch/microblaze/kernel/Makefile | 1 - arch/microblaze/kernel/cpu/cpuinfo-static.c | 2 +- arch/parisc/kernel/parisc_ksyms.c | 1 + arch/powerpc/include/asm/hvcall.h | 2 +- arch/powerpc/include/asm/uaccess.h | 55 ++++ arch/powerpc/platforms/pseries/lpar.c | 6 +- arch/powerpc/platforms/pseries/lparcfg.c | 6 +- arch/powerpc/sysdev/fsl_msi.c | 2 + arch/riscv/include/asm/stacktrace.h | 17 ++ arch/riscv/kernel/entry.S | 3 +- arch/riscv/kernel/perf_callchain.c | 10 +- arch/riscv/kernel/stacktrace.c | 36 ++- arch/s390/kernel/ipl.c | 10 +- arch/sh/kernel/kprobes.c | 7 +- arch/sh/lib/checksum.S | 67 ++--- arch/sparc/include/asm/smp_64.h | 2 - arch/sparc/include/uapi/asm/termbits.h | 10 - arch/sparc/include/uapi/asm/termios.h | 9 + arch/sparc/kernel/prom_64.c | 4 +- arch/sparc/kernel/setup_64.c | 1 - arch/sparc/kernel/smp_64.c | 14 - arch/um/drivers/line.c | 14 +- arch/um/drivers/ubd_kern.c | 4 +- arch/um/drivers/vector_kern.c | 2 +- arch/um/include/asm/mmu.h | 2 - arch/um/include/shared/skas/mm_id.h | 2 + arch/x86/Kconfig.debug | 5 +- arch/x86/crypto/nh-avx2-x86_64.S | 1 + arch/x86/crypto/sha256-avx2-asm.S | 1 + arch/x86/entry/vsyscall/vsyscall_64.c | 28 +- arch/x86/include/asm/processor.h | 1 - arch/x86/kernel/apic/vector.c | 9 +- arch/x86/kernel/tsc_sync.c | 6 +- arch/x86/lib/x86-opcode-map.txt | 2 +- arch/x86/mm/fault.c | 27 +- arch/x86/purgatory/Makefile | 3 +- arch/x86/tools/relocs.c | 9 + crypto/ecrdsa.c | 1 + drivers/accessibility/speakup/main.c | 2 +- drivers/acpi/acpica/Makefile | 1 + drivers/acpi/resource.c | 12 + drivers/android/binder.c | 4 +- drivers/ata/pata_legacy.c | 8 +- drivers/block/null_blk/main.c | 3 + drivers/char/ppdev.c | 21 +- drivers/clk/qcom/mmcc-msm8998.c | 8 + drivers/cpufreq/cpufreq.c | 85 +++--- drivers/crypto/bcm/spu2.c | 2 +- drivers/crypto/ccp/sp-platform.c | 14 +- drivers/crypto/qat/qat_common/adf_aer.c | 19 +- drivers/dma-buf/sync_debug.c | 4 +- drivers/dma/idma64.c | 4 +- drivers/extcon/Kconfig | 3 +- drivers/firmware/dmi-id.c | 7 +- drivers/firmware/raspberrypi.c | 7 +- drivers/fpga/dfl-fme-region.c | 17 +- drivers/fpga/dfl.c | 12 +- drivers/fpga/fpga-region.c | 145 +++++----- drivers/fpga/of-fpga-region.c | 10 +- drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 3 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 8 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 + drivers/gpu/drm/arm/malidp_mw.c | 5 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 + drivers/gpu/drm/bridge/lontium-lt9611.c | 6 +- drivers/gpu/drm/bridge/tc358775.c | 27 +- drivers/gpu/drm/drm_mipi_dsi.c | 6 +- drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 + drivers/gpu/drm/meson/meson_vclk.c | 6 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 3 - drivers/gpu/drm/panel/panel-simple.c | 3 + drivers/gpu/drm/vc4/vc4_hdmi.c | 2 + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 5 + drivers/hwmon/shtc1.c | 2 +- drivers/hwtracing/intel_th/pci.c | 5 + drivers/hwtracing/stm/core.c | 11 +- drivers/iio/pressure/dps310.c | 11 +- drivers/infiniband/hw/hns/hns_roce_alloc.c | 128 +++++---- drivers/infiniband/hw/hns/hns_roce_cmd.c | 10 +- drivers/infiniband/hw/hns/hns_roce_cmd.h | 2 +- drivers/infiniband/hw/hns/hns_roce_common.h | 14 +- drivers/infiniband/hw/hns/hns_roce_db.c | 8 +- drivers/infiniband/hw/hns/hns_roce_device.h | 115 ++++---- drivers/infiniband/hw/hns/hns_roce_hem.h | 12 +- drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 8 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 35 +-- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_mr.c | 65 ++--- drivers/infiniband/hw/hns/hns_roce_qp.c | 129 +++++++-- drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/misc/pm8xxx-vibrator.c | 7 +- drivers/input/serio/ioc3kbd.c | 13 +- drivers/irqchip/irq-alpine-msi.c | 2 +- drivers/irqchip/irq-loongson-pch-msi.c | 2 +- drivers/macintosh/via-macii.c | 11 +- drivers/md/md-bitmap.c | 6 +- drivers/md/raid5.c | 15 +- drivers/media/cec/core/cec-adap.c | 291 +++++++++++++-------- drivers/media/cec/core/cec-api.c | 31 +-- drivers/media/cec/core/cec-core.c | 7 +- drivers/media/cec/core/cec-pin-priv.h | 11 + drivers/media/cec/core/cec-pin.c | 23 +- drivers/media/cec/core/cec-priv.h | 10 + drivers/media/dvb-frontends/lgdt3306a.c | 5 + drivers/media/dvb-frontends/mxl5xx.c | 22 +- drivers/media/mc/mc-devnode.c | 5 +- drivers/media/pci/ngene/ngene-core.c | 4 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/usb/b2c2/flexcop-usb.c | 12 +- drivers/media/usb/stk1160/stk1160-video.c | 20 +- drivers/media/v4l2-core/v4l2-dev.c | 3 + drivers/mmc/core/host.c | 3 +- drivers/mmc/core/slot-gpio.c | 20 ++ drivers/mmc/host/sdhci-acpi.c | 48 +++- drivers/mmc/host/sdhci_am654.c | 205 ++++++++++----- drivers/mtd/nand/raw/nand_hynix.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 12 + drivers/net/ethernet/cortina/gemini.c | 12 +- drivers/net/ethernet/freescale/fec_main.c | 10 + drivers/net/ethernet/freescale/fec_ptp.c | 14 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 3 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- drivers/net/ethernet/qlogic/qed/qed_main.c | 9 +- drivers/net/ethernet/realtek/r8169_main.c | 3 +- drivers/net/ethernet/smsc/smc91x.h | 4 +- drivers/net/ethernet/sun/sungem.c | 14 - drivers/net/ipvlan/ipvlan_core.c | 4 +- drivers/net/usb/aqc111.c | 8 +- drivers/net/usb/qmi_wwan.c | 3 + drivers/net/usb/smsc95xx.c | 26 +- drivers/net/usb/sr9700.c | 10 +- drivers/net/vxlan/vxlan_core.c | 4 - drivers/net/wireless/ath/ar5523/ar5523.c | 14 + drivers/net/wireless/ath/ath10k/core.c | 3 + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- drivers/net/wireless/ath/ath10k/hw.h | 1 + drivers/net/wireless/ath/ath10k/targaddrs.h | 3 + drivers/net/wireless/ath/ath10k/wmi.c | 26 +- drivers/net/wireless/ath/carl9170/usb.c | 32 +++ drivers/net/wireless/marvell/mwl8k.c | 2 +- .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 26 +- .../net/wireless/realtek/rtlwifi/rtl8192de/trx.c | 21 +- .../net/wireless/realtek/rtlwifi/rtl8192de/trx.h | 79 ++---- drivers/nvme/host/multipath.c | 3 +- drivers/nvme/target/configfs.c | 8 + drivers/pci/pcie/edr.c | 28 +- drivers/regulator/bd71828-regulator.c | 58 +--- drivers/regulator/vqmmc-ipq4019-regulator.c | 1 + drivers/s390/cio/trace.h | 2 +- drivers/s390/crypto/ap_bus.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 4 +- drivers/scsi/hpsa.c | 2 +- drivers/scsi/libsas/sas_expander.c | 3 +- drivers/scsi/qedf/qedf_debugfs.c | 2 +- drivers/scsi/qla2xxx/qla_init.c | 8 +- drivers/scsi/qla2xxx/qla_mr.c | 20 +- drivers/scsi/ufs/cdns-pltfrm.c | 2 +- drivers/scsi/ufs/ufs-qcom.c | 31 ++- drivers/scsi/ufs/ufs-qcom.h | 21 +- drivers/scsi/ufs/ufshcd.c | 4 +- drivers/soc/mediatek/mtk-cmdq-helper.c | 5 +- drivers/soundwire/cadence_master.c | 2 +- drivers/spi/spi-stm32.c | 2 +- drivers/spi/spi.c | 4 + drivers/staging/greybus/arche-apb-ctrl.c | 1 + drivers/staging/greybus/arche-platform.c | 9 +- drivers/staging/greybus/light.c | 8 +- drivers/staging/media/atomisp/pci/sh_css.c | 1 + drivers/tty/n_gsm.c | 8 +- drivers/tty/serial/max3100.c | 22 +- drivers/tty/serial/sc16is7xx.c | 2 +- drivers/tty/serial/sh-sci.c | 5 + drivers/usb/gadget/function/u_audio.c | 2 + drivers/video/fbdev/Kconfig | 4 +- drivers/video/fbdev/savage/savagefb_driver.c | 5 +- drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +- drivers/video/fbdev/sis/init301.c | 3 +- drivers/virtio/virtio_pci_common.c | 4 +- drivers/watchdog/rti_wdt.c | 34 ++- fs/afs/mntpt.c | 5 + fs/ecryptfs/keystore.c | 4 +- fs/ext4/mballoc.c | 134 +++++----- fs/ext4/namei.c | 2 +- fs/ext4/xattr.c | 4 +- fs/f2fs/checkpoint.c | 4 +- fs/f2fs/compress.c | 91 +++---- fs/f2fs/data.c | 10 +- fs/f2fs/extent_cache.c | 4 +- fs/f2fs/f2fs.h | 52 +++- fs/f2fs/file.c | 86 ++++-- fs/f2fs/inode.c | 9 + fs/f2fs/namei.c | 2 +- fs/f2fs/node.c | 2 +- fs/f2fs/segment.c | 4 +- fs/f2fs/super.c | 32 +++ fs/gfs2/glock.c | 4 +- fs/gfs2/util.c | 1 - fs/jffs2/xattr.c | 3 + fs/nfs/internal.h | 4 +- fs/nfs/nfs4proc.c | 2 +- fs/nilfs2/ioctl.c | 2 +- fs/nilfs2/segment.c | 63 ++++- fs/openpromfs/inode.c | 8 +- fs/overlayfs/dir.c | 3 - include/drm/drm_mipi_dsi.h | 6 +- include/linux/f2fs_fs.h | 3 +- include/linux/fpga/fpga-region.h | 43 ++- include/linux/mmc/slot-gpio.h | 1 + include/linux/moduleparam.h | 2 + include/media/cec.h | 26 +- include/media/v4l2-h264.h | 6 +- include/media/v4l2-jpeg.h | 2 + include/net/dst_ops.h | 2 +- include/net/inet6_hashtables.h | 16 ++ include/net/inet_hashtables.h | 18 +- include/net/netfilter/nf_tables.h | 2 + include/net/sock.h | 13 +- include/sound/soc-acpi.h | 6 + include/trace/events/asoc.h | 2 + include/uapi/linux/cec.h | 3 +- include/uapi/linux/v4l2-subdev.h | 12 +- include/uapi/linux/videodev2.h | 15 +- io_uring/io_uring.c | 2 + kernel/bpf/verifier.c | 10 +- kernel/cgroup/cpuset.c | 2 +- kernel/debug/kdb/kdb_io.c | 99 ++++--- kernel/irq/cpuhotplug.c | 16 +- kernel/params.c | 18 ++ kernel/sched/topology.c | 2 +- kernel/trace/ring_buffer.c | 9 + net/9p/client.c | 2 + net/core/dev.c | 3 +- net/ipv4/inet_hashtables.c | 29 +- net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 + net/ipv4/route.c | 22 +- net/ipv4/tcp_dctcp.c | 13 +- net/ipv4/tcp_ipv4.c | 13 +- net/ipv4/udp.c | 55 ++-- net/ipv6/inet6_hashtables.c | 27 +- net/ipv6/reassembly.c | 2 +- net/ipv6/route.c | 34 +-- net/ipv6/seg6.c | 5 +- net/ipv6/seg6_hmac.c | 42 ++- net/ipv6/udp.c | 61 +++-- net/netfilter/nf_tables_api.c | 22 +- net/netfilter/nfnetlink_queue.c | 2 + net/netfilter/nft_payload.c | 23 +- net/netfilter/nft_tunnel.c | 1 + net/netrom/nr_route.c | 19 +- net/nfc/nci/core.c | 17 +- net/openvswitch/actions.c | 6 + net/openvswitch/flow.c | 3 +- net/packet/af_packet.c | 3 +- net/qrtr/af_qrtr.c | 16 +- net/qrtr/ns.c | 34 ++- net/qrtr/qrtr.h | 2 +- net/sunrpc/auth_gss/svcauth_gss.c | 12 +- net/sunrpc/clnt.c | 1 + net/sunrpc/svc.c | 2 - net/sunrpc/xprtrdma/verbs.c | 6 +- net/sunrpc/xprtsock.c | 18 -- net/tls/tls_main.c | 10 +- net/unix/af_unix.c | 2 +- net/wireless/trace.h | 4 +- net/xfrm/xfrm_policy.c | 11 +- scripts/kconfig/symbol.c | 6 +- sound/core/init.c | 2 +- sound/core/timer.c | 10 + sound/soc/codecs/da7219-aad.c | 6 +- sound/soc/codecs/rt5645.c | 25 ++ sound/soc/codecs/rt715-sdw.c | 1 + sound/soc/codecs/tas2552.c | 15 +- sound/soc/intel/boards/bxt_da7219_max98357a.c | 1 + sound/soc/intel/boards/bxt_rt298.c | 1 + sound/soc/intel/boards/glk_rt5682_max98357a.c | 2 + sound/soc/intel/boards/kbl_da7219_max98357a.c | 1 + sound/soc/intel/boards/kbl_da7219_max98927.c | 4 + sound/soc/intel/boards/kbl_rt5660.c | 1 + sound/soc/intel/boards/kbl_rt5663_max98927.c | 2 + .../soc/intel/boards/kbl_rt5663_rt5514_max98927.c | 1 + sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 + sound/soc/intel/boards/skl_nau88l25_max98357a.c | 1 + sound/soc/intel/boards/skl_rt286.c | 1 + tools/arch/x86/lib/x86-opcode-map.txt | 2 +- tools/bpf/resolve_btfids/main.c | 2 +- tools/lib/subcmd/parse-options.c | 8 +- tools/perf/Documentation/perf-annotate.txt | 7 + tools/perf/bench/inject-buildid.c | 2 +- tools/perf/builtin-annotate.c | 6 +- tools/perf/builtin-record.c | 8 +- tools/perf/builtin-report.c | 2 +- tools/perf/builtin-top.c | 4 +- tools/perf/ui/browser.c | 26 +- tools/perf/ui/browser.h | 2 +- tools/perf/ui/browsers/annotate.c | 2 +- tools/perf/ui/setup.c | 5 +- tools/perf/ui/tui/helpline.c | 5 +- tools/perf/ui/tui/progress.c | 8 +- tools/perf/ui/tui/setup.c | 12 +- tools/perf/ui/tui/util.c | 18 +- tools/perf/ui/ui.h | 4 +- tools/perf/util/bpf-event.c | 2 +- tools/perf/util/evlist.h | 11 +- .../perf/util/intel-pt-decoder/intel-pt-decoder.c | 2 + tools/perf/util/intel-pt.c | 2 + tools/perf/util/probe-event.c | 1 + tools/perf/util/sideband_evlist.c | 8 +- tools/perf/util/stat-display.c | 3 + tools/testing/selftests/bpf/test_sockmap.c | 2 +- .../selftests/filesystems/binderfs/Makefile | 2 - tools/testing/selftests/kcmp/kcmp_test.c | 8 +- 328 files changed, 2834 insertions(+), 1844 deletions(-)

8 months, 1 week

11
335
0 0

FAILED: patch "[PATCH] tracing: Have format file honor EVENT_FILE_FL_FREED" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b1560408692cd0ab0370cfbe9deb03ce97ab3f6d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081258-amusement-designing-88e9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: b1560408692c ("tracing: Have format file honor EVENT_FILE_FL_FREED") bb32500fb9b7 ("tracing: Have trace_event_file have ref counters") 5790b1fb3d67 ("eventfs: Remove eventfs_file and just use eventfs_inode") a1f157c7a3bb ("tracing: Expand all ring buffers individually") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b1560408692cd0ab0370cfbe9deb03ce97ab3f6d Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Tue, 30 Jul 2024 11:06:57 -0400 Subject: [PATCH] tracing: Have format file honor EVENT_FILE_FL_FREED MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When eventfs was introduced, special care had to be done to coordinate the freeing of the file meta data with the files that are exposed to user space. The file meta data would have a ref count that is set when the file is created and would be decremented and freed after the last user that opened the file closed it. When the file meta data was to be freed, it would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed, and any new references made (like new opens or reads) would fail as it is marked freed. This allowed other meta data to be freed after this flag was set (under the event_mutex). All the files that were dynamically created in the events directory had a pointer to the file meta data and would call event_release() when the last reference to the user space file was closed. This would be the time that it is safe to free the file meta data. A shortcut was made for the "format" file. It's i_private would point to the "call" entry directly and not point to the file's meta data. This is because all format files are the same for the same "call", so it was thought there was no reason to differentiate them. The other files maintain state (like the "enable", "trigger", etc). But this meant if the file were to disappear, the "format" file would be unaware of it. This caused a race that could be trigger via the user_events test (that would create dynamic events and free them), and running a loop that would read the user_events format files: In one console run: # cd tools/testing/selftests/user_events # while true; do ./ftrace_test; done And in another console run: # cd /sys/kernel/tracing/ # while true; do cat events/user_events/__test_event/format; done 2>/dev/null With KASAN memory checking, it would trigger a use-after-free bug report (which was a real bug). This was because the format file was not checking the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the event that the file meta data pointed to after the event was freed. After inspection, there are other locations that were found to not check the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a new helper function: event_file_file() that will make sure that the event_mutex is held, and will return NULL if the trace_event_file has the EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file pointer use event_file_file() and check for NULL. Later uses can still use the event_file_data() helper function if the event_mutex is still held and was not released since the event_file_file() call. Link: https://lore.kernel.org/all/20240719204701.1605950-1-minipli@grsecurity.net/ Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Ajay Kaher <ajay.kaher(a)broadcom.com> Cc: Ilkka Naulapää <digirigawa(a)gmail.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: Beau Belgrave <beaub(a)linux.microsoft.com> Cc: Florian Fainelli <florian.fainelli(a)broadcom.com> Cc: Alexey Makhalov <alexey.makhalov(a)broadcom.com> Cc: Vasavi Sirnapalli <vasavi.sirnapalli(a)broadcom.com> Link: https://lore.kernel.org/20240730110657.3b69d3c1@gandalf.local.home Fixes: b63db58e2fa5d ("eventfs/tracing: Add callback for release of an eventfs_inode") Reported-by: Mathias Krause <minipli(a)grsecurity.net> Tested-by: Mathias Krause <minipli(a)grsecurity.net> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 8783bebd0562..bd3e3069300e 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -1634,6 +1634,29 @@ static inline void *event_file_data(struct file *filp) extern struct mutex event_mutex; extern struct list_head ftrace_events; +/* + * When the trace_event_file is the filp->i_private pointer, + * it must be taken under the event_mutex lock, and then checked + * if the EVENT_FILE_FL_FREED flag is set. If it is, then the + * data pointed to by the trace_event_file can not be trusted. + * + * Use the event_file_file() to access the trace_event_file from + * the filp the first time under the event_mutex and check for + * NULL. If it is needed to be retrieved again and the event_mutex + * is still held, then the event_file_data() can be used and it + * is guaranteed to be valid. + */ +static inline struct trace_event_file *event_file_file(struct file *filp) +{ + struct trace_event_file *file; + + lockdep_assert_held(&event_mutex); + file = READ_ONCE(file_inode(filp)->i_private); + if (!file || file->flags & EVENT_FILE_FL_FREED) + return NULL; + return file; +} + extern const struct file_operations event_trigger_fops; extern const struct file_operations event_hist_fops; extern const struct file_operations event_hist_debug_fops; diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 6ef29eba90ce..f08fbaf8cad6 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -1386,12 +1386,12 @@ event_enable_read(struct file *filp, char __user *ubuf, size_t cnt, char buf[4] = "0"; mutex_lock(&event_mutex); - file = event_file_data(filp); + file = event_file_file(filp); if (likely(file)) flags = file->flags; mutex_unlock(&event_mutex); - if (!file || flags & EVENT_FILE_FL_FREED) + if (!file) return -ENODEV; if (flags & EVENT_FILE_FL_ENABLED && @@ -1424,8 +1424,8 @@ event_enable_write(struct file *filp, const char __user *ubuf, size_t cnt, case 1: ret = -ENODEV; mutex_lock(&event_mutex); - file = event_file_data(filp); - if (likely(file && !(file->flags & EVENT_FILE_FL_FREED))) { + file = event_file_file(filp); + if (likely(file)) { ret = tracing_update_buffers(file->tr); if (ret < 0) { mutex_unlock(&event_mutex); @@ -1540,7 +1540,8 @@ enum { static void *f_next(struct seq_file *m, void *v, loff_t *pos) { - struct trace_event_call *call = event_file_data(m->private); + struct trace_event_file *file = event_file_data(m->private); + struct trace_event_call *call = file->event_call; struct list_head *common_head = &ftrace_common_fields; struct list_head *head = trace_get_fields(call); struct list_head *node = v; @@ -1572,7 +1573,8 @@ static void *f_next(struct seq_file *m, void *v, loff_t *pos) static int f_show(struct seq_file *m, void *v) { - struct trace_event_call *call = event_file_data(m->private); + struct trace_event_file *file = event_file_data(m->private); + struct trace_event_call *call = file->event_call; struct ftrace_event_field *field; const char *array_descriptor; @@ -1627,12 +1629,14 @@ static int f_show(struct seq_file *m, void *v) static void *f_start(struct seq_file *m, loff_t *pos) { + struct trace_event_file *file; void *p = (void *)FORMAT_HEADER; loff_t l = 0; /* ->stop() is called even if ->start() fails */ mutex_lock(&event_mutex); - if (!event_file_data(m->private)) + file = event_file_file(m->private); + if (!file) return ERR_PTR(-ENODEV); while (l < *pos && p) @@ -1706,8 +1710,8 @@ event_filter_read(struct file *filp, char __user *ubuf, size_t cnt, trace_seq_init(s); mutex_lock(&event_mutex); - file = event_file_data(filp); - if (file && !(file->flags & EVENT_FILE_FL_FREED)) + file = event_file_file(filp); + if (file) print_event_filter(file, s); mutex_unlock(&event_mutex); @@ -1736,9 +1740,13 @@ event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt, return PTR_ERR(buf); mutex_lock(&event_mutex); - file = event_file_data(filp); - if (file) - err = apply_event_filter(file, buf); + file = event_file_file(filp); + if (file) { + if (file->flags & EVENT_FILE_FL_FREED) + err = -ENODEV; + else + err = apply_event_filter(file, buf); + } mutex_unlock(&event_mutex); kfree(buf); @@ -2485,7 +2493,6 @@ static int event_callback(const char *name, umode_t *mode, void **data, if (strcmp(name, "format") == 0) { *mode = TRACE_MODE_READ; *fops = &ftrace_event_format_fops; - *data = call; return 1; } diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index 6ece1308d36a..5f9119eb7c67 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5601,7 +5601,7 @@ static int hist_show(struct seq_file *m, void *v) mutex_lock(&event_mutex); - event_file = event_file_data(m->private); + event_file = event_file_file(m->private); if (unlikely(!event_file)) { ret = -ENODEV; goto out_unlock; @@ -5880,7 +5880,7 @@ static int hist_debug_show(struct seq_file *m, void *v) mutex_lock(&event_mutex); - event_file = event_file_data(m->private); + event_file = event_file_file(m->private); if (unlikely(!event_file)) { ret = -ENODEV; goto out_unlock; diff --git a/kernel/trace/trace_events_inject.c b/kernel/trace/trace_events_inject.c index 8650562bdaa9..a8f076809db4 100644 --- a/kernel/trace/trace_events_inject.c +++ b/kernel/trace/trace_events_inject.c @@ -299,7 +299,7 @@ event_inject_write(struct file *filp, const char __user *ubuf, size_t cnt, strim(buf); mutex_lock(&event_mutex); - file = event_file_data(filp); + file = event_file_file(filp); if (file) { call = file->event_call; size = parse_entry(buf, call, &entry); diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index 4bec043c8690..a5e3d6acf1e1 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -159,7 +159,7 @@ static void *trigger_start(struct seq_file *m, loff_t *pos) /* ->stop() is called even if ->start() fails */ mutex_lock(&event_mutex); - event_file = event_file_data(m->private); + event_file = event_file_file(m->private); if (unlikely(!event_file)) return ERR_PTR(-ENODEV); @@ -213,7 +213,7 @@ static int event_trigger_regex_open(struct inode *inode, struct file *file) mutex_lock(&event_mutex); - if (unlikely(!event_file_data(file))) { + if (unlikely(!event_file_file(file))) { mutex_unlock(&event_mutex); return -ENODEV; } @@ -293,7 +293,7 @@ static ssize_t event_trigger_regex_write(struct file *file, strim(buf); mutex_lock(&event_mutex); - event_file = event_file_data(file); + event_file = event_file_file(file); if (unlikely(!event_file)) { mutex_unlock(&event_mutex); kfree(buf);

8 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] media: uvcvideo: Fix integer overflow calculating timestamp" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024072959-overpass-sapling-797e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 8676a5e796fa ("media: uvcvideo: Fix integer overflow calculating timestamp") 9e56380ae625 ("media: uvcvideo: Rename debug functions") ed4c5fa4d804 ("media: uvcvideo: use dev_printk() for uvc_trace()") 59e92bf62771 ("media: uvcvideo: New macro uvc_trace_cont") 69df09547e7a ("media: uvcvideo: Use dev_ printk aliases") 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT") 351509c604dc ("media: uvcvideo: Move guid to entity") dc9455ffae02 ("media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values") b400b6f28af0 ("media: uvcvideo: Force UVC version to 1.0a for 1bcf:0b40") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda <ribalda(a)chromium.org> Date: Mon, 10 Jun 2024 19:17:49 +0000 Subject: [PATCH] media: uvcvideo: Fix integer overflow calculating timestamp The function uvc_video_clock_update() supports a single SOF overflow. Or in other words, the maximum difference between the first ant the last timestamp can be 4096 ticks or 4.096 seconds. This results in a maximum value for y2 of: 0x12FBECA00, that overflows 32bits. y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; Extend the size of y2 to u64 to support all its values. Without this patch: # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0 Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened. Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes. Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 Current frame rate: 1/5 Setting frame rate to: 1/5 Frame rate set: 1/5 8 buffers requested. length: 4147200 offset: 0 timestamp type/source: mono/SoE Buffer 0/0 mapped at address 0x7947ea94c000. length: 4147200 offset: 4149248 timestamp type/source: mono/SoE Buffer 1/0 mapped at address 0x7947ea557000. length: 4147200 offset: 8298496 timestamp type/source: mono/SoE Buffer 2/0 mapped at address 0x7947ea162000. length: 4147200 offset: 12447744 timestamp type/source: mono/SoE Buffer 3/0 mapped at address 0x7947e9d6d000. length: 4147200 offset: 16596992 timestamp type/source: mono/SoE Buffer 4/0 mapped at address 0x7947e9978000. length: 4147200 offset: 20746240 timestamp type/source: mono/SoE Buffer 5/0 mapped at address 0x7947e9583000. length: 4147200 offset: 24895488 timestamp type/source: mono/SoE Buffer 6/0 mapped at address 0x7947e918e000. length: 4147200 offset: 29044736 timestamp type/source: mono/SoE Buffer 7/0 mapped at address 0x7947e8d99000. 0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE 1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE 2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE 3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE 4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE 5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE 6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE 7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE 8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE 9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE 10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE 11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE 12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE 13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE 14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE 15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE 16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE 17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE 18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE 19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE 20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE 21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE 22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE 23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE 24 (0) [-] none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE 25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE 26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE 27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE 28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE 29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE 30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE 31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE 32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE 33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE 34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE 35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE Cc: stable(a)vger.kernel.org Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support") Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@c… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index aebcf9b25a16..4dfc1b86bdee 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -760,11 +760,11 @@ void uvc_video_clock_update(struct uvc_streaming *stream, unsigned long flags; u64 timestamp; u32 delta_stc; - u32 y1, y2; + u32 y1; u32 x1, x2; u32 mean; u32 sof; - u64 y; + u64 y, y2; if (!uvc_hw_timestamps_param) return; @@ -816,7 +816,7 @@ void uvc_video_clock_update(struct uvc_streaming *stream, sof = y; uvc_dbg(stream->dev, CLOCK, - "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n", + "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n", stream->dev->name, buf->pts, y >> 16, div_u64((y & 0xffff) * 1000000, 65536), sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), @@ -831,7 +831,7 @@ void uvc_video_clock_update(struct uvc_streaming *stream, goto done; y1 = NSEC_PER_SEC; - y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; /* * Interpolated and host SOF timestamps can wrap around at slightly @@ -852,7 +852,7 @@ void uvc_video_clock_update(struct uvc_streaming *stream, timestamp = ktime_to_ns(first->host_time) + y - y1; uvc_dbg(stream->dev, CLOCK, - "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n", + "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n", stream->dev->name, sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), y, timestamp, vbuf->vb2_buf.timestamp,

8 months, 1 week

3
2
0 0

[PATCH] usb: typec: ucsi: Fix the partner PD revision

by Heikki Krogerus

The Partner PD Revision field in GET_CONNECTOR_CAPABILITY data structure was introduced in UCSI v2.1. In ucsi_check_connector_capability() the version was assumed to be 2.0, and in ucsi_register_partner() the field is accessed completely unconditionally. Fixing the version in ucsi_check_connector_capability(), and replacing the unconditional pd_revision assignment with a direct call to ucsi_check_connector_capability() in ucsi_register_port(). After this the revision is also checked only if there is a PD contract. Fixes: b9fccfdb4ebb ("usb: typec: ucsi: Get PD revision for partner") Cc: stable(a)vger.kernel.org Signed-off-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> --- drivers/usb/typec/ucsi/ucsi.c | 50 ++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index f0b5867048e2..fad43f292e7f 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -959,6 +959,27 @@ static void ucsi_unregister_cable(struct ucsi_connector *con) con->cable = NULL; } +static int ucsi_check_connector_capability(struct ucsi_connector *con) +{ + u64 command; + int ret; + + if (!con->partner || con->ucsi->version < UCSI_VERSION_2_1) + return 0; + + command = UCSI_GET_CONNECTOR_CAPABILITY | UCSI_CONNECTOR_NUMBER(con->num); + ret = ucsi_send_command(con->ucsi, command, &con->cap, sizeof(con->cap)); + if (ret < 0) { + dev_err(con->ucsi->dev, "GET_CONNECTOR_CAPABILITY failed (%d)\n", ret); + return ret; + } + + typec_partner_set_pd_revision(con->partner, + UCSI_CONCAP_FLAG_PARTNER_PD_MAJOR_REV_AS_BCD(con->cap.flags)); + + return ret; +} + static void ucsi_pwr_opmode_change(struct ucsi_connector *con) { switch (UCSI_CONSTAT_PWR_OPMODE(con->status.flags)) { @@ -968,6 +989,7 @@ static void ucsi_pwr_opmode_change(struct ucsi_connector *con) ucsi_partner_task(con, ucsi_get_src_pdos, 30, 0); ucsi_partner_task(con, ucsi_check_altmodes, 30, HZ); ucsi_partner_task(con, ucsi_register_partner_pdos, 1, HZ); + ucsi_partner_task(con, ucsi_check_connector_capability, 1, HZ); break; case UCSI_CONSTAT_PWR_OPMODE_TYPEC1_5: con->rdo = 0; @@ -1012,7 +1034,6 @@ static int ucsi_register_partner(struct ucsi_connector *con) if (con->ucsi->cap.features & UCSI_CAP_GET_PD_MESSAGE) desc.identity = &con->partner_identity; desc.usb_pd = pwr_opmode == UCSI_CONSTAT_PWR_OPMODE_PD; - desc.pd_revision = UCSI_CONCAP_FLAG_PARTNER_PD_MAJOR_REV_AS_BCD(con->cap.flags); partner = typec_register_partner(con->port, &desc); if (IS_ERR(partner)) { @@ -1089,27 +1110,6 @@ static void ucsi_partner_change(struct ucsi_connector *con) con->num, u_role); } -static int ucsi_check_connector_capability(struct ucsi_connector *con) -{ - u64 command; - int ret; - - if (!con->partner || con->ucsi->version < UCSI_VERSION_2_0) - return 0; - - command = UCSI_GET_CONNECTOR_CAPABILITY | UCSI_CONNECTOR_NUMBER(con->num); - ret = ucsi_send_command(con->ucsi, command, &con->cap, sizeof(con->cap)); - if (ret < 0) { - dev_err(con->ucsi->dev, "GET_CONNECTOR_CAPABILITY failed (%d)\n", ret); - return ret; - } - - typec_partner_set_pd_revision(con->partner, - UCSI_CONCAP_FLAG_PARTNER_PD_MAJOR_REV_AS_BCD(con->cap.flags)); - - return ret; -} - static int ucsi_check_connection(struct ucsi_connector *con) { u8 prev_flags = con->status.flags; @@ -1231,15 +1231,16 @@ static void ucsi_handle_connector_change(struct work_struct *work) if (con->status.flags & UCSI_CONSTAT_CONNECTED) { ucsi_register_partner(con); ucsi_partner_task(con, ucsi_check_connection, 1, HZ); - ucsi_partner_task(con, ucsi_check_connector_capability, 1, HZ); if (con->ucsi->cap.features & UCSI_CAP_GET_PD_MESSAGE) ucsi_partner_task(con, ucsi_get_partner_identity, 1, HZ); if (con->ucsi->cap.features & UCSI_CAP_CABLE_DETAILS) ucsi_partner_task(con, ucsi_check_cable, 1, HZ); if (UCSI_CONSTAT_PWR_OPMODE(con->status.flags) == - UCSI_CONSTAT_PWR_OPMODE_PD) + UCSI_CONSTAT_PWR_OPMODE_PD) { ucsi_partner_task(con, ucsi_register_partner_pdos, 1, HZ); + ucsi_partner_task(con, ucsi_check_connector_capability, 1, HZ); + } } else { ucsi_unregister_partner(con); } @@ -1668,6 +1669,7 @@ static int ucsi_register_port(struct ucsi *ucsi, struct ucsi_connector *con) ucsi_register_device_pdos(con); ucsi_get_src_pdos(con); ucsi_check_altmodes(con); + ucsi_check_connector_capability(con); } trace_ucsi_register_port(con->num, &con->status); -- 2.45.2

8 months, 1 week

1
0
0 0

[PATCH 5.4] filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64

by Long Li

The locks_remove_posix() function in fcntl_setlk/fcntl_setlk64 is designed to reliably remove locks when an fcntl/close race is detected. However, it was passing in the wrong filelock owner, it looks like a mistake and resulting in a failure to remove locks. More critically, if the lock removal fails, it could lead to a uaf issue while traversing the locks. This problem occurs only in the 4.19/5.4 stable version. Fixes: 4c43ad4ab416 ("filelock: Fix fcntl/close race recovery compat path") Fixes: dc2ce1dfceaa ("filelock: Remove locks reliably when fcntl/close race is detected") Cc: stable(a)vger.kernel.org Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/locks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/locks.c b/fs/locks.c index 85c8af53d4eb..cf6ed857664b 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -2542,7 +2542,7 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, f = fcheck(fd); spin_unlock(&current->files->file_lock); if (f != filp) { - locks_remove_posix(filp, &current->files); + locks_remove_posix(filp, current->files); error = -EBADF; } } @@ -2672,7 +2672,7 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, f = fcheck(fd); spin_unlock(&current->files->file_lock); if (f != filp) { - locks_remove_posix(filp, &current->files); + locks_remove_posix(filp, current->files); error = -EBADF; } } -- 2.39.2

8 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081115-giving-hacked-fffb@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 82dbb57ac8d0 ("scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES") 0c25422d34b4 ("scsi: mpt3sas: Remove scsi_dma_map() error messages") 1c2048bdc3f4 ("scsi: mpt3sas: switch to generic DMA API") 919d8a3f3fef ("scsi: mpt3sas: Convert uses of pr_<level> with MPT3SAS_FMT to ioc_<level>") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 Mon Sep 17 00:00:00 2001 From: Damien Le Moal <dlemoal(a)kernel.org> Date: Fri, 19 Jul 2024 16:39:12 +0900 Subject: [PATCH] scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT ZONES command reply buffer from ATA-ZAC devices by directly accessing the buffer in the host memory. This does not respect the default command DMA direction and causes IOMMU page faults on architectures with an IOMMU enforcing write-only mappings for DMA_FROM_DEVICE DMA driection (e.g. AMD hosts). scsi 18:0:0:0: Direct-Access-ZBC ATA WDC WSH722020AL W870 PQ: 0 ANSI: 6 scsi 18:0:0:0: SATA: handle(0x0027), sas_addr(0x300062b2083e7c40), phy(0), device_name(0x5000cca29dc35e11) scsi 18:0:0:0: enclosure logical id (0x300062b208097c40), slot(0) scsi 18:0:0:0: enclosure level(0x0000), connector name( C0.0) scsi 18:0:0:0: atapi(n), ncq(y), asyn_notify(n), smart(y), fua(y), sw_preserve(y) scsi 18:0:0:0: qdepth(32), tagged(1), scsi_level(7), cmd_que(1) sd 18:0:0:0: Attached scsi generic sg2 type 20 sd 18:0:0:0: [sdc] Host-managed zoned block device mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b200 flags=0x0050] mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b300 flags=0x0050] mpt3sas_cm0: mpt3sas_ctl_pre_reset_handler: Releasing the trace buffer due to adapter reset. mpt3sas_cm0 fault info from func: mpt3sas_base_make_ioc_ready mpt3sas_cm0: fault_state(0x2666)! mpt3sas_cm0: sending diag reset !! mpt3sas_cm0: diag reset: SUCCESS sd 18:0:0:0: [sdc] REPORT ZONES start lba 0 failed sd 18:0:0:0: [sdc] REPORT ZONES: Result: hostbyte=DID_RESET driverbyte=DRIVER_OK sd 18:0:0:0: [sdc] 0 4096-byte logical blocks: (0 B/0 B) Avoid such issue by always mapping the buffer of REPORT ZONES commands using DMA_BIDIRECTIONAL (read+write IOMMU mapping). This is done by introducing the helper function _base_scsi_dma_map() and using this helper in _base_build_sg_scmd() and _base_build_sg_scmd_ieee() instead of calling directly scsi_dma_map(). Fixes: 471ef9d4e498 ("mpt3sas: Build MPI SGL LIST on GEN2 HBAs and IEEE SGL LIST on GEN3 HBAs") Cc: stable(a)vger.kernel.org Signed-off-by: Damien Le Moal <dlemoal(a)kernel.org> Link: https://lore.kernel.org/r/20240719073913.179559-3-dlemoal@kernel.org Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 1092497563b2..c8fb965a6bf0 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -2671,6 +2671,22 @@ _base_build_zero_len_sge_ieee(struct MPT3SAS_ADAPTER *ioc, void *paddr) _base_add_sg_single_ieee(paddr, sgl_flags, 0, 0, -1); } +static inline int _base_scsi_dma_map(struct scsi_cmnd *cmd) +{ + /* + * Some firmware versions byte-swap the REPORT ZONES command reply from + * ATA-ZAC devices by directly accessing in the host buffer. This does + * not respect the default command DMA direction and causes IOMMU page + * faults on some architectures with an IOMMU enforcing write mappings + * (e.g. AMD hosts). Avoid such issue by making the report zones buffer + * mapping bi-directional. + */ + if (cmd->cmnd[0] == ZBC_IN && cmd->cmnd[1] == ZI_REPORT_ZONES) + cmd->sc_data_direction = DMA_BIDIRECTIONAL; + + return scsi_dma_map(cmd); +} + /** * _base_build_sg_scmd - main sg creation routine * pcie_device is unused here! @@ -2717,7 +2733,7 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPTER *ioc, sgl_flags = sgl_flags << MPI2_SGE_FLAGS_SHIFT; sg_scmd = scsi_sglist(scmd); - sges_left = scsi_dma_map(scmd); + sges_left = _base_scsi_dma_map(scmd); if (sges_left < 0) return -ENOMEM; @@ -2861,7 +2877,7 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_ADAPTER *ioc, } sg_scmd = scsi_sglist(scmd); - sges_left = scsi_dma_map(scmd); + sges_left = _base_scsi_dma_map(scmd); if (sges_left < 0) return -ENOMEM;

8 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] drm/amdkfd: don't allow mapping the MMIO HDP page with large" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 24e82654e98e96cece5d8b919c522054456eeec6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081202-hastily-panic-ee65@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 24e82654e98e ("drm/amdkfd: don't allow mapping the MMIO HDP page with large pages") b38c074b2b07 ("drm/amdkfd: CRIU Refactor restore BO function") 67a359d85ec2 ("drm/amdkfd: CRIU remove sync and TLB flush on restore") 22804e03f7a5 ("drm/amdkfd: Fix criu_restore_bo error handling") d8a25e485857 ("drm/amdkfd: fix loop error handling") e5af61ffaaef ("drm/amdkfd: CRIU fix a NULL vs IS_ERR() check") be072b06c739 ("drm/amdkfd: CRIU export BOs as prime dmabuf objects") bef153b70c6e ("drm/amdkfd: CRIU implement gpu_id remapping") 40e8a766a761 ("drm/amdkfd: CRIU checkpoint and restore events") 42c6c48214b7 ("drm/amdkfd: CRIU checkpoint and restore queue mqds") 2485c12c980a ("drm/amdkfd: CRIU restore sdma id for queues") 8668dfc30d3e ("drm/amdkfd: CRIU restore queue ids") 626f7b3190b4 ("drm/amdkfd: CRIU add queues support") cd9f79103003 ("drm/amdkfd: CRIU Implement KFD unpause operation") 011bbb03024f ("drm/amdkfd: CRIU Implement KFD resume ioctl") 73fa13b6a511 ("drm/amdkfd: CRIU Implement KFD restore ioctl") 5ccbb057c0a1 ("drm/amdkfd: CRIU Implement KFD checkpoint ioctl") f185381b6481 ("drm/amdkfd: CRIU Implement KFD process_info ioctl") 3698807094ec ("drm/amdkfd: CRIU Introduce Checkpoint-Restore APIs") f61c40c0757a ("drm/amdkfd: enable heavy-weight TLB flush on Arcturus") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 24e82654e98e96cece5d8b919c522054456eeec6 Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Sun, 14 Apr 2024 13:06:39 -0400 Subject: [PATCH] drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. Fixes: d8e408a82704 ("drm/amdkfd: Expose HDP registers to user space") Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c index 6b713fb0b818..fdf171ad4a3c 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c @@ -1144,7 +1144,7 @@ static int kfd_ioctl_alloc_memory_of_gpu(struct file *filep, goto err_unlock; } offset = dev->adev->rmmio_remap.bus_addr; - if (!offset) { + if (!offset || (PAGE_SIZE > 4096)) { err = -ENOMEM; goto err_unlock; } @@ -2312,7 +2312,7 @@ static int criu_restore_memory_of_gpu(struct kfd_process_device *pdd, return -EINVAL; } offset = pdd->dev->adev->rmmio_remap.bus_addr; - if (!offset) { + if (!offset || (PAGE_SIZE > 4096)) { pr_err("amdgpu_amdkfd_get_mmio_remap_phys_addr failed\n"); return -ENOMEM; } @@ -3354,6 +3354,9 @@ static int kfd_mmio_mmap(struct kfd_node *dev, struct kfd_process *process, if (vma->vm_end - vma->vm_start != PAGE_SIZE) return -EINVAL; + if (PAGE_SIZE > 4096) + return -EINVAL; + address = dev->adev->rmmio_remap.bus_addr; vm_flags_set(vma, VM_IO | VM_DONTCOPY | VM_DONTEXPAND | VM_NORESERVE |

8 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] dm suspend: return -ERESTARTSYS instead of -EINTR" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 1e1fd567d32fcf7544c6e09e0e5bc6c650da6e23 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081927-smoky-refrain-8af1@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 1e1fd567d32f ("dm suspend: return -ERESTARTSYS instead of -EINTR") 85067747cf98 ("dm: do not use waitqueue for request-based DM") 087615bf3acd ("dm mpath: pass IO start time to path selector") 5de719e3d01b ("dm mpath: fix missing call of path selector type->end_io") 645efa84f6c7 ("dm: add memory barrier before waitqueue_active") 3c94d83cb352 ("blk-mq: change blk_mq_queue_busy() to blk_mq_queue_inflight()") c4576aed8d85 ("dm: fix request-based dm's use of dm_wait_for_completion") b7934ba4147a ("dm: fix inflight IO check") 6f75723190d8 ("dm: remove the pending IO accounting") dbd3bbd291a0 ("dm rq: leverage blk_mq_queue_busy() to check for outstanding IO") 80a787ba3809 ("dm: dont rewrite dm_disk(md)->part0.in_flight") ae8799125d56 ("blk-mq: provide a helper to check if a queue is busy") 6a23e05c2fe3 ("dm: remove legacy request-based IO path") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e1fd567d32fcf7544c6e09e0e5bc6c650da6e23 Mon Sep 17 00:00:00 2001 From: Mikulas Patocka <mpatocka(a)redhat.com> Date: Tue, 13 Aug 2024 12:38:51 +0200 Subject: [PATCH] dm suspend: return -ERESTARTSYS instead of -EINTR This commit changes device mapper, so that it returns -ERESTARTSYS instead of -EINTR when it is interrupted by a signal (so that the ioctl can be restarted). The manpage signal(7) says that the ioctl function should be restarted if the signal was handled with SA_RESTART. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Cc: stable(a)vger.kernel.org diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 97fab2087df8..87bb90303435 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2737,7 +2737,7 @@ static int dm_wait_for_bios_completion(struct mapped_device *md, unsigned int ta break; if (signal_pending_state(task_state, current)) { - r = -EINTR; + r = -ERESTARTSYS; break; } @@ -2762,7 +2762,7 @@ static int dm_wait_for_completion(struct mapped_device *md, unsigned int task_st break; if (signal_pending_state(task_state, current)) { - r = -EINTR; + r = -ERESTARTSYS; break; }

8 months, 1 week

3
2
0 0

[PATCH 5.10 0/1] Fix CVE-2021-3669

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/CVE-2021-3669

8 months, 1 week

2
2
0 0

[PATCH 5.15 000/479] 5.15.165-rc3 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.165 release. There are 479 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon, 19 Aug 2024 07:51:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.165-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.165-rc3 Niklas Cassel <cassel(a)kernel.org> Revert "ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error" Sean Young <sean(a)mess.org> media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()" Michael Walle <mwalle(a)kernel.org> ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode Eric Dumazet <edumazet(a)google.com> wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values Kees Cook <kees(a)kernel.org> binfmt_flat: Fix corruption when not offsetting data start Chris Wulff <crwulff(a)gmail.com> usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. WangYuli <wangyuli(a)uniontech.com> nvme/pci: Add APST quirk for Lenovo N60z laptop Kees Cook <kees(a)kernel.org> exec: Fix ToCToU between perm check and set-uid/gid usage Amit Daniel Kachhap <amit.kachhap(a)arm.com> arm64: cpufeature: Fix the visibility of compat hwcaps Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes Mahesh Salgaonkar <mahesh(a)linux.ibm.com> powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. Andi Shyti <andi.shyti(a)linux.intel.com> drm/i915/gem: Fix Virtual Memory mapping boundaries calculation Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: fully established after ADD_ADDR echo on MPJ Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: check basic rates validity Jisheng Zhang <jszhang(a)kernel.org> PCI: dwc: Restore MSI Receiver mask during resume Shenwei Wang <shenwei.wang(a)nxp.com> net: stmmac: Enable mac_managed_pm phylink config Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: prefer nft_chain_validate Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: allow clone callbacks to sleep Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: bail out if stateful expression provides no .clone Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: use timestamp to check for set element timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: set element extended ACK reporting support Jakub Kicinski <kuba(a)kernel.org> tls: fix race between tx work scheduling and socket close Lukas Wunner <lukas(a)wunner.de> PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Filipe Manana <fdmanana(a)suse.com> btrfs: fix double inode unlock for direct IO sync writes Christoph Hellwig <hch(a)lst.de> xfs: fix log recovery buffer allocation for the legacy h_size fixup Filipe Manana <fdmanana(a)suse.com> btrfs: fix corruption after buffer fault in during direct IO append write Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: check backup support in signal endp Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: validate backup in MPJ Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fix backup support in signal endpoints Geliang Tang <geliang.tang(a)suse.com> mptcp: export local_address Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only set request_bkup flag when sending MP_PRIO Paolo Abeni <pabeni(a)redhat.com> mptcp: fix bad RCVPRUNED mib accounting Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: mib: count MPJ with backup flag Paolo Abeni <pabeni(a)redhat.com> mptcp: fix NL PM announced address accounting Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: distinguish rcv vs sent backup flag in requests Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sched: check both directions for backup Thomas Zimmermann <tzimmermann(a)suse.de> drm/mgag200: Set DDC timeout in milliseconds Lucas Stach <l.stach(a)pengutronix.de> drm/bridge: analogix_dp: properly handle zero sized AUX transactions Yang Yingliang <yangyingliang(a)huawei.com> sched/smt: Fix unbalance sched_smt_present dec/inc Yang Yingliang <yangyingliang(a)huawei.com> sched/smt: Introduce sched_smt_present_inc/dec() helper Andi Kleen <ak(a)linux.intel.com> x86/mtrr: Check if fixed MTRRs exist before saving them Waiman Long <longman(a)redhat.com> padata: Fix possible divide-by-0 panic in padata_mt_helper() Tze-nan Wu <Tze-nan.Wu(a)mediatek.com> tracing: Fix overflow in get_free_elt() Hans de Goede <hdegoede(a)redhat.com> power: supply: axp288_charger: Round constant_charge_voltage writes down Hans de Goede <hdegoede(a)redhat.com> power: supply: axp288_charger: Fix constant_charge_voltage writes Shay Drory <shayd(a)nvidia.com> genirq/irqdesc: Honor caller provided affinity in alloc_desc() Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> irqchip/xilinx: Fix shift out of bounds Andrey Konovalov <andreyknvl(a)gmail.com> kcov: properly check for softirq context George Kennedy <george.kennedy(a)oracle.com> serial: core: check uartclk for zero to avoid divide by zero Thomas Gleixner <tglx(a)linutronix.de> timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() Justin Stitt <justinstitt(a)google.com> ntp: Safeguard against time_constant overflow Dan Williams <dan.j.williams(a)intel.com> driver core: Fix uevent_show() vs driver detach race Arseniy Krasnov <avkrasnov(a)salutedevices.com> irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t' Qianggui Song <qianggui.song(a)amlogic.com> irqchip/meson-gpio: support more than 8 channels gpio irq Paul E. McKenney <paulmck(a)kernel.org> clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() Feng Tang <feng.tang(a)intel.com> clocksource: Scale the watchdog read retries automatically Paul E. McKenney <paulmck(a)kernel.org> torture: Enable clocksource watchdog with "tsc=watchdog" Waiman Long <longman(a)redhat.com> clocksource: Reduce the default clocksource_watchdog() retries to 2 Justin Stitt <justinstitt(a)google.com> ntp: Clamp maxerror and esterror to operating range Jason Wang <jasowang(a)redhat.com> vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler Thomas Gleixner <tglx(a)linutronix.de> tick/broadcast: Move per CPU pointer access into the atomic section Vamshi Gajjela <vamshigajjela(a)google.com> scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic Damien Le Moal <dlemoal(a)kernel.org> scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: u_serial: Set start_delayed during suspend Chris Wulff <crwulff(a)gmail.com> usb: gadget: core: Check for unset descriptor Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> USB: serial: debug: do not echo input by default Oliver Neukum <oneukum(a)suse.com> usb: vhci-hcd: Do not drop references before new references are gained Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 Steven 'Steve' Kendall <skend(a)chromium.org> ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list Takashi Iwai <tiwai(a)suse.de> ALSA: line6: Fix racy access to midibuf Ma Ke <make24(a)iscas.ac.cn> drm/client: fix null pointer dereference in drm_client_modeset_probe Jerome Brunet <jbrunet(a)baylibre.com> ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Re-add ScratchAmp quirk entries Stefan Wahren <wahrenst(a)gmx.net> spi: spi-fsl-lpspi: Fix scldiv calculation Masami Hiramatsu (Google) <mhiramat(a)kernel.org> kprobes: Fix to check symbol prefixes correctly Menglong Dong <menglong8.dong(a)gmail.com> bpf: kprobe: remove unused declaring of bpf_kprobe_override Guenter Roeck <linux(a)roeck-us.net> i2c: smbus: Send alert notifications to all devices if source not found Geert Uytterhoeven <geert+renesas(a)glider.be> spi: spidev: Add missing spi_device_id for bh2228fv Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wsa881x: Correct Soundwire ports mask Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask Guenter Roeck <linux(a)roeck-us.net> i2c: smbus: Improve handling of stuck alerts Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround (again) Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Cortex-A725 definitions Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Cortex-X1C definitions Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Unify speculative SSBS errata logic Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Cortex-X925 definitions Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Cortex-A720 definitions Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Cortex-X3 definitions Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Add workaround for Arm errata 3194386 and 3312417 Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-V3 definitions Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Cortex-X4 definitions Mark Rutland <mark.rutland(a)arm.com> arm64: barrier: Restore spec_bar() macro Besar Wicaksono <bwicaksono(a)nvidia.com> arm64: Add Neoverse-V2 part James Morse <james.morse(a)arm.com> arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: fix wrong unit use in ext4_mb_find_by_goal Zheng Zucheng <zhengzucheng(a)huawei.com> sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime Damien Le Moal <dlemoal(a)kernel.org> scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> profiling: remove profile=sleep support Benjamin Coddington <bcodding(a)redhat.com> SUNRPC: Fix a race to wake a sync task Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/sclp: Prevent release of buffer in I/O Kemeng Shi <shikemeng(a)huaweicloud.com> jbd2: avoid memleak in jbd2_journal_write_metadata_buffer Xiaxi Shen <shenxiaxi26(a)gmail.com> ext4: fix uninitialized variable in ext4_inlinedir_to_tree Michal Pecio <michal.pecio(a)gmail.com> media: uvcvideo: Fix the bandwdith quirk on USB 3.x Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Ignore empty TS packets Alex Hung <alex.hung(a)amd.com> drm/amd/display: Add null checker before passing variables Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu: Fix the null pointer dereference to ras_manager Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu/pm: Fix the null pointer dereference for smu7 Filipe Manana <fdmanana(a)suse.com> btrfs: fix bitmap leak when loading free space cache on duplicate entry Johannes Berg <johannes.berg(a)intel.com> wifi: nl80211: don't give key data to userspace Roman Smirnov <r.smirnov(a)omp.ru> udf: prevent integer overflow in udf_bitmap_free_blocks() FUJITA Tomonori <fujita.tomonori(a)gmail.com> PCI: Add Edimax Vendor ID to pci_ids.h Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT Thomas Weißschuh <linux(a)weissschuh.net> ACPI: SBS: manage alarm sysfs attribute through psy core Thomas Weißschuh <linux(a)weissschuh.net> ACPI: battery: create alarm sysfs attribute atomically Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> clocksource/drivers/sh_cmt: Address race condition for clock events Yu Kuai <yukuai3(a)huawei.com> md/raid5: avoid BUG_ON() while continue reshape after reassembling Li Nan <linan122(a)huawei.com> md: do not delete safemode_timer in mddev_suspend Paul E. McKenney <paulmck(a)kernel.org> rcutorture: Fix rcu_torture_fwd_cb_cr() data race Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Stop PPS on driver remove James Chapman <jchapman(a)katalix.com> l2tp: fix lockdep splat Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() Dmitry Antipov <dmantipov(a)yandex.ru> Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() Eric Dumazet <edumazet(a)google.com> net: linkwatch: use system_unbound_wq Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: mcast: wait for previous gc cycles when removing port Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: fix memory leak for not ip packets Kuniyuki Iwashima <kuniyu(a)amazon.com> sctp: Fix null-ptr-deref in reuseport_add_sock(). Xin Long <lucien.xin(a)gmail.com> sctp: move hlist_node and hashent out of sctp_ep_common Peter Zijlstra <peterz(a)infradead.org> x86/mm: Fix pti_clone_entry_text() for i386 Peter Zijlstra <peterz(a)infradead.org> x86/mm: Fix pti_clone_pgtable() alignment assumption Yipeng Zou <zouyipeng(a)huawei.com> irqchip/mbigen: Fix mbigen node address layout Marc Zyngier <maz(a)kernel.org> genirq: Allow irq_chip registration functions to take a const irq_chip Alexander Maltsev <keltar.gw(a)gmail.com> netfilter: ipset: Add list flush to cancel_gc Paolo Abeni <pabeni(a)redhat.com> mptcp: fix duplicate data handling Heiner Kallweit <hkallweit1(a)gmail.com> r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY Ma Ke <make24(a)iscas.ac.cn> net: usb: sr9700: fix uninitialized variable use in sr_mdio_read Zack Rusin <zack.rusin(a)broadcom.com> drm/vmwgfx: Fix a deadlock in dma buf fence polling Edmund Raile <edmund.raile(a)protonmail.com> Revert "ALSA: firewire-lib: operate for period elapse event in process context" Edmund Raile <edmund.raile(a)protonmail.com> Revert "ALSA: firewire-lib: obsolete workqueue for period update" Mavroudis Chatzilazaridis <mavchatz(a)protonmail.com> ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Correct surround channels in UAC1 channel map Al Viro <viro(a)zeniv.linux.org.uk> protect the fetch of ->fd[fd] in do_dup2() from mispredictions Tatsunosuke Tobita <tatsunosuke.tobita(a)wacom.com> HID: wacom: Modify pen IDs Patryk Duda <patrykd(a)google.com> platform/chrome: cros_ec_proto: Lock device when updating MKBP version Justin Stitt <justinstitt(a)google.com> power: supply: bq24190_charger: replace deprecated strncpy with strscpy Zhe Qiao <qiaozhe(a)iscas.ac.cn> riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() Maciej Żenczykowski <maze(a)google.com> ipv6: fix ndisc_is_useropt() handling for PIO Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys Kuniyuki Iwashima <kuniyu(a)amazon.com> netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). Kuniyuki Iwashima <kuniyu(a)amazon.com> netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). Dan Carpenter <dan.carpenter(a)linaro.org> net: mvpp2: Don't re-use loop iterator Alexandra Winter <wintera(a)linux.ibm.com> net/iucv: fix use after free in iucv_sock_close() Kuniyuki Iwashima <kuniyu(a)amazon.com> rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink(). Florent Fourcot <florent.fourcot(a)wifirst.fr> rtnetlink: enable alt_ifname for setlink/newlink songxiebing <songxiebing(a)kylinos.cn> ALSA: hda: conexant: Fix headset auto detect fail in the polling mode Eric Dumazet <edumazet(a)google.com> sched: act_ct: take care of padding in struct zones_ht_key Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Fix overlay when using Screen Targets Danilo Krummrich <dakr(a)kernel.org> drm/nouveau: prime: fix refcount underflow Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: dts: loongson: Fix ls2k1000-rtc interrupt Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: dts: loongson: Fix liointc IRQ polarity Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a Binbin Zhou <zhoubinbin(a)loongson.cn> MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000 Aleksandr Mishin <amishin(a)t-argos.ru> remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init Wayne Lin <Wayne.Lin(a)amd.com> drm/dp_mst: Fix all mstb marked as not probed after suspend/resume Shenwei Wang <shenwei.wang(a)nxp.com> irqchip/imx-irqsteer: Handle runtime power management correctly Lucas Stach <l.stach(a)pengutronix.de> irqchip/imx-irqsteer: Add runtime PM support Lucas Stach <l.stach(a)pengutronix.de> irqchip/imx-irqsteer: Constify irq_chip struct Marc Zyngier <maz(a)kernel.org> genirq: Allow the PM device to originate from irq domain Herve Codina <herve.codina(a)bootlin.com> irqdomain: Fixed unbalanced fwnode get and put Thomas Weißschuh <linux(a)weissschuh.net> leds: triggers: Flush pending brightness before activating trigger Hans de Goede <hdegoede(a)redhat.com> leds: trigger: Call synchronize_rcu() before calling trig->activate() Heiner Kallweit <hkallweit1(a)gmail.com> leds: trigger: Store brightness set by led_trigger_event() Heiner Kallweit <hkallweit1(a)gmail.com> leds: trigger: Remove unused function led_trigger_rename_static() Johannes Berg <johannes.berg(a)intel.com> leds: trigger: use RCU to protect the led_cdevs list Jay Buddhabhatti <jay.buddhabhatti(a)amd.com> drivers: soc: xilinx: check return status of get_api_version() Michael Tretter <m.tretter(a)pengutronix.de> soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver Zhang Yi <yi.zhang(a)huawei.com> ext4: check the extent status again before inserting delalloc block Zhang Yi <yi.zhang(a)huawei.com> ext4: factor out a common helper to query extent map Zhang Yi <yi.zhang(a)huawei.com> ext4: convert to exclusive lock while inserting delalloc extents Zhang Yi <yi.zhang(a)huawei.com> ext4: refactor ext4_da_map_blocks() Baokun Li <libaokun1(a)huawei.com> ext4: make ext4_es_insert_extent() return void Thomas Weißschuh <linux(a)weissschuh.net> sysctl: always initialize i_uid/i_gid Krishna Kurapati <quic_kriskura(a)quicinc.com> arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB Krishna Kurapati <quic_kriskura(a)quicinc.com> arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: msm8998: drop USB PHY clock index Shawn Guo <shawn.guo(a)linaro.org> arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node Esben Haabendal <esben(a)geanix.com> powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC Seth Forshee (DigitalOcean) <sforshee(a)kernel.org> fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT Leon Romanovsky <leon(a)kernel.org> nvme-pci: add missing condition check for existence of mapped data Jens Axboe <axboe(a)kernel.dk> nvme: separate command prep and issue Jens Axboe <axboe(a)kernel.dk> nvme: split command copy into a helper Artem Chernyshev <artem.chernyshev(a)red-soft.ru> iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en Gerd Bayer <gbayer(a)linux.ibm.com> s390/pci: Allow allocation of more than 1 MSI interrupt Gerd Bayer <gbayer(a)linux.ibm.com> s390/pci: Refactor arch_setup_msi_irqs() Thomas Gleixner <tglx(a)linutronix.de> s390/pci: Rework MSI descriptor walk ethanwu <ethanwu(a)synology.com> ceph: fix incorrect kmalloc size of pagevec mempool Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable Conor Dooley <conor.dooley(a)microchip.com> spi: spidev: add correct compatible for Rohm BH2228FV Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> spi: spidev: order compatibles alphabetically Vincent Tremblay <vincent(a)vtremblay.dev> spidev: Add Silicon Labs EM3581 device compatible Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: spidev: Replace OF specific code by device property API Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: spidev: Replace ACPI specific code by device_get_match_data() Javier Martinez Canillas <javierm(a)redhat.com> spi: spidev: Make probe to fail early if a spidev compatible is used Al Viro <viro(a)zeniv.linux.org.uk> lirc: rc_dev_get_from_fd(): fix file leak Al Viro <viro(a)zeniv.linux.org.uk> powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap() Xiao Liang <shaw.leon(a)gmail.com> apparmor: Fix null pointer deref when receiving skb during sock creation Dan Carpenter <dan.carpenter(a)linaro.org> mISDN: Fix a use after free in hfcmulti_tx() Fred Li <dracodingfly(a)gmail.com> bpf: Fix a segment issue when downgrading gso_size Petr Machata <petrm(a)nvidia.com> net: nexthop: Initialize all fields in dumped nexthops Simon Horman <horms(a)kernel.org> net: stmmac: Correct byte order of perfect_match Shigeru Yoshida <syoshida(a)redhat.com> tipc: Return non-zero value from tipc_udp_addr2str() on error Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo_avx2: disable softinterrupts Johannes Berg <johannes.berg(a)intel.com> net: bonding: correctly annotate RCU in bond_should_notify_peers() Ido Schimmel <idosch(a)nvidia.com> ipv4: Fix incorrect source address in Record Route option Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later Hou Tao <houtao1(a)huawei.com> bpf, events: Use prog to emit ksymbol event for main program Lance Richardson <rlance(a)google.com> dma: fix call order in dmam_free_coherent Andrii Nakryiko <andrii(a)kernel.org> libbpf: Fix no-args func prototype BTF dumping syntax Johannes Berg <johannes.berg(a)intel.com> um: time-travel: fix signal blocking race/hang Johannes Berg <johannes.berg(a)intel.com> um: time-travel: fix time-travel-start option Ma Ke <make24(a)iscas.ac.cn> phy: cadence-torrent: Check return value on register read Vignesh Raghavendra <vigneshr(a)ti.com> dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels Jeongjun Park <aha310510(a)gmail.com> jfs: Fix array-index-out-of-bounds in diFree Douglas Anderson <dianders(a)chromium.org> kdb: Use the passed prompt in kdb_position_cursor() Arnd Bergmann <arnd(a)arndb.de> kdb: address -Wformat-security warnings Pavel Begunkov <asml.silence(a)gmail.com> kernel: rerun task_work while freezing in get_signal() Pavel Begunkov <asml.silence(a)gmail.com> io_uring/io-wq: limit retrying worker initialisation Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: handle inconsistent state in nilfs_btnode_create_block() WangYuli <wangyuli(a)uniontech.com> Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 Hilda Wu <hildawu(a)realtek.com> Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables Ilya Dryomov <idryomov(a)gmail.com> rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings Ilya Dryomov <idryomov(a)gmail.com> rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait Dragan Simic <dsimic(a)manjaro.org> drm/panfrost: Mark simple_ondemand governor as softdep Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: Test register availability before use Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: reset: Prioritise firmware service Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: Remove memory node for builtin-dtb Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: env: Hook up Loongsson-2K Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: dts: loongson: Fix GMAC phy node Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: ip30: ip30-console: Add missing include Aleksandr Mishin <amishin(a)t-argos.ru> remoteproc: imx_rproc: Skip over memory region when node value is NULL Gwenael Treuveur <gwenael.treuveur(a)foss.st.com> remoteproc: stm32_rproc: Fix mailbox interrupts queuing Ilya Dryomov <idryomov(a)gmail.com> rbd: don't assume rbd_is_lock_owner() for exclusive mappings Michael Ellerman <mpe(a)ellerman.id.au> selftests/sigaltstack: Fix ppc64 GCC build Bart Van Assche <bvanassche(a)acm.org> RDMA/iwcm: Fix a use-after-free related to destroying CM IDs Jiaxun Yang <jiaxun.yang(a)flygoat.com> platform: mips: cpu_hwmon: Disable driver on unsupported hardware Thomas Gleixner <tglx(a)linutronix.de> watchdog/perf: properly initialize the turbo mode timestamp and rearm counter Joy Chakraborty <joychakr(a)google.com> rtc: isl1208: Fix return value of nvmem callbacks Imre Deak <imre.deak(a)intel.com> drm/i915/dp: Reset intel_dp->link_trained before retraining the link Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell Nitin Gote <nitin.r.gote(a)intel.com> drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8 Adrian Hunter <adrian.hunter(a)intel.com> perf/x86/intel/pt: Fix a topa_entry base address calculation Marco Cavenati <cavenati.marco(a)gmail.com> perf/x86/intel/pt: Fix topa_entry base length Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR Frederic Weisbecker <frederic(a)kernel.org> perf: Fix event leak upon exec and file release Frederic Weisbecker <frederic(a)kernel.org> perf: Fix event leak upon exit Nilesh Javali <njavali(a)marvell.com> scsi: qla2xxx: validate nvme_local_port correctly Shreyas Deodhar <sdeodhar(a)marvell.com> scsi: qla2xxx: Complete command early within lock Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix flash read failure Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Use QP lock to search for bsg Shreyas Deodhar <sdeodhar(a)marvell.com> scsi: qla2xxx: Fix for possible memory corruption Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Unable to act on RSCN for port online Manish Rangankar <mrangankar(a)marvell.com> scsi: qla2xxx: During vport delete send async logout explicitly Joy Chakraborty <joychakr(a)google.com> rtc: cmos: Fix return value of nvmem callbacks Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> mm/numa_balancing: teach mpol_to_str about the balancing mode Zijun Hu <quic_zijuhu(a)quicinc.com> devres: Fix memory leakage caused by driver API devm_free_percpu() Zijun Hu <quic_zijuhu(a)quicinc.com> devres: Fix devm_krealloc() wasting memory Bailey Forrest <bcf(a)google.com> gve: Fix an edge case for TSO skb validity check Zijun Hu <quic_zijuhu(a)quicinc.com> kobject_uevent: Fix OOB access within zap_modalias_env() Nathan Chancellor <nathan(a)kernel.org> kbuild: Fix '-S -c' in x86 stack protector scripts Ross Lagerwall <ross.lagerwall(a)citrix.com> decompress_bunzip2: fix rare decompression failure Fedor Pchelkin <pchelkin(a)ispras.ru> ubi: eba: properly rollback inside self_check_eba Bastien Curutchet <bastien.curutchet(a)bootlin.com> clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use Saurav Kashyap <skashyap(a)marvell.com> scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds Huacai Chen <chenhuacai(a)kernel.org> fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed tuhaowen <tuhaowen(a)uniontech.com> dev/parport: fix the array out-of-bounds risk Carlos Llamas <cmllamas(a)google.com> binder: fix hang of unregistered readers Manivannan Sadhasivam <mani(a)kernel.org> PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio Niklas Cassel <cassel(a)kernel.org> PCI: dw-rockchip: Fix initial PERST# GPIO value Wei Liu <wei.liu(a)kernel.org> PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> hwrng: amd - Convert PCIBIOS_* return codes to errnos Alan Stern <stern(a)rowland.harvard.edu> tools/memory-model: Fix bug in lock.cat wangdicheng <wangdicheng(a)kylinos.cn> ALSA: usb-audio: Add a quirk for Sonix HD USB Camera Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Move HD Webcam quirk to the right place wangdicheng <wangdicheng(a)kylinos.cn> ALSA: usb-audio: Fix microphone sound on HD webcam. Sean Christopherson <seanjc(a)google.com> KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Fix integer overflow calculating timestamp Jan Kara <jack(a)suse.cz> jbd2: make jbd2_journal_get_max_txn_bufs() internal Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> leds: ss4200: Convert PCIBIOS_* return codes to errnos Rafael Beims <rafael.beims(a)toradex.com> wifi: mwifiex: Fix interface type change Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Add cred_transfer test Pavel Begunkov <asml.silence(a)gmail.com> io_uring: tighten task exit cancellations Baokun Li <libaokun1(a)huawei.com> ext4: make sure the first directory block is not a hole Baokun Li <libaokun1(a)huawei.com> ext4: check dot and dotdot of dx_root before making dir indexed Paolo Pisati <p.pisati(a)gmail.com> m68k: amiga: Turn off Warp1260 interrupts during boot Jan Kara <jack(a)suse.cz> udf: Avoid using corrupted block bitmap buffer Frederic Weisbecker <frederic(a)kernel.org> task_work: Introduce task_work_cancel() again Frederic Weisbecker <frederic(a)kernel.org> task_work: s/task_work_cancel()/task_work_cancel_func()/ Fedor Pchelkin <pchelkin(a)ispras.ru> apparmor: use kvfree_sensitive to free data->data Pierre Gondois <pierre.gondois(a)arm.com> sched/fair: Use all little CPUs for CPU-bound workloads Sung Joon Kim <sungjoon.kim(a)amd.com> drm/amd/display: Check for NULL pointer Shreyas Deodhar <sdeodhar(a)marvell.com> scsi: qla2xxx: Fix optrom version displayed in FDMI Ma Ke <make24(a)iscas.ac.cn> drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes Ma Ke <make24(a)iscas.ac.cn> drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes Jan Kara <jack(a)suse.cz> ext2: Verify bitmap and itable block numbers before using them Chao Yu <chao(a)kernel.org> hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() Igor Pylypiv <ipylypiv(a)google.com> ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error Dikshita Agarwal <quic_dikshita(a)quicinc.com> media: venus: fix use after free in vdec_close Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> char: tpm: Fix possible memory leak in tpm_bios_measurements_open() Eric Sandeen <sandeen(a)redhat.com> fuse: verify {g,u}id mount options correctly Tejun Heo <tj(a)kernel.org> sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks Nicolas Dichtel <nicolas.dichtel(a)6wind.com> ipv6: take care of scope when choosing the src addr Chengen Du <chengen.du(a)canonical.com> af_packet: Handle outgoing VLAN packets without hardware offloading Breno Leitao <leitao(a)debian.org> net: netconsole: Disable target before netpoll cleanup Yu Liao <liaoyu15(a)huawei.com> tick/broadcast: Make takeover of broadcast hrtimer reliable Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: thermal: correct thermal zone node name limit Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer Miaohe Lin <linmiaohe(a)huawei.com> mm/hugetlb: fix possible recursive locking detected warning Jann Horn <jannh(a)google.com> landlock: Don't lose track of restrictions on cred_transfer Carlos López <clopez(a)suse.de> s390/dasd: fix error checks in dasd_copy_pair_store() Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Missed error return Csókás, Bence <csokas.bence(a)prolan.hu> rtc: interface: Add RTC offset to alarm after fix-up Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro David Hildenbrand <david(a)redhat.com> fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix field-spanning write in INDEX_HDR Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Replace inode_trylock with inode_lock Peng Fan <peng.fan(a)nxp.com> pinctrl: freescale: mxs: Fix refcount of child Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pinctrl: ti: ti-iodelay: Drop if block with always false condition Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: single: fix possible memory leak when pinctrl_enable() fails Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: core: fix possible memory leak when pinctrl_enable() fails Dmitry Yashin <dmt.yashin(a)gmail.com> pinctrl: rockchip: update rk3308 iomux routes Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix getting file type Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix transform resident to nonresident for compressed files Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Use ALIGN kernel macro Martin Willi <martin(a)strongswan.org> net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports Martin Willi <martin(a)strongswan.org> net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports Florian Westphal <fw(a)strlen.de> netfilter: nf_set_pipapo: fix initial map fill Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: constify lookup fn args where possible Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: ctnetlink: use helper function to calculate expect ID Jack Wang <jinpu.wang(a)ionos.com> bnxt_re: Fix imm_data endianness Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix insufficient extend DB for VFs. Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix undifined behavior caused by invalid max_sge Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix missing pagesize and alignment check in FRMR Nick Bowler <nbowler(a)draconx.ca> macintosh/therm_windtunnel: fix module unload. Michael Ellerman <mpe(a)ellerman.id.au> powerpc/xmon: Fix disassembly CPU feature checks Dominique Martinet <dominique.martinet(a)atmark-techno.com> MIPS: Octeron: remove source file executable bit Denis Arefev <arefev(a)swemel.ru> net: missing check virtio Michael S. Tsirkin <mst(a)redhat.com> vhost/vsock: always initialize seqpacket_allow Dan Carpenter <dan.carpenter(a)linaro.org> PCI: endpoint: Clean up error handling in vpci_scan_bus() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: elan_i2c - do not leave interrupt disabled on suspend failure Leon Romanovsky <leon(a)kernel.org> RDMA/device: Return error earlier if port in not valid Arnd Bergmann <arnd(a)arndb.de> mtd: make mtd_test.c a separate module Chen Ni <nichen(a)iscas.ac.cn> ASoC: max98088: Check for clk_prepare_enable() error Honggang LI <honggangli(a)163.com> RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs Leon Romanovsky <leon(a)kernel.org> RDMA/mlx4: Fix truncated output warning in alias_GUID.c Leon Romanovsky <leon(a)kernel.org> RDMA/mlx4: Fix truncated output warning in mad.c Andrei Lalaev <andrei.lalaev(a)anton-paar.com> Input: qt1050 - handle CHIP_ID reading error Leon Romanovsky <leon(a)kernel.org> RDMA/cache: Release GID table even if leak is detected Chiara Meiohas <cmeiohas(a)nvidia.com> RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE James Clark <james.clark(a)arm.com> coresight: Fix ref leak when of_coresight_parse_endpoint() fails Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: branch: Add helper functions for setting retain bits Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix resource double counting on remove & rescan Benjamin Coddington <bcodding(a)redhat.com> SUNRPC: Fixup gss_status tracepoint error output Andreas Larsson <andreas(a)gaisler.com> sparc64: Fix incorrect function signature and add prototype for prom_cif_init Jan Kara <jack(a)suse.cz> ext4: avoid writing unitialized memory to disk in EA inodes Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: don't track ranges in fast_commit if inode has inlined data Ritesh Harjani <riteshh(a)linux.ibm.com> ext4: return early for non-eligible fast_commit track events Olga Kornievskaia <kolga(a)netapp.com> NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server NeilBrown <neilb(a)suse.de> SUNRPC: avoid soft lockup when transmitting UDP to reachable server. Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Fix rpcrdma_reqs_reset() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> mfd: omap-usb-tll: Use struct_size to allocate tll Arnd Bergmann <arnd(a)arndb.de> mfd: rsmu: Split core code into separate module Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix exclude_guest setting Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix aux_watermark calculation for 64-bit size Dikshita Agarwal <quic_dikshita(a)quicinc.com> media: venus: flush all buffers in output plane streamoff Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix infinite loop when replaying fast_commit Luca Ceresoli <luca.ceresoli(a)bootlin.com> Revert "leds: led-core: Fix refcount leak in of_led_get()" Chen Ni <nichen(a)iscas.ac.cn> drm/qxl: Add check for drm_cvt_mode Lucas Stach <l.stach(a)pengutronix.de> drm/etnaviv: fix DMA direction handling for cached RW buffers Namhyung Kim <namhyung(a)kernel.org> perf report: Fix condition in sort__sym_cmp() Hans de Goede <hdegoede(a)redhat.com> leds: trigger: Unregister sysfs attributes before calling deactivate() Hsiao Chien Sung <shawn.sung(a)mediatek.com> drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property Hsiao Chien Sung <shawn.sung(a)mediatek.com> drm/mediatek: Add missing plane settings when async update Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: renesas: vsp1: Store RPF partition configuration per RPF instance Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: renesas: vsp1: Fix _irqsave and _irq mix Daniel Schaefer <dhs(a)frame.work> media: uvcvideo: Override default flags Aleksandr Burakov <a.burakov(a)rosalinux.ru> saa7134: Unchecked i2c_transfer function result fixed Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: i2c: Fix imx412 exposure control Ricardo Ribalda <ribalda(a)chromium.org> media: imon: Fix race getting ictx->lock Zheng Yejian <zhengyejian1(a)huawei.com> media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() Douglas Anderson <dianders(a)chromium.org> drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare() Douglas Anderson <dianders(a)chromium.org> drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators Friedrich Vock <friedrich.vock(a)gmx.de> drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Fix aldebaran pcie speed reporting Taehee Yoo <ap420073(a)gmail.com> xdp: fix invalid wait context of page_pool_destroy() Amit Cohen <amcohen(a)nvidia.com> selftests: forwarding: devlink_lib: Wait for udev events after reloading Alan Maguire <alan.maguire(a)oracle.com> bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> bna: adjust 'name' buf size of bna_tcb and bna_ccb structures Alan Maguire <alan.maguire(a)oracle.com> bpf: annotate BTF show functions with __printf Geliang Tang <tanggeliang(a)kylinos.cn> selftests/bpf: Close fd in error path in drop_on_reuseport John Stultz <jstultz(a)google.com> locking/rwsem: Add __always_inline annotation to __down_write_common() and inlined callers Johannes Berg <johannes.berg(a)intel.com> wifi: virt_wifi: don't use strlen() in const context Gaosheng Cui <cuigaosheng1(a)huawei.com> gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey En-Wei Wu <en-wei.wu(a)canonical.com> wifi: virt_wifi: avoid reporting connection success with wrong SSID Adrian Hunter <adrian.hunter(a)intel.com> perf: Fix default aux_watermark calculation Adrian Hunter <adrian.hunter(a)intel.com> perf: Prevent passing zero nr_pages to rb_alloc_aux() Adrian Hunter <adrian.hunter(a)intel.com> perf: Fix perf_aux_size() for greater-than 32-bit size Adrian Hunter <adrian.hunter(a)intel.com> perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: rise cap on SELinux secmark context Ismael Luceno <iluceno(a)suse.de> ipvs: Avoid unnecessary calls to skb_is_gso_sctp Donglin Peng <dolinux.peng(a)gmail.com> libbpf: Checking the btf_type kind when fixing variable offsets Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Fix FEC_ECR_EN1588 being cleared on link-down Csókás Bence <csokas.bence(a)prolan.hu> net: fec: Refactor: #define magic constants Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors Amit Cohen <amcohen(a)nvidia.com> mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more flexible Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_erp: Fix object nesting warning Ido Schimmel <idosch(a)nvidia.com> lib: objagg: Fix general protection fault Geliang Tang <tanggeliang(a)kylinos.cn> selftests/bpf: Check length of recv in test_sockmap Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined Eric Dumazet <edumazet(a)google.com> tcp: fix races in tcp_v[46]_err() Eric Dumazet <edumazet(a)google.com> tcp: fix race in tcp_write_err() Eric Dumazet <edumazet(a)google.com> tcp: add tcp_done_with_error() helper Eric Dumazet <edumazet(a)google.com> tcp: annotate lockless access to sk->sk_err Eric Dumazet <edumazet(a)google.com> tcp: annotate lockless accesses to sk->sk_err_soft Hagar Hemdan <hagarhem(a)amazon.com> net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP Geliang Tang <tanggeliang(a)kylinos.cn> selftests/bpf: Fix prog numbers in test_sockmap Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device Marek Behún <kabel(a)kernel.org> firmware: turris-mox-rwtm: Initialize completion before mailbox Marek Behún <kabel(a)kernel.org> firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout() Marek Behún <kabel(a)kernel.org> firmware: turris-mox-rwtm: Do not complete if there are no waiters Christophe Leroy <christophe.leroy(a)csgroup.eu> vmlinux.lds.h: catch .bss..L* sections into BSS") Dmitry Torokhov <dmitry.torokhov(a)gmail.com> ARM: spitz: fix GPIO assignment for backlight Arnd Bergmann <arnd(a)arndb.de> ARM: pxa: spitz: use gpio descriptors for audio Thorsten Blum <thorsten.blum(a)toblux.com> m68k: cmpxchg: Fix return value for default case in __arch_xchg() Chen Ni <nichen(a)iscas.ac.cn> x86/xen: Convert comma to semicolon Eero Tamminen <oak(a)helsinkinet.fi> m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages Jerome Brunet <jbrunet(a)baylibre.com> arm64: dts: amlogic: gx: correct hdmi clocks Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625 Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property Michael Walle <mwalle(a)kernel.org> ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity Michael Walle <mwalle(a)kernel.org> ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects Michael Walle <mwalle(a)kernel.org> ARM: dts: imx6qdl-kontron-samx6i: fix board reset Michael Walle <mwalle(a)kernel.org> ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset Marco Felsch <m.felsch(a)pengutronix.de> ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node Jonas Karlman <jonas(a)kwiboo.se> arm64: dts: rockchip: Increase VOP clk rate on RK3328 Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> soc: qcom: pdr: fix parsing of domains lists Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> soc: qcom: pdr: protect locator_addr with the main mutex Esben Haabendal <esben(a)geanix.com> memory: fsl_ifc: Make FSL_IFC config visible and selectable Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: msm8996: specify UFS core_clk frequencies Stephen Boyd <swboyd(a)chromium.org> soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data() callers Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8250: add power-domain to UFS PHY Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sdm845: add power-domain to UFS PHY Guenter Roeck <linux(a)roeck-us.net> hwmon: (max6697) Fix swapped temp{1,8} critical alarms Guenter Roeck <linux(a)roeck-us.net> hwmon: (max6697) Fix underflow when writing limit attributes Yao Zi <ziyao(a)disroot.org> drm/meson: fix canvas release in bind function Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Always do lazy disabling Wayne Tung <chineweff(a)gmail.com> hwmon: (adt7475) Fix default duty on fan is disabled Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> x86/pci/xen: Fix PCIBIOS_* return code handling Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> x86/of: Return consistent error type from x86_of_pci_irq_enable() Chao Yu <chao(a)kernel.org> hfsplus: fix to avoid false alarm of circular locking Christoph Hellwig <hch(a)lst.de> block: initialize integrity buffer to zero before writing it to media Jinyoung Choi <j-young.choi(a)samsung.com> block: cleanup bio_integrity_prep Nitesh Shetty <nj.shetty(a)samsung.com> block: refactor to use helper Tzung-Bi Shih <tzungbi(a)kernel.org> platform/chrome: cros_ec_debugfs: fix wrong EC message version Arnd Bergmann <arnd(a)arndb.de> EDAC, i10nm: make skx_common.o a separate module Chao Yu <chao(a)kernel.org> f2fs: fix to don't dirty inode for readonly filesystem Chao Yu <chao(a)kernel.org> f2fs: fix return value of f2fs_convert_inline_inode() ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 10 +- Documentation/arm64/cpu-feature-registers.rst | 38 ++++- Documentation/arm64/silicon-errata.rst | 36 ++++ .../devicetree/bindings/thermal/thermal-zones.yaml | 5 +- Makefile | 4 +- arch/arm/boot/dts/imx6q-kontron-samx6i.dtsi | 23 --- arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi | 26 ++- arch/arm/mach-pxa/spitz.c | 39 ++++- arch/arm/mach-pxa/{include/mach => }/spitz.h | 2 +- arch/arm/mach-pxa/spitz_pm.c | 2 +- arch/arm64/Kconfig | 38 +++++ arch/arm64/boot/dts/amlogic/meson-gxbb.dtsi | 4 +- arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 4 +- .../boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts | 4 +- arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts | 4 +- .../boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 25 +-- arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi | 2 - arch/arm64/boot/dts/qcom/ipq8074.dtsi | 6 +- arch/arm64/boot/dts/qcom/msm8996.dtsi | 8 +- arch/arm64/boot/dts/qcom/msm8998.dtsi | 36 ++-- arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 + arch/arm64/boot/dts/qcom/sm8250.dtsi | 22 +-- arch/arm64/boot/dts/qcom/sm8350.dtsi | 3 - arch/arm64/boot/dts/rockchip/rk3328.dtsi | 4 +- arch/arm64/include/asm/barrier.h | 4 + arch/arm64/include/asm/cputype.h | 16 ++ arch/arm64/kernel/cpu_errata.c | 31 ++++ arch/arm64/kernel/cpufeature.c | 94 +++++++++-- arch/arm64/kernel/proton-pack.c | 12 ++ arch/arm64/tools/cpucaps | 1 + arch/m68k/amiga/config.c | 9 + arch/m68k/atari/ataints.c | 6 +- arch/m68k/include/asm/cmpxchg.h | 2 +- arch/mips/boot/dts/loongson/loongson64-2k1000.dtsi | 98 +++++++---- arch/mips/include/asm/mach-loongson64/boot_param.h | 2 + arch/mips/include/asm/mips-cm.h | 4 + arch/mips/kernel/smp-cps.c | 5 +- arch/mips/loongson64/env.c | 8 + arch/mips/loongson64/reset.c | 38 ++--- arch/mips/loongson64/smp.c | 23 ++- arch/mips/pci/pcie-octeon.c | 0 arch/mips/sgi-ip30/ip30-console.c | 1 + arch/powerpc/configs/85xx-hw.config | 2 + arch/powerpc/include/asm/interrupt.h | 14 +- arch/powerpc/include/asm/percpu.h | 10 ++ arch/powerpc/kernel/setup_64.c | 2 + arch/powerpc/kvm/powerpc.c | 4 +- arch/powerpc/xmon/ppc-dis.c | 33 ++-- arch/riscv/mm/fault.c | 17 +- arch/s390/pci/pci_irq.c | 116 ++++++++----- arch/sparc/include/asm/oplib_64.h | 1 + arch/sparc/prom/init_64.c | 3 - arch/sparc/prom/p1275.c | 2 +- arch/um/kernel/time.c | 4 +- arch/um/os-Linux/signal.c | 118 ++++++++++--- arch/x86/events/intel/pt.c | 4 +- arch/x86/events/intel/pt.h | 4 +- arch/x86/events/intel/uncore_snbep.c | 6 +- arch/x86/kernel/cpu/mtrr/mtrr.c | 2 +- arch/x86/kernel/devicetree.c | 2 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/vmx/vmx.h | 1 + arch/x86/mm/pti.c | 8 +- arch/x86/pci/intel_mid_pci.c | 4 +- arch/x86/pci/xen.c | 4 +- arch/x86/platform/intel/iosf_mbi.c | 4 +- arch/x86/xen/p2m.c | 4 +- block/bio-integrity.c | 21 ++- drivers/acpi/battery.c | 16 +- drivers/acpi/sbs.c | 23 +-- drivers/android/binder.c | 4 +- drivers/ata/libata-scsi.c | 10 +- drivers/base/core.c | 13 +- drivers/base/devres.c | 11 +- drivers/base/module.c | 4 + drivers/block/rbd.c | 35 ++-- drivers/bluetooth/btusb.c | 4 + drivers/char/hw_random/amd-rng.c | 4 +- drivers/char/tpm/eventlog/common.c | 2 + drivers/clk/davinci/da8xx-cfgchip.c | 4 +- drivers/clk/qcom/clk-branch.h | 26 +++ drivers/clk/qcom/gcc-sc7280.c | 3 + drivers/clocksource/sh_cmt.c | 13 +- drivers/dma/ti/k3-udma.c | 4 +- drivers/edac/Makefile | 10 +- drivers/edac/skx_common.c | 21 ++- drivers/edac/skx_common.h | 4 +- drivers/firmware/turris-mox-rwtm.c | 23 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 7 +- drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 12 ++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +- drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 3 +- .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 55 +++--- .../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 14 +- .../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 7 +- drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 4 +- drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 5 +- drivers/gpu/drm/drm_client_modeset.c | 5 + drivers/gpu/drm/drm_dp_mst_topology.c | 4 +- drivers/gpu/drm/etnaviv/etnaviv_gem.c | 6 +- drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 + drivers/gpu/drm/gma500/psb_intel_lvds.c | 3 + drivers/gpu/drm/i915/display/intel_dp.c | 2 + drivers/gpu/drm/i915/gem/i915_gem_mman.c | 53 +++++- .../gpu/drm/i915/gt/intel_execlists_submission.c | 6 +- drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 17 +- drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h | 6 +- drivers/gpu/drm/mediatek/mtk_drm_plane.c | 4 +- drivers/gpu/drm/meson/meson_drv.c | 37 ++-- drivers/gpu/drm/mgag200/mgag200_i2c.c | 2 +- drivers/gpu/drm/nouveau/nouveau_prime.c | 3 +- drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 8 +- drivers/gpu/drm/panfrost/panfrost_drv.c | 1 + drivers/gpu/drm/qxl/qxl_display.c | 3 + drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 17 +- drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +- drivers/hid/wacom_wac.c | 3 +- drivers/hwmon/adt7475.c | 2 +- drivers/hwmon/max6697.c | 5 +- drivers/hwtracing/coresight/coresight-platform.c | 4 +- drivers/i2c/i2c-smbus.c | 64 ++++++- drivers/infiniband/core/cache.c | 14 +- drivers/infiniband/core/device.c | 6 +- drivers/infiniband/core/iwcm.c | 11 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 8 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 6 +- drivers/infiniband/hw/hns/hns_roce_device.h | 4 + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +- drivers/infiniband/hw/hns/hns_roce_mr.c | 5 + drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx5/mlx5_ib.h | 13 ++ drivers/infiniband/hw/mlx5/odp.c | 6 +- drivers/infiniband/sw/rxe/rxe_req.c | 7 +- drivers/input/keyboard/qt1050.c | 7 +- drivers/input/mouse/elan_i2c_core.c | 2 + drivers/iommu/sprd-iommu.c | 2 +- drivers/irqchip/irq-imx-irqsteer.c | 40 ++++- drivers/irqchip/irq-mbigen.c | 20 ++- drivers/irqchip/irq-meson-gpio.c | 35 ++-- drivers/irqchip/irq-xilinx-intc.c | 2 +- drivers/isdn/hardware/mISDN/hfcmulti.c | 7 +- drivers/leds/led-class.c | 1 - drivers/leds/led-triggers.c | 75 ++++---- drivers/leds/leds-ss4200.c | 7 +- drivers/leds/trigger/ledtrig-timer.c | 5 - drivers/macintosh/therm_windtunnel.c | 2 +- drivers/md/md.c | 1 - drivers/md/raid5.c | 20 ++- drivers/media/i2c/imx412.c | 9 +- drivers/media/pci/saa7134/saa7134-dvb.c | 8 +- drivers/media/platform/qcom/venus/vdec.c | 3 +- drivers/media/platform/vsp1/vsp1_histo.c | 20 +-- drivers/media/platform/vsp1/vsp1_pipe.h | 2 +- drivers/media/platform/vsp1/vsp1_rpf.c | 8 +- drivers/media/rc/imon.c | 5 +- drivers/media/rc/lirc_dev.c | 4 +- drivers/media/usb/uvc/uvc_ctrl.c | 9 +- drivers/media/usb/uvc/uvc_video.c | 47 +++++- drivers/memory/Kconfig | 2 +- drivers/mfd/Makefile | 6 +- drivers/mfd/omap-usb-tll.c | 3 +- drivers/mfd/rsmu_core.c | 2 + drivers/mtd/nand/raw/Kconfig | 3 +- drivers/mtd/tests/Makefile | 34 ++-- drivers/mtd/tests/mtd_test.c | 9 + drivers/mtd/ubi/eba.c | 3 +- drivers/net/bonding/bond_main.c | 7 +- drivers/net/dsa/b53/b53_common.c | 3 + drivers/net/dsa/bcm_sf2.c | 4 +- drivers/net/dsa/mv88e6xxx/chip.c | 3 +- drivers/net/ethernet/brocade/bna/bna_types.h | 2 +- drivers/net/ethernet/brocade/bna/bnad.c | 11 +- drivers/net/ethernet/freescale/fec_main.c | 52 ++++-- drivers/net/ethernet/freescale/fec_ptp.c | 3 + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 22 ++- drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 7 +- .../ethernet/mellanox/mlxsw/spectrum_acl_atcam.c | 18 +- .../mellanox/mlxsw/spectrum_acl_bloom_filter.c | 38 +++-- .../net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c | 13 -- .../ethernet/mellanox/mlxsw/spectrum_acl_tcam.h | 9 +- drivers/net/ethernet/realtek/r8169_main.c | 8 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 +- .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 2 +- drivers/net/ethernet/stmicro/stmmac/hwif.h | 2 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +- drivers/net/netconsole.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/usb/sr9700.c | 11 +- drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +- drivers/net/wireless/ath/ath11k/dp_rx.h | 3 + drivers/net/wireless/ath/ath11k/mac.c | 15 +- .../broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 18 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 + drivers/net/wireless/virt_wifi.c | 20 ++- drivers/nvme/host/pci.c | 99 ++++++----- drivers/parport/procfs.c | 24 +-- drivers/pci/controller/dwc/pcie-designware-host.c | 7 +- drivers/pci/controller/dwc/pcie-dw-rockchip.c | 2 +- drivers/pci/controller/pci-hyperv.c | 4 +- drivers/pci/controller/pcie-rockchip.c | 2 +- drivers/pci/endpoint/functions/pci-epf-vntb.c | 12 +- drivers/pci/pci.c | 19 ++- drivers/pci/setup-bus.c | 6 +- drivers/phy/cadence/phy-cadence-torrent.c | 3 + drivers/pinctrl/core.c | 12 +- drivers/pinctrl/freescale/pinctrl-mxs.c | 4 +- drivers/pinctrl/pinctrl-rockchip.c | 17 +- drivers/pinctrl/pinctrl-single.c | 7 +- drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 14 +- drivers/platform/chrome/cros_ec_debugfs.c | 1 + drivers/platform/chrome/cros_ec_proto.c | 2 + drivers/platform/mips/cpu_hwmon.c | 3 + drivers/power/supply/axp288_charger.c | 24 +-- drivers/power/supply/bq24190_charger.c | 2 +- drivers/pwm/pwm-stm32.c | 5 +- drivers/remoteproc/imx_rproc.c | 10 +- drivers/remoteproc/stm32_rproc.c | 2 +- drivers/rtc/interface.c | 9 +- drivers/rtc/rtc-cmos.c | 10 +- drivers/rtc/rtc-isl1208.c | 11 +- drivers/s390/block/dasd_devmap.c | 10 +- drivers/s390/char/sclp_sd.c | 10 +- drivers/scsi/mpi3mr/mpi3mr_os.c | 11 ++ drivers/scsi/mpt3sas/mpt3sas_base.c | 20 ++- drivers/scsi/qla2xxx/qla_bsg.c | 98 ++++++----- drivers/scsi/qla2xxx/qla_def.h | 3 + drivers/scsi/qla2xxx/qla_gs.c | 35 +++- drivers/scsi/qla2xxx/qla_init.c | 87 ++++++++-- drivers/scsi/qla2xxx/qla_inline.h | 8 + drivers/scsi/qla2xxx/qla_mid.c | 2 +- drivers/scsi/qla2xxx/qla_nvme.c | 5 +- drivers/scsi/qla2xxx/qla_os.c | 7 +- drivers/scsi/qla2xxx/qla_sup.c | 108 ++++++++---- drivers/scsi/ufs/ufshcd.c | 11 +- drivers/soc/qcom/pdr_interface.c | 8 +- drivers/soc/qcom/rpmh-rsc.c | 7 +- drivers/soc/qcom/rpmh.c | 1 - drivers/soc/xilinx/zynqmp_pm_domains.c | 16 ++ drivers/soc/xilinx/zynqmp_power.c | 5 +- drivers/spi/spi-fsl-lpspi.c | 6 +- drivers/spi/spidev.c | 95 +++++------ drivers/tty/serial/serial_core.c | 8 + drivers/usb/gadget/function/u_audio.c | 42 ++++- drivers/usb/gadget/function/u_serial.c | 1 + drivers/usb/gadget/udc/core.c | 10 +- drivers/usb/serial/usb_debug.c | 7 + drivers/usb/usbip/vhci_hcd.c | 9 +- drivers/vhost/vdpa.c | 8 +- drivers/vhost/vsock.c | 4 +- fs/binfmt_flat.c | 4 +- fs/btrfs/ctree.h | 1 + fs/btrfs/file.c | 60 +++++-- fs/btrfs/free-space-cache.c | 1 + fs/ceph/super.c | 3 +- fs/exec.c | 8 +- fs/ext2/balloc.c | 11 +- fs/ext4/extents.c | 5 +- fs/ext4/extents_status.c | 16 +- fs/ext4/extents_status.h | 6 +- fs/ext4/fast_commit.c | 65 +++++-- fs/ext4/inline.c | 6 +- fs/ext4/inode.c | 115 +++++++------ fs/ext4/mballoc.c | 3 +- fs/ext4/namei.c | 88 +++++++--- fs/ext4/xattr.c | 6 + fs/f2fs/inline.c | 6 +- fs/f2fs/inode.c | 3 + fs/file.c | 1 + fs/fuse/inode.c | 24 ++- fs/hfs/inode.c | 3 + fs/hfsplus/bfind.c | 15 +- fs/hfsplus/extents.c | 9 +- fs/hfsplus/hfsplus_fs.h | 21 +++ fs/jbd2/commit.c | 2 +- fs/jbd2/journal.c | 6 + fs/jfs/jfs_imap.c | 5 +- fs/nfs/nfs4client.c | 6 +- fs/nfs/nfs4proc.c | 2 +- fs/nilfs2/btnode.c | 25 ++- fs/nilfs2/btree.c | 4 +- fs/nilfs2/segment.c | 2 +- fs/ntfs3/attrib.c | 14 +- fs/ntfs3/bitmap.c | 2 +- fs/ntfs3/dir.c | 3 +- fs/ntfs3/file.c | 5 +- fs/ntfs3/frecord.c | 2 +- fs/ntfs3/fslog.c | 5 +- fs/ntfs3/fsntfs.c | 2 +- fs/ntfs3/index.c | 4 +- fs/ntfs3/inode.c | 2 +- fs/ntfs3/ntfs.h | 13 +- fs/ntfs3/ntfs_fs.h | 2 + fs/proc/proc_sysctl.c | 6 +- fs/proc/task_mmu.c | 2 + fs/super.c | 11 ++ fs/udf/balloc.c | 51 +++--- fs/udf/super.c | 3 +- fs/xfs/xfs_log_recover.c | 20 ++- include/asm-generic/vmlinux.lds.h | 2 +- include/linux/clocksource.h | 14 +- include/linux/hugetlb.h | 1 + include/linux/irq.h | 7 +- include/linux/irqdomain.h | 10 ++ include/linux/jbd2.h | 5 - include/linux/leds.h | 32 ++-- include/linux/objagg.h | 1 - include/linux/pci_ids.h | 2 + include/linux/perf_event.h | 1 + include/linux/profile.h | 1 - include/linux/sched/signal.h | 6 + include/linux/task_work.h | 3 +- include/linux/trace_events.h | 1 - include/linux/virtio_net.h | 11 ++ include/net/netfilter/nf_tables.h | 20 ++- include/net/sctp/sctp.h | 4 +- include/net/sctp/structs.h | 8 +- include/net/tcp.h | 1 + include/trace/events/mptcp.h | 2 +- include/trace/events/rpcgss.h | 2 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- include/uapi/linux/zorro_ids.h | 3 + io_uring/io-wq.c | 10 +- io_uring/io_uring.c | 5 +- kernel/bpf/btf.c | 10 +- kernel/debug/kdb/kdb_io.c | 6 +- kernel/dma/mapping.c | 2 +- kernel/events/core.c | 77 ++++++--- kernel/events/internal.h | 2 +- kernel/events/ring_buffer.c | 4 +- kernel/irq/chip.c | 32 ++-- kernel/irq/irqdesc.c | 1 + kernel/irq/irqdomain.c | 7 +- kernel/irq/manage.c | 2 +- kernel/kcov.c | 15 +- kernel/kprobes.c | 4 +- kernel/locking/rwsem.c | 6 +- kernel/padata.c | 7 + kernel/profile.c | 16 +- kernel/rcu/rcutorture.c | 2 +- kernel/sched/core.c | 50 +++--- kernel/sched/cputime.c | 6 + kernel/sched/fair.c | 19 +-- kernel/sched/sched.h | 2 +- kernel/signal.c | 8 + kernel/task_work.c | 34 +++- kernel/time/clocksource-wdtest.c | 13 +- kernel/time/clocksource.c | 10 +- kernel/time/ntp.c | 9 +- kernel/time/tick-broadcast.c | 24 +++ kernel/time/timekeeping.c | 2 +- kernel/trace/tracing_map.c | 6 +- kernel/watchdog_hld.c | 11 +- lib/decompress_bunzip2.c | 3 +- lib/kobject_uevent.c | 17 +- lib/objagg.c | 18 +- mm/hugetlb.c | 2 +- mm/mempolicy.c | 18 +- mm/mmap_lock.c | 175 +++---------------- net/bluetooth/l2cap_core.c | 1 + net/bridge/br_multicast.c | 4 +- net/core/filter.c | 15 +- net/core/link_watch.c | 4 +- net/core/rtnetlink.c | 65 +++---- net/core/xdp.c | 4 +- net/ipv4/esp4.c | 3 +- net/ipv4/netfilter/iptable_nat.c | 18 +- net/ipv4/nexthop.c | 7 +- net/ipv4/route.c | 2 +- net/ipv4/tcp.c | 13 +- net/ipv4/tcp_input.c | 34 ++-- net/ipv4/tcp_ipv4.c | 19 +-- net/ipv4/tcp_output.c | 2 +- net/ipv4/tcp_timer.c | 10 +- net/ipv6/addrconf.c | 3 +- net/ipv6/esp6.c | 3 +- net/ipv6/ndisc.c | 34 ++-- net/ipv6/netfilter/ip6table_nat.c | 14 +- net/ipv6/tcp_ipv6.c | 19 +-- net/iucv/af_iucv.c | 4 +- net/l2tp/l2tp_core.c | 15 +- net/mac80211/cfg.c | 21 +-- net/mptcp/mib.c | 2 + net/mptcp/mib.h | 2 + net/mptcp/options.c | 5 +- net/mptcp/pm.c | 9 + net/mptcp/pm_netlink.c | 48 ++++-- net/mptcp/protocol.c | 18 +- net/mptcp/protocol.h | 4 + net/mptcp/subflow.c | 24 ++- net/netfilter/ipset/ip_set_list_set.c | 3 + net/netfilter/ipvs/ip_vs_proto_sctp.c | 4 +- net/netfilter/nf_conntrack_netlink.c | 3 +- net/netfilter/nf_tables_api.c | 188 ++++----------------- net/netfilter/nft_connlimit.c | 4 +- net/netfilter/nft_counter.c | 4 +- net/netfilter/nft_dynset.c | 2 +- net/netfilter/nft_last.c | 4 +- net/netfilter/nft_limit.c | 14 +- net/netfilter/nft_quota.c | 4 +- net/netfilter/nft_set_hash.c | 8 +- net/netfilter/nft_set_pipapo.c | 40 +++-- net/netfilter/nft_set_pipapo.h | 27 ++- net/netfilter/nft_set_pipapo_avx2.c | 81 +++++---- net/netfilter/nft_set_rbtree.c | 6 +- net/packet/af_packet.c | 86 +++++++++- net/sched/act_ct.c | 4 +- net/sctp/input.c | 48 +++--- net/sctp/proc.c | 10 +- net/sctp/socket.c | 6 +- net/smc/smc_core.c | 5 +- net/sunrpc/auth_gss/gss_krb5_keys.c | 2 +- net/sunrpc/clnt.c | 3 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/frwr_ops.c | 3 +- net/sunrpc/xprtrdma/verbs.c | 16 +- net/tipc/udp_media.c | 5 +- net/tls/tls_sw.c | 16 +- net/wireless/nl80211.c | 16 +- net/wireless/util.c | 8 +- scripts/gcc-x86_32-has-stack-protector.sh | 2 +- scripts/gcc-x86_64-has-stack-protector.sh | 2 +- security/apparmor/lsm.c | 7 + security/apparmor/policy.c | 2 +- security/apparmor/policy_unpack.c | 1 + security/keys/keyctl.c | 2 +- security/landlock/cred.c | 11 +- sound/firewire/amdtp-stream.c | 38 +++-- sound/firewire/amdtp-stream.h | 1 + sound/pci/hda/patch_conexant.c | 54 +----- sound/pci/hda/patch_hdmi.c | 2 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/max98088.c | 10 +- sound/soc/codecs/wcd938x-sdw.c | 4 +- sound/soc/codecs/wsa881x.c | 2 +- sound/soc/intel/common/soc-intel-quirks.h | 2 +- sound/soc/meson/axg-fifo.c | 26 ++- sound/soc/pxa/spitz.c | 58 +++---- sound/usb/line6/driver.c | 5 + sound/usb/mixer.c | 7 + sound/usb/quirks-table.h | 4 + sound/usb/quirks.c | 4 + sound/usb/stream.c | 4 +- tools/lib/bpf/btf_dump.c | 8 +- tools/lib/bpf/linker.c | 11 +- tools/memory-model/lock.cat | 20 +-- tools/perf/arch/x86/util/intel-pt.c | 15 +- tools/perf/util/sort.c | 2 +- .../testing/selftests/bpf/prog_tests/send_signal.c | 3 +- tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 2 +- .../bpf/progs/btf_dump_test_case_multidim.c | 4 +- .../bpf/progs/btf_dump_test_case_syntax.c | 4 +- tools/testing/selftests/bpf/test_sockmap.c | 9 +- .../drivers/net/mlxsw/spectrum-2/tc_flower.sh | 55 +++++- tools/testing/selftests/landlock/base_test.c | 74 ++++++++ tools/testing/selftests/landlock/config | 5 +- .../selftests/net/forwarding/devlink_lib.sh | 2 + tools/testing/selftests/net/mptcp/mptcp_join.sh | 41 ++++- tools/testing/selftests/rcutorture/bin/torture.sh | 6 +- .../selftests/sigaltstack/current_stack_pointer.h | 2 +- 463 files changed, 4085 insertions(+), 2385 deletions(-)

