- Linux-stable-mirror - lists.linaro.org

[merged mm-hotfixes-stable] fork-do-not-invoke-uffd-on-fork-if-error-occurs.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fork: do not invoke uffd on fork if error occurs has been removed from the -mm tree. Its filename was fork-do-not-invoke-uffd-on-fork-if-error-occurs.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: fork: do not invoke uffd on fork if error occurs Date: Tue, 15 Oct 2024 18:56:05 +0100 Patch series "fork: do not expose incomplete mm on fork". During fork we may place the virtual memory address space into an inconsistent state before the fork operation is complete. In addition, we may encounter an error during the fork operation that indicates that the virtual memory address space is invalidated. As a result, we should not be exposing it in any way to external machinery that might interact with the mm or VMAs, machinery that is not designed to deal with incomplete state. We specifically update the fork logic to defer khugepaged and ksm to the end of the operation and only to be invoked if no error arose, and disallow uffd from observing fork events should an error have occurred. This patch (of 2): Currently on fork we expose the virtual address space of a process to userland unconditionally if uffd is registered in VMAs, regardless of whether an error arose in the fork. This is performed in dup_userfaultfd_complete() which is invoked unconditionally, and performs two duties - invoking registered handlers for the UFFD_EVENT_FORK event via dup_fctx(), and clearing down userfaultfd_fork_ctx objects established in dup_userfaultfd(). This is problematic, because the virtual address space may not yet be correctly initialised if an error arose. The change in commit d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") makes this more pertinent as we may be in a state where entries in the maple tree are not yet consistent. We address this by, on fork error, ensuring that we roll back state that we would otherwise expect to clean up through the event being handled by userland and perform the memory freeing duty otherwise performed by dup_userfaultfd_complete(). We do this by implementing a new function, dup_userfaultfd_fail(), which performs the same loop, only decrementing reference counts. Note that we perform mmgrab() on the parent and child mm's, however userfaultfd_ctx_put() will mmdrop() this once the reference count drops to zero, so we will avoid memory leaks correctly here. Link: https://lkml.kernel.org/r/cover.1729014377.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/d3691d58bb58712b6fb3df2be441d175bd3cdf07.17290143… Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jan Kara <jack(a)suse.cz> Cc: Linus Torvalds <torvalds(a)linuxfoundation.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/userfaultfd.c | 28 ++++++++++++++++++++++++++++ include/linux/userfaultfd_k.h | 5 +++++ kernel/fork.c | 5 ++++- 3 files changed, 37 insertions(+), 1 deletion(-) --- a/fs/userfaultfd.c~fork-do-not-invoke-uffd-on-fork-if-error-occurs +++ a/fs/userfaultfd.c @@ -692,6 +692,34 @@ void dup_userfaultfd_complete(struct lis } } +void dup_userfaultfd_fail(struct list_head *fcs) +{ + struct userfaultfd_fork_ctx *fctx, *n; + + /* + * An error has occurred on fork, we will tear memory down, but have + * allocated memory for fctx's and raised reference counts for both the + * original and child contexts (and on the mm for each as a result). + * + * These would ordinarily be taken care of by a user handling the event, + * but we are no longer doing so, so manually clean up here. + * + * mm tear down will take care of cleaning up VMA contexts. + */ + list_for_each_entry_safe(fctx, n, fcs, list) { + struct userfaultfd_ctx *octx = fctx->orig; + struct userfaultfd_ctx *ctx = fctx->new; + + atomic_dec(&octx->mmap_changing); + VM_BUG_ON(atomic_read(&octx->mmap_changing) < 0); + userfaultfd_ctx_put(octx); + userfaultfd_ctx_put(ctx); + + list_del(&fctx->list); + kfree(fctx); + } +} + void mremap_userfaultfd_prep(struct vm_area_struct *vma, struct vm_userfaultfd_ctx *vm_ctx) { --- a/include/linux/userfaultfd_k.h~fork-do-not-invoke-uffd-on-fork-if-error-occurs +++ a/include/linux/userfaultfd_k.h @@ -249,6 +249,7 @@ static inline bool vma_can_userfault(str extern int dup_userfaultfd(struct vm_area_struct *, struct list_head *); extern void dup_userfaultfd_complete(struct list_head *); +void dup_userfaultfd_fail(struct list_head *); extern void mremap_userfaultfd_prep(struct vm_area_struct *, struct vm_userfaultfd_ctx *); @@ -351,6 +352,10 @@ static inline void dup_userfaultfd_compl { } +static inline void dup_userfaultfd_fail(struct list_head *l) +{ +} + static inline void mremap_userfaultfd_prep(struct vm_area_struct *vma, struct vm_userfaultfd_ctx *ctx) { --- a/kernel/fork.c~fork-do-not-invoke-uffd-on-fork-if-error-occurs +++ a/kernel/fork.c @@ -775,7 +775,10 @@ out: mmap_write_unlock(mm); flush_tlb_mm(oldmm); mmap_write_unlock(oldmm); - dup_userfaultfd_complete(&uf); + if (!retval) + dup_userfaultfd_complete(&uf); + else + dup_userfaultfd_fail(&uf); fail_uprobe_end: uprobe_end_dup_mmap(); return retval; _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems-fix.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-defer-second-attempt-at-merge-on-mmap.patch mm-pagewalk-add-the-ability-to-install-ptes.patch mm-add-pte_marker_guard-pte-marker.patch mm-madvise-implement-lightweight-guard-page-mechanism.patch tools-testing-update-tools-uapi-header-for-mman-commonh.patch selftests-mm-add-self-tests-for-guard-page-feature.patch

8 months, 1 week

1
0
0 0

[PATCH xe-i915-for-6.11 01/22] drm/i915: Skip programming FIA link enable bits for MTL+

by Lucas De Marchi

From: Gustavo Sousa <gustavo.sousa(a)intel.com> commit 9fc97277eb2d17492de636b68cf7d2f5c4f15c1b upstream. Starting with Xe_LPD+, although FIA is still used to readout Type-C pin assignment, part of Type-C support is moved to PICA and programming PORT_TX_DFLEXDPMLE1(*) registers is not applicable anymore like it was for previous display IPs (e.g. see BSpec 49190). v2: - Mention Bspec 49190 as a reference of instructions for previous IPs. (Shekhar Chauhan) - s/Xe_LPDP/Xe_LPD+/ in the commit message. (Matt Roper) - Update commit message to be more accurate to the changes in the IP. (Imre Deak) Bspec: 65750, 65448 Reviewed-by: Shekhar Chauhan <shekhar.chauhan(a)intel.com> Reviewed-by: Imre Deak <imre.deak(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240625202652.315936-1-gusta… Signed-off-by: Gustavo Sousa <gustavo.sousa(a)intel.com> Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/i915/display/intel_tc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_tc.c b/drivers/gpu/drm/i915/display/intel_tc.c index 9887967b2ca5c..6f2ee7dbc43b3 100644 --- a/drivers/gpu/drm/i915/display/intel_tc.c +++ b/drivers/gpu/drm/i915/display/intel_tc.c @@ -393,6 +393,9 @@ void intel_tc_port_set_fia_lane_count(struct intel_digital_port *dig_port, bool lane_reversal = dig_port->saved_port_bits & DDI_BUF_PORT_REVERSAL; u32 val; + if (DISPLAY_VER(i915) >= 14) + return; + drm_WARN_ON(&i915->drm, lane_reversal && tc->mode != TC_PORT_LEGACY); -- 2.47.0

8 months, 1 week

1
21
0 0

+ lib-string_helpers-fix-potential-snprintf-output-truncation.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: lib: string_helpers: fix potential snprintf() output truncation has been added to the -mm mm-hotfixes-unstable branch. Its filename is lib-string_helpers-fix-potential-snprintf-output-truncation.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Subject: lib: string_helpers: fix potential snprintf() output truncation Date: Mon, 21 Oct 2024 11:14:17 +0200 The output of ".%03u" with the unsigned int in range [0, 4294966295] may get truncated if the target buffer is not 12 bytes. Link: https://lkml.kernel.org/r/20241021091417.37796-1-brgl@bgdev.pl Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range") Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Reviewed-by: Andy Shevchenko <andy(a)kernel.org> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/string_helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/string_helpers.c~lib-string_helpers-fix-potential-snprintf-output-truncation +++ a/lib/string_helpers.c @@ -57,7 +57,7 @@ int string_get_size(u64 size, u64 blk_si static const unsigned int rounding[] = { 500, 50, 5 }; int i = 0, j; u32 remainder = 0, sf_cap; - char tmp[8]; + char tmp[12]; const char *unit; tmp[0] = '\0'; _ Patches currently in -mm which might be from bartosz.golaszewski(a)linaro.org are lib-string_helpers-fix-potential-snprintf-output-truncation.patch

8 months, 1 week

2
2
0 0

+ mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() Date: Sat, 19 Oct 2024 01:29:39 +0000 When the MM_WALK capability is enabled, memory that is mostly accessed by a VM appears younger than it really is, therefore this memory will be less likely to be evicted. Therefore, the presence of a running VM can significantly increase swap-outs for non-VM memory, regressing the performance for the rest of the system. Fix this regression by always calling {ptep,pmdp}_clear_young_notify() whenever we clear the young bits on PMDs/PTEs. Link: https://lkml.kernel.org/r/20241019012940.3656292-3-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Signed-off-by: James Houghton <jthoughton(a)google.com> Reported-by: David Stevens <stevensd(a)google.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: David Matlack <dmatlack(a)google.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 5 +- mm/rmap.c | 9 +-- mm/vmscan.c | 91 +++++++++++++++++++++------------------ 3 files changed, 55 insertions(+), 50 deletions(-) --- a/include/linux/mmzone.h~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/include/linux/mmzone.h @@ -555,7 +555,7 @@ struct lru_gen_memcg { void lru_gen_init_pgdat(struct pglist_data *pgdat); void lru_gen_init_lruvec(struct lruvec *lruvec); -void lru_gen_look_around(struct page_vma_mapped_walk *pvmw); +bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw); void lru_gen_init_memcg(struct mem_cgroup *memcg); void lru_gen_exit_memcg(struct mem_cgroup *memcg); @@ -574,8 +574,9 @@ static inline void lru_gen_init_lruvec(s { } -static inline void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) +static inline bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw) { + return false; } static inline void lru_gen_init_memcg(struct mem_cgroup *memcg) --- a/mm/rmap.c~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/mm/rmap.c @@ -885,13 +885,10 @@ static bool folio_referenced_one(struct return false; } - if (pvmw.pte) { - if (lru_gen_enabled() && - pte_young(ptep_get(pvmw.pte))) { - lru_gen_look_around(&pvmw); + if (lru_gen_enabled() && pvmw.pte) { + if (lru_gen_look_around(&pvmw)) referenced++; - } - + } else if (pvmw.pte) { if (ptep_clear_flush_young_notify(vma, address, pvmw.pte)) referenced++; --- a/mm/vmscan.c~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/mm/vmscan.c @@ -56,6 +56,7 @@ #include <linux/khugepaged.h> #include <linux/rculist_nulls.h> #include <linux/random.h> +#include <linux/mmu_notifier.h> #include <asm/tlbflush.h> #include <asm/div64.h> @@ -3294,7 +3295,8 @@ static bool get_next_vma(unsigned long m return false; } -static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr, + struct pglist_data *pgdat) { unsigned long pfn = pte_pfn(pte); @@ -3306,13 +3308,20 @@ static unsigned long get_pte_pfn(pte_t p if (WARN_ON_ONCE(pte_devmap(pte) || pte_special(pte))) return -1; + if (!pte_young(pte) && !mm_has_notifiers(vma->vm_mm)) + return -1; + if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; + if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) + return -1; + return pfn; } -static unsigned long get_pmd_pfn(pmd_t pmd, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pmd_pfn(pmd_t pmd, struct vm_area_struct *vma, unsigned long addr, + struct pglist_data *pgdat) { unsigned long pfn = pmd_pfn(pmd); @@ -3324,9 +3333,15 @@ static unsigned long get_pmd_pfn(pmd_t p if (WARN_ON_ONCE(pmd_devmap(pmd))) return -1; + if (!pmd_young(pmd) && !mm_has_notifiers(vma->vm_mm)) + return -1; + if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; + if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) + return -1; + return pfn; } @@ -3335,10 +3350,6 @@ static struct folio *get_pfn_folio(unsig { struct folio *folio; - /* try to avoid unnecessary memory loads */ - if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) - return NULL; - folio = pfn_folio(pfn); if (folio_nid(folio) != pgdat->node_id) return NULL; @@ -3394,20 +3405,16 @@ restart: total++; walk->mm_stats[MM_LEAF_TOTAL]++; - pfn = get_pte_pfn(ptent, args->vma, addr); + pfn = get_pte_pfn(ptent, args->vma, addr, pgdat); if (pfn == -1) continue; - if (!pte_young(ptent)) { - continue; - } - folio = get_pfn_folio(pfn, memcg, pgdat, walk->can_swap); if (!folio) continue; - if (!ptep_test_and_clear_young(args->vma, addr, pte + i)) - VM_WARN_ON_ONCE(true); + if (!ptep_clear_young_notify(args->vma, addr, pte + i)) + continue; young++; walk->mm_stats[MM_LEAF_YOUNG]++; @@ -3473,21 +3480,22 @@ static void walk_pmd_range_locked(pud_t /* don't round down the first address */ addr = i ? (*first & PMD_MASK) + i * PMD_SIZE : *first; - pfn = get_pmd_pfn(pmd[i], vma, addr); - if (pfn == -1) - goto next; - - if (!pmd_trans_huge(pmd[i])) { - if (!walk->force_scan && should_clear_pmd_young()) + if (pmd_present(pmd[i]) && !pmd_trans_huge(pmd[i])) { + if (!walk->force_scan && should_clear_pmd_young() && + !mm_has_notifiers(args->mm)) pmdp_test_and_clear_young(vma, addr, pmd + i); goto next; } + pfn = get_pmd_pfn(pmd[i], vma, addr, pgdat); + if (pfn == -1) + goto next; + folio = get_pfn_folio(pfn, memcg, pgdat, walk->can_swap); if (!folio) goto next; - if (!pmdp_test_and_clear_young(vma, addr, pmd + i)) + if (!pmdp_clear_young_notify(vma, addr, pmd + i)) goto next; walk->mm_stats[MM_LEAF_YOUNG]++; @@ -3545,24 +3553,18 @@ restart: } if (pmd_trans_huge(val)) { - unsigned long pfn = pmd_pfn(val); struct pglist_data *pgdat = lruvec_pgdat(walk->lruvec); + unsigned long pfn = get_pmd_pfn(val, vma, addr, pgdat); walk->mm_stats[MM_LEAF_TOTAL]++; - if (!pmd_young(val)) { - continue; - } - - /* try to avoid unnecessary memory loads */ - if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) - continue; - - walk_pmd_range_locked(pud, addr, vma, args, bitmap, &first); + if (pfn != -1) + walk_pmd_range_locked(pud, addr, vma, args, bitmap, &first); continue; } - if (!walk->force_scan && should_clear_pmd_young()) { + if (!walk->force_scan && should_clear_pmd_young() && + !mm_has_notifiers(args->mm)) { if (!pmd_young(val)) continue; @@ -4036,13 +4038,13 @@ static void lru_gen_age_node(struct pgli * the PTE table to the Bloom filter. This forms a feedback loop between the * eviction and the aging. */ -void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) +bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw) { int i; unsigned long start; unsigned long end; struct lru_gen_mm_walk *walk; - int young = 0; + int young = 1; pte_t *pte = pvmw->pte; unsigned long addr = pvmw->address; struct vm_area_struct *vma = pvmw->vma; @@ -4058,12 +4060,15 @@ void lru_gen_look_around(struct page_vma lockdep_assert_held(pvmw->ptl); VM_WARN_ON_ONCE_FOLIO(folio_test_lru(folio), folio); + if (!ptep_clear_young_notify(vma, addr, pte)) + return false; + if (spin_is_contended(pvmw->ptl)) - return; + return true; /* exclude special VMAs containing anon pages from COW */ if (vma->vm_flags & VM_SPECIAL) - return; + return true; /* avoid taking the LRU lock under the PTL when possible */ walk = current->reclaim_state ? current->reclaim_state->mm_walk : NULL; @@ -4071,6 +4076,9 @@ void lru_gen_look_around(struct page_vma start = max(addr & PMD_MASK, vma->vm_start); end = min(addr | ~PMD_MASK, vma->vm_end - 1) + 1; + if (end - start == PAGE_SIZE) + return true; + if (end - start > MIN_LRU_BATCH * PAGE_SIZE) { if (addr - start < MIN_LRU_BATCH * PAGE_SIZE / 2) end = start + MIN_LRU_BATCH * PAGE_SIZE; @@ -4084,7 +4092,7 @@ void lru_gen_look_around(struct page_vma /* folio_update_gen() requires stable folio_memcg() */ if (!mem_cgroup_trylock_pages(memcg)) - return; + return true; arch_enter_lazy_mmu_mode(); @@ -4094,19 +4102,16 @@ void lru_gen_look_around(struct page_vma unsigned long pfn; pte_t ptent = ptep_get(pte + i); - pfn = get_pte_pfn(ptent, vma, addr); + pfn = get_pte_pfn(ptent, vma, addr, pgdat); if (pfn == -1) continue; - if (!pte_young(ptent)) - continue; - folio = get_pfn_folio(pfn, memcg, pgdat, can_swap); if (!folio) continue; - if (!ptep_test_and_clear_young(vma, addr, pte + i)) - VM_WARN_ON_ONCE(true); + if (!ptep_clear_young_notify(vma, addr, pte + i)) + continue; young++; @@ -4136,6 +4141,8 @@ void lru_gen_look_around(struct page_vma /* feedback from rmap walkers to page table walkers */ if (mm_state && suitable_to_scan(i, young)) update_bloom_filter(mm_state, max_seq, pvmw->pmd); + + return true; } /****************************************************************************** _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-allow-set-clear-page_type-again.patch mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch

8 months, 1 week

1
0
0 0

+ mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats Date: Sat, 19 Oct 2024 01:29:38 +0000 Patch series "mm: multi-gen LRU: Have secondary MMUs participate in MM_WALK". Today, the MM_WALK capability causes MGLRU to clear the young bit from PMDs and PTEs during the page table walk before eviction, but MGLRU does not call the clear_young() MMU notifier in this case. By not calling this notifier, the MM walk takes less time/CPU, but it causes pages that are accessed mostly through KVM / secondary MMUs to appear younger than they should be. We do call the clear_young() notifier today, but only when attempting to evict the page, so we end up clearing young/accessed information less frequently for secondary MMUs than for mm PTEs, and therefore they appear younger and are less likely to be evicted. Therefore, memory that is *not* being accessed mostly by KVM will be evicted *more* frequently, worsening performance. ChromeOS observed a tab-open latency regression when enabling MGLRU with a setup that involved running a VM: Tab-open latency histogram (ms) Version p50 mean p95 p99 max base 1315 1198 2347 3454 10319 mglru 2559 1311 7399 12060 43758 fix 1119 926 2470 4211 6947 This series replaces the final non-selftest patchs from this series[1], which introduced a similar change (and a new MMU notifier) with KVM optimizations. I'll send a separate series (to Sean and Paolo) for the KVM optimizations. This series also makes proactive reclaim with MGLRU possible for KVM memory. I have verified that this functions correctly with the selftest from [1], but given that that test is a KVM selftest, I'll send it with the rest of the KVM optimizations later. Andrew, let me know if you'd like to take the test now anyway. [1]: https://lore.kernel.org/linux-mm/20240926013506.860253-18-jthoughton@google… This patch (of 2): The removed stats, MM_LEAF_OLD and MM_NONLEAF_TOTAL, are not very helpful and become more complicated to properly compute when adding test/clear_young() notifiers in MGLRU's mm walk. Link: https://lkml.kernel.org/r/20241019012940.3656292-1-jthoughton@google.com Link: https://lkml.kernel.org/r/20241019012940.3656292-2-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Signed-off-by: James Houghton <jthoughton(a)google.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: David Matlack <dmatlack(a)google.com> Cc: David Rientjes <rientjes(a)google.com> Cc: David Stevens <stevensd(a)google.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 2 -- mm/vmscan.c | 14 +++++--------- 2 files changed, 5 insertions(+), 11 deletions(-) --- a/include/linux/mmzone.h~mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats +++ a/include/linux/mmzone.h @@ -458,9 +458,7 @@ struct lru_gen_folio { enum { MM_LEAF_TOTAL, /* total leaf entries */ - MM_LEAF_OLD, /* old leaf entries */ MM_LEAF_YOUNG, /* young leaf entries */ - MM_NONLEAF_TOTAL, /* total non-leaf entries */ MM_NONLEAF_FOUND, /* non-leaf entries found in Bloom filters */ MM_NONLEAF_ADDED, /* non-leaf entries added to Bloom filters */ NR_MM_STATS --- a/mm/vmscan.c~mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats +++ a/mm/vmscan.c @@ -3399,7 +3399,6 @@ restart: continue; if (!pte_young(ptent)) { - walk->mm_stats[MM_LEAF_OLD]++; continue; } @@ -3552,7 +3551,6 @@ restart: walk->mm_stats[MM_LEAF_TOTAL]++; if (!pmd_young(val)) { - walk->mm_stats[MM_LEAF_OLD]++; continue; } @@ -3564,8 +3562,6 @@ restart: continue; } - walk->mm_stats[MM_NONLEAF_TOTAL]++; - if (!walk->force_scan && should_clear_pmd_young()) { if (!pmd_young(val)) continue; @@ -5254,11 +5250,11 @@ static void lru_gen_seq_show_full(struct for (tier = 0; tier < MAX_NR_TIERS; tier++) { seq_printf(m, " %10d", tier); for (type = 0; type < ANON_AND_FILE; type++) { - const char *s = " "; + const char *s = "xxx"; unsigned long n[3] = {}; if (seq == max_seq) { - s = "RT "; + s = "RTx"; n[0] = READ_ONCE(lrugen->avg_refaulted[type][tier]); n[1] = READ_ONCE(lrugen->avg_total[type][tier]); } else if (seq == min_seq[type] || NR_HIST_GENS > 1) { @@ -5280,14 +5276,14 @@ static void lru_gen_seq_show_full(struct seq_puts(m, " "); for (i = 0; i < NR_MM_STATS; i++) { - const char *s = " "; + const char *s = "xxxx"; unsigned long n = 0; if (seq == max_seq && NR_HIST_GENS == 1) { - s = "LOYNFA"; + s = "TYFA"; n = READ_ONCE(mm_state->stats[hist][i]); } else if (seq != max_seq && NR_HIST_GENS > 1) { - s = "loynfa"; + s = "tyfa"; n = READ_ONCE(mm_state->stats[hist][i]); } _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-allow-set-clear-page_type-again.patch mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch

8 months, 1 week

1
0
0 0

+ mm-allow-set-clear-page_type-again.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: allow set/clear page_type again has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-allow-set-clear-page_type-again.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: allow set/clear page_type again Date: Sat, 19 Oct 2024 22:22:12 -0600 Some page flags (page->flags) were converted to page types (page->page_types). A recent example is PG_hugetlb. From the exclusive writer's perspective, e.g., a thread doing __folio_set_hugetlb(), there is a difference between the page flag and type APIs: the former allows the same non-atomic operation to be repeated whereas the latter does not. For example, calling __folio_set_hugetlb() twice triggers VM_BUG_ON_FOLIO(), since the second call expects the type (PG_hugetlb) not to be set previously. Using add_hugetlb_folio() as an example, it calls __folio_set_hugetlb() in the following error-handling path. And when that happens, it triggers the aforementioned VM_BUG_ON_FOLIO(). if (folio_test_hugetlb(folio)) { rc = hugetlb_vmemmap_restore_folio(h, folio); if (rc) { spin_lock_irq(&hugetlb_lock); add_hugetlb_folio(h, folio, false); ... It is possible to make hugeTLB comply with the new requirements from the page type API. However, a straightforward fix would be to just allow the same page type to be set or cleared again inside the API, to avoid any changes to its callers. Link: https://lkml.kernel.org/r/20241020042212.296781-1-yuzhao@google.com Fixes: d99e3140a4d3 ("mm: turn folio_test_hugetlb into a PageType") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page-flags.h | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/include/linux/page-flags.h~mm-allow-set-clear-page_type-again +++ a/include/linux/page-flags.h @@ -975,12 +975,16 @@ static __always_inline bool folio_test_# } \ static __always_inline void __folio_set_##fname(struct folio *folio) \ { \ + if (folio_test_##fname(folio)) \ + return; \ VM_BUG_ON_FOLIO(data_race(folio->page.page_type) != UINT_MAX, \ folio); \ folio->page.page_type = (unsigned int)PGTY_##lname << 24; \ } \ static __always_inline void __folio_clear_##fname(struct folio *folio) \ { \ + if (folio->page.page_type == UINT_MAX) \ + return; \ VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \ folio->page.page_type = UINT_MAX; \ } @@ -993,11 +997,15 @@ static __always_inline int Page##uname(c } \ static __always_inline void __SetPage##uname(struct page *page) \ { \ + if (Page##uname(page)) \ + return; \ VM_BUG_ON_PAGE(data_race(page->page_type) != UINT_MAX, page); \ page->page_type = (unsigned int)PGTY_##lname << 24; \ } \ static __always_inline void __ClearPage##uname(struct page *page) \ { \ + if (page->page_type == UINT_MAX) \ + return; \ VM_BUG_ON_PAGE(!Page##uname(page), page); \ page->page_type = UINT_MAX; \ } _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-allow-set-clear-page_type-again.patch

8 months, 1 week

1
0
0 0

+ nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix potential deadlock with newly created symlinks has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix potential deadlock with newly created symlinks Date: Sun, 20 Oct 2024 13:51:28 +0900 Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers memory reclamation involving the filesystem layer, which can result in circular lock dependencies among the reader/writer semaphore nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the fs_reclaim pseudo lock. This is because after commit 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem"), the gfp flags of the page cache for symbolic links are overwritten to GFP_KERNEL via inode_nohighmem(). This is not a problem for symlinks read from the backing device, because the __GFP_FS flag is dropped after inode_nohighmem() is called. However, when a new symlink is created with nilfs_symlink(), the gfp flags remain overwritten to GFP_KERNEL. Then, memory allocation called from page_symlink() etc. triggers memory reclamation including the FS layer, which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can cause a deadlock if they are called while nilfs->ns_segctor_sem is held: Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags of newly created symlinks in the same way that nilfs_new_inode() and __nilfs_read_inode() do, as a workaround until we adopt nofs allocation scope consistently or improve the locking constraints. Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+9ef37ac20608f4836256(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256 Tested-by: syzbot+9ef37ac20608f4836256(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/namei.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/nilfs2/namei.c~nilfs2-fix-potential-deadlock-with-newly-created-symlinks +++ a/fs/nilfs2/namei.c @@ -157,6 +157,9 @@ static int nilfs_symlink(struct mnt_idma /* slow symlink */ inode->i_op = &nilfs_symlink_inode_operations; inode_nohighmem(inode); + mapping_set_gfp_mask(inode->i_mapping, + mapping_gfp_constraint(inode->i_mapping, + ~__GFP_FS)); inode->i_mapping->a_ops = &nilfs_aops; err = page_symlink(inode, symname, l); if (err) _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch

8 months, 1 week

1
0
0 0

+ mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/vaddr: fix issue in damon_va_evenly_split_region() has been added to the -mm mm-unstable branch. Its filename is mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Zheng Yejian <zhengyejian(a)huaweicloud.com> Subject: mm/damon/vaddr: fix issue in damon_va_evenly_split_region() Date: Tue, 22 Oct 2024 16:39:26 +0800 Patch series "mm/damon/vaddr: Fix issue in damon_va_evenly_split_region()". v2. According to the logic of damon_va_evenly_split_region(), currently following split case would not meet the expectation: Suppose DAMON_MIN_REGION=0x1000, Case: Split [0x0, 0x3000) into 2 pieces, then the result would be acutually 3 regions: [0x0, 0x1000), [0x1000, 0x2000), [0x2000, 0x3000) but NOT the expected 2 regions: [0x0, 0x1000), [0x1000, 0x3000) !!! The root cause is that when calculating size of each split piece in damon_va_evenly_split_region(): `sz_piece = ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION);` both the dividing and the ALIGN_DOWN may cause loss of precision, then each time split one piece of size 'sz_piece' from origin 'start' to 'end' would cause more pieces are split out than expected!!! To fix it, count for each piece split and make sure no more than 'nr_pieces'. In addition, add above case into damon_test_split_evenly(). And add 'nr_piece == 1' check in damon_va_evenly_split_region() for better code readability and add a corresponding kunit testcase. This patch (of 2): According to the logic of damon_va_evenly_split_region(), currently following split case would not meet the expectation: Suppose DAMON_MIN_REGION=0x1000, Case: Split [0x0, 0x3000) into 2 pieces, then the result would be acutually 3 regions: [0x0, 0x1000), [0x1000, 0x2000), [0x2000, 0x3000) but NOT the expected 2 regions: [0x0, 0x1000), [0x1000, 0x3000) !!! The root cause is that when calculating size of each split piece in damon_va_evenly_split_region(): `sz_piece = ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION);` both the dividing and the ALIGN_DOWN may cause loss of precision, then each time split one piece of size 'sz_piece' from origin 'start' to 'end' would cause more pieces are split out than expected!!! To fix it, count for each piece split and make sure no more than 'nr_pieces'. In addition, add above case into damon_test_split_evenly(). After this patch, damon-operations test passed: # ./tools/testing/kunit/kunit.py run damon-operations [...] ============== damon-operations (6 subtests) =============== [PASSED] damon_test_three_regions_in_vmas [PASSED] damon_test_apply_three_regions1 [PASSED] damon_test_apply_three_regions2 [PASSED] damon_test_apply_three_regions3 [PASSED] damon_test_apply_three_regions4 [PASSED] damon_test_split_evenly ================ [PASSED] damon-operations ================= Link: https://lkml.kernel.org/r/20241022083927.3592237-1-zhengyejian@huaweicloud.… Link: https://lkml.kernel.org/r/20241022083927.3592237-2-zhengyejian@huaweicloud.… Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces") Signed-off-by: Zheng Yejian <zhengyejian(a)huaweicloud.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: Fernand Sieber <sieberf(a)amazon.com> Cc: Leonard Foerster <foersleo(a)amazon.de> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Ye Weihua <yeweihua4(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/vaddr-kunit.h | 1 + mm/damon/vaddr.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) --- a/mm/damon/tests/vaddr-kunit.h~mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region +++ a/mm/damon/tests/vaddr-kunit.h @@ -300,6 +300,7 @@ static void damon_test_split_evenly(stru damon_test_split_evenly_fail(test, 0, 100, 0); damon_test_split_evenly_succ(test, 0, 100, 10); damon_test_split_evenly_succ(test, 5, 59, 5); + damon_test_split_evenly_succ(test, 0, 3, 2); damon_test_split_evenly_fail(test, 5, 6, 2); } --- a/mm/damon/vaddr.c~mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region +++ a/mm/damon/vaddr.c @@ -67,6 +67,7 @@ static int damon_va_evenly_split_region( unsigned long sz_orig, sz_piece, orig_end; struct damon_region *n = NULL, *next; unsigned long start; + unsigned int i; if (!r || !nr_pieces) return -EINVAL; @@ -80,8 +81,7 @@ static int damon_va_evenly_split_region( r->ar.end = r->ar.start + sz_piece; next = damon_next_region(r); - for (start = r->ar.end; start + sz_piece <= orig_end; - start += sz_piece) { + for (start = r->ar.end, i = 1; i < nr_pieces; start += sz_piece, i++) { n = damon_new_region(start, start + sz_piece); if (!n) return -ENOMEM; _ Patches currently in -mm which might be from zhengyejian(a)huaweicloud.com are mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch mm-damon-vaddr-add-nr_piece-==-1-check-in-damon_va_evenly_split_region.patch

8 months, 1 week

1
0
0 0

[PATCH v2] ufs: core: fix another deadlock when rtc update

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When ufshcd_rtc_work calls ufshcd_rpm_put_sync and the pm's usage_count is 0, it will enter the runtime suspend callback. However, the runtime suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock. Replacing ufshcd_rpm_put_sync with ufshcd_rpm_put can avoid the deadlock. Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support") Cc: <stable(a)vger.kernel.org> #6.11.x Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufshcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a63dcf48e59d..f5846598d80e 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -8219,7 +8219,7 @@ static void ufshcd_update_rtc(struct ufs_hba *hba) err = ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_WRITE_ATTR, QUERY_ATTR_IDN_SECONDS_PASSED, 0, 0, &val); - ufshcd_rpm_put_sync(hba); + ufshcd_rpm_put(hba); if (err) dev_err(hba->dev, "%s: Failed to update rtc %d\n", __func__, err); -- 2.18.0

8 months, 1 week

1
0
0 0

[PATCH v1] ufs: core: fix another deadlock when rtc update

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When ufshcd_rtc_work calls ufshcd_rpm_put_sync and the pm's usage_count is 0, it will enter the runtime suspend callback. However, the runtime suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock. Replacing ufshcd_rpm_put_sync with ufshcd_rpm_put can avoid the deadlock. Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support") Cc: <stable(a)vger.kernel.org> 6.11.x Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a63dcf48e59d..f5846598d80e 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -8219,7 +8219,7 @@ static void ufshcd_update_rtc(struct ufs_hba *hba) err = ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_WRITE_ATTR, QUERY_ATTR_IDN_SECONDS_PASSED, 0, 0, &val); - ufshcd_rpm_put_sync(hba); + ufshcd_rpm_put(hba); if (err) dev_err(hba->dev, "%s: Failed to update rtc %d\n", __func__, err); -- 2.18.0

8 months, 1 week

3
2
0 0

+ kasan-remove-vmalloc_percpu-test.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: remove vmalloc_percpu test has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-remove-vmalloc_percpu-test.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Andrey Konovalov <andreyknvl(a)gmail.com> Subject: kasan: remove vmalloc_percpu test Date: Tue, 22 Oct 2024 18:07:06 +0200 Commit 1a2473f0cbc0 ("kasan: improve vmalloc tests") added the vmalloc_percpu KASAN test with the assumption that __alloc_percpu always uses vmalloc internally, which is tagged by KASAN. However, __alloc_percpu might allocate memory from the first per-CPU chunk, which is not allocated via vmalloc(). As a result, the test might fail. Remove the test until proper KASAN annotation for the per-CPU allocated are added; tracked in https://bugzilla.kernel.org/show_bug.cgi?id=215019. Link: https://lkml.kernel.org/r/20241022160706.38943-1-andrey.konovalov@linux.dev Fixes: 1a2473f0cbc0 ("kasan: improve vmalloc tests") Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> Reported-by: Samuel Holland <samuel.holland(a)sifive.com> Link: https://lore.kernel.org/all/4a245fff-cc46-44d1-a5f9-fd2f1c3764ae@sifive.com/ Reported-by: Sabyrzhan Tasbolatov <snovitoll(a)gmail.com> Link: https://lore.kernel.org/all/CACzwLxiWzNqPBp4C1VkaXZ2wDwvY3yZeetCi1TLGFipKW7… Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Sabyrzhan Tasbolatov <snovitoll(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan_test_c.c | 27 --------------------------- 1 file changed, 27 deletions(-) --- a/mm/kasan/kasan_test_c.c~kasan-remove-vmalloc_percpu-test +++ a/mm/kasan/kasan_test_c.c @@ -1810,32 +1810,6 @@ static void vm_map_ram_tags(struct kunit free_pages((unsigned long)p_ptr, 1); } -static void vmalloc_percpu(struct kunit *test) -{ - char __percpu *ptr; - int cpu; - - /* - * This test is specifically crafted for the software tag-based mode, - * the only tag-based mode that poisons percpu mappings. - */ - KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS); - - ptr = __alloc_percpu(PAGE_SIZE, PAGE_SIZE); - - for_each_possible_cpu(cpu) { - char *c_ptr = per_cpu_ptr(ptr, cpu); - - KUNIT_EXPECT_GE(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_MIN); - KUNIT_EXPECT_LT(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_KERNEL); - - /* Make sure that in-bounds accesses don't crash the kernel. */ - *c_ptr = 0; - } - - free_percpu(ptr); -} - /* * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN, * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based @@ -2023,7 +1997,6 @@ static struct kunit_case kasan_kunit_tes KUNIT_CASE(vmalloc_oob), KUNIT_CASE(vmap_tags), KUNIT_CASE(vm_map_ram_tags), - KUNIT_CASE(vmalloc_percpu), KUNIT_CASE(match_all_not_assigned), KUNIT_CASE(match_all_ptr_tag), KUNIT_CASE(match_all_mem_tag), _ Patches currently in -mm which might be from andreyknvl(a)gmail.com are kasan-remove-vmalloc_percpu-test.patch

8 months, 1 week

1
0
0 0

LinkedIn ,Andre Torres : 查看通过LinkedIn发送给您的订单请求

by LinkedIn

linux-stable-mirror(a)lists.linaro.org `A8Y7D �0C gE5w0B�1A�C7LinkedInSD1�01~D9`A8v84�A2S55�F7l42 N70[B6YD3T0D e36NF6NBAu35[50�AENF6 IPW30W40 e70�CF NA7TC1cCF�F0: N70[B6VFD[B6 Andre Torres sales.oiuy(a)outlook.com 78.54.***.*** ***pcs General goods,mol... Spain zCBS73VDEY0Dm88`6F � 2024 LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085. LinkedIn and the LinkedIn logo are registered trademarks of LinkedIn.

8 months, 1 week

1
0
0 0

+ tools-mm-werror-fixes-in-page-types-slabinfo.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: tools/mm: -Werror fixes in page-types/slabinfo has been added to the -mm mm-hotfixes-unstable branch. Its filename is tools-mm-werror-fixes-in-page-types-slabinfo.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wladislav Wiebe <wladislav.kw(a)gmail.com> Subject: tools/mm: -Werror fixes in page-types/slabinfo Date: Tue, 22 Oct 2024 19:21:13 +0200 Commit e6d2c436ff693 ("tools/mm: allow users to provide additional cflags/ldflags") passes now CFLAGS to Makefile. With this, build systems with default -Werror enabled found: slabinfo.c:1300:25: error: ignoring return value of 'chdir' declared with attribute 'warn_unused_result' [-Werror=unused-result] �� chdir(".."); �� ^~~~~~~~~~~ page-types.c:397:35: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'uint64_t' {aka 'long long unsigned int'} [-Werror=format=] �� printf("%lu\t", mapcnt0); �� ~~^�� ~~~~~~~ .. Fix page-types by using PRIu64 for uint64_t prints and check in slabinfo for return code on chdir(".."). Link: https://lkml.kernel.org/r/c1ceb507-94bc-461c-934d-c19b77edd825@gmail.com Fixes: e6d2c436ff693 ("tools/mm: allow users to provide additional cflags/ldflags") Signed-off-by: Wladislav Wiebe <wladislav.kw(a)gmail.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Herton R. Krzesinski <herton(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/mm/page-types.c | 9 +++++---- tools/mm/slabinfo.c | 4 +++- 2 files changed, 8 insertions(+), 5 deletions(-) --- a/tools/mm/page-types.c~tools-mm-werror-fixes-in-page-types-slabinfo +++ a/tools/mm/page-types.c @@ -22,6 +22,7 @@ #include <time.h> #include <setjmp.h> #include <signal.h> +#include <inttypes.h> #include <sys/types.h> #include <sys/errno.h> #include <sys/fcntl.h> @@ -391,9 +392,9 @@ static void show_page_range(unsigned lon if (opt_file) printf("%lx\t", voff); if (opt_list_cgroup) - printf("@%llu\t", (unsigned long long)cgroup0); + printf("@%" PRIu64 "\t", cgroup0); if (opt_list_mapcnt) - printf("%lu\t", mapcnt0); + printf("%" PRIu64 "\t", mapcnt0); printf("%lx\t%lx\t%s\n", index, count, page_flag_name(flags0)); } @@ -419,9 +420,9 @@ static void show_page(unsigned long voff if (opt_file) printf("%lx\t", voffset); if (opt_list_cgroup) - printf("@%llu\t", (unsigned long long)cgroup); + printf("@%" PRIu64 "\t", cgroup) if (opt_list_mapcnt) - printf("%lu\t", mapcnt); + printf("%" PRIu64 "\t", mapcnt); printf("%lx\t%s\n", offset, page_flag_name(flags)); } --- a/tools/mm/slabinfo.c~tools-mm-werror-fixes-in-page-types-slabinfo +++ a/tools/mm/slabinfo.c @@ -1297,7 +1297,9 @@ static void read_slab_dir(void) slab->cpu_partial_free = get_obj("cpu_partial_free"); slab->alloc_node_mismatch = get_obj("alloc_node_mismatch"); slab->deactivate_bypass = get_obj("deactivate_bypass"); - chdir(".."); + if (chdir("..")) + fatal("Unable to chdir from slab ../%s\n", + slab->name); if (slab->name[0] == ':') alias_targets++; slab++; _ Patches currently in -mm which might be from wladislav.kw(a)gmail.com are tools-mm-werror-fixes-in-page-types-slabinfo.patch

8 months, 1 week

1
0
0 0

+ ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: ipc: fix memleak if msg_init_ns failed in create_ipc_ns has been added to the -mm mm-nonmm-unstable branch. Its filename is ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wupeng Ma <mawupeng1(a)huawei.com> Subject: ipc: fix memleak if msg_init_ns failed in create_ipc_ns Date: Wed, 23 Oct 2024 17:31:29 +0800 Percpu memory allocation may failed during create_ipc_ns however this fail is not handled properly since ipc sysctls and mq sysctls is not released properly. Fix this by release these two resource when failure. Here is the kmemleak stack when percpu failed: unreferenced object 0xffff88819de2a600 (size 512): comm "shmem_2nstest", pid 120711, jiffies 4300542254 hex dump (first 32 bytes): 60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff `.........H..... 04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff ........ .V..... backtrace (crc be7cba35): [<ffffffff81b43f83>] __kmalloc_node_track_caller_noprof+0x333/0x420 [<ffffffff81a52e56>] kmemdup_noprof+0x26/0x50 [<ffffffff821b2f37>] setup_mq_sysctls+0x57/0x1d0 [<ffffffff821b29cc>] copy_ipcs+0x29c/0x3b0 [<ffffffff815d6a10>] create_new_namespaces+0x1d0/0x920 [<ffffffff815d7449>] copy_namespaces+0x2e9/0x3e0 [<ffffffff815458f3>] copy_process+0x29f3/0x7ff0 [<ffffffff8154b080>] kernel_clone+0xc0/0x650 [<ffffffff8154b6b1>] __do_sys_clone+0xa1/0xe0 [<ffffffff843df8ff>] do_syscall_64+0xbf/0x1c0 [<ffffffff846000b0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 Link: https://lkml.kernel.org/r/20241023093129.3074301-1-mawupeng1@huawei.com Fixes: 72d1e611082e ("ipc/msg: mitigate the lock contention with percpu counter") Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/namespace.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/ipc/namespace.c~ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns +++ a/ipc/namespace.c @@ -83,13 +83,15 @@ static struct ipc_namespace *create_ipc_ err = msg_init_ns(ns); if (err) - goto fail_put; + goto fail_ipc; sem_init_ns(ns); shm_init_ns(ns); return ns; +fail_ipc: + retire_ipc_sysctls(ns); fail_mq: retire_mq_sysctls(ns); _ Patches currently in -mm which might be from mawupeng1(a)huawei.com are ipc-fix-memleak-if-msg_init_ns-failed-in-create_ipc_ns.patch

8 months, 1 week

1
0
0 0

Request to include xe and i915 patches for 6.11.y

by Lucas De Marchi

Hi, I have tested 6.11.4 with these additional fixes for the xe and i915 drivers: f0ffa657e9f3913c7921cbd4d876343401f15f52 4551d60299b5ddc2655b6b365a4b92634e14e04f ecabb5e6ce54711c28706fc794d77adb3ecd0605 2009e808bc3e0df6d4d83e2271bc25ae63a4ac05 e4ac526c440af8aa94d2bdfe6066339dd93b4db2 ab0d6ef864c5fa820e894ee1a07f861e63851664 7929ffce0f8b9c76cb5c2a67d1966beaed20ab61 da9a73b7b25eab574cb9c984fcce0b5e240bdd2c 014125c64d09e58e90dde49fbb57d802a13e2559 4cce34b3835b6f7dc52ee2da95c96b6364bb72e5 a8efd8ce280996fe29f2564f705e96e18da3fa62 f15e5587448989a55cf8b4feaad0df72ca3aa6a0 a9556637a23311dea96f27fa3c3e5bfba0b38ae4 c7085d08c7e53d9aef0cdd4b20798356f6f5d469 eb53e5b933b9ff315087305b3dc931af3067d19c 3e307d6c28e7bc7d94b5699d0ed7fe07df6db094 d34f4f058edf1235c103ca9c921dc54820d14d40 31b42af516afa1e184d1a9f9dd4096c54044269a 7fbad577c82c5dd6db7217855c26f51554e53d85 b2013783c4458a1fe8b25c0b249d2e878bcf6999 c55f79f317ab428ae6d005965bc07e37496f209f 9fc97277eb2d17492de636b68cf7d2f5c4f15c1b I have them applied locally and could submit that if preferred, but there were no conflicts (since it also brings some additional patches as required for fixes to apply), so it should be trivial. All of these patches are already in upstream. Some of them are brought as dependency. The ones mentioning "performance changes" are knobs to follow the hw spec and could be considered as fixes too. These patches are also enabled downstream in Ubuntu 24.10 in order to allow the new Lunar Lake and Battlemage to work correctly. They have more patches not included here, but I may follow up with more depending on the acceptance of these patches. thanks Lucas De Marchi

8 months, 1 week

2
3
0 0

+ mm-resolve-faulty-mmap_region-error-path-behaviour.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: resolve faulty mmap_region() error path behaviour has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-resolve-faulty-mmap_region-error-path-behaviour.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: resolve faulty mmap_region() error path behaviour Date: Wed, 23 Oct 2024 21:38:29 +0100 The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here: 1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths. 2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite. 3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this. With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust. Link: https://lkml.kernel.org/r/6e8deda970b982e1e8ffd876e3cef342c292fbb5.17297152… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mmap.c | 121 ++++++++++++++++++++++++++++------------------------ 1 file changed, 66 insertions(+), 55 deletions(-) --- a/mm/mmap.c~mm-resolve-faulty-mmap_region-error-path-behaviour +++ a/mm/mmap.c @@ -1357,20 +1357,18 @@ int do_munmap(struct mm_struct *mm, unsi return do_vmi_munmap(&vmi, mm, start, len, uf, false); } -unsigned long mmap_region(struct file *file, unsigned long addr, +static unsigned long __mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, struct list_head *uf) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; pgoff_t pglen = PHYS_PFN(len); - struct vm_area_struct *merge; unsigned long charged = 0; struct vma_munmap_struct vms; struct ma_state mas_detach; struct maple_tree mt_detach; unsigned long end = addr + len; - bool writable_file_mapping = false; int error; VMA_ITERATOR(vmi, mm, addr); VMG_STATE(vmg, mm, &vmi, addr, end, vm_flags, pgoff); @@ -1444,28 +1442,26 @@ unsigned long mmap_region(struct file *f vm_flags_init(vma, vm_flags); vma->vm_page_prot = vm_get_page_prot(vm_flags); + if (vma_iter_prealloc(&vmi, vma)) { + error = -ENOMEM; + goto free_vma; + } + if (file) { vma->vm_file = get_file(file); error = mmap_file(file, vma); if (error) - goto unmap_and_free_vma; - - if (vma_is_shared_maywrite(vma)) { - error = mapping_map_writable(file->f_mapping); - if (error) - goto close_and_free_vma; - - writable_file_mapping = true; - } + goto unmap_and_free_file_vma; + /* Drivers cannot alter the address of the VMA. */ + WARN_ON_ONCE(addr != vma->vm_start); /* - * Expansion is handled above, merging is handled below. - * Drivers should not alter the address of the VMA. + * Drivers should not permit writability when previously it was + * disallowed. */ - if (WARN_ON((addr != vma->vm_start))) { - error = -EINVAL; - goto close_and_free_vma; - } + VM_WARN_ON_ONCE(vm_flags != vma->vm_flags && + !(vm_flags & VM_MAYWRITE) && + (vma->vm_flags & VM_MAYWRITE)); vma_iter_config(&vmi, addr, end); /* @@ -1473,6 +1469,8 @@ unsigned long mmap_region(struct file *f * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) { + struct vm_area_struct *merge; + vmg.flags = vma->vm_flags; /* If this fails, state is reset ready for a reattempt. */ merge = vma_merge_new_range(&vmg); @@ -1490,7 +1488,7 @@ unsigned long mmap_region(struct file *f vma = merge; /* Update vm_flags to pick up the change. */ vm_flags = vma->vm_flags; - goto unmap_writable; + goto file_expanded; } vma_iter_config(&vmi, addr, end); } @@ -1499,26 +1497,15 @@ unsigned long mmap_region(struct file *f } else if (vm_flags & VM_SHARED) { error = shmem_zero_setup(vma); if (error) - goto free_vma; + goto free_iter_vma; } else { vma_set_anonymous(vma); } - if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { - error = -EACCES; - goto close_and_free_vma; - } - - /* Allow architectures to sanity-check the vm_flags */ - if (!arch_validate_flags(vma->vm_flags)) { - error = -EINVAL; - goto close_and_free_vma; - } - - if (vma_iter_prealloc(&vmi, vma)) { - error = -ENOMEM; - goto close_and_free_vma; - } +#ifdef CONFIG_SPARC64 + /* TODO: Fix SPARC ADI! */ + WARN_ON_ONCE(!arch_validate_flags(vm_flags)); +#endif /* Lock the VMA since it is modified after insertion into VMA tree */ vma_start_write(vma); @@ -1532,10 +1519,7 @@ unsigned long mmap_region(struct file *f */ khugepaged_enter_vma(vma, vma->vm_flags); - /* Once vma denies write, undo our temporary denial count */ -unmap_writable: - if (writable_file_mapping) - mapping_unmap_writable(file->f_mapping); +file_expanded: file = vma->vm_file; ksm_add_vma(vma); expanded: @@ -1568,23 +1552,17 @@ expanded: vma_set_page_prot(vma); - validate_mm(mm); return addr; -close_and_free_vma: - vma_close(vma); - - if (file || vma->vm_file) { -unmap_and_free_vma: - fput(vma->vm_file); - vma->vm_file = NULL; - - vma_iter_set(&vmi, vma->vm_end); - /* Undo any partial mapping done by a device driver. */ - unmap_region(&vmi.mas, vma, vmg.prev, vmg.next); - } - if (writable_file_mapping) - mapping_unmap_writable(file->f_mapping); +unmap_and_free_file_vma: + fput(vma->vm_file); + vma->vm_file = NULL; + + vma_iter_set(&vmi, vma->vm_end); + /* Undo any partial mapping done by a device driver. */ + unmap_region(&vmi.mas, vma, vmg.prev, vmg.next); +free_iter_vma: + vma_iter_free(&vmi); free_vma: vm_area_free(vma); unacct_error: @@ -1594,10 +1572,43 @@ unacct_error: abort_munmap: vms_abort_munmap_vmas(&vms, &mas_detach); gather_failed: - validate_mm(mm); return error; } +unsigned long mmap_region(struct file *file, unsigned long addr, + unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, + struct list_head *uf) +{ + unsigned long ret; + bool writable_file_mapping = false; + + /* Check to see if MDWE is applicable. */ + if (map_deny_write_exec(vm_flags, vm_flags)) + return -EACCES; + + /* Allow architectures to sanity-check the vm_flags. */ + if (!arch_validate_flags(vm_flags)) + return -EINVAL; + + /* Map writable and ensure this isn't a sealed memfd. */ + if (file && is_shared_maywrite(vm_flags)) { + int error = mapping_map_writable(file->f_mapping); + + if (error) + return error; + writable_file_mapping = true; + } + + ret = __mmap_region(file, addr, len, vm_flags, pgoff, uf); + + /* Clear our write mapping regardless of error. */ + if (writable_file_mapping) + mapping_unmap_writable(file->f_mapping); + + validate_mm(current->mm); + return ret; +} + static int __vm_munmap(unsigned long start, size_t len, bool unlock) { int ret; _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are fork-do-not-invoke-uffd-on-fork-if-error-occurs.patch fork-only-invoke-khugepaged-ksm-hooks-if-no-error.patch mm-vma-add-expand-only-vma-merge-mode-and-optimise-do_brk_flags.patch tools-testing-add-expand-only-mode-vma-test.patch mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-defer-second-attempt-at-merge-on-mmap.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch

8 months, 1 week

1
0
0 0

+ mm-refactor-map_deny_write_exec.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: refactor map_deny_write_exec() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-refactor-map_deny_write_exec.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: refactor map_deny_write_exec() Date: Wed, 23 Oct 2024 21:38:28 +0100 Refactor the map_deny_write_exec() to not unnecessarily require a VMA parameter but rather to accept VMA flags parameters, which allows us to use this function early in mmap_region() in a subsequent commit. While we're here, we refactor the function to be more readable and add some additional documentation. Link: https://lkml.kernel.org/r/e82d23cebaa87fe5b767fecf9e730e0059066e63.17297152… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mman.h | 21 ++++++++++++++++++--- mm/mmap.c | 2 +- mm/mprotect.c | 2 +- mm/vma.h | 2 +- 4 files changed, 21 insertions(+), 6 deletions(-) --- a/include/linux/mman.h~mm-refactor-map_deny_write_exec +++ a/include/linux/mman.h @@ -188,16 +188,31 @@ static inline bool arch_memory_deny_writ * * d) mmap(PROT_READ | PROT_EXEC) * mmap(PROT_READ | PROT_EXEC | PROT_BTI) + * + * This is only applicable if the user has set the Memory-Deny-Write-Execute + * (MDWE) protection mask for the current process. + * + * @old specifies the VMA flags the VMA originally possessed, and @new the ones + * we propose to set. + * + * Return: false if proposed change is OK, true if not ok and should be denied. */ -static inline bool map_deny_write_exec(struct vm_area_struct *vma, unsigned long vm_flags) +static inline bool map_deny_write_exec(unsigned long old, unsigned long new) { + /* If MDWE is disabled, we have nothing to deny. */ if (!test_bit(MMF_HAS_MDWE, &current->mm->flags)) return false; - if ((vm_flags & VM_EXEC) && (vm_flags & VM_WRITE)) + /* If the new VMA is not executable, we have nothing to deny. */ + if (!(new & VM_EXEC)) + return false; + + /* Under MDWE we do not accept newly writably executable VMAs... */ + if (new & VM_WRITE) return true; - if (!(vma->vm_flags & VM_EXEC) && (vm_flags & VM_EXEC)) + /* ...nor previously non-executable VMAs becoming executable. */ + if (!(old & VM_EXEC)) return true; return false; --- a/mm/mmap.c~mm-refactor-map_deny_write_exec +++ a/mm/mmap.c @@ -1504,7 +1504,7 @@ unsigned long mmap_region(struct file *f vma_set_anonymous(vma); } - if (map_deny_write_exec(vma, vma->vm_flags)) { + if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { error = -EACCES; goto close_and_free_vma; } --- a/mm/mprotect.c~mm-refactor-map_deny_write_exec +++ a/mm/mprotect.c @@ -810,7 +810,7 @@ static int do_mprotect_pkey(unsigned lon break; } - if (map_deny_write_exec(vma, newflags)) { + if (map_deny_write_exec(vma->vm_flags, newflags)) { error = -EACCES; break; } --- a/mm/vma.h~mm-refactor-map_deny_write_exec +++ a/mm/vma.h @@ -42,7 +42,7 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - /* 1 byte hole */ + /* 2 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ unsigned long nr_accounted; /* Number of VM_ACCOUNT pages */ _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are fork-do-not-invoke-uffd-on-fork-if-error-occurs.patch fork-only-invoke-khugepaged-ksm-hooks-if-no-error.patch mm-vma-add-expand-only-vma-merge-mode-and-optimise-do_brk_flags.patch tools-testing-add-expand-only-mode-vma-test.patch mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-defer-second-attempt-at-merge-on-mmap.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch

8 months, 1 week

1
0
0 0

+ mm-unconditionally-close-vmas-on-error.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: unconditionally close VMAs on error has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-unconditionally-close-vmas-on-error.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: unconditionally close VMAs on error Date: Wed, 23 Oct 2024 21:38:27 +0100 Incorrect invokation of VMA callbacks when the VMA is no longer in a consistent state is bug prone and risky to perform. With regards to the important vm_ops->close() callback We have gone to great lengths to try to track whether or not we ought to close VMAs. Rather than doing so and risking making a mistake somewhere, instead unconditionally close and reset vma->vm_ops to an empty dummy operations set with a NULL .close operator. We introduce a new function to do so - vma_close() - and simplify existing vms logic which tracked whether we needed to close or not. This simplifies the logic, avoids incorrect double-calling of the .close() callback and allows us to update error paths to simply call vma_close() unconditionally - making VMA closure idempotent. Link: https://lkml.kernel.org/r/72a81a6fb997508db644313a5fdf4d239f620da6.17297152… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 18 ++++++++++++++++++ mm/mmap.c | 5 ++--- mm/nommu.c | 3 +-- mm/vma.c | 14 +++++--------- mm/vma.h | 4 +--- 5 files changed, 27 insertions(+), 17 deletions(-) --- a/mm/internal.h~mm-unconditionally-close-vmas-on-error +++ a/mm/internal.h @@ -135,6 +135,24 @@ static inline int mmap_file(struct file return err; } +/* + * If the VMA has a close hook then close it, and since closing it might leave + * it in an inconsistent state which makes the use of any hooks suspect, clear + * them down by installing dummy empty hooks. + */ +static inline void vma_close(struct vm_area_struct *vma) +{ + if (vma->vm_ops && vma->vm_ops->close) { + vma->vm_ops->close(vma); + + /* + * The mapping is in an inconsistent state, and no further hooks + * may be invoked upon it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + } +} + #ifdef CONFIG_MMU /* Flags for folio_pte_batch(). */ --- a/mm/mmap.c~mm-unconditionally-close-vmas-on-error +++ a/mm/mmap.c @@ -1572,8 +1572,7 @@ expanded: return addr; close_and_free_vma: - if (file && !vms.closed_vm_ops && vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (file || vma->vm_file) { unmap_and_free_vma: @@ -1933,7 +1932,7 @@ void exit_mmap(struct mm_struct *mm) do { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); - remove_vma(vma, /* unreachable = */ true, /* closed = */ false); + remove_vma(vma, /* unreachable = */ true); count++; cond_resched(); vma = vma_next(&vmi); --- a/mm/nommu.c~mm-unconditionally-close-vmas-on-error +++ a/mm/nommu.c @@ -589,8 +589,7 @@ static int delete_vma_from_mm(struct vm_ */ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) { - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); put_nommu_region(vma->vm_region); --- a/mm/vma.c~mm-unconditionally-close-vmas-on-error +++ a/mm/vma.c @@ -323,11 +323,10 @@ static bool can_vma_merge_right(struct v /* * Close a vm structure and free it. */ -void remove_vma(struct vm_area_struct *vma, bool unreachable, bool closed) +void remove_vma(struct vm_area_struct *vma, bool unreachable) { might_sleep(); - if (!closed && vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); mpol_put(vma_policy(vma)); @@ -1115,9 +1114,7 @@ void vms_clean_up_area(struct vma_munmap vms_clear_ptes(vms, mas_detach, true); mas_set(mas_detach, 0); mas_for_each(mas_detach, vma, ULONG_MAX) - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); - vms->closed_vm_ops = true; + vma_close(vma); } /* @@ -1160,7 +1157,7 @@ void vms_complete_munmap_vmas(struct vma /* Remove and clean up vmas */ mas_set(mas_detach, 0); mas_for_each(mas_detach, vma, ULONG_MAX) - remove_vma(vma, /* = */ false, vms->closed_vm_ops); + remove_vma(vma, /* unreachable = */ false); vm_unacct_memory(vms->nr_accounted); validate_mm(mm); @@ -1684,8 +1681,7 @@ struct vm_area_struct *copy_vma(struct v return new_vma; out_vma_link: - if (new_vma->vm_ops && new_vma->vm_ops->close) - new_vma->vm_ops->close(new_vma); + vma_close(new_vma); if (new_vma->vm_file) fput(new_vma->vm_file); --- a/mm/vma.h~mm-unconditionally-close-vmas-on-error +++ a/mm/vma.h @@ -42,7 +42,6 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - bool closed_vm_ops; /* call_mmap() was encountered, so vmas may be closed */ /* 1 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ @@ -198,7 +197,6 @@ static inline void init_vma_munmap(struc vms->unmap_start = FIRST_USER_ADDRESS; vms->unmap_end = USER_PGTABLES_CEILING; vms->clear_ptes = false; - vms->closed_vm_ops = false; } #endif @@ -269,7 +267,7 @@ int do_vmi_munmap(struct vma_iterator *v unsigned long start, size_t len, struct list_head *uf, bool unlock); -void remove_vma(struct vm_area_struct *vma, bool unreachable, bool closed); +void remove_vma(struct vm_area_struct *vma, bool unreachable); void unmap_region(struct ma_state *mas, struct vm_area_struct *vma, struct vm_area_struct *prev, struct vm_area_struct *next); _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are fork-do-not-invoke-uffd-on-fork-if-error-occurs.patch fork-only-invoke-khugepaged-ksm-hooks-if-no-error.patch mm-vma-add-expand-only-vma-merge-mode-and-optimise-do_brk_flags.patch tools-testing-add-expand-only-mode-vma-test.patch mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-defer-second-attempt-at-merge-on-mmap.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch

8 months, 1 week

1
0
0 0

+ mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: avoid unsafe VMA hook invocation when error arises on mmap hook has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: avoid unsafe VMA hook invocation when error arises on mmap hook Date: Wed, 23 Oct 2024 21:38:26 +0100 Patch series "fix error handling in mmap_region() and refactor", v2. The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. This series goes to great lengths to simplify how mmap_region() works and to avoid unwinding errors late on in the process of setting up the VMA for the new mapping, and equally avoids such operations occurring while the VMA is in an inconsistent state. The first four patches are intended for backporting to correct the possibility of people encountering corrupted state while invoking mmap() which is otherwise at risk of happening. After this we go further, refactoring the code, placing it in mm/vma.c in order to make it eventually userland testable, and significantly simplifying the logic to avoid this issue arising in future. This patch (of 4): After an attempted mmap() fails, we are no longer in a situation where we can safely interact with VMA hooks. This is currently not enforced, meaning that we need complicated handling to ensure we do not incorrectly call these hooks. We can avoid the whole issue by treating the VMA as suspect the moment that the file->f_ops->mmap() function reports an error by replacing whatever VMA operations were installed with a dummy empty set of VMA operations. We do so through a new helper function internal to mm - mmap_file() - which is both more logically named than the existing call_mmap() function and correctly isolates handling of the vm_op reassignment to mm. All the existing invocations of call_mmap() outside of mm are ultimately nested within the call_mmap() from mm, which we now replace. It is therefore safe to leave call_mmap() in place as a convenience function (and to avoid churn). The invokers are: ovl_file_operations -> mmap -> ovl_mmap() -> backing_file_mmap() coda_file_operations -> mmap -> coda_file_mmap() shm_file_operations -> shm_mmap() shm_file_operations_huge -> shm_mmap() dma_buf_fops -> dma_buf_mmap_internal -> i915_dmabuf_ops -> i915_gem_dmabuf_mmap() None of these callers interact with vm_ops or mappings in a problematic way on error, quickly exiting out. Link: https://lkml.kernel.org/r/cover.1729715266.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/69f3c04df1ece2b7d402a29451ec19290ff429a4.17297152… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 27 +++++++++++++++++++++++++++ mm/mmap.c | 6 +++--- mm/nommu.c | 4 ++-- 3 files changed, 32 insertions(+), 5 deletions(-) --- a/mm/internal.h~mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook +++ a/mm/internal.h @@ -108,6 +108,33 @@ static inline void *folio_raw_mapping(co return (void *)(mapping & ~PAGE_MAPPING_FLAGS); } +/* + * This is a file-backed mapping, and is about to be memory mapped - invoke its + * mmap hook and safely handle error conditions. On error, VMA hooks will be + * mutated. + * + * @file: File which backs the mapping. + * @vma: VMA which we are mapping. + * + * Returns: 0 if success, error otherwise. + */ +static inline int mmap_file(struct file *file, struct vm_area_struct *vma) +{ + int err = call_mmap(file, vma); + + if (likely(!err)) + return 0; + + /* + * OK, we tried to call the file hook for mmap(), but an error + * arose. The mapping is in an inconsistent state and we most not invoke + * any further hooks on it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + + return err; +} + #ifdef CONFIG_MMU /* Flags for folio_pte_batch(). */ --- a/mm/mmap.c~mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook +++ a/mm/mmap.c @@ -1421,7 +1421,7 @@ unsigned long mmap_region(struct file *f /* * clear PTEs while the vma is still in the tree so that rmap * cannot race with the freeing later in the truncate scenario. - * This is also needed for call_mmap(), which is why vm_ops + * This is also needed for mmap_file(), which is why vm_ops * close function is called. */ vms_clean_up_area(&vms, &mas_detach); @@ -1446,7 +1446,7 @@ unsigned long mmap_region(struct file *f if (file) { vma->vm_file = get_file(file); - error = call_mmap(file, vma); + error = mmap_file(file, vma); if (error) goto unmap_and_free_vma; @@ -1469,7 +1469,7 @@ unsigned long mmap_region(struct file *f vma_iter_config(&vmi, addr, end); /* - * If vm_flags changed after call_mmap(), we should try merge + * If vm_flags changed after mmap_file(), we should try merge * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) { --- a/mm/nommu.c~mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook +++ a/mm/nommu.c @@ -885,7 +885,7 @@ static int do_mmap_shared_file(struct vm { int ret; - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); if (ret == 0) { vma->vm_region->vm_top = vma->vm_region->vm_end; return 0; @@ -918,7 +918,7 @@ static int do_mmap_private(struct vm_are * happy. */ if (capabilities & NOMMU_MAP_DIRECT) { - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); /* shouldn't return success if we're not sharing */ if (WARN_ON_ONCE(!is_nommu_shared_mapping(vma->vm_flags))) ret = -ENOSYS; _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are fork-do-not-invoke-uffd-on-fork-if-error-occurs.patch fork-only-invoke-khugepaged-ksm-hooks-if-no-error.patch mm-vma-add-expand-only-vma-merge-mode-and-optimise-do_brk_flags.patch tools-testing-add-expand-only-mode-vma-test.patch mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-defer-second-attempt-at-merge-on-mmap.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch

8 months, 1 week

1
0
0 0

[PATCH 0/2] soc: qcom: pmic_glink: Resolve failures to bring up pmic_glink

by Bjorn Andersson

With the transition of pd-mapper into the kernel, the timing was altered such that on some targets the initial rpmsg_send() requests from pmic_glink clients would be attempted before the firmware had announced intents, and the firmware reject intent requests. Fix this Signed-off-by: Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> --- Bjorn Andersson (2): rpmsg: glink: Handle rejected intent request better soc: qcom: pmic_glink: Handle GLINK intent allocation rejections drivers/rpmsg/qcom_glink_native.c | 10 +++++++--- drivers/soc/qcom/pmic_glink.c | 18 +++++++++++++++--- 2 files changed, 22 insertions(+), 6 deletions(-) --- base-commit: 42f7652d3eb527d03665b09edac47f85fb600924 change-id: 20241022-pmic-glink-ecancelled-d899a9ca0358 Best regards, -- Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com>

8 months, 1 week

3
5
0 0

[PATCH v7 5/5] tpm: flush the auth session only when /dev/tpm0 is open

by Jarkko Sakkinen

Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma <mapengyu(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: - No changes. v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4eaa8e05c291..a3ed7a99a394 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6e52785de9fd..a7079c7ec6d1 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC -- 2.47.0

8 months, 1 week

2
1
0 0

[PATCH v1 1/2] mseal: Two fixes for madvise(MADV_DONTNEED) when sealed

by jeffxu＠chromium.org

From: Jeff Xu <jeffxu(a)chromium.org> Two fixes for madvise(MADV_DONTNEED) when sealed. For PROT_NONE mappings, the previous blocking of madvise(MADV_DONTNEED) is unnecessary. As PROT_NONE already prohibits memory access, madvise(MADV_DONTNEED) should be allowed to proceed in order to free the page. For file-backed, private, read-only memory mappings, we previously did not block the madvise(MADV_DONTNEED). This was based on the assumption that the memory's content, being file-backed, could be retrieved from the file if accessed again. However, this assumption failed to consider scenarios where a mapping is initially created as read-write, modified, and subsequently changed to read-only. The newly introduced VM_WASWRITE flag addresses this oversight. Reported-by: Pedro Falcato <pedro.falcato(a)gmail.com> Link:https://lore.kernel.org/all/CABi2SkW2XzuZ2-TunWOVzTEX1qc29LhjfNQ3hD4Ny… Fixes: 8be7258aad44 ("mseal: add mseal syscall") Cc: <stable(a)vger.kernel.org> # 6.11.y: 4d1b3416659b: mm: move can_modify_vma to mm/vma.h Cc: <stable(a)vger.kernel.org> # 6.11.y: 4a2dd02b0916: mm/mprotect: replace can_modify_mm with can_modify_vma Cc: <stable(a)vger.kernel.org> # 6.11.y: 23c57d1fa2b9: mseal: replace can_modify_mm_madv with a vma variant Cc: <stable(a)vger.kernel.org> # 6.11.y Signed-off-by: Jeff Xu <jeffxu(a)chromium.org> --- include/linux/mm.h | 2 ++ mm/mprotect.c | 3 +++ mm/mseal.c | 42 ++++++++++++++++++++++++++++++++++++------ 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 4c32003c8404..b402eca2565a 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -430,6 +430,8 @@ extern unsigned int kobjsize(const void *objp); #ifdef CONFIG_64BIT /* VM is sealed, in vm_flags */ #define VM_SEALED _BITUL(63) +/* VM was writable */ +#define VM_WASWRITE _BITUL(62) #endif /* Bits set in the VMA until the stack is in its final location */ diff --git a/mm/mprotect.c b/mm/mprotect.c index 0c5d6d06107d..6397135ca526 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -821,6 +821,9 @@ static int do_mprotect_pkey(unsigned long start, size_t len, break; } + if ((vma->vm_flags & VM_WRITE) && !(newflags & VM_WRITE)) + newflags |= VM_WASWRITE; + error = security_file_mprotect(vma, reqprot, prot); if (error) break; diff --git a/mm/mseal.c b/mm/mseal.c index ece977bd21e1..28f28487be17 100644 --- a/mm/mseal.c +++ b/mm/mseal.c @@ -36,12 +36,8 @@ static bool is_madv_discard(int behavior) return false; } -static bool is_ro_anon(struct vm_area_struct *vma) +static bool anon_is_ro(struct vm_area_struct *vma) { - /* check anonymous mapping. */ - if (vma->vm_file || vma->vm_flags & VM_SHARED) - return false; - /* * check for non-writable: * PROT=RO or PKRU is not writeable. @@ -53,6 +49,22 @@ static bool is_ro_anon(struct vm_area_struct *vma) return false; } +static bool vma_is_prot_none(struct vm_area_struct *vma) +{ + if ((vma->vm_flags & VM_ACCESS_FLAGS) == VM_NONE) + return true; + + return false; +} + +static bool vma_was_writable_turn_readonly(struct vm_area_struct *vma) +{ + if (!(vma->vm_flags & VM_WRITE) && vma->vm_flags & VM_WASWRITE) + return true; + + return false; +} + /* * Check if a vma is allowed to be modified by madvise. */ @@ -61,7 +73,25 @@ bool can_modify_vma_madv(struct vm_area_struct *vma, int behavior) if (!is_madv_discard(behavior)) return true; - if (unlikely(!can_modify_vma(vma) && is_ro_anon(vma))) + /* not sealed */ + if (likely(can_modify_vma(vma))) + return true; + + /* PROT_NONE mapping */ + if (vma_is_prot_none(vma)) + return true; + + /* file-backed private mapping */ + if (vma->vm_file) { + /* read-only but was writeable */ + if (vma_was_writable_turn_readonly(vma)) + return false; + + return true; + } + + /* anonymous mapping is read-only */ + if (anon_is_ro(vma)) return false; /* Allow by default. */ -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 1 week

7
10
0 0

[PATCH stable 5.4] mtd: rawnand: protect access to rawnand devices while in suspend

by Florian Fainelli

From: Sean Nyekjaer <sean(a)geanix.com> commit 8cba323437a49a45756d661f500b324fc2d486fe upstream. Prevent rawnand access while in a suspended state. Commit 013e6292aaf5 ("mtd: rawnand: Simplify the locking") allows the rawnand layer to return errors rather than waiting in a blocking wait. Tested on a iMX6ULL. Fixes: 013e6292aaf5 ("mtd: rawnand: Simplify the locking") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Reviewed-by: Boris Brezillon <boris.brezillon(a)collabora.com> Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/20220208085213.1838273-1-sean@geanix.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [florian: Adjust rawnand.h members documentation and position] Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> --- drivers/mtd/nand/raw/nand_base.c | 44 +++++++++++++++----------------- include/linux/mtd/rawnand.h | 2 ++ 2 files changed, 22 insertions(+), 24 deletions(-) diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c index db66c1be6e5f..29e3a5b04778 100644 --- a/drivers/mtd/nand/raw/nand_base.c +++ b/drivers/mtd/nand/raw/nand_base.c @@ -359,16 +359,19 @@ static int nand_isbad_bbm(struct nand_chip *chip, loff_t ofs) * * Return: -EBUSY if the chip has been suspended, 0 otherwise */ -static int nand_get_device(struct nand_chip *chip) +static void nand_get_device(struct nand_chip *chip) { - mutex_lock(&chip->lock); - if (chip->suspended) { + /* Wait until the device is resumed. */ + while (1) { + mutex_lock(&chip->lock); + if (!chip->suspended) { + mutex_lock(&chip->controller->lock); + return; + } mutex_unlock(&chip->lock); - return -EBUSY; - } - mutex_lock(&chip->controller->lock); - return 0; + wait_event(chip->resume_wq, !chip->suspended); + } } /** @@ -593,9 +596,7 @@ static int nand_block_markbad_lowlevel(struct nand_chip *chip, loff_t ofs) nand_erase_nand(chip, &einfo, 0); /* Write bad block marker to OOB */ - ret = nand_get_device(chip); - if (ret) - return ret; + nand_get_device(chip); ret = nand_markbad_bbm(chip, ofs); nand_release_device(chip); @@ -3576,9 +3577,7 @@ static int nand_read_oob(struct mtd_info *mtd, loff_t from, ops->mode != MTD_OPS_RAW) return -ENOTSUPP; - ret = nand_get_device(chip); - if (ret) - return ret; + nand_get_device(chip); if (!ops->datbuf) ret = nand_do_read_oob(chip, from, ops); @@ -4122,13 +4121,11 @@ static int nand_write_oob(struct mtd_info *mtd, loff_t to, struct mtd_oob_ops *ops) { struct nand_chip *chip = mtd_to_nand(mtd); - int ret; + int ret = 0; ops->retlen = 0; - ret = nand_get_device(chip); - if (ret) - return ret; + nand_get_device(chip); switch (ops->mode) { case MTD_OPS_PLACE_OOB: @@ -4184,9 +4181,7 @@ int nand_erase_nand(struct nand_chip *chip, struct erase_info *instr, return -EINVAL; /* Grab the lock and see if the device is available */ - ret = nand_get_device(chip); - if (ret) - return ret; + nand_get_device(chip); /* Shift to get first page */ page = (int)(instr->addr >> chip->page_shift); @@ -4273,7 +4268,7 @@ static void nand_sync(struct mtd_info *mtd) pr_debug("%s: called\n", __func__); /* Grab the lock and see if the device is available */ - WARN_ON(nand_get_device(chip)); + nand_get_device(chip); /* Release it and go back */ nand_release_device(chip); } @@ -4290,9 +4285,7 @@ static int nand_block_isbad(struct mtd_info *mtd, loff_t offs) int ret; /* Select the NAND device */ - ret = nand_get_device(chip); - if (ret) - return ret; + nand_get_device(chip); nand_select_target(chip, chipnr); @@ -4354,6 +4347,8 @@ static void nand_resume(struct mtd_info *mtd) pr_err("%s called for a chip which is not in suspended state\n", __func__); mutex_unlock(&chip->lock); + + wake_up_all(&chip->resume_wq); } /** @@ -5014,6 +5009,7 @@ static int nand_scan_ident(struct nand_chip *chip, unsigned int maxchips, chip->cur_cs = -1; mutex_init(&chip->lock); + init_waitqueue_head(&chip->resume_wq); /* Enforce the right timings for reset/detection */ onfi_fill_data_interface(chip, NAND_SDR_IFACE, 0); diff --git a/include/linux/mtd/rawnand.h b/include/linux/mtd/rawnand.h index 4ab9bccfcde0..9db457532870 100644 --- a/include/linux/mtd/rawnand.h +++ b/include/linux/mtd/rawnand.h @@ -1064,6 +1064,7 @@ struct nand_legacy { * @lock: lock protecting the suspended field. Also used to * serialize accesses to the NAND device. * @suspended: set to 1 when the device is suspended, 0 when it's not. + * @resume_wq: wait queue to sleep if rawnand is in suspended state. * @bbt: [INTERN] bad block table pointer * @bbt_td: [REPLACEABLE] bad block table descriptor for flash * lookup. @@ -1117,6 +1118,7 @@ struct nand_chip { struct mutex lock; unsigned int suspended : 1; + wait_queue_head_t resume_wq; uint8_t *oob_poi; struct nand_controller *controller; -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH v7 2/5] tpm: Implement tpm2_load_null() rollback

by Jarkko Sakkinen

tpm2_load_null() has weak and broken error handling: - The return value of tpm2_create_primary() is ignored. - Leaks TPM return codes from tpm2_load_context() to the caller. - If the key name comparison succeeds returns previous error instead of zero to the caller. Implement a proper error rollback. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> -- v6: - Address Stefan's remark: https://lore.kernel.org/linux-integrity/def4ec2d-584b-405f-9d5e-99267013c3c… v5: - Fix the TPM error code leak from tpm2_load_context(). v4: - No changes. v3: - Update log messages. Previously the log message incorrectly stated on load failure that integrity check had been failed, even tho the check is done *after* the load operation. v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 43 +++++++++++++++++--------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 1e12e0b2492e..bdac11964b55 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -915,33 +915,36 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) - return rc; + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; + goto err; + } - /* an integrity failure may mean the TPM has been reset */ - dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ - return rc; - /* - * Fatal TPM failure: the NULL seed has actually changed, so - * the TPM must have been illegally reset. All in-kernel TPM - * operations will fail because the NULL primary can't be - * loaded to salt the sessions, but disable the TPM anyway so - * userspace programmes can't be compromised by it. - */ - dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) + goto err; + + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + + /* Deduce from the name change TPM interference: */ + dev_err(&chip->dev, "the null key integrity check failedh\n"); + tpm2_flush_context(chip, tmp_null_key); chip->flags |= TPM_CHIP_FLAG_DISABLE; - return rc; +err: + return rc ? -ENODEV : 0; } /** -- 2.47.0

8 months, 1 week

2
1
0 0

[PATCH AUTOSEL 5.4 1/7] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index 73ad78f47763c..7814856636907 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

8 months, 1 week

2
8
0 0

[PATCH 6.1.y 5.15.y 5.10.y 5.4.y 4.19.y] vt: prevent kernel-infoleak in con_font_get()

by Jeongjun Park

commit f956052e00de211b5c9ebaa1958366c23f82ee9e upstream. font.data may not initialize all memory spaces depending on the implementation of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it is safest to modify it to initialize the allocated memory space to 0, and it generally does not affect the overall performance of the system. Cc: stable(a)vger.kernel.org Reported-by: syzbot+955da2d57931604ee691(a)syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://lore.kernel.org/r/20241010174619.59662-1-aha310510@gmail.com --- drivers/tty/vt/vt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 5f1183b0b89d..800979e8d5b6 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4398,7 +4398,7 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op) int c; if (op->data) { - font.data = kmalloc(max_font_size, GFP_KERNEL); + font.data = kzalloc(max_font_size, GFP_KERNEL); if (!font.data) return -ENOMEM; } else --

8 months, 1 week

1
0
0 0

[PATCH AUTOSEL 4.19 1/5] 9p: Avoid creating multiple slab caches with the same name

by Sasha Levin

From: Pedro Falcato <pedro.falcato(a)gmail.com> [ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] In the spirit of [1], avoid creating multiple slab caches with the same name. Instead, add the dev_name into the mix. [1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.co… Signed-off-by: Pedro Falcato <pedro.falcato(a)gmail.com> Reported-by: syzbot+3c5d43e97993e1fa612b(a)syzkaller.appspotmail.com Message-ID: <20240807094725.2193423-1-pedro.falcato(a)gmail.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/9p/client.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/9p/client.c b/net/9p/client.c index a7518e8e76265..e6eee4eecf24b 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -1018,6 +1018,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) int err; struct p9_client *clnt; char *client_id; + char *cache_name; err = 0; clnt = kmalloc(sizeof(struct p9_client), GFP_KERNEL); @@ -1070,15 +1071,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) if (err) goto close_trans; + cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); + if (!cache_name) { + err = -ENOMEM; + goto close_trans; + } + /* P9_HDRSZ + 4 is the smallest packet header we can have that is * followed by data accessed from userspace by read */ clnt->fcall_cache = - kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, + kmem_cache_create_usercopy(cache_name, clnt->msize, 0, 0, P9_HDRSZ + 4, clnt->msize - (P9_HDRSZ + 4), NULL); + kfree(cache_name); return clnt; close_trans: -- 2.43.0

8 months, 1 week

1
4
0 0

[PATCH AUTOSEL 5.4 1/5] 9p: Avoid creating multiple slab caches with the same name

by Sasha Levin

From: Pedro Falcato <pedro.falcato(a)gmail.com> [ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] In the spirit of [1], avoid creating multiple slab caches with the same name. Instead, add the dev_name into the mix. [1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.co… Signed-off-by: Pedro Falcato <pedro.falcato(a)gmail.com> Reported-by: syzbot+3c5d43e97993e1fa612b(a)syzkaller.appspotmail.com Message-ID: <20240807094725.2193423-1-pedro.falcato(a)gmail.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/9p/client.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/9p/client.c b/net/9p/client.c index 2b54f1cef2b0d..0f5db1f414be1 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -1003,6 +1003,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) int err; struct p9_client *clnt; char *client_id; + char *cache_name; err = 0; clnt = kmalloc(sizeof(struct p9_client), GFP_KERNEL); @@ -1055,15 +1056,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) if (err) goto close_trans; + cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); + if (!cache_name) { + err = -ENOMEM; + goto close_trans; + } + /* P9_HDRSZ + 4 is the smallest packet header we can have that is * followed by data accessed from userspace by read */ clnt->fcall_cache = - kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, + kmem_cache_create_usercopy(cache_name, clnt->msize, 0, 0, P9_HDRSZ + 4, clnt->msize - (P9_HDRSZ + 4), NULL); + kfree(cache_name); return clnt; close_trans: -- 2.43.0

8 months, 1 week

1
4
0 0

[PATCH AUTOSEL 5.10 1/6] 9p: Avoid creating multiple slab caches with the same name

by Sasha Levin

From: Pedro Falcato <pedro.falcato(a)gmail.com> [ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] In the spirit of [1], avoid creating multiple slab caches with the same name. Instead, add the dev_name into the mix. [1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.co… Signed-off-by: Pedro Falcato <pedro.falcato(a)gmail.com> Reported-by: syzbot+3c5d43e97993e1fa612b(a)syzkaller.appspotmail.com Message-ID: <20240807094725.2193423-1-pedro.falcato(a)gmail.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/9p/client.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/9p/client.c b/net/9p/client.c index 0fa324e8b2451..2668a1a67c8a8 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -1006,6 +1006,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) int err; struct p9_client *clnt; char *client_id; + char *cache_name; err = 0; clnt = kmalloc(sizeof(struct p9_client), GFP_KERNEL); @@ -1058,15 +1059,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) if (err) goto close_trans; + cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); + if (!cache_name) { + err = -ENOMEM; + goto close_trans; + } + /* P9_HDRSZ + 4 is the smallest packet header we can have that is * followed by data accessed from userspace by read */ clnt->fcall_cache = - kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, + kmem_cache_create_usercopy(cache_name, clnt->msize, 0, 0, P9_HDRSZ + 4, clnt->msize - (P9_HDRSZ + 4), NULL); + kfree(cache_name); return clnt; close_trans: -- 2.43.0

8 months, 1 week

1
5
0 0

[PATCH AUTOSEL 5.15 01/10] 9p: Avoid creating multiple slab caches with the same name

by Sasha Levin

From: Pedro Falcato <pedro.falcato(a)gmail.com> [ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] In the spirit of [1], avoid creating multiple slab caches with the same name. Instead, add the dev_name into the mix. [1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.co… Signed-off-by: Pedro Falcato <pedro.falcato(a)gmail.com> Reported-by: syzbot+3c5d43e97993e1fa612b(a)syzkaller.appspotmail.com Message-ID: <20240807094725.2193423-1-pedro.falcato(a)gmail.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/9p/client.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/9p/client.c b/net/9p/client.c index bf29462c919bb..03fb36d938c70 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -1005,6 +1005,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) int err; struct p9_client *clnt; char *client_id; + char *cache_name; err = 0; clnt = kmalloc(sizeof(*clnt), GFP_KERNEL); @@ -1057,15 +1058,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) if (err) goto close_trans; + cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); + if (!cache_name) { + err = -ENOMEM; + goto close_trans; + } + /* P9_HDRSZ + 4 is the smallest packet header we can have that is * followed by data accessed from userspace by read */ clnt->fcall_cache = - kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, + kmem_cache_create_usercopy(cache_name, clnt->msize, 0, 0, P9_HDRSZ + 4, clnt->msize - (P9_HDRSZ + 4), NULL); + kfree(cache_name); return clnt; close_trans: -- 2.43.0

8 months, 1 week

1
9
0 0

[PATCH AUTOSEL 6.1 01/17] 9p: Avoid creating multiple slab caches with the same name

by Sasha Levin

From: Pedro Falcato <pedro.falcato(a)gmail.com> [ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] In the spirit of [1], avoid creating multiple slab caches with the same name. Instead, add the dev_name into the mix. [1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.co… Signed-off-by: Pedro Falcato <pedro.falcato(a)gmail.com> Reported-by: syzbot+3c5d43e97993e1fa612b(a)syzkaller.appspotmail.com Message-ID: <20240807094725.2193423-1-pedro.falcato(a)gmail.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/9p/client.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/9p/client.c b/net/9p/client.c index 0fc2d706d9c23..18db0e23e2f15 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -969,6 +969,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) int err; struct p9_client *clnt; char *client_id; + char *cache_name; err = 0; clnt = kmalloc(sizeof(*clnt), GFP_KERNEL); @@ -1026,15 +1027,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) if (err) goto close_trans; + cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); + if (!cache_name) { + err = -ENOMEM; + goto close_trans; + } + /* P9_HDRSZ + 4 is the smallest packet header we can have that is * followed by data accessed from userspace by read */ clnt->fcall_cache = - kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, + kmem_cache_create_usercopy(cache_name, clnt->msize, 0, 0, P9_HDRSZ + 4, clnt->msize - (P9_HDRSZ + 4), NULL); + kfree(cache_name); return clnt; close_trans: -- 2.43.0

8 months, 1 week

1
16
0 0

[PATCH AUTOSEL 6.6 01/23] 9p: v9fs_fid_find: also lookup by inode if not found dentry

by Sasha Levin

From: Dominique Martinet <asmadeus(a)codewreck.org> [ Upstream commit 38d222b3163f7b7d737e5d999ffc890a12870e36 ] It's possible for v9fs_fid_find "find by dentry" branch to not turn up anything despite having an entry set (because e.g. uid doesn't match), in which case the calling code will generally make an extra lookup to the server. In this case we might have had better luck looking by inode, so fall back to look up by inode if we have one and the lookup by dentry failed. Message-Id: <20240523210024.1214386-1-asmadeus(a)codewreck.org> Reviewed-by: Christian Schoenebeck <linux_oss(a)crudebyte.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/9p/fid.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/9p/fid.c b/fs/9p/fid.c index de009a33e0e26..f84412290a30c 100644 --- a/fs/9p/fid.c +++ b/fs/9p/fid.c @@ -131,10 +131,9 @@ static struct p9_fid *v9fs_fid_find(struct dentry *dentry, kuid_t uid, int any) } } spin_unlock(&dentry->d_lock); - } else { - if (dentry->d_inode) - ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any); } + if (!ret && dentry->d_inode) + ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any); return ret; } -- 2.43.0

8 months, 1 week

1
22
0 0

[PATCH AUTOSEL 6.11 01/30] 9p: v9fs_fid_find: also lookup by inode if not found dentry

by Sasha Levin

From: Dominique Martinet <asmadeus(a)codewreck.org> [ Upstream commit 38d222b3163f7b7d737e5d999ffc890a12870e36 ] It's possible for v9fs_fid_find "find by dentry" branch to not turn up anything despite having an entry set (because e.g. uid doesn't match), in which case the calling code will generally make an extra lookup to the server. In this case we might have had better luck looking by inode, so fall back to look up by inode if we have one and the lookup by dentry failed. Message-Id: <20240523210024.1214386-1-asmadeus(a)codewreck.org> Reviewed-by: Christian Schoenebeck <linux_oss(a)crudebyte.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/9p/fid.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/9p/fid.c b/fs/9p/fid.c index de009a33e0e26..f84412290a30c 100644 --- a/fs/9p/fid.c +++ b/fs/9p/fid.c @@ -131,10 +131,9 @@ static struct p9_fid *v9fs_fid_find(struct dentry *dentry, kuid_t uid, int any) } } spin_unlock(&dentry->d_lock); - } else { - if (dentry->d_inode) - ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any); } + if (!ret && dentry->d_inode) + ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any); return ret; } -- 2.43.0

8 months, 1 week

1
29
0 0

RE:Small MOQ Bags

by Steven

8 months, 1 week

1
0
0 0

[PATCH v4 0/3] Fix KASAN crash when using KASAN_VMALLOC

by Linus Walleij

This problem reported by Clement LE GOFFIC manifest when using CONFIG_KASAN_IN_VMALLOC and VMAP_STACK: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db… After some analysis it seems we are missing to sync the VMALLOC shadow memory in top level PGD to all CPUs. Add some code to perform this sync, and the bug appears to go away. As suggested by Ard, also perform a dummy read from the shadow memory of the new VMAP_STACK in the low level assembly. Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> --- Changes in v4: - Since Kasan is not using header stubs, it is necessary to avoid kasan_*() calls using ifdef when compiling without KASAN. - Lift a line aligning the end of vmalloc from Melon Liu's very similar patch so we have feature parity, credit Melon as co-developer. - Include the atomic_read_acquire() patch in the series due to context requirements. - Verify that the after the patch the kernel still builds and boots without Kasan. - Link to v3: https://lore.kernel.org/r/20241017-arm-kasan-vmalloc-crash-v3-0-d2a34cd5b66… Changes in v3: - Collect Mark Rutlands ACK on patch 1 - Change the simplified assembly add r2, ip, lsr #n to the canonical add r2, r2, ip, lsr #n in patch 2. - Link to v2: https://lore.kernel.org/r/20241016-arm-kasan-vmalloc-crash-v2-0-0a52fd086ee… Changes in v2: - Implement the two helper functions suggested by Russell making the KASAN PGD copying less messy. - Link to v1: https://lore.kernel.org/r/20241015-arm-kasan-vmalloc-crash-v1-0-dbb23592ca8… --- Linus Walleij (3): ARM: ioremap: Sync PGDs for VMALLOC shadow ARM: entry: Do a dummy read from VMAP shadow mm: Pair atomic_set_release() with _read_acquire() arch/arm/kernel/entry-armv.S | 8 ++++++++ arch/arm/mm/ioremap.c | 35 ++++++++++++++++++++++++++++++----- 2 files changed, 38 insertions(+), 5 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241015-arm-kasan-vmalloc-crash-fcbd51416457 Best regards, -- Linus Walleij <linus.walleij(a)linaro.org>

8 months, 1 week

1
4
0 0

Re: Patch "selftests: mm: fix the incorrect usage() info of khugepaged" has been added to the 6.11-stable tree

by Nanyong Sun

On 2024/10/23 1:44, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > selftests: mm: fix the incorrect usage() info of khugepaged > > to the 6.11-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > selftests-mm-fix-the-incorrect-usage-info-of-khugepa.patch > and it can be found in the queue-6.11 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi， I don't think this patch needs to be added to the stable tree because this just fixes usage information, as Andrew had previously said： https://lore.kernel.org/lkml/20241017001441.2db5adaaa63dc3faa0934204@linux-… > > > > commit ad8b93ffe0a86e3b6be297826cd34b12080fc877 > Author: Nanyong Sun <sunnanyong(a)huawei.com> > Date: Tue Oct 15 10:02:57 2024 +0800 > > selftests: mm: fix the incorrect usage() info of khugepaged > > [ Upstream commit 3e822bed2fbd1527d88f483342b1d2a468520a9a ] > > The mount option of tmpfs should be huge=advise, not madvise which is not > supported and may mislead the users. > > Link: https://lkml.kernel.org/r/20241015020257.139235-1-sunnanyong@huawei.com > Fixes: 1b03d0d558a2 ("selftests/vm: add thp collapse file and tmpfs testing") > Signed-off-by: Nanyong Sun <sunnanyong(a)huawei.com> > Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> > Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> > Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> > Cc: Shuah Khan <shuah(a)kernel.org> > Cc: Zach O'Keefe <zokeefe(a)google.com> > Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/tools/testing/selftests/mm/khugepaged.c b/tools/testing/selftests/mm/khugepaged.c > index 829320a519e72..89dec42986825 100644 > --- a/tools/testing/selftests/mm/khugepaged.c > +++ b/tools/testing/selftests/mm/khugepaged.c > @@ -1091,7 +1091,7 @@ static void usage(void) > fprintf(stderr, "\n\t\"file,all\" mem_type requires kernel built with\n"); > fprintf(stderr, "\tCONFIG_READ_ONLY_THP_FOR_FS=y\n"); > fprintf(stderr, "\n\tif [dir] is a (sub)directory of a tmpfs mount, tmpfs must be\n"); > - fprintf(stderr, "\tmounted with huge=madvise option for khugepaged tests to work\n"); > + fprintf(stderr, "\tmounted with huge=advise option for khugepaged tests to work\n"); > fprintf(stderr, "\n\tSupported Options:\n"); > fprintf(stderr, "\t\t-h: This help message.\n"); > fprintf(stderr, "\t\t-s: mTHP size, expressed as page order.\n"); > .

8 months, 1 week

2
1
0 0

[PATCH 6.6 000/124] 6.6.58-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.58 release. There are 124 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 23 Oct 2024 10:22:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.58-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.58-rc1 Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: remove duplicated variables Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: join: test for prohibited MPC to port-based endp Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: join: change capture/checksum as bool Paolo Abeni <pabeni(a)redhat.com> tcp: fix mptcp DSS corruption due to large pmtu xmit Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix receiver enable Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix dma rx cancellation Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: revert broken hibernation support Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix polled console initialisation Nam Cao <namcao(a)linutronix.de> irqchip/sifive-plic: Unmask interrupt in plic_irq_enable() Marc Zyngier <maz(a)kernel.org> irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Ma Ke <make24(a)iscas.ac.cn> pinctrl: apple: check devm_kasprintf() returned value Ma Ke <make24(a)iscas.ac.cn> pinctrl: stm32: check devm_kasprintf() returned value Sergey Matsievskiy <matsievskiysv(a)gmail.com> pinctrl: ocelot: fix system hang on level based interrupts Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bugs: Use code segment selector for VERW operand Longlong Xia <xialonglong(a)kylinos.cn> tty: n_gsm: Fix use-after-free in gsm_cleanup_mux Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Clear CPU buffers after register restore in NMI return Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Do not clobber user EFLAGS.ZF John Allen <john.allen(a)amd.com> x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Nathan Chancellor <nathan(a)kernel.org> x86/resctrl: Annotate get_mem_config() functions as __init Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Marek Vasut <marex(a)denx.de> serial: imx: Update mctrl old_status on RTSD interrupt Heiko Thiery <heiko.thiery(a)gmail.com> misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for OTP device Heiko Thiery <heiko.thiery(a)gmail.com> misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for EEPROM device Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG Jonathan Marek <jonathan(a)marek.ca> usb: typec: qcom-pmic-typec: fix sink status being overwritten with RP_DEF Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Mitigate failed set dequeue pointer commands Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Henry Lin <henryl(a)nvidia.com> xhci: tegra: fix checked USB2 port number Jeongjun Park <aha310510(a)gmail.com> vt: prevent kernel-infoleak in con_font_get() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Aaron Thompson <dev(a)aaront.org> Bluetooth: ISO: Fix multiple init when debugfs is disabled Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Aaron Thompson <dev(a)aaront.org> Bluetooth: Call iso_exit() on module unload Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix IIO device retrieval from embedded device Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix ALS sensor resolution Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Mohammed Anees <pvmohammedanees2003(a)gmail.com> drm/amdgpu: prevent BO_HANDLES error from being overwritten Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/swsmu: Only force workload setup on init Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/radeon: Fix encoder->possible_clones Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: core: Fix the issue of ICU failure Seunghwan Baek <sh8267.baek(a)samsung.com> scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down John Edwards <uejji(a)uejji.net> Input: xpad - add support for MSI Claw A1M Yun Lu <luyun(a)kylinos.cn> selftest: hid: add the missing tests directory Ming Lei <ming.lei(a)redhat.com> ublk: don't allow user copy for unprivileged device Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: close race on waiting for sqring entries Omar Sandoval <osandov(a)fb.com> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Skip RSB fill at VMEXIT Johannes Wikner <kwikner(a)ethz.ch> x86/entry: Have entry_ibpb() invalidate return predictions Johannes Wikner <kwikner(a)ethz.ch> x86/cpufeatures: Add a IBPB_NO_RET BUG flag Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: gaccess: Check if guest address is in memslot Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp: Deactivate sclp after all its users Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Paolo Abeni <pabeni(a)redhat.com> mptcp: prevent MPC handshake on port-based signal endpoints Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Remove duplicated code Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Move `fec_ptp_read()` to the top of the file Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> maple_tree: correct tree corruption on spanning store Darrick J. Wong <djwong(a)kernel.org> xfs: restrict when we try to align cow fork delalloc to cowextsz hints Darrick J. Wong <djwong(a)kernel.org> xfs: allow unlinked symlinks and dirs with zero size Christoph Hellwig <hch(a)lst.de> xfs: fix freeing speculative preallocations for preallocated files Dave Chinner <dchinner(a)redhat.com> xfs: fix unlink vs cluster buffer instantiation race Wengang Wang <wen.gang.wang(a)oracle.com> xfs: make sure sb_fdblocks is non-negative Darrick J. Wong <djwong(a)kernel.org> xfs: allow symlinks with short remote targets Zhang Yi <yi.zhang(a)huawei.com> xfs: convert delayed extents to unwritten when zeroing post eof blocks Zhang Yi <yi.zhang(a)huawei.com> xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset Zhang Yi <yi.zhang(a)huawei.com> xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional Zhang Yi <yi.zhang(a)huawei.com> xfs: match lock mode in xfs_buffered_write_iomap_begin() Darrick J. Wong <djwong(a)kernel.org> xfs: use dontcache for grabbing inodes during scrub Darrick J. Wong <djwong(a)kernel.org> xfs: revert commit 44af6c7e59b12 Darrick J. Wong <djwong(a)kernel.org> xfs: enforce one namespace per attribute Darrick J. Wong <djwong(a)kernel.org> xfs: validate recovered name buffers when recovering xattr items Darrick J. Wong <djwong(a)kernel.org> xfs: check shortform attr entry flags specifically Darrick J. Wong <djwong(a)kernel.org> xfs: fix missing check for invalid attr flags Darrick J. Wong <djwong(a)kernel.org> xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 Darrick J. Wong <djwong(a)kernel.org> xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery Christoph Hellwig <hch(a)lst.de> xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent Christoph Hellwig <hch(a)lst.de> xfs: fix xfs_bmap_add_extent_delay_real for partial conversions Christoph Hellwig <hch(a)lst.de> xfs: fix error returns from xfs_bmapi_write Liu Shixin <liushixin2(a)huawei.com> mm/swapfile: skip HugeTLB pages for unuse_vma Wei Xu <weixugc(a)google.com> mm/mglru: only clear kswapd_failures if reclaimable Jann Horn <jannh(a)google.com> mm/mremap: fix move_normal_pmd/retract_page_tables race Edward Liaw <edliaw(a)google.com> selftests/mm: fix deadlock for fork after pthread_create on ARM Edward Liaw <edliaw(a)google.com> selftests/mm: replace atomic_bool with pthread_barrier_t OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable Nianyao Tang <tangnianyao(a)huawei.com> irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Jinjie Ruan <ruanjinjie(a)huawei.com> net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() Oleksij Rempel <o.rempel(a)pengutronix.de> net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix uprobes for big-endian kernels Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Wei Fang <wei.fang(a)nxp.com> net: enetc: add missing static descriptor and inline keyword Wei Fang <wei.fang(a)nxp.com> net: enetc: disable NAPI after all rings are disabled Wei Fang <wei.fang(a)nxp.com> net: enetc: disable Tx BD rings after they are empty Wei Fang <wei.fang(a)nxp.com> net: enetc: block concurrent XDP transmissions during ring reconfiguration Wei Fang <wei.fang(a)nxp.com> net: enetc: remove xdp_drops statistic from enetc_xdp_drop() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix user-after-free from session log off Roi Martin <jroi.martin(a)gmail.com> btrfs: fix uninitialized pointer free on read_alloc_one_name() error Roi Martin <jroi.martin(a)gmail.com> btrfs: fix uninitialized pointer free in add_inode_ref() ------------- Diffstat: Makefile | 4 +- arch/arm64/include/asm/uprobes.h | 8 +- arch/arm64/kernel/probes/decode-insn.c | 16 ++- arch/arm64/kernel/probes/simulate-insn.c | 18 ++- arch/arm64/kernel/probes/uprobes.c | 4 +- arch/s390/kvm/diag.c | 2 +- arch/s390/kvm/gaccess.c | 4 + arch/s390/kvm/gaccess.h | 14 ++- arch/x86/entry/entry.S | 5 + arch/x86/entry/entry_32.S | 6 +- arch/x86/include/asm/cpufeatures.h | 4 +- arch/x86/include/asm/nospec-branch.h | 11 +- arch/x86/kernel/apic/apic.c | 14 ++- arch/x86/kernel/cpu/amd.c | 3 +- arch/x86/kernel/cpu/bugs.c | 32 +++++ arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/resctrl/core.c | 4 +- block/blk-rq-qos.c | 2 +- drivers/block/ublk_drv.c | 11 +- drivers/bluetooth/btusb.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 +- drivers/gpu/drm/radeon/radeon_encoders.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/iio/accel/Kconfig | 2 + drivers/iio/adc/Kconfig | 5 + drivers/iio/amplifiers/Kconfig | 1 + .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 7 ++ drivers/iio/frequency/Kconfig | 1 + drivers/iio/light/Kconfig | 2 + drivers/iio/light/opt3001.c | 4 + drivers/iio/light/veml6030.c | 5 +- drivers/iio/proximity/Kconfig | 2 + drivers/input/joystick/xpad.c | 2 + drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v3-its.c | 26 ++-- drivers/irqchip/irq-sifive-plic.c | 21 ++-- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c | 2 + drivers/net/ethernet/cadence/macb_main.c | 14 ++- drivers/net/ethernet/freescale/enetc/enetc.c | 56 +++++++-- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + drivers/net/ethernet/freescale/fec_ptp.c | 58 ++++----- .../net/ethernet/microchip/vcap/vcap_api_kunit.c | 2 + drivers/parport/procfs.c | 22 ++-- drivers/pinctrl/pinctrl-apple-gpio.c | 3 + drivers/pinctrl/pinctrl-ocelot.c | 8 +- drivers/pinctrl/stm32/pinctrl-stm32.c | 9 +- drivers/s390/char/sclp.c | 3 +- drivers/s390/char/sclp_vt220.c | 4 +- drivers/tty/n_gsm.c | 2 + drivers/tty/serial/imx.c | 15 +++ drivers/tty/serial/qcom_geni_serial.c | 90 +++++++------- drivers/tty/vt/vt.c | 2 +- drivers/ufs/core/ufs-mcq.c | 15 +-- drivers/ufs/core/ufshcd.c | 4 +- drivers/usb/dwc3/gadget.c | 10 +- drivers/usb/host/xhci-ring.c | 2 +- drivers/usb/host/xhci-tegra.c | 2 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/serial/option.c | 8 ++ drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c | 1 - fs/btrfs/tree-log.c | 6 +- fs/fat/namei_vfat.c | 2 +- fs/nilfs2/dir.c | 50 ++++---- fs/nilfs2/namei.c | 39 ++++-- fs/nilfs2/nilfs.h | 2 +- fs/smb/server/mgmt/user_session.c | 26 +++- fs/smb/server/mgmt/user_session.h | 4 + fs/smb/server/server.c | 2 + fs/smb/server/smb2pdu.c | 8 +- fs/xfs/libxfs/xfs_attr.c | 11 ++ fs/xfs/libxfs/xfs_attr.h | 4 +- fs/xfs/libxfs/xfs_attr_leaf.c | 6 +- fs/xfs/libxfs/xfs_attr_remote.c | 1 - fs/xfs/libxfs/xfs_bmap.c | 130 ++++++++++++++++---- fs/xfs/libxfs/xfs_da_btree.c | 20 +-- fs/xfs/libxfs/xfs_da_format.h | 5 + fs/xfs/libxfs/xfs_inode_buf.c | 49 ++++++-- fs/xfs/libxfs/xfs_sb.c | 7 +- fs/xfs/scrub/attr.c | 47 ++++--- fs/xfs/scrub/common.c | 12 +- fs/xfs/scrub/scrub.h | 7 ++ fs/xfs/xfs_aops.c | 54 +++------ fs/xfs/xfs_attr_item.c | 98 ++++++++++++--- fs/xfs/xfs_attr_list.c | 11 +- fs/xfs/xfs_bmap_util.c | 65 ++++++---- fs/xfs/xfs_bmap_util.h | 2 +- fs/xfs/xfs_dquot.c | 1 - fs/xfs/xfs_icache.c | 2 +- fs/xfs/xfs_inode.c | 37 +++--- fs/xfs/xfs_iomap.c | 81 +++++++------ fs/xfs/xfs_reflink.c | 20 --- fs/xfs/xfs_rtalloc.c | 2 - include/linux/fsl/enetc_mdio.h | 3 +- include/linux/irqchip/arm-gic-v4.h | 4 +- include/uapi/linux/ublk_cmd.h | 8 +- io_uring/io_uring.h | 9 +- kernel/time/posix-clock.c | 3 + lib/maple_tree.c | 12 +- mm/mremap.c | 11 +- mm/swapfile.c | 2 +- mm/vmscan.c | 4 +- net/bluetooth/af_bluetooth.c | 3 + net/bluetooth/iso.c | 6 +- net/ipv4/tcp_output.c | 4 +- net/mptcp/mib.c | 1 + net/mptcp/mib.h | 1 + net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 11 ++ sound/pci/hda/patch_conexant.c | 19 +++ tools/testing/selftests/hid/Makefile | 1 + tools/testing/selftests/mm/uffd-common.c | 5 +- tools/testing/selftests/mm/uffd-common.h | 3 +- tools/testing/selftests/mm/uffd-unit-tests.c | 21 +++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 135 +++++++++++++++------ tools/testing/selftests/net/mptcp/mptcp_lib.sh | 11 -- 118 files changed, 1126 insertions(+), 574 deletions(-)

8 months, 1 week

10
134
0 0

[PATCH 6.1 00/91] 6.1.114-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.114 release. There are 91 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 23 Oct 2024 10:22:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.114-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.114-rc1 Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Add big-endian ELFv2 flavour to crypto VMX asm generation Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Paolo Abeni <pabeni(a)redhat.com> mptcp: prevent MPC handshake on port-based signal endpoints Paolo Abeni <pabeni(a)redhat.com> tcp: fix mptcp DSS corruption due to large pmtu xmit Nam Cao <namcao(a)linutronix.de> irqchip/sifive-plic: Unmask interrupt in plic_irq_enable() Marc Zyngier <maz(a)kernel.org> irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Ma Ke <make24(a)iscas.ac.cn> pinctrl: apple: check devm_kasprintf() returned value Sergey Matsievskiy <matsievskiysv(a)gmail.com> pinctrl: ocelot: fix system hang on level based interrupts Longlong Xia <xialonglong(a)kylinos.cn> tty: n_gsm: Fix use-after-free in gsm_cleanup_mux Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Clear CPU buffers after register restore in NMI return Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Do not clobber user EFLAGS.ZF Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Nathan Chancellor <nathan(a)kernel.org> x86/resctrl: Annotate get_mem_config() functions as __init Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Mitigate failed set dequeue pointer commands Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Aaron Thompson <dev(a)aaront.org> Bluetooth: ISO: Fix multiple init when debugfs is disabled Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Aaron Thompson <dev(a)aaront.org> Bluetooth: Call iso_exit() on module unload Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix IIO device retrieval from embedded device Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix ALS sensor resolution Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Mohammed Anees <pvmohammedanees2003(a)gmail.com> drm/amdgpu: prevent BO_HANDLES error from being overwritten Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/swsmu: Only force workload setup on init Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/radeon: Fix encoder->possible_clones Seunghwan Baek <sh8267.baek(a)samsung.com> scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: close race on waiting for sqring entries Omar Sandoval <osandov(a)fb.com> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Skip RSB fill at VMEXIT Johannes Wikner <kwikner(a)ethz.ch> x86/entry: Have entry_ibpb() invalidate return predictions Johannes Wikner <kwikner(a)ethz.ch> x86/cpufeatures: Add a IBPB_NO_RET BUG flag Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: gaccess: Check if guest address is in memslot Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp: Deactivate sclp after all its users Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Wachowski, Karol <karol.wachowski(a)intel.com> drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> maple_tree: correct tree corruption on spanning store Jakub Kicinski <kuba(a)kernel.org> devlink: bump the instance index directly when iterating Jakub Kicinski <kuba(a)kernel.org> devlink: drop the filter argument from devlinks_xa_find_get Liu Shixin <liushixin2(a)huawei.com> mm/swapfile: skip HugeTLB pages for unuse_vma OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable Nianyao Tang <tangnianyao(a)huawei.com> irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Oleksij Rempel <linux(a)rempel-privat.de> net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Wei Fang <wei.fang(a)nxp.com> net: enetc: add missing static descriptor and inline keyword Wei Fang <wei.fang(a)nxp.com> net: enetc: remove xdp_drops statistic from enetc_xdp_drop() Jan Kara <jack(a)suse.cz> udf: Don't return bh from udf_expand_dir_adinicb() Jan Kara <jack(a)suse.cz> udf: Handle error when expanding directory Jan Kara <jack(a)suse.cz> udf: Remove old directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_link() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_mkdir() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_add_nondir() to new directory iteration Jan Kara <jack(a)suse.cz> udf: Implement adding of dir entries using new iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_unlink() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_rmdir() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert empty_dir() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_get_parent() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_lookup() to use new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_readdir() to new directory iteration Jan Kara <jack(a)suse.cz> udf: Convert udf_rename() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Provide function to mark entry as deleted using new directory iteration code Jan Kara <jack(a)suse.cz> udf: Implement searching for directory entry using new iteration code Jan Kara <jack(a)suse.cz> udf: Move udf_expand_dir_adinicb() to its callsite Jan Kara <jack(a)suse.cz> udf: Convert udf_expand_dir_adinicb() to new directory iteration Jan Kara <jack(a)suse.cz> udf: New directory iteration code Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix user-after-free from session log off Roi Martin <jroi.martin(a)gmail.com> btrfs: fix uninitialized pointer free on read_alloc_one_name() error Roi Martin <jroi.martin(a)gmail.com> btrfs: fix uninitialized pointer free in add_inode_ref() ------------- Diffstat: Makefile | 4 +- arch/arm64/kernel/probes/decode-insn.c | 16 +- arch/arm64/kernel/probes/simulate-insn.c | 18 +- arch/s390/kvm/diag.c | 2 +- arch/s390/kvm/gaccess.c | 4 + arch/s390/kvm/gaccess.h | 14 +- arch/x86/entry/entry.S | 5 + arch/x86/entry/entry_32.S | 6 +- arch/x86/include/asm/cpufeatures.h | 4 +- arch/x86/kernel/apic/apic.c | 14 +- arch/x86/kernel/cpu/bugs.c | 32 + arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/resctrl/core.c | 4 +- block/blk-rq-qos.c | 2 +- drivers/bluetooth/btusb.c | 13 +- drivers/crypto/vmx/Makefile | 12 +- drivers/crypto/vmx/ppc-xlate.pl | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 +- drivers/gpu/drm/drm_gem_shmem_helper.c | 3 + drivers/gpu/drm/radeon/radeon_encoders.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/iio/adc/Kconfig | 4 + drivers/iio/amplifiers/Kconfig | 1 + .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 7 + drivers/iio/light/opt3001.c | 4 + drivers/iio/light/veml6030.c | 5 +- drivers/iio/proximity/Kconfig | 2 + drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v3-its.c | 26 +- drivers/irqchip/irq-sifive-plic.c | 21 +- drivers/net/ethernet/cadence/macb_main.c | 14 +- drivers/net/ethernet/freescale/enetc/enetc.c | 2 +- drivers/parport/procfs.c | 22 +- drivers/pinctrl/pinctrl-apple-gpio.c | 3 + drivers/pinctrl/pinctrl-ocelot.c | 8 +- drivers/s390/char/sclp.c | 3 +- drivers/s390/char/sclp_vt220.c | 4 +- drivers/tty/n_gsm.c | 2 + drivers/ufs/core/ufshcd.c | 4 +- drivers/usb/dwc3/gadget.c | 10 +- drivers/usb/host/xhci-ring.c | 2 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/serial/option.c | 8 + fs/btrfs/tree-log.c | 6 +- fs/fat/namei_vfat.c | 2 +- fs/nilfs2/dir.c | 50 +- fs/nilfs2/namei.c | 39 +- fs/nilfs2/nilfs.h | 2 +- fs/smb/server/mgmt/user_session.c | 26 +- fs/smb/server/mgmt/user_session.h | 4 + fs/smb/server/server.c | 2 + fs/smb/server/smb2pdu.c | 8 +- fs/udf/dir.c | 148 +-- fs/udf/directory.c | 594 ++++++++--- fs/udf/inode.c | 90 -- fs/udf/namei.c | 1037 +++++++------------- fs/udf/udfdecl.h | 45 +- include/linux/fsl/enetc_mdio.h | 3 +- include/linux/irqchip/arm-gic-v4.h | 4 +- io_uring/io_uring.h | 9 +- kernel/time/posix-clock.c | 3 + lib/maple_tree.c | 12 +- mm/swapfile.c | 2 +- net/bluetooth/af_bluetooth.c | 3 + net/bluetooth/iso.c | 6 +- net/devlink/leftover.c | 40 +- net/ipv4/tcp_output.c | 4 +- net/mptcp/mib.c | 1 + net/mptcp/mib.h | 1 + net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 11 + sound/pci/hda/patch_conexant.c | 19 + 75 files changed, 1237 insertions(+), 1275 deletions(-)

8 months, 1 week

10
106
0 0

[PATCH] drm/i915/gt: Cleanup partial engine discovery failures

by kai.kang＠windriver.com

From: Chris Wilson <chris.p.wilson(a)intel.com> commit 78a033433a5ae4fee85511ee075bc9a48312c79e upstream. If we abort driver initialisation in the middle of gt/engine discovery, some engines will be fully setup and some not. Those incompletely setup engines only have 'engine->release == NULL' and so will leak any of the common objects allocated. v2: - Drop the destroy_pinned_context() helper for now. It's not really worth it with just a single callsite at the moment. (Janusz) Signed-off-by: Chris Wilson <chris.p.wilson(a)intel.com> Cc: Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> Signed-off-by: Matt Roper <matthew.d.roper(a)intel.com> Reviewed-by: Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220915232654.3283095-2-matt… Cc: <stable(a)vger.kernel.org> # 5.10+ --- drivers/gpu/drm/i915/gt/intel_engine_cs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c index a19537706ed1..eb6f4d7f1e34 100644 --- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c +++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c @@ -904,8 +904,13 @@ int intel_engines_init(struct intel_gt *gt) return err; err = setup(engine); - if (err) + if (err) { + intel_engine_cleanup_common(engine); return err; + } + + /* The backend should now be responsible for cleanup */ + GEM_BUG_ON(engine->release == NULL); err = engine_init_common(engine); if (err) -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH 5.10 00/52] 5.10.228-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.228 release. There are 52 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 23 Oct 2024 10:22:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.228-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.228-rc1 Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Paolo Abeni <pabeni(a)redhat.com> tcp: fix mptcp DSS corruption due to large pmtu xmit Paolo Abeni <pabeni(a)redhat.com> mptcp: handle consistently DSS corruption Geliang Tang <geliang.tang(a)suse.com> mptcp: track and update contiguous data status Marc Zyngier <maz(a)kernel.org> irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Clear CPU buffers after register restore in NMI return Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Do not clobber user EFLAGS.ZF Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Nathan Chancellor <nathan(a)kernel.org> x86/resctrl: Annotate get_mem_config() functions as __init Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix IIO device retrieval from embedded device Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix ALS sensor resolution Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/radeon: Fix encoder->possible_clones Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: close race on waiting for sqring entries Omar Sandoval <osandov(a)fb.com> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Skip RSB fill at VMEXIT Johannes Wikner <kwikner(a)ethz.ch> x86/entry: Have entry_ibpb() invalidate return predictions Johannes Wikner <kwikner(a)ethz.ch> x86/cpufeatures: Add a IBPB_NO_RET BUG flag Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not put cpumask on stack Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: retain test for whether the CPU is valid Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not allow pinning outside of cpuset Breno Leitao <leitao(a)debian.org> KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix potential key use-after-free Liu Shixin <liushixin2(a)huawei.com> mm/swapfile: skip HugeTLB pages for unuse_vma OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable Nianyao Tang <tangnianyao(a)huawei.com> irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Oleksij Rempel <linux(a)rempel-privat.de> net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Wei Fang <wei.fang(a)nxp.com> net: enetc: add missing static descriptor and inline keyword Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ------------- Diffstat: Makefile | 4 +- arch/arm64/kernel/probes/decode-insn.c | 16 ++++--- arch/arm64/kernel/probes/simulate-insn.c | 18 +++----- arch/powerpc/mm/numa.c | 6 +-- arch/s390/kvm/diag.c | 2 +- arch/x86/entry/entry.S | 5 +++ arch/x86/entry/entry_32.S | 6 ++- arch/x86/include/asm/cpufeatures.h | 5 ++- arch/x86/kernel/apic/apic.c | 14 +++++- arch/x86/kernel/cpu/bugs.c | 32 ++++++++++++++ arch/x86/kernel/cpu/common.c | 3 ++ arch/x86/kernel/cpu/resctrl/core.c | 4 +- block/blk-rq-qos.c | 2 +- drivers/bluetooth/btusb.c | 13 ++++-- drivers/gpu/drm/radeon/radeon_encoders.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/iio/adc/Kconfig | 4 ++ .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 3 ++ drivers/iio/light/opt3001.c | 4 ++ drivers/iio/light/veml6030.c | 5 +-- drivers/iio/proximity/Kconfig | 2 + drivers/irqchip/irq-gic-v3-its.c | 26 ++++++++--- drivers/net/ethernet/cadence/macb_main.c | 14 ++++-- drivers/parport/procfs.c | 22 +++++----- drivers/s390/char/sclp_vt220.c | 4 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/serial/option.c | 8 ++++ fs/fat/namei_vfat.c | 2 +- fs/nilfs2/dir.c | 50 ++++++++++++---------- fs/nilfs2/namei.c | 39 +++++++++++------ fs/nilfs2/nilfs.h | 2 +- include/linux/fsl/enetc_mdio.h | 3 +- include/linux/irqchip/arm-gic-v4.h | 4 +- io_uring/io_uring.c | 21 ++++++++- kernel/time/posix-clock.c | 3 ++ mm/swapfile.c | 2 +- net/bluetooth/af_bluetooth.c | 1 + net/ipv4/tcp_output.c | 2 +- net/mac80211/cfg.c | 3 ++ net/mac80211/key.c | 2 +- net/mptcp/mib.c | 2 + net/mptcp/mib.h | 2 + net/mptcp/protocol.c | 26 +++++++++-- net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 3 +- sound/pci/hda/patch_conexant.c | 19 ++++++++ virt/kvm/kvm_main.c | 5 ++- 48 files changed, 308 insertions(+), 113 deletions(-)

8 months, 1 week

7
58
0 0

[PATCH wireless] wifi: iwlwifi: mvm: fix 6 GHz scan construction

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> If more than 255 colocated APs exist for the set of all APs found during 2.5/5 GHz scanning, then the 6 GHz scan construction will loop forever since the loop variable has type u8, which can never reach the number found when that's bigger than 255, and is stored in a u32 variable. Also move it into the loops to have a smaller scope. Using a u32 there is fine, we limit the number of APs in the scan list and each has a limit on the number of RNR entries due to the frame size. With a limit of 1000 scan results, a frame size upper bound of 4096 (really it's more like ~2300) and a TBTT entry size of at least 11, we get an upper bound for the number of ~372k, well in the bounds of a u32. Cc: stable(a)vger.kernel.org Fixes: eae94cf82d74 ("iwlwifi: mvm: add support for 6GHz") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219375 Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> --- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c index 3ce9150213a7..ddcbd80a49fb 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c @@ -1774,7 +1774,7 @@ iwl_mvm_umac_scan_cfg_channels_v7_6g(struct iwl_mvm *mvm, &cp->channel_config[ch_cnt]; u32 s_ssid_bitmap = 0, bssid_bitmap = 0, flags = 0; - u8 j, k, n_s_ssids = 0, n_bssids = 0; + u8 k, n_s_ssids = 0, n_bssids = 0; u8 max_s_ssids, max_bssids; bool force_passive = false, found = false, allow_passive = true, unsolicited_probe_on_chan = false, psc_no_listen = false; @@ -1799,7 +1799,7 @@ iwl_mvm_umac_scan_cfg_channels_v7_6g(struct iwl_mvm *mvm, cfg->v5.iter_count = 1; cfg->v5.iter_interval = 0; - for (j = 0; j < params->n_6ghz_params; j++) { + for (u32 j = 0; j < params->n_6ghz_params; j++) { s8 tmp_psd_20; if (!(scan_6ghz_params[j].channel_idx == i)) @@ -1873,7 +1873,7 @@ iwl_mvm_umac_scan_cfg_channels_v7_6g(struct iwl_mvm *mvm, * SSID. * TODO: improve this logic */ - for (j = 0; j < params->n_6ghz_params; j++) { + for (u32 j = 0; j < params->n_6ghz_params; j++) { if (!(scan_6ghz_params[j].channel_idx == i)) continue; -- 2.47.0

8 months, 1 week

1
0
0 0

[PATCH 6.11 000/135] 6.11.5-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.5 release. There are 135 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 23 Oct 2024 10:22:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.5-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.5-rc1 Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Chris Li <chrisl(a)kernel.org> mm: vmscan.c: fix OOM on swap stress test Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix receiver enable Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix dma rx cancellation Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix shutdown race Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: revert broken hibernation support Johan Hovold <johan+linaro(a)kernel.org> serial: qcom-geni: fix polled console initialisation Charlie Jenkins <charlie(a)rivosinc.com> irqchip/sifive-plic: Return error code on failure Nam Cao <namcao(a)linutronix.de> irqchip/sifive-plic: Unmask interrupt in plic_irq_enable() Marc Zyngier <maz(a)kernel.org> irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Ma Ke <make24(a)iscas.ac.cn> pinctrl: apple: check devm_kasprintf() returned value Ma Ke <make24(a)iscas.ac.cn> pinctrl: stm32: check devm_kasprintf() returned value Sergey Matsievskiy <matsievskiysv(a)gmail.com> pinctrl: ocelot: fix system hang on level based interrupts Javier Carrasco <javier.carrasco.cruz(a)gmail.com> pinctrl: intel: platform: fix error path in device_for_each_child_node() Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bugs: Use code segment selector for VERW operand Longlong Xia <xialonglong(a)kylinos.cn> tty: n_gsm: Fix use-after-free in gsm_cleanup_mux Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Clear CPU buffers after register restore in NMI return Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Do not clobber user EFLAGS.ZF John Allen <john.allen(a)amd.com> x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Nathan Chancellor <nathan(a)kernel.org> x86/resctrl: Annotate get_mem_config() functions as __init Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Marek Vasut <marex(a)denx.de> serial: imx: Update mctrl old_status on RTSD interrupt Heiko Thiery <heiko.thiery(a)gmail.com> misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for OTP device Heiko Thiery <heiko.thiery(a)gmail.com> misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for EEPROM device Roger Quadros <rogerq(a)kernel.org> usb: dwc3: core: Fix system suspend on TI AM62 platforms Prashanth K <quic_prashk(a)quicinc.com> usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG Kevin Groeneveld <kgroeneveld(a)lenbrook.com> usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix "task hung" problem Jonathan Marek <jonathan(a)marek.ca> usb: typec: qcom-pmic-typec: fix sink status being overwritten with RP_DEF Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Mitigate failed set dequeue pointer commands Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Henry Lin <henryl(a)nvidia.com> xhci: tegra: fix checked USB2 port number Jeongjun Park <aha310510(a)gmail.com> vt: prevent kernel-infoleak in con_font_get() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix not being able to reconnect after suspend Aaron Thompson <dev(a)aaront.org> Bluetooth: ISO: Fix multiple init when debugfs is disabled Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Aaron Thompson <dev(a)aaront.org> Bluetooth: Call iso_exit() on module unload Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ad7944: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: resolver: ad2s1210: add missing select (TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: bm1390: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: resolver: ad2s1210 add missing select REGMAP in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: magnetometer: af8133j: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: chemical: ens160: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix IIO device retrieval from embedded device Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix ALS sensor resolution Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Mohammed Anees <pvmohammedanees2003(a)gmail.com> drm/amdgpu: prevent BO_HANDLES error from being overwritten Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/swsmu: Only force workload setup on init Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/smu13: always apply the powersave optimization Michael Chen <michael.chen(a)amd.com> drm/amdgpu/mes: fix issue of writing to the same log buffer from 2 MES pipes Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Zack Rusin <zack.rusin(a)broadcom.com> drm/vmwgfx: Cleanup kms setup without 3d Nirmoy Das <nirmoy.das(a)intel.com> drm/xe/ufence: ufence can be signaled right after wait_woken Matthew Auld <matthew.auld(a)intel.com> drm/xe/xe_sync: initialise ufence.signalled Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Don't require DSC hblank quirk for a non-DSC compatible mode Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Handle error during DSC BW overhead/slice calculation Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/radeon: Fix encoder->possible_clones Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: core: Requeue aborted request Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: core: Fix the issue of ICU failure Seunghwan Baek <sh8267.baek(a)samsung.com> scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Validate SAS port assignments John Edwards <uejji(a)uejji.net> Input: xpad - add support for MSI Claw A1M Yun Lu <luyun(a)kylinos.cn> selftest: hid: add the missing tests directory Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work Ming Lei <ming.lei(a)redhat.com> ublk: don't allow user copy for unprivileged device Ming Lei <ming.lei(a)redhat.com> blk-mq: setup queue ->tag_set before initializing hctx Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: close race on waiting for sqring entries Omar Sandoval <osandov(a)fb.com> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Stefan Kerkmann <s.kerkmann(a)pengutronix.de> Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller Steven Rostedt <rostedt(a)goodmis.org> fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Skip RSB fill at VMEXIT Johannes Wikner <kwikner(a)ethz.ch> x86/entry: Have entry_ibpb() invalidate return predictions Johannes Wikner <kwikner(a)ethz.ch> x86/cpufeatures: Add a IBPB_NO_RET BUG flag Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: gaccess: Check if guest address is in memslot Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp: Deactivate sclp after all its users Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Paolo Abeni <pabeni(a)redhat.com> mptcp: prevent MPC handshake on port-based signal endpoints Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Remove duplicated code Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Move `fec_ptp_read()` to the top of the file Paolo Abeni <pabeni(a)redhat.com> tcp: fix mptcp DSS corruption due to large pmtu xmit Jinjie Ruan <ruanjinjie(a)huawei.com> mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets() Liu Shixin <liushixin2(a)huawei.com> mm/swapfile: skip HugeTLB pages for unuse_vma Wei Xu <weixugc(a)google.com> mm/mglru: only clear kswapd_failures if reclaimable Yang Shi <yang(a)os.amperecomputing.com> mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point Jann Horn <jannh(a)google.com> mm/mremap: fix move_normal_pmd/retract_page_tables race Edward Liaw <edliaw(a)google.com> selftests/mm: fix deadlock for fork after pthread_create on ARM Edward Liaw <edliaw(a)google.com> selftests/mm: replace atomic_bool with pthread_barrier_t Florian Westphal <fw(a)strlen.de> lib: alloc_tag_module_unload must wait for pending kfree_rcu calls OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> maple_tree: correct tree corruption on spanning store Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: join: test for prohibited MPC to port-based endp Jinjie Ruan <ruanjinjie(a)huawei.com> net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() Oleksij Rempel <o.rempel(a)pengutronix.de> net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix uprobes for big-endian kernels Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Josua Mayer <josua(a)solid-run.com> arm64: dts: marvell: cn9130-sr-som: fix cp0 mdio pin numbers Jakub Sitnicki <jakub(a)cloudflare.com> udp: Compute L4 checksum as usual when not segmenting the skb Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Wei Fang <wei.fang(a)nxp.com> net: enetc: add missing static descriptor and inline keyword Wei Fang <wei.fang(a)nxp.com> net: enetc: disable NAPI after all rings are disabled Wei Fang <wei.fang(a)nxp.com> net: enetc: disable Tx BD rings after they are empty Wei Fang <wei.fang(a)nxp.com> net: enetc: block concurrent XDP transmissions during ring reconfiguration Wei Fang <wei.fang(a)nxp.com> net: enetc: remove xdp_drops statistic from enetc_xdp_drop() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 Zhu Jun <zhujun2(a)cmss.chinamobile.com> ALSA: scarlett2: Add error check after retrieving PEQ filter values Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix user-after-free from session log off Roi Martin <jroi.martin(a)gmail.com> btrfs: fix uninitialized pointer free on read_alloc_one_name() error Roi Martin <jroi.martin(a)gmail.com> btrfs: fix uninitialized pointer free in add_inode_ref() ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/marvell/cn9130-sr-som.dtsi | 2 +- arch/arm64/include/asm/uprobes.h | 8 +- arch/arm64/kernel/probes/decode-insn.c | 16 ++- arch/arm64/kernel/probes/simulate-insn.c | 18 ++-- arch/arm64/kernel/probes/uprobes.c | 4 +- arch/s390/kvm/diag.c | 2 +- arch/s390/kvm/gaccess.c | 4 + arch/s390/kvm/gaccess.h | 14 +-- arch/x86/entry/entry.S | 5 + arch/x86/entry/entry_32.S | 6 +- arch/x86/include/asm/cpufeatures.h | 4 +- arch/x86/include/asm/nospec-branch.h | 11 +- arch/x86/kernel/apic/apic.c | 14 ++- arch/x86/kernel/cpu/amd.c | 3 +- arch/x86/kernel/cpu/bugs.c | 32 ++++++ arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/resctrl/core.c | 4 +- block/blk-mq.c | 8 +- block/blk-rq-qos.c | 2 +- drivers/block/ublk_drv.c | 11 +- drivers/bluetooth/btusb.c | 27 ++--- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 4 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 22 ++-- drivers/gpu/drm/i915/display/intel_dp_mst.c | 40 +++++-- drivers/gpu/drm/radeon/radeon_encoders.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 30 +----- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 +- drivers/gpu/drm/xe/xe_sync.c | 2 +- drivers/gpu/drm/xe/xe_wait_user_fence.c | 3 - drivers/iio/accel/Kconfig | 2 + drivers/iio/adc/Kconfig | 9 ++ drivers/iio/amplifiers/Kconfig | 1 + drivers/iio/chemical/Kconfig | 2 + .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 7 ++ drivers/iio/frequency/Kconfig | 1 + drivers/iio/light/Kconfig | 2 + drivers/iio/light/opt3001.c | 4 + drivers/iio/light/veml6030.c | 5 +- drivers/iio/magnetometer/Kconfig | 2 + drivers/iio/pressure/Kconfig | 3 + drivers/iio/proximity/Kconfig | 2 + drivers/iio/resolver/Kconfig | 3 + drivers/input/joystick/xpad.c | 3 + drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v3-its.c | 18 ++-- drivers/irqchip/irq-sifive-plic.c | 29 ++--- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c | 2 + drivers/net/ethernet/cadence/macb_main.c | 14 ++- drivers/net/ethernet/freescale/enetc/enetc.c | 56 +++++++--- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + drivers/net/ethernet/freescale/fec_ptp.c | 58 +++++----- .../net/ethernet/microchip/vcap/vcap_api_kunit.c | 2 + drivers/parport/procfs.c | 22 ++-- drivers/pinctrl/intel/pinctrl-intel-platform.c | 3 +- drivers/pinctrl/nuvoton/pinctrl-ma35.c | 2 +- drivers/pinctrl/pinctrl-apple-gpio.c | 3 + drivers/pinctrl/pinctrl-ocelot.c | 8 +- drivers/pinctrl/stm32/pinctrl-stm32.c | 9 +- drivers/s390/char/sclp.c | 3 +- drivers/s390/char/sclp_vt220.c | 4 +- drivers/scsi/mpi3mr/mpi3mr.h | 4 +- drivers/scsi/mpi3mr/mpi3mr_transport.c | 42 +++++--- drivers/tty/n_gsm.c | 2 + drivers/tty/serial/imx.c | 15 +++ drivers/tty/serial/qcom_geni_serial.c | 91 ++++++++-------- drivers/tty/vt/vt.c | 2 +- drivers/ufs/core/ufs-mcq.c | 15 +-- drivers/ufs/core/ufshcd.c | 24 ++--- drivers/usb/dwc3/core.c | 19 ++++ drivers/usb/dwc3/core.h | 3 + drivers/usb/dwc3/gadget.c | 10 +- drivers/usb/gadget/function/f_uac2.c | 6 +- drivers/usb/gadget/udc/dummy_hcd.c | 20 +++- drivers/usb/host/xhci-ring.c | 2 +- drivers/usb/host/xhci-tegra.c | 2 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/serial/option.c | 8 ++ drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c | 1 - fs/btrfs/tree-log.c | 6 +- fs/fat/namei_vfat.c | 2 +- fs/nilfs2/dir.c | 48 +++++---- fs/nilfs2/namei.c | 39 ++++--- fs/nilfs2/nilfs.h | 2 +- fs/smb/server/mgmt/user_session.c | 26 ++++- fs/smb/server/mgmt/user_session.h | 4 + fs/smb/server/server.c | 2 + fs/smb/server/smb2pdu.c | 8 +- include/linux/fsl/enetc_mdio.h | 3 +- include/linux/irqchip/arm-gic-v4.h | 4 +- include/trace/events/huge_memory.h | 4 +- include/uapi/linux/ublk_cmd.h | 8 +- io_uring/io_uring.h | 10 +- kernel/time/posix-clock.c | 3 + kernel/trace/fgraph.c | 28 +++-- lib/codetag.c | 3 + lib/maple_tree.c | 12 +-- mm/damon/sysfs-test.h | 1 + mm/khugepaged.c | 2 +- mm/mremap.c | 11 +- mm/swapfile.c | 2 +- mm/vmscan.c | 6 +- net/bluetooth/af_bluetooth.c | 3 + net/bluetooth/iso.c | 6 +- net/ipv4/tcp_output.c | 4 +- net/ipv4/udp.c | 4 +- net/ipv6/udp.c | 4 +- net/mptcp/mib.c | 1 + net/mptcp/mib.h | 1 + net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 11 ++ sound/pci/hda/patch_conexant.c | 19 ++++ sound/usb/mixer_scarlett2.c | 2 + tools/testing/selftests/hid/Makefile | 1 + tools/testing/selftests/mm/uffd-common.c | 5 +- tools/testing/selftests/mm/uffd-common.h | 3 +- tools/testing/selftests/mm/uffd-unit-tests.c | 21 ++-- tools/testing/selftests/net/mptcp/mptcp_join.sh | 117 +++++++++++++++------ 122 files changed, 863 insertions(+), 453 deletions(-)

8 months, 1 week

15
154
0 0

Re: Patch "xhci: dbgtty: remove kfifo_out() wrapper" has been added to the 6.11-stable tree

by Jiri Slaby

On 22. 10. 24, 19:45, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > xhci: dbgtty: remove kfifo_out() wrapper This is a cleanup, not needed in stable. -- js suse labs

8 months, 1 week

1
0
0 0

[PATCH 04/16] Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35"

by Tom Chung

From: Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> This reverts commit db88df35a509 ("drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35") [why & how] The offending commit exposes a hang with lid close/open behavior. Both issues seem to be related to ODM 2:1 mode switching, so there is another issue generic to that sequence that needs to be investigated. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> --- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c index 11c904ae2958..c4c52173ef22 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c @@ -303,6 +303,7 @@ void build_unoptimized_policy_settings(enum dml_project_id project, struct dml_m if (project == dml_project_dcn35 || project == dml_project_dcn351) { policy->DCCProgrammingAssumesScanDirectionUnknownFinal = false; + policy->EnhancedPrefetchScheduleAccelerationFinal = 0; policy->AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter_if_possible; /*new*/ policy->UseOnlyMaxPrefetchModes = 1; } -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH] clk: qcom: gcc-qcs404: fix initial rate of GPLL3

by Gabor Juhos

The comment before the config of the GPLL3 PLL says that the PLL should run at 930 MHz. In contrary to this, calculating the frequency from the current configuration values by using 19.2 MHz as input frequency defined in 'qcs404.dtsi', it gives 921.6 MHz: $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x0 $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l 921600000.00000000000000000000 Set 'alpha_hi' in the configuration to a value used in downstream kernels [1][2] in order to get the correct output rate: $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x70 $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l 930000000.00000000000000000000 The change is based on static code analysis, compile tested only. [1] https://git.codelinaro.org/clo/la/kernel/msm-5.4/-/blob/kernel.lnx.5.4.r56-… [2} https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/blob/kernel.lnx.5.15.r4… Cc: stable(a)vger.kernel.org Fixes: 652f1813c113 ("clk: qcom: gcc: Add global clock controller driver for QCS404") Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> --- Note: due to a bug in the clk_alpha_pll_configure() function, the following patch is also needed in order for this fix to take effect: https://lore.kernel.org/all/20241019-qcs615-mm-clockcontroller-v1-1-4cfb96d… --- drivers/clk/qcom/gcc-qcs404.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/clk/qcom/gcc-qcs404.c b/drivers/clk/qcom/gcc-qcs404.c index c3cfd572e7c1e0a987519be2cb2050c9bc7992c7..5ca003c9bfba89bee2e626b3c35936452cc02765 100644 --- a/drivers/clk/qcom/gcc-qcs404.c +++ b/drivers/clk/qcom/gcc-qcs404.c @@ -131,6 +131,7 @@ static struct clk_alpha_pll gpll1_out_main = { /* 930MHz configuration */ static const struct alpha_pll_config gpll3_config = { .l = 48, + .alpha_hi = 0x70, .alpha = 0x0, .alpha_en_mask = BIT(24), .post_div_mask = 0xf << 8, --- base-commit: 03dc72319cee7d0dfefee9ae7041b67732f6b8cd change-id: 20241021-fix-gcc-qcs404-gpll3-f314335c8ecf Best regards, -- Gabor Juhos <j4g8y7(a)gmail.com>

8 months, 1 week

3
3
0 0

[PATCH 5.10] block, bfq: fix procress reference leakage for bfqq in merge chain

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> [ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ] Original state: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \--------------\ \-------------\ \-------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 1 2 4 After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()"), if P1 issues a new IO: Without the patch: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \------------------------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 bfqq3 will be used to handle IO from P1, this is not expected, IO should be redirected to bfqq4; With the patch: ------------------------------------------- | | Process 1 Process 2 Process 3 | Process 4 (BIC1) (BIC2) (BIC3) | (BIC4) | | | | \-------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 IO is redirected to bfqq4, however, procress reference of bfqq3 is still 2, while there is only P2 using it. Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify code. Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()") Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- block/bfq-iosched.c | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index 515e3c1a5475..c1600e3ac333 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -2774,10 +2774,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq) bfq_put_queue(bfqq); } -static void -bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, - struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) +static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd, + struct bfq_io_cq *bic, + struct bfq_queue *bfqq) { + struct bfq_queue *new_bfqq = bfqq->new_bfqq; + bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu", (unsigned long)new_bfqq->pid); /* Save weight raising and idle window of the merged queues */ @@ -2845,6 +2847,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, new_bfqq->pid = -1; bfqq->bic = NULL; bfq_release_process_ref(bfqd, bfqq); + + return new_bfqq; } static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, @@ -2880,14 +2884,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, * fulfilled, i.e., bic can be redirected to new_bfqq * and bfqq can be put. */ - bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq, - new_bfqq); - /* - * If we get here, bio will be queued into new_queue, - * so use new_bfqq to decide whether bio and rq can be - * merged. - */ - bfqq = new_bfqq; + while (bfqq != new_bfqq) + bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq); /* * Change also bqfd->bio_bfqq, as @@ -5444,6 +5442,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) bool waiting, idle_timer_disabled = false; if (new_bfqq) { + struct bfq_queue *old_bfqq = bfqq; /* * Release the request's reference to the old bfqq * and make sure one is taken to the shared queue. @@ -5459,18 +5458,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) * then complete the merge and redirect it to * new_bfqq. */ - if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) - bfq_merge_bfqqs(bfqd, RQ_BIC(rq), - bfqq, new_bfqq); + if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) { + while (bfqq != new_bfqq) + bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq); + } - bfq_clear_bfqq_just_created(bfqq); + bfq_clear_bfqq_just_created(old_bfqq); /* * rq is about to be enqueued into new_bfqq, * release rq reference on bfqq */ - bfq_put_queue(bfqq); + bfq_put_queue(old_bfqq); rq->elv.priv[1] = new_bfqq; - bfqq = new_bfqq; } bfq_update_io_thinktime(bfqd, bfqq); -- 2.39.2

8 months, 1 week

1
0
0 0

[PATCH 5.15] block, bfq: fix procress reference leakage for bfqq in merge chain

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> [ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ] Original state: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \--------------\ \-------------\ \-------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 1 2 4 After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()"), if P1 issues a new IO: Without the patch: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \------------------------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 bfqq3 will be used to handle IO from P1, this is not expected, IO should be redirected to bfqq4; With the patch: ------------------------------------------- | | Process 1 Process 2 Process 3 | Process 4 (BIC1) (BIC2) (BIC3) | (BIC4) | | | | \-------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 IO is redirected to bfqq4, however, procress reference of bfqq3 is still 2, while there is only P2 using it. Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify code. Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()") Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- block/bfq-iosched.c | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index b0bdb5197530..c985c944fa65 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -2981,10 +2981,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq) bfq_put_queue(bfqq); } -static void -bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, - struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) +static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd, + struct bfq_io_cq *bic, + struct bfq_queue *bfqq) { + struct bfq_queue *new_bfqq = bfqq->new_bfqq; + bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu", (unsigned long)new_bfqq->pid); /* Save weight raising and idle window of the merged queues */ @@ -3078,6 +3080,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, bfq_reassign_last_bfqq(bfqq, new_bfqq); bfq_release_process_ref(bfqd, bfqq); + + return new_bfqq; } static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, @@ -3113,14 +3117,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, * fulfilled, i.e., bic can be redirected to new_bfqq * and bfqq can be put. */ - bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq, - new_bfqq); - /* - * If we get here, bio will be queued into new_queue, - * so use new_bfqq to decide whether bio and rq can be - * merged. - */ - bfqq = new_bfqq; + while (bfqq != new_bfqq) + bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq); /* * Change also bqfd->bio_bfqq, as @@ -5482,9 +5480,7 @@ bfq_do_early_stable_merge(struct bfq_data *bfqd, struct bfq_queue *bfqq, * state before killing it. */ bfqq->bic = bic; - bfq_merge_bfqqs(bfqd, bic, bfqq, new_bfqq); - - return new_bfqq; + return bfq_merge_bfqqs(bfqd, bic, bfqq); } /* @@ -5916,6 +5912,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) bool waiting, idle_timer_disabled = false; if (new_bfqq) { + struct bfq_queue *old_bfqq = bfqq; /* * Release the request's reference to the old bfqq * and make sure one is taken to the shared queue. @@ -5931,18 +5928,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) * then complete the merge and redirect it to * new_bfqq. */ - if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) - bfq_merge_bfqqs(bfqd, RQ_BIC(rq), - bfqq, new_bfqq); + if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) { + while (bfqq != new_bfqq) + bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq); + } - bfq_clear_bfqq_just_created(bfqq); + bfq_clear_bfqq_just_created(old_bfqq); /* * rq is about to be enqueued into new_bfqq, * release rq reference on bfqq */ - bfq_put_queue(bfqq); + bfq_put_queue(old_bfqq); rq->elv.priv[1] = new_bfqq; - bfqq = new_bfqq; } bfq_update_io_thinktime(bfqd, bfqq); -- 2.39.2

8 months, 1 week

1
0
0 0

[PATCH 6.1] block, bfq: fix procress reference leakage for bfqq in merge chain

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> [ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ] Original state: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \--------------\ \-------------\ \-------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 1 2 4 After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()"), if P1 issues a new IO: Without the patch: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \------------------------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 bfqq3 will be used to handle IO from P1, this is not expected, IO should be redirected to bfqq4; With the patch: ------------------------------------------- | | Process 1 Process 2 Process 3 | Process 4 (BIC1) (BIC2) (BIC3) | (BIC4) | | | | \-------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 IO is redirected to bfqq4, however, procress reference of bfqq3 is still 2, while there is only P2 using it. Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify code. Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()") Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- block/bfq-iosched.c | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index bfce6343a577..8e797782cfe3 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c @@ -3117,10 +3117,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq) bfq_put_queue(bfqq); } -static void -bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, - struct bfq_queue *bfqq, struct bfq_queue *new_bfqq) +static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd, + struct bfq_io_cq *bic, + struct bfq_queue *bfqq) { + struct bfq_queue *new_bfqq = bfqq->new_bfqq; + bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu", (unsigned long)new_bfqq->pid); /* Save weight raising and idle window of the merged queues */ @@ -3214,6 +3216,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, bfq_reassign_last_bfqq(bfqq, new_bfqq); bfq_release_process_ref(bfqd, bfqq); + + return new_bfqq; } static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, @@ -3249,14 +3253,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq, * fulfilled, i.e., bic can be redirected to new_bfqq * and bfqq can be put. */ - bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq, - new_bfqq); - /* - * If we get here, bio will be queued into new_queue, - * so use new_bfqq to decide whether bio and rq can be - * merged. - */ - bfqq = new_bfqq; + while (bfqq != new_bfqq) + bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq); /* * Change also bqfd->bio_bfqq, as @@ -5616,9 +5614,7 @@ bfq_do_early_stable_merge(struct bfq_data *bfqd, struct bfq_queue *bfqq, * state before killing it. */ bfqq->bic = bic; - bfq_merge_bfqqs(bfqd, bic, bfqq, new_bfqq); - - return new_bfqq; + return bfq_merge_bfqqs(bfqd, bic, bfqq); } /* @@ -6066,6 +6062,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) bool waiting, idle_timer_disabled = false; if (new_bfqq) { + struct bfq_queue *old_bfqq = bfqq; /* * Release the request's reference to the old bfqq * and make sure one is taken to the shared queue. @@ -6081,18 +6078,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq) * then complete the merge and redirect it to * new_bfqq. */ - if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) - bfq_merge_bfqqs(bfqd, RQ_BIC(rq), - bfqq, new_bfqq); + if (bic_to_bfqq(RQ_BIC(rq), 1) == bfqq) { + while (bfqq != new_bfqq) + bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq); + } - bfq_clear_bfqq_just_created(bfqq); + bfq_clear_bfqq_just_created(old_bfqq); /* * rq is about to be enqueued into new_bfqq, * release rq reference on bfqq */ - bfq_put_queue(bfqq); + bfq_put_queue(old_bfqq); rq->elv.priv[1] = new_bfqq; - bfqq = new_bfqq; } bfq_update_io_thinktime(bfqd, bfqq); -- 2.39.2

8 months, 1 week

1
0
0 0

[PATCH OLK-6.6 3/3] LoongArch: Define __ARCH_WANT_NEW_STAT in unistd.h

by Hongchen Zhang

From: Huacai Chen <chenhuacai(a)loongson.cn> mainline inclusion from mainline-v6.11-rc1 commit 7697a0fe0154468f5df35c23ebd7aa48994c2cdc category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IAZ33N CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------------------------------------- Chromium sandbox apparently wants to deny statx [1] so it could properly inspect arguments after the sandboxed process later falls back to fstat. Because there's currently not a "fd-only" version of statx, so that the sandbox has no way to ensure the path argument is empty without being able to peek into the sandboxed process's memory. For architectures able to do newfstatat though, glibc falls back to newfstatat after getting -ENOSYS for statx, then the respective SIGSYS handler [2] takes care of inspecting the path argument, transforming allowed newfstatat's into fstat instead which is allowed and has the same type of return value. But, as LoongArch is the first architecture to not have fstat nor newfstatat, the LoongArch glibc does not attempt falling back at all when it gets -ENOSYS for statx -- and you see the problem there! Actually, back when the LoongArch port was under review, people were aware of the same problem with sandboxing clone3 [3], so clone was eventually kept. Unfortunately it seemed at that time no one had noticed statx, so besides restoring fstat/newfstatat to LoongArch uapi (and postponing the problem further), it seems inevitable that we would need to tackle seccomp deep argument inspection. However, this is obviously a decision that shouldn't be taken lightly, so we just restore fstat/newfstatat by defining __ARCH_WANT_NEW_STAT in unistd.h. This is the simplest solution for now, and so we hope the community will tackle the long-standing problem of seccomp deep argument inspection in the future [4][5]. Also add "newstat" to syscall_abis_64 in Makefile.syscalls due to upstream asm-generic changes. More infomation please reading this thread [6]. [1] https://chromium-review.googlesource.com/c/chromium/src/+/2823150 [2] https://chromium.googlesource.com/chromium/src/sandbox/+/c085b51940bd/linux… [3] https://lore.kernel.org/linux-arch/20220511211231.GG7074@brightrain.aerifal… [4] https://lwn.net/Articles/799557/ [5] https://lpc.events/event/4/contributions/560/attachments/397/640/deep-arg-i… [6] https://lore.kernel.org/loongarch/20240226-granit-seilschaft-eccc2433014d@b… Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/include/asm/unistd.h | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/loongarch/include/asm/unistd.h b/arch/loongarch/include/asm/unistd.h index cfddb0116a8c..f1d2b7e5c062 100644 --- a/arch/loongarch/include/asm/unistd.h +++ b/arch/loongarch/include/asm/unistd.h @@ -8,4 +8,5 @@ #include <uapi/asm/unistd.h> +#define __ARCH_WANT_NEW_STAT #define NR_syscalls (__NR_syscalls) -- 2.33.0

8 months, 1 week

1
0
0 0

[PATCH] mm: avoid unconditional one-tick sleep when swapcache_prepare fails

by Barry Song

From: Barry Song <v-songbaohua(a)oppo.com> Commit 13ddaf26be32 ("mm/swap: fix race when skipping swapcache") introduced an unconditional one-tick sleep when `swapcache_prepare()` fails, which has led to reports of UI stuttering on latency-sensitive Android devices. To address this, we can use a waitqueue to wake up tasks that fail `swapcache_prepare()` sooner, instead of always sleeping for a full tick. While tasks may occasionally be woken by an unrelated `do_swap_page()`, this method is preferable to two scenarios: rapid re-entry into page faults, which can cause livelocks, and multiple millisecond sleeps, which visibly degrade user experience. Oven's testing shows that a single waitqueue resolves the UI stuttering issue. If a 'thundering herd' problem becomes apparent later, a waitqueue hash similar to `folio_wait_table[PAGE_WAIT_TABLE_SIZE]` for page bit locks can be introduced. Fixes: 13ddaf26be32 ("mm/swap: fix race when skipping swapcache") Cc: Kairui Song <kasong(a)tencent.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Yosry Ahmed <yosryahmed(a)google.com> Cc: SeongJae Park <sj(a)kernel.org> Cc: Kalesh Singh <kaleshsingh(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Reported-by: Oven Liyang <liyangouwen1(a)oppo.com> Tested-by: Oven Liyang <liyangouwen1(a)oppo.com> Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> --- mm/memory.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 2366578015ad..6913174f7f41 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -4192,6 +4192,8 @@ static struct folio *alloc_swap_folio(struct vm_fault *vmf) } #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ +static DECLARE_WAIT_QUEUE_HEAD(swapcache_wq); + /* * We enter with non-exclusive mmap_lock (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. @@ -4204,6 +4206,7 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) { struct vm_area_struct *vma = vmf->vma; struct folio *swapcache, *folio = NULL; + DECLARE_WAITQUEUE(wait, current); struct page *page; struct swap_info_struct *si = NULL; rmap_t rmap_flags = RMAP_NONE; @@ -4302,7 +4305,9 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) * Relax a bit to prevent rapid * repeated page faults. */ + add_wait_queue(&swapcache_wq, &wait); schedule_timeout_uninterruptible(1); + remove_wait_queue(&swapcache_wq, &wait); goto out_page; } need_clear_cache = true; @@ -4609,8 +4614,10 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) pte_unmap_unlock(vmf->pte, vmf->ptl); out: /* Clear the swap cache pin for direct swapin after PTL unlock */ - if (need_clear_cache) + if (need_clear_cache) { swapcache_clear(si, entry, nr_pages); + wake_up(&swapcache_wq); + } if (si) put_swap_device(si); return ret; @@ -4625,8 +4632,10 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) folio_unlock(swapcache); folio_put(swapcache); } - if (need_clear_cache) + if (need_clear_cache) { swapcache_clear(si, entry, nr_pages); + wake_up(&swapcache_wq); + } if (si) put_swap_device(si); return ret; -- 2.34.1

8 months, 1 week

4
20
0 0

[PATCH] blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long

by Bart Van Assche

Make sure that the tag_list_lock mutex is no longer held than necessary. This change reduces latency if e.g. blk_mq_quiesce_tagset() is called concurrently from more than one thread. This function is used by the NVMe core and also by the UFS driver. Reported-by: Peter Wang <peter.wang(a)mediatek.com> Cc: Chao Leng <lengchao(a)huawei.com> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: commit 414dd48e882c ("blk-mq: add tagset quiesce interface") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- block/blk-mq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index 4b2c8e940f59..1ef227dfb9ba 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -283,8 +283,9 @@ void blk_mq_quiesce_tagset(struct blk_mq_tag_set *set) if (!blk_queue_skip_tagset_quiesce(q)) blk_mq_quiesce_queue_nowait(q); } - blk_mq_wait_quiesce_done(set); mutex_unlock(&set->tag_list_lock); + + blk_mq_wait_quiesce_done(set); } EXPORT_SYMBOL_GPL(blk_mq_quiesce_tagset);

8 months, 1 week

4
3
0 0

[PATCH 0/5] cxl: Initialization and shutdown fixes

by Dan Williams

Gregory's modest proposal to fix CXL cxl_mem_probe() failures due to delayed arrival of the CXL "root" infrastructure [1] prompted questions of how the existing mechanism for retrying cxl_mem_probe() could be failing. The critical missing piece in the debug was that Gregory's setup had almost all CXL modules built-in to the kernel. On the way to that discovery several other bugs and init-order corner cases were discovered. The main fix is to make sure the drivers/cxl/Makefile object order supports root CXL ports being fully initialized upon cxl_acpi_probe() exit. The modular case has some similar potential holes that are fixed with MODULE_SOFTDEP() and other fix ups. Finally, an attempt to update cxl_test to reproduce the original report resulted in the discovery of a separate long standing use after free bug in cxl_region_detach(). [1]: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net --- Dan Williams (5): cxl/port: Fix CXL port initialization order when the subsystem is built-in cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() cxl/acpi: Ensure ports ready at cxl_acpi_probe() return cxl/port: Fix use-after-free, permit out-of-order decoder shutdown cxl/test: Improve init-order fidelity relative to real-world systems drivers/base/core.c | 35 +++++++ drivers/cxl/Kconfig | 1 drivers/cxl/Makefile | 12 +-- drivers/cxl/acpi.c | 7 + drivers/cxl/core/hdm.c | 50 +++++++++-- drivers/cxl/core/port.c | 13 ++- drivers/cxl/core/region.c | 48 +++------- drivers/cxl/cxl.h | 3 - include/linux/device.h | 3 + tools/testing/cxl/test/cxl.c | 200 +++++++++++++++++++++++------------------- tools/testing/cxl/test/mem.c | 1 11 files changed, 228 insertions(+), 145 deletions(-) base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b

8 months, 1 week

5
24
0 0

[merged] nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix kernel bug due to missing clearing of buffer delay flag has been removed from the -mm tree. Its filename was nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix kernel bug due to missing clearing of buffer delay flag Date: Wed, 16 Oct 2024 06:32:07 +0900 Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug. This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this. This became necessary when the use of nilfs2's own page clear routine was expanded. This state inconsistency does not occur if the buffer is written normally by log writing. Link: https://lkml.kernel.org/r/20241015213300.7114-1-konishi.ryusuke@gmail.com Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+985ada84bf055a575c07(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07 Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/page.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/fs/nilfs2/page.c~nilfs2-fix-kernel-bug-due-to-missing-clearing-of-buffer-delay-flag +++ a/fs/nilfs2/page.c @@ -77,7 +77,8 @@ void nilfs_forget_buffer(struct buffer_h const unsigned long clear_bits = (BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) | BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) | - BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected)); + BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) | + BIT(BH_Delay)); lock_buffer(bh); set_mask_bits(&bh->b_state, clear_bits, 0); @@ -406,7 +407,8 @@ void nilfs_clear_folio_dirty(struct foli const unsigned long clear_bits = (BIT(BH_Uptodate) | BIT(BH_Dirty) | BIT(BH_Mapped) | BIT(BH_Async_Write) | BIT(BH_NILFS_Volatile) | - BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected)); + BIT(BH_NILFS_Checked) | BIT(BH_NILFS_Redirected) | + BIT(BH_Delay)); bh = head; do { _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch

8 months, 1 week

1
0
0 0

[PATCH v2] ASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc

by Krzysztof Kozlowski

Commit 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc to soundcards") moved the allocation of Soundwire stream runtime from the Qualcomm Soundwire driver to each individual machine sound card driver, except that it forgot to update SC7280 card. Just like for other Qualcomm sound cards using Soundwire, the card driver should allocate and release the runtime. Otherwise sound playback will result in a NULL pointer dereference or other effect of uninitialized memory accesses (which was confirmed on SDM845 having similar issue). Cc: stable(a)vger.kernel.org Cc: Alexey Klimov <alexey.klimov(a)linaro.org> Cc: Steev Klimaszewski <steev(a)kali.org> Fixes: 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc to soundcards") Link: https://lore.kernel.org/r/20241010054109.16938-1-krzysztof.kozlowski@linaro… Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Changes in v2: 1. Add missing 'select SND_SOC_QCOM_SDW' as reported by LKP --- sound/soc/qcom/Kconfig | 1 + sound/soc/qcom/sc7280.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/sound/soc/qcom/Kconfig b/sound/soc/qcom/Kconfig index 3687b9db5ed4..ca7a30ebd26a 100644 --- a/sound/soc/qcom/Kconfig +++ b/sound/soc/qcom/Kconfig @@ -209,6 +209,7 @@ config SND_SOC_SC7280 tristate "SoC Machine driver for SC7280 boards" depends on I2C && SOUNDWIRE select SND_SOC_QCOM_COMMON + select SND_SOC_QCOM_SDW select SND_SOC_LPASS_SC7280 select SND_SOC_MAX98357A select SND_SOC_WCD938X_SDW diff --git a/sound/soc/qcom/sc7280.c b/sound/soc/qcom/sc7280.c index 207ac5da4dd4..230af8d7b205 100644 --- a/sound/soc/qcom/sc7280.c +++ b/sound/soc/qcom/sc7280.c @@ -23,6 +23,7 @@ #include "common.h" #include "lpass.h" #include "qdsp6/q6afe.h" +#include "sdw.h" #define DEFAULT_MCLK_RATE 19200000 #define RT5682_PLL_FREQ (48000 * 512) @@ -316,6 +317,7 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_card *card = rtd->card; struct sc7280_snd_data *data = snd_soc_card_get_drvdata(card); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); + struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; switch (cpu_dai->id) { case MI2S_PRIMARY: @@ -333,6 +335,9 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) default: break; } + + data->sruntime[cpu_dai->id] = NULL; + sdw_release_stream(sruntime); } static int sc7280_snd_startup(struct snd_pcm_substream *substream) @@ -347,6 +352,8 @@ static int sc7280_snd_startup(struct snd_pcm_substream *substream) switch (cpu_dai->id) { case MI2S_PRIMARY: ret = sc7280_rt5682_init(rtd); + if (ret) + return ret; break; case SECONDARY_MI2S_RX: codec_dai_fmt |= SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_I2S; @@ -360,7 +367,8 @@ static int sc7280_snd_startup(struct snd_pcm_substream *substream) default: break; } - return ret; + + return qcom_snd_sdw_startup(substream); } static const struct snd_soc_ops sc7280_ops = { -- 2.43.0

8 months, 1 week

2
1
0 0

[tip: locking/core] locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass()

by tip-bot2 for Ahmed Ehab

The following commit has been merged into the locking/core branch of tip: Commit-ID: d7fe143cb115076fed0126ad8cf5ba6c3e575e43 Gitweb: https://git.kernel.org/tip/d7fe143cb115076fed0126ad8cf5ba6c3e575e43 Author: Ahmed Ehab <bottaawesome633(a)gmail.com> AuthorDate: Sun, 25 Aug 2024 01:10:30 +03:00 Committer: Boqun Feng <boqun.feng(a)gmail.com> CommitterDate: Thu, 17 Oct 2024 20:07:23 -07:00 locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() Syzbot reports a problem that a warning will be triggered while searching a lock class in look_up_lock_class(). The cause of the issue is that a new name is created and used by lockdep_set_subclass() instead of using the existing one. This results in a lock instance has a different name pointer than previous registered one stored in lock class, and WARN_ONCE() is triggered because of that in look_up_lock_class(). To fix this, change lockdep_set_subclass() to use the existing name instead of a new one. Hence, no new name will be created by lockdep_set_subclass(). Hence, the warning is avoided. [boqun: Reword the commit log to state the correct issue] Reported-by: <syzbot+7f4a6f7f7051474e40ad(a)syzkaller.appspotmail.com> Fixes: de8f5e4f2dc1f ("lockdep: Introduce wait-type checks") Cc: stable(a)vger.kernel.org Signed-off-by: Ahmed Ehab <bottaawesome633(a)gmail.com> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Link: https://lore.kernel.org/lkml/20240824221031.7751-1-bottaawesome633@gmail.co… --- include/linux/lockdep.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h index 217f7ab..67964dc 100644 --- a/include/linux/lockdep.h +++ b/include/linux/lockdep.h @@ -173,7 +173,7 @@ static inline void lockdep_init_map(struct lockdep_map *lock, const char *name, (lock)->dep_map.lock_type) #define lockdep_set_subclass(lock, sub) \ - lockdep_init_map_type(&(lock)->dep_map, #lock, (lock)->dep_map.key, sub,\ + lockdep_init_map_type(&(lock)->dep_map, (lock)->dep_map.name, (lock)->dep_map.key, sub,\ (lock)->dep_map.wait_type_inner, \ (lock)->dep_map.wait_type_outer, \ (lock)->dep_map.lock_type)

8 months, 1 week

1
0
0 0

[PATCH 5.10] exec: don't WARN for racy path_noexec check

by Thadeu Lima de Souza Cascardo

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 ] Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact of the previous implementation. They used to legitimately check for the condition, but that got moved up in two commits: 633fb6ac3980 ("exec: move S_ISREG() check earlier") 0fd338b2d2cd ("exec: move path_noexec() check earlier") Instead of being removed said checks are WARN_ON'ed instead, which has some debug value. However, the spurious path_noexec check is racy, resulting in unwarranted warnings should someone race with setting the noexec flag. One can note there is more to perm-checking whether execve is allowed and none of the conditions are guaranteed to still hold after they were tested for. Additionally this does not validate whether the code path did any perm checking to begin with -- it will pass if the inode happens to be regular. Keep the redundant path_noexec() check even though it's mindless nonsense checking for guarantee that isn't given so drop the WARN. Reword the commentary and do small tidy ups while here. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20240805131721.765484-1-mjguzik@gmail.com [brauner: keep redundant path_noexec() check] Signed-off-by: Christian Brauner <brauner(a)kernel.org> [cascardo: keep exit label and use it] Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> --- fs/exec.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 6e5324c7e9b6..7144c541818f 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -144,13 +144,11 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) goto out; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * Check do_open_execat() for an explanation. */ error = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; fsnotify_open(file); @@ -919,16 +917,16 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) file = do_filp_open(fd, name, &open_exec_flags); if (IS_ERR(file)) - goto out; + return file; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * In the past the regular type check was here. It moved to may_open() in + * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is + * an invariant that all non-regular files error out before we get here. */ err = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; err = deny_write_access(file); @@ -938,7 +936,6 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) if (name->name[0] != '\0') fsnotify_open(file); -out: return file; exit: -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH 5.15] exec: don't WARN for racy path_noexec check

by Thadeu Lima de Souza Cascardo

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 ] Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact of the previous implementation. They used to legitimately check for the condition, but that got moved up in two commits: 633fb6ac3980 ("exec: move S_ISREG() check earlier") 0fd338b2d2cd ("exec: move path_noexec() check earlier") Instead of being removed said checks are WARN_ON'ed instead, which has some debug value. However, the spurious path_noexec check is racy, resulting in unwarranted warnings should someone race with setting the noexec flag. One can note there is more to perm-checking whether execve is allowed and none of the conditions are guaranteed to still hold after they were tested for. Additionally this does not validate whether the code path did any perm checking to begin with -- it will pass if the inode happens to be regular. Keep the redundant path_noexec() check even though it's mindless nonsense checking for guarantee that isn't given so drop the WARN. Reword the commentary and do small tidy ups while here. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20240805131721.765484-1-mjguzik@gmail.com [brauner: keep redundant path_noexec() check] Signed-off-by: Christian Brauner <brauner(a)kernel.org> [cascardo: keep exit label and use it] Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> --- fs/exec.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 26f0b79cb4f9..8395e7ff7b94 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -142,13 +142,11 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) goto out; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * Check do_open_execat() for an explanation. */ error = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; fsnotify_open(file); @@ -919,16 +917,16 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) file = do_filp_open(fd, name, &open_exec_flags); if (IS_ERR(file)) - goto out; + return file; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * In the past the regular type check was here. It moved to may_open() in + * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is + * an invariant that all non-regular files error out before we get here. */ err = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; err = deny_write_access(file); @@ -938,7 +936,6 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) if (name->name[0] != '\0') fsnotify_open(file); -out: return file; exit: -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH 6.1] exec: don't WARN for racy path_noexec check

by Thadeu Lima de Souza Cascardo

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 ] Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact of the previous implementation. They used to legitimately check for the condition, but that got moved up in two commits: 633fb6ac3980 ("exec: move S_ISREG() check earlier") 0fd338b2d2cd ("exec: move path_noexec() check earlier") Instead of being removed said checks are WARN_ON'ed instead, which has some debug value. However, the spurious path_noexec check is racy, resulting in unwarranted warnings should someone race with setting the noexec flag. One can note there is more to perm-checking whether execve is allowed and none of the conditions are guaranteed to still hold after they were tested for. Additionally this does not validate whether the code path did any perm checking to begin with -- it will pass if the inode happens to be regular. Keep the redundant path_noexec() check even though it's mindless nonsense checking for guarantee that isn't given so drop the WARN. Reword the commentary and do small tidy ups while here. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20240805131721.765484-1-mjguzik@gmail.com [brauner: keep redundant path_noexec() check] Signed-off-by: Christian Brauner <brauner(a)kernel.org> [cascardo: keep exit label and use it] Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> --- fs/exec.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 65d3ebc24fd3..a42c9b8b070d 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -141,13 +141,11 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) goto out; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * Check do_open_execat() for an explanation. */ error = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; fsnotify_open(file); @@ -927,16 +925,16 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) file = do_filp_open(fd, name, &open_exec_flags); if (IS_ERR(file)) - goto out; + return file; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * In the past the regular type check was here. It moved to may_open() in + * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is + * an invariant that all non-regular files error out before we get here. */ err = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; err = deny_write_access(file); @@ -946,7 +944,6 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) if (name->name[0] != '\0') fsnotify_open(file); -out: return file; exit: -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH 6.6] exec: don't WARN for racy path_noexec check

by Thadeu Lima de Souza Cascardo

From: Mateusz Guzik <mjguzik(a)gmail.com> [ Upstream commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 ] Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact of the previous implementation. They used to legitimately check for the condition, but that got moved up in two commits: 633fb6ac3980 ("exec: move S_ISREG() check earlier") 0fd338b2d2cd ("exec: move path_noexec() check earlier") Instead of being removed said checks are WARN_ON'ed instead, which has some debug value. However, the spurious path_noexec check is racy, resulting in unwarranted warnings should someone race with setting the noexec flag. One can note there is more to perm-checking whether execve is allowed and none of the conditions are guaranteed to still hold after they were tested for. Additionally this does not validate whether the code path did any perm checking to begin with -- it will pass if the inode happens to be regular. Keep the redundant path_noexec() check even though it's mindless nonsense checking for guarantee that isn't given so drop the WARN. Reword the commentary and do small tidy ups while here. Signed-off-by: Mateusz Guzik <mjguzik(a)gmail.com> Link: https://lore.kernel.org/r/20240805131721.765484-1-mjguzik@gmail.com [brauner: keep redundant path_noexec() check] Signed-off-by: Christian Brauner <brauner(a)kernel.org> [cascardo: keep exit label and use it] Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> --- fs/exec.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index f49b352a6032..7776209d98c1 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -143,13 +143,11 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) goto out; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * Check do_open_execat() for an explanation. */ error = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; error = -ENOEXEC; @@ -925,23 +923,22 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) file = do_filp_open(fd, name, &open_exec_flags); if (IS_ERR(file)) - goto out; + return file; /* - * may_open() has already checked for this, so it should be - * impossible to trip now. But we need to be extra cautious - * and check again at the very end too. + * In the past the regular type check was here. It moved to may_open() in + * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is + * an invariant that all non-regular files error out before we get here. */ err = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || - path_noexec(&file->f_path))) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || + path_noexec(&file->f_path)) goto exit; err = deny_write_access(file); if (err) goto exit; -out: return file; exit: -- 2.34.1

8 months, 1 week

1
0
0 0

[PATCH 5.15 00/82] 5.15.169-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.169 release. There are 82 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 23 Oct 2024 10:22:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.169-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.169-rc1 Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Paolo Abeni <pabeni(a)redhat.com> mptcp: prevent MPC handshake on port-based signal endpoints Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: fallback when MPTCP opts are dropped after 1st data Paolo Abeni <pabeni(a)redhat.com> tcp: fix mptcp DSS corruption due to large pmtu xmit Paolo Abeni <pabeni(a)redhat.com> mptcp: handle consistently DSS corruption Geliang Tang <geliang.tang(a)suse.com> mptcp: track and update contiguous data status Marc Zyngier <maz(a)kernel.org> irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Sergey Matsievskiy <matsievskiysv(a)gmail.com> pinctrl: ocelot: fix system hang on level based interrupts Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Clear CPU buffers after register restore in NMI return Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/entry_32: Do not clobber user EFLAGS.ZF Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Nathan Chancellor <nathan(a)kernel.org> x86/resctrl: Annotate get_mem_config() functions as __init Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Mitigate failed set dequeue pointer commands Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix IIO device retrieval from embedded device Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix ALS sensor resolution Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/radeon: Fix encoder->possible_clones Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: close race on waiting for sqring entries Omar Sandoval <osandov(a)fb.com> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Johannes Wikner <kwikner(a)ethz.ch> x86/bugs: Skip RSB fill at VMEXIT Johannes Wikner <kwikner(a)ethz.ch> x86/entry: Have entry_ibpb() invalidate return predictions Johannes Wikner <kwikner(a)ethz.ch> x86/cpufeatures: Add a IBPB_NO_RET BUG flag Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not put cpumask on stack Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: retain test for whether the CPU is valid Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not allow pinning outside of cpuset Wachowski, Karol <karol.wachowski(a)intel.com> drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Breno Leitao <leitao(a)debian.org> KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Mikulas Patocka <mpatocka(a)redhat.com> dm-crypt, dm-verity: disable tasklets Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix potential key use-after-free Patrick Roy <roypat(a)amazon.co.uk> secretmem: disable memfd_secret() if arch cannot set direct map Liu Shixin <liushixin2(a)huawei.com> mm/swapfile: skip HugeTLB pages for unuse_vma OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable Nianyao Tang <tangnianyao(a)huawei.com> irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Oleksij Rempel <linux(a)rempel-privat.de> net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Wei Fang <wei.fang(a)nxp.com> net: enetc: add missing static descriptor and inline keyword Wei Fang <wei.fang(a)nxp.com> net: enetc: remove xdp_drops statistic from enetc_xdp_drop() Jan Kara <jack(a)suse.cz> udf: Fix bogus checksum computation in udf_rename() Jan Kara <jack(a)suse.cz> udf: Don't return bh from udf_expand_dir_adinicb() Jan Kara <jack(a)suse.cz> udf: Handle error when expanding directory Jan Kara <jack(a)suse.cz> udf: Remove old directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_link() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_mkdir() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_add_nondir() to new directory iteration Jan Kara <jack(a)suse.cz> udf: Implement adding of dir entries using new iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_unlink() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_rmdir() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert empty_dir() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_get_parent() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_lookup() to use new directory iteration code Jan Kara <jack(a)suse.cz> udf: Convert udf_readdir() to new directory iteration Jan Kara <jack(a)suse.cz> udf: Convert udf_rename() to new directory iteration code Jan Kara <jack(a)suse.cz> udf: Provide function to mark entry as deleted using new directory iteration code Jan Kara <jack(a)suse.cz> udf: Implement searching for directory entry using new iteration code Jan Kara <jack(a)suse.cz> udf: Move udf_expand_dir_adinicb() to its callsite Jan Kara <jack(a)suse.cz> udf: Convert udf_expand_dir_adinicb() to new directory iteration Jan Kara <jack(a)suse.cz> udf: New directory iteration code Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ------------- Diffstat: Makefile | 4 +- arch/arm64/kernel/probes/decode-insn.c | 16 +- arch/arm64/kernel/probes/simulate-insn.c | 18 +- arch/powerpc/mm/numa.c | 6 +- arch/s390/kvm/diag.c | 2 +- arch/x86/entry/entry.S | 5 + arch/x86/entry/entry_32.S | 6 +- arch/x86/include/asm/cpufeatures.h | 4 +- arch/x86/kernel/apic/apic.c | 14 +- arch/x86/kernel/cpu/bugs.c | 32 + arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/resctrl/core.c | 4 +- block/blk-rq-qos.c | 2 +- drivers/bluetooth/btusb.c | 13 +- drivers/gpu/drm/drm_gem_shmem_helper.c | 3 + drivers/gpu/drm/radeon/radeon_encoders.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/iio/adc/Kconfig | 4 + .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 3 + drivers/iio/light/opt3001.c | 4 + drivers/iio/light/veml6030.c | 5 +- drivers/iio/proximity/Kconfig | 2 + drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-gic-v3-its.c | 26 +- drivers/md/dm-crypt.c | 37 +- drivers/net/ethernet/cadence/macb_main.c | 14 +- drivers/net/ethernet/freescale/enetc/enetc.c | 2 +- drivers/parport/procfs.c | 22 +- drivers/pinctrl/pinctrl-ocelot.c | 8 +- drivers/s390/char/sclp_vt220.c | 4 +- drivers/usb/host/xhci-ring.c | 2 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/serial/option.c | 8 + fs/fat/namei_vfat.c | 2 +- fs/nilfs2/dir.c | 50 +- fs/nilfs2/namei.c | 39 +- fs/nilfs2/nilfs.h | 2 +- fs/udf/dir.c | 148 +-- fs/udf/directory.c | 594 ++++++++--- fs/udf/inode.c | 90 -- fs/udf/namei.c | 1038 +++++++------------- fs/udf/udfdecl.h | 45 +- include/linux/fsl/enetc_mdio.h | 3 +- include/linux/irqchip/arm-gic-v4.h | 4 +- io_uring/io_uring.c | 21 +- kernel/time/posix-clock.c | 3 + mm/secretmem.c | 4 +- mm/swapfile.c | 2 +- net/bluetooth/af_bluetooth.c | 1 + net/ipv4/tcp_output.c | 2 +- net/mac80211/cfg.c | 3 + net/mac80211/key.c | 2 +- net/mptcp/mib.c | 3 + net/mptcp/mib.h | 3 + net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.c | 23 +- net/mptcp/protocol.h | 2 + net/mptcp/subflow.c | 19 +- sound/pci/hda/patch_conexant.c | 19 + virt/kvm/kvm_main.c | 5 +- 61 files changed, 1172 insertions(+), 1242 deletions(-)

8 months, 1 week

8
89
0 0

[PATCH iwl-net 1/2] idpf: avoid vport access in idpf_get_link_ksettings

by Pavan Kumar Linga

When the device control plane is removed or the platform running device control plane is rebooted, a reset is detected on the driver. On driver reset, it releases the resources and waits for the reset to complete. If the reset fails, it takes the error path and releases the vport lock. At this time if the monitoring tools tries to access link settings, it call traces for accessing released vport pointer. To avoid it, move link_speed_mbps to netdev_priv structure which removes the dependency on vport pointer and the vport lock in idpf_get_link_ksettings. Also use netif_carrier_ok() to check the link status and adjust the offsetof to use link_up instead of link_speed_mbps. Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks") Cc: stable(a)vger.kernel.org # 6.7+ Reviewed-by: Tarun K Singh <tarun.k.singh(a)intel.com> Signed-off-by: Pavan Kumar Linga <pavan.kumar.linga(a)intel.com> --- drivers/net/ethernet/intel/idpf/idpf.h | 4 ++-- drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 11 +++-------- drivers/net/ethernet/intel/idpf/idpf_lib.c | 4 ++-- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 2 +- 4 files changed, 8 insertions(+), 13 deletions(-) diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h index 2c31ad87587a..66544faab710 100644 --- a/drivers/net/ethernet/intel/idpf/idpf.h +++ b/drivers/net/ethernet/intel/idpf/idpf.h @@ -141,6 +141,7 @@ enum idpf_vport_state { * @adapter: Adapter back pointer * @vport: Vport back pointer * @vport_id: Vport identifier + * @link_speed_mbps: Link speed in mbps * @vport_idx: Relative vport index * @state: See enum idpf_vport_state * @netstats: Packet and byte stats @@ -150,6 +151,7 @@ struct idpf_netdev_priv { struct idpf_adapter *adapter; struct idpf_vport *vport; u32 vport_id; + u32 link_speed_mbps; u16 vport_idx; enum idpf_vport_state state; struct rtnl_link_stats64 netstats; @@ -287,7 +289,6 @@ struct idpf_port_stats { * @tx_itr_profile: TX profiles for Dynamic Interrupt Moderation * @port_stats: per port csum, header split, and other offload stats * @link_up: True if link is up - * @link_speed_mbps: Link speed in mbps * @sw_marker_wq: workqueue for marker packets */ struct idpf_vport { @@ -331,7 +332,6 @@ struct idpf_vport { struct idpf_port_stats port_stats; bool link_up; - u32 link_speed_mbps; wait_queue_head_t sw_marker_wq; }; diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c index 3806ddd3ce4a..59b1a1a09996 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c @@ -1296,24 +1296,19 @@ static void idpf_set_msglevel(struct net_device *netdev, u32 data) static int idpf_get_link_ksettings(struct net_device *netdev, struct ethtool_link_ksettings *cmd) { - struct idpf_vport *vport; - - idpf_vport_ctrl_lock(netdev); - vport = idpf_netdev_to_vport(netdev); + struct idpf_netdev_priv *np = netdev_priv(netdev); ethtool_link_ksettings_zero_link_mode(cmd, supported); cmd->base.autoneg = AUTONEG_DISABLE; cmd->base.port = PORT_NONE; - if (vport->link_up) { + if (netif_carrier_ok(netdev)) { cmd->base.duplex = DUPLEX_FULL; - cmd->base.speed = vport->link_speed_mbps; + cmd->base.speed = np->link_speed_mbps; } else { cmd->base.duplex = DUPLEX_UNKNOWN; cmd->base.speed = SPEED_UNKNOWN; } - idpf_vport_ctrl_unlock(netdev); - return 0; } diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c index 4f20343e49a9..c3848e10e7db 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_lib.c +++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c @@ -1860,7 +1860,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, * mess with. Nothing below should use those variables from new_vport * and should instead always refer to them in vport if they need to. */ - memcpy(new_vport, vport, offsetof(struct idpf_vport, link_speed_mbps)); + memcpy(new_vport, vport, offsetof(struct idpf_vport, link_up)); /* Adjust resource parameters prior to reallocating resources */ switch (reset_cause) { @@ -1906,7 +1906,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, /* Same comment as above regarding avoiding copying the wait_queues and * mutexes applies here. We do not want to mess with those if possible. */ - memcpy(vport, new_vport, offsetof(struct idpf_vport, link_speed_mbps)); + memcpy(vport, new_vport, offsetof(struct idpf_vport, link_up)); if (reset_cause == IDPF_SR_Q_CHANGE) idpf_vport_alloc_vec_indexes(vport); diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c index 70986e12da28..3be883726b87 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c @@ -141,7 +141,7 @@ static void idpf_handle_event_link(struct idpf_adapter *adapter, } np = netdev_priv(vport->netdev); - vport->link_speed_mbps = le32_to_cpu(v2e->link_speed); + np->link_speed_mbps = le32_to_cpu(v2e->link_speed); if (vport->link_up == v2e->link_status) return; -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH 5.10] iomap: update ki_pos a little later in iomap_dio_complete

by Mahmoud Adam

From: Christoph Hellwig <hch(a)lst.de> upstream 936e114a245b6e38e0dbf706a67e7611fc993da1 commit. Move the ki_pos update down a bit to prepare for a better common helper that invalidates pages based of an iocb. Link: https://lkml.kernel.org/r/20230601145904.1385409-3-hch@lst.de Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Andreas Gruenbacher <agruenba(a)redhat.com> Cc: Anna Schumaker <anna(a)kernel.org> Cc: Chao Yu <chao(a)kernel.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Ilya Dryomov <idryomov(a)gmail.com> Cc: Jaegeuk Kim <jaegeuk(a)kernel.org> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Miklos Szeredi <miklos(a)szeredi.hu> Cc: Miklos Szeredi <mszeredi(a)redhat.com> Cc: Theodore Ts'o <tytso(a)mit.edu> Cc: Trond Myklebust <trond.myklebust(a)hammerspace.com> Cc: Xiubo Li <xiubli(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Mahmoud Adam <mngyadam(a)amazon.com> --- This fixes the ext3/4 data corruption casued by dde4c1e1663b6 ("ext4: properly sync file size update after O_SYNC direct IO"). reported here: https://lore.kernel.org/all/2024102130-thieving-parchment-7885@gregkh/T/#mf… fs/iomap/direct-io.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c index 933f234d5becd..8a49c0d3a7b46 100644 --- a/fs/iomap/direct-io.c +++ b/fs/iomap/direct-io.c @@ -93,7 +93,6 @@ ssize_t iomap_dio_complete(struct iomap_dio *dio) if (offset + ret > dio->i_size && !(dio->flags & IOMAP_DIO_WRITE)) ret = dio->i_size - offset; - iocb->ki_pos += ret; } /* @@ -119,15 +118,18 @@ ssize_t iomap_dio_complete(struct iomap_dio *dio) } inode_dio_end(file_inode(iocb->ki_filp)); - /* - * If this is a DSYNC write, make sure we push it to stable storage now - * that we've written data. - */ - if (ret > 0 && (dio->flags & IOMAP_DIO_NEED_SYNC)) - ret = generic_write_sync(iocb, ret); - kfree(dio); + if (ret > 0) { + iocb->ki_pos += ret; + /* + * If this is a DSYNC write, make sure we push it to stable + * storage now that we've written data. + */ + if (dio->flags & IOMAP_DIO_NEED_SYNC) + ret = generic_write_sync(iocb, ret); + } + kfree(dio); return ret; } EXPORT_SYMBOL_GPL(iomap_dio_complete); -- 2.40.1

8 months, 1 week

1
0
0 0

[PATCH v2] mm: Split critical region in remap_file_pages() and invoke LSMs in between

by Roberto Sassu

From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Commit ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") fixed a security issue, it added an LSM check when trying to remap file pages, so that LSMs have the opportunity to evaluate such action like for other memory operations such as mmap() and mprotect(). However, that commit called security_mmap_file() inside the mmap_lock lock, while the other calls do it before taking the lock, after commit 8b3ec6814c83 ("take security_mmap_file() outside of ->mmap_sem"). This caused lock inversion issue with IMA which was taking the mmap_lock and i_mutex lock in the opposite way when the remap_file_pages() system call was called. Solve the issue by splitting the critical region in remap_file_pages() in two regions: the first takes a read lock of mmap_lock, retrieves the VMA and the file descriptor associated, and calculates the 'prot' and 'flags' variables; the second takes a write lock on mmap_lock, checks that the VMA flags and the VMA file descriptor are the same as the ones obtained in the first critical region (otherwise the system call fails), and calls do_mmap(). In between, after releasing the read lock and before taking the write lock, call security_mmap_file(), and solve the lock inversion issue. Cc: stable(a)vger.kernel.org # v6.12-rcx Fixes: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") Reported-by: syzbot+1cd571a672400ef3a930(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-security-module/66f7b10e.050a0220.46d20.0036.… Reviewed-by: Roberto Sassu <roberto.sassu(a)huawei.com> Reviewed-by: Jann Horn <jannh(a)google.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Tested-by: Roberto Sassu <roberto.sassu(a)huawei.com> Tested-by: syzbot+1cd571a672400ef3a930(a)syzkaller.appspotmail.com Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> --- mm/mmap.c | 69 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 17 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 9c0fb43064b5..f731dd69e162 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1640,6 +1640,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, unsigned long populate = 0; unsigned long ret = -EINVAL; struct file *file; + vm_flags_t vm_flags; pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.\n", current->comm, current->pid); @@ -1656,12 +1657,60 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, if (pgoff + (size >> PAGE_SHIFT) < pgoff) return ret; - if (mmap_write_lock_killable(mm)) + if (mmap_read_lock_killable(mm)) return -EINTR; + /* + * Look up VMA under read lock first so we can perform the security + * without holding locks (which can be problematic). We reacquire a + * write lock later and check nothing changed underneath us. + */ vma = vma_lookup(mm, start); - if (!vma || !(vma->vm_flags & VM_SHARED)) + if (!vma || !(vma->vm_flags & VM_SHARED)) { + mmap_read_unlock(mm); + return -EINVAL; + } + + prot |= vma->vm_flags & VM_READ ? PROT_READ : 0; + prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0; + prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0; + + flags &= MAP_NONBLOCK; + flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE; + if (vma->vm_flags & VM_LOCKED) + flags |= MAP_LOCKED; + + /* Save vm_flags used to calculate prot and flags, and recheck later. */ + vm_flags = vma->vm_flags; + file = get_file(vma->vm_file); + + mmap_read_unlock(mm); + + /* Call outside mmap_lock to be consistent with other callers. */ + ret = security_mmap_file(file, prot, flags); + if (ret) { + fput(file); + return ret; + } + + ret = -EINVAL; + + /* OK security check passed, take write lock + let it rip. */ + if (mmap_write_lock_killable(mm)) { + fput(file); + return -EINTR; + } + + vma = vma_lookup(mm, start); + + if (!vma) + goto out; + + /* Make sure things didn't change under us. */ + if (vma->vm_flags != vm_flags) + goto out; + if (vma->vm_file != file) goto out; if (start + size > vma->vm_end) { @@ -1689,25 +1738,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, goto out; } - prot |= vma->vm_flags & VM_READ ? PROT_READ : 0; - prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0; - prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0; - - flags &= MAP_NONBLOCK; - flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE; - if (vma->vm_flags & VM_LOCKED) - flags |= MAP_LOCKED; - - file = get_file(vma->vm_file); - ret = security_mmap_file(vma->vm_file, prot, flags); - if (ret) - goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); -out_fput: - fput(file); out: mmap_write_unlock(mm); + fput(file); if (populate) mm_populate(ret, populate); if (!IS_ERR_VALUE(ret)) -- 2.34.1

8 months, 1 week

5
6
0 0

[PATCH v2] xhci: Fix Link TRB DMA in command ring stopped completion event

by Faisal Hassan

During the aborting of a command, the software receives a command completion event for the command ring stopped, with the TRB pointing to the next TRB after the aborted command. If the command we abort is located just before the Link TRB in the command ring, then during the 'command ring stopped' completion event, the xHC gives the Link TRB in the event's cmd DMA, which causes a mismatch in handling command completion event. To handle this situation, an additional check has been added to ignore the mismatch error and continue the operation. Fixes: 7f84eef0dafb ("USB: xhci: No-op command queueing and irq handler.") Cc: stable(a)vger.kernel.org Signed-off-by: Faisal Hassan <quic_faisalh(a)quicinc.com> --- Changes in v2: - Removed traversing of TRBs with in_range() API. - Simplified the if condition check. v1 link: https://lore.kernel.org/all/20241018195953.12315-1-quic_faisalh@quicinc.com drivers/usb/host/xhci-ring.c | 43 +++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index b2950c35c740..de375c9f08ca 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -126,6 +126,29 @@ static void inc_td_cnt(struct urb *urb) urb_priv->num_tds_done++; } +/* + * Return true if the DMA is pointing to a Link TRB in the ring; + * otherwise, return false. + */ +static bool is_dma_link_trb(struct xhci_ring *ring, dma_addr_t dma) +{ + struct xhci_segment *seg; + union xhci_trb *trb; + + seg = ring->first_seg; + do { + if (in_range(dma, seg->dma, TRB_SEGMENT_SIZE)) { + /* found the TRB, check if it's link */ + trb = &seg->trbs[(dma - seg->dma) / sizeof(*trb)]; + return trb_is_link(trb); + } + + seg = seg->next; + } while (seg != ring->first_seg); + + return false; +} + static void trb_to_noop(union xhci_trb *trb, u32 noop_type) { if (trb_is_link(trb)) { @@ -1718,6 +1741,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, trace_xhci_handle_command(xhci->cmd_ring, &cmd_trb->generic); + cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg, cmd_trb); /* @@ -1725,17 +1749,26 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, * command. */ if (!cmd_dequeue_dma || cmd_dma != (u64)cmd_dequeue_dma) { - xhci_warn(xhci, - "ERROR mismatched command completion event\n"); - return; + /* + * For the 'command ring stopped' completion event, there + * is a risk of a mismatch in dequeue pointers if we abort + * the command just before the link TRB in the command ring. + * In this scenario, the cmd_dma in the event would point + * to a link TRB, while the software dequeue pointer circles + * back to the start. + */ + if (!(cmd_comp_code == COMP_COMMAND_RING_STOPPED && + is_dma_link_trb(xhci->cmd_ring, cmd_dma))) { + xhci_warn(xhci, + "ERROR mismatched command completion event\n"); + return; + } } cmd = list_first_entry(&xhci->cmd_list, struct xhci_command, cmd_list); cancel_delayed_work(&xhci->cmd_timer); - cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); - /* If CMD ring stopped we own the trbs between enqueue and dequeue */ if (cmd_comp_code == COMP_COMMAND_RING_STOPPED) { complete_all(&xhci->cmd_ring_stop_completion); -- 2.17.1

8 months, 1 week

2
4
0 0

Linux 6.11.5

by Greg Kroah-Hartman

I'm announcing the release of the 6.11.5 kernel. All users of the 6.11 kernel series must upgrade. The updated 6.11.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.11.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/marvell/cn9130-sr-som.dtsi | 2 arch/arm64/include/asm/uprobes.h | 8 - arch/arm64/kernel/probes/decode-insn.c | 16 +- arch/arm64/kernel/probes/simulate-insn.c | 18 +- arch/arm64/kernel/probes/uprobes.c | 4 arch/s390/kvm/diag.c | 2 arch/s390/kvm/gaccess.c | 4 arch/s390/kvm/gaccess.h | 14 +- arch/x86/entry/entry.S | 5 arch/x86/entry/entry_32.S | 6 arch/x86/include/asm/cpufeatures.h | 4 arch/x86/include/asm/nospec-branch.h | 11 + arch/x86/kernel/apic/apic.c | 14 ++ arch/x86/kernel/cpu/amd.c | 3 arch/x86/kernel/cpu/bugs.c | 32 +++++ arch/x86/kernel/cpu/common.c | 3 arch/x86/kernel/cpu/resctrl/core.c | 4 block/blk-mq.c | 8 - block/blk-rq-qos.c | 2 drivers/block/ublk_drv.c | 11 + drivers/bluetooth/btusb.c | 27 +--- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 4 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 22 +-- drivers/gpu/drm/i915/display/intel_dp_mst.c | 40 ++++-- drivers/gpu/drm/radeon/radeon_encoders.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 30 ---- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 - drivers/gpu/drm/xe/xe_sync.c | 2 drivers/gpu/drm/xe/xe_wait_user_fence.c | 3 drivers/iio/accel/Kconfig | 2 drivers/iio/adc/Kconfig | 9 + drivers/iio/amplifiers/Kconfig | 1 drivers/iio/chemical/Kconfig | 2 drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 7 + drivers/iio/frequency/Kconfig | 1 drivers/iio/light/Kconfig | 2 drivers/iio/light/opt3001.c | 4 drivers/iio/light/veml6030.c | 5 drivers/iio/magnetometer/Kconfig | 2 drivers/iio/pressure/Kconfig | 3 drivers/iio/proximity/Kconfig | 2 drivers/iio/resolver/Kconfig | 3 drivers/input/joystick/xpad.c | 3 drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-gic-v3-its.c | 18 +- drivers/irqchip/irq-sifive-plic.c | 29 ++-- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c | 2 drivers/net/ethernet/cadence/macb_main.c | 14 +- drivers/net/ethernet/freescale/enetc/enetc.c | 56 +++++++-- drivers/net/ethernet/freescale/enetc/enetc.h | 1 drivers/net/ethernet/freescale/fec_ptp.c | 58 ++++----- drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c | 2 drivers/parport/procfs.c | 22 +-- drivers/pinctrl/intel/pinctrl-intel-platform.c | 3 drivers/pinctrl/nuvoton/pinctrl-ma35.c | 2 drivers/pinctrl/pinctrl-apple-gpio.c | 3 drivers/pinctrl/pinctrl-ocelot.c | 8 - drivers/pinctrl/stm32/pinctrl-stm32.c | 9 + drivers/s390/char/sclp.c | 3 drivers/s390/char/sclp_vt220.c | 4 drivers/scsi/mpi3mr/mpi3mr.h | 4 drivers/scsi/mpi3mr/mpi3mr_transport.c | 42 ++++-- drivers/tty/n_gsm.c | 2 drivers/tty/serial/imx.c | 15 ++ drivers/tty/serial/qcom_geni_serial.c | 91 +++++++-------- drivers/tty/vt/vt.c | 2 drivers/ufs/core/ufs-mcq.c | 15 +- drivers/ufs/core/ufshcd.c | 24 +-- drivers/usb/dwc3/core.c | 19 +++ drivers/usb/dwc3/core.h | 3 drivers/usb/dwc3/gadget.c | 10 - drivers/usb/gadget/function/f_uac2.c | 6 drivers/usb/gadget/udc/dummy_hcd.c | 20 ++- drivers/usb/host/xhci-ring.c | 2 drivers/usb/host/xhci-tegra.c | 2 drivers/usb/host/xhci.h | 2 drivers/usb/serial/option.c | 8 + drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c | 1 fs/btrfs/tree-log.c | 6 fs/fat/namei_vfat.c | 2 fs/nilfs2/dir.c | 48 ++++--- fs/nilfs2/namei.c | 39 ++++-- fs/nilfs2/nilfs.h | 2 fs/smb/server/mgmt/user_session.c | 26 +++- fs/smb/server/mgmt/user_session.h | 4 fs/smb/server/server.c | 2 fs/smb/server/smb2pdu.c | 8 + include/linux/fsl/enetc_mdio.h | 3 include/linux/irqchip/arm-gic-v4.h | 4 include/trace/events/huge_memory.h | 4 include/uapi/linux/ublk_cmd.h | 8 + io_uring/io_uring.h | 10 + kernel/time/posix-clock.c | 3 kernel/trace/fgraph.c | 28 +++- lib/maple_tree.c | 12 - mm/damon/sysfs-test.h | 1 mm/khugepaged.c | 2 mm/mremap.c | 11 + mm/swapfile.c | 2 mm/vmscan.c | 6 net/bluetooth/af_bluetooth.c | 3 net/bluetooth/iso.c | 6 net/ipv4/tcp_output.c | 4 net/ipv4/udp.c | 4 net/ipv6/udp.c | 4 net/mptcp/mib.c | 1 net/mptcp/mib.h | 1 net/mptcp/pm_netlink.c | 3 net/mptcp/protocol.h | 1 net/mptcp/subflow.c | 11 + sound/pci/hda/patch_conexant.c | 19 +++ sound/usb/mixer_scarlett2.c | 2 tools/testing/selftests/hid/Makefile | 1 tools/testing/selftests/mm/uffd-common.c | 5 tools/testing/selftests/mm/uffd-common.h | 3 tools/testing/selftests/mm/uffd-unit-tests.c | 21 ++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 115 ++++++++++++++----- 121 files changed, 858 insertions(+), 451 deletions(-) Aaron Thompson (3): Bluetooth: Call iso_exit() on module unload Bluetooth: Remove debugfs directory on module init failure Bluetooth: ISO: Fix multiple init when debugfs is disabled Alan Stern (1): USB: gadget: dummy-hcd: Fix "task hung" problem Alex Deucher (2): drm/amdgpu/smu13: always apply the powersave optimization drm/amdgpu/swsmu: Only force workload setup on init Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Charlie Jenkins (1): irqchip/sifive-plic: Return error code on failure Chris Li (1): mm: vmscan.c: fix OOM on swap stress test Christophe JAILLET (1): iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Csókás, Bence (2): net: fec: Move `fec_ptp_read()` to the top of the file net: fec: Remove duplicated code Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Edward Liaw (2): selftests/mm: replace atomic_bool with pthread_barrier_t selftests/mm: fix deadlock for fork after pthread_create on ARM Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Greg Kroah-Hartman (1): Linux 6.11.5 Harshit Mogalapalli (1): pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func() Heiko Thiery (2): misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for EEPROM device misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for OTP device Henry Lin (1): xhci: tegra: fix checked USB2 port number Imre Deak (2): drm/i915/dp_mst: Handle error during DSC BW overhead/slice calculation drm/i915/dp_mst: Don't require DSC hblank quirk for a non-DSC compatible mode Jakub Sitnicki (1): udp: Compute L4 checksum as usual when not segmenting the skb Jann Horn (1): mm/mremap: fix move_normal_pmd/retract_page_tables race Javier Carrasco (23): iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig iio: chemical: ens160: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: magnetometer: af8133j: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: resolver: ad2s1210 add missing select REGMAP in Kconfig iio: pressure: bm1390: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: resolver: ad2s1210: add missing select (TRIGGERED_)BUFFER in Kconfig iio: adc: ad7944: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig pinctrl: intel: platform: fix error path in device_for_each_child_node() Jens Axboe (2): io_uring/sqpoll: close race on waiting for sqring entries io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work Jeongjun Park (1): vt: prevent kernel-infoleak in con_font_get() Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (3): posix-clock: Fix missing timespec64 check in pc_clock_settime() net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets() Johan Hovold (5): serial: qcom-geni: fix polled console initialisation serial: qcom-geni: revert broken hibernation support serial: qcom-geni: fix shutdown race serial: qcom-geni: fix dma rx cancellation serial: qcom-geni: fix receiver enable Johannes Wikner (4): x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry John Allen (1): x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load John Edwards (1): Input: xpad - add support for MSI Claw A1M Jonathan Marek (1): usb: typec: qcom-pmic-typec: fix sink status being overwritten with RP_DEF Josua Mayer (1): arm64: dts: marvell: cn9130-sr-som: fix cp0 mdio pin numbers Kevin Groeneveld (1): usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store Liu Shixin (1): mm/swapfile: skip HugeTLB pages for unuse_vma Longlong Xia (1): tty: n_gsm: Fix use-after-free in gsm_cleanup_mux Lorenzo Stoakes (1): maple_tree: correct tree corruption on spanning store Lu Baolu (1): iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Luiz Augusto von Dentz (2): Bluetooth: btusb: Fix not being able to reconnect after suspend Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Ma Ke (2): pinctrl: stm32: check devm_kasprintf() returned value pinctrl: apple: check devm_kasprintf() returned value Marc Zyngier (1): irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Marek Vasut (1): serial: imx: Update mctrl old_status on RTSD interrupt Mark Rutland (3): arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() arm64: probes: Fix uprobes for big-endian kernels Mathias Nyman (2): xhci: Fix incorrect stream context type macro xhci: Mitigate failed set dequeue pointer commands Matthew Auld (1): drm/xe/xe_sync: initialise ufence.signalled Matthieu Baerts (NGI0) (1): mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Michael Chen (1): drm/amdgpu/mes: fix issue of writing to the same log buffer from 2 MES pipes Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Ming Lei (2): blk-mq: setup queue ->tag_set before initializing hctx ublk: don't allow user copy for unprivileged device Mohammed Anees (1): drm/amdgpu: prevent BO_HANDLES error from being overwritten Nam Cao (1): irqchip/sifive-plic: Unmask interrupt in plic_irq_enable() Namjae Jeon (1): ksmbd: fix user-after-free from session log off Nathan Chancellor (1): x86/resctrl: Annotate get_mem_config() functions as __init Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly Nirmoy Das (1): drm/xe/ufence: ufence can be signaled right after wait_woken OGAWA Hirofumi (1): fat: fix uninitialized variable Oleksij Rempel (1): net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Omar Sandoval (1): blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Paolo Abeni (3): selftests: mptcp: join: test for prohibited MPC to port-based endp tcp: fix mptcp DSS corruption due to large pmtu xmit mptcp: prevent MPC handshake on port-based signal endpoints Pawan Gupta (3): x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return x86/bugs: Use code segment selector for VERW operand Peter Wang (2): scsi: ufs: core: Fix the issue of ICU failure scsi: ufs: core: Requeue aborted request Prashanth K (1): usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG Ranjan Kumar (1): scsi: mpi3mr: Validate SAS port assignments Roger Quadros (1): usb: dwc3: core: Fix system suspend on TI AM62 platforms Roi Martin (2): btrfs: fix uninitialized pointer free in add_inode_ref() btrfs: fix uninitialized pointer free on read_alloc_one_name() error Ryusuke Konishi (1): nilfs2: propagate directory read errors from nilfs_find_entry() Sergey Matsievskiy (1): pinctrl: ocelot: fix system hang on level based interrupts Seunghwan Baek (1): scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down Stefan Kerkmann (1): Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller Steven Rostedt (1): fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks Takashi Iwai (1): parport: Proper fix for array out-of-bounds access Thomas Weißschuh (2): s390/sclp: Deactivate sclp after all its users s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Vasiliy Kovalev (2): ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Ville Syrjälä (1): drm/radeon: Fix encoder->possible_clones Wei Fang (5): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: block concurrent XDP transmissions during ring reconfiguration net: enetc: disable Tx BD rings after they are empty net: enetc: disable NAPI after all rings are disabled net: enetc: add missing static descriptor and inline keyword Wei Xu (1): mm/mglru: only clear kswapd_failures if reclaimable Yang Shi (1): mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point Yun Lu (1): selftest: hid: add the missing tests directory Zack Rusin (1): drm/vmwgfx: Cleanup kms setup without 3d Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer Zhu Jun (1): ALSA: scarlett2: Add error check after retrieving PEQ filter values

8 months, 1 week

1
1
0 0

Linux 6.6.58

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.58 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/include/asm/uprobes.h | 8 - arch/arm64/kernel/probes/decode-insn.c | 16 +- arch/arm64/kernel/probes/simulate-insn.c | 18 -- arch/arm64/kernel/probes/uprobes.c | 4 arch/s390/kvm/diag.c | 2 arch/s390/kvm/gaccess.c | 4 arch/s390/kvm/gaccess.h | 14 + arch/x86/entry/entry.S | 5 arch/x86/entry/entry_32.S | 6 arch/x86/include/asm/cpufeatures.h | 4 arch/x86/include/asm/nospec-branch.h | 11 + arch/x86/kernel/apic/apic.c | 14 + arch/x86/kernel/cpu/amd.c | 3 arch/x86/kernel/cpu/bugs.c | 32 ++++ arch/x86/kernel/cpu/common.c | 3 arch/x86/kernel/cpu/resctrl/core.c | 4 block/blk-rq-qos.c | 2 drivers/block/ublk_drv.c | 11 + drivers/bluetooth/btusb.c | 13 + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 drivers/gpu/drm/radeon/radeon_encoders.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/iio/accel/Kconfig | 2 drivers/iio/adc/Kconfig | 5 drivers/iio/amplifiers/Kconfig | 1 drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 7 drivers/iio/frequency/Kconfig | 1 drivers/iio/light/Kconfig | 2 drivers/iio/light/opt3001.c | 4 drivers/iio/light/veml6030.c | 5 drivers/iio/proximity/Kconfig | 2 drivers/input/joystick/xpad.c | 2 drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-gic-v3-its.c | 26 ++- drivers/irqchip/irq-sifive-plic.c | 21 +- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_otpe2p.c | 2 drivers/net/ethernet/cadence/macb_main.c | 14 + drivers/net/ethernet/freescale/enetc/enetc.c | 56 ++++++- drivers/net/ethernet/freescale/enetc/enetc.h | 1 drivers/net/ethernet/freescale/fec_ptp.c | 58 +++----- drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c | 2 drivers/parport/procfs.c | 22 +-- drivers/pinctrl/pinctrl-apple-gpio.c | 3 drivers/pinctrl/pinctrl-ocelot.c | 8 - drivers/pinctrl/stm32/pinctrl-stm32.c | 9 - drivers/s390/char/sclp.c | 3 drivers/s390/char/sclp_vt220.c | 4 drivers/tty/n_gsm.c | 2 drivers/tty/serial/imx.c | 15 ++ drivers/tty/serial/qcom_geni_serial.c | 90 +++++------- drivers/tty/vt/vt.c | 2 drivers/ufs/core/ufs-mcq.c | 15 +- drivers/ufs/core/ufshcd.c | 4 drivers/usb/dwc3/gadget.c | 10 - drivers/usb/host/xhci-ring.c | 2 drivers/usb/host/xhci-tegra.c | 2 drivers/usb/host/xhci.h | 2 drivers/usb/serial/option.c | 8 + drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c | 1 fs/btrfs/tree-log.c | 6 fs/fat/namei_vfat.c | 2 fs/nilfs2/dir.c | 50 +++---- fs/nilfs2/namei.c | 39 +++-- fs/nilfs2/nilfs.h | 2 fs/smb/server/mgmt/user_session.c | 26 ++- fs/smb/server/mgmt/user_session.h | 4 fs/smb/server/server.c | 2 fs/smb/server/smb2pdu.c | 8 - fs/xfs/libxfs/xfs_attr.c | 11 + fs/xfs/libxfs/xfs_attr.h | 4 fs/xfs/libxfs/xfs_attr_leaf.c | 6 fs/xfs/libxfs/xfs_attr_remote.c | 1 fs/xfs/libxfs/xfs_bmap.c | 130 +++++++++++++++--- fs/xfs/libxfs/xfs_da_btree.c | 20 -- fs/xfs/libxfs/xfs_da_format.h | 5 fs/xfs/libxfs/xfs_inode_buf.c | 47 +++++- fs/xfs/libxfs/xfs_sb.c | 7 fs/xfs/scrub/attr.c | 47 +++--- fs/xfs/scrub/common.c | 12 - fs/xfs/scrub/scrub.h | 7 fs/xfs/xfs_aops.c | 54 +------ fs/xfs/xfs_attr_item.c | 98 +++++++++++-- fs/xfs/xfs_attr_list.c | 11 - fs/xfs/xfs_bmap_util.c | 61 +++++--- fs/xfs/xfs_bmap_util.h | 2 fs/xfs/xfs_dquot.c | 1 fs/xfs/xfs_icache.c | 2 fs/xfs/xfs_inode.c | 37 +++-- fs/xfs/xfs_iomap.c | 81 ++++++----- fs/xfs/xfs_reflink.c | 20 -- fs/xfs/xfs_rtalloc.c | 2 include/linux/fsl/enetc_mdio.h | 3 include/linux/irqchip/arm-gic-v4.h | 4 include/uapi/linux/ublk_cmd.h | 8 - io_uring/io_uring.h | 9 + kernel/time/posix-clock.c | 3 lib/maple_tree.c | 12 - mm/mremap.c | 11 + mm/swapfile.c | 2 mm/vmscan.c | 4 net/bluetooth/af_bluetooth.c | 3 net/bluetooth/iso.c | 6 net/ipv4/tcp_output.c | 4 net/mptcp/mib.c | 1 net/mptcp/mib.h | 1 net/mptcp/pm_netlink.c | 3 net/mptcp/protocol.h | 1 net/mptcp/subflow.c | 11 + sound/pci/hda/patch_conexant.c | 19 ++ tools/testing/selftests/hid/Makefile | 1 tools/testing/selftests/mm/uffd-common.c | 5 tools/testing/selftests/mm/uffd-common.h | 3 tools/testing/selftests/mm/uffd-unit-tests.c | 21 ++ tools/testing/selftests/net/mptcp/mptcp_join.sh | 135 +++++++++++++------ tools/testing/selftests/net/mptcp/mptcp_lib.sh | 11 - 118 files changed, 1122 insertions(+), 570 deletions(-) Aaron Thompson (3): Bluetooth: Call iso_exit() on module unload Bluetooth: Remove debugfs directory on module init failure Bluetooth: ISO: Fix multiple init when debugfs is disabled Alex Deucher (1): drm/amdgpu/swsmu: Only force workload setup on init Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Christoph Hellwig (4): xfs: fix error returns from xfs_bmapi_write xfs: fix xfs_bmap_add_extent_delay_real for partial conversions xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent xfs: fix freeing speculative preallocations for preallocated files Christophe JAILLET (1): iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Csókás, Bence (2): net: fec: Move `fec_ptp_read()` to the top of the file net: fec: Remove duplicated code Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Darrick J. Wong (11): xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 xfs: fix missing check for invalid attr flags xfs: check shortform attr entry flags specifically xfs: validate recovered name buffers when recovering xattr items xfs: enforce one namespace per attribute xfs: revert commit 44af6c7e59b12 xfs: use dontcache for grabbing inodes during scrub xfs: allow symlinks with short remote targets xfs: allow unlinked symlinks and dirs with zero size xfs: restrict when we try to align cow fork delalloc to cowextsz hints Dave Chinner (1): xfs: fix unlink vs cluster buffer instantiation race Edward Liaw (2): selftests/mm: replace atomic_bool with pthread_barrier_t selftests/mm: fix deadlock for fork after pthread_create on ARM Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Geliang Tang (1): selftests: mptcp: join: change capture/checksum as bool Greg Kroah-Hartman (1): Linux 6.6.58 Heiko Thiery (2): misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for EEPROM device misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for OTP device Henry Lin (1): xhci: tegra: fix checked USB2 port number Jann Horn (1): mm/mremap: fix move_normal_pmd/retract_page_tables race Javier Carrasco (15): iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jens Axboe (1): io_uring/sqpoll: close race on waiting for sqring entries Jeongjun Park (1): vt: prevent kernel-infoleak in con_font_get() Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (2): posix-clock: Fix missing timespec64 check in pc_clock_settime() net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test() Johan Hovold (4): serial: qcom-geni: fix polled console initialisation serial: qcom-geni: revert broken hibernation support serial: qcom-geni: fix dma rx cancellation serial: qcom-geni: fix receiver enable Johannes Wikner (4): x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry John Allen (1): x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load John Edwards (1): Input: xpad - add support for MSI Claw A1M Jonathan Marek (1): usb: typec: qcom-pmic-typec: fix sink status being overwritten with RP_DEF Liu Shixin (1): mm/swapfile: skip HugeTLB pages for unuse_vma Longlong Xia (1): tty: n_gsm: Fix use-after-free in gsm_cleanup_mux Lorenzo Stoakes (1): maple_tree: correct tree corruption on spanning store Lu Baolu (1): iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Luiz Augusto von Dentz (1): Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Ma Ke (2): pinctrl: stm32: check devm_kasprintf() returned value pinctrl: apple: check devm_kasprintf() returned value Marc Zyngier (1): irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Marek Vasut (1): serial: imx: Update mctrl old_status on RTSD interrupt Mark Rutland (3): arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() arm64: probes: Fix uprobes for big-endian kernels Mathias Nyman (2): xhci: Fix incorrect stream context type macro xhci: Mitigate failed set dequeue pointer commands Matthieu Baerts (NGI0) (2): mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow selftests: mptcp: remove duplicated variables Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Ming Lei (1): ublk: don't allow user copy for unprivileged device Mohammed Anees (1): drm/amdgpu: prevent BO_HANDLES error from being overwritten Nam Cao (1): irqchip/sifive-plic: Unmask interrupt in plic_irq_enable() Namjae Jeon (1): ksmbd: fix user-after-free from session log off Nathan Chancellor (1): x86/resctrl: Annotate get_mem_config() functions as __init Nianyao Tang (1): irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly OGAWA Hirofumi (1): fat: fix uninitialized variable Oleksij Rempel (1): net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Omar Sandoval (1): blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Paolo Abeni (3): mptcp: prevent MPC handshake on port-based signal endpoints tcp: fix mptcp DSS corruption due to large pmtu xmit selftests: mptcp: join: test for prohibited MPC to port-based endp Pawan Gupta (3): x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return x86/bugs: Use code segment selector for VERW operand Peter Wang (1): scsi: ufs: core: Fix the issue of ICU failure Prashanth K (1): usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG Roi Martin (2): btrfs: fix uninitialized pointer free in add_inode_ref() btrfs: fix uninitialized pointer free on read_alloc_one_name() error Ryusuke Konishi (1): nilfs2: propagate directory read errors from nilfs_find_entry() Sergey Matsievskiy (1): pinctrl: ocelot: fix system hang on level based interrupts Seunghwan Baek (1): scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down Takashi Iwai (1): parport: Proper fix for array out-of-bounds access Thomas Weißschuh (2): s390/sclp: Deactivate sclp after all its users s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Vasiliy Kovalev (2): ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Ville Syrjälä (1): drm/radeon: Fix encoder->possible_clones Wei Fang (5): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: block concurrent XDP transmissions during ring reconfiguration net: enetc: disable Tx BD rings after they are empty net: enetc: disable NAPI after all rings are disabled net: enetc: add missing static descriptor and inline keyword Wei Xu (1): mm/mglru: only clear kswapd_failures if reclaimable Wengang Wang (1): xfs: make sure sb_fdblocks is non-negative Yun Lu (1): selftest: hid: add the missing tests directory Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer Zhang Yi (4): xfs: match lock mode in xfs_buffered_write_iomap_begin() xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset xfs: convert delayed extents to unwritten when zeroing post eof blocks

8 months, 1 week

1
1
0 0

Linux 6.1.114

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.114 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/kernel/probes/decode-insn.c | 16 arch/arm64/kernel/probes/simulate-insn.c | 18 arch/s390/kvm/diag.c | 2 arch/s390/kvm/gaccess.c | 4 arch/s390/kvm/gaccess.h | 14 arch/x86/entry/entry.S | 5 arch/x86/entry/entry_32.S | 6 arch/x86/include/asm/cpufeatures.h | 4 arch/x86/kernel/apic/apic.c | 14 arch/x86/kernel/cpu/bugs.c | 32 arch/x86/kernel/cpu/common.c | 3 arch/x86/kernel/cpu/resctrl/core.c | 4 block/blk-rq-qos.c | 2 drivers/bluetooth/btusb.c | 13 drivers/crypto/vmx/Makefile | 12 drivers/crypto/vmx/ppc-xlate.pl | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 drivers/gpu/drm/drm_gem_shmem_helper.c | 3 drivers/gpu/drm/radeon/radeon_encoders.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/iio/adc/Kconfig | 4 drivers/iio/amplifiers/Kconfig | 1 drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 7 drivers/iio/light/opt3001.c | 4 drivers/iio/light/veml6030.c | 5 drivers/iio/proximity/Kconfig | 2 drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-gic-v3-its.c | 26 drivers/irqchip/irq-sifive-plic.c | 21 drivers/net/ethernet/cadence/macb_main.c | 14 drivers/net/ethernet/freescale/enetc/enetc.c | 2 drivers/parport/procfs.c | 22 drivers/pinctrl/pinctrl-apple-gpio.c | 3 drivers/pinctrl/pinctrl-ocelot.c | 8 drivers/s390/char/sclp.c | 3 drivers/s390/char/sclp_vt220.c | 4 drivers/tty/n_gsm.c | 2 drivers/ufs/core/ufshcd.c | 4 drivers/usb/dwc3/gadget.c | 10 drivers/usb/host/xhci-ring.c | 2 drivers/usb/host/xhci.h | 2 drivers/usb/serial/option.c | 8 fs/btrfs/tree-log.c | 6 fs/fat/namei_vfat.c | 2 fs/nilfs2/dir.c | 50 fs/nilfs2/namei.c | 39 fs/nilfs2/nilfs.h | 2 fs/smb/server/mgmt/user_session.c | 26 fs/smb/server/mgmt/user_session.h | 4 fs/smb/server/server.c | 2 fs/smb/server/smb2pdu.c | 8 fs/udf/dir.c | 148 -- fs/udf/directory.c | 570 ++++++++-- fs/udf/inode.c | 90 - fs/udf/namei.c | 1049 ++++++-------------- fs/udf/udfdecl.h | 45 include/linux/fsl/enetc_mdio.h | 3 include/linux/irqchip/arm-gic-v4.h | 4 io_uring/io_uring.h | 9 kernel/time/posix-clock.c | 3 lib/maple_tree.c | 12 mm/swapfile.c | 2 net/bluetooth/af_bluetooth.c | 3 net/bluetooth/iso.c | 6 net/devlink/leftover.c | 40 net/ipv4/tcp_output.c | 4 net/mptcp/mib.c | 1 net/mptcp/mib.h | 1 net/mptcp/pm_netlink.c | 3 net/mptcp/protocol.h | 1 net/mptcp/subflow.c | 11 sound/pci/hda/patch_conexant.c | 19 75 files changed, 1235 insertions(+), 1263 deletions(-) Aaron Thompson (3): Bluetooth: Call iso_exit() on module unload Bluetooth: Remove debugfs directory on module init failure Bluetooth: ISO: Fix multiple init when debugfs is disabled Alex Deucher (1): drm/amdgpu/swsmu: Only force workload setup on init Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Christophe JAILLET (1): iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Greg Kroah-Hartman (1): Linux 6.1.114 Jakub Kicinski (2): devlink: drop the filter argument from devlinks_xa_find_get devlink: bump the instance index directly when iterating Jan Kara (21): udf: New directory iteration code udf: Convert udf_expand_dir_adinicb() to new directory iteration udf: Move udf_expand_dir_adinicb() to its callsite udf: Implement searching for directory entry using new iteration code udf: Provide function to mark entry as deleted using new directory iteration code udf: Convert udf_rename() to new directory iteration code udf: Convert udf_readdir() to new directory iteration udf: Convert udf_lookup() to use new directory iteration code udf: Convert udf_get_parent() to new directory iteration code udf: Convert empty_dir() to new directory iteration code udf: Convert udf_rmdir() to new directory iteration code udf: Convert udf_unlink() to new directory iteration code udf: Implement adding of dir entries using new iteration code udf: Convert udf_add_nondir() to new directory iteration udf: Convert udf_mkdir() to new directory iteration code udf: Convert udf_link() to new directory iteration code udf: Remove old directory iteration code udf: Handle error when expanding directory udf: Don't return bh from udf_expand_dir_adinicb() udf: Allocate name buffer in directory iterator on heap udf: Avoid directory type conversion failure due to ENOMEM Javier Carrasco (11): iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jens Axboe (1): io_uring/sqpoll: close race on waiting for sqring entries Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (1): posix-clock: Fix missing timespec64 check in pc_clock_settime() Johannes Wikner (4): x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Liu Shixin (1): mm/swapfile: skip HugeTLB pages for unuse_vma Longlong Xia (1): tty: n_gsm: Fix use-after-free in gsm_cleanup_mux Lorenzo Stoakes (1): maple_tree: correct tree corruption on spanning store Lu Baolu (1): iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Luiz Augusto von Dentz (1): Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Ma Ke (1): pinctrl: apple: check devm_kasprintf() returned value Marc Zyngier (1): irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Mark Rutland (2): arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() Mathias Nyman (2): xhci: Fix incorrect stream context type macro xhci: Mitigate failed set dequeue pointer commands Matthieu Baerts (NGI0) (1): mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Mohammed Anees (1): drm/amdgpu: prevent BO_HANDLES error from being overwritten Nam Cao (1): irqchip/sifive-plic: Unmask interrupt in plic_irq_enable() Namjae Jeon (1): ksmbd: fix user-after-free from session log off Nathan Chancellor (1): x86/resctrl: Annotate get_mem_config() functions as __init Nianyao Tang (1): irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Nicholas Piggin (1): powerpc/64: Add big-endian ELFv2 flavour to crypto VMX asm generation Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly OGAWA Hirofumi (1): fat: fix uninitialized variable Oleksij Rempel (1): net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Omar Sandoval (1): blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Paolo Abeni (2): tcp: fix mptcp DSS corruption due to large pmtu xmit mptcp: prevent MPC handshake on port-based signal endpoints Pawan Gupta (2): x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return Prashanth K (1): usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG Roi Martin (2): btrfs: fix uninitialized pointer free in add_inode_ref() btrfs: fix uninitialized pointer free on read_alloc_one_name() error Ryusuke Konishi (1): nilfs2: propagate directory read errors from nilfs_find_entry() Sergey Matsievskiy (1): pinctrl: ocelot: fix system hang on level based interrupts Seunghwan Baek (1): scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down Takashi Iwai (1): parport: Proper fix for array out-of-bounds access Thomas Weißschuh (2): s390/sclp: Deactivate sclp after all its users s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Vasiliy Kovalev (2): ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Ville Syrjälä (1): drm/radeon: Fix encoder->possible_clones Wachowski, Karol (1): drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Wei Fang (2): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: add missing static descriptor and inline keyword Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer

8 months, 1 week

1
1
0 0

Linux 5.15.169

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.169 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/kernel/probes/decode-insn.c | 16 arch/arm64/kernel/probes/simulate-insn.c | 18 arch/powerpc/mm/numa.c | 6 arch/s390/kvm/diag.c | 2 arch/x86/entry/entry.S | 5 arch/x86/entry/entry_32.S | 6 arch/x86/include/asm/cpufeatures.h | 4 arch/x86/kernel/apic/apic.c | 14 arch/x86/kernel/cpu/bugs.c | 32 arch/x86/kernel/cpu/common.c | 3 arch/x86/kernel/cpu/resctrl/core.c | 4 block/blk-rq-qos.c | 2 drivers/bluetooth/btusb.c | 13 drivers/gpu/drm/drm_gem_shmem_helper.c | 3 drivers/gpu/drm/radeon/radeon_encoders.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/iio/adc/Kconfig | 4 drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 3 drivers/iio/light/opt3001.c | 4 drivers/iio/light/veml6030.c | 5 drivers/iio/proximity/Kconfig | 2 drivers/iommu/intel/iommu.c | 4 drivers/irqchip/irq-gic-v3-its.c | 26 drivers/md/dm-crypt.c | 37 drivers/net/ethernet/cadence/macb_main.c | 14 drivers/net/ethernet/freescale/enetc/enetc.c | 2 drivers/parport/procfs.c | 22 drivers/pinctrl/pinctrl-ocelot.c | 8 drivers/s390/char/sclp_vt220.c | 4 drivers/usb/host/xhci-ring.c | 2 drivers/usb/host/xhci.h | 2 drivers/usb/serial/option.c | 8 fs/fat/namei_vfat.c | 2 fs/nilfs2/dir.c | 50 fs/nilfs2/namei.c | 39 fs/nilfs2/nilfs.h | 2 fs/udf/dir.c | 148 -- fs/udf/directory.c | 564 +++++++--- fs/udf/inode.c | 90 - fs/udf/namei.c | 1050 ++++++-------------- fs/udf/udfdecl.h | 45 include/linux/fsl/enetc_mdio.h | 3 include/linux/irqchip/arm-gic-v4.h | 4 io_uring/io_uring.c | 21 kernel/time/posix-clock.c | 3 mm/secretmem.c | 4 mm/swapfile.c | 2 net/bluetooth/af_bluetooth.c | 1 net/ipv4/tcp_output.c | 2 net/mac80211/cfg.c | 3 net/mac80211/key.c | 2 net/mptcp/mib.c | 3 net/mptcp/mib.h | 3 net/mptcp/pm_netlink.c | 3 net/mptcp/protocol.c | 23 net/mptcp/protocol.h | 2 net/mptcp/subflow.c | 19 sound/pci/hda/patch_conexant.c | 19 virt/kvm/kvm_main.c | 5 61 files changed, 1162 insertions(+), 1232 deletions(-) Aaron Thompson (1): Bluetooth: Remove debugfs directory on module init failure Aneesh Kumar K.V (1): powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Breno Leitao (1): KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Christophe JAILLET (1): iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Felix Moessbauer (2): io_uring/sqpoll: do not allow pinning outside of cpuset io_uring/sqpoll: do not put cpumask on stack Geliang Tang (1): mptcp: track and update contiguous data status Greg Kroah-Hartman (1): Linux 5.15.169 Jan Kara (20): udf: New directory iteration code udf: Convert udf_expand_dir_adinicb() to new directory iteration udf: Move udf_expand_dir_adinicb() to its callsite udf: Implement searching for directory entry using new iteration code udf: Provide function to mark entry as deleted using new directory iteration code udf: Convert udf_rename() to new directory iteration code udf: Convert udf_readdir() to new directory iteration udf: Convert udf_lookup() to use new directory iteration code udf: Convert udf_get_parent() to new directory iteration code udf: Convert empty_dir() to new directory iteration code udf: Convert udf_rmdir() to new directory iteration code udf: Convert udf_unlink() to new directory iteration code udf: Implement adding of dir entries using new iteration code udf: Convert udf_add_nondir() to new directory iteration udf: Convert udf_mkdir() to new directory iteration code udf: Convert udf_link() to new directory iteration code udf: Remove old directory iteration code udf: Handle error when expanding directory udf: Don't return bh from udf_expand_dir_adinicb() udf: Fix bogus checksum computation in udf_rename() Javier Carrasco (8): iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jens Axboe (2): io_uring/sqpoll: retain test for whether the CPU is valid io_uring/sqpoll: close race on waiting for sqring entries Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (1): posix-clock: Fix missing timespec64 check in pc_clock_settime() Johannes Berg (1): wifi: mac80211: fix potential key use-after-free Johannes Wikner (4): x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Liu Shixin (1): mm/swapfile: skip HugeTLB pages for unuse_vma Lu Baolu (1): iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Luiz Augusto von Dentz (1): Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Marc Zyngier (1): irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Mark Rutland (2): arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() Mathias Nyman (2): xhci: Fix incorrect stream context type macro xhci: Mitigate failed set dequeue pointer commands Matthieu Baerts (NGI0) (2): mptcp: fallback when MPTCP opts are dropped after 1st data mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Mikulas Patocka (1): dm-crypt, dm-verity: disable tasklets Nathan Chancellor (1): x86/resctrl: Annotate get_mem_config() functions as __init Nianyao Tang (1): irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly OGAWA Hirofumi (1): fat: fix uninitialized variable Oleksij Rempel (1): net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Omar Sandoval (1): blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Paolo Abeni (3): mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit mptcp: prevent MPC handshake on port-based signal endpoints Patrick Roy (1): secretmem: disable memfd_secret() if arch cannot set direct map Pawan Gupta (2): x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return Ryusuke Konishi (1): nilfs2: propagate directory read errors from nilfs_find_entry() Sergey Matsievskiy (1): pinctrl: ocelot: fix system hang on level based interrupts Takashi Iwai (1): parport: Proper fix for array out-of-bounds access Thomas Weißschuh (1): s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Vasiliy Kovalev (2): ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Ville Syrjälä (1): drm/radeon: Fix encoder->possible_clones Wachowski, Karol (1): drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Wei Fang (2): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: add missing static descriptor and inline keyword Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer

8 months, 1 week

1
1
0 0

Linux 5.10.228

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.228 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/kernel/probes/decode-insn.c | 16 ++++-- arch/arm64/kernel/probes/simulate-insn.c | 18 ++----- arch/powerpc/mm/numa.c | 6 +- arch/s390/kvm/diag.c | 2 arch/x86/entry/entry.S | 5 ++ arch/x86/entry/entry_32.S | 6 +- arch/x86/include/asm/cpufeatures.h | 5 +- arch/x86/kernel/apic/apic.c | 14 +++++ arch/x86/kernel/cpu/bugs.c | 32 ++++++++++++ arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/resctrl/core.c | 4 - block/blk-rq-qos.c | 2 drivers/bluetooth/btusb.c | 13 +++-- drivers/gpu/drm/radeon/radeon_encoders.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/iio/adc/Kconfig | 4 + drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 3 + drivers/iio/light/opt3001.c | 4 + drivers/iio/light/veml6030.c | 5 -- drivers/iio/proximity/Kconfig | 2 drivers/irqchip/irq-gic-v3-its.c | 26 +++++++--- drivers/net/ethernet/cadence/macb_main.c | 14 ++++- drivers/parport/procfs.c | 22 ++++---- drivers/s390/char/sclp_vt220.c | 4 - drivers/usb/host/xhci.h | 2 drivers/usb/serial/option.c | 8 +++ fs/fat/namei_vfat.c | 2 fs/nilfs2/dir.c | 50 ++++++++++---------- fs/nilfs2/namei.c | 39 ++++++++++----- fs/nilfs2/nilfs.h | 2 include/linux/fsl/enetc_mdio.h | 3 - include/linux/irqchip/arm-gic-v4.h | 4 + io_uring/io_uring.c | 21 ++++++++ kernel/time/posix-clock.c | 3 + mm/swapfile.c | 2 net/bluetooth/af_bluetooth.c | 1 net/ipv4/tcp_output.c | 2 net/mac80211/cfg.c | 3 + net/mac80211/key.c | 2 net/mptcp/mib.c | 2 net/mptcp/mib.h | 2 net/mptcp/protocol.c | 26 ++++++++-- net/mptcp/protocol.h | 1 net/mptcp/subflow.c | 3 - sound/pci/hda/patch_conexant.c | 19 +++++++ virt/kvm/kvm_main.c | 5 +- 48 files changed, 307 insertions(+), 112 deletions(-) Aaron Thompson (1): Bluetooth: Remove debugfs directory on module init failure Aneesh Kumar K.V (1): powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Breno Leitao (1): KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Christophe JAILLET (1): iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Felix Moessbauer (2): io_uring/sqpoll: do not allow pinning outside of cpuset io_uring/sqpoll: do not put cpumask on stack Geliang Tang (1): mptcp: track and update contiguous data status Greg Kroah-Hartman (1): Linux 5.10.228 Javier Carrasco (8): iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jens Axboe (2): io_uring/sqpoll: retain test for whether the CPU is valid io_uring/sqpoll: close race on waiting for sqring entries Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (1): posix-clock: Fix missing timespec64 check in pc_clock_settime() Johannes Berg (1): wifi: mac80211: fix potential key use-after-free Johannes Wikner (4): x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Liu Shixin (1): mm/swapfile: skip HugeTLB pages for unuse_vma Luiz Augusto von Dentz (1): Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Marc Zyngier (1): irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Mark Rutland (2): arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() Mathias Nyman (1): xhci: Fix incorrect stream context type macro Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Nathan Chancellor (1): x86/resctrl: Annotate get_mem_config() functions as __init Nianyao Tang (1): irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly OGAWA Hirofumi (1): fat: fix uninitialized variable Oleksij Rempel (1): net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Omar Sandoval (1): blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Paolo Abeni (2): mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit Pawan Gupta (2): x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return Ryusuke Konishi (1): nilfs2: propagate directory read errors from nilfs_find_entry() Takashi Iwai (1): parport: Proper fix for array out-of-bounds access Thomas Weißschuh (1): s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Vasiliy Kovalev (2): ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Ville Syrjälä (1): drm/radeon: Fix encoder->possible_clones Wei Fang (1): net: enetc: add missing static descriptor and inline keyword Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer

8 months, 1 week

1
1
0 0

[PATCH] lib: string_helpers: fix potential snprintf() output truncation

by Bartosz Golaszewski

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> The output of ".%03u" with the unsigned int in range [0, 4294966295] may get truncated if the target buffer is not 12 bytes. Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range") Cc: stable(a)vger.kernel.org Reviewed-by: Andy Shevchenko <andy(a)kernel.org> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- lib/string_helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/string_helpers.c b/lib/string_helpers.c index 4f887aa62fa0..91fa37b5c510 100644 --- a/lib/string_helpers.c +++ b/lib/string_helpers.c @@ -57,7 +57,7 @@ int string_get_size(u64 size, u64 blk_size, const enum string_size_units units, static const unsigned int rounding[] = { 500, 50, 5 }; int i = 0, j; u32 remainder = 0, sf_cap; - char tmp[8]; + char tmp[12]; const char *unit; tmp[0] = '\0'; -- 2.43.0

8 months, 1 week

6
8
0 0

[PATCH] wifi: cfg80211: clear wdev->cqm_config pointer on free

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free. Reported-by: syzbot+36218cddfd84b5cc263e(a)syzkaller.appspotmail.com Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race") Cc: stable(a)vger.kernel.org # 6.6+ Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> --- net/wireless/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/wireless/core.c b/net/wireless/core.c index 4c8d8f167409..d3c7b7978f00 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1280,6 +1280,7 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, /* deleted from the list, so can't be found from nl80211 any more */ cqm_config = rcu_access_pointer(wdev->cqm_config); kfree_rcu(cqm_config, rcu_head); + RCU_INIT_POINTER(wdev->cqm_config, NULL); /* * Ensure that all events have been processed and -- 2.47.0

8 months, 1 week

1
0
0 0

[PATCH v4 1/1] dmaengine: dw: Select only supported masters for ACPI devices

by Andy Shevchenko

From: Serge Semin <fancer.lancer(a)gmail.com> The recently submitted fix-commit revealed a problem in the iDMA 32-bit platform code. Even though the controller supported only a single master the dw_dma_acpi_filter() method hard-coded two master interfaces with IDs 0 and 1. As a result the sanity check implemented in the commit b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") got incorrect interface data width and thus prevented the client drivers from configuring the DMA-channel with the EINVAL error returned. E.g., the next error was printed for the PXA2xx SPI controller driver trying to configure the requested channels: > [ 164.525604] pxa2xx_spi_pci 0000:00:07.1: DMA slave config failed > [ 164.536105] pxa2xx_spi_pci 0000:00:07.1: failed to get DMA TX descriptor > [ 164.543213] spidev spi-SPT0001:00: SPI transfer failed: -16 The problem would have been spotted much earlier if the iDMA 32-bit controller supported more than one master interfaces. But since it supports just a single master and the iDMA 32-bit specific code just ignores the master IDs in the CTLLO preparation method, the issue has been gone unnoticed so far. Fix the problem by specifying the default master ID for both memory and peripheral devices in the driver data. Thus the issue noticed for the iDMA 32-bit controllers will be eliminated and the ACPI-probed DW DMA controllers will be configured with the correct master ID by default. Cc: stable(a)vger.kernel.org Fixes: b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") Fixes: 199244d69458 ("dmaengine: dw: add support of iDMA 32-bit hardware") Reported-by: Ferry Toth <fntoth(a)gmail.com> Closes: https://lore.kernel.org/dmaengine/ZuXbCKUs1iOqFu51@black.fi.intel.com/ Reported-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Closes: https://lore.kernel.org/dmaengine/ZuXgI-VcHpMgbZ91@black.fi.intel.com/ Co-developed-by: Serge Semin <fancer.lancer(a)gmail.com> Signed-off-by: Serge Semin <fancer.lancer(a)gmail.com> Tested-by: Ferry Toth <fntoth(a)gmail.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> --- v4: gathered tag (Ferry), left the code as agreed with Serge and Andy drivers/dma/dw/acpi.c | 6 ++++-- drivers/dma/dw/internal.h | 8 ++++++++ drivers/dma/dw/pci.c | 4 ++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/dma/dw/acpi.c b/drivers/dma/dw/acpi.c index c510c109d2c3..b6452fffa657 100644 --- a/drivers/dma/dw/acpi.c +++ b/drivers/dma/dw/acpi.c @@ -8,13 +8,15 @@ static bool dw_dma_acpi_filter(struct dma_chan *chan, void *param) { + struct dw_dma *dw = to_dw_dma(chan->device); + struct dw_dma_chip_pdata *data = dev_get_drvdata(dw->dma.dev); struct acpi_dma_spec *dma_spec = param; struct dw_dma_slave slave = { .dma_dev = dma_spec->dev, .src_id = dma_spec->slave_id, .dst_id = dma_spec->slave_id, - .m_master = 0, - .p_master = 1, + .m_master = data->m_master, + .p_master = data->p_master, }; return dw_dma_filter(chan, &slave); diff --git a/drivers/dma/dw/internal.h b/drivers/dma/dw/internal.h index 563ce73488db..f1bd06a20cd6 100644 --- a/drivers/dma/dw/internal.h +++ b/drivers/dma/dw/internal.h @@ -51,11 +51,15 @@ struct dw_dma_chip_pdata { int (*probe)(struct dw_dma_chip *chip); int (*remove)(struct dw_dma_chip *chip); struct dw_dma_chip *chip; + u8 m_master; + u8 p_master; }; static __maybe_unused const struct dw_dma_chip_pdata dw_dma_chip_pdata = { .probe = dw_dma_probe, .remove = dw_dma_remove, + .m_master = 0, + .p_master = 1, }; static const struct dw_dma_platform_data idma32_pdata = { @@ -72,6 +76,8 @@ static __maybe_unused const struct dw_dma_chip_pdata idma32_chip_pdata = { .pdata = &idma32_pdata, .probe = idma32_dma_probe, .remove = idma32_dma_remove, + .m_master = 0, + .p_master = 0, }; static const struct dw_dma_platform_data xbar_pdata = { @@ -88,6 +94,8 @@ static __maybe_unused const struct dw_dma_chip_pdata xbar_chip_pdata = { .pdata = &xbar_pdata, .probe = idma32_dma_probe, .remove = idma32_dma_remove, + .m_master = 0, + .p_master = 0, }; #endif /* _DMA_DW_INTERNAL_H */ diff --git a/drivers/dma/dw/pci.c b/drivers/dma/dw/pci.c index ad2d4d012cf7..e8a0eb81726a 100644 --- a/drivers/dma/dw/pci.c +++ b/drivers/dma/dw/pci.c @@ -56,10 +56,10 @@ static int dw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *pid) if (ret) return ret; - dw_dma_acpi_controller_register(chip->dw); - pci_set_drvdata(pdev, data); + dw_dma_acpi_controller_register(chip->dw); + return 0; } -- 2.43.0.rc1.1336.g36b5255a03ac