8 months, 1 week

7
8
0 0

FAILED: patch "[PATCH] video/aperture: optionally match the device in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b49420d6a1aeb399e5b107fc6eb8584d0860fbd7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083019-grumble-fading-91fb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: b49420d6a1ae ("video/aperture: optionally match the device in sysfb_disable()") 4e754597d603 ("firmware/sysfb: Create firmware device only for enabled PCI devices") 9eac534db001 ("firmware/sysfb: Set firmware-framebuffer parent device") 2bebc3cd4870 ("Revert "firmware/sysfb: Clear screen_info state after consuming it"") 38814330fedd ("Merge tag 'devicetree-for-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b49420d6a1aeb399e5b107fc6eb8584d0860fbd7 Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Wed, 21 Aug 2024 15:11:35 -0400 Subject: [PATCH] video/aperture: optionally match the device in sysfb_disable() In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the pimary device is not VGA compatible: 1. A PCI device with a non-VGA class is the boot display 2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device() 3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable() 4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device. Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not. v2: Fix build when CONFIG_SCREEN_INFO is not set v3: Move device check into the mutex Drop primary variable in aperture_remove_conflicting_pci_devices() Drop __init on pci sysfb_pci_dev_is_enabled() Fixes: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device") Cc: Javier Martinez Canillas <javierm(a)redhat.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Helge Deller <deller(a)gmx.de> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Javier Martinez Canillas <javierm(a)redhat.com> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240821191135.829765-1-alexa… diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c index 921f61507ae8..02a07d3d0d40 100644 --- a/drivers/firmware/sysfb.c +++ b/drivers/firmware/sysfb.c @@ -39,6 +39,8 @@ static struct platform_device *pd; static DEFINE_MUTEX(disable_lock); static bool disabled; +static struct device *sysfb_parent_dev(const struct screen_info *si); + static bool sysfb_unregister(void) { if (IS_ERR_OR_NULL(pd)) @@ -52,6 +54,7 @@ static bool sysfb_unregister(void) /** * sysfb_disable() - disable the Generic System Framebuffers support + * @dev: the device to check if non-NULL * * This disables the registration of system framebuffer devices that match the * generic drivers that make use of the system framebuffer set up by firmware. @@ -61,17 +64,21 @@ static bool sysfb_unregister(void) * Context: The function can sleep. A @disable_lock mutex is acquired to serialize * against sysfb_init(), that registers a system framebuffer device. */ -void sysfb_disable(void) +void sysfb_disable(struct device *dev) { + struct screen_info *si = &screen_info; + mutex_lock(&disable_lock); - sysfb_unregister(); - disabled = true; + if (!dev || dev == sysfb_parent_dev(si)) { + sysfb_unregister(); + disabled = true; + } mutex_unlock(&disable_lock); } EXPORT_SYMBOL_GPL(sysfb_disable); #if defined(CONFIG_PCI) -static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) +static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) { /* * TODO: Try to integrate this code into the PCI subsystem @@ -87,13 +94,13 @@ static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) return true; } #else -static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) +static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) { return false; } #endif -static __init struct device *sysfb_parent_dev(const struct screen_info *si) +static struct device *sysfb_parent_dev(const struct screen_info *si) { struct pci_dev *pdev; diff --git a/drivers/of/platform.c b/drivers/of/platform.c index 389d4ea6bfc1..ef622d41eb5b 100644 --- a/drivers/of/platform.c +++ b/drivers/of/platform.c @@ -592,7 +592,7 @@ static int __init of_platform_default_populate_init(void) * This can happen for example on DT systems that do EFI * booting and may provide a GOP handle to the EFI stub. */ - sysfb_disable(); + sysfb_disable(NULL); of_platform_device_create(node, NULL, NULL); of_node_put(node); } diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c index 561be8feca96..2b5a1e666e9b 100644 --- a/drivers/video/aperture.c +++ b/drivers/video/aperture.c @@ -293,7 +293,7 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si * ask for this, so let's assume that a real driver for the display * was already probed and prevent sysfb to register devices later. */ - sysfb_disable(); + sysfb_disable(NULL); aperture_detach_devices(base, size); @@ -346,15 +346,10 @@ EXPORT_SYMBOL(__aperture_remove_legacy_vga_devices); */ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *name) { - bool primary = false; resource_size_t base, size; int bar, ret = 0; - if (pdev == vga_default_device()) - primary = true; - - if (primary) - sysfb_disable(); + sysfb_disable(&pdev->dev); for (bar = 0; bar < PCI_STD_NUM_BARS; ++bar) { if (!(pci_resource_flags(pdev, bar) & IORESOURCE_MEM)) @@ -370,7 +365,7 @@ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *na * that consumes the VGA framebuffer I/O range. Remove this * device as well. */ - if (primary) + if (pdev == vga_default_device()) ret = __aperture_remove_legacy_vga_devices(pdev); return ret; diff --git a/include/linux/sysfb.h b/include/linux/sysfb.h index c9cb657dad08..bef5f06a91de 100644 --- a/include/linux/sysfb.h +++ b/include/linux/sysfb.h @@ -58,11 +58,11 @@ struct efifb_dmi_info { #ifdef CONFIG_SYSFB -void sysfb_disable(void); +void sysfb_disable(struct device *dev); #else /* CONFIG_SYSFB */ -static inline void sysfb_disable(void) +static inline void sysfb_disable(struct device *dev) { }

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] video/aperture: optionally match the device in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b49420d6a1aeb399e5b107fc6eb8584d0860fbd7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083018-silent-capped-83df@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: b49420d6a1ae ("video/aperture: optionally match the device in sysfb_disable()") 4e754597d603 ("firmware/sysfb: Create firmware device only for enabled PCI devices") 9eac534db001 ("firmware/sysfb: Set firmware-framebuffer parent device") 2bebc3cd4870 ("Revert "firmware/sysfb: Clear screen_info state after consuming it"") 38814330fedd ("Merge tag 'devicetree-for-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b49420d6a1aeb399e5b107fc6eb8584d0860fbd7 Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Wed, 21 Aug 2024 15:11:35 -0400 Subject: [PATCH] video/aperture: optionally match the device in sysfb_disable() In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the pimary device is not VGA compatible: 1. A PCI device with a non-VGA class is the boot display 2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device() 3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable() 4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device. Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not. v2: Fix build when CONFIG_SCREEN_INFO is not set v3: Move device check into the mutex Drop primary variable in aperture_remove_conflicting_pci_devices() Drop __init on pci sysfb_pci_dev_is_enabled() Fixes: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device") Cc: Javier Martinez Canillas <javierm(a)redhat.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Helge Deller <deller(a)gmx.de> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Javier Martinez Canillas <javierm(a)redhat.com> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240821191135.829765-1-alexa… diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c index 921f61507ae8..02a07d3d0d40 100644 --- a/drivers/firmware/sysfb.c +++ b/drivers/firmware/sysfb.c @@ -39,6 +39,8 @@ static struct platform_device *pd; static DEFINE_MUTEX(disable_lock); static bool disabled; +static struct device *sysfb_parent_dev(const struct screen_info *si); + static bool sysfb_unregister(void) { if (IS_ERR_OR_NULL(pd)) @@ -52,6 +54,7 @@ static bool sysfb_unregister(void) /** * sysfb_disable() - disable the Generic System Framebuffers support + * @dev: the device to check if non-NULL * * This disables the registration of system framebuffer devices that match the * generic drivers that make use of the system framebuffer set up by firmware. @@ -61,17 +64,21 @@ static bool sysfb_unregister(void) * Context: The function can sleep. A @disable_lock mutex is acquired to serialize * against sysfb_init(), that registers a system framebuffer device. */ -void sysfb_disable(void) +void sysfb_disable(struct device *dev) { + struct screen_info *si = &screen_info; + mutex_lock(&disable_lock); - sysfb_unregister(); - disabled = true; + if (!dev || dev == sysfb_parent_dev(si)) { + sysfb_unregister(); + disabled = true; + } mutex_unlock(&disable_lock); } EXPORT_SYMBOL_GPL(sysfb_disable); #if defined(CONFIG_PCI) -static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) +static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) { /* * TODO: Try to integrate this code into the PCI subsystem @@ -87,13 +94,13 @@ static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) return true; } #else -static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) +static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) { return false; } #endif -static __init struct device *sysfb_parent_dev(const struct screen_info *si) +static struct device *sysfb_parent_dev(const struct screen_info *si) { struct pci_dev *pdev; diff --git a/drivers/of/platform.c b/drivers/of/platform.c index 389d4ea6bfc1..ef622d41eb5b 100644 --- a/drivers/of/platform.c +++ b/drivers/of/platform.c @@ -592,7 +592,7 @@ static int __init of_platform_default_populate_init(void) * This can happen for example on DT systems that do EFI * booting and may provide a GOP handle to the EFI stub. */ - sysfb_disable(); + sysfb_disable(NULL); of_platform_device_create(node, NULL, NULL); of_node_put(node); } diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c index 561be8feca96..2b5a1e666e9b 100644 --- a/drivers/video/aperture.c +++ b/drivers/video/aperture.c @@ -293,7 +293,7 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si * ask for this, so let's assume that a real driver for the display * was already probed and prevent sysfb to register devices later. */ - sysfb_disable(); + sysfb_disable(NULL); aperture_detach_devices(base, size); @@ -346,15 +346,10 @@ EXPORT_SYMBOL(__aperture_remove_legacy_vga_devices); */ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *name) { - bool primary = false; resource_size_t base, size; int bar, ret = 0; - if (pdev == vga_default_device()) - primary = true; - - if (primary) - sysfb_disable(); + sysfb_disable(&pdev->dev); for (bar = 0; bar < PCI_STD_NUM_BARS; ++bar) { if (!(pci_resource_flags(pdev, bar) & IORESOURCE_MEM)) @@ -370,7 +365,7 @@ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *na * that consumes the VGA framebuffer I/O range. Remove this * device as well. */ - if (primary) + if (pdev == vga_default_device()) ret = __aperture_remove_legacy_vga_devices(pdev); return ret; diff --git a/include/linux/sysfb.h b/include/linux/sysfb.h index c9cb657dad08..bef5f06a91de 100644 --- a/include/linux/sysfb.h +++ b/include/linux/sysfb.h @@ -58,11 +58,11 @@ struct efifb_dmi_info { #ifdef CONFIG_SYSFB -void sysfb_disable(void); +void sysfb_disable(struct device *dev); #else /* CONFIG_SYSFB */ -static inline void sysfb_disable(void) +static inline void sysfb_disable(struct device *dev) { }

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/vmwgfx: Prevent unmapping active read buffers" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x aba07b9a0587f50e5d3346eaa19019cf3f86c0ea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083034-repave-fit-eff7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: aba07b9a0587 ("drm/vmwgfx: Prevent unmapping active read buffers") d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") 0208ca55aa9c ("Backmerge tag 'v6.9-rc5' into drm-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From aba07b9a0587f50e5d3346eaa19019cf3f86c0ea Mon Sep 17 00:00:00 2001 From: Zack Rusin <zack.rusin(a)broadcom.com> Date: Fri, 16 Aug 2024 14:32:05 -0400 Subject: [PATCH] drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. Fixes: 485d98d472d5 ("drm/vmwgfx: Add support for CursorMob and CursorBypass 4") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.19+ Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240816183332.31961-2-zack.r… Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com> Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c index f42ebc4a7c22..a0e433fbcba6 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c @@ -360,6 +360,8 @@ void *vmw_bo_map_and_cache_size(struct vmw_bo *vbo, size_t size) void *virtual; int ret; + atomic_inc(&vbo->map_count); + virtual = ttm_kmap_obj_virtual(&vbo->map, &not_used); if (virtual) return virtual; @@ -383,11 +385,17 @@ void *vmw_bo_map_and_cache_size(struct vmw_bo *vbo, size_t size) */ void vmw_bo_unmap(struct vmw_bo *vbo) { + int map_count; + if (vbo->map.bo == NULL) return; - ttm_bo_kunmap(&vbo->map); - vbo->map.bo = NULL; + map_count = atomic_dec_return(&vbo->map_count); + + if (!map_count) { + ttm_bo_kunmap(&vbo->map); + vbo->map.bo = NULL; + } } @@ -421,6 +429,7 @@ static int vmw_bo_init(struct vmw_private *dev_priv, vmw_bo->tbo.priority = 3; vmw_bo->res_tree = RB_ROOT; xa_init(&vmw_bo->detached_resources); + atomic_set(&vmw_bo->map_count, 0); params->size = ALIGN(params->size, PAGE_SIZE); drm_gem_private_object_init(vdev, &vmw_bo->tbo.base, params->size); diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h index 62b4342d5f7c..43b5439ec9f7 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h @@ -71,6 +71,8 @@ struct vmw_bo_params { * @map: Kmap object for semi-persistent mappings * @res_tree: RB tree of resources using this buffer object as a backing MOB * @res_prios: Eviction priority counts for attached resources + * @map_count: The number of currently active maps. Will differ from the + * cpu_writers because it includes kernel maps. * @cpu_writers: Number of synccpu write grabs. Protected by reservation when * increased. May be decreased without reservation. * @dx_query_ctx: DX context if this buffer object is used as a DX query MOB @@ -90,6 +92,7 @@ struct vmw_bo { u32 res_prios[TTM_MAX_BO_PRIORITY]; struct xarray detached_resources; + atomic_t map_count; atomic_t cpu_writers; /* Not ref-counted. Protected by binding_mutex */ struct vmw_resource *dx_query_ctx;

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/vmwgfx: Prevent unmapping active read buffers" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x aba07b9a0587f50e5d3346eaa19019cf3f86c0ea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083033-refurnish-cartel-4b09@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: aba07b9a0587 ("drm/vmwgfx: Prevent unmapping active read buffers") d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") 0208ca55aa9c ("Backmerge tag 'v6.9-rc5' into drm-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From aba07b9a0587f50e5d3346eaa19019cf3f86c0ea Mon Sep 17 00:00:00 2001 From: Zack Rusin <zack.rusin(a)broadcom.com> Date: Fri, 16 Aug 2024 14:32:05 -0400 Subject: [PATCH] drm/vmwgfx: Prevent unmapping active read buffers The kms paths keep a persistent map active to read and compare the cursor buffer. These maps can race with each other in simple scenario where: a) buffer "a" mapped for update b) buffer "a" mapped for compare c) do the compare d) unmap "a" for compare e) update the cursor f) unmap "a" for update At step "e" the buffer has been unmapped and the read contents is bogus. Prevent unmapping of active read buffers by simply keeping a count of how many paths have currently active maps and unmap only when the count reaches 0. Fixes: 485d98d472d5 ("drm/vmwgfx: Add support for CursorMob and CursorBypass 4") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.19+ Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240816183332.31961-2-zack.r… Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com> Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c index f42ebc4a7c22..a0e433fbcba6 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c @@ -360,6 +360,8 @@ void *vmw_bo_map_and_cache_size(struct vmw_bo *vbo, size_t size) void *virtual; int ret; + atomic_inc(&vbo->map_count); + virtual = ttm_kmap_obj_virtual(&vbo->map, &not_used); if (virtual) return virtual; @@ -383,11 +385,17 @@ void *vmw_bo_map_and_cache_size(struct vmw_bo *vbo, size_t size) */ void vmw_bo_unmap(struct vmw_bo *vbo) { + int map_count; + if (vbo->map.bo == NULL) return; - ttm_bo_kunmap(&vbo->map); - vbo->map.bo = NULL; + map_count = atomic_dec_return(&vbo->map_count); + + if (!map_count) { + ttm_bo_kunmap(&vbo->map); + vbo->map.bo = NULL; + } } @@ -421,6 +429,7 @@ static int vmw_bo_init(struct vmw_private *dev_priv, vmw_bo->tbo.priority = 3; vmw_bo->res_tree = RB_ROOT; xa_init(&vmw_bo->detached_resources); + atomic_set(&vmw_bo->map_count, 0); params->size = ALIGN(params->size, PAGE_SIZE); drm_gem_private_object_init(vdev, &vmw_bo->tbo.base, params->size); diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h index 62b4342d5f7c..43b5439ec9f7 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h @@ -71,6 +71,8 @@ struct vmw_bo_params { * @map: Kmap object for semi-persistent mappings * @res_tree: RB tree of resources using this buffer object as a backing MOB * @res_prios: Eviction priority counts for attached resources + * @map_count: The number of currently active maps. Will differ from the + * cpu_writers because it includes kernel maps. * @cpu_writers: Number of synccpu write grabs. Protected by reservation when * increased. May be decreased without reservation. * @dx_query_ctx: DX context if this buffer object is used as a DX query MOB @@ -90,6 +92,7 @@ struct vmw_bo { u32 res_prios[TTM_MAX_BO_PRIORITY]; struct xarray detached_resources; + atomic_t map_count; atomic_t cpu_writers; /* Not ref-counted. Protected by binding_mutex */ struct vmw_resource *dx_query_ctx;

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/i915/dp_mst: Fix MST state after a sink reset" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a2ccc33b88e2953a6bf0b309e7e8849cc5320018 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083052-definite-customs-8a5e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: a2ccc33b88e2 ("drm/i915/dp_mst: Fix MST state after a sink reset") e37137380931 ("drm/i915/dp_mst: Force modeset CRTC if DSC toggling requires it") 326b1e792ff0 ("drm/i915/dp_mst: Add the MST topology state for modesetted CRTCs") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2ccc33b88e2953a6bf0b309e7e8849cc5320018 Mon Sep 17 00:00:00 2001 From: Imre Deak <imre.deak(a)intel.com> Date: Fri, 23 Aug 2024 19:29:18 +0300 Subject: [PATCH] drm/i915/dp_mst: Fix MST state after a sink reset In some cases the sink can reset itself after it was configured into MST mode, without the driver noticing the disconnected state. For instance the reset may happen in the middle of a modeset, or the (long) HPD pulse generated may be not long enough for the encoder detect handler to observe the HPD's deasserted state. In this case the sink's DPCD register programmed to enable MST will be reset, while the driver still assumes MST is still enabled. Detect this condition, which will tear down and recreate/re-enable the MST topology. v2: - Add a code comment about adjusting the expected DP_MSTM_CTRL register value for SST + SideBand. (Suraj, Jani) - Print a debug message about detecting the link reset. (Jani) - Verify the DPCD MST state only if it wasn't already determined that the sink is disconnected. Cc: stable(a)vger.kernel.org Cc: Jani Nikula <jani.nikula(a)intel.com> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11195 Reviewed-by: Suraj Kandpal <suraj.kandpal(a)intel.com> (v1) Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240823162918.1211875-1-imre… (cherry picked from commit 594cf78dc36f31c0c7e0de4567e644f406d46bae) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index 59f11af3b0a1..dc75a929d3ed 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -5935,6 +5935,18 @@ intel_dp_detect(struct drm_connector *connector, else status = connector_status_disconnected; + if (status != connector_status_disconnected && + !intel_dp_mst_verify_dpcd_state(intel_dp)) + /* + * This requires retrying detection for instance to re-enable + * the MST mode that got reset via a long HPD pulse. The retry + * will happen either via the hotplug handler's retry logic, + * ensured by setting the connector here to SST/disconnected, + * or via a userspace connector probing in response to the + * hotplug uevent sent when removing the MST connectors. + */ + status = connector_status_disconnected; + if (status == connector_status_disconnected) { memset(&intel_dp->compliance, 0, sizeof(intel_dp->compliance)); memset(intel_connector->dp.dsc_dpcd, 0, sizeof(intel_connector->dp.dsc_dpcd)); diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.c b/drivers/gpu/drm/i915/display/intel_dp_mst.c index 27ce5c3f5951..17978a1f9ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.c +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.c @@ -1998,3 +1998,43 @@ bool intel_dp_mst_crtc_needs_modeset(struct intel_atomic_state *state, return false; } + +/* + * intel_dp_mst_verify_dpcd_state - verify the MST SW enabled state wrt. the DPCD + * @intel_dp: DP port object + * + * Verify if @intel_dp's MST enabled SW state matches the corresponding DPCD + * state. A long HPD pulse - not long enough to be detected as a disconnected + * state - could've reset the DPCD state, which requires tearing + * down/recreating the MST topology. + * + * Returns %true if the SW MST enabled and DPCD states match, %false + * otherwise. + */ +bool intel_dp_mst_verify_dpcd_state(struct intel_dp *intel_dp) +{ + struct intel_display *display = to_intel_display(intel_dp); + struct intel_connector *connector = intel_dp->attached_connector; + struct intel_digital_port *dig_port = dp_to_dig_port(intel_dp); + struct intel_encoder *encoder = &dig_port->base; + int ret; + u8 val; + + if (!intel_dp->is_mst) + return true; + + ret = drm_dp_dpcd_readb(intel_dp->mst_mgr.aux, DP_MSTM_CTRL, &val); + + /* Adjust the expected register value for SST + SideBand. */ + if (ret < 0 || val != (DP_MST_EN | DP_UP_REQ_EN | DP_UPSTREAM_IS_SRC)) { + drm_dbg_kms(display->drm, + "[CONNECTOR:%d:%s][ENCODER:%d:%s] MST mode got reset, removing topology (ret=%d, ctrl=0x%02x)\n", + connector->base.base.id, connector->base.name, + encoder->base.base.id, encoder->base.name, + ret, val); + + return false; + } + + return true; +} diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.h b/drivers/gpu/drm/i915/display/intel_dp_mst.h index 8ca1d599091c..9e4c7679f1c3 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.h +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.h @@ -27,5 +27,6 @@ int intel_dp_mst_atomic_check_link(struct intel_atomic_state *state, struct intel_link_bw_limits *limits); bool intel_dp_mst_crtc_needs_modeset(struct intel_atomic_state *state, struct intel_crtc *crtc); +bool intel_dp_mst_verify_dpcd_state(struct intel_dp *intel_dp); #endif /* __INTEL_DP_MST_H__ */

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/i915/dp_mst: Fix MST state after a sink reset" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a2ccc33b88e2953a6bf0b309e7e8849cc5320018 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083051-camisole-self-47bb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: a2ccc33b88e2 ("drm/i915/dp_mst: Fix MST state after a sink reset") e37137380931 ("drm/i915/dp_mst: Force modeset CRTC if DSC toggling requires it") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2ccc33b88e2953a6bf0b309e7e8849cc5320018 Mon Sep 17 00:00:00 2001 From: Imre Deak <imre.deak(a)intel.com> Date: Fri, 23 Aug 2024 19:29:18 +0300 Subject: [PATCH] drm/i915/dp_mst: Fix MST state after a sink reset In some cases the sink can reset itself after it was configured into MST mode, without the driver noticing the disconnected state. For instance the reset may happen in the middle of a modeset, or the (long) HPD pulse generated may be not long enough for the encoder detect handler to observe the HPD's deasserted state. In this case the sink's DPCD register programmed to enable MST will be reset, while the driver still assumes MST is still enabled. Detect this condition, which will tear down and recreate/re-enable the MST topology. v2: - Add a code comment about adjusting the expected DP_MSTM_CTRL register value for SST + SideBand. (Suraj, Jani) - Print a debug message about detecting the link reset. (Jani) - Verify the DPCD MST state only if it wasn't already determined that the sink is disconnected. Cc: stable(a)vger.kernel.org Cc: Jani Nikula <jani.nikula(a)intel.com> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11195 Reviewed-by: Suraj Kandpal <suraj.kandpal(a)intel.com> (v1) Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240823162918.1211875-1-imre… (cherry picked from commit 594cf78dc36f31c0c7e0de4567e644f406d46bae) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index 59f11af3b0a1..dc75a929d3ed 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -5935,6 +5935,18 @@ intel_dp_detect(struct drm_connector *connector, else status = connector_status_disconnected; + if (status != connector_status_disconnected && + !intel_dp_mst_verify_dpcd_state(intel_dp)) + /* + * This requires retrying detection for instance to re-enable + * the MST mode that got reset via a long HPD pulse. The retry + * will happen either via the hotplug handler's retry logic, + * ensured by setting the connector here to SST/disconnected, + * or via a userspace connector probing in response to the + * hotplug uevent sent when removing the MST connectors. + */ + status = connector_status_disconnected; + if (status == connector_status_disconnected) { memset(&intel_dp->compliance, 0, sizeof(intel_dp->compliance)); memset(intel_connector->dp.dsc_dpcd, 0, sizeof(intel_connector->dp.dsc_dpcd)); diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.c b/drivers/gpu/drm/i915/display/intel_dp_mst.c index 27ce5c3f5951..17978a1f9ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.c +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.c @@ -1998,3 +1998,43 @@ bool intel_dp_mst_crtc_needs_modeset(struct intel_atomic_state *state, return false; } + +/* + * intel_dp_mst_verify_dpcd_state - verify the MST SW enabled state wrt. the DPCD + * @intel_dp: DP port object + * + * Verify if @intel_dp's MST enabled SW state matches the corresponding DPCD + * state. A long HPD pulse - not long enough to be detected as a disconnected + * state - could've reset the DPCD state, which requires tearing + * down/recreating the MST topology. + * + * Returns %true if the SW MST enabled and DPCD states match, %false + * otherwise. + */ +bool intel_dp_mst_verify_dpcd_state(struct intel_dp *intel_dp) +{ + struct intel_display *display = to_intel_display(intel_dp); + struct intel_connector *connector = intel_dp->attached_connector; + struct intel_digital_port *dig_port = dp_to_dig_port(intel_dp); + struct intel_encoder *encoder = &dig_port->base; + int ret; + u8 val; + + if (!intel_dp->is_mst) + return true; + + ret = drm_dp_dpcd_readb(intel_dp->mst_mgr.aux, DP_MSTM_CTRL, &val); + + /* Adjust the expected register value for SST + SideBand. */ + if (ret < 0 || val != (DP_MST_EN | DP_UP_REQ_EN | DP_UPSTREAM_IS_SRC)) { + drm_dbg_kms(display->drm, + "[CONNECTOR:%d:%s][ENCODER:%d:%s] MST mode got reset, removing topology (ret=%d, ctrl=0x%02x)\n", + connector->base.base.id, connector->base.name, + encoder->base.base.id, encoder->base.name, + ret, val); + + return false; + } + + return true; +} diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.h b/drivers/gpu/drm/i915/display/intel_dp_mst.h index 8ca1d599091c..9e4c7679f1c3 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.h +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.h @@ -27,5 +27,6 @@ int intel_dp_mst_atomic_check_link(struct intel_atomic_state *state, struct intel_link_bw_limits *limits); bool intel_dp_mst_crtc_needs_modeset(struct intel_atomic_state *state, struct intel_crtc *crtc); +bool intel_dp_mst_verify_dpcd_state(struct intel_dp *intel_dp); #endif /* __INTEL_DP_MST_H__ */

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: check re-re-adding ID 0 signal" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f18fa2abf81099d822d842a107f8c9889c86043c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083032-bodacious-swifter-6f19@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: f18fa2abf810 ("selftests: mptcp: join: check re-re-adding ID 0 signal") 20ccc7c5f7a3 ("selftests: mptcp: join: validate event numbers") d397d7246c11 ("selftests: mptcp: join: check re-re-adding ID 0 endp") 1c2326fcae4f ("selftests: mptcp: join: check re-adding init endp with != id") 5f94b08c0012 ("selftests: mptcp: join: check removing ID 0 endpoint") 65fb58afa341 ("selftests: mptcp: join: check re-using ID of closed subflow") a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") 40061817d95b ("selftests: mptcp: join: fix dev in check_endpoint") 23a0485d1c04 ("selftests: mptcp: declare event macros in mptcp_lib") 35bc143a8514 ("selftests: mptcp: add mptcp_lib_events helper") 3a0f9bed3c28 ("selftests: mptcp: add mptcp_lib_ns_init/exit helpers") 3fb8c33ef4b9 ("selftests: mptcp: add mptcp_lib_check_tools helper") 7c2eac649054 ("selftests: mptcp: stop forcing iptables-legacy") 4cc5cc7ca052 ("selftests: mptcp: userspace pm get addr tests") 38f027fca1b7 ("selftests: mptcp: dump userspace addrs list") 2d0c1d27ea4e ("selftests: mptcp: add mptcp_lib_check_output helper") 9480f388a2ef ("selftests: mptcp: join: add ss mptcp support check") 7092dbee2328 ("selftests: mptcp: rm subflow with v4/v4mapped addr") 04b57c9e096a ("selftests: mptcp: join: stop transfer when check is done (part 2)") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f18fa2abf81099d822d842a107f8c9889c86043c Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:38 +0200 Subject: [PATCH] selftests: mptcp: join: check re-re-adding ID 0 signal This test extends "delete re-add signal" to validate the previous commit: when the 'signal' endpoint linked to the initial subflow (ID 0) is re-added multiple times, it will re-send the ADD_ADDR with id 0. The client should still be able to re-create this subflow, even if the add_addr_accepted limit has been reached as this special address is not considered as a new address. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index a8ea0fe200fb..a4762c49a878 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3688,7 +3688,7 @@ endpoint_tests() # broadcast IP: no packet for this address will be received on ns1 pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal - test_linkfail=4 speed=20 \ + test_linkfail=4 speed=5 \ run_tests $ns1 $ns2 10.0.1.1 & local tests_pid=$! @@ -3717,7 +3717,17 @@ endpoint_tests() pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal wait_mpj $ns2 - chk_subflow_nr "after re-add" 3 + chk_subflow_nr "after re-add ID 0" 3 + chk_mptcp_info subflows 3 subflows 3 + + pm_nl_del_endpoint $ns1 99 10.0.1.1 + sleep 0.5 + chk_subflow_nr "after re-delete ID 0" 2 + chk_mptcp_info subflows 2 subflows 2 + + pm_nl_add_endpoint $ns1 10.0.1.1 id 88 flags signal + wait_mpj $ns2 + chk_subflow_nr "after re-re-add ID 0" 3 chk_mptcp_info subflows 3 subflows 3 mptcp_lib_kill_wait $tests_pid @@ -3727,19 +3737,19 @@ endpoint_tests() chk_evt_nr ns1 MPTCP_LIB_EVENT_ESTABLISHED 1 chk_evt_nr ns1 MPTCP_LIB_EVENT_ANNOUNCED 0 chk_evt_nr ns1 MPTCP_LIB_EVENT_REMOVED 0 - chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_ESTABLISHED 4 - chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_CLOSED 2 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_ESTABLISHED 5 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_CLOSED 3 chk_evt_nr ns2 MPTCP_LIB_EVENT_CREATED 1 chk_evt_nr ns2 MPTCP_LIB_EVENT_ESTABLISHED 1 - chk_evt_nr ns2 MPTCP_LIB_EVENT_ANNOUNCED 5 - chk_evt_nr ns2 MPTCP_LIB_EVENT_REMOVED 3 - chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_ESTABLISHED 4 - chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 + chk_evt_nr ns2 MPTCP_LIB_EVENT_ANNOUNCED 6 + chk_evt_nr ns2 MPTCP_LIB_EVENT_REMOVED 4 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_ESTABLISHED 5 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 3 - chk_join_nr 4 4 4 - chk_add_nr 5 5 - chk_rm_nr 3 2 invert + chk_join_nr 5 5 5 + chk_add_nr 6 6 + chk_rm_nr 4 3 invert fi # flush and re-add

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: check re-re-adding ID 0 signal" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x f18fa2abf81099d822d842a107f8c9889c86043c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083031-stung-aversion-7783@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: f18fa2abf810 ("selftests: mptcp: join: check re-re-adding ID 0 signal") 20ccc7c5f7a3 ("selftests: mptcp: join: validate event numbers") d397d7246c11 ("selftests: mptcp: join: check re-re-adding ID 0 endp") 1c2326fcae4f ("selftests: mptcp: join: check re-adding init endp with != id") 5f94b08c0012 ("selftests: mptcp: join: check removing ID 0 endpoint") 65fb58afa341 ("selftests: mptcp: join: check re-using ID of closed subflow") a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f18fa2abf81099d822d842a107f8c9889c86043c Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:38 +0200 Subject: [PATCH] selftests: mptcp: join: check re-re-adding ID 0 signal This test extends "delete re-add signal" to validate the previous commit: when the 'signal' endpoint linked to the initial subflow (ID 0) is re-added multiple times, it will re-send the ADD_ADDR with id 0. The client should still be able to re-create this subflow, even if the add_addr_accepted limit has been reached as this special address is not considered as a new address. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index a8ea0fe200fb..a4762c49a878 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3688,7 +3688,7 @@ endpoint_tests() # broadcast IP: no packet for this address will be received on ns1 pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal - test_linkfail=4 speed=20 \ + test_linkfail=4 speed=5 \ run_tests $ns1 $ns2 10.0.1.1 & local tests_pid=$! @@ -3717,7 +3717,17 @@ endpoint_tests() pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal wait_mpj $ns2 - chk_subflow_nr "after re-add" 3 + chk_subflow_nr "after re-add ID 0" 3 + chk_mptcp_info subflows 3 subflows 3 + + pm_nl_del_endpoint $ns1 99 10.0.1.1 + sleep 0.5 + chk_subflow_nr "after re-delete ID 0" 2 + chk_mptcp_info subflows 2 subflows 2 + + pm_nl_add_endpoint $ns1 10.0.1.1 id 88 flags signal + wait_mpj $ns2 + chk_subflow_nr "after re-re-add ID 0" 3 chk_mptcp_info subflows 3 subflows 3 mptcp_lib_kill_wait $tests_pid @@ -3727,19 +3737,19 @@ endpoint_tests() chk_evt_nr ns1 MPTCP_LIB_EVENT_ESTABLISHED 1 chk_evt_nr ns1 MPTCP_LIB_EVENT_ANNOUNCED 0 chk_evt_nr ns1 MPTCP_LIB_EVENT_REMOVED 0 - chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_ESTABLISHED 4 - chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_CLOSED 2 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_ESTABLISHED 5 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_CLOSED 3 chk_evt_nr ns2 MPTCP_LIB_EVENT_CREATED 1 chk_evt_nr ns2 MPTCP_LIB_EVENT_ESTABLISHED 1 - chk_evt_nr ns2 MPTCP_LIB_EVENT_ANNOUNCED 5 - chk_evt_nr ns2 MPTCP_LIB_EVENT_REMOVED 3 - chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_ESTABLISHED 4 - chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 + chk_evt_nr ns2 MPTCP_LIB_EVENT_ANNOUNCED 6 + chk_evt_nr ns2 MPTCP_LIB_EVENT_REMOVED 4 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_ESTABLISHED 5 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 3 - chk_join_nr 4 4 4 - chk_add_nr 5 5 - chk_rm_nr 3 2 invert + chk_join_nr 5 5 5 + chk_add_nr 6 6 + chk_rm_nr 4 3 invert fi # flush and re-add

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: validate event numbers" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 20ccc7c5f7a3aa48092441a4b182f9f40418392e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083025-droop-unsightly-4120@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 20ccc7c5f7a3 ("selftests: mptcp: join: validate event numbers") d397d7246c11 ("selftests: mptcp: join: check re-re-adding ID 0 endp") 1c2326fcae4f ("selftests: mptcp: join: check re-adding init endp with != id") 5f94b08c0012 ("selftests: mptcp: join: check removing ID 0 endpoint") 65fb58afa341 ("selftests: mptcp: join: check re-using ID of closed subflow") a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 20ccc7c5f7a3aa48092441a4b182f9f40418392e Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:36 +0200 Subject: [PATCH] selftests: mptcp: join: validate event numbers This test extends "delete and re-add" and "delete re-add signal" to validate the previous commit: the number of MPTCP events are checked to make sure there are no duplicated or unexpected ones. A new helper has been introduced to easily check these events. The missing events have been added to the lib. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. Fixes: b911c97c7dc7 ("mptcp: add netlink event support") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 965b614e4b16..a8ea0fe200fb 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -420,12 +420,17 @@ reset_with_fail() fi } +start_events() +{ + mptcp_lib_events "${ns1}" "${evts_ns1}" evts_ns1_pid + mptcp_lib_events "${ns2}" "${evts_ns2}" evts_ns2_pid +} + reset_with_events() { reset "${1}" || return 1 - mptcp_lib_events "${ns1}" "${evts_ns1}" evts_ns1_pid - mptcp_lib_events "${ns2}" "${evts_ns2}" evts_ns2_pid + start_events } reset_with_tcp_filter() @@ -3333,6 +3338,36 @@ userspace_pm_chk_get_addr() fi } +# $1: ns ; $2: event type ; $3: count +chk_evt_nr() +{ + local ns=${1} + local evt_name="${2}" + local exp="${3}" + + local evts="${evts_ns1}" + local evt="${!evt_name}" + local count + + evt_name="${evt_name:16}" # without MPTCP_LIB_EVENT_ + [ "${ns}" == "ns2" ] && evts="${evts_ns2}" + + print_check "event ${ns} ${evt_name} (${exp})" + + if [[ "${evt_name}" = "LISTENER_"* ]] && + ! mptcp_lib_kallsyms_has "mptcp_event_pm_listener$"; then + print_skip "event not supported" + return + fi + + count=$(grep -cw "type:${evt}" "${evts}") + if [ "${count}" != "${exp}" ]; then + fail_test "got ${count} events, expected ${exp}" + else + print_ok + fi +} + userspace_tests() { # userspace pm type prevents add_addr @@ -3572,6 +3607,7 @@ endpoint_tests() if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT && mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then + start_events pm_nl_set_limits $ns1 0 3 pm_nl_set_limits $ns2 0 3 pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow @@ -3623,12 +3659,28 @@ endpoint_tests() mptcp_lib_kill_wait $tests_pid + kill_events_pids + chk_evt_nr ns1 MPTCP_LIB_EVENT_LISTENER_CREATED 1 + chk_evt_nr ns1 MPTCP_LIB_EVENT_CREATED 1 + chk_evt_nr ns1 MPTCP_LIB_EVENT_ESTABLISHED 1 + chk_evt_nr ns1 MPTCP_LIB_EVENT_ANNOUNCED 0 + chk_evt_nr ns1 MPTCP_LIB_EVENT_REMOVED 4 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_ESTABLISHED 6 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_CLOSED 4 + + chk_evt_nr ns2 MPTCP_LIB_EVENT_CREATED 1 + chk_evt_nr ns2 MPTCP_LIB_EVENT_ESTABLISHED 1 + chk_evt_nr ns2 MPTCP_LIB_EVENT_ANNOUNCED 0 + chk_evt_nr ns2 MPTCP_LIB_EVENT_REMOVED 0 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_ESTABLISHED 6 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 5 # one has been closed before estab + chk_join_nr 6 6 6 chk_rm_nr 4 4 fi # remove and re-add - if reset "delete re-add signal" && + if reset_with_events "delete re-add signal" && mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then pm_nl_set_limits $ns1 0 3 pm_nl_set_limits $ns2 3 3 @@ -3669,6 +3721,22 @@ endpoint_tests() chk_mptcp_info subflows 3 subflows 3 mptcp_lib_kill_wait $tests_pid + kill_events_pids + chk_evt_nr ns1 MPTCP_LIB_EVENT_LISTENER_CREATED 1 + chk_evt_nr ns1 MPTCP_LIB_EVENT_CREATED 1 + chk_evt_nr ns1 MPTCP_LIB_EVENT_ESTABLISHED 1 + chk_evt_nr ns1 MPTCP_LIB_EVENT_ANNOUNCED 0 + chk_evt_nr ns1 MPTCP_LIB_EVENT_REMOVED 0 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_ESTABLISHED 4 + chk_evt_nr ns1 MPTCP_LIB_EVENT_SUB_CLOSED 2 + + chk_evt_nr ns2 MPTCP_LIB_EVENT_CREATED 1 + chk_evt_nr ns2 MPTCP_LIB_EVENT_ESTABLISHED 1 + chk_evt_nr ns2 MPTCP_LIB_EVENT_ANNOUNCED 5 + chk_evt_nr ns2 MPTCP_LIB_EVENT_REMOVED 3 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_ESTABLISHED 4 + chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 + chk_join_nr 4 4 4 chk_add_nr 5 5 chk_rm_nr 3 2 invert diff --git a/tools/testing/selftests/net/mptcp/mptcp_lib.sh b/tools/testing/selftests/net/mptcp/mptcp_lib.sh index 438280e68434..4578a331041e 100644 --- a/tools/testing/selftests/net/mptcp/mptcp_lib.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh @@ -12,10 +12,14 @@ readonly KSFT_SKIP=4 readonly KSFT_TEST="${MPTCP_LIB_KSFT_TEST:-$(basename "${0}" .sh)}" # These variables are used in some selftests, read-only +declare -rx MPTCP_LIB_EVENT_CREATED=1 # MPTCP_EVENT_CREATED +declare -rx MPTCP_LIB_EVENT_ESTABLISHED=2 # MPTCP_EVENT_ESTABLISHED +declare -rx MPTCP_LIB_EVENT_CLOSED=3 # MPTCP_EVENT_CLOSED declare -rx MPTCP_LIB_EVENT_ANNOUNCED=6 # MPTCP_EVENT_ANNOUNCED declare -rx MPTCP_LIB_EVENT_REMOVED=7 # MPTCP_EVENT_REMOVED declare -rx MPTCP_LIB_EVENT_SUB_ESTABLISHED=10 # MPTCP_EVENT_SUB_ESTABLISHED declare -rx MPTCP_LIB_EVENT_SUB_CLOSED=11 # MPTCP_EVENT_SUB_CLOSED +declare -rx MPTCP_LIB_EVENT_SUB_PRIORITY=13 # MPTCP_EVENT_SUB_PRIORITY declare -rx MPTCP_LIB_EVENT_LISTENER_CREATED=15 # MPTCP_EVENT_LISTENER_CREATED declare -rx MPTCP_LIB_EVENT_LISTENER_CLOSED=16 # MPTCP_EVENT_LISTENER_CLOSED

8 months, 1 week

1
0
0 0

[PATCH] crypto: ccp: Properly unregister /dev/sev on sev PLATFORM_STATUS failure

by Pavan Kumar Paluri

In case of sev PLATFORM_STATUS failure, sev_get_api_version() fails resulting in sev_data field of psp_master nulled out. This later becomes a problem when unloading the ccp module because the device has not been unregistered (via misc_deregister()) before clearing the sev_data field of psp_master. As a result, on reloading the ccp module, a duplicate device issue is encountered as can be seen from the dmesg log below. on reloading ccp module via modprobe ccp Call Trace: <TASK> dump_stack_lvl+0xd7/0xf0 dump_stack+0x10/0x20 sysfs_warn_dup+0x5c/0x70 sysfs_create_dir_ns+0xbc/0xd kobject_add_internal+0xb1/0x2f0 kobject_add+0x7a/0xe0 ? srso_alias_return_thunk+0x5/0xfbef5 ? get_device_parent+0xd4/0x1e0 ? __pfx_klist_children_get+0x10/0x10 device_add+0x121/0x870 ? srso_alias_return_thunk+0x5/0xfbef5 device_create_groups_vargs+0xdc/0x100 device_create_with_groups+0x3f/0x60 misc_register+0x13b/0x1c0 sev_dev_init+0x1d4/0x290 [ccp] psp_dev_init+0x136/0x300 [ccp] sp_init+0x6f/0x80 [ccp] sp_pci_probe+0x2a6/0x310 [ccp] ? srso_alias_return_thunk+0x5/0xfbef5 local_pci_probe+0x4b/0xb0 work_for_cpu_fn+0x1a/0x30 process_one_work+0x203/0x600 worker_thread+0x19e/0x350 ? __pfx_worker_thread+0x10/0x10 kthread+0xeb/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3c/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> kobject: kobject_add_internal failed for sev with -EEXIST, don't try to register things with the same name in the same directory. ccp 0000:22:00.1: sev initialization failed ccp 0000:22:00.1: psp initialization failed ccp 0000:a2:00.1: no command queues available ccp 0000:a2:00.1: psp enabled Address this issue by unregistering the /dev/sev before clearing out sev_data in case of PLATFORM_STATUS failure. Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support") Cc: stable(a)vger.kernel.org Signed-off-by: Pavan Kumar Paluri <papaluri(a)amd.com> --- drivers/crypto/ccp/sev-dev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 9810edbb272d..5f63d2018649 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -2410,6 +2410,8 @@ void sev_pci_init(void) return; err: + sev_dev_destroy(psp_master); + psp_master->sev_data = NULL; } base-commit: b8c7cbc324dc17b9e42379b42603613580bec2d8 -- 2.34.1

8 months, 1 week

4
4
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: check re-adding init endp with != id" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1c2326fcae4f0c5de8ad0d734ced43a8e5f17dac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083018-rimmed-calamity-65c5@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 1c2326fcae4f ("selftests: mptcp: join: check re-adding init endp with != id") a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1c2326fcae4f0c5de8ad0d734ced43a8e5f17dac Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:30 +0200 Subject: [PATCH] selftests: mptcp: join: check re-adding init endp with != id The initial subflow has a special local ID: 0. It is specific per connection. When a global endpoint is deleted and re-added later, it can have a different ID, but the kernel should still use the ID 0 if it corresponds to the initial address. This test validates this behaviour: the endpoint linked to the initial subflow is removed, and re-added with a different ID. Note that removing the initial subflow will not decrement the 'subflows' counters, which corresponds to the *additional* subflows. On the other hand, when the same endpoint is re-added, it will increment this counter, as it will be seen as an additional subflow this time. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 8b4529ff15e5..75458ade32c7 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3627,11 +3627,12 @@ endpoint_tests() # remove and re-add if reset "delete re-add signal" && mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then - pm_nl_set_limits $ns1 0 2 - pm_nl_set_limits $ns2 2 2 + pm_nl_set_limits $ns1 0 3 + pm_nl_set_limits $ns2 3 3 pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal # broadcast IP: no packet for this address will be received on ns1 pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal + pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal test_linkfail=4 speed=20 \ run_tests $ns1 $ns2 10.0.1.1 & local tests_pid=$! @@ -3653,11 +3654,21 @@ endpoint_tests() wait_mpj $ns2 chk_subflow_nr "after re-add" 3 chk_mptcp_info subflows 2 subflows 2 + + pm_nl_del_endpoint $ns1 42 10.0.1.1 + sleep 0.5 + chk_subflow_nr "after delete ID 0" 2 + chk_mptcp_info subflows 2 subflows 2 + + pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal + wait_mpj $ns2 + chk_subflow_nr "after re-add" 3 + chk_mptcp_info subflows 3 subflows 3 mptcp_lib_kill_wait $tests_pid - chk_join_nr 3 3 3 - chk_add_nr 4 4 - chk_rm_nr 2 1 invert + chk_join_nr 4 4 4 + chk_add_nr 5 5 + chk_rm_nr 3 2 invert fi # flush and re-add

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: check re-adding init endp with != id" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 1c2326fcae4f0c5de8ad0d734ced43a8e5f17dac # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083017-acclaim-eatery-5ccf@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 1c2326fcae4f ("selftests: mptcp: join: check re-adding init endp with != id") a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1c2326fcae4f0c5de8ad0d734ced43a8e5f17dac Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:30 +0200 Subject: [PATCH] selftests: mptcp: join: check re-adding init endp with != id The initial subflow has a special local ID: 0. It is specific per connection. When a global endpoint is deleted and re-added later, it can have a different ID, but the kernel should still use the ID 0 if it corresponds to the initial address. This test validates this behaviour: the endpoint linked to the initial subflow is removed, and re-added with a different ID. Note that removing the initial subflow will not decrement the 'subflows' counters, which corresponds to the *additional* subflows. On the other hand, when the same endpoint is re-added, it will increment this counter, as it will be seen as an additional subflow this time. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 8b4529ff15e5..75458ade32c7 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3627,11 +3627,12 @@ endpoint_tests() # remove and re-add if reset "delete re-add signal" && mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then - pm_nl_set_limits $ns1 0 2 - pm_nl_set_limits $ns2 2 2 + pm_nl_set_limits $ns1 0 3 + pm_nl_set_limits $ns2 3 3 pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal # broadcast IP: no packet for this address will be received on ns1 pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal + pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal test_linkfail=4 speed=20 \ run_tests $ns1 $ns2 10.0.1.1 & local tests_pid=$! @@ -3653,11 +3654,21 @@ endpoint_tests() wait_mpj $ns2 chk_subflow_nr "after re-add" 3 chk_mptcp_info subflows 2 subflows 2 + + pm_nl_del_endpoint $ns1 42 10.0.1.1 + sleep 0.5 + chk_subflow_nr "after delete ID 0" 2 + chk_mptcp_info subflows 2 subflows 2 + + pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal + wait_mpj $ns2 + chk_subflow_nr "after re-add" 3 + chk_mptcp_info subflows 3 subflows 3 mptcp_lib_kill_wait $tests_pid - chk_join_nr 3 3 3 - chk_add_nr 4 4 - chk_rm_nr 2 1 invert + chk_join_nr 4 4 4 + chk_add_nr 5 5 + chk_rm_nr 3 2 invert fi # flush and re-add