8 months, 1 week

1
0
0 0

[PATCH net v2] mctp i2c: handle NULL header address

by Matt Johnston

daddr can be NULL if there is no neighbour table entry present, in that case the tx packet should be dropped. saddr will normally be set by MCTP core, but in case it is NULL it should be set to the device address. Incorrect indent of the function arguments is also fixed. Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") Cc: stable(a)vger.kernel.org Reported-by: Dung Cao <dung(a)os.amperecomputing.com> Signed-off-by: Matt Johnston <matt(a)codeconstruct.com.au> --- Changes in v2: - Set saddr to device address if NULL, mention in commit message - Fix patch prefix formatting - Link to v1: https://lore.kernel.org/r/20241018-mctp-i2c-null-dest-v1-1-ba1ab52966e9@cod… --- drivers/net/mctp/mctp-i2c.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c index 4dc057c121f5d0fb9c9c48bf16b6933ae2f7b2ac..c909254e03c21518c17daf8b813e610558e074c1 100644 --- a/drivers/net/mctp/mctp-i2c.c +++ b/drivers/net/mctp/mctp-i2c.c @@ -579,7 +579,7 @@ static void mctp_i2c_flow_release(struct mctp_i2c_dev *midev) static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev, unsigned short type, const void *daddr, - const void *saddr, unsigned int len) + const void *saddr, unsigned int len) { struct mctp_i2c_hdr *hdr; struct mctp_hdr *mhdr; @@ -588,8 +588,15 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev, if (len > MCTP_I2C_MAXMTU) return -EMSGSIZE; - lldst = *((u8 *)daddr); - llsrc = *((u8 *)saddr); + if (daddr) + lldst = *((u8 *)daddr); + else + return -EINVAL; + + if (saddr) + llsrc = *((u8 *)saddr); + else + llsrc = dev->dev_addr; skb_push(skb, sizeof(struct mctp_i2c_hdr)); skb_reset_mac_header(skb); --- base-commit: cb560795c8c2ceca1d36a95f0d1b2eafc4074e37 change-id: 20241018-mctp-i2c-null-dest-a0ba271e0c48 Best regards, -- Matt Johnston <matt(a)codeconstruct.com.au>

8 months, 1 week

3
5
0 0

FAILED: patch "[PATCH] mm: don't install PMD mappings when THPs are disabled by the" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2b0f922323ccfa76219bcaacd35cd50aeaa13592 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101837-mammogram-headsman-2dec@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2b0f922323ccfa76219bcaacd35cd50aeaa13592 Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Fri, 11 Oct 2024 12:24:45 +0200 Subject: [PATCH] mm: don't install PMD mappings when THPs are disabled by the hw/process/vma We (or rather, readahead logic :) ) might be allocating a THP in the pagecache and then try mapping it into a process that explicitly disabled THP: we might end up installing PMD mappings. This is a problem for s390x KVM, which explicitly remaps all PMD-mapped THPs to be PTE-mapped in s390_enable_sie()->thp_split_mm(), before starting the VM. For example, starting a VM backed on a file system with large folios supported makes the VM crash when the VM tries accessing such a mapping using KVM. Is it also a problem when the HW disabled THP using TRANSPARENT_HUGEPAGE_UNSUPPORTED? At least on x86 this would be the case without X86_FEATURE_PSE. In the future, we might be able to do better on s390x and only disallow PMD mappings -- what s390x and likely TRANSPARENT_HUGEPAGE_UNSUPPORTED really wants. For now, fix it by essentially performing the same check as would be done in __thp_vma_allowable_orders() or in shmem code, where this works as expected, and disallow PMD mappings, making us fallback to PTE mappings. Link: https://lkml.kernel.org/r/20241011102445.934409-3-david@redhat.com Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: Leo Fu <bfu(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Cc: Thomas Huth <thuth(a)redhat.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Janosch Frank <frankja(a)linux.ibm.com> Cc: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index c0869a962ddd..30feedabc932 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -4920,6 +4920,15 @@ vm_fault_t do_set_pmd(struct vm_fault *vmf, struct page *page) pmd_t entry; vm_fault_t ret = VM_FAULT_FALLBACK; + /* + * It is too late to allocate a small folio, we already have a large + * folio in the pagecache: especially s390 KVM cannot tolerate any + * PMD mappings, but PTE-mapped THP are fine. So let's simply refuse any + * PMD mappings if THPs are disabled. + */ + if (thp_disabled_by_hw() || vma_thp_disabled(vma, vma->vm_flags)) + return ret; + if (!thp_vma_suitable_order(vma, haddr, PMD_ORDER)) return ret;

8 months, 1 week

2
5
0 0

[PATCH] arm64: dts: mediatek: mt8186-corsola: Fix GPU supply coupling max-spread

by Chen-Yu Tsai

The GPU SRAM supply is supposed to be always at least 0.1V higher than the GPU supply. However when the DT was upstreamed, the spread was incorrectly set to 0.01V. Fixes: 8855d01fb81f ("arm64: dts: mediatek: Add MT8186 Krabby platform based Tentacruel / Tentacool") Cc: <stable(a)vger.kernel.org> Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> --- Noticed this while trying to align the downstream Mali driver to the upstream device tree and binding. arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi index cf288fe7a238..db2aca079349 100644 --- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi @@ -1352,7 +1352,7 @@ mt6366_vgpu_reg: vgpu { regulator-allowed-modes = <MT6397_BUCK_MODE_AUTO MT6397_BUCK_MODE_FORCE_PWM>; regulator-coupled-with = <&mt6366_vsram_gpu_reg>; - regulator-coupled-max-spread = <10000>; + regulator-coupled-max-spread = <100000>; }; mt6366_vproc11_reg: vproc11 { @@ -1561,7 +1561,7 @@ mt6366_vsram_gpu_reg: vsram-gpu { regulator-ramp-delay = <6250>; regulator-enable-ramp-delay = <240>; regulator-coupled-with = <&mt6366_vgpu_reg>; - regulator-coupled-max-spread = <10000>; + regulator-coupled-max-spread = <100000>; }; mt6366_vsram_others_reg: vsram-others { -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 1 week

2
2
0 0

[PATCH v2] arm64: dts: mediatek: mt8186-corsola-voltorb: Merge speaker codec nodes

by Chen-Yu Tsai

The Voltorb device uses a speaker codec different from the original Corsola device. When the Voltorb device tree was first added, the new codec was added as a separate node when it should have just replaced the existing one. Merge the two nodes. The only differences are the compatible string and the GPIO line property name. This keeps the device node path for the speaker codec the same across the MT8186 Chromebook line. Also rename the related labels and node names from having rt1019p to speaker codec. Cc: <stable(a)vger.kernel.org> # v6.11+ Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> --- This is technically not a fix, but having the same device tree structure in stable kernels would be more consistent for consumers of the device tree. Hence the request for a stable backport. Changes since v1: - Dropped Fixes tag, since this is technically a cleanup, not a fix - Rename existing rt1019p related node names and labels to the generic "speaker codec" name --- .../dts/mediatek/mt8186-corsola-voltorb.dtsi | 21 +++++-------------- .../boot/dts/mediatek/mt8186-corsola.dtsi | 8 +++---- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi index 52ec58128d56..b495a241b443 100644 --- a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi @@ -10,12 +10,6 @@ / { chassis-type = "laptop"; - - max98360a: max98360a { - compatible = "maxim,max98360a"; - sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; - #sound-dai-cells = <0>; - }; }; &cpu6 { @@ -59,19 +53,14 @@ &cluster1_opp_15 { opp-hz = /bits/ 64 <2200000000>; }; -&rt1019p{ - status = "disabled"; -}; - &sound { compatible = "mediatek,mt8186-mt6366-rt5682s-max98360-sound"; - status = "okay"; +}; - spk-hdmi-playback-dai-link { - codec { - sound-dai = <&it6505dptx>, <&max98360a>; - }; - }; +&speaker_codec { + compatible = "maxim,max98360a"; + sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; + /delete-property/ sdb-gpios; }; &spmi { diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi index c7580ac1e2d4..cf288fe7a238 100644 --- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi @@ -259,15 +259,15 @@ spk-hdmi-playback-dai-link { mediatek,clk-provider = "cpu"; /* RT1019P and IT6505 connected to the same I2S line */ codec { - sound-dai = <&it6505dptx>, <&rt1019p>; + sound-dai = <&it6505dptx>, <&speaker_codec>; }; }; }; - rt1019p: speaker-codec { + speaker_codec: speaker-codec { compatible = "realtek,rt1019p"; pinctrl-names = "default"; - pinctrl-0 = <&rt1019p_pins_default>; + pinctrl-0 = <&speaker_codec_pins_default>; #sound-dai-cells = <0>; sdb-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; }; @@ -1195,7 +1195,7 @@ pins { }; }; - rt1019p_pins_default: rt1019p-default-pins { + speaker_codec_pins_default: speaker-codec-default-pins { pins-sdb { pinmux = <PINMUX_GPIO150__FUNC_GPIO150>; output-low; -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 1 week

2
2
0 0

FAILED: patch "[PATCH] mm: huge_memory: add vma_thp_disabled() and" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 963756aac1f011d904ddd9548ae82286d3a91f96 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101835-eloquent-could-27ce@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 963756aac1f011d904ddd9548ae82286d3a91f96 Mon Sep 17 00:00:00 2001 From: Kefeng Wang <wangkefeng.wang(a)huawei.com> Date: Fri, 11 Oct 2024 12:24:44 +0200 Subject: [PATCH] mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() Patch series "mm: don't install PMD mappings when THPs are disabled by the hw/process/vma". During testing, it was found that we can get PMD mappings in processes where THP (and more precisely, PMD mappings) are supposed to be disabled. While it works as expected for anon+shmem, the pagecache is the problematic bit. For s390 KVM this currently means that a VM backed by a file located on filesystem with large folio support can crash when KVM tries accessing the problematic page, because the readahead logic might decide to use a PMD-sized THP and faulting it into the page tables will install a PMD mapping, something that s390 KVM cannot tolerate. This might also be a problem with HW that does not support PMD mappings, but I did not try reproducing it. Fix it by respecting the ways to disable THPs when deciding whether we can install a PMD mapping. khugepaged should already be taking care of not collapsing if THPs are effectively disabled for the hw/process/vma. This patch (of 2): Add vma_thp_disabled() and thp_disabled_by_hw() helpers to be shared by shmem_allowable_huge_orders() and __thp_vma_allowable_orders(). [david(a)redhat.com: rename to vma_thp_disabled(), split out thp_disabled_by_hw() ] Link: https://lkml.kernel.org/r/20241011102445.934409-2-david@redhat.com Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: Leo Fu <bfu(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Boqiao Fu <bfu(a)redhat.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Janosch Frank <frankja(a)linux.ibm.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h index 67d0ab3c3bba..ef5b80e48599 100644 --- a/include/linux/huge_mm.h +++ b/include/linux/huge_mm.h @@ -322,6 +322,24 @@ struct thpsize { (transparent_hugepage_flags & \ (1<<TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG)) +static inline bool vma_thp_disabled(struct vm_area_struct *vma, + unsigned long vm_flags) +{ + /* + * Explicitly disabled through madvise or prctl, or some + * architectures may disable THP for some mappings, for + * example, s390 kvm. + */ + return (vm_flags & VM_NOHUGEPAGE) || + test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags); +} + +static inline bool thp_disabled_by_hw(void) +{ + /* If the hardware/firmware marked hugepage support disabled. */ + return transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED); +} + unsigned long thp_get_unmapped_area(struct file *filp, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags); unsigned long thp_get_unmapped_area_vmflags(struct file *filp, unsigned long addr, diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 87b49ecc7b1e..2fb328880b50 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -109,18 +109,7 @@ unsigned long __thp_vma_allowable_orders(struct vm_area_struct *vma, if (!vma->vm_mm) /* vdso */ return 0; - /* - * Explicitly disabled through madvise or prctl, or some - * architectures may disable THP for some mappings, for - * example, s390 kvm. - * */ - if ((vm_flags & VM_NOHUGEPAGE) || - test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags)) - return 0; - /* - * If the hardware/firmware marked hugepage support disabled. - */ - if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) + if (thp_disabled_by_hw() || vma_thp_disabled(vma, vm_flags)) return 0; /* khugepaged doesn't collapse DAX vma, but page fault is fine. */ diff --git a/mm/shmem.c b/mm/shmem.c index 4f11b5506363..c5adb987b23c 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1664,12 +1664,7 @@ unsigned long shmem_allowable_huge_orders(struct inode *inode, loff_t i_size; int order; - if (vma && ((vm_flags & VM_NOHUGEPAGE) || - test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags))) - return 0; - - /* If the hardware/firmware marked hugepage support disabled. */ - if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) + if (thp_disabled_by_hw() || (vma && vma_thp_disabled(vma, vm_flags))) return 0; global_huge = shmem_huge_global_enabled(inode, index, write_end,

8 months, 1 week

2
1
0 0

[PATCH 6.1] fs/ntfs3: Add more attributes checks in mi_enum_attr()

by Xiangyu Chen

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit 013ff63b649475f0ee134e2c8d0c8e65284ede50 ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> CVE: CVE-2023-45896 Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- fs/ntfs3/record.c | 67 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 13 deletions(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 1351fb02e140..7ab452710572 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -193,8 +193,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) { const struct MFT_REC *rec = mi->mrec; u32 used = le32_to_cpu(rec->used); - u32 t32, off, asize; + u32 t32, off, asize, prev_type; u16 t16; + u64 data_size, alloc_size, tot_size; if (!attr) { u32 total = le32_to_cpu(rec->total); @@ -213,6 +214,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) if (!is_rec_inuse(rec)) return NULL; + prev_type = 0; attr = Add2Ptr(rec, off); } else { /* Check if input attr inside record. */ @@ -226,6 +228,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return NULL; } + /* Overflow check. */ + if (off + asize < off) + return NULL; + + prev_type = le32_to_cpu(attr->type); attr = Add2Ptr(attr, asize); off += asize; } @@ -245,7 +252,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) /* 0x100 is last known attribute for now. */ t32 = le32_to_cpu(attr->type); - if ((t32 & 0xf) || (t32 > 0x100)) + if (!t32 || (t32 & 0xf) || (t32 > 0x100)) + return NULL; + + /* attributes in record must be ordered by type */ + if (t32 < prev_type) return NULL; /* Check overflow and boundary. */ @@ -254,16 +265,15 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) /* Check size of attribute. */ if (!attr->non_res) { + /* Check resident fields. */ if (asize < SIZEOF_RESIDENT) return NULL; t16 = le16_to_cpu(attr->res.data_off); - if (t16 > asize) return NULL; - t32 = le32_to_cpu(attr->res.data_size); - if (t16 + t32 > asize) + if (t16 + le32_to_cpu(attr->res.data_size) > asize) return NULL; if (attr->name_len && @@ -274,21 +284,52 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return attr; } - /* Check some nonresident fields. */ - if (attr->name_len && - le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > - le16_to_cpu(attr->nres.run_off)) { + /* Check nonresident fields. */ + if (attr->non_res != 1) return NULL; - } - if (attr->nres.svcn || !is_attr_ext(attr)) { + t16 = le16_to_cpu(attr->nres.run_off); + if (t16 > asize) + return NULL; + + t32 = sizeof(short) * attr->name_len; + if (t32 && le16_to_cpu(attr->name_off) + t32 > t16) + return NULL; + + /* Check start/end vcn. */ + if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) + return NULL; + + data_size = le64_to_cpu(attr->nres.data_size); + if (le64_to_cpu(attr->nres.valid_size) > data_size) + return NULL; + + alloc_size = le64_to_cpu(attr->nres.alloc_size); + if (data_size > alloc_size) + return NULL; + + t32 = mi->sbi->cluster_mask; + if (alloc_size & t32) + return NULL; + + if (!attr->nres.svcn && is_attr_ext(attr)) { + /* First segment of sparse/compressed attribute */ + if (asize + 8 < SIZEOF_NONRESIDENT_EX) + return NULL; + + tot_size = le64_to_cpu(attr->nres.total_size); + if (tot_size & t32) + return NULL; + + if (tot_size > alloc_size) + return NULL; + } else { if (asize + 8 < SIZEOF_NONRESIDENT) return NULL; if (attr->nres.c_unit) return NULL; - } else if (asize + 8 < SIZEOF_NONRESIDENT_EX) - return NULL; + } return attr; } -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH] fs/ntfs3: Add more attributes checks in mi_enum_attr()

by Xiangyu Chen

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit 013ff63b649475f0ee134e2c8d0c8e65284ede50 ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> CVE: CVE-2023-45896 Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- fs/ntfs3/record.c | 67 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 13 deletions(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 1351fb02e140..7ab452710572 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -193,8 +193,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) { const struct MFT_REC *rec = mi->mrec; u32 used = le32_to_cpu(rec->used); - u32 t32, off, asize; + u32 t32, off, asize, prev_type; u16 t16; + u64 data_size, alloc_size, tot_size; if (!attr) { u32 total = le32_to_cpu(rec->total); @@ -213,6 +214,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) if (!is_rec_inuse(rec)) return NULL; + prev_type = 0; attr = Add2Ptr(rec, off); } else { /* Check if input attr inside record. */ @@ -226,6 +228,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return NULL; } + /* Overflow check. */ + if (off + asize < off) + return NULL; + + prev_type = le32_to_cpu(attr->type); attr = Add2Ptr(attr, asize); off += asize; } @@ -245,7 +252,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) /* 0x100 is last known attribute for now. */ t32 = le32_to_cpu(attr->type); - if ((t32 & 0xf) || (t32 > 0x100)) + if (!t32 || (t32 & 0xf) || (t32 > 0x100)) + return NULL; + + /* attributes in record must be ordered by type */ + if (t32 < prev_type) return NULL; /* Check overflow and boundary. */ @@ -254,16 +265,15 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) /* Check size of attribute. */ if (!attr->non_res) { + /* Check resident fields. */ if (asize < SIZEOF_RESIDENT) return NULL; t16 = le16_to_cpu(attr->res.data_off); - if (t16 > asize) return NULL; - t32 = le32_to_cpu(attr->res.data_size); - if (t16 + t32 > asize) + if (t16 + le32_to_cpu(attr->res.data_size) > asize) return NULL; if (attr->name_len && @@ -274,21 +284,52 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return attr; } - /* Check some nonresident fields. */ - if (attr->name_len && - le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > - le16_to_cpu(attr->nres.run_off)) { + /* Check nonresident fields. */ + if (attr->non_res != 1) return NULL; - } - if (attr->nres.svcn || !is_attr_ext(attr)) { + t16 = le16_to_cpu(attr->nres.run_off); + if (t16 > asize) + return NULL; + + t32 = sizeof(short) * attr->name_len; + if (t32 && le16_to_cpu(attr->name_off) + t32 > t16) + return NULL; + + /* Check start/end vcn. */ + if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) + return NULL; + + data_size = le64_to_cpu(attr->nres.data_size); + if (le64_to_cpu(attr->nres.valid_size) > data_size) + return NULL; + + alloc_size = le64_to_cpu(attr->nres.alloc_size); + if (data_size > alloc_size) + return NULL; + + t32 = mi->sbi->cluster_mask; + if (alloc_size & t32) + return NULL; + + if (!attr->nres.svcn && is_attr_ext(attr)) { + /* First segment of sparse/compressed attribute */ + if (asize + 8 < SIZEOF_NONRESIDENT_EX) + return NULL; + + tot_size = le64_to_cpu(attr->nres.total_size); + if (tot_size & t32) + return NULL; + + if (tot_size > alloc_size) + return NULL; + } else { if (asize + 8 < SIZEOF_NONRESIDENT) return NULL; if (attr->nres.c_unit) return NULL; - } else if (asize + 8 < SIZEOF_NONRESIDENT_EX) - return NULL; + } return attr; } -- 2.43.0

8 months, 1 week

1
0
0 0

[PATCH stable-6.6.x 0/3] ASoC: SOF: ipc4-control: Support for Switch and Enum controls

by Peter Ujfalusi

Hi, This is a backport of [1] series for 6.6.x stable kernel. It is fixing a user reported [2] NULL dereference kernel panic after updating the SOF firmware and topology files. While Meteor Lake is not supported by 6.6 kernel, users might need to be able to use it as a jumping point to update the kernel to a version which is supporting Meteor Lake (6.7+), a kernel panic should be avoided to not block the transition. [1] https://lore.kernel.org/alsa-devel/20230919103115.30783-1-peter.ujfalusi@li… [2] https://github.com/thesofproject/sof/issues/9600 Regards, Peter --- Peter Ujfalusi (3): ASoC: SOF: ipc4-topology: Add definition for generic switch/enum control ASoC: SOF: ipc4-control: Add support for ALSA switch control ASoC: SOF: ipc4-control: Add support for ALSA enum control sound/soc/sof/ipc4-control.c | 175 +++++++++++++++++++++++++++++++++- sound/soc/sof/ipc4-topology.c | 49 +++++++++- sound/soc/sof/ipc4-topology.h | 19 +++- 3 files changed, 237 insertions(+), 6 deletions(-) -- 2.47.0

8 months, 2 weeks

1
3
0 0

[PATCH 6.1/6.6] wifi: mac80211: fix NULL dereference at band check in starting tx ba session

by Xiangyu Chen

From: Zong-Zhe Yang <kevin_yang(a)realtek.com> [ Upstream commit 021d53a3d87eeb9dbba524ac515651242a2a7e3b ] In MLD connection, link_data/link_conf are dynamically allocated. They don't point to vif->bss_conf. So, there will be no chanreq assigned to vif->bss_conf and then the chan will be NULL. Tweak the code to check ht_supported/vht_supported/has_he/has_eht on sta deflink. Crash log (with rtw89 version under MLO development): [ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 9890.526102] #PF: supervisor read access in kernel mode [ 9890.526105] #PF: error_code(0x0000) - not-present page [ 9890.526109] PGD 0 P4D 0 [ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI [ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1 [ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018 [ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core] [ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211 [ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3 All code ======== 0: f7 e8 imul %eax 2: d5 (bad) 3: 93 xchg %eax,%ebx 4: 3e ea ds (bad) 6: 48 83 c4 28 add $0x28,%rsp a: 89 d8 mov %ebx,%eax c: 5b pop %rbx d: 41 5c pop %r12 f: 41 5d pop %r13 11: 41 5e pop %r14 13: 41 5f pop %r15 15: 5d pop %rbp 16: c3 retq 17: cc int3 18: cc int3 19: cc int3 1a: cc int3 1b: 49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax 22: ff 23: 48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax 2a:* 83 38 03 cmpl $0x3,(%rax) <-- trapping instruction 2d: 0f 84 37 fe ff ff je 0xfffffffffffffe6a 33: bb ea ff ff ff mov $0xffffffea,%ebx 38: eb cc jmp 0x6 3a: 49 rex.WB 3b: 8b .byte 0x8b 3c: 84 24 10 test %ah,(%rax,%rdx,1) 3f: f3 repz Code starting with the faulting instruction =========================================== 0: 83 38 03 cmpl $0x3,(%rax) 3: 0f 84 37 fe ff ff je 0xfffffffffffffe40 9: bb ea ff ff ff mov $0xffffffea,%ebx e: eb cc jmp 0xffffffffffffffdc 10: 49 rex.WB 11: 8b .byte 0x8b 12: 84 24 10 test %ah,(%rax,%rdx,1) 15: f3 repz [ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246 [ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8 [ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685 [ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873 [ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70 [ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000 [ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000 [ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0 [ 9890.526321] Call Trace: [ 9890.526324] <TASK> [ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479) [ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713) [ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator 3)) [ 9890.526353] ? ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211 Signed-off-by: Zong-Zhe Yang <kevin_yang(a)realtek.com> Link: https://patch.msgid.link/20240617115217.22344-1-kevin_yang@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> CVE: CVE-2024-43911 Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- net/mac80211/agg-tx.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index e26a72f3a104..1241ab7a86bb 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -593,7 +593,9 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid, return -EINVAL; if (!pubsta->deflink.ht_cap.ht_supported && - sta->sdata->vif.bss_conf.chandef.chan->band != NL80211_BAND_6GHZ) + !pubsta->deflink.vht_cap.vht_supported && + !pubsta->deflink.he_cap.has_he && + !pubsta->deflink.eht_cap.has_eht) return -EINVAL; if (WARN_ON_ONCE(!local->ops->ampdu_action)) -- 2.43.0

8 months, 2 weeks

1
0
0 0

Re: [PATCH net 2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6

by Linux regression tracking (Thorsten Leemhuis)

[CCing Greg and the stable list, to ensure he is aware of this, as well as the regressions list] On 21.10.24 11:45, Pablo Neira Ayuso wrote: > - There is no NFPROTO_IPV6 family for mark and NFLOG. > - TRACE is also missing module autoload with NFPROTO_IPV6. > > This results in ip6tables failing to restore a ruleset. This issue has been > reported by several users providing incomplete patches. > > Very similar to Ilya Katsnelson's patch including a missing chunk in the > TRACE extension. > > Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed") > [...] Just FYI as the culprit recently hit various stable series (v6.11.4, v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like issues that might be fixed by this to my untrained eyes. I suppose they won't tell you anything new and maybe you even have seen them, but on the off-chance that this might not be the case you can find them here: https://bugzilla.kernel.org/show_bug.cgi?id=219397 https://bugzilla.kernel.org/show_bug.cgi?id=219402 https://bugzilla.kernel.org/show_bug.cgi?id=219409 Ciao, Thorsten

8 months, 2 weeks

3
2
0 0

[PATCH 6.1] drm/amd/display: Skip on writeback when it's not applicable

by Xiangyu Chen

From: Alex Hung <alex.hung(a)amd.com> [ Upstream commit ecedd99a9369fb5cde601ae9abd58bca2739f1ae ] [WHY] dynamic memory safety error detector (KASAN) catches and generates error messages "BUG: KASAN: slab-out-of-bounds" as writeback connector does not support certain features which are not initialized. [HOW] Skip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3199 Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Acked-by: Roman Li <roman.li(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> CVE: CVE-2024-36914 Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 8f7130f7d8c6..8dc0f70df24f 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -2990,6 +2990,10 @@ static int dm_resume(void *handle) /* Do mst topology probing after resuming cached state*/ drm_connector_list_iter_begin(ddev, &iter); drm_for_each_connector_iter(connector, &iter) { + + if (connector->connector_type == DRM_MODE_CONNECTOR_WRITEBACK) + continue; + aconnector = to_amdgpu_dm_connector(connector); if (aconnector->dc_link->type != dc_connection_mst_branch || aconnector->mst_port) @@ -5722,6 +5726,9 @@ get_highest_refresh_rate_mode(struct amdgpu_dm_connector *aconnector, &aconnector->base.probed_modes : &aconnector->base.modes; + if (aconnector->base.connector_type == DRM_MODE_CONNECTOR_WRITEBACK) + return NULL; + if (aconnector->freesync_vid_base.clock != 0) return &aconnector->freesync_vid_base; @@ -8242,6 +8249,9 @@ static void amdgpu_dm_commit_audio(struct drm_device *dev, continue; notify: + if (connector->connector_type == DRM_MODE_CONNECTOR_WRITEBACK) + continue; + aconnector = to_amdgpu_dm_connector(connector); mutex_lock(&adev->dm.audio_lock); -- 2.43.0

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 705e3ce37bccdf2ed6f848356ff355f480d51a91 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102152-salvage-pursuable-3b7c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 705e3ce37bccdf2ed6f848356ff355f480d51a91 Mon Sep 17 00:00:00 2001 From: Roger Quadros <rogerq(a)kernel.org> Date: Fri, 11 Oct 2024 13:53:24 +0300 Subject: [PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), system suspend is broken on AM62 TI platforms. Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY bits (hence forth called 2 SUSPHY bits) were being set during core initialization and even during core re-initialization after a system suspend/resume. These bits are required to be set for system suspend/resume to work correctly on AM62 platforms. Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget driver is not loaded and started. For Host mode, the 2 SUSPHY bits are set before the first system suspend but get cleared at system resume during core re-init and are never set again. This patch resovles these two issues by ensuring the 2 SUSPHY bits are set before system suspend and restored to the original state during system resume. Cc: stable(a)vger.kernel.org # v6.9+ Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ Signed-off-by: Roger Quadros <rogerq(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Tested-by: Markus Schneider-Pargmann <msp(a)baylibre.com> Reviewed-by: Dhruva Gole <d-gole(a)ti.com> Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 21740e2b8f07..427e5660f87c 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2342,6 +2342,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) u32 reg; int i; + dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & + DWC3_GUSB2PHYCFG_SUSPHY) || + (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & + DWC3_GUSB3PIPECTL_SUSPHY); + switch (dwc->current_dr_role) { case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) @@ -2393,6 +2398,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* + * TI AM62 platform requires SUSPHY to be + * enabled for system suspend to work. + */ + if (!dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } @@ -2460,6 +2474,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* restore SUSPHY state to that before system suspend. */ + dwc3_enable_susphy(dwc, dwc->susphy_state); + } + return 0; } diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 9c508e0c5cdf..eab81dfdcc35 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -1150,6 +1150,8 @@ struct dwc3_scratchpad_array { * @sys_wakeup: set if the device may do system wakeup. * @wakeup_configured: set if the device is configured for remote wakeup. * @suspended: set to track suspend event due to U3/L2. + * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY + * before PM suspend. * @imod_interval: set the interrupt moderation interval in 250ns * increments or 0 to disable. * @max_cfg_eps: current max number of IN eps used across all USB configs. @@ -1382,6 +1384,7 @@ struct dwc3 { unsigned sys_wakeup:1; unsigned wakeup_configured:1; unsigned suspended:1; + unsigned susphy_state:1; u16 imod_interval;

8 months, 2 weeks

3
3
0 0

[PATCH] phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check

by Richard Zhu

When enable initcall_debug together with higher debug level below. CONFIG_CONSOLE_LOGLEVEL_DEFAULT=9 CONFIG_CONSOLE_LOGLEVEL_QUIET=9 CONFIG_MESSAGE_LOGLEVEL_DEFAULT=7 The initialization of i.MX8MP PCIe PHY might be timeout failed randomly. To fix this issue, adjust the sequence of the resets refer to the power up sequence listed below. i.MX8MP PCIe PHY power up sequence: /--------------------------------------------- 1.8v supply ---------/ /--------------------------------------------------- 0.8v supply ---/ ---\ /-------------------------------------------------- X REFCLK Valid Reference Clock ---/ \-------------------------------------------------- ------------------------------------------- | i_init_restn -------------- ------------------------------------ | i_cmn_rstn --------------------- ------------------------------- | o_pll_lock_done -------------------------- Logs: imx6q-pcie 33800000.pcie: host bridge /soc@0/pcie@33800000 ranges: imx6q-pcie 33800000.pcie: IO 0x001ff80000..0x001ff8ffff -> 0x0000000000 imx6q-pcie 33800000.pcie: MEM 0x0018000000..0x001fefffff -> 0x0018000000 probe of clk_imx8mp_audiomix.reset.0 returned 0 after 1052 usecs probe of 30e20000.clock-controller returned 0 after 32971 usecs phy phy-32f00000.pcie-phy.4: phy poweron failed --> -110 probe of 30e10000.dma-controller returned 0 after 10235 usecs imx6q-pcie 33800000.pcie: waiting for PHY ready timeout! dwhdmi-imx 32fd8000.hdmi: Detected HDMI TX controller v2.13a with HDCP (samsung_dw_hdmi_phy2) imx6q-pcie 33800000.pcie: probe with driver imx6q-pcie failed with error -110 Fixes: dce9edff16ee ("phy: freescale: imx8m-pcie: Add i.MX8MP PCIe PHY support") Cc: stable(a)vger.kernel.org Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> --- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c index 8e7834e84af8c..694a6e6e5eafb 100644 --- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c +++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c @@ -218,11 +218,6 @@ static int imx8_pcie_phy_power_on(struct phy *phy) imx8_phy->base + IMX8MP_PCIE_PHY_TRSV_REG206); } - /* Do the PHY common block reset */ - regmap_update_bits(imx8_phy->iomuxc_gpr, IOMUXC_GPR14, - IMX8MM_GPR_PCIE_CMN_RST, - IMX8MM_GPR_PCIE_CMN_RST); - switch (imx8_phy->drvdata->variant) { case IMX8MP: reset_control_deassert(imx8_phy->perst); @@ -233,6 +228,11 @@ static int imx8_pcie_phy_power_on(struct phy *phy) break; } + /* Do the PHY common block reset */ + regmap_update_bits(imx8_phy->iomuxc_gpr, IOMUXC_GPR14, + IMX8MM_GPR_PCIE_CMN_RST, + IMX8MM_GPR_PCIE_CMN_RST); + /* Polling to check the phy is ready or not. */ ret = readl_poll_timeout(imx8_phy->base + IMX8MM_PCIE_PHY_CMN_REG075, val, val == ANA_PLL_DONE, 10, 20000); -- 2.37.1

8 months, 2 weeks

2
2
0 0

Backport Fix for CVE-2024-26800 to V5.15

by Michael Kochera

Hello, I wanted to check on the backport of the fix for CVE-2024-26800 on the 5.15 kernel. Here is the commit fixing the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… and as you can see the commit it says it fixes was backported to 5.15 to fix a different CVE but this one wasn't as far as I can tell. Thank You, Michael Kochera

8 months, 2 weeks

2
1
0 0

Re: [PATCH v2] wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

by Jeongjun Park

> Jeongjun Park <aha310510(a)gmail.com> wrote: > > > >> Kalle Valo <kvalo(a)kernel.org> wrote: >> >> Jeongjun Park <aha310510(a)gmail.com> wrote: >> >>> I found the following bug in my fuzzer: >>> >>> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51 >>> index 255 is out of range for type 'htc_endpoint [22]' >>> CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14 >>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 >>> Workqueue: events request_firmware_work_func >>> Call Trace: >>> <TASK> >>> dump_stack_lvl+0x180/0x1b0 >>> __ubsan_handle_out_of_bounds+0xd4/0x130 >>> htc_issue_send.constprop.0+0x20c/0x230 >>> ? _raw_spin_unlock_irqrestore+0x3c/0x70 >>> ath9k_wmi_cmd+0x41d/0x610 >>> ? mark_held_locks+0x9f/0xe0 >>> ... >>> >>> Since this bug has been confirmed to be caused by insufficient verification >>> of conn_rsp_epid, I think it would be appropriate to add a range check for >>> conn_rsp_epid to htc_connect_service() to prevent the bug from occurring. >>> >>> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") >>> Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> >>> Acked-by: Toke Høiland-Jørgensen <toke(a)toke.dk> >>> Signed-off-by: Kalle Valo <quic_kvalo(a)quicinc.com> >> >> Patch applied to ath-next branch of ath.git, thanks. >> > Cc: <stable(a)vger.kernel.org> > I think this patch should be applied to the next rc version immediately > to fix the oob vulnerability as soon as possible, and also to the > stable version. > > Regards, > > Jeongjun Park > >> 8619593634cb wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() >> >> -- >> https://patchwork.kernel.org/project/linux-wireless/patch/20240909103855.68… >> >> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatc… >> https://docs.kernel.org/process/submitting-patches.html >>

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: imx: Update mctrl old_status on RTSD interrupt" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 40d7903386df4d18f04d90510ba90eedee260085 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102153-fiddling-unblended-6e63@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marex(a)denx.de> Date: Wed, 2 Oct 2024 20:40:38 +0200 Subject: [PATCH] serial: imx: Update mctrl old_status on RTSD interrupt When sending data using DMA at high baudrate (4 Mbdps in local test case) to a device with small RX buffer which keeps asserting RTS after every received byte, it is possible that the iMX UART driver would not recognize the falling edge of RTS input signal and get stuck, unable to transmit any more data. This condition happens when the following sequence of events occur: - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART control signal status into sport->old_status using imx_uart_get_hwmctrl(). The RTSS/TIOCM_CTS bit is of interest here (*). - DMA transfer occurs, the remote device asserts RTS signal after each byte. The i.MX UART driver recognizes each such RTS signal change, raises an interrupt with USR1 register RTSD bit set, which leads to invocation of __imx_uart_rtsint(), which calls uart_handle_cts_change(). - If the RTS signal is deasserted, uart_handle_cts_change() clears port->hw_stopped and unblocks the port for further data transfers. - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped and blocks the port for further data transfers. This may occur as the last interrupt of a transfer, which means port->hw_stopped remains set and the port remains blocked (**). - Any further data transfer attempts will trigger imx_uart_mctrl_check(), which will read current status of UART control signals by calling imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . - If current status differs from sport->old_status for RTS signal, uart_handle_cts_change() is called and possibly unblocks the port by clearing port->hw_stopped . - If current status does not differ from sport->old_status for RTS signal, no action occurs. This may occur in case prior snapshot (*) was taken before any transfer so the RTS is deasserted, current snapshot (***) was taken after a transfer and therefore RTS is deasserted again, which means current status and sport->old_status are identical. In case (**) triggered when RTS got asserted, and made port->hw_stopped set, the port->hw_stopped will remain set because no change on RTS line is recognized by this driver and uart_handle_cts_change() is not called from here to unblock the port->hw_stopped. Update sport->old_status in __imx_uart_rtsint() accordingly to make imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR and TIOCM_RI bits in sport->old_status do not suffer from this problem. Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") Cc: stable <stable(a)kernel.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Signed-off-by: Marek Vasut <marex(a)denx.de> Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 67d4a72eda77..90974d338f3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) imx_uart_writel(sport, USR1_RTSD, USR1); usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + /* + * Update sport->old_status here, so any follow-up calls to + * imx_uart_mctrl_check() will be able to recognize that RTS + * state changed since last imx_uart_mctrl_check() call. + * + * In case RTS has been detected as asserted here and later on + * deasserted by the time imx_uart_mctrl_check() was called, + * imx_uart_mctrl_check() can detect the RTS state change and + * trigger uart_handle_cts_change() to unblock the port for + * further TX transfers. + */ + if (usr1 & USR1_RTSS) + sport->old_status |= TIOCM_CTS; + else + sport->old_status &= ~TIOCM_CTS; uart_handle_cts_change(&sport->port, usr1); wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

8 months, 2 weeks

2
1
0 0

[tip: x86/urgent] x86/lam: Disable ADDRESS_MASKING in most cases

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 3267cb6d3a174ff83d6287dcd5b0047bbd912452 Gitweb: https://git.kernel.org/tip/3267cb6d3a174ff83d6287dcd5b0047bbd912452 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Tue, 23 Jan 2024 19:55:21 -08:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Mon, 21 Oct 2024 15:05:43 -07:00 x86/lam: Disable ADDRESS_MASKING in most cases Linear Address Masking (LAM) has a weakness related to transient execution as described in the SLAM paper[1]. Unless Linear Address Space Separation (LASS) is enabled this weakness may be exploitable. Until kernel adds support for LASS[2], only allow LAM for COMPILE_TEST, or when speculation mitigations have been disabled at compile time, otherwise keep LAM disabled. There are no processors in market that support LAM yet, so currently nobody is affected by this issue. [1] SLAM: https://download.vusec.net/papers/slam_sp24.pdf [2] LASS: https://lore.kernel.org/lkml/20230609183632.48706-1-alexander.shishkin@linu… [ dhansen: update SPECULATION_MITIGATIONS -> CPU_MITIGATIONS ] Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Sohil Mehta <sohil.mehta(a)intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/5373262886f2783f054256babdf5a98545dc986b.170606… --- arch/x86/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 2852fcd..16354df 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2257,6 +2257,7 @@ config RANDOMIZE_MEMORY_PHYSICAL_PADDING config ADDRESS_MASKING bool "Linear Address Masking support" depends on X86_64 + depends on COMPILE_TEST || !CPU_MITIGATIONS # wait for LASS help Linear Address Masking (LAM) modifies the checking that is applied to 64-bit linear addresses, allowing software to use of the

8 months, 2 weeks

1
0
0 0

[PATCH RFC v3 00/10] extensible syscalls: CHECK_FIELDS to allow for easier feature detection

by Aleksa Sarai

This is something that I've been thinking about for a while. We had a discussion at LPC 2020 about this[1] but the proposals suggested there never materialised. In short, it is quite difficult for userspace to detect the feature capability of syscalls at runtime. This is something a lot of programs want to do, but they are forced to create elaborate scenarios to try to figure out if a feature is supported without causing damage to the system. For the vast majority of cases, each individual feature also needs to be tested individually (because syscall results are all-or-nothing), so testing even a single syscall's feature set can easily inflate the startup time of programs. This patchset implements the fairly minimal design I proposed in this talk[2] and in some old LKML threads (though I can't find the exact references ATM). The general flow looks like: 1. Userspace will indicate to the kernel that a syscall should a be no-op by setting the top bit of the extensible struct size argument. We will almost certainly never support exabyte sized structs, so the top bits are free for us to use as makeshift flag bits. This is preferable to using the per-syscall flag field inside the structure because seccomp can easily detect the bit in the flag and allow the probe or forcefully return -EEXTSYS_NOOP. 2. The kernel will then fill the provided structure with every valid bit pattern that the current kernel understands. For flags or other bitflag-like fields, this is the set of valid flags or bits. For pointer fields or fields that take an arbitrary value, the field has every bit set (0xFF... to fill the field) to indicate that any value is valid in the field. 3. The syscall then returns -EEXTSYS_NOOP which is an errno that will only ever be used for this purpose (so userspace can be sure that the request succeeded). On older kernels, the syscall will return a different error (usually -E2BIG or -EFAULT) and userspace can do their old-fashioned checks. 4. Userspace can then check which flags and fields are supported by looking at the fields in the returned structure. Flags are checked by doing an AND with the flags field, and field support can checked by comparing to 0. In principle you could just AND the entire structure if you wanted to do this check generically without caring about the structure contents (this is what libraries might consider doing). Userspace can even find out the internal kernel structure size by passing a PAGE_SIZE buffer and seeing how many bytes are non-zero. As with copy_struct_from_user(), this is designed to be forward- and backwards- compatible. This allows programas to get a one-shot understanding of what features a syscall supports without having to do any elaborate setups or tricks to detect support for destructive features. Flags can simply be ANDed to check if they are in the supported set, and fields can just be checked to see if they are non-zero. This patchset is IMHO the simplest way we can add the ability to introspect the feature set of extensible struct (copy_struct_from_user) syscalls. It doesn't preclude the chance of a more generic mechanism being added later. The intended way of using this interface to get feature information looks something like the following (imagine that openat2 has gained a new field and a new flag in the future): static bool openat2_no_automount_supported; static bool openat2_cwd_fd_supported; int check_openat2_support(void) { int err; struct open_how how = {}; err = openat2(AT_FDCWD, ".", &how, CHECK_FIELDS | sizeof(how)); assert(err < 0); switch (errno) { case EFAULT: case E2BIG: /* Old kernel... */ check_support_the_old_way(); break; case EEXTSYS_NOOP: openat2_no_automount_supported = (how.flags & RESOLVE_NO_AUTOMOUNT); openat2_cwd_fd_supported = (how.cwd_fd != 0); break; } } This series adds CHECK_FIELDS support for the following extensible struct syscalls, as they are quite likely to grow flags in the near future: * openat2 * clone3 * mount_setattr [1]: https://lwn.net/Articles/830666/ [2]: https://youtu.be/ggD-eb3yPVs Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> --- Changes in v3: - Fix copy_struct_to_user() return values in case of clear_user() failure. - v2: <https://lore.kernel.org/r/20240906-extensible-structs-check_fields-v2-0-0f4…> Changes in v2: - Add CHECK_FIELDS support to mount_setattr(2). - Fix build failure on architectures with custom errno values. - Rework selftests to use the tools/ uAPI headers rather than custom defining EEXTSYS_NOOP. - Make sure we return -EINVAL and -E2BIG for invalid sizes even if CHECK_FIELDS is set, and add some tests for that. - v1: <https://lore.kernel.org/r/20240902-extensible-structs-check_fields-v1-0-545…> --- Aleksa Sarai (10): uaccess: add copy_struct_to_user helper sched_getattr: port to copy_struct_to_user openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) openat2: add CHECK_FIELDS flag to usize argument selftests: openat2: add 0xFF poisoned data after misaligned struct selftests: openat2: add CHECK_FIELDS selftests clone3: add CHECK_FIELDS flag to usize argument selftests: clone3: add CHECK_FIELDS selftests mount_setattr: add CHECK_FIELDS flag to usize argument selftests: mount_setattr: add CHECK_FIELDS selftest arch/alpha/include/uapi/asm/errno.h | 3 + arch/mips/include/uapi/asm/errno.h | 3 + arch/parisc/include/uapi/asm/errno.h | 3 + arch/sparc/include/uapi/asm/errno.h | 3 + fs/namespace.c | 17 ++ fs/open.c | 18 ++ include/linux/uaccess.h | 97 ++++++++ include/uapi/asm-generic/errno.h | 3 + include/uapi/linux/openat2.h | 2 + kernel/fork.c | 30 ++- kernel/sched/syscalls.c | 42 +--- tools/arch/alpha/include/uapi/asm/errno.h | 3 + tools/arch/mips/include/uapi/asm/errno.h | 3 + tools/arch/parisc/include/uapi/asm/errno.h | 3 + tools/arch/sparc/include/uapi/asm/errno.h | 3 + tools/include/uapi/asm-generic/errno.h | 3 + tools/include/uapi/asm-generic/posix_types.h | 101 ++++++++ tools/testing/selftests/clone3/.gitignore | 1 + tools/testing/selftests/clone3/Makefile | 4 +- .../testing/selftests/clone3/clone3_check_fields.c | 264 +++++++++++++++++++++ tools/testing/selftests/mount_setattr/Makefile | 2 +- .../selftests/mount_setattr/mount_setattr_test.c | 53 ++++- tools/testing/selftests/openat2/Makefile | 2 + tools/testing/selftests/openat2/openat2_test.c | 165 ++++++++++++- 24 files changed, 777 insertions(+), 51 deletions(-) --- base-commit: 98f7e32f20d28ec452afb208f9cffc08448a2652 change-id: 20240803-extensible-structs-check_fields-a47e94cef691 Best regards, -- Aleksa Sarai <cyphar(a)cyphar.com>

8 months, 2 weeks

4
6
0 0

[PATCH v2 0/2] usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes()

by Javier Carrasco

The first patch simply adds the missing call to fwnode_handle_put() when the node is no longer required to make it compatible with stable kernels that don't support the cleanup attribute in its current form. The second patch adds the __free() macro to make the code more robust and avoid similar issues in the future. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Changes in v2: - Add patch for the automatic cleanup facility. - Link to v1: https://lore.kernel.org/r/20241019-typec-class-fwnode_handle_put-v1-1-a3b5a… --- Javier Carrasco (2): usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() usb: typec: use cleanup facility for 'altmodes_node' drivers/usb/typec/class.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- base-commit: f2493655d2d3d5c6958ed996b043c821c23ae8d3 change-id: 20241019-typec-class-fwnode_handle_put-b3648f5bc51b Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

8 months, 2 weeks

1
1
0 0

FAILED: patch "[PATCH] x86/bugs: Use code segment selector for VERW operand" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e4d2102018542e3ae5e297bc6e229303abff8a0f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102131-blissful-iodize-4056@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e4d2102018542e3ae5e297bc6e229303abff8a0f Mon Sep 17 00:00:00 2001 From: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu, 26 Sep 2024 09:10:31 -0700 Subject: [PATCH] x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. [ mingo: Fixed the SOB chain. ] Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Robert Gill <rtgill82(a)gmail.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com Cc: stable(a)vger.kernel.org # 5.10+ Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index ff5f1ecc7d1e..96b410b1d4e8 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,16 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +#ifdef CONFIG_X86_64 + ALTERNATIVE "", "verw mds_verw_sel(%rip)", X86_FEATURE_CLEAR_CPU_BUF +#else + /* + * In 32bit mode, the memory operand must be a %cs reference. The data + * segments may not be usable (vm86 mode), and the stack segment may not + * be flat (ESPFIX32). + */ + ALTERNATIVE "", "verw %cs:mds_verw_sel", X86_FEATURE_CLEAR_CPU_BUF +#endif .endm #ifdef CONFIG_X86_64

8 months, 2 weeks

2
1
0 0

[PATCH] drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too

by Mario Limonciello

Stuart Hayhurst has found that both at bootup and fullscreen VA-API video is leading to black screens for around 1 second and kernel WARNING [1] traces when calling dmub_psr_enable() with Parade 08-01 TCON. These symptoms all go away with PSR-SU disabled for this TCON, so disable it for now while DMUB traces [2] from the failure can be analyzed and the failure state properly root caused. Cc: stable(a)vger.kernel.org Cc: Marc Rossi <Marc.Rossi(a)amd.com> Cc: Hamza Mahfooz <Hamza.Mahfooz(a)amd.com> Link: https://gitlab.freedesktop.org/drm/amd/uploads/a832dd515b571ee171b3e3b566e9… [1] Link: https://gitlab.freedesktop.org/drm/amd/uploads/8f13ff3b00963c833e23e68aa811… [2] Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2645 Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- --- drivers/gpu/drm/amd/display/modules/power/power_helpers.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/modules/power/power_helpers.c b/drivers/gpu/drm/amd/display/modules/power/power_helpers.c index e304e8435fb8..477289846a0a 100644 --- a/drivers/gpu/drm/amd/display/modules/power/power_helpers.c +++ b/drivers/gpu/drm/amd/display/modules/power/power_helpers.c @@ -841,6 +841,8 @@ bool is_psr_su_specific_panel(struct dc_link *link) isPSRSUSupported = false; else if (dpcd_caps->sink_dev_id_str[1] == 0x08 && dpcd_caps->sink_dev_id_str[0] == 0x03) isPSRSUSupported = false; + else if (dpcd_caps->sink_dev_id_str[1] == 0x08 && dpcd_caps->sink_dev_id_str[0] == 0x01) + isPSRSUSupported = false; else if (dpcd_caps->psr_info.force_psrsu_cap == 0x1) isPSRSUSupported = true; } -- 2.34.1

8 months, 2 weeks

5
4
0 0

FAILED: patch "[PATCH] x86/bugs: Use code segment selector for VERW operand" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e4d2102018542e3ae5e297bc6e229303abff8a0f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102130-saturday-bountiful-5087@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e4d2102018542e3ae5e297bc6e229303abff8a0f Mon Sep 17 00:00:00 2001 From: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu, 26 Sep 2024 09:10:31 -0700 Subject: [PATCH] x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. [ mingo: Fixed the SOB chain. ] Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Robert Gill <rtgill82(a)gmail.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com Cc: stable(a)vger.kernel.org # 5.10+ Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index ff5f1ecc7d1e..96b410b1d4e8 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,16 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +#ifdef CONFIG_X86_64 + ALTERNATIVE "", "verw mds_verw_sel(%rip)", X86_FEATURE_CLEAR_CPU_BUF +#else + /* + * In 32bit mode, the memory operand must be a %cs reference. The data + * segments may not be usable (vm86 mode), and the stack segment may not + * be flat (ESPFIX32). + */ + ALTERNATIVE "", "verw %cs:mds_verw_sel", X86_FEATURE_CLEAR_CPU_BUF +#endif .endm #ifdef CONFIG_X86_64

8 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/bugs: Use code segment selector for VERW operand" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e4d2102018542e3ae5e297bc6e229303abff8a0f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102128-omega-phosphate-db6c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e4d2102018542e3ae5e297bc6e229303abff8a0f Mon Sep 17 00:00:00 2001 From: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu, 26 Sep 2024 09:10:31 -0700 Subject: [PATCH] x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. [ mingo: Fixed the SOB chain. ] Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Robert Gill <rtgill82(a)gmail.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com Cc: stable(a)vger.kernel.org # 5.10+ Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index ff5f1ecc7d1e..96b410b1d4e8 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,16 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +#ifdef CONFIG_X86_64 + ALTERNATIVE "", "verw mds_verw_sel(%rip)", X86_FEATURE_CLEAR_CPU_BUF +#else + /* + * In 32bit mode, the memory operand must be a %cs reference. The data + * segments may not be usable (vm86 mode), and the stack segment may not + * be flat (ESPFIX32). + */ + ALTERNATIVE "", "verw %cs:mds_verw_sel", X86_FEATURE_CLEAR_CPU_BUF +#endif .endm #ifdef CONFIG_X86_64

8 months, 2 weeks

2
2
0 0

[PATCH] mm: page_alloc: move mlocked flag clearance into free_pages_prepare()

by Roman Gushchin

Syzbot reported [1] a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage: BUG: Bad page state in process syz.0.15 pfn:1137bb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8881137bb870 pfn:0x1137bb flags: 0x400000000080000(mlocked|node=0|zone=1) raw: 0400000000080000 0000000000000000 dead000000000122 0000000000000000 raw: ffff8881137bb870 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 3005, tgid 3004 (syz.0.15), ts 61546 608067, free_ts 61390082085 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x3008/0x31f0 mm/page_alloc.c:3457 __alloc_pages_noprof+0x292/0x7b0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x630 mm/mempolicy.c:2265 kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99 kvm_create_vm virt/kvm/kvm_main.c:1235 [inline] kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5500 [inline] kvm_dev_ioctl+0x13bb/0x2320 virt/kvm/kvm_main.c:5542 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x69/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e page last free pid 951 tgid 951 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0xcb1/0xf00 mm/page_alloc.c:2638 vfree+0x181/0x2e0 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x80 mm/vmalloc.c:3282 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa5c/0x17a0 kernel/workqueue.c:3310 worker_thread+0xa2b/0xf70 kernel/workqueue.c:3391 kthread+0x2df/0x370 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The problem was originally introduced by commit b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance"): it was handling focused on handling pagecache and anonymous memory and wasn't suitable for lower level get_page()/free_page() API's used for example by KVM, as with this reproducer. Fix it by moving the mlocked flag clearance down to free_page_prepare(). The bug itself if fairly old and harmless (aside from generating these warnings), so the stable backport is likely not justified. Closes: https://syzkaller.appspot.com/x/report.txt?x=169a47d0580000 Fixes: b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: <stable(a)vger.kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> --- mm/page_alloc.c | 9 +++++++++ mm/swap.c | 14 -------------- 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index bc55d39eb372..24200651ad92 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1044,6 +1044,7 @@ __always_inline bool free_pages_prepare(struct page *page, bool skip_kasan_poison = should_skip_kasan_poison(page); bool init = want_init_on_free(); bool compound = PageCompound(page); + struct folio *folio = page_folio(page); VM_BUG_ON_PAGE(PageTail(page), page); @@ -1053,6 +1054,14 @@ __always_inline bool free_pages_prepare(struct page *page, if (memcg_kmem_online() && PageMemcgKmem(page)) __memcg_kmem_uncharge_page(page, order); + if (unlikely(folio_test_mlocked(folio))) { + long nr_pages = folio_nr_pages(folio); + + __folio_clear_mlocked(folio); + zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); + count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); + } + if (unlikely(PageHWPoison(page)) && !order) { /* Do not let hwpoison pages hit pcplists/buddy */ reset_page_owner(page, order); diff --git a/mm/swap.c b/mm/swap.c index 835bdf324b76..7cd0f4719423 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -78,20 +78,6 @@ static void __page_cache_release(struct folio *folio, struct lruvec **lruvecp, lruvec_del_folio(*lruvecp, folio); __folio_clear_lru_flags(folio); } - - /* - * In rare cases, when truncation or holepunching raced with - * munlock after VM_LOCKED was cleared, Mlocked may still be - * found set here. This does not indicate a problem, unless - * "unevictable_pgs_cleared" appears worryingly large. - */ - if (unlikely(folio_test_mlocked(folio))) { - long nr_pages = folio_nr_pages(folio); - - __folio_clear_mlocked(folio); - zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); - count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); - } } /* -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 2 weeks

2
2
0 0

[PATCH v2] Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()

by Andrej Shadura

Commit 9bf4e919ccad worked around an issue introduced after an innocuous optimisation change in LLVM main: > len is defined as an 'int' because it is assigned from > '__user int *optlen'. However, it is clamped against the result of > sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit > platforms). This is done with min_t() because min() requires compatible > types, which results in both len and the result of sizeof() being casted > to 'unsigned int', meaning len changes signs and the result of sizeof() > is truncated. From there, len is passed to copy_to_user(), which has a > third parameter type of 'unsigned long', so it is widened and changes > signs again. This excessive casting in combination with the KCSAN > instrumentation causes LLVM to fail to eliminate the __bad_copy_from() > call, failing the build. The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and rfcomm_sock_getsockopt_old. Change the type of len to size_t in both rfcomm_sock_getsockopt and rfcomm_sock_getsockopt_old and replace min_t() with min(). Cc: stable(a)vger.kernel.org Co-authored-by: Aleksei Vetrov <vvvvvv(a)google.com> Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()") Link: https://github.com/ClangBuiltLinux/linux/issues/2007 Link: https://github.com/llvm/llvm-project/issues/85647 Signed-off-by: Andrej Shadura <andrew.shadura(a)collabora.co.uk> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> --- net/bluetooth/rfcomm/sock.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 37d63d768afb..5f9d370e09b1 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -729,7 +729,8 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u struct sock *l2cap_sk; struct l2cap_conn *conn; struct rfcomm_conninfo cinfo; - int len, err = 0; + int err = 0; + size_t len; u32 opt; BT_DBG("sk %p", sk); @@ -783,7 +784,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u cinfo.hci_handle = conn->hcon->handle; memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); - len = min_t(unsigned int, len, sizeof(cinfo)); + len = min(len, sizeof(cinfo)); if (copy_to_user(optval, (char *) &cinfo, len)) err = -EFAULT; @@ -802,7 +803,8 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c { struct sock *sk = sock->sk; struct bt_security sec; - int len, err = 0; + int err = 0; + size_t len; BT_DBG("sk %p", sk); @@ -827,7 +829,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c sec.level = rfcomm_pi(sk)->sec_level; sec.key_size = 0; - len = min_t(unsigned int, len, sizeof(sec)); + len = min(len, sizeof(sec)); if (copy_to_user(optval, (char *) &sec, len)) err = -EFAULT; -- 2.43.0

8 months, 2 weeks

4
5
0 0

[char-misc-next v3] mei: use kvmalloc for read buffer

by Alexander Usyskin

Read buffer is allocated according to max message size, reported by the firmware and may reach 64K in systems with pxp client. Contiguous 64k allocation may fail under memory pressure. Read buffer is used as in-driver message storage and not required to be contiguous. Use kvmalloc to allow kernel to allocate non-contiguous memory. Fixes: 3030dc056459 ("mei: add wrapper for queuing control commands.") Reported-by: Rohit Agarwal <rohiagar(a)chromium.org> Closes: https://lore.kernel.org/all/20240813084542.2921300-1-rohiagar@chromium.org/ Tested-by: Brian Geffon <bgeffon(a)google.com> Signed-off-by: Alexander Usyskin <alexander.usyskin(a)intel.com> --- Changes since V2: - add Fixes and CC:stable Changes since V1: - add Tested-by and Reported-by drivers/misc/mei/client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c index 9d090fa07516..be011cef12e5 100644 --- a/drivers/misc/mei/client.c +++ b/drivers/misc/mei/client.c @@ -321,7 +321,7 @@ void mei_io_cb_free(struct mei_cl_cb *cb) return; list_del(&cb->list); - kfree(cb->buf.data); + kvfree(cb->buf.data); kfree(cb->ext_hdr); kfree(cb); } @@ -497,7 +497,7 @@ struct mei_cl_cb *mei_cl_alloc_cb(struct mei_cl *cl, size_t length, if (length == 0) return cb; - cb->buf.data = kmalloc(roundup(length, MEI_SLOT_SIZE), GFP_KERNEL); + cb->buf.data = kvmalloc(roundup(length, MEI_SLOT_SIZE), GFP_KERNEL); if (!cb->buf.data) { mei_io_cb_free(cb); return NULL; -- 2.43.0

8 months, 2 weeks

5
4
0 0

Re: [PATCH 6.11 000/135] 6.11.5-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

8 months, 2 weeks

1
0
0 0

[PATCH v2] mmc: core: Use GFP_NOIO in ACMD22

by Avri Altman

While reviewing the SDUC series, Adrian made a comment concerning the memory allocation code in mmc_sd_num_wr_blocks() - see [1]. Prevent memory allocations from triggering I/O operations while ACMD22 is in progress. [1] https://www.spinics.net/lists/linux-mmc/msg82199.html Suggested-by: Adrian Hunter <adrian.hunter(a)intel.com> Signed-off-by: Avri Altman <avri.altman(a)wdc.com> Cc: stable(a)vger.kernel.org --- Changes since v1: - Move memalloc_noio_restore around (Adrian) --- drivers/mmc/core/block.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index 04f3165cf9ae..a813fd7f39cc 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -995,6 +995,8 @@ static int mmc_sd_num_wr_blocks(struct mmc_card *card, u32 *written_blocks) u32 result; __be32 *blocks; u8 resp_sz = mmc_card_ult_capacity(card) ? 8 : 4; + unsigned int noio_flag; + struct mmc_request mrq = {}; struct mmc_command cmd = {}; struct mmc_data data = {}; @@ -1018,7 +1020,9 @@ static int mmc_sd_num_wr_blocks(struct mmc_card *card, u32 *written_blocks) mrq.cmd = &cmd; mrq.data = &data; + noio_flag = memalloc_noio_save(); blocks = kmalloc(resp_sz, GFP_KERNEL); + memalloc_noio_restore(noio_flag); if (!blocks) return -ENOMEM; -- 2.25.1

8 months, 2 weeks

3
4
0 0

[PATCH] usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes()

by Javier Carrasco

The 'altmodes_node' fwnode_handle is never released after it is no longer required, which leaks the resource. Add the required call to fwnode_handle_put() when 'altmodes_node' is no longer required. Cc: stable(a)vger.kernel.org Fixes: 7b458a4c5d73 ("usb: typec: Add typec_port_register_altmodes()") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/usb/typec/class.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c index d61b4c74648d..1eb240604cf6 100644 --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c @@ -2341,6 +2341,7 @@ void typec_port_register_altmodes(struct typec_port *port, altmodes[index] = alt; index++; } + fwnode_handle_put(altmodes_node); } EXPORT_SYMBOL_GPL(typec_port_register_altmodes); --- base-commit: f2493655d2d3d5c6958ed996b043c821c23ae8d3 change-id: 20241019-typec-class-fwnode_handle_put-b3648f5bc51b Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

8 months, 2 weeks

2
4
0 0

[PATCH v5 1/2] misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors

by avimalin＠gmail.com

From: Vimal Agrawal <vimal.agrawal(a)sophos.com> misc_minor_alloc was allocating id using ida for minor only in case of MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids using ida_free causing a mismatch and following warn: > > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f > > ida_free called for id=127 which is not allocated. > > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ... > > [<60941eb4>] ida_free+0x3e0/0x41f > > [<605ac993>] misc_minor_free+0x3e/0xbc > > [<605acb82>] misc_deregister+0x171/0x1b3 misc_minor_alloc is changed to allocate id from ida for all minors falling in the range of dynamic/ misc dynamic minors Fixes: ab760791c0cf ("char: misc: Increase the maximum number of dynamic misc devices to 1048448") Signed-off-by: Vimal Agrawal <vimal.agrawal(a)sophos.com> Reviewed-by: Dirk VanDerMerwe <dirk.vandermerwe(a)sophos.com> Cc: stable(a)vger.kernel.org --- v2: Added Fixes: Added missed case for static minor in misc_minor_alloc v3: Removed kunit changes as that will be added as second patch in this two patch series v4: Updated Signed-off-by: to match from: v5: Used corporate id in from: and Signed-off-by: drivers/char/misc.c | 39 ++++++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/drivers/char/misc.c b/drivers/char/misc.c index 541edc26ec89..2cf595d2e10b 100644 --- a/drivers/char/misc.c +++ b/drivers/char/misc.c @@ -63,16 +63,30 @@ static DEFINE_MUTEX(misc_mtx); #define DYNAMIC_MINORS 128 /* like dynamic majors */ static DEFINE_IDA(misc_minors_ida); -static int misc_minor_alloc(void) +static int misc_minor_alloc(int minor) { - int ret; - - ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL); - if (ret >= 0) { - ret = DYNAMIC_MINORS - ret - 1; + int ret = 0; + + if (minor == MISC_DYNAMIC_MINOR) { + /* allocate free id */ + ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL); + if (ret >= 0) { + ret = DYNAMIC_MINORS - ret - 1; + } else { + ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1, + MINORMASK, GFP_KERNEL); + } } else { - ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1, - MINORMASK, GFP_KERNEL); + /* specific minor, check if it is in dynamic or misc dynamic range */ + if (minor < DYNAMIC_MINORS) { + minor = DYNAMIC_MINORS - minor - 1; + ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL); + } else if (minor > MISC_DYNAMIC_MINOR) { + ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL); + } else { + /* case of non-dynamic minors, no need to allocate id */ + ret = 0; + } } return ret; } @@ -219,7 +233,7 @@ int misc_register(struct miscdevice *misc) mutex_lock(&misc_mtx); if (is_dynamic) { - int i = misc_minor_alloc(); + int i = misc_minor_alloc(misc->minor); if (i < 0) { err = -EBUSY; @@ -228,6 +242,7 @@ int misc_register(struct miscdevice *misc) misc->minor = i; } else { struct miscdevice *c; + int i; list_for_each_entry(c, &misc_list, list) { if (c->minor == misc->minor) { @@ -235,6 +250,12 @@ int misc_register(struct miscdevice *misc) goto out; } } + + i = misc_minor_alloc(misc->minor); + if (i < 0) { + err = -EBUSY; + goto out; + } } dev = MKDEV(MISC_MAJOR, misc->minor); -- 2.17.1

8 months, 2 weeks

1
0
0 0

[PATCH] drm/atomic_helper: Add missing NULL check for drm_plane_helper_funcs.atomic_update

by Lyude Paul

Something I discovered while writing rvkms since some versions of the driver didn't have a filled out atomic_update function - we mention that this callback is "optional", but we don't actually check whether it's NULL or not before calling it. As a result, we'll segfault if it's not filled in. rvkms rvkms.0: [drm:drm_atomic_helper_commit_modeset_disables] modeset on [ENCODER:36:Virtual-36] BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] PREEMPT SMP NOPTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20240813-1.fc40 08/13/2024 RIP: 0010:0x0 So, let's fix that. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Fixes: c2fcd274bce5 ("drm: Add atomic/plane helpers") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v3.19+ --- drivers/gpu/drm/drm_atomic_helper.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 43cdf39019a44..b3c507040c6d6 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -2797,7 +2797,8 @@ void drm_atomic_helper_commit_planes(struct drm_device *dev, funcs->atomic_disable(plane, old_state); } else if (new_plane_state->crtc || disabling) { - funcs->atomic_update(plane, old_state); + if (funcs->atomic_update) + funcs->atomic_update(plane, old_state); if (!disabling && funcs->atomic_enable) { if (drm_atomic_plane_enabling(old_plane_state, new_plane_state)) @@ -2889,7 +2890,8 @@ drm_atomic_helper_commit_planes_on_crtc(struct drm_crtc_state *old_crtc_state) if (disabling && plane_funcs->atomic_disable) { plane_funcs->atomic_disable(plane, old_state); } else if (new_plane_state->crtc || disabling) { - plane_funcs->atomic_update(plane, old_state); + if (plane_funcs->atomic_update) + plane_funcs->atomic_update(plane, old_state); if (!disabling && plane_funcs->atomic_enable) { if (drm_atomic_plane_enabling(old_plane_state, new_plane_state)) base-commit: 22512c3ee0f47faab5def71c4453638923c62522 -- 2.46.1

8 months, 2 weeks

3
5
0 0

[PATCH v2 0/2] usb: typec: qcom-pmic-typec: fix missing fwnode removal in error path

by Javier Carrasco

This series fixes the handling of an fwnode that is not released in all error paths and uses the wrong function to release it (spotted by Dmitry Baryshkov). To: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> To: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> To: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> To: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> To: Caleb Connolly <caleb.connolly(a)linaro.org> To: Guenter Roeck <linux(a)roeck-us.net> Cc: linux-arm-msm(a)vger.kernel.org Cc: linux-usb(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Changes in v2: - add patch to use fwnode_handle_put() instead of fwnode_remove_software-node(). - Link to v1: https://lore.kernel.org/r/20241019-qcom_pmic_typec-fwnode_remove-v1-1-88496… --- Javier Carrasco (2): usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes usb: typec: qcom-pmic-typec: fix missing fwnode removal in error path drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- base-commit: f2493655d2d3d5c6958ed996b043c821c23ae8d3 change-id: 20241019-qcom_pmic_typec-fwnode_remove-00dc49054cf7 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

8 months, 2 weeks

4
8
0 0

[PATCH 5.10 0/1] Fix lockup when splicing 0-length buffers

by Thadeu Lima de Souza Cascardo

When splicing a 0-length bvec, the block layer may loop iterating and not advancing the bvec, causing lockups or hangs. Pavel Begunkov (1): splice: don't generate zero-len segement bvecs fs/splice.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) -- 2.34.1

8 months, 2 weeks

1
1
0 0

[PATCH v4] xhci: tegra: fix checked USB2 port number

by Henry Lin

If USB virtualizatoin is enabled, USB2 ports are shared between all Virtual Functions. The USB2 port number owned by an USB2 root hub in a Virtual Function may be less than total USB2 phy number supported by the Tegra XUSB controller. Using total USB2 phy number as port number to check all PORTSC values would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f ... [ 117.213640] Call trace: [ 117.216783] tegra_xusb_enter_elpg+0x23c/0x658 [ 117.222021] tegra_xusb_runtime_suspend+0x40/0x68 [ 117.227260] pm_generic_runtime_suspend+0x30/0x50 [ 117.232847] __rpm_callback+0x84/0x3c0 [ 117.237038] rpm_suspend+0x2dc/0x740 [ 117.241229] pm_runtime_work+0xa0/0xb8 [ 117.245769] process_scheduled_works+0x24c/0x478 [ 117.251007] worker_thread+0x23c/0x328 [ 117.255547] kthread+0x104/0x1b0 [ 117.259389] ret_from_fork+0x10/0x20 [ 117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100) Cc: <stable(a)vger.kernel.org> # v6.3+ Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls") Signed-off-by: Henry Lin <henryl(a)nvidia.com> --- V1 -> V2: Add Fixes tag and the cc stable line V2 -> V3: Update commit message to clarify issue V3 -> V4: Resend for patch changelogs that are missing in V3 drivers/usb/host/xhci-tegra.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c index 6246d5ad1468..76f228e7443c 100644 --- a/drivers/usb/host/xhci-tegra.c +++ b/drivers/usb/host/xhci-tegra.c @@ -2183,7 +2183,7 @@ static int tegra_xusb_enter_elpg(struct tegra_xusb *tegra, bool runtime) goto out; } - for (i = 0; i < tegra->num_usb_phys; i++) { + for (i = 0; i < xhci->usb2_rhub.num_ports; i++) { if (!xhci->usb2_rhub.ports[i]) continue; portsc = readl(xhci->usb2_rhub.ports[i]->addr); -- 2.25.1

8 months, 2 weeks

2
1
0 0

[PATCH v2] ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[]

by Christian Heusel

The LG Gram Pro 16 2-in-1 (2024) the 16T90SP has its keybopard IRQ (1) described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh which breaks the keyboard. Add the 16T90SP to the irq1_level_low_skip_override[] quirk table to fix this. Reported-by: Dirk Holten <dirk.holten(a)gmx.de> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219382 Cc: stable(a)vger.kernel.org Suggested-by: Dirk Holten <dirk.holten(a)gmx.de> Signed-off-by: Christian Heusel <christian(a)heusel.eu> --- Note that I do not have the relevant hardware since I'm sending in this quirk at the request of someone else. --- Changes in v2: - fix the double initialization warning reported by the kernel test robot, which accidentially overwrote another quirk - Link to v1: https://lore.kernel.org/r/20241016-lg-gram-pro-keyboard-v1-1-34306123102f@h… --- drivers/acpi/resource.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 129bceb1f4a27df93439bcefdb27fd9c91258028..7fe842dae1ec05ce6726af2ae4fcc8eff3698dcb 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -503,6 +503,13 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = { DMI_MATCH(DMI_BOARD_NAME, "17U70P"), }, }, + { + /* LG Electronics 16T90SP */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"), + DMI_MATCH(DMI_BOARD_NAME, "16T90SP"), + }, + }, { } }; --- base-commit: 8e929cb546ee42c9a61d24fae60605e9e3192354 change-id: 20241016-lg-gram-pro-keyboard-9a9d8b9aa647 Best regards, -- Christian Heusel <christian(a)heusel.eu>

8 months, 2 weeks

2
1
0 0

[PATCH 1/4] mtd: spi-nand: winbond: Fix 512GW and 02JW OOB layout

by Miquel Raynal

Both W25N512GW and W25N02JW chips have 64 bytes of OOB and thus cannot use the layout for 128 bytes OOB. Reference the correct layout instead. Fixes: 6a804fb72de5 ("mtd: spinand: winbond: add support for serial NAND flash") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/mtd/nand/spi/winbond.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c index 6b520b68407e..4e765cec0a3b 100644 --- a/drivers/mtd/nand/spi/winbond.c +++ b/drivers/mtd/nand/spi/winbond.c @@ -189,7 +189,7 @@ static const struct spinand_info winbond_spinand_table[] = { &write_cache_variants, &update_cache_variants), 0, - SPINAND_ECCINFO(&w25n02kv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), SPINAND_INFO("W25N512GW", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x20), NAND_MEMORG(1, 2048, 64, 64, 512, 10, 1, 1, 1), @@ -198,7 +198,7 @@ static const struct spinand_info winbond_spinand_table[] = { &write_cache_variants, &update_cache_variants), 0, - SPINAND_ECCINFO(&w25n02kv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), SPINAND_INFO("W25N02KWZEIR", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x22), NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), -- 2.43.0

8 months, 2 weeks

2
2
0 0

[PATCH 2/4] mtd: spi-nand: winbond: Fix 512GW, 01GW, 01JW and 02JW ECC information

by Miquel Raynal

These four chips: * W25N512GW * W25N01GW * W25N01JW * W25N02JW all require a single bit of ECC strength and thus feature an on-die Hamming-like ECC engine. There is no point in filling a ->get_status() callback for them because the main ECC status bytes are located in standard places, and retrieving the number of bitflips in case of corrected chunk is both useless and unsupported (if there are bitflips, then there is 1 at most, so no need to query the chip for that). Without this change, a kernel warning triggers every time a bit flips. Fixes: 6a804fb72de5 ("mtd: spinand: winbond: add support for serial NAND flash") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/mtd/nand/spi/winbond.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c index 4e765cec0a3b..9b611bf7e8f0 100644 --- a/drivers/mtd/nand/spi/winbond.c +++ b/drivers/mtd/nand/spi/winbond.c @@ -175,30 +175,30 @@ static const struct spinand_info winbond_spinand_table[] = { SPINAND_INFO("W25N01JW", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xbc, 0x21), NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), - NAND_ECCREQ(4, 512), + NAND_ECCREQ(1, 512), SPINAND_INFO_OP_VARIANTS(&read_cache_variants, &write_cache_variants, &update_cache_variants), 0, - SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), SPINAND_INFO("W25N02JWZEIF", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xbf, 0x22), NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 2, 1), - NAND_ECCREQ(4, 512), + NAND_ECCREQ(1, 512), SPINAND_INFO_OP_VARIANTS(&read_cache_variants, &write_cache_variants, &update_cache_variants), 0, - SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), SPINAND_INFO("W25N512GW", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x20), NAND_MEMORG(1, 2048, 64, 64, 512, 10, 1, 1, 1), - NAND_ECCREQ(4, 512), + NAND_ECCREQ(1, 512), SPINAND_INFO_OP_VARIANTS(&read_cache_variants, &write_cache_variants, &update_cache_variants), 0, - SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), SPINAND_INFO("W25N02KWZEIR", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x22), NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), @@ -220,12 +220,12 @@ static const struct spinand_info winbond_spinand_table[] = { SPINAND_INFO("W25N01GWZEIG", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x21), NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), - NAND_ECCREQ(4, 512), + NAND_ECCREQ(1, 512), SPINAND_INFO_OP_VARIANTS(&read_cache_variants, &write_cache_variants, &update_cache_variants), 0, - SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), SPINAND_INFO("W25N04KV", SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xaa, 0x23), NAND_MEMORG(1, 2048, 128, 64, 4096, 40, 2, 1, 1), -- 2.43.0

8 months, 2 weeks

2
3
0 0

[PATCH 6.11.y v2 0/3] Yu Zhao's memory fix backport

by chrisl＠kernel.org

A few commits from Yu Zhao have been merged into 6.12. They need to be backported to 6.11. - c2a967f6ab0ec ("mm/hugetlb_vmemmap: don't synchronize_rcu() without HVO") - 95599ef684d01 ("mm/codetag: fix pgalloc_tag_split()") - e0a955bf7f61c ("mm/codetag: add pgalloc_tag_copy()") --- Changes in v2: - Add signed off tag - Link to v1: https://lore.kernel.org/r/20241017-stable-yuzhao-v1-0-3a4566660d44@kernel.o… --- Yu Zhao (3): mm/hugetlb_vmemmap: don't synchronize_rcu() without HVO mm/codetag: fix pgalloc_tag_split() mm/codetag: add pgalloc_tag_copy() include/linux/alloc_tag.h | 24 ++++++++----------- include/linux/mm.h | 57 +++++++++++++++++++++++++++++++++++++++++++++ include/linux/pgalloc_tag.h | 31 ------------------------ mm/huge_memory.c | 2 +- mm/hugetlb_vmemmap.c | 40 +++++++++++++++---------------- mm/migrate.c | 1 + mm/page_alloc.c | 4 ++-- 7 files changed, 91 insertions(+), 68 deletions(-) --- base-commit: 8e24a758d14c0b1cd42ab0aea980a1030eea811f change-id: 20241016-stable-yuzhao-7779910482e8 Best regards, -- Chris Li <chrisl(a)kernel.org>

8 months, 2 weeks

3
5
0 0

[PATCH 5.4.y] erofs: fix lz4 inplace decompression

by Gao Xiang

commit 3c12466b6b7bf1e56f9b32c366a3d83d87afb4de upstream. Currently EROFS can map another compressed buffer for inplace decompression, that was used to handle the cases that some pages of compressed data are actually not in-place I/O. However, like most simple LZ77 algorithms, LZ4 expects the compressed data is arranged at the end of the decompressed buffer and it explicitly uses memmove() to handle overlapping: __________________________________________________________ |_ direction of decompression --> ____ |_ compressed data _| Although EROFS arranges compressed data like this, it typically maps two individual virtual buffers so the relative order is uncertain. Previously, it was hardly observed since LZ4 only uses memmove() for short overlapped literals and x86/arm64 memmove implementations seem to completely cover it up and they don't have this issue. Juhyung reported that EROFS data corruption can be found on a new Intel x86 processor. After some analysis, it seems that recent x86 processors with the new FSRM feature expose this issue with "rep movsb". Let's strictly use the decompressed buffer for lz4 inplace decompression for now. Later, as an useful improvement, we could try to tie up these two buffers together in the correct order. Reported-and-tested-by: Juhyung Park <qkrwngud825(a)gmail.com> Closes: https://lore.kernel.org/r/CAD14+f2AVKf8Fa2OO1aAUdDNTDsVzzR6ctU_oJSmTyd6zSYR… Fixes: 0ffd71bcc3a0 ("staging: erofs: introduce LZ4 decompression inplace") Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend") Cc: stable <stable(a)vger.kernel.org> # 5.4+ Tested-by: Yifan Zhao <zhaoyifan(a)sjtu.edu.cn> Link: https://lore.kernel.org/r/20231206045534.3920847-1-hsiangkao@linux.alibaba.… Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> --- The remaining stable patch to address the issue "CVE-2023-52497" for 5.4.y, which is the same as the 5.10.y one [1]. [1] https://lore.kernel.org/r/20240224063248.2157885-1-hsiangkao@linux.alibaba.… fs/erofs/decompressor.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 38eeec5e3032..d06a3b77fb39 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -24,7 +24,8 @@ struct z_erofs_decompressor { */ int (*prepare_destpages)(struct z_erofs_decompress_req *rq, struct list_head *pagepool); - int (*decompress)(struct z_erofs_decompress_req *rq, u8 *out); + int (*decompress)(struct z_erofs_decompress_req *rq, u8 *out, + u8 *obase); char *name; }; @@ -114,10 +115,13 @@ static void *generic_copy_inplace_data(struct z_erofs_decompress_req *rq, return tmp; } -static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) +static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out, + u8 *obase) { + const uint nrpages_out = PAGE_ALIGN(rq->pageofs_out + + rq->outputsize) >> PAGE_SHIFT; unsigned int inputmargin, inlen; - u8 *src; + u8 *src, *src2; bool copied, support_0padding; int ret; @@ -125,6 +129,7 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) return -EOPNOTSUPP; src = kmap_atomic(*rq->in); + src2 = src; inputmargin = 0; support_0padding = false; @@ -148,16 +153,15 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) if (rq->inplace_io) { const uint oend = (rq->pageofs_out + rq->outputsize) & ~PAGE_MASK; - const uint nr = PAGE_ALIGN(rq->pageofs_out + - rq->outputsize) >> PAGE_SHIFT; - if (rq->partial_decoding || !support_0padding || - rq->out[nr - 1] != rq->in[0] || + rq->out[nrpages_out - 1] != rq->in[0] || rq->inputsize - oend < LZ4_DECOMPRESS_INPLACE_MARGIN(inlen)) { src = generic_copy_inplace_data(rq, src, inputmargin); inputmargin = 0; copied = true; + } else { + src = obase + ((nrpages_out - 1) << PAGE_SHIFT); } } @@ -178,7 +182,7 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) if (copied) erofs_put_pcpubuf(src); else - kunmap_atomic(src); + kunmap_atomic(src2); return ret; } @@ -248,7 +252,7 @@ static int z_erofs_decompress_generic(struct z_erofs_decompress_req *rq, return PTR_ERR(dst); rq->inplace_io = false; - ret = alg->decompress(rq, dst); + ret = alg->decompress(rq, dst, NULL); if (!ret) copy_from_pcpubuf(rq->out, dst, rq->pageofs_out, rq->outputsize); @@ -282,7 +286,7 @@ static int z_erofs_decompress_generic(struct z_erofs_decompress_req *rq, dst_maptype = 2; dstmap_out: - ret = alg->decompress(rq, dst + rq->pageofs_out); + ret = alg->decompress(rq, dst + rq->pageofs_out, dst); if (!dst_maptype) kunmap_atomic(dst); -- 2.43.5

8 months, 2 weeks

2
1
0 0

[PATCH 5.15 000/691] 5.15.168-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.168 release. There are 691 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Oct 2024 11:22:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.168-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.168-rc1 Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Schedule NAPI in two steps Paolo Abeni <pabeni(a)redhat.com> selftests: net: more strict check in net_helper Andy Chiu <andy.chiu(a)sifive.com> net: axienet: start napi before enabling Rx/Tx Jan Kara <jack(a)suse.cz> ext4: fix warning in ext4_dio_write_end_io() Phil Sutter <phil(a)nwl.cc> netfilter: ip6t_rpfilter: Fix regression with VRF interfaces Antoine Tenart <atenart(a)kernel.org> net: vrf: determine the dst using the original ifindex for multicast Andrea Mayer <andrea.mayer(a)uniroma2.it> net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev David Ahern <dsahern(a)kernel.org> net: Handle l3mdev in ip_tunnel_init_flow David Ahern <dsahern(a)kernel.org> xfrm: Pass flowi_oif or l3mdev as oif to xfrm_dst_lookup Eyal Birger <eyal.birger(a)gmail.com> net: geneve: add missing netlink policy and size for IFLA_GENEVE_INNER_PROTO_INHERIT Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: smbus: Check for parent device before dereference Thomas Richter <tmricht(a)linux.ibm.com> perf test sample-parsing: Fix branch_stack entry endianness check Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix uaf for accessing waker_bfqq after splitting Frederic Weisbecker <frederic(a)kernel.org> kthread: unpark only parked kthread Yonatan Maman <Ymaman(a)Nvidia.com> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: do not remove closing subflows Anatolij Gustschin <agust(a)denx.de> net: dsa: lan9303: ensure chip reset and wait for READY status Anastasia Kovaleva <a.kovaleva(a)yadro.com> net: Fix an unsafe loop on the list Ignat Korchagin <ignat(a)cloudflare.com> net: explicitly clear the sk pointer, when pf->create fails Maíra Canal <mcanal(a)igalia.com> drm/v3d: Stop the active perfmon before being destroyed SurajSonawane2415 <surajsonawane0215(a)gmail.com> hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma Icenowy Zheng <uwu(a)icenowy.me> usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Jose Alberto Reguero <jose.alberto.reguero(a)gmail.com> usb: xhci: Fix problem with xhci resume from suspend Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: core: Stop processing of pending events if controller is halted Oliver Neukum <oneukum(a)suse.com> Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" Wade Wang <wade.wang(a)hp.com> HID: plantronics: Workaround for an unexcepted opposite volume key Huang Ying <ying.huang(a)intel.com> resource: fix region_intersects() vs add_memory_driver_managed() Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> HID: amd_sfh: Switch to device-managed dmam_alloc_coherent() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (adt7470) Add missing dependency on REGMAP_I2C Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (adm9240) Add missing dependency on REGMAP_I2C Guenter Roeck <linux(a)roeck-us.net> hwmon: (tmp513) Add missing dependency on REGMAP_I2C Mitchell Levy <levymitchell0(a)gmail.com> x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix UAF for cq async event Eric Dumazet <edumazet(a)google.com> slip: make slhc_remember() more robust against malicious packets Eric Dumazet <edumazet(a)google.com> ppp: fix ppp_async_encode() illegal access Kuniyuki Iwashima <kuniyu(a)amazon.com> mctp: Handle error of rtnl_register_module(). Kuniyuki Iwashima <kuniyu(a)amazon.com> rtnetlink: Add bulk registration helpers for rtnetlink message handlers. Nikolay Aleksandrov <razor(a)blackwall.org> net: rtnetlink: add msg kind names Florian Westphal <fw(a)strlen.de> netfilter: fib: check correct rtable in vrf setups Guillaume Nault <gnault(a)redhat.com> netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces. Phil Sutter <phil(a)nwl.cc> netfilter: rpfilter/fib: Populate flowic_l3mdev field David Ahern <dsahern(a)kernel.org> net: Add l3mdev index to flow struct and avoid oif reset for port devices Florian Westphal <fw(a)strlen.de> netfilter: xtables: avoid NFPROTO_UNSPEC where needed Xin Long <lucien.xin(a)gmail.com> sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start Rosen Penev <rosenp(a)gmail.com> net: ibm: emac: mal: fix wrong goto Eric Dumazet <edumazet(a)google.com> net/sched: accept TCA_STAB only for root qdisc Mohamed Khalfella <mkhalfella(a)purestorage.com> igb: Do not bring the device up after non-fatal error Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: Fix macvlan leak by synchronizing access to mac_filter_hash Marcin Szycik <marcin.szycik(a)linux.intel.com> ice: Fix netif_is_ice() in Safe Mode Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Use devm_clk api to manage clock source Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Add the flush write to ensure the write complete. Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix jumbo frames on 10/100 ports Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow lower MTUs on BCM5325/5365 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix max MTU for BCM5325/BCM5365 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix max MTU for 1g switches Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix jumbo frame mtu check Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Fix warning during module unload Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: int340x: processor_thermal: Set feature mask before proc_thermal_add Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: phy: bcm84881: Fix some error handling paths Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Andy Roulin <aroulin(a)nvidia.com> netfilter: br_netfilter: fix panic with metadata_dst skb Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe Neal Cardwell <ncardwell(a)google.com> tcp: fix to allow timestamp undo if no retransmits were sent Ingo van Lil <inguin(a)gmx.de> net: phy: dp83869: fix memory corruption when enabling fiber Yanjun Zhang <zhangyanjun(a)cestc.cn> NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() Dan Carpenter <dan.carpenter(a)linaro.org> SUNRPC: Fix integer overflow in decode_rc_list() Dave Ertman <david.m.ertman(a)intel.com> ice: fix VLAN replay after reset Chuck Lever <chuck.lever(a)oracle.com> NFSD: Mark filecache "down" if init fails Bob Pearson <rpearsonhpe(a)gmail.com> RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt Andrey Shumilin <shum.sdl(a)nppct.ru> fbdev: sisfb: Fix strbuf array overflow Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointer before dereferencing se Zijun Hu <quic_zijuhu(a)quicinc.com> driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/iio: Add memory allocation failure check for trigger_name Philip Chen <philipchen(a)chromium.org> virtio_pmem: Check device status before requesting flush Ruffalo Lavoisier <ruffalolavoisier(a)gmail.com> comedi: ni_routing: tools: Check when the file could not be opened Shawn Shao <shawn.shao(a)jaguarmicro.com> usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: udc: enable suspend interrupt after usb reset Peng Fan <peng.fan(a)nxp.com> clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table Yunke Cao <yunkec(a)chromium.org> media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Kaixin Wang <kxwang23(a)m.fudan.edu.cn> ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition Alex Williamson <alex.williamson(a)redhat.com> PCI: Mark Creative Labs EMU20k2 INTx masking as broken Hans de Goede <hdegoede(a)redhat.com> i2c: i801: Use a different adapter-name for IDF adapters Subramanian Ananthanarayanan <quic_skananth(a)quicinc.com> PCI: Add ACS quirk for Qualcomm SA8775P Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> clk: bcm: bcm53573: fix OF node leak in init Md Haris Iqbal <haris.iqbal(a)ionos.com> RDMA/rtrs-srv: Avoid null pointer deref during path establishment WangYuli <wangyuli(a)uniontech.com> PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/mad: Improve handling of timed out WRs of mad agent Daniel Jordan <daniel.m.jordan(a)oracle.com> ktest.pl: Avoid false positives with grub2 skip regex Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_sf: Remove WARN_ON_ONCE statements Wojciech Gładysz <wojciech.gladysz(a)infogain.com> ext4: nested locking for xattr inode Jan Kara <jack(a)suse.cz> ext4: don't set SB_RDONLY after filesystem errors Yonghong Song <yonghong.song(a)linux.dev> bpf, x64: Fix a jit convergence issue Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Add cond_resched() to cmm_alloc/free_pages() Heiko Carstens <hca(a)linux.ibm.com> s390/facility: Disable compile time optimization for decompressor code Tao Chen <chen.dylane(a)gmail.com> bpf: Check percpu map value size first Mathias Krause <minipli(a)grsecurity.net> Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Michael S. Tsirkin <mst(a)redhat.com> virtio_console: fix misc probe bugs Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Refactor enum_rstbl to suppress static checker Benjamin Poirier <bpoirier(a)nvidia.com> selftests: net: Remove executable bits from library scripts Lucas Karpinski <lkarpins(a)redhat.com> selftests/net: synchronize udpgro tests' tx and rx connection Adrien Thierry <athierry(a)redhat.com> selftests/net: give more time to udpgro bg processes to complete startup Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Have saved_cmdlines arrays all in one allocation Rob Clark <robdclark(a)chromium.org> drm/crtc: fix uninitialized variable use even harder Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Remove precision vsnprintf() check from print event Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Drop TSO support Gabriel Krisman Bertazi <krisman(a)suse.de> unicode: Don't special case ignorable code points Jaroslav Kysela <perex(a)perex.cz> ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate() Namhyung Kim <namhyung(a)kernel.org> perf report: Fix segfault when 'sym' sort key is not used Haoran Zhang <wh1sper(a)zju.edu.cn> vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Dominique Martinet <asmadeus(a)codewreck.org> 9p: add missing locking around taking dentry fid list zhanchengbin <zhanchengbin1(a)huawei.com> ext4: fix inode tree inconsistency caused by ENOMEM Sumit Semwal <sumit.semwal(a)linaro.org> Revert "arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings" Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Add GPLL9 support Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add tally counter fields added with RTL8125 Colin Ian King <colin.i.king(a)gmail.com> r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Manivannan Sadhasivam <mani(a)kernel.org> dt-bindings: clock: qcom: Add missing UFS QREF clocks Umang Jain <umang.jain(a)ideasonboard.com> media: imx335: Fix reset-gpio handling Kieran Bingham <kieran.bingham(a)ideasonboard.com> media: i2c: imx335: Enable regulator supplies Val Packett <val(a)packett.cool> drm/rockchip: vop: clear DMA stop bit on RK3066 Hugh Cole-Baker <sigmaris(a)gmail.com> drm/rockchip: support gamma control on RK3399 Hugh Cole-Baker <sigmaris(a)gmail.com> drm/rockchip: define gamma registers for RK3399 Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: harden build ID parsing logic Alexey Dobriyan <adobriyan(a)gmail.com> build-id: require program headers to be right after ELF header Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Anshuman Khandual <anshuman.khandual(a)arm.com> arm64: Add Cortex-715 CPU part definition Zhihao Cheng <chengzhihao1(a)huawei.com> ext4: dax: fix overflowing extents beyond inode size when partially writing Jan Kara <jack(a)suse.cz> ext4: properly sync file size update after O_SYNC direct IO Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Andi Shyti <andi.shyti(a)kernel.org> i2c: xiic: Use devm_clk_get_enabled() Heiner Kallweit <hkallweit1(a)gmail.com> i2c: core: Lock address during client device instantiation Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: create debugfs entry per adapter Akhil R <akhilrajeev(a)nvidia.com> i2c: smbus: Use device_*() functions instead of of_*() Akhil R <akhilrajeev(a)nvidia.com> device property: Add fwnode_irq_get_byname Anand Ashok Dumbre <anand.ashok.dumbre(a)xilinx.com> device property: Add fwnode_iomap() Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix buffer overflow in debug links Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix system hang while resume with TBT monitor Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Add locking to drm_sched_entity_modify_sched Al Viro <viro(a)zeniv.linux.org.uk> close_range(): fix the logics in descriptor table trimming Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix a race during cpuhp processing Wei Li <liwei391(a)huawei.com> tracing/hwlat: Fix a race during cpuhp processing Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Qu Wenruo <wqu(a)suse.com> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix NULL pointer dereference Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path KhaiWenTan <khai.wen.tan(a)linux.intel.com> net: stmmac: Fix zero-division error when disabling tc cbs Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Manivannan Sadhasivam <mani(a)kernel.org> clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src Mike Tipton <quic_mdtipton(a)quicinc.com> clk: qcom: clk-rpmh: Fix overflow in BCM vote Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: sun4i_csi: Implement link validate for sun4i_csi subdev Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv4's PUTPUBFH operation Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: map the EBADMSG to nfserr_io to avoid warning NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Matt Fleming <matt(a)readmodwrite.com> perf hist: Update hist symbol when updating maps Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix memory leak in exfat_load_bitmap() Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: use handle to mark fc as ineligible in __track_dentry_update() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix fast commit inode enqueueing during a full journal commit Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: update orig_path in ext4_find_extent() Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Baokun Li <libaokun1(a)huawei.com> ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() yao.ly <yao.ly(a)linux.alibaba.com> ext4: correct encrypted dentry name hash when not casefolded Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Ai Chao <aichao(a)kylinos.cn> ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Hans P. Moller <hmoller(a)uc.cl> ALSA: line6: add hw monitor volume control to POD HD500X Jan Lalinsky <lalinsky(a)c4.cz> ALSA: usb-audio: Add native DSD support for Luxman D-08u Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Thomas Zimmermann <tzimmermann(a)suse.de> drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Hans de Goede <hdegoede(a)redhat.com> power: supply: hwmon: Fix missing temp1_max_alarm attribute Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Marek Vasut <marex(a)denx.de> i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Zach Wade <zachwade.k(a)gmail.com> platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Heiko Carstens <hca(a)linux.ibm.com> selftests: vDSO: fix vdso_config for s390 Jens Remus <jremus(a)linux.ibm.com> selftests: vDSO: fix ELF hash table entry size for s390x David Hildenbrand <david(a)redhat.com> selftests/mm: fix charge_reserved_hugetlb.sh test Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vdso_config for powerpc Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO name for powerpc Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpm: Check for port partner validity before consuming it Thomas Weißschuh <linux(a)weissschuh.net> blk-integrity: register sysfs attributes on struct device Thomas Weißschuh <linux(a)weissschuh.net> blk-integrity: convert to struct device_attribute Thomas Weißschuh <linux(a)weissschuh.net> blk-integrity: use sysfs_emit Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Baokun Li <libaokun1(a)huawei.com> ext4: avoid use-after-free in ext4_ext_show_leaf() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Tim Huang <tim.huang(a)amd.com> drm/amd/pm: ensure the fw_info is not null before using it Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize get_bytes_per_element's default to 1 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 color transformation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Ckath <ckath(a)yandex.ru> platform/x86: touchscreen_dmi: add nanote-next quirk Vishnu Sankar <vishnuocv(a)gmail.com> HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: enable gfxoff quirk on HP 705G4 Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: add raven1 gfxoff quirk Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Mahesh Rajashekhara <mahesh.rajashekhara(a)microchip.com> scsi: smartpqi: correct stream detection Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using dc->clk_mgr Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Sanjay K Kumar <sanjay.k.kumar(a)intel.com> iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Always reserve a domain ID for identity setup Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Marc Gonzalez <mgonzalez(a)freebox.fr> iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux Paul E. McKenney <paulmck(a)kernel.org> rcuscale: Provide clear error when async specified without primitives Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Kees Cook <kees(a)kernel.org> x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Ahmed S. Darwish <darwi(a)linutronix.de> tools/x86/kcpuid: Protect against faulty "max subleaf" values Joshua Pius <joshuapius(a)chromium.org> ALSA: usb-audio: Add logitech Audio profile quirk Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Define macros for quirk table entries Thomas Gleixner <tglx(a)linutronix.de> x86/ioapic: Handle allocation failures gracefully Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add input value sanity checks for standard types Thomas Gleixner <tglx(a)linutronix.de> signal: Replace BUG_ON()s Jinjie Ruan <ruanjinjie(a)huawei.com> nfp: Use IRQF_NO_AUTOEN flag in request_irq() Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Adrian Ratiu <adrian.ratiu(a)collabora.com> proc: add config & param to block forcing mem writes Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Simon Horman <horms(a)kernel.org> net: atlantic: Avoid warning about potential string truncation Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw88: select WANT_DEV_COREDUMP Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath11k: fix array out-of-bound access in SoC stats Keith Busch <kbusch(a)kernel.org> nvme-pci: qdepth 1 quirk Konstantin Ovsepian <ovs(a)ovs.to> blk_iocost: fix more out of bound shifts Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: consistently use rcu_replace_pointer() in taprio_change() Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Aleksandr Mishin <amishin(a)t-argos.ru> ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Jann Horn <jannh(a)google.com> f2fs: Require FMODE_WRITE for atomic write ioctls Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Hui Wang <hui.wang(a)canonical.com> ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Oder Chiou <oder_chiou(a)realtek.com> ALSA: hda/realtek: Fix the push button function for the ALC257 Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: mixer_oss: Remove some incorrect kfree_const() usages Benjamin Gaignard <benjamin.gaignard(a)collabora.com> media: usbtv: Remove useless locks in usbtv_video_free() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Try re-initialization on bus busy timeout Marc Ferland <marc.ferland(a)sonatest.com> i2c: xiic: improve error message when transfer fails to start Lars-Peter Clausen <lars(a)metafoo.de> i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path Marek Vasut <marex(a)denx.de> i2c: xiic: Fix RX IRQ busy check Marek Vasut <marex(a)denx.de> i2c: xiic: Switch from waitqueue to completion Marek Vasut <marex(a)denx.de> i2c: xiic: Fix broken locking on tx_msg Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Eric Dumazet <edumazet(a)google.com> ppp: do not assume bh is held in ppp_channel_bridge_input() Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Shenwei Wang <shenwei.wang(a)nxp.com> net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Kurt Kanzenbach <kurt(a)linutronix.de> net: stmmac: Disable automatic FCS/Pad stripping Zekun Shen <bruceshenzk(a)gmail.com> stmmac_pci: Fix underflow size in stmmac_rx Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Jinjie Ruan <ruanjinjie(a)huawei.com> Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Jinjie Ruan <ruanjinjie(a)huawei.com> net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Elena Salomatkina <esalomatkina(a)ispras.ru> net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Mohamed Khalfella <mkhalfella(a)purestorage.com> net/mlx5: Added cond_resched() to crdump collection Gerd Bayer <gbayer(a)linux.ibm.com> net/mlx5: Fix error path in multi-packet WQE transmit Jinjie Ruan <ruanjinjie(a)huawei.com> ieee802154: Fix build error Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Thomas Gleixner <tglx(a)linutronix.de> static_call: Replace pointless WARN_ON() in static_call_module_notify() Thomas Gleixner <tglx(a)linutronix.de> static_call: Handle module init failure correctly in static_call_del_module() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> spi: lpspi: Simplify some error message Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> usb: yurex: Fix inconsistent locking bug in yurex_read() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: isch: Add missed 'else' Tommy Huang <tommy_huang(a)aspeedtech.com> i2c: aspeed: Update the stop sw state when the bus recovery occurs David Gow <davidgow(a)google.com> mm: only enforce minimum stack gap size if it's sensible Zhiguo Niu <zhiguo.niu(a)unisoc.com> lockdep: fix deadlock issue between lockdep and rcu Song Liu <song(a)kernel.org> bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0 Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not allow pinning outside of cpuset Dmitry Vyukov <dvyukov(a)google.com> x86/entry: Remove unwanted instrumentation in common_interrupt() Xin Li <xin3.li(a)intel.com> x86/idtentry: Incorporate definitions/declarations of the FRED entries Ma Ke <make24(a)iscas.ac.cn> pps: add an error check in parport_attach Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> pps: remove usage of the deprecated ida_simple_xx() API Pawel Laszczak <pawell(a)cadence.com> usb: xhci: fix loss of data on Cadence xHC Daehwan Jung <dh10.jung(a)samsung.com> xhci: Add a quirk for writing ERST in high-low order Lukas Wunner <lukas(a)wunner.de> xhci: Preserve RsvdP bits in ERSTBA register correctly Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Refactor interrupter code for initial multi interrupter support. Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: remove xhci_test_trb_in_td_math early development check Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix event ring segment table related masks and variables in header Oliver Neukum <oneukum(a)suse.com> USB: misc: yurex: fix race between read and write Lee Jones <lee(a)kernel.org> usb: yurex: Replace snprintf() with the safer scnprintf() variant Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix soc_dev leak during device remove Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix memory leak during device remove VanGiang Nguyen <vangiang.nguyen(a)rohde-schwarz.com> padata: use integer wrap around to prevent deadlock on seq_nr overflow Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/igen6: Fix conversion of system address to physical memory address Li Lingfeng <lilingfeng3(a)huawei.com> nfs: fix memory leak in error path of nfs4_do_reclaim Mickaël Salaün <mic(a)digikod.net> fs: Fix file_set_fowner LSM hook inconsistencies Julian Sun <sunjunchao2870(a)gmail.com> vfs: fix race between evice_inodes() and find_inode()&iput() Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency Gaosheng Cui <cuigaosheng1(a)huawei.com> hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume Gaosheng Cui <cuigaosheng1(a)huawei.com> hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init Guoqing Jiang <guoqing.jiang(a)canonical.com> hwrng: mtk - Use devm_pm_runtime_enable Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: avoid potential int overflow in sanity_check_area_boundary() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: prevent possible int overflow in dir_block_index() Zhen Lei <thunder.leizhen(a)huawei.com> debugobjects: Fix conditions in fill_pool() Ma Ke <make24(a)iscas.ac.cn> wifi: mt76: mt7615: check devm_kasprintf() returned value Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: 8822c: Fix reported RX band width Adrian Hunter <adrian.hunter(a)intel.com> perf/x86/intel/pt: Fix sampling synchronization Ard Biesheuvel <ardb(a)kernel.org> efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption Werner Sembach <wse(a)tuxedocomputers.com> ACPI: resource: Add another DMI match for the TongFang GMxXGxx Thomas Weißschuh <linux(a)weissschuh.net> ACPI: sysfs: validate return type of _STR method Mikhail Lobanov <m.lobanov(a)rosalinux.ru> drbd: Add NULL check for net_conf to prevent dereference in state validation Qiu-ji Chen <chenqiuji666(a)gmail.com> drbd: Fix atomicity violation in drbd_uuid_set_bm() Pavan Kumar Paluri <papaluri(a)amd.com> crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them. Florian Fainelli <florian.fainelli(a)broadcom.com> tty: rp2: Fix reset with non forgiving PCIe host bridges Jann Horn <jannh(a)google.com> firmware_loader: Block path traversal Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> bus: integrator-lm: fix OF node leak in probe() Tomas Marek <tomas.marek(a)elrest.cz> usb: dwc2: drd: fix clock gating on USB role switch Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix incorrect usb_request status Oliver Neukum <oneukum(a)suse.com> USB: class: CDC-ACM: fix race between get_serial and set_serial Oliver Neukum <oneukum(a)suse.com> USB: misc: cypress_cy7c63: check for short transfer Oliver Neukum <oneukum(a)suse.com> USB: appledisplay: close race between probe and completion handler Oliver Neukum <oneukum(a)suse.com> usbnet: fix cyclical race on disconnect with work queue Finn Thain <fthain(a)linux-m68k.org> scsi: mac_scsi: Disallow bus errors during PDMA send Finn Thain <fthain(a)linux-m68k.org> scsi: mac_scsi: Refactor polling loop Finn Thain <fthain(a)linux-m68k.org> scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Validate backlight caps are sane Robin Chen <robin.chen(a)amd.com> drm/amd/display: Round calculated vtotal Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table Roman Smirnov <r.smirnov(a)omp.ru> Revert "media: tuners: fix error return code of hybrid_tuner_request_state()" Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: integrator: fix OF node leak in probe() error path Ma Ke <make24(a)iscas.ac.cn> ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Remove *.orig pattern from .gitignore Scott Mayhew <smayhew(a)redhat.com> selinux,smack: don't bypass permissions check in inode_setsecctx hook Ye Bin <yebin10(a)huawei.com> vfio/pci: fix potential memory leak in vfio_intx_enable() Tony Luck <tony.luck(a)intel.com> x86/mm: Switch to new Intel CPU model defines Sumeet Pawnikar <sumeet.r.pawnikar(a)intel.com> powercap: RAPL: fix invalid initialization for pl4_supported field Hans de Goede <hdegoede(a)redhat.com> Input: goodix - use the new soc_intel_is_byt() helper Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination Simon Horman <horms(a)kernel.org> netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Keep deleted flowtable hooks until after RCU Jiwon Kim <jiwonaid0(a)gmail.com> bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave() Youssef Samir <quic_yabdulra(a)quicinc.com> net: qrtr: Update packets cloning when broadcasting Josh Hunt <johunt(a)akamai.com> tcp: check skb is non-NULL in tcp_rto_delta_us() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL Kaixin Wang <kxwang23(a)m.fudan.edu.cn> net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix packet counting Robert Hancock <robert.hancock(a)calian.com> net: axienet: Switch to 64-bit RX/TX statistics Robert Hancock <robert.hancock(a)calian.com> net: axienet: Use NAPI for TX completion path Robert Hancock <robert.hancock(a)calian.com> net: axienet: Be more careful about updating tx_bd_tail Robert Hancock <robert.hancock(a)calian.com> net: axienet: add coalesce timer ethtool configuration Robert Hancock <robert.hancock(a)calian.com> net: axienet: reduce default RX interrupt threshold to 1 Robert Hancock <robert.hancock(a)calian.com> net: axienet: implement NAPI and GRO receive Robert Hancock <robert.hancock(a)calian.com> net: axienet: don't set IRQ timer when IRQ delay not used Robert Hancock <robert.hancock(a)calian.com> net: axienet: Clean up DMA start/stop and error handling Robert Hancock <robert.hancock(a)calian.com> net: axienet: Clean up device used for DMA calls Mikulas Patocka <mpatocka(a)redhat.com> Revert "dm: requeue IO if mapping table not yet available" Jason Wang <jasowang(a)redhat.com> vhost_vdpa: assign irq bypass producer token correctly Xie Yongji <xieyongji(a)bytedance.com> vdpa: Add eventfd for the vdpa callback Konrad Dybcio <konrad.dybcio(a)linaro.org> interconnect: qcom: sm8250: Enable sync_state Suzuki K Poulose <suzuki.poulose(a)arm.com> coresight: tmc: sg: Do not leak sg_table Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix standby gpio state to match the documentation Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix oversampling gpio array Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time Alexander Stein <alexander.stein(a)ew.tq-group.com> spi: lpspi: release requested DMA channels Alexander Stein <alexander.stein(a)ew.tq-group.com> spi: lpspi: Silence error message upon deferred probe Chao Yu <chao(a)kernel.org> f2fs: get rid of online repaire on corrupted directory Chao Yu <chao(a)kernel.org> f2fs: clean up w/ dotdot_name Chao Yu <chao(a)kernel.org> f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy Chao Yu <chao(a)kernel.org> f2fs: fix to wait page writeback before setting gcing flag Jack Qiu <jack.qiu(a)huawei.com> f2fs: optimize error handling in redirty_blocks Chao Yu <chao(a)kernel.org> f2fs: reduce expensive checkpoint trigger frequency Chao Yu <chao(a)kernel.org> f2fs: remove unneeded check condition in __f2fs_setxattr() Chao Yu <chao(a)kernel.org> f2fs: fix to update i_ctime in __f2fs_setxattr() Yonggil Song <yonggil.song(a)samsung.com> f2fs: fix typo Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: return -EINVAL when namelen is 0 Guoqing Jiang <guoqing.jiang(a)linux.dev> nfsd: call cache_put if xdr_reserve_space returns NULL Max Hawking <maxahawking(a)sonnenkinder.org> ntb_perf: Fix printk format Jinjie Ruan <ruanjinjie(a)huawei.com> ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> RDMA/irdma: fix error message in irdma_modify_qp_roce() Mikhail Lobanov <m.lobanov(a)rosalinux.ru> RDMA/cxgb4: Added NULL check for lookup_atid Jinjie Ruan <ruanjinjie(a)huawei.com> riscv: Fix fp alignment bug in perf_callchain_user() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Optimize hem allocation performance Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler Haoyue Xu <xuhaoyue1(a)hisilicon.com> RDMA/hns: Refactor the abnormal interrupt handler function Haoyue Xu <xuhaoyue1(a)hisilicon.com> RDMA/hns: Fix the wrong type of return value of the interrupt handler Haoyue Xu <xuhaoyue1(a)hisilicon.com> RDMA/hns: Remove unused abnormal interrupt of type RAS Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Don't modify rq next block addr in HIP09 QPC Jonas Blixt <jonas.blixt(a)actia.se> watchdog: imx_sc_wdt: Don't disable WDT in suspend Patrisious Haddad <phaddad(a)nvidia.com> IB/core: Fix ib_cache_setup_one error flow cleanup Wang Jianzheng <wangjianzheng(a)vivo.com> pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function Yangtao Li <frank.li(a)vivo.com> pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource() Jeff Layton <jlayton(a)kernel.org> nfsd: fix refcount leak when file is unhashed after being found Jeff Layton <jlayton(a)kernel.org> nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire David Lechner <dlechner(a)baylibre.com> clk: ti: dra7-atl: Fix leak of of_nodes Md Haris Iqbal <haris.iqbal(a)ionos.com> RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds Jack Wang <jinpu.wang(a)ionos.com> RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: single: fix missing error code in pcs_probe() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Clean up clock on probe failure/removal Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix register misspelling Dan Carpenter <dan.carpenter(a)linaro.org> PCI: keystone: Fix if-statement expression in ks_pcie_quirk() Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Input: ilitek_ts_i2c - add report id message validation Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Input: ilitek_ts_i2c - avoid wrong input subsystem sync Jonas Karlman <jonas(a)kwiboo.se> clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Initialize workqueue earlier Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Correct ddr alias for i.MX8M Peng Fan <peng.fan(a)nxp.com> clk: imx: imx8qxp: Parent should be initialized earlier than the clock Peng Fan <peng.fan(a)nxp.com> clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk Zhipeng Wang <zhipeng.wang_1(a)nxp.com> clk: imx: imx8mp: fix clock tree update of TF-A managed clocks Ian Rogers <irogers(a)google.com> perf time-utils: Fix 32-bit nsec parsing Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fix missing free of session in perf_sched__timehist() Ian Rogers <irogers(a)google.com> perf inject: Fix leader sampling inserting additional samples Namhyung Kim <namhyung(a)kernel.org> perf tools: Support reading PERF_FORMAT_LOST Ian Rogers <irogers(a)google.com> perf evsel: Rename variable cpu to index Ian Rogers <irogers(a)google.com> perf evsel: Reduce scope of evsel__ignore_missing_thread Madhavan Srinivasan <maddy(a)linux.ibm.com> perf test sample-parsing: Add endian test for struct branch_flags Namhyung Kim <namhyung(a)kernel.org> perf mem: Free the allocated sort string, fixing a leak Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential oob read in nilfs_btree_check_delete() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: determine empty node blocks as corrupted Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: avoid OOB when system.data xattr changes underneath the filesystem Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: return error on ext4_find_inline_entry Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid negative min_clusters in find_group_orlov() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid potential buffer_head leak in __ext4_new_inode() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid buffer_head leak in ext4_mark_inode_used() Jiawei Ye <jiawei.ye(a)foxmail.com> smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso yangerkun <yangerkun(a)huawei.com> ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard Chen Yu <yu.c.chen(a)intel.com> kthread: fix task state in kthread worker if being frozen Lasse Collin <lasse.collin(a)tukaani.org> xz: cleanup CRC32 edits from 2018 Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix C++ compile error from missing _Bool type Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling test_lru_map.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling core_reloc.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling tcp_rtt.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling flow_dissector.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling kfree_skb.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c Jonathan McDowell <noodles(a)meta.com> tpm: Clean up TPM space after command failure Juergen Gross <jgross(a)suse.com> xen/swiotlb: add alignment check for dma buffers Juergen Gross <jgross(a)suse.com> xen: use correct end address of kernel for conflict checking Yuesong Li <liyuesong(a)vivo.com> drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() Sherry Yang <sherry.yang(a)oracle.com> drm/msm: fix %s null argument error Wolfram Sang <wsa+renesas(a)sang-engineering.com> ipmi: docs: don't advertise deprecated sysfs entries Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: workaround early ring-buffer emptiness check Rob Clark <robdclark(a)chromium.org> drm/msm: Drop priv->lastctx Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: fix races in preemption evaluation stage Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: properly clear preemption records on resume Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: disable preemption in submits by default Aleksandr Mishin <amishin(a)t-argos.ru> drm/msm: Fix incorrect file name output in adreno_request_fw() Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix kernel vs user address comparison Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix initial memory mapping Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/32: Remove 'noltlbs' kernel parameter Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/32: Remove the 'nobats' kernel parameter Fei Shao <fshao(a)chromium.org> drm/mediatek: Use spin_lock_irqsave() for CRTC event lock Jeongjun Park <aha310510(a)gmail.com> jfs: fix out-of-bounds in dbNextAG() and diAlloc() Dan Carpenter <dan.carpenter(a)linaro.org> scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() Liu Ying <victor.liu(a)nxp.com> drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets Jonas Karlman <jonas(a)kwiboo.se> drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode Alex Bee <knaerzche(a)gmail.com> drm/rockchip: vop: Allow 4096px width scaling Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Check for phase match during PDMA fixup Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Add SCp members to struct NCR5380_cmd Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/radeon: Replace one-element array with flexible-array member Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/amdgpu: Replace one-element array with flexible-array member Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/stm: Fix an error handling path in stm_drm_platform_probe() Geert Uytterhoeven <geert+renesas(a)glider.be> pmdomain: core: Harden inter-column space in debug summary Charles Han <hanchunchao(a)inspur.com> mtd: powernv: Add check devm_kasprintf() returned value Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() Artur Weber <aweber.kernel(a)gmail.com> power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Chris Morgan <macromorgan(a)hotmail.com> power: supply: axp20x_battery: Remove design from min and max voltage Yuntao Liu <liuyuntao12(a)huawei.com> hwmon: (ntc_thermistor) fix module autoloading Mirsad Todorovac <mtodorovac69(a)gmail.com> mtd: slram: insert break after errors in parsing the map Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix alarm attributes Andrew Davis <afd(a)ti.com> hwmon: (max16065) Remove use of i2c_match_id() Biju Das <biju.das.jz(a)bp.renesas.com> i2c: Add i2c_get_match_data() Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix overflows seen when writing limits Finn Thain <fthain(a)linux-m68k.org> m68k: Fix kernel_clone_args.flags in m68k_clone() Ankit Agrawal <agrawal.ag.ankit(a)gmail.com> clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: k210: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: berlin: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: versatile: fix OF node leak in CPUs prepare Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property Alexander Dahl <ada(a)thorsis.com> ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ Ma Ke <make24(a)iscas.ac.cn> spi: ppc4xx: handle irq_of_parse_and_map() errors Riyan Dhiman <riyandhiman14(a)gmail.com> block: fix potential invalid pointer dereference in blk_add_partition Christian Heusel <christian(a)heusel.eu> block: print symbolic error name instead of error code Yu Kuai <yukuai3(a)huawei.com> block, bfq: don't break merge chain in bfq_split_bfqq() Yu Kuai <yukuai3(a)huawei.com> block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix possible UAF for bfqq->bic with merge chain Su Hui <suhui(a)nfschina.com> net: tipc: avoid possible garbage value Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input Heiner Kallweit <hkallweit1(a)gmail.com> r8169: disable ALDPS per default for RTL8125 Jinjie Ruan <ruanjinjie(a)huawei.com> net: enetc: Use IRQF_NO_AUTOEN flag in request_irq() Guillaume Nault <gnault(a)redhat.com> bareudp: Pull inner IP header on xmit. Gal Pressman <gal(a)nvidia.com> geneve: Fix incorrect inner network header offset when innerprotoinherit is set Eyal Birger <eyal.birger(a)gmail.com> net: geneve: support IPv4/IPv6 as inner protocol Guillaume Nault <gnault(a)redhat.com> bareudp: Pull inner IP header in bareudp_udp_encap_recv(). Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix not handling ZPL/short-transfer Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_close(): stop clocks after device has been shut down Kuniyuki Iwashima <kuniyu(a)amazon.com> can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). Eric Dumazet <edumazet(a)google.com> sock_map: Add a cond_resched() in sock_hash_free() Jiawei Ye <jiawei.ye(a)foxmail.com> wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param Dmitry Antipov <dmantipov(a)yandex.ru> wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors Howard Hsu <howard-yh.hsu(a)mediatek.com> wifi: mt76: mt7915: fix rx filter setting for bfee functionality Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() Aaron Lu <aaron.lu(a)intel.com> x86/sgx: Fix deadlock in SGX NUMA node search Nishanth Menon <nm(a)ti.com> cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: remove annotation to access set timeout while holding lock Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject expiration higher than timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject element expiration with no timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire Clément Léger <cleger(a)rivosinc.com> ACPI: CPPC: Fix MASK_VAL() usage Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: bus: Avoid using CPPC if not supported by firmware Zhang Changzhong <zhangchangzhong(a)huawei.com> can: j1939: use correct function name in comment Kamlesh Gurudasani <kamlesh(a)ti.com> padata: Honor the caller's alignment in case of chunk_size 0 Avraham Stern <avraham.stern(a)intel.com> wifi: iwlwifi: mvm: increase the time between ranging measurements Olaf Hering <olaf(a)aepfle.de> mount: handle OOM on mnt_warn_timestamp_expiry Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> fs/namespace: fnic: Switch to use %ptTd Anthony Iliopoulos <ailiop(a)suse.com> mount: warn only once about timestamp range expiration Christoph Hellwig <hch(a)lst.de> fs: explicitly unregister per-superblock BDIs Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: rtw88: remove CPT execution branch never used Yanteng Si <siyanteng(a)loongson.cn> net: stmmac: dwmac-loongson: Init ref and PTP clocks rate Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k: Remove error checks when creating debugfs entries Minjie Du <duminjie(a)vivo.com> wifi: ath9k: fix parameter check in ath9k_init_debug() Aleksandr Mishin <amishin(a)t-argos.ru> ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() Helge Deller <deller(a)kernel.org> crypto: xor - fix template benchmarking Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: always wait for both firmware loading attempts Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> EDAC/synopsys: Fix error injection on Zynq UltraScale+ Serge Semin <fancer.lancer(a)gmail.com> EDAC/synopsys: Fix ECC status and IRQ control race condition Sherry Sun <sherry.sun(a)nxp.com> EDAC/synopsys: Re-enable the error interrupts on v3 hw Sherry Sun <sherry.sun(a)nxp.com> EDAC/synopsys: Use the correct register to disable the error interrupt on v3 hw Dinh Nguyen <dinguyen(a)kernel.org> EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR Edward Adam Davis <eadavis(a)qq.com> USB: usbtmc: prevent kernel-usb-infoleak Junhao Xie <bigfoot(a)classfun.cn> USB: serial: pl2303: add device id for Macrosilicon MS3020 Waiman Long <longman(a)redhat.com> cgroup: Move rcu_head up near the top of cgroup_root Kent Gibson <warthog618(a)gmail.com> gpiolib: cdev: Ignore reconfiguration without direction Florian Westphal <fw(a)strlen.de> inet: inet_defrag: prevent sk release while still in use Hagar Hemdan <hagarhem(a)amazon.com> gpio: prevent potential speculation leaks in gpio_device_get_desc() Ping-Ke Shih <pkshih(a)realtek.com> Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex" Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: missing iterator type in lookup walk Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_pipapo: walk over current view on netlink dump Yafang Shao <laoar.shao(a)gmail.com> cgroup: Make operations on the cgroup root_list RCU safe Ferry Meng <mengferry(a)linux.alibaba.com> ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() Ferry Meng <mengferry(a)linux.alibaba.com> ocfs2: add bounds checking to ocfs2_xattr_find_entry() Geert Uytterhoeven <geert+renesas(a)glider.be> spi: spidev: Add missing spi_device_id for jg10309-01 Michael Kelley <mhklinux(a)outlook.com> x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency Liao Chen <liaochen4(a)huawei.com> spi: bcm63xx: Enable module autoloading hongchi.peng <hongchi.peng(a)siengine.com> drm: komeda: Fix an issue related to normalized zpos Fabio Estevam <festevam(a)gmail.com> spi: spidev: Add an entry for elgin,jg10309-01 Liao Chen <liaochen4(a)huawei.com> ASoC: tda7419: fix module autoloading Liao Chen <liaochen4(a)huawei.com> ASoC: intel: fix module autoloading Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: clear trans->state earlier upon error Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: pause TCM when the firmware is stopped Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: lower message level for FW buffer destination Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Ensure tx descriptor updates are visible Mike Rapoport <rppt(a)kernel.org> microblaze: don't treat zero reserved memory regions as error Thomas Blocher <thomas.blocher(a)ek-dev.de> pinctrl: at91: make it work with current gpiolib Sherry Yang <sherry.yang(a)oracle.com> scsi: lpfc: Fix overflow build issue Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - FIxed ALC285 headphone no sound Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed ALC256 headphone no sound Hongbo Li <lihongbo22(a)huawei.com> ASoC: allow module autoloading for table db1200_pids Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Add IFC bits and enums for flow meter Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: Add support to create match definer Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Mårten Lindahl <marten.lindahl(a)axis.com> hwmon: (pmbus) Introduce and use write_byte_data callback Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Use kvfree to free memory allocated by kvmalloc Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Danilo Krummrich <dakr(a)kernel.org> mm: krealloc: consider spare memory for __GFP_ZERO Kemeng Shi <shikemeng(a)huaweicloud.com> jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Ma Ke <make24(a)iscas.ac.cn> drm: omapdrm: Add missing check for alloc_ordered_workqueue Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Helge Deller <deller(a)gmx.de> parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path ------------- Diffstat: .gitignore | 1 - Documentation/ABI/testing/sysfs-fs-f2fs | 3 +- Documentation/admin-guide/kernel-parameters.txt | 16 +- Documentation/arm64/silicon-errata.rst | 4 + Documentation/driver-api/ipmi.rst | 2 +- Makefile | 4 +- arch/arm/boot/dts/imx7d-zii-rmu2.dts | 2 +- arch/arm/boot/dts/sam9x60.dtsi | 4 +- arch/arm/mach-realview/platsmp-dt.c | 1 + arch/arm64/Kconfig | 2 + arch/arm64/boot/dts/qcom/sm8250.dtsi | 20 +- arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 4 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/kernel/cpu_errata.c | 2 + arch/m68k/kernel/process.c | 2 +- arch/microblaze/mm/init.c | 5 - arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/powerpc/kernel/head_8xx.S | 6 +- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/book3s32/mmu.c | 2 +- arch/powerpc/mm/init_32.c | 14 - arch/powerpc/mm/mem.c | 2 - arch/powerpc/mm/mmu_decl.h | 1 - arch/powerpc/mm/nohash/8xx.c | 13 +- arch/powerpc/platforms/83xx/misc.c | 14 +- arch/riscv/Kconfig | 5 + arch/riscv/kernel/perf_callchain.c | 2 +- arch/s390/include/asm/facility.h | 6 +- arch/s390/kernel/perf_cpum_sf.c | 12 +- arch/s390/mm/cmm.c | 18 +- arch/x86/events/intel/pt.c | 15 +- arch/x86/include/asm/fpu/xstate.h | 5 +- arch/x86/include/asm/hardirq.h | 8 +- arch/x86/include/asm/idtentry.h | 73 +- arch/x86/include/asm/syscall.h | 7 +- arch/x86/kernel/apic/io_apic.c | 46 +- arch/x86/kernel/cpu/mshyperv.c | 1 + arch/x86/kernel/cpu/sgx/main.c | 27 +- arch/x86/kernel/fpu/xstate.c | 7 + arch/x86/mm/init.c | 16 +- arch/x86/net/bpf_jit_comp.c | 54 +- arch/x86/xen/setup.c | 2 +- block/bfq-iosched.c | 44 +- block/blk-integrity.c | 175 +- block/blk-iocost.c | 8 +- block/blk.h | 10 +- block/genhd.c | 12 +- block/partitions/core.c | 8 +- crypto/xor.c | 31 +- drivers/acpi/acpi_pad.c | 6 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/battery.c | 28 +- drivers/acpi/bus.c | 8 + drivers/acpi/cppc_acpi.c | 46 +- drivers/acpi/device_sysfs.c | 5 +- drivers/acpi/ec.c | 55 +- drivers/acpi/pmic/tps68470_pmic.c | 6 +- drivers/acpi/resource.c | 20 + drivers/ata/sata_sil.c | 12 +- drivers/base/bus.c | 6 +- drivers/base/firmware_loader/main.c | 30 + drivers/base/power/domain.c | 2 +- drivers/base/property.c | 45 + drivers/block/aoe/aoecmd.c | 13 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_state.c | 2 +- drivers/bluetooth/btmrvl_sdio.c | 3 +- drivers/bluetooth/btusb.c | 5 +- drivers/bus/arm-integrator-lm.c | 1 + drivers/char/hw_random/bcm2835-rng.c | 4 +- drivers/char/hw_random/cctrng.c | 1 + drivers/char/hw_random/mtk-rng.c | 2 +- drivers/char/tpm/tpm-dev-common.c | 2 + drivers/char/tpm/tpm2-space.c | 3 + drivers/char/virtio_console.c | 18 +- drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +- drivers/clk/imx/clk-imx7d.c | 4 +- drivers/clk/imx/clk-imx8mp.c | 4 +- drivers/clk/imx/clk-imx8qxp.c | 10 +- drivers/clk/qcom/clk-rpmh.c | 2 + drivers/clk/qcom/dispcc-sm8250.c | 3 + drivers/clk/qcom/gcc-sc8180x.c | 88 +- drivers/clk/qcom/gcc-sm8250.c | 6 +- drivers/clk/rockchip/clk-rk3228.c | 2 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/ti/clk-dra7-atl.c | 1 + drivers/clocksource/timer-qcom.c | 7 +- .../drivers/ni_routing/tools/convert_c_to_py.c | 5 + drivers/cpufreq/ti-cpufreq.c | 10 +- drivers/crypto/ccp/sev-dev.c | 2 + drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/edac/igen6_edac.c | 2 +- drivers/edac/synopsys_edac.c | 146 +- drivers/firmware/efi/libstub/tpm.c | 2 +- drivers/firmware/tegra/bpmp.c | 6 - drivers/gpio/gpio-aspeed.c | 4 +- drivers/gpio/gpio-davinci.c | 8 +- drivers/gpio/gpiolib-cdev.c | 13 +- drivers/gpio/gpiolib.c | 3 +- drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 26 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 4 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 22 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 8 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + .../gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 6 +- .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- .../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- .../drm/amd/display/modules/freesync/freesync.c | 2 +- drivers/gpu/drm/amd/include/atombios.h | 2 +- .../drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 + drivers/gpu/drm/arm/display/komeda/komeda_kms.c | 10 +- drivers/gpu/drm/bridge/lontium-lt8912b.c | 35 +- drivers/gpu/drm/drm_atomic_uapi.c | 2 +- drivers/gpu/drm/drm_crtc.c | 1 + drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 5 +- drivers/gpu/drm/msm/adreno/a2xx_gpu.c | 3 +- drivers/gpu/drm/msm/adreno/a3xx_gpu.c | 3 +- drivers/gpu/drm/msm/adreno/a4xx_gpu.c | 3 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 20 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 2 + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 30 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 9 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 10 - drivers/gpu/drm/msm/adreno/adreno_gpu.c | 4 +- drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- drivers/gpu/drm/msm/msm_drv.c | 6 - drivers/gpu/drm/msm/msm_drv.h | 2 +- drivers/gpu/drm/msm/msm_gpu.c | 2 +- drivers/gpu/drm/msm/msm_gpu.h | 11 + drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- drivers/gpu/drm/omapdrm/omap_drv.c | 5 + drivers/gpu/drm/radeon/atombios.h | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 62 +- drivers/gpu/drm/radeon/r100.c | 70 +- drivers/gpu/drm/radeon/radeon_atombios.c | 26 +- drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 113 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 3 + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 25 +- drivers/gpu/drm/rockchip/rockchip_vop_reg.h | 1 + drivers/gpu/drm/scheduler/sched_entity.c | 2 + drivers/gpu/drm/stm/drv.c | 4 +- drivers/gpu/drm/v3d/v3d_perfmon.c | 9 +- drivers/hid/amd-sfh-hid/amd_sfh_client.c | 14 +- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-multitouch.c | 39 + drivers/hid/hid-plantronics.c | 23 + drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 2 +- drivers/hwmon/Kconfig | 3 + drivers/hwmon/max16065.c | 27 +- drivers/hwmon/ntc_thermistor.c | 1 + drivers/hwmon/pmbus/pmbus.h | 8 + drivers/hwmon/pmbus/pmbus_core.c | 39 +- drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- drivers/i2c/busses/i2c-aspeed.c | 16 +- drivers/i2c/busses/i2c-i801.c | 9 +- drivers/i2c/busses/i2c-isch.c | 3 +- drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-stm32f7.c | 6 +- drivers/i2c/busses/i2c-xiic.c | 138 +- drivers/i2c/i2c-core-base.c | 60 +- drivers/i2c/i2c-core-smbus.c | 15 +- drivers/i2c/i2c-smbus.c | 5 +- drivers/iio/adc/ad7606.c | 8 +- drivers/iio/adc/ad7606_spi.c | 5 +- drivers/iio/magnetometer/ak8975.c | 32 +- drivers/infiniband/core/cache.c | 4 +- drivers/infiniband/core/iwcm.c | 2 +- drivers/infiniband/core/mad.c | 14 +- drivers/infiniband/hw/cxgb4/cm.c | 5 + drivers/infiniband/hw/hns/hns_roce_cq.c | 25 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 22 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 93 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 - drivers/infiniband/hw/hns/hns_roce_qp.c | 16 +- drivers/infiniband/hw/irdma/verbs.c | 2 +- drivers/infiniband/sw/rxe/rxe_comp.c | 6 +- drivers/infiniband/ulp/rtrs/rtrs-clt.c | 9 +- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 14 +- drivers/input/keyboard/adp5589-keys.c | 22 +- drivers/input/mouse/synaptics.c | 1 + drivers/input/rmi4/rmi_driver.c | 6 +- drivers/input/serio/i8042-acpipnpio.h | 46 + drivers/input/touchscreen/ads7846.c | 2 +- drivers/input/touchscreen/goodix.c | 18 +- drivers/input/touchscreen/ilitek_ts_i2c.c | 18 +- drivers/interconnect/qcom/sm8250.c | 1 + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 7 + drivers/iommu/intel/dmar.c | 16 +- drivers/iommu/intel/iommu.c | 6 +- drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/md/dm-rq.c | 4 +- drivers/md/dm.c | 11 +- drivers/media/common/videobuf2/videobuf2-core.c | 8 +- drivers/media/dvb-frontends/rtl2830.c | 2 +- drivers/media/dvb-frontends/rtl2832.c | 2 +- drivers/media/i2c/imx335.c | 43 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 + drivers/media/tuners/tuner-i2c.h | 4 +- drivers/media/usb/usbtv/usbtv-video.c | 7 - drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/mtd/devices/powernv_flash.c | 3 + drivers/mtd/devices/slram.c | 2 + drivers/net/bareudp.c | 26 +- drivers/net/bonding/bond_main.c | 6 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/dsa/b53/b53_common.c | 17 +- drivers/net/dsa/lan9303-core.c | 29 + .../net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 +- drivers/net/ethernet/cortina/gemini.c | 15 +- drivers/net/ethernet/faraday/ftgmac100.c | 26 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- drivers/net/ethernet/freescale/enetc/enetc.c | 3 +- drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/ibm/emac/mal.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 + drivers/net/ethernet/intel/ice/ice_main.c | 3 +- drivers/net/ethernet/intel/ice/ice_sched.c | 6 +- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 21 +- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 15 + .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 177 +- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 + .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 7 + drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 57 + drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.h | 4 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 46 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.h | 5 + .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 + .../ethernet/mellanox/mlx5/core/steering/fs_dr.c | 15 + .../net/ethernet/mellanox/mlxsw/spectrum_span.c | 2 +- .../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 31 +- drivers/net/ethernet/realtek/r8169_phy_config.c | 2 + drivers/net/ethernet/seeq/ether3.c | 2 + .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 + drivers/net/ethernet/stmicro/stmmac/dwmac100.h | 2 +- drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 2 +- .../net/ethernet/stmicro/stmmac/dwmac1000_core.c | 9 - .../net/ethernet/stmicro/stmmac/dwmac100_core.c | 8 - drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 19 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 33 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + drivers/net/ethernet/xilinx/xilinx_axienet.h | 78 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 596 +- drivers/net/geneve.c | 91 +- drivers/net/ieee802154/Kconfig | 1 + drivers/net/ieee802154/mcr20a.c | 5 +- drivers/net/phy/bcm84881.c | 4 +- drivers/net/phy/dp83869.c | 1 - drivers/net/phy/vitesse.c | 14 - drivers/net/ppp/ppp_async.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 57 +- drivers/net/usb/ipheth.c | 5 +- drivers/net/usb/usbnet.c | 37 +- drivers/net/vrf.c | 13 +- drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath9k/debug.c | 6 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 - drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 2 +- drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/constants.h | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 2 + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 23 +- .../wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 3 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7615/init.c | 3 + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 +- drivers/net/wireless/microchip/wilc1000/hif.c | 4 +- drivers/net/wireless/realtek/rtw88/Kconfig | 1 + drivers/net/wireless/realtek/rtw88/coex.c | 38 +- drivers/net/wireless/realtek/rtw88/main.c | 7 +- drivers/net/wireless/realtek/rtw88/rtw8822c.c | 12 +- drivers/net/xen-netback/hash.c | 5 +- drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 + drivers/ntb/test/ntb_perf.c | 2 +- drivers/nvdimm/nd_virtio.c | 9 + drivers/nvme/host/nvme.h | 5 + drivers/nvme/host/pci.c | 18 +- drivers/of/irq.c | 38 +- drivers/pci/controller/dwc/pci-keystone.c | 2 +- drivers/pci/controller/pcie-xilinx-nwl.c | 39 +- drivers/pci/quirks.c | 8 + drivers/pinctrl/mvebu/pinctrl-dove.c | 45 +- drivers/pinctrl/pinctrl-at91.c | 5 +- drivers/pinctrl/pinctrl-single.c | 3 +- .../platform/surface/surface_aggregator_registry.c | 3 + .../x86/intel/speed_select_if/isst_if_common.c | 4 +- drivers/platform/x86/panasonic-laptop.c | 58 +- drivers/platform/x86/touchscreen_dmi.c | 26 + drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/axp20x_battery.c | 16 +- drivers/power/supply/max17042_battery.c | 5 +- drivers/power/supply/power_supply_hwmon.c | 3 +- drivers/powercap/intel_rapl_msr.c | 6 +- drivers/pps/clients/pps_parport.c | 14 +- drivers/remoteproc/imx_rproc.c | 19 +- drivers/reset/reset-berlin.c | 3 +- drivers/reset/reset-k210.c | 3 +- drivers/rtc/rtc-at91sam9.c | 1 + drivers/scsi/NCR5380.c | 170 +- drivers/scsi/NCR5380.h | 11 + drivers/scsi/aacraid/aacraid.h | 2 +- drivers/scsi/atari_scsi.c | 4 +- drivers/scsi/elx/libefc/efc_nport.c | 2 +- drivers/scsi/g_NCR5380.c | 4 +- drivers/scsi/lpfc/lpfc_bsg.c | 2 +- drivers/scsi/mac_scsi.c | 173 +- drivers/scsi/smartpqi/smartpqi_init.c | 2 +- drivers/scsi/sun3_scsi.c | 2 +- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 +- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-bcm63xx.c | 10 +- drivers/spi/spi-fsl-lpspi.c | 9 +- drivers/spi/spi-imx.c | 2 +- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/spi/spi-ppc4xx.c | 7 +- drivers/spi/spi-s3c64xx.c | 4 +- drivers/spi/spidev.c | 2 + drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +- .../int340x_thermal/processor_thermal_device_pci.c | 23 +- drivers/tty/serial/rp2.c | 2 +- drivers/usb/cdns3/cdnsp-ring.c | 6 +- drivers/usb/cdns3/host.c | 4 +- drivers/usb/chipidea/udc.c | 8 +- drivers/usb/class/cdc-acm.c | 2 + drivers/usb/class/usbtmc.c | 2 +- drivers/usb/dwc2/drd.c | 9 + drivers/usb/dwc2/platform.c | 26 +- drivers/usb/dwc3/core.c | 22 +- drivers/usb/dwc3/core.h | 4 - drivers/usb/dwc3/gadget.c | 11 - drivers/usb/host/xhci-debugfs.c | 2 +- drivers/usb/host/xhci-mem.c | 331 +- drivers/usb/host/xhci-pci.c | 22 +- drivers/usb/host/xhci-ring.c | 82 +- drivers/usb/host/xhci.c | 54 +- drivers/usb/host/xhci.h | 32 +- drivers/usb/misc/appledisplay.c | 15 +- drivers/usb/misc/cypress_cy7c63.c | 4 + drivers/usb/misc/yurex.c | 5 +- drivers/usb/serial/pl2303.c | 1 + drivers/usb/serial/pl2303.h | 4 + drivers/usb/storage/unusual_devs.h | 11 + drivers/usb/typec/tcpm/tcpm.c | 28 +- drivers/vfio/pci/vfio_pci_intrs.c | 4 +- drivers/vhost/scsi.c | 25 +- drivers/vhost/vdpa.c | 18 +- drivers/video/fbdev/hpfb.c | 1 + drivers/video/fbdev/pxafb.c | 1 + drivers/video/fbdev/sis/sis_main.c | 2 +- drivers/virtio/virtio_vdpa.c | 1 + drivers/watchdog/imx_sc_wdt.c | 24 - drivers/xen/swiotlb-xen.c | 6 + fs/9p/vfs_dentry.c | 9 +- fs/btrfs/disk-io.c | 11 + fs/btrfs/inode.c | 1 + fs/btrfs/relocation.c | 2 +- fs/ceph/addr.c | 1 - fs/exec.c | 3 +- fs/exfat/balloc.c | 10 +- fs/ext4/dir.c | 14 +- fs/ext4/extents.c | 57 +- fs/ext4/fast_commit.c | 34 +- fs/ext4/file.c | 155 +- fs/ext4/ialloc.c | 14 +- fs/ext4/inline.c | 35 +- fs/ext4/inode.c | 11 +- fs/ext4/mballoc.c | 10 +- fs/ext4/migrate.c | 2 +- fs/ext4/move_extent.c | 1 - fs/ext4/namei.c | 14 +- fs/ext4/super.c | 9 +- fs/ext4/xattr.c | 7 +- fs/f2fs/data.c | 18 +- fs/f2fs/dir.c | 3 +- fs/f2fs/f2fs.h | 18 +- fs/f2fs/file.c | 48 +- fs/f2fs/namei.c | 69 - fs/f2fs/segment.h | 5 +- fs/f2fs/super.c | 7 +- fs/f2fs/xattr.c | 18 +- fs/fcntl.c | 14 +- fs/file.c | 93 +- fs/inode.c | 4 + fs/jbd2/checkpoint.c | 21 +- fs/jbd2/journal.c | 4 +- fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 11 +- fs/jfs/jfs_imap.c | 2 +- fs/jfs/xattr.c | 2 + fs/namespace.c | 23 +- fs/nfs/callback_xdr.c | 2 + fs/nfs/client.c | 1 + fs/nfs/delegation.c | 15 +- fs/nfs/nfs42proc.c | 2 +- fs/nfs/nfs4proc.c | 9 +- fs/nfs/nfs4state.c | 3 +- fs/nfs/pnfs.c | 5 +- fs/nfsd/filecache.c | 7 +- fs/nfsd/nfs4idmap.c | 13 +- fs/nfsd/nfs4recover.c | 8 + fs/nfsd/nfs4state.c | 5 +- fs/nfsd/nfs4xdr.c | 10 +- fs/nfsd/vfs.c | 1 + fs/nilfs2/btree.c | 12 +- fs/ntfs3/attrlist.c | 4 +- fs/ntfs3/bitmap.c | 4 +- fs/ntfs3/frecord.c | 4 +- fs/ntfs3/fslog.c | 19 +- fs/ntfs3/super.c | 2 +- fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 38 +- fs/proc/base.c | 61 +- fs/super.c | 3 + fs/unicode/mkutf8data.c | 70 - fs/unicode/utf8data.h_shipped | 6703 ++++++++++---------- include/acpi/cppc_acpi.h | 2 + include/drm/drm_print.h | 54 +- include/dt-bindings/clock/qcom,gcc-sc8180x.h | 3 + include/linux/acpi.h | 1 + include/linux/cgroup-defs.h | 7 +- include/linux/f2fs_fs.h | 2 +- include/linux/fdtable.h | 8 +- include/linux/fs.h | 2 + include/linux/genhd.h | 3 - include/linux/i2c-smbus.h | 6 +- include/linux/i2c.h | 7 + include/linux/mlx5/device.h | 1 + include/linux/mlx5/fs.h | 8 + include/linux/mlx5/mlx5_ifc.h | 392 +- include/linux/nfs_fs_sb.h | 1 + include/linux/pci_ids.h | 2 + include/linux/property.h | 3 + include/linux/skbuff.h | 7 +- include/linux/usb/usbnet.h | 15 + include/linux/vdpa.h | 6 + include/linux/virtio_net.h | 3 +- include/net/flow.h | 6 +- include/net/ip_tunnels.h | 16 +- include/net/mctp.h | 2 +- include/net/netfilter/nf_tables.h | 13 + include/net/rtnetlink.h | 24 + include/net/sch_generic.h | 1 - include/net/sock.h | 2 + include/net/tcp.h | 21 +- include/trace/events/f2fs.h | 3 +- include/uapi/linux/cec.h | 6 +- include/uapi/linux/if_link.h | 1 + include/uapi/linux/netfilter/nf_tables.h | 2 +- io_uring/io_uring.c | 5 +- kernel/bpf/arraymap.c | 3 + kernel/bpf/hashtab.c | 3 + kernel/bpf/helpers.c | 4 +- kernel/cgroup/cgroup-internal.h | 3 +- kernel/cgroup/cgroup.c | 14 +- kernel/events/core.c | 6 +- kernel/events/uprobes.c | 2 +- kernel/fork.c | 30 +- kernel/kthread.c | 12 +- kernel/locking/lockdep.c | 50 +- kernel/padata.c | 6 +- kernel/rcu/rcuscale.c | 4 +- kernel/resource.c | 58 +- kernel/signal.c | 11 +- kernel/static_call_inline.c | 13 +- kernel/trace/trace.c | 18 +- kernel/trace/trace_hwlat.c | 2 + kernel/trace/trace_osnoise.c | 2 + kernel/trace/trace_output.c | 6 +- lib/buildid.c | 88 +- lib/debugobjects.c | 5 +- lib/xz/xz_crc32.c | 2 +- lib/xz/xz_private.h | 4 - mm/memory.c | 27 +- mm/slab_common.c | 7 + mm/util.c | 2 +- net/bluetooth/rfcomm/sock.c | 2 - net/bridge/br_netfilter_hooks.c | 5 + net/can/bcm.c | 4 +- net/can/j1939/transport.c | 8 +- net/core/dev.c | 12 +- net/core/rtnetlink.c | 35 +- net/core/sock_map.c | 1 + net/ipv4/devinet.c | 6 +- net/ipv4/fib_frontend.c | 9 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/fib_trie.c | 7 +- net/ipv4/fou.c | 4 +- net/ipv4/inet_fragment.c | 70 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_gre.c | 10 +- net/ipv4/ip_tunnel.c | 9 +- net/ipv4/netfilter/ipt_rpfilter.c | 3 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/netfilter/nft_fib_ipv4.c | 5 +- net/ipv4/route.c | 4 +- net/ipv4/tcp_input.c | 31 +- net/ipv4/tcp_ipv4.c | 3 + net/ipv4/xfrm4_policy.c | 4 +- net/ipv6/Kconfig | 1 + net/ipv6/ip6_output.c | 3 +- net/ipv6/netfilter/ip6t_rpfilter.c | 6 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/ipv6/netfilter/nf_reject_ipv6.c | 14 +- net/ipv6/netfilter/nft_fib_ipv6.c | 8 +- net/ipv6/route.c | 12 - net/ipv6/rpl_iptunnel.c | 12 +- net/ipv6/seg6_local.c | 1 + net/ipv6/xfrm6_policy.c | 3 +- net/l3mdev/l3mdev.c | 43 +- net/mac80211/iface.c | 17 +- net/mctp/af_mctp.c | 6 +- net/mctp/device.c | 32 +- net/mctp/neigh.c | 29 +- net/mctp/route.c | 33 +- net/mptcp/pm_netlink.c | 16 +- net/netfilter/nf_conntrack_netlink.c | 7 +- net/netfilter/nf_tables_api.c | 19 +- net/netfilter/nft_lookup.c | 1 + net/netfilter/nft_set_pipapo.c | 6 +- net/netfilter/nft_socket.c | 7 +- net/netfilter/xt_CHECKSUM.c | 33 +- net/netfilter/xt_CLASSIFY.c | 16 +- net/netfilter/xt_CONNSECMARK.c | 36 +- net/netfilter/xt_CT.c | 148 +- net/netfilter/xt_IDLETIMER.c | 59 +- net/netfilter/xt_LED.c | 39 +- net/netfilter/xt_NFLOG.c | 36 +- net/netfilter/xt_RATEEST.c | 39 +- net/netfilter/xt_SECMARK.c | 27 +- net/netfilter/xt_TRACE.c | 35 +- net/netfilter/xt_addrtype.c | 15 +- net/netfilter/xt_cluster.c | 33 +- net/netfilter/xt_connbytes.c | 4 +- net/netfilter/xt_connlimit.c | 39 +- net/netfilter/xt_connmark.c | 28 +- net/netfilter/xt_mark.c | 42 +- net/netlink/af_netlink.c | 3 +- net/qrtr/af_qrtr.c | 2 +- net/sched/sch_api.c | 7 +- net/sched/sch_taprio.c | 4 +- net/sctp/socket.c | 20 +- net/socket.c | 7 +- net/tipc/bcast.c | 2 +- net/tipc/bearer.c | 8 +- net/wireless/core.h | 8 +- net/wireless/nl80211.c | 3 +- net/wireless/scan.c | 6 +- net/wireless/sme.c | 3 +- net/xfrm/xfrm_policy.c | 4 +- scripts/kconfig/merge_config.sh | 2 + scripts/kconfig/qconf.cc | 2 +- security/Kconfig | 32 + security/bpf/hooks.c | 1 - security/selinux/hooks.c | 4 +- security/smack/smack_lsm.c | 4 +- security/smack/smackfs.c | 2 +- security/tomoyo/domain.c | 9 +- sound/core/init.c | 14 +- sound/core/oss/mixer_oss.c | 4 +- sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 78 +- sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/au1x/db1200.c | 1 + sound/soc/codecs/rt5682.c | 4 +- sound/soc/codecs/tda7419.c | 1 + sound/soc/fsl/imx-card.c | 1 + sound/soc/intel/keembay/kmb_platform.c | 1 + sound/soc/meson/axg-card.c | 3 +- sound/usb/card.c | 6 + sound/usb/line6/podhd.c | 2 +- sound/usb/mixer.c | 35 +- sound/usb/mixer.h | 1 + sound/usb/pcm.c | 3 +- sound/usb/quirks-table.h | 77 + sound/usb/quirks.c | 4 + tools/arch/x86/kcpuid/kcpuid.c | 12 +- tools/iio/iio_generic_buffer.c | 4 + tools/perf/builtin-inject.c | 1 + tools/perf/builtin-mem.c | 1 + tools/perf/builtin-sched.c | 8 +- tools/perf/tests/sample-parsing.c | 57 +- tools/perf/util/event.h | 21 +- tools/perf/util/evsel.c | 112 +- tools/perf/util/evsel.h | 10 +- tools/perf/util/hist.c | 7 +- .../util/scripting-engines/trace-event-python.c | 19 +- tools/perf/util/session.c | 38 +- tools/perf/util/stat.c | 4 +- tools/perf/util/stat.h | 2 +- tools/perf/util/synthetic-events.c | 32 +- tools/perf/util/time-utils.c | 4 +- tools/perf/util/tool.h | 1 + tools/testing/ktest/ktest.pl | 2 +- tools/testing/selftests/bpf/bench.c | 1 + .../selftests/bpf/map_tests/sk_storage_map.c | 2 +- .../selftests/bpf/prog_tests/bpf_iter_setsockopt.c | 2 +- .../testing/selftests/bpf/prog_tests/core_reloc.c | 1 + .../selftests/bpf/prog_tests/flow_dissector.c | 1 + tools/testing/selftests/bpf/prog_tests/kfree_skb.c | 1 + .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 + .../testing/selftests/bpf/progs/cg_storage_multi.h | 2 - tools/testing/selftests/bpf/test_cpp.cpp | 4 + tools/testing/selftests/bpf/test_lru_map.c | 3 +- .../breakpoints/step_after_suspend_test.c | 5 +- tools/testing/selftests/net/fcnal-test.sh | 2 +- tools/testing/selftests/net/net_helper.sh | 25 + tools/testing/selftests/net/setup_loopback.sh | 0 tools/testing/selftests/net/udpgro.sh | 13 +- tools/testing/selftests/net/udpgro_bench.sh | 5 +- tools/testing/selftests/vDSO/parse_vdso.c | 17 +- tools/testing/selftests/vDSO/vdso_config.h | 10 +- .../testing/selftests/vDSO/vdso_test_correctness.c | 6 + .../selftests/vm/charge_reserved_hugetlb.sh | 2 +- tools/testing/selftests/vm/write_to_hugetlbfs.c | 23 +- 656 files changed, 10222 insertions(+), 6971 deletions(-)