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mptcp: pm: fix ID 0 endp usage after multiple re-creations" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9366922adc6a71378ca01f898c41be295309f044 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083011-antics-rented-acb7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 9366922adc6a ("mptcp: pm: fix ID 0 endp usage after multiple re-creations") 8b8ed1b429f8 ("mptcp: pm: reuse ID 0 after delete and re-add") 48e50dcbcbaa ("mptcp: pm: avoid possible UaF when selecting endp") 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set") cd7c957f936f ("mptcp: pm: don't try to create sf if alloc failed") c95eb32ced82 ("mptcp: pm: reduce indentation blocks") 40eec1795cc2 ("mptcp: pm: update add_addr counters after connect") 6a09788c1a66 ("mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID") e571fb09c893 ("selftests: mptcp: add speed env var") 4aadde088a58 ("selftests: mptcp: add fullmesh env var") 080b7f5733fd ("selftests: mptcp: add fastclose env var") 662aa22d7dcd ("selftests: mptcp: set all env vars as local ones") 9e9d176df8e9 ("selftests: mptcp: add pm_nl_set_endpoint helper") 1534f87ee0dc ("selftests: mptcp: drop sflags parameter") 595ef566a2ef ("selftests: mptcp: drop addr_nr_ns1/2 parameters") 0c93af1f8907 ("selftests: mptcp: drop test_linkfail parameter") be7e9786c915 ("selftests: mptcp: set FAILING_LINKS in run_tests") 4369c198e599 ("selftests: mptcp: test userspace pm out of transfer") 528cb5f2a1e8 ("mptcp: pass addr to mptcp_pm_alloc_anno_list") ae947bb2c253 ("selftests: mptcp: join: skip Fastclose tests if not supported") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9366922adc6a71378ca01f898c41be295309f044 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:33 +0200 Subject: [PATCH] mptcp: pm: fix ID 0 endp usage after multiple re-creations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'local_addr_used' and 'add_addr_accepted' are decremented for addresses not related to the initial subflow (ID0), because the source and destination addresses of the initial subflows are known from the beginning: they don't count as "additional local address being used" or "ADD_ADDR being accepted". It is then required not to increment them when the entrypoint used by the initial subflow is removed and re-added during a connection. Without this modification, this entrypoint cannot be removed and re-added more than once. Reported-by: Arınç ÜNAL <arinc.unal(a)arinc9.com> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/512 Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking") Reported-by: syzbot+455d38ecd5f655fc45cf(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/00000000000049861306209237f4@google.com Cc: stable(a)vger.kernel.org Tested-by: Arınç ÜNAL <arinc.unal(a)arinc9.com> Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 3ff273e219f2..a93450ded50a 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -615,12 +615,13 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH); - msk->pm.local_addr_used++; __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); /* Special case for ID0: set the correct ID */ if (local.addr.id == msk->mpc_endpoint_id) local.addr.id = 0; + else /* local_addr_used is not decr for ID 0 */ + msk->pm.local_addr_used++; nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs); if (nr == 0) @@ -750,7 +751,9 @@ static void mptcp_pm_nl_add_addr_received(struct mptcp_sock *msk) spin_lock_bh(&msk->pm.lock); if (sf_created) { - msk->pm.add_addr_accepted++; + /* add_addr_accepted is not decr for ID 0 */ + if (remote.id) + msk->pm.add_addr_accepted++; if (msk->pm.add_addr_accepted >= add_addr_accept_max || msk->pm.subflows >= subflows_max) WRITE_ONCE(msk->pm.accept_addr, false);

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mptcp: pm: reuse ID 0 after delete and re-add" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 8b8ed1b429f8fa7ebd5632555e7b047bc0620075 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024083043-surreal-prepay-46e5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 8b8ed1b429f8 ("mptcp: pm: reuse ID 0 after delete and re-add") 48e50dcbcbaa ("mptcp: pm: avoid possible UaF when selecting endp") 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set") cd7c957f936f ("mptcp: pm: don't try to create sf if alloc failed") c95eb32ced82 ("mptcp: pm: reduce indentation blocks") 528cb5f2a1e8 ("mptcp: pass addr to mptcp_pm_alloc_anno_list") 77e4b94a3de6 ("mptcp: update userspace pm infos") 24430f8bf516 ("mptcp: add address into userspace pm list") b9d69db87fb7 ("mptcp: let the in-kernel PM use mixed IPv4 and IPv6 addresses") fb00ee4f3343 ("mptcp: netlink: respect v4/v6-only sockets") 80638684e840 ("mptcp: get sk from msk directly") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8b8ed1b429f8fa7ebd5632555e7b047bc0620075 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Wed, 28 Aug 2024 08:14:24 +0200 Subject: [PATCH] mptcp: pm: reuse ID 0 after delete and re-add When the endpoint used by the initial subflow is removed and re-added later, the PM has to force the ID 0, it is a special case imposed by the MPTCP specs. Note that the endpoint should then need to be re-added reusing the same ID. Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 8d2f97854c64..ec45ab4c66ab 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -585,6 +585,11 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); msk->pm.add_addr_signaled++; + + /* Special case for ID0: set the correct ID */ + if (local.addr.id == msk->mpc_endpoint_id) + local.addr.id = 0; + mptcp_pm_announce_addr(msk, &local.addr, false); mptcp_pm_nl_addr_send_ack(msk); @@ -609,6 +614,11 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) msk->pm.local_addr_used++; __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); + + /* Special case for ID0: set the correct ID */ + if (local.addr.id == msk->mpc_endpoint_id) + local.addr.id = 0; + nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs); if (nr == 0) continue;

8 months, 1 week

1
0
0 0

[PATCH RESEND] crypto: sa2ul - fix memory leak in sa_cra_init_aead()

by Ma Ke

Currently the resource allocated by crypto_alloc_shash() is not freed in case crypto_alloc_aead() fails, resulting in memory leak. Add crypto_free_shash() to fix it. Found by code review. Cc: stable(a)vger.kernel.org Fixes: d2c8ac187fc9 ("crypto: sa2ul - Add AEAD algorithm support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/crypto/sa2ul.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c index 461eca40e878..b5af621f7f17 100644 --- a/drivers/crypto/sa2ul.c +++ b/drivers/crypto/sa2ul.c @@ -1740,7 +1740,8 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash, ctx->shash = crypto_alloc_shash(hash, 0, CRYPTO_ALG_NEED_FALLBACK); if (IS_ERR(ctx->shash)) { dev_err(sa_k3_dev, "base driver %s couldn't be loaded\n", hash); - return PTR_ERR(ctx->shash); + ret = PTR_ERR(ctx->shash); + goto err_free_shash; } ctx->fallback.aead = crypto_alloc_aead(fallback, 0, @@ -1749,7 +1750,8 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash, if (IS_ERR(ctx->fallback.aead)) { dev_err(sa_k3_dev, "fallback driver %s couldn't be loaded\n", fallback); - return PTR_ERR(ctx->fallback.aead); + ret = PTR_ERR(ctx->fallback.aead); + goto err_free_shash; } crypto_aead_set_reqsize(tfm, sizeof(struct aead_request) + @@ -1757,19 +1759,23 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash, ret = sa_init_ctx_info(&ctx->enc, data); if (ret) - return ret; + goto err_free_shash; ret = sa_init_ctx_info(&ctx->dec, data); - if (ret) { - sa_free_ctx_info(&ctx->enc, data); - return ret; - } + if (ret) + goto err_free_ctx_info; dev_dbg(sa_k3_dev, "%s(0x%p) sc-ids(0x%x(0x%pad), 0x%x(0x%pad))\n", __func__, tfm, ctx->enc.sc_id, &ctx->enc.sc_phys, ctx->dec.sc_id, &ctx->dec.sc_phys); return ret; + +err_free_ctx_info: + sa_free_ctx_info(&ctx->enc, data); +err_free_shash: + crypto_free_shash(ctx->shash); + return ret; } static int sa_cra_init_aead_sha1(struct crypto_aead *tfm) -- 2.25.1

8 months, 1 week

2
1
0 0

[PATCH] soc: qcom: smem_state: fix missing of_node_put in error path

by Krzysztof Kozlowski

If of_parse_phandle_with_args() succeeds, the OF node reference should be dropped, regardless of number of phandle arguments. Cc: <stable(a)vger.kernel.org> Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/soc/qcom/smem_state.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c index d9bfac6c54fb..cc5be8019b6a 100644 --- a/drivers/soc/qcom/smem_state.c +++ b/drivers/soc/qcom/smem_state.c @@ -112,7 +112,8 @@ struct qcom_smem_state *qcom_smem_state_get(struct device *dev, if (args.args_count != 1) { dev_err(dev, "invalid #qcom,smem-state-cells\n"); - return ERR_PTR(-EINVAL); + state = ERR_PTR(-EINVAL); + goto put; } state = of_node_to_state(args.np); -- 2.43.0

8 months, 1 week

2
1
0 0

[PATCH v4 0/2] media: imx335: Fix reset-gpio handling

by Umang Jain

These couple of patches intends to fix the reset-gpio handling for imx335 driver. Patch 1/2 mentions reset-gpio polarity in DT binding example. Patch 2/2 fixes the logical value of reset-gpio during power-on/power-off sequence. -- Changes in v4: - rework 2/2 commit message - Explain conclusions for 2/2 patch, in the '---' section. Changes in v3: - Rework 1/2 commit message - Fix gpio include in DT example in 1/2 - Remove not-so-informative XCLR comment in 2/2 Changes in v2: - Also include reset-gpio polarity, mention in DT binding - Add Fixes tag in 2/2 - Set the reset line to high during init time in 2/2 Link to v2: https://lore.kernel.org/linux-media/20240729110437.199428-1-umang.jain@idea… Link to v1: https://lore.kernel.org/linux-media/tyo5etjwsfznuk6vzwqmcphbu4pz4lskrg3fjie… Signed-off-by: Umang Jain <umang.jain(a)ideasonboard.com> --- Umang Jain (2): dt-bindings: media: imx335: Add reset-gpios to the DT example media: imx335: Fix reset-gpio handling Documentation/devicetree/bindings/media/i2c/sony,imx335.yaml | 4 ++++ drivers/media/i2c/imx335.c | 9 ++++----- 2 files changed, 8 insertions(+), 5 deletions(-) --- base-commit: 393556c9f56ced8d9776c32ce99f34913cfd904e change-id: 20240830-imx335-vflip-7f5d4b4d00fe Best regards, -- Umang Jain <umang.jain(a)ideasonboard.com>

8 months, 1 week

2
2
0 0

[PATCH v5 6/7] vdpa: solidrun: Fix UB bug with devres

by Philipp Stanner

In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to pcim_iomap_regions() is placed on the stack. Neither pcim_iomap_regions() nor the functions it calls copy that string. Should the string later ever be used, this, consequently, causes undefined behavior since the stack frame will by then have disappeared. Fix the bug by allocating the strings on the heap through devm_kasprintf(). Cc: stable(a)vger.kernel.org # v6.3 Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.") Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Closes: https://lore.kernel.org/all/74e9109a-ac59-49e2-9b1d-d825c9c9f891@wanadoo.fr/ Suggested-by: Andy Shevchenko <andy(a)kernel.org> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> --- drivers/vdpa/solidrun/snet_main.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/vdpa/solidrun/snet_main.c b/drivers/vdpa/solidrun/snet_main.c index 99428a04068d..c8b74980dbd1 100644 --- a/drivers/vdpa/solidrun/snet_main.c +++ b/drivers/vdpa/solidrun/snet_main.c @@ -555,7 +555,7 @@ static const struct vdpa_config_ops snet_config_ops = { static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) { - char name[50]; + char *name; int ret, i, mask = 0; /* We don't know which BAR will be used to communicate.. * We will map every bar with len > 0. @@ -573,7 +573,10 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) return -ENODEV; } - snprintf(name, sizeof(name), "psnet[%s]-bars", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + ret = pcim_iomap_regions(pdev, mask, name); if (ret) { SNET_ERR(pdev, "Failed to request and map PCI BARs\n"); @@ -590,10 +593,13 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) static int snet_open_vf_bar(struct pci_dev *pdev, struct snet *snet) { - char name[50]; + char *name; int ret; - snprintf(name, sizeof(name), "snet[%s]-bar", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "snet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + /* Request and map BAR */ ret = pcim_iomap_regions(pdev, BIT(snet->psnet->cfg.vf_bar), name); if (ret) { -- 2.46.0

8 months, 1 week

3
6
0 0

[PATCH] leds: pca9532: Remove irrelevant error message

by Bastien Curutchet

The update_hw_blink() function prints an error message when hardware is not able to handle a blink configuration on its own. IMHO, this isn't a 'real' error since the software fallback is used afterwards. Remove the error messages to avoid flooding the logs with unnecessary messages. Cc: stable(a)vger.kernel.org Fixes: 48ca7f302cfc ("leds: pca9532: Use PWM1 for hardware blinking") Signed-off-by: Bastien Curutchet <bastien.curutchet(a)bootlin.com> --- drivers/leds/leds-pca9532.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c index 9f3fac66a11c..bcc3063bd441 100644 --- a/drivers/leds/leds-pca9532.c +++ b/drivers/leds/leds-pca9532.c @@ -215,8 +215,7 @@ static int pca9532_update_hw_blink(struct pca9532_led *led, if (other->state == PCA9532_PWM1) { if (other->ldev.blink_delay_on != delay_on || other->ldev.blink_delay_off != delay_off) { - dev_err(&led->client->dev, - "HW can handle only one blink configuration at a time\n"); + /* HW can handle only one blink configuration at a time */ return -EINVAL; } } @@ -224,7 +223,7 @@ static int pca9532_update_hw_blink(struct pca9532_led *led, psc = ((delay_on + delay_off) * PCA9532_PWM_PERIOD_DIV - 1) / 1000; if (psc > U8_MAX) { - dev_err(&led->client->dev, "Blink period too long to be handled by hardware\n"); + /* Blink period too long to be handled by hardware */ return -EINVAL; } -- 2.45.0

8 months, 1 week

2
1
0 0

[PATCH v1 1/2] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufs-mcq.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..afd9541f4bd8 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -570,15 +570,16 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) writel(nexus, opr_sqd_base + REG_SQCTI); /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, + if (err || FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%ld\n", + __func__, id, task_tag, err, FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); if (ufshcd_mcq_sq_start(hba, hwq)) -- 2.45.2

8 months, 1 week

1
0
0 0

[PATCH V4] scsi: ufs: qcom: update MODE_MAX cfg_bw value

by Manish Pandey

The cfg_bw value for max mode is incorrect for the Qualcomm SoC. Update it to the correct value for cfg_bw max mode. Fixes: 03ce80a1bb86 ("scsi: ufs: qcom: Add support for scaling interconnects") Cc: stable(a)vger.kernel.org Signed-off-by: Manish Pandey <quic_mapa(a)quicinc.com> --- Changes from v3: - Cced stable(a)vger.kernel.org. Changes from v2: - Addressed Mani comment, added fixes tag. Changes from v1: - Updated commit message. --- drivers/ufs/host/ufs-qcom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c index c87fdc849c62..ecdfff2456e3 100644 --- a/drivers/ufs/host/ufs-qcom.c +++ b/drivers/ufs/host/ufs-qcom.c @@ -93,7 +93,7 @@ static const struct __ufs_qcom_bw_table { [MODE_HS_RB][UFS_HS_G3][UFS_LANE_2] = { 1492582, 204800 }, [MODE_HS_RB][UFS_HS_G4][UFS_LANE_2] = { 2915200, 409600 }, [MODE_HS_RB][UFS_HS_G5][UFS_LANE_2] = { 5836800, 819200 }, - [MODE_MAX][0][0] = { 7643136, 307200 }, + [MODE_MAX][0][0] = { 7643136, 819200 }, }; static void ufs_qcom_get_default_testbus_cfg(struct ufs_qcom_host *host); -- 2.17.1

8 months, 1 week

2
1
0 0

[PATCH] sched/syscalls: Allow setting niceness using sched_param struct

by Michael Pratt

From userspace, spawning a new process with, for example, posix_spawn(), only allows the user to work with the scheduling priority value defined by POSIX in the sched_param struct. However, sched_setparam() and similar syscalls lead to __sched_setscheduler() which rejects any new value for the priority other than 0 for non-RT schedule classes, a behavior kept since Linux 2.6 or earlier. Linux translates the usage of the sched_param struct into it's own internal sched_attr struct during the syscall, but the user has no way to manage the other values within the sched_attr struct using only POSIX functions. The only other way to adjust niceness while using posix_spawn() would be to set the value after the process has started, but this introduces the risk of the process being dead before the next syscall can set the priority after the fact. To resolve this, allow the use of the priority value originally from the POSIX sched_param struct in order to set the niceness value instead of rejecting the priority value. Edit the sched_get_priority_*() POSIX syscalls in order to reflect the range of values accepted. Cc: stable(a)vger.kernel.org # Apply to kernel/sched/core.c Signed-off-by: Michael Pratt <mcpratt(a)pm.me> --- kernel/sched/syscalls.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c index ae1b42775ef9..52c02b80f037 100644 --- a/kernel/sched/syscalls.c +++ b/kernel/sched/syscalls.c @@ -853,6 +853,19 @@ static int _sched_setscheduler(struct task_struct *p, int policy, attr.sched_policy = policy; } + if (attr.sched_priority > MAX_PRIO-1) + return -EINVAL; + + /* + * If priority is set for SCHED_NORMAL or SCHED_BATCH, + * set the niceness instead, but only for user calls. + */ + if (check && attr.sched_priority > MAX_RT_PRIO-1 && + ((policy != SETPARAM_POLICY && fair_policy(policy)) || fair_policy(p->policy))) { + attr.sched_nice = PRIO_TO_NICE(attr.sched_priority); + attr.sched_priority = 0; + } + return __sched_setscheduler(p, &attr, check, true); } /** @@ -1598,9 +1611,11 @@ SYSCALL_DEFINE1(sched_get_priority_max, int, policy) case SCHED_RR: ret = MAX_RT_PRIO-1; break; - case SCHED_DEADLINE: case SCHED_NORMAL: case SCHED_BATCH: + ret = MAX_PRIO-1; + break; + case SCHED_DEADLINE: case SCHED_IDLE: ret = 0; break; @@ -1625,9 +1640,11 @@ SYSCALL_DEFINE1(sched_get_priority_min, int, policy) case SCHED_RR: ret = 1; break; - case SCHED_DEADLINE: case SCHED_NORMAL: case SCHED_BATCH: + ret = MAX_RT_PRIO; + break; + case SCHED_DEADLINE: case SCHED_IDLE: ret = 0; } base-commit: 5be63fc19fcaa4c236b307420483578a56986a37 -- 2.30.2

8 months, 1 week

1
0
0 0

[PATCH] media: i2c: ar0521: Use cansleep version of gpiod_set_value()

by Alexander Shiyan

If we use GPIO reset from I2C port expander, we must use *_cansleep() variant of GPIO functions. This was not done in ar0521_power_on()/ar0521_power_off() functions. Let's fix that. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c Modules linked in: CPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) Workqueue: events_unbound deferred_probe_work_func pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : gpiod_set_value+0x74/0x7c lr : ar0521_power_on+0xcc/0x290 sp : ffffff8001d7ab70 x29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000 x26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088 x23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088 x20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80 x17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000 x14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930 x11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0 x8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780 x5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001 Call trace: gpiod_set_value+0x74/0x7c ar0521_power_on+0xcc/0x290 ... Signed-off-by: Alexander Shiyan <eagle.alexander923(a)gmail.com> Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver") Cc: stable(a)vger.kernel.org --- drivers/media/i2c/ar0521.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/ar0521.c b/drivers/media/i2c/ar0521.c index 09331cf95c62..d557f3b3de3d 100644 --- a/drivers/media/i2c/ar0521.c +++ b/drivers/media/i2c/ar0521.c @@ -844,7 +844,8 @@ static int ar0521_power_off(struct device *dev) clk_disable_unprepare(sensor->extclk); if (sensor->reset_gpio) - gpiod_set_value(sensor->reset_gpio, 1); /* assert RESET signal */ + /* assert RESET signal */ + gpiod_set_value_cansleep(sensor->reset_gpio, 1); for (i = ARRAY_SIZE(ar0521_supply_names) - 1; i >= 0; i--) { if (sensor->supplies[i]) @@ -878,7 +879,7 @@ static int ar0521_power_on(struct device *dev) if (sensor->reset_gpio) /* deassert RESET signal */ - gpiod_set_value(sensor->reset_gpio, 0); + gpiod_set_value_cansleep(sensor->reset_gpio, 0); usleep_range(4500, 5000); /* min 45000 clocks */ for (cnt = 0; cnt < ARRAY_SIZE(initial_regs); cnt++) { -- 2.39.1

8 months, 1 week

2
1
0 0

[PATCH net] RDMA/mana_ib: fix a bug in calculating the wrong page table index when 64kb page table is used

by longli＠linuxonhyperv.com

From: Long Li <longli(a)microsoft.com> MANA hardware uses 4k page size. When calculating the page table index, it should use the hardware page size, not the system page size. Cc: stable(a)vger.kernel.org Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Long Li <longli(a)microsoft.com> --- drivers/infiniband/hw/mana/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mana/main.c b/drivers/infiniband/hw/mana/main.c index d13abc954d2a..f68f54aea820 100644 --- a/drivers/infiniband/hw/mana/main.c +++ b/drivers/infiniband/hw/mana/main.c @@ -383,7 +383,7 @@ static int mana_ib_gd_create_dma_region(struct mana_ib_dev *dev, struct ib_umem create_req->length = umem->length; create_req->offset_in_page = ib_umem_dma_offset(umem, page_sz); - create_req->gdma_page_type = order_base_2(page_sz) - PAGE_SHIFT; + create_req->gdma_page_type = order_base_2(page_sz) - MANA_PAGE_SHIFT; create_req->page_count = num_pages_total; ibdev_dbg(&dev->ib_dev, "size_dma_region %lu num_pages_total %lu\n", -- 2.17.1

8 months, 1 week

4
5
0 0

[PATCH v2] drm/vmwgfx: Cleanup kms setup without 3d

by Zack Rusin

Do not validate format equality for the non 3d cases to allow xrgb to argb copies and make sure the dx binding flags are only used on dx compatible surfaces. Fixes basic 2d kms setup on configurations without 3d. There's little practical benefit to it because kms framebuffer coherence is disabled on configurations without 3d but with those changes the code actually makes sense. v2: Remove the now unused format variable Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.9+ Cc: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> Cc: Martin Krastev <martin.krastev(a)broadcom.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 29 ------------------------- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 +++++--- 2 files changed, 6 insertions(+), 32 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 288ed0bb75cb..282b6153bcdd 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1283,7 +1283,6 @@ static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, { struct drm_device *dev = &dev_priv->drm; struct vmw_framebuffer_surface *vfbs; - enum SVGA3dSurfaceFormat format; struct vmw_surface *surface; int ret; @@ -1320,34 +1319,6 @@ static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, return -EINVAL; } - switch (mode_cmd->pixel_format) { - case DRM_FORMAT_ARGB8888: - format = SVGA3D_A8R8G8B8; - break; - case DRM_FORMAT_XRGB8888: - format = SVGA3D_X8R8G8B8; - break; - case DRM_FORMAT_RGB565: - format = SVGA3D_R5G6B5; - break; - case DRM_FORMAT_XRGB1555: - format = SVGA3D_A1R5G5B5; - break; - default: - DRM_ERROR("Invalid pixel format: %p4cc\n", - &mode_cmd->pixel_format); - return -EINVAL; - } - - /* - * For DX, surface format validation is done when surface->scanout - * is set. - */ - if (!has_sm4_context(dev_priv) && format != surface->metadata.format) { - DRM_ERROR("Invalid surface format for requested mode.\n"); - return -EINVAL; - } - vfbs = kzalloc(sizeof(*vfbs), GFP_KERNEL); if (!vfbs) { ret = -ENOMEM; diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 1625b30d9970..5721c74da3e0 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -2276,9 +2276,12 @@ int vmw_dumb_create(struct drm_file *file_priv, const struct SVGA3dSurfaceDesc *desc = vmw_surface_get_desc(format); SVGA3dSurfaceAllFlags flags = SVGA3D_SURFACE_HINT_TEXTURE | SVGA3D_SURFACE_HINT_RENDERTARGET | - SVGA3D_SURFACE_SCREENTARGET | - SVGA3D_SURFACE_BIND_SHADER_RESOURCE | - SVGA3D_SURFACE_BIND_RENDER_TARGET; + SVGA3D_SURFACE_SCREENTARGET; + + if (vmw_surface_is_dx_screen_target_format(format)) { + flags |= SVGA3D_SURFACE_BIND_SHADER_RESOURCE | + SVGA3D_SURFACE_BIND_RENDER_TARGET; + } /* * Without mob support we're just going to use raw memory buffer -- 2.43.0

8 months, 1 week

3
2
0 0

[PATCH v5] x86/entry_32: Use stack segment selector for VERW operand

by Pawan Gupta

Robert Gill reported below #GP when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Replace CLEAR_CPU_BUFFERS with a safer version that uses %ss to refer VERW operand mds_verw_sel. This ensures VERW will not #GP for an arbitrary user %ds. Also, in NMI return path, move VERW to after RESTORE_ALL_NMI that touches GPRs. For clarity, below are the locations where the new CLEAR_CPU_BUFFERS_SAFE version is being used: * entry_INT80_32(), entry_SYSENTER_32() and interrupts (via handle_exception_return) do: restore_all_switch_stack: [...] mov %esi,%esi verw %ss:0xc0fc92c0 <------------- iret * Opportunistic SYSEXIT: [...] verw %ss:0xc0fc92c0 <------------- btrl $0x9,(%esp) popf pop %eax sti sysexit * nmi_return and nmi_from_espfix: mov %esi,%esi verw %ss:0xc0fc92c0 <------------- jmp .Lirq_return Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Cc: stable(a)vger.kernel.org # 5.10+ Reported-by: Robert Gill <rtgill82(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> # Use %ss Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- v5: - Simplify the use of ALTERNATIVE construct (Uros/Jiri/Peter). v4: https://lore.kernel.org/r/20240710-fix-dosemu-vm86-v4-1-aa6464e1de6f@linux.… - Further simplify the patch by using %ss for all VERW calls in 32-bit mode (Brian). - In NMI exit path move VERW after RESTORE_ALL_NMI that touches GPRs (Dave). v3: https://lore.kernel.org/r/20240701-fix-dosemu-vm86-v3-1-b1969532c75a@linux.… - Simplify CLEAR_CPU_BUFFERS_SAFE by using %ss instead of %ds (Brian). - Do verw before popf in SYSEXIT path (Jari). v2: https://lore.kernel.org/r/20240627-fix-dosemu-vm86-v2-1-d5579f698e77@linux.… - Safe guard against any other system calls like vm86() that might change %ds (Dave). v1: https://lore.kernel.org/r/20240426-fix-dosemu-vm86-v1-1-88c826a3f378@linux.… --- --- arch/x86/entry/entry_32.S | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index d3a814efbff6..25c942149fb5 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -253,6 +253,14 @@ .Lend_\@: .endm +/* + * Safer version of CLEAR_CPU_BUFFERS that uses %ss to reference VERW operand + * mds_verw_sel. This ensures VERW will not #GP for an arbitrary user %ds. + */ +.macro CLEAR_CPU_BUFFERS_SAFE + ALTERNATIVE "", __stringify(verw %ss:_ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +.endm + .macro RESTORE_INT_REGS popl %ebx popl %ecx @@ -871,6 +879,8 @@ SYM_FUNC_START(entry_SYSENTER_32) /* Now ready to switch the cr3 */ SWITCH_TO_USER_CR3 scratch_reg=%eax + /* Clobbers ZF */ + CLEAR_CPU_BUFFERS_SAFE /* * Restore all flags except IF. (We restore IF separately because @@ -881,7 +891,6 @@ SYM_FUNC_START(entry_SYSENTER_32) BUG_IF_WRONG_CR3 no_user_check=1 popfl popl %eax - CLEAR_CPU_BUFFERS /* * Return back to the vDSO, which will pop ecx and edx. @@ -951,7 +960,7 @@ restore_all_switch_stack: /* Restore user state */ RESTORE_REGS pop=4 # skip orig_eax/error_code - CLEAR_CPU_BUFFERS + CLEAR_CPU_BUFFERS_SAFE .Lirq_return: /* * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization @@ -1144,7 +1153,6 @@ SYM_CODE_START(asm_exc_nmi) /* Not on SYSENTER stack. */ call exc_nmi - CLEAR_CPU_BUFFERS jmp .Lnmi_return .Lnmi_from_sysenter_stack: @@ -1165,6 +1173,7 @@ SYM_CODE_START(asm_exc_nmi) CHECK_AND_APPLY_ESPFIX RESTORE_ALL_NMI cr3_reg=%edi pop=4 + CLEAR_CPU_BUFFERS_SAFE jmp .Lirq_return #ifdef CONFIG_X86_ESPFIX32 @@ -1206,6 +1215,7 @@ SYM_CODE_START(asm_exc_nmi) * 1 - orig_ax */ lss (1+5+6)*4(%esp), %esp # back to espfix stack + CLEAR_CPU_BUFFERS_SAFE jmp .Lirq_return #endif SYM_CODE_END(asm_exc_nmi) --- base-commit: f2661062f16b2de5d7b6a5c42a9a5c96326b8454 change-id: 20240426-fix-dosemu-vm86-dd111a01737e

8 months, 1 week

2
2
0 0

[PATCH v2 0/5] soc: qcom: fix rpm_requests module probing

by Dmitry Baryshkov

The GLINK RPMSG channels get modalias based on the compatible string rather than the channel type, however the smd-rpm module uses rpmsg ID instead. Thus if the smd-rpm is built as a module, it doesn't get automatically loaded. Add generic compatible to such devices and fix module's ID table. Module loading worked before the commit bcabe1e09135 ("soc: qcom: smd-rpm: Match rpmsg channel instead of compatible"), because the driver listed all compatible strings, but the mentioned commit changed ID table. Revert the offending commit and add generic compatible strings instead. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- Changes in v2: - Separate fix from the improvements (Krzysztof - Split the qcom,glink-smd-rpm compat from the qcom,smd-rpm as they use different channels underneath. - Link to v1: https://lore.kernel.org/r/20240729-fix-smd-rpm-v1-0-99a96133cc65@linaro.org --- Dmitry Baryshkov (5): Revert "soc: qcom: smd-rpm: Match rpmsg channel instead of compatible" dt-bindings: soc: qcom: smd-rpm: add generic compatibles soc: qcom: smd-rpm: add qcom,smd-rpm compatible ARM: dts: qcom: add generic compat string to RPM glink channels arm64: dts: qcom: add generic compat string to RPM glink channels .../devicetree/bindings/clock/qcom,rpmcc.yaml | 2 +- .../bindings/remoteproc/qcom,glink-rpm-edge.yaml | 2 +- .../bindings/remoteproc/qcom,rpm-proc.yaml | 4 +- .../devicetree/bindings/soc/qcom/qcom,smd-rpm.yaml | 74 ++++++++++------------ .../devicetree/bindings/soc/qcom/qcom,smd.yaml | 2 +- arch/arm/boot/dts/qcom/qcom-apq8084.dtsi | 2 +- arch/arm/boot/dts/qcom/qcom-msm8226.dtsi | 2 +- arch/arm/boot/dts/qcom/qcom-msm8974.dtsi | 2 +- arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- arch/arm64/boot/dts/qcom/ipq9574.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8939.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8953.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8998.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcm2290.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcs404.dtsi | 2 +- arch/arm64/boot/dts/qcom/sdm630.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6115.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6125.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6375.dtsi | 2 +- drivers/soc/qcom/smd-rpm.c | 41 +++++++++--- 24 files changed, 88 insertions(+), 73 deletions(-) --- base-commit: 668d33c9ff922c4590c58754ab064aaf53c387dd change-id: 20240729-fix-smd-rpm-9651e87a9bb0 Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

8 months, 1 week

3
3
0 0

[PATCH net 12/13] can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open

by Marc Kleine-Budde

From: Simon Arlott <simon(a)octiron.net> The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() <interrupt> mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running. Fixes: 8ce8c0abcba3 ("can: mcp251x: only reset hardware as required") Signed-off-by: Simon Arlott <simon(a)octiron.net> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/4fc08687-1d80-43fe-9f0d-8ef8475e75f6@0882a8b5-c… Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/spi/mcp251x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c index 3b8736ff0345..ec5c64006a16 100644 --- a/drivers/net/can/spi/mcp251x.c +++ b/drivers/net/can/spi/mcp251x.c @@ -752,7 +752,7 @@ static int mcp251x_hw_wake(struct spi_device *spi) int ret; /* Force wakeup interrupt to wake device, but don't execute IST */ - disable_irq(spi->irq); + disable_irq_nosync(spi->irq); mcp251x_write_2regs(spi, CANINTE, CANINTE_WAKIE, CANINTF_WAKIF); /* Wait for oscillator startup timer after wake up */ -- 2.45.2

8 months, 1 week

1
0
0 0

[PATCH 4.19 0/1] Fix CVE-2021-3493

by hsimeliere.opensource＠witekio.com

https://nvd.nist.gov/vuln/detail/CVE-2021-3493

8 months, 1 week

2
5
0 0

FAILED: patch "[PATCH] smb/client: fix rdma usage in smb2_async_writev()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 017d1701743657fbfaea74397727a9d2b81846b7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082910-depraved-thing-8c02@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 017d17017436 ("smb/client: fix rdma usage in smb2_async_writev()") b608e2c31878 ("smb/client: remove unused rq_iter_size from struct smb_rqst") dc5939de82f1 ("cifs: Replace the writedata replay bool with a netfs sreq flag") ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest") a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest") 753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest") f3dc1bdb6b0b ("cifs: Fix writeback data corruption") d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 017d1701743657fbfaea74397727a9d2b81846b7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze(a)samba.org> Date: Wed, 21 Aug 2024 16:31:39 +0200 Subject: [PATCH] smb/client: fix rdma usage in smb2_async_writev() rqst.rq_iter needs to be truncated otherwise we'll also send the bytes into the stream socket... This is the logic behind rqst.rq_npages = 0, which was removed in "cifs: Change the I/O paths to use an iterator rather than a page list" (d08089f649a0cfb2099c8551ac47eef0cc23fdf2). Cc: stable(a)vger.kernel.org Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Reviewed-by: David Howells <dhowells(a)redhat.com> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 63a2541d4a05..2d7e6c42cf18 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -4913,6 +4913,13 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) if (rc) goto out; + rqst.rq_iov = iov; + rqst.rq_iter = wdata->subreq.io_iter; + + rqst.rq_iov[0].iov_len = total_len - 1; + rqst.rq_iov[0].iov_base = (char *)req; + rqst.rq_nvec += 1; + if (smb3_encryption_required(tcon)) flags |= CIFS_TRANSFORM_REQ; @@ -4924,6 +4931,7 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) req->WriteChannelInfoOffset = 0; req->WriteChannelInfoLength = 0; req->Channel = SMB2_CHANNEL_NONE; + req->Length = cpu_to_le32(io_parms->length); req->Offset = cpu_to_le64(io_parms->offset); req->DataOffset = cpu_to_le16( offsetof(struct smb2_write_req, Buffer)); @@ -4943,7 +4951,6 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) */ if (smb3_use_rdma_offload(io_parms)) { struct smbd_buffer_descriptor_v1 *v1; - size_t data_size = iov_iter_count(&wdata->subreq.io_iter); bool need_invalidate = server->dialect == SMB30_PROT_ID; wdata->mr = smbd_register_mr(server->smbd_conn, &wdata->subreq.io_iter, @@ -4952,9 +4959,10 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) rc = -EAGAIN; goto async_writev_out; } + /* For RDMA read, I/O size is in RemainingBytes not in Length */ + req->RemainingBytes = req->Length; req->Length = 0; req->DataOffset = 0; - req->RemainingBytes = cpu_to_le32(data_size); req->Channel = SMB2_CHANNEL_RDMA_V1_INVALIDATE; if (need_invalidate) req->Channel = SMB2_CHANNEL_RDMA_V1; @@ -4966,30 +4974,22 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) v1->offset = cpu_to_le64(wdata->mr->mr->iova); v1->token = cpu_to_le32(wdata->mr->mr->rkey); v1->length = cpu_to_le32(wdata->mr->mr->length); + + rqst.rq_iov[0].iov_len += sizeof(*v1); + + /* + * We keep wdata->subreq.io_iter, + * but we have to truncate rqst.rq_iter + */ + iov_iter_truncate(&rqst.rq_iter, 0); } #endif - iov[0].iov_len = total_len - 1; - iov[0].iov_base = (char *)req; - rqst.rq_iov = iov; - rqst.rq_nvec = 1; - rqst.rq_iter = wdata->subreq.io_iter; if (test_bit(NETFS_SREQ_RETRYING, &wdata->subreq.flags)) smb2_set_replay(server, &rqst); -#ifdef CONFIG_CIFS_SMB_DIRECT - if (wdata->mr) - iov[0].iov_len += sizeof(struct smbd_buffer_descriptor_v1); -#endif - cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n", - io_parms->offset, io_parms->length, iov_iter_count(&rqst.rq_iter)); -#ifdef CONFIG_CIFS_SMB_DIRECT - /* For RDMA read, I/O size is in RemainingBytes not in Length */ - if (!wdata->mr) - req->Length = cpu_to_le32(io_parms->length); -#else - req->Length = cpu_to_le32(io_parms->length); -#endif + cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n", + io_parms->offset, io_parms->length, iov_iter_count(&wdata->subreq.io_iter)); if (wdata->credits.value > 0) { shdr->CreditCharge = cpu_to_le16(DIV_ROUND_UP(wdata->subreq.len,

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] smb/client: fix rdma usage in smb2_async_writev()" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 017d1701743657fbfaea74397727a9d2b81846b7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082909-everyday-familiar-e920@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 017d17017436 ("smb/client: fix rdma usage in smb2_async_writev()") b608e2c31878 ("smb/client: remove unused rq_iter_size from struct smb_rqst") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 017d1701743657fbfaea74397727a9d2b81846b7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze(a)samba.org> Date: Wed, 21 Aug 2024 16:31:39 +0200 Subject: [PATCH] smb/client: fix rdma usage in smb2_async_writev() rqst.rq_iter needs to be truncated otherwise we'll also send the bytes into the stream socket... This is the logic behind rqst.rq_npages = 0, which was removed in "cifs: Change the I/O paths to use an iterator rather than a page list" (d08089f649a0cfb2099c8551ac47eef0cc23fdf2). Cc: stable(a)vger.kernel.org Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Reviewed-by: David Howells <dhowells(a)redhat.com> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 63a2541d4a05..2d7e6c42cf18 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -4913,6 +4913,13 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) if (rc) goto out; + rqst.rq_iov = iov; + rqst.rq_iter = wdata->subreq.io_iter; + + rqst.rq_iov[0].iov_len = total_len - 1; + rqst.rq_iov[0].iov_base = (char *)req; + rqst.rq_nvec += 1; + if (smb3_encryption_required(tcon)) flags |= CIFS_TRANSFORM_REQ; @@ -4924,6 +4931,7 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) req->WriteChannelInfoOffset = 0; req->WriteChannelInfoLength = 0; req->Channel = SMB2_CHANNEL_NONE; + req->Length = cpu_to_le32(io_parms->length); req->Offset = cpu_to_le64(io_parms->offset); req->DataOffset = cpu_to_le16( offsetof(struct smb2_write_req, Buffer)); @@ -4943,7 +4951,6 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) */ if (smb3_use_rdma_offload(io_parms)) { struct smbd_buffer_descriptor_v1 *v1; - size_t data_size = iov_iter_count(&wdata->subreq.io_iter); bool need_invalidate = server->dialect == SMB30_PROT_ID; wdata->mr = smbd_register_mr(server->smbd_conn, &wdata->subreq.io_iter, @@ -4952,9 +4959,10 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) rc = -EAGAIN; goto async_writev_out; } + /* For RDMA read, I/O size is in RemainingBytes not in Length */ + req->RemainingBytes = req->Length; req->Length = 0; req->DataOffset = 0; - req->RemainingBytes = cpu_to_le32(data_size); req->Channel = SMB2_CHANNEL_RDMA_V1_INVALIDATE; if (need_invalidate) req->Channel = SMB2_CHANNEL_RDMA_V1; @@ -4966,30 +4974,22 @@ smb2_async_writev(struct cifs_io_subrequest *wdata) v1->offset = cpu_to_le64(wdata->mr->mr->iova); v1->token = cpu_to_le32(wdata->mr->mr->rkey); v1->length = cpu_to_le32(wdata->mr->mr->length); + + rqst.rq_iov[0].iov_len += sizeof(*v1); + + /* + * We keep wdata->subreq.io_iter, + * but we have to truncate rqst.rq_iter + */ + iov_iter_truncate(&rqst.rq_iter, 0); } #endif - iov[0].iov_len = total_len - 1; - iov[0].iov_base = (char *)req; - rqst.rq_iov = iov; - rqst.rq_nvec = 1; - rqst.rq_iter = wdata->subreq.io_iter; if (test_bit(NETFS_SREQ_RETRYING, &wdata->subreq.flags)) smb2_set_replay(server, &rqst); -#ifdef CONFIG_CIFS_SMB_DIRECT - if (wdata->mr) - iov[0].iov_len += sizeof(struct smbd_buffer_descriptor_v1); -#endif - cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n", - io_parms->offset, io_parms->length, iov_iter_count(&rqst.rq_iter)); -#ifdef CONFIG_CIFS_SMB_DIRECT - /* For RDMA read, I/O size is in RemainingBytes not in Length */ - if (!wdata->mr) - req->Length = cpu_to_le32(io_parms->length); -#else - req->Length = cpu_to_le32(io_parms->length); -#endif + cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n", + io_parms->offset, io_parms->length, iov_iter_count(&wdata->subreq.io_iter)); if (wdata->credits.value > 0) { shdr->CreditCharge = cpu_to_le16(DIV_ROUND_UP(wdata->subreq.len,

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 44ceabdec12f4e5938f5668c5a691aa3aac703d7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082945-closable-sighing-5d70@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 44ceabdec12f ("ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book3 Ultra") dcfed708742c ("ALSA: hda/realtek: Implement sound init sequence for Samsung Galaxy Book3 Pro 360") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44ceabdec12f4e5938f5668c5a691aa3aac703d7 Mon Sep 17 00:00:00 2001 From: YOUNGJIN JOO <neoelec(a)gmail.com> Date: Sun, 25 Aug 2024 18:25:15 +0900 Subject: [PATCH] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book3 Ultra 144d:c1cc requires the same workaround to enable the speaker amp as other Samsung models with the ALC298 codec. Signed-off-by: YOUNGJIN JOO <neoelec(a)gmail.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20240825092515.28728-1-neoelec@gmail.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index b5cc3417138c..c04eac6a5064 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10540,6 +10540,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x144d, 0xca03, "Samsung Galaxy Book2 Pro 360 (NP930QED)", ALC298_FIXUP_SAMSUNG_AMP), SND_PCI_QUIRK(0x144d, 0xc868, "Samsung Galaxy Book2 Pro (NP930XED)", ALC298_FIXUP_SAMSUNG_AMP), SND_PCI_QUIRK(0x144d, 0xc1ca, "Samsung Galaxy Book3 Pro 360 (NP960QFG-KB1US)", ALC298_FIXUP_SAMSUNG_AMP2), + SND_PCI_QUIRK(0x144d, 0xc1cc, "Samsung Galaxy Book3 Ultra (NT960XFH-XD92G))", ALC298_FIXUP_SAMSUNG_AMP2), SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1462, 0xb120, "MSI Cubi MS-B120", ALC283_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC),

8 months, 1 week

1
0
0 0

Apply dbaee836d60a8 to linux-5.10.y

by Nathan Chancellor

Hi Greg and Sasha, Please apply commit dbaee836d60a ("KVM: arm64: Don't use cbz/adr with external symbols") to linux-5.10.y, as a recent LLVM optimization around __cold functions [1] can cause hyp_panic() to be too far away from __guest_enter(), resulting in the same error that occurred with LTO (for the same reason): ld.lld: error: arch/arm64/built-in.a(kvm/hyp/entry.o):(function __guest_enter: .text+0x120): relocation R_AARCH64_CONDBR19 out of range: 14339212 is not in [-1048576, 1048575]; references 'hyp_panic' >>> referenced by entry.S:88 (arch/arm64/kvm/hyp/vhe/../entry.S:88) >>> defined in arch/arm64/built-in.a(kvm/hyp/vhe/switch.o) ld.lld: error: arch/arm64/built-in.a(kvm/hyp/entry.o):(function __guest_enter: .text+0x134): relocation R_AARCH64_ADR_PREL_LO21 out of range: 14339192 is not in [-1048576, 1048575]; references 'hyp_panic' >>> referenced by entry.S:97 (arch/arm64/kvm/hyp/vhe/../entry.S:97) >>> defined in arch/arm64/built-in.a(kvm/hyp/vhe/switch.o) It applies cleanly with 'patch -p1' and I have verified that it fixes the issue. [1]: https://github.com/llvm/llvm-project/commit/6b11573b8c5e3d36beee099dbe7347c… Cheers, Nathan

8 months, 1 week

2
1
0 0

[PATCH v4.19-v6.1] drm/amdgpu: Using uninitialized value *size when calling

by Vamsi Krishna Brahmajosyula

From: Jesse Zhang <jesse.zhang(a)amd.com> [ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ] Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian) Signed-off-by: Jesse Zhang <jesse.zhang(a)amd.com> Suggested-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Vamsi Krishna Brahmajosyula <vamsi-krishna.brahmajosyula(a)broadcom.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c index ecaa2d748..0a28daa14 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c @@ -725,7 +725,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, uint32_t ib_idx) uint32_t created = 0; uint32_t allocated = 0; uint32_t tmp, handle = 0; - uint32_t *size = &tmp; + uint32_t dummy = 0xffffffff; + uint32_t *size = &dummy; unsigned idx; int i, r = 0; -- 2.39.4

8 months, 1 week

2
1
0 0

[PATCH 4.19 1/6] ovl: check permission to open real file

by hsimeliere.opensource＠witekio.com

From: Miklos Szeredi <mszeredi(a)redhat.com> commit 05acefb4872dae89e772729efb194af754c877e8 upstream. Call inode_permission() on real inode before opening regular file on one of the underlying layers. In some cases ovl_permission() already checks access to an underlying file, but it misses the metacopy case, and possibly other ones as well. Removing the redundant permission check from ovl_permission() should be considered later. Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- fs/overlayfs/file.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index 73c3e2c21edb..24a83ed9829a 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c @@ -34,10 +34,22 @@ static struct file *ovl_open_realfile(const struct file *file, struct file *realfile; const struct cred *old_cred; int flags = file->f_flags | OVL_OPEN_FLAGS; + int acc_mode = ACC_MODE(flags); + int err; + + if (flags & O_APPEND) + acc_mode |= MAY_APPEND; old_cred = ovl_override_creds(inode->i_sb); - realfile = open_with_fake_path(&file->f_path, flags, realinode, - current_cred()); + err = inode_permission(realinode, MAY_OPEN | acc_mode); + if (err) { + realfile = ERR_PTR(err); + } else if (!inode_owner_or_capable(realinode)) { + realfile = ERR_PTR(-EPERM); + } else { + realfile = open_with_fake_path(&file->f_path, flags, realinode, + current_cred()); + } revert_creds(old_cred); pr_debug("open(%p[%pD2/%c], 0%o) -> (%p, 0%o)\n", -- 2.43.0

8 months, 1 week

2
7
0 0

Linux 6.10.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.10.7 kernel. All users of the 6.10 kernel series must upgrade. The updated 6.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 3 Makefile | 4 arch/arm64/kernel/acpi_numa.c | 2 arch/arm64/kernel/setup.c | 3 arch/arm64/kernel/smp.c | 2 arch/arm64/kvm/sys_regs.c | 6 arch/arm64/kvm/vgic/vgic-debug.c | 2 arch/arm64/kvm/vgic/vgic.h | 7 arch/mips/kernel/cpu-probe.c | 4 arch/powerpc/include/asm/topology.h | 13 arch/riscv/kernel/traps.c | 4 arch/riscv/mm/init.c | 4 arch/s390/boot/startup.c | 55 +-- arch/s390/boot/vmem.c | 14 arch/s390/boot/vmlinux.lds.S | 7 arch/s390/include/asm/page.h | 3 arch/s390/include/asm/uv.h | 5 arch/s390/kernel/vmlinux.lds.S | 2 arch/s390/kvm/kvm-s390.h | 7 arch/s390/tools/relocs.c | 2 block/blk-mq-tag.c | 5 drivers/acpi/acpica/acevents.h | 6 drivers/acpi/acpica/evregion.c | 12 drivers/acpi/acpica/evxfregn.c | 64 --- drivers/acpi/ec.c | 14 drivers/acpi/internal.h | 1 drivers/acpi/scan.c | 2 drivers/acpi/video_detect.c | 22 + drivers/ata/pata_macio.c | 23 - drivers/atm/idt77252.c | 9 drivers/bluetooth/btintel.c | 10 drivers/bluetooth/btintel_pcie.c | 3 drivers/bluetooth/btmtksdio.c | 3 drivers/bluetooth/btrtl.c | 1 drivers/bluetooth/btusb.c | 4 drivers/bluetooth/hci_qca.c | 4 drivers/bluetooth/hci_vhci.c | 2 drivers/char/xillybus/xillyusb.c | 42 +- drivers/gpio/gpio-mlxbf3.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 63 +++ drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 7 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 1 drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 18 - drivers/gpu/drm/amd/amdgpu/soc15d.h | 6 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 32 + drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 4 drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c | 3 drivers/gpu/drm/i915/display/intel_dp_hdcp.c | 4 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 4 drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 20 - drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 drivers/gpu/drm/msm/dp/dp_panel.c | 19 - drivers/gpu/drm/msm/msm_mdss.c | 2 drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 drivers/gpu/drm/v3d/v3d_sched.c | 14 drivers/gpu/drm/xe/display/xe_display.c | 6 drivers/gpu/drm/xe/xe_device.c | 4 drivers/gpu/drm/xe/xe_exec_queue.c | 19 - drivers/gpu/drm/xe/xe_exec_queue_types.h | 10 drivers/gpu/drm/xe/xe_gt_pagefault.c | 18 - drivers/gpu/drm/xe/xe_guc_submit.c | 8 drivers/gpu/drm/xe/xe_hw_fence.c | 59 ++- drivers/gpu/drm/xe/xe_hw_fence.h | 7 drivers/gpu/drm/xe/xe_lrc.c | 48 ++ drivers/gpu/drm/xe/xe_lrc.h | 3 drivers/gpu/drm/xe/xe_mmio.c | 41 +- drivers/gpu/drm/xe/xe_mmio.h | 2 drivers/gpu/drm/xe/xe_ring_ops.c | 22 - drivers/gpu/drm/xe/xe_sched_job.c | 180 +++++----- drivers/gpu/drm/xe/xe_sched_job.h | 7 drivers/gpu/drm/xe/xe_sched_job_types.h | 20 + drivers/gpu/drm/xe/xe_trace.h | 11 drivers/hid/wacom_wac.c | 4 drivers/i2c/busses/i2c-qcom-geni.c | 4 drivers/i2c/busses/i2c-tegra.c | 4 drivers/input/input-mt.c | 3 drivers/input/serio/i8042-acpipnpio.h | 20 - drivers/input/serio/i8042.c | 10 drivers/iommu/io-pgfault.c | 1 drivers/iommu/iommufd/device.c | 2 drivers/md/dm-ioctl.c | 22 + drivers/md/dm.c | 4 drivers/md/persistent-data/dm-space-map-metadata.c | 4 drivers/md/raid1.c | 14 drivers/misc/fastrpc.c | 22 - drivers/mmc/core/mmc_test.c | 9 drivers/mmc/host/dw_mmc.c | 8 drivers/mmc/host/mtk-sd.c | 8 drivers/net/bonding/bond_main.c | 21 - drivers/net/bonding/bond_options.c | 2 drivers/net/dsa/microchip/ksz_ptp.c | 5 drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 drivers/net/dsa/ocelot/felix.c | 11 drivers/net/dsa/vitesse-vsc73xx-core.c | 45 ++ drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 drivers/net/ethernet/intel/ice/devlink/devlink_port.c | 4 drivers/net/ethernet/intel/ice/ice_base.c | 21 + drivers/net/ethernet/intel/ice/ice_txrx.c | 47 -- drivers/net/ethernet/intel/igb/igb_main.c | 1 drivers/net/ethernet/intel/igc/igc_defines.h | 6 drivers/net/ethernet/intel/igc/igc_main.c | 8 drivers/net/ethernet/intel/igc/igc_tsn.c | 76 +++- drivers/net/ethernet/intel/igc/igc_tsn.h | 1 drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 - drivers/net/ethernet/mediatek/mtk_wed.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 13 drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec_fs_roce.c | 6 drivers/net/ethernet/mellanox/mlx5/core/lib/sd.c | 18 - drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 8 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 ++ drivers/net/ethernet/microsoft/mana/mana_en.c | 30 + drivers/net/ethernet/mscc/ocelot.c | 91 ++++- drivers/net/ethernet/mscc/ocelot_fdma.c | 3 drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 8 drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 - drivers/net/gtp.c | 3 drivers/net/wireless/ath/ath12k/dp_tx.c | 72 ++++ drivers/net/wireless/ath/ath12k/hw.c | 6 drivers/net/wireless/ath/ath12k/hw.h | 4 drivers/net/wireless/ath/ath12k/mac.c | 1 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 drivers/nvme/host/core.c | 2 drivers/platform/surface/aggregator/controller.c | 3 drivers/platform/x86/dell/Kconfig | 1 drivers/platform/x86/dell/dell-uart-backlight.c | 8 drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 3 drivers/pmdomain/imx/imx93-pd.c | 5 drivers/pmdomain/imx/scu-pd.c | 5 drivers/s390/block/dasd.c | 36 +- drivers/s390/block/dasd_3990_erp.c | 10 drivers/s390/block/dasd_eckd.c | 55 +-- drivers/s390/block/dasd_genhd.c | 1 drivers/s390/block/dasd_int.h | 2 drivers/s390/crypto/ap_bus.c | 7 drivers/spi/spi-cadence-quadspi.c | 14 drivers/staging/media/atomisp/pci/ia_css_stream_public.h | 8 drivers/staging/media/atomisp/pci/sh_css_internal.h | 19 - drivers/thermal/gov_bang_bang.c | 87 +++- drivers/thermal/thermal_core.c | 3 drivers/thermal/thermal_debugfs.c | 6 drivers/thermal/thermal_of.c | 23 - drivers/thunderbolt/switch.c | 1 drivers/tty/serial/8250/8250_omap.c | 33 - drivers/tty/serial/atmel_serial.c | 2 drivers/tty/serial/fsl_lpuart.c | 1 drivers/tty/vt/conmakehash.c | 12 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci.c | 8 drivers/usb/misc/usb-ljca.c | 1 drivers/usb/typec/tcpm/tcpm.c | 1 fs/btrfs/delayed-ref.c | 67 +++ fs/btrfs/delayed-ref.h | 2 fs/btrfs/extent-tree.c | 51 ++ fs/btrfs/extent_io.c | 14 fs/btrfs/extent_map.c | 22 - fs/btrfs/free-space-cache.c | 14 fs/btrfs/send.c | 52 ++ fs/btrfs/super.c | 18 - fs/btrfs/tree-checker.c | 74 ++++ fs/ceph/addr.c | 19 + fs/file.c | 30 - fs/fuse/dev.c | 6 fs/inode.c | 39 ++ fs/libfs.c | 35 + fs/locks.c | 2 fs/netfs/buffered_read.c | 8 fs/netfs/buffered_write.c | 2 fs/netfs/fscache_cookie.c | 4 fs/netfs/io.c | 144 ++++++++ fs/smb/client/cifsglob.h | 17 fs/smb/client/file.c | 55 ++- fs/smb/client/reparse.c | 11 fs/smb/client/smb1ops.c | 2 fs/smb/client/smb2ops.c | 42 ++ fs/smb/client/smb2pdu.c | 40 ++ fs/smb/client/trace.h | 55 +++ fs/smb/client/transport.c | 8 fs/smb/server/connection.c | 34 + fs/smb/server/connection.h | 3 fs/smb/server/mgmt/user_session.c | 8 fs/smb/server/smb2pdu.c | 5 include/acpi/acpixf.h | 5 include/acpi/video.h | 1 include/asm-generic/vmlinux.lds.h | 19 - include/linux/bitmap.h | 12 include/linux/bpf_verifier.h | 4 include/linux/dsa/ocelot.h | 47 ++ include/linux/fs.h | 5 include/linux/hugetlb.h | 33 + include/linux/io_uring_types.h | 2 include/linux/mm.h | 11 include/linux/panic.h | 1 include/linux/pgalloc_tag.h | 13 include/linux/thermal.h | 1 include/net/af_vsock.h | 4 include/net/bluetooth/hci.h | 17 include/net/bluetooth/hci_core.h | 2 include/net/kcm.h | 1 include/net/mana/mana.h | 1 include/scsi/scsi_cmnd.h | 2 include/soc/mscc/ocelot.h | 12 include/trace/events/netfs.h | 1 include/uapi/misc/fastrpc.h | 3 init/Kconfig | 25 - io_uring/io_uring.h | 2 io_uring/kbuf.c | 9 io_uring/napi.c | 50 +- io_uring/napi.h | 2 kernel/bpf/verifier.c | 5 kernel/cgroup/cpuset.c | 5 kernel/cpu.c | 12 kernel/events/core.c | 3 kernel/kallsyms.c | 60 --- kernel/kallsyms_internal.h | 6 kernel/kallsyms_selftest.c | 22 - kernel/panic.c | 8 kernel/printk/printk.c | 2 kernel/trace/trace.c | 2 kernel/vmcore_info.c | 4 kernel/workqueue.c | 47 +- mm/huge_memory.c | 29 - mm/memcontrol.c | 7 mm/memory-failure.c | 20 - mm/memory.c | 33 - mm/mm_init.c | 12 mm/mseal.c | 14 mm/page_alloc.c | 51 +- mm/vmalloc.c | 11 net/bluetooth/hci_core.c | 19 - net/bluetooth/hci_event.c | 2 net/bluetooth/mgmt.c | 4 net/bluetooth/smp.c | 144 ++++---- net/bridge/br_netfilter_hooks.c | 6 net/dsa/tag_ocelot.c | 37 -- net/ipv4/tcp_input.c | 28 - net/ipv4/tcp_ipv4.c | 14 net/ipv4/udp_offload.c | 3 net/ipv6/ip6_output.c | 10 net/ipv6/ip6_tunnel.c | 12 net/ipv6/netfilter/nf_conntrack_reasm.c | 4 net/iucv/iucv.c | 4 net/kcm/kcmsock.c | 4 net/mctp/test/route-test.c | 2 net/mptcp/diag.c | 2 net/mptcp/pm.c | 13 net/mptcp/pm_netlink.c | 142 +++++-- net/mptcp/protocol.h | 3 net/netfilter/nf_flow_table_inet.c | 3 net/netfilter/nf_flow_table_ip.c | 3 net/netfilter/nf_flow_table_offload.c | 2 net/netfilter/nf_tables_api.c | 147 +++++--- net/netfilter/nfnetlink.c | 5 net/netfilter/nfnetlink_queue.c | 35 + net/netfilter/nft_counter.c | 9 net/openvswitch/datapath.c | 2 net/sched/sch_netem.c | 47 +- net/vmw_vsock/af_vsock.c | 50 +- net/vmw_vsock/vsock_bpf.c | 4 scripts/kallsyms.c | 111 +----- scripts/link-vmlinux.sh | 106 +++-- scripts/rust_is_available.sh | 6 security/keys/trusted-keys/trusted_dcp.c | 35 + security/selinux/avc.c | 8 security/selinux/hooks.c | 12 sound/core/timer.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/pci/hda/tas2781_hda_i2c.c | 14 sound/usb/quirks-table.h | 1 sound/usb/quirks.c | 2 tools/perf/tests/vmlinux-kallsyms.c | 1 tools/testing/selftests/bpf/progs/iters.c | 54 +++ tools/testing/selftests/core/close_range_test.c | 35 + tools/testing/selftests/drivers/net/mlxsw/ethtool_lanes.sh | 3 tools/testing/selftests/mm/Makefile | 2 tools/testing/selftests/mm/run_vmtests.sh | 3 tools/testing/selftests/net/af_unix/msg_oob.c | 2 tools/testing/selftests/net/lib.sh | 11 tools/testing/selftests/net/mptcp/mptcp_join.sh | 28 + tools/testing/selftests/net/udpgro.sh | 53 +- tools/testing/selftests/tc-testing/tdc.py | 1 tools/tracing/rtla/src/osnoise_top.c | 11 302 files changed, 3441 insertions(+), 1720 deletions(-) Abhinav Jain (1): selftest: af_unix: Fix kselftest compilation warnings Abhinav Kumar (4): drm/msm/dp: fix the max supported bpp logic drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() drm/msm/dp: reset the link phy params before link training drm/msm: fix the highest_bank_bit for sc7180 Al Viro (2): fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE memcg_write_event_control(): fix a user-triggerable oops Alex Deucher (3): drm/amdgpu/jpeg2: properly set atomics vmid field drm/amdgpu/jpeg4: properly set atomics vmid field drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 Alexander Gordeev (2): s390/boot: Avoid possible physmem_info segment corruption s390/boot: Fix KASLR base offset off by __START_KERNEL bytes Alexander Stein (1): pmdomain: imx: scu-pd: Remove duplicated clocks Alexandra Winter (1): s390/iucv: Fix vargs handling in iucv_alloc_device() Alexandre Courbot (1): Makefile: add $(srctree) to dependency of compile_commands.json target Andi Shyti (1): i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Asmaa Mnebhi (1): gpio: mlxbf3: Support shutdown() function Baochen Qiang (1): wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850 Baojun Xu (1): ALSA: hda/tas2781: fix wrong calibrated data order Barak Biber (1): iommu: Restore lost return in iommu_report_device_fault() Bas Nieuwenhuizen (1): drm/amdgpu: Actually check flags for all context ops. Ben Whitten (1): mmc: dw_mmc: allow biu and ciu clocks to defer Bharat Bhushan (1): octeontx2-af: Fix CPT AF register offset calculation Boyuan Zhang (2): drm/amdgpu/vcn: identify unified queue in sw init drm/amdgpu/vcn: not pause dpg for unified queue Breno Leitao (1): i2c: tegra: Do not mark ACPI devices as irq safe Candice Li (1): drm/amdgpu: Validate TA binary size Carolina Jubran (1): net/mlx5e: XPS, Fix oversight of Multi-PF Netdev changes Celeste Liu (1): riscv: entry: always initialize regs->a0 to -ENOSYS Chaotian Jing (1): scsi: core: Fix the return value of scsi_logical_block_count() Chen Ridong (1): cgroup/cpuset: fix panic caused by partcmd_update Christian Brauner (2): pidfd: prevent creation of pidfds for kthreads Revert "pidfd: prevent creation of pidfds for kthreads" Claudio Imbrenda (1): s390/uv: Panic for set and remove shared access UVC errors Cong Wang (1): vsock: fix recursive ->recvmsg calls Cosmin Ratiu (1): net/mlx5e: Correctly report errors for ethtool rx flows Dan Carpenter (4): rtla/osnoise: Prevent NULL dereference in error handling atm: idt77252: prevent use after free in dequeue_rx() dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() mmc: mmc_test: Fix NULL dereference on allocation failure Dave Airlie (1): nouveau/firmware: use dma non-coherent allocator David (Ming Qiang) Wu (1): drm/amd/amdgpu: command submission parser for JPEG David Gstir (2): KEYS: trusted: fix DCP blob payload length assignment KEYS: trusted: dcp: fix leak of blob encryption key David Hildenbrand (1): mm/hugetlb: fix hugetlb vs. core-mm PT locking David Howells (2): netfs, ceph: Revert "netfs: Remove deprecated use of PG_private_2 as a second writeback flag" cifs: Add a tracepoint to track credits involved in R/W requests David Thompson (1): mlxbf_gige: disable RX filters until RX path initialized Dmitry Baryshkov (5): drm/msm/dpu: don't play tricks with debug macros drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails drm/msm/dpu: limit QCM2290 to RGB formats only drm/msm/dpu: relax YUV requirements drm/msm/dpu: take plane rotation into account for wide planes Donald Hunter (2): netfilter: nfnetlink: Initialise extack before use in ACKs netfilter: flowtable: initialise extack before use Dragos Tatulea (1): net/mlx5e: Take state lock during tx timeout reporter Eli Billauer (3): char: xillybus: Don't destroy workqueue from work item running on it char: xillybus: Refine workqueue handling char: xillybus: Check USB endpoints when probing device Eric Dumazet (4): gtp: pull network headers in gtp_dev_xmit() ipv6: prevent UAF in ip6_send_skb() ipv6: fix possible UAF in ip6_finish_output2() ipv6: prevent possible UAF in ip6_xmit() Eric Farman (1): s390/dasd: Remove DMA alignment Eugene Syromiatnikov (1): mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Faizal Rahim (4): igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer igc: Fix qbv_config_change_errors logics igc: Fix reset adapter logics when tx mode change igc: Fix qbv tx latency by setting gtxoffset Felix Fietkau (1): udp: fix receiving fraglist GSO packets Filipe Manana (2): btrfs: send: allow cloning non-aligned extent if it ends at i_size btrfs: only run the extent map shrinker from kswapd tasks Florian Westphal (2): netfilter: nf_queue: drop packets with cloned unconfirmed conntracks tcp: prevent concurrent execution of tcp_sk_exit_batch Greg Kroah-Hartman (1): Linux 6.10.7 Griffin Kroah-Hartman (3): Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Revert "serial: 8250_omap: Set the console genpd always on if no console suspend" Bluetooth: MGMT: Add error handling to pair_device() Haibo Xu (1): arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Hailong Liu (1): mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Haiyang Zhang (1): net: mana: Fix RX buf alloc_size alignment and atomic op panic Hamza Mahfooz (1): drm/amd/display: fix s2idle entry for DCN3.5+ Hangbin Liu (2): selftests: udpgro: report error when receive failed selftests: udpgro: no need to load xdp for gro Hans de Goede (5): usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[] media: atomisp: Fix streaming no longer working on BYT / ISP2400 devices ACPI: video: Add Dell UART backlight controller detection ACPI: video: Add backlight=native quirk for Dell OptiPlex 7760 AIO platform/x86: dell-uart-backlight: Use acpi_video_get_backlight_type() Harald Freudenberger (1): s390/ap: Refine AP bus bindings complete processing Ido Schimmel (1): selftests: mlxsw: ethtool_lanes: Source ethtool lib from correct path Jann Horn (2): fuse: Initialize beyond-EOF page contents before setting uptodate kallsyms: get rid of code for absolute kallsyms Janne Grunau (1): wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Jason Gerecke (1): HID: wacom: Defer calculation of resolution until resolution_code is known Jens Axboe (1): io_uring/kbuf: sanitize peek buffer setup Jeremy Kerr (1): net: mctp: test: Use correct skb for route input check Jiaxun Yang (1): MIPS: Loongson64: Set timer mode in cpu-probe Jie Wang (2): net: hns3: fix wrong use of semaphore up net: hns3: fix a deadlock problem when config TC during resetting Josef Bacik (1): btrfs: check delayed refs when we're checking if a ref exists Joseph Huang (1): net: dsa: mv88e6xxx: Fix out-of-bound access Juan José Arboleda (1): ALSA: usb-audio: Support Yamaha P-125 quirk entry Khazhismel Kumykov (1): dm resume: don't return EINVAL when signalled Kirill A. Shutemov (1): mm: fix endless reclaim on machines with unaccepted memory Krzysztof Kozlowski (3): thermal: of: Fix OF node leak in thermal_of_trips_init() error path thermal: of: Fix OF node leak in thermal_of_zone_register() thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Kuniyuki Iwashima (1): kcm: Serialise kcm_sendmsg() for the same socket. Kyle Huey (1): perf/bpf: Don't call bpf_overflow_handler() for tracing events Leon Hwang (1): bpf: Fix updating attached freplace prog in prog_array map Li Lingfeng (1): block: Fix lockdep warning in blk_mq_mark_tag_wait Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Loan Chen (1): drm/amd/display: Enable otg synchronization logic for DCN321 Long Li (1): net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Lucas De Marchi (1): drm/xe: Fix opregion leak Luiz Augusto von Dentz (3): Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in Bluetooth: hci_core: Fix LE quote calculation Bluetooth: SMP: Fix assumption of Central always being Initiator Maciej Fijalkowski (3): ice: fix page reuse when PAGE_SIZE is over 8k ice: fix ICE_LAST_OFFSET formula ice: fix truesize operations for PAGE_SIZE >= 8192 Marc Zyngier (2): usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Mario Limonciello (1): drm/amd/display: Don't register panel_power_savings on OLED panels Martin Whitaker (1): net: dsa: microchip: fix PTP config failure when using multiple ports Masahiro Yamada (7): tty: vt: conmakehash: remove non-portable code printing comment header kbuild: refactor variables in scripts/link-vmlinux.sh kbuild: remove PROVIDE() for kallsyms symbols rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT kbuild: merge temporary vmlinux for BTF and kallsyms kbuild: avoid scripts/kallsyms parsing /dev/null Mathias Nyman (1): xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Mathieu Othacehe (1): tty: atmel_serial: use the correct RTS flag. Matthew Auld (3): drm/xe/display: stop calling domains_driver_remove twice drm/xe/mmio: move mmio_fini over to devm drm/xe: reset mmio mappings with devm Matthew Brost (4): drm/xe: Fix tile fini sequence drm/xe: Decouple job seqno and lrc seqno drm/xe: Free job before xe_exec_queue_put drm/xe: Do not dereference NULL job->fence in trace points Matthew Wilcox (Oracle) (1): netfs: Fault in smaller chunks for non-large folio mappings Matthieu Baerts (NGI0) (14): selftests: net: lib: ignore possible errors selftests: net: lib: kill PIDs before del netns mptcp: pm: re-using ID of unused removed ADD_ADDR mptcp: pm: re-using ID of unused removed subflows mptcp: pm: re-using ID of unused flushed subflows mptcp: pm: remove mptcp_pm_remove_subflow() mptcp: pm: only mark 'subflow' endp as available mptcp: pm: only decrement add_addr_accepted for MPJ req mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR mptcp: pm: only in-kernel cannot have entries with ID 0 mptcp: pm: fullmesh: select the right ID later mptcp: pm: avoid possible UaF when selecting endp selftests: mptcp: join: validate fullmesh endp on 1st sf selftests: mptcp: join: check re-using ID of closed subflow Max Kellermann (1): fs/netfs/fscache_cookie: add missing "n_accesses" check Maximilian Luz (1): platform/surface: aggregator: Fix warning when controller is destroyed in probe Maíra Canal (1): drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()` Melissa Wen (1): drm/amd/display: fix cursor offset on rotation 180 Menglong Dong (1): net: ovs: fix ovs_drop_reasons error Mengqi Zhang (1): mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Mengyuan Lou (1): net: ngbe: Fix phy mode set to external phy Michael Ellerman (1): ata: pata_macio: Fix DMA table overflow Michael Mueller (1): KVM: s390: fix validity interception issue when gisa is switched off Michal Swiatkowski (1): ice: use internal pf id instead of function number Miguel Ojeda (1): rust: work around `bindgen` 0.69.0 issue Mika Westerberg (1): thunderbolt: Mark XDomain as unplugged when router is removed Mikulas Patocka (2): dm persistent data: fix memory allocation failure dm suspend: return -ERESTARTSYS instead of -EINTR Ming Lei (1): nvme: move stopping keep-alive into nvme_uninit_ctrl() Muhammad Usama Anjum (1): selftests: memfd_secret: don't build memfd_secret test on unsupported arches Nam Cao (1): riscv: change XIP's kernel_map.size to be size of the entire kernel Namjae Jeon (2): ksmbd: the buffer of smb2 query dir response has at least 1 byte ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Naohiro Aota (2): btrfs: zoned: properly take lock to read/update block group's zoned variables btrfs: fix invalid mapping of extent xarray state Nicolin Chen (1): iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace() Nikolay Aleksandrov (4): bonding: fix bond_ipsec_offload_ok return type bonding: fix null pointer deref in bond_ipsec_offload_ok bonding: fix xfrm real_dev null pointer dereference bonding: fix xfrm state handling when clearing active slave Nikolay Kuratov (1): cxgb4: add forgotten u64 ivlan cast before shift Nysal Jan K.A (2): cpu/SMT: Enable SMT only if a core is online powerpc/topology: Check if a core is online Olivier Langlois (1): io_uring/napi: check napi_enabled in io_napi_add() before proceeding Omar Sandoval (1): filelock: fix name of file_lease slab cache Pablo Neira Ayuso (1): netfilter: flowtable: validate vlan header Paolo Abeni (1): igb: cope with large MAX_SKB_FRAGS Parsa Poorshikhian (1): ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Patrisious Haddad (1): net/mlx5: Fix IPsec RoCE MPV trace call Paul Moore (1): selinux: revert our use of vma_is_initial_heap() Paulo Alcantara (1): smb: client: ignore unhandled reparse tags Pavel Begunkov (1): io_uring/napi: use ktime in busy polling Pawel Dembicki (3): net: dsa: vsc73xx: fix port MAC configuration in full duplex mode net: dsa: vsc73xx: pass value in phy_write operation net: dsa: vsc73xx: check busy flag in MDIO operations Pedro Falcato (1): mseal: fix is_madv_discard() Peiyang Wang (1): net: hns3: use the user's cfg after reset Peng Fan (2): tty: serial: fsl_lpuart: mark last busy before uart_add_one_port pmdomain: imx: wait SSAR when i.MX93 power domain on Phil Sutter (3): netfilter: nf_tables: Audit log dump reset after the fact netfilter: nf_tables: Introduce nf_tables_getobj_single netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Qu Wenruo (3): btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type btrfs: tree-checker: add dev extent item checks btrfs: only enable extent map shrinker for DEBUG builds Radhey Shyam Pandey (1): net: axienet: Fix register defines comment description Rafael J. Wysocki (8): Revert "ACPI: EC: Evaluate orphan _REG under EC device" thermal: gov_bang_bang: Call __thermal_cdev_update() directly ACPICA: Add a depth argument to acpi_execute_reg_methods() ACPI: EC: Evaluate _REG outside the EC scope more carefully thermal: gov_bang_bang: Drop unnecessary cooling device target state checks thermal: gov_bang_bang: Split bang_bang_control() thermal: gov_bang_bang: Add .manage() callback thermal: gov_bang_bang: Use governor_data to reduce overhead Rodrigo Siqueira (1): drm/amd/display: Adjust cursor position Rodrigo Vivi (1): drm/xe: Relax runtime pm protection during execution Ryo Takakura (1): printk/panic: Allow cpu backtraces to be written into ringbuffer during panic Samuel Holland (1): arm64: Fix KASAN random tag seed initialization Sean Anderson (2): net: xilinx: axienet: Always disable promiscuous mode net: xilinx: axienet: Fix dangling multicast addresses Sebastian Andrzej Siewior (2): netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Simon Horman (1): tc-testing: don't access non-existent variable on exception Somnath Kotur (1): bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Song Liu (2): kallsyms: Do not cleanup .llvm.<hash> suffix before sorting symbols kallsyms: Match symbols exactly with CONFIG_LTO_CLANG Srinivas Pandruvada (1): platform/x86: ISST: Fix return value on last invalid resource Stefan Haberland (1): s390/dasd: fix error recovery leading to data corruption on ESE devices Stephen Hemminger (1): netem: fix return value if duplicate enqueue fails Steve French (2): smb3: fix lock breakage for cached writes smb3: fix broken cached reads when posix locks Steven Rostedt (1): tracing: Return from tracing_buffers_read() if the file has been closed Stuart Summers (1): drm/xe: Fix missing workqueue destroy in xe_gt_pagefault Su Hui (1): smb/client: avoid possible NULL dereference in cifs_free_subrequest() Subash Abhinov Kasiviswanathan (1): tcp: Update window clamping condition Suraj Kandpal (1): drm/i915/hdcp: Use correct cp_irq_count Suren Baghdasaryan (2): alloc_tag: mark pages reserved during CMA activation as not tagged alloc_tag: introduce clear_page_tag_ref() helper function Takashi Iwai (2): ALSA: timer: Relax start tick time check for slave timer elements ALSA: hda/tas2781: Use correct endian conversion Tariq Toukan (1): net/mlx5: SD, Do not query MPIR register if no sd_group Tejun Heo (1): workqueue: Fix spruious data race in __flush_work() Tetsuo Handa (1): Input: MT - limit max slots Thomas Bogendoerfer (1): ip6_tunnel: Fix broken GRO Thomas Hellström (2): drm/xe: Split lrc seqno fence creation up drm/xe: Don't initialize fences at xe_sched_job_create() Thorsten Blum (1): io_uring/napi: Remove unnecessary s64 cast Tom Hughes (1): netfilter: allow ipv6 fragments to arrive on different devices Vignesh Raghavendra (1): spi: spi-cadence-quadspi: Fix OSPI NOR failures during system resume Vladimir Oltean (3): net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" net: mscc: ocelot: serialize access to the injection/extraction groups Waiman Long (2): mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if cpus.exclusive not set Werner Sembach (2): Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Will Deacon (1): workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask() Xu Yang (1): Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Yang Ruibin (1): thermal/debugfs: Fix the NULL vs IS_ERR() confusion in debugfs_create_dir() Yonghong Song (2): bpf: Fix a kernel verifier crash in stacksafe() selftests/bpf: Add a test to verify previous stacksafe() fix Yu Kuai (1): md/raid1: Fix data corruption for degraded array with slow disk Zenghui Yu (1): KVM: arm64: vgic-debug: Don't put unmarked LPIs Zhen Lei (2): selinux: fix potential counting error in avc_add_xperms_decision() selinux: add the processing of the failure of avc_add_xperms_decision() Zheng Zhang (1): net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Zhihao Cheng (1): vfs: Don't evict inode under the inode lru traversing context Zi Yan (2): mm/numa: no task_numa_fault() call if PMD is changed mm/numa: no task_numa_fault() call if PTE is changed yangerkun (1): libfs: fix infinite directory reads for offset dir