8 months, 2 weeks

11
705
0 0

[PATCH 6.1 000/791] 6.1.113-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.113 release. There are 791 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Oct 2024 11:22:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.113-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.113-rc2 Jack Wang <jinpu.wang(a)ionos.com> Revert "iommu/vt-d: Retrieve IOMMU perfmon capability information" Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix uaf for accessing waker_bfqq after splitting Arnaldo Carvalho de Melo <acme(a)redhat.com> perf lock: Don't pass an ERR_PTR() directly to perf_session__delete() Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Restore TSO support Patrick Roy <roypat(a)amazon.co.uk> secretmem: disable memfd_secret() if arch cannot set direct map Frederic Weisbecker <frederic(a)kernel.org> kthread: unpark only parked kthread Yonatan Maman <Ymaman(a)Nvidia.com> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error Kun(llfl) <llfl(a)linux.alibaba.com> device-dax: correct pgoff align in dax_set_mapping() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: do not remove closing subflows Paolo Abeni <pabeni(a)redhat.com> mptcp: handle consistently DSS corruption Anatolij Gustschin <agust(a)denx.de> net: dsa: lan9303: ensure chip reset and wait for READY status Anastasia Kovaleva <a.kovaleva(a)yadro.com> net: Fix an unsafe loop on the list Ignat Korchagin <ignat(a)cloudflare.com> net: explicitly clear the sk pointer, when pf->create fails Niklas Cassel <cassel(a)kernel.org> ata: libata: avoid superfluous disk spin down + spin up during hibernation Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: fallback when MPTCP opts are dropped after 1st data Daniel Palmer <daniel(a)0x0f.com> scsi: wd33c93: Don't use stale scsi_pointer value Maíra Canal <mcanal(a)igalia.com> drm/vc4: Stop the active perfmon before being destroyed Maíra Canal <mcanal(a)igalia.com> drm/v3d: Stop the active perfmon before being destroyed SurajSonawane2415 <surajsonawane0215(a)gmail.com> hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma John Keeping <jkeeping(a)inmusicbrands.com> usb: gadget: core: force synchronous registration Icenowy Zheng <uwu(a)icenowy.me> usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Jose Alberto Reguero <jose.alberto.reguero(a)gmail.com> usb: xhci: Fix problem with xhci resume from suspend Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: core: Stop processing of pending events if controller is halted Oliver Neukum <oneukum(a)suse.com> Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" Wade Wang <wade.wang(a)hp.com> HID: plantronics: Workaround for an unexcepted opposite volume key Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> HID: amd_sfh: Switch to device-managed dmam_alloc_coherent() Sasha Levin <sashal(a)kernel.org> Revert "net: ibm/emac: allocate dummy net_device dynamically" Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (adt7470) Add missing dependency on REGMAP_I2C Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (adm9240) Add missing dependency on REGMAP_I2C Guenter Roeck <linux(a)roeck-us.net> hwmon: (tmp513) Add missing dependency on REGMAP_I2C Kenton Groombridge <concord(a)gentoo.org> wifi: mac80211: Avoid address calculations via out of bounds array indexing Shay Drory <shayd(a)nvidia.com> net/mlx5: Always drain health in shutdown callback He Lugang <helugang(a)uniontech.com> HID: multitouch: Add support for lenovo Y9000P Touchpad Boqun Feng <boqun.feng(a)gmail.com> rust: macros: provide correct provenance when constructing THIS_MODULE Eric Dumazet <edumazet(a)google.com> slip: make slhc_remember() more robust against malicious packets Eric Dumazet <edumazet(a)google.com> ppp: fix ppp_async_encode() illegal access Kuniyuki Iwashima <kuniyu(a)amazon.com> mctp: Handle error of rtnl_register_module(). Kuniyuki Iwashima <kuniyu(a)amazon.com> vxlan: Handle error of rtnl_register_module(). Kuniyuki Iwashima <kuniyu(a)amazon.com> rtnetlink: Add bulk registration helpers for rtnetlink message handlers. Rosen Penev <rosenp(a)gmail.com> net: ibm: emac: mal: add dcr_unmap to _remove Breno Leitao <leitao(a)debian.org> net: ibm/emac: allocate dummy net_device dynamically Florian Westphal <fw(a)strlen.de> netfilter: fib: check correct rtable in vrf setups Florian Westphal <fw(a)strlen.de> netfilter: xtables: avoid NFPROTO_UNSPEC where needed Xin Long <lucien.xin(a)gmail.com> sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start Filipe Manana <fdmanana(a)suse.com> btrfs: zoned: fix missing RCU locking in error message when loading zone info Rosen Penev <rosenp(a)gmail.com> net: ibm: emac: mal: fix wrong goto Eric Dumazet <edumazet(a)google.com> net/sched: accept TCA_STAB only for root qdisc Mohamed Khalfella <mkhalfella(a)purestorage.com> igb: Do not bring the device up after non-fatal error Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: Fix macvlan leak by synchronizing access to mac_filter_hash Marcin Szycik <marcin.szycik(a)linux.intel.com> ice: Fix netif_is_ice() in Safe Mode Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Use devm_clk api to manage clock source Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Add the flush write to ensure the write complete. Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix jumbo frames on 10/100 ports Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow lower MTUs on BCM5325/5365 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix max MTU for BCM5325/BCM5365 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix max MTU for 1g switches Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix jumbo frame mtu check Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: ethernet: adi: adin1110: Fix some error handling path in adin1110_read_fifo() Jakub Kicinski <kuba(a)kernel.org> Revert "net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled" Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Fix warning during module unload Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: int340x: processor_thermal: Set feature mask before proc_thermal_add Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: phy: bcm84881: Fix some error handling paths Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Kacper Ludwinski <kac.ludwinski(a)icloud.com> selftests: net: no_forwarding: fix VID for $swp2 in one_bridge_two_pvids() test Andy Roulin <aroulin(a)nvidia.com> netfilter: br_netfilter: fix panic with metadata_dst skb Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe Neal Cardwell <ncardwell(a)google.com> tcp: fix to allow timestamp undo if no retransmits were sent Ingo van Lil <inguin(a)gmx.de> net: phy: dp83869: fix memory corruption when enabling fiber Yanjun Zhang <zhangyanjun(a)cestc.cn> NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() Dan Carpenter <dan.carpenter(a)linaro.org> SUNRPC: Fix integer overflow in decode_rc_list() Dave Ertman <david.m.ertman(a)intel.com> ice: fix VLAN replay after reset Chuck Lever <chuck.lever(a)oracle.com> NFSD: Mark filecache "down" if init fails Val Packett <val(a)packett.cool> drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Sascha Hauer <s.hauer(a)pengutronix.de> drm/rockchip: vop: limit maximum resolution to hardware capabilities Andrey Shumilin <shum.sdl(a)nppct.ru> fbdev: sisfb: Fix strbuf array overflow Qianqiang Liu <qianqiang.liu(a)163.com> fbcon: Fix a NULL pointer dereference issue in fbcon_putcs Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointer before dereferencing se Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Add ELS_RSP cmd to the list of WQEs to flush in lpfc_els_flush_cmd() Zijun Hu <quic_zijuhu(a)quicinc.com> driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute Riyan Dhiman <riyandhiman14(a)gmail.com> staging: vme_user: added bound check to geoid Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/iio: Add memory allocation failure check for trigger_name Philip Chen <philipchen(a)chromium.org> virtio_pmem: Check device status before requesting flush Simon Horman <horms(a)kernel.org> netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n Wentao Guan <guanwentao(a)uniontech.com> LoongArch: Fix memleak in pci_acpi_scan_root() Ruffalo Lavoisier <ruffalolavoisier(a)gmail.com> comedi: ni_routing: tools: Check when the file could not be opened Shawn Shao <shawn.shao(a)jaguarmicro.com> usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: udc: enable suspend interrupt after usb reset Peng Fan <peng.fan(a)nxp.com> clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table Yunke Cao <yunkec(a)chromium.org> media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Ying Sun <sunying(a)isrc.iscas.ac.cn> riscv/kexec_file: Fix relocation type R_RISCV_ADD16 and R_RISCV_SUB16 unknown Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Enforce umem boundaries for explicit ODP page faults Kaixin Wang <kxwang23(a)m.fudan.edu.cn> ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition Jens Axboe <axboe(a)kernel.dk> io_uring: check if we need to reschedule during overflow flush Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: Don't have MAX_PHYSMEM_BITS exceed phys_addr_t Alex Williamson <alex.williamson(a)redhat.com> PCI: Mark Creative Labs EMU20k2 INTx masking as broken Hans de Goede <hdegoede(a)redhat.com> i2c: i801: Use a different adapter-name for IDF adapters Subramanian Ananthanarayanan <quic_skananth(a)quicinc.com> PCI: Add ACS quirk for Qualcomm SA8775P Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> clk: bcm: bcm53573: fix OF node leak in init Md Haris Iqbal <haris.iqbal(a)ionos.com> RDMA/rtrs-srv: Avoid null pointer deref during path establishment WangYuli <wangyuli(a)uniontech.com> PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/mad: Improve handling of timed out WRs of mad agent Daniel Jordan <daniel.m.jordan(a)oracle.com> ktest.pl: Avoid false positives with grub2 skip regex Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_sf: Remove WARN_ON_ONCE statements Wojciech Gładysz <wojciech.gladysz(a)infogain.com> ext4: nested locking for xattr inode Jan Kara <jack(a)suse.cz> ext4: don't set SB_RDONLY after filesystem errors Yonghong Song <yonghong.song(a)linux.dev> bpf, x64: Fix a jit convergence issue Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Add cond_resched() to cmm_alloc/free_pages() Heiko Carstens <hca(a)linux.ibm.com> s390/facility: Disable compile time optimization for decompressor code Tao Chen <chen.dylane(a)gmail.com> bpf: Check percpu map value size first Mathias Krause <minipli(a)grsecurity.net> Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Michael S. Tsirkin <mst(a)redhat.com> virtio_console: fix misc probe bugs Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Refactor enum_rstbl to suppress static checker Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix sparse warning in ni_fiemap Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Do not call file_modified if collapse range failed Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: Fix usage of __hci_cmd_sync_status Benjamin Poirier <bpoirier(a)nvidia.com> selftests: net: Remove executable bits from library scripts Aditya Gupta <adityag(a)linux.ibm.com> libsubcmd: Don't free the usage string Yang Jihong <yangjihong1(a)huawei.com> perf sched: Move curr_pid and cpu_last_switched initialization to perf_sched__{lat|map|replay}() Yang Jihong <yangjihong1(a)huawei.com> perf sched: Move curr_thread initialization to perf_sched__map() Yang Jihong <yangjihong1(a)huawei.com> perf sched: Fix memory leak in perf_sched__map() Yang Jihong <yangjihong1(a)huawei.com> perf sched: Move start_work_mutex and work_done_wait_mutex initialization to perf_sched__replay() Ian Rogers <irogers(a)google.com> perf sched: Avoid large stack allocations Ian Rogers <irogers(a)google.com> perf lock: Dynamically allocate lockhash_table Masami Hiramatsu (Google) <mhiramat(a)kernel.org> bootconfig: Fix the kerneldoc of _xbc_exit() Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Have saved_cmdlines arrays all in one allocation Rob Clark <robdclark(a)chromium.org> drm/crtc: fix uninitialized variable use even harder Jean-Loïc Charroud <lagiraudiere+linux(a)free.fr> ALSA: hda/realtek: cs35l41: Fix device ID / model name Jean-Loïc Charroud <lagiraudiere+linux(a)free.fr> ALSA: hda/realtek: cs35l41: Fix order and duplicates in quirks table Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Remove precision vsnprintf() check from print event Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Drop TSO support Gabriel Krisman Bertazi <krisman(a)suse.de> unicode: Don't special case ignorable code points Shiyang Ruan <ruansy.fnst(a)fujitsu.com> fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN Shiyang Ruan <ruansy.fnst(a)fujitsu.com> fsdax: dax_unshare_iter() should return a valid length Namhyung Kim <namhyung(a)kernel.org> perf report: Fix segfault when 'sym' sort key is not used Haoran Zhang <wh1sper(a)zju.edu.cn> vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Gao Xiang <xiang(a)kernel.org> erofs: fix incorrect symlink detection in fast symlink Jingbo Xu <jefflexu(a)linux.alibaba.com> erofs: set block size to the on-disk block size Jingbo Xu <jefflexu(a)linux.alibaba.com> erofs: avoid hardcoded blocksize for subpage block support Gao Xiang <xiang(a)kernel.org> erofs: get rid of z_erofs_do_map_blocks() forward declaration Gao Xiang <xiang(a)kernel.org> erofs: get rid of erofs_inode_datablocks() Sumit Semwal <sumit.semwal(a)linaro.org> Revert "arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings" Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Add GPLL9 support Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add tally counter fields added with RTL8125 Colin Ian King <colin.i.king(a)gmail.com> r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" David Virag <virag.david003(a)gmail.com> clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> clk: samsung: exynos7885: do not define number of clocks in bindings Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Manivannan Sadhasivam <mani(a)kernel.org> dt-bindings: clock: qcom: Add missing UFS QREF clocks Udit Kumar <u-kumar1(a)ti.com> remoteproc: k3-r5: Delay notification of wakeup event Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Acquire mailbox handle during probe routine Umang Jain <umang.jain(a)ideasonboard.com> media: imx335: Fix reset-gpio handling Kieran Bingham <kieran.bingham(a)ideasonboard.com> media: i2c: imx335: Enable regulator supplies Johannes Weiner <hannes(a)cmpxchg.org> sched: psi: fix bogus pressure spikes from aggregation race Wang Yong <wang.yong12(a)zte.com.cn> delayacct: improve the average delay precision of getdelay tool to microsecond Yanteng Si <siyanteng(a)loongson.cn> docs/zh_CN: Update the translation of delay-accounting to 6.1-rc8 Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: harden build ID parsing logic Alexey Dobriyan <adobriyan(a)gmail.com> build-id: require program headers to be right after ELF header Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Yosry Ahmed <yosryahmed(a)google.com> mm: z3fold: deprecate CONFIG_Z3FOLD Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Jens Axboe <axboe(a)kernel.dk> io_uring/net: harden multishot termination case for recv Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Anshuman Khandual <anshuman.khandual(a)arm.com> arm64: Add Cortex-715 CPU part definition Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix missing pm_runtime_disable() David Virag <virag.david003(a)gmail.com> dt-bindings: clock: exynos7885: Fix duplicated binding Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Andi Shyti <andi.shyti(a)kernel.org> i2c: xiic: Use devm_clk_get_enabled() Heiner Kallweit <hkallweit1(a)gmail.com> i2c: core: Lock address during client device instantiation Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: create debugfs entry per adapter Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix buffer overflow in debug links Uwe Kleine-König <ukleinek(a)debian.org> cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix system hang while resume with TBT monitor Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Add locking to drm_sched_entity_modify_sched Jani Nikula <jani.nikula(a)intel.com> drm/i915/gem: fix bitwise and logical AND mixup Al Viro <viro(a)zeniv.linux.org.uk> close_range(): fix the logics in descriptor table trimming Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix a race during cpuhp processing Wei Li <liwei391(a)huawei.com> tracing/hwlat: Fix a race during cpuhp processing Patrick Donnelly <pdonnell(a)redhat.com> ceph: fix cap ref leak via netfs init_request Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Filipe Manana <fdmanana(a)suse.com> btrfs: send: fix invalid clone operation for file that got its size decreased Qu Wenruo <wqu(a)suse.com> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Baokun Li <libaokun1(a)huawei.com> cachefiles: fix dentry leak in cachefiles_open_file() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix NULL pointer dereference Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path KhaiWenTan <khai.wen.tan(a)linux.intel.com> net: stmmac: Fix zero-division error when disabling tc cbs Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Willem de Bruijn <willemb(a)google.com> gso: fix udp gso fraglist segmentation after pull from frag_list Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors wangrong <wangrong(a)uniontech.com> smb: client: use actual path when queryfs Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Fix ordering of pm_runtime_enable Manivannan Sadhasivam <mani(a)kernel.org> clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src Mike Tipton <quic_mdtipton(a)quicinc.com> clk: qcom: clk-rpmh: Fix overflow in BCM vote Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Manivannan Sadhasivam <mani(a)kernel.org> clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: sun4i_csi: Implement link validate for sun4i_csi subdev Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Jan Kiszka <jan.kiszka(a)siemens.com> remoteproc: k3-r5: Fix error handling when power-up failed Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv4's PUTPUBFH operation Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: map the EBADMSG to nfserr_io to avoid warning NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Matt Fleming <matt(a)readmodwrite.com> perf hist: Update hist symbol when updating maps Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix memory leak in exfat_load_bitmap() Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Danilo Krummrich <dakr(a)kernel.org> mm: krealloc: consider spare memory for __GFP_ZERO Kemeng Shi <shikemeng(a)huaweicloud.com> jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Huang Ying <ying.huang(a)intel.com> resource: fix region_intersects() vs add_memory_driver_managed() Ma Ke <make24(a)iscas.ac.cn> drm: omapdrm: Add missing check for alloc_ordered_workqueue Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Val Packett <val(a)packett.cool> drm/rockchip: vop: clear DMA stop bit on RK3066 Helge Deller <deller(a)gmx.de> parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: use handle to mark fc as ineligible in __track_dentry_update() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix fast commit inode enqueueing during a full journal commit Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: update orig_path in ext4_find_extent() Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Baokun Li <libaokun1(a)huawei.com> ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Zhihao Cheng <chengzhihao1(a)huawei.com> ext4: dax: fix overflowing extents beyond inode size when partially writing Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() yao.ly <yao.ly(a)linux.alibaba.com> ext4: correct encrypted dentry name hash when not casefolded Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Abhishek Tamboli <abhishektamboli9(a)gmail.com> ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Ai Chao <aichao(a)kylinos.cn> ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Hans P. Moller <hmoller(a)uc.cl> ALSA: line6: add hw monitor volume control to POD HD500X Jan Lalinsky <lalinsky(a)c4.cz> ALSA: usb-audio: Add native DSD support for Luxman D-08u Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Thomas Zimmermann <tzimmermann(a)suse.de> drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Hans de Goede <hdegoede(a)redhat.com> power: supply: hwmon: Fix missing temp1_max_alarm attribute Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Alexander Shiyan <eagle.alexander923(a)gmail.com> media: i2c: ar0521: Use cansleep version of gpiod_set_value() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Marek Vasut <marex(a)denx.de> i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Zach Wade <zachwade.k(a)gmail.com> platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Takashi Iwai <tiwai(a)suse.de> Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Heiko Carstens <hca(a)linux.ibm.com> selftests: vDSO: fix vdso_config for s390 Jens Remus <jremus(a)linux.ibm.com> selftests: vDSO: fix ELF hash table entry size for s390x Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Fix VDSO data access when running in a non-root time namespace David Hildenbrand <david(a)redhat.com> selftests/mm: fix charge_reserved_hugetlb.sh test Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vdso_config for powerpc Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO name for powerpc Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Thomas Weißschuh <linux(a)weissschuh.net> blk-integrity: register sysfs attributes on struct device Thomas Weißschuh <linux(a)weissschuh.net> blk-integrity: convert to struct device_attribute Thomas Weißschuh <linux(a)weissschuh.net> blk-integrity: use sysfs_emit Christoph Hellwig <hch(a)lst.de> iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Baokun Li <libaokun1(a)huawei.com> ext4: avoid use-after-free in ext4_ext_show_leaf() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Tim Huang <tim.huang(a)amd.com> drm/amd/pm: ensure the fw_info is not null before using it Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Tim Huang <tim.huang(a)amd.com> drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Update PRLO handling in direct attached topology Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Andrii Nakryiko <andrii(a)kernel.org> perf,x86: avoid missing caller address in stack traces captured in uprobe Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize get_bytes_per_element's default to 1 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 color transformation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Yannick Fertre <yannick.fertre(a)foss.st.com> drm/stm: ltdc: reset plane transparency after plane disable Ckath <ckath(a)yandex.ru> platform/x86: touchscreen_dmi: add nanote-next quirk Vishnu Sankar <vishnuocv(a)gmail.com> HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Jesse Zhang <jesse.zhang(a)amd.com> drm/amdkfd: Fix resource leak in criu restore queue Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: enable gfxoff quirk on HP 705G4 Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: add raven1 gfxoff quirk Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Mahesh Rajashekhara <mahesh.rajashekhara(a)microchip.com> scsi: smartpqi: correct stream detection Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using dc->clk_mgr Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Damien Le Moal <dlemoal(a)kernel.org> ata: pata_serverworks: Do not use the term blacklist Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com> drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Katya Orlova <e.orlova(a)ispras.ru> drm/stm: Avoid use-after-free issues with crtc and plane Sanjay K Kumar <sanjay.k.kumar(a)intel.com> iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Always reserve a domain ID for identity setup Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Marc Gonzalez <mgonzalez(a)freebox.fr> iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux Paul E. McKenney <paulmck(a)kernel.org> rcuscale: Provide clear error when async specified without primitives Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Kees Cook <kees(a)kernel.org> x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Thomas Weißschuh <linux(a)weissschuh.net> selftests/nolibc: avoid passing NULL to printf("%s") Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Tao Liu <ltao(a)redhat.com> x86/kexec: Add EFI config table identity mapping for kexec kernel Ahmed S. Darwish <darwi(a)linutronix.de> tools/x86/kcpuid: Protect against faulty "max subleaf" values Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wsa883x: Handle reading version failure Joshua Pius <joshuapius(a)chromium.org> ALSA: usb-audio: Add logitech Audio profile quirk Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Replace complex quirk lines with macros Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Define macros for quirk table entries Thomas Gleixner <tglx(a)linutronix.de> x86/ioapic: Handle allocation failures gracefully Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add input value sanity checks for standard types Jinjie Ruan <ruanjinjie(a)huawei.com> nfp: Use IRQF_NO_AUTOEN flag in request_irq() Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Adrian Ratiu <adrian.ratiu(a)collabora.com> proc: add config & param to block forcing mem writes Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU list iterations Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Herbert Xu <herbert(a)gondor.apana.org.au> crypto: simd - Do not call crypto_alloc_tfm during registration Simon Horman <horms(a)kernel.org> net: atlantic: Avoid warning about potential string truncation Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: correct base HT rate mask for firmware Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> bnxt_en: Extend maximum length of version string by 1 byte Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw88: select WANT_DEV_COREDUMP Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath11k: fix array out-of-bound access in SoC stats Keith Busch <kbusch(a)kernel.org> nvme-pci: qdepth 1 quirk Konstantin Ovsepian <ovs(a)ovs.to> blk_iocost: fix more out of bound shifts Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Hilda Wu <hildawu(a)realtek.com> Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: consistently use rcu_replace_pointer() in taprio_change() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Issam Hamdi <ih(a)simonwunderlich.de> wifi: cfg80211: Set correct chandef when starting CAC Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: mvm: Fix a race in scan abort flow Aleksandr Mishin <amishin(a)t-argos.ru> ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Jann Horn <jannh(a)google.com> f2fs: Require FMODE_WRITE for atomic write ioctls Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Hui Wang <hui.wang(a)canonical.com> ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Oder Chiou <oder_chiou(a)realtek.com> ALSA: hda/realtek: Fix the push button function for the ALC257 Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: mixer_oss: Remove some incorrect kfree_const() usages Andrei Simion <andrei.simion(a)microchip.com> ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Benjamin Gaignard <benjamin.gaignard(a)collabora.com> media: usbtv: Remove useless locks in usbtv_video_free() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sock: Fix not validating setsockopt user input Christoph Hellwig <hch(a)lst.de> loop: don't set QUEUE_FLAG_NOMERGES Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Try re-initialization on bus busy timeout Marc Ferland <marc.ferland(a)sonatest.com> i2c: xiic: improve error message when transfer fails to start Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Darrick J. Wong <djwong(a)kernel.org> iomap: constrain the file range passed to iomap_file_unshare Shiyang Ruan <ruansy.fnst(a)fujitsu.com> fsdax,xfs: port unshare to fsdax Eric Dumazet <edumazet(a)google.com> ppp: do not assume bh is held in ppp_channel_bridge_input() Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Shenwei Wang <shenwei.wang(a)nxp.com> net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Jinjie Ruan <ruanjinjie(a)huawei.com> Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Phil Sutter <phil(a)nwl.cc> selftests: netfilter: Fix nft_audit.sh for newer nft binaries Jinjie Ruan <ruanjinjie(a)huawei.com> net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Elena Salomatkina <esalomatkina(a)ispras.ru> net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Mohamed Khalfella <mkhalfella(a)purestorage.com> net/mlx5: Added cond_resched() to crdump collection Gerd Bayer <gbayer(a)linux.ibm.com> net/mlx5: Fix error path in multi-packet WQE transmit Aakash Menon <aakash.r.menon(a)gmail.com> net: sparx5: Fix invalid timestamps Jinjie Ruan <ruanjinjie(a)huawei.com> ieee802154: Fix build error Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Daniel Wagner <dwagner(a)suse.de> scsi: pm8001: Do not overwrite PCI queue mapping Peter Zijlstra <peterz(a)infradead.org> jump_label: Fix static_key_slow_dec() yet again Thomas Gleixner <tglx(a)linutronix.de> jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() Thomas Gleixner <tglx(a)linutronix.de> static_call: Replace pointless WARN_ON() in static_call_module_notify() Thomas Gleixner <tglx(a)linutronix.de> static_call: Handle module init failure correctly in static_call_del_module() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: do not run mt76_unregister_device() on unregistered hw Alexey Gladkov (Intel) <legion(a)kernel.org> x86/tdx: Fix "in-kernel MMIO" check Mika Westerberg <mika.westerberg(a)linux.intel.com> PCI/PM: Mark devices disconnected if upstream PCIe link is down on resume Nathan Chancellor <nathan(a)kernel.org> powerpc: Allow CONFIG_PPC64_BIG_ENDIAN_ELF_ABI_V2 with ld.lld 15+ André Apitzsch <git(a)apitzsch.eu> iio: magnetometer: ak8975: Fix 'Unexpected device' error Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Fail DTC counter allocation correctly Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> usb: yurex: Fix inconsistent locking bug in yurex_read() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: isch: Add missed 'else' Tommy Huang <tommy_huang(a)aspeedtech.com> i2c: aspeed: Update the stop sw state when the bus recovery occurs Liam R. Howlett <Liam.Howlett(a)oracle.com> mm/damon/vaddr: protect vma traversal in __damon_va_thre_regions() with rcu read lock Dmitry Vyukov <dvyukov(a)google.com> module: Fix KCOV-ignored file name David Gow <davidgow(a)google.com> mm: only enforce minimum stack gap size if it's sensible Zhiguo Niu <zhiguo.niu(a)unisoc.com> lockdep: fix deadlock issue between lockdep and rcu Song Liu <song(a)kernel.org> bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0 Eric Dumazet <edumazet(a)google.com> icmp: change the order of rate limits Jamie Bainbridge <jamie.bainbridge(a)gmail.com> icmp: Add counters for rate limits Kairui Song <kasong(a)tencent.com> mm/filemap: optimize filemap folio adding Kairui Song <kasong(a)tencent.com> lib/xarray: introduce a new helper xas_get_order Kairui Song <kasong(a)tencent.com> mm/filemap: return early if failed to allocate memory for split Dmitry Vyukov <dvyukov(a)google.com> x86/entry: Remove unwanted instrumentation in common_interrupt() Xin Li <xin3.li(a)intel.com> x86/idtentry: Incorporate definitions/declarations of the FRED entries Ma Ke <make24(a)iscas.ac.cn> pps: add an error check in parport_attach Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> pps: remove usage of the deprecated ida_simple_xx() API Pawel Laszczak <pawell(a)cadence.com> usb: xhci: fix loss of data on Cadence xHC Daehwan Jung <dh10.jung(a)samsung.com> xhci: Add a quirk for writing ERST in high-low order Lukas Wunner <lukas(a)wunner.de> xhci: Preserve RsvdP bits in ERSTBA register correctly Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Refactor interrupter code for initial multi interrupter support. Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: remove xhci_test_trb_in_td_math early development check Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix event ring segment table related masks and variables in header Oliver Neukum <oneukum(a)suse.com> USB: misc: yurex: fix race between read and write Lee Jones <lee(a)kernel.org> usb: yurex: Replace snprintf() with the safer scnprintf() variant Michael Ellerman <mpe(a)ellerman.id.au> powerpc/atomic: Use YZ constraints for DS-form instructions Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Add support to build with prefixed instructions Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Option to build big-endian with ELFv2 ABI Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix soc_dev leak during device remove Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix memory leak during device remove VanGiang Nguyen <vangiang.nguyen(a)rohde-schwarz.com> padata: use integer wrap around to prevent deadlock on seq_nr overflow Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/igen6: Fix conversion of system address to physical memory address Li Lingfeng <lilingfeng3(a)huawei.com> nfs: fix memory leak in error path of nfs4_do_reclaim Mickaël Salaün <mic(a)digikod.net> fs: Fix file_set_fowner LSM hook inconsistencies Julian Sun <sunjunchao2870(a)gmail.com> vfs: fix race between evice_inodes() and find_inode()&iput() Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency Gaosheng Cui <cuigaosheng1(a)huawei.com> hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume Gaosheng Cui <cuigaosheng1(a)huawei.com> hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init Guoqing Jiang <guoqing.jiang(a)canonical.com> hwrng: mtk - Use devm_pm_runtime_enable Chao Yu <chao(a)kernel.org> f2fs: fix to check atomic_file in f2fs ioctl interfaces Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: avoid potential int overflow in sanity_check_area_boundary() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: prevent possible int overflow in dir_block_index() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: fix several potential integer overflows in file offsets Zhen Lei <thunder.leizhen(a)huawei.com> debugobjects: Fix conditions in fill_pool() Ma Ke <make24(a)iscas.ac.cn> wifi: mt76: mt7615: check devm_kasprintf() returned value Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: 8822c: Fix reported RX band width Adrian Hunter <adrian.hunter(a)intel.com> perf/x86/intel/pt: Fix sampling synchronization Ard Biesheuvel <ardb(a)kernel.org> efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption Werner Sembach <wse(a)tuxedocomputers.com> ACPI: resource: Add another DMI match for the TongFang GMxXGxx Thomas Weißschuh <linux(a)weissschuh.net> ACPI: sysfs: validate return type of _STR method Mikhail Lobanov <m.lobanov(a)rosalinux.ru> drbd: Add NULL check for net_conf to prevent dereference in state validation Qiu-ji Chen <chenqiuji666(a)gmail.com> drbd: Fix atomicity violation in drbd_uuid_set_bm() Pavan Kumar Paluri <papaluri(a)amd.com> crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them. Florian Fainelli <florian.fainelli(a)broadcom.com> tty: rp2: Fix reset with non forgiving PCIe host bridges Jann Horn <jannh(a)google.com> firmware_loader: Block path traversal Fabio Porcedda <fabio.porcedda(a)gmail.com> bus: mhi: host: pci_generic: Fix the name for the Telit FE990A Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> bus: integrator-lm: fix OF node leak in probe() Tomas Marek <tomas.marek(a)elrest.cz> usb: dwc2: drd: fix clock gating on USB role switch Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix incorrect usb_request status Oliver Neukum <oneukum(a)suse.com> USB: class: CDC-ACM: fix race between get_serial and set_serial Oliver Neukum <oneukum(a)suse.com> USB: misc: cypress_cy7c63: check for short transfer Oliver Neukum <oneukum(a)suse.com> USB: appledisplay: close race between probe and completion handler Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled Oliver Neukum <oneukum(a)suse.com> usbnet: fix cyclical race on disconnect with work queue Finn Thain <fthain(a)linux-m68k.org> scsi: mac_scsi: Disallow bus errors during PDMA send Finn Thain <fthain(a)linux-m68k.org> scsi: mac_scsi: Refactor polling loop Finn Thain <fthain(a)linux-m68k.org> scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages Martin Wilck <mwilck(a)suse.com> scsi: sd: Fix off-by-one error in sd_read_block_characteristics() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: handle caseless file creation Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: allow write with FILE_APPEND_DATA Hobin Woo <hobin.woo(a)samsung.com> ksmbd: make __dir_empty() compatible with POSIX Chuck Lever <chuck.lever(a)oracle.com> fs: Create a generic is_dot_dotdot() utility Roman Smirnov <r.smirnov(a)omp.ru> KEYS: prevent NULL pointer dereference in find_asymmetric_key() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Validate backlight caps are sane Robin Chen <robin.chen(a)amd.com> drm/amd/display: Round calculated vtotal Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Skip Recompute DSC Params if no Stream on Link Sean Christopherson <seanjc(a)google.com> KVM: x86: Move x2APIC ICR helper above kvm_apic_write_nodecode() Sean Christopherson <seanjc(a)google.com> KVM: x86: Enforce x2APIC's must-be-zero reserved ICR bits Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table Nuno Sa <nuno.sa(a)analog.com> Input: adp5588-keys - fix check on return code Roman Smirnov <r.smirnov(a)omp.ru> Revert "media: tuners: fix error return code of hybrid_tuner_request_state()" Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: integrator: fix OF node leak in probe() error path Ma Ke <make24(a)iscas.ac.cn> ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler Frank Li <Frank.Li(a)nxp.com> PCI: imx6: Fix missing call to phy_power_off() in error handling Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Remove *.orig pattern from .gitignore Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not put cpumask on stack Jens Axboe <axboe(a)kernel.dk> io_uring/sqpoll: retain test for whether the CPU is valid Zack Rusin <zack.rusin(a)broadcom.com> drm/vmwgfx: Prevent unmapping active read buffers Scott Mayhew <smayhew(a)redhat.com> selinux,smack: don't bypass permissions check in inode_setsecctx hook Ye Bin <yebin10(a)huawei.com> vfio/pci: fix potential memory leak in vfio_intx_enable() Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/io-wq: inherit cpuset of cgroup in io worker Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/io-wq: do not allow pinning outside of cpuset Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/sqpoll: do not allow pinning outside of cpuset Simon Horman <horms(a)kernel.org> netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Keep deleted flowtable hooks until after RCU Furong Xu <0x1207(a)gmail.com> net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled Jiwon Kim <jiwonaid0(a)gmail.com> bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave() Youssef Samir <quic_yabdulra(a)quicinc.com> net: qrtr: Update packets cloning when broadcasting Josh Hunt <johunt(a)akamai.com> tcp: check skb is non-NULL in tcp_rto_delta_us() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL Kaixin Wang <kxwang23(a)m.fudan.edu.cn> net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix packet counting Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Schedule NAPI in two steps Mikulas Patocka <mpatocka(a)redhat.com> Revert "dm: requeue IO if mapping table not yet available" Dan Carpenter <alexander.sverdlin(a)gmail.com> ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() Jason Wang <jasowang(a)redhat.com> vhost_vdpa: assign irq bypass producer token correctly Xie Yongji <xieyongji(a)bytedance.com> vdpa: Add eventfd for the vdpa callback Yanfei Xu <yanfei.xu(a)intel.com> cxl/pci: Fix to record only non-zero ranges Dave Jiang <dave.jiang(a)intel.com> cxl/pci: Break out range register decoding from cxl_hdm_decode_init() Suzuki K Poulose <suzuki.poulose(a)arm.com> coresight: tmc: sg: Do not leak sg_table Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: iio: asahi-kasei,ak8975: drop incorrect AK09116 compatible Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> iio: magnetometer: ak8975: drop incorrect AK09116 compatible Biju Das <biju.das.jz(a)bp.renesas.com> iio: magnetometer: ak8975: Convert enum->pointer for data in the match tables Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: chemical: bme680: Fix read/write ops to device by adding mutexes Antoniu Miclaus <antoniu.miclaus(a)analog.com> ABI: testing: fix admv8818 attr description Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix standby gpio state to match the documentation Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix oversampling gpio array Hannes Reinecke <hare(a)kernel.org> nvme-multipath: system fails to create generic nvme device Ming Lei <ming.lei(a)redhat.com> lib/sbitmap: define swap_lock as raw_spinlock_t Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time Jinjie Ruan <ruanjinjie(a)huawei.com> spi: atmel-quadspi: Undo runtime PM changes at driver exit time Chao Yu <chao(a)kernel.org> f2fs: get rid of online repaire on corrupted directory Chao Yu <chao(a)kernel.org> f2fs: clean up w/ dotdot_name Chao Yu <chao(a)kernel.org> f2fs: atomic: fix to truncate pagecache before on-disk metadata truncation Chao Yu <chao(a)kernel.org> f2fs: fix to wait page writeback before setting gcing flag Chao Yu <chao(a)kernel.org> f2fs: fix to avoid racing in between read and OPU dio write Christoph Hellwig <hch(a)lst.de> f2fs: factor the read/write tracing logic into a helper Chao Yu <chao(a)kernel.org> f2fs: reduce expensive checkpoint trigger frequency Chao Yu <chao(a)kernel.org> f2fs: remove unneeded check condition in __f2fs_setxattr() Chao Yu <chao(a)kernel.org> f2fs: fix to update i_ctime in __f2fs_setxattr() Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: return -EINVAL when namelen is 0 Guoqing Jiang <guoqing.jiang(a)linux.dev> nfsd: call cache_put if xdr_reserve_space returns NULL Dave Jiang <dave.jiang(a)intel.com> ntb: Force physically contiguous allocation of rx ring buffers Max Hawking <maxahawking(a)sonnenkinder.org> ntb_perf: Fix printk format Jinjie Ruan <ruanjinjie(a)huawei.com> ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> RDMA/irdma: fix error message in irdma_modify_qp_roce() Mikhail Lobanov <m.lobanov(a)rosalinux.ru> RDMA/cxgb4: Added NULL check for lookup_atid Jinjie Ruan <ruanjinjie(a)huawei.com> riscv: Fix fp alignment bug in perf_callchain_user() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Optimize hem allocation performance Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Don't modify rq next block addr in HIP09 QPC Jonas Blixt <jonas.blixt(a)actia.se> watchdog: imx_sc_wdt: Don't disable WDT in suspend Cheng Xu <chengyou(a)linux.alibaba.com> RDMA/erdma: Return QP state in erdma_query_qp Alexandra Diupina <adiupina(a)astralinux.ru> PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() Patrisious Haddad <phaddad(a)nvidia.com> IB/core: Fix ib_cache_setup_one error flow cleanup Wang Jianzheng <wangjianzheng(a)vivo.com> pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function Yangtao Li <frank.li(a)vivo.com> pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource() Jeff Layton <jlayton(a)kernel.org> nfsd: fix refcount leak when file is unhashed after being found Jeff Layton <jlayton(a)kernel.org> nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire David Lechner <dlechner(a)baylibre.com> clk: ti: dra7-atl: Fix leak of of_nodes Md Haris Iqbal <haris.iqbal(a)ionos.com> RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds Jack Wang <jinpu.wang(a)ionos.com> RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: single: fix missing error code in pcs_probe() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Clean up clock on probe failure/removal Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix register misspelling Li Zhijian <lizhijian(a)fujitsu.com> nvdimm: Fix devs leaks in scan_labels() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use special function for Lucid 5LPE PLL Dan Carpenter <dan.carpenter(a)linaro.org> PCI: keystone: Fix if-statement expression in ks_pcie_quirk() Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Wait for Link before restoring Downstream Buses Mika Westerberg <mika.westerberg(a)linux.intel.com> PCI/PM: Drop pci_bridge_wait_for_secondary_bus() timeout parameter Mika Westerberg <mika.westerberg(a)linux.intel.com> PCI/PM: Increase wait time after resume Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Input: ilitek_ts_i2c - add report id message validation Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Input: ilitek_ts_i2c - avoid wrong input subsystem sync Jonas Karlman <jonas(a)kwiboo.se> clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Initialize workqueue earlier Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Correct ddr alias for i.MX8M Peng Fan <peng.fan(a)nxp.com> clk: imx: imx8qxp: Parent should be initialized earlier than the clock Peng Fan <peng.fan(a)nxp.com> clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk Zhipeng Wang <zhipeng.wang_1(a)nxp.com> clk: imx: imx8mp: fix clock tree update of TF-A managed clocks Pengfei Li <pengfei.li_1(a)nxp.com> clk: imx: fracn-gppll: fix fractional part of PLL getting lost Peng Fan <peng.fan(a)nxp.com> clk: imx: fracn-gppll: support integer pll Ye Li <ye.li(a)nxp.com> clk: imx: composite-7ulp: Check the PCC present bit Peng Fan <peng.fan(a)nxp.com> clk: imx: composite-8m: Enable gate clk with mcore_booted Markus Elfring <elfring(a)users.sourceforge.net> clk: imx: composite-8m: Less function calls in __imx8m_clk_hw_composite() after error detection Ian Rogers <irogers(a)google.com> perf time-utils: Fix 32-bit nsec parsing Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yicong Yang <yangyicong(a)hisilicon.com> perf stat: Display iostat headers correctly Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fix missing free of session in perf_sched__timehist() Ian Rogers <irogers(a)google.com> perf inject: Fix leader sampling inserting additional samples Namhyung Kim <namhyung(a)kernel.org> perf mem: Free the allocated sort string, fixing a leak Daniel Borkmann <daniel(a)iogearbox.net> bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error Daniel Borkmann <daniel(a)iogearbox.net> bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential oob read in nilfs_btree_check_delete() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: determine empty node blocks as corrupted Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: avoid OOB when system.data xattr changes underneath the filesystem Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: return error on ext4_find_inline_entry Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid negative min_clusters in find_group_orlov() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid potential buffer_head leak in __ext4_new_inode() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid buffer_head leak in ext4_mark_inode_used() Jiawei Ye <jiawei.ye(a)foxmail.com> smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso yangerkun <yangerkun(a)huawei.com> ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard Chen Yu <yu.c.chen(a)intel.com> kthread: fix task state in kthread worker if being frozen Lasse Collin <lasse.collin(a)tukaani.org> xz: cleanup CRC32 edits from 2018 Eduard Zingerman <eddyz87(a)gmail.com> bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compile if backtrace support missing in libc Jiri Olsa <jolsa(a)kernel.org> selftests/bpf: Move test_progs helpers to testing_helpers object Jiri Olsa <jolsa(a)kernel.org> selftests/bpf: Replace extract_build_id with read_build_id Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix C++ compile error from missing _Bool type Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling test_lru_map.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling core_reloc.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling tcp_rtt.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling flow_dissector.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling kfree_skb.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix include of <sys/fcntl.h> Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Refactor out some functions in ns_current_pid_tgid test Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Replace CHECK with ASSERT_* in ns_current_pid_tgid test Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix missing BUILD_BUG_ON() declaration Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix missing UINT_MAX definitions in benchmarks Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Use pid_t consistently in test_progs.c Alexei Starovoitov <ast(a)kernel.org> selftests/bpf: Workaround strict bpf_lsm return value check. Roberto Sassu <roberto.sassu(a)huawei.com> selftests/bpf: Add tests for _opts variants of bpf_*_get_fd_by_id() Yonghong Song <yhs(a)fb.com> selftests/bpf: Add selftest deny_namespace to s390x deny list Jonathan McDowell <noodles(a)meta.com> tpm: Clean up TPM space after command failure Juergen Gross <jgross(a)suse.com> xen/swiotlb: fix allocated size Juergen Gross <jgross(a)suse.com> xen/swiotlb: add alignment check for dma buffers Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Do not warn about dropped packets for first packet Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Support sequence numbers smaller than 16-bit Juergen Gross <jgross(a)suse.com> xen: use correct end address of kernel for conflict checking Yuesong Li <liyuesong(a)vivo.com> drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() Sherry Yang <sherry.yang(a)oracle.com> drm/msm: fix %s null argument error Wolfram Sang <wsa+renesas(a)sang-engineering.com> ipmi: docs: don't advertise deprecated sysfs entries Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: workaround early ring-buffer emptiness check Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: fix races in preemption evaluation stage Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: properly clear preemption records on resume Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: disable preemption in submits by default Aleksandr Mishin <amishin(a)t-argos.ru> drm/msm: Fix incorrect file name output in adreno_request_fw() Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix kernel vs user address comparison Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix initial memory mapping Fei Shao <fshao(a)chromium.org> drm/mediatek: Use spin_lock_irqsave() for CRTC event lock Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix missing configuration flags in mtk_crtc_ddp_config() Jeongjun Park <aha310510(a)gmail.com> jfs: fix out-of-bounds in dbNextAG() and diAlloc() Dan Carpenter <dan.carpenter(a)linaro.org> scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() Stefan Wahren <wahrenst(a)gmx.net> drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get Liu Ying <victor.liu(a)nxp.com> drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets Jonas Karlman <jonas(a)kwiboo.se> drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode Alex Bee <knaerzche(a)gmail.com> drm/rockchip: vop: Allow 4096px width scaling WangYuli <wangyuli(a)uniontech.com> drm/amd/amdgpu: Properly tune the size of struct Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Check for phase match during PDMA fixup Gilbert Wu <Gilbert.Wu(a)microchip.com> scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/radeon: Replace one-element array with flexible-array member Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/amdgpu: Replace one-element array with flexible-array member Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func Claudiu Beznea <claudiu.beznea(a)microchip.com> drm/stm: ltdc: check memory returned by devm_kzalloc() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/stm: Fix an error handling path in stm_drm_platform_probe() Geert Uytterhoeven <geert+renesas(a)glider.be> pmdomain: core: Harden inter-column space in debug summary Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: mtk: Fix init error path Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: mtk: Factorize out the logic cleaning mtk chips Jinjie Ruan <ruanjinjie(a)huawei.com> mtd: rawnand: mtk: Use for_each_child_of_node_scoped() Frederic Weisbecker <frederic(a)kernel.org> rcu/nocb: Fix RT throttling hrtimer armed from offline CPU Charles Han <hanchunchao(a)inspur.com> mtd: powernv: Add check devm_kasprintf() returned value Jason Gunthorpe <jgg(a)ziepe.ca> iommu/amd: Do not set the D bit on AMD v2 table entries Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() Artur Weber <aweber.kernel(a)gmail.com> power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Chris Morgan <macromorgan(a)hotmail.com> power: supply: axp20x_battery: Remove design from min and max voltage Yuntao Liu <liuyuntao12(a)huawei.com> hwmon: (ntc_thermistor) fix module autoloading Mirsad Todorovac <mtodorovac69(a)gmail.com> mtd: slram: insert break after errors in parsing the map Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix alarm attributes Andrew Davis <afd(a)ti.com> hwmon: (max16065) Remove use of i2c_match_id() Biju Das <biju.das.jz(a)bp.renesas.com> i2c: Add i2c_get_match_data() Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix overflows seen when writing limits Finn Thain <fthain(a)linux-m68k.org> m68k: Fix kernel_clone_args.flags in m68k_clone() Yuntao Liu <liuyuntao12(a)huawei.com> ALSA: hda: cs35l41: fix module autoloading Ma Ke <make24(a)iscas.ac.cn> ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the error Ankit Agrawal <agrawal.ag.ankit(a)gmail.com> clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: k210: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: berlin: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: versatile: fix OF node leak in CPUs prepare Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property Claudiu Beznea <claudiu.beznea(a)tuxon.dev> ARM: dts: microchip: sama7g5: Fix RTT clock Andrew Davis <afd(a)ti.com> arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations Alexander Dahl <ada(a)thorsis.com> ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g054: Correct GICD and GICR sizes Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g043u: Correct GICD and GICR sizes Chen-Yu Tsai <wenst(a)chromium.org> regulator: Return actual error in of_regulator_bulk_get_all() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Fix double free in OPTEE transport David Virag <virag.david003(a)gmail.com> arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB Ma Ke <make24(a)iscas.ac.cn> spi: ppc4xx: handle irq_of_parse_and_map() errors Riyan Dhiman <riyandhiman14(a)gmail.com> block: fix potential invalid pointer dereference in blk_add_partition Christian Heusel <christian(a)heusel.eu> block: print symbolic error name instead of error code Yu Kuai <yukuai3(a)huawei.com> block, bfq: don't break merge chain in bfq_split_bfqq() Yu Kuai <yukuai3(a)huawei.com> block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix possible UAF for bfqq->bic with merge chain Ming Lei <ming.lei(a)redhat.com> nbd: fix race between timeout and normal completion Eric Dumazet <edumazet(a)google.com> ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Su Hui <suhui(a)nfschina.com> net: tipc: avoid possible garbage value Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input Heiner Kallweit <hkallweit1(a)gmail.com> r8169: disable ALDPS per default for RTL8125 Jinjie Ruan <ruanjinjie(a)huawei.com> net: enetc: Use IRQF_NO_AUTOEN flag in request_irq() Guillaume Nault <gnault(a)redhat.com> bareudp: Pull inner IP header on xmit. Guillaume Nault <gnault(a)redhat.com> bareudp: Pull inner IP header in bareudp_udp_encap_recv(). Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix not handling ZPL/short-transfer Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_close(): stop clocks after device has been shut down Jake Hamby <Jake.Hamby(a)Teledyne.com> can: m_can: enable NAPI before enabling interrupts Markus Schneider-Pargmann <msp(a)baylibre.com> can: m_can: Remove repeated check for is_peripheral Kuniyuki Iwashima <kuniyu(a)amazon.com> can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). Eric Dumazet <edumazet(a)google.com> sock_map: Add a cond_resched() in sock_hash_free() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED Jiawei Ye <jiawei.ye(a)foxmail.com> wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param Dmitry Antipov <dmantipov(a)yandex.ru> wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors Howard Hsu <howard-yh.hsu(a)mediatek.com> wifi: mt76: mt7915: fix rx filter setting for bfee functionality Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - inject error before stopping queue Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - reset device before enabling it Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - fix coding style issues Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/hpre - mask cluster timeout error Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/hpre - enable sva error interrupt event Aaron Lu <aaron.lu(a)intel.com> x86/sgx: Fix deadlock in SGX NUMA node search Nishanth Menon <nm(a)ti.com> cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Ensure dtm_idx is big enough Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Refactor node ID handling. Again. Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Improve debugfs pretty-printing for large configs Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Rework DTC counters (again) Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: remove annotation to access set timeout while holding lock Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject expiration higher than timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject element expiration with no timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire Clément Léger <cleger(a)rivosinc.com> ACPI: CPPC: Fix MASK_VAL() usage Zhang Changzhong <zhangchangzhong(a)huawei.com> can: j1939: use correct function name in comment Mark Brown <broonie(a)kernel.org> kselftest/arm64: Actually test SME vector length changes via sigreturn Yicong Yang <yangyicong(a)hisilicon.com> drivers/perf: hisi_pcie: Record hardware counts correctly Kamlesh Gurudasani <kamlesh(a)ti.com> padata: Honor the caller's alignment in case of chunk_size 0 Vasily Khoruzhick <anarsoul(a)gmail.com> ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec Vasily Khoruzhick <anarsoul(a)gmail.com> ACPICA: Implement ACPI_WARNING_ONCE and ACPI_ERROR_ONCE Avraham Stern <avraham.stern(a)intel.com> wifi: iwlwifi: mvm: increase the time between ranging measurements Ping-Ke Shih <pkshih(a)realtek.com> wifi: mac80211: don't use rate mask for offchannel TX either Jing Zhang <renyu.zj(a)linux.alibaba.com> drivers/perf: Fix ali_drw_pmu driver interrupt status clearing Andre Przywara <andre.przywara(a)arm.com> kselftest/arm64: signal: fix/refactor SVE vector length enumeration Mark Brown <broonie(a)kernel.org> kselftest/arm64: Fix enumeration of systems without 128 bit SME for SSVE+ZA Mark Brown <broonie(a)kernel.org> kselftest/arm64: Verify simultaneous SSVE and ZA context generation Mark Brown <broonie(a)kernel.org> kselftest/arm64: Don't pass headers to the compiler as source Olaf Hering <olaf(a)aepfle.de> mount: handle OOM on mnt_warn_timestamp_expiry Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> fs/namespace: fnic: Switch to use %ptTd Andrew Jones <ajones(a)ventanamicro.com> RISC-V: KVM: Fix sbiret init before forwarding to userspace Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: rtw88: remove CPT execution branch never used Yanteng Si <siyanteng(a)loongson.cn> net: stmmac: dwmac-loongson: Init ref and PTP clocks rate Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k: Remove error checks when creating debugfs entries Minjie Du <duminjie(a)vivo.com> wifi: ath9k: fix parameter check in ath9k_init_debug() Aleksandr Mishin <amishin(a)t-argos.ru> ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() Helge Deller <deller(a)kernel.org> crypto: xor - fix template benchmarking Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: always wait for both firmware loading attempts Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> EDAC/synopsys: Fix error injection on Zynq UltraScale+ Serge Semin <fancer.lancer(a)gmail.com> EDAC/synopsys: Fix ECC status and IRQ control race condition ------------- Diffstat: .gitignore | 1 - .../ABI/testing/sysfs-bus-iio-filter-admv8818 | 2 +- Documentation/accounting/delay-accounting.rst | 14 +- Documentation/admin-guide/kernel-parameters.txt | 10 + Documentation/arm64/silicon-errata.rst | 4 + .../iio/magnetometer/asahi-kasei,ak8975.yaml | 1 - Documentation/driver-api/ipmi.rst | 2 +- .../zh_CN/accounting/delay-accounting.rst | 17 +- Makefile | 4 +- arch/arm/boot/dts/imx7d-zii-rmu2.dts | 2 +- arch/arm/boot/dts/sam9x60.dtsi | 4 +- arch/arm/boot/dts/sama7g5.dtsi | 2 +- arch/arm/crypto/aes-ce-glue.c | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- arch/arm/mach-ep93xx/clock.c | 2 +- arch/arm/mach-versatile/platsmp-realview.c | 1 + arch/arm64/Kconfig | 2 + .../boot/dts/exynos/exynos7885-jackpotlte.dts | 2 +- arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 1 + arch/arm64/boot/dts/qcom/sm8250.dtsi | 20 +- arch/arm64/boot/dts/renesas/r9a07g043u.dtsi | 4 +- arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 4 +- arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 4 +- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 4 +- arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 4 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/kernel/cpu_errata.c | 2 + arch/loongarch/configs/loongson3_defconfig | 1 - arch/loongarch/pci/acpi.c | 1 + arch/m68k/kernel/process.c | 2 +- arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/powerpc/Kconfig | 23 + arch/powerpc/Makefile | 4 + arch/powerpc/include/asm/asm-compat.h | 6 + arch/powerpc/include/asm/atomic.h | 25 +- arch/powerpc/include/asm/io.h | 37 + arch/powerpc/include/asm/uaccess.h | 33 +- arch/powerpc/include/asm/vdso_datapage.h | 15 + arch/powerpc/kernel/asm-offsets.c | 2 + arch/powerpc/kernel/head_8xx.S | 6 +- arch/powerpc/kernel/trace/ftrace.c | 2 + arch/powerpc/kernel/vdso/cacheflush.S | 2 +- arch/powerpc/kernel/vdso/datapage.S | 4 +- arch/powerpc/mm/nohash/8xx.c | 4 +- arch/powerpc/platforms/Kconfig.cputype | 24 +- arch/powerpc/platforms/pseries/dlpar.c | 17 - arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +- arch/powerpc/platforms/pseries/hotplug-memory.c | 16 +- arch/powerpc/platforms/pseries/pmem.c | 2 +- arch/riscv/Kconfig | 5 + arch/riscv/include/asm/sparsemem.h | 2 +- arch/riscv/kernel/elf_kexec.c | 6 + arch/riscv/kernel/perf_callchain.c | 2 +- arch/riscv/kvm/vcpu_sbi.c | 4 +- arch/s390/include/asm/facility.h | 6 +- arch/s390/kernel/perf_cpum_sf.c | 12 +- arch/s390/mm/cmm.c | 18 +- arch/x86/coco/tdx/tdx.c | 6 + arch/x86/events/core.c | 63 + arch/x86/events/intel/pt.c | 15 +- arch/x86/include/asm/hardirq.h | 8 +- arch/x86/include/asm/idtentry.h | 73 +- arch/x86/include/asm/syscall.h | 7 +- arch/x86/kernel/apic/io_apic.c | 46 +- arch/x86/kernel/cpu/sgx/main.c | 27 +- arch/x86/kernel/machine_kexec_64.c | 27 + arch/x86/kvm/lapic.c | 35 +- arch/x86/net/bpf_jit_comp.c | 54 +- arch/x86/xen/setup.c | 2 +- block/bfq-iosched.c | 44 +- block/blk-integrity.c | 175 +- block/blk-iocost.c | 8 +- block/blk.h | 10 +- block/genhd.c | 12 +- block/partitions/core.c | 8 +- crypto/asymmetric_keys/asymmetric_type.c | 7 +- crypto/simd.c | 76 +- crypto/xor.c | 31 +- drivers/acpi/acpi_pad.c | 6 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/exsystem.c | 11 +- drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/battery.c | 28 +- drivers/acpi/cppc_acpi.c | 43 +- drivers/acpi/device_sysfs.c | 5 +- drivers/acpi/ec.c | 55 +- drivers/acpi/pmic/tps68470_pmic.c | 6 +- drivers/acpi/resource.c | 20 + drivers/acpi/video_detect.c | 8 + drivers/ata/libata-eh.c | 18 +- drivers/ata/pata_serverworks.c | 16 +- drivers/ata/sata_sil.c | 12 +- drivers/base/bus.c | 6 +- drivers/base/firmware_loader/main.c | 30 + drivers/base/power/domain.c | 2 +- drivers/block/aoe/aoecmd.c | 13 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_state.c | 2 +- drivers/block/loop.c | 15 +- drivers/block/nbd.c | 13 +- drivers/bluetooth/btmrvl_sdio.c | 3 +- drivers/bluetooth/btusb.c | 7 +- drivers/bus/arm-integrator-lm.c | 1 + drivers/bus/mhi/host/pci_generic.c | 13 +- drivers/char/hw_random/bcm2835-rng.c | 4 +- drivers/char/hw_random/cctrng.c | 1 + drivers/char/hw_random/mtk-rng.c | 2 +- drivers/char/tpm/tpm-dev-common.c | 2 + drivers/char/tpm/tpm2-space.c | 3 + drivers/char/virtio_console.c | 18 +- drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +- drivers/clk/imx/clk-composite-7ulp.c | 7 + drivers/clk/imx/clk-composite-8m.c | 61 +- drivers/clk/imx/clk-fracn-gppll.c | 72 +- drivers/clk/imx/clk-imx7d.c | 4 +- drivers/clk/imx/clk-imx8mp.c | 4 +- drivers/clk/imx/clk-imx8qxp.c | 10 +- drivers/clk/imx/clk.h | 7 + drivers/clk/qcom/clk-alpha-pll.c | 54 +- drivers/clk/qcom/clk-alpha-pll.h | 2 + drivers/clk/qcom/clk-rpmh.c | 2 + drivers/clk/qcom/dispcc-sm8250.c | 12 +- drivers/clk/qcom/gcc-sc8180x.c | 88 +- drivers/clk/qcom/gcc-sm8250.c | 6 +- drivers/clk/qcom/gcc-sm8450.c | 4 +- drivers/clk/rockchip/clk-rk3228.c | 2 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/samsung/clk-exynos7885.c | 14 +- drivers/clk/ti/clk-dra7-atl.c | 1 + drivers/clocksource/timer-qcom.c | 7 +- .../drivers/ni_routing/tools/convert_c_to_py.c | 5 + drivers/cpufreq/intel_pstate.c | 20 +- drivers/cpufreq/ti-cpufreq.c | 10 +- drivers/crypto/ccp/sev-dev.c | 2 + drivers/crypto/hisilicon/hpre/hpre_main.c | 57 +- drivers/crypto/hisilicon/qm.c | 180 +- drivers/crypto/hisilicon/sec2/sec_main.c | 16 +- drivers/crypto/hisilicon/sgl.c | 1 - drivers/crypto/hisilicon/zip/zip_main.c | 23 +- drivers/cxl/core/pci.c | 60 +- drivers/dax/device.c | 2 +- drivers/edac/igen6_edac.c | 2 +- drivers/edac/synopsys_edac.c | 85 +- drivers/firmware/arm_scmi/optee.c | 7 + drivers/firmware/efi/libstub/tpm.c | 2 +- drivers/firmware/tegra/bpmp.c | 6 - drivers/gpio/gpio-aspeed.c | 4 +- drivers/gpio/gpio-davinci.c | 8 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 +- drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h | 4 +- drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 26 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 4 + .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 22 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 5 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 8 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 +- .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + .../gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 6 +- .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- .../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- .../drm/amd/display/modules/freesync/freesync.c | 2 +- drivers/gpu/drm/amd/include/atombios.h | 2 +- .../drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 + drivers/gpu/drm/bridge/lontium-lt8912b.c | 35 +- drivers/gpu/drm/drm_atomic_uapi.c | 2 +- drivers/gpu/drm/drm_crtc.c | 1 + drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 32 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 12 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 2 + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 30 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- drivers/gpu/drm/omapdrm/omap_drv.c | 5 + drivers/gpu/drm/radeon/atombios.h | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 62 +- drivers/gpu/drm/radeon/r100.c | 70 +- drivers/gpu/drm/radeon/radeon_atombios.c | 26 +- drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 20 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 7 + drivers/gpu/drm/rockchip/rockchip_drm_vop2.h | 5 - drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 20 + drivers/gpu/drm/scheduler/sched_entity.c | 2 + drivers/gpu/drm/stm/drv.c | 7 +- drivers/gpu/drm/stm/ltdc.c | 78 +- drivers/gpu/drm/v3d/v3d_perfmon.c | 9 +- drivers/gpu/drm/vc4/vc4_hdmi.c | 8 +- drivers/gpu/drm/vc4/vc4_perfmon.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 12 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 3 + drivers/hid/amd-sfh-hid/amd_sfh_client.c | 14 +- drivers/hid/hid-ids.h | 4 + drivers/hid/hid-multitouch.c | 14 +- drivers/hid/hid-plantronics.c | 23 + drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 2 +- drivers/hid/wacom_wac.c | 13 +- drivers/hid/wacom_wac.h | 2 +- drivers/hwmon/Kconfig | 3 + drivers/hwmon/max16065.c | 27 +- drivers/hwmon/ntc_thermistor.c | 1 + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- drivers/i2c/busses/i2c-aspeed.c | 16 +- drivers/i2c/busses/i2c-i801.c | 9 +- drivers/i2c/busses/i2c-isch.c | 3 +- drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-stm32f7.c | 6 +- drivers/i2c/busses/i2c-xiic.c | 89 +- drivers/i2c/i2c-core-base.c | 58 + drivers/iio/adc/ad7606.c | 8 +- drivers/iio/adc/ad7606_spi.c | 5 +- drivers/iio/chemical/bme680_core.c | 7 + drivers/iio/magnetometer/ak8975.c | 117 +- drivers/infiniband/core/cache.c | 4 +- drivers/infiniband/core/iwcm.c | 2 +- drivers/infiniband/core/mad.c | 14 +- drivers/infiniband/hw/cxgb4/cm.c | 5 + drivers/infiniband/hw/erdma/erdma_verbs.c | 25 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 22 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 29 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 16 +- drivers/infiniband/hw/irdma/verbs.c | 2 +- drivers/infiniband/hw/mlx5/odp.c | 25 +- drivers/infiniband/ulp/rtrs/rtrs-clt.c | 9 +- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 14 +- drivers/input/keyboard/adp5588-keys.c | 2 +- drivers/input/keyboard/adp5589-keys.c | 22 +- drivers/input/rmi4/rmi_driver.c | 6 +- drivers/input/serio/i8042-acpipnpio.h | 37 + drivers/input/touchscreen/ilitek_ts_i2c.c | 18 +- drivers/iommu/amd/io_pgtable_v2.c | 2 +- drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 7 + drivers/iommu/intel/Kconfig | 11 - drivers/iommu/intel/Makefile | 1 - drivers/iommu/intel/dmar.c | 23 +- drivers/iommu/intel/iommu.c | 6 +- drivers/iommu/intel/iommu.h | 43 +- drivers/iommu/intel/perfmon.c | 172 - drivers/iommu/intel/perfmon.h | 40 - drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/md/dm-rq.c | 4 +- drivers/md/dm.c | 11 +- drivers/media/common/videobuf2/videobuf2-core.c | 8 +- drivers/media/dvb-frontends/rtl2830.c | 2 +- drivers/media/dvb-frontends/rtl2832.c | 2 +- drivers/media/i2c/ar0521.c | 5 +- drivers/media/i2c/imx335.c | 43 +- drivers/media/platform/qcom/camss/camss.c | 5 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 + drivers/media/tuners/tuner-i2c.h | 4 +- drivers/media/usb/usbtv/usbtv-video.c | 7 - drivers/mtd/devices/powernv_flash.c | 3 + drivers/mtd/devices/slram.c | 2 + drivers/mtd/nand/raw/mtk_nand.c | 36 +- drivers/net/bareudp.c | 26 +- drivers/net/bonding/bond_main.c | 6 +- drivers/net/can/m_can/m_can.c | 18 +- drivers/net/dsa/b53/b53_common.c | 17 +- drivers/net/dsa/lan9303-core.c | 29 + drivers/net/ethernet/adi/adin1110.c | 4 +- .../net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- drivers/net/ethernet/cortina/gemini.c | 32 +- drivers/net/ethernet/freescale/enetc/enetc.c | 3 +- drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/ibm/emac/mal.c | 4 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 + drivers/net/ethernet/intel/ice/ice_main.c | 3 +- drivers/net/ethernet/intel/ice/ice_sched.c | 6 +- drivers/net/ethernet/intel/ice/ice_switch.c | 2 - drivers/net/ethernet/intel/igb/igb_main.c | 4 + drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- .../ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 + .../net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +- .../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 31 +- drivers/net/ethernet/realtek/r8169_phy_config.c | 2 + drivers/net/ethernet/seeq/ether3.c | 2 + .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 37 +- drivers/net/ieee802154/Kconfig | 1 + drivers/net/ieee802154/mcr20a.c | 5 +- drivers/net/phy/bcm84881.c | 4 +- drivers/net/phy/dp83869.c | 1 - drivers/net/ppp/ppp_async.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 57 +- drivers/net/usb/usbnet.c | 37 +- drivers/net/vxlan/vxlan_core.c | 6 +- drivers/net/vxlan/vxlan_private.h | 2 +- drivers/net/vxlan/vxlan_vnifilter.c | 19 +- drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath9k/debug.c | 6 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 - drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 + drivers/net/wireless/intel/iwlwifi/mvm/constants.h | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 8 + drivers/net/wireless/mediatek/mt76/mt76.h | 1 + drivers/net/wireless/mediatek/mt76/mt7615/init.c | 3 + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +- drivers/net/wireless/microchip/wilc1000/hif.c | 4 +- drivers/net/wireless/realtek/rtw88/Kconfig | 1 + drivers/net/wireless/realtek/rtw88/coex.c | 38 +- drivers/net/wireless/realtek/rtw88/main.c | 7 +- drivers/net/wireless/realtek/rtw88/rtw8822c.c | 12 +- drivers/net/wireless/realtek/rtw89/phy.c | 4 +- drivers/net/wwan/qcom_bam_dmux.c | 11 +- drivers/net/xen-netback/hash.c | 5 +- drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 + drivers/ntb/ntb_transport.c | 23 +- drivers/ntb/test/ntb_perf.c | 2 +- drivers/nvdimm/namespace_devs.c | 34 +- drivers/nvdimm/nd_virtio.c | 9 + drivers/nvme/host/multipath.c | 2 +- drivers/nvme/host/nvme.h | 5 + drivers/nvme/host/pci.c | 18 +- drivers/of/irq.c | 38 +- drivers/pci/controller/dwc/pci-imx6.c | 7 +- drivers/pci/controller/dwc/pci-keystone.c | 2 +- drivers/pci/controller/dwc/pcie-kirin.c | 4 +- drivers/pci/controller/pcie-xilinx-nwl.c | 39 +- drivers/pci/pci-driver.c | 15 +- drivers/pci/pci.c | 26 +- drivers/pci/pci.h | 9 +- drivers/pci/pcie/dpc.c | 3 +- drivers/pci/quirks.c | 8 + drivers/perf/alibaba_uncore_drw_pmu.c | 2 +- drivers/perf/arm-cmn.c | 232 +- drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 + drivers/pinctrl/mvebu/pinctrl-dove.c | 45 +- drivers/pinctrl/pinctrl-single.c | 3 +- .../x86/intel/speed_select_if/isst_if_common.c | 4 +- drivers/platform/x86/touchscreen_dmi.c | 26 + drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/axp20x_battery.c | 16 +- drivers/power/supply/max17042_battery.c | 5 +- drivers/power/supply/power_supply_hwmon.c | 3 +- drivers/pps/clients/pps_parport.c | 14 +- drivers/regulator/of_regulator.c | 2 +- drivers/remoteproc/imx_rproc.c | 19 +- drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 +- drivers/reset/reset-berlin.c | 3 +- drivers/reset/reset-k210.c | 3 +- drivers/rtc/rtc-at91sam9.c | 1 + drivers/scsi/NCR5380.c | 82 +- drivers/scsi/aacraid/aacraid.h | 2 +- drivers/scsi/elx/libefc/efc_nport.c | 2 +- drivers/scsi/lpfc/lpfc_ct.c | 12 + drivers/scsi/lpfc/lpfc_disc.h | 7 + drivers/scsi/lpfc/lpfc_els.c | 34 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 22 +- drivers/scsi/lpfc/lpfc_vport.c | 43 +- drivers/scsi/mac_scsi.c | 166 +- drivers/scsi/pm8001/pm8001_init.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/smartpqi/smartpqi_init.c | 22 +- drivers/scsi/wd33c93.c | 2 +- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 +- drivers/spi/atmel-quadspi.c | 1 + drivers/spi/spi-bcm63xx.c | 9 +- drivers/spi/spi-fsl-lpspi.c | 1 + drivers/spi/spi-imx.c | 2 +- drivers/spi/spi-ppc4xx.c | 7 +- drivers/spi/spi-s3c64xx.c | 4 +- drivers/staging/vme_user/vme_fake.c | 6 + drivers/staging/vme_user/vme_tsi148.c | 6 + .../int340x_thermal/processor_thermal_device_pci.c | 23 +- drivers/tty/serial/rp2.c | 2 +- drivers/usb/cdns3/cdnsp-ring.c | 6 +- drivers/usb/cdns3/host.c | 4 +- drivers/usb/chipidea/udc.c | 8 +- drivers/usb/class/cdc-acm.c | 2 + drivers/usb/dwc2/drd.c | 9 + drivers/usb/dwc2/platform.c | 26 +- drivers/usb/dwc3/core.c | 22 +- drivers/usb/dwc3/core.h | 4 - drivers/usb/dwc3/gadget.c | 11 - drivers/usb/gadget/udc/core.c | 1 + drivers/usb/host/xhci-debugfs.c | 2 +- drivers/usb/host/xhci-mem.c | 331 +- drivers/usb/host/xhci-pci.c | 22 +- drivers/usb/host/xhci-ring.c | 82 +- drivers/usb/host/xhci.c | 54 +- drivers/usb/host/xhci.h | 32 +- drivers/usb/misc/appledisplay.c | 15 +- drivers/usb/misc/cypress_cy7c63.c | 4 + drivers/usb/misc/yurex.c | 5 +- drivers/usb/storage/unusual_devs.h | 11 + drivers/vfio/pci/vfio_pci_intrs.c | 4 +- drivers/vhost/scsi.c | 25 +- drivers/vhost/vdpa.c | 18 +- drivers/video/fbdev/core/fbcon.c | 2 + drivers/video/fbdev/hpfb.c | 1 + drivers/video/fbdev/pxafb.c | 1 + drivers/video/fbdev/sis/sis_main.c | 2 +- drivers/virtio/virtio_vdpa.c | 1 + drivers/watchdog/imx_sc_wdt.c | 24 - drivers/xen/swiotlb-xen.c | 10 +- fs/btrfs/disk-io.c | 11 + fs/btrfs/relocation.c | 2 +- fs/btrfs/send.c | 23 +- fs/btrfs/zoned.c | 2 +- fs/cachefiles/namei.c | 7 +- fs/ceph/addr.c | 6 +- fs/crypto/fname.c | 8 +- fs/dax.c | 62 + fs/ecryptfs/crypto.c | 10 - fs/erofs/data.c | 50 +- fs/erofs/decompressor.c | 6 +- fs/erofs/decompressor_lzma.c | 4 +- fs/erofs/dir.c | 22 +- fs/erofs/erofs_fs.h | 5 +- fs/erofs/fscache.c | 7 +- fs/erofs/inode.c | 37 +- fs/erofs/internal.h | 34 +- fs/erofs/namei.c | 30 +- fs/erofs/super.c | 72 +- fs/erofs/xattr.c | 40 +- fs/erofs/xattr.h | 10 +- fs/erofs/zdata.c | 16 +- fs/erofs/zmap.c | 263 +- fs/exec.c | 3 +- fs/exfat/balloc.c | 10 +- fs/ext4/dir.c | 14 +- fs/ext4/extents.c | 55 +- fs/ext4/fast_commit.c | 49 +- fs/ext4/file.c | 8 +- fs/ext4/ialloc.c | 14 +- fs/ext4/inline.c | 35 +- fs/ext4/inode.c | 11 +- fs/ext4/mballoc.c | 10 +- fs/ext4/migrate.c | 2 +- fs/ext4/move_extent.c | 1 - fs/ext4/namei.c | 14 +- fs/ext4/super.c | 9 +- fs/ext4/xattr.c | 7 +- fs/f2fs/dir.c | 3 +- fs/f2fs/extent_cache.c | 4 +- fs/f2fs/f2fs.h | 24 +- fs/f2fs/file.c | 96 +- fs/f2fs/namei.c | 69 - fs/f2fs/super.c | 4 +- fs/f2fs/xattr.c | 18 +- fs/fcntl.c | 14 +- fs/file.c | 93 +- fs/inode.c | 4 + fs/iomap/buffered-io.c | 16 +- fs/jbd2/checkpoint.c | 21 +- fs/jbd2/journal.c | 4 +- fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 11 +- fs/jfs/jfs_imap.c | 2 +- fs/jfs/xattr.c | 2 + fs/namei.c | 6 +- fs/namespace.c | 21 +- fs/nfs/callback_xdr.c | 2 + fs/nfs/client.c | 1 + fs/nfs/nfs42proc.c | 2 +- fs/nfs/nfs4state.c | 3 +- fs/nfsd/filecache.c | 7 +- fs/nfsd/nfs4idmap.c | 13 +- fs/nfsd/nfs4recover.c | 8 + fs/nfsd/nfs4state.c | 5 +- fs/nfsd/nfs4xdr.c | 10 +- fs/nfsd/vfs.c | 1 + fs/nilfs2/btree.c | 12 +- fs/ntfs3/file.c | 4 +- fs/ntfs3/frecord.c | 21 +- fs/ntfs3/fslog.c | 19 +- fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 11 +- fs/proc/base.c | 61 +- fs/smb/client/cifsfs.c | 13 +- fs/smb/client/cifsglob.h | 2 +- fs/smb/client/smb1ops.c | 2 +- fs/smb/client/smb2ops.c | 19 +- fs/smb/server/vfs.c | 19 +- fs/unicode/mkutf8data.c | 70 - fs/unicode/utf8data.c_shipped | 6703 ++++++++++---------- fs/xfs/xfs_reflink.c | 8 +- include/acpi/acoutput.h | 5 + include/acpi/cppc_acpi.h | 2 + include/crypto/internal/simd.h | 12 +- include/drm/drm_print.h | 54 +- include/dt-bindings/clock/exynos7885.h | 4 +- include/dt-bindings/clock/qcom,gcc-sc8180x.h | 3 + include/linux/blkdev.h | 3 - include/linux/dax.h | 2 + include/linux/f2fs_fs.h | 2 +- include/linux/fdtable.h | 8 +- include/linux/fs.h | 11 + include/linux/i2c.h | 7 + include/linux/nfs_fs_sb.h | 1 + include/linux/pci_ids.h | 2 + include/linux/sbitmap.h | 2 +- include/linux/uprobes.h | 2 + include/linux/usb/usbnet.h | 15 + include/linux/vdpa.h | 6 + include/linux/xarray.h | 6 + include/net/bluetooth/hci_core.h | 4 +- include/net/ip.h | 2 + include/net/mac80211.h | 7 +- include/net/mctp.h | 2 +- include/net/rtnetlink.h | 17 + include/net/sch_generic.h | 1 - include/net/sock.h | 2 + include/net/tcp.h | 21 +- include/trace/events/erofs.h | 4 +- include/trace/events/f2fs.h | 3 +- include/uapi/linux/cec.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- include/uapi/linux/snmp.h | 3 + io_uring/io-wq.c | 33 +- io_uring/io_uring.c | 15 + io_uring/net.c | 4 +- io_uring/sqpoll.c | 12 + kernel/bpf/arraymap.c | 3 + kernel/bpf/btf.c | 8 + kernel/bpf/hashtab.c | 3 + kernel/bpf/helpers.c | 6 +- kernel/bpf/syscall.c | 1 + kernel/bpf/verifier.c | 16 +- kernel/events/core.c | 6 +- kernel/events/uprobes.c | 4 +- kernel/fork.c | 30 +- kernel/jump_label.c | 52 +- kernel/kthread.c | 12 +- kernel/locking/lockdep.c | 50 +- kernel/module/Makefile | 2 +- kernel/padata.c | 6 +- kernel/rcu/rcuscale.c | 4 +- kernel/rcu/tree_nocb.h | 5 +- kernel/resource.c | 58 +- kernel/sched/psi.c | 26 +- kernel/static_call_inline.c | 13 +- kernel/trace/trace.c | 18 +- kernel/trace/trace_hwlat.c | 2 + kernel/trace/trace_osnoise.c | 2 + kernel/trace/trace_output.c | 6 +- lib/bootconfig.c | 3 +- lib/buildid.c | 88 +- lib/debugobjects.c | 5 +- lib/sbitmap.c | 4 +- lib/test_xarray.c | 93 + lib/xarray.c | 53 +- lib/xz/xz_crc32.c | 2 +- lib/xz/xz_private.h | 4 - mm/Kconfig | 25 +- mm/damon/vaddr.c | 2 + mm/filemap.c | 50 +- mm/secretmem.c | 4 +- mm/slab_common.c | 7 + mm/util.c | 2 +- net/bluetooth/hci_conn.c | 6 +- net/bluetooth/hci_core.c | 27 +- net/bluetooth/hci_event.c | 13 +- net/bluetooth/hci_sock.c | 21 +- net/bluetooth/hci_sync.c | 5 +- net/bluetooth/mgmt.c | 13 +- net/bluetooth/rfcomm/sock.c | 2 - net/bridge/br_netfilter_hooks.c | 5 + net/can/bcm.c | 4 +- net/can/j1939/transport.c | 8 +- net/core/dev.c | 12 +- net/core/filter.c | 44 +- net/core/rtnetlink.c | 29 + net/core/sock_map.c | 1 + net/ipv4/devinet.c | 6 +- net/ipv4/fib_frontend.c | 2 +- net/ipv4/icmp.c | 106 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/netfilter/nf_reject_ipv4.c | 10 +- net/ipv4/netfilter/nft_fib_ipv4.c | 4 +- net/ipv4/proc.c | 8 +- net/ipv4/tcp_input.c | 31 +- net/ipv4/tcp_ipv4.c | 3 + net/ipv4/udp_offload.c | 22 +- net/ipv6/Kconfig | 1 + net/ipv6/icmp.c | 32 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/ipv6/netfilter/nf_reject_ipv6.c | 19 +- net/ipv6/netfilter/nft_fib_ipv6.c | 5 +- net/ipv6/proc.c | 1 + net/ipv6/route.c | 2 +- net/ipv6/rpl_iptunnel.c | 12 +- net/mac80211/chan.c | 4 +- net/mac80211/iface.c | 17 +- net/mac80211/mlme.c | 2 +- net/mac80211/offchannel.c | 1 + net/mac80211/rate.c | 2 +- net/mac80211/scan.c | 21 +- net/mac80211/tx.c | 2 +- net/mac80211/util.c | 4 +- net/mctp/af_mctp.c | 6 +- net/mctp/device.c | 32 +- net/mctp/neigh.c | 29 +- net/mctp/route.c | 33 +- net/mptcp/mib.c | 2 + net/mptcp/mib.h | 2 + net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.c | 24 +- net/mptcp/subflow.c | 6 +- net/netfilter/nf_conntrack_netlink.c | 7 +- net/netfilter/nf_tables_api.c | 14 +- net/netfilter/xt_CHECKSUM.c | 33 +- net/netfilter/xt_CLASSIFY.c | 16 +- net/netfilter/xt_CONNSECMARK.c | 36 +- net/netfilter/xt_CT.c | 148 +- net/netfilter/xt_IDLETIMER.c | 59 +- net/netfilter/xt_LED.c | 39 +- net/netfilter/xt_NFLOG.c | 36 +- net/netfilter/xt_RATEEST.c | 39 +- net/netfilter/xt_SECMARK.c | 27 +- net/netfilter/xt_TRACE.c | 35 +- net/netfilter/xt_addrtype.c | 15 +- net/netfilter/xt_cluster.c | 33 +- net/netfilter/xt_connbytes.c | 4 +- net/netfilter/xt_connlimit.c | 39 +- net/netfilter/xt_connmark.c | 28 +- net/netfilter/xt_mark.c | 42 +- net/netlink/af_netlink.c | 3 +- net/qrtr/af_qrtr.c | 2 +- net/sched/sch_api.c | 7 +- net/sched/sch_taprio.c | 4 +- net/sctp/socket.c | 20 +- net/socket.c | 7 +- net/tipc/bcast.c | 2 +- net/tipc/bearer.c | 8 +- net/wireless/nl80211.c | 18 +- net/wireless/scan.c | 6 +- net/wireless/sme.c | 3 +- rust/macros/module.rs | 6 +- scripts/kconfig/qconf.cc | 2 +- security/Kconfig | 32 + security/bpf/hooks.c | 1 - security/selinux/hooks.c | 4 +- security/smack/smack_lsm.c | 4 +- security/smack/smackfs.c | 2 +- security/tomoyo/domain.c | 9 +- sound/core/init.c | 14 +- sound/core/oss/mixer_oss.c | 4 +- sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/cs35l41_hda_spi.c | 1 + sound/pci/hda/hda_controller.h | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/hda_intel.c | 12 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 10 +- sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/atmel/mchp-pdmc.c | 3 + sound/soc/codecs/rt5682.c | 4 +- sound/soc/codecs/rt5682s.c | 4 +- sound/soc/codecs/wsa883x.c | 16 +- sound/soc/fsl/imx-card.c | 1 + sound/usb/card.c | 6 + sound/usb/line6/podhd.c | 2 +- sound/usb/mixer.c | 35 +- sound/usb/mixer.h | 1 + sound/usb/quirks-table.h | 2283 ++----- sound/usb/quirks.c | 4 + tools/accounting/getdelays.c | 24 +- tools/arch/x86/kcpuid/kcpuid.c | 12 +- tools/iio/iio_generic_buffer.c | 4 + tools/lib/subcmd/parse-options.c | 8 +- tools/perf/builtin-inject.c | 1 + tools/perf/builtin-kmem.c | 2 + tools/perf/builtin-kvm.c | 3 + tools/perf/builtin-kwork.c | 3 + tools/perf/builtin-lock.c | 24 +- tools/perf/builtin-mem.c | 4 + tools/perf/builtin-sched.c | 160 +- tools/perf/util/hist.c | 7 +- tools/perf/util/session.c | 3 + tools/perf/util/stat-display.c | 3 +- tools/perf/util/time-utils.c | 4 +- tools/perf/util/tool.h | 1 + tools/testing/ktest/ktest.pl | 2 +- tools/testing/selftests/arm64/signal/Makefile | 8 +- tools/testing/selftests/arm64/signal/sve_helpers.c | 56 + tools/testing/selftests/arm64/signal/sve_helpers.h | 21 + .../testcases/fake_sigreturn_sme_change_vl.c | 46 +- .../testcases/fake_sigreturn_sve_change_vl.c | 30 +- .../selftests/arm64/signal/testcases/ssve_regs.c | 36 +- .../arm64/signal/testcases/ssve_za_regs.c | 146 + .../selftests/arm64/signal/testcases/sve_regs.c | 32 +- .../selftests/arm64/signal/testcases/za_no_regs.c | 32 +- .../selftests/arm64/signal/testcases/za_regs.c | 36 +- tools/testing/selftests/bpf/DENYLIST.s390x | 2 + tools/testing/selftests/bpf/bench.c | 1 + tools/testing/selftests/bpf/bench.h | 1 + .../selftests/bpf/map_tests/sk_storage_map.c | 2 +- .../selftests/bpf/prog_tests/bpf_iter_setsockopt.c | 2 +- .../testing/selftests/bpf/prog_tests/core_reloc.c | 1 + .../selftests/bpf/prog_tests/flow_dissector.c | 1 + tools/testing/selftests/bpf/prog_tests/kfree_skb.c | 1 + .../bpf/prog_tests/libbpf_get_fd_by_id_opts.c | 87 + .../selftests/bpf/prog_tests/ns_current_pid_tgid.c | 156 +- .../selftests/bpf/prog_tests/stacktrace_build_id.c | 19 +- .../bpf/prog_tests/stacktrace_build_id_nmi.c | 17 +- tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 + .../selftests/bpf/prog_tests/user_ringbuf.c | 1 + .../testing/selftests/bpf/progs/cg_storage_multi.h | 2 - .../bpf/progs/test_libbpf_get_fd_by_id_opts.c | 37 + .../selftests/bpf/progs/test_ns_current_pid_tgid.c | 17 +- tools/testing/selftests/bpf/test_cpp.cpp | 4 + tools/testing/selftests/bpf/test_lru_map.c | 3 +- tools/testing/selftests/bpf/test_progs.c | 110 +- tools/testing/selftests/bpf/test_progs.h | 2 - tools/testing/selftests/bpf/testing_helpers.c | 63 + tools/testing/selftests/bpf/testing_helpers.h | 9 + .../breakpoints/step_after_suspend_test.c | 5 +- .../selftests/net/forwarding/no_forwarding.sh | 2 +- tools/testing/selftests/net/net_helper.sh | 0 tools/testing/selftests/net/setup_loopback.sh | 0 tools/testing/selftests/netfilter/nft_audit.sh | 57 +- tools/testing/selftests/nolibc/nolibc-test.c | 4 +- tools/testing/selftests/vDSO/parse_vdso.c | 17 +- tools/testing/selftests/vDSO/vdso_config.h | 10 +- .../testing/selftests/vDSO/vdso_test_correctness.c | 6 + .../selftests/vm/charge_reserved_hugetlb.sh | 2 +- tools/testing/selftests/vm/write_to_hugetlbfs.c | 23 +- 757 files changed, 11836 insertions(+), 9609 deletions(-)

8 months, 2 weeks

9
10
0 0

FAILED: patch "[PATCH] nilfs2: propagate directory read errors from" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 08cfa12adf888db98879dbd735bc741360a34168 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101853-recall-payee-2d9d@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 08cfa12adf888db98879dbd735bc741360a34168 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Fri, 4 Oct 2024 12:35:31 +0900 Subject: [PATCH] nilfs2: propagate directory read errors from nilfs_find_entry() Syzbot reported that a task hang occurs in vcs_open() during a fuzzing test for nilfs2. The root cause of this problem is that in nilfs_find_entry(), which searches for directory entries, ignores errors when loading a directory page/folio via nilfs_get_folio() fails. If the filesystem images is corrupted, and the i_size of the directory inode is large, and the directory page/folio is successfully read but fails the sanity check, for example when it is zero-filled, nilfs_check_folio() may continue to spit out error messages in bursts. Fix this issue by propagating the error to the callers when loading a page/folio fails in nilfs_find_entry(). The current interface of nilfs_find_entry() and its callers is outdated and cannot propagate error codes such as -EIO and -ENOMEM returned via nilfs_find_entry(), so fix it together. Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: Lizhi Xu <lizhi.xu(a)windriver.com> Closes: https://lkml.kernel.org/r/20240927013806.3577931-1-lizhi.xu@windriver.com Reported-by: syzbot+8a192e8d090fa9a31135(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8a192e8d090fa9a31135 Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index fe5b1a30c509..a8602729586a 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -289,7 +289,7 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx) * The folio is mapped and unlocked. When the caller is finished with * the entry, it should call folio_release_kmap(). * - * On failure, returns NULL and the caller should ignore foliop. + * On failure, returns an error pointer and the caller should ignore foliop. */ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, const struct qstr *qstr, struct folio **foliop) @@ -312,22 +312,24 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, do { char *kaddr = nilfs_get_folio(dir, n, foliop); - if (!IS_ERR(kaddr)) { - de = (struct nilfs_dir_entry *)kaddr; - kaddr += nilfs_last_byte(dir, n) - reclen; - while ((char *) de <= kaddr) { - if (de->rec_len == 0) { - nilfs_error(dir->i_sb, - "zero-length directory entry"); - folio_release_kmap(*foliop, kaddr); - goto out; - } - if (nilfs_match(namelen, name, de)) - goto found; - de = nilfs_next_entry(de); + if (IS_ERR(kaddr)) + return ERR_CAST(kaddr); + + de = (struct nilfs_dir_entry *)kaddr; + kaddr += nilfs_last_byte(dir, n) - reclen; + while ((char *)de <= kaddr) { + if (de->rec_len == 0) { + nilfs_error(dir->i_sb, + "zero-length directory entry"); + folio_release_kmap(*foliop, kaddr); + goto out; } - folio_release_kmap(*foliop, kaddr); + if (nilfs_match(namelen, name, de)) + goto found; + de = nilfs_next_entry(de); } + folio_release_kmap(*foliop, kaddr); + if (++n >= npages) n = 0; /* next folio is past the blocks we've got */ @@ -340,7 +342,7 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, } } while (n != start); out: - return NULL; + return ERR_PTR(-ENOENT); found: ei->i_dir_start_lookup = n; @@ -384,18 +386,18 @@ fail: return NULL; } -ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) +int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino) { - ino_t res = 0; struct nilfs_dir_entry *de; struct folio *folio; de = nilfs_find_entry(dir, qstr, &folio); - if (de) { - res = le64_to_cpu(de->inode); - folio_release_kmap(folio, de); - } - return res; + if (IS_ERR(de)) + return PTR_ERR(de); + + *ino = le64_to_cpu(de->inode); + folio_release_kmap(folio, de); + return 0; } void nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c index c950139db6ef..4905063790c5 100644 --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -55,12 +55,20 @@ nilfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) { struct inode *inode; ino_t ino; + int res; if (dentry->d_name.len > NILFS_NAME_LEN) return ERR_PTR(-ENAMETOOLONG); - ino = nilfs_inode_by_name(dir, &dentry->d_name); - inode = ino ? nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino) : NULL; + res = nilfs_inode_by_name(dir, &dentry->d_name, &ino); + if (res) { + if (res != -ENOENT) + return ERR_PTR(res); + inode = NULL; + } else { + inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); + } + return d_splice_alias(inode, dentry); } @@ -263,10 +271,11 @@ static int nilfs_do_unlink(struct inode *dir, struct dentry *dentry) struct folio *folio; int err; - err = -ENOENT; de = nilfs_find_entry(dir, &dentry->d_name, &folio); - if (!de) + if (IS_ERR(de)) { + err = PTR_ERR(de); goto out; + } inode = d_inode(dentry); err = -EIO; @@ -362,10 +371,11 @@ static int nilfs_rename(struct mnt_idmap *idmap, if (unlikely(err)) return err; - err = -ENOENT; old_de = nilfs_find_entry(old_dir, &old_dentry->d_name, &old_folio); - if (!old_de) + if (IS_ERR(old_de)) { + err = PTR_ERR(old_de); goto out; + } if (S_ISDIR(old_inode->i_mode)) { err = -EIO; @@ -382,10 +392,12 @@ static int nilfs_rename(struct mnt_idmap *idmap, if (dir_de && !nilfs_empty_dir(new_inode)) goto out_dir; - err = -ENOENT; - new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, &new_folio); - if (!new_de) + new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, + &new_folio); + if (IS_ERR(new_de)) { + err = PTR_ERR(new_de); goto out_dir; + } nilfs_set_link(new_dir, new_de, new_folio, old_inode); folio_release_kmap(new_folio, new_de); nilfs_mark_inode_dirty(new_dir); @@ -440,12 +452,13 @@ out: */ static struct dentry *nilfs_get_parent(struct dentry *child) { - unsigned long ino; + ino_t ino; + int res; struct nilfs_root *root; - ino = nilfs_inode_by_name(d_inode(child), &dotdot_name); - if (!ino) - return ERR_PTR(-ENOENT); + res = nilfs_inode_by_name(d_inode(child), &dotdot_name, &ino); + if (res) + return ERR_PTR(res); root = NILFS_I(d_inode(child))->i_root; diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h index fb1c4c5bae7c..45d03826eaf1 100644 --- a/fs/nilfs2/nilfs.h +++ b/fs/nilfs2/nilfs.h @@ -254,7 +254,7 @@ static inline __u32 nilfs_mask_flags(umode_t mode, __u32 flags) /* dir.c */ int nilfs_add_link(struct dentry *, struct inode *); -ino_t nilfs_inode_by_name(struct inode *, const struct qstr *); +int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino); int nilfs_make_empty(struct inode *, struct inode *); struct nilfs_dir_entry *nilfs_find_entry(struct inode *, const struct qstr *, struct folio **);

8 months, 2 weeks

3
2
0 0

[PATCH 5.10.y 0/3] mptcp: fix recent failed backports

by Matthieu Baerts (NGI0)

Greg recently reported 2 patches that could not be applied without conflicts in v5.10: - e32d262c89e2 ("mptcp: handle consistently DSS corruption") - 4dabcdf58121 ("tcp: fix mptcp DSS corruption due to large pmtu xmit") Conflicts have been resolved, and documented in each patch. One extra commit has been backported, to support allow_infinite_fallback which is used by one commit from the list above: - 0530020a7c8f ("mptcp: track and update contiguous data status") Geliang Tang (1): mptcp: track and update contiguous data status Paolo Abeni (2): mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit net/ipv4/tcp_output.c | 2 +- net/mptcp/mib.c | 2 ++ net/mptcp/mib.h | 2 ++ net/mptcp/protocol.c | 26 ++++++++++++++++++++++---- net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 3 ++- 6 files changed, 30 insertions(+), 6 deletions(-) -- 2.45.2

8 months, 2 weeks

2
4
0 0

[PATCH 5.15.y 0/6] mptcp: fix recent failed backports

by Matthieu Baerts (NGI0)

Greg recently reported 6 patches that could not be applied without conflicts in v5.15: - e32d262c89e2 ("mptcp: handle consistently DSS corruption") - 4dabcdf58121 ("tcp: fix mptcp DSS corruption due to large pmtu xmit") - 119d51e225fe ("mptcp: fallback when MPTCP opts are dropped after 1st data") - 7decd1f5904a ("mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow") - 3d041393ea8c ("mptcp: prevent MPC handshake on port-based signal endpoints") - 5afca7e996c4 ("selftests: mptcp: join: test for prohibited MPC to port-based endp") Conflicts have been resolved for the 5 first ones, and documented in each patch. The last patch has not been backported: this is an extra test for the selftests validating the previous commit, and there are a lot of conflicts. That's fine not to backport this test, it is still possible to use the selftests from a newer version and run them on this older kernel. One extra commit has been backported, to support allow_infinite_fallback which is used by two commits from the list above: - 0530020a7c8f ("mptcp: track and update contiguous data status") Geliang Tang (1): mptcp: track and update contiguous data status Matthieu Baerts (NGI0) (2): mptcp: fallback when MPTCP opts are dropped after 1st data mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Paolo Abeni (3): mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit mptcp: prevent MPC handshake on port-based signal endpoints net/ipv4/tcp_output.c | 2 +- net/mptcp/mib.c | 3 +++ net/mptcp/mib.h | 3 +++ net/mptcp/pm_netlink.c | 3 ++- net/mptcp/protocol.c | 23 ++++++++++++++++++++--- net/mptcp/protocol.h | 2 ++ net/mptcp/subflow.c | 19 ++++++++++++++++--- 7 files changed, 47 insertions(+), 8 deletions(-) -- 2.45.2

8 months, 2 weeks

2
7
0 0

[PATCH 6.1.y 0/2] mptcp: fix recent failed backports

by Matthieu Baerts (NGI0)

Greg recently reported 3 patches that could not be applied without conflicts in v6.1: - 4dabcdf58121 ("tcp: fix mptcp DSS corruption due to large pmtu xmit") - 3d041393ea8c ("mptcp: prevent MPC handshake on port-based signal endpoints") - 5afca7e996c4 ("selftests: mptcp: join: test for prohibited MPC to port-based endp") Conflicts have been resolved for the two first ones, and documented in each patch. The last patch has not been backported: this is an extra test for the selftests validating the previous commit, and there are a lot of conflicts. That's fine not to backport this test, it is still possible to use the selftests from a newer version and run them on this older kernel. Paolo Abeni (2): tcp: fix mptcp DSS corruption due to large pmtu xmit mptcp: prevent MPC handshake on port-based signal endpoints net/ipv4/tcp_output.c | 4 +--- net/mptcp/mib.c | 1 + net/mptcp/mib.h | 1 + net/mptcp/pm_netlink.c | 1 + net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 11 +++++++++++ 6 files changed, 16 insertions(+), 3 deletions(-) -- 2.45.2

8 months, 2 weeks

2
3
0 0

[PATCH 6.6.y 0/4] mptcp: fix recent failed backports

by Matthieu Baerts (NGI0)

Greg recently reported 2 patches that could not be applied without conflict in v6.6: - 4dabcdf58121 ("tcp: fix mptcp DSS corruption due to large pmtu xmit") - 5afca7e996c4 ("selftests: mptcp: join: test for prohibited MPC to port-based endp") Conflicts have been resolved, and documented in each patch. Note that there are two extra patches: - 8c6f6b4bb53a ("selftests: mptcp: join: change capture/checksum as bool"): to avoid some conflicts - "selftests: mptcp: remove duplicated variables": a dedicated patch for v6.6, to fix some previous backport issues. Geliang Tang (1): selftests: mptcp: join: change capture/checksum as bool Matthieu Baerts (NGI0) (1): selftests: mptcp: remove duplicated variables Paolo Abeni (2): tcp: fix mptcp DSS corruption due to large pmtu xmit selftests: mptcp: join: test for prohibited MPC to port-based endp net/ipv4/tcp_output.c | 4 +- .../testing/selftests/net/mptcp/mptcp_join.sh | 135 ++++++++++++------ .../testing/selftests/net/mptcp/mptcp_lib.sh | 11 -- 3 files changed, 96 insertions(+), 54 deletions(-) -- 2.45.2

8 months, 2 weeks

2
5
0 0

FAILED: patch "[PATCH] serial: qcom-geni: fix shutdown race" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 23f5f5debcaac1399cfeacec215278bf6dbc1d11 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102142-pristine-mayday-9998@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 23f5f5debcaac1399cfeacec215278bf6dbc1d11 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Wed, 9 Oct 2024 16:51:04 +0200 Subject: [PATCH] serial: qcom-geni: fix shutdown race A commit adding back the stopping of tx on port shutdown failed to add back the locking which had also been removed by commit e83766334f96 ("tty: serial: qcom_geni_serial: No need to stop tx/rx on UART shutdown"). Holding the port lock is needed to serialise against the console code, which may update the interrupt enable register and access the port state. Fixes: d8aca2f96813 ("tty: serial: qcom-geni-serial: stop operations in progress at shutdown") Fixes: 947cc4ecc06c ("serial: qcom-geni: fix soft lockup on sw flow control and suspend") Cc: stable(a)vger.kernel.org # 6.3 Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Link: https://lore.kernel.org/r/20241009145110.16847-4-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 2e4a5361f137..87cd974b76bf 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1114,10 +1114,12 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) { disable_irq(uport->irq); + uart_port_lock_irq(uport); qcom_geni_serial_stop_tx(uport); qcom_geni_serial_stop_rx(uport); qcom_geni_serial_cancel_tx_cmd(uport); + uart_port_unlock_irq(uport); } static void qcom_geni_serial_flush_buffer(struct uart_port *uport)

8 months, 2 weeks

1
0
0 0

[PATCH v2 0/2] Fix KASAN crash when using KASAN_VMALLOC

by Linus Walleij

This problem reported by Clement LE GOFFIC manifest when using CONFIG_KASAN_IN_VMALLOC and VMAP_STACK: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db… After some analysis it seems we are missing to sync the VMALLOC shadow memory in top level PGD to all CPUs. Add some code to perform this sync, and the bug appears to go away. As suggested by Ard, also perform a dummy read from the shadow memory of the new VMAP_STACK in the low level assembly. Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> --- Changes in v2: - Implement the two helper functions suggested by Russell making the KASAN PGD copying less messy. - Link to v1: https://lore.kernel.org/r/20241015-arm-kasan-vmalloc-crash-v1-0-dbb23592ca8… --- Linus Walleij (2): ARM: ioremap: Sync PGDs for VMALLOC shadow ARM: entry: Do a dummy read from VMAP shadow arch/arm/kernel/entry-armv.S | 8 ++++++++ arch/arm/mm/ioremap.c | 25 +++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241015-arm-kasan-vmalloc-crash-fcbd51416457 Best regards, -- Linus Walleij <linus.walleij(a)linaro.org>

8 months, 2 weeks

4
8
0 0

FAILED: patch "[PATCH] serial: imx: Update mctrl old_status on RTSD interrupt" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 40d7903386df4d18f04d90510ba90eedee260085 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102101-glacial-outsell-b7f5@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marex(a)denx.de> Date: Wed, 2 Oct 2024 20:40:38 +0200 Subject: [PATCH] serial: imx: Update mctrl old_status on RTSD interrupt When sending data using DMA at high baudrate (4 Mbdps in local test case) to a device with small RX buffer which keeps asserting RTS after every received byte, it is possible that the iMX UART driver would not recognize the falling edge of RTS input signal and get stuck, unable to transmit any more data. This condition happens when the following sequence of events occur: - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART control signal status into sport->old_status using imx_uart_get_hwmctrl(). The RTSS/TIOCM_CTS bit is of interest here (*). - DMA transfer occurs, the remote device asserts RTS signal after each byte. The i.MX UART driver recognizes each such RTS signal change, raises an interrupt with USR1 register RTSD bit set, which leads to invocation of __imx_uart_rtsint(), which calls uart_handle_cts_change(). - If the RTS signal is deasserted, uart_handle_cts_change() clears port->hw_stopped and unblocks the port for further data transfers. - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped and blocks the port for further data transfers. This may occur as the last interrupt of a transfer, which means port->hw_stopped remains set and the port remains blocked (**). - Any further data transfer attempts will trigger imx_uart_mctrl_check(), which will read current status of UART control signals by calling imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . - If current status differs from sport->old_status for RTS signal, uart_handle_cts_change() is called and possibly unblocks the port by clearing port->hw_stopped . - If current status does not differ from sport->old_status for RTS signal, no action occurs. This may occur in case prior snapshot (*) was taken before any transfer so the RTS is deasserted, current snapshot (***) was taken after a transfer and therefore RTS is deasserted again, which means current status and sport->old_status are identical. In case (**) triggered when RTS got asserted, and made port->hw_stopped set, the port->hw_stopped will remain set because no change on RTS line is recognized by this driver and uart_handle_cts_change() is not called from here to unblock the port->hw_stopped. Update sport->old_status in __imx_uart_rtsint() accordingly to make imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR and TIOCM_RI bits in sport->old_status do not suffer from this problem. Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") Cc: stable <stable(a)kernel.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Signed-off-by: Marek Vasut <marex(a)denx.de> Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 67d4a72eda77..90974d338f3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) imx_uart_writel(sport, USR1_RTSD, USR1); usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + /* + * Update sport->old_status here, so any follow-up calls to + * imx_uart_mctrl_check() will be able to recognize that RTS + * state changed since last imx_uart_mctrl_check() call. + * + * In case RTS has been detected as asserted here and later on + * deasserted by the time imx_uart_mctrl_check() was called, + * imx_uart_mctrl_check() can detect the RTS state change and + * trigger uart_handle_cts_change() to unblock the port for + * further TX transfers. + */ + if (usr1 & USR1_RTSS) + sport->old_status |= TIOCM_CTS; + else + sport->old_status &= ~TIOCM_CTS; uart_handle_cts_change(&sport->port, usr1); wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: imx: Update mctrl old_status on RTSD interrupt" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 40d7903386df4d18f04d90510ba90eedee260085 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102100-unselect-chevron-960a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marex(a)denx.de> Date: Wed, 2 Oct 2024 20:40:38 +0200 Subject: [PATCH] serial: imx: Update mctrl old_status on RTSD interrupt When sending data using DMA at high baudrate (4 Mbdps in local test case) to a device with small RX buffer which keeps asserting RTS after every received byte, it is possible that the iMX UART driver would not recognize the falling edge of RTS input signal and get stuck, unable to transmit any more data. This condition happens when the following sequence of events occur: - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART control signal status into sport->old_status using imx_uart_get_hwmctrl(). The RTSS/TIOCM_CTS bit is of interest here (*). - DMA transfer occurs, the remote device asserts RTS signal after each byte. The i.MX UART driver recognizes each such RTS signal change, raises an interrupt with USR1 register RTSD bit set, which leads to invocation of __imx_uart_rtsint(), which calls uart_handle_cts_change(). - If the RTS signal is deasserted, uart_handle_cts_change() clears port->hw_stopped and unblocks the port for further data transfers. - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped and blocks the port for further data transfers. This may occur as the last interrupt of a transfer, which means port->hw_stopped remains set and the port remains blocked (**). - Any further data transfer attempts will trigger imx_uart_mctrl_check(), which will read current status of UART control signals by calling imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . - If current status differs from sport->old_status for RTS signal, uart_handle_cts_change() is called and possibly unblocks the port by clearing port->hw_stopped . - If current status does not differ from sport->old_status for RTS signal, no action occurs. This may occur in case prior snapshot (*) was taken before any transfer so the RTS is deasserted, current snapshot (***) was taken after a transfer and therefore RTS is deasserted again, which means current status and sport->old_status are identical. In case (**) triggered when RTS got asserted, and made port->hw_stopped set, the port->hw_stopped will remain set because no change on RTS line is recognized by this driver and uart_handle_cts_change() is not called from here to unblock the port->hw_stopped. Update sport->old_status in __imx_uart_rtsint() accordingly to make imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR and TIOCM_RI bits in sport->old_status do not suffer from this problem. Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") Cc: stable <stable(a)kernel.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Signed-off-by: Marek Vasut <marex(a)denx.de> Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 67d4a72eda77..90974d338f3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) imx_uart_writel(sport, USR1_RTSD, USR1); usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + /* + * Update sport->old_status here, so any follow-up calls to + * imx_uart_mctrl_check() will be able to recognize that RTS + * state changed since last imx_uart_mctrl_check() call. + * + * In case RTS has been detected as asserted here and later on + * deasserted by the time imx_uart_mctrl_check() was called, + * imx_uart_mctrl_check() can detect the RTS state change and + * trigger uart_handle_cts_change() to unblock the port for + * further TX transfers. + */ + if (usr1 & USR1_RTSS) + sport->old_status |= TIOCM_CTS; + else + sport->old_status &= ~TIOCM_CTS; uart_handle_cts_change(&sport->port, usr1); wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: imx: Update mctrl old_status on RTSD interrupt" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 40d7903386df4d18f04d90510ba90eedee260085 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102158-vanquish-ignition-83d0@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marex(a)denx.de> Date: Wed, 2 Oct 2024 20:40:38 +0200 Subject: [PATCH] serial: imx: Update mctrl old_status on RTSD interrupt When sending data using DMA at high baudrate (4 Mbdps in local test case) to a device with small RX buffer which keeps asserting RTS after every received byte, it is possible that the iMX UART driver would not recognize the falling edge of RTS input signal and get stuck, unable to transmit any more data. This condition happens when the following sequence of events occur: - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART control signal status into sport->old_status using imx_uart_get_hwmctrl(). The RTSS/TIOCM_CTS bit is of interest here (*). - DMA transfer occurs, the remote device asserts RTS signal after each byte. The i.MX UART driver recognizes each such RTS signal change, raises an interrupt with USR1 register RTSD bit set, which leads to invocation of __imx_uart_rtsint(), which calls uart_handle_cts_change(). - If the RTS signal is deasserted, uart_handle_cts_change() clears port->hw_stopped and unblocks the port for further data transfers. - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped and blocks the port for further data transfers. This may occur as the last interrupt of a transfer, which means port->hw_stopped remains set and the port remains blocked (**). - Any further data transfer attempts will trigger imx_uart_mctrl_check(), which will read current status of UART control signals by calling imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . - If current status differs from sport->old_status for RTS signal, uart_handle_cts_change() is called and possibly unblocks the port by clearing port->hw_stopped . - If current status does not differ from sport->old_status for RTS signal, no action occurs. This may occur in case prior snapshot (*) was taken before any transfer so the RTS is deasserted, current snapshot (***) was taken after a transfer and therefore RTS is deasserted again, which means current status and sport->old_status are identical. In case (**) triggered when RTS got asserted, and made port->hw_stopped set, the port->hw_stopped will remain set because no change on RTS line is recognized by this driver and uart_handle_cts_change() is not called from here to unblock the port->hw_stopped. Update sport->old_status in __imx_uart_rtsint() accordingly to make imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR and TIOCM_RI bits in sport->old_status do not suffer from this problem. Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") Cc: stable <stable(a)kernel.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Signed-off-by: Marek Vasut <marex(a)denx.de> Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 67d4a72eda77..90974d338f3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) imx_uart_writel(sport, USR1_RTSD, USR1); usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + /* + * Update sport->old_status here, so any follow-up calls to + * imx_uart_mctrl_check() will be able to recognize that RTS + * state changed since last imx_uart_mctrl_check() call. + * + * In case RTS has been detected as asserted here and later on + * deasserted by the time imx_uart_mctrl_check() was called, + * imx_uart_mctrl_check() can detect the RTS state change and + * trigger uart_handle_cts_change() to unblock the port for + * further TX transfers. + */ + if (usr1 & USR1_RTSS) + sport->old_status |= TIOCM_CTS; + else + sport->old_status &= ~TIOCM_CTS; uart_handle_cts_change(&sport->port, usr1); wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: imx: Update mctrl old_status on RTSD interrupt" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 40d7903386df4d18f04d90510ba90eedee260085 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102157-tactical-darkened-7877@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marex(a)denx.de> Date: Wed, 2 Oct 2024 20:40:38 +0200 Subject: [PATCH] serial: imx: Update mctrl old_status on RTSD interrupt When sending data using DMA at high baudrate (4 Mbdps in local test case) to a device with small RX buffer which keeps asserting RTS after every received byte, it is possible that the iMX UART driver would not recognize the falling edge of RTS input signal and get stuck, unable to transmit any more data. This condition happens when the following sequence of events occur: - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART control signal status into sport->old_status using imx_uart_get_hwmctrl(). The RTSS/TIOCM_CTS bit is of interest here (*). - DMA transfer occurs, the remote device asserts RTS signal after each byte. The i.MX UART driver recognizes each such RTS signal change, raises an interrupt with USR1 register RTSD bit set, which leads to invocation of __imx_uart_rtsint(), which calls uart_handle_cts_change(). - If the RTS signal is deasserted, uart_handle_cts_change() clears port->hw_stopped and unblocks the port for further data transfers. - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped and blocks the port for further data transfers. This may occur as the last interrupt of a transfer, which means port->hw_stopped remains set and the port remains blocked (**). - Any further data transfer attempts will trigger imx_uart_mctrl_check(), which will read current status of UART control signals by calling imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . - If current status differs from sport->old_status for RTS signal, uart_handle_cts_change() is called and possibly unblocks the port by clearing port->hw_stopped . - If current status does not differ from sport->old_status for RTS signal, no action occurs. This may occur in case prior snapshot (*) was taken before any transfer so the RTS is deasserted, current snapshot (***) was taken after a transfer and therefore RTS is deasserted again, which means current status and sport->old_status are identical. In case (**) triggered when RTS got asserted, and made port->hw_stopped set, the port->hw_stopped will remain set because no change on RTS line is recognized by this driver and uart_handle_cts_change() is not called from here to unblock the port->hw_stopped. Update sport->old_status in __imx_uart_rtsint() accordingly to make imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR and TIOCM_RI bits in sport->old_status do not suffer from this problem. Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") Cc: stable <stable(a)kernel.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Signed-off-by: Marek Vasut <marex(a)denx.de> Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 67d4a72eda77..90974d338f3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) imx_uart_writel(sport, USR1_RTSD, USR1); usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + /* + * Update sport->old_status here, so any follow-up calls to + * imx_uart_mctrl_check() will be able to recognize that RTS + * state changed since last imx_uart_mctrl_check() call. + * + * In case RTS has been detected as asserted here and later on + * deasserted by the time imx_uart_mctrl_check() was called, + * imx_uart_mctrl_check() can detect the RTS state change and + * trigger uart_handle_cts_change() to unblock the port for + * further TX transfers. + */ + if (usr1 & USR1_RTSS) + sport->old_status |= TIOCM_CTS; + else + sport->old_status &= ~TIOCM_CTS; uart_handle_cts_change(&sport->port, usr1); wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] serial: imx: Update mctrl old_status on RTSD interrupt" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 40d7903386df4d18f04d90510ba90eedee260085 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102155-anemia-fructose-ab64@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40d7903386df4d18f04d90510ba90eedee260085 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marex(a)denx.de> Date: Wed, 2 Oct 2024 20:40:38 +0200 Subject: [PATCH] serial: imx: Update mctrl old_status on RTSD interrupt When sending data using DMA at high baudrate (4 Mbdps in local test case) to a device with small RX buffer which keeps asserting RTS after every received byte, it is possible that the iMX UART driver would not recognize the falling edge of RTS input signal and get stuck, unable to transmit any more data. This condition happens when the following sequence of events occur: - imx_uart_mctrl_check() is called at some point and takes a snapshot of UART control signal status into sport->old_status using imx_uart_get_hwmctrl(). The RTSS/TIOCM_CTS bit is of interest here (*). - DMA transfer occurs, the remote device asserts RTS signal after each byte. The i.MX UART driver recognizes each such RTS signal change, raises an interrupt with USR1 register RTSD bit set, which leads to invocation of __imx_uart_rtsint(), which calls uart_handle_cts_change(). - If the RTS signal is deasserted, uart_handle_cts_change() clears port->hw_stopped and unblocks the port for further data transfers. - If the RTS is asserted, uart_handle_cts_change() sets port->hw_stopped and blocks the port for further data transfers. This may occur as the last interrupt of a transfer, which means port->hw_stopped remains set and the port remains blocked (**). - Any further data transfer attempts will trigger imx_uart_mctrl_check(), which will read current status of UART control signals by calling imx_uart_get_hwmctrl() (***) and compare it with sport->old_status . - If current status differs from sport->old_status for RTS signal, uart_handle_cts_change() is called and possibly unblocks the port by clearing port->hw_stopped . - If current status does not differ from sport->old_status for RTS signal, no action occurs. This may occur in case prior snapshot (*) was taken before any transfer so the RTS is deasserted, current snapshot (***) was taken after a transfer and therefore RTS is deasserted again, which means current status and sport->old_status are identical. In case (**) triggered when RTS got asserted, and made port->hw_stopped set, the port->hw_stopped will remain set because no change on RTS line is recognized by this driver and uart_handle_cts_change() is not called from here to unblock the port->hw_stopped. Update sport->old_status in __imx_uart_rtsint() accordingly to make imx_uart_mctrl_check() detect such RTS change. Note that TIOCM_CAR and TIOCM_RI bits in sport->old_status do not suffer from this problem. Fixes: ceca629e0b48 ("[ARM] 2971/1: i.MX uart handle rts irq") Cc: stable <stable(a)kernel.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Signed-off-by: Marek Vasut <marex(a)denx.de> Link: https://lore.kernel.org/r/20241002184133.19427-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 67d4a72eda77..90974d338f3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -762,6 +762,21 @@ static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) imx_uart_writel(sport, USR1_RTSD, USR1); usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + /* + * Update sport->old_status here, so any follow-up calls to + * imx_uart_mctrl_check() will be able to recognize that RTS + * state changed since last imx_uart_mctrl_check() call. + * + * In case RTS has been detected as asserted here and later on + * deasserted by the time imx_uart_mctrl_check() was called, + * imx_uart_mctrl_check() can detect the RTS state change and + * trigger uart_handle_cts_change() to unblock the port for + * further TX transfers. + */ + if (usr1 & USR1_RTSS) + sport->old_status |= TIOCM_CTS; + else + sport->old_status &= ~TIOCM_CTS; uart_handle_cts_change(&sport->port, usr1); wake_up_interruptible(&sport->port.state->port.delta_msr_wait);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 705e3ce37bccdf2ed6f848356ff355f480d51a91 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102151-shove-lucid-37a2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 705e3ce37bccdf2ed6f848356ff355f480d51a91 Mon Sep 17 00:00:00 2001 From: Roger Quadros <rogerq(a)kernel.org> Date: Fri, 11 Oct 2024 13:53:24 +0300 Subject: [PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), system suspend is broken on AM62 TI platforms. Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY bits (hence forth called 2 SUSPHY bits) were being set during core initialization and even during core re-initialization after a system suspend/resume. These bits are required to be set for system suspend/resume to work correctly on AM62 platforms. Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget driver is not loaded and started. For Host mode, the 2 SUSPHY bits are set before the first system suspend but get cleared at system resume during core re-init and are never set again. This patch resovles these two issues by ensuring the 2 SUSPHY bits are set before system suspend and restored to the original state during system resume. Cc: stable(a)vger.kernel.org # v6.9+ Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ Signed-off-by: Roger Quadros <rogerq(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Tested-by: Markus Schneider-Pargmann <msp(a)baylibre.com> Reviewed-by: Dhruva Gole <d-gole(a)ti.com> Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 21740e2b8f07..427e5660f87c 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2342,6 +2342,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) u32 reg; int i; + dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & + DWC3_GUSB2PHYCFG_SUSPHY) || + (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & + DWC3_GUSB3PIPECTL_SUSPHY); + switch (dwc->current_dr_role) { case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) @@ -2393,6 +2398,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* + * TI AM62 platform requires SUSPHY to be + * enabled for system suspend to work. + */ + if (!dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } @@ -2460,6 +2474,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* restore SUSPHY state to that before system suspend. */ + dwc3_enable_susphy(dwc, dwc->susphy_state); + } + return 0; } diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 9c508e0c5cdf..eab81dfdcc35 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -1150,6 +1150,8 @@ struct dwc3_scratchpad_array { * @sys_wakeup: set if the device may do system wakeup. * @wakeup_configured: set if the device is configured for remote wakeup. * @suspended: set to track suspend event due to U3/L2. + * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY + * before PM suspend. * @imod_interval: set the interrupt moderation interval in 250ns * increments or 0 to disable. * @max_cfg_eps: current max number of IN eps used across all USB configs. @@ -1382,6 +1384,7 @@ struct dwc3 { unsigned sys_wakeup:1; unsigned wakeup_configured:1; unsigned suspended:1; + unsigned susphy_state:1; u16 imod_interval;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 705e3ce37bccdf2ed6f848356ff355f480d51a91 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102150-sneer-daughter-91eb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 705e3ce37bccdf2ed6f848356ff355f480d51a91 Mon Sep 17 00:00:00 2001 From: Roger Quadros <rogerq(a)kernel.org> Date: Fri, 11 Oct 2024 13:53:24 +0300 Subject: [PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), system suspend is broken on AM62 TI platforms. Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY bits (hence forth called 2 SUSPHY bits) were being set during core initialization and even during core re-initialization after a system suspend/resume. These bits are required to be set for system suspend/resume to work correctly on AM62 platforms. Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget driver is not loaded and started. For Host mode, the 2 SUSPHY bits are set before the first system suspend but get cleared at system resume during core re-init and are never set again. This patch resovles these two issues by ensuring the 2 SUSPHY bits are set before system suspend and restored to the original state during system resume. Cc: stable(a)vger.kernel.org # v6.9+ Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ Signed-off-by: Roger Quadros <rogerq(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Tested-by: Markus Schneider-Pargmann <msp(a)baylibre.com> Reviewed-by: Dhruva Gole <d-gole(a)ti.com> Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 21740e2b8f07..427e5660f87c 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2342,6 +2342,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) u32 reg; int i; + dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & + DWC3_GUSB2PHYCFG_SUSPHY) || + (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & + DWC3_GUSB3PIPECTL_SUSPHY); + switch (dwc->current_dr_role) { case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) @@ -2393,6 +2398,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* + * TI AM62 platform requires SUSPHY to be + * enabled for system suspend to work. + */ + if (!dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } @@ -2460,6 +2474,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* restore SUSPHY state to that before system suspend. */ + dwc3_enable_susphy(dwc, dwc->susphy_state); + } + return 0; } diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 9c508e0c5cdf..eab81dfdcc35 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -1150,6 +1150,8 @@ struct dwc3_scratchpad_array { * @sys_wakeup: set if the device may do system wakeup. * @wakeup_configured: set if the device is configured for remote wakeup. * @suspended: set to track suspend event due to U3/L2. + * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY + * before PM suspend. * @imod_interval: set the interrupt moderation interval in 250ns * increments or 0 to disable. * @max_cfg_eps: current max number of IN eps used across all USB configs. @@ -1382,6 +1384,7 @@ struct dwc3 { unsigned sys_wakeup:1; unsigned wakeup_configured:1; unsigned suspended:1; + unsigned susphy_state:1; u16 imod_interval;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 705e3ce37bccdf2ed6f848356ff355f480d51a91 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102149-useable-steep-0218@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 705e3ce37bccdf2ed6f848356ff355f480d51a91 Mon Sep 17 00:00:00 2001 From: Roger Quadros <rogerq(a)kernel.org> Date: Fri, 11 Oct 2024 13:53:24 +0300 Subject: [PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), system suspend is broken on AM62 TI platforms. Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY bits (hence forth called 2 SUSPHY bits) were being set during core initialization and even during core re-initialization after a system suspend/resume. These bits are required to be set for system suspend/resume to work correctly on AM62 platforms. Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget driver is not loaded and started. For Host mode, the 2 SUSPHY bits are set before the first system suspend but get cleared at system resume during core re-init and are never set again. This patch resovles these two issues by ensuring the 2 SUSPHY bits are set before system suspend and restored to the original state during system resume. Cc: stable(a)vger.kernel.org # v6.9+ Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ Signed-off-by: Roger Quadros <rogerq(a)kernel.org> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Tested-by: Markus Schneider-Pargmann <msp(a)baylibre.com> Reviewed-by: Dhruva Gole <d-gole(a)ti.com> Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 21740e2b8f07..427e5660f87c 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2342,6 +2342,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) u32 reg; int i; + dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & + DWC3_GUSB2PHYCFG_SUSPHY) || + (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & + DWC3_GUSB3PIPECTL_SUSPHY); + switch (dwc->current_dr_role) { case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) @@ -2393,6 +2398,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* + * TI AM62 platform requires SUSPHY to be + * enabled for system suspend to work. + */ + if (!dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } @@ -2460,6 +2474,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* restore SUSPHY state to that before system suspend. */ + dwc3_enable_susphy(dwc, dwc->susphy_state); + } + return 0; } diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 9c508e0c5cdf..eab81dfdcc35 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -1150,6 +1150,8 @@ struct dwc3_scratchpad_array { * @sys_wakeup: set if the device may do system wakeup. * @wakeup_configured: set if the device is configured for remote wakeup. * @suspended: set to track suspend event due to U3/L2. + * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY + * before PM suspend. * @imod_interval: set the interrupt moderation interval in 250ns * increments or 0 to disable. * @max_cfg_eps: current max number of IN eps used across all USB configs. @@ -1382,6 +1384,7 @@ struct dwc3 { unsigned sys_wakeup:1; unsigned wakeup_configured:1; unsigned suspended:1; + unsigned susphy_state:1; u16 imod_interval;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: gadget: f_uac2: fix return value for" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9499327714de7bc5cf6c792112c1474932d8ad31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102111-sandstone-affected-1fd4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9499327714de7bc5cf6c792112c1474932d8ad31 Mon Sep 17 00:00:00 2001 From: Kevin Groeneveld <kgroeneveld(a)lenbrook.com> Date: Sun, 6 Oct 2024 19:26:31 -0400 Subject: [PATCH] usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store The configfs store callback should return the number of bytes consumed not the total number of bytes we actually stored. These could differ if for example the passed in string had a newline we did not store. If the returned value does not match the number of bytes written the writer might assume a failure or keep trying to write the remaining bytes. For example the following command will hang trying to write the final newline over and over again (tested on bash 2.05b): echo foo > function_name Fixes: 993a44fa85c1 ("usb: gadget: f_uac2: allow changing interface name via configfs") Cc: stable <stable(a)kernel.org> Signed-off-by: Kevin Groeneveld <kgroeneveld(a)lenbrook.com> Link: https://lore.kernel.org/r/20241006232637.4267-1-kgroeneveld@lenbrook.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c index 1cdda44455b3..ce5b77f89190 100644 --- a/drivers/usb/gadget/function/f_uac2.c +++ b/drivers/usb/gadget/function/f_uac2.c @@ -2061,7 +2061,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ const char *page, size_t len) \ { \ struct f_uac2_opts *opts = to_f_uac2_opts(item); \ - int ret = 0; \ + int ret = len; \ \ mutex_lock(&opts->lock); \ if (opts->refcnt) { \ @@ -2072,8 +2072,8 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ if (len && page[len - 1] == '\n') \ len--; \ \ - ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ - "%s", page); \ + scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ + "%s", page); \ \ end: \ mutex_unlock(&opts->lock); \

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] usb: gadget: f_uac2: fix return value for" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9499327714de7bc5cf6c792112c1474932d8ad31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102111-unbalance-roman-5bdd@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9499327714de7bc5cf6c792112c1474932d8ad31 Mon Sep 17 00:00:00 2001 From: Kevin Groeneveld <kgroeneveld(a)lenbrook.com> Date: Sun, 6 Oct 2024 19:26:31 -0400 Subject: [PATCH] usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store The configfs store callback should return the number of bytes consumed not the total number of bytes we actually stored. These could differ if for example the passed in string had a newline we did not store. If the returned value does not match the number of bytes written the writer might assume a failure or keep trying to write the remaining bytes. For example the following command will hang trying to write the final newline over and over again (tested on bash 2.05b): echo foo > function_name Fixes: 993a44fa85c1 ("usb: gadget: f_uac2: allow changing interface name via configfs") Cc: stable <stable(a)kernel.org> Signed-off-by: Kevin Groeneveld <kgroeneveld(a)lenbrook.com> Link: https://lore.kernel.org/r/20241006232637.4267-1-kgroeneveld@lenbrook.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c index 1cdda44455b3..ce5b77f89190 100644 --- a/drivers/usb/gadget/function/f_uac2.c +++ b/drivers/usb/gadget/function/f_uac2.c @@ -2061,7 +2061,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ const char *page, size_t len) \ { \ struct f_uac2_opts *opts = to_f_uac2_opts(item); \ - int ret = 0; \ + int ret = len; \ \ mutex_lock(&opts->lock); \ if (opts->refcnt) { \ @@ -2072,8 +2072,8 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \ if (len && page[len - 1] == '\n') \ len--; \ \ - ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ - "%s", page); \ + scnprintf(opts->name, min(sizeof(opts->name), len + 1), \ + "%s", page); \ \ end: \ mutex_unlock(&opts->lock); \

8 months, 2 weeks

1
0
0 0

[PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled

by Peter Collingbourne

When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image struct on the stack is passed during the size calculation pass and an address on the heap is passed during code generation. This may cause a heap buffer overflow if the heap address is tagged because emit_a64_mov_i64() will emit longer code than it did during the size calculation pass. The same problem could occur without tag-based KASAN if one of the 16-bit words of the stack address happened to be all-ones during the size calculation pass. Fix the problem by assuming the worst case (4 instructions) when calculating the size of the bpf_tramp_image address emission. Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG") Signed-off-by: Peter Collingbourne <pcc(a)google.com> Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf437… Cc: stable(a)vger.kernel.org --- arch/arm64/net/bpf_jit_comp.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c index 8bbd0b20136a8..5db82bfc9dc11 100644 --- a/arch/arm64/net/bpf_jit_comp.c +++ b/arch/arm64/net/bpf_jit_comp.c @@ -2220,7 +2220,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx); if (flags & BPF_TRAMP_F_CALL_ORIG) { - emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); + /* for the first pass, assume the worst case */ + if (!ctx->image) + ctx->idx += 4; + else + emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); emit_call((const u64)__bpf_tramp_enter, ctx); } @@ -2264,7 +2268,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, if (flags & BPF_TRAMP_F_CALL_ORIG) { im->ip_epilogue = ctx->ro_image + ctx->idx; - emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); + /* for the first pass, assume the worst case */ + if (!ctx->image) + ctx->idx += 4; + else + emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); emit_call((const u64)__bpf_tramp_exit, ctx); } -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] xhci: dbc: honor usb transfer size boundaries." failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 30c9ae5ece8ecd69d36e6912c2c0896418f2468c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102146-theme-encircle-9ead@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 30c9ae5ece8ecd69d36e6912c2c0896418f2468c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Wed, 16 Oct 2024 17:00:00 +0300 Subject: [PATCH] xhci: dbc: honor usb transfer size boundaries. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat each completed full size write to /dev/ttyDBC0 as a separate usb transfer. Make sure the size of the TRBs matches the size of the tty write by first queuing as many max packet size TRBs as possible up to the last TRB which will be cut short to match the size of the tty write. This solves an issue where userspace writes several transfers back to back via /dev/ttyDBC0 into a kfifo before dbgtty can find available request to turn that kfifo data into TRBs on the transfer ring. The boundary between transfer was lost as xhci-dbgtty then turned everyting in the kfifo into as many 'max packet size' TRBs as possible. DbC would then send more data to the host than intended for that transfer, causing host to issue a babble error. Refuse to write more data to kfifo until previous tty write data is turned into properly sized TRBs with data size boundaries matching tty write size Tested-by: Uday M Bhat <uday.m.bhat(a)intel.com> Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h index 8ec813b6e9fd..9dc8f4d8077c 100644 --- a/drivers/usb/host/xhci-dbgcap.h +++ b/drivers/usb/host/xhci-dbgcap.h @@ -110,6 +110,7 @@ struct dbc_port { struct tasklet_struct push; struct list_head write_pool; + unsigned int tx_boundary; bool registered; }; diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index b8e78867e25a..d719c16ea30b 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) return dbc->priv; } +static unsigned int +dbc_kfifo_to_req(struct dbc_port *port, char *packet) +{ + unsigned int len; + + len = kfifo_len(&port->port.xmit_fifo); + + if (len == 0) + return 0; + + len = min(len, DBC_MAX_PACKET); + + if (port->tx_boundary) + len = min(port->tx_boundary, len); + + len = kfifo_out(&port->port.xmit_fifo, packet, len); + + if (port->tx_boundary) + port->tx_boundary -= len; + + return len; +} + static int dbc_start_tx(struct dbc_port *port) __releases(&port->port_lock) __acquires(&port->port_lock) @@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port) while (!list_empty(pool)) { req = list_entry(pool->next, struct dbc_request, list_pool); - len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); + len = dbc_kfifo_to_req(port, req->buf); if (len == 0) break; do_tty_wake = true; @@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, { struct dbc_port *port = tty->driver_data; unsigned long flags; + unsigned int written = 0; spin_lock_irqsave(&port->port_lock, flags); - if (count) - count = kfifo_in(&port->port.xmit_fifo, buf, count); - dbc_start_tx(port); + + /* + * Treat tty write as one usb transfer. Make sure the writes are turned + * into TRB request having the same size boundaries as the tty writes. + * Don't add data to kfifo before previous write is turned into TRBs + */ + if (port->tx_boundary) { + spin_unlock_irqrestore(&port->port_lock, flags); + return 0; + } + + if (count) { + written = kfifo_in(&port->port.xmit_fifo, buf, count); + + if (written == count) + port->tx_boundary = kfifo_len(&port->port.xmit_fifo); + + dbc_start_tx(port); + } + spin_unlock_irqrestore(&port->port_lock, flags); - return count; + return written; } static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) @@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) spin_lock_irqsave(&port->port_lock, flags); room = kfifo_avail(&port->port.xmit_fifo); + + if (port->tx_boundary) + room = 0; + spin_unlock_irqrestore(&port->port_lock, flags); return room;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: dbc: honor usb transfer size boundaries." failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 30c9ae5ece8ecd69d36e6912c2c0896418f2468c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102144-cinch-foster-09d5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 30c9ae5ece8ecd69d36e6912c2c0896418f2468c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Wed, 16 Oct 2024 17:00:00 +0300 Subject: [PATCH] xhci: dbc: honor usb transfer size boundaries. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat each completed full size write to /dev/ttyDBC0 as a separate usb transfer. Make sure the size of the TRBs matches the size of the tty write by first queuing as many max packet size TRBs as possible up to the last TRB which will be cut short to match the size of the tty write. This solves an issue where userspace writes several transfers back to back via /dev/ttyDBC0 into a kfifo before dbgtty can find available request to turn that kfifo data into TRBs on the transfer ring. The boundary between transfer was lost as xhci-dbgtty then turned everyting in the kfifo into as many 'max packet size' TRBs as possible. DbC would then send more data to the host than intended for that transfer, causing host to issue a babble error. Refuse to write more data to kfifo until previous tty write data is turned into properly sized TRBs with data size boundaries matching tty write size Tested-by: Uday M Bhat <uday.m.bhat(a)intel.com> Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h index 8ec813b6e9fd..9dc8f4d8077c 100644 --- a/drivers/usb/host/xhci-dbgcap.h +++ b/drivers/usb/host/xhci-dbgcap.h @@ -110,6 +110,7 @@ struct dbc_port { struct tasklet_struct push; struct list_head write_pool; + unsigned int tx_boundary; bool registered; }; diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index b8e78867e25a..d719c16ea30b 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) return dbc->priv; } +static unsigned int +dbc_kfifo_to_req(struct dbc_port *port, char *packet) +{ + unsigned int len; + + len = kfifo_len(&port->port.xmit_fifo); + + if (len == 0) + return 0; + + len = min(len, DBC_MAX_PACKET); + + if (port->tx_boundary) + len = min(port->tx_boundary, len); + + len = kfifo_out(&port->port.xmit_fifo, packet, len); + + if (port->tx_boundary) + port->tx_boundary -= len; + + return len; +} + static int dbc_start_tx(struct dbc_port *port) __releases(&port->port_lock) __acquires(&port->port_lock) @@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port) while (!list_empty(pool)) { req = list_entry(pool->next, struct dbc_request, list_pool); - len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); + len = dbc_kfifo_to_req(port, req->buf); if (len == 0) break; do_tty_wake = true; @@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, { struct dbc_port *port = tty->driver_data; unsigned long flags; + unsigned int written = 0; spin_lock_irqsave(&port->port_lock, flags); - if (count) - count = kfifo_in(&port->port.xmit_fifo, buf, count); - dbc_start_tx(port); + + /* + * Treat tty write as one usb transfer. Make sure the writes are turned + * into TRB request having the same size boundaries as the tty writes. + * Don't add data to kfifo before previous write is turned into TRBs + */ + if (port->tx_boundary) { + spin_unlock_irqrestore(&port->port_lock, flags); + return 0; + } + + if (count) { + written = kfifo_in(&port->port.xmit_fifo, buf, count); + + if (written == count) + port->tx_boundary = kfifo_len(&port->port.xmit_fifo); + + dbc_start_tx(port); + } + spin_unlock_irqrestore(&port->port_lock, flags); - return count; + return written; } static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) @@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) spin_lock_irqsave(&port->port_lock, flags); room = kfifo_avail(&port->port.xmit_fifo); + + if (port->tx_boundary) + room = 0; + spin_unlock_irqrestore(&port->port_lock, flags); return room;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: dbc: honor usb transfer size boundaries." failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 30c9ae5ece8ecd69d36e6912c2c0896418f2468c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102143-chevy-extras-add3@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 30c9ae5ece8ecd69d36e6912c2c0896418f2468c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Wed, 16 Oct 2024 17:00:00 +0300 Subject: [PATCH] xhci: dbc: honor usb transfer size boundaries. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat each completed full size write to /dev/ttyDBC0 as a separate usb transfer. Make sure the size of the TRBs matches the size of the tty write by first queuing as many max packet size TRBs as possible up to the last TRB which will be cut short to match the size of the tty write. This solves an issue where userspace writes several transfers back to back via /dev/ttyDBC0 into a kfifo before dbgtty can find available request to turn that kfifo data into TRBs on the transfer ring. The boundary between transfer was lost as xhci-dbgtty then turned everyting in the kfifo into as many 'max packet size' TRBs as possible. DbC would then send more data to the host than intended for that transfer, causing host to issue a babble error. Refuse to write more data to kfifo until previous tty write data is turned into properly sized TRBs with data size boundaries matching tty write size Tested-by: Uday M Bhat <uday.m.bhat(a)intel.com> Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h index 8ec813b6e9fd..9dc8f4d8077c 100644 --- a/drivers/usb/host/xhci-dbgcap.h +++ b/drivers/usb/host/xhci-dbgcap.h @@ -110,6 +110,7 @@ struct dbc_port { struct tasklet_struct push; struct list_head write_pool; + unsigned int tx_boundary; bool registered; }; diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index b8e78867e25a..d719c16ea30b 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) return dbc->priv; } +static unsigned int +dbc_kfifo_to_req(struct dbc_port *port, char *packet) +{ + unsigned int len; + + len = kfifo_len(&port->port.xmit_fifo); + + if (len == 0) + return 0; + + len = min(len, DBC_MAX_PACKET); + + if (port->tx_boundary) + len = min(port->tx_boundary, len); + + len = kfifo_out(&port->port.xmit_fifo, packet, len); + + if (port->tx_boundary) + port->tx_boundary -= len; + + return len; +} + static int dbc_start_tx(struct dbc_port *port) __releases(&port->port_lock) __acquires(&port->port_lock) @@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port) while (!list_empty(pool)) { req = list_entry(pool->next, struct dbc_request, list_pool); - len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); + len = dbc_kfifo_to_req(port, req->buf); if (len == 0) break; do_tty_wake = true; @@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, { struct dbc_port *port = tty->driver_data; unsigned long flags; + unsigned int written = 0; spin_lock_irqsave(&port->port_lock, flags); - if (count) - count = kfifo_in(&port->port.xmit_fifo, buf, count); - dbc_start_tx(port); + + /* + * Treat tty write as one usb transfer. Make sure the writes are turned + * into TRB request having the same size boundaries as the tty writes. + * Don't add data to kfifo before previous write is turned into TRBs + */ + if (port->tx_boundary) { + spin_unlock_irqrestore(&port->port_lock, flags); + return 0; + } + + if (count) { + written = kfifo_in(&port->port.xmit_fifo, buf, count); + + if (written == count) + port->tx_boundary = kfifo_len(&port->port.xmit_fifo); + + dbc_start_tx(port); + } + spin_unlock_irqrestore(&port->port_lock, flags); - return count; + return written; } static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) @@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) spin_lock_irqsave(&port->port_lock, flags); room = kfifo_avail(&port->port.xmit_fifo); + + if (port->tx_boundary) + room = 0; + spin_unlock_irqrestore(&port->port_lock, flags); return room;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: dbc: honor usb transfer size boundaries." failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 30c9ae5ece8ecd69d36e6912c2c0896418f2468c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102142-eskimo-lumber-a654@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 30c9ae5ece8ecd69d36e6912c2c0896418f2468c Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Wed, 16 Oct 2024 17:00:00 +0300 Subject: [PATCH] xhci: dbc: honor usb transfer size boundaries. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat each completed full size write to /dev/ttyDBC0 as a separate usb transfer. Make sure the size of the TRBs matches the size of the tty write by first queuing as many max packet size TRBs as possible up to the last TRB which will be cut short to match the size of the tty write. This solves an issue where userspace writes several transfers back to back via /dev/ttyDBC0 into a kfifo before dbgtty can find available request to turn that kfifo data into TRBs on the transfer ring. The boundary between transfer was lost as xhci-dbgtty then turned everyting in the kfifo into as many 'max packet size' TRBs as possible. DbC would then send more data to the host than intended for that transfer, causing host to issue a babble error. Refuse to write more data to kfifo until previous tty write data is turned into properly sized TRBs with data size boundaries matching tty write size Tested-by: Uday M Bhat <uday.m.bhat(a)intel.com> Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h index 8ec813b6e9fd..9dc8f4d8077c 100644 --- a/drivers/usb/host/xhci-dbgcap.h +++ b/drivers/usb/host/xhci-dbgcap.h @@ -110,6 +110,7 @@ struct dbc_port { struct tasklet_struct push; struct list_head write_pool; + unsigned int tx_boundary; bool registered; }; diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index b8e78867e25a..d719c16ea30b 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc) return dbc->priv; } +static unsigned int +dbc_kfifo_to_req(struct dbc_port *port, char *packet) +{ + unsigned int len; + + len = kfifo_len(&port->port.xmit_fifo); + + if (len == 0) + return 0; + + len = min(len, DBC_MAX_PACKET); + + if (port->tx_boundary) + len = min(port->tx_boundary, len); + + len = kfifo_out(&port->port.xmit_fifo, packet, len); + + if (port->tx_boundary) + port->tx_boundary -= len; + + return len; +} + static int dbc_start_tx(struct dbc_port *port) __releases(&port->port_lock) __acquires(&port->port_lock) @@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port) while (!list_empty(pool)) { req = list_entry(pool->next, struct dbc_request, list_pool); - len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET); + len = dbc_kfifo_to_req(port, req->buf); if (len == 0) break; do_tty_wake = true; @@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf, { struct dbc_port *port = tty->driver_data; unsigned long flags; + unsigned int written = 0; spin_lock_irqsave(&port->port_lock, flags); - if (count) - count = kfifo_in(&port->port.xmit_fifo, buf, count); - dbc_start_tx(port); + + /* + * Treat tty write as one usb transfer. Make sure the writes are turned + * into TRB request having the same size boundaries as the tty writes. + * Don't add data to kfifo before previous write is turned into TRBs + */ + if (port->tx_boundary) { + spin_unlock_irqrestore(&port->port_lock, flags); + return 0; + } + + if (count) { + written = kfifo_in(&port->port.xmit_fifo, buf, count); + + if (written == count) + port->tx_boundary = kfifo_len(&port->port.xmit_fifo); + + dbc_start_tx(port); + } + spin_unlock_irqrestore(&port->port_lock, flags); - return count; + return written; } static int dbc_tty_put_char(struct tty_struct *tty, u8 ch) @@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty) spin_lock_irqsave(&port->port_lock, flags); room = kfifo_avail(&port->port.xmit_fifo); + + if (port->tx_boundary) + room = 0; + spin_unlock_irqrestore(&port->port_lock, flags); return room;

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: Mitigate failed set dequeue pointer commands" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x fe49df60cdb7c2975aa743dc295f8786e4b7db10 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102120-valid-uncured-dcca@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fe49df60cdb7c2975aa743dc295f8786e4b7db10 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Wed, 16 Oct 2024 16:59:58 +0300 Subject: [PATCH] xhci: Mitigate failed set dequeue pointer commands Avoid xHC host from processing a cancelled URB by always turning cancelled URB TDs into no-op TRBs before queuing a 'Set TR Deq' command. If the command fails then xHC will start processing the cancelled TD instead of skipping it once endpoint is restarted, causing issues like Babble error. This is not a complete solution as a failed 'Set TR Deq' command does not guarantee xHC TRB caches are cleared. Fixes: 4db356924a50 ("xhci: turn cancelled td cleanup to its own function") Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20241016140000.783905-3-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 4d664ba53fe9..7dedf31bbddd 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1023,7 +1023,7 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) td_to_noop(xhci, ring, cached_td, false); cached_td->cancel_status = TD_CLEARED; } - + td_to_noop(xhci, ring, td, false); td->cancel_status = TD_CLEARING_CACHE; cached_td = td; break;

8 months, 2 weeks

1
0
0 0

Pls pick up two bluetooth fixes

by Thorsten Leemhuis

Hi Greg! Please consider picking up the following two bluetooth fixes for the next round of stable updates, they fix problems quite a few users hit in various stable series due to backports: 4084286151fc91 ("Bluetooth: btusb: Fix not being able to reconnect after suspend") [v6.12-rc4] for 6.11.y and 2c1dda2acc4192 ("Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001") [v6.12-rc4] for 5.10.y and later For details see also: https://lore.kernel.org/all/CABBYNZL0_j4EDWzDS=kXc1Vy0D6ToU+oYnP_uBWTKoXbEa… tia! Ciao, Thorsten

8 months, 2 weeks

2
1
0 0

[PATCH] ALSA: hda/tas2781: select CRC32 instead of CRC32_SARWATE

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> Fix the kconfig option for the tas2781 HDA driver to select CRC32 rather than CRC32_SARWATE. CRC32_SARWATE is an option from the kconfig 'choice' that selects the specific CRC32 implementation. Selecting a 'choice' option seems to have no effect, but even if it did work, it would be incorrect for a random driver to override the user's choice. CRC32 is the correct option to select for crc32() to be available. Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- sound/pci/hda/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/Kconfig b/sound/pci/hda/Kconfig index bb15a0248250c..68f1eee9e5c93 100644 --- a/sound/pci/hda/Kconfig +++ b/sound/pci/hda/Kconfig @@ -196,11 +196,11 @@ config SND_HDA_SCODEC_TAS2781_I2C depends on ACPI depends on EFI depends on SND_SOC select SND_SOC_TAS2781_COMLIB select SND_SOC_TAS2781_FMWLIB - select CRC32_SARWATE + select CRC32 help Say Y or M here to include TAS2781 I2C HD-audio side codec support in snd-hda-intel driver, such as ALC287. comment "Set to Y if you want auto-loading the side codec driver" base-commit: 715ca9dd687f89ddaac8ec8ccb3b5e5a30311a99 -- 2.47.0

8 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] iio: adc: ti-lmp92064: add missing select" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a985576af824426e33100554a5958a6beda60a1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102110-tableful-unnatural-5dab@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a985576af824426e33100554a5958a6beda60a13 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:52 +0200 Subject: [PATCH] iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 6c7bc1d27bb2 ("iio: adc: ti-lmp92064: add buffering support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-6-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index 68640fa26f4e..c1197ee3dc68 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1530,6 +1530,8 @@ config TI_LMP92064 tristate "Texas Instruments LMP92064 ADC driver" depends on SPI select REGMAP_SPI + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for the LMP92064 Precision Current and Voltage sensor.

8 months, 2 weeks

1
0
0 0

6.6.57-stable regression: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed" broke NFLOG on IPv6

by Krzysztof Olędzki

Hi, After upgrading to 6.6.57 I noticed that my IPv6 firewall config failed to load. Quick investigation flagged NFLOG to be the issue: # ip6tables -I INPUT -j NFLOG Warning: Extension NFLOG revision 0 not supported, missing kernel module? ip6tables: No chain/target/match by that name. The regression is caused by the following commit: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/… More precisely, the bug is in the change below: +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + { + .name = "NFLOG", + .revision = 0, + .family = NFPROTO_IPV4, + .checkentry = nflog_tg_check, + .destroy = nflog_tg_destroy, + .target = nflog_tg, + .targetsize = sizeof(struct xt_nflog_info), + .me = THIS_MODULE, + }, +#endif Replacing NFPROTO_IPV4 with NFPROTO_IPV6 fixed the issue. Looking at the commit, it seems that at least one more target (MARK) may be also impacted: +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + { + .name = "MARK", + .revision = 2, + .family = NFPROTO_IPV4, + .target = mark_tg, + .targetsize = sizeof(struct xt_mark_tginfo2), + .me = THIS_MODULE, + }, +#endif The same errors seem to be present in the main tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… I also suspect other -stable trees may be impacted by the same issue. Best regards, Krzysztof Olędzki

8 months, 2 weeks

3
3
0 0

[PATCH] iio: invensense: fix multiple odr switch when FIFO is off

by Jean-Baptiste Maneyrol via B4 Relay

From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> When multiple ODR switch happens during FIFO off, the change could not be taken into account if you get back to previous FIFO on value. For example, if you run sensor buffer at 50Hz, stop, change to 200Hz, then back to 50Hz and restart buffer, data will be timestamped at 200Hz. This due to testing against mult and not new_mult. To prevent this, let's just run apply_odr automatically when FIFO is off. It will also simplify driver code. Update inv_mpu6050 and inv_icm42600 to delete now useless apply_odr. Fixes: 95444b9eeb8c ("iio: invensense: fix odr switching to same value") Cc: stable(a)vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> --- drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 4 ++++ drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 1 - drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 1 - drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 1 - 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c index f44458c380d92823ce2e7e5f78ca877ea4c06118..37d0bdaa8d824f79dcd2f341be7501d249926951 100644 --- a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c +++ b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c @@ -70,6 +70,10 @@ int inv_sensors_timestamp_update_odr(struct inv_sensors_timestamp *ts, if (mult != ts->mult) ts->new_mult = mult; + /* When FIFO is off, directly apply the new ODR */ + if (!fifo) + inv_sensors_timestamp_apply_odr(ts, 0, 0, 0); + return 0; } EXPORT_SYMBOL_NS_GPL(inv_sensors_timestamp_update_odr, IIO_INV_SENSORS_TIMESTAMP); diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c index 56ac198142500a2e1fc40b62cdd465cc736d8bf0..d061a64ebbf71859a3bc44644a14137dff0f9efe 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c @@ -229,7 +229,6 @@ static int inv_icm42600_accel_update_scan_mode(struct iio_dev *indio_dev, } /* update data FIFO write */ - inv_sensors_timestamp_apply_odr(ts, 0, 0, 0); ret = inv_icm42600_buffer_set_fifo_en(st, fifo_en | st->fifo.en); out_unlock: diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c index 938af5b640b00f58d2b8185f752c4755edfb0d25..f1e5a9648c4f5dd34f40136d02c72c90473eff37 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c @@ -128,7 +128,6 @@ static int inv_icm42600_gyro_update_scan_mode(struct iio_dev *indio_dev, } /* update data FIFO write */ - inv_sensors_timestamp_apply_odr(ts, 0, 0, 0); ret = inv_icm42600_buffer_set_fifo_en(st, fifo_en | st->fifo.en); out_unlock: diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c index 3bfeabab0ec4f6fa28fbbcd47afe92af5b8a58e2..5b1088cc3704f1ad1288a0d65b2f957b91455d7f 100644 --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c @@ -112,7 +112,6 @@ int inv_mpu6050_prepare_fifo(struct inv_mpu6050_state *st, bool enable) if (enable) { /* reset timestamping */ inv_sensors_timestamp_reset(&st->timestamp); - inv_sensors_timestamp_apply_odr(&st->timestamp, 0, 0, 0); /* reset FIFO */ d = st->chip_config.user_ctrl | INV_MPU6050_BIT_FIFO_RST; ret = regmap_write(st->map, st->reg->user_ctrl, d); --- base-commit: c3e9df514041ec6c46be83801b1891392f4522f7 change-id: 20241017-invn-inv-sensors-timestamp-fix-switch-fifo-off-3f29110e95d0 Best regards, -- Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com>

8 months, 2 weeks

3
2
0 0

No sound on speakers X1 Carbon Gen 12

by Dean Matthew Menezes

I am not getting sound on the speakers on my Thinkpad X1 Carbon Gen 12 with kernel 6.11.2 The sound is working in kernel 6.8 Dean Menezes

8 months, 2 weeks

4
10
0 0

[PATCH v3] netfilter: xtables: fix a bunch of typos causing some targets to not load on IPv6

by Ilya Katsnelson

The xt_NFLOG and xt_MARK changes were added with the wrong family in 0bfcb7b71e73, which seems to just have been a typo, but now ip6tables rules with --set-mark don't work anymore, which is pretty bad. Pablo spotted another typo introduced in the same commit in xt_TRACE. Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed") Reviewed-by: Phil Sutter <phil(a)nwl.cc> Signed-off-by: Ilya Katsnelson <me(a)0upti.me> --- Changes in v3: - Fix another typo spotted by Pablo, adjust text accordingly. - CCing stable because it's a pretty bad regression. - Link to v2: https://lore.kernel.org/r/20241019-xtables-typos-v2-1-6b8b1735dc8e@0upti.me Changes in v2: - Fixed a typo in the commit message (that's karma). - Replaced a reference to backport commit. - Link to v1: https://lore.kernel.org/r/20241018-xtables-typos-v1-1-02a51789c0ec@0upti.me --- net/netfilter/xt_NFLOG.c | 2 +- net/netfilter/xt_TRACE.c | 1 + net/netfilter/xt_mark.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index d80abd6ccaf8f71fa70605fef7edada827a19ceb..6dcf4bc7e30b2ae364a1cd9ac8df954a90905c52 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = { { .name = "NFLOG", .revision = 0, - .family = NFPROTO_IPV4, + .family = NFPROTO_IPV6, .checkentry = nflog_tg_check, .destroy = nflog_tg_destroy, .target = nflog_tg, diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c index f3fa4f11348cd8ad796ce94f012cd48aa7a9020f..2a029b4adbcadf95e493b153f613a210624a9101 100644 --- a/net/netfilter/xt_TRACE.c +++ b/net/netfilter/xt_TRACE.c @@ -49,6 +49,7 @@ static struct xt_target trace_tg_reg[] __read_mostly = { .target = trace_tg, .checkentry = trace_tg_check, .destroy = trace_tg_destroy, + .me = THIS_MODULE, }, #endif }; diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c index f76fe04fc9a4e19f18ac323349ba6f22a00eafd7..65b965ca40ea7ea5d9feff381b433bf267a424c4 100644 --- a/net/netfilter/xt_mark.c +++ b/net/netfilter/xt_mark.c @@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = { { .name = "MARK", .revision = 2, - .family = NFPROTO_IPV4, + .family = NFPROTO_IPV6, .target = mark_tg, .targetsize = sizeof(struct xt_mark_tginfo2), .me = THIS_MODULE, --- base-commit: 75aa74d52f43e75d0beb20572f98529071b700e5 change-id: 20241018-xtables-typos-dfeadb8b122d Best regards, -- Ilya Katsnelson <me(a)0upti.me>

8 months, 2 weeks

3
2
0 0

[PATCH] usb: typec: qcom-pmic-typec: fix missing fwnode removal in error path

by Javier Carrasco

If drm_dp_hpd_bridge_register() fails, the probe function returns without removing the fwnode via fwnode_remove_software_node(), leaking the resource. Jump to fwnode_remove if drm_dp_hpd_bridge_register() fails to remove the software node acquired with device_get_named_child_node(). Cc: stable(a)vger.kernel.org Fixes: 7d9f1b72b296 ("usb: typec: qcom-pmic-typec: switch to DRM_AUX_HPD_BRIDGE") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c index 2201eeae5a99..776fc7f93f37 100644 --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c @@ -93,8 +93,10 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) return -EINVAL; bridge_dev = devm_drm_dp_hpd_bridge_alloc(tcpm->dev, to_of_node(tcpm->tcpc.fwnode)); - if (IS_ERR(bridge_dev)) - return PTR_ERR(bridge_dev); + if (IS_ERR(bridge_dev)) { + ret = PTR_ERR(bridge_dev); + goto fwnode_remove; + } tcpm->tcpm_port = tcpm_register_port(tcpm->dev, &tcpm->tcpc); if (IS_ERR(tcpm->tcpm_port)) { --- base-commit: f2493655d2d3d5c6958ed996b043c821c23ae8d3 change-id: 20241019-qcom_pmic_typec-fwnode_remove-00dc49054cf7 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

8 months, 2 weeks

2
2
0 0

[PATCH] PCI: endpoint: Fix API devm_pci_epc_destroy() can not destroy the EPC device

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com> For devm_pci_epc_destroy(), its comment says it needs to destroy the EPC device, but it does not do that actually, so it can not fully undo what the API devm_pci_epc_create() does, that is wrong, fixed by using devres_release() instead of devres_destroy() within the API. Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- drivers/pci/endpoint/pci-epc-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c index 17f007109255..71b6d100056e 100644 --- a/drivers/pci/endpoint/pci-epc-core.c +++ b/drivers/pci/endpoint/pci-epc-core.c @@ -857,7 +857,7 @@ void devm_pci_epc_destroy(struct device *dev, struct pci_epc *epc) { int r; - r = devres_destroy(dev, devm_pci_epc_release, devm_pci_epc_match, + r = devres_release(dev, devm_pci_epc_release, devm_pci_epc_match, epc); dev_WARN_ONCE(dev, r, "couldn't find PCI EPC resource\n"); } --- base-commit: 715ca9dd687f89ddaac8ec8ccb3b5e5a30311a99 change-id: 20241020-pci-epc-core_fix-a92512fa9d19 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu/smu13: always apply the powersave optimization" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7a1613e47e65ba6967085ad99dee95420346a0ce # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102019-mummy-veteran-1b27@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7a1613e47e65ba6967085ad99dee95420346a0ce Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Thu, 3 Oct 2024 10:09:50 -0400 Subject: [PATCH] drm/amdgpu/smu13: always apply the powersave optimization It can avoid margin issues in some very demanding applications. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3618 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3131 Fixes: c50fe289ed72 ("drm/amdgpu/swsmu: always force a state reprogram on init") Reviewed-by: Kenneth Feng <kenneth.feng(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 62f38b4ccaa6aa063ca781d80b10aacd39dc5c76) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c index 1d024b122b0c..cb923e33fd6f 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c @@ -2555,18 +2555,16 @@ static int smu_v13_0_0_set_power_profile_mode(struct smu_context *smu, workload_mask = 1 << workload_type; /* Add optimizations for SMU13.0.0/10. Reuse the power saving profile */ - if (smu->power_profile_mode == PP_SMC_POWER_PROFILE_COMPUTE) { - if ((amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 0) && - ((smu->adev->pm.fw_version == 0x004e6601) || - (smu->adev->pm.fw_version >= 0x004e7300))) || - (amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 10) && - smu->adev->pm.fw_version >= 0x00504500)) { - workload_type = smu_cmn_to_asic_specific_index(smu, - CMN2ASIC_MAPPING_WORKLOAD, - PP_SMC_POWER_PROFILE_POWERSAVING); - if (workload_type >= 0) - workload_mask |= 1 << workload_type; - } + if ((amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 0) && + ((smu->adev->pm.fw_version == 0x004e6601) || + (smu->adev->pm.fw_version >= 0x004e7300))) || + (amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 10) && + smu->adev->pm.fw_version >= 0x00504500)) { + workload_type = smu_cmn_to_asic_specific_index(smu, + CMN2ASIC_MAPPING_WORKLOAD, + PP_SMC_POWER_PROFILE_POWERSAVING); + if (workload_type >= 0) + workload_mask |= 1 << workload_type; } ret = smu_cmn_send_smc_msg_with_param(smu,

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu/smu13: always apply the powersave optimization" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7a1613e47e65ba6967085ad99dee95420346a0ce # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102018-distrust-unworthy-142c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7a1613e47e65ba6967085ad99dee95420346a0ce Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Thu, 3 Oct 2024 10:09:50 -0400 Subject: [PATCH] drm/amdgpu/smu13: always apply the powersave optimization It can avoid margin issues in some very demanding applications. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3618 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3131 Fixes: c50fe289ed72 ("drm/amdgpu/swsmu: always force a state reprogram on init") Reviewed-by: Kenneth Feng <kenneth.feng(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 62f38b4ccaa6aa063ca781d80b10aacd39dc5c76) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c index 1d024b122b0c..cb923e33fd6f 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c @@ -2555,18 +2555,16 @@ static int smu_v13_0_0_set_power_profile_mode(struct smu_context *smu, workload_mask = 1 << workload_type; /* Add optimizations for SMU13.0.0/10. Reuse the power saving profile */ - if (smu->power_profile_mode == PP_SMC_POWER_PROFILE_COMPUTE) { - if ((amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 0) && - ((smu->adev->pm.fw_version == 0x004e6601) || - (smu->adev->pm.fw_version >= 0x004e7300))) || - (amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 10) && - smu->adev->pm.fw_version >= 0x00504500)) { - workload_type = smu_cmn_to_asic_specific_index(smu, - CMN2ASIC_MAPPING_WORKLOAD, - PP_SMC_POWER_PROFILE_POWERSAVING); - if (workload_type >= 0) - workload_mask |= 1 << workload_type; - } + if ((amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 0) && + ((smu->adev->pm.fw_version == 0x004e6601) || + (smu->adev->pm.fw_version >= 0x004e7300))) || + (amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 10) && + smu->adev->pm.fw_version >= 0x00504500)) { + workload_type = smu_cmn_to_asic_specific_index(smu, + CMN2ASIC_MAPPING_WORKLOAD, + PP_SMC_POWER_PROFILE_POWERSAVING); + if (workload_type >= 0) + workload_mask |= 1 << workload_type; } ret = smu_cmn_send_smc_msg_with_param(smu,

8 months, 2 weeks

1
0
0 0

[PATCH] usb: phy: Fix API devm_usb_put_phy() can not release the phy

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com> For devm_usb_put_phy(), its comment says it needs to invoke usb_put_phy() to release the phy, but it does not do that actually, so it can not fully undo what the API devm_usb_get_phy() does, that is wrong, fixed by using devres_release() instead of devres_destroy() within the API. Fixes: cedf8602373a ("usb: phy: move bulk of otg/otg.c to phy/phy.c") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- The API is directly used by drivers/usb/musb/sunxi.c, sorry for that i can't evaluate relevant impact since i know nothing about sunxi. --- drivers/usb/phy/phy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c index 06e0fb23566c..06f789097989 100644 --- a/drivers/usb/phy/phy.c +++ b/drivers/usb/phy/phy.c @@ -628,7 +628,7 @@ void devm_usb_put_phy(struct device *dev, struct usb_phy *phy) { int r; - r = devres_destroy(dev, devm_usb_phy_release, devm_usb_phy_match, phy); + r = devres_release(dev, devm_usb_phy_release, devm_usb_phy_match, phy); dev_WARN_ONCE(dev, r, "couldn't find PHY resource\n"); } EXPORT_SYMBOL_GPL(devm_usb_put_phy); --- base-commit: 07b887f8236eb3ed52f1fe83e385e6436dc4b052 change-id: 20241020-usb_phy_fix-9d7c67ef4ab4 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: ufs: core: Requeue aborted request" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 8fa075804cb3b00960dd5c06554308175c834530 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102014-dorsal-renounce-5242@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8fa075804cb3b00960dd5c06554308175c834530 Mon Sep 17 00:00:00 2001 From: Peter Wang <peter.wang(a)mediatek.com> Date: Tue, 1 Oct 2024 17:19:17 +0800 Subject: [PATCH] scsi: ufs: core: Requeue aborted request After the SQ cleanup fix, the CQ will receive a response with the corresponding tag marked as OCS: ABORTED. To align with the behavior of Legacy SDB mode, the handling of OCS: ABORTED has been changed to match that of OCS_INVALID_COMMAND_STATUS (SDB), with both returning a SCSI result of DID_REQUEUE. Furthermore, the workaround implemented before the SQ cleanup fix can be removed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Link: https://lore.kernel.org/r/20241001091917.6917-3-peter.wang@mediatek.com Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 6a71ebf953e2..f845166dc0d7 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -5416,10 +5416,12 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; - break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; + dev_warn(hba->dev, + "OCS %s from controller for tag %d\n", + (ocs == OCS_ABORTED ? "aborted" : "invalid"), + lrbp->task_tag); break; case OCS_INVALID_CMD_TABLE_ATTR: case OCS_INVALID_PRDT_ATTR: @@ -6465,26 +6467,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; }