8 months, 1 week

1
1
0 0

Linux 6.6.48

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.48 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 3 Makefile | 2 arch/alpha/kernel/pci_iommu.c | 2 arch/arm64/kernel/acpi_numa.c | 2 arch/arm64/kernel/setup.c | 3 arch/arm64/kernel/smp.c | 2 arch/arm64/kvm/sys_regs.c | 6 arch/arm64/kvm/vgic/vgic.h | 7 arch/mips/jazz/jazzdma.c | 2 arch/mips/kernel/cpu-probe.c | 4 arch/openrisc/kernel/setup.c | 6 arch/parisc/kernel/irq.c | 4 arch/powerpc/boot/simple_alloc.c | 7 arch/powerpc/include/asm/topology.h | 13 arch/powerpc/kernel/dma-iommu.c | 2 arch/powerpc/platforms/ps3/system-bus.c | 4 arch/powerpc/platforms/pseries/papr-sysparm.c | 47 ++ arch/powerpc/platforms/pseries/vio.c | 2 arch/powerpc/sysdev/xics/icp-native.c | 2 arch/riscv/include/asm/asm.h | 10 arch/riscv/kernel/entry.S | 3 arch/riscv/kernel/traps.c | 3 arch/riscv/mm/init.c | 4 arch/s390/include/asm/uv.h | 5 arch/s390/kernel/early.c | 12 arch/s390/kernel/smp.c | 4 arch/s390/kvm/kvm-s390.h | 7 arch/x86/kernel/amd_gart_64.c | 2 arch/x86/kernel/process.c | 5 block/blk-mq-tag.c | 5 drivers/accel/habanalabs/common/debugfs.c | 14 drivers/accel/habanalabs/common/irq.c | 3 drivers/accel/habanalabs/common/memory.c | 15 drivers/accel/habanalabs/gaudi2/gaudi2_security.c | 1 drivers/acpi/acpica/acevents.h | 6 drivers/acpi/acpica/evregion.c | 12 drivers/acpi/acpica/evxfregn.c | 64 --- drivers/acpi/ec.c | 14 drivers/acpi/internal.h | 1 drivers/acpi/scan.c | 2 drivers/atm/idt77252.c | 9 drivers/char/xillybus/xillyusb.c | 42 +- drivers/clk/visconti/pll.c | 6 drivers/clocksource/arm_global_timer.c | 11 drivers/edac/skx_common.c | 4 drivers/firmware/cirrus/cs_dsp.c | 7 drivers/gpio/gpio-mlxbf3.c | 14 drivers/gpio/gpiolib-sysfs.c | 15 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 40 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 13 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 13 drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 63 +++ drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 6 drivers/gpu/drm/amd/amdgpu/soc15d.h | 6 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 22 - drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 4 drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 3 drivers/gpu/drm/amd/pm/amdgpu_pm.c | 14 drivers/gpu/drm/bridge/tc358768.c | 213 ++++++++++- drivers/gpu/drm/lima/lima_gp.c | 12 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 96 +++-- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h | 22 - drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys.h | 9 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 43 -- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 22 - drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 21 - drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 23 + drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 drivers/gpu/drm/msm/dp/dp_panel.c | 19 - drivers/gpu/drm/msm/msm_drv.h | 12 drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 drivers/gpu/drm/msm/msm_mdss.c | 84 +++- drivers/gpu/drm/msm/msm_mdss.h | 1 drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 drivers/gpu/drm/panel/panel-novatek-nt36523.c | 6 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 drivers/gpu/drm/tegra/gem.c | 2 drivers/hid/wacom_wac.c | 4 drivers/hwmon/ltc2992.c | 8 drivers/hwmon/pc87360.c | 6 drivers/i2c/busses/i2c-qcom-geni.c | 4 drivers/i2c/busses/i2c-riic.c | 2 drivers/i2c/busses/i2c-stm32f7.c | 51 ++ drivers/i2c/busses/i2c-tegra.c | 4 drivers/i3c/master/mipi-i3c-hci/dma.c | 5 drivers/infiniband/hw/hfi1/chip.c | 5 drivers/infiniband/ulp/rtrs/rtrs.c | 2 drivers/input/input-mt.c | 3 drivers/input/serio/i8042-acpipnpio.h | 20 - drivers/input/serio/i8042.c | 10 drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 drivers/iommu/dma-iommu.c | 2 drivers/irqchip/irq-gic-v3-its.c | 2 drivers/irqchip/irq-renesas-rzg2l.c | 5 drivers/md/dm-clone-metadata.c | 5 drivers/md/dm-ioctl.c | 22 + drivers/md/dm.c | 4 drivers/md/md.c | 5 drivers/md/persistent-data/dm-space-map-metadata.c | 4 drivers/md/raid5-cache.c | 47 +- drivers/media/dvb-core/dvb_frontend.c | 12 drivers/media/pci/cx23885/cx23885-video.c | 8 drivers/media/platform/qcom/venus/pm_helpers.c | 2 drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 drivers/media/radio/radio-isa.c | 2 drivers/memory/stm32-fmc2-ebi.c | 122 ++++-- drivers/memory/tegra/tegra186.c | 3 drivers/misc/fastrpc.c | 22 - drivers/mmc/core/mmc_test.c | 9 drivers/mmc/host/dw_mmc.c | 8 drivers/mmc/host/mtk-sd.c | 8 drivers/net/bonding/bond_main.c | 21 - drivers/net/bonding/bond_options.c | 2 drivers/net/dsa/microchip/ksz_ptp.c | 5 drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 drivers/net/dsa/ocelot/felix.c | 11 drivers/net/dsa/vitesse-vsc73xx-core.c | 69 ++- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 drivers/net/ethernet/i825xx/sun3_82586.c | 2 drivers/net/ethernet/intel/ice/ice_base.c | 21 + drivers/net/ethernet/intel/ice/ice_txrx.c | 47 -- drivers/net/ethernet/intel/igb/igb_main.c | 1 drivers/net/ethernet/intel/igc/igc_defines.h | 6 drivers/net/ethernet/intel/igc/igc_main.c | 8 drivers/net/ethernet/intel/igc/igc_tsn.c | 76 +++- drivers/net/ethernet/intel/igc/igc_tsn.h | 1 drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 - drivers/net/ethernet/mediatek/mtk_wed.c | 6 drivers/net/ethernet/mediatek/mtk_wed_mcu.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 8 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 ++ drivers/net/ethernet/microsoft/mana/mana_en.c | 30 + drivers/net/ethernet/mscc/ocelot.c | 91 ++++- drivers/net/ethernet/mscc/ocelot_fdma.c | 3 drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 drivers/net/ethernet/pensando/ionic/ionic_bus_pci.c | 9 drivers/net/ethernet/pensando/ionic/ionic_dev.c | 33 + drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 7 drivers/net/ethernet/pensando/ionic/ionic_fw.c | 5 drivers/net/ethernet/pensando/ionic/ionic_main.c | 3 drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 6 drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 - drivers/net/gtp.c | 3 drivers/net/wireless/ath/ath11k/mac.c | 44 +- drivers/net/wireless/ath/ath12k/mac.c | 27 + drivers/net/wireless/ath/ath12k/qmi.c | 7 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 6 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 3 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 7 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 drivers/net/wireless/mediatek/mt76/mac80211.c | 50 ++ drivers/net/wireless/mediatek/mt76/mt76.h | 24 - drivers/net/wireless/mediatek/mt76/mt7603/main.c | 4 drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/net/wireless/mediatek/mt76/mt792x_core.c | 2 drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 drivers/net/wireless/mediatek/mt76/tx.c | 108 ++++-- drivers/net/wireless/st/cw1200/txrx.c | 2 drivers/nvme/host/core.c | 107 +++-- drivers/nvme/host/ioctl.c | 15 drivers/nvme/host/multipath.c | 21 - drivers/nvme/host/nvme.h | 4 drivers/nvme/target/rdma.c | 16 drivers/nvme/target/tcp.c | 1 drivers/nvme/target/trace.c | 6 drivers/nvme/target/trace.h | 28 - drivers/parisc/ccio-dma.c | 2 drivers/parisc/sba_iommu.c | 2 drivers/platform/surface/aggregator/controller.c | 3 drivers/platform/x86/intel/ifs/load.c | 9 drivers/platform/x86/lg-laptop.c | 2 drivers/pmdomain/imx/imx93-pd.c | 5 drivers/pmdomain/imx/scu-pd.c | 5 drivers/rtc/rtc-nct3018y.c | 6 drivers/s390/block/dasd.c | 36 +- drivers/s390/block/dasd_3990_erp.c | 10 drivers/s390/block/dasd_diag.c | 1 drivers/s390/block/dasd_eckd.c | 56 +-- drivers/s390/block/dasd_int.h | 2 drivers/s390/cio/idset.c | 12 drivers/scsi/lpfc/lpfc_sli.c | 2 drivers/scsi/scsi_transport_spi.c | 4 drivers/ssb/main.c | 2 drivers/staging/iio/resolver/ad2s1210.c | 7 drivers/staging/ks7010/ks7010_sdio.c | 4 drivers/thunderbolt/switch.c | 1 drivers/tty/serial/atmel_serial.c | 2 drivers/tty/serial/fsl_lpuart.c | 1 drivers/usb/dwc3/core.c | 13 drivers/usb/gadget/udc/fsl_udc_core.c | 2 drivers/usb/host/xhci.c | 8 drivers/usb/typec/tcpm/tcpm.c | 1 drivers/xen/grant-dma-ops.c | 2 drivers/xen/swiotlb-xen.c | 2 fs/afs/file.c | 8 fs/binfmt_elf_fdpic.c | 2 fs/binfmt_misc.c | 216 +++++++++--- fs/btrfs/compression.c | 23 - fs/btrfs/compression.h | 2 fs/btrfs/defrag.c | 2 fs/btrfs/delayed-inode.c | 4 fs/btrfs/disk-io.c | 2 fs/btrfs/extent_io.c | 4 fs/btrfs/free-space-cache.c | 22 - fs/btrfs/inode.c | 24 - fs/btrfs/ioctl.c | 2 fs/btrfs/qgroup.c | 2 fs/btrfs/reflink.c | 6 fs/btrfs/send.c | 71 +++ fs/btrfs/super.c | 2 fs/btrfs/tests/extent-io-tests.c | 28 + fs/btrfs/tree-checker.c | 74 ++++ fs/btrfs/zlib.c | 73 +--- fs/ext4/extents.c | 3 fs/ext4/mballoc.c | 3 fs/f2fs/segment.c | 17 fs/file.c | 30 - fs/fscache/cookie.c | 4 fs/fuse/cuse.c | 3 fs/fuse/dev.c | 6 fs/fuse/fuse_i.h | 1 fs/fuse/inode.c | 15 fs/fuse/virtio_fs.c | 10 fs/gfs2/inode.c | 2 fs/gfs2/super.c | 2 fs/inode.c | 39 ++ fs/jfs/jfs_dinode.h | 2 fs/jfs/jfs_imap.c | 6 fs/jfs/jfs_incore.h | 2 fs/jfs/jfs_txnmgr.c | 4 fs/jfs/jfs_xtree.c | 4 fs/jfs/jfs_xtree.h | 37 +- fs/kernfs/file.c | 8 fs/nfs/pnfs.c | 8 fs/nfsd/nfssvc.c | 14 fs/ntfs3/bitmap.c | 4 fs/ntfs3/fsntfs.c | 2 fs/ntfs3/index.c | 11 fs/ntfs3/ntfs_fs.h | 4 fs/ntfs3/super.c | 2 fs/quota/dquot.c | 5 fs/smb/client/reparse.c | 11 fs/smb/server/connection.c | 34 + fs/smb/server/connection.h | 3 fs/smb/server/mgmt/user_session.c | 8 fs/smb/server/smb2pdu.c | 5 include/acpi/acpixf.h | 5 include/linux/bitmap.h | 20 - include/linux/bpf_verifier.h | 4 include/linux/cpumask.h | 2 include/linux/dma-map-ops.h | 2 include/linux/dsa/ocelot.h | 47 ++ include/linux/evm.h | 6 include/linux/f2fs_fs.h | 1 include/linux/fs.h | 5 include/linux/slab.h | 5 include/net/af_vsock.h | 4 include/net/inet_timewait_sock.h | 2 include/net/kcm.h | 1 include/net/mana/mana.h | 1 include/net/tcp.h | 2 include/scsi/scsi_cmnd.h | 2 include/soc/mscc/ocelot.h | 12 include/uapi/misc/fastrpc.h | 3 init/Kconfig | 7 kernel/bpf/verifier.c | 5 kernel/cgroup/cgroup.c | 4 kernel/cpu.c | 12 kernel/dma/mapping.c | 4 kernel/rcu/rcu.h | 7 kernel/rcu/srcutiny.c | 1 kernel/rcu/srcutree.c | 1 kernel/rcu/tasks.h | 1 kernel/rcu/tiny.c | 1 kernel/rcu/tree.c | 3 kernel/sched/topology.c | 3 kernel/time/clocksource.c | 42 +- kernel/time/hrtimer.c | 5 kernel/time/tick-sched.h | 2 lib/cpumask.c | 4 lib/math/prime_numbers.c | 2 mm/huge_memory.c | 30 - mm/memcontrol.c | 7 mm/memory-failure.c | 20 - mm/memory.c | 33 - mm/page_alloc.c | 42 +- mm/slab_common.c | 41 -- mm/util.c | 4 mm/vmalloc.c | 11 net/bluetooth/bnep/core.c | 3 net/bluetooth/hci_conn.c | 11 net/bluetooth/hci_core.c | 19 - net/bluetooth/mgmt.c | 4 net/bluetooth/smp.c | 144 ++++---- net/bridge/br_netfilter_hooks.c | 6 net/core/sock_map.c | 6 net/dccp/ipv4.c | 2 net/dccp/ipv6.c | 6 net/dsa/tag_ocelot.c | 37 -- net/ipv4/inet_timewait_sock.c | 16 net/ipv4/tcp_input.c | 28 - net/ipv4/tcp_ipv4.c | 16 net/ipv4/tcp_minisocks.c | 7 net/ipv4/udp_offload.c | 3 net/ipv6/ip6_output.c | 10 net/ipv6/ip6_tunnel.c | 12 net/ipv6/netfilter/nf_conntrack_reasm.c | 4 net/ipv6/tcp_ipv6.c | 6 net/iucv/iucv.c | 3 net/kcm/kcmsock.c | 4 net/mac80211/agg-tx.c | 6 net/mac80211/driver-ops.c | 3 net/mac80211/iface.c | 14 net/mac80211/main.c | 22 + net/mac80211/sta_info.c | 46 +- net/mctp/test/route-test.c | 2 net/mptcp/diag.c | 2 net/mptcp/pm.c | 13 net/mptcp/pm_netlink.c | 142 +++++-- net/mptcp/protocol.h | 3 net/netfilter/nf_flow_table_inet.c | 3 net/netfilter/nf_flow_table_ip.c | 3 net/netfilter/nf_flow_table_offload.c | 2 net/netfilter/nf_tables_api.c | 209 +++++++---- net/netfilter/nfnetlink_queue.c | 35 + net/netfilter/nft_counter.c | 9 net/netlink/af_netlink.c | 13 net/openvswitch/datapath.c | 2 net/rxrpc/rxkad.c | 8 net/sched/sch_netem.c | 47 +- net/vmw_vsock/af_vsock.c | 50 +- net/vmw_vsock/vsock_bpf.c | 4 net/wireless/core.h | 8 scripts/rust_is_available.sh | 6 security/integrity/evm/evm_main.c | 7 security/security.c | 2 security/selinux/avc.c | 8 security/selinux/hooks.c | 12 sound/core/timer.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/pci/hda/tas2781_hda_i2c.c | 14 sound/soc/codecs/cs35l45.c | 5 sound/soc/sof/intel/hda-dsp.c | 3 sound/soc/sof/ipc4.c | 9 sound/usb/quirks-table.h | 1 sound/usb/quirks.c | 2 tools/include/linux/align.h | 12 tools/include/linux/bitmap.h | 9 tools/include/linux/mm.h | 5 tools/testing/selftests/bpf/progs/cpumask_failure.c | 3 tools/testing/selftests/bpf/progs/dynptr_fail.c | 12 tools/testing/selftests/bpf/progs/iters.c | 54 +++ tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c | 4 tools/testing/selftests/bpf/progs/test_tunnel_kern.c | 47 +- tools/testing/selftests/core/close_range_test.c | 35 + tools/testing/selftests/mm/Makefile | 2 tools/testing/selftests/mm/run_vmtests.sh | 53 ++ tools/testing/selftests/net/lib.sh | 11 tools/testing/selftests/net/mptcp/mptcp_join.sh | 28 + tools/testing/selftests/net/udpgro.sh | 44 +- tools/testing/selftests/tc-testing/tdc.py | 1 tools/tracing/rtla/src/osnoise_top.c | 11 391 files changed, 3848 insertions(+), 1967 deletions(-) Abhinav Kumar (5): drm/msm/dp: fix the max supported bpp logic drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() drm/msm/dp: reset the link phy params before link training drm/msm/dpu: try multirect based on mdp clock limits drm/msm: fix the highest_bank_bit for sc7180 Adrian Hunter (1): clocksource: Make watchdog and suspend-timing multiplication overflow safe Al Viro (4): fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE memcg_write_event_control(): fix a user-triggerable oops afs: fix __afs_break_callback() / afs_drop_open_mmap() race fuse: fix UAF in rcu pathwalks Alex Deucher (3): drm/amdgpu/jpeg2: properly set atomics vmid field drm/amdgpu/jpeg4: properly set atomics vmid field drm/amd/pm: fix error flow in sensor fetching Alex Hung (2): drm/amd/display: Validate hw_points_num before using it Revert "drm/amd/display: Validate hw_points_num before using it" Alexander Gordeev (1): s390/iucv: fix receive buffer virtual vs physical address confusion Alexander Lobakin (5): fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() s390/cio: rename bitmap_size() -> idset_bitmap_size() btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() bitmap: introduce generic optimized bitmap_size() tools: move alignment-related macros to new <linux/align.h> Alexander Stein (1): pmdomain: imx: scu-pd: Remove duplicated clocks Alexandre Belloni (1): rtc: nct3018y: fix possible NULL dereference Andi Shyti (1): i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Andreas Gruenbacher (2): gfs2: setattr_chown: Add missing initialization gfs2: Refcounting fix in gfs2_thaw_super Andy Yan (1): drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Antoniu Miclaus (1): hwmon: (ltc2992) Avoid division by zero Ashish Mhetre (1): memory: tegra: Skip SID programming if SID registers aren't set Asmaa Mnebhi (1): gpio: mlxbf3: Support shutdown() function Avri Kehat (1): accel/habanalabs: fix debugfs files permissions Baojun Xu (1): ALSA: hda/tas2781: fix wrong calibrated data order Baokun Li (2): ext4: do not trim the group with corrupted block bitmap ext4: set the type of max_zeroout to unsigned int to avoid overflow Bard Liao (1): ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Bartosz Golaszewski (1): gpio: sysfs: extend the critical section for unregistering sysfs devices Bas Nieuwenhuizen (1): drm/amdgpu: Actually check flags for all context ops. Ben Whitten (1): mmc: dw_mmc: allow biu and ciu clocks to defer Bharat Bhushan (1): octeontx2-af: Fix CPT AF register offset calculation Biju Das (1): irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Boyuan Zhang (2): drm/amdgpu/vcn: identify unified queue in sw init drm/amdgpu/vcn: not pause dpg for unified queue Breno Leitao (1): i2c: tegra: Do not mark ACPI devices as irq safe Candice Li (1): drm/amdgpu: Validate TA binary size Celeste Liu (1): riscv: entry: always initialize regs->a0 to -ENOSYS Chaotian Jing (1): scsi: core: Fix the return value of scsi_logical_block_count() Chengfeng Ye (3): staging: ks7010: disable bh on tx_dev_lock media: s5p-mfc: Fix potential deadlock on condlock IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Christian Brauner (1): binfmt_misc: cleanup on filesystem umount Christophe Kerello (1): memory: stm32-fmc2-ebi: check regmap_read return value Claudio Imbrenda (1): s390/uv: Panic for set and remove shared access UVC errors Clément Léger (1): riscv: blacklist assembly symbols for kprobe Cong Wang (1): vsock: fix recursive ->recvmsg calls Cosmin Ratiu (1): net/mlx5e: Correctly report errors for ethtool rx flows Costa Shulyupin (1): hrtimer: Select housekeeping CPU during migration Cupertino Miranda (1): selftests/bpf: Fix a few tests for GCC related warnings. Dan Carpenter (4): rtla/osnoise: Prevent NULL dereference in error handling atm: idt77252: prevent use after free in dequeue_rx() dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() mmc: mmc_test: Fix NULL dereference on allocation failure Daniel Wagner (1): nvmet-trace: avoid dereferencing pointer too early Dave Airlie (1): nouveau/firmware: use dma non-coherent allocator Dave Kleikamp (1): jfs: define xtree root and page independently David (Ming Qiang) Wu (1): drm/amd/amdgpu: command submission parser for JPEG David Howells (1): rxrpc: Don't pick values out of the wire header when setting up security David Lechner (1): staging: iio: resolver: ad2s1210: fix use before initialization David Sterba (11): btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves() btrfs: change BUG_ON to assertion when checking for delayed_node root btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() btrfs: push errors up from add_async_extent() btrfs: handle invalid root reference found in may_destroy_subvol() btrfs: send: handle unexpected data in header buffer in begin_cmd() btrfs: send: handle unexpected inode in header process_recorded_refs() btrfs: change BUG_ON to assertion in tree_move_down() btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() btrfs: replace sb::s_blocksize by fs_info::sectorsize David Thompson (1): mlxbf_gige: disable RX filters until RX path initialized Dmitry Antipov (2): wifi: ath11k: fix ath11k_mac_op_remain_on_channel() stack usage wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware() Dmitry Baryshkov (10): drm/msm/dpu: don't play tricks with debug macros drm/msm/dpu: use drmm-managed allocation for dpu_encoder_phys drm/msm/dpu: drop MSM_ENC_VBLANK support drm/msm/dpu: split dpu_encoder_wait_for_event into two functions drm/msm/dpu: capture snapshot on the first commit_done timeout drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails drm/msm/dpu: take plane rotation into account for wide planes drm/msm/mdss: switch mdss to use devm_of_icc_get() drm/msm/mdss: Handle the reg bus ICC path drm/msm/mdss: specify cfg bandwidth for SDM670 Donald Hunter (1): netfilter: flowtable: initialise extack before use Dragos Tatulea (1): net/mlx5e: Take state lock during tx timeout reporter Eli Billauer (3): char: xillybus: Don't destroy workqueue from work item running on it char: xillybus: Refine workqueue handling char: xillybus: Check USB endpoints when probing device Emmanuel Grumbach (1): wifi: iwlwifi: mvm: fix recovery flow in CSA Eric Dumazet (8): netlink: hold nlk->cb_mutex longer in __netlink_dump_start() gtp: pull network headers in gtp_dev_xmit() tcp/dccp: bypass empty buckets in inet_twsk_purge() tcp/dccp: do not care about families in inet_twsk_purge() ipv6: prevent UAF in ip6_send_skb() ipv6: fix possible UAF in ip6_finish_output2() ipv6: prevent possible UAF in ip6_xmit() tcp: do not export tcp_twsk_purge() Erico Nunes (1): drm/lima: set gp bus_stop bit before hard reset Eugene Syromiatnikov (1): mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Faizal Rahim (4): igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer igc: Fix qbv_config_change_errors logics igc: Fix reset adapter logics when tx mode change igc: Fix qbv tx latency by setting gtxoffset Felix Fietkau (2): wifi: mt76: fix race condition related to checking tx queue fill status udp: fix receiving fraglist GSO packets Filipe Manana (1): btrfs: send: allow cloning non-aligned extent if it ends at i_size Florian Westphal (2): netfilter: nf_queue: drop packets with cloned unconfirmed conntracks tcp: prevent concurrent execution of tcp_sk_exit_batch Frederic Weisbecker (1): tick: Move got_idle_tick away from common flags Gergo Koteles (1): platform/x86: lg-laptop: fix %s null argument warning Greg Kroah-Hartman (2): Revert "usb: gadget: uvc: cleanup request when not in correct state" Linux 6.6.48 Griffin Kroah-Hartman (2): Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Bluetooth: MGMT: Add error handling to pair_device() Guanrui Huang (1): irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Gustavo A. R. Silva (1): clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Haibo Xu (1): arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Hailong Liu (1): mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Haiyang Zhang (1): net: mana: Fix RX buf alloc_size alignment and atomic op panic Hangbin Liu (1): selftests: udpgro: report error when receive failed Hannes Reinecke (1): nvmet-tcp: do not continue for invalid icreq Hans Verkuil (3): media: radio-isa: use dev_name to fill in bus_info media: qcom: venus: fix incorrect return value media: pci: cx23885: check cx23885_vdev_init() return Heiko Carstens (1): s390/smp,mcck: fix early IPI handling Helge Deller (1): parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Itaru Kitayama (1): tools/testing/selftests/mm/run_vmtests.sh: lower the ptrace permissions Jakub Sitnicki (1): Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem" Jan Höppner (1): Revert "s390/dasd: Establish DMA alignment" Jan Kara (1): quota: Remove BUG_ON from dqget() Jann Horn (1): fuse: Initialize beyond-EOF page contents before setting uptodate Janne Grunau (1): wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Jarkko Nikula (2): i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Jason Gerecke (1): HID: wacom: Defer calculation of resolution until resolution_code is known Javier Carrasco (1): hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Jeff Johnson (2): wifi: cw1200: Avoid processing an invalid TIM IE wifi: ath12k: Add missing qmi_txn_cancel() calls Jeremy Kerr (1): net: mctp: test: Use correct skb for route input check Jesse Zhang (1): drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Jian Shen (1): net: hns3: add checking for vf id of mailbox Jianhua Lu (1): drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels Jiaxun Yang (1): MIPS: Loongson64: Set timer mode in cpu-probe Jie Wang (2): net: hns3: fix wrong use of semaphore up net: hns3: fix a deadlock problem when config TC during resetting Jithu Joseph (2): platform/x86/intel/ifs: Validate image size platform/x86/intel/ifs: Call release_firmware() when handling errors. Johannes Berg (4): wifi: mac80211: lock wiphy in IP address notifier wifi: cfg80211: check wiphy mutex is held for wdev mutex wifi: mac80211: fix BA session teardown race wifi: mac80211: flush STA queues on unauthorization Joseph Huang (1): net: dsa: mv88e6xxx: Fix out-of-bound access Juan José Arboleda (1): ALSA: usb-audio: Support Yamaha P-125 quirk entry Justin Tee (1): scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Kamalesh Babulal (1): cgroup: Avoid extra dereference in css_populate_dir() Kees Cook (3): hwmon: (pc87360) Bounds check data->innr usage net/sun3_82586: Avoid reading past buffer in debug output x86: Increase brk randomness entropy for 64-bit systems Keith Busch (3): nvme: clear caller pointer on identify failure nvme: use srcu for iterating namespace list nvme: fix namespace removal list Khazhismel Kumykov (1): dm resume: don't return EINVAL when signalled Kirill A. Shutemov (1): mm: fix endless reclaim on machines with unaccepted memory Konrad Dybcio (1): drm/msm/mdss: Rename path references to mdp_path Krishna Kurapati (1): usb: dwc3: core: Skip setting event buffers for host only controllers Kuniyuki Iwashima (1): kcm: Serialise kcm_sendmsg() for the same socket. Kunwu Chan (1): powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Lang Yu (1): drm/amdkfd: reserve the BO before validating it Lee Jones (1): drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Leon Hwang (1): bpf: Fix updating attached freplace prog in prog_array map Li Lingfeng (1): block: Fix lockdep warning in blk_mq_mark_tag_wait Li Nan (1): md: clean up invalid BUG_ON in md_ioctl Li zeming (1): powerpc/boot: Handle allocation failure in simple_realloc() Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Loan Chen (1): drm/amd/display: Enable otg synchronization logic for DCN321 Long Li (1): net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Lorenzo Bianconi (1): net: ethernet: mtk_wed: check update_wo_rx_stats in mtk_wed_update_rx_stats() Luiz Augusto von Dentz (3): Bluetooth: bnep: Fix out-of-bound access Bluetooth: hci_core: Fix LE quote calculation Bluetooth: SMP: Fix assumption of Central always being Initiator Maciej Fijalkowski (3): ice: fix page reuse when PAGE_SIZE is over 8k ice: fix ICE_LAST_OFFSET formula ice: fix truesize operations for PAGE_SIZE >= 8192 Manish Dharanenthiran (1): wifi: ath12k: fix WARN_ON during ath12k_mac_update_vif_chan Marc Zyngier (1): KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Martin Blumenstingl (1): clocksource/drivers/arm_global_timer: Guard against division by zero Martin Whitaker (1): net: dsa: microchip: fix PTP config failure when using multiple ports Masahiro Yamada (2): rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Mathias Nyman (1): xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Mathieu Othacehe (1): tty: atmel_serial: use the correct RTS flag. Matthieu Baerts (NGI0) (14): selftests: net: lib: ignore possible errors selftests: net: lib: kill PIDs before del netns mptcp: pm: re-using ID of unused removed ADD_ADDR mptcp: pm: re-using ID of unused removed subflows mptcp: pm: re-using ID of unused flushed subflows mptcp: pm: remove mptcp_pm_remove_subflow() mptcp: pm: only mark 'subflow' endp as available mptcp: pm: only decrement add_addr_accepted for MPJ req mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR mptcp: pm: only in-kernel cannot have entries with ID 0 mptcp: pm: fullmesh: select the right ID later mptcp: pm: avoid possible UaF when selecting endp selftests: mptcp: join: validate fullmesh endp on 1st sf selftests: mptcp: join: check re-using ID of closed subflow Max Filippov (1): fs: binfmt_elf_efpic: don't use missing interpreter's properties Max Kellermann (1): fs/netfs/fscache_cookie: add missing "n_accesses" check Maximilian Luz (1): platform/surface: aggregator: Fix warning when controller is destroyed in probe Melissa Wen (1): drm/amd/display: fix cursor offset on rotation 180 Menglong Dong (1): net: ovs: fix ovs_drop_reasons error Mengqi Zhang (1): mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Mengyuan Lou (1): net: ngbe: Fix phy mode set to external phy Michael Ellerman (1): powerpc/boot: Only free if realloc() succeeds Michael Grzeschik (1): usb: gadget: uvc: cleanup request when not in correct state Michael Mueller (1): KVM: s390: fix validity interception issue when gisa is switched off Miguel Ojeda (1): rust: work around `bindgen` 0.69.0 issue Mika Westerberg (1): thunderbolt: Mark XDomain as unplugged when router is removed Mike Christie (1): scsi: spi: Fix sshdr use Mikko Perttunen (1): drm/tegra: Zero-initialize iosys_map Mikulas Patocka (2): dm persistent data: fix memory allocation failure dm suspend: return -ERESTARTSYS instead of -EINTR Mimi Zohar (1): evm: don't copy up 'security.evm' xattr Miri Korenblit (1): wifi: iwlwifi: abort scan when rfkill on but device enabled Muhammad Usama Anjum (1): selftests: memfd_secret: don't build memfd_secret test on unsupported arches Mukesh Sisodiya (1): wifi: iwlwifi: fw: Fix debugfs command sending Nam Cao (1): riscv: change XIP's kernel_map.size to be size of the entire kernel Namjae Jeon (2): ksmbd: the buffer of smb2 query dir response has at least 1 byte ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Naohiro Aota (1): btrfs: zoned: properly take lock to read/update block group's zoned variables Nathan Lynch (1): powerpc/pseries/papr-sysparm: Validate buffer object lengths Neel Natu (1): kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files NeilBrown (2): NFS: avoid infinite loop in pnfs_update_layout. NFSD: simplify error paths in nfsd_svc() Nikolay Aleksandrov (4): bonding: fix bond_ipsec_offload_ok return type bonding: fix null pointer deref in bond_ipsec_offload_ok bonding: fix xfrm real_dev null pointer dereference bonding: fix xfrm state handling when clearing active slave Nikolay Kuratov (1): cxgb4: add forgotten u64 ivlan cast before shift Nysal Jan K.A (2): cpu/SMT: Enable SMT only if a core is online powerpc/topology: Check if a core is online Ofir Bitton (1): accel/habanalabs/gaudi2: unsecure tpc count registers Oreoluwa Babatunde (1): openrisc: Call setup_memory() earlier in the init sequence Pablo Neira Ayuso (1): netfilter: flowtable: validate vlan header Paolo Abeni (1): igb: cope with large MAX_SKB_FRAGS Parsa Poorshikhian (1): ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Paul E. McKenney (1): rcu: Eliminate rcu_gp_slow_unregister() false positive Paul Moore (1): selinux: revert our use of vma_is_initial_heap() Paulo Alcantara (1): smb: client: ignore unhandled reparse tags Pawel Dembicki (3): net: dsa: vsc73xx: pass value in phy_write operation net: dsa: vsc73xx: use read_poll_timeout instead delay loop net: dsa: vsc73xx: check busy flag in MDIO operations Peiyang Wang (1): net: hns3: use the user's cfg after reset Peng Fan (2): tty: serial: fsl_lpuart: mark last busy before uart_add_one_port pmdomain: imx: wait SSAR when i.MX93 power domain on Peter Ujfalusi (1): ASoC: SOF: Intel: hda-dsp: Make sure that no irq handler is pending before suspend Phil Chang (1): hrtimer: Prevent queuing of hrtimer without a function callback Phil Sutter (9): netfilter: nf_tables: Audit log dump reset after the fact netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj netfilter: nf_tables: Unconditionally allocate nft_obj_filter netfilter: nf_tables: A better name for nft_obj_filter netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx netfilter: nf_tables: nft_obj_filter fits into cb->ctx netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx netfilter: nf_tables: Introduce nf_tables_getobj_single netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Philip Yang (1): drm/amdkfd: Move dma unmapping after TLB flush Philipp Stanner (1): media: drivers/media/dvb-core: copy user arrays safely Qiuxu Zhuo (2): EDAC/skx_common: Filter out the invalid address EDAC/skx_common: Allow decoding of SGX addresses Qu Wenruo (3): btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type btrfs: tree-checker: add dev extent item checks btrfs: zlib: fix and simplify the inline extent decompression Radhey Shyam Pandey (1): net: axienet: Fix register defines comment description Rafael J. Wysocki (3): Revert "ACPI: EC: Evaluate orphan _REG under EC device" ACPICA: Add a depth argument to acpi_execute_reg_methods() ACPI: EC: Evaluate _REG outside the EC scope more carefully Rand Deeb (1): ssb: Fix division by zero issue in ssb_calc_clock_rate Ricardo Rivera-Matos (1): ASoC: cs35l45: Checks index of cs35l45_irqs[] Richard Acayan (1): iommu/arm-smmu-qcom: Add SDM670 MDSS compatible Richard Fitzgerald (1): firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Rob Clark (1): drm/msm: Reduce fallout of fence signaling vs reclaim hangs Rodrigo Siqueira (1): drm/amd/display: Adjust cursor position Ryan Roberts (1): selftests/mm: log run_vmtests.sh results in TAP format Sagi Grimberg (1): nvmet-rdma: fix possible bad dereference when freeing rsps Samuel Holland (1): arm64: Fix KASAN random tag seed initialization Sean Anderson (2): net: xilinx: axienet: Always disable promiscuous mode net: xilinx: axienet: Fix dangling multicast addresses Sean Nyekjaer (1): i2c: stm32f7: Add atomic_xfer method to driver Sebastian Andrzej Siewior (2): netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Shannon Nelson (4): ionic: prevent pci disable of already disabled device ionic: no fw read when PCI reset failed ionic: use pci_is_enabled not open code ionic: check cmd_regs before copying in or out Shaul Triebitz (1): wifi: iwlwifi: mvm: avoid garbage iPN Simon Horman (1): tc-testing: don't access non-existent variable on exception Somnath Kotur (1): bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Stefan Haberland (1): s390/dasd: fix error recovery leading to data corruption on ESE devices Stefan Hajnoczi (1): virtiofs: forbid newlines in tags Stephen Hemminger (1): netem: fix return value if duplicate enqueue fails Subash Abhinov Kasiviswanathan (1): tcp: Update window clamping condition Suren Baghdasaryan (1): change alloc_pages name in dma_map_ops to avoid name conflicts Takashi Iwai (2): ALSA: hda/tas2781: Use correct endian conversion ALSA: timer: Relax start tick time check for slave timer elements Tetsuo Handa (1): Input: MT - limit max slots Thomas Bogendoerfer (1): ip6_tunnel: Fix broken GRO Tom Hughes (1): netfilter: allow ipv6 fragments to arrive on different devices Tomer Tayar (1): accel/habanalabs: export dma-buf only if size/offset multiples of PAGE_SIZE Tomi Valkeinen (1): drm/bridge: tc358768: Attempt to fix DSI horizontal timings Uwe Kleine-König (1): usb: gadget: fsl: Increase size of name buffer for endpoints Vladimir Oltean (3): net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" net: mscc: ocelot: serialize access to the injection/extraction groups Waiman Long (1): mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Werner Sembach (2): Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Wolfram Sang (1): i2c: riic: avoid potential division by zero Xu Yang (1): Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Yonghong Song (2): bpf: Fix a kernel verifier crash in stacksafe() selftests/bpf: Add a test to verify previous stacksafe() fix Yu Kuai (1): md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log' Yury Norov (1): sched/topology: Handle NUMA_NO_NODE in sched_numa_find_nth_cpu() Zhen Lei (4): selinux: fix potential counting error in avc_add_xperms_decision() selinux: add the processing of the failure of avc_add_xperms_decision() mm: Remove kmem_valid_obj() rcu: Dump memory object info if callback function is invalid ZhenGuo Yin (1): drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime Zheng Zhang (1): net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Zhiguo Niu (2): f2fs: stop checkpoint when get a out-of-bounds segment f2fs: fix to do sanity check in update_sit_entry Zhihao Cheng (1): vfs: Don't evict inode under the inode lru traversing context Zhu Yanjun (1): RDMA/rtrs: Fix the problem of variable not initialized fully Zi Yan (2): mm/numa: no task_numa_fault() call if PMD is changed mm/numa: no task_numa_fault() call if PTE is changed Zijun Hu (1): Bluetooth: hci_conn: Check non NULL function before calling for HFP offload farah kassabri (1): accel/habanalabs: fix bug in timestamp interrupt handling

8 months, 1 week

1
1
0 0

Linux 6.1.107

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.107 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_lpm_trie.rst | 181 ++++++ Documentation/filesystems/gfs2-glocks.rst | 3 Makefile | 2 arch/arm64/kernel/acpi_numa.c | 2 arch/arm64/kernel/setup.c | 3 arch/arm64/kernel/smp.c | 2 arch/arm64/kvm/sys_regs.c | 6 arch/arm64/kvm/vgic/vgic.h | 7 arch/mips/kernel/cpu-probe.c | 4 arch/openrisc/kernel/setup.c | 6 arch/parisc/kernel/irq.c | 4 arch/powerpc/boot/simple_alloc.c | 7 arch/powerpc/sysdev/xics/icp-native.c | 2 arch/riscv/mm/init.c | 4 arch/s390/include/asm/uv.h | 5 arch/s390/kernel/early.c | 12 arch/s390/kernel/smp.c | 4 arch/x86/kernel/process.c | 5 arch/x86/kvm/lapic.c | 8 block/blk-mq-tag.c | 5 drivers/atm/idt77252.c | 9 drivers/bluetooth/hci_ldisc.c | 3 drivers/char/xillybus/xillyusb.c | 42 + drivers/clk/visconti/pll.c | 6 drivers/clocksource/arm_global_timer.c | 11 drivers/firmware/cirrus/cs_dsp.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 40 + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 - drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 22 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 2 drivers/gpu/drm/bridge/tc358768.c | 213 ++++++- drivers/gpu/drm/lima/lima_gp.c | 12 drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 3 drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 drivers/gpu/drm/msm/dp/dp_panel.c | 19 drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 drivers/gpu/drm/tegra/gem.c | 2 drivers/hid/hid-ids.h | 10 drivers/hid/hid-microsoft.c | 11 drivers/hid/wacom_wac.c | 4 drivers/hwmon/ltc2992.c | 8 drivers/hwmon/pc87360.c | 6 drivers/i2c/busses/i2c-qcom-geni.c | 4 drivers/i2c/busses/i2c-riic.c | 2 drivers/i2c/busses/i2c-tegra.c | 41 - drivers/i3c/master/mipi-i3c-hci/dma.c | 5 drivers/infiniband/hw/hfi1/chip.c | 5 drivers/infiniband/ulp/rtrs/rtrs.c | 2 drivers/input/input-mt.c | 3 drivers/input/serio/i8042-acpipnpio.h | 20 drivers/input/serio/i8042.c | 10 drivers/irqchip/irq-gic-v3-its.c | 2 drivers/irqchip/irq-renesas-rzg2l.c | 5 drivers/md/dm-clone-metadata.c | 5 drivers/md/dm-ioctl.c | 22 drivers/md/dm.c | 4 drivers/md/md.c | 5 drivers/md/persistent-data/dm-space-map-metadata.c | 4 drivers/md/raid5-cache.c | 47 - drivers/media/dvb-core/dvb_frontend.c | 12 drivers/media/pci/cx23885/cx23885-video.c | 8 drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 drivers/media/platform/qcom/venus/pm_helpers.c | 2 drivers/media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 drivers/media/radio/radio-isa.c | 2 drivers/memory/stm32-fmc2-ebi.c | 122 ++-- drivers/memory/tegra/tegra186.c | 3 drivers/mmc/core/mmc_test.c | 9 drivers/mmc/host/dw_mmc.c | 8 drivers/net/bonding/bond_main.c | 21 drivers/net/bonding/bond_options.c | 2 drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 drivers/net/dsa/ocelot/felix.c | 11 drivers/net/dsa/vitesse-vsc73xx-core.c | 69 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 drivers/net/ethernet/i825xx/sun3_82586.c | 2 drivers/net/ethernet/intel/ice/ice_base.c | 4 drivers/net/ethernet/intel/ice/ice_lib.c | 8 drivers/net/ethernet/intel/ice/ice_main.c | 10 drivers/net/ethernet/intel/ice/ice_txrx.c | 117 +-- drivers/net/ethernet/intel/ice/ice_txrx.h | 6 drivers/net/ethernet/intel/ice/ice_txrx_lib.c | 1 drivers/net/ethernet/intel/igc/igc_defines.h | 15 drivers/net/ethernet/intel/igc/igc_main.c | 7 drivers/net/ethernet/intel/igc/igc_regs.h | 1 drivers/net/ethernet/intel/igc/igc_tsn.c | 64 ++ drivers/net/ethernet/intel/igc/igc_tsn.h | 1 drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 9 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 + drivers/net/ethernet/microsoft/mana/mana.h | 1 drivers/net/ethernet/microsoft/mana/mana_en.c | 24 drivers/net/ethernet/mscc/ocelot.c | 91 ++- drivers/net/ethernet/mscc/ocelot_fdma.c | 3 drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 drivers/net/gtp.c | 3 drivers/net/ppp/pppoe.c | 23 drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 2 drivers/net/wireless/st/cw1200/txrx.c | 2 drivers/nvme/host/core.c | 5 drivers/nvme/target/rdma.c | 16 drivers/nvme/target/tcp.c | 1 drivers/nvme/target/trace.c | 6 drivers/nvme/target/trace.h | 28 drivers/platform/surface/aggregator/controller.c | 3 drivers/platform/x86/lg-laptop.c | 2 drivers/rtc/rtc-nct3018y.c | 6 drivers/s390/block/dasd.c | 36 - drivers/s390/block/dasd_3990_erp.c | 10 drivers/s390/block/dasd_diag.c | 1 drivers/s390/block/dasd_eckd.c | 56 - drivers/s390/block/dasd_int.h | 2 drivers/s390/cio/idset.c | 12 drivers/scsi/lpfc/lpfc_sli.c | 2 drivers/scsi/scsi_transport_spi.c | 4 drivers/soc/imx/imx93-pd.c | 5 drivers/ssb/main.c | 2 drivers/staging/iio/resolver/ad2s1210.c | 7 drivers/staging/ks7010/ks7010_sdio.c | 4 drivers/thunderbolt/switch.c | 1 drivers/tty/serial/atmel_serial.c | 2 drivers/usb/dwc3/core.c | 13 drivers/usb/gadget/udc/fsl_udc_core.c | 2 drivers/usb/host/xhci.c | 8 drivers/video/fbdev/offb.c | 3 fs/9p/xattr.c | 8 fs/afs/file.c | 8 fs/binfmt_elf_fdpic.c | 2 fs/binfmt_misc.c | 216 +++++-- fs/btrfs/delayed-inode.c | 4 fs/btrfs/disk-io.c | 2 fs/btrfs/extent_io.c | 4 fs/btrfs/free-space-cache.c | 22 fs/btrfs/inode.c | 11 fs/btrfs/ioctl.c | 2 fs/btrfs/qgroup.c | 2 fs/btrfs/reflink.c | 6 fs/btrfs/send.c | 63 +- fs/btrfs/super.c | 2 fs/btrfs/tests/extent-io-tests.c | 28 fs/btrfs/tree-checker.c | 69 ++ fs/erofs/decompressor.c | 8 fs/ext4/extents.c | 3 fs/ext4/mballoc.c | 3 fs/ext4/super.c | 23 fs/ext4/xattr.c | 158 ++--- fs/f2fs/segment.c | 5 fs/file.c | 30 - fs/fscache/cookie.c | 4 fs/fuse/cuse.c | 3 fs/fuse/dev.c | 6 fs/fuse/fuse_i.h | 1 fs/fuse/inode.c | 15 fs/fuse/virtio_fs.c | 10 fs/gfs2/glock.c | 27 fs/gfs2/glock.h | 9 fs/gfs2/glops.c | 66 -- fs/gfs2/incore.h | 2 fs/gfs2/inode.c | 2 fs/gfs2/lock_dlm.c | 5 fs/gfs2/log.c | 2 fs/gfs2/ops_fstype.c | 13 fs/gfs2/recovery.c | 28 fs/gfs2/super.c | 197 ++++-- fs/gfs2/super.h | 1 fs/gfs2/sys.c | 2 fs/gfs2/util.c | 55 - fs/gfs2/util.h | 5 fs/inode.c | 39 + fs/jbd2/journal.c | 9 fs/jfs/jfs_dmap.c | 2 fs/jfs/jfs_dtree.c | 2 fs/kernfs/file.c | 8 fs/nfs/pnfs.c | 8 fs/nfsd/nfs4proc.c | 4 fs/nfsd/nfs4state.c | 2 fs/nfsd/nfsctl.c | 32 - fs/nfsd/nfsd.h | 3 fs/nfsd/nfssvc.c | 85 -- fs/nfsd/vfs.c | 6 fs/nilfs2/btree.c | 1 fs/nilfs2/dat.c | 11 fs/nilfs2/direct.c | 1 fs/ntfs3/bitmap.c | 4 fs/ntfs3/frecord.c | 75 ++ fs/ntfs3/fsntfs.c | 2 fs/ntfs3/index.c | 11 fs/ntfs3/ntfs_fs.h | 4 fs/ntfs3/super.c | 2 fs/quota/dquot.c | 5 fs/quota/quota_tree.c | 128 +++- fs/quota/quota_v2.c | 15 fs/reiserfs/stree.c | 2 fs/smb/server/smb2pdu.c | 3 fs/squashfs/block.c | 2 fs/squashfs/file.c | 3 fs/squashfs/file_direct.c | 6 fs/udf/namei.c | 1 include/linux/bitmap.h | 20 include/linux/bpf_verifier.h | 23 include/linux/cpumask.h | 2 include/linux/dsa/ocelot.h | 47 + include/linux/fs.h | 5 include/linux/if_vlan.h | 21 include/linux/jbd2.h | 8 include/linux/pid.h | 2 include/linux/sched/signal.h | 2 include/linux/slab.h | 5 include/linux/sunrpc/svc.h | 13 include/linux/udp.h | 2 include/linux/virtio_net.h | 35 - include/net/cfg80211.h | 40 + include/net/inet_timewait_sock.h | 2 include/net/kcm.h | 1 include/net/tcp.h | 2 include/scsi/scsi_cmnd.h | 2 include/soc/mscc/ocelot.h | 12 include/trace/events/huge_memory.h | 3 include/uapi/linux/bpf.h | 19 init/Kconfig | 7 kernel/bpf/Makefile | 3 kernel/bpf/log.c | 82 ++ kernel/bpf/lpm_trie.c | 33 - kernel/bpf/verifier.c | 69 -- kernel/cgroup/cgroup.c | 4 kernel/pid.c | 7 kernel/pid_namespace.c | 2 kernel/rcu/rcu.h | 7 kernel/rcu/srcutiny.c | 1 kernel/rcu/srcutree.c | 1 kernel/rcu/tasks.h | 1 kernel/rcu/tiny.c | 1 kernel/rcu/tree.c | 3 kernel/time/clocksource.c | 42 - kernel/time/hrtimer.c | 5 kernel/time/posix-timers.c | 31 - lib/math/prime_numbers.c | 2 mm/huge_memory.c | 30 - mm/khugepaged.c | 20 mm/memcontrol.c | 7 mm/memory-failure.c | 20 mm/memory.c | 29 mm/slab_common.c | 41 - mm/util.c | 4 mm/vmalloc.c | 11 net/bluetooth/bnep/core.c | 3 net/bluetooth/hci_conn.c | 11 net/bluetooth/hci_core.c | 24 net/bluetooth/mgmt.c | 4 net/bluetooth/rfcomm/sock.c | 14 net/bluetooth/smp.c | 144 ++-- net/bridge/br_netfilter_hooks.c | 6 net/core/filter.c | 8 net/core/skbuff.c | 8 net/dccp/ipv4.c | 2 net/dccp/ipv6.c | 6 net/dsa/tag_ocelot.c | 37 - net/ipv4/fou.c | 2 net/ipv4/inet_timewait_sock.c | 16 net/ipv4/tcp_ipv4.c | 16 net/ipv4/tcp_minisocks.c | 7 net/ipv4/tcp_offload.c | 3 net/ipv4/udp_offload.c | 18 net/ipv6/ip6_output.c | 10 net/ipv6/ip6_tunnel.c | 12 net/ipv6/netfilter/nf_conntrack_reasm.c | 4 net/ipv6/tcp_ipv6.c | 6 net/iucv/iucv.c | 3 net/kcm/kcmsock.c | 4 net/mac80211/agg-tx.c | 6 net/mac80211/debugfs_netdev.c | 3 net/mac80211/driver-ops.c | 3 net/mac80211/ieee80211_i.h | 1 net/mac80211/iface.c | 27 net/mac80211/rx.c | 387 ++++++------- net/mac80211/sta_info.c | 17 net/mac80211/sta_info.h | 3 net/mctp/test/route-test.c | 2 net/mptcp/diag.c | 2 net/mptcp/pm_netlink.c | 31 - net/netfilter/nf_flow_table_inet.c | 3 net/netfilter/nf_flow_table_ip.c | 3 net/netfilter/nf_flow_table_offload.c | 2 net/netfilter/nf_tables_api.c | 209 ++++--- net/netfilter/nfnetlink_queue.c | 35 + net/netfilter/nft_counter.c | 9 net/netlink/af_netlink.c | 13 net/rds/recv.c | 13 net/sched/sch_generic.c | 11 net/sched/sch_netem.c | 47 - net/sctp/inqueue.c | 14 net/wireless/core.h | 8 net/wireless/util.c | 195 ++++-- samples/bpf/map_perf_test_user.c | 2 samples/bpf/xdp_router_ipv4_user.c | 2 scripts/rust_is_available.sh | 41 + security/selinux/avc.c | 2 sound/core/timer.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/sof/ipc4.c | 9 sound/usb/mixer.c | 7 sound/usb/quirks-table.h | 1 sound/usb/quirks.c | 2 tools/include/linux/align.h | 12 tools/include/linux/bitmap.h | 9 tools/include/linux/mm.h | 5 tools/include/uapi/linux/bpf.h | 19 tools/testing/selftests/bpf/progs/map_ptr_kern.c | 2 tools/testing/selftests/bpf/test_lpm_map.c | 18 tools/testing/selftests/core/close_range_test.c | 35 + tools/testing/selftests/net/net_helper.sh | 25 tools/testing/selftests/net/udpgro.sh | 57 + tools/testing/selftests/net/udpgro_bench.sh | 5 tools/testing/selftests/net/udpgro_frglist.sh | 5 tools/testing/selftests/net/udpgso.c | 2 tools/testing/selftests/tc-testing/tdc.py | 1 tools/tracing/rtla/src/osnoise_top.c | 11 340 files changed, 4069 insertions(+), 2057 deletions(-) Abdulrasaq Lawani (1): fbdev: offb: replace of_node_put with __free(device_node) Abhinav Kumar (2): drm/msm/dp: fix the max supported bpp logic drm/msm/dp: reset the link phy params before link training Adrian Hunter (1): clocksource: Make watchdog and suspend-timing multiplication overflow safe Al Viro (4): fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE memcg_write_event_control(): fix a user-triggerable oops afs: fix __afs_break_callback() / afs_drop_open_mmap() race fuse: fix UAF in rcu pathwalks Alex Deucher (1): drm/amdgpu/jpeg2: properly set atomics vmid field Alex Hung (2): drm/amd/display: Validate hw_points_num before using it Revert "drm/amd/display: Validate hw_points_num before using it" Alexander Gordeev (1): s390/iucv: fix receive buffer virtual vs physical address confusion Alexander Lobakin (5): fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() s390/cio: rename bitmap_size() -> idset_bitmap_size() btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() bitmap: introduce generic optimized bitmap_size() tools: move alignment-related macros to new <linux/align.h> Alexandre Belloni (1): rtc: nct3018y: fix possible NULL dereference Alexei Starovoitov (1): bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie. Allison Henderson (1): net:rds: Fix possible deadlock in rds_message_put Andi Shyti (1): i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Andreas Gruenbacher (12): gfs2: Rename remaining "transaction" glock references gfs2: Rename the {freeze,thaw}_super callbacks gfs2: Rename gfs2_freeze_lock{ => _shared } gfs2: Rename SDF_{FS_FROZEN => FREEZE_INITIATOR} gfs2: Rework freeze / thaw logic gfs2: Stop using gfs2_make_fs_ro for withdraw gfs2: setattr_chown: Add missing initialization gfs2: Refcounting fix in gfs2_thaw_super gfs2: Fix another freeze/thaw hang gfs2: don't withdraw if init_threads() got interrupted gfs2: Remove LM_FLAG_PRIORITY flag gfs2: Remove freeze_go_demote_ok Andrew Melnychenko (1): udp: allow header check for dodgy GSO_UDP_L4 packets. Andrii Nakryiko (2): bpf: Split off basic BPF verifier log into separate file bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log Andy Yan (1): drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Antoniu Miclaus (1): hwmon: (ltc2992) Avoid division by zero Ashish Mhetre (1): memory: tegra: Skip SID programming if SID registers aren't set Aurelien Jarno (1): media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Baokun Li (2): ext4: do not trim the group with corrupted block bitmap ext4: set the type of max_zeroout to unsigned int to avoid overflow Bard Liao (1): ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Bas Nieuwenhuizen (1): drm/amdgpu: Actually check flags for all context ops. Ben Whitten (1): mmc: dw_mmc: allow biu and ciu clocks to defer Bharat Bhushan (1): octeontx2-af: Fix CPT AF register offset calculation Biju Das (1): irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Boyuan Zhang (2): drm/amdgpu/vcn: identify unified queue in sw init drm/amdgpu/vcn: not pause dpg for unified queue Breno Leitao (1): i2c: tegra: Do not mark ACPI devices as irq safe Candice Li (1): drm/amdgpu: Validate TA binary size Chaotian Jing (1): scsi: core: Fix the return value of scsi_logical_block_count() Chengfeng Ye (3): staging: ks7010: disable bh on tx_dev_lock media: s5p-mfc: Fix potential deadlock on condlock IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Christian Brauner (1): binfmt_misc: cleanup on filesystem umount Christophe Kerello (1): memory: stm32-fmc2-ebi: check regmap_read return value Claudio Imbrenda (1): s390/uv: Panic for set and remove shared access UVC errors Cosmin Ratiu (1): net/mlx5e: Correctly report errors for ethtool rx flows Costa Shulyupin (1): hrtimer: Select housekeeping CPU during migration Dan Carpenter (4): rtla/osnoise: Prevent NULL dereference in error handling atm: idt77252: prevent use after free in dequeue_rx() dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() mmc: mmc_test: Fix NULL dereference on allocation failure Daniel Wagner (1): nvmet-trace: avoid dereferencing pointer too early Dave Kleikamp (1): Revert "jfs: fix shift-out-of-bounds in dbJoin" David Lechner (1): staging: iio: resolver: ad2s1210: fix use before initialization David Sterba (8): btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() btrfs: change BUG_ON to assertion when checking for delayed_node root btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() btrfs: handle invalid root reference found in may_destroy_subvol() btrfs: send: handle unexpected data in header buffer in begin_cmd() btrfs: change BUG_ON to assertion in tree_move_down() btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() btrfs: replace sb::s_blocksize by fs_info::sectorsize David Thompson (1): mlxbf_gige: disable RX filters until RX path initialized Dmitry Antipov (1): net: sctp: fix skb leak in sctp_inq_free() Dmitry Baryshkov (2): drm/msm/dpu: don't play tricks with debug macros drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Donald Hunter (2): docs/bpf: Document BPF_MAP_TYPE_LPM_TRIE map netfilter: flowtable: initialise extack before use Dragos Tatulea (1): net/mlx5e: Take state lock during tx timeout reporter Edward Adam Davis (2): reiserfs: fix uninit-value in comp_keys jfs: fix null ptr deref in dtInsertEntry Eli Billauer (3): char: xillybus: Don't destroy workqueue from work item running on it char: xillybus: Refine workqueue handling char: xillybus: Check USB endpoints when probing device Eric Dumazet (8): netlink: hold nlk->cb_mutex longer in __netlink_dump_start() gtp: pull network headers in gtp_dev_xmit() tcp/dccp: bypass empty buckets in inet_twsk_purge() tcp/dccp: do not care about families in inet_twsk_purge() ipv6: prevent UAF in ip6_send_skb() ipv6: fix possible UAF in ip6_finish_output2() ipv6: prevent possible UAF in ip6_xmit() tcp: do not export tcp_twsk_purge() Erico Nunes (1): drm/lima: set gp bus_stop bit before hard reset Eugene Syromiatnikov (1): mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size Faizal Rahim (1): igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Felix Fietkau (14): wifi: mac80211: fix and simplify unencrypted drop check for mesh wifi: cfg80211: move A-MSDU check in ieee80211_data_to_8023_exthdr wifi: cfg80211: factor out bridge tunnel / RFC1042 header check wifi: mac80211: remove mesh forwarding congestion check wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU wifi: mac80211: fix mesh path discovery based on unicast packets wifi: mac80211: fix mesh forwarding wifi: mac80211: fix flow dissection for forwarded packets wifi: mac80211: fix receiving mesh packets in forwarding=0 networks wifi: mac80211: drop bogus static keywords in A-MSDU rx wifi: mac80211: fix potential null pointer dereference wifi: cfg80211: fix receiving mesh packets without RFC1042 header udp: fix receiving fraglist GSO packets Filipe Manana (1): btrfs: send: allow cloning non-aligned extent if it ends at i_size Florian Westphal (2): netfilter: nf_queue: drop packets with cloned unconfirmed conntracks tcp: prevent concurrent execution of tcp_sk_exit_batch Gao Xiang (1): erofs: avoid debugging output for (de)compressed data Gavrilov Ilia (1): pppoe: Fix memory leak in pppoe_sendmsg() Gergo Koteles (1): platform/x86: lg-laptop: fix %s null argument warning Greg Kroah-Hartman (2): Revert "usb: gadget: uvc: cleanup request when not in correct state" Linux 6.1.107 Griffin Kroah-Hartman (1): Bluetooth: MGMT: Add error handling to pair_device() Guanrui Huang (1): irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Gustavo A. R. Silva (1): clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Haibo Xu (1): arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Hailong Liu (1): mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Hangbin Liu (1): selftests: udpgro: report error when receive failed Hannes Reinecke (1): nvmet-tcp: do not continue for invalid icreq Hans Verkuil (3): media: radio-isa: use dev_name to fill in bus_info media: qcom: venus: fix incorrect return value media: pci: cx23885: check cx23885_vdev_init() return Heiko Carstens (1): s390/smp,mcck: fix early IPI handling Helge Deller (1): parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Ivan Orlov (2): 9P FS: Fix wild-memory-access write in v9fs_get_acl mm: khugepaged: fix kernel BUG in hpage_collapse_scan_file() Jakub Kicinski (1): net: don't dump stack on queue timeout Jan Höppner (1): Revert "s390/dasd: Establish DMA alignment" Jan Kara (5): quota: Detect loops in quota tree ext4: fold quota accounting into ext4_xattr_inode_lookup_create() ext4: do not create EA inode under buffer lock udf: Fix bogus checksum computation in udf_rename() quota: Remove BUG_ON from dqget() Jann Horn (1): fuse: Initialize beyond-EOF page contents before setting uptodate Jarkko Nikula (2): i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Jason Gerecke (1): HID: wacom: Defer calculation of resolution until resolution_code is known Javier Carrasco (1): hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Jeff Johnson (1): wifi: cw1200: Avoid processing an invalid TIM IE Jeff Layton (1): nfsd: drop the nfsd_put helper Jeremy Kerr (1): net: mctp: test: Use correct skb for route input check Jesse Brandeburg (1): ice: fix W=1 headers mismatch Jesse Zhang (1): drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Jian Shen (1): net: hns3: add checking for vf id of mailbox Jiaxun Yang (1): MIPS: Loongson64: Set timer mode in cpu-probe Jie Wang (2): net: hns3: fix wrong use of semaphore up net: hns3: fix a deadlock problem when config TC during resetting Johannes Berg (6): wifi: mac80211: take wiphy lock for MAC addr change wifi: mac80211: fix change_address deadlock during unregister wifi: cfg80211: check A-MSDU format more carefully wifi: cfg80211: check wiphy mutex is held for wdev mutex wifi: mac80211: fix BA session teardown race wifi: mac80211: add documentation for amsdu_mesh_control Joseph Huang (1): net: dsa: mv88e6xxx: Fix out-of-bound access Juan José Arboleda (1): ALSA: usb-audio: Support Yamaha P-125 quirk entry Justin Tee (1): scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Kamalesh Babulal (1): cgroup: Avoid extra dereference in css_populate_dir() Kees Cook (5): pid: Replace struct pid 1-element array with flex-array bpf: Replace bpf_lpm_trie_key 0-length array with flexible array hwmon: (pc87360) Bounds check data->innr usage net/sun3_82586: Avoid reading past buffer in debug output x86: Increase brk randomness entropy for 64-bit systems Keith Busch (1): nvme: clear caller pointer on identify failure Khazhismel Kumykov (1): dm resume: don't return EINVAL when signalled Konstantin Komarov (1): fs/ntfs3: Do copy_to_user out of run_lock Krishna Kurapati (1): usb: dwc3: core: Skip setting event buffers for host only controllers Kuniyuki Iwashima (1): kcm: Serialise kcm_sendmsg() for the same socket. Kunwu Chan (1): powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Lang Yu (1): drm/amdkfd: reserve the BO before validating it Lee Jones (1): drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Lee, Chun-Yi (1): Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO Leon Hwang (1): bpf: Fix updating attached freplace prog in prog_array map Li Lingfeng (1): block: Fix lockdep warning in blk_mq_mark_tag_wait Li Nan (1): md: clean up invalid BUG_ON in md_ioctl Li RongQing (1): KVM: x86: fire timer when it is migrated and expired, and in oneshot mode Li Zhong (1): ext4: check the return value of ext4_xattr_inode_dec_ref() Li zeming (1): powerpc/boot: Handle allocation failure in simple_realloc() Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Lizhi Xu (1): squashfs: squashfs_read_data need to check if the length is 0 Long Li (1): net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Lucas Karpinski (1): selftests/net: synchronize udpgro tests' tx and rx connection Luiz Augusto von Dentz (4): Bluetooth: RFCOMM: Fix not validating setsockopt user input Bluetooth: bnep: Fix out-of-bound access Bluetooth: hci_core: Fix LE quote calculation Bluetooth: SMP: Fix assumption of Central always being Initiator Maciej Fijalkowski (6): ice: Prepare legacy-rx for upcoming XDP multi-buffer support ice: Add xdp_buff to ice_rx_ring struct ice: Store page count inside ice_rx_buf ice: Pull out next_to_clean bump out of ice_put_rx_buf() ice: fix page reuse when PAGE_SIZE is over 8k ice: fix ICE_LAST_OFFSET formula Manas Ghandat (1): jfs: fix shift-out-of-bounds in dbJoin Marc Zyngier (1): KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Martin Blumenstingl (1): clocksource/drivers/arm_global_timer: Guard against division by zero Masahiro Yamada (2): rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Mathias Nyman (1): xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Mathieu Othacehe (1): tty: atmel_serial: use the correct RTS flag. Matthieu Baerts (NGI0) (4): mptcp: pm: re-using ID of unused removed ADD_ADDR mptcp: pm: re-using ID of unused removed subflows mptcp: pm: re-using ID of unused flushed subflows mptcp: pm: only decrement add_addr_accepted for MPJ req Max Filippov (1): fs: binfmt_elf_efpic: don't use missing interpreter's properties Max Kellermann (1): fs/netfs/fscache_cookie: add missing "n_accesses" check Maximilian Luz (1): platform/surface: aggregator: Fix warning when controller is destroyed in probe Michael Ellerman (1): powerpc/boot: Only free if realloc() succeeds Michael Grzeschik (1): usb: gadget: uvc: cleanup request when not in correct state Michał Mirosław (2): i2c: tegra: allow DVC support to be compiled out i2c: tegra: allow VI support to be compiled out Miguel Ojeda (3): kbuild: rust_is_available: normalize version matching kbuild: rust_is_available: handle failures calling `$RUSTC`/`$BINDGEN` rust: work around `bindgen` 0.69.0 issue Mika Westerberg (1): thunderbolt: Mark XDomain as unplugged when router is removed Mike Christie (1): scsi: spi: Fix sshdr use Mikko Perttunen (1): drm/tegra: Zero-initialize iosys_map Mikulas Patocka (2): dm persistent data: fix memory allocation failure dm suspend: return -ERESTARTSYS instead of -EINTR Miri Korenblit (1): wifi: iwlwifi: abort scan when rfkill on but device enabled Muhammad Husaini Zulkifli (1): igc: Correct the launchtime offset Mukesh Sisodiya (1): wifi: iwlwifi: fw: Fix debugfs command sending Nam Cao (1): riscv: change XIP's kernel_map.size to be size of the entire kernel Namjae Jeon (1): ksmbd: the buffer of smb2 query dir response has at least 1 byte Naohiro Aota (1): btrfs: zoned: properly take lock to read/update block group's zoned variables Neel Natu (1): kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files NeilBrown (6): NFS: avoid infinite loop in pnfs_update_layout. nfsd: Simplify code around svc_exit_thread() call in nfsd() nfsd: separate nfsd_last_thread() from nfsd_put() NFSD: simplify error paths in nfsd_svc() nfsd: call nfsd_last_thread() before final nfsd_put() nfsd: don't call locks_release_private() twice concurrently Nikolay Aleksandrov (4): bonding: fix bond_ipsec_offload_ok return type bonding: fix null pointer deref in bond_ipsec_offload_ok bonding: fix xfrm real_dev null pointer dereference bonding: fix xfrm state handling when clearing active slave Nikolay Kuratov (1): cxgb4: add forgotten u64 ivlan cast before shift Oreoluwa Babatunde (1): openrisc: Call setup_memory() earlier in the init sequence Pablo Neira Ayuso (1): netfilter: flowtable: validate vlan header Paolo Abeni (1): selftests: net: more strict check in net_helper Parsa Poorshikhian (1): ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Paul E. McKenney (1): rcu: Eliminate rcu_gp_slow_unregister() false positive Pawel Dembicki (3): net: dsa: vsc73xx: pass value in phy_write operation net: dsa: vsc73xx: use read_poll_timeout instead delay loop net: dsa: vsc73xx: check busy flag in MDIO operations Pei Li (1): jfs: Fix shift-out-of-bounds in dbDiscardAG Peiyang Wang (1): net: hns3: use the user's cfg after reset Peng Fan (1): pmdomain: imx: wait SSAR when i.MX93 power domain on Phil Chang (1): hrtimer: Prevent queuing of hrtimer without a function callback Phil Sutter (9): netfilter: nf_tables: Audit log dump reset after the fact netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj netfilter: nf_tables: Unconditionally allocate nft_obj_filter netfilter: nf_tables: A better name for nft_obj_filter netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx netfilter: nf_tables: nft_obj_filter fits into cb->ctx netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx netfilter: nf_tables: Introduce nf_tables_getobj_single netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Philip Yang (1): drm/amdkfd: Move dma unmapping after TLB flush Philipp Stanner (1): media: drivers/media/dvb-core: copy user arrays safely Phillip Lougher (1): Squashfs: fix variable overflow triggered by sysbot Qu Wenruo (1): btrfs: tree-checker: add dev extent item checks Radhey Shyam Pandey (1): net: axienet: Fix register defines comment description Rand Deeb (1): ssb: Fix division by zero issue in ssb_calc_clock_rate Richard Fitzgerald (1): firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Rob Clark (1): drm/msm: Reduce fallout of fence signaling vs reclaim hangs Rodrigo Siqueira (1): drm/amd/display: Adjust cursor position Ryusuke Konishi (1): nilfs2: prevent WARNING in nilfs_dat_commit_end() Sagi Grimberg (1): nvmet-rdma: fix possible bad dereference when freeing rsps Samuel Holland (1): arm64: Fix KASAN random tag seed initialization Sean Anderson (2): net: xilinx: axienet: Always disable promiscuous mode net: xilinx: axienet: Fix dangling multicast addresses Sebastian Andrzej Siewior (2): netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Siarhei Vishniakou (1): HID: microsoft: Add rumble support to latest xbox controllers Simon Horman (1): tc-testing: don't access non-existent variable on exception Stefan Haberland (1): s390/dasd: fix error recovery leading to data corruption on ESE devices Stefan Hajnoczi (1): virtiofs: forbid newlines in tags Stephen Hemminger (1): netem: fix return value if duplicate enqueue fails Takashi Iwai (2): ALSA: usb: Fix UBSAN warning in parse_audio_unit() ALSA: timer: Relax start tick time check for slave timer elements Tetsuo Handa (2): nilfs2: initialize "struct nilfs_binfo_dat"->bi_pad field Input: MT - limit max slots Theodore Ts'o (1): ext4, jbd2: add an optimized bmap for the journal inode Thomas Bogendoerfer (1): ip6_tunnel: Fix broken GRO Thomas Gleixner (1): posix-timers: Ensure timer ID search-loop limit is valid Tom Hughes (1): netfilter: allow ipv6 fragments to arrive on different devices Tomi Valkeinen (1): drm/bridge: tc358768: Attempt to fix DSI horizontal timings Trond Myklebust (1): nfsd: Fix a regression in nfsd_setattr() Uwe Kleine-König (1): usb: gadget: fsl: Increase size of name buffer for endpoints Vladimir Oltean (5): net: dsa: tag_ocelot: do not rely on skb_mac_header() for VLAN xmit net: dsa: tag_ocelot: call only the relevant portion of __skb_vlan_pop() on TX net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" net: mscc: ocelot: serialize access to the injection/extraction groups Waiman Long (1): mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Werner Sembach (2): Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Willem de Bruijn (3): fou: remove warn in gue_gro_receive on unsupported protocol net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation net: drop bad gso csum_start and offset in virtio_net_hdr Wolfram Sang (1): i2c: riic: avoid potential division by zero Yajun Deng (1): net: sched: Print msecs when transmit queue time out Yan Zhai (1): gso: fix dodgy bit handling for GSO_UDP_L4 Ying Hsu (1): Bluetooth: Fix hci_link_tx_to RCU lock usage Yu Kuai (1): md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log' Yue Haibing (1): mlxbf_gige: Remove two unused function declarations Yuri Benditovich (1): net: change maximum number of UDP segments to 128 Zhen Lei (3): selinux: fix potential counting error in avc_add_xperms_decision() mm: Remove kmem_valid_obj() rcu: Dump memory object info if callback function is invalid Zhiguo Niu (1): f2fs: fix to do sanity check in update_sit_entry Zhihao Cheng (1): vfs: Don't evict inode under the inode lru traversing context Zhu Yanjun (1): RDMA/rtrs: Fix the problem of variable not initialized fully Zi Yan (2): mm/numa: no task_numa_fault() call if PMD is changed mm/numa: no task_numa_fault() call if PTE is changed Zijun Hu (1): Bluetooth: hci_conn: Check non NULL function before calling for HFP offload yunshui (1): bpf, net: Use DEV_STAT_INC()

8 months, 1 week

1
1
0 0

[PATCH] ASoC: amd: yc: Add a quirk for MSI Bravo 17 (D7VEK)

by Markuss Broks

MSI Bravo 17 (D7VEK), like other laptops from the family, has broken ACPI tables and needs a quirk for internal mic to work. Signed-off-by: Markuss Broks <markuss.broks(a)gmail.com> --- sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c index 0523c16305db..843abc378b28 100644 --- a/sound/soc/amd/yc/acp6x-mach.c +++ b/sound/soc/amd/yc/acp6x-mach.c @@ -353,6 +353,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 15 C7VF"), } }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), + DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VEK"), + } + }, { .driver_data = &acp6x_card, .matches = { -- 2.46.0

8 months, 1 week

3
4
0 0

[PATCH v2 net-next 1/3] icmp: change the order of rate limits

by Eric Dumazet

ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3) 2) The per destination limit is checked/updated. This might add a new node in inetpeer tree. 3) icmp_global_consume() consumes tokens if prior operations succeeded. This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS. As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation. Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited") Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Reported-by: Keyu Man <keyu.man(a)email.ucr.edu> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Cc: Jesper Dangaard Brouer <hawk(a)kernel.org> Cc: stable(a)vger.kernel.org --- include/net/ip.h | 2 + net/ipv4/icmp.c | 103 ++++++++++++++++++++++++++--------------------- net/ipv6/icmp.c | 28 ++++++++----- 3 files changed, 76 insertions(+), 57 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index c5606cadb1a552f3e282a5e1e721fd47b07432b2..82248813619e3f21e09d52976accbdc76c7668c2 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -795,6 +795,8 @@ static inline void ip_cmsg_recv(struct msghdr *msg, struct sk_buff *skb) } bool icmp_global_allow(void); +void icmp_global_consume(void); + extern int sysctl_icmp_msgs_per_sec; extern int sysctl_icmp_msgs_burst; diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index b8f56d03fcbb62970a828e20dd9f05fcede2d552..0078e8fb2e86d0552ef85eb5bf5bef947b0f1c3d 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -224,57 +224,59 @@ int sysctl_icmp_msgs_per_sec __read_mostly = 1000; int sysctl_icmp_msgs_burst __read_mostly = 50; static struct { - spinlock_t lock; - u32 credit; + atomic_t credit; u32 stamp; -} icmp_global = { - .lock = __SPIN_LOCK_UNLOCKED(icmp_global.lock), -}; +} icmp_global; /** * icmp_global_allow - Are we allowed to send one more ICMP message ? * * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec. * Returns false if we reached the limit and can not send another packet. - * Note: called with BH disabled + * Works in tandem with icmp_global_consume(). */ bool icmp_global_allow(void) { - u32 credit, delta, incr = 0, now = (u32)jiffies; - bool rc = false; + u32 delta, now, oldstamp; + int incr, new, old; - /* Check if token bucket is empty and cannot be refilled - * without taking the spinlock. The READ_ONCE() are paired - * with the following WRITE_ONCE() in this same function. + /* Note: many cpus could find this condition true. + * Then later icmp_global_consume() could consume more credits, + * this is an acceptable race. */ - if (!READ_ONCE(icmp_global.credit)) { - delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ); - if (delta < HZ / 50) - return false; - } + if (atomic_read(&icmp_global.credit) > 0) + return true; - spin_lock(&icmp_global.lock); - delta = min_t(u32, now - icmp_global.stamp, HZ); - if (delta >= HZ / 50) { - incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; - if (incr) - WRITE_ONCE(icmp_global.stamp, now); - } - credit = min_t(u32, icmp_global.credit + incr, - READ_ONCE(sysctl_icmp_msgs_burst)); - if (credit) { - /* We want to use a credit of one in average, but need to randomize - * it for security reasons. - */ - credit = max_t(int, credit - get_random_u32_below(3), 0); - rc = true; + now = jiffies; + oldstamp = READ_ONCE(icmp_global.stamp); + delta = min_t(u32, now - oldstamp, HZ); + if (delta < HZ / 50) + return false; + + incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; + if (!incr) + return false; + + if (cmpxchg(&icmp_global.stamp, oldstamp, now) == oldstamp) { + old = atomic_read(&icmp_global.credit); + do { + new = min(old + incr, READ_ONCE(sysctl_icmp_msgs_burst)); + } while (!atomic_try_cmpxchg(&icmp_global.credit, &old, new)); } - WRITE_ONCE(icmp_global.credit, credit); - spin_unlock(&icmp_global.lock); - return rc; + return true; } EXPORT_SYMBOL(icmp_global_allow); +void icmp_global_consume(void) +{ + int credits = get_random_u32_below(3); + + /* Note: this might make icmp_global.credit negative. */ + if (credits) + atomic_sub(credits, &icmp_global.credit); +} +EXPORT_SYMBOL(icmp_global_consume); + static bool icmpv4_mask_allow(struct net *net, int type, int code) { if (type > NR_ICMP_TYPES) @@ -291,14 +293,16 @@ static bool icmpv4_mask_allow(struct net *net, int type, int code) return false; } -static bool icmpv4_global_allow(struct net *net, int type, int code) +static bool icmpv4_global_allow(struct net *net, int type, int code, + bool *apply_ratelimit) { if (icmpv4_mask_allow(net, type, code)) return true; - if (icmp_global_allow()) + if (icmp_global_allow()) { + *apply_ratelimit = true; return true; - + } __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL); return false; } @@ -308,15 +312,16 @@ static bool icmpv4_global_allow(struct net *net, int type, int code) */ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, - struct flowi4 *fl4, int type, int code) + struct flowi4 *fl4, int type, int code, + bool apply_ratelimit) { struct dst_entry *dst = &rt->dst; struct inet_peer *peer; bool rc = true; int vif; - if (icmpv4_mask_allow(net, type, code)) - goto out; + if (!apply_ratelimit) + return true; /* No rate limit on loopback */ if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) @@ -331,6 +336,8 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, out: if (!rc) __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST); + else + icmp_global_consume(); return rc; } @@ -402,6 +409,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) struct ipcm_cookie ipc; struct rtable *rt = skb_rtable(skb); struct net *net = dev_net(rt->dst.dev); + bool apply_ratelimit = false; struct flowi4 fl4; struct sock *sk; struct inet_sock *inet; @@ -413,11 +421,11 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) if (ip_options_echo(net, &icmp_param->replyopts.opt.opt, skb)) return; - /* Needed by both icmp_global_allow and icmp_xmit_lock */ + /* Needed by both icmpv4_global_allow and icmp_xmit_lock */ local_bh_disable(); - /* global icmp_msgs_per_sec */ - if (!icmpv4_global_allow(net, type, code)) + /* is global icmp_msgs_per_sec exhausted ? */ + if (!icmpv4_global_allow(net, type, code, &apply_ratelimit)) goto out_bh_enable; sk = icmp_xmit_lock(net); @@ -450,7 +458,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) rt = ip_route_output_key(net, &fl4); if (IS_ERR(rt)) goto out_unlock; - if (icmpv4_xrlim_allow(net, rt, &fl4, type, code)) + if (icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit)) icmp_push_reply(sk, icmp_param, &fl4, &ipc, &rt); ip_rt_put(rt); out_unlock: @@ -596,6 +604,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, int room; struct icmp_bxm icmp_param; struct rtable *rt = skb_rtable(skb_in); + bool apply_ratelimit = false; struct ipcm_cookie ipc; struct flowi4 fl4; __be32 saddr; @@ -677,7 +686,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, } } - /* Needed by both icmp_global_allow and icmp_xmit_lock */ + /* Needed by both icmpv4_global_allow and icmp_xmit_lock */ local_bh_disable(); /* Check global sysctl_icmp_msgs_per_sec ratelimit, unless @@ -685,7 +694,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow) */ if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) && - !icmpv4_global_allow(net, type, code)) + !icmpv4_global_allow(net, type, code, &apply_ratelimit)) goto out_bh_enable; sk = icmp_xmit_lock(net); @@ -744,7 +753,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, goto out_unlock; /* peer icmp_ratelimit */ - if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code)) + if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit)) goto ende; /* RFC says return as much as we can without exceeding 576 bytes. */ diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 7b31674644efc338ec458d92dfe495480825b0fd..46f70e4a835139ef7d8925c49440865355048193 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -175,14 +175,16 @@ static bool icmpv6_mask_allow(struct net *net, int type) return false; } -static bool icmpv6_global_allow(struct net *net, int type) +static bool icmpv6_global_allow(struct net *net, int type, + bool *apply_ratelimit) { if (icmpv6_mask_allow(net, type)) return true; - if (icmp_global_allow()) + if (icmp_global_allow()) { + *apply_ratelimit = true; return true; - + } __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL); return false; } @@ -191,13 +193,13 @@ static bool icmpv6_global_allow(struct net *net, int type) * Check the ICMP output rate limit */ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type, - struct flowi6 *fl6) + struct flowi6 *fl6, bool apply_ratelimit) { struct net *net = sock_net(sk); struct dst_entry *dst; bool res = false; - if (icmpv6_mask_allow(net, type)) + if (!apply_ratelimit) return true; /* @@ -228,6 +230,8 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type, if (!res) __ICMP6_INC_STATS(net, ip6_dst_idev(dst), ICMP6_MIB_RATELIMITHOST); + else + icmp_global_consume(); dst_release(dst); return res; } @@ -452,6 +456,7 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, struct net *net; struct ipv6_pinfo *np; const struct in6_addr *saddr = NULL; + bool apply_ratelimit = false; struct dst_entry *dst; struct icmp6hdr tmp_hdr; struct flowi6 fl6; @@ -533,11 +538,12 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, return; } - /* Needed by both icmp_global_allow and icmpv6_xmit_lock */ + /* Needed by both icmpv6_global_allow and icmpv6_xmit_lock */ local_bh_disable(); /* Check global sysctl_icmp_msgs_per_sec ratelimit */ - if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type)) + if (!(skb->dev->flags & IFF_LOOPBACK) && + !icmpv6_global_allow(net, type, &apply_ratelimit)) goto out_bh_enable; mip6_addr_swap(skb, parm); @@ -575,7 +581,7 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, np = inet6_sk(sk); - if (!icmpv6_xrlim_allow(sk, type, &fl6)) + if (!icmpv6_xrlim_allow(sk, type, &fl6, apply_ratelimit)) goto out; tmp_hdr.icmp6_type = type; @@ -717,6 +723,7 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) struct ipv6_pinfo *np; const struct in6_addr *saddr = NULL; struct icmp6hdr *icmph = icmp6_hdr(skb); + bool apply_ratelimit = false; struct icmp6hdr tmp_hdr; struct flowi6 fl6; struct icmpv6_msg msg; @@ -781,8 +788,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) goto out; /* Check the ratelimit */ - if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) || - !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6)) + if ((!(skb->dev->flags & IFF_LOOPBACK) && + !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY, &apply_ratelimit)) || + !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6, apply_ratelimit)) goto out_dst_release; idev = __in6_dev_get(skb->dev); -- 2.46.0.295.g3b9ea8a38a-goog

8 months, 1 week

1
0
0 0

[PATCH 6.10 000/273] 6.10.7-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.10.7 release. There are 273 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.10.7-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.10.7-rc1 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Input: MT - limit max slots Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix race condition between destroy_previous_session() and smb2 operations() Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Add a test to verify previous stacksafe() fix Boyuan Zhang <boyuan.zhang(a)amd.com> drm/amdgpu/vcn: not pause dpg for unified queue Boyuan Zhang <boyuan.zhang(a)amd.com> drm/amdgpu/vcn: identify unified queue in sw init Christian Brauner <brauner(a)kernel.org> Revert "pidfd: prevent creation of pidfds for kthreads" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Do not dereference NULL job->fence in trace points Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: check re-using ID of closed subflow Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: validate fullmesh endp on 1st sf Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: avoid possible UaF when selecting endp Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fullmesh: select the right ID later Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only in-kernel cannot have entries with ID 0 Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only decrement add_addr_accepted for MPJ req Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only mark 'subflow' endp as available Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: remove mptcp_pm_remove_subflow() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused flushed subflows Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused removed subflows Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused removed ADD_ADDR Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> thermal: of: Fix OF node leak in thermal_of_zone_register() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> thermal: of: Fix OF node leak in thermal_of_trips_init() error path Dave Airlie <airlied(a)redhat.com> nouveau/firmware: use dma non-coherent allocator Peng Fan <peng.fan(a)nxp.com> pmdomain: imx: wait SSAR when i.MX93 power domain on Alexander Stein <alexander.stein(a)ew.tq-group.com> pmdomain: imx: scu-pd: Remove duplicated clocks Steve French <stfrench(a)microsoft.com> smb3: fix broken cached reads when posix locks Ben Whitten <ben.whitten(a)gmail.com> mmc: dw_mmc: allow biu and ciu clocks to defer Mengqi Zhang <mengqi.zhang(a)mediatek.com> mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Waiman Long <longman(a)redhat.com> cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if cpus.exclusive not set Chen Ridong <chenridong(a)huawei.com> cgroup/cpuset: fix panic caused by partcmd_update Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Zenghui Yu <yuzenghui(a)huawei.com> KVM: arm64: vgic-debug: Don't put unmarked LPIs Nikolay Kuratov <kniv(a)yandex-team.ru> cxgb4: add forgotten u64 ivlan cast before shift Michael Ellerman <mpe(a)ellerman.id.au> ata: pata_macio: Fix DMA table overflow Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Nicolin Chen <nicolinc(a)nvidia.com> iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace() Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Defer calculation of resolution until resolution_code is known Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: Set timer mode in cpu-probe Martin Whitaker <foss(a)martin-whitaker.me.uk> net: dsa: microchip: fix PTP config failure when using multiple ports Mengyuan Lou <mengyuanlou(a)net-swift.com> net: ngbe: Fix phy mode set to external phy Harald Freudenberger <freude(a)linux.ibm.com> s390/ap: Refine AP bus bindings complete processing Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Fix return value on last invalid resource Hans de Goede <hdegoede(a)redhat.com> platform/x86: dell-uart-backlight: Use acpi_video_get_backlight_type() Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add backlight=native quirk for Dell OptiPlex 7760 AIO Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add Dell UART backlight controller detection Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 Candice Li <candice.li(a)amd.com> drm/amdgpu: Validate TA binary size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: the buffer of smb2 query dir response has at least 1 byte Chaotian Jing <chaotian.jing(a)mediatek.com> scsi: core: Fix the return value of scsi_logical_block_count() Griffin Kroah-Hartman <griffin(a)kroah.com> Bluetooth: MGMT: Add error handling to pair_device() Ming Lei <ming.lei(a)redhat.com> nvme: move stopping keep-alive into nvme_uninit_ctrl() Paulo Alcantara <pc(a)manguebit.com> smb: client: ignore unhandled reparse tags Alexander Gordeev <agordeev(a)linux.ibm.com> s390/boot: Fix KASLR base offset off by __START_KERNEL bytes Alexander Gordeev <agordeev(a)linux.ibm.com> s390/boot: Avoid possible physmem_info segment corruption Yang Ruibin <11162571(a)vivo.com> thermal/debugfs: Fix the NULL vs IS_ERR() confusion in debugfs_create_dir() Matthew Brost <matthew.brost(a)intel.com> drm/xe: Free job before xe_exec_queue_put Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Don't initialize fences at xe_sched_job_create() Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Split lrc seqno fence creation up Matthew Brost <matthew.brost(a)intel.com> drm/xe: Decouple job seqno and lrc seqno Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe: Relax runtime pm protection during execution Stuart Summers <stuart.summers(a)intel.com> drm/xe: Fix missing workqueue destroy in xe_gt_pagefault Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: sanitize peek buffer setup Dan Carpenter <dan.carpenter(a)linaro.org> mmc: mmc_test: Fix NULL dereference on allocation failure Matthew Brost <matthew.brost(a)intel.com> drm/xe: Fix tile fini sequence Matthew Auld <matthew.auld(a)intel.com> drm/xe: reset mmio mappings with devm Matthew Auld <matthew.auld(a)intel.com> drm/xe/mmio: move mmio_fini over to devm Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix opregion leak Matthew Auld <matthew.auld(a)intel.com> drm/xe/display: stop calling domains_driver_remove twice Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/hdcp: Use correct cp_irq_count Vignesh Raghavendra <vigneshr(a)ti.com> spi: spi-cadence-quadspi: Fix OSPI NOR failures during system resume Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm: fix the highest_bank_bit for sc7180 Tejun Heo <tj(a)kernel.org> workqueue: Fix spruious data race in __flush_work() Will Deacon <will(a)kernel.org> workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: take plane rotation into account for wide planes Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: relax YUV requirements Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: limit QCM2290 to RGB formats only Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: reset the link phy params before link training Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: fix the max supported bpp logic Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: don't play tricks with debug macros Alexandra Winter <wintera(a)linux.ibm.com> s390/iucv: Fix vargs handling in iucv_alloc_device() Menglong Dong <menglong8.dong(a)gmail.com> net: ovs: fix ovs_drop_reasons error Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix dangling multicast addresses Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Always disable promiscuous mode Bharat Bhushan <bbhushan2(a)marvell.com> octeontx2-af: Fix CPT AF register offset calculation Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: flowtable: validate vlan header Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Fix double DMA unmapping for XDP_REDIRECT Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible UAF in ip6_xmit() Eric Dumazet <edumazet(a)google.com> ipv6: fix possible UAF in ip6_finish_output2() Eric Dumazet <edumazet(a)google.com> ipv6: prevent UAF in ip6_send_skb() Ido Schimmel <idosch(a)nvidia.com> selftests: mlxsw: ethtool_lanes: Source ethtool lib from correct path Felix Fietkau <nbd(a)nbd.name> udp: fix receiving fraglist GSO packets Stephen Hemminger <stephen(a)networkplumber.org> netem: fix return value if duplicate enqueue fails Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Fix out-of-bound access Paolo Abeni <pabeni(a)redhat.com> igb: cope with large MAX_SKB_FRAGS Dan Carpenter <dan.carpenter(a)linaro.org> dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> ice: use internal pf id instead of function number Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix truesize operations for PAGE_SIZE >= 8192 Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix ICE_LAST_OFFSET formula Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix page reuse when PAGE_SIZE is over 8k Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm state handling when clearing active slave Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm real_dev null pointer dereference Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix null pointer deref in bond_ipsec_offload_ok Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix bond_ipsec_offload_ok return type Thomas Bogendoerfer <tbogendoerfer(a)suse.de> ip6_tunnel: Fix broken GRO Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). Kuniyuki Iwashima <kuniyu(a)amazon.com> kcm: Serialise kcm_sendmsg() for the same socket. Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: test: Use correct skb for route input check Florian Westphal <fw(a)strlen.de> tcp: prevent concurrent execution of tcp_sk_exit_batch Hangbin Liu <liuhangbin(a)gmail.com> selftests: udpgro: no need to load xdp for gro Hangbin Liu <liuhangbin(a)gmail.com> selftests: udpgro: report error when receive failed Simon Horman <horms(a)kernel.org> tc-testing: don't access non-existent variable on exception Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix IPsec RoCE MPV trace call Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: XPS, Fix oversight of Multi-PF Netdev changes Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: serialize access to the injection/extraction groups Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix assumption of Central always being Initiator Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix LE quote calculation Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in Masahiro Yamada <masahiroy(a)kernel.org> kbuild: avoid scripts/kallsyms parsing /dev/null Masahiro Yamada <masahiroy(a)kernel.org> kbuild: merge temporary vmlinux for BTF and kallsyms Alexandre Courbot <gnurou(a)gmail.com> Makefile: add $(srctree) to dependency of compile_commands.json target Takashi Iwai <tiwai(a)suse.de> ALSA: hda/tas2781: Use correct endian conversion Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator: Fix warning when controller is destroyed in probe Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850 Mikulas Patocka <mpatocka(a)redhat.com> dm suspend: return -ERESTARTSYS instead of -EINTR Su Hui <suhui(a)nfschina.com> smb/client: avoid possible NULL dereference in cifs_free_subrequest() David Howells <dhowells(a)redhat.com> cifs: Add a tracepoint to track credits involved in R/W requests Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_bang_bang: Use governor_data to reduce overhead Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_bang_bang: Add .manage() callback Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_bang_bang: Split bang_bang_control() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_bang_bang: Drop unnecessary cooling device target state checks Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Don't register panel_power_savings on OLED panels Li Lingfeng <lilingfeng3(a)huawei.com> block: Fix lockdep warning in blk_mq_mark_tag_wait Samuel Holland <samuel.holland(a)sifive.com> arm64: Fix KASAN random tag seed initialization Ryo Takakura <takakura(a)valinux.co.jp> printk/panic: Allow cpu backtraces to be written into ringbuffer during panic Nysal Jan K.A <nysal(a)linux.ibm.com> powerpc/topology: Check if a core is online Nysal Jan K.A <nysal(a)linux.ibm.com> cpu/SMT: Enable SMT only if a core is online Olivier Langlois <olivier(a)trillion01.com> io_uring/napi: check napi_enabled in io_napi_add() before proceeding Pavel Begunkov <asml.silence(a)gmail.com> io_uring/napi: use ktime in busy polling Thorsten Blum <thorsten.blum(a)toblux.com> io_uring/napi: Remove unnecessary s64 cast Eric Farman <farman(a)linux.ibm.com> s390/dasd: Remove DMA alignment Masahiro Yamada <masahiroy(a)kernel.org> rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Masahiro Yamada <masahiroy(a)kernel.org> rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Miguel Ojeda <ojeda(a)kernel.org> rust: work around `bindgen` 0.69.0 issue Maíra Canal <mcanal(a)igalia.com> drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()` Parsa Poorshikhian <parsa.poorsh(a)gmail.com> ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Asmaa Mnebhi <asmaa(a)nvidia.com> gpio: mlxbf3: Support shutdown() function Barak Biber <bbiber(a)nvidia.com> iommu: Restore lost return in iommu_report_device_fault() Song Liu <song(a)kernel.org> kallsyms: Match symbols exactly with CONFIG_LTO_CLANG Song Liu <song(a)kernel.org> kallsyms: Do not cleanup .llvm.<hash> suffix before sorting symbols Jann Horn <jannh(a)google.com> kallsyms: get rid of code for absolute kallsyms Masahiro Yamada <masahiroy(a)kernel.org> kbuild: remove PROVIDE() for kallsyms symbols Masahiro Yamada <masahiroy(a)kernel.org> kbuild: refactor variables in scripts/link-vmlinux.sh Jie Wang <wangjie125(a)huawei.com> net: hns3: fix a deadlock problem when config TC during resetting Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use the user's cfg after reset Jie Wang <wangjie125(a)huawei.com> net: hns3: fix wrong use of semaphore up Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: net: lib: kill PIDs before del netns Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: net: lib: ignore possible errors Cong Wang <cong.wang(a)bytedance.com> vsock: fix recursive ->recvmsg calls Abhinav Jain <jain.abhinav177(a)gmail.com> selftest: af_unix: Fix kselftest compilation warnings Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Introduce nf_tables_getobj_single Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log dump reset after the fact Florian Westphal <fw(a)strlen.de> netfilter: nf_queue: drop packets with cloned unconfirmed conntracks Donald Hunter <donald.hunter(a)gmail.com> netfilter: flowtable: initialise extack before use Donald Hunter <donald.hunter(a)gmail.com> netfilter: nfnetlink: Initialise extack before use in ACKs Tom Hughes <tom(a)compton.nu> netfilter: allow ipv6 fragments to arrive on different devices Subash Abhinov Kasiviswanathan <quic_subashab(a)quicinc.com> tcp: Update window clamping condition Eugene Syromiatnikov <esyr(a)redhat.com> mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size David Thompson <davthompson(a)nvidia.com> mlxbf_gige: disable RX filters until RX path initialized Zheng Zhang <everything411(a)qq.com> net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: check busy flag in MDIO operations Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: pass value in phy_write operation Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: fix port MAC configuration in full duplex mode Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> net: axienet: Fix register defines comment description Dan Carpenter <dan.carpenter(a)linaro.org> atm: idt77252: prevent use after free in dequeue_rx() Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Correctly report errors for ethtool rx flows Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: Take state lock during tx timeout reporter Tariq Toukan <tariqt(a)nvidia.com> net/mlx5: SD, Do not query MPIR register if no sd_group Eric Dumazet <edumazet(a)google.com> gtp: pull network headers in gtp_dev_xmit() Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix qbv tx latency by setting gtxoffset Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix reset adapter logics when tx mode change Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix qbv_config_change_errors logics Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: fix invalid mapping of extent xarray state Dominique Martinet <asmadeus(a)codewreck.org> 9p: Fix DIO read through netfs Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix a kernel verifier crash in stacksafe() Leon Hwang <leon.hwang(a)linux.dev> bpf: Fix updating attached freplace prog in prog_array map yangerkun <yangerkun(a)huawei.com> libfs: fix infinite directory reads for offset dir Omar Sandoval <osandov(a)fb.com> filelock: fix name of file_lease slab cache Matthew Wilcox (Oracle) <willy(a)infradead.org> netfs: Fault in smaller chunks for non-large folio mappings Claudio Imbrenda <imbrenda(a)linux.ibm.com> s390/uv: Panic for set and remove shared access UVC errors Christian Brauner <brauner(a)kernel.org> pidfd: prevent creation of pidfds for kthreads David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: command submission parser for JPEG Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/jpeg4: properly set atomics vmid field Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/jpeg2: properly set atomics vmid field Melissa Wen <mwen(a)igalia.com> drm/amd/display: fix cursor offset on rotation 180 Loan Chen <lo-an.chen(a)amd.com> drm/amd/display: Enable otg synchronization logic for DCN321 Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: fix s2idle entry for DCN3.5+ Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust cursor position Al Viro <viro(a)zeniv.linux.org.uk> memcg_write_event_control(): fix a user-triggerable oops Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> drm/amdgpu: Actually check flags for all context ops. Qu Wenruo <wqu(a)suse.com> btrfs: only enable extent map shrinker for DEBUG builds Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: add dev extent item checks Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: properly take lock to read/update block group's zoned variables Filipe Manana <fdmanana(a)suse.com> btrfs: only run the extent map shrinker from kswapd tasks Josef Bacik <josef(a)toxicpanda.com> btrfs: check delayed refs when we're checking if a ref exists Filipe Manana <fdmanana(a)suse.com> btrfs: send: allow cloning non-aligned extent if it ends at i_size Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type Zi Yan <ziy(a)nvidia.com> mm/numa: no task_numa_fault() call if PTE is changed Hailong Liu <hailong.liu(a)oppo.com> mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Zi Yan <ziy(a)nvidia.com> mm/numa: no task_numa_fault() call if PMD is changed Suren Baghdasaryan <surenb(a)google.com> alloc_tag: introduce clear_page_tag_ref() helper function Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests: memfd_secret: don't build memfd_secret test on unsupported arches Waiman Long <longman(a)redhat.com> mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Suren Baghdasaryan <surenb(a)google.com> alloc_tag: mark pages reserved during CMA activation as not tagged Zhen Lei <thunder.leizhen(a)huawei.com> selinux: add the processing of the failure of avc_add_xperms_decision() Zhen Lei <thunder.leizhen(a)huawei.com> selinux: fix potential counting error in avc_add_xperms_decision() Max Kellermann <max.kellermann(a)ionos.com> fs/netfs/fscache_cookie: add missing "n_accesses" check Janne Grunau <j(a)jannau.net> wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion Long Li <longli(a)microsoft.com> net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Hans de Goede <hdegoede(a)redhat.com> media: atomisp: Fix streaming no longer working on BYT / ISP2400 devices Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Fix RX buf alloc_size alignment and atomic op panic Yu Kuai <yukuai3(a)huawei.com> md/raid1: Fix data corruption for degraded array with slow disk David Hildenbrand <david(a)redhat.com> mm/hugetlb: fix hugetlb vs. core-mm PT locking Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix endless reclaim on machines with unaccepted memory Dan Carpenter <dan.carpenter(a)linaro.org> rtla/osnoise: Prevent NULL dereference in error handling Pedro Falcato <pedro.falcato(a)gmail.com> mseal: fix is_madv_discard() Kyle Huey <me(a)kylehuey.com> perf/bpf: Don't call bpf_overflow_handler() for tracing events Steven Rostedt <rostedt(a)goodmis.org> tracing: Return from tracing_buffers_read() if the file has been closed Andi Shyti <andi.shyti(a)kernel.org> i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Al Viro <viro(a)zeniv.linux.org.uk> fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Zhihao Cheng <chengzhihao1(a)huawei.com> vfs: Don't evict inode under the inode lru traversing context Mikulas Patocka <mpatocka(a)redhat.com> dm persistent data: fix memory allocation failure Khazhismel Kumykov <khazhy(a)google.com> dm resume: don't return EINVAL when signalled Haibo Xu <haibo1.xu(a)intel.com> arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Evaluate _REG outside the EC scope more carefully Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Add a depth argument to acpi_execute_reg_methods() Breno Leitao <leitao(a)debian.org> i2c: tegra: Do not mark ACPI devices as irq safe Steve French <stfrench(a)microsoft.com> smb3: fix lock breakage for cached writes Celeste Liu <coelacanthushex(a)gmail.com> riscv: entry: always initialize regs->a0 to -ENOSYS Nam Cao <namcao(a)linutronix.de> riscv: change XIP's kernel_map.size to be size of the entire kernel David Gstir <david(a)sigma-star.at> KEYS: trusted: dcp: fix leak of blob encryption key David Gstir <david(a)sigma-star.at> KEYS: trusted: fix DCP blob payload length assignment Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_bang_bang: Call __thermal_cdev_update() directly Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: fix validity interception issue when gisa is switched off Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix error recovery leading to data corruption on ESE devices Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Relax start tick time check for slave timer elements Baojun Xu <baojun.xu(a)ti.com> ALSA: hda/tas2781: fix wrong calibrated data order Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Mark XDomain as unplugged when router is removed Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Marc Zyngier <maz(a)kernel.org> usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() Hans de Goede <hdegoede(a)redhat.com> usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[] Juan José Arboleda <soyjuanarbol(a)gmail.com> ALSA: usb-audio: Support Yamaha P-125 quirk entry Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Check USB endpoints when probing device Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Refine workqueue handling Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Don't destroy workqueue from work item running on it Jann Horn <jannh(a)google.com> fuse: Initialize beyond-EOF page contents before setting uptodate David Howells <dhowells(a)redhat.com> netfs, ceph: Revert "netfs: Remove deprecated use of PG_private_2 as a second writeback flag" Paul Moore <paul(a)paul-moore.com> selinux: revert our use of vma_is_initial_heap() Xu Yang <xu.yang_2(a)nxp.com> Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET" Griffin Kroah-Hartman <griffin(a)kroah.com> Revert "serial: 8250_omap: Set the console genpd always on if no console suspend" Griffin Kroah-Hartman <griffin(a)kroah.com> Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: EC: Evaluate orphan _REG under EC device" Mathieu Othacehe <m.othacehe(a)gmail.com> tty: atmel_serial: use the correct RTS flag. Peng Fan <peng.fan(a)nxp.com> tty: serial: fsl_lpuart: mark last busy before uart_add_one_port Masahiro Yamada <masahiroy(a)kernel.org> tty: vt: conmakehash: remove non-portable code printing comment header ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 3 +- Makefile | 6 +- arch/arm64/kernel/acpi_numa.c | 2 +- arch/arm64/kernel/setup.c | 3 - arch/arm64/kernel/smp.c | 2 + arch/arm64/kvm/sys_regs.c | 6 + arch/arm64/kvm/vgic/vgic-debug.c | 2 +- arch/arm64/kvm/vgic/vgic.h | 7 + arch/mips/kernel/cpu-probe.c | 4 + arch/powerpc/include/asm/topology.h | 13 ++ arch/riscv/kernel/traps.c | 4 +- arch/riscv/mm/init.c | 4 +- arch/s390/boot/startup.c | 55 ++++--- arch/s390/boot/vmem.c | 14 +- arch/s390/boot/vmlinux.lds.S | 7 +- arch/s390/include/asm/page.h | 3 +- arch/s390/include/asm/uv.h | 5 +- arch/s390/kernel/vmlinux.lds.S | 2 +- arch/s390/kvm/kvm-s390.h | 7 +- arch/s390/tools/relocs.c | 2 +- block/blk-mq-tag.c | 5 +- drivers/acpi/acpica/acevents.h | 6 +- drivers/acpi/acpica/evregion.c | 12 +- drivers/acpi/acpica/evxfregn.c | 64 +------- drivers/acpi/ec.c | 14 +- drivers/acpi/internal.h | 1 + drivers/acpi/scan.c | 2 + drivers/acpi/video_detect.c | 22 +++ drivers/ata/pata_macio.c | 23 ++- drivers/atm/idt77252.c | 9 +- drivers/bluetooth/btintel.c | 10 -- drivers/bluetooth/btintel_pcie.c | 3 - drivers/bluetooth/btmtksdio.c | 3 - drivers/bluetooth/btrtl.c | 1 - drivers/bluetooth/btusb.c | 4 +- drivers/bluetooth/hci_qca.c | 4 +- drivers/bluetooth/hci_vhci.c | 2 - drivers/char/xillybus/xillyusb.c | 42 ++++- drivers/gpio/gpio-mlxbf3.c | 14 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 +++--- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 63 ++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 7 +- drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 1 + drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 18 +- drivers/gpu/drm/amd/amdgpu/soc15d.h | 6 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 32 +++- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 4 +- .../display/dc/resource/dcn321/dcn321_resource.c | 3 + drivers/gpu/drm/i915/display/intel_dp_hdcp.c | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 +- drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 20 ++- drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 + drivers/gpu/drm/msm/dp/dp_panel.c | 19 ++- drivers/gpu/drm/msm/msm_mdss.c | 2 +- drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 +- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 + drivers/gpu/drm/v3d/v3d_sched.c | 14 +- drivers/gpu/drm/xe/display/xe_display.c | 6 +- drivers/gpu/drm/xe/xe_device.c | 4 +- drivers/gpu/drm/xe/xe_exec_queue.c | 19 --- drivers/gpu/drm/xe/xe_exec_queue_types.h | 10 -- drivers/gpu/drm/xe/xe_gt_pagefault.c | 18 +- drivers/gpu/drm/xe/xe_guc_submit.c | 8 +- drivers/gpu/drm/xe/xe_hw_fence.c | 59 +++++-- drivers/gpu/drm/xe/xe_hw_fence.h | 7 +- drivers/gpu/drm/xe/xe_lrc.c | 48 +++++- drivers/gpu/drm/xe/xe_lrc.h | 3 + drivers/gpu/drm/xe/xe_mmio.c | 41 ++++- drivers/gpu/drm/xe/xe_mmio.h | 2 +- drivers/gpu/drm/xe/xe_ring_ops.c | 22 +-- drivers/gpu/drm/xe/xe_sched_job.c | 182 ++++++++++++--------- drivers/gpu/drm/xe/xe_sched_job.h | 7 +- drivers/gpu/drm/xe/xe_sched_job_types.h | 20 ++- drivers/gpu/drm/xe/xe_trace.h | 11 +- drivers/hid/wacom_wac.c | 4 +- drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-tegra.c | 4 +- drivers/input/input-mt.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 20 +-- drivers/input/serio/i8042.c | 10 +- drivers/iommu/io-pgfault.c | 1 + drivers/iommu/iommufd/device.c | 2 +- drivers/md/dm-ioctl.c | 22 ++- drivers/md/dm.c | 4 +- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/raid1.c | 14 +- drivers/misc/fastrpc.c | 22 +-- drivers/mmc/core/mmc_test.c | 9 +- drivers/mmc/host/dw_mmc.c | 8 + drivers/mmc/host/mtk-sd.c | 8 +- drivers/net/bonding/bond_main.c | 21 +-- drivers/net/bonding/bond_options.c | 2 +- drivers/net/dsa/microchip/ksz_ptp.c | 5 +- drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 +- drivers/net/dsa/ocelot/felix.c | 11 ++ drivers/net/dsa/vitesse-vsc73xx-core.c | 45 ++++- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 - drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 +++- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +- .../net/ethernet/intel/ice/devlink/devlink_port.c | 4 +- drivers/net/ethernet/intel/ice/ice_base.c | 21 ++- drivers/net/ethernet/intel/ice/ice_txrx.c | 47 +----- drivers/net/ethernet/intel/igb/igb_main.c | 1 + drivers/net/ethernet/intel/igc/igc_defines.h | 6 + drivers/net/ethernet/intel/igc/igc_main.c | 8 +- drivers/net/ethernet/intel/igc/igc_tsn.c | 76 +++++++-- drivers/net/ethernet/intel/igc/igc_tsn.h | 1 + .../net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 ++- drivers/net/ethernet/mediatek/mtk_wed.c | 6 +- .../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 + .../ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +- .../mellanox/mlx5/core/lib/ipsec_fs_roce.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/lib/sd.c | 18 +- .../net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 8 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 ++ .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 +++++- drivers/net/ethernet/microsoft/mana/mana_en.c | 28 +++- drivers/net/ethernet/mscc/ocelot.c | 91 ++++++++++- drivers/net/ethernet/mscc/ocelot_fdma.c | 3 +- drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 + drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 8 +- drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 +-- drivers/net/gtp.c | 3 + drivers/net/wireless/ath/ath12k/dp_tx.c | 72 ++++++++ drivers/net/wireless/ath/ath12k/hw.c | 6 + drivers/net/wireless/ath/ath12k/hw.h | 4 + drivers/net/wireless/ath/ath12k/mac.c | 1 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +- drivers/nvme/host/core.c | 2 +- drivers/platform/surface/aggregator/controller.c | 3 +- drivers/platform/x86/dell/Kconfig | 1 + drivers/platform/x86/dell/dell-uart-backlight.c | 8 + .../x86/intel/speed_select_if/isst_tpmi_core.c | 3 +- drivers/pmdomain/imx/imx93-pd.c | 5 +- drivers/pmdomain/imx/scu-pd.c | 5 - drivers/s390/block/dasd.c | 36 ++-- drivers/s390/block/dasd_3990_erp.c | 10 +- drivers/s390/block/dasd_eckd.c | 57 +++---- drivers/s390/block/dasd_genhd.c | 1 - drivers/s390/block/dasd_int.h | 2 +- drivers/s390/crypto/ap_bus.c | 7 +- drivers/spi/spi-cadence-quadspi.c | 14 +- .../media/atomisp/pci/ia_css_stream_public.h | 8 +- .../staging/media/atomisp/pci/sh_css_internal.h | 19 ++- drivers/thermal/gov_bang_bang.c | 91 ++++++++--- drivers/thermal/thermal_core.c | 3 +- drivers/thermal/thermal_debugfs.c | 6 +- drivers/thermal/thermal_of.c | 23 ++- drivers/thunderbolt/switch.c | 1 + drivers/tty/serial/8250/8250_omap.c | 33 +--- drivers/tty/serial/atmel_serial.c | 2 +- drivers/tty/serial/fsl_lpuart.c | 1 + drivers/tty/vt/conmakehash.c | 12 +- drivers/usb/host/xhci-mem.c | 2 +- drivers/usb/host/xhci.c | 8 +- drivers/usb/misc/usb-ljca.c | 1 + drivers/usb/typec/tcpm/tcpm.c | 1 - fs/9p/vfs_addr.c | 3 +- fs/afs/file.c | 3 +- fs/btrfs/delayed-ref.c | 67 ++++++++ fs/btrfs/delayed-ref.h | 2 + fs/btrfs/extent-tree.c | 51 +++++- fs/btrfs/extent_io.c | 14 +- fs/btrfs/extent_map.c | 22 +-- fs/btrfs/free-space-cache.c | 14 +- fs/btrfs/send.c | 52 ++++-- fs/btrfs/super.c | 18 +- fs/btrfs/tree-checker.c | 74 ++++++++- fs/ceph/addr.c | 25 ++- fs/file.c | 28 ++-- fs/fuse/dev.c | 6 +- fs/inode.c | 39 ++++- fs/libfs.c | 35 ++-- fs/locks.c | 2 +- fs/netfs/buffered_read.c | 8 +- fs/netfs/buffered_write.c | 2 +- fs/netfs/fscache_cookie.c | 4 + fs/netfs/io.c | 161 +++++++++++++++++- fs/nfs/fscache.c | 3 +- fs/smb/client/cifsglob.h | 17 +- fs/smb/client/file.c | 58 +++++-- fs/smb/client/reparse.c | 11 +- fs/smb/client/smb1ops.c | 2 +- fs/smb/client/smb2ops.c | 42 ++++- fs/smb/client/smb2pdu.c | 40 ++++- fs/smb/client/trace.h | 55 ++++++- fs/smb/client/transport.c | 8 +- fs/smb/server/connection.c | 34 +++- fs/smb/server/connection.h | 3 +- fs/smb/server/mgmt/user_session.c | 8 + fs/smb/server/smb2pdu.c | 5 +- include/acpi/acpixf.h | 5 +- include/acpi/video.h | 1 + include/asm-generic/vmlinux.lds.h | 19 --- include/linux/bitmap.h | 12 ++ include/linux/bpf_verifier.h | 4 +- include/linux/dsa/ocelot.h | 47 ++++++ include/linux/fs.h | 5 + include/linux/hugetlb.h | 33 +++- include/linux/io_uring_types.h | 2 +- include/linux/mm.h | 11 ++ include/linux/panic.h | 1 + include/linux/pgalloc_tag.h | 13 ++ include/linux/thermal.h | 1 + include/net/af_vsock.h | 4 + include/net/bluetooth/hci.h | 17 +- include/net/bluetooth/hci_core.h | 2 +- include/net/kcm.h | 1 + include/net/mana/mana.h | 1 + include/scsi/scsi_cmnd.h | 2 +- include/soc/mscc/ocelot.h | 12 +- include/trace/events/netfs.h | 1 + include/uapi/misc/fastrpc.h | 3 - init/Kconfig | 25 +-- io_uring/io_uring.h | 2 +- io_uring/kbuf.c | 9 +- io_uring/napi.c | 50 +++--- io_uring/napi.h | 2 +- kernel/bpf/verifier.c | 5 +- kernel/cgroup/cpuset.c | 5 +- kernel/cpu.c | 12 +- kernel/events/core.c | 3 +- kernel/kallsyms.c | 60 +------ kernel/kallsyms_internal.h | 6 - kernel/kallsyms_selftest.c | 22 +-- kernel/panic.c | 8 +- kernel/printk/printk.c | 2 +- kernel/trace/trace.c | 2 +- kernel/vmcore_info.c | 4 - kernel/workqueue.c | 47 +++--- mm/huge_memory.c | 29 ++-- mm/memcontrol.c | 7 +- mm/memory-failure.c | 20 ++- mm/memory.c | 33 ++-- mm/mm_init.c | 12 +- mm/mseal.c | 14 +- mm/page_alloc.c | 51 +++--- mm/vmalloc.c | 11 +- net/bluetooth/hci_core.c | 19 +-- net/bluetooth/hci_event.c | 2 +- net/bluetooth/mgmt.c | 4 + net/bluetooth/smp.c | 146 ++++++++--------- net/bridge/br_netfilter_hooks.c | 6 +- net/dsa/tag_ocelot.c | 37 +---- net/ipv4/tcp_input.c | 28 ++-- net/ipv4/tcp_ipv4.c | 14 ++ net/ipv4/udp_offload.c | 3 +- net/ipv6/ip6_output.c | 10 ++ net/ipv6/ip6_tunnel.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 + net/iucv/iucv.c | 4 +- net/kcm/kcmsock.c | 4 + net/mctp/test/route-test.c | 2 +- net/mptcp/diag.c | 2 +- net/mptcp/pm.c | 13 -- net/mptcp/pm_netlink.c | 142 ++++++++++------ net/mptcp/protocol.h | 3 - net/netfilter/nf_flow_table_inet.c | 3 + net/netfilter/nf_flow_table_ip.c | 3 + net/netfilter/nf_flow_table_offload.c | 2 +- net/netfilter/nf_tables_api.c | 163 ++++++++++++------ net/netfilter/nfnetlink.c | 5 +- net/netfilter/nfnetlink_queue.c | 35 +++- net/netfilter/nft_counter.c | 9 +- net/openvswitch/datapath.c | 2 +- net/sched/sch_netem.c | 47 ++++-- net/vmw_vsock/af_vsock.c | 50 +++--- net/vmw_vsock/vsock_bpf.c | 4 +- scripts/kallsyms.c | 109 ++++-------- scripts/link-vmlinux.sh | 106 ++++++------ scripts/rust_is_available.sh | 6 +- security/keys/trusted-keys/trusted_dcp.c | 35 ++-- security/selinux/avc.c | 8 +- security/selinux/hooks.c | 12 +- sound/core/timer.c | 2 +- sound/pci/hda/patch_realtek.c | 1 - sound/pci/hda/tas2781_hda_i2c.c | 14 +- sound/usb/quirks-table.h | 1 + sound/usb/quirks.c | 2 + tools/perf/tests/vmlinux-kallsyms.c | 1 - tools/testing/selftests/bpf/progs/iters.c | 54 ++++++ tools/testing/selftests/core/close_range_test.c | 35 ++++ .../selftests/drivers/net/mlxsw/ethtool_lanes.sh | 3 +- tools/testing/selftests/mm/Makefile | 2 + tools/testing/selftests/mm/run_vmtests.sh | 3 + tools/testing/selftests/net/af_unix/msg_oob.c | 2 +- tools/testing/selftests/net/lib.sh | 11 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 28 +++- tools/testing/selftests/net/udpgro.sh | 53 +++--- tools/testing/selftests/tc-testing/tdc.py | 1 - tools/tracing/rtla/src/osnoise_top.c | 11 +- 305 files changed, 3476 insertions(+), 1744 deletions(-)

8 months, 1 week

13
286
0 0

[PATCH] tpm: ibmvtpm: Call tpm2_sessions_init() to initialize session support

by Qianqiang Liu

From: Stefan Berger <stefanb(a)linux.ibm.com> Commit d2add27cf2b8 ("tpm: Add NULL primary creation") introduced CONFIG_TCG_TPM2_HMAC. When this option is enabled on ppc64 then the following message appears in the kernel log due to a missing call to tpm2_sessions_init(). [ 2.654549] tpm tpm0: auth session is not active Add the missing call to tpm2_session_init() to the ibmvtpm driver to resolve this issue. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- drivers/char/tpm/tpm_ibmvtpm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c index d3989b257f42..1e5b107d1f3b 100644 --- a/drivers/char/tpm/tpm_ibmvtpm.c +++ b/drivers/char/tpm/tpm_ibmvtpm.c @@ -698,6 +698,10 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, rc = tpm2_get_cc_attrs_tbl(chip); if (rc) goto init_irq_cleanup; + + rc = tpm2_sessions_init(chip); + if (rc) + goto init_irq_cleanup; } return tpm_chip_register(chip); -- 2.39.2

8 months, 1 week

1
0
0 0

[PATCH 2/2] bus: integrator-lm: fix OF node leak in probe()

by Krzysztof Kozlowski

Driver code is leaking OF node reference from of_find_matching_node() in probe(). Fixes: ccea5e8a5918 ("bus: Add driver for Integrator/AP logic modules") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/bus/arm-integrator-lm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/bus/arm-integrator-lm.c b/drivers/bus/arm-integrator-lm.c index b715c8ab36e8..a65c79b08804 100644 --- a/drivers/bus/arm-integrator-lm.c +++ b/drivers/bus/arm-integrator-lm.c @@ -85,6 +85,7 @@ static int integrator_ap_lm_probe(struct platform_device *pdev) return -ENODEV; } map = syscon_node_to_regmap(syscon); + of_node_put(syscon); if (IS_ERR(map)) { dev_err(dev, "could not find Integrator/AP system controller\n"); -- 2.43.0

8 months, 1 week

2
1
0 0

[PATCH v5 4/6] x86/tdx: Add a restriction on access to MMIO address

by Alexey Gladkov

From: "Alexey Gladkov (Intel)" <legion(a)kernel.org> For security reasons, access from kernel space to MMIO addresses in userspace should be restricted. All MMIO operations from kernel space are considered trusted and are not validated. For instance, if in response to a syscall, kernel does put_user() and the target address is MMIO mapping in userspace, current #VE handler threat this access as kernel MMIO which is wrong and have security implications. Cc: stable(a)vger.kernel.org Signed-off-by: Alexey Gladkov (Intel) <legion(a)kernel.org> --- arch/x86/coco/tdx/tdx.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 5d2d07aa08ce..65f65015238a 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -411,6 +411,11 @@ static inline bool is_private_gpa(u64 gpa) return gpa == cc_mkenc(gpa); } +static inline bool is_kernel_addr(unsigned long addr) +{ + return (long)addr < 0; +} + static int get_phys_addr(unsigned long addr, phys_addr_t *phys_addr, bool *writable) { unsigned int level; @@ -606,6 +611,11 @@ static int handle_mmio(struct pt_regs *regs, struct ve_info *ve) if (WARN_ON_ONCE(mmio == INSN_MMIO_DECODE_FAILED)) return -EINVAL; + if (!user_mode(regs) && !is_kernel_addr(ve->gla)) { + WARN_ONCE(1, "Access to userspace address is not supported"); + return -EINVAL; + } + vaddr = (unsigned long)insn_get_addr_ref(&insn, regs); if (user_mode(regs)) { -- 2.46.0

8 months, 1 week

2
1
0 0

[PATCH v3] spi: rockchip: Resolve unbalanced runtime PM / system PM handling

by Brian Norris

Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure. Fixes: e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") Cc: <stable(a)vger.kernel.org> Reported-by: "Ondřej Jirman" <megi(a)xff.cz> Closes: https://lore.kernel.org/lkml/20220621154218.sau54jeij4bunf56@core/ Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- Changes in v3: - actually CC the appropriate lists (sorry, I accidentally dropped them on v2) Changes in v2: - fix unused 'rs' warning drivers/spi/spi-rockchip.c | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c index e1ecd96c7858..0bb33c43b1b4 100644 --- a/drivers/spi/spi-rockchip.c +++ b/drivers/spi/spi-rockchip.c @@ -945,14 +945,16 @@ static int rockchip_spi_suspend(struct device *dev) { int ret; struct spi_controller *ctlr = dev_get_drvdata(dev); - struct rockchip_spi *rs = spi_controller_get_devdata(ctlr); ret = spi_controller_suspend(ctlr); if (ret < 0) return ret; - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); + ret = pm_runtime_force_suspend(dev); + if (ret < 0) { + spi_controller_resume(ctlr); + return ret; + } pinctrl_pm_select_sleep_state(dev); @@ -963,25 +965,14 @@ static int rockchip_spi_resume(struct device *dev) { int ret; struct spi_controller *ctlr = dev_get_drvdata(dev); - struct rockchip_spi *rs = spi_controller_get_devdata(ctlr); pinctrl_pm_select_default_state(dev); - ret = clk_prepare_enable(rs->apb_pclk); + ret = pm_runtime_force_resume(dev); if (ret < 0) return ret; - ret = clk_prepare_enable(rs->spiclk); - if (ret < 0) - clk_disable_unprepare(rs->apb_pclk); - - ret = spi_controller_resume(ctlr); - if (ret < 0) { - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); - } - - return 0; + return spi_controller_resume(ctlr); } #endif /* CONFIG_PM_SLEEP */ -- 2.46.0.295.g3b9ea8a38a-goog

8 months, 1 week

2
1
0 0

[RFC PATCH 2/7] NFSD: Limit the number of concurrent async COPY operations

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Nothing appears to limit the number of concurrent async COPY operations that clients can start. In addition, AFAICT each async COPY can copy an unlimited number of 4MB chunks, so can run for a long time. Thus IMO async COPY can become a DoS vector. Add a restriction mechanism that bounds the number of concurrent background COPY operations. Start simple and try to be fair -- this patch implements a per-namespace limit. An async COPY request that occurs while this limit is exceeded gets NFS4ERR_DELAY. The requesting client can choose to send the request again after a delay or fall back to a traditional read/write style copy. If there is need to make the mechanism more sophisticated, we can visit that in future patches. Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 12 ++++++++++-- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/nfsd/netns.h b/fs/nfsd/netns.h index 14ec15656320..5cae26917436 100644 --- a/fs/nfsd/netns.h +++ b/fs/nfsd/netns.h @@ -148,6 +148,7 @@ struct nfsd_net { u32 s2s_cp_cl_id; struct idr s2s_cp_stateids; spinlock_t s2s_cp_lock; + atomic_t pending_async_copies; /* * Version information diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 60c526adc27c..27f7eceb3b00 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -1279,6 +1279,7 @@ static void nfs4_put_copy(struct nfsd4_copy *copy) { if (!refcount_dec_and_test(&copy->refcount)) return; + atomic_dec(&copy->cp_nn->pending_async_copies); kfree(copy->cp_src); kfree(copy); } @@ -1833,10 +1834,17 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, memcpy(&copy->fh, &cstate->current_fh.fh_handle, sizeof(struct knfsd_fh)); if (nfsd4_copy_is_async(copy)) { - status = nfserrno(-ENOMEM); + /* Arbitrary cap on number of pending async copy operations */ + int nrthreads = atomic_read(&rqstp->rq_pool->sp_nrthreads); + async_copy = kzalloc(sizeof(struct nfsd4_copy), GFP_KERNEL); if (!async_copy) goto out_err; + async_copy->cp_nn = nn; + if (atomic_inc_return(&nn->pending_async_copies) > nrthreads) { + atomic_dec(&nn->pending_async_copies); + goto out_err; + } INIT_LIST_HEAD(&async_copy->copies); refcount_set(&async_copy->refcount, 1); async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL); @@ -1876,7 +1884,7 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, } if (async_copy) cleanup_async_copy(async_copy); - status = nfserrno(-ENOMEM); + status = nfserr_jukebox; goto out; } diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index a20c2c9d7d45..aaebc60cc77c 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -8554,6 +8554,7 @@ static int nfs4_state_create_net(struct net *net) spin_lock_init(&nn->client_lock); spin_lock_init(&nn->s2s_cp_lock); idr_init(&nn->s2s_cp_stateids); + atomic_set(&nn->pending_async_copies, 0); spin_lock_init(&nn->blocked_locks_lock); INIT_LIST_HEAD(&nn->blocked_locks_lru); diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h index fbdd42cde1fa..2a21a7662e03 100644 --- a/fs/nfsd/xdr4.h +++ b/fs/nfsd/xdr4.h @@ -713,6 +713,7 @@ struct nfsd4_copy { struct nfsd4_ssc_umount_item *ss_nsui; struct nfs_fh c_fh; nfs4_stateid stateid; + struct nfsd_net *cp_nn; }; static inline void nfsd4_copy_set_sync(struct nfsd4_copy *copy, bool sync) -- 2.46.0

8 months, 1 week

2
1
0 0

[PATCH net 3/3] i2c: designware: support hardware lock for Wangxun 10Gb NIC

by Jiawen Wu

Support acquire_lock() and release_lock() for Wangxun 10Gb NIC. Since the firmware needs to access I2C all the time for some features, the semaphore is used between software and firmware. The driver should set software semaphore before accessing I2C bus and release it when it is finished. Otherwise, there is probability that the correct information on I2C bus will not be obtained. Cc: stable(a)vger.kernel.org Fixes: 2f8d1ed79345 ("i2c: designware: Add driver support for Wangxun 10Gb NIC") Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/i2c/busses/Makefile | 1 + drivers/i2c/busses/i2c-designware-core.h | 2 + drivers/i2c/busses/i2c-designware-platdrv.c | 3 + drivers/i2c/busses/i2c-designware-wx.c | 65 +++++++++++++++++++++ 4 files changed, 71 insertions(+) create mode 100644 drivers/i2c/busses/i2c-designware-wx.c diff --git a/drivers/i2c/busses/Makefile b/drivers/i2c/busses/Makefile index 78d0561339e5..f0ad9ebaacaa 100644 --- a/drivers/i2c/busses/Makefile +++ b/drivers/i2c/busses/Makefile @@ -58,6 +58,7 @@ i2c-designware-core-y += i2c-designware-master.o i2c-designware-core-$(CONFIG_I2C_DESIGNWARE_SLAVE) += i2c-designware-slave.o obj-$(CONFIG_I2C_DESIGNWARE_PLATFORM) += i2c-designware-platform.o i2c-designware-platform-y := i2c-designware-platdrv.o +i2c-designware-platform-y += i2c-designware-wx.o i2c-designware-platform-$(CONFIG_I2C_DESIGNWARE_AMDPSP) += i2c-designware-amdpsp.o i2c-designware-platform-$(CONFIG_I2C_DESIGNWARE_BAYTRAIL) += i2c-designware-baytrail.o obj-$(CONFIG_I2C_DESIGNWARE_PCI) += i2c-designware-pci.o diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h index 12b77f464fb5..eae2c4cdc851 100644 --- a/drivers/i2c/busses/i2c-designware-core.h +++ b/drivers/i2c/busses/i2c-designware-core.h @@ -414,6 +414,8 @@ int i2c_dw_baytrail_probe_lock_support(struct dw_i2c_dev *dev); int i2c_dw_amdpsp_probe_lock_support(struct dw_i2c_dev *dev); #endif +int i2c_dw_txgbe_probe_lock_support(struct dw_i2c_dev *dev); + int i2c_dw_validate_speed(struct dw_i2c_dev *dev); void i2c_dw_adjust_bus_speed(struct dw_i2c_dev *dev); diff --git a/drivers/i2c/busses/i2c-designware-platdrv.c b/drivers/i2c/busses/i2c-designware-platdrv.c index df3dc1e8093e..49c71ae5b6c1 100644 --- a/drivers/i2c/busses/i2c-designware-platdrv.c +++ b/drivers/i2c/busses/i2c-designware-platdrv.c @@ -229,6 +229,9 @@ static const struct i2c_dw_semaphore_callbacks i2c_dw_semaphore_cb_table[] = { .probe = i2c_dw_amdpsp_probe_lock_support, }, #endif + { + .probe = i2c_dw_txgbe_probe_lock_support, + }, {} }; diff --git a/drivers/i2c/busses/i2c-designware-wx.c b/drivers/i2c/busses/i2c-designware-wx.c new file mode 100644 index 000000000000..0f98160b956d --- /dev/null +++ b/drivers/i2c/busses/i2c-designware-wx.c @@ -0,0 +1,65 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2015 - 2024 Beijing WangXun Technology Co., Ltd. */ + +#include <linux/platform_data/i2c-wx.h> +#include <linux/platform_device.h> +#include <linux/i2c.h> +#include <linux/pci.h> + +#include "i2c-designware-core.h" + +#define I2C_DW_TXGBE_REQ_RETRY_CNT 4000 +#define I2C_DW_TXGBE_MNG_SW 0x1E004 +#define I2C_DW_TXGBE_MNG_SW_SM BIT(0) +#define I2C_DW_TXGBE_FLUSH 0x10000 + +static int i2c_dw_txgbe_acquire_lock(struct dw_i2c_dev *dev) +{ + void __iomem *req_addr; + u32 swsm; + int i; + + req_addr = dev->ext + I2C_DW_TXGBE_MNG_SW; + + for (i = 0; i < I2C_DW_TXGBE_REQ_RETRY_CNT; i++) { + writel(I2C_DW_TXGBE_MNG_SW_SM, req_addr); + + /* If we set the bit successfully then we got semaphore. */ + swsm = readl(req_addr); + if (swsm & I2C_DW_TXGBE_MNG_SW_SM) + break; + + udelay(50); + } + + if (i == I2C_DW_TXGBE_REQ_RETRY_CNT) + return -ETIMEDOUT; + + return 0; +} + +static void i2c_dw_txgbe_release_lock(struct dw_i2c_dev *dev) +{ + writel(0, dev->ext + I2C_DW_TXGBE_MNG_SW); + /* flush register status */ + readl(dev->ext + I2C_DW_TXGBE_FLUSH); +} + +int i2c_dw_txgbe_probe_lock_support(struct dw_i2c_dev *dev) +{ + struct platform_device *pdev = to_platform_device(dev->dev); + struct txgbe_i2c_platform_data *pdata; + + pdata = dev_get_platdata(&pdev->dev); + if (!pdata) + return -ENXIO; + + dev->ext = pdata->hw_addr; + if (!dev->ext) + return -ENXIO; + + dev->acquire_lock = i2c_dw_txgbe_acquire_lock; + dev->release_lock = i2c_dw_txgbe_release_lock; + + return 0; +} -- 2.27.0

8 months, 1 week

3
3
0 0

[PATCH v2] usb: dwc3: core: update LC timer as per USB Spec V3.2

by Faisal Hassan

This fix addresses STAR 9001285599, which only affects DWC_usb3 version 3.20a. The timer value for PM_LC_TIMER in DWC_usb3 3.20a for the Link ECN changes is incorrect. If the PM TIMER ECN is enabled via GUCTL2[19], the link compliance test (TD7.21) may fail. If the ECN is not enabled (GUCTL2[19] = 0), the controller will use the old timer value (5us), which is still acceptable for the link compliance test. Therefore, clear GUCTL2[19] to pass the USB link compliance test: TD 7.21. Cc: stable(a)vger.kernel.org Signed-off-by: Faisal Hassan <quic_faisalh(a)quicinc.com> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> --- Changes in v2: Updated comment and commit message to include the controller IP. v1 link: https://lore.kernel.org/all/20240822084504.1355-1-quic_faisalh@quicinc.com drivers/usb/dwc3/core.c | 15 +++++++++++++++ drivers/usb/dwc3/core.h | 2 ++ 2 files changed, 17 insertions(+) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 734de2a8bd21..92d7ec830322 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -1378,6 +1378,21 @@ static int dwc3_core_init(struct dwc3 *dwc) dwc3_writel(dwc->regs, DWC3_GUCTL2, reg); } + /* + * STAR 9001285599: This issue affects DWC_usb3 version 3.20a + * only. If the PM TIMER ECM is enabled through GUCTL2[19], the + * link compliance test (TD7.21) may fail. If the ECN is not + * enabled (GUCTL2[19] = 0), the controller will use the old timer + * value (5us), which is still acceptable for the link compliance + * test. Therefore, do not enable PM TIMER ECM in 3.20a by + * setting GUCTL2[19] by default; instead, use GUCTL2[19] = 0. + */ + if (DWC3_VER_IS(DWC3, 320A)) { + reg = dwc3_readl(dwc->regs, DWC3_GUCTL2); + reg &= ~DWC3_GUCTL2_LC_TIMER; + dwc3_writel(dwc->regs, DWC3_GUCTL2, reg); + } + /* * When configured in HOST mode, after issuing U3/L2 exit controller * fails to send proper CRC checksum in CRC5 feild. Because of this diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 1e561fd8b86e..c71240e8f7c7 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -421,6 +421,7 @@ /* Global User Control Register 2 */ #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14) +#define DWC3_GUCTL2_LC_TIMER BIT(19) /* Global User Control Register 3 */ #define DWC3_GUCTL3_SPLITDISABLE BIT(14) @@ -1269,6 +1270,7 @@ struct dwc3 { #define DWC3_REVISION_290A 0x5533290a #define DWC3_REVISION_300A 0x5533300a #define DWC3_REVISION_310A 0x5533310a +#define DWC3_REVISION_320A 0x5533320a #define DWC3_REVISION_330A 0x5533330a #define DWC31_REVISION_ANY 0x0 -- 2.17.1

8 months, 1 week

1
0
0 0

[PATCH v2] clk: rockchip: clk-rk3588: Fix 32k clock name for pmu_24m_32k_100m_src_p

by Alexander Shiyan

The 32kHz input clock is named "xin32k" in the driver, so the name "32k" appears to be a typo in this case. Lets fix this. Signed-off-by: Alexander Shiyan <eagle.alexander923(a)gmail.com> Reviewed-by: Dragan Simic <dsimic(a)manjaro.org> Fixes: f1c506d152ff ("clk: rockchip: add clock controller for the RK3588") --- drivers/clk/rockchip/clk-rk3588.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/rockchip/clk-rk3588.c b/drivers/clk/rockchip/clk-rk3588.c index b30279a96dc8..3027379f2fdd 100644 --- a/drivers/clk/rockchip/clk-rk3588.c +++ b/drivers/clk/rockchip/clk-rk3588.c @@ -526,7 +526,7 @@ PNAME(pmu_200m_100m_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src" }; PNAME(pmu_300m_24m_p) = { "clk_300m_src", "xin24m" }; PNAME(pmu_400m_24m_p) = { "clk_400m_src", "xin24m" }; PNAME(pmu_100m_50m_24m_src_p) = { "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" }; -PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "32k", "clk_pmu1_100m_src" }; +PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "xin32k", "clk_pmu1_100m_src" }; PNAME(hclk_pmu1_root_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" }; PNAME(hclk_pmu_cm0_root_p) = { "clk_pmu1_400m_src", "clk_pmu1_200m_src", "clk_pmu1_100m_src", "xin24m" }; PNAME(mclk_pdm0_p) = { "clk_pmu1_300m_src", "clk_pmu1_200m_src" }; -- 2.39.1

8 months, 1 week

3
2
0 0

[PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> On ilk/snb the pipe may be configured to place the LUT before or after the CSC depending on various factors, but as there is only one LUT (no split mode like on IVB+) we only advertise a gamma_lut and no degamma_lut in the uapi to avoid confusing userspace. This can cause a problem during readout if the VBIOS/GOP enabled the LUT in the pre CSC configuration. The current code blindly assigns the results of the readout to the degamma_lut, which will cause a failure during the next atomic_check() as we aren't expecting anything to be in degamma_lut since it's not visible to userspace. Fix the problem by assigning whatever LUT we read out from the hardware into gamma_lut. Cc: stable(a)vger.kernel.org Fixes: d2559299d339 ("drm/i915: Make ilk_read_luts() capable of degamma readout") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11608 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- .../drm/i915/display/intel_modeset_setup.c | 31 ++++++++++++++++--- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_modeset_setup.c b/drivers/gpu/drm/i915/display/intel_modeset_setup.c index 7602cb30ebf1..e1213f3d93cc 100644 --- a/drivers/gpu/drm/i915/display/intel_modeset_setup.c +++ b/drivers/gpu/drm/i915/display/intel_modeset_setup.c @@ -326,6 +326,8 @@ static void intel_modeset_update_connector_atomic_state(struct drm_i915_private static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state) { + struct drm_i915_private *i915 = to_i915(crtc_state->uapi.crtc->dev); + if (intel_crtc_is_joiner_secondary(crtc_state)) return; @@ -337,11 +339,30 @@ static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state crtc_state->uapi.adjusted_mode = crtc_state->hw.adjusted_mode; crtc_state->uapi.scaling_filter = crtc_state->hw.scaling_filter; - /* assume 1:1 mapping */ - drm_property_replace_blob(&crtc_state->hw.degamma_lut, - crtc_state->pre_csc_lut); - drm_property_replace_blob(&crtc_state->hw.gamma_lut, - crtc_state->post_csc_lut); + if (DISPLAY_INFO(i915)->color.degamma_lut_size) { + /* assume 1:1 mapping */ + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + crtc_state->pre_csc_lut); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut); + } else { + /* + * ilk/snb hw may be configured for either pre_csc_lut + * or post_csc_lut, but we don't advertise degamma_lut as + * being available in the uapi since there is only one + * hardware LUT. Always assign the result of the readout + * to gamma_lut as that is the only valid source of LUTs + * in the uapi. + */ + drm_WARN_ON(&i915->drm, crtc_state->post_csc_lut && + crtc_state->pre_csc_lut); + + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + NULL); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut ?: + crtc_state->pre_csc_lut); + } drm_property_replace_blob(&crtc_state->uapi.degamma_lut, crtc_state->hw.degamma_lut); -- 2.44.2

8 months, 1 week

2
1
0 0

[PATCH net v2 00/15] mptcp: more fixes for the in-kernel PM

by Matthieu Baerts (NGI0)

Here is a new batch of fixes for the MPTCP in-kernel path-manager: Patch 1 ensures the address ID is set to 0 when the path-manager sends an ADD_ADDR for the address of the initial subflow. The same fix is applied when a new subflow is created re-using this special address. A fix for v6.0. Patch 2 is similar, but for the case where an endpoint is removed: if this endpoint was used for the initial address, it is important to send a RM_ADDR with this ID set to 0, and look for existing subflows with the ID set to 0. A fix for v6.0 as well. Patch 3 validates the two previous patches. Patch 4 makes the PM selecting an "active" path to send an address notification in an ACK, instead of taking the first path in the list. A fix for v5.11. Patch 5 fixes skipping the establishment of a new subflow if a previous subflow using the same pair of addresses is being closed. A fix for v5.13. Patch 6 resets the ID linked to the initial subflow when the linked endpoint is re-added, possibly with a different ID. A fix for v6.0. Patch 7 validates the three previous patches. Patch 8 is a small fix for the MPTCP Join selftest, when being used with older subflows not supporting all MIB counters. A fix for a commit introduced in v6.4, but backported up to v5.10. Patch 9 avoids the PM to try to close the initial subflow multiple times, and increment counters while nothing happened. A fix for v5.10. Patch 10 stops incrementing local_addr_used and add_addr_accepted counters when dealing with the address ID 0, because these counters are not taking into account the initial subflow, and are then not decremented when the linked addresses are removed. A fix for v6.0. Patch 11 validates the previous patch. Patch 12 avoids the PM to send multiple SUB_CLOSED events for the initial subflow. A fix for v5.12. Patch 13 validates the previous patch. Patch 14 stops treating the ADD_ADDR 0 as a new address, and accepts it in order to re-create the initial subflow if it has been closed, even if the limit for *new* addresses -- not taking into account the address of the initial subflow -- has been reached. A fix for v5.10. Patch 15 validates the previous patch. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Changes in v2: - Patches 11,15/15: allow the connection to run for longer, should fix the issue seen on the Netdev CI, with a debug kconfig. - Link to v1: https://lore.kernel.org/r/20240826-net-mptcp-more-pm-fix-v1-0-8cd6c87d1d6d@… --- Matthieu Baerts (NGI0) (15): mptcp: pm: reuse ID 0 after delete and re-add mptcp: pm: fix RM_ADDR ID for the initial subflow selftests: mptcp: join: check removing ID 0 endpoint mptcp: pm: send ACK on an active subflow mptcp: pm: skip connecting to already established sf mptcp: pm: reset MPC endp ID when re-added selftests: mptcp: join: check re-adding init endp with != id selftests: mptcp: join: no extra msg if no counter mptcp: pm: do not remove already closed subflows mptcp: pm: fix ID 0 endp usage after multiple re-creations selftests: mptcp: join: check re-re-adding ID 0 endp mptcp: avoid duplicated SUB_CLOSED events selftests: mptcp: join: validate event numbers mptcp: pm: ADD_ADDR 0 is not a new address selftests: mptcp: join: check re-re-adding ID 0 signal net/mptcp/pm.c | 4 +- net/mptcp/pm_netlink.c | 87 ++++++++++---- net/mptcp/protocol.c | 6 + net/mptcp/protocol.h | 5 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 153 ++++++++++++++++++++---- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 4 + 6 files changed, 209 insertions(+), 50 deletions(-) --- base-commit: 3a0504d54b3b57f0d7bf3d9184a00c9f8887f6d7 change-id: 20240826-net-mptcp-more-pm-fix-ffa61a36f817 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

8 months, 1 week

2
16
0 0

[PATCH] wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_eht

by Ma Ke

Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_eht. Found by code review. Cc: stable(a)vger.kernel.org Fixes: ba01944adee9 ("wifi: mt76: mt7996: add EHT beamforming support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c index 2e4fa9f48dfb..d0fe2505ddbf 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c @@ -1605,6 +1605,9 @@ mt7996_mcu_sta_bfer_eht(struct ieee80211_sta *sta, struct ieee80211_vif *vif, IEEE80211_EHT_MCS_NSS_RX) - 1; u8 snd_dim, sts; + if (!vc) + return; + bf->tx_mode = MT_PHY_TYPE_EHT_MU; mt7996_mcu_sta_sounding_rate(bf); -- 2.25.1

8 months, 1 week

1
0
0 0

[PATCH net v2 2/2] net: mctp-serial: Fix missing escapes on transmit

by Matt Johnston

0x7d and 0x7e bytes are meant to be escaped in the data portion of frames, but this didn't occur since next_chunk_len() had an off-by-one error. That also resulted in the final byte of a payload being written as a separate tty write op. The chunk prior to an escaped byte would be one byte short, and the next call would never test the txpos+1 case, which is where the escaped byte was located. That meant it never hit the escaping case in mctp_serial_tx_work(). Example Input: 01 00 08 c8 7e 80 02 Previous incorrect chunks from next_chunk_len(): 01 00 08 c8 7e 80 02 With this fix: 01 00 08 c8 7e 80 02 Cc: stable(a)vger.kernel.org Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding") Signed-off-by: Matt Johnston <matt(a)codeconstruct.com.au> --- drivers/net/mctp/mctp-serial.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c index 7a40d07ff77b..f39bbe255497 100644 --- a/drivers/net/mctp/mctp-serial.c +++ b/drivers/net/mctp/mctp-serial.c @@ -91,8 +91,8 @@ static int next_chunk_len(struct mctp_serial *dev) * will be those non-escaped bytes, and does not include the escaped * byte. */ - for (i = 1; i + dev->txpos + 1 < dev->txlen; i++) { - if (needs_escape(dev->txbuf[dev->txpos + i + 1])) + for (i = 1; i + dev->txpos < dev->txlen; i++) { + if (needs_escape(dev->txbuf[dev->txpos + i])) break; }

8 months, 1 week

1
0
0 0

[PATCH net 2/3] i2c: designware: add device private data passing to lock functions

by Jiawen Wu

In order to add the hardware lock for Wangxun devices with minimal modification, pass struct dw_i2c_dev to the acquire and release lock functions. Cc: stable(a)vger.kernel.org Fixes: 2f8d1ed79345 ("i2c: designware: Add driver support for Wangxun 10Gb NIC") Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/i2c/busses/i2c-designware-amdpsp.c | 4 ++-- drivers/i2c/busses/i2c-designware-baytrail.c | 14 ++++++++++++-- drivers/i2c/busses/i2c-designware-common.c | 4 ++-- drivers/i2c/busses/i2c-designware-core.h | 4 ++-- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/drivers/i2c/busses/i2c-designware-amdpsp.c b/drivers/i2c/busses/i2c-designware-amdpsp.c index 63454b06e5da..ee7cc4b33f4b 100644 --- a/drivers/i2c/busses/i2c-designware-amdpsp.c +++ b/drivers/i2c/busses/i2c-designware-amdpsp.c @@ -167,7 +167,7 @@ static void psp_release_i2c_bus_deferred(struct work_struct *work) } static DECLARE_DELAYED_WORK(release_queue, psp_release_i2c_bus_deferred); -static int psp_acquire_i2c_bus(void) +static int psp_acquire_i2c_bus(struct dw_i2c_dev *dev) { int status; @@ -206,7 +206,7 @@ static int psp_acquire_i2c_bus(void) return 0; } -static void psp_release_i2c_bus(void) +static void psp_release_i2c_bus(struct dw_i2c_dev *dev) { mutex_lock(&psp_i2c_access_mutex); diff --git a/drivers/i2c/busses/i2c-designware-baytrail.c b/drivers/i2c/busses/i2c-designware-baytrail.c index 45774aa47c28..9dde796e0fcc 100644 --- a/drivers/i2c/busses/i2c-designware-baytrail.c +++ b/drivers/i2c/busses/i2c-designware-baytrail.c @@ -12,6 +12,16 @@ #include "i2c-designware-core.h" +static int iosf_mbi_block_punit_i2c_access_dev(struct dw_i2c_dev *dev) +{ + return iosf_mbi_block_punit_i2c_access(); +} + +static void iosf_mbi_unblock_punit_i2c_access_dev(struct dw_i2c_dev *dev) +{ + return iosf_mbi_unblock_punit_i2c_access(); +} + int i2c_dw_baytrail_probe_lock_support(struct dw_i2c_dev *dev) { acpi_status status; @@ -36,8 +46,8 @@ int i2c_dw_baytrail_probe_lock_support(struct dw_i2c_dev *dev) return -EPROBE_DEFER; dev_info(dev->dev, "I2C bus managed by PUNIT\n"); - dev->acquire_lock = iosf_mbi_block_punit_i2c_access; - dev->release_lock = iosf_mbi_unblock_punit_i2c_access; + dev->acquire_lock = iosf_mbi_block_punit_i2c_access_dev; + dev->release_lock = iosf_mbi_unblock_punit_i2c_access_dev; dev->shared_with_punit = true; return 0; diff --git a/drivers/i2c/busses/i2c-designware-common.c b/drivers/i2c/busses/i2c-designware-common.c index e8a688d04aee..743875090356 100644 --- a/drivers/i2c/busses/i2c-designware-common.c +++ b/drivers/i2c/busses/i2c-designware-common.c @@ -524,7 +524,7 @@ int i2c_dw_acquire_lock(struct dw_i2c_dev *dev) if (!dev->acquire_lock) return 0; - ret = dev->acquire_lock(); + ret = dev->acquire_lock(dev); if (!ret) return 0; @@ -536,7 +536,7 @@ int i2c_dw_acquire_lock(struct dw_i2c_dev *dev) void i2c_dw_release_lock(struct dw_i2c_dev *dev) { if (dev->release_lock) - dev->release_lock(); + dev->release_lock(dev); } /* diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h index e9606c00b8d1..12b77f464fb5 100644 --- a/drivers/i2c/busses/i2c-designware-core.h +++ b/drivers/i2c/busses/i2c-designware-core.h @@ -291,8 +291,8 @@ struct dw_i2c_dev { u16 fp_lcnt; u16 hs_hcnt; u16 hs_lcnt; - int (*acquire_lock)(void); - void (*release_lock)(void); + int (*acquire_lock)(struct dw_i2c_dev *dev); + void (*release_lock)(struct dw_i2c_dev *dev); int semaphore_idx; bool shared_with_punit; void (*disable)(struct dw_i2c_dev *dev); -- 2.27.0

8 months, 1 week

4
3
0 0

[PATCH net-next 1/3] icmp: change the order of rate limits

by Eric Dumazet

ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3) 2) The per destination limit is checked/updated. This might add a new node in inetpeer tree. 3) icmp_global_consume() consumes tokens if prior operations succeeded. This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS. As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation. Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited") Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Reported-by: Keyu Man <keyu.man(a)email.ucr.edu> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Jesper Dangaard Brouer <hawk(a)kernel.org> Cc: stable(a)vger.kernel.org --- include/net/ip.h | 2 + net/ipv4/icmp.c | 103 ++++++++++++++++++++++++++--------------------- net/ipv6/icmp.c | 28 ++++++++----- 3 files changed, 76 insertions(+), 57 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index c5606cadb1a552f3e282a5e1e721fd47b07432b2..82248813619e3f21e09d52976accbdc76c7668c2 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -795,6 +795,8 @@ static inline void ip_cmsg_recv(struct msghdr *msg, struct sk_buff *skb) } bool icmp_global_allow(void); +void icmp_global_consume(void); + extern int sysctl_icmp_msgs_per_sec; extern int sysctl_icmp_msgs_burst; diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index b8f56d03fcbb62970a828e20dd9f05fcede2d552..0078e8fb2e86d0552ef85eb5bf5bef947b0f1c3d 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -224,57 +224,59 @@ int sysctl_icmp_msgs_per_sec __read_mostly = 1000; int sysctl_icmp_msgs_burst __read_mostly = 50; static struct { - spinlock_t lock; - u32 credit; + atomic_t credit; u32 stamp; -} icmp_global = { - .lock = __SPIN_LOCK_UNLOCKED(icmp_global.lock), -}; +} icmp_global; /** * icmp_global_allow - Are we allowed to send one more ICMP message ? * * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec. * Returns false if we reached the limit and can not send another packet. - * Note: called with BH disabled + * Works in tandem with icmp_global_consume(). */ bool icmp_global_allow(void) { - u32 credit, delta, incr = 0, now = (u32)jiffies; - bool rc = false; + u32 delta, now, oldstamp; + int incr, new, old; - /* Check if token bucket is empty and cannot be refilled - * without taking the spinlock. The READ_ONCE() are paired - * with the following WRITE_ONCE() in this same function. + /* Note: many cpus could find this condition true. + * Then later icmp_global_consume() could consume more credits, + * this is an acceptable race. */ - if (!READ_ONCE(icmp_global.credit)) { - delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ); - if (delta < HZ / 50) - return false; - } + if (atomic_read(&icmp_global.credit) > 0) + return true; - spin_lock(&icmp_global.lock); - delta = min_t(u32, now - icmp_global.stamp, HZ); - if (delta >= HZ / 50) { - incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; - if (incr) - WRITE_ONCE(icmp_global.stamp, now); - } - credit = min_t(u32, icmp_global.credit + incr, - READ_ONCE(sysctl_icmp_msgs_burst)); - if (credit) { - /* We want to use a credit of one in average, but need to randomize - * it for security reasons. - */ - credit = max_t(int, credit - get_random_u32_below(3), 0); - rc = true; + now = jiffies; + oldstamp = READ_ONCE(icmp_global.stamp); + delta = min_t(u32, now - oldstamp, HZ); + if (delta < HZ / 50) + return false; + + incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; + if (!incr) + return false; + + if (cmpxchg(&icmp_global.stamp, oldstamp, now) == oldstamp) { + old = atomic_read(&icmp_global.credit); + do { + new = min(old + incr, READ_ONCE(sysctl_icmp_msgs_burst)); + } while (!atomic_try_cmpxchg(&icmp_global.credit, &old, new)); } - WRITE_ONCE(icmp_global.credit, credit); - spin_unlock(&icmp_global.lock); - return rc; + return true; } EXPORT_SYMBOL(icmp_global_allow); +void icmp_global_consume(void) +{ + int credits = get_random_u32_below(3); + + /* Note: this might make icmp_global.credit negative. */ + if (credits) + atomic_sub(credits, &icmp_global.credit); +} +EXPORT_SYMBOL(icmp_global_consume); + static bool icmpv4_mask_allow(struct net *net, int type, int code) { if (type > NR_ICMP_TYPES) @@ -291,14 +293,16 @@ static bool icmpv4_mask_allow(struct net *net, int type, int code) return false; } -static bool icmpv4_global_allow(struct net *net, int type, int code) +static bool icmpv4_global_allow(struct net *net, int type, int code, + bool *apply_ratelimit) { if (icmpv4_mask_allow(net, type, code)) return true; - if (icmp_global_allow()) + if (icmp_global_allow()) { + *apply_ratelimit = true; return true; - + } __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL); return false; } @@ -308,15 +312,16 @@ static bool icmpv4_global_allow(struct net *net, int type, int code) */ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, - struct flowi4 *fl4, int type, int code) + struct flowi4 *fl4, int type, int code, + bool apply_ratelimit) { struct dst_entry *dst = &rt->dst; struct inet_peer *peer; bool rc = true; int vif; - if (icmpv4_mask_allow(net, type, code)) - goto out; + if (!apply_ratelimit) + return true; /* No rate limit on loopback */ if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) @@ -331,6 +336,8 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, out: if (!rc) __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST); + else + icmp_global_consume(); return rc; } @@ -402,6 +409,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) struct ipcm_cookie ipc; struct rtable *rt = skb_rtable(skb); struct net *net = dev_net(rt->dst.dev); + bool apply_ratelimit = false; struct flowi4 fl4; struct sock *sk; struct inet_sock *inet; @@ -413,11 +421,11 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) if (ip_options_echo(net, &icmp_param->replyopts.opt.opt, skb)) return; - /* Needed by both icmp_global_allow and icmp_xmit_lock */ + /* Needed by both icmpv4_global_allow and icmp_xmit_lock */ local_bh_disable(); - /* global icmp_msgs_per_sec */ - if (!icmpv4_global_allow(net, type, code)) + /* is global icmp_msgs_per_sec exhausted ? */ + if (!icmpv4_global_allow(net, type, code, &apply_ratelimit)) goto out_bh_enable; sk = icmp_xmit_lock(net); @@ -450,7 +458,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) rt = ip_route_output_key(net, &fl4); if (IS_ERR(rt)) goto out_unlock; - if (icmpv4_xrlim_allow(net, rt, &fl4, type, code)) + if (icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit)) icmp_push_reply(sk, icmp_param, &fl4, &ipc, &rt); ip_rt_put(rt); out_unlock: @@ -596,6 +604,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, int room; struct icmp_bxm icmp_param; struct rtable *rt = skb_rtable(skb_in); + bool apply_ratelimit = false; struct ipcm_cookie ipc; struct flowi4 fl4; __be32 saddr; @@ -677,7 +686,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, } } - /* Needed by both icmp_global_allow and icmp_xmit_lock */ + /* Needed by both icmpv4_global_allow and icmp_xmit_lock */ local_bh_disable(); /* Check global sysctl_icmp_msgs_per_sec ratelimit, unless @@ -685,7 +694,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow) */ if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) && - !icmpv4_global_allow(net, type, code)) + !icmpv4_global_allow(net, type, code, &apply_ratelimit)) goto out_bh_enable; sk = icmp_xmit_lock(net); @@ -744,7 +753,7 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, goto out_unlock; /* peer icmp_ratelimit */ - if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code)) + if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit)) goto ende; /* RFC says return as much as we can without exceeding 576 bytes. */ diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 7b31674644efc338ec458d92dfe495480825b0fd..46f70e4a835139ef7d8925c49440865355048193 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -175,14 +175,16 @@ static bool icmpv6_mask_allow(struct net *net, int type) return false; } -static bool icmpv6_global_allow(struct net *net, int type) +static bool icmpv6_global_allow(struct net *net, int type, + bool *apply_ratelimit) { if (icmpv6_mask_allow(net, type)) return true; - if (icmp_global_allow()) + if (icmp_global_allow()) { + *apply_ratelimit = true; return true; - + } __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL); return false; } @@ -191,13 +193,13 @@ static bool icmpv6_global_allow(struct net *net, int type) * Check the ICMP output rate limit */ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type, - struct flowi6 *fl6) + struct flowi6 *fl6, bool apply_ratelimit) { struct net *net = sock_net(sk); struct dst_entry *dst; bool res = false; - if (icmpv6_mask_allow(net, type)) + if (!apply_ratelimit) return true; /* @@ -228,6 +230,8 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type, if (!res) __ICMP6_INC_STATS(net, ip6_dst_idev(dst), ICMP6_MIB_RATELIMITHOST); + else + icmp_global_consume(); dst_release(dst); return res; } @@ -452,6 +456,7 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, struct net *net; struct ipv6_pinfo *np; const struct in6_addr *saddr = NULL; + bool apply_ratelimit = false; struct dst_entry *dst; struct icmp6hdr tmp_hdr; struct flowi6 fl6; @@ -533,11 +538,12 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, return; } - /* Needed by both icmp_global_allow and icmpv6_xmit_lock */ + /* Needed by both icmpv6_global_allow and icmpv6_xmit_lock */ local_bh_disable(); /* Check global sysctl_icmp_msgs_per_sec ratelimit */ - if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type)) + if (!(skb->dev->flags & IFF_LOOPBACK) && + !icmpv6_global_allow(net, type, &apply_ratelimit)) goto out_bh_enable; mip6_addr_swap(skb, parm); @@ -575,7 +581,7 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, np = inet6_sk(sk); - if (!icmpv6_xrlim_allow(sk, type, &fl6)) + if (!icmpv6_xrlim_allow(sk, type, &fl6, apply_ratelimit)) goto out; tmp_hdr.icmp6_type = type; @@ -717,6 +723,7 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) struct ipv6_pinfo *np; const struct in6_addr *saddr = NULL; struct icmp6hdr *icmph = icmp6_hdr(skb); + bool apply_ratelimit = false; struct icmp6hdr tmp_hdr; struct flowi6 fl6; struct icmpv6_msg msg; @@ -781,8 +788,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) goto out; /* Check the ratelimit */ - if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) || - !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6)) + if ((!(skb->dev->flags & IFF_LOOPBACK) && + !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY, &apply_ratelimit)) || + !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6, apply_ratelimit)) goto out_dst_release; idev = __in6_dev_get(skb->dev); -- 2.46.0.295.g3b9ea8a38a-goog