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 19a198b67767d952c8f3d0cf24eb3100522a8223 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102050-unequal-radiator-f679@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 19a198b67767d952c8f3d0cf24eb3100522a8223 Mon Sep 17 00:00:00 2001 From: Seunghwan Baek <sh8267.baek(a)samsung.com> Date: Thu, 29 Aug 2024 18:39:13 +0900 Subject: [PATCH] scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down There is a history of deadlock if reboot is performed at the beginning of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS shutdown, and at that time the audio driver was waiting on blk_mq_submit_bio() holding a mutex_lock while reading the fw binary. After that, a deadlock issue occurred while audio driver shutdown was waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down after a UFS shutdown will return an error. [ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown] [ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49] [ 31.907806]I[0: swapper/0: 0] Call trace: [ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338 [ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc [ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8 [ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40 [ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac [ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24 [ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec [ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280 [ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c [ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280 [ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158 [ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4 [ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0 [ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0 [ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4 [ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4 [ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter] [ 31.908783]I[0: swapper/0: 0] Call trace: [ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338 [ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc [ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8 [ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178 [ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c [ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun") Cc: stable(a)vger.kernel.org Signed-off-by: Seunghwan Baek <sh8267.baek(a)samsung.com> Link: https://lore.kernel.org/r/20240829093913.6282-2-sh8267.baek@samsung.com Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index f845166dc0d7..706dc81eb924 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -10197,7 +10197,9 @@ static void ufshcd_wl_shutdown(struct device *dev) shost_for_each_device(sdev, hba->host) { if (sdev == hba->ufs_device_wlun) continue; - scsi_device_quiesce(sdev); + mutex_lock(&sdev->state_mutex); + scsi_device_set_state(sdev, SDEV_OFFLINE); + mutex_unlock(&sdev->state_mutex); } __ufshcd_wl_suspend(hba, UFS_SHUTDOWN_PM);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: mpi3mr: Validate SAS port assignments" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102028-henchman-favorable-6119@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 Mon Sep 17 00:00:00 2001 From: Ranjan Kumar <ranjan.kumar(a)broadcom.com> Date: Tue, 8 Oct 2024 13:13:53 +0530 Subject: [PATCH] scsi: mpi3mr: Validate SAS port assignments A sanity check on phy_mask was added in commit 3668651def2c ("scsi: mpi3mr: Sanitise num_phys"). This causes warning messages when more than 64 phys are detected and devices connected to phys greater than 64 are dropped. The phy_mask bitmap is only needed for controller phys and not required for expander phys. Controller phys can go up to a maximum of 64 and therefore u64 is good enough to contain phy_mask bitmap. To suppress those warnings and allow devices to be discovered as before the offending commit, restrict the phy_mask setting and lowest phy setting only to the controller phys. Fixes: 3668651def2c ("scsi: mpi3mr: Sanitise num_phys") Cc: stable(a)vger.kernel.org Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202410051943.Mp9o5DlF-lkp@intel.com/ Reported-by: Alexander Motin <mav(a)ixsystems.com> Signed-off-by: Ranjan Kumar <ranjan.kumar(a)broadcom.com> Link: https://lore.kernel.org/r/20241008074353.200379-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h index fcb0fa31536b..16e0baeb8799 100644 --- a/drivers/scsi/mpi3mr/mpi3mr.h +++ b/drivers/scsi/mpi3mr/mpi3mr.h @@ -542,8 +542,8 @@ struct mpi3mr_hba_port { * @port_list: List of ports belonging to a SAS node * @num_phys: Number of phys associated with port * @marked_responding: used while refresing the sas ports - * @lowest_phy: lowest phy ID of current sas port - * @phy_mask: phy_mask of current sas port + * @lowest_phy: lowest phy ID of current sas port, valid for controller port + * @phy_mask: phy_mask of current sas port, valid for controller port * @hba_port: HBA port entry * @remote_identify: Attached device identification * @rphy: SAS transport layer rphy object diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c index ccd23def2e0c..0ba9e6a6a13c 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c @@ -590,12 +590,13 @@ static enum sas_linkrate mpi3mr_convert_phy_link_rate(u8 link_rate) * @mrioc: Adapter instance reference * @mr_sas_port: Internal Port object * @mr_sas_phy: Internal Phy object + * @host_node: Flag to indicate this is a host_node * * Return: None. */ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, struct mpi3mr_sas_port *mr_sas_port, - struct mpi3mr_sas_phy *mr_sas_phy) + struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node) { u64 sas_address = mr_sas_port->remote_identify.sas_address; @@ -605,9 +606,13 @@ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, list_del(&mr_sas_phy->port_siblings); mr_sas_port->num_phys--; - mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id); - if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id) - mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + + if (host_node) { + mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id); + + if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id) + mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + } sas_port_delete_phy(mr_sas_port->port, mr_sas_phy->phy); mr_sas_phy->phy_belongs_to_port = 0; } @@ -617,12 +622,13 @@ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, * @mrioc: Adapter instance reference * @mr_sas_port: Internal Port object * @mr_sas_phy: Internal Phy object + * @host_node: Flag to indicate this is a host_node * * Return: None. */ static void mpi3mr_add_sas_phy(struct mpi3mr_ioc *mrioc, struct mpi3mr_sas_port *mr_sas_port, - struct mpi3mr_sas_phy *mr_sas_phy) + struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node) { u64 sas_address = mr_sas_port->remote_identify.sas_address; @@ -632,9 +638,12 @@ static void mpi3mr_add_sas_phy(struct mpi3mr_ioc *mrioc, list_add_tail(&mr_sas_phy->port_siblings, &mr_sas_port->phy_list); mr_sas_port->num_phys++; - mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id); - if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy) - mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + if (host_node) { + mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id); + + if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy) + mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + } sas_port_add_phy(mr_sas_port->port, mr_sas_phy->phy); mr_sas_phy->phy_belongs_to_port = 1; } @@ -675,7 +684,7 @@ static void mpi3mr_add_phy_to_an_existing_port(struct mpi3mr_ioc *mrioc, if (srch_phy == mr_sas_phy) return; } - mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy); + mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy, mr_sas_node->host_node); return; } } @@ -736,7 +745,7 @@ static void mpi3mr_del_phy_from_an_existing_port(struct mpi3mr_ioc *mrioc, mpi3mr_delete_sas_port(mrioc, mr_sas_port); else mpi3mr_delete_sas_phy(mrioc, mr_sas_port, - mr_sas_phy); + mr_sas_phy, mr_sas_node->host_node); return; } } @@ -1028,7 +1037,7 @@ mpi3mr_alloc_hba_port(struct mpi3mr_ioc *mrioc, u16 port_id) /** * mpi3mr_get_hba_port_by_id - find hba port by id * @mrioc: Adapter instance reference - * @port_id - Port ID to search + * @port_id: Port ID to search * * Return: mpi3mr_hba_port reference for the matched port */ @@ -1367,7 +1376,8 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, mr_sas_port->remote_identify.sas_address, hba_port); - if (mr_sas_node->num_phys >= sizeof(mr_sas_port->phy_mask) * 8) + if (mr_sas_node->host_node && mr_sas_node->num_phys >= + sizeof(mr_sas_port->phy_mask) * 8) ioc_info(mrioc, "max port count %u could be too high\n", mr_sas_node->num_phys); @@ -1377,7 +1387,7 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, (mr_sas_node->phy[i].hba_port != hba_port)) continue; - if (i >= sizeof(mr_sas_port->phy_mask) * 8) { + if (mr_sas_node->host_node && (i >= sizeof(mr_sas_port->phy_mask) * 8)) { ioc_warn(mrioc, "skipping port %u, max allowed value is %zu\n", i, sizeof(mr_sas_port->phy_mask) * 8); goto out_fail; @@ -1385,7 +1395,8 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, list_add_tail(&mr_sas_node->phy[i].port_siblings, &mr_sas_port->phy_list); mr_sas_port->num_phys++; - mr_sas_port->phy_mask |= (1 << i); + if (mr_sas_node->host_node) + mr_sas_port->phy_mask |= (1 << i); } if (!mr_sas_port->num_phys) { @@ -1394,7 +1405,8 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, goto out_fail; } - mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + if (mr_sas_node->host_node) + mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; if (mr_sas_port->remote_identify.device_type == SAS_END_DEVICE) { tgtdev = mpi3mr_get_tgtdev_by_addr(mrioc,

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] scsi: mpi3mr: Validate SAS port assignments" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102027-late-goggles-8ae6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 Mon Sep 17 00:00:00 2001 From: Ranjan Kumar <ranjan.kumar(a)broadcom.com> Date: Tue, 8 Oct 2024 13:13:53 +0530 Subject: [PATCH] scsi: mpi3mr: Validate SAS port assignments A sanity check on phy_mask was added in commit 3668651def2c ("scsi: mpi3mr: Sanitise num_phys"). This causes warning messages when more than 64 phys are detected and devices connected to phys greater than 64 are dropped. The phy_mask bitmap is only needed for controller phys and not required for expander phys. Controller phys can go up to a maximum of 64 and therefore u64 is good enough to contain phy_mask bitmap. To suppress those warnings and allow devices to be discovered as before the offending commit, restrict the phy_mask setting and lowest phy setting only to the controller phys. Fixes: 3668651def2c ("scsi: mpi3mr: Sanitise num_phys") Cc: stable(a)vger.kernel.org Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202410051943.Mp9o5DlF-lkp@intel.com/ Reported-by: Alexander Motin <mav(a)ixsystems.com> Signed-off-by: Ranjan Kumar <ranjan.kumar(a)broadcom.com> Link: https://lore.kernel.org/r/20241008074353.200379-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h index fcb0fa31536b..16e0baeb8799 100644 --- a/drivers/scsi/mpi3mr/mpi3mr.h +++ b/drivers/scsi/mpi3mr/mpi3mr.h @@ -542,8 +542,8 @@ struct mpi3mr_hba_port { * @port_list: List of ports belonging to a SAS node * @num_phys: Number of phys associated with port * @marked_responding: used while refresing the sas ports - * @lowest_phy: lowest phy ID of current sas port - * @phy_mask: phy_mask of current sas port + * @lowest_phy: lowest phy ID of current sas port, valid for controller port + * @phy_mask: phy_mask of current sas port, valid for controller port * @hba_port: HBA port entry * @remote_identify: Attached device identification * @rphy: SAS transport layer rphy object diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c index ccd23def2e0c..0ba9e6a6a13c 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_transport.c +++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c @@ -590,12 +590,13 @@ static enum sas_linkrate mpi3mr_convert_phy_link_rate(u8 link_rate) * @mrioc: Adapter instance reference * @mr_sas_port: Internal Port object * @mr_sas_phy: Internal Phy object + * @host_node: Flag to indicate this is a host_node * * Return: None. */ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, struct mpi3mr_sas_port *mr_sas_port, - struct mpi3mr_sas_phy *mr_sas_phy) + struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node) { u64 sas_address = mr_sas_port->remote_identify.sas_address; @@ -605,9 +606,13 @@ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, list_del(&mr_sas_phy->port_siblings); mr_sas_port->num_phys--; - mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id); - if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id) - mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + + if (host_node) { + mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id); + + if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id) + mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + } sas_port_delete_phy(mr_sas_port->port, mr_sas_phy->phy); mr_sas_phy->phy_belongs_to_port = 0; } @@ -617,12 +622,13 @@ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc, * @mrioc: Adapter instance reference * @mr_sas_port: Internal Port object * @mr_sas_phy: Internal Phy object + * @host_node: Flag to indicate this is a host_node * * Return: None. */ static void mpi3mr_add_sas_phy(struct mpi3mr_ioc *mrioc, struct mpi3mr_sas_port *mr_sas_port, - struct mpi3mr_sas_phy *mr_sas_phy) + struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node) { u64 sas_address = mr_sas_port->remote_identify.sas_address; @@ -632,9 +638,12 @@ static void mpi3mr_add_sas_phy(struct mpi3mr_ioc *mrioc, list_add_tail(&mr_sas_phy->port_siblings, &mr_sas_port->phy_list); mr_sas_port->num_phys++; - mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id); - if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy) - mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + if (host_node) { + mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id); + + if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy) + mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + } sas_port_add_phy(mr_sas_port->port, mr_sas_phy->phy); mr_sas_phy->phy_belongs_to_port = 1; } @@ -675,7 +684,7 @@ static void mpi3mr_add_phy_to_an_existing_port(struct mpi3mr_ioc *mrioc, if (srch_phy == mr_sas_phy) return; } - mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy); + mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy, mr_sas_node->host_node); return; } } @@ -736,7 +745,7 @@ static void mpi3mr_del_phy_from_an_existing_port(struct mpi3mr_ioc *mrioc, mpi3mr_delete_sas_port(mrioc, mr_sas_port); else mpi3mr_delete_sas_phy(mrioc, mr_sas_port, - mr_sas_phy); + mr_sas_phy, mr_sas_node->host_node); return; } } @@ -1028,7 +1037,7 @@ mpi3mr_alloc_hba_port(struct mpi3mr_ioc *mrioc, u16 port_id) /** * mpi3mr_get_hba_port_by_id - find hba port by id * @mrioc: Adapter instance reference - * @port_id - Port ID to search + * @port_id: Port ID to search * * Return: mpi3mr_hba_port reference for the matched port */ @@ -1367,7 +1376,8 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, mr_sas_port->remote_identify.sas_address, hba_port); - if (mr_sas_node->num_phys >= sizeof(mr_sas_port->phy_mask) * 8) + if (mr_sas_node->host_node && mr_sas_node->num_phys >= + sizeof(mr_sas_port->phy_mask) * 8) ioc_info(mrioc, "max port count %u could be too high\n", mr_sas_node->num_phys); @@ -1377,7 +1387,7 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, (mr_sas_node->phy[i].hba_port != hba_port)) continue; - if (i >= sizeof(mr_sas_port->phy_mask) * 8) { + if (mr_sas_node->host_node && (i >= sizeof(mr_sas_port->phy_mask) * 8)) { ioc_warn(mrioc, "skipping port %u, max allowed value is %zu\n", i, sizeof(mr_sas_port->phy_mask) * 8); goto out_fail; @@ -1385,7 +1395,8 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, list_add_tail(&mr_sas_node->phy[i].port_siblings, &mr_sas_port->phy_list); mr_sas_port->num_phys++; - mr_sas_port->phy_mask |= (1 << i); + if (mr_sas_node->host_node) + mr_sas_port->phy_mask |= (1 << i); } if (!mr_sas_port->num_phys) { @@ -1394,7 +1405,8 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, goto out_fail; } - mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; + if (mr_sas_node->host_node) + mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1; if (mr_sas_port->remote_identify.device_type == SAS_END_DEVICE) { tgtdev = mpi3mr_get_tgtdev_by_addr(mrioc,

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x e972b08b91ef48488bae9789f03cfedb148667fb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102019-roundness-penholder-bb3f@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e972b08b91ef48488bae9789f03cfedb148667fb Mon Sep 17 00:00:00 2001 From: Omar Sandoval <osandov(a)fb.com> Date: Tue, 15 Oct 2024 10:59:46 -0700 Subject: [PATCH] blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race We're seeing crashes from rq_qos_wake_function that look like this: BUG: unable to handle page fault for address: ffffafe180a40084 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40 Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00 RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011 RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084 RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011 R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002 R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> try_to_wake_up+0x5a/0x6a0 rq_qos_wake_function+0x71/0x80 __wake_up_common+0x75/0xa0 __wake_up+0x36/0x60 scale_up.part.0+0x50/0x110 wb_timer_fn+0x227/0x450 ... So rq_qos_wake_function() calls wake_up_process(data->task), which calls try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock). p comes from data->task, and data comes from the waitqueue entry, which is stored on the waiter's stack in rq_qos_wait(). Analyzing the core dump with drgn, I found that the waiter had already woken up and moved on to a completely unrelated code path, clobbering what was previously data->task. Meanwhile, the waker was passing the clobbered garbage in data->task to wake_up_process(), leading to the crash. What's happening is that in between rq_qos_wake_function() deleting the waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding that it already got a token and returning. The race looks like this: rq_qos_wait() rq_qos_wake_function() ============================================================== prepare_to_wait_exclusive() data->got_token = true; list_del_init(&curr->entry); if (data.got_token) break; finish_wait(&rqw->wait, &data.wq); ^- returns immediately because list_empty_careful(&wq_entry->entry) is true ... return, go do something else ... wake_up_process(data->task) (NO LONGER VALID!)-^ Normally, finish_wait() is supposed to synchronize against the waker. But, as noted above, it is returning immediately because the waitqueue entry has already been removed from the waitqueue. The bug is that rq_qos_wake_function() is accessing the waitqueue entry AFTER deleting it. Note that autoremove_wake_function() wakes the waiter and THEN deletes the waitqueue entry, which is the proper order. Fix it by swapping the order. We also need to use list_del_init_careful() to match the list_empty_careful() in finish_wait(). Fixes: 38cfb5a45ee0 ("blk-wbt: improve waking of tasks") Cc: stable(a)vger.kernel.org Signed-off-by: Omar Sandoval <osandov(a)fb.com> Acked-by: Tejun Heo <tj(a)kernel.org> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Link: https://lore.kernel.org/r/d3bee2463a67b1ee597211823bf7ad3721c26e41.17290145… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/blk-rq-qos.c b/block/blk-rq-qos.c index 2cfb297d9a62..058f92c4f9d5 100644 --- a/block/blk-rq-qos.c +++ b/block/blk-rq-qos.c @@ -219,8 +219,8 @@ static int rq_qos_wake_function(struct wait_queue_entry *curr, data->got_token = true; smp_wmb(); - list_del_init(&curr->entry); wake_up_process(data->task); + list_del_init_careful(&curr->entry); return 1; }

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 2c02f7375e658ae93d57a31a66f91b62754ef8f1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102001-badly-overvalue-6662@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Oct 2024 21:43:00 -0400 Subject: [PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks The function graph infrastructure allocates a shadow stack for every task when enabled. This includes the idle tasks. The first time the function graph is invoked, the shadow stacks are created and never freed until the task exits. This includes the idle tasks. Only the idle tasks that were for online CPUs had their shadow stacks created when function graph tracing started. If function graph tracing is enabled and a CPU comes online, the idle task representing that CPU will not have its shadow stack created, and all function graph tracing for that idle task will be silently dropped. Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. This will include idle tasks for CPUs that come online during tracing. This issue can be reproduced by: # cd /sys/kernel/tracing # echo 0 > /sys/devices/system/cpu/cpu1/online # echo 0 > set_ftrace_pid # echo function_graph > current_tracer # echo 1 > options/funcgraph-proc # echo 1 > /sys/devices/system/cpu/cpu1 # grep '<idle>' per_cpu/cpu1/trace | head Before, nothing would show up. After: 1) <idle>-0 | 0.811 us | __enqueue_entity(); 1) <idle>-0 | 5.626 us | } /* enqueue_entity */ 1) <idle>-0 | | dl_server_update_idle_time() { 1) <idle>-0 | | dl_scaled_delta_exec() { 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity(); 1) <idle>-0 | 1.242 us | } 1) <idle>-0 | 1.908 us | } 1) <idle>-0 | | dl_server_start() { 1) <idle>-0 | | enqueue_dl_entity() { 1) <idle>-0 | | task_contending() { Note, if tracing stops and restarts, the old way would then initialize the onlined CPUs. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/20241018214300.6df82178@rorschach Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index d7d4fb403f6f..43f4e3f57438 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) static int start_graph_tracing(void) { unsigned long **ret_stack_list; - int ret, cpu; + int ret; ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); if (!ret_stack_list) return -ENOMEM; - /* The cpu_boot init_task->ret_stack will never be freed */ - for_each_online_cpu(cpu) { - if (!idle_task(cpu)->ret_stack) - ftrace_graph_init_idle_task(idle_task(cpu), cpu); - } - do { ret = alloc_retstack_tasklist(ret_stack_list); } while (ret == -EAGAIN); @@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(bool disable_branch) fgraph_direct_gops = &fgraph_stub; } +/* The cpu_boot init_task->ret_stack will never be freed */ +static int fgraph_cpu_init(unsigned int cpu) +{ + if (!idle_task(cpu)->ret_stack) + ftrace_graph_init_idle_task(idle_task(cpu), cpu); + return 0; +} + int register_ftrace_graph(struct fgraph_ops *gops) { + static bool fgraph_initialized; int command = 0; int ret = 0; int i = -1; mutex_lock(&ftrace_lock); + if (!fgraph_initialized) { + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", + fgraph_cpu_init, NULL); + if (ret < 0) { + pr_warn("fgraph: Error to init cpu hotplug support\n"); + return ret; + } + fgraph_initialized = true; + ret = 0; + } + if (!fgraph_array[0]) { /* The array must always have real data on it */ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2c02f7375e658ae93d57a31a66f91b62754ef8f1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102000-mortician-chant-190e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Oct 2024 21:43:00 -0400 Subject: [PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks The function graph infrastructure allocates a shadow stack for every task when enabled. This includes the idle tasks. The first time the function graph is invoked, the shadow stacks are created and never freed until the task exits. This includes the idle tasks. Only the idle tasks that were for online CPUs had their shadow stacks created when function graph tracing started. If function graph tracing is enabled and a CPU comes online, the idle task representing that CPU will not have its shadow stack created, and all function graph tracing for that idle task will be silently dropped. Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. This will include idle tasks for CPUs that come online during tracing. This issue can be reproduced by: # cd /sys/kernel/tracing # echo 0 > /sys/devices/system/cpu/cpu1/online # echo 0 > set_ftrace_pid # echo function_graph > current_tracer # echo 1 > options/funcgraph-proc # echo 1 > /sys/devices/system/cpu/cpu1 # grep '<idle>' per_cpu/cpu1/trace | head Before, nothing would show up. After: 1) <idle>-0 | 0.811 us | __enqueue_entity(); 1) <idle>-0 | 5.626 us | } /* enqueue_entity */ 1) <idle>-0 | | dl_server_update_idle_time() { 1) <idle>-0 | | dl_scaled_delta_exec() { 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity(); 1) <idle>-0 | 1.242 us | } 1) <idle>-0 | 1.908 us | } 1) <idle>-0 | | dl_server_start() { 1) <idle>-0 | | enqueue_dl_entity() { 1) <idle>-0 | | task_contending() { Note, if tracing stops and restarts, the old way would then initialize the onlined CPUs. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/20241018214300.6df82178@rorschach Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index d7d4fb403f6f..43f4e3f57438 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) static int start_graph_tracing(void) { unsigned long **ret_stack_list; - int ret, cpu; + int ret; ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); if (!ret_stack_list) return -ENOMEM; - /* The cpu_boot init_task->ret_stack will never be freed */ - for_each_online_cpu(cpu) { - if (!idle_task(cpu)->ret_stack) - ftrace_graph_init_idle_task(idle_task(cpu), cpu); - } - do { ret = alloc_retstack_tasklist(ret_stack_list); } while (ret == -EAGAIN); @@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(bool disable_branch) fgraph_direct_gops = &fgraph_stub; } +/* The cpu_boot init_task->ret_stack will never be freed */ +static int fgraph_cpu_init(unsigned int cpu) +{ + if (!idle_task(cpu)->ret_stack) + ftrace_graph_init_idle_task(idle_task(cpu), cpu); + return 0; +} + int register_ftrace_graph(struct fgraph_ops *gops) { + static bool fgraph_initialized; int command = 0; int ret = 0; int i = -1; mutex_lock(&ftrace_lock); + if (!fgraph_initialized) { + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", + fgraph_cpu_init, NULL); + if (ret < 0) { + pr_warn("fgraph: Error to init cpu hotplug support\n"); + return ret; + } + fgraph_initialized = true; + ret = 0; + } + if (!fgraph_array[0]) { /* The array must always have real data on it */ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2c02f7375e658ae93d57a31a66f91b62754ef8f1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102058-headphone-embody-6747@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Oct 2024 21:43:00 -0400 Subject: [PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks The function graph infrastructure allocates a shadow stack for every task when enabled. This includes the idle tasks. The first time the function graph is invoked, the shadow stacks are created and never freed until the task exits. This includes the idle tasks. Only the idle tasks that were for online CPUs had their shadow stacks created when function graph tracing started. If function graph tracing is enabled and a CPU comes online, the idle task representing that CPU will not have its shadow stack created, and all function graph tracing for that idle task will be silently dropped. Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. This will include idle tasks for CPUs that come online during tracing. This issue can be reproduced by: # cd /sys/kernel/tracing # echo 0 > /sys/devices/system/cpu/cpu1/online # echo 0 > set_ftrace_pid # echo function_graph > current_tracer # echo 1 > options/funcgraph-proc # echo 1 > /sys/devices/system/cpu/cpu1 # grep '<idle>' per_cpu/cpu1/trace | head Before, nothing would show up. After: 1) <idle>-0 | 0.811 us | __enqueue_entity(); 1) <idle>-0 | 5.626 us | } /* enqueue_entity */ 1) <idle>-0 | | dl_server_update_idle_time() { 1) <idle>-0 | | dl_scaled_delta_exec() { 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity(); 1) <idle>-0 | 1.242 us | } 1) <idle>-0 | 1.908 us | } 1) <idle>-0 | | dl_server_start() { 1) <idle>-0 | | enqueue_dl_entity() { 1) <idle>-0 | | task_contending() { Note, if tracing stops and restarts, the old way would then initialize the onlined CPUs. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/20241018214300.6df82178@rorschach Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index d7d4fb403f6f..43f4e3f57438 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) static int start_graph_tracing(void) { unsigned long **ret_stack_list; - int ret, cpu; + int ret; ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); if (!ret_stack_list) return -ENOMEM; - /* The cpu_boot init_task->ret_stack will never be freed */ - for_each_online_cpu(cpu) { - if (!idle_task(cpu)->ret_stack) - ftrace_graph_init_idle_task(idle_task(cpu), cpu); - } - do { ret = alloc_retstack_tasklist(ret_stack_list); } while (ret == -EAGAIN); @@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(bool disable_branch) fgraph_direct_gops = &fgraph_stub; } +/* The cpu_boot init_task->ret_stack will never be freed */ +static int fgraph_cpu_init(unsigned int cpu) +{ + if (!idle_task(cpu)->ret_stack) + ftrace_graph_init_idle_task(idle_task(cpu), cpu); + return 0; +} + int register_ftrace_graph(struct fgraph_ops *gops) { + static bool fgraph_initialized; int command = 0; int ret = 0; int i = -1; mutex_lock(&ftrace_lock); + if (!fgraph_initialized) { + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", + fgraph_cpu_init, NULL); + if (ret < 0) { + pr_warn("fgraph: Error to init cpu hotplug support\n"); + return ret; + } + fgraph_initialized = true; + ret = 0; + } + if (!fgraph_array[0]) { /* The array must always have real data on it */ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2c02f7375e658ae93d57a31a66f91b62754ef8f1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102057-skipper-growl-db34@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Oct 2024 21:43:00 -0400 Subject: [PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks The function graph infrastructure allocates a shadow stack for every task when enabled. This includes the idle tasks. The first time the function graph is invoked, the shadow stacks are created and never freed until the task exits. This includes the idle tasks. Only the idle tasks that were for online CPUs had their shadow stacks created when function graph tracing started. If function graph tracing is enabled and a CPU comes online, the idle task representing that CPU will not have its shadow stack created, and all function graph tracing for that idle task will be silently dropped. Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. This will include idle tasks for CPUs that come online during tracing. This issue can be reproduced by: # cd /sys/kernel/tracing # echo 0 > /sys/devices/system/cpu/cpu1/online # echo 0 > set_ftrace_pid # echo function_graph > current_tracer # echo 1 > options/funcgraph-proc # echo 1 > /sys/devices/system/cpu/cpu1 # grep '<idle>' per_cpu/cpu1/trace | head Before, nothing would show up. After: 1) <idle>-0 | 0.811 us | __enqueue_entity(); 1) <idle>-0 | 5.626 us | } /* enqueue_entity */ 1) <idle>-0 | | dl_server_update_idle_time() { 1) <idle>-0 | | dl_scaled_delta_exec() { 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity(); 1) <idle>-0 | 1.242 us | } 1) <idle>-0 | 1.908 us | } 1) <idle>-0 | | dl_server_start() { 1) <idle>-0 | | enqueue_dl_entity() { 1) <idle>-0 | | task_contending() { Note, if tracing stops and restarts, the old way would then initialize the onlined CPUs. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/20241018214300.6df82178@rorschach Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index d7d4fb403f6f..43f4e3f57438 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) static int start_graph_tracing(void) { unsigned long **ret_stack_list; - int ret, cpu; + int ret; ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); if (!ret_stack_list) return -ENOMEM; - /* The cpu_boot init_task->ret_stack will never be freed */ - for_each_online_cpu(cpu) { - if (!idle_task(cpu)->ret_stack) - ftrace_graph_init_idle_task(idle_task(cpu), cpu); - } - do { ret = alloc_retstack_tasklist(ret_stack_list); } while (ret == -EAGAIN); @@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(bool disable_branch) fgraph_direct_gops = &fgraph_stub; } +/* The cpu_boot init_task->ret_stack will never be freed */ +static int fgraph_cpu_init(unsigned int cpu) +{ + if (!idle_task(cpu)->ret_stack) + ftrace_graph_init_idle_task(idle_task(cpu), cpu); + return 0; +} + int register_ftrace_graph(struct fgraph_ops *gops) { + static bool fgraph_initialized; int command = 0; int ret = 0; int i = -1; mutex_lock(&ftrace_lock); + if (!fgraph_initialized) { + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", + fgraph_cpu_init, NULL); + if (ret < 0) { + pr_warn("fgraph: Error to init cpu hotplug support\n"); + return ret; + } + fgraph_initialized = true; + ret = 0; + } + if (!fgraph_array[0]) { /* The array must always have real data on it */ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2c02f7375e658ae93d57a31a66f91b62754ef8f1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102055-nugget-delicious-edfe@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Oct 2024 21:43:00 -0400 Subject: [PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks The function graph infrastructure allocates a shadow stack for every task when enabled. This includes the idle tasks. The first time the function graph is invoked, the shadow stacks are created and never freed until the task exits. This includes the idle tasks. Only the idle tasks that were for online CPUs had their shadow stacks created when function graph tracing started. If function graph tracing is enabled and a CPU comes online, the idle task representing that CPU will not have its shadow stack created, and all function graph tracing for that idle task will be silently dropped. Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. This will include idle tasks for CPUs that come online during tracing. This issue can be reproduced by: # cd /sys/kernel/tracing # echo 0 > /sys/devices/system/cpu/cpu1/online # echo 0 > set_ftrace_pid # echo function_graph > current_tracer # echo 1 > options/funcgraph-proc # echo 1 > /sys/devices/system/cpu/cpu1 # grep '<idle>' per_cpu/cpu1/trace | head Before, nothing would show up. After: 1) <idle>-0 | 0.811 us | __enqueue_entity(); 1) <idle>-0 | 5.626 us | } /* enqueue_entity */ 1) <idle>-0 | | dl_server_update_idle_time() { 1) <idle>-0 | | dl_scaled_delta_exec() { 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity(); 1) <idle>-0 | 1.242 us | } 1) <idle>-0 | 1.908 us | } 1) <idle>-0 | | dl_server_start() { 1) <idle>-0 | | enqueue_dl_entity() { 1) <idle>-0 | | task_contending() { Note, if tracing stops and restarts, the old way would then initialize the onlined CPUs. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/20241018214300.6df82178@rorschach Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index d7d4fb403f6f..43f4e3f57438 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) static int start_graph_tracing(void) { unsigned long **ret_stack_list; - int ret, cpu; + int ret; ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); if (!ret_stack_list) return -ENOMEM; - /* The cpu_boot init_task->ret_stack will never be freed */ - for_each_online_cpu(cpu) { - if (!idle_task(cpu)->ret_stack) - ftrace_graph_init_idle_task(idle_task(cpu), cpu); - } - do { ret = alloc_retstack_tasklist(ret_stack_list); } while (ret == -EAGAIN); @@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(bool disable_branch) fgraph_direct_gops = &fgraph_stub; } +/* The cpu_boot init_task->ret_stack will never be freed */ +static int fgraph_cpu_init(unsigned int cpu) +{ + if (!idle_task(cpu)->ret_stack) + ftrace_graph_init_idle_task(idle_task(cpu), cpu); + return 0; +} + int register_ftrace_graph(struct fgraph_ops *gops) { + static bool fgraph_initialized; int command = 0; int ret = 0; int i = -1; mutex_lock(&ftrace_lock); + if (!fgraph_initialized) { + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", + fgraph_cpu_init, NULL); + if (ret < 0) { + pr_warn("fgraph: Error to init cpu hotplug support\n"); + return ret; + } + fgraph_initialized = true; + ret = 0; + } + if (!fgraph_array[0]) { /* The array must always have real data on it */ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2c02f7375e658ae93d57a31a66f91b62754ef8f1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024102054-nineteen-exemplary-3f78@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Oct 2024 21:43:00 -0400 Subject: [PATCH] fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks The function graph infrastructure allocates a shadow stack for every task when enabled. This includes the idle tasks. The first time the function graph is invoked, the shadow stacks are created and never freed until the task exits. This includes the idle tasks. Only the idle tasks that were for online CPUs had their shadow stacks created when function graph tracing started. If function graph tracing is enabled and a CPU comes online, the idle task representing that CPU will not have its shadow stack created, and all function graph tracing for that idle task will be silently dropped. Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks. This will include idle tasks for CPUs that come online during tracing. This issue can be reproduced by: # cd /sys/kernel/tracing # echo 0 > /sys/devices/system/cpu/cpu1/online # echo 0 > set_ftrace_pid # echo function_graph > current_tracer # echo 1 > options/funcgraph-proc # echo 1 > /sys/devices/system/cpu/cpu1 # grep '<idle>' per_cpu/cpu1/trace | head Before, nothing would show up. After: 1) <idle>-0 | 0.811 us | __enqueue_entity(); 1) <idle>-0 | 5.626 us | } /* enqueue_entity */ 1) <idle>-0 | | dl_server_update_idle_time() { 1) <idle>-0 | | dl_scaled_delta_exec() { 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity(); 1) <idle>-0 | 1.242 us | } 1) <idle>-0 | 1.908 us | } 1) <idle>-0 | | dl_server_start() { 1) <idle>-0 | | enqueue_dl_entity() { 1) <idle>-0 | | task_contending() { Note, if tracing stops and restarts, the old way would then initialize the onlined CPUs. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/20241018214300.6df82178@rorschach Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index d7d4fb403f6f..43f4e3f57438 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void) static int start_graph_tracing(void) { unsigned long **ret_stack_list; - int ret, cpu; + int ret; ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL); if (!ret_stack_list) return -ENOMEM; - /* The cpu_boot init_task->ret_stack will never be freed */ - for_each_online_cpu(cpu) { - if (!idle_task(cpu)->ret_stack) - ftrace_graph_init_idle_task(idle_task(cpu), cpu); - } - do { ret = alloc_retstack_tasklist(ret_stack_list); } while (ret == -EAGAIN); @@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(bool disable_branch) fgraph_direct_gops = &fgraph_stub; } +/* The cpu_boot init_task->ret_stack will never be freed */ +static int fgraph_cpu_init(unsigned int cpu) +{ + if (!idle_task(cpu)->ret_stack) + ftrace_graph_init_idle_task(idle_task(cpu), cpu); + return 0; +} + int register_ftrace_graph(struct fgraph_ops *gops) { + static bool fgraph_initialized; int command = 0; int ret = 0; int i = -1; mutex_lock(&ftrace_lock); + if (!fgraph_initialized) { + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init", + fgraph_cpu_init, NULL); + if (ret < 0) { + pr_warn("fgraph: Error to init cpu hotplug support\n"); + return ret; + } + fgraph_initialized = true; + ret = 0; + } + if (!fgraph_array[0]) { /* The array must always have real data on it */ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)

8 months, 2 weeks

1
0
0 0

[PATCH 0/6] phy: core: Fix bugs for several APIs and simplify an API

by Zijun Hu

This patch series is to fix bugs for below APIs: devm_phy_put() devm_of_phy_provider_unregister() devm_phy_destroy() phy_get() of_phy_get() devm_of_phy_get_by_index() And simplify API of_phy_simple_xlate(). Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Zijun Hu (6): phy: core: Fix API devm_phy_put() can not release the phy phy: core: Fix API devm_of_phy_provider_unregister() can not unregister the phy provider phy: core: Fix API devm_phy_destroy() can not destroy the phy phy: core: Add missing of_node_put() for an error handling path of _of_phy_get() phy: core: Add missing of_node_put() in of_phy_provider_lookup() phy: core: Simplify API of_phy_simple_xlate() implementation drivers/phy/phy-core.c | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) --- base-commit: d8f9d6d826fc15780451802796bb88ec52978f17 change-id: 20241020-phy_core_fix-e3ad65db98f7 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

8 months, 2 weeks

3
10
0 0

[PATCH mm-unstable v1] mm: allow set/clear page_type again

by Yu Zhao

Some page flags (page->flags) were converted to page types (page->page_types). A recent example is PG_hugetlb. From the exclusive writer's perspective, e.g., a thread doing __folio_set_hugetlb(), there is a difference between the page flag and type APIs: the former allows the same non-atomic operation to be repeated whereas the latter does not. For example, calling __folio_set_hugetlb() twice triggers VM_BUG_ON_FOLIO(), since the second call expects the type (PG_hugetlb) not to be set previously. Using add_hugetlb_folio() as an example, it calls __folio_set_hugetlb() in the following error-handling path. And when that happens, it triggers the aforementioned VM_BUG_ON_FOLIO(). if (folio_test_hugetlb(folio)) { rc = hugetlb_vmemmap_restore_folio(h, folio); if (rc) { spin_lock_irq(&hugetlb_lock); add_hugetlb_folio(h, folio, false); ... It is possible to make hugeTLB comply with the new requirements from the page type API. However, a straightforward fix would be to just allow the same page type to be set or cleared again inside the API, to avoid any changes to its callers. Fixes: d99e3140a4d3 ("mm: turn folio_test_hugetlb into a PageType") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> --- include/linux/page-flags.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index ccf3c78faefc..e80665bc51fa 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -977,12 +977,16 @@ static __always_inline bool folio_test_##fname(const struct folio *folio) \ } \ static __always_inline void __folio_set_##fname(struct folio *folio) \ { \ + if (folio_test_##fname(folio)) \ + return; \ VM_BUG_ON_FOLIO(data_race(folio->page.page_type) != UINT_MAX, \ folio); \ folio->page.page_type = (unsigned int)PGTY_##lname << 24; \ } \ static __always_inline void __folio_clear_##fname(struct folio *folio) \ { \ + if (folio->page.page_type == UINT_MAX) \ + return; \ VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \ folio->page.page_type = UINT_MAX; \ } @@ -995,11 +999,15 @@ static __always_inline int Page##uname(const struct page *page) \ } \ static __always_inline void __SetPage##uname(struct page *page) \ { \ + if (Page##uname(page)) \ + return; \ VM_BUG_ON_PAGE(data_race(page->page_type) != UINT_MAX, page); \ page->page_type = (unsigned int)PGTY_##lname << 24; \ } \ static __always_inline void __ClearPage##uname(struct page *page) \ { \ + if (page->page_type == UINT_MAX) \ + return; \ VM_BUG_ON_PAGE(!Page##uname(page), page); \ page->page_type = UINT_MAX; \ } -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 2 weeks

1
0
0 0

[PATCH net] netfilter: xtables: fix a bad copypaste in xt_nflog module

by Ignat Korchagin

For the nflog_tg_reg struct under the CONFIG_IP6_NF_IPTABLES switch family should probably be NFPROTO_IPV6 Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed") Cc: stable(a)vger.kernel.org Signed-off-by: Ignat Korchagin <ignat(a)cloudflare.com> --- net/netfilter/xt_NFLOG.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index d80abd6ccaf8..6dcf4bc7e30b 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c @@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = { { .name = "NFLOG", .revision = 0, - .family = NFPROTO_IPV4, + .family = NFPROTO_IPV6, .checkentry = nflog_tg_check, .destroy = nflog_tg_destroy, .target = nflog_tg, -- 2.39.5

8 months, 2 weeks

2
1
0 0

[PATCH v6 5/5] tpm: flush the auth session only when /dev/tpm0 is open

by Jarkko Sakkinen

Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma <mapengyu(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: - No changes. v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4bc07963e260..c6fdeb4feaef 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 78d344607b53..844cfc338f33 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC -- 2.47.0

8 months, 2 weeks

1
1
0 0

[PATCH v6 1/5] tpm: Return on tpm2_create_null_primary() failure

by Jarkko Sakkinen

tpm2_sessions_init() does not ignore the result of tpm2_create_null_primary(). Address this by returning -ENODEV to the caller. Given that upper layers cannot help healing the situation further, deal with the TPM error here by Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v6: - Address: https://lore.kernel.org/linux-integrity/69c893e7-6b87-4daa-80db-44d1120e80f… as TPM RC is taken care of at the call site. Add also the missing documentation for the return values. v5: - Do not print klog messages on error, as tpm2_save_context() already takes care of this. v4: - Fixed up stable version. v3: - Handle TPM and POSIX error separately and return -ENODEV always back to the caller. v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 511c67061728..253639767c1e 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1347,6 +1347,11 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) * * Derive and context save the null primary and allocate memory in the * struct tpm_chip for the authorizations. + * + * Return: + * * 0 - OK + * * -errno - A system error + * * TPM_RC - A TPM error */ int tpm2_sessions_init(struct tpm_chip *chip) { @@ -1354,7 +1359,7 @@ int tpm2_sessions_init(struct tpm_chip *chip) rc = tpm2_create_null_primary(chip); if (rc) - dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) -- 2.47.0

8 months, 2 weeks

1
1
0 0

[PATCH 1/2] KVM: arm64: Don't retire aborted MMIO instruction

by Oliver Upton

Returning an abort to the guest for an unsupported MMIO access is a documented feature of the KVM UAPI. Nevertheless, it's clear that this plumbing has seen limited testing, since userspace can trivially cause a WARN in the MMIO return: WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 Call trace: kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133 kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487 __do_sys_ioctl fs/ioctl.c:51 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 The splat is complaining that KVM is advancing PC while an exception is pending, i.e. that KVM is retiring the MMIO instruction despite a pending external abort. Womp womp. Fix the glaring UAPI bug by skipping over all the MMIO emulation in case there is a pending synchronous exception. Note that while userspace is capable of pending an asynchronous exception (SError, IRQ, or FIQ), it is still safe to retire the MMIO instruction in this case as (1) they are by definition asynchronous, and (2) KVM relies on hardware support for pending/delivering these exceptions instead of the software state machine for advancing PC. Cc: stable(a)vger.kernel.org Fixes: da345174ceca ("KVM: arm/arm64: Allow user injection of external data aborts") Reported-by: Alexander Potapenko <glider(a)google.com> Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> --- arch/arm64/include/asm/kvm_emulate.h | 25 +++++++++++++++++++++++++ arch/arm64/kvm/mmio.c | 7 +++++-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h index a601a9305b10..1b229099f684 100644 --- a/arch/arm64/include/asm/kvm_emulate.h +++ b/arch/arm64/include/asm/kvm_emulate.h @@ -544,6 +544,31 @@ static __always_inline void kvm_incr_pc(struct kvm_vcpu *vcpu) vcpu_set_flag((v), e); \ } while (0) +static inline bool kvm_pending_sync_exception(struct kvm_vcpu *vcpu) +{ + if (!vcpu_get_flag(vcpu, PENDING_EXCEPTION)) + return false; + + if (vcpu_el1_is_32bit(vcpu)) { + switch (vcpu_get_flag(vcpu, EXCEPT_MASK)) { + case unpack_vcpu_flag(EXCEPT_AA32_UND): + case unpack_vcpu_flag(EXCEPT_AA32_IABT): + case unpack_vcpu_flag(EXCEPT_AA32_DABT): + return true; + default: + return false; + } + } else { + switch (vcpu_get_flag(vcpu, EXCEPT_MASK)) { + case unpack_vcpu_flag(EXCEPT_AA64_EL1_SYNC): + case unpack_vcpu_flag(EXCEPT_AA64_EL2_SYNC): + return true; + default: + return false; + } + } +} + #define __build_check_all_or_none(r, bits) \ BUILD_BUG_ON(((r) & (bits)) && ((r) & (bits)) != (bits)) diff --git a/arch/arm64/kvm/mmio.c b/arch/arm64/kvm/mmio.c index cd6b7b83e2c3..0155ba665717 100644 --- a/arch/arm64/kvm/mmio.c +++ b/arch/arm64/kvm/mmio.c @@ -84,8 +84,11 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu) unsigned int len; int mask; - /* Detect an already handled MMIO return */ - if (unlikely(!vcpu->mmio_needed)) + /* + * Detect if the MMIO return was already handled or if userspace aborted + * the MMIO access. + */ + if (unlikely(!vcpu->mmio_needed || kvm_pending_sync_exception(vcpu))) return 1; vcpu->mmio_needed = 0; -- 2.47.0.rc1.288.g06298d1525-goog

8 months, 2 weeks

2
2
0 0

[PATCH] xhci: Fix Link TRB DMA in command ring stopped completion event

by Faisal Hassan

During the aborting of a command, the software receives a command completion event for the command ring stopped, with the TRB pointing to the next TRB after the aborted command. If the command we abort is located just before the Link TRB in the command ring, then during the 'command ring stopped' completion event, the xHC gives the Link TRB in the event's cmd DMA, which causes a mismatch in handling command completion event. To handle this situation, an additional check has been added to ignore the mismatch error and continue the operation. Cc: stable(a)vger.kernel.org Signed-off-by: Faisal Hassan <quic_faisalh(a)quicinc.com> --- drivers/usb/host/xhci-ring.c | 38 +++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index b2950c35c740..43926c378df9 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -126,6 +126,32 @@ static void inc_td_cnt(struct urb *urb) urb_priv->num_tds_done++; } +/* + * Return true if the DMA is pointing to a Link TRB in the ring; + * otherwise, return false. + */ +static bool is_dma_link_trb(struct xhci_ring *ring, dma_addr_t dma) +{ + struct xhci_segment *seg; + union xhci_trb *trb; + dma_addr_t trb_dma; + int i; + + seg = ring->first_seg; + do { + for (i = 0; i < TRBS_PER_SEGMENT; i++) { + trb = &seg->trbs[i]; + trb_dma = seg->dma + (i * sizeof(union xhci_trb)); + + if (trb_is_link(trb) && trb_dma == dma) + return true; + } + seg = seg->next; + } while (seg != ring->first_seg); + + return false; +} + static void trb_to_noop(union xhci_trb *trb, u32 noop_type) { if (trb_is_link(trb)) { @@ -1718,13 +1744,21 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, trace_xhci_handle_command(xhci->cmd_ring, &cmd_trb->generic); + cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg, cmd_trb); /* * Check whether the completion event is for our internal kept * command. + * For the 'command ring stopped' completion event, there is a + * risk of a mismatch in dequeue pointers if we abort the command + * just before the link TRB in the command ring. In this scenario, + * the cmd_dma in the event would point to a link TRB, while the + * software dequeue pointer circles back to the start. */ - if (!cmd_dequeue_dma || cmd_dma != (u64)cmd_dequeue_dma) { + if ((!cmd_dequeue_dma || cmd_dma != (u64)cmd_dequeue_dma) && + !(cmd_comp_code == COMP_COMMAND_RING_STOPPED && + is_dma_link_trb(xhci->cmd_ring, cmd_dma))) { xhci_warn(xhci, "ERROR mismatched command completion event\n"); return; @@ -1734,8 +1768,6 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, cancel_delayed_work(&xhci->cmd_timer); - cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); - /* If CMD ring stopped we own the trbs between enqueue and dequeue */ if (cmd_comp_code == COMP_COMMAND_RING_STOPPED) { complete_all(&xhci->cmd_ring_stop_completion); -- 2.17.1

8 months, 2 weeks

3
4
0 0

FAILED: patch "[PATCH] nilfs2: propagate directory read errors from" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 08cfa12adf888db98879dbd735bc741360a34168 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101851-wok-iguana-839c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 08cfa12adf888db98879dbd735bc741360a34168 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Fri, 4 Oct 2024 12:35:31 +0900 Subject: [PATCH] nilfs2: propagate directory read errors from nilfs_find_entry() Syzbot reported that a task hang occurs in vcs_open() during a fuzzing test for nilfs2. The root cause of this problem is that in nilfs_find_entry(), which searches for directory entries, ignores errors when loading a directory page/folio via nilfs_get_folio() fails. If the filesystem images is corrupted, and the i_size of the directory inode is large, and the directory page/folio is successfully read but fails the sanity check, for example when it is zero-filled, nilfs_check_folio() may continue to spit out error messages in bursts. Fix this issue by propagating the error to the callers when loading a page/folio fails in nilfs_find_entry(). The current interface of nilfs_find_entry() and its callers is outdated and cannot propagate error codes such as -EIO and -ENOMEM returned via nilfs_find_entry(), so fix it together. Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: Lizhi Xu <lizhi.xu(a)windriver.com> Closes: https://lkml.kernel.org/r/20240927013806.3577931-1-lizhi.xu@windriver.com Reported-by: syzbot+8a192e8d090fa9a31135(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8a192e8d090fa9a31135 Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index fe5b1a30c509..a8602729586a 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -289,7 +289,7 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx) * The folio is mapped and unlocked. When the caller is finished with * the entry, it should call folio_release_kmap(). * - * On failure, returns NULL and the caller should ignore foliop. + * On failure, returns an error pointer and the caller should ignore foliop. */ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, const struct qstr *qstr, struct folio **foliop) @@ -312,22 +312,24 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, do { char *kaddr = nilfs_get_folio(dir, n, foliop); - if (!IS_ERR(kaddr)) { - de = (struct nilfs_dir_entry *)kaddr; - kaddr += nilfs_last_byte(dir, n) - reclen; - while ((char *) de <= kaddr) { - if (de->rec_len == 0) { - nilfs_error(dir->i_sb, - "zero-length directory entry"); - folio_release_kmap(*foliop, kaddr); - goto out; - } - if (nilfs_match(namelen, name, de)) - goto found; - de = nilfs_next_entry(de); + if (IS_ERR(kaddr)) + return ERR_CAST(kaddr); + + de = (struct nilfs_dir_entry *)kaddr; + kaddr += nilfs_last_byte(dir, n) - reclen; + while ((char *)de <= kaddr) { + if (de->rec_len == 0) { + nilfs_error(dir->i_sb, + "zero-length directory entry"); + folio_release_kmap(*foliop, kaddr); + goto out; } - folio_release_kmap(*foliop, kaddr); + if (nilfs_match(namelen, name, de)) + goto found; + de = nilfs_next_entry(de); } + folio_release_kmap(*foliop, kaddr); + if (++n >= npages) n = 0; /* next folio is past the blocks we've got */ @@ -340,7 +342,7 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, } } while (n != start); out: - return NULL; + return ERR_PTR(-ENOENT); found: ei->i_dir_start_lookup = n; @@ -384,18 +386,18 @@ fail: return NULL; } -ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) +int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino) { - ino_t res = 0; struct nilfs_dir_entry *de; struct folio *folio; de = nilfs_find_entry(dir, qstr, &folio); - if (de) { - res = le64_to_cpu(de->inode); - folio_release_kmap(folio, de); - } - return res; + if (IS_ERR(de)) + return PTR_ERR(de); + + *ino = le64_to_cpu(de->inode); + folio_release_kmap(folio, de); + return 0; } void nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c index c950139db6ef..4905063790c5 100644 --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -55,12 +55,20 @@ nilfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) { struct inode *inode; ino_t ino; + int res; if (dentry->d_name.len > NILFS_NAME_LEN) return ERR_PTR(-ENAMETOOLONG); - ino = nilfs_inode_by_name(dir, &dentry->d_name); - inode = ino ? nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino) : NULL; + res = nilfs_inode_by_name(dir, &dentry->d_name, &ino); + if (res) { + if (res != -ENOENT) + return ERR_PTR(res); + inode = NULL; + } else { + inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); + } + return d_splice_alias(inode, dentry); } @@ -263,10 +271,11 @@ static int nilfs_do_unlink(struct inode *dir, struct dentry *dentry) struct folio *folio; int err; - err = -ENOENT; de = nilfs_find_entry(dir, &dentry->d_name, &folio); - if (!de) + if (IS_ERR(de)) { + err = PTR_ERR(de); goto out; + } inode = d_inode(dentry); err = -EIO; @@ -362,10 +371,11 @@ static int nilfs_rename(struct mnt_idmap *idmap, if (unlikely(err)) return err; - err = -ENOENT; old_de = nilfs_find_entry(old_dir, &old_dentry->d_name, &old_folio); - if (!old_de) + if (IS_ERR(old_de)) { + err = PTR_ERR(old_de); goto out; + } if (S_ISDIR(old_inode->i_mode)) { err = -EIO; @@ -382,10 +392,12 @@ static int nilfs_rename(struct mnt_idmap *idmap, if (dir_de && !nilfs_empty_dir(new_inode)) goto out_dir; - err = -ENOENT; - new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, &new_folio); - if (!new_de) + new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, + &new_folio); + if (IS_ERR(new_de)) { + err = PTR_ERR(new_de); goto out_dir; + } nilfs_set_link(new_dir, new_de, new_folio, old_inode); folio_release_kmap(new_folio, new_de); nilfs_mark_inode_dirty(new_dir); @@ -440,12 +452,13 @@ out: */ static struct dentry *nilfs_get_parent(struct dentry *child) { - unsigned long ino; + ino_t ino; + int res; struct nilfs_root *root; - ino = nilfs_inode_by_name(d_inode(child), &dotdot_name); - if (!ino) - return ERR_PTR(-ENOENT); + res = nilfs_inode_by_name(d_inode(child), &dotdot_name, &ino); + if (res) + return ERR_PTR(res); root = NILFS_I(d_inode(child))->i_root; diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h index fb1c4c5bae7c..45d03826eaf1 100644 --- a/fs/nilfs2/nilfs.h +++ b/fs/nilfs2/nilfs.h @@ -254,7 +254,7 @@ static inline __u32 nilfs_mask_flags(umode_t mode, __u32 flags) /* dir.c */ int nilfs_add_link(struct dentry *, struct inode *); -ino_t nilfs_inode_by_name(struct inode *, const struct qstr *); +int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino); int nilfs_make_empty(struct inode *, struct inode *); struct nilfs_dir_entry *nilfs_find_entry(struct inode *, const struct qstr *, struct folio **);

8 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] nilfs2: propagate directory read errors from" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 08cfa12adf888db98879dbd735bc741360a34168 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101851-treble-echo-a580@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 08cfa12adf888db98879dbd735bc741360a34168 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Fri, 4 Oct 2024 12:35:31 +0900 Subject: [PATCH] nilfs2: propagate directory read errors from nilfs_find_entry() Syzbot reported that a task hang occurs in vcs_open() during a fuzzing test for nilfs2. The root cause of this problem is that in nilfs_find_entry(), which searches for directory entries, ignores errors when loading a directory page/folio via nilfs_get_folio() fails. If the filesystem images is corrupted, and the i_size of the directory inode is large, and the directory page/folio is successfully read but fails the sanity check, for example when it is zero-filled, nilfs_check_folio() may continue to spit out error messages in bursts. Fix this issue by propagating the error to the callers when loading a page/folio fails in nilfs_find_entry(). The current interface of nilfs_find_entry() and its callers is outdated and cannot propagate error codes such as -EIO and -ENOMEM returned via nilfs_find_entry(), so fix it together. Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: Lizhi Xu <lizhi.xu(a)windriver.com> Closes: https://lkml.kernel.org/r/20240927013806.3577931-1-lizhi.xu@windriver.com Reported-by: syzbot+8a192e8d090fa9a31135(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8a192e8d090fa9a31135 Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index fe5b1a30c509..a8602729586a 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -289,7 +289,7 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx) * The folio is mapped and unlocked. When the caller is finished with * the entry, it should call folio_release_kmap(). * - * On failure, returns NULL and the caller should ignore foliop. + * On failure, returns an error pointer and the caller should ignore foliop. */ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, const struct qstr *qstr, struct folio **foliop) @@ -312,22 +312,24 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, do { char *kaddr = nilfs_get_folio(dir, n, foliop); - if (!IS_ERR(kaddr)) { - de = (struct nilfs_dir_entry *)kaddr; - kaddr += nilfs_last_byte(dir, n) - reclen; - while ((char *) de <= kaddr) { - if (de->rec_len == 0) { - nilfs_error(dir->i_sb, - "zero-length directory entry"); - folio_release_kmap(*foliop, kaddr); - goto out; - } - if (nilfs_match(namelen, name, de)) - goto found; - de = nilfs_next_entry(de); + if (IS_ERR(kaddr)) + return ERR_CAST(kaddr); + + de = (struct nilfs_dir_entry *)kaddr; + kaddr += nilfs_last_byte(dir, n) - reclen; + while ((char *)de <= kaddr) { + if (de->rec_len == 0) { + nilfs_error(dir->i_sb, + "zero-length directory entry"); + folio_release_kmap(*foliop, kaddr); + goto out; } - folio_release_kmap(*foliop, kaddr); + if (nilfs_match(namelen, name, de)) + goto found; + de = nilfs_next_entry(de); } + folio_release_kmap(*foliop, kaddr); + if (++n >= npages) n = 0; /* next folio is past the blocks we've got */ @@ -340,7 +342,7 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir, } } while (n != start); out: - return NULL; + return ERR_PTR(-ENOENT); found: ei->i_dir_start_lookup = n; @@ -384,18 +386,18 @@ fail: return NULL; } -ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) +int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino) { - ino_t res = 0; struct nilfs_dir_entry *de; struct folio *folio; de = nilfs_find_entry(dir, qstr, &folio); - if (de) { - res = le64_to_cpu(de->inode); - folio_release_kmap(folio, de); - } - return res; + if (IS_ERR(de)) + return PTR_ERR(de); + + *ino = le64_to_cpu(de->inode); + folio_release_kmap(folio, de); + return 0; } void nilfs_set_link(struct inode *dir, struct nilfs_dir_entry *de, diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c index c950139db6ef..4905063790c5 100644 --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -55,12 +55,20 @@ nilfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) { struct inode *inode; ino_t ino; + int res; if (dentry->d_name.len > NILFS_NAME_LEN) return ERR_PTR(-ENAMETOOLONG); - ino = nilfs_inode_by_name(dir, &dentry->d_name); - inode = ino ? nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino) : NULL; + res = nilfs_inode_by_name(dir, &dentry->d_name, &ino); + if (res) { + if (res != -ENOENT) + return ERR_PTR(res); + inode = NULL; + } else { + inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); + } + return d_splice_alias(inode, dentry); } @@ -263,10 +271,11 @@ static int nilfs_do_unlink(struct inode *dir, struct dentry *dentry) struct folio *folio; int err; - err = -ENOENT; de = nilfs_find_entry(dir, &dentry->d_name, &folio); - if (!de) + if (IS_ERR(de)) { + err = PTR_ERR(de); goto out; + } inode = d_inode(dentry); err = -EIO; @@ -362,10 +371,11 @@ static int nilfs_rename(struct mnt_idmap *idmap, if (unlikely(err)) return err; - err = -ENOENT; old_de = nilfs_find_entry(old_dir, &old_dentry->d_name, &old_folio); - if (!old_de) + if (IS_ERR(old_de)) { + err = PTR_ERR(old_de); goto out; + } if (S_ISDIR(old_inode->i_mode)) { err = -EIO; @@ -382,10 +392,12 @@ static int nilfs_rename(struct mnt_idmap *idmap, if (dir_de && !nilfs_empty_dir(new_inode)) goto out_dir; - err = -ENOENT; - new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, &new_folio); - if (!new_de) + new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, + &new_folio); + if (IS_ERR(new_de)) { + err = PTR_ERR(new_de); goto out_dir; + } nilfs_set_link(new_dir, new_de, new_folio, old_inode); folio_release_kmap(new_folio, new_de); nilfs_mark_inode_dirty(new_dir); @@ -440,12 +452,13 @@ out: */ static struct dentry *nilfs_get_parent(struct dentry *child) { - unsigned long ino; + ino_t ino; + int res; struct nilfs_root *root; - ino = nilfs_inode_by_name(d_inode(child), &dotdot_name); - if (!ino) - return ERR_PTR(-ENOENT); + res = nilfs_inode_by_name(d_inode(child), &dotdot_name, &ino); + if (res) + return ERR_PTR(res); root = NILFS_I(d_inode(child))->i_root; diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h index fb1c4c5bae7c..45d03826eaf1 100644 --- a/fs/nilfs2/nilfs.h +++ b/fs/nilfs2/nilfs.h @@ -254,7 +254,7 @@ static inline __u32 nilfs_mask_flags(umode_t mode, __u32 flags) /* dir.c */ int nilfs_add_link(struct dentry *, struct inode *); -ino_t nilfs_inode_by_name(struct inode *, const struct qstr *); +int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino); int nilfs_make_empty(struct inode *, struct inode *); struct nilfs_dir_entry *nilfs_find_entry(struct inode *, const struct qstr *, struct folio **);

8 months, 2 weeks

2
1
0 0

[PATCH 0/2] vfs: fstatat, statx: Consistently accept AT_EMPTY_PATH and NULL path

by Xi Ruoyao

Since Linux 6.11 we support AT_EMPTY_PATH and NULL path for fstatat and statx in "some circumstances" mostly for performance and allowing seccomp audition. But to make the API easier to be documented and used, we should just treat AT_EMPTY_PATH and NULL as is AT_EMPTY_PATH and empty string even if there are no performance or seccomp benefits. Cc: Miao Wang <shankerwangmiao(a)gmail.com> Cc: linux-fsdevel(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: stable(a)vger.kernel.org Xi Ruoyao (2): vfs: support fstatat(..., NULL, AT_EMPTY_PATH | AT_NO_AUTOMOUNT, ...) vfs: Make sure {statx,fstatat}(..., AT_EMPTY_PATH | ..., NULL, ...) behave as (..., AT_EMPTY_PATH | ..., "", ...) fs/stat.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) -- 2.46.2

8 months, 2 weeks

3
7
0 0

[PATCH net] mctp i2c: handle NULL header address

by Matt Johnston via B4 Relay

From: Matt Johnston <matt(a)codeconstruct.com.au> daddr can be NULL if there is no neighbour table entry present, in that case the tx packet should be dropped. Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") Cc: stable(a)vger.kernel.org Reported-by: Dung Cao <dung(a)os.amperecomputing.com> Signed-off-by: Matt Johnston <matt(a)codeconstruct.com.au> --- drivers/net/mctp/mctp-i2c.c | 3 +++ 1 file changed, 3 insertions(+) diff --git drivers/net/mctp/mctp-i2c.c drivers/net/mctp/mctp-i2c.c index 4dc057c121f5..e70fb6687994 100644 --- drivers/net/mctp/mctp-i2c.c +++ drivers/net/mctp/mctp-i2c.c @@ -588,6 +588,9 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev, if (len > MCTP_I2C_MAXMTU) return -EMSGSIZE; + if (!daddr || !saddr) + return -EINVAL; + lldst = *((u8 *)daddr); llsrc = *((u8 *)saddr); --- base-commit: cb560795c8c2ceca1d36a95f0d1b2eafc4074e37 change-id: 20241018-mctp-i2c-null-dest-a0ba271e0c48 Best regards, -- Matt Johnston <matt(a)codeconstruct.com.au>

8 months, 2 weeks

3
2
0 0

[PATCH 3/8] drm/i915/pmu: Fix crash due to use-after-free

by Lucas De Marchi

When an i915 PMU counter is enabled and the driver is then unbound, the PMU will be unregistered via perf_pmu_unregister(), however the event will still be alive. i915 currently tries to deal with this situation by: a) Marking the pmu as "closed" and shortcut the calls from perf b) Taking a reference from i915, that is put back when the event is destroyed. c) Setting event_init to NULL to avoid any further event (a) is ugly, but may be left as is since it protects not trying to access the HW that is now gone. Unless a pmu driver can call perf_pmu_unregister() and not receive any more calls, it's a necessary ugliness. (b) doesn't really work: when the event is destroyed and the i915 ref is put it may free the i915 object, that contains the pmu, not only the event. After event->destroy() callback, perf still expects the pmu object to be alive. Instead of pigging back on the event->destroy() to take and put the device reference, implement the new get()/put() on the pmu object for that purpose. (c) is only done to have a flag to avoid some function entrypoints when pmu is unregistered. Cc: stable(a)vger.kernel.org # 5.11+ Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/i915/i915_pmu.c | 36 ++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_pmu.c b/drivers/gpu/drm/i915/i915_pmu.c index 4d05d98f51b8e..dc9f753369170 100644 --- a/drivers/gpu/drm/i915/i915_pmu.c +++ b/drivers/gpu/drm/i915/i915_pmu.c @@ -515,15 +515,6 @@ static enum hrtimer_restart i915_sample(struct hrtimer *hrtimer) return HRTIMER_RESTART; } -static void i915_pmu_event_destroy(struct perf_event *event) -{ - struct i915_pmu *pmu = event_to_pmu(event); - struct drm_i915_private *i915 = pmu_to_i915(pmu); - - drm_WARN_ON(&i915->drm, event->parent); - - drm_dev_put(&i915->drm); -} static int engine_event_status(struct intel_engine_cs *engine, @@ -629,11 +620,6 @@ static int i915_pmu_event_init(struct perf_event *event) if (ret) return ret; - if (!event->parent) { - drm_dev_get(&i915->drm); - event->destroy = i915_pmu_event_destroy; - } - return 0; } @@ -872,6 +858,24 @@ static int i915_pmu_event_event_idx(struct perf_event *event) return 0; } +static struct pmu *i915_pmu_get(struct pmu *base) +{ + struct i915_pmu *pmu = container_of(base, struct i915_pmu, base); + struct drm_i915_private *i915 = pmu_to_i915(pmu); + + drm_dev_get(&i915->drm); + + return base; +} + +static void i915_pmu_put(struct pmu *base) +{ + struct i915_pmu *pmu = container_of(base, struct i915_pmu, base); + struct drm_i915_private *i915 = pmu_to_i915(pmu); + + drm_dev_put(&i915->drm); +} + struct i915_str_attribute { struct device_attribute attr; const char *str; @@ -1154,6 +1158,8 @@ static void free_pmu(struct drm_device *dev, void *res) struct i915_pmu *pmu = res; struct drm_i915_private *i915 = pmu_to_i915(pmu); + perf_pmu_free(&pmu->base); + free_event_attributes(pmu); kfree(pmu->base.attr_groups); if (IS_DGFX(i915)) @@ -1299,6 +1305,8 @@ void i915_pmu_register(struct drm_i915_private *i915) pmu->base.stop = i915_pmu_event_stop; pmu->base.read = i915_pmu_event_read; pmu->base.event_idx = i915_pmu_event_event_idx; + pmu->base.get = i915_pmu_get; + pmu->base.put = i915_pmu_put; ret = perf_pmu_register(&pmu->base, pmu->name, -1); if (ret) -- 2.47.0

8 months, 2 weeks

2
1
0 0

[PATCH 6.11.y] mm: vmscan.c: fix OOM on swap stress test

by Chris Li

[ Upstream commit 0885ef4705607936fc36a38fd74356e1c465b023 ] I found a regression on mm-unstable during my swap stress test, using tmpfs to compile linux. The test OOM very soon after the make spawns many cc processes. It bisects down to this change: 33dfe9204f29b415bbc0abb1a50642d1ba94f5e9 (mm/gup: clear the LRU flag of a page before adding to LRU batch) Yu Zhao propose the fix: "I think this is one of the potential side effects -- Huge mentioned earlier about isolate_lru_folios():" I test that with it the swap stress test no longer OOM. Link: https://lore.kernel.org/r/CAOUHufYi9h0kz5uW3LHHS3ZrVwEq-kKp8S6N-MZUmErNAXoX… Link: https://lkml.kernel.org/r/20240905-lru-flag-v2-1-8a2d9046c594@kernel.org Fixes: 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") Signed-off-by: Chris Li <chrisl(a)kernel.org> Suggested-by: Yu Zhao <yuzhao(a)google.com> Suggested-by: Hugh Dickins <hughd(a)google.com> Closes: https://lore.kernel.org/all/CAF8kJuNP5iTj2p07QgHSGOJsiUfYpJ2f4R1Q5-3BN9JiD9… Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/vmscan.c b/mm/vmscan.c index bd489c1af2289..a8d61a8b68944 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -4300,7 +4300,7 @@ static bool sort_folio(struct lruvec *lruvec, struct folio *folio, struct scan_c } /* ineligible */ - if (zone > sc->reclaim_idx) { + if (!folio_test_lru(folio) || zone > sc->reclaim_idx) { gen = folio_inc_gen(lruvec, folio, false); list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]); return true; --- base-commit: 8e24a758d14c0b1cd42ab0aea980a1030eea811f change-id: 20241015-stable-oom-fix-a6ab273b1817 Best regards, -- Chris Li <chrisl(a)kernel.org>

8 months, 2 weeks

3
2
0 0

+ revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Edward Liaw <edliaw(a)google.com> Subject: Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" Date: Fri, 18 Oct 2024 17:17:23 +0000 This reverts commit e61ef21e27e8deed8c474e9f47f4aa7bc37e138c. uffd_poll_thread may be called by other tests that do not initialize the pthread_barrier, so this approach is not correct. This will revert to using atomic_bool instead. Link: https://lkml.kernel.org/r/20241018171734.2315053-3-edliaw@google.com Fixes: e61ef21e27e8 ("selftests/mm: replace atomic_bool with pthread_barrier_t") Signed-off-by: Edward Liaw <edliaw(a)google.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/uffd-common.c | 5 ++--- tools/testing/selftests/mm/uffd-common.h | 3 ++- tools/testing/selftests/mm/uffd-unit-tests.c | 14 ++++++-------- 3 files changed, 10 insertions(+), 12 deletions(-) --- a/tools/testing/selftests/mm/uffd-common.c~revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t +++ a/tools/testing/selftests/mm/uffd-common.c @@ -18,7 +18,7 @@ bool test_uffdio_wp = true; unsigned long long *count_verify; uffd_test_ops_t *uffd_test_ops; uffd_test_case_ops_t *uffd_test_case_ops; -pthread_barrier_t ready_for_fork; +atomic_bool ready_for_fork; static int uffd_mem_fd_create(off_t mem_size, bool hugetlb) { @@ -519,8 +519,7 @@ void *uffd_poll_thread(void *arg) pollfd[1].fd = pipefd[cpu*2]; pollfd[1].events = POLLIN; - /* Ready for parent thread to fork */ - pthread_barrier_wait(&ready_for_fork); + ready_for_fork = true; for (;;) { ret = poll(pollfd, 2, -1); --- a/tools/testing/selftests/mm/uffd-common.h~revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t +++ a/tools/testing/selftests/mm/uffd-common.h @@ -33,6 +33,7 @@ #include <inttypes.h> #include <stdint.h> #include <sys/random.h> +#include <stdatomic.h> #include "../kselftest.h" #include "vm_util.h" @@ -104,7 +105,7 @@ extern bool map_shared; extern bool test_uffdio_wp; extern unsigned long long *count_verify; extern volatile bool test_uffdio_copy_eexist; -extern pthread_barrier_t ready_for_fork; +extern atomic_bool ready_for_fork; extern uffd_test_ops_t anon_uffd_test_ops; extern uffd_test_ops_t shmem_uffd_test_ops; --- a/tools/testing/selftests/mm/uffd-unit-tests.c~revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t +++ a/tools/testing/selftests/mm/uffd-unit-tests.c @@ -774,7 +774,7 @@ static void uffd_sigbus_test_common(bool char c; struct uffd_args args = { 0 }; - pthread_barrier_init(&ready_for_fork, NULL, 2); + ready_for_fork = false; fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK); @@ -791,9 +791,8 @@ static void uffd_sigbus_test_common(bool if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args)) err("uffd_poll_thread create"); - /* Wait for child thread to start before forking */ - pthread_barrier_wait(&ready_for_fork); - pthread_barrier_destroy(&ready_for_fork); + while (!ready_for_fork) + ; /* Wait for the poll_thread to start executing before forking */ pid = fork(); if (pid < 0) @@ -834,7 +833,7 @@ static void uffd_events_test_common(bool char c; struct uffd_args args = { 0 }; - pthread_barrier_init(&ready_for_fork, NULL, 2); + ready_for_fork = false; fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK); if (uffd_register(uffd, area_dst, nr_pages * page_size, @@ -845,9 +844,8 @@ static void uffd_events_test_common(bool if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args)) err("uffd_poll_thread create"); - /* Wait for child thread to start before forking */ - pthread_barrier_wait(&ready_for_fork); - pthread_barrier_destroy(&ready_for_fork); + while (!ready_for_fork) + ; /* Wait for the poll_thread to start executing before forking */ pid = fork(); if (pid < 0) _ Patches currently in -mm which might be from edliaw(a)google.com are revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch selftests-mm-fix-deadlock-for-fork-after-pthread_create-with-atomic_bool.patch

8 months, 2 weeks

1
0
0 0

+ revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Edward Liaw <edliaw(a)google.com> Subject: Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" Date: Fri, 18 Oct 2024 17:17:22 +0000 Patch series "selftests/mm: revert pthread_barrier change" On Android arm, pthread_create followed by a fork caused a deadlock in the case where the fork required work to be completed by the created thread. The previous patches incorrectly assumed that the parent would always initialize the pthread_barrier for the child thread. This reverts the change and replaces the fix for wp-fork-with-event with the original use of atomic_bool. This patch (of 3): This reverts commit e142cc87ac4ec618f2ccf5f68aedcd6e28a59d9d. fork_event_consumer may be called by other tests that do not initialize the pthread_barrier, so this approach is not correct. The subsequent patch will revert to using atomic_bool instead. Link: https://lkml.kernel.org/r/20241018171734.2315053-1-edliaw@google.com Link: https://lkml.kernel.org/r/20241018171734.2315053-2-edliaw@google.com Fixes: e142cc87ac4e ("fix deadlock for fork after pthread_create on ARM") Signed-off-by: Edward Liaw <edliaw(a)google.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/uffd-unit-tests.c | 7 ------- 1 file changed, 7 deletions(-) --- a/tools/testing/selftests/mm/uffd-unit-tests.c~revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm +++ a/tools/testing/selftests/mm/uffd-unit-tests.c @@ -241,9 +241,6 @@ static void *fork_event_consumer(void *d fork_event_args *args = data; struct uffd_msg msg = { 0 }; - /* Ready for parent thread to fork */ - pthread_barrier_wait(&ready_for_fork); - /* Read until a full msg received */ while (uffd_read_msg(args->parent_uffd, &msg)); @@ -311,12 +308,8 @@ static int pagemap_test_fork(int uffd, b /* Prepare a thread to resolve EVENT_FORK */ if (with_event) { - pthread_barrier_init(&ready_for_fork, NULL, 2); if (pthread_create(&thread, NULL, fork_event_consumer, &args)) err("pthread_create()"); - /* Wait for child thread to start before forking */ - pthread_barrier_wait(&ready_for_fork); - pthread_barrier_destroy(&ready_for_fork); } child = fork(); _ Patches currently in -mm which might be from edliaw(a)google.com are revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch selftests-mm-fix-deadlock-for-fork-after-pthread_create-with-atomic_bool.patch

8 months, 2 weeks

1
0
0 0

[PATCH v3 1/1] nfsd: fix race between laundromat and free_stateid

by Olga Kornievskaia

There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fixed that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list. Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely. Fixes: 2d4a532d385f ("nfsd: ensure that clp->cl_revoked list is protected by clp->cl_lock") CC: stable(a)vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev(a)redhat.com> --- v3. (1) adds refcount to nfsd4_revoke_states() (2) adds comments to revoke_delegation(), adds the WARN_ON_ONCE to make sure stid state is what is expected and changes unlock placement. --- fs/nfsd/nfs4state.c | 46 +++++++++++++++++++++++++++++++++++++-------- fs/nfsd/state.h | 2 ++ 2 files changed, 40 insertions(+), 8 deletions(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 7905ab9d8bc6..28e9b52b01fd 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -1351,21 +1351,47 @@ static void destroy_delegation(struct nfs4_delegation *dp) destroy_unhashed_deleg(dp); } +/** + * revoke_delegation - perform nfs4 delegation structure cleanup + * @dp: pointer to the delegation + * + * This function assumes that it's called either from the administrative + * interface (nfsd4_revoke_states()) that's revoking a specific delegation + * stateid or it's called from a laundromat thread (nfsd4_landromat()) that + * determined that this specific state has expired and needs to be revoked + * (both mark state with the appropriate stid sc_status mode). It is also + * assumed that a reference was take on the @dp state. + * + * If this function finds that the @dp state is SC_STATUS_FREED it means + * that a FREE_STATEID operation for this stateid has been processed and + * we can proceed to removing it from recalled list. However, if @dp state + * isn't marked SC_STATUS_FREED, it means we need place it on the cl_revoked + * list and wait for the FREE_STATEID to arrive from the client. At the same + * time, we need to mark it as SC_STATUS_FREEABLE to indicate to the + * nfsd4_free_stateid() function that this stateid has already been added + * to the cl_revoked list and that nfsd4_free_stateid() is now responsible + * for removing it from the list. Inspection of where the delegation state + * in the revocation process is protected by the clp->cl_lock. + */ static void revoke_delegation(struct nfs4_delegation *dp) { struct nfs4_client *clp = dp->dl_stid.sc_client; WARN_ON(!list_empty(&dp->dl_recall_lru)); + WARN_ON_ONCE(!(dp->dl_stid.sc_status & + (SC_STATUS_REVOKED | SC_STATUS_ADMIN_REVOKED))); trace_nfsd_stid_revoke(&dp->dl_stid); - if (dp->dl_stid.sc_status & - (SC_STATUS_REVOKED | SC_STATUS_ADMIN_REVOKED)) { - spin_lock(&clp->cl_lock); - refcount_inc(&dp->dl_stid.sc_count); - list_add(&dp->dl_recall_lru, &clp->cl_revoked); - spin_unlock(&clp->cl_lock); + spin_lock(&clp->cl_lock); + if (dp->dl_stid.sc_status & SC_STATUS_FREED) { + list_del_init(&dp->dl_recall_lru); + goto out; } + list_add(&dp->dl_recall_lru, &clp->cl_revoked); + dp->dl_stid.sc_status |= SC_STATUS_FREEABLE; +out: + spin_unlock(&clp->cl_lock); destroy_unhashed_deleg(dp); } @@ -1772,6 +1798,7 @@ void nfsd4_revoke_states(struct net *net, struct super_block *sb) mutex_unlock(&stp->st_mutex); break; case SC_TYPE_DELEG: + refcount_inc(&stid->sc_count); dp = delegstateid(stid); spin_lock(&state_lock); if (!unhash_delegation_locked( @@ -6606,6 +6633,7 @@ nfs4_laundromat(struct nfsd_net *nn) dp = list_entry (pos, struct nfs4_delegation, dl_recall_lru); if (!state_expired(&lt, dp->dl_time)) break; + refcount_inc(&dp->dl_stid.sc_count); unhash_delegation_locked(dp, SC_STATUS_REVOKED); list_add(&dp->dl_recall_lru, &reaplist); } @@ -7218,7 +7246,9 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, s->sc_status |= SC_STATUS_CLOSED; spin_unlock(&s->sc_lock); dp = delegstateid(s); - list_del_init(&dp->dl_recall_lru); + if (s->sc_status & SC_STATUS_FREEABLE) + list_del_init(&dp->dl_recall_lru); + s->sc_status |= SC_STATUS_FREED; spin_unlock(&cl->cl_lock); nfs4_put_stid(s); ret = nfs_ok; @@ -7548,7 +7578,7 @@ nfsd4_delegreturn(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, if ((status = fh_verify(rqstp, &cstate->current_fh, S_IFREG, 0))) return status; - status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, 0, &s, nn); + status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, SC_STATUS_REVOKED|SC_STATUS_FREEABLE, &s, nn); if (status) goto out; dp = delegstateid(s); diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h index 6351e6eca7cc..cc00d6b64b88 100644 --- a/fs/nfsd/state.h +++ b/fs/nfsd/state.h @@