8 months, 1 week

2
1
0 0

[PATCH] usb: dwc3: core: update LC timer as per USB Spec V3.2

by Faisal Hassan

This fix addresses STAR 9001285599, which only affects dwc3 core version 320a. The timer value for PM_LC_TIMER in 320a for the Link ECN changes is incorrect. If the PM TIMER ECN is enabled via GUCTL2[19], the link compliance test (TD7.21) may fail. If the ECN is not enabled (GUCTL2[19] = 0), the controller will use the old timer value (5us), which is still acceptable for the link compliance test. Therefore, clear GUCTL2[19] to pass the USB link compliance test: TD 7.21. Cc: stable(a)vger.kernel.org Signed-off-by: Faisal Hassan <quic_faisalh(a)quicinc.com> --- drivers/usb/dwc3/core.c | 15 +++++++++++++++ drivers/usb/dwc3/core.h | 2 ++ 2 files changed, 17 insertions(+) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 734de2a8bd21..d0bd3a0e1f9c 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -1378,6 +1378,21 @@ static int dwc3_core_init(struct dwc3 *dwc) dwc3_writel(dwc->regs, DWC3_GUCTL2, reg); } + /* + * STAR 9001285599: This issue affects dwc3 core version 3.20a + * only. If the PM TIMER ECM is enabled through GUCTL2[19], the + * link compliance test (TD7.21) may fail. If the ECN is not + * enabled (GUCTL2[19] = 0), the controller will use the old timer + * value (5us), which is still acceptable for the link compliance + * test. Therefore, do not enable PM TIMER ECM in 3.20a by + * setting GUCTL2[19] by default; instead, use GUCTL2[19] = 0. + */ + if (DWC3_VER_IS(DWC3, 320A)) { + reg = dwc3_readl(dwc->regs, DWC3_GUCTL2); + reg &= ~DWC3_GUCTL2_LC_TIMER; + dwc3_writel(dwc->regs, DWC3_GUCTL2, reg); + } + /* * When configured in HOST mode, after issuing U3/L2 exit controller * fails to send proper CRC checksum in CRC5 feild. Because of this diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 1e561fd8b86e..c71240e8f7c7 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -421,6 +421,7 @@ /* Global User Control Register 2 */ #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14) +#define DWC3_GUCTL2_LC_TIMER BIT(19) /* Global User Control Register 3 */ #define DWC3_GUCTL3_SPLITDISABLE BIT(14) @@ -1269,6 +1270,7 @@ struct dwc3 { #define DWC3_REVISION_290A 0x5533290a #define DWC3_REVISION_300A 0x5533300a #define DWC3_REVISION_310A 0x5533310a +#define DWC3_REVISION_320A 0x5533320a #define DWC3_REVISION_330A 0x5533330a #define DWC31_REVISION_ANY 0x0 -- 2.17.1

8 months, 1 week

2
1
0 0

[PATCH v5] usb: dwc3: Avoid waking up gadget during startxfer

by Prashanth K

When operating in High-Speed, it is observed that DSTS[USBLNKST] doesn't update link state immediately after receiving the wakeup interrupt. Since wakeup event handler calls the resume callbacks, there is a chance that function drivers can perform an ep queue, which in turn tries to perform remote wakeup from send_gadget_ep_cmd(STARTXFER). This happens because DSTS[[21:18] wasn't updated to U0 yet, it's observed that the latency of DSTS can be in order of milli-seconds. Hence avoid calling gadget_wakeup during startxfer to prevent unnecessarily issuing remote wakeup to host. Fixes: c36d8e947a56 ("usb: dwc3: gadget: put link to U0 before Start Transfer") Cc: <stable(a)vger.kernel.org> Suggested-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com> --- v5: Further rewording of the comment in function. v4: Rewording the comment in function definition. v3: Added notes on top the function definition. v2: Refactored the patch as suggested in v1 discussion. drivers/usb/dwc3/gadget.c | 41 ++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89fc690fdf34..291bc549935b 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -287,6 +287,23 @@ static int __dwc3_gadget_wakeup(struct dwc3 *dwc, bool async); * * Caller should handle locking. This function will issue @cmd with given * @params to @dep and wait for its completion. + * + * According to the programming guide, if the link state is in L1/L2/U3, + * then sending the Start Transfer command may not complete. The + * programming guide suggested to bring the link state back to ON/U0 by + * performing remote wakeup prior to sending the command. However, don't + * initiate remote wakeup when the user/function does not send wakeup + * request via wakeup ops. Send the command when it's allowed. + * + * Notes: + * For L1 link state, issuing a command requires the clearing of + * GUSB2PHYCFG.SUSPENDUSB2, which turns on the signal required to complete + * the given command (usually within 50us). This should happen within the + * command timeout set by driver. No additional step is needed. + * + * For L2 or U3 link state, the gadget is in USB suspend. Care should be + * taken when sending Start Transfer command to ensure that it's done after + * USB resume. */ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd, struct dwc3_gadget_ep_cmd_params *params) @@ -327,30 +344,6 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd, dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); } - if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_STARTTRANSFER) { - int link_state; - - /* - * Initiate remote wakeup if the link state is in U3 when - * operating in SS/SSP or L1/L2 when operating in HS/FS. If the - * link state is in U1/U2, no remote wakeup is needed. The Start - * Transfer command will initiate the link recovery. - */ - link_state = dwc3_gadget_get_link_state(dwc); - switch (link_state) { - case DWC3_LINK_STATE_U2: - if (dwc->gadget->speed >= USB_SPEED_SUPER) - break; - - fallthrough; - case DWC3_LINK_STATE_U3: - ret = __dwc3_gadget_wakeup(dwc, false); - dev_WARN_ONCE(dwc->dev, ret, "wakeup failed --> %d\n", - ret); - break; - } - } - /* * For some commands such as Update Transfer command, DEPCMDPARn * registers are reserved. Since the driver often sends Update Transfer -- 2.25.1

8 months, 1 week

2
1
0 0

[PATCH 1/1] alloc_tag: fix allocation tag reporting when CONFIG_MODULES=n

by Suren Baghdasaryan

codetag_module_init() is used to initialize sections containing allocation tags. This function is used to initialize module sections as well as core kernel sections, in which case the module parameter is set to NULL. This function has to be called even when CONFIG_MODULES=n to initialize core kernel allocation tag sections. When CONFIG_MODULES=n, this function is a NOP, which is wrong. This leads to /proc/allocinfo reported as empty. Fix this by making it independent of CONFIG_MODULES. Fixes: 916cc5167cc6 ("lib: code tagging framework") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Cc: stable(a)vger.kernel.org # v6.10 --- lib/codetag.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/lib/codetag.c b/lib/codetag.c index 5ace625f2328..afa8a2d4f317 100644 --- a/lib/codetag.c +++ b/lib/codetag.c @@ -125,7 +125,6 @@ static inline size_t range_size(const struct codetag_type *cttype, cttype->desc.tag_size; } -#ifdef CONFIG_MODULES static void *get_symbol(struct module *mod, const char *prefix, const char *name) { DECLARE_SEQ_BUF(sb, KSYM_NAME_LEN); @@ -155,6 +154,15 @@ static struct codetag_range get_section_range(struct module *mod, }; } +static const char *get_mod_name(__maybe_unused struct module *mod) +{ +#ifdef CONFIG_MODULES + if (mod) + return mod->name; +#endif + return "(built-in)"; +} + static int codetag_module_init(struct codetag_type *cttype, struct module *mod) { struct codetag_range range; @@ -164,8 +172,7 @@ static int codetag_module_init(struct codetag_type *cttype, struct module *mod) range = get_section_range(mod, cttype->desc.section); if (!range.start || !range.stop) { pr_warn("Failed to load code tags of type %s from the module %s\n", - cttype->desc.section, - mod ? mod->name : "(built-in)"); + cttype->desc.section, get_mod_name(mod)); return -EINVAL; } @@ -199,6 +206,7 @@ static int codetag_module_init(struct codetag_type *cttype, struct module *mod) return 0; } +#ifdef CONFIG_MODULES void codetag_load_module(struct module *mod) { struct codetag_type *cttype; @@ -248,9 +256,6 @@ bool codetag_unload_module(struct module *mod) return unload_ok; } - -#else /* CONFIG_MODULES */ -static int codetag_module_init(struct codetag_type *cttype, struct module *mod) { return 0; } #endif /* CONFIG_MODULES */ struct codetag_type * base-commit: 9287e4adbc6ab8fa04d25eb82e097fed877a4642 -- 2.46.0.295.g3b9ea8a38a-goog

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] ata: libata-core: Fix null pointer dereference on error" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5d92c7c566dc76d96e0e19e481d926bbe6631c1e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024070108-cabana-swifter-f1c9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 5d92c7c566dc ("ata: libata-core: Fix null pointer dereference on error") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Sat, 29 Jun 2024 14:42:11 +0200 Subject: [PATCH] ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") Cc: stable(a)vger.kernel.org Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: John Garry <john.g.garry(a)oracle.com> Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index efb5195da60c..bdccf4ea251a 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5517,6 +5517,9 @@ static void ata_host_release(struct kref *kref) for (i = 0; i < host->n_ports; i++) { struct ata_port *ap = host->ports[i]; + if (!ap) + continue; + kfree(ap->pmp_link); kfree(ap->slave_link); kfree(ap->ncq_sense_buf);

8 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] ata: libata-core: Fix null pointer dereference on error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 5d92c7c566dc76d96e0e19e481d926bbe6631c1e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024070107-underrate-unusable-ddb9@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 5d92c7c566dc ("ata: libata-core: Fix null pointer dereference on error") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Sat, 29 Jun 2024 14:42:11 +0200 Subject: [PATCH] ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") Cc: stable(a)vger.kernel.org Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: John Garry <john.g.garry(a)oracle.com> Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index efb5195da60c..bdccf4ea251a 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5517,6 +5517,9 @@ static void ata_host_release(struct kref *kref) for (i = 0; i < host->n_ports; i++) { struct ata_port *ap = host->ports[i]; + if (!ap) + continue; + kfree(ap->pmp_link); kfree(ap->slave_link); kfree(ap->ncq_sense_buf);

8 months, 1 week

2
1
0 0

[PATCH v3] mm: Fix race between __split_huge_pmd_locked() and GUP-fast

by Ryan Roberts

__split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> --- Right v3; this goes back to the original approach in v1 to fix core-mm rather than push the fix into arm64, since we discovered that x86 can't handle pmd_mkinvalid() being called for non-present pmds either. I'm pulling in more arch maintainers because this version adds some warnings in arch code to help spot incorrect usage. Although Catalin had already accepted v2 (fixing arm64) [2] into for-next/fixes, he's agreed to either remove or revert it. Changes since v1 [1] ==================== - Improve pmdp_mkinvalid() docs to make it clear it can only be called for present pmd (per JohnH, Zi Yan) - Added warnings to arch overrides of pmdp_invalidate[_ad]() (per Zi Yan) - Moved comment next to new location of pmpd_invalidate() (per Zi Yan) [1] https://lore.kernel.org/linux-mm/20240425170704.3379492-1-ryan.roberts@arm.… [2] https://lore.kernel.org/all/20240430133138.732088-1-ryan.roberts@arm.com/ Thanks, Ryan Documentation/mm/arch_pgtable_helpers.rst | 6 ++- arch/powerpc/mm/book3s64/pgtable.c | 1 + arch/s390/include/asm/pgtable.h | 4 +- arch/sparc/mm/tlb.c | 1 + arch/x86/mm/pgtable.c | 2 + mm/huge_memory.c | 49 ++++++++++++----------- mm/pgtable-generic.c | 2 + 7 files changed, 39 insertions(+), 26 deletions(-) diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst index 2466d3363af7..ad50ca6f495e 100644 --- a/Documentation/mm/arch_pgtable_helpers.rst +++ b/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c index 83823db3488b..2975ea0841ba 100644 --- a/arch/powerpc/mm/book3s64/pgtable.c +++ b/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h index 60950e7a25f5..480bea44559d 100644 --- a/arch/s390/include/asm/pgtable.h +++ b/arch/s390/include/asm/pgtable.h @@ -1768,8 +1768,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c index b44d79d778c7..ef69127d7e5e 100644 --- a/arch/sparc/mm/tlb.c +++ b/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index d007591b8059..103cbccf1d7d 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 89f58c7603b2..dd1fc105f70b 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2493,32 +2493,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2529,6 +2508,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..a78a4adf711a 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif -- 2.25.1

8 months, 1 week

5
8
0 0

[PATCH] MIPS: fw: Gracefully handle unknown firmware protocols

by Bjørn Mork

Boards based on the same SoC family can use different boot loaders. These may pass numeric arguments which we erroneously interpret as command line or environment pointers. Such errors will cause boot to halt at an early stage since commit 056a68cea01e ("mips: allow firmware to pass RNG seed to kernel"). One known example of this issue is a HPE switch using a BootWare boot loader. It was found to pass these arguments to the kernel: 0x00020000 0x00060000 0xfffdffff 0x0000416c We can avoid hanging by validating that both passed pointers are in KSEG1 as expected. Cc: stable(a)vger.kernel.org Fixes: 14aecdd41921 ("MIPS: FW: Add environment variable processing.") Signed-off-by: Bjørn Mork <bjorn(a)mork.no> --- arch/mips/fw/lib/cmdline.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/mips/fw/lib/cmdline.c b/arch/mips/fw/lib/cmdline.c index 892765b742bb..51238c4f9455 100644 --- a/arch/mips/fw/lib/cmdline.c +++ b/arch/mips/fw/lib/cmdline.c @@ -22,7 +22,7 @@ void __init fw_init_cmdline(void) int i; /* Validate command line parameters. */ - if ((fw_arg0 >= CKSEG0) || (fw_arg1 < CKSEG0)) { + if (fw_arg0 >= CKSEG0 || fw_arg1 < CKSEG0 || fw_arg1 >= CKSEG2) { fw_argc = 0; _fw_argv = NULL; } else { @@ -31,7 +31,7 @@ void __init fw_init_cmdline(void) } /* Validate environment pointer. */ - if (fw_arg2 < CKSEG0) + if (fw_arg2 < CKSEG0 || fw_arg2 >= CKSEG2) _fw_envp = NULL; else _fw_envp = (int *)fw_arg2; -- 2.39.2

8 months, 1 week

4
9
0 0

[PATCH] btrfs: qgroup: add missing extent changeset release

by Fedor Pchelkin

The extent changeset may have some additional memory dynamically allocated for ulist in result of clear_record_extent_bits() execution. Release it after the local changeset is no longer needed in BTRFS_QGROUP_MODE_DISABLED case. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+81670362c283f3dd889c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/000000000000aa8c0c060ade165e@google.com Fixes: af0e2aab3b70 ("btrfs: qgroup: flush reservations during quota disable") Cc: stable(a)vger.kernel.org # 6.10+ Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- fs/btrfs/qgroup.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index 5d57a285d59b..4f1fa5d427e1 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -4345,9 +4345,10 @@ static int __btrfs_qgroup_release_data(struct btrfs_inode *inode, if (btrfs_qgroup_mode(inode->root->fs_info) == BTRFS_QGROUP_MODE_DISABLED) { extent_changeset_init(&changeset); - return clear_record_extent_bits(&inode->io_tree, start, - start + len - 1, - EXTENT_QGROUP_RESERVED, &changeset); + ret = clear_record_extent_bits(&inode->io_tree, start, + start + len - 1, + EXTENT_QGROUP_RESERVED, &changeset); + goto out; } /* In release case, we shouldn't have @reserved */ -- 2.39.2

8 months, 1 week

4
8
0 0

[PATCH v3] firmware_loader: Block path traversal

by Jann Horn

Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously. Cc: stable(a)vger.kernel.org Reviewed-by: Danilo Krummrich <dakr(a)kernel.org> Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem") Signed-off-by: Jann Horn <jannh(a)google.com> --- Changes in v3: - replace name_contains_dotdot implementation (Danilo) - add missing \n in log format string (Danilo) - Link to v2: https://lore.kernel.org/r/20240823-firmware-traversal-v2-1-880082882709@goo… Changes in v2: - describe fix in commit message (dakr) - write check more clearly and with comment in separate helper (dakr) - document new restriction in comment above request_firmware() (dakr) - warn when new restriction is triggered - Link to v1: https://lore.kernel.org/r/20240820-firmware-traversal-v1-1-8699ffaa9276@goo… --- drivers/base/firmware_loader/main.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c index a03ee4b11134..324a9a3c087a 100644 --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -849,6 +849,26 @@ static void fw_log_firmware_info(const struct firmware *fw, const char *name, {} #endif +/* + * Reject firmware file names with ".." path components. + * There are drivers that construct firmware file names from device-supplied + * strings, and we don't want some device to be able to tell us "I would like to + * be sent my firmware from ../../../etc/shadow, please". + * + * Search for ".." surrounded by either '/' or start/end of string. + * + * This intentionally only looks at the firmware name, not at the firmware base + * directory or at symlink contents. + */ +static bool name_contains_dotdot(const char *name) +{ + size_t name_len = strlen(name); + + return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 || + strstr(name, "/../") != NULL || + (name_len >= 3 && strcmp(name+name_len-3, "/..") == 0); +} + /* called from request_firmware() and request_firmware_work_func() */ static int _request_firmware(const struct firmware **firmware_p, const char *name, @@ -869,6 +889,14 @@ _request_firmware(const struct firmware **firmware_p, const char *name, goto out; } + if (name_contains_dotdot(name)) { + dev_warn(device, + "Firmware load for '%s' refused, path contains '..' component\n", + name); + ret = -EINVAL; + goto out; + } + ret = _request_firmware_prepare(&fw, name, device, buf, size, offset, opt_flags); if (ret <= 0) /* error or already assigned */ @@ -946,6 +974,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name, * @name will be used as $FIRMWARE in the uevent environment and * should be distinctive enough not to be confused with any other * firmware image for this or any other device. + * It must not contain any ".." path components - "foo/bar..bin" is + * allowed, but "foo/../bar.bin" is not. * * Caller must hold the reference count of @device. * --- base-commit: b0da640826ba3b6506b4996a6b23a429235e6923 change-id: 20240820-firmware-traversal-6df8501b0fe4 -- Jann Horn <jannh(a)google.com>

8 months, 1 week

2
1
0 0

[PATCH 1/2] drm/v3d: Disable preemption while updating GPU stats

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> We forgot to disable preemption around the write_seqcount_begin/end() pair while updating GPU stats: [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d] [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched] <...snip...> [ ] Call trace: [ ] __seqprop_assert.isra.0+0x128/0x150 [v3d] [ ] v3d_job_start_stats.isra.0+0x90/0x218 [v3d] [ ] v3d_bin_job_run+0x23c/0x388 [v3d] [ ] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched] [ ] process_one_work+0x62c/0xb48 [ ] worker_thread+0x468/0x5b0 [ ] kthread+0x1c4/0x1e0 [ ] ret_from_fork+0x10/0x20 Fix it. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: 6abe93b621ab ("drm/v3d: Fix race-condition between sysfs/fdinfo and interrupt handler") Cc: Maíra Canal <mcanal(a)igalia.com> Cc: <stable(a)vger.kernel.org> # v6.10+ Acked-by: Maíra Canal <mcanal(a)igalia.com> --- drivers/gpu/drm/v3d/v3d_sched.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c index 42d4f4a2dba2..cc2e5a89467b 100644 --- a/drivers/gpu/drm/v3d/v3d_sched.c +++ b/drivers/gpu/drm/v3d/v3d_sched.c @@ -136,6 +136,8 @@ v3d_job_start_stats(struct v3d_job *job, enum v3d_queue queue) struct v3d_stats *local_stats = &file->stats[queue]; u64 now = local_clock(); + preempt_disable(); + write_seqcount_begin(&local_stats->lock); local_stats->start_ns = now; write_seqcount_end(&local_stats->lock); @@ -143,6 +145,8 @@ v3d_job_start_stats(struct v3d_job *job, enum v3d_queue queue) write_seqcount_begin(&global_stats->lock); global_stats->start_ns = now; write_seqcount_end(&global_stats->lock); + + preempt_enable(); } static void @@ -164,8 +168,10 @@ v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue) struct v3d_stats *local_stats = &file->stats[queue]; u64 now = local_clock(); + preempt_disable(); v3d_stats_update(local_stats, now); v3d_stats_update(global_stats, now); + preempt_enable(); } static struct dma_fence *v3d_bin_job_run(struct drm_sched_job *sched_job) -- 2.44.0

8 months, 1 week

2
1
0 0

[RESEND PATCH v1] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0

by Hailong Liu

The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code. Fixes: e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations") Signed-off-by: Hailong Liu <hailong.liu(a)oppo.com> Reported-by: Tangquan Zheng <zhengtangquan(a)oppo.com> Cc: <stable(a)vger.kernel.org> CC: Barry Song <21cnbao(a)gmail.com> CC: Baoquan He <bhe(a)redhat.com> CC: Matthew Wilcox <willy(a)infradead.org> --- mm/vmalloc.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 6b783baf12a1..af2de36549d6 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3584,15 +3584,8 @@ vm_area_alloc_pages(gfp_t gfp, int nid, page = alloc_pages_noprof(alloc_gfp, order); else page = alloc_pages_node_noprof(nid, alloc_gfp, order); - if (unlikely(!page)) { - if (!nofail) - break; - - /* fall back to the zero order allocations */ - alloc_gfp |= __GFP_NOFAIL; - order = 0; - continue; - } + if (unlikely(!page)) + break; /* * Higher order allocations must be able to be treated as --- Sorry for fat fingers. with .rej file. resend this. Baoquan suggests set page_shift to 0 if fallback in (2 and concern about performance of retry with order-0. But IMO with retry, - Save memory usage if high order allocation failed. - Keep consistancy with align and page-shift. - make use of bulk allocator with order-0 [2] https://lore.kernel.org/lkml/20240725035318.471-1-hailong.liu@oppo.com/ -- 2.30.0

8 months, 1 week

6
29
0 0

[PATCH] vfs: fix race between evice_inodes() and find_inode()&iput()

by Julian Sun

Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug. Reported-by: syzbot+67ba3c42bcbb4665d3ad(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad CC: stable(a)vger.kernel.org Fixes: 63997e98a3be ("split invalidate_inodes()") Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/inode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/inode.c b/fs/inode.c index 3a41f83a4ba5..011f630777d0 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -723,6 +723,10 @@ void evict_inodes(struct super_block *sb) continue; spin_lock(&inode->i_lock); + if (atomic_read(&inode->i_count)) { + spin_unlock(&inode->i_lock); + continue; + } if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) { spin_unlock(&inode->i_lock); continue; -- 2.39.2

8 months, 1 week

4
5
0 0

[PATCH] f2fs: Do not check the FI_DIRTY_INODE flag when umounting a ro fs.

by Julian Sun

Hi, all. Recently syzbot reported a bug as following: kernel BUG at fs/f2fs/inode.c:896! CPU: 1 UID: 0 PID: 5217 Comm: syz-executor605 Not tainted 6.11.0-rc4-syzkaller-00033-g872cf28b8df9 #0 RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Call Trace: <TASK> evict+0x532/0x950 fs/inode.c:704 dispose_list fs/inode.c:747 [inline] evict_inodes+0x5f9/0x690 fs/inode.c:797 generic_shutdown_super+0x9d/0x2d0 fs/super.c:627 kill_block_super+0x44/0x90 fs/super.c:1696 kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898 deactivate_locked_super+0xc4/0x130 fs/super.c:473 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 task_work_run+0x24f/0x310 kernel/task_work.c:228 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402 ptrace_report_syscall include/linux/ptrace.h:415 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f The syzbot constructed the following scenario: concurrently creating directories and setting the file system to read-only. In this case, while f2fs was making dir, the filesystem switched to readonly, and when it tried to clear the dirty flag, it triggered this code path: f2fs_mkdir()-> f2fs_sync_fs()->f2fs_write_checkpoint() ->f2fs_readonly(). This resulted FI_DIRTY_INODE flag not being cleared, which eventually led to a bug being triggered during the FI_DIRTY_INODE check in f2fs_evict_inode(). In this case, we cannot do anything further, so if filesystem is readonly, do not trigger the BUG. Instead, clean up resources to the best of our ability to prevent triggering subsequent resource leak checks. If there is anything important I'm missing, please let me know, thanks. Reported-by: syzbot+ebea2790904673d7c618(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ebea2790904673d7c618 Fixes: ca7d802a7d8e ("f2fs: detect dirty inode in evict_inode") CC: stable(a)vger.kernel.org Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/f2fs/inode.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index aef57172014f..52d273383ec2 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -892,8 +892,12 @@ void f2fs_evict_inode(struct inode *inode) atomic_read(&fi->i_compr_blocks)); if (likely(!f2fs_cp_error(sbi) && - !is_sbi_flag_set(sbi, SBI_CP_DISABLED))) - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)); + !is_sbi_flag_set(sbi, SBI_CP_DISABLED))) { + if (!f2fs_readonly(sbi->sb)) + f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)); + else + f2fs_inode_synced(inode); + } else f2fs_inode_synced(inode); -- 2.39.2

8 months, 1 week

2
2
0 0

[PATCH] remoteproc: k3-r5: Fix error handling when power-up failed

by Jan Kiszka

From: Jan Kiszka <jan.kiszka(a)siemens.com> By simply bailing out, the driver was violating its rule and internal assumptions that either both or no rproc should be initialized. E.g., this could cause the first core to be available but not the second one, leading to crashes on its shutdown later on while trying to dereference that second instance. Fixes: 61f6f68447ab ("remoteproc: k3-r5: Wait for core0 power-up before powering up core1") Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com> --- drivers/remoteproc/ti_k3_r5_remoteproc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c index 39a47540c590..eb09d2e9b32a 100644 --- a/drivers/remoteproc/ti_k3_r5_remoteproc.c +++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c @@ -1332,7 +1332,7 @@ static int k3_r5_cluster_rproc_init(struct platform_device *pdev) dev_err(dev, "Timed out waiting for %s core to power up!\n", rproc->name); - return ret; + goto err_powerup; } } @@ -1348,6 +1348,7 @@ static int k3_r5_cluster_rproc_init(struct platform_device *pdev) } } +err_powerup: rproc_del(rproc); err_add: k3_r5_reserved_mem_exit(kproc); -- 2.43.0

8 months, 1 week

4
8
0 0

[PATCHv6 1/4] x86/tdx: Introduce wrappers to read and write TD metadata

by Kirill A. Shutemov

The TDG_VM_WR TDCALL is used to ask the TDX module to change some TD-specific VM configuration. There is currently only one user in the kernel of this TDCALL leaf. More will be added shortly. Refactor to make way for more users of TDG_VM_WR who will need to modify other TD configuration values. Add a wrapper for the TDG_VM_RD TDCALL that requests TD-specific metadata from the TDX module. There are currently no users for TDG_VM_RD. Mark it as __maybe_unused until the first user appears. This is preparation for enumeration and enabling optional TD features. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/coco/tdx/tdx.c | 32 ++++++++++++++++++++++++++----- arch/x86/include/asm/shared/tdx.h | 1 + 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2bac2553..64717a96a936 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -77,6 +77,32 @@ static inline void tdcall(u64 fn, struct tdx_module_args *args) panic("TDCALL %lld failed (Buggy TDX module!)\n", fn); } +/* Read TD-scoped metadata */ +static inline u64 __maybe_unused tdg_vm_rd(u64 field, u64 *value) +{ + struct tdx_module_args args = { + .rdx = field, + }; + u64 ret; + + ret = __tdcall_ret(TDG_VM_RD, &args); + *value = args.r8; + + return ret; +} + +/* Write TD-scoped metadata */ +static inline u64 tdg_vm_wr(u64 field, u64 value, u64 mask) +{ + struct tdx_module_args args = { + .rdx = field, + .r8 = value, + .r9 = mask, + }; + + return __tdcall(TDG_VM_WR, &args); +} + /** * tdx_mcall_get_report0() - Wrapper to get TDREPORT0 (a.k.a. TDREPORT * subtype 0) using TDG.MR.REPORT TDCALL. @@ -924,10 +950,6 @@ static void tdx_kexec_finish(void) void __init tdx_early_init(void) { - struct tdx_module_args args = { - .rdx = TDCS_NOTIFY_ENABLES, - .r9 = -1ULL, - }; u64 cc_mask; u32 eax, sig[3]; @@ -946,7 +968,7 @@ void __init tdx_early_init(void) cc_set_mask(cc_mask); /* Kernel does not use NOTIFY_ENABLES and does not need random #VEs */ - tdcall(TDG_VM_WR, &args); + tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL); /* * All bits above GPA width are reserved and kernel treats shared bit diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h index fdfd41511b02..7e12cfa28bec 100644 --- a/arch/x86/include/asm/shared/tdx.h +++ b/arch/x86/include/asm/shared/tdx.h @@ -16,6 +16,7 @@ #define TDG_VP_VEINFO_GET 3 #define TDG_MR_REPORT 4 #define TDG_MEM_PAGE_ACCEPT 6 +#define TDG_VM_RD 7 #define TDG_VM_WR 8 /* TDCS fields. To be used by TDG.VM.WR and TDG.VM.RD module calls */ -- 2.45.2

8 months, 1 week

2
1
0 0

[git:media_stage/master] media: sun4i_csi: Implement link validate for sun4i_csi subdev

by Laurent Pinchart

This is an automatic generated email to let you know that the following patch were queued: Subject: media: sun4i_csi: Implement link validate for sun4i_csi subdev Author: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Date: Wed Jun 19 02:46:16 2024 +0300 The sun4i_csi driver doesn't implement link validation for the subdev it registers, leaving the link between the subdev and its source unvalidated. Fix it, using the v4l2_subdev_link_validate() helper. Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver") Cc: stable(a)vger.kernel.org Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Acked-by: Chen-Yu Tsai <wens(a)csie.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com> Acked-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++ 1 file changed, 5 insertions(+) --- diff --git a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c index 097a3a08ef7d..dbb26c7b2f8d 100644 --- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c +++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c @@ -39,6 +39,10 @@ static const struct media_entity_operations sun4i_csi_video_entity_ops = { .link_validate = v4l2_subdev_link_validate, }; +static const struct media_entity_operations sun4i_csi_subdev_entity_ops = { + .link_validate = v4l2_subdev_link_validate, +}; + static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier, struct v4l2_subdev *subdev, struct v4l2_async_connection *asd) @@ -214,6 +218,7 @@ static int sun4i_csi_probe(struct platform_device *pdev) subdev->internal_ops = &sun4i_csi_subdev_internal_ops; subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE; + subdev->entity.ops = &sun4i_csi_subdev_entity_ops; subdev->owner = THIS_MODULE; snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0"); v4l2_set_subdevdata(subdev, csi);

8 months, 1 week

1
0
0 0

[PATCH 1/1] nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM173X

by Saeed Mirzamohammadi

This adds a quirk to fix the Samsung PM1733a and PM173X reporting bogus eui64 so they are not marked as "non globally unique" duplicates. Cc: <stable(a)vger.kernel.org> Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- drivers/nvme/host/pci.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index 5b95c94ee40f2..c0b1caba1c893 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -3359,6 +3359,10 @@ static const struct pci_device_id nvme_id_table[] = { .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY | NVME_QUIRK_DISABLE_WRITE_ZEROES| NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x144d, 0xa824), /* Samsung PM173X */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x144d, 0xa825), /* Samsung PM1733a */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, { PCI_DEVICE(0x1987, 0x5012), /* Phison E12 */ .driver_data = NVME_QUIRK_BOGUS_NID, }, { PCI_DEVICE(0x1987, 0x5016), /* Phison E16 */ -- 2.39.2

8 months, 1 week

6
13
0 0

Re: [PATCH] x86/hyperv: fix kexec crash due to VP assist page corruption

by Vitaly Kuznetsov

Anirudh Rayabharam <anirudh(a)anirudhrb.com> writes: > On Mon, Aug 26, 2024 at 02:36:44PM +0200, Vitaly Kuznetsov wrote: >> Anirudh Rayabharam <anirudh(a)anirudhrb.com> writes: >> >> > From: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> >> > >> > 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go >> > online/offline") introduces a new cpuhp state for hyperv initialization. >> > >> > cpuhp_setup_state() returns the state number if state is CPUHP_AP_ONLINE_DYN >> > or CPUHP_BP_PREPARE_DYN and 0 for all other states. For the hyperv case, >> > since a new cpuhp state was introduced it would return 0. However, >> > in hv_machine_shutdown(), the cpuhp_remove_state() call is conditioned upon >> > "hyperv_init_cpuhp > 0". This will never be true and so hv_cpu_die() won't be >> > called on all CPUs. This means the VP assist page won't be reset. When the >> > kexec kernel tries to setup the VP assist page again, the hypervisor corrupts >> > the memory region of the old VP assist page causing a panic in case the kexec >> > kernel is using that memory elsewhere. This was originally fixed in dfe94d4086e4 >> > ("x86/hyperv: Fix kexec panic/hang issues"). >> > >> > Set hyperv_init_cpuhp to CPUHP_AP_HYPERV_ONLINE upon successful setup so that >> > the hyperv cpuhp state is removed correctly on kexec and the necessary cleanup >> > takes place. >> > >> > Cc: stable(a)vger.kernel.org >> > Fixes: 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline") >> > Signed-off-by: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> >> > --- >> > arch/x86/hyperv/hv_init.c | 4 ++-- >> > 1 file changed, 2 insertions(+), 2 deletions(-) >> > >> > diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c >> > index 17a71e92a343..81d1981a75d1 100644 >> > --- a/arch/x86/hyperv/hv_init.c >> > +++ b/arch/x86/hyperv/hv_init.c >> > @@ -607,7 +607,7 @@ void __init hyperv_init(void) >> > >> > register_syscore_ops(&hv_syscore_ops); >> > >> > - hyperv_init_cpuhp = cpuhp; >> > + hyperv_init_cpuhp = CPUHP_AP_HYPERV_ONLINE; >> >> Do we really need 'hyperv_init_cpuhp' at all? I.e. post-change (which >> LGTM btw), I can only see one usage in hv_machine_shutdown(): >> >> if (kexec_in_progress && hyperv_init_cpuhp > 0) >> cpuhp_remove_state(hyperv_init_cpuhp); >> >> and I'm wondering if the 'hyperv_init_cpuhp' check is really >> needed. This only case where this check would fail is if we're crashing >> in between ms_hyperv_init_platform() and hyperv_init() afaiu. Does it > > Or if we fail to setup the cpuhp state for some reason but don't > actually crash and then later do a kexec? I see this can happen for CPUHP_AP_ONLINE_DYN/CPUHP_BP_PREPARE_DYN because we run out of free slots (40/20), but here we have our own dedicated CPUHP_AP_HYPERV_ONLINE and other failure paths seem to be exotic... > > I guess I was just trying to be extra safe and make sure we have > actually setup the cpuhp state before calling cpuhp_remove_state() > for it. However, looking elsewhere in the kernel code I don't > see anybody doing this for custom states... > >> hurt if we try cpuhp_remove_state() anyway? > > cpuhp_invoke_callback() would trigger a WARNING if we try to remove a > cpuhp state that was never setup. > > 184 if (cpuhp_step_empty(bringup, step)) { > 185 WARN_ON_ONCE(1); > 186 return 0; > 187 } > Personally, I'd say that getting an extra WARN for such a corner case (failing to setup cpuhp state or crashing in between ms_hyperv_init_platform() and hyperv_init()) is OK. Alternatively, we can convert hyperv_init_cpuhp to a boolean to make it a bit more staitforward but as it's uncomon to do it for other states, it's likely an overkill. -- Vitaly

8 months, 1 week

2
1
0 0

[PATCH v2 1/1] nfsstat01: Update client RPC calls for kernel 6.9

by Petr Vorel

6.9 moved client RPC calls to namespace in "Make nfs stats visible in network NS" patchet. https://lore.kernel.org/linux-nfs/cover.1708026931.git.josef@toxicpanda.com/ Signed-off-by: Petr Vorel <pvorel(a)suse.cz> --- Changes v1->v2: * Point out whole patchset, not just single commit * Add a comment about the patchset Hi all, could you please ack this so that we have fixed mainline? FYI Some parts has been backported, e.g.: d47151b79e322 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces") to all stable/LTS: 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31. But most of that is not yet (but planned to be backported), e.g. 93483ac5fec62 ("nfsd: expose /proc/net/sunrpc/nfsd in net namespaces") see Chuck's patchset for 6.6 https://lore.kernel.org/linux-nfs/20240812223604.32592-1-cel@kernel.org/ Once all kernels up to 5.4 fixed we should update the version. Kind regards, Petr testcases/network/nfs/nfsstat01/nfsstat01.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/testcases/network/nfs/nfsstat01/nfsstat01.sh b/testcases/network/nfs/nfsstat01/nfsstat01.sh index c2856eff1f..1beecbec43 100755 --- a/testcases/network/nfs/nfsstat01/nfsstat01.sh +++ b/testcases/network/nfs/nfsstat01/nfsstat01.sh @@ -15,7 +15,14 @@ get_calls() local calls opt [ "$name" = "rpc" ] && opt="r" || opt="n" - ! tst_net_use_netns && [ "$nfs_f" != "nfs" ] && type="rhost" + + if tst_net_use_netns; then + # "Make nfs stats visible in network NS" patchet + # https://lore.kernel.org/linux-nfs/cover.1708026931.git.josef@toxicpanda.com/ + tst_kvcmp -ge "6.9" && [ "$nfs_f" = "nfs" ] && type="rhost" + else + [ "$nfs_f" != "nfs" ] && type="rhost" + fi if [ "$type" = "lhost" ]; then calls="$(grep $name /proc/net/rpc/$nfs_f | cut -d' ' -f$field)" -- 2.45.2

8 months, 1 week

6
13
0 0

[PATCH] mmc : fix for check cqe halt.

by Seunghwan Baek

To check if mmc cqe is in halt state, need to check set/clear of CQHCI_HALT bit. At this time, we need to check with &, not &&. Fixes: 0653300224a6 ("mmc: cqhci: rename cqhci.c to cqhci-core.c") Cc: stable(a)vger.kernel.org Signed-off-by: Seunghwan Baek <sh8267.baek(a)samsung.com> --- drivers/mmc/host/cqhci-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mmc/host/cqhci-core.c b/drivers/mmc/host/cqhci-core.c index c14d7251d0bb..a02da26a1efd 100644 --- a/drivers/mmc/host/cqhci-core.c +++ b/drivers/mmc/host/cqhci-core.c @@ -617,7 +617,7 @@ static int cqhci_request(struct mmc_host *mmc, struct mmc_request *mrq) cqhci_writel(cq_host, 0, CQHCI_CTL); mmc->cqe_on = true; pr_debug("%s: cqhci: CQE on\n", mmc_hostname(mmc)); - if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT) { + if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) { pr_err("%s: cqhci: CQE failed to exit halt state\n", mmc_hostname(mmc)); } -- 2.17.1

8 months, 1 week

2
2
0 0

[PATCH] powerpc/qspinlock: Fix deadlock in MCS queue

by Nysal Jan K.A.

If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the "next" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's "next" pointer is set by its successor in the queue. This results in lockups similar to the following. watchdog: CPU 15 Hard LOCKUP ...... NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs: CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ▼ | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ▼ | Interrupt | (happens before "nodes[0].lock = B") | | | ▼ | spin_lock_irqsave(A) | | | ▼ | id = qnodesp->count++ | nodes[1].lock = A | | | ▼ | Tail of MCS queue | | spin_lock_irqsave(A) ▼ | Head of MCS queue ▼ | CPU0 is previous tail ▼ | Spin indefinitely ▼ (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0) | ▼ prev == &qnodes[CPU0].nodes[0] (as qnodes[CPU0].nodes[0].lock == A) | ▼ WRITE_ONCE(prev->next, node) | ▼ Spin indefinitely (until nodes[0].locked == 1) Thanks to Saket Kumar Bhaskar for help with recreating the issue Fixes: 84990b169557 ("powerpc/qspinlock: add mcs queueing for contended waiters") Cc: stable(a)vger.kernel.org # v6.2+ Reported-by: Geetika Moolchandani <geetika(a)linux.ibm.com> Reported-by: Vaishnavi Bhat <vaish123(a)in.ibm.com> Reported-by: Jijo Varghese <vargjijo(a)in.ibm.com> Signed-off-by: Nysal Jan K.A. <nysal(a)linux.ibm.com> --- arch/powerpc/lib/qspinlock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/powerpc/lib/qspinlock.c b/arch/powerpc/lib/qspinlock.c index 5de4dd549f6e..59861c665cef 100644 --- a/arch/powerpc/lib/qspinlock.c +++ b/arch/powerpc/lib/qspinlock.c @@ -697,6 +697,12 @@ static __always_inline void queued_spin_lock_mcs_queue(struct qspinlock *lock, b } release: + /* + * Clear the lock, as another CPU might see stale values if an + * interrupt occurs after we increment qnodesp->count but before + * node->lock is initialized + */ + node->lock = NULL; qnodesp->count--; /* release the node */ } -- 2.46.0

8 months, 1 week

2
2
0 0

[PATCH v3] usb: dwc3: core: Prevent USB core invalid event buffer address access

by Selvarasu Ganesan

This commit addresses an issue where the USB core could access an invalid event buffer address during runtime suspend, potentially causing SMMU faults and other memory issues in Exynos platforms. The problem arises from the following sequence. 1. In dwc3_gadget_suspend, there is a chance of a timeout when moving the USB core to the halt state after clearing the run/stop bit by software. 2. In dwc3_core_exit, the event buffer is cleared regardless of the USB core's status, which may lead to an SMMU faults and other memory issues. if the USB core tries to access the event buffer address. To prevent this hardware quirk on Exynos platforms, this commit ensures that the event buffer address is not cleared by software when the USB core is active during runtime suspend by checking its status before clearing the buffer address. Cc: stable(a)vger.kernel.org # v6.1+ Signed-off-by: Selvarasu Ganesan <selvarasu.g(a)samsung.com> --- Changes in v3: - Added comment on why we need this fix. - Included platform name in commit message. - Removed Fixes tag as no issue on the previous commits, and updated Cc tag. - Link to v2: https://lore.kernel.org/lkml/20240808120507.1464-1-selvarasu.g@samsung.com/ Changes in v2: - Added separate check for USB controller status before cleaning the event buffer. - Link to v1: https://lore.kernel.org/lkml/20240722145617.537-1-selvarasu.g@samsung.com/ --- drivers/usb/dwc3/core.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 734de2a8bd21..ccc3895dbd7f 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -564,9 +564,17 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc) void dwc3_event_buffers_cleanup(struct dwc3 *dwc) { struct dwc3_event_buffer *evt; + u32 reg; if (!dwc->ev_buf) return; + /* + * Exynos platforms may not be able to access event buffer if the + * controller failed to halt on dwc3_core_exit(). + */ + reg = dwc3_readl(dwc->regs, DWC3_DSTS); + if (!(reg & DWC3_DSTS_DEVCTRLHLT)) + return; evt = dwc->ev_buf; -- 2.17.1

8 months, 1 week

3
8
0 0

+ codetag-debug-mark-codetags-for-poisoned-page-as-empty.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: codetag: debug: mark codetags for poisoned page as empty has been added to the -mm mm-hotfixes-unstable branch. Its filename is codetag-debug-mark-codetags-for-poisoned-page-as-empty.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hao Ge <gehao(a)kylinos.cn> Subject: codetag: debug: mark codetags for poisoned page as empty Date: Mon, 26 Aug 2024 00:36:49 +0800 When PG_hwpoison pages are freed they are treated differently in free_pages_prepare() and instead of being released they are isolated. Page allocation tag counters are decremented at this point since the page is considered not in use. Later on when such pages are released by unpoison_memory(), the allocation tag counters will be decremented again and the following warning gets reported: [ 113.930443][ T3282] ------------[ cut here ]------------ [ 113.931105][ T3282] alloc_tag was not set [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164 [ 113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4 [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18 [ 113.943003][ T3282] Tainted: [W]=WARN [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164 [ 113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164 [ 113.946706][ T3282] sp : ffff800087093a10 [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0 [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000 [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000 [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210 [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339 [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0 [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001 [ 113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000 [ 113.957962][ T3282] Call trace: [ 113.958350][ T3282] pgalloc_tag_sub.part.66+0x154/0x164 [ 113.959000][ T3282] pgalloc_tag_sub+0x14/0x1c [ 113.959539][ T3282] free_unref_page+0xf4/0x4b8 [ 113.960096][ T3282] __folio_put+0xd4/0x120 [ 113.960614][ T3282] folio_put+0x24/0x50 [ 113.961103][ T3282] unpoison_memory+0x4f0/0x5b0 [ 113.961678][ T3282] hwpoison_unpoison+0x30/0x48 [hwpoison_inject] [ 113.962436][ T3282] simple_attr_write_xsigned.isra.34+0xec/0x1cc [ 113.963183][ T3282] simple_attr_write+0x38/0x48 [ 113.963750][ T3282] debugfs_attr_write+0x54/0x80 [ 113.964330][ T3282] full_proxy_write+0x68/0x98 [ 113.964880][ T3282] vfs_write+0xdc/0x4d0 [ 113.965372][ T3282] ksys_write+0x78/0x100 [ 113.965875][ T3282] __arm64_sys_write+0x24/0x30 [ 113.966440][ T3282] invoke_syscall+0x7c/0x104 [ 113.966984][ T3282] el0_svc_common.constprop.1+0x88/0x104 [ 113.967652][ T3282] do_el0_svc+0x2c/0x38 [ 113.968893][ T3282] el0_svc+0x3c/0x1b8 [ 113.969379][ T3282] el0t_64_sync_handler+0x98/0xbc [ 113.969980][ T3282] el0t_64_sync+0x19c/0x1a0 [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]--- To fix this, clear the page tag reference after the page got isolated and accounted for. Link: https://lkml.kernel.org/r/20240825163649.33294-1-hao.ge@linux.dev Fixes: d224eb0287fb ("codetag: debug: mark codetags for reserved pages as empty") Signed-off-by: Hao Ge <gehao(a)kylinos.cn> Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Hao Ge <gehao(a)kylinos.cn> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: <stable(a)vger.kernel.org> [6.10+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/mm/page_alloc.c~codetag-debug-mark-codetags-for-poisoned-page-as-empty +++ a/mm/page_alloc.c @@ -1054,6 +1054,13 @@ __always_inline bool free_pages_prepare( reset_page_owner(page, order); page_table_check_free(page, order); pgalloc_tag_sub(page, 1 << order); + + /* + * The page is isolated and accounted for. + * Mark the codetag as empty to avoid accounting error + * when the page is freed by unpoison_memory(). + */ + clear_page_tag_ref(page); return false; } _ Patches currently in -mm which might be from gehao(a)kylinos.cn are mm-slub-add-check-for-s-flags-in-the-alloc_tagging_slab_free_hook.patch codetag-debug-mark-codetags-for-poisoned-page-as-empty.patch mm-cma-change-the-addition-of-totalcma_pages-in-the-cma_init_reserved_mem.patch

8 months, 1 week

1
0
0 0

[PATCH 1/1] PM / devfreq: Fix buffer overflow in trans_stat_show

by Koichiro Den

From: Christian Marangi <ansuelsmth(a)gmail.com> Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error. Link: https://lore.kernel.org/all/20231024183016.14648-2-ansuelsmth@gmail.com/ Cc: stable(a)vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218041 Fixes: e552bbaf5b98 ("PM / devfreq: Add sysfs node for representing frequency transition information.") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> Signed-off-by: Chanwoo Choi <cw00.choi(a)samsung.com> (backported from commit 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4) [koichiroden: Adjusted context due to missing commits: commit b5d281f6c16d ("PM / devfreq: Rework freq_table to be local to devfreq struct") commit a03dacb0316f ("PM / devfreq: Add cpu based scaling support to passive governor") commit 483d557ee9a3 ("PM / devfreq: Clean up the devfreq instance name in sysfs attr") commit 1ebd0bc0e8ad ("PM / devfreq: Move statistics to separate struct devfreq_stats") commit 14a343968199 ("PM / devfreq: Add clearing transitions stats") commit b76b3479dab9 ("PM / devfreq: Change time stats to 64-bit") commit 5c0f6c795957 ("PM / devfreq: Add new interrupt_driven flag for governors")] CVE-2023-52614 Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com> --- Documentation/ABI/testing/sysfs-class-devfreq | 2 + drivers/devfreq/devfreq.c | 60 +++++++++++++------ 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-class-devfreq b/Documentation/ABI/testing/sysfs-class-devfreq index 75897e2fde43..f95b69551b60 100644 --- a/Documentation/ABI/testing/sysfs-class-devfreq +++ b/Documentation/ABI/testing/sysfs-class-devfreq @@ -61,6 +61,8 @@ Description: In order to activate this ABI, the devfreq target device driver should provide the list of available frequencies with its profile. + If the transition table is bigger than PAGE_SIZE, reading + this will return an -EFBIG error. What: /sys/class/devfreq/.../userspace/set_freq Date: September 2011 diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c index 31e6cb5211bc..7a6115c23ec8 100644 --- a/drivers/devfreq/devfreq.c +++ b/drivers/devfreq/devfreq.c @@ -1403,12 +1403,12 @@ static ssize_t trans_stat_show(struct device *dev, struct device_attribute *attr, char *buf) { struct devfreq *devfreq = to_devfreq(dev); - ssize_t len; + ssize_t len = 0; int i, j; unsigned int max_state = devfreq->profile->max_state; if (max_state == 0) - return sprintf(buf, "Not Supported.\n"); + return scnprintf(buf, PAGE_SIZE, "Not Supported.\n"); mutex_lock(&devfreq->lock); if (!devfreq->stop_polling && @@ -1418,32 +1418,54 @@ static ssize_t trans_stat_show(struct device *dev, } mutex_unlock(&devfreq->lock); - len = sprintf(buf, " From : To\n"); - len += sprintf(buf + len, " :"); - for (i = 0; i < max_state; i++) - len += sprintf(buf + len, "%10lu", - devfreq->profile->freq_table[i]); + len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, " :"); + for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu", + devfreq->profile->freq_table[i]); + } + if (len >= PAGE_SIZE - 1) + return PAGE_SIZE - 1; - len += sprintf(buf + len, " time(ms)\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, " time(ms)\n"); for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; if (devfreq->profile->freq_table[i] == devfreq->previous_freq) { - len += sprintf(buf + len, "*"); + len += scnprintf(buf + len, PAGE_SIZE - len, "*"); } else { - len += sprintf(buf + len, " "); + len += scnprintf(buf + len, PAGE_SIZE - len, " "); + } + if (len >= PAGE_SIZE - 1) + break; + + len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu:", + devfreq->profile->freq_table[i]); + for (j = 0; j < max_state; j++) { + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10u", + devfreq->trans_table[(i * max_state) + j]); } - len += sprintf(buf + len, "%10lu:", - devfreq->profile->freq_table[i]); - for (j = 0; j < max_state; j++) - len += sprintf(buf + len, "%10u", - devfreq->trans_table[(i * max_state) + j]); - len += sprintf(buf + len, "%10u\n", - jiffies_to_msecs(devfreq->time_in_state[i])); + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10u\n", + jiffies_to_msecs(devfreq->time_in_state[i])); + } + + if (len < PAGE_SIZE - 1) + len += scnprintf(buf + len, PAGE_SIZE - len, "Total transition : %u\n", + devfreq->total_trans); + + if (len >= PAGE_SIZE - 1) { + pr_warn_once("devfreq transition table exceeds PAGE_SIZE. Disabling\n"); + return -EFBIG; } - len += sprintf(buf + len, "Total transition : %u\n", - devfreq->total_trans); return len; } static DEVICE_ATTR_RO(trans_stat); -- 2.43.0

8 months, 1 week

1
1
0 0

[PATCH v4] usb: dwc3: Avoid waking up gadget during startxfer

by Prashanth K

When operating in High-Speed, it is observed that DSTS[USBLNKST] doesn't update link state immediately after receiving the wakeup interrupt. Since wakeup event handler calls the resume callbacks, there is a chance that function drivers can perform an ep queue, which in turn tries to perform remote wakeup from send_gadget_ep_cmd(STARTXFER). This happens because DSTS[[21:18] wasn't updated to U0 yet, it's observed that the latency of DSTS can be in order of milli-seconds. Hence avoid calling gadget_wakeup during startxfer to prevent unnecessarily issuing remote wakeup to host. Fixes: c36d8e947a56 ("usb: dwc3: gadget: put link to U0 before Start Transfer") Cc: <stable(a)vger.kernel.org> Suggested-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com> --- v4: Rewording the comment in function definition. v3: Added notes on top the function definition. v2: Refactored the patch as suggested in v1 discussion. drivers/usb/dwc3/gadget.c | 38 ++++++++++++++------------------------ 1 file changed, 14 insertions(+), 24 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89fc690fdf34..ea583d24aa37 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -287,6 +287,20 @@ static int __dwc3_gadget_wakeup(struct dwc3 *dwc, bool async); * * Caller should handle locking. This function will issue @cmd with given * @params to @dep and wait for its completion. + * + * According to databook, while issuing StartXfer command if the link is in L1/L2/U3, + * then the command may not complete and timeout, hence software must bring the link + * back to ON state by performing remote wakeup. However, since issuing a command in + * USB2 speeds requires the clearing of GUSB2PHYCFG.SUSPENDUSB2, which turns on the + * signal required to complete the given command (usually within 50us). This should + * happen within the command timeout set by driver. Hence we don't expect to trigger + * a remote wakeup from here; instead it should be done by wakeup ops. + * + * Special note: If wakeup ops is triggered for remote wakeup, care should be taken + * if StartXfer command needs to be sent soon after. The wakeup ops is asynchronous + * and the link state may not transition to ON state yet. And after receiving wakeup + * event, device would no longer be in U3, and any link transition afterwards needs + * to be adressed with wakeup ops. */ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd, struct dwc3_gadget_ep_cmd_params *params) @@ -327,30 +341,6 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd, dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); } - if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_STARTTRANSFER) { - int link_state; - - /* - * Initiate remote wakeup if the link state is in U3 when - * operating in SS/SSP or L1/L2 when operating in HS/FS. If the - * link state is in U1/U2, no remote wakeup is needed. The Start - * Transfer command will initiate the link recovery. - */ - link_state = dwc3_gadget_get_link_state(dwc); - switch (link_state) { - case DWC3_LINK_STATE_U2: - if (dwc->gadget->speed >= USB_SPEED_SUPER) - break; - - fallthrough; - case DWC3_LINK_STATE_U3: - ret = __dwc3_gadget_wakeup(dwc, false); - dev_WARN_ONCE(dwc->dev, ret, "wakeup failed --> %d\n", - ret); - break; - } - } - /* * For some commands such as Update Transfer command, DEPCMDPARn * registers are reserved. Since the driver often sends Update Transfer -- 2.25.1

8 months, 1 week

2
1
0 0

[PATCHv5, REBASED 3/4] x86/tdx: Dynamically disable SEPT violations from causing #VEs

by Kirill A. Shutemov

Memory access #VE's are hard for Linux to handle in contexts like the entry code or NMIs. But other OSes need them for functionality. There's a static (pre-guest-boot) way for a VMM to choose one or the other. But VMMs don't always know which OS they are booting, so they choose to deliver those #VE's so the "other" OSes will work. That, unfortunately has left us in the lurch and exposed to these hard-to-handle #VEs. The TDX module has introduced a new feature. Even if the static configuration is "send nasty #VE's", the kernel can dynamically request that they be disabled. Check if the feature is available and disable SEPT #VE if possible. If the TD allowed to disable/enable SEPT #VEs, the ATTR_SEPT_VE_DISABLE attribute is no longer reliable. It reflects the initial state of the control for the TD, but it will not be updated if someone (e.g. bootloader) changes it before the kernel starts. Kernel must check TDCS_TD_CTLS bit to determine if SEPT #VEs are enabled or disabled. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: 373e715e31bf ("x86/tdx: Panic on bad configs that #VE on "private" memory access") Cc: stable(a)vger.kernel.org --- arch/x86/coco/tdx/tdx.c | 76 ++++++++++++++++++++++++------- arch/x86/include/asm/shared/tdx.h | 10 +++- 2 files changed, 69 insertions(+), 17 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 08ce488b54d0..ba3103877b21 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -78,7 +78,7 @@ static inline void tdcall(u64 fn, struct tdx_module_args *args) } /* Read TD-scoped metadata */ -static inline u64 __maybe_unused tdg_vm_rd(u64 field, u64 *value) +static inline u64 tdg_vm_rd(u64 field, u64 *value) { struct tdx_module_args args = { .rdx = field, @@ -193,6 +193,62 @@ static void __noreturn tdx_panic(const char *msg) __tdx_hypercall(&args); } +/* + * The kernel cannot handle #VEs when accessing normal kernel memory. Ensure + * that no #VE will be delivered for accesses to TD-private memory. + * + * TDX 1.0 does not allow the guest to disable SEPT #VE on its own. The VMM + * controls if the guest will receive such #VE with TD attribute + * ATTR_SEPT_VE_DISABLE. + * + * Newer TDX module allows the guest to control if it wants to receive SEPT + * violation #VEs. + * + * Check if the feature is available and disable SEPT #VE if possible. + * + * If the TD allowed to disable/enable SEPT #VEs, the ATTR_SEPT_VE_DISABLE + * attribute is no longer reliable. It reflects the initial state of the + * control for the TD, but it will not be updated if someone (e.g. bootloader) + * changes it before the kernel starts. Kernel must check TDCS_TD_CTLS bit to + * determine if SEPT #VEs are enabled or disabled. + */ +static void disable_sept_ve(u64 td_attr) +{ + const char *msg = "TD misconfiguration: SEPT #VE has to be disabled"; + bool debug = td_attr & ATTR_DEBUG; + u64 config, controls; + + /* Is this TD allowed to disable SEPT #VE */ + tdg_vm_rd(TDCS_CONFIG_FLAGS, &config); + if (!(config & TDCS_CONFIG_FLEXIBLE_PENDING_VE)) { + /* No SEPT #VE controls for the guest: check the attribute */ + if (td_attr & ATTR_SEPT_VE_DISABLE) + return; + + /* Relax SEPT_VE_DISABLE check for debug TD for backtraces */ + if (debug) + pr_warn("%s\n", msg); + else + tdx_panic(msg); + return; + } + + /* Check if SEPT #VE has been disabled before us */ + tdg_vm_rd(TDCS_TD_CTLS, &controls); + if (controls & TD_CTLS_PENDING_VE_DISABLE) + return; + + /* Keep #VEs enabled for splats in debugging environments */ + if (debug) + return; + + /* Disable SEPT #VEs */ + tdg_vm_wr(TDCS_TD_CTLS, TD_CTLS_PENDING_VE_DISABLE, + TD_CTLS_PENDING_VE_DISABLE); + + return; +} + static void tdx_setup(u64 *cc_mask) { struct tdx_module_args args = {}; @@ -218,24 +274,12 @@ static void tdx_setup(u64 *cc_mask) gpa_width = args.rcx & GENMASK(5, 0); *cc_mask = BIT_ULL(gpa_width - 1); + td_attr = args.rdx; + /* Kernel does not use NOTIFY_ENABLES and does not need random #VEs */ tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL); - /* - * The kernel can not handle #VE's when accessing normal kernel - * memory. Ensure that no #VE will be delivered for accesses to - * TD-private memory. Only VMM-shared memory (MMIO) will #VE. - */ - td_attr = args.rdx; - if (!(td_attr & ATTR_SEPT_VE_DISABLE)) { - const char *msg = "TD misconfiguration: SEPT_VE_DISABLE attribute must be set."; - - /* Relax SEPT_VE_DISABLE check for debug TD. */ - if (td_attr & ATTR_DEBUG) - pr_warn("%s\n", msg); - else - tdx_panic(msg); - } + disable_sept_ve(td_attr); } /* diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h index 7e12cfa28bec..fecb2a6e864b 100644 --- a/arch/x86/include/asm/shared/tdx.h +++ b/arch/x86/include/asm/shared/tdx.h @@ -19,9 +19,17 @@ #define TDG_VM_RD 7 #define TDG_VM_WR 8 -/* TDCS fields. To be used by TDG.VM.WR and TDG.VM.RD module calls */ +/* TDX TD-Scope Metadata. To be used by TDG.VM.WR and TDG.VM.RD */ +#define TDCS_CONFIG_FLAGS 0x1110000300000016 +#define TDCS_TD_CTLS 0x1110000300000017 #define TDCS_NOTIFY_ENABLES 0x9100000000000010 +/* TDCS_CONFIG_FLAGS bits */ +#define TDCS_CONFIG_FLEXIBLE_PENDING_VE BIT_ULL(1) + +/* TDCS_TD_CTLS bits */ +#define TD_CTLS_PENDING_VE_DISABLE BIT_ULL(0) + /* TDX hypercall Leaf IDs */ #define TDVMCALL_MAP_GPA 0x10001 #define TDVMCALL_GET_QUOTE 0x10002 -- 2.43.0

8 months, 1 week

2
3
0 0

[PATCH net 0/4] mptcp: close subflow when receiving TCP+FIN and misc.

by Matthieu Baerts (NGI0)

Here are different fixes: Patch 1 closes the subflow after having received a FIN, instead of leaving it half-closed until the end of the MPTCP connection. A fix for v5.12. Patch 2 validates the previous patch. Patch 3 is a fix for a recent fix to check both directions for the backup flag. It can follow the 'Fixes' commit and be backported up to v5.7. Patch 4 adds a missing \n at the end of pr_debug(), causing debug messages to be displayed with a delay, which confuses the debugger. A fix for v5.6. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Note: Peter's email address has been removed from the Cc list, because it is bouncing. --- Matthieu Baerts (NGI0) (4): mptcp: close subflow when receiving TCP+FIN selftests: mptcp: join: cannot rm sf if closed mptcp: sched: check both backup in retrans mptcp: pr_debug: add missing \n at the end net/mptcp/fastopen.c | 4 +- net/mptcp/options.c | 50 ++++++++++----------- net/mptcp/pm.c | 28 ++++++------ net/mptcp/pm_netlink.c | 20 ++++----- net/mptcp/protocol.c | 59 +++++++++++++------------ net/mptcp/protocol.h | 4 +- net/mptcp/sched.c | 4 +- net/mptcp/sockopt.c | 4 +- net/mptcp/subflow.c | 56 ++++++++++++----------- tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 ++--- 10 files changed, 122 insertions(+), 118 deletions(-) --- base-commit: 31a972959ae57691a1e4f539399b2674ae576086 change-id: 20240826-net-mptcp-close-extra-sf-fin-19d4e5aa4c9c Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

8 months, 1 week

4
7
0 0

[PATCH v4 6/7] vdpa: solidrun: Fix UB bug with devres

by Philipp Stanner

In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to pcim_iomap_regions() is placed on the stack. Neither pcim_iomap_regions() nor the functions it calls copy that string. Should the string later ever be used, this, consequently, causes undefined behavior since the stack frame will by then have disappeared. Fix the bug by allocating the strings on the heap through devm_kasprintf(). Cc: stable(a)vger.kernel.org # v6.3 Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.") Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Closes: https://lore.kernel.org/all/74e9109a-ac59-49e2-9b1d-d825c9c9f891@wanadoo.fr/ Suggested-by: Andy Shevchenko <andy(a)kernel.org> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> --- drivers/vdpa/solidrun/snet_main.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/vdpa/solidrun/snet_main.c b/drivers/vdpa/solidrun/snet_main.c index 99428a04068d..c8b74980dbd1 100644 --- a/drivers/vdpa/solidrun/snet_main.c +++ b/drivers/vdpa/solidrun/snet_main.c @@ -555,7 +555,7 @@ static const struct vdpa_config_ops snet_config_ops = { static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) { - char name[50]; + char *name; int ret, i, mask = 0; /* We don't know which BAR will be used to communicate.. * We will map every bar with len > 0. @@ -573,7 +573,10 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) return -ENODEV; } - snprintf(name, sizeof(name), "psnet[%s]-bars", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + ret = pcim_iomap_regions(pdev, mask, name); if (ret) { SNET_ERR(pdev, "Failed to request and map PCI BARs\n"); @@ -590,10 +593,13 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) static int snet_open_vf_bar(struct pci_dev *pdev, struct snet *snet) { - char name[50]; + char *name; int ret; - snprintf(name, sizeof(name), "snet[%s]-bar", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "snet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + /* Request and map BAR */ ret = pcim_iomap_regions(pdev, BIT(snet->psnet->cfg.vf_bar), name); if (ret) { -- 2.46.0

8 months, 1 week

1
0
0 0

[PATCH 6.1.y] KVM: x86: fire timer when it is migrated and expired, and in oneshot mode

by David Hunter

From: Li RongQing <lirongqing(a)baidu.com> [ Upstream Commit 8e6ed96cdd5001c55fccc80a17f651741c1ca7d2] when the vCPU was migrated, if its timer is expired, KVM _should_ fire the timer ASAP, zeroing the deadline here will cause the timer to immediately fire on the destination Cc: Sean Christopherson <seanjc(a)google.com> Cc: Peter Shier <pshier(a)google.com> Cc: Jim Mattson <jmattson(a)google.com> Cc: Wanpeng Li <wanpengli(a)tencent.com> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Signed-off-by: Li RongQing <lirongqing(a)baidu.com> Link: https://lore.kernel.org/r/20230106040625.8404-1-lirongqing@baidu.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> (cherry picked from commit 8e6ed96cdd5001c55fccc80a17f651741c1ca7d2) The code was able to compile without errors or warnings. Signed-off-by: David Hunter <david.hunter.linux(a)gmail.com> --- arch/x86/kvm/lapic.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index c90fef0258c5..3cd590ace95a 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -1843,8 +1843,12 @@ static bool set_target_expiration(struct kvm_lapic *apic, u32 count_reg) if (unlikely(count_reg != APIC_TMICT)) { deadline = tmict_to_ns(apic, kvm_lapic_get_reg(apic, count_reg)); - if (unlikely(deadline <= 0)) - deadline = apic->lapic_timer.period; + if (unlikely(deadline <= 0)) { + if (apic_lvtt_period(apic)) + deadline = apic->lapic_timer.period; + else + deadline = 0; + } else if (unlikely(deadline > apic->lapic_timer.period)) { pr_info_ratelimited( "kvm: vcpu %i: requested lapic timer restore with " -- 2.43.0

8 months, 1 week

4
7
0 0

[PATCH v5 3/3] x86/sgx: Resolve EREMOVE page vs EAUG page data race

by Dmitrii Kuvaiskii

Two enclave threads may try to add and remove the same enclave page simultaneously (e.g., if the SGX runtime supports both lazy allocation and MADV_DONTNEED semantics). Consider some enclave page added to the enclave. User space decides to temporarily remove this page (e.g., emulating the MADV_DONTNEED semantics) on CPU1. At the same time, user space performs a memory access on the same page on CPU2, which results in a #PF and ultimately in sgx_vma_fault(). Scenario proceeds as follows: /* * CPU1: User space performs * ioctl(SGX_IOC_ENCLAVE_REMOVE_PAGES) * on enclave page X */ sgx_encl_remove_pages() { mutex_lock(&encl->lock); entry = sgx_encl_load_page(encl); /* * verify that page is * trimmed and accepted */ mutex_unlock(&encl->lock); /* * remove PTE entry; cannot * be performed under lock */ sgx_zap_enclave_ptes(encl); /* * Fault on CPU2 on same page X */ sgx_vma_fault() { /* * PTE entry was removed, but the * page is still in enclave's xarray */ xa_load(&encl->page_array) != NULL -> /* * SGX driver thinks that this page * was swapped out and loads it */ mutex_lock(&encl->lock); /* * this is effectively a no-op */ entry = sgx_encl_load_page_in_vma(); /* * add PTE entry * * *BUG*: a PTE is installed for a * page in process of being removed */ vmf_insert_pfn(...); mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; } /* * continue with page removal */ mutex_lock(&encl->lock); sgx_encl_free_epc_page(epc_page) { /* * remove page via EREMOVE */ /* * free EPC page */ sgx_free_epc_page(epc_page); } xa_erase(&encl->page_array); mutex_unlock(&encl->lock); } Here, CPU1 removed the page. However CPU2 installed the PTE entry on the same page. This enclave page becomes perpetually inaccessible (until another SGX_IOC_ENCLAVE_REMOVE_PAGES ioctl). This is because the page is marked accessible in the PTE entry but is not EAUGed, and any subsequent access to this page raises a fault: with the kernel believing there to be a valid VMA, the unlikely error code X86_PF_SGX encountered by code path do_user_addr_fault() -> access_error() causes the SGX driver's sgx_vma_fault() to be skipped and user space receives a SIGSEGV instead. The userspace SIGSEGV handler cannot perform EACCEPT because the page was not EAUGed. Thus, the user space is stuck with the inaccessible page. Fix this race by forcing the fault handler on CPU2 to back off if the page is currently being removed (on CPU1). This is achieved by setting SGX_ENCL_PAGE_BUSY flag right-before the first mutex_unlock() in sgx_encl_remove_pages(). Upon loading the page, CPU2 checks whether this page is busy, and if yes then CPU2 backs off and waits until the page is completely removed. After that, any memory access to this page results in a normal "allocate and EAUG a page on #PF" flow. Additionally fix a similar race: user space converts a normal enclave page to a TCS page (via SGX_IOC_ENCLAVE_MODIFY_TYPES) on CPU1, and at the same time, user space performs a memory access on the same page on CPU2. This fix is not strictly necessary (this particular race would indicate a bug in a user space application), but it gives a consistent rule: if an enclave page is under certain operation by the kernel with the mapping removed, then other threads trying to access that page are temporarily blocked and should retry. Fixes: 9849bb27152c ("x86/sgx: Support complete page removal") Cc: stable(a)vger.kernel.org Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.h | 3 ++- arch/x86/kernel/cpu/sgx/ioctl.c | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h index b566b8ad5f33..96b11e8fb770 100644 --- a/arch/x86/kernel/cpu/sgx/encl.h +++ b/arch/x86/kernel/cpu/sgx/encl.h @@ -22,7 +22,8 @@ /* 'desc' bits holding the offset in the VA (version array) page. */ #define SGX_ENCL_PAGE_VA_OFFSET_MASK GENMASK_ULL(11, 3) -/* 'desc' bit indicating that the page is busy (being reclaimed). */ +/* 'desc' bit indicating that the page is busy (being reclaimed, removed or + * converted to a TCS page). */ #define SGX_ENCL_PAGE_BUSY BIT(2) /* diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c index 5d390df21440..ee619f2b3414 100644 --- a/arch/x86/kernel/cpu/sgx/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/ioctl.c @@ -969,12 +969,22 @@ static long sgx_enclave_modify_types(struct sgx_encl *encl, /* * Do not keep encl->lock because of dependency on * mmap_lock acquired in sgx_zap_enclave_ptes(). + * + * Releasing encl->lock leads to a data race: while CPU1 + * performs sgx_zap_enclave_ptes() and removes the PTE + * entry for the enclave page, CPU2 may attempt to load + * this page (because the page is still in enclave's + * xarray). To prevent CPU2 from loading the page, mark + * the page as busy before unlock and unmark after lock + * again. */ + entry->desc |= SGX_ENCL_PAGE_BUSY; mutex_unlock(&encl->lock); sgx_zap_enclave_ptes(encl, addr); mutex_lock(&encl->lock); + entry->desc &= ~SGX_ENCL_PAGE_BUSY; sgx_mark_page_reclaimable(entry->epc_page); } @@ -1141,7 +1151,14 @@ static long sgx_encl_remove_pages(struct sgx_encl *encl, /* * Do not keep encl->lock because of dependency on * mmap_lock acquired in sgx_zap_enclave_ptes(). + * + * Releasing encl->lock leads to a data race: while CPU1 + * performs sgx_zap_enclave_ptes() and removes the PTE entry + * for the enclave page, CPU2 may attempt to load this page + * (because the page is still in enclave's xarray). To prevent + * CPU2 from loading the page, mark the page as busy. */ + entry->desc |= SGX_ENCL_PAGE_BUSY; mutex_unlock(&encl->lock); sgx_zap_enclave_ptes(encl, addr); -- 2.43.0

8 months, 1 week

3
2
0 0

[PATCH v5 2/3] x86/sgx: Resolve EAUG race where losing thread returns SIGBUS

by Dmitrii Kuvaiskii

Imagine an mmap()'d file. Two threads touch the same address at the same time and fault. Both allocate a physical page and race to install a PTE for that page. Only one will win the race. The loser frees its page, but still continues handling the fault as a success and returns VM_FAULT_NOPAGE from the fault handler. The same race can happen with SGX. But there's a bug: the loser in the SGX steers into a failure path. The loser EREMOVE's the winner's EPC page, then returns SIGBUS, likely killing the app. Fix the SGX loser's behavior. Check whether another thread already allocated the page and if yes, return with VM_FAULT_NOPAGE. The race can be illustrated as follows: /* /* * Fault on CPU1 * Fault on CPU2 * on enclave page X * on enclave page X */ */ sgx_vma_fault() { sgx_vma_fault() { xa_load(&encl->page_array) xa_load(&encl->page_array) == NULL --> == NULL --> sgx_encl_eaug_page() { sgx_encl_eaug_page() { ... ... /* /* * alloc encl_page * alloc encl_page */ */ mutex_lock(&encl->lock); /* * alloc EPC page */ epc_page = sgx_alloc_epc_page(...); /* * add page to enclave's xarray */ xa_insert(&encl->page_array, ...); /* * add page to enclave via EAUG * (page is in pending state) */ /* * add PTE entry */ vmf_insert_pfn(...); mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; } } /* * All good up to here: enclave page * successfully added to enclave, * ready for EACCEPT from user space */ mutex_lock(&encl->lock); /* * alloc EPC page */ epc_page = sgx_alloc_epc_page(...); /* * add page to enclave's xarray, * this fails with -EBUSY as this * page was already added by CPU2 */ xa_insert(&encl->page_array, ...); err_out_shrink: sgx_encl_free_epc_page(epc_page) { /* * remove page via EREMOVE * * *BUG*: page added by CPU2 is * yanked from enclave while it * remains accessible from OS * perspective (PTE installed) */ /* * free EPC page */ sgx_free_epc_page(epc_page); } mutex_unlock(&encl->lock); /* * *BUG*: SIGBUS is returned * for a valid enclave page */ return VM_FAULT_SIGBUS; } } Fixes: 5a90d2c3f5ef ("x86/sgx: Support adding of pages to an initialized enclave") Cc: stable(a)vger.kernel.org Reported-by: Marcelina Kościelnicka <mwk(a)invisiblethingslab.com> Suggested-by: Kai Huang <kai.huang(a)intel.com> Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.c | 36 ++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index c0a3c00284c8..2aa7ced0e4a0 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -337,6 +337,16 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, if (!test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) return VM_FAULT_SIGBUS; + mutex_lock(&encl->lock); + + /* + * Multiple threads may try to fault on the same page concurrently. + * Re-check if another thread has already done that. + */ + encl_page = xa_load(&encl->page_array, PFN_DOWN(addr)); + if (encl_page) + goto done; + /* * Ignore internal permission checking for dynamically added pages. * They matter only for data added during the pre-initialization @@ -345,23 +355,23 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, */ secinfo_flags = SGX_SECINFO_R | SGX_SECINFO_W | SGX_SECINFO_X; encl_page = sgx_encl_page_alloc(encl, addr - encl->base, secinfo_flags); - if (IS_ERR(encl_page)) - return VM_FAULT_OOM; - - mutex_lock(&encl->lock); + if (IS_ERR(encl_page)) { + vmret = VM_FAULT_OOM; + goto err_out_unlock; + } epc_page = sgx_encl_load_secs(encl); if (IS_ERR(epc_page)) { if (PTR_ERR(epc_page) == -EBUSY) vmret = VM_FAULT_NOPAGE; - goto err_out_unlock; + goto err_out_encl; } epc_page = sgx_alloc_epc_page(encl_page, false); if (IS_ERR(epc_page)) { if (PTR_ERR(epc_page) == -EBUSY) vmret = VM_FAULT_NOPAGE; - goto err_out_unlock; + goto err_out_encl; } va_page = sgx_encl_grow(encl, false); @@ -376,10 +386,6 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, ret = xa_insert(&encl->page_array, PFN_DOWN(encl_page->desc), encl_page, GFP_KERNEL); - /* - * If ret == -EBUSY then page was created in another flow while - * running without encl->lock - */ if (ret) goto err_out_shrink; @@ -389,7 +395,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, ret = __eaug(&pginfo, sgx_get_epc_virt_addr(epc_page)); if (ret) - goto err_out; + goto err_out_eaug; encl_page->encl = encl; encl_page->epc_page = epc_page; @@ -408,20 +414,20 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, mutex_unlock(&encl->lock); return VM_FAULT_SIGBUS; } +done: mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; -err_out: +err_out_eaug: xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc)); - err_out_shrink: sgx_encl_shrink(encl, va_page); err_out_epc: sgx_encl_free_epc_page(epc_page); +err_out_encl: + kfree(encl_page); err_out_unlock: mutex_unlock(&encl->lock); - kfree(encl_page); - return vmret; } -- 2.43.0

8 months, 1 week

3
2
0 0

[PATCH v5 1/3] x86/sgx: Split SGX_ENCL_PAGE_BEING_RECLAIMED into two flags

by Dmitrii Kuvaiskii

The page reclaimer thread sets SGX_ENC_PAGE_BEING_RECLAIMED flag when the enclave page is being reclaimed (moved to the backing store). This flag however has two logical meanings: 1. Don't attempt to load the enclave page (the page is busy), see __sgx_encl_load_page(). 2. Don't attempt to remove the PCMD page corresponding to this enclave page (the PCMD page is busy), see reclaimer_writing_to_pcmd(). To reflect these two meanings, split SGX_ENCL_PAGE_BEING_RECLAIMED into two flags: SGX_ENCL_PAGE_BUSY and SGX_ENCL_PAGE_PCMD_BUSY. Currently, both flags are set only when the enclave page is being reclaimed (by the page reclaimer thread). A future commit will introduce new cases when the enclave page is being operated on; these new cases will set only the SGX_ENCL_PAGE_BUSY flag. Cc: stable(a)vger.kernel.org Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> Reviewed-by: Haitao Huang <haitao.huang(a)linux.intel.com> Acked-by: Kai Huang <kai.huang(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.c | 16 +++++++--------- arch/x86/kernel/cpu/sgx/encl.h | 10 ++++++++-- arch/x86/kernel/cpu/sgx/main.c | 4 ++-- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index 279148e72459..c0a3c00284c8 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -46,10 +46,10 @@ static int sgx_encl_lookup_backing(struct sgx_encl *encl, unsigned long page_ind * a check if an enclave page sharing the PCMD page is in the process of being * reclaimed. * - * The reclaimer sets the SGX_ENCL_PAGE_BEING_RECLAIMED flag when it - * intends to reclaim that enclave page - it means that the PCMD page - * associated with that enclave page is about to get some data and thus - * even if the PCMD page is empty, it should not be truncated. + * The reclaimer sets the SGX_ENCL_PAGE_PCMD_BUSY flag when it intends to + * reclaim that enclave page - it means that the PCMD page associated with that + * enclave page is about to get some data and thus even if the PCMD page is + * empty, it should not be truncated. * * Context: Enclave mutex (&sgx_encl->lock) must be held. * Return: 1 if the reclaimer is about to write to the PCMD page @@ -77,8 +77,7 @@ static int reclaimer_writing_to_pcmd(struct sgx_encl *encl, * Stop when reaching the SECS page - it does not * have a page_array entry and its reclaim is * started and completed with enclave mutex held so - * it does not use the SGX_ENCL_PAGE_BEING_RECLAIMED - * flag. + * it does not use the SGX_ENCL_PAGE_PCMD_BUSY flag. */ if (addr == encl->base + encl->size) break; @@ -91,8 +90,7 @@ static int reclaimer_writing_to_pcmd(struct sgx_encl *encl, * VA page slot ID uses same bit as the flag so it is important * to ensure that the page is not already in backing store. */ - if (entry->epc_page && - (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)) { + if (entry->epc_page && (entry->desc & SGX_ENCL_PAGE_PCMD_BUSY)) { reclaimed = 1; break; } @@ -257,7 +255,7 @@ static struct sgx_encl_page *__sgx_encl_load_page(struct sgx_encl *encl, /* Entry successfully located. */ if (entry->epc_page) { - if (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED) + if (entry->desc & SGX_ENCL_PAGE_BUSY) return ERR_PTR(-EBUSY); return entry; diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h index f94ff14c9486..b566b8ad5f33 100644 --- a/arch/x86/kernel/cpu/sgx/encl.h +++ b/arch/x86/kernel/cpu/sgx/encl.h @@ -22,8 +22,14 @@ /* 'desc' bits holding the offset in the VA (version array) page. */ #define SGX_ENCL_PAGE_VA_OFFSET_MASK GENMASK_ULL(11, 3) -/* 'desc' bit marking that the page is being reclaimed. */ -#define SGX_ENCL_PAGE_BEING_RECLAIMED BIT(3) +/* 'desc' bit indicating that the page is busy (being reclaimed). */ +#define SGX_ENCL_PAGE_BUSY BIT(2) + +/* + * 'desc' bit indicating that PCMD page associated with the enclave page is + * busy (because the enclave page is being reclaimed). + */ +#define SGX_ENCL_PAGE_PCMD_BUSY BIT(3) struct sgx_encl_page { unsigned long desc; diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c index 166692f2d501..e94b09c43673 100644 --- a/arch/x86/kernel/cpu/sgx/main.c +++ b/arch/x86/kernel/cpu/sgx/main.c @@ -204,7 +204,7 @@ static void sgx_encl_ewb(struct sgx_epc_page *epc_page, void *va_slot; int ret; - encl_page->desc &= ~SGX_ENCL_PAGE_BEING_RECLAIMED; + encl_page->desc &= ~(SGX_ENCL_PAGE_BUSY | SGX_ENCL_PAGE_PCMD_BUSY); va_page = list_first_entry(&encl->va_pages, struct sgx_va_page, list); @@ -340,7 +340,7 @@ static void sgx_reclaim_pages(void) goto skip; } - encl_page->desc |= SGX_ENCL_PAGE_BEING_RECLAIMED; + encl_page->desc |= SGX_ENCL_PAGE_BUSY | SGX_ENCL_PAGE_PCMD_BUSY; mutex_unlock(&encl_page->encl->lock); continue; -- 2.43.0

8 months, 1 week

2
1
0 0

[PATCH net] net: drop bad gso csum_start and offset in virtio_net_hdr

by Willem de Bruijn

From: Willem de Bruijn <willemb(a)google.com> Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Migitage with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests. Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871 Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org Fixes: e269d79c7d35 ("net: missing check virtio") Cc: stable(a)vger.kernel.org Signed-off-by: Willem de Bruijn <willemb(a)google.com> --- include/linux/virtio_net.h | 16 +++++----------- net/ipv4/tcp_offload.c | 3 +++ net/ipv4/udp_offload.c | 3 +++ 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index d1d7825318c32..6c395a2600e8d 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -56,7 +56,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, unsigned int thlen = 0; unsigned int p_off = 0; unsigned int ip_proto; - u64 ret, remainder, gso_size; if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { @@ -99,16 +98,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset); u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16)); - if (hdr->gso_size) { - gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size); - ret = div64_u64_rem(skb->len, gso_size, &remainder); - if (!(ret && (hdr->gso_size > needed) && - ((remainder > needed) || (remainder == 0)))) { - return -EINVAL; - } - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG; - } - if (!pskb_may_pull(skb, needed)) return -EINVAL; @@ -182,6 +171,11 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (gso_type != SKB_GSO_UDP_L4) return -EINVAL; break; + case SKB_GSO_TCPV4: + case SKB_GSO_TCPV6: + if (skb->csum_offset != offsetof(struct tcphdr, check)) + return -EINVAL; + break; } /* Kernel has a special handling for GSO_BY_FRAGS. */ diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c index 4b791e74529e1..9e49ffcc77071 100644 --- a/net/ipv4/tcp_offload.c +++ b/net/ipv4/tcp_offload.c @@ -140,6 +140,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb, if (thlen < sizeof(*th)) goto out; + if (unlikely(skb->csum_start != skb->transport_header)) + goto out; + if (!pskb_may_pull(skb, thlen)) goto out; diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index aa2e0a28ca613..f521152c40871 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -278,6 +278,9 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, if (gso_skb->len <= sizeof(*uh) + mss) return ERR_PTR(-EINVAL); + if (unlikely(gso_skb->csum_start != gso_skb->transport_header)) + return ERR_PTR(-EINVAL); + if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { /* Packet is from an untrusted source, reset gso_segs. */ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), -- 2.46.0.rc1.232.g9752f9e123-goog

8 months, 1 week

10
25
0 0

[PATCH v2] spi: rockchip: Resolve unbalanced runtime PM / system PM handling

by Brian Norris

Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure. Fixes: e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") Cc: <stable(a)vger.kernel.org> Reported-by: "Ondřej Jirman" <megi(a)xff.cz> Closes: https://lore.kernel.org/lkml/20220621154218.sau54jeij4bunf56@core/ Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- Changes in v2: - fix unused 'rs' warning drivers/spi/spi-rockchip.c | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c index e1ecd96c7858..0bb33c43b1b4 100644 --- a/drivers/spi/spi-rockchip.c +++ b/drivers/spi/spi-rockchip.c @@ -945,14 +945,16 @@ static int rockchip_spi_suspend(struct device *dev) { int ret; struct spi_controller *ctlr = dev_get_drvdata(dev); - struct rockchip_spi *rs = spi_controller_get_devdata(ctlr); ret = spi_controller_suspend(ctlr); if (ret < 0) return ret; - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); + ret = pm_runtime_force_suspend(dev); + if (ret < 0) { + spi_controller_resume(ctlr); + return ret; + } pinctrl_pm_select_sleep_state(dev); @@ -963,25 +965,14 @@ static int rockchip_spi_resume(struct device *dev) { int ret; struct spi_controller *ctlr = dev_get_drvdata(dev); - struct rockchip_spi *rs = spi_controller_get_devdata(ctlr); pinctrl_pm_select_default_state(dev); - ret = clk_prepare_enable(rs->apb_pclk); + ret = pm_runtime_force_resume(dev); if (ret < 0) return ret; - ret = clk_prepare_enable(rs->spiclk); - if (ret < 0) - clk_disable_unprepare(rs->apb_pclk); - - ret = spi_controller_resume(ctlr); - if (ret < 0) { - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); - } - - return 0; + return spi_controller_resume(ctlr); } #endif /* CONFIG_PM_SLEEP */ -- 2.46.0.295.g3b9ea8a38a-goog

8 months, 1 week

1
0
0 0

Re: [PATCH 6.10 000/273] 6.10.7-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

8 months, 1 week

1
0
0 0

[PATCH 12/14] drm/amd/display: Block timing sync for different signals in PMO

by Hamza Mahfooz

From: Dillon Varone <dillon.varone(a)amd.com> PMO assumes that like timings can be synchronized, but DC only allows this if the signal types match. Cc: stable(a)vger.kernel.org Reviewed-by: Austin Zheng <austin.zheng(a)amd.com> Signed-off-by: Dillon Varone <dillon.varone(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- .../display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c index 3bb5eb2e79ae..d63558ee3135 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c @@ -941,7 +941,8 @@ static void build_synchronized_timing_groups( for (j = i + 1; j < display_config->display_config.num_streams; j++) { if (memcmp(master_timing, &display_config->display_config.stream_descriptors[j].timing, - sizeof(struct dml2_timing_cfg)) == 0) { + sizeof(struct dml2_timing_cfg)) == 0 && + display_config->display_config.stream_descriptors[i].output.output_encoder == display_config->display_config.stream_descriptors[j].output.output_encoder) { set_bit_in_bitfield(&pmo->scratch.pmo_dcn4.synchronized_timing_group_masks[timing_group_idx], j); set_bit_in_bitfield(&stream_mapped_mask, j); } -- 2.46.0

8 months, 1 week

1
0
0 0

[PATCH 11/14] drm/amd/display: fix graphics hang in multi-display mst case

by Hamza Mahfooz

From: Gabe Teeger <Gabe.Teeger(a)amd.com> [what] Graphics hang observed with 3 displays connected to DP2.0 mst dock. [why] There's a mismatch in dml and dc between the assignments of hpo link encoders. [how] Add a new array in dml that tracks the current mapping of HPO stream encoders to HPO link encoders in dc. Cc: stable(a)vger.kernel.org Reviewed-by: Sung joon Kim <sungjoon.kim(a)amd.com> Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Gabe Teeger <Gabe.Teeger(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- .../amd/display/dc/dml2/dml2_internal_types.h | 2 +- .../display/dc/dml2/dml2_translation_helper.c | 67 +++++++++---------- .../display/dc/dml2/dml2_translation_helper.h | 2 +- .../gpu/drm/amd/display/dc/dml2/dml2_utils.c | 12 +--- 4 files changed, 34 insertions(+), 49 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h b/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h index 3ba184be25d3..140ec01545db 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h @@ -101,7 +101,7 @@ struct dml2_wrapper_scratch { struct dml2_dml_to_dc_pipe_mapping dml_to_dc_pipe_mapping; bool enable_flexible_pipe_mapping; bool plane_duplicate_exists; - unsigned int dp2_mst_stream_count; + int hpo_stream_to_link_encoder_mapping[MAX_HPO_DP2_ENCODERS]; }; struct dml2_helper_det_policy_scratch { diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c index 7e39873832bf..bde4250853b1 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c @@ -733,8 +733,7 @@ static void populate_dml_timing_cfg_from_stream_state(struct dml_timing_cfg_st * } static void populate_dml_output_cfg_from_stream_state(struct dml_output_cfg_st *out, unsigned int location, - const struct dc_stream_state *in, const struct pipe_ctx *pipe, - unsigned int dp2_mst_stream_count) + const struct dc_stream_state *in, const struct pipe_ctx *pipe, struct dml2_context *dml2) { unsigned int output_bpc; @@ -747,8 +746,8 @@ static void populate_dml_output_cfg_from_stream_state(struct dml_output_cfg_st * case SIGNAL_TYPE_DISPLAY_PORT_MST: case SIGNAL_TYPE_DISPLAY_PORT: out->OutputEncoder[location] = dml_dp; - if (is_dp2p0_output_encoder(pipe, dp2_mst_stream_count)) - out->OutputEncoder[location] = dml_dp2p0; + if (dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location] != -1) + out->OutputEncoder[dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location]] = dml_dp2p0; break; case SIGNAL_TYPE_EDP: out->OutputEncoder[location] = dml_edp; @@ -1199,36 +1198,6 @@ static void dml2_populate_pipe_to_plane_index_mapping(struct dml2_context *dml2, } } -static unsigned int calculate_dp2_mst_stream_count(struct dc_state *context) -{ - int i, j; - unsigned int dp2_mst_stream_count = 0; - - for (i = 0; i < context->stream_count; i++) { - struct dc_stream_state *stream = context->streams[i]; - - if (!stream || stream->signal != SIGNAL_TYPE_DISPLAY_PORT_MST) - continue; - - for (j = 0; j < MAX_PIPES; j++) { - struct pipe_ctx *pipe_ctx = &context->res_ctx.pipe_ctx[j]; - - if (!pipe_ctx || !pipe_ctx->stream) - continue; - - if (stream != pipe_ctx->stream) - continue; - - if (pipe_ctx->stream_res.hpo_dp_stream_enc && pipe_ctx->link_res.hpo_dp_link_enc) { - dp2_mst_stream_count++; - break; - } - } - } - - return dp2_mst_stream_count; -} - static void populate_dml_writeback_cfg_from_stream_state(struct dml_writeback_cfg_st *out, unsigned int location, const struct dc_stream_state *in) { @@ -1269,6 +1238,30 @@ static void populate_dml_writeback_cfg_from_stream_state(struct dml_writeback_cf } } } + +static void dml2_map_hpo_stream_encoder_to_hpo_link_encoder_index(struct dml2_context *dml2, struct dc_state *context) +{ + int i; + struct pipe_ctx *current_pipe_context; + + /* Scratch gets reset to zero in dml, but link encoder instance can be zero, so reset to -1 */ + for (i = 0; i < MAX_HPO_DP2_ENCODERS; i++) { + dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[i] = -1; + } + + /* If an HPO stream encoder is allocated to a pipe, get the instance of it's allocated HPO Link encoder */ + for (i = 0; i < MAX_PIPES; i++) { + current_pipe_context = &context->res_ctx.pipe_ctx[i]; + if (current_pipe_context->stream && + current_pipe_context->stream_res.hpo_dp_stream_enc && + current_pipe_context->link_res.hpo_dp_link_enc && + dc_is_dp_signal(current_pipe_context->stream->signal)) { + dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[current_pipe_context->stream_res.hpo_dp_stream_enc->inst] = + current_pipe_context->link_res.hpo_dp_link_enc->inst; + } + } +} + void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_state *context, struct dml_display_cfg_st *dml_dispcfg) { int i = 0, j = 0, k = 0; @@ -1291,8 +1284,8 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat if (dml2->v20.dml_core_ctx.ip.hostvm_enable) dml2->v20.dml_core_ctx.policy.AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter; - dml2->v20.scratch.dp2_mst_stream_count = calculate_dp2_mst_stream_count(context); dml2_populate_pipe_to_plane_index_mapping(dml2, context); + dml2_map_hpo_stream_encoder_to_hpo_link_encoder_index(dml2, context); for (i = 0; i < context->stream_count; i++) { current_pipe_context = NULL; @@ -1313,7 +1306,7 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__); populate_dml_timing_cfg_from_stream_state(&dml_dispcfg->timing, disp_cfg_stream_location, context->streams[i]); - populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_stream_location, context->streams[i], current_pipe_context, dml2->v20.scratch.dp2_mst_stream_count); + populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_stream_location, context->streams[i], current_pipe_context, dml2); /*Call site for populate_dml_writeback_cfg_from_stream_state*/ populate_dml_writeback_cfg_from_stream_state(&dml_dispcfg->writeback, disp_cfg_stream_location, context->streams[i]); @@ -1378,7 +1371,7 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat if (j >= 1) { populate_dml_timing_cfg_from_stream_state(&dml_dispcfg->timing, disp_cfg_plane_location, context->streams[i]); - populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_plane_location, context->streams[i], current_pipe_context, dml2->v20.scratch.dp2_mst_stream_count); + populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_plane_location, context->streams[i], current_pipe_context, dml2); switch (context->streams[i]->debug.force_odm_combine_segments) { case 2: dml2->v20.dml_core_ctx.policy.ODMUse[disp_cfg_plane_location] = dml_odm_use_policy_combine_2to1; diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h index 55659b22d87f..d764773938f4 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h @@ -36,6 +36,6 @@ void dml2_translate_socbb_params(const struct dc *in_dc, struct soc_bounding_box void dml2_translate_soc_states(const struct dc *in_dc, struct soc_states_st *out, int num_states); void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_state *context, struct dml_display_cfg_st *dml_dispcfg); void dml2_update_pipe_ctx_dchub_regs(struct _vcs_dpi_dml_display_rq_regs_st *rq_regs, struct _vcs_dpi_dml_display_dlg_regs_st *disp_dlg_regs, struct _vcs_dpi_dml_display_ttu_regs_st *disp_ttu_regs, struct pipe_ctx *out); -bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe, unsigned int dp2_mst_stream_count); +bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe); #endif //__DML2_TRANSLATION_HELPER_H__ diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c index 9e8ff3a9718e..9a33158b63bf 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c @@ -153,7 +153,7 @@ unsigned int dml2_util_get_maximum_odm_combine_for_output(bool force_odm_4to1, e } } -bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe_ctx, unsigned int dp2_mst_stream_count) +bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe_ctx) { if (pipe_ctx == NULL || pipe_ctx->stream == NULL) return false; @@ -161,14 +161,6 @@ bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe_ctx, unsigned int dp2_m /* If this assert is hit then we have a link encoder dynamic management issue */ ASSERT(pipe_ctx->stream_res.hpo_dp_stream_enc ? pipe_ctx->link_res.hpo_dp_link_enc != NULL : true); - /* Count MST hubs once by treating only 1st remote sink in topology as an encoder */ - if (pipe_ctx->stream->link && pipe_ctx->stream->link->remote_sinks[0] && dp2_mst_stream_count > 1) { - return (pipe_ctx->stream_res.hpo_dp_stream_enc && - pipe_ctx->link_res.hpo_dp_link_enc && - dc_is_dp_signal(pipe_ctx->stream->signal) && - (pipe_ctx->stream->link->remote_sinks[0]->sink_id == pipe_ctx->stream->sink->sink_id)); - } - return (pipe_ctx->stream_res.hpo_dp_stream_enc && pipe_ctx->link_res.hpo_dp_link_enc && dc_is_dp_signal(pipe_ctx->stream->signal)); @@ -181,7 +173,7 @@ bool is_dtbclk_required(const struct dc *dc, struct dc_state *context) for (i = 0; i < dc->res_pool->pipe_count; i++) { if (!context->res_ctx.pipe_ctx[i].stream) continue; - if (is_dp2p0_output_encoder(&context->res_ctx.pipe_ctx[i], context->bw_ctx.dml2->v20.scratch.dp2_mst_stream_count)) + if (is_dp2p0_output_encoder(&context->res_ctx.pipe_ctx[i])) return true; } return false; -- 2.46.0

8 months, 1 week

1
0
0 0

[PATCH 08/14] drm/amd/display: fix dccg root clock optimization related hang

by Hamza Mahfooz

From: Qili Lu <qili.lu(a)amd.com> [Why] enable dpp rcg before we disable dppclk in hw_init cause system hang/reboot [How] we remove dccg rcg related code from init into a separate function and call it after we init pipe Cc: stable(a)vger.kernel.org # 6.10+ Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Qili Lu <qili.lu(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 14 +++++++++----- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h | 1 + .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 4 ++++ drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h | 1 + 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c index 889f39694cb7..8b3722a0011b 100644 --- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c @@ -1721,10 +1721,6 @@ void dccg35_init(struct dccg *dccg) dccg35_set_dpstreamclk_root_clock_gating(dccg, otg_inst, false); } - if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) - for (otg_inst = 0; otg_inst < 4; otg_inst++) - dccg35_set_dppclk_root_clock_gating(dccg, otg_inst, 0); - /* dccg35_enable_global_fgcg_rep( dccg, dccg->ctx->dc->debug.enable_fine_grain_clock_gating.bits @@ -2303,6 +2299,14 @@ static void dccg35_disable_symclk_se_cb( /* DMU PHY sequence switches SYMCLK_BE (link_enc_inst) to ref clock once PHY is turned off */ } +void dccg35_root_gate_disable_control(struct dccg *dccg, uint32_t pipe_idx, uint32_t disable_clock_gating) +{ + + if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) { + dccg35_set_dppclk_root_clock_gating(dccg, pipe_idx, disable_clock_gating); + } +} + static const struct dccg_funcs dccg35_funcs_new = { .update_dpp_dto = dccg35_update_dpp_dto_cb, .dpp_root_clock_control = dccg35_dpp_root_clock_control_cb, @@ -2363,7 +2367,7 @@ static const struct dccg_funcs dccg35_funcs = { .enable_symclk_se = dccg35_enable_symclk_se, .disable_symclk_se = dccg35_disable_symclk_se, .set_dtbclk_p_src = dccg35_set_dtbclk_p_src, - + .dccg_root_gate_disable_control = dccg35_root_gate_disable_control, }; struct dccg *dccg35_create( diff --git a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h index 1586a45ca3bd..51f98c5c51c4 100644 --- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h +++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h @@ -241,6 +241,7 @@ struct dccg *dccg35_create( void dccg35_init(struct dccg *dccg); void dccg35_enable_global_fgcg_rep(struct dccg *dccg, bool value); +void dccg35_root_gate_disable_control(struct dccg *dccg, uint32_t pipe_idx, uint32_t disable_clock_gating); #endif //__DCN35_DCCG_H__ diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c index fbbb20b9dbee..7ed75c5fe25e 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c @@ -271,6 +271,10 @@ void dcn35_init_hw(struct dc *dc) dc->res_pool->hubbub->funcs->allow_self_refresh_control(dc->res_pool->hubbub, !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter); } + if (res_pool->dccg->funcs->dccg_root_gate_disable_control) { + for (i = 0; i < res_pool->pipe_count; i++) + res_pool->dccg->funcs->dccg_root_gate_disable_control(res_pool->dccg, i, 0); + } for (i = 0; i < res_pool->audio_count; i++) { struct audio *audio = res_pool->audios[i]; diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h b/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h index d619eb229a62..e94e9ba60f55 100644 --- a/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h +++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h @@ -213,6 +213,7 @@ struct dccg_funcs { uint32_t otg_inst); void (*set_dto_dscclk)(struct dccg *dccg, uint32_t dsc_inst); void (*set_ref_dscclk)(struct dccg *dccg, uint32_t dsc_inst); + void (*dccg_root_gate_disable_control)(struct dccg *dccg, uint32_t pipe_idx, uint32_t disable_clock_gating); }; #endif //__DAL_DCCG_H__ -- 2.46.0

8 months, 1 week

1
0
0 0

[PATCH 03/14] drm/amd/display: Lock DC and exit IPS when changing backlight

by Hamza Mahfooz

From: Leo Li <sunpeng.li(a)amd.com> Backlight updates require aux and/or register access. Therefore, driver needs to disallow IPS beforehand. So, acquire the dc lock before calling into dc to update backlight - we should be doing this regardless of IPS. Then, while the lock is held, disallow IPS before calling into dc, then allow IPS afterwards (if it was previously allowed). Cc: stable(a)vger.kernel.org # 6.10+ Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Reviewed-by: Roman Li <roman.li(a)amd.com> Signed-off-by: Leo Li <sunpeng.li(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 351f8b0fe7a1..fa26b8d59f23 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -4512,7 +4512,7 @@ static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm, struct amdgpu_dm_backlight_caps caps; struct dc_link *link; u32 brightness; - bool rc; + bool rc, reallow_idle = false; amdgpu_dm_update_backlight_caps(dm, bl_idx); caps = dm->backlight_caps[bl_idx]; @@ -4525,6 +4525,12 @@ static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm, link = (struct dc_link *)dm->backlight_link[bl_idx]; /* Change brightness based on AUX property */ + mutex_lock(&dm->dc_lock); + if (dm->dc->caps.ips_support && dm->dc->ctx->dmub_srv->idle_allowed) { + dc_allow_idle_optimizations(dm->dc, false); + reallow_idle = true; + } + if (caps.aux_support) { rc = dc_link_set_backlight_level_nits(link, true, brightness, AUX_BL_DEFAULT_TRANSITION_TIME_MS); @@ -4536,6 +4542,11 @@ static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm, DRM_DEBUG("DM: Failed to update backlight on eDP[%d]\n", bl_idx); } + if (dm->dc->caps.ips_support && reallow_idle) + dc_allow_idle_optimizations(dm->dc, true); + + mutex_unlock(&dm->dc_lock); + if (rc) dm->actual_brightness[bl_idx] = user_brightness; } -- 2.46.0

8 months, 1 week

1
0
0 0

[PATCH] drm/amdgpu/mes: fix mes ring buffer overflow

by Alex Deucher

From: Jack Xiao <Jack.Xiao(a)amd.com> wait memory room until enough before writing mes packets to avoid ring buffer overflow. v2: squash in sched_hw_submission fix Backport from 6.11. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3571 Fixes: de3246254156 ("drm/amdgpu: cleanup MES11 command submission") Fixes: fffe347e1478 ("drm/amdgpu: cleanup MES12 command submission") Signed-off-by: Jack Xiao <Jack.Xiao(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13) Cc: stable(a)vger.kernel.org # 6.10.x (cherry picked from commit 11752c013f562a1124088a35bd314aa0e9f0e88f) --- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 ++ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 18 ++++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c index 06f0a6534a94..88ffb15e25cc 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c @@ -212,6 +212,8 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct amdgpu_ring *ring, */ if (ring->funcs->type == AMDGPU_RING_TYPE_KIQ) sched_hw_submission = max(sched_hw_submission, 256); + if (ring->funcs->type == AMDGPU_RING_TYPE_MES) + sched_hw_submission = 8; else if (ring == &adev->sdma.instance[0].page) sched_hw_submission = 256; diff --git a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c index 32d4519541c6..e1a66d585f5e 100644 --- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c @@ -163,7 +163,7 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes, const char *op_str, *misc_op_str; unsigned long flags; u64 status_gpu_addr; - u32 status_offset; + u32 seq, status_offset; u64 *status_ptr; signed long r; int ret; @@ -191,6 +191,13 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes, if (r) goto error_unlock_free; + seq = ++ring->fence_drv.sync_seq; + r = amdgpu_fence_wait_polling(ring, + seq - ring->fence_drv.num_fences_mask, + timeout); + if (r < 1) + goto error_undo; + api_status = (struct MES_API_STATUS *)((char *)pkt + api_status_off); api_status->api_completion_fence_addr = status_gpu_addr; api_status->api_completion_fence_value = 1; @@ -203,8 +210,7 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes, mes_status_pkt.header.dwsize = API_FRAME_SIZE_IN_DWORDS; mes_status_pkt.api_status.api_completion_fence_addr = ring->fence_drv.gpu_addr; - mes_status_pkt.api_status.api_completion_fence_value = - ++ring->fence_drv.sync_seq; + mes_status_pkt.api_status.api_completion_fence_value = seq; amdgpu_ring_write_multiple(ring, &mes_status_pkt, sizeof(mes_status_pkt) / 4); @@ -224,7 +230,7 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes, dev_dbg(adev->dev, "MES msg=%d was emitted\n", x_pkt->header.opcode); - r = amdgpu_fence_wait_polling(ring, ring->fence_drv.sync_seq, timeout); + r = amdgpu_fence_wait_polling(ring, seq, timeout); if (r < 1 || !*status_ptr) { if (misc_op_str) @@ -247,6 +253,10 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes, amdgpu_device_wb_free(adev, status_offset); return 0; +error_undo: + dev_err(adev->dev, "MES ring buffer is full.\n"); + amdgpu_ring_undo(ring); + error_unlock_free: spin_unlock_irqrestore(&mes->ring_lock, flags); -- 2.46.0

8 months, 1 week

3
3
0 0

[PATCH v2 1/2] ufs: core: complete scsi command after release

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When the error handler successfully aborts a MCQ request, it only releases the command and does not notify the SCSI layer. This may cause another abort after 30 seconds timeout. This patch notifies the SCSI layer to requeue the request. Below is error log [ 14.183804][ T74] ufshcd-mtk 112b0000.ufshci: ufshcd_err_handler started; HBA state eh_non_fatal; powered 1; shutting down 0; saved_err = 4; saved_uic_err = 64; force_reset = 0 [ 14.256164][ T74] ufshcd-mtk 112b0000.ufshci: ufshcd_try_to_abort_task: cmd pending in the device. tag = 19 [ 14.257511][ T74] ufshcd-mtk 112b0000.ufshci: Aborting tag 19 / CDB 0x35 succeeded [ 34.287949][ T8] ufshcd-mtk 112b0000.ufshci: ufshcd_abort: Device abort task at tag 19 [ 34.290514][ T8] ufshcd-mtk 112b0000.ufshci: ufshcd_mcq_abort: skip abort. cmd at tag 19 already completed. Fixes:93e6c0e19d5b ("scsi: ufs: core: Clear cmd if abort succeeds in MCQ mode") Cc: <stable(a)vger.kernel.org> 6.6.x Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 0b3d0c8e0dda..4bcd4e5b62bd 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -6482,8 +6482,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) if (!hwq) return 0; spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) + if (ufshcd_cmd_inflight(lrbp->cmd)) { + struct scsi_cmnd *cmd = lrbp->cmd; + set_host_byte(cmd, DID_REQUEUE); ufshcd_release_scsi_cmd(hba, lrbp); + scsi_done(cmd); + } spin_unlock_irqrestore(&hwq->cq_lock, flags); } -- 2.45.2

8 months, 1 week

2
1
0 0

[PATCH 6.6.y] NFSD: simplify error paths in nfsd_svc()

by cel＠kernel.org

From: NeilBrown <neilb(a)suse.de> [ Upstream commit bf32075256e9dd9c6b736859e2c5813981339908 ] The error paths in nfsd_svc() are needlessly complex and can result in a final call to svc_put() without nfsd_last_thread() being called. This results in the listening sockets not being closed properly. The per-netns setup provided by nfsd_startup_new() and removed by nfsd_shutdown_net() is needed precisely when there are running threads. So we don't need nfsd_up_before. We don't need to know if it *was* up. We only need to know if any threads are left. If none are, then we must call nfsd_shutdown_net(). But we don't need to do that explicitly as nfsd_last_thread() does that for us. So simply call nfsd_last_thread() before the last svc_put() if there are no running threads. That will always do the right thing. Also discard: pr_info("nfsd: last server has exited, flushing export cache\n"); It may not be true if an attempt to start the first server failed, and it isn't particularly helpful and it simply reports normal behaviour. Signed-off-by: NeilBrown <neilb(a)suse.de> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/nfsd/nfssvc.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) Reported-by: Li Lingfeng <lilingfeng3(a)huawei.com> Suggested-by: Li Lingfeng <lilingfeng3(a)huawei.com> Tested-by: Li Lingfeng <lilingfeng3(a)huawei.com> diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c index 7911c4b3b5d3..710a54c7dffc 100644 --- a/fs/nfsd/nfssvc.c +++ b/fs/nfsd/nfssvc.c @@ -567,7 +567,6 @@ void nfsd_last_thread(struct net *net) return; nfsd_shutdown_net(net); - pr_info("nfsd: last server has exited, flushing export cache\n"); nfsd_export_flush(net); } @@ -783,7 +782,6 @@ int nfsd_svc(int nrservs, struct net *net, const struct cred *cred) { int error; - bool nfsd_up_before; struct nfsd_net *nn = net_generic(net, nfsd_net_id); struct svc_serv *serv; @@ -803,8 +801,6 @@ nfsd_svc(int nrservs, struct net *net, const struct cred *cred) error = nfsd_create_serv(net); if (error) goto out; - - nfsd_up_before = nn->nfsd_net_up; serv = nn->nfsd_serv; error = nfsd_startup_net(net, cred); @@ -812,17 +808,15 @@ nfsd_svc(int nrservs, struct net *net, const struct cred *cred) goto out_put; error = svc_set_num_threads(serv, NULL, nrservs); if (error) - goto out_shutdown; + goto out_put; error = serv->sv_nrthreads; - if (error == 0) - nfsd_last_thread(net); -out_shutdown: - if (error < 0 && !nfsd_up_before) - nfsd_shutdown_net(net); out_put: /* Threads now hold service active */ if (xchg(&nn->keep_active, 0)) svc_put(serv); + + if (serv->sv_nrthreads == 0) + nfsd_last_thread(net); svc_put(serv); out: mutex_unlock(&nfsd_mutex); -- 2.45.1

8 months, 1 week

3
3
0 0

Backport request to fix a WARNING in input_mt_init_slots

by George Kennedy

Hello, We have seen a WARNING message while fuzzing with syzkaller. Kernel 5.15.165 on an x86_64 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1592 at mm/page_alloc.c:5398 __alloc_pages+0x4aa/0x5b0 mm/page_alloc.c:5398 Modules linked in: CPU: 1 PID: 1592 Comm: syz-executor777 Not tainted 5.15.165-rc1-305-ge122be7431ef1-syzk #1 Hardware name: Red Hat KVM, BIOS 1.16.0-4.module+el8.9.0+90052+d3bf71d8 04/01/2014 RIP: 0010:__alloc_pages+0x4aa/0x5b0 mm/page_alloc.c:5398 Code: 00 48 89 44 24 58 e9 fa fc ff ff 48 89 f2 48 89 c7 44 89 c6 e8 77 32 f2 ff 49 89 c7 e9 72 fd ff ff 80 e7 20 0f 85 d8 fe ff ff <0f> 0b e9 d1 fe ff ff a9 00 00 08 00 75 48 89 da 80 e2 7f a9 00 00 RSP: 0018:ffff88801c18fb58 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000400c0 RCX: 0000000000000000 RDX: dffffc0000000000 RSI: 0000000000000017 RDI: 0000000000040dc0 RBP: 1ffff11003831f6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000017 R14: 0000000000000000 R15: 0000000000000000 FS: 00007ff8aaa97740(0000) GS:ffff888107080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff8aa38a520 CR3: 0000000022534000 CR4: 00000000000006e0 Call Trace: <TASK> alloc_pages+0x21e/0x3d0 mm/mempolicy.c:2185 kmalloc_order+0x31/0xb0 mm/slab_common.c:966 kmalloc_order_trace+0x19/0xa0 mm/slab_common.c:982 kmalloc include/linux/slab.h:596 [inline] kzalloc include/linux/slab.h:721 [inline] input_mt_init_slots+0xf6/0x620 drivers/input/input-mt.c:49 uinput_create_device+0x1e6/0x6e0 drivers/input/misc/uinput.c:327 uinput_ioctl_handler.isra.0+0x46f/0x15e0 drivers/input/misc/uinput.c:870 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x199/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6c/0xd6 RIP: 0033:0x7ff8aa38a53d Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 79 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffc7eebe838 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8aa38a53d RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000003 RBP: 00000000004017a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 431bde82d7b634db R13: 00007ffc7eebe960 R14: 0000000000000000 R15: 0000000000000000 </TASK> ---[ end trace ced5c0b641032976 ]--- Fix commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… Can you please backport this commit to stable kernels on 5.15.y (and other stable kernels 6.1.y, 6.6.y) commit: 99d3bf5f7377 ("Input: MT - limit max slots") author Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> 2024-07-29 21:51:30 +0900 committer Linus Torvalds <torvalds(a)linux-foundation.org> 2024-07-29 10:44:48 -0700 commit 99d3bf5f7377d42f8be60a6b9cb60fb0be34dceb (patch) tree 78dd9dff2065f2eaf5a9e981f84d56eed2346d10 parent 3894840a7a11aa06cc3b0d5a2d1b5f6878127903 (diff) download linux-99d3bf5f7377d42f8be60a6b9cb60fb0be34dceb.tar.gz Input: MT - limit max slots syzbot is reporting too large allocation at input_mt_init_slots(), for num_slots is supplied from userspace using ioctl(UI_DEV_CREATE). Since nobody knows possible max slots, this patch chose 1024. Reported-by: syzbot <syzbot+0122fa359a69694395d5(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5 Suggested-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Diffstat -rw-r--r-- drivers/input/input-mt.c 3 1 files changed, 3 insertions, 0 deletions diff --git a/drivers/input/input-mt.c b/drivers/input/input-mt.c index 14b53dac1253bf..6b04a674f832a0 100644 --- a/drivers/input/input-mt.c +++ b/drivers/input/input-mt.c @@ -46,6 +46,9 @@ int input_mt_init_slots(struct input_dev *dev, unsigned int num_slots, return 0; if (mt) return mt->num_slots != num_slots ? -EINVAL : 0; + /* Arbitrary limit for avoiding too large memory allocation. */ + if (num_slots > 1024) + return -EINVAL; mt = kzalloc(struct_size(mt, slots, num_slots), GFP_KERNEL); if (!mt)

8 months, 1 week

3
2
0 0

[PATCH 1/2] firmware: tegra: bpmp: drop unused mbox_client_to_bpmp()

by Krzysztof Kozlowski

mbox_client_to_bpmp() is not used, W=1 builds: drivers/firmware/tegra/bpmp.c:28:1: error: unused function 'mbox_client_to_bpmp' [-Werror,-Wunused-function] Fixes: cdfa358b248e ("firmware: tegra: Refactor BPMP driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/firmware/tegra/bpmp.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/drivers/firmware/tegra/bpmp.c b/drivers/firmware/tegra/bpmp.c index c1590d3aa9cb..c3a1dc344961 100644 --- a/drivers/firmware/tegra/bpmp.c +++ b/drivers/firmware/tegra/bpmp.c @@ -24,12 +24,6 @@ #define MSG_RING BIT(1) #define TAG_SZ 32 -static inline struct tegra_bpmp * -mbox_client_to_bpmp(struct mbox_client *client) -{ - return container_of(client, struct tegra_bpmp, mbox.client); -} - static inline const struct tegra_bpmp_ops * channel_to_ops(struct tegra_bpmp_channel *channel) { -- 2.43.0

8 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082754-tricking-facsimile-011e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082732-calculus-unviable-28eb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {

8 months, 1 week

1
0
0 0

[PATCH for stable 0/2] ASoC: topology: Fix loading topology issue

by Amadeusz Sławiński

Commit 97ab304ecd95 ("ASoC: topology: Fix references to freed memory") is a problematic fix for issue in topology loading code, which was cherry-picked to stable. It was later corrected in 0298f51652be ("ASoC: topology: Fix route memory corruption"), however to apply cleanly e0e7bc2cbee9 ("ASoC: topology: Clean up route loading") also needs to be applied. Link: https://lore.kernel.org/linux-sound/ZrwUCnrtKQ61LWFS@sashalap/T/#mbfd273adf… Amadeusz Sławiński (2): ASoC: topology: Clean up route loading ASoC: topology: Fix route memory corruption sound/soc/soc-topology.c | 32 ++++++++------------------------ 1 file changed, 8 insertions(+), 24 deletions(-) base-commit: 878fbff41def4649a2884e9d33bb423f5a7726b0 -- 2.34.1

8 months, 1 week

2
11
0 0

"s390/dasd: Remove DMA alignment" for stable

by Jan Höppner

Hi, the stable tag was missing for the following commit: commit 2a07bb64d801 ("s390/dasd: Remove DMA alignment") The change needs to be applied for kernel 6.0+ essentially reverting bc792884b76f ("s390/dasd: Establish DMA alignment"). The patch fixes filesystem errors especially for XFS when DASD devices are formatted with a blocksize smaller than 4096 bytes. The commit 2a07bb64d801 ("s390/dasd: Remove DMA alignment") should apply cleanly for kernel 6.9+. There was a refactoring happening at the time with the following two commits (just for context, not required as prereqs!): commit 0127a47f58c6 ("dasd: move queue setup to common code") commit fde07a4d74e3 ("dasd: use the atomic queue limits API") For everything before 6.9 a simple git revert for commit bc792884b76f ("s390/dasd: Establish DMA alignment") should work just fine. If you run into any conflicts, need separate patches, or have any questions, please let me know. Thanks a lot and apologies for the inconvenience! regards, Jan

8 months, 1 week

2
3
0 0

[PATCH 6.1 0/2] VCN power saving improvements

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com> This is a backport of patches from 6.11-rc1 that improve power savings for VCN when hardware accelerated video playback is active. Boyuan Zhang (2): drm/amdgpu/vcn: identify unified queue in sw init drm/amdgpu/vcn: not pause dpg for unified queue drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 ++++++++++++------------- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 + 2 files changed, 27 insertions(+), 27 deletions(-) -- 2.43.0

8 months, 1 week

2
3
0 0

[PATCH 6.1.y 5.15.y 5.10.y 5.4.y 4.19.y] Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO

by Harshit Mogalapalli

From: "Lee, Chun-Yi" <joeyli.kernel(a)gmail.com> commit 9c33663af9ad115f90c076a1828129a3fbadea98 upstream. This patch adds code to check HCI_UART_PROTO_READY flag before accessing hci_uart->proto. It fixes the race condition in hci_uart_tty_ioctl() between HCIUARTSETPROTO and HCIUARTGETPROTO. This issue bug found by Yu Hao and Weiteng Chen: BUG: general protection fault in hci_uart_tty_ioctl [1] The information of C reproducer can also reference the link [2] Reported-by: Yu Hao <yhao016(a)ucr.edu> Closes: https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDe… [1] Reported-by: Weiteng Chen <wchen130(a)ucr.edu> Closes: https://lore.kernel.org/lkml/CA+UBctDPEvHdkHMwD340=n02rh+jNRJNNQ5LBZNA+Wm4K… [2] Signed-off-by: "Lee, Chun-Yi" <jlee(a)suse.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [Harshit: bp to stable kernels] Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> --- This is backport of a fix for CVE-2023-31083, it applies cleanly to all stable trees and I have build tested this. drivers/bluetooth/hci_ldisc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index 865112e96ff9..c1feebd9e3a0 100644 --- a/drivers/bluetooth/hci_ldisc.c +++ b/drivers/bluetooth/hci_ldisc.c @@ -770,7 +770,8 @@ static int hci_uart_tty_ioctl(struct tty_struct *tty, unsigned int cmd, break; case HCIUARTGETPROTO: - if (test_bit(HCI_UART_PROTO_SET, &hu->flags)) + if (test_bit(HCI_UART_PROTO_SET, &hu->flags) && + test_bit(HCI_UART_PROTO_READY, &hu->flags)) err = hu->proto->id; else err = -EUNATCH; -- 2.45.2

8 months, 1 week

2
2
0 0

FAILED: patch "[PATCH] net: ngbe: Fix phy mode set to external phy" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082635-dislike-tipping-1bee@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: f2916c83d746 ("net: ngbe: Fix phy mode set to external phy") bc2426d74aa3 ("net: ngbe: convert phylib to phylink") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3 Mon Sep 17 00:00:00 2001 From: Mengyuan Lou <mengyuanlou(a)net-swift.com> Date: Tue, 20 Aug 2024 11:04:25 +0800 Subject: [PATCH] net: ngbe: Fix phy mode set to external phy The MAC only has add the TX delay and it can not be modified. MAC and PHY are both set the TX delay cause transmission problems. So just disable TX delay in PHY, when use rgmii to attach to external phy, set PHY_INTERFACE_MODE_RGMII_RXID to phy drivers. And it is does not matter to internal phy. Fixes: bc2426d74aa3 ("net: ngbe: convert phylib to phylink") Signed-off-by: Mengyuan Lou <mengyuanlou(a)net-swift.com> Cc: stable(a)vger.kernel.org # 6.3+ Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/E6759CF1387CF84C+20240820030425.93003-1-mengyuanlo… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c index ec54b18c5fe7..a5e9b779c44d 100644 --- a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c +++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c @@ -124,8 +124,12 @@ static int ngbe_phylink_init(struct wx *wx) MAC_SYM_PAUSE | MAC_ASYM_PAUSE; config->mac_managed_pm = true; - phy_mode = PHY_INTERFACE_MODE_RGMII_ID; - __set_bit(PHY_INTERFACE_MODE_RGMII_ID, config->supported_interfaces); + /* The MAC only has add the Tx delay and it can not be modified. + * So just disable TX delay in PHY, and it is does not matter to + * internal phy. + */ + phy_mode = PHY_INTERFACE_MODE_RGMII_RXID; + __set_bit(PHY_INTERFACE_MODE_RGMII_RXID, config->supported_interfaces); phylink = phylink_create(config, NULL, phy_mode, &ngbe_mac_ops); if (IS_ERR(phylink))

8 months, 1 week

3
2
0 0

FAILED: patch "[PATCH] ksmbd: fix race condition between destroy_previous_session()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 76e98a158b207771a6c9a0de0a60522a446a3447 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082626-succulent-engraver-73cd@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 76e98a158b20 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()") d484d621d40f ("ksmbd: add durable scavenger timer") c8efcc786146 ("ksmbd: add support for durable handles v1/v2") fa9415d4024f ("ksmbd: mark SMB2_SESSION_EXPIRED to session when destroying previous session") c2a721eead71 ("ksmbd: lazy v2 lease break on smb2_write()") d47d9886aeef ("ksmbd: send v2 lease break notification for directory") eb547407f357 ("ksmbd: downgrade RWH lease caching state to RH for directory") 2e450920d58b ("ksmbd: move oplock handling after unlock parent dir") 4274a9dc6aeb ("ksmbd: separately allocate ci per dentry") 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76e98a158b207771a6c9a0de0a60522a446a3447 Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Sat, 17 Aug 2024 14:03:49 +0900 Subject: [PATCH] ksmbd: fix race condition between destroy_previous_session() and smb2 operations() If there is ->PreviousSessionId field in the session setup request, The session of the previous connection should be destroyed. During this, if the smb2 operation requests in the previous session are being processed, a racy issue could happen with ksmbd_destroy_file_table(). This patch sets conn->status to KSMBD_SESS_NEED_RECONNECT to block incoming operations and waits until on-going operations are complete (i.e. idle) before desctorying the previous session. Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") Cc: stable(a)vger.kernel.org # v6.6+ Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-25040 Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index 09e1e7771592..7889df8112b4 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -165,11 +165,43 @@ void ksmbd_all_conn_set_status(u64 sess_id, u32 status) up_read(&conn_list_lock); } -void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id) +void ksmbd_conn_wait_idle(struct ksmbd_conn *conn) { wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2); } +int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id) +{ + struct ksmbd_conn *conn; + int rc, retry_count = 0, max_timeout = 120; + int rcount = 1; + +retry_idle: + if (retry_count >= max_timeout) + return -EIO; + + down_read(&conn_list_lock); + list_for_each_entry(conn, &conn_list, conns_list) { + if (conn->binding || xa_load(&conn->sessions, sess_id)) { + if (conn == curr_conn) + rcount = 2; + if (atomic_read(&conn->req_running) >= rcount) { + rc = wait_event_timeout(conn->req_running_q, + atomic_read(&conn->req_running) < rcount, + HZ); + if (!rc) { + up_read(&conn_list_lock); + retry_count++; + goto retry_idle; + } + } + } + } + up_read(&conn_list_lock); + + return 0; +} + int ksmbd_conn_write(struct ksmbd_work *work) { struct ksmbd_conn *conn = work->conn; diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h index 5c2845e47cf2..5b947175c048 100644 --- a/fs/smb/server/connection.h +++ b/fs/smb/server/connection.h @@ -145,7 +145,8 @@ extern struct list_head conn_list; extern struct rw_semaphore conn_list_lock; bool ksmbd_conn_alive(struct ksmbd_conn *conn); -void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id); +void ksmbd_conn_wait_idle(struct ksmbd_conn *conn); +int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id); struct ksmbd_conn *ksmbd_conn_alloc(void); void ksmbd_conn_free(struct ksmbd_conn *conn); bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c); diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c index 162a12685d2c..99416ce9f501 100644 --- a/fs/smb/server/mgmt/user_session.c +++ b/fs/smb/server/mgmt/user_session.c @@ -311,6 +311,7 @@ void destroy_previous_session(struct ksmbd_conn *conn, { struct ksmbd_session *prev_sess; struct ksmbd_user *prev_user; + int err; down_write(&sessions_table_lock); down_write(&conn->session_lock); @@ -325,8 +326,16 @@ void destroy_previous_session(struct ksmbd_conn *conn, memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) goto out; + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT); + err = ksmbd_conn_wait_idle_sess_id(conn, id); + if (err) { + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); + goto out; + } + ksmbd_destroy_file_table(&prev_sess->file_table); prev_sess->state = SMB2_SESSION_EXPIRED; + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ksmbd_launch_ksmbd_durable_scavenger(); out: up_write(&conn->session_lock); diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 3f4c56a10a86..cb7f487c96af 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2213,7 +2213,7 @@ int smb2_session_logoff(struct ksmbd_work *work) ksmbd_conn_unlock(conn); ksmbd_close_session_fds(work); - ksmbd_conn_wait_idle(conn, sess_id); + ksmbd_conn_wait_idle(conn); /* * Re-lookup session to validate if session is deleted

8 months, 1 week

3
2
0 0

[PATCH 6.6 0/2] VCN power saving improvements

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com> This is a backport of patches from 6.11-rc1 that improve power savings for VCN when hardware accelerated video playback is active. Boyuan Zhang (2): drm/amdgpu/vcn: identify unified queue in sw init drm/amdgpu/vcn: not pause dpg for unified queue drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 ++++++++++++------------- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 + 2 files changed, 27 insertions(+), 27 deletions(-) -- 2.43.0

8 months, 1 week

2
3
0 0

[PATCH 5.10.y] nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg().

by Kuniyuki Iwashima

When commit 390390240145 ("nfsd: don't allow nfsd threads to be signalled.") is backported to 5.10, it was adjusted considering commit 3feac2b55293 ("sunrpc: exclude from freezer when waiting for requests:"). However, 3feac2b55293 is based on commit f6e70aab9dfe ("SUNRPC: refresh rq_pages using a bulk page allocator"), which converted page-by-page allocation to a batch allocation, so schedule_timeout() is placed un-nested. As a result, the backported commit 7229200f6866 ("nfsd: don't allow nfsd threads to be signalled.") placed freezable_schedule_timeout() in the wrong place. Now, freezable_schedule_timeout() is called after every successful page allocation, and we see 30%+ performance regression on 5.10.220 in our test suite. Let's move it to the correct place so that freezable_schedule_timeout() is called only when page allocation fails. Fixes: 7229200f6866 ("nfsd: don't allow nfsd threads to be signalled.") Reported-by: Hughdan Liu <hughliu(a)amazon.com> Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> --- net/sunrpc/svc_xprt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c index d1eacf3358b8..60782504ad3e 100644 --- a/net/sunrpc/svc_xprt.c +++ b/net/sunrpc/svc_xprt.c @@ -679,8 +679,8 @@ static int svc_alloc_arg(struct svc_rqst *rqstp) set_current_state(TASK_RUNNING); return -EINTR; } + freezable_schedule_timeout(msecs_to_jiffies(500)); } - freezable_schedule_timeout(msecs_to_jiffies(500)); rqstp->rq_pages[i] = p; } rqstp->rq_page_end = &rqstp->rq_pages[i]; -- 2.30.2

8 months, 1 week

3
2
0 0

[PATCH 6.1.y 0/7] NFSD updates for LTS 6.1.y

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Address an NFSD crasher that was noted here: https://lore.kernel.org/linux-nfs/65ee9c0d-e89e-b3e5-f542-103a0ee4745c@huaw… To apply the fix cleanly, backport a few NFSD patches into v6.1.y that have been in the other LTS kernels for a while. Reported-by: Li LingFeng <lilingfeng3(a)huawei.com> Suggested-by: Li LingFeng <lilingfeng3(a)huawei.com> Tested-by: Li LingFeng <lilingfeng3(a)huawei.com> Jeff Layton (1): nfsd: drop the nfsd_put helper NeilBrown (5): nfsd: Simplify code around svc_exit_thread() call in nfsd() nfsd: separate nfsd_last_thread() from nfsd_put() NFSD: simplify error paths in nfsd_svc() nfsd: call nfsd_last_thread() before final nfsd_put() nfsd: don't call locks_release_private() twice concurrently Trond Myklebust (1): nfsd: Fix a regression in nfsd_setattr() fs/nfsd/nfs4proc.c | 4 ++ fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsctl.c | 32 ++++++++------ fs/nfsd/nfsd.h | 3 +- fs/nfsd/nfssvc.c | 85 ++++++++++---------------------------- fs/nfsd/vfs.c | 6 ++- include/linux/sunrpc/svc.h | 13 ------ 7 files changed, 51 insertions(+), 94 deletions(-) -- 2.45.1

8 months, 1 week

2
8
0 0

[PATCH stable 6.6 1/2] bpf: Fix a kernel verifier crash in stacksafe()

by Shung-Hsi Yu

From: Yonghong Song <yonghong.song(a)linux.dev> [ Upstream commit bed2eb964c70b780fb55925892a74f26cb590b25 ] Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") Cc: Eduard Zingerman <eddyz87(a)gmail.com> Reported-by: Daniel Hodges <hodgesd(a)meta.com> Acked-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> shung-hsi.yu: "exact" variable is bool instead enum because commit 4f81c16f50ba ("bpf: Recognize that two registers are safe when their ranges match") is not present. Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- kernel/bpf/verifier.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 171045b6956d..3f1a9cd7fc9e 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16124,8 +16124,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, spi = i / BPF_REG_SIZE; if (exact && - old->stack[spi].slot_type[i % BPF_REG_SIZE] != - cur->stack[spi].slot_type[i % BPF_REG_SIZE]) + (i >= cur->allocated_stack || + old->stack[spi].slot_type[i % BPF_REG_SIZE] != + cur->stack[spi].slot_type[i % BPF_REG_SIZE])) return false; if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && !exact) { -- 2.46.0

8 months, 1 week

2
2
0 0

[PATCH stable 5.10] bpf: Allow reads from uninit stack

by Maxim Mikityanskiy

From: Eduard Zingerman <eddyz87(a)gmail.com> [ Upstream commit 6715df8d5d24655b9fd368e904028112b54c7de1 ] This commits updates the following functions to allow reads from uninitialized stack locations when env->allow_uninit_stack option is enabled: - check_stack_read_fixed_off() - check_stack_range_initialized(), called from: - check_stack_read_var_off() - check_helper_mem_access() Such change allows to relax logic in stacksafe() to treat STACK_MISC and STACK_INVALID in a same way and make the following stack slot configurations equivalent: | Cached state | Current state | | stack slot | stack slot | |------------------+------------------| | STACK_INVALID or | STACK_INVALID or | | STACK_MISC | STACK_SPILL or | | | STACK_MISC or | | | STACK_ZERO or | | | STACK_DYNPTR | This leads to significant verification speed gains (see below). The idea was suggested by Andrii Nakryiko [1] and initial patch was created by Alexei Starovoitov [2]. Currently the env->allow_uninit_stack is allowed for programs loaded by users with CAP_PERFMON or CAP_SYS_ADMIN capabilities. A number of test cases from verifier/*.c were expecting uninitialized stack access to be an error. These test cases were updated to execute in unprivileged mode (thus preserving the tests). The test progs/test_global_func10.c expected "invalid indirect read from stack" error message because of the access to uninitialized memory region. This error is no longer possible in privileged mode. The test is updated to provoke an error "invalid indirect access to stack" because of access to invalid stack address (such error is not verified by progs/test_global_func*.c series of tests). The following tests had to be removed because these can't be made unprivileged: - verifier/sock.c: - "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value" BPF_PROG_TYPE_SCHED_CLS programs are not executed in unprivileged mode. - verifier/var_off.c: - "indirect variable-offset stack access, max_off+size > max_initialized" - "indirect variable-offset stack access, uninitialized" These tests verify that access to uninitialized stack values is detected when stack offset is not a constant. However, variable stack access is prohibited in unprivileged mode, thus these tests are no longer valid. * * * Here is veristat log comparing this patch with current master on a set of selftest binaries listed in tools/testing/selftests/bpf/veristat.cfg and cilium BPF binaries (see [3]): $ ./veristat -e file,prog,states -C -f 'states_pct<-30' master.log current.log File Program States (A) States (B) States (DIFF) -------------------------- -------------------------- ---------- ---------- ---------------- bpf_host.o tail_handle_ipv6_from_host 349 244 -105 (-30.09%) bpf_host.o tail_handle_nat_fwd_ipv4 1320 895 -425 (-32.20%) bpf_lxc.o tail_handle_nat_fwd_ipv4 1320 895 -425 (-32.20%) bpf_sock.o cil_sock4_connect 70 48 -22 (-31.43%) bpf_sock.o cil_sock4_sendmsg 68 46 -22 (-32.35%) bpf_xdp.o tail_handle_nat_fwd_ipv4 1554 803 -751 (-48.33%) bpf_xdp.o tail_lb_ipv4 6457 2473 -3984 (-61.70%) bpf_xdp.o tail_lb_ipv6 7249 3908 -3341 (-46.09%) pyperf600_bpf_loop.bpf.o on_event 287 145 -142 (-49.48%) strobemeta.bpf.o on_event 15915 4772 -11143 (-70.02%) strobemeta_nounroll2.bpf.o on_event 17087 3820 -13267 (-77.64%) xdp_synproxy_kern.bpf.o syncookie_tc 21271 6635 -14636 (-68.81%) xdp_synproxy_kern.bpf.o syncookie_xdp 23122 6024 -17098 (-73.95%) -------------------------- -------------------------- ---------- ---------- ---------------- Note: I limited selection by states_pct<-30%. Inspection of differences in pyperf600_bpf_loop behavior shows that the following patch for the test removes almost all differences: - a/tools/testing/selftests/bpf/progs/pyperf.h + b/tools/testing/selftests/bpf/progs/pyperf.h @ -266,8 +266,8 @ int __on_event(struct bpf_raw_tracepoint_args *ctx) } if (event->pthread_match || !pidData->use_tls) { - void* frame_ptr; - FrameData frame; + void* frame_ptr = 0; + FrameData frame = {}; Symbol sym = {}; int cur_cpu = bpf_get_smp_processor_id(); W/o this patch the difference comes from the following pattern (for different variables): static bool get_frame_data(... FrameData *frame ...) { ... bpf_probe_read_user(&frame->f_code, ...); if (!frame->f_code) return false; ... bpf_probe_read_user(&frame->co_name, ...); if (frame->co_name) ...; } int __on_event(struct bpf_raw_tracepoint_args *ctx) { FrameData frame; ... get_frame_data(... &frame ...) // indirectly via a bpf_loop & callback ... } SEC("raw_tracepoint/kfree_skb") int on_event(struct bpf_raw_tracepoint_args* ctx) { ... ret |= __on_event(ctx); ret |= __on_event(ctx); ... } With regards to value `frame->co_name` the following is important: - Because of the conditional `if (!frame->f_code)` each call to __on_event() produces two states, one with `frame->co_name` marked as STACK_MISC, another with it as is (and marked STACK_INVALID on a first call). - The call to bpf_probe_read_user() does not mark stack slots corresponding to `&frame->co_name` as REG_LIVE_WRITTEN but it marks these slots as BPF_MISC, this happens because of the following loop in the check_helper_call(): for (i = 0; i < meta.access_size; i++) { err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1, false); if (err) return err; } Note the size of the write, it is a one byte write for each byte touched by a helper. The BPF_B write does not lead to write marks for the target stack slot. - Which means that w/o this patch when second __on_event() call is verified `if (frame->co_name)` will propagate read marks first to a stack slot with STACK_MISC marks and second to a stack slot with STACK_INVALID marks and these states would be considered different. [1] https://lore.kernel.org/bpf/CAEf4BzY3e+ZuC6HUa8dCiUovQRg2SzEk7M-dSkqNZyn=xE… [2] https://lore.kernel.org/bpf/CAADnVQKs2i1iuZ5SUGuJtxWVfGYR9kDgYKhq3rNV+kBLQC… [3] git@github.com:anakryiko/cilium.git Suggested-by: Andrii Nakryiko <andrii(a)kernel.org> Co-developed-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com> Acked-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/r/20230219200427.606541-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Maxim Mikityanskiy <maxim(a)isovalent.com> --- Backporting to address the complexity regression introduced by commit 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info"), that affects Cilium built with LLVM 18. kernel/bpf/verifier.c | 11 +- .../selftests/bpf/progs/test_global_func10.c | 31 +++ tools/testing/selftests/bpf/verifier/calls.c | 13 +- .../bpf/verifier/helper_access_var_len.c | 104 ++++++--- .../testing/selftests/bpf/verifier/int_ptr.c | 9 +- .../selftests/bpf/verifier/search_pruning.c | 13 +- tools/testing/selftests/bpf/verifier/sock.c | 27 --- .../selftests/bpf/verifier/spill_fill.c | 211 ++++++++++++++++++ .../testing/selftests/bpf/verifier/var_off.c | 52 ----- 9 files changed, 342 insertions(+), 129 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/test_global_func10.c diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ad115ccc2fe0..60db311480d0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2807,6 +2807,8 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, continue; if (type == STACK_MISC) continue; + if (type == STACK_INVALID && env->allow_uninit_stack) + continue; verbose(env, "invalid read from stack off %d+%d size %d\n", off, i, size); return -EACCES; @@ -2844,6 +2846,8 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, continue; if (type == STACK_ZERO) continue; + if (type == STACK_INVALID && env->allow_uninit_stack) + continue; verbose(env, "invalid read from stack off %d+%d size %d\n", off, i, size); return -EACCES; @@ -4300,7 +4304,8 @@ static int check_stack_range_initialized( stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE]; if (*stype == STACK_MISC) goto mark; - if (*stype == STACK_ZERO) { + if ((*stype == STACK_ZERO) || + (*stype == STACK_INVALID && env->allow_uninit_stack)) { if (clobber) { /* helper can write anything into the stack */ *stype = STACK_MISC; @@ -9492,6 +9497,10 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) continue; + if (env->allow_uninit_stack && + old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) + continue; + /* explored stack has more populated slots than current stack * and these slots were used */ diff --git a/tools/testing/selftests/bpf/progs/test_global_func10.c b/tools/testing/selftests/bpf/progs/test_global_func10.c new file mode 100644 index 000000000000..8fba3f3649e2 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_global_func10.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0-only +#include <stddef.h> +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include "bpf_misc.h" + +struct Small { + long x; +}; + +struct Big { + long x; + long y; +}; + +__noinline int foo(const struct Big *big) +{ + if (!big) + return 0; + + return bpf_get_prandom_u32() < big->y; +} + +SEC("cgroup_skb/ingress") +__failure __msg("invalid indirect access to stack") +int global_func10(struct __sk_buff *skb) +{ + const struct Small small = {.x = skb->len }; + + return foo((struct Big *)&small) ? 1 : 0; +} diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c index eb888c8479c3..4b0628cd2d03 100644 --- a/tools/testing/selftests/bpf/verifier/calls.c +++ b/tools/testing/selftests/bpf/verifier/calls.c @@ -1948,19 +1948,22 @@ * that fp-8 stack slot was unused in the fall-through * branch and will accept the program incorrectly */ - BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2), + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 2, 2), BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_JMP_IMM(BPF_JA, 0, 0, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), + BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .fixup_map_hash_48b = { 6 }, - .errstr = "invalid indirect read from stack R2 off -8+0 size 8", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_XDP, + .fixup_map_hash_48b = { 7 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "calls: ctx read at start of subprog", diff --git a/tools/testing/selftests/bpf/verifier/helper_access_var_len.c b/tools/testing/selftests/bpf/verifier/helper_access_var_len.c index 0ab7f1dfc97a..0e24aa11c457 100644 --- a/tools/testing/selftests/bpf/verifier/helper_access_var_len.c +++ b/tools/testing/selftests/bpf/verifier/helper_access_var_len.c @@ -29,19 +29,30 @@ { "helper access to variable memory: stack, bitwise AND, zero included", .insns = { - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), - BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), - BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), - BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), - BPF_MOV64_IMM(BPF_REG_3, 0), - BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), + /* set max stack size */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), + /* set r3 to a random value */ + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), + /* use bitwise AND to limit r3 range to [0, 64] */ + BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 64), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), + BPF_MOV64_IMM(BPF_REG_4, 0), + /* Call bpf_ringbuf_output(), it is one of a few helper functions with + * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. + * For unpriv this should signal an error, because memory at &fp[-64] is + * not initialized. + */ + BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), BPF_EXIT_INSN(), }, - .errstr = "invalid indirect read from stack R1 off -64+0 size 64", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .fixup_map_ringbuf = { 4 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -64+0 size 64", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "helper access to variable memory: stack, bitwise AND + JMP, wrong max", @@ -183,20 +194,31 @@ { "helper access to variable memory: stack, JMP, no min check", .insns = { - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), - BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), - BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), - BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), - BPF_MOV64_IMM(BPF_REG_3, 0), - BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), + /* set max stack size */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), + /* set r3 to a random value */ + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), + /* use JMP to limit r3 range to [0, 64] */ + BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 64, 6), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), + BPF_MOV64_IMM(BPF_REG_4, 0), + /* Call bpf_ringbuf_output(), it is one of a few helper functions with + * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. + * For unpriv this should signal an error, because memory at &fp[-64] is + * not initialized. + */ + BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .errstr = "invalid indirect read from stack R1 off -64+0 size 64", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .fixup_map_ringbuf = { 4 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -64+0 size 64", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "helper access to variable memory: stack, JMP (signed), no min check", @@ -564,29 +586,41 @@ { "helper access to variable memory: 8 bytes leak", .insns = { - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), - BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), + /* set max stack size */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), + /* set r3 to a random value */ + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), + /* Note: fp[-32] left uninitialized */ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), - BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), - BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), - BPF_MOV64_IMM(BPF_REG_3, 0), - BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), - BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + /* Limit r3 range to [1, 64] */ + BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 63), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 1), + BPF_MOV64_IMM(BPF_REG_4, 0), + /* Call bpf_ringbuf_output(), it is one of a few helper functions with + * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. + * For unpriv this should signal an error, because memory region [1, 64] + * at &fp[-64] is not fully initialized. + */ + BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), + BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .errstr = "invalid indirect read from stack R1 off -64+32 size 64", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .fixup_map_ringbuf = { 3 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -64+32 size 64", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "helper access to variable memory: 8 bytes no leak (init memory)", diff --git a/tools/testing/selftests/bpf/verifier/int_ptr.c b/tools/testing/selftests/bpf/verifier/int_ptr.c index 070893fb2900..02d9e004260b 100644 --- a/tools/testing/selftests/bpf/verifier/int_ptr.c +++ b/tools/testing/selftests/bpf/verifier/int_ptr.c @@ -54,12 +54,13 @@ /* bpf_strtoul() */ BPF_EMIT_CALL(BPF_FUNC_strtoul), - BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .result = REJECT, - .prog_type = BPF_PROG_TYPE_CGROUP_SYSCTL, - .errstr = "invalid indirect read from stack R4 off -16+4 size 8", + .result_unpriv = REJECT, + .errstr_unpriv = "invalid indirect read from stack R4 off -16+4 size 8", + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "ARG_PTR_TO_LONG misaligned", diff --git a/tools/testing/selftests/bpf/verifier/search_pruning.c b/tools/testing/selftests/bpf/verifier/search_pruning.c index 7e36078f8f48..949cbe460248 100644 --- a/tools/testing/selftests/bpf/verifier/search_pruning.c +++ b/tools/testing/selftests/bpf/verifier/search_pruning.c @@ -128,9 +128,10 @@ BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, - .errstr = "invalid read from stack off -16+0 size 8", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .errstr_unpriv = "invalid read from stack off -16+0 size 8", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "allocated_stack", @@ -187,6 +188,8 @@ BPF_EXIT_INSN(), }, .flags = BPF_F_TEST_STATE_FREQ, - .errstr = "invalid read from stack off -8+1 size 8", - .result = REJECT, + .errstr_unpriv = "invalid read from stack off -8+1 size 8", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, diff --git a/tools/testing/selftests/bpf/verifier/sock.c b/tools/testing/selftests/bpf/verifier/sock.c index 8c224eac93df..59d976d22867 100644 --- a/tools/testing/selftests/bpf/verifier/sock.c +++ b/tools/testing/selftests/bpf/verifier/sock.c @@ -530,33 +530,6 @@ .prog_type = BPF_PROG_TYPE_SCHED_CLS, .result = ACCEPT, }, -{ - "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value", - .insns = { - BPF_MOV64_IMM(BPF_REG_2, 0), - BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), - BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), - BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - BPF_MOV64_IMM(BPF_REG_4, 1), - BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), - BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), - BPF_LD_MAP_FD(BPF_REG_1, 0), - BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .fixup_sk_storage_map = { 14 }, - .prog_type = BPF_PROG_TYPE_SCHED_CLS, - .result = REJECT, - .errstr = "invalid indirect read from stack", -}, { "bpf_map_lookup_elem(smap, &key)", .insns = { diff --git a/tools/testing/selftests/bpf/verifier/spill_fill.c b/tools/testing/selftests/bpf/verifier/spill_fill.c index 0b943897aaf6..1e76841b7bfa 100644 --- a/tools/testing/selftests/bpf/verifier/spill_fill.c +++ b/tools/testing/selftests/bpf/verifier/spill_fill.c @@ -104,3 +104,214 @@ .result = ACCEPT, .retval = POINTER_VALUE, }, +{ + "Spill and refill a u32 const scalar. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u32 *)(r10 -8) */ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -8), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=20 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,off=20 R2=pkt R3=pkt_end R4=20 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,off=20,r=20 R2=pkt,r=20 R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill a u32 const, refill from another half of the uninit u32 from the stack", + .insns = { + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u32 *)(r10 -4) fp-8=????rrrr*/ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -4), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result_unpriv = REJECT, + .errstr_unpriv = "invalid read from stack off -4+0 size 4", + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, +}, +{ + "Spill a u32 const scalar. Refill as u16. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u16 *)(r10 -8) */ + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill u32 const scalars. Refill as u64. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r6 = 0 */ + BPF_MOV32_IMM(BPF_REG_6, 0), + /* r7 = 20 */ + BPF_MOV32_IMM(BPF_REG_7, 20), + /* *(u32 *)(r10 -4) = r6 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -4), + /* *(u32 *)(r10 -8) = r7 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7, -8), + /* r4 = *(u64 *)(r10 -8) */ + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill a u32 const scalar. Refill as u16 from fp-6. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u16 *)(r10 -6) */ + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -6), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill and refill a u32 const scalar at non 8byte aligned stack addr. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* *(u32 *)(r10 -4) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -4), + /* r4 = *(u32 *)(r10 -4), */ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -4), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=U32_MAX */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=U32_MAX R2=pkt R3=pkt_end R4= */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=U32_MAX R2=pkt R3=pkt_end R4= */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill and refill a umax=40 bounded scalar. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, + offsetof(struct __sk_buff, tstamp)), + BPF_JMP_IMM(BPF_JLE, BPF_REG_4, 40, 2), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + /* *(u32 *)(r10 -8) = r4 R4=umax=40 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = (*u32 *)(r10 - 8) */ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -8), + /* r2 += r4 R2=pkt R4=umax=40 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_4), + /* r0 = r2 R2=pkt,umax=40 R4=umax=40 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r2 += 20 R0=pkt,umax=40 R2=pkt,umax=40 */ + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 20), + /* if (r2 > r3) R0=pkt,umax=40 R2=pkt,off=20,umax=40 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 1), + /* r0 = *(u32 *)r0 R0=pkt,r=20,umax=40 R2=pkt,off=20,r=20,umax=40 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill a u32 scalar at fp-4 and then at fp-8", + .insns = { + /* r4 = 4321 */ + BPF_MOV32_IMM(BPF_REG_4, 4321), + /* *(u32 *)(r10 -4) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -4), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u64 *)(r10 -8) */ + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, diff --git a/tools/testing/selftests/bpf/verifier/var_off.c b/tools/testing/selftests/bpf/verifier/var_off.c index eab1f7f56e2f..dc92a29f0d74 100644 --- a/tools/testing/selftests/bpf/verifier/var_off.c +++ b/tools/testing/selftests/bpf/verifier/var_off.c @@ -212,31 +212,6 @@ .result = REJECT, .prog_type = BPF_PROG_TYPE_LWT_IN, }, -{ - "indirect variable-offset stack access, max_off+size > max_initialized", - .insns = { - /* Fill only the second from top 8 bytes of the stack. */ - BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0), - /* Get an unknown value. */ - BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), - /* Make it small and 4-byte aligned. */ - BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), - BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16), - /* Add it to fp. We now have either fp-12 or fp-16, but we don't know - * which. fp-12 size 8 is partially uninitialized stack. - */ - BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), - /* Dereference it indirectly. */ - BPF_LD_MAP_FD(BPF_REG_1, 0), - BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .fixup_map_hash_8b = { 5 }, - .errstr = "invalid indirect read from stack R2 var_off", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_LWT_IN, -}, { "indirect variable-offset stack access, min_off < min_initialized", .insns = { @@ -289,33 +264,6 @@ .result = ACCEPT, .prog_type = BPF_PROG_TYPE_CGROUP_SKB, }, -{ - "indirect variable-offset stack access, uninitialized", - .insns = { - BPF_MOV64_IMM(BPF_REG_2, 6), - BPF_MOV64_IMM(BPF_REG_3, 28), - /* Fill the top 16 bytes of the stack. */ - BPF_ST_MEM(BPF_W, BPF_REG_10, -16, 0), - BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), - /* Get an unknown value. */ - BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 0), - /* Make it small and 4-byte aligned. */ - BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 4), - BPF_ALU64_IMM(BPF_SUB, BPF_REG_4, 16), - /* Add it to fp. We now have either fp-12 or fp-16, we don't know - * which, but either way it points to initialized stack. - */ - BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_10), - BPF_MOV64_IMM(BPF_REG_5, 8), - /* Dereference it indirectly. */ - BPF_EMIT_CALL(BPF_FUNC_getsockopt), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .errstr = "invalid indirect read from stack R4 var_off", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_SOCK_OPS, -}, { "indirect variable-offset stack access, ok", .insns = { -- 2.45.2

8 months, 1 week

5
6
0 0

FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PTE is changed" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 40b760cfd44566bca791c80e0720d70d75382b84 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081934-embargo-primer-a23e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 40b760cfd445 ("mm/numa: no task_numa_fault() call if PTE is changed") d2136d749d76 ("mm: support multi-size THP numa balancing") 6b0ed7b3c775 ("mm: factor out the numa mapping rebuilding into a new helper") ec1778807a80 ("mm: mprotect: use a folio in change_pte_range()") 6695cf68b15c ("mm: memory: use a folio in do_numa_page()") 73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()") 2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()") df57721f9a63 ("Merge tag 'x86_shstk_for_6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40b760cfd44566bca791c80e0720d70d75382b84 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Fri, 9 Aug 2024 10:59:04 -0400 Subject: [PATCH] mm/numa: no task_numa_fault() call if PTE is changed When handling a numa page fault, task_numa_fault() should be called by a process that restores the page table of the faulted folio to avoid duplicated stats counting. Commit b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") restructured do_numa_page() and did not avoid task_numa_fault() call in the second page table check after a numa migration failure. Fix it by making all !pte_same() return immediately. This issue can cause task_numa_fault() being called more than necessary and lead to unexpected numa balancing results (It is hard to tell whether the issue will cause positive or negative performance impact due to duplicated numa fault counting). Link: https://lkml.kernel.org/r/20240809145906.1513458-2-ziy@nvidia.com Fixes: b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: "Huang, Ying" <ying.huang(a)intel.com> Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte… Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mel Gorman <mgorman(a)suse.de> Cc: Yang Shi <shy828301(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index 34f8402d2046..3c01d68065be 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -5295,7 +5295,7 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) if (unlikely(!pte_same(old_pte, vmf->orig_pte))) { pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; + return 0; } pte = pte_modify(old_pte, vma->vm_page_prot); @@ -5358,23 +5358,19 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) if (!migrate_misplaced_folio(folio, vma, target_nid)) { nid = target_nid; flags |= TNF_MIGRATED; - } else { - flags |= TNF_MIGRATE_FAIL; - vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, - vmf->address, &vmf->ptl); - if (unlikely(!vmf->pte)) - goto out; - if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { - pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; - } - goto out_map; + task_numa_fault(last_cpupid, nid, nr_pages, flags); + return 0; } -out: - if (nid != NUMA_NO_NODE) - task_numa_fault(last_cpupid, nid, nr_pages, flags); - return 0; + flags |= TNF_MIGRATE_FAIL; + vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, + vmf->address, &vmf->ptl); + if (unlikely(!vmf->pte)) + return 0; + if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { + pte_unmap_unlock(vmf->pte, vmf->ptl); + return 0; + } out_map: /* * Make it present again, depending on how arch implements @@ -5387,7 +5383,10 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) numa_rebuild_single_mapping(vmf, vma, vmf->address, vmf->pte, writable); pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; + + if (nid != NUMA_NO_NODE) + task_numa_fault(last_cpupid, nid, nr_pages, flags); + return 0; } static inline vm_fault_t create_huge_pmd(struct vm_fault *vmf)

8 months, 1 week

3
2
0 0

Re: Patch "drm/amdkfd: Move dma unmapping after TLB flush" has been added to the 6.6-stable tree

by Felix Kuehling

This patch introduced a regression. If you want to backport it, I'd recommend including this fix as well: commit 9c29282ecbeeb1b43fced3055c6a5bb244b9390b Author: Lang Yu <Lang.Yu(a)amd.com> Date: Thu Jan 11 12:27:07 2024 +0800 drm/amdkfd: reserve the BO before validating it Fix a warning. v2: Avoid unmapping attachment repeatedly when ERESTARTSYS. v3: Lock the BO before accessing ttm->sg to avoid race conditions.(Felix) [ 41.708711] WARNING: CPU: 0 PID: 1463 at drivers/gpu/drm/ttm/ttm_bo.c:846 ttm_bo_validate+0x146/0x1b0 [ttm] [ 41.708989] Call Trace: [ 41.708992] <TASK> [ 41.708996] ? show_regs+0x6c/0x80 [ 41.709000] ? ttm_bo_validate+0x146/0x1b0 [ttm] [ 41.709008] ? __warn+0x93/0x190 [ 41.709014] ? ttm_bo_validate+0x146/0x1b0 [ttm] [ 41.709024] ? report_bug+0x1f9/0x210 [ 41.709035] ? handle_bug+0x46/0x80 [ 41.709041] ? exc_invalid_op+0x1d/0x80 [ 41.709048] ? asm_exc_invalid_op+0x1f/0x30 [ 41.709057] ? amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x2c/0x80 [amdgpu] [ 41.709185] ? ttm_bo_validate+0x146/0x1b0 [ttm] [ 41.709197] ? amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x2c/0x80 [amdgpu] [ 41.709337] ? srso_alias_return_thunk+0x5/0x7f [ 41.709346] kfd_mem_dmaunmap_attachment+0x9e/0x1e0 [amdgpu] [ 41.709467] amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x56/0x80 [amdgpu] [ 41.709586] kfd_ioctl_unmap_memory_from_gpu+0x1b7/0x300 [amdgpu] [ 41.709710] kfd_ioctl+0x1ec/0x650 [amdgpu] [ 41.709822] ? __pfx_kfd_ioctl_unmap_memory_from_gpu+0x10/0x10 [amdgpu] [ 41.709945] ? srso_alias_return_thunk+0x5/0x7f [ 41.709949] ? tomoyo_file_ioctl+0x20/0x30 [ 41.709959] __x64_sys_ioctl+0x9c/0xd0 [ 41.709967] do_syscall_64+0x3f/0x90 [ 41.709973] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fixes: 101b8104307e ("drm/amdkfd: Move dma unmapping after TLB flush") Signed-off-by: Lang Yu <Lang.Yu(a)amd.com> Reviewed-by: Felix Kuehling <Felix.Kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Regards, Felix On 2024-08-20 8:00, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > drm/amdkfd: Move dma unmapping after TLB flush > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > drm-amdkfd-move-dma-unmapping-after-tlb-flush.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 23f8ef0f6e5deee5814fda6ec2e2ee4c2f19a384 > Author: Philip Yang <Philip.Yang(a)amd.com> > Date: Mon Sep 11 14:44:22 2023 -0400 > > drm/amdkfd: Move dma unmapping after TLB flush > > [ Upstream commit 101b8104307eac734f2dfa4d3511430b0b631c73 ] > > Otherwise GPU may access the stale mapping and generate IOMMU > IO_PAGE_FAULT. > > Move this to inside p->mutex to prevent multiple threads mapping and > unmapping concurrently race condition. > > After kfd_mem_dmaunmap_attachment is removed from unmap_bo_from_gpuvm, > kfd_mem_dmaunmap_attachment is called if failed to map to GPUs, and > before free the mem attachment in case failed to unmap from GPUs. > > Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> > Reviewed-by: Felix Kuehling <Felix.Kuehling(a)amd.com> > Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h > index 2fe9860725bd9..5e4fb33b97351 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h > @@ -303,6 +303,7 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(struct amdgpu_device *adev, > struct kgd_mem *mem, void *drm_priv); > int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu( > struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv); > +void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv); > int amdgpu_amdkfd_gpuvm_sync_memory( > struct amdgpu_device *adev, struct kgd_mem *mem, bool intr); > int amdgpu_amdkfd_gpuvm_map_gtt_bo_to_kernel(struct kgd_mem *mem, > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c > index 62c1dc9510a41..c2d1d57a6c668 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c > @@ -733,7 +733,7 @@ kfd_mem_dmaunmap_sg_bo(struct kgd_mem *mem, > enum dma_data_direction dir; > > if (unlikely(!ttm->sg)) { > - pr_err("SG Table of BO is UNEXPECTEDLY NULL"); > + pr_debug("SG Table of BO is NULL"); > return; > } > > @@ -1202,8 +1202,6 @@ static void unmap_bo_from_gpuvm(struct kgd_mem *mem, > amdgpu_vm_clear_freed(adev, vm, &bo_va->last_pt_update); > > amdgpu_sync_fence(sync, bo_va->last_pt_update); > - > - kfd_mem_dmaunmap_attachment(mem, entry); > } > > static int update_gpuvm_pte(struct kgd_mem *mem, > @@ -1258,6 +1256,7 @@ static int map_bo_to_gpuvm(struct kgd_mem *mem, > > update_gpuvm_pte_failed: > unmap_bo_from_gpuvm(mem, entry, sync); > + kfd_mem_dmaunmap_attachment(mem, entry); > return ret; > } > > @@ -1862,8 +1861,10 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu( > mem->va + bo_size * (1 + mem->aql_queue)); > > /* Remove from VM internal data structures */ > - list_for_each_entry_safe(entry, tmp, &mem->attachments, list) > + list_for_each_entry_safe(entry, tmp, &mem->attachments, list) { > + kfd_mem_dmaunmap_attachment(mem, entry); > kfd_mem_detach(entry); > + } > > ret = unreserve_bo_and_vms(&ctx, false, false); > > @@ -2037,6 +2038,23 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu( > return ret; > } > > +void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv) > +{ > + struct kfd_mem_attachment *entry; > + struct amdgpu_vm *vm; > + > + vm = drm_priv_to_vm(drm_priv); > + > + mutex_lock(&mem->lock); > + > + list_for_each_entry(entry, &mem->attachments, list) { > + if (entry->bo_va->base.vm == vm) > + kfd_mem_dmaunmap_attachment(mem, entry); > + } > + > + mutex_unlock(&mem->lock); > +} > + > int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu( > struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv) > { > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c > index d33ba4fe9ad5b..045280c2b607c 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c > @@ -1432,17 +1432,21 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep, > goto sync_memory_failed; > } > } > - mutex_unlock(&p->mutex); > > - if (flush_tlb) { > - /* Flush TLBs after waiting for the page table updates to complete */ > - for (i = 0; i < args->n_devices; i++) { > - peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); > - if (WARN_ON_ONCE(!peer_pdd)) > - continue; > + /* Flush TLBs after waiting for the page table updates to complete */ > + for (i = 0; i < args->n_devices; i++) { > + peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); > + if (WARN_ON_ONCE(!peer_pdd)) > + continue; > + if (flush_tlb) > kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT); > - } > + > + /* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */ > + amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv); > } > + > + mutex_unlock(&p->mutex); > + > kfree(devices_arr); > > return 0;

8 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 61ebe5a747da649057c37be1c37eb934b4af79ca # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081918-payday-symphonic-ac65@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0") 88ae5fb755b0 ("mm: vmalloc: enable memory allocation profiling") e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations") 3ba2c3ff98ea ("Merge tag 'modules-6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 61ebe5a747da649057c37be1c37eb934b4af79ca Mon Sep 17 00:00:00 2001 From: Hailong Liu <hailong.liu(a)oppo.com> Date: Thu, 8 Aug 2024 20:19:56 +0800 Subject: [PATCH] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption. Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE): kvmalloc(2M, __GFP_NOFAIL|GFP_X) __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP) vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0 vmap_pages_range() vmap_pages_range_noflush() __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code. Link: https://lkml.kernel.org/r/20240808122019.3361-1-hailong.liu@oppo.com Fixes: e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations") Signed-off-by: Hailong Liu <hailong.liu(a)oppo.com> Reported-by: Tangquan Zheng <zhengtangquan(a)oppo.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Acked-by: Barry Song <baohua(a)kernel.org> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 6b783baf12a1..af2de36549d6 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3584,15 +3584,8 @@ vm_area_alloc_pages(gfp_t gfp, int nid, page = alloc_pages_noprof(alloc_gfp, order); else page = alloc_pages_node_noprof(nid, alloc_gfp, order); - if (unlikely(!page)) { - if (!nofail) - break; - - /* fall back to the zero order allocations */ - alloc_gfp |= __GFP_NOFAIL; - order = 0; - continue; - } + if (unlikely(!page)) + break; /* * Higher order allocations must be able to be treated as

8 months, 1 week

3
2
0 0

[PATCH v6.6.y] ALSA: timer: Relax start tick time check for slave timer elements

by Takashi Iwai

commit ccbfcac05866ebe6eb3bc6d07b51d4ed4fcde436 upstream. The recent addition of a sanity check for a too low start tick time seems breaking some applications that uses aloop with a certain slave timer setup. They may have the initial resolution 0, hence it's treated as if it were a too low value. Relax and skip the check for the slave timer instance for addressing the regression. Fixes: 4a63bd179fa8 ("ALSA: timer: Set lower bound of start tick time") Cc: <stable(a)vger.kernel.org> Link: https://github.com/raspberrypi/linux/issues/6294 Link: https://patch.msgid.link/20240810084833.10939-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- Greg, this is a backport for 6.6.y and older stable kernels that failed to cherry-pick the original one. sound/core/timer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/core/timer.c b/sound/core/timer.c index a0b515981ee9..230babace502 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -556,7 +556,7 @@ static int snd_timer_start1(struct snd_timer_instance *timeri, /* check the actual time for the start tick; * bail out as error if it's way too low (< 100us) */ - if (start) { + if (start && !(timer->hw.flags & SNDRV_TIMER_HW_SLAVE)) { if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) { result = -EINVAL; goto unlock; -- 2.43.0

8 months, 1 week

2
1
0 0

[PATCH AUTOSEL 6.1 01/61] drm/amd/display: Assign linear_pitch_alignment even for VM

by Sasha Levin

From: Alvin Lee <alvin.lee2(a)amd.com> [ Upstream commit 984debc133efa05e62f5aa1a7a1dd8ca0ef041f4 ] [Description] Assign linear_pitch_alignment so we don't cause a divide by 0 error in VM environments Reviewed-by: Sohaib Nadeem <sohaib.nadeem(a)amd.com> Acked-by: Wayne Lin <wayne.lin(a)amd.com> Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/display/dc/core/dc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index f415733f1a979..d7bca680805d3 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -1265,6 +1265,7 @@ struct dc *dc_create(const struct dc_init_data *init_params) return NULL; if (init_params->dce_environment == DCE_ENV_VIRTUAL_HW) { + dc->caps.linear_pitch_alignment = 64; if (!dc_construct_ctx(dc, init_params)) goto destruct_dc; } else { -- 2.43.0

8 months, 1 week

2
62
0 0

[PATCH AUTOSEL 5.10 01/38] drm/amdgpu: fix overflowed array index read warning

by Sasha Levin

From: Tim Huang <Tim.Huang(a)amd.com> [ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ] Clear overflowed array index read warning by cast operation. Signed-off-by: Tim Huang <Tim.Huang(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c index 15ee13c3bd9e1..6976f61be7341 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c @@ -368,8 +368,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf, size_t size, loff_t *pos) { struct amdgpu_ring *ring = file_inode(f)->i_private; - int r, i; uint32_t value, result, early[3]; + loff_t i; + int r; if (*pos & 3 || size & 3) return -EINVAL; -- 2.43.0

8 months, 1 week

3
40
0 0

FAILED: patch "[PATCH] ksmbd: fix race condition between destroy_previous_session()" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 76e98a158b207771a6c9a0de0a60522a446a3447 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082625-savior-clinic-1a91@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 76e98a158b20 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()") d484d621d40f ("ksmbd: add durable scavenger timer") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76e98a158b207771a6c9a0de0a60522a446a3447 Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Sat, 17 Aug 2024 14:03:49 +0900 Subject: [PATCH] ksmbd: fix race condition between destroy_previous_session() and smb2 operations() If there is ->PreviousSessionId field in the session setup request, The session of the previous connection should be destroyed. During this, if the smb2 operation requests in the previous session are being processed, a racy issue could happen with ksmbd_destroy_file_table(). This patch sets conn->status to KSMBD_SESS_NEED_RECONNECT to block incoming operations and waits until on-going operations are complete (i.e. idle) before desctorying the previous session. Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") Cc: stable(a)vger.kernel.org # v6.6+ Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-25040 Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index 09e1e7771592..7889df8112b4 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -165,11 +165,43 @@ void ksmbd_all_conn_set_status(u64 sess_id, u32 status) up_read(&conn_list_lock); } -void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id) +void ksmbd_conn_wait_idle(struct ksmbd_conn *conn) { wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2); } +int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id) +{ + struct ksmbd_conn *conn; + int rc, retry_count = 0, max_timeout = 120; + int rcount = 1; + +retry_idle: + if (retry_count >= max_timeout) + return -EIO; + + down_read(&conn_list_lock); + list_for_each_entry(conn, &conn_list, conns_list) { + if (conn->binding || xa_load(&conn->sessions, sess_id)) { + if (conn == curr_conn) + rcount = 2; + if (atomic_read(&conn->req_running) >= rcount) { + rc = wait_event_timeout(conn->req_running_q, + atomic_read(&conn->req_running) < rcount, + HZ); + if (!rc) { + up_read(&conn_list_lock); + retry_count++; + goto retry_idle; + } + } + } + } + up_read(&conn_list_lock); + + return 0; +} + int ksmbd_conn_write(struct ksmbd_work *work) { struct ksmbd_conn *conn = work->conn; diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h index 5c2845e47cf2..5b947175c048 100644 --- a/fs/smb/server/connection.h +++ b/fs/smb/server/connection.h @@ -145,7 +145,8 @@ extern struct list_head conn_list; extern struct rw_semaphore conn_list_lock; bool ksmbd_conn_alive(struct ksmbd_conn *conn); -void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id); +void ksmbd_conn_wait_idle(struct ksmbd_conn *conn); +int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id); struct ksmbd_conn *ksmbd_conn_alloc(void); void ksmbd_conn_free(struct ksmbd_conn *conn); bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c); diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c index 162a12685d2c..99416ce9f501 100644 --- a/fs/smb/server/mgmt/user_session.c +++ b/fs/smb/server/mgmt/user_session.c @@ -311,6 +311,7 @@ void destroy_previous_session(struct ksmbd_conn *conn, { struct ksmbd_session *prev_sess; struct ksmbd_user *prev_user; + int err; down_write(&sessions_table_lock); down_write(&conn->session_lock); @@ -325,8 +326,16 @@ void destroy_previous_session(struct ksmbd_conn *conn, memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) goto out; + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT); + err = ksmbd_conn_wait_idle_sess_id(conn, id); + if (err) { + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); + goto out; + } + ksmbd_destroy_file_table(&prev_sess->file_table); prev_sess->state = SMB2_SESSION_EXPIRED; + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ksmbd_launch_ksmbd_durable_scavenger(); out: up_write(&conn->session_lock); diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 3f4c56a10a86..cb7f487c96af 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2213,7 +2213,7 @@ int smb2_session_logoff(struct ksmbd_work *work) ksmbd_conn_unlock(conn); ksmbd_close_session_fds(work); - ksmbd_conn_wait_idle(conn, sess_id); + ksmbd_conn_wait_idle(conn); /* * Re-lookup session to validate if session is deleted

8 months, 1 week

3
2
0 0

[PATCH stable 6.10 1/2] bpf: Fix a kernel verifier crash in stacksafe()

by Shung-Hsi Yu

From: Yonghong Song <yonghong.song(a)linux.dev> [ Upstream commit bed2eb964c70b780fb55925892a74f26cb590b25 ] Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") Cc: Eduard Zingerman <eddyz87(a)gmail.com> Reported-by: Daniel Hodges <hodgesd(a)meta.com> Acked-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- I see this patch itself was already picked up[1] by Sasha. This thread additional includes the associated selftest that was sent in the same series (not entirely sure if backporting selftest goes against the stable backporting rule though). 1: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… --- kernel/bpf/verifier.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a8845cc299fe..521bd7efae03 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16881,8 +16881,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, spi = i / BPF_REG_SIZE; if (exact != NOT_EXACT && - old->stack[spi].slot_type[i % BPF_REG_SIZE] != - cur->stack[spi].slot_type[i % BPF_REG_SIZE]) + (i >= cur->allocated_stack || + old->stack[spi].slot_type[i % BPF_REG_SIZE] != + cur->stack[spi].slot_type[i % BPF_REG_SIZE])) return false; if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) -- 2.46.0

8 months, 1 week

2
2
0 0

VCN power consumption improvement for 6.10.y

by Mario Limonciello

Hi, The following patches in 6.11-rc1 help VCN power consumption on a lot of modern products. Can we please take then to 6.10.y so more people can get the power savings? commit ecfa23c8df7e ("drm/amdgpu/vcn: identify unified queue in sw init") commit 7d75ef3736a0 ("drm/amdgpu/vcn: not pause dpg for unified queue") I've also sent out backports to both 6.6.y and 6.1.y separately. Thanks!

8 months, 1 week

2
1
0 0

[PATCH AUTOSEL 5.15 01/47] drm/amd/display: Assign linear_pitch_alignment even for VM

by Sasha Levin

From: Alvin Lee <alvin.lee2(a)amd.com> [ Upstream commit 984debc133efa05e62f5aa1a7a1dd8ca0ef041f4 ] [Description] Assign linear_pitch_alignment so we don't cause a divide by 0 error in VM environments Reviewed-by: Sohaib Nadeem <sohaib.nadeem(a)amd.com> Acked-by: Wayne Lin <wayne.lin(a)amd.com> Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/display/dc/core/dc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index ef151a1bc31cd..12e4beca5e840 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -1107,6 +1107,7 @@ struct dc *dc_create(const struct dc_init_data *init_params) return NULL; if (init_params->dce_environment == DCE_ENV_VIRTUAL_HW) { + dc->caps.linear_pitch_alignment = 64; if (!dc_construct_ctx(dc, init_params)) goto destruct_dc; } else { -- 2.43.0

8 months, 1 week

2
47
0 0

[PATCH AUTOSEL 6.10 001/121] drm/amd/display: Enable RCO for PHYSYMCLK in DCN35

by Sasha Levin

From: Daniel Miess <daniel.miess(a)amd.com> [ Upstream commit f2303026a5b6327247ba61152d00199b2d1be294 ] [Why & How] Enable root clock optimization for PHYSYMCLK and only disable it when it's actively being used v2: Fix array-index-out-of-bounds in dcn35_calc_blocks_to_gate Reviewed-by: Roman Li <roman.li(a)amd.com> Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Acked-by: Wayne Lin <wayne.lin(a)amd.com> Signed-off-by: Daniel Miess <daniel.miess(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c | 45 ------------------- .../amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 32 +++++++++++++ .../amd/display/dc/hwss/dcn35/dcn35_hwseq.h | 2 + .../amd/display/dc/hwss/dcn35/dcn35_init.c | 1 + .../amd/display/dc/hwss/dcn351/dcn351_init.c | 1 + .../display/dc/hwss/hw_sequencer_private.h | 4 ++ 7 files changed, 41 insertions(+), 45 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h index 3c33c3bcbe2cb..fe0025f2167fa 100644 --- a/drivers/gpu/drm/amd/display/dc/dc.h +++ b/drivers/gpu/drm/amd/display/dc/dc.h @@ -701,6 +701,7 @@ enum pg_hw_pipe_resources { PG_OPTC, PG_DPSTREAM, PG_HDMISTREAM, + PG_PHYSYMCLK, PG_HW_PIPE_RESOURCES_NUM_ELEMENT }; diff --git a/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c b/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c index 58dd3c5bbff09..024dcf3057a05 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c +++ b/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c @@ -451,32 +451,22 @@ static void dccg35_set_physymclk_root_clock_gating( case 0: REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, PHYASYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYA_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); break; case 1: REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, PHYBSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYB_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); break; case 2: REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, PHYCSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYC_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); break; case 3: REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, PHYDSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYD_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); break; case 4: REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, PHYESYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYE_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); break; default: BREAK_TO_DEBUGGER(); @@ -499,16 +489,10 @@ static void dccg35_set_physymclk( REG_UPDATE_2(PHYASYMCLK_CLOCK_CNTL, PHYASYMCLK_EN, 1, PHYASYMCLK_SRC_SEL, clk_src); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYA_REFCLK_ROOT_GATE_DISABLE, 0); } else { REG_UPDATE_2(PHYASYMCLK_CLOCK_CNTL, PHYASYMCLK_EN, 0, PHYASYMCLK_SRC_SEL, 0); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYA_REFCLK_ROOT_GATE_DISABLE, 1); } break; case 1: @@ -516,16 +500,10 @@ static void dccg35_set_physymclk( REG_UPDATE_2(PHYBSYMCLK_CLOCK_CNTL, PHYBSYMCLK_EN, 1, PHYBSYMCLK_SRC_SEL, clk_src); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYB_REFCLK_ROOT_GATE_DISABLE, 0); } else { REG_UPDATE_2(PHYBSYMCLK_CLOCK_CNTL, PHYBSYMCLK_EN, 0, PHYBSYMCLK_SRC_SEL, 0); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYB_REFCLK_ROOT_GATE_DISABLE, 1); } break; case 2: @@ -533,16 +511,10 @@ static void dccg35_set_physymclk( REG_UPDATE_2(PHYCSYMCLK_CLOCK_CNTL, PHYCSYMCLK_EN, 1, PHYCSYMCLK_SRC_SEL, clk_src); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYC_REFCLK_ROOT_GATE_DISABLE, 0); } else { REG_UPDATE_2(PHYCSYMCLK_CLOCK_CNTL, PHYCSYMCLK_EN, 0, PHYCSYMCLK_SRC_SEL, 0); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYC_REFCLK_ROOT_GATE_DISABLE, 1); } break; case 3: @@ -550,16 +522,10 @@ static void dccg35_set_physymclk( REG_UPDATE_2(PHYDSYMCLK_CLOCK_CNTL, PHYDSYMCLK_EN, 1, PHYDSYMCLK_SRC_SEL, clk_src); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYD_REFCLK_ROOT_GATE_DISABLE, 0); } else { REG_UPDATE_2(PHYDSYMCLK_CLOCK_CNTL, PHYDSYMCLK_EN, 0, PHYDSYMCLK_SRC_SEL, 0); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYD_REFCLK_ROOT_GATE_DISABLE, 1); } break; case 4: @@ -567,16 +533,10 @@ static void dccg35_set_physymclk( REG_UPDATE_2(PHYESYMCLK_CLOCK_CNTL, PHYESYMCLK_EN, 1, PHYESYMCLK_SRC_SEL, clk_src); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYE_REFCLK_ROOT_GATE_DISABLE, 0); } else { REG_UPDATE_2(PHYESYMCLK_CLOCK_CNTL, PHYESYMCLK_EN, 0, PHYESYMCLK_SRC_SEL, 0); -// if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) -// REG_UPDATE(DCCG_GATE_DISABLE_CNTL4, -// PHYE_REFCLK_ROOT_GATE_DISABLE, 1); } break; default: @@ -714,11 +674,6 @@ void dccg35_init(struct dccg *dccg) dccg35_set_dpstreamclk_root_clock_gating(dccg, otg_inst, false); } - if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk) - for (otg_inst = 0; otg_inst < 5; otg_inst++) - dccg35_set_physymclk_root_clock_gating(dccg, otg_inst, - false); - if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) for (otg_inst = 0; otg_inst < 4; otg_inst++) dccg35_set_dppclk_root_clock_gating(dccg, otg_inst, 0); diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c index dcced89c07b38..5f60da72c6f58 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c @@ -506,6 +506,17 @@ void dcn35_dpstream_root_clock_control(struct dce_hwseq *hws, unsigned int dp_hp } } +void dcn35_physymclk_root_clock_control(struct dce_hwseq *hws, unsigned int phy_inst, bool clock_on) +{ + if (!hws->ctx->dc->debug.root_clock_optimization.bits.physymclk) + return; + + if (hws->ctx->dc->res_pool->dccg->funcs->set_physymclk_root_clock_gating) { + hws->ctx->dc->res_pool->dccg->funcs->set_physymclk_root_clock_gating( + hws->ctx->dc->res_pool->dccg, phy_inst, clock_on); + } +} + void dcn35_dsc_pg_control( struct dce_hwseq *hws, unsigned int dsc_inst, @@ -1041,6 +1052,13 @@ void dcn35_calc_blocks_to_gate(struct dc *dc, struct dc_state *context, if (pipe_ctx->stream_res.hpo_dp_stream_enc) update_state->pg_pipe_res_update[PG_DPSTREAM][pipe_ctx->stream_res.hpo_dp_stream_enc->inst] = false; } + + for (i = 0; i < dc->link_count; i++) { + update_state->pg_pipe_res_update[PG_PHYSYMCLK][dc->links[i]->link_enc_hw_inst] = true; + if (dc->links[i]->type != dc_connection_none) + update_state->pg_pipe_res_update[PG_PHYSYMCLK][dc->links[i]->link_enc_hw_inst] = false; + } + /*domain24 controls all the otg, mpc, opp, as long as one otg is still up, avoid enabling OTG PG*/ for (i = 0; i < dc->res_pool->timing_generator_count; i++) { struct timing_generator *tg = dc->res_pool->timing_generators[i]; @@ -1138,6 +1156,10 @@ void dcn35_calc_blocks_to_ungate(struct dc *dc, struct dc_state *context, } } + for (i = 0; i < dc->link_count; i++) + if (dc->links[i]->type != dc_connection_none) + update_state->pg_pipe_res_update[PG_PHYSYMCLK][dc->links[i]->link_enc_hw_inst] = true; + for (i = 0; i < dc->res_pool->hpo_dp_stream_enc_count; i++) { if (context->res_ctx.is_hpo_dp_stream_enc_acquired[i] && dc->res_pool->hpo_dp_stream_enc[i]) { @@ -1288,6 +1310,11 @@ void dcn35_root_clock_control(struct dc *dc, dc->hwseq->funcs.dpstream_root_clock_control(dc->hwseq, i, power_on); } + for (i = 0; i < dc->res_pool->dig_link_enc_count; i++) + if (update_state->pg_pipe_res_update[PG_PHYSYMCLK][i]) + if (dc->hwseq->funcs.physymclk_root_clock_control) + dc->hwseq->funcs.physymclk_root_clock_control(dc->hwseq, i, power_on); + } for (i = 0; i < dc->res_pool->res_cap->num_dsc; i++) { if (update_state->pg_pipe_res_update[PG_DSC][i]) { @@ -1313,6 +1340,11 @@ void dcn35_root_clock_control(struct dc *dc, dc->hwseq->funcs.dpstream_root_clock_control(dc->hwseq, i, power_on); } + for (i = 0; i < dc->res_pool->dig_link_enc_count; i++) + if (update_state->pg_pipe_res_update[PG_PHYSYMCLK][i]) + if (dc->hwseq->funcs.physymclk_root_clock_control) + dc->hwseq->funcs.physymclk_root_clock_control(dc->hwseq, i, power_on); + } } diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h index f0ea7d1511ae6..e27b3609020ff 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h @@ -39,6 +39,8 @@ void dcn35_dpp_root_clock_control(struct dce_hwseq *hws, unsigned int dpp_inst, void dcn35_dpstream_root_clock_control(struct dce_hwseq *hws, unsigned int dp_hpo_inst, bool clock_on); +void dcn35_physymclk_root_clock_control(struct dce_hwseq *hws, unsigned int phy_inst, bool clock_on); + void dcn35_enable_power_gating_plane(struct dce_hwseq *hws, bool enable); void dcn35_set_dmu_fgcg(struct dce_hwseq *hws, bool enable); diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c index 199781233fd5f..987e09d9246e4 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c @@ -148,6 +148,7 @@ static const struct hwseq_private_funcs dcn35_private_funcs = { .enable_power_gating_plane = dcn35_enable_power_gating_plane, .dpp_root_clock_control = dcn35_dpp_root_clock_control, .dpstream_root_clock_control = dcn35_dpstream_root_clock_control, + .physymclk_root_clock_control = dcn35_physymclk_root_clock_control, .program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree, .update_odm = dcn35_update_odm, .set_hdr_multiplier = dcn10_set_hdr_multiplier, diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c index a53092cd619b1..2e0d23ae8fee5 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c @@ -147,6 +147,7 @@ static const struct hwseq_private_funcs dcn351_private_funcs = { .enable_power_gating_plane = dcn35_enable_power_gating_plane, .dpp_root_clock_control = dcn35_dpp_root_clock_control, .dpstream_root_clock_control = dcn35_dpstream_root_clock_control, + .physymclk_root_clock_control = dcn35_physymclk_root_clock_control, .program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree, .update_odm = dcn35_update_odm, .set_hdr_multiplier = dcn10_set_hdr_multiplier, diff --git a/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h b/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h index 341219cf41442..9553a7d34c3e9 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h +++ b/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h @@ -124,6 +124,10 @@ struct hwseq_private_funcs { struct dce_hwseq *hws, unsigned int dpp_inst, bool clock_on); + void (*physymclk_root_clock_control)( + struct dce_hwseq *hws, + unsigned int phy_inst, + bool clock_on); void (*dpp_pg_control)(struct dce_hwseq *hws, unsigned int dpp_inst, bool power_on); -- 2.43.0

8 months, 1 week

3
122
0 0

[PATCH AUTOSEL 4.19 01/14] drm/amdgpu: fix overflowed array index read warning

by Sasha Levin

From: Tim Huang <Tim.Huang(a)amd.com> [ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ] Clear overflowed array index read warning by cast operation. Signed-off-by: Tim Huang <Tim.Huang(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c index 93794a85f83d8..d1efab2270340 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c @@ -497,8 +497,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf, size_t size, loff_t *pos) { struct amdgpu_ring *ring = file_inode(f)->i_private; - int r, i; uint32_t value, result, early[3]; + loff_t i; + int r; if (*pos & 3 || size & 3) return -EINVAL; -- 2.43.0

8 months, 1 week

2
14
0 0

[git:media_stage/master] media: videobuf2: Drop minimum allocation requirement of 2 buffers

by Laurent Pinchart

This is an automatic generated email to let you know that the following patch were queued: Subject: media: videobuf2: Drop minimum allocation requirement of 2 buffers Author: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Date: Mon Aug 26 02:24:49 2024 +0300 When introducing the ability for drivers to indicate the minimum number of buffers they require an application to allocate, commit 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure") also introduced a global minimum of 2 buffers. It turns out this breaks the Renesas R-Car VSP test suite, where a test that allocates a single buffer fails when two buffers are used. One may consider debatable whether test suite failures without failures in production use cases should be considered as a regression, but operation with a single buffer is a valid use case. While full frame rate can't be maintained, memory-to-memory devices can still be used with a decent efficiency, and requiring applications to allocate multiple buffers for single-shot use cases with capture devices would just waste memory. For those reasons, fix the regression by dropping the global minimum of buffers. Individual drivers can still set their own minimum. Fixes: 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure") Cc: stable(a)vger.kernel.org Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Reviewed-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Acked-by: Tomasz Figa <tfiga(a)chromium.org> Link: https://lore.kernel.org/r/20240825232449.25905-1-laurent.pinchart+renesas@i… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> drivers/media/common/videobuf2/videobuf2-core.c | 7 ------- 1 file changed, 7 deletions(-) --- diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c index 500a4e0c84ab..29a8d876e6c2 100644 --- a/drivers/media/common/videobuf2/videobuf2-core.c +++ b/drivers/media/common/videobuf2/videobuf2-core.c @@ -2632,13 +2632,6 @@ int vb2_core_queue_init(struct vb2_queue *q) if (WARN_ON(q->supports_requests && q->min_queued_buffers)) return -EINVAL; - /* - * The minimum requirement is 2: one buffer is used - * by the hardware while the other is being processed by userspace. - */ - if (q->min_reqbufs_allocation < 2) - q->min_reqbufs_allocation = 2; - /* * If the driver needs 'min_queued_buffers' in the queue before * calling start_streaming() then the minimum requirement is

8 months, 1 week

1
0
0 0

[PATCH] media: videobuf2: Drop minimum allocation requirement of 2 buffers

by Laurent Pinchart

When introducing the ability for drivers to indicate the minimum number of buffers they require an application to allocate, commit 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure") also introduced a global minimum of 2 buffers. It turns out this breaks the Renesas R-Car VSP test suite, where a test that allocates a single buffer fails when two buffers are used. One may consider debatable whether test suite failures without failures in production use cases should be considered as a regression, but operation with a single buffer is a valid use case. While full frame rate can't be maintained, memory-to-memory devices can still be used with a decent efficiency, and requiring applications to allocate multiple buffers for single-shot use cases with capture devices would just waste memory. For those reasons, fix the regression by dropping the global minimum of buffers. Individual drivers can still set their own minimum. Fixes: 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure") Cc: stable(a)vger.kernel.org Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> --- drivers/media/common/videobuf2/videobuf2-core.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c index 500a4e0c84ab..29a8d876e6c2 100644 --- a/drivers/media/common/videobuf2/videobuf2-core.c +++ b/drivers/media/common/videobuf2/videobuf2-core.c @@ -2632,13 +2632,6 @@ int vb2_core_queue_init(struct vb2_queue *q) if (WARN_ON(q->supports_requests && q->min_queued_buffers)) return -EINVAL; - /* - * The minimum requirement is 2: one buffer is used - * by the hardware while the other is being processed by userspace. - */ - if (q->min_reqbufs_allocation < 2) - q->min_reqbufs_allocation = 2; - /* * If the driver needs 'min_queued_buffers' in the queue before * calling start_streaming() then the minimum requirement is base-commit: a043ea54bbb975ca9239c69fd17f430488d33522 -- Regards, Laurent Pinchart

8 months, 1 week

4
5
0 0

[PATCH v5] EDAC/ti: Fix possible null pointer dereference in _emif_get_id()

by Ma Ke

In _emif_get_id(), of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC") Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202408160935.A6QFliqt-lkp@intel.com/ Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v5: - According to the developer's suggestion, added an inspection of function of_translate_address(). However, kernel test robot reported a build warning, so the inspection is removed here, reverting to the modification solution of patch v3. Changes in v4: - added the check of of_translate_address() as suggestions. Changes in v3: - added the patch operations omitted in PATCH v2 RESEND compared to PATCH v2. Sorry for my oversight. Changes in v2: - added Cc stable line. --- drivers/edac/ti_edac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c index 29723c9592f7..6f3da8d99eab 100644 --- a/drivers/edac/ti_edac.c +++ b/drivers/edac/ti_edac.c @@ -207,6 +207,9 @@ static int _emif_get_id(struct device_node *node) int my_id = 0; addrp = of_get_address(node, 0, NULL, NULL); + if (!addrp) + return -EINVAL; + my_addr = (u32)of_translate_address(node, addrp); for_each_matching_node(np, ti_edac_of_match) { @@ -214,6 +217,9 @@ static int _emif_get_id(struct device_node *node) continue; addrp = of_get_address(np, 0, NULL, NULL); + if (!addrp) + return -EINVAL; + addr = (u32)of_translate_address(np, addrp); edac_printk(KERN_INFO, EDAC_MOD_NAME, -- 2.25.1

8 months, 1 week

2
1
0 0

[PATCH net v2] ionic: Prevent tx_timeout due to frequent doorbell ringing

by Brett Creeley

With recent work to the doorbell workaround code a small hole was introduced that could cause a tx_timeout. This happens if the rx dbell_deadline goes beyond the netdev watchdog timeout set by the driver (i.e. 2 seconds). Fix this by changing the netdev watchdog timeout to 5 seconds and reduce the max rx dbell_deadline to 4 seconds. The test that can reproduce the issue being fixed is a multi-queue send test via pktgen with the "burst" setting to 1. This causes the queue's doorbell to be rung on every packet sent to the driver, which may result in the device missing doorbells due to the high doorbell rate. Cc: stable(a)vger.kernel.org Fixes: 4ded136c78f8 ("ionic: add work item for missed-doorbell check") Signed-off-by: Brett Creeley <brett.creeley(a)amd.com> Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com> --- v2: - Drop budget == 0 patch to expedite getting this patch merged due to the budget == 0 patch being more complicated than we originally thought. v1: - https://lore.kernel.org/netdev/20240813234122.53083-1-brett.creeley@amd.com/ drivers/net/ethernet/pensando/ionic/ionic_dev.h | 2 +- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h index c647033f3ad2..f2f07bf88545 100644 --- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h +++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h @@ -32,7 +32,7 @@ #define IONIC_ADMIN_DOORBELL_DEADLINE (HZ / 2) /* 500ms */ #define IONIC_TX_DOORBELL_DEADLINE (HZ / 100) /* 10ms */ #define IONIC_RX_MIN_DOORBELL_DEADLINE (HZ / 100) /* 10ms */ -#define IONIC_RX_MAX_DOORBELL_DEADLINE (HZ * 5) /* 5s */ +#define IONIC_RX_MAX_DOORBELL_DEADLINE (HZ * 4) /* 4s */ struct ionic_dev_bar { void __iomem *vaddr; diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c index aa0cc31dfe6e..86774d9922d8 100644 --- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c +++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c @@ -3220,7 +3220,7 @@ int ionic_lif_alloc(struct ionic *ionic) netdev->netdev_ops = &ionic_netdev_ops; ionic_ethtool_set_ops(netdev); - netdev->watchdog_timeo = 2 * HZ; + netdev->watchdog_timeo = 5 * HZ; netif_carrier_off(netdev); lif->identity = lid; -- 2.17.1

8 months, 1 week

2
1
0 0

[PATCH net 2/2] net: mctp-serial: Fix missing escapes on transmit

by Matt Johnston

0x7d and 0x7e bytes are meant to be escaped in the data portion of frames, but this didn't occur since next_chunk_len() had an off-by-one error. That also resulted in the final byte of a payload being written as a separate tty write op. The chunk prior to an escaped byte would be one byte short, and the next call would never test the txpos+1 case, which is where the escaped byte was located. That meant it never hit the escaping case in mctp_serial_tx_work(). Example Input: 01 00 08 c8 7e 80 02 Previous incorrect chunks from next_chunk_len(): 01 00 08 c8 7e 80 02 With this fix: 01 00 08 c8 7e 80 02 Cc: stable(a)vger.kernel.org Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding") Signed-off-by: Matt Johnston <matt(a)codeconstruct.com.au> --- drivers/net/mctp/mctp-serial.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c index d7db11355909..82890e983847 100644 --- a/drivers/net/mctp/mctp-serial.c +++ b/drivers/net/mctp/mctp-serial.c @@ -91,8 +91,8 @@ static int next_chunk_len(struct mctp_serial *dev) * will be those non-escaped bytes, and does not include the escaped * byte. */ - for (i = 1; i + dev->txpos + 1 < dev->txlen; i++) { - if (needs_escape(dev->txbuf[dev->txpos + i + 1])) + for (i = 1; i + dev->txpos < dev->txlen; i++) { + if (needs_escape(dev->txbuf[dev->txpos + i])) break; }

8 months, 1 week

2
1
0 0

[PATCH] drm/sched: Fix UB pointer dereference

by Philipp Stanner

In drm_sched_job_init(), commit 56e449603f0a ("drm/sched: Convert the GPU scheduler to variable number of run-queues") implemented a call to drm_err(), which uses the job's scheduler pointer as a parameter. job->sched, however, is not yet valid as it gets set by drm_sched_job_arm(), which is always called after drm_sched_job_init(). Since the scheduler code has no control over how the API-User has allocated or set 'job', the pointer's dereference is undefined behavior. Fix the UB by replacing drm_err() with pr_err(). Cc: <stable(a)vger.kernel.org> # 6.7+ Fixes: 56e449603f0a ("drm/sched: Convert the GPU scheduler to variable number of run-queues") Reported-by: Danilo Krummrich <dakr(a)redhat.com> Closes: https://lore.kernel.org/lkml/20231108022716.15250-1-dakr@redhat.com/ Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> --- drivers/gpu/drm/scheduler/sched_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 7e90c9f95611..356c30fa24a8 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -797,7 +797,7 @@ int drm_sched_job_init(struct drm_sched_job *job, * or worse--a blank screen--leave a trail in the * logs, so this can be debugged easier. */ - drm_err(job->sched, "%s: entity has no rq!\n", __func__); + pr_err("*ERROR* %s: entity has no rq!\n", __func__); return -ENOENT; } -- 2.46.0

8 months, 1 week

3
4
0 0

[PATCH net 00/15] mptcp: more fixes for the in-kernel PM

by Matthieu Baerts (NGI0)

Here is a new batch of fixes for the MPTCP in-kernel path-manager: Patch 1 ensures the address ID is set to 0 when the path-manager sends an ADD_ADDR for the address of the initial subflow. The same fix is applied when a new subflow is created re-using this special address. A fix for v6.0. Patch 2 is similar, but for the case where an endpoint is removed: if this endpoint was used for the initial address, it is important to send a RM_ADDR with this ID set to 0, and look for existing subflows with the ID set to 0. A fix for v6.0 as well. Patch 3 validates the two previous patches. Patch 4 makes the PM selecting an "active" path to send an address notification in an ACK, instead of taking the first path in the list. A fix for v5.11. Patch 5 fixes skipping the establishment of a new subflow if a previous subflow using the same pair of addresses is being closed. A fix for v5.13. Patch 6 resets the ID linked to the initial subflow when the linked endpoint is re-added, possibly with a different ID. A fix for v6.0. Patch 7 validates the three previous patches. Patch 8 is a small fix for the MPTCP Join selftest, when being used with older subflows not supporting all MIB counters. A fix for a commit introduced in v6.4, but backported up to v5.10. Patch 9 avoids the PM to try to close the initial subflow multiple times, and increment counters while nothing happened. A fix for v5.10. Patch 10 stops incrementing local_addr_used and add_addr_accepted counters when dealing with the address ID 0, because these counters are not taking into account the initial subflow, and are then not decremented when the linked addresses are removed. A fix for v6.0. Patch 11 validates the previous patch. Patch 12 avoids the PM to send multiple SUB_CLOSED events for the initial subflow. A fix for v5.12. Patch 13 validates the previous patch. Patch 14 stops treating the ADD_ADDR 0 as a new address, and accepts it in order to re-create the initial subflow if it has been closed, even if the limit for *new* addresses -- not taking into account the address of the initial subflow -- has been reached. A fix for v5.10. Patch 15 validates the previous patch. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (15): mptcp: pm: reuse ID 0 after delete and re-add mptcp: pm: fix RM_ADDR ID for the initial subflow selftests: mptcp: join: check removing ID 0 endpoint mptcp: pm: send ACK on an active subflow mptcp: pm: skip connecting to already established sf mptcp: pm: reset MPC endp ID when re-added selftests: mptcp: join: check re-adding init endp with != id selftests: mptcp: join: no extra msg if no counter mptcp: pm: do not remove already closed subflows mptcp: pm: fix ID 0 endp usage after multiple re-creations selftests: mptcp: join: check re-re-adding ID 0 endp mptcp: avoid duplicated SUB_CLOSED events selftests: mptcp: join: validate event numbers mptcp: pm: ADD_ADDR 0 is not a new address selftests: mptcp: join: check re-re-adding ID 0 signal net/mptcp/pm.c | 4 +- net/mptcp/pm_netlink.c | 87 ++++++++++---- net/mptcp/protocol.c | 6 + net/mptcp/protocol.h | 5 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 149 ++++++++++++++++++++---- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 4 + 6 files changed, 207 insertions(+), 48 deletions(-) --- base-commit: 8af174ea863c72f25ce31cee3baad8a301c0cf0f change-id: 20240826-net-mptcp-more-pm-fix-ffa61a36f817 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

8 months, 1 week

3
17
0 0

[PATCH] x86/hyperv: fix kexec crash due to VP assist page corruption

by Anirudh Rayabharam

From: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline") introduces a new cpuhp state for hyperv initialization. cpuhp_setup_state() returns the state number if state is CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states. For the hyperv case, since a new cpuhp state was introduced it would return 0. However, in hv_machine_shutdown(), the cpuhp_remove_state() call is conditioned upon "hyperv_init_cpuhp > 0". This will never be true and so hv_cpu_die() won't be called on all CPUs. This means the VP assist page won't be reset. When the kexec kernel tries to setup the VP assist page again, the hypervisor corrupts the memory region of the old VP assist page causing a panic in case the kexec kernel is using that memory elsewhere. This was originally fixed in dfe94d4086e4 ("x86/hyperv: Fix kexec panic/hang issues"). Set hyperv_init_cpuhp to CPUHP_AP_HYPERV_ONLINE upon successful setup so that the hyperv cpuhp state is removed correctly on kexec and the necessary cleanup takes place. Cc: stable(a)vger.kernel.org Fixes: 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline") Signed-off-by: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> --- arch/x86/hyperv/hv_init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c index 17a71e92a343..81d1981a75d1 100644 --- a/arch/x86/hyperv/hv_init.c +++ b/arch/x86/hyperv/hv_init.c @@ -607,7 +607,7 @@ void __init hyperv_init(void) register_syscore_ops(&hv_syscore_ops); - hyperv_init_cpuhp = cpuhp; + hyperv_init_cpuhp = CPUHP_AP_HYPERV_ONLINE; if (cpuid_ebx(HYPERV_CPUID_FEATURES) & HV_ACCESS_PARTITION_ID) hv_get_partition_id(); @@ -637,7 +637,7 @@ void __init hyperv_init(void) clean_guest_os_id: wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0); hv_ivm_msr_write(HV_X64_MSR_GUEST_OS_ID, 0); - cpuhp_remove_state(cpuhp); + cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE); free_ghcb_page: free_percpu(hv_ghcb_pg); free_vp_assist_page: -- 2.45.2

8 months, 1 week

2
2
0 0

[PATCH] wifi: wfx: repair open network AP mode

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> RSN IE missing in beacon is normal in open networks. Avoid returning -ENODEV in this case. Steps to reproduce: $ cat /etc/wpa_supplicant.conf network={ ssid="testNet" mode=2 key_mgmt=NONE } $ wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf nl80211: Beacon set failed: -22 (Invalid argument) Failed to set beacon parameters Interface initialization failed wlan0: interface state UNINITIALIZED->DISABLED wlan0: AP-DISABLED wlan0: Unable to setup interface. Failed to initialize AP interface After the change: $ wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf Successfully initialized wpa_supplicant wlan0: interface state UNINITIALIZED->ENABLED wlan0: AP-ENABLED Cc: stable(a)vger.kernel.org Fixes: fe0a7776d4d1 ("wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()") Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- drivers/net/wireless/silabs/wfx/sta.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/silabs/wfx/sta.c b/drivers/net/wireless/silabs/wfx/sta.c index 216d43c8bd6e..7c04810dbf3d 100644 --- a/drivers/net/wireless/silabs/wfx/sta.c +++ b/drivers/net/wireless/silabs/wfx/sta.c @@ -352,8 +352,11 @@ static int wfx_set_mfp_ap(struct wfx_vif *wvif) ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset, skb->len - ieoffset); - if (unlikely(!ptr)) + if (!ptr) { + /* No RSN IE is fine in open networks */ + ret = 0; goto free_skb; + } ptr += pairwise_cipher_suite_count_offset; if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) -- 2.46.0

8 months, 1 week

4
6
0 0

FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082742-getting-scoured-1475@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082740-citadel-facelift-bc00@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] ksmbd: the buffer of smb2 query dir response has at least 1" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x ce61b605a00502c59311d0a4b1f58d62b48272d0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082604-depose-iphone-7d55@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: ce61b605a005 ("ksmbd: the buffer of smb2 query dir response has at least 1 byte") e2b76ab8b5c9 ("ksmbd: add support for read compound") e202a1e8634b ("ksmbd: no response from compound read") 7b7d709ef7cf ("ksmbd: add missing compound request handing in some commands") 81a94b27847f ("ksmbd: use kvzalloc instead of kvmalloc") 38c8a9a52082 ("smb: move client and server files to common directory fs/smb") 30210947a343 ("ksmbd: fix racy issue under cocurrent smb2 tree disconnect") abcc506a9a71 ("ksmbd: fix racy issue from smb2 close and logoff with multichannel") ea174a918939 ("ksmbd: destroy expired sessions") f5c779b7ddbd ("ksmbd: fix racy issue from session setup and logoff") 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name") 34e8ccf9ce24 ("ksmbd: set NegotiateContextCount once instead of every inc") 42bc6793e452 ("Merge tag 'pull-lock_rename_child' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into ksmbd-for-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ce61b605a00502c59311d0a4b1f58d62b48272d0 Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Tue, 20 Aug 2024 22:07:38 +0900 Subject: [PATCH] ksmbd: the buffer of smb2 query dir response has at least 1 byte When STATUS_NO_MORE_FILES status is set to smb2 query dir response, ->StructureSize is set to 9, which mean buffer has 1 byte. This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to flex-array. Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") Cc: stable(a)vger.kernel.org # v6.1+ Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 0bc9edf22ba4..e9204180919e 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -4409,7 +4409,8 @@ int smb2_query_dir(struct ksmbd_work *work) rsp->OutputBufferLength = cpu_to_le32(0); rsp->Buffer[0] = 0; rc = ksmbd_iov_pin_rsp(work, (void *)rsp, - sizeof(struct smb2_query_directory_rsp)); + offsetof(struct smb2_query_directory_rsp, Buffer) + + 1); if (rc) goto err_out; } else {

8 months, 1 week

3
4
0 0

[PATCH] spi: rockchip: Resolve unbalanced runtime PM / system PM handling

by Brian Norris

Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure. Fixes: e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") Cc: <stable(a)vger.kernel.org> Reported-by: "Ondřej Jirman" <megi(a)xff.cz> Closes: https://lore.kernel.org/lkml/20220621154218.sau54jeij4bunf56@core/ Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- drivers/spi/spi-rockchip.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c index e1ecd96c7858..f30af4316b8b 100644 --- a/drivers/spi/spi-rockchip.c +++ b/drivers/spi/spi-rockchip.c @@ -951,8 +951,11 @@ static int rockchip_spi_suspend(struct device *dev) if (ret < 0) return ret; - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); + ret = pm_runtime_force_suspend(dev); + if (ret < 0) { + spi_controller_resume(ctlr); + return ret; + } pinctrl_pm_select_sleep_state(dev); @@ -967,21 +970,11 @@ static int rockchip_spi_resume(struct device *dev) pinctrl_pm_select_default_state(dev); - ret = clk_prepare_enable(rs->apb_pclk); + ret = pm_runtime_force_resume(dev); if (ret < 0) return ret; - ret = clk_prepare_enable(rs->spiclk); - if (ret < 0) - clk_disable_unprepare(rs->apb_pclk); - - ret = spi_controller_resume(ctlr); - if (ret < 0) { - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); - } - - return 0; + return spi_controller_resume(ctlr); } #endif /* CONFIG_PM_SLEEP */ -- 2.46.0.295.g3b9ea8a38a-goog

8 months, 1 week

2
1
0 0

[PATCH] drm/vmwgfx: Cleanup kms setup without 3d

by Zack Rusin

Do not validate format equality for the non 3d cases to allow xrgb to argb copies and make sure the dx binding flags are only used on dx compatible surfaces. Fixes basic 2d kms setup on configurations without 3d. There's little practical benefit to it because kms framebuffer coherence is disabled on configurations without 3d but with those changes the code actually makes sense. Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.9+ Cc: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> Cc: Martin Krastev <martin.krastev(a)broadcom.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 9 --------- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 ++++++--- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 288ed0bb75cb..b5fc5a9e123a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1339,15 +1339,6 @@ static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, return -EINVAL; } - /* - * For DX, surface format validation is done when surface->scanout - * is set. - */ - if (!has_sm4_context(dev_priv) && format != surface->metadata.format) { - DRM_ERROR("Invalid surface format for requested mode.\n"); - return -EINVAL; - } - vfbs = kzalloc(sizeof(*vfbs), GFP_KERNEL); if (!vfbs) { ret = -ENOMEM; diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 1625b30d9970..5721c74da3e0 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -2276,9 +2276,12 @@ int vmw_dumb_create(struct drm_file *file_priv, const struct SVGA3dSurfaceDesc *desc = vmw_surface_get_desc(format); SVGA3dSurfaceAllFlags flags = SVGA3D_SURFACE_HINT_TEXTURE | SVGA3D_SURFACE_HINT_RENDERTARGET | - SVGA3D_SURFACE_SCREENTARGET | - SVGA3D_SURFACE_BIND_SHADER_RESOURCE | - SVGA3D_SURFACE_BIND_RENDER_TARGET; + SVGA3D_SURFACE_SCREENTARGET; + + if (vmw_surface_is_dx_screen_target_format(format)) { + flags |= SVGA3D_SURFACE_BIND_SHADER_RESOURCE | + SVGA3D_SURFACE_BIND_RENDER_TARGET; + } /* * Without mob support we're just going to use raw memory buffer -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH] cpuidle: haltpoll: Fix guest_halt_poll_ns failed to take effect

by Yanhao Dong

From: ysay <ysaydong(a)gmail.com> When guest_halt_poll_allow_shrink=N,setting guest_halt_poll_ns from a large value to 0 does not reset the CPU polling time, despite guest_halt_poll_ns being intended as a mandatory maximum time limit. The problem was situated in the adjust_poll_limit() within drivers/cpuidle/governors/haltpoll.c:79. Specifically, when guest_halt_poll_allow_shrink was set to N, resetting guest_halt_poll_ns to zero did not lead to executing any section of code that adjusts dev->poll_limit_ns. The issue has been resolved by relocating the check and assignment for dev->poll_limit_ns outside of the conditional block. This ensures that every modification to guest_halt_poll_ns properly influences the CPU polling time. Signed-off-by: ysay <ysaydong(a)gmail.com> Fixes: 2cffe9f6b96f ("cpuidle: add haltpoll governor") --- drivers/cpuidle/governors/haltpoll.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/cpuidle/governors/haltpoll.c b/drivers/cpuidle/governors/haltpoll.c index 663b7f164..99c6260d7 100644 --- a/drivers/cpuidle/governors/haltpoll.c +++ b/drivers/cpuidle/governors/haltpoll.c @@ -78,26 +78,22 @@ static int haltpoll_select(struct cpuidle_driver *drv, static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns) { - unsigned int val; + unsigned int val = dev->poll_limit_ns; /* Grow cpu_halt_poll_us if * cpu_halt_poll_us < block_ns < guest_halt_poll_us */ if (block_ns > dev->poll_limit_ns && block_ns <= guest_halt_poll_ns) { - val = dev->poll_limit_ns * guest_halt_poll_grow; + val *= guest_halt_poll_grow; if (val < guest_halt_poll_grow_start) val = guest_halt_poll_grow_start; - if (val > guest_halt_poll_ns) - val = guest_halt_poll_ns; trace_guest_halt_poll_ns_grow(val, dev->poll_limit_ns); - dev->poll_limit_ns = val; } else if (block_ns > guest_halt_poll_ns && guest_halt_poll_allow_shrink) { unsigned int shrink = guest_halt_poll_shrink; - val = dev->poll_limit_ns; if (shrink == 0) { val = 0; } else { @@ -108,8 +104,12 @@ static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns) } trace_guest_halt_poll_ns_shrink(val, dev->poll_limit_ns); - dev->poll_limit_ns = val; } + + if (val > guest_halt_poll_ns) + val = guest_halt_poll_ns; + + dev->poll_limit_ns = val; } /** -- 2.43.5

8 months, 1 week

2
1
0 0

[PATCH 2/2] mmc : fix for check cqe halt.

by Seunghwan Baek

To check if mmc cqe is in halt state, need to check set/clear of CQHCI_HALT bit. At this time, we need to check with &, not &&. Therefore, code to check whether cqe is in halt state is modified to cqhci_halted, which has already been implemented. Fixes: 0653300224a6 ("mmc: cqhci: rename cqhci.c to cqhci-core.c") Cc: stable(a)vger.kernel.org Signed-off-by: Seunghwan Baek <sh8267.baek(a)samsung.com> --- drivers/mmc/host/cqhci-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mmc/host/cqhci-core.c b/drivers/mmc/host/cqhci-core.c index c14d7251d0bb..3d5bcb92c78e 100644 --- a/drivers/mmc/host/cqhci-core.c +++ b/drivers/mmc/host/cqhci-core.c @@ -282,7 +282,7 @@ static void __cqhci_enable(struct cqhci_host *cq_host) cqhci_writel(cq_host, cqcfg, CQHCI_CFG); - if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) + if (cqhci_halted(cq_host)) cqhci_writel(cq_host, 0, CQHCI_CTL); mmc->cqe_on = true; @@ -617,7 +617,7 @@ static int cqhci_request(struct mmc_host *mmc, struct mmc_request *mrq) cqhci_writel(cq_host, 0, CQHCI_CTL); mmc->cqe_on = true; pr_debug("%s: cqhci: CQE on\n", mmc_hostname(mmc)); - if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT) { + if (cqhci_halted(cq_host)) { pr_err("%s: cqhci: CQE failed to exit halt state\n", mmc_hostname(mmc)); } -- 2.17.1

8 months, 1 week

2
2
0 0

[PATCH] binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined

by Max Filippov

create_elf_fdpic_tables() does not correctly account the space for the AUX vector when an architecture has ELF_HWCAP2 defined. Prior to the commit 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv") it resulted in the last entry of the AUX vector being set to zero, but with that change it results in a kernel BUG. Fix that by adding one to the number of AUXV entries (nitems) when ELF_HWCAP2 is defined. Fixes: 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv") Cc: stable(a)vger.kernel.org Reported-by: Greg Ungerer <gregungerer(a)westnet.com.au> Closes: https://lore.kernel.org/lkml/5b51975f-6d0b-413c-8b38-39a6a45e8821@westnet.c… Signed-off-by: Max Filippov <jcmvbkbc(a)gmail.com> --- fs/binfmt_elf_fdpic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index c11289e1301b..a5cb45cb30c8 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -594,6 +594,9 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, if (bprm->have_execfd) nitems++; +#ifdef ELF_HWCAP2 + nitems++; +#endif csp = sp; sp -= nitems * 2 * sizeof(unsigned long); -- 2.39.2

8 months, 1 week

3
2
0 0

[tip: x86/urgent] x86/tdx: Fix data leak in mmio_read()

by tip-bot2 for Kirill A. Shutemov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: b6fb565a2d15277896583d471b21bc14a0c99661 Gitweb: https://git.kernel.org/tip/b6fb565a2d15277896583d471b21bc14a0c99661 Author: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> AuthorDate: Mon, 26 Aug 2024 15:53:04 +03:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Mon, 26 Aug 2024 12:45:19 -07:00 x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ] Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Reported-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240826125304.1566719-1-kirill.shutemov%40linu… --- arch/x86/coco/tdx/tdx.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2ba..da8b66d 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -389,7 +389,6 @@ static bool mmio_read(int size, unsigned long addr, unsigned long *val) .r12 = size, .r13 = EPT_READ, .r14 = addr, - .r15 = *val, }; if (__tdx_hypercall(&args))

8 months, 1 week

1
0
0 0

[PATCH] x86/tdx: Fix data leak in mmio_read()

by Kirill A. Shutemov

The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable on the stack to the VMM. Do not send the original value of *val to the VMM. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Reported-by: Sean Christopherson <seanjc(a)google.com> Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Cc: stable(a)vger.kernel.org # v5.19+ --- arch/x86/coco/tdx/tdx.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2bac2553..da8b66dce0da 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -389,7 +389,6 @@ static bool mmio_read(int size, unsigned long addr, unsigned long *val) .r12 = size, .r13 = EPT_READ, .r14 = addr, - .r15 = *val, }; if (__tdx_hypercall(&args)) -- 2.43.0

8 months, 1 week

2
2
0 0

[PATCH] codetag: debug: mark codetags for pages which transitioned from being poison to unpoison as empty

by Hao Ge

From: Hao Ge <gehao(a)kylinos.cn> The PG_hwpoison page will be caught and isolated on the entrance to the free buddy page pool. so,when we clear this flag and return it to the buddy system,mark codetags for pages as empty. It was detected by [1] and the following WARN occurred: [ 113.930443][ T3282] ------------[ cut here ]------------ [ 113.931105][ T3282] alloc_tag was not set [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164 [ 113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4 [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18 [ 113.943003][ T3282] Tainted: [W]=WARN [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164 [ 113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164 [ 113.946706][ T3282] sp : ffff800087093a10 [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0 [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000 [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000 [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210 [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339 [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0 [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001 [ 113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000 [ 113.957962][ T3282] Call trace: [ 113.958350][ T3282] pgalloc_tag_sub.part.66+0x154/0x164 [ 113.959000][ T3282] pgalloc_tag_sub+0x14/0x1c [ 113.959539][ T3282] free_unref_page+0xf4/0x4b8 [ 113.960096][ T3282] __folio_put+0xd4/0x120 [ 113.960614][ T3282] folio_put+0x24/0x50 [ 113.961103][ T3282] unpoison_memory+0x4f0/0x5b0 [ 113.961678][ T3282] hwpoison_unpoison+0x30/0x48 [hwpoison_inject] [ 113.962436][ T3282] simple_attr_write_xsigned.isra.34+0xec/0x1cc [ 113.963183][ T3282] simple_attr_write+0x38/0x48 [ 113.963750][ T3282] debugfs_attr_write+0x54/0x80 [ 113.964330][ T3282] full_proxy_write+0x68/0x98 [ 113.964880][ T3282] vfs_write+0xdc/0x4d0 [ 113.965372][ T3282] ksys_write+0x78/0x100 [ 113.965875][ T3282] __arm64_sys_write+0x24/0x30 [ 113.966440][ T3282] invoke_syscall+0x7c/0x104 [ 113.966984][ T3282] el0_svc_common.constprop.1+0x88/0x104 [ 113.967652][ T3282] do_el0_svc+0x2c/0x38 [ 113.968893][ T3282] el0_svc+0x3c/0x1b8 [ 113.969379][ T3282] el0t_64_sync_handler+0x98/0xbc [ 113.969980][ T3282] el0t_64_sync+0x19c/0x1a0 [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]--- Link [1]: https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/sysc… Fixes: a8fc28dad6d5 ("alloc_tag: introduce clear_page_tag_ref() helper function") Cc: stable(a)vger.kernel.org # v6.10 Signed-off-by: Hao Ge <gehao(a)kylinos.cn> --- mm/memory-failure.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 7066fc84f351..570388c41532 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2623,6 +2623,12 @@ int unpoison_memory(unsigned long pfn) folio_put(folio); if (TestClearPageHWPoison(p)) { + /* the PG_hwpoison page will be caught and isolated + * on the entrance to the free buddy page pool. + * so,when we clear this flag and return it to the buddy system, + * clear it's codetag + */ + clear_page_tag_ref(p); folio_put(folio); ret = 0; } -- 2.25.1

8 months, 1 week

3
14
0 0

[PATCH] Fixes: 496d0a648509 ("cpuidle: Fix guest_halt_poll_ns failed to take effect when setting guest_halt_poll_allow_shrink=N")

by Yanhao Dong

From: ysay <ysaydong(a)gmail.com> When guest_halt_poll_allow_shrink=N,setting guest_halt_poll_ns from a large value to 0 does not reset the CPU polling time, despite guest_halt_poll_ns being intended as a mandatory maximum time limit. The problem was situated in the adjust_poll_limit() within drivers/cpuidle/governors/haltpoll.c:79. Specifically, when guest_halt_poll_allow_shrink was set to N, resetting guest_halt_poll_ns to zero did not lead to executing any section of code that adjusts dev->poll_limit_ns. The issue has been resolved by relocating the check and assignment for dev->poll_limit_ns outside of the conditional block. This ensures that every modification to guest_halt_poll_ns properly influences the CPU polling time. Signed-off-by: ysay <ysaydong(a)gmail.com> --- drivers/cpuidle/governors/haltpoll.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/cpuidle/governors/haltpoll.c b/drivers/cpuidle/governors/haltpoll.c index 663b7f164..99c6260d7 100644 --- a/drivers/cpuidle/governors/haltpoll.c +++ b/drivers/cpuidle/governors/haltpoll.c @@ -78,26 +78,22 @@ static int haltpoll_select(struct cpuidle_driver *drv, static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns) { - unsigned int val; + unsigned int val = dev->poll_limit_ns; /* Grow cpu_halt_poll_us if * cpu_halt_poll_us < block_ns < guest_halt_poll_us */ if (block_ns > dev->poll_limit_ns && block_ns <= guest_halt_poll_ns) { - val = dev->poll_limit_ns * guest_halt_poll_grow; + val *= guest_halt_poll_grow; if (val < guest_halt_poll_grow_start) val = guest_halt_poll_grow_start; - if (val > guest_halt_poll_ns) - val = guest_halt_poll_ns; trace_guest_halt_poll_ns_grow(val, dev->poll_limit_ns); - dev->poll_limit_ns = val; } else if (block_ns > guest_halt_poll_ns && guest_halt_poll_allow_shrink) { unsigned int shrink = guest_halt_poll_shrink; - val = dev->poll_limit_ns; if (shrink == 0) { val = 0; } else { @@ -108,8 +104,12 @@ static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns) } trace_guest_halt_poll_ns_shrink(val, dev->poll_limit_ns); - dev->poll_limit_ns = val; } + + if (val > guest_halt_poll_ns) + val = guest_halt_poll_ns; + + dev->poll_limit_ns = val; } /** -- 2.43.5

8 months, 1 week

3
2
0 0

[tip: x86/urgent] x86/tdx: Fix data leak in mmio_read()

by tip-bot2 for Kirill A. Shutemov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: eb786ee1390b8fbba633c01a971709c6906fd8bf Gitweb: https://git.kernel.org/tip/eb786ee1390b8fbba633c01a971709c6906fd8bf Author: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> AuthorDate: Mon, 26 Aug 2024 15:53:04 +03:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Mon, 26 Aug 2024 07:04:09 -07:00 x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable on the stack to the VMM. Do not send the original value of *val to the VMM. Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Reported-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240826125304.1566719-1-kirill.shutemov%40linu… --- arch/x86/coco/tdx/tdx.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2ba..da8b66d 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -389,7 +389,6 @@ static bool mmio_read(int size, unsigned long addr, unsigned long *val) .r12 = size, .r13 = EPT_READ, .r14 = addr, - .r15 = *val, }; if (__tdx_hypercall(&args))

8 months, 1 week

1
0
0 0

[proposal] binfmt_misc: pass binfmt_misc flags to the interpreter

by Thorsten Glaser

commit 2347961b11d4079deace3c81dceed460c08a8fc1 I would like to propose this commit from 5.12 for stable, or rather, ask whether it’s a candidate and leave the exact picking/backporting to the experts (if it has other commits as prerequisites and/or later fixups). This is because qemu-user needs it, and it arrived just too late for the current Debian LTS kernel (5.10), and qemu-user in Debian until yesterday had a workaround, but now doesn’t because it’s in the stable kernel (6.1), so qemu-user-static cannot be just used as-is on Debian LTS any more. I’d like it to be applied to 5.10 (obviously), but perhaps others would appreciate more broad coverage. Thanks in advance, //mirabilos -- „Cool, /usr/share/doc/mksh/examples/uhr.gz ist ja ein Grund, mksh auf jedem System zu installieren.“ -- XTaran auf der OpenRheinRuhr, ganz begeistert (EN: “[…]uhr.gz is a reason to install mksh on every system.”)

8 months, 1 week

2
2
0 0

[PATCH] btrfs: fix the race between umount and btrfs-cleaner

by Julian Sun

There is a race condition generic_shutdown_super() and __btrfs_run_defrag_inode(). Consider the following scenario: umount thread: btrfs-cleaner thread: btrfs_run_delayed_iputs() ->run_delayed_iput_locked() ->iput(inode) // Here the inode (ie ino 261) will be cleared and freed btrfs_kill_super() ->generic_shutdown_super() btrfs_run_defrag_inodes() ->__btrfs_run_defrag_inode() ->btrfs_iget(ino) // The inode 261 was recreated with i_count=1 // and added to the sb list ->evict_inodes(sb) // After some work // inode 261 was added ->iput(inode) // to the dispose list ->iput_funal() ->evict(inode) ->evict(inode) Now, we have two threads simultaneously evicting the same inode, which led to a bug. The above behavior can be confirmed by the log I added for debugging and the log printed when BUG was triggered. Due to space limitations, I cannot paste the full diff and here is a brief describtion. First, within __btrfs_run_defrag_inode(), set inode->i_state |= (1<<19) just before calling iput(). Within the dispose_list(), check the flag, if the flag was set, then pr_info("bug! double evict! crash will happen! state is 0x%lx\n", inode->i_state); Here is the printed log when the BUG was triggered: [ 190.686726][ T2336] bug! double evict! crash will happen! state is 0x80020 [ 190.687647][ T2336] ------------[ cut here ]------------ [ 190.688294][ T2336] kernel BUG at fs/inode.c:626! [ 190.688939][ T2336] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 190.689792][ T2336] CPU: 1 PID: 2336 Comm: a.out Not tainted 6.10.0-rc2-00223-g0c529ab65ef8-dirty #109 [ 190.690894][ T2336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 190.692111][ T2336] RIP: 0010:clear_inode+0x15b/0x190 // some logs... [ 190.704501][ T2336] btrfs_evict_inode+0x529/0xe80 [ 190.706966][ T2336] evict+0x2ed/0x6c0 [ 190.707209][ T2336] dispose_list+0x62/0x260 [ 190.707490][ T2336] evict_inodes+0x34e/0x450 To prevent this behavior, we need to set BTRFS_FS_CLOSING_START before kill_anon_super() to ensure that btrfs_run_defrag_inodes() doesn't continue working after unmount. Reported-and-tested-by: syzbot+67ba3c42bcbb4665d3ad(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad CC: stable(a)vger.kernel.org Fixes: c146afad2c7f ("Btrfs: mount ro and remount support") Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/btrfs/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c index f05cce7c8b8d..f7e87fe583ab 100644 --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c @@ -2093,6 +2093,7 @@ static int btrfs_get_tree(struct fs_context *fc) static void btrfs_kill_super(struct super_block *sb) { struct btrfs_fs_info *fs_info = btrfs_sb(sb); + set_bit(BTRFS_FS_CLOSING_START, &fs_info->flags); kill_anon_super(sb); btrfs_free_fs_info(fs_info); } -- 2.39.2

8 months, 1 week

3
5
0 0

FAILED: patch "[PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082600-trodden-majesty-7be0@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: c0a1ef9c5be7 ("thermal: of: Fix OF node leak in of_thermal_zone_find() error paths") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:23 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Terminating for_each_available_child_of_node() loop requires dropping OF node reference, so bailing out on errors misses this. Solve the OF node reference leak with scoped for_each_available_child_of_node_scoped(). Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index b08a9b64718d..1f252692815a 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -184,14 +184,14 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int * Search for each thermal zone, a defined sensor * corresponding to the one passed as parameter */ - for_each_available_child_of_node(np, tz) { + for_each_available_child_of_node_scoped(np, child) { int count, i; - count = of_count_phandle_with_args(tz, "thermal-sensors", + count = of_count_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells"); if (count <= 0) { - pr_err("%pOFn: missing thermal sensor\n", tz); + pr_err("%pOFn: missing thermal sensor\n", child); tz = ERR_PTR(-EINVAL); goto out; } @@ -200,18 +200,19 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int int ret; - ret = of_parse_phandle_with_args(tz, "thermal-sensors", + ret = of_parse_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells", i, &sensor_specs); if (ret < 0) { - pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret); + pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret); tz = ERR_PTR(ret); goto out; } if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ? sensor_specs.args[0] : 0)) { - pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz); + pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child); + tz = no_free_ptr(child); goto out; } }

8 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082659-veto-ladies-d1b3@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: c0a1ef9c5be7 ("thermal: of: Fix OF node leak in of_thermal_zone_find() error paths") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:23 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Terminating for_each_available_child_of_node() loop requires dropping OF node reference, so bailing out on errors misses this. Solve the OF node reference leak with scoped for_each_available_child_of_node_scoped(). Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index b08a9b64718d..1f252692815a 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -184,14 +184,14 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int * Search for each thermal zone, a defined sensor * corresponding to the one passed as parameter */ - for_each_available_child_of_node(np, tz) { + for_each_available_child_of_node_scoped(np, child) { int count, i; - count = of_count_phandle_with_args(tz, "thermal-sensors", + count = of_count_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells"); if (count <= 0) { - pr_err("%pOFn: missing thermal sensor\n", tz); + pr_err("%pOFn: missing thermal sensor\n", child); tz = ERR_PTR(-EINVAL); goto out; } @@ -200,18 +200,19 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int int ret; - ret = of_parse_phandle_with_args(tz, "thermal-sensors", + ret = of_parse_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells", i, &sensor_specs); if (ret < 0) { - pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret); + pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret); tz = ERR_PTR(ret); goto out; } if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ? sensor_specs.args[0] : 0)) { - pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz); + pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child); + tz = no_free_ptr(child); goto out; } }

8 months, 1 week

1
0
0 0

[PATCH v2] firmware_loader: Block path traversal

by Jann Horn

Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously. Cc: stable(a)vger.kernel.org Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem") Signed-off-by: Jann Horn <jannh(a)google.com> --- Changes in v2: - describe fix in commit message (dakr) - write check more clearly and with comment in separate helper (dakr) - document new restriction in comment above request_firmware() (dakr) - warn when new restriction is triggered - Link to v1: https://lore.kernel.org/r/20240820-firmware-traversal-v1-1-8699ffaa9276@goo… --- drivers/base/firmware_loader/main.c | 41 +++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c index a03ee4b11134..dd47ce9a761f 100644 --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -849,6 +849,37 @@ static void fw_log_firmware_info(const struct firmware *fw, const char *name, {} #endif +/* + * Reject firmware file names with ".." path components. + * There are drivers that construct firmware file names from device-supplied + * strings, and we don't want some device to be able to tell us "I would like to + * be sent my firmware from ../../../etc/shadow, please". + * + * Search for ".." surrounded by either '/' or start/end of string. + * + * This intentionally only looks at the firmware name, not at the firmware base + * directory or at symlink contents. + */ +static bool name_contains_dotdot(const char *name) +{ + size_t name_len = strlen(name); + size_t i; + + if (name_len < 2) + return false; + for (i = 0; i < name_len - 1; i++) { + /* do we see a ".." sequence? */ + if (name[i] != '.' || name[i+1] != '.') + continue; + + /* is it a path component? */ + if ((i == 0 || name[i-1] == '/') && + (i == name_len - 2 || name[i+2] == '/')) + return true; + } + return false; +} + /* called from request_firmware() and request_firmware_work_func() */ static int _request_firmware(const struct firmware **firmware_p, const char *name, @@ -869,6 +900,14 @@ _request_firmware(const struct firmware **firmware_p, const char *name, goto out; } + if (name_contains_dotdot(name)) { + dev_warn(device, + "Firmware load for '%s' refused, path contains '..' component", + name); + ret = -EINVAL; + goto out; + } + ret = _request_firmware_prepare(&fw, name, device, buf, size, offset, opt_flags); if (ret <= 0) /* error or already assigned */ @@ -946,6 +985,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name, * @name will be used as $FIRMWARE in the uevent environment and * should be distinctive enough not to be confused with any other * firmware image for this or any other device. + * It must not contain any ".." path components - "foo/bar..bin" is + * allowed, but "foo/../bar.bin" is not. * * Caller must hold the reference count of @device. * --- base-commit: b0da640826ba3b6506b4996a6b23a429235e6923 change-id: 20240820-firmware-traversal-6df8501b0fe4 -- Jann Horn <jannh(a)google.com>

8 months, 1 week

6
11
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror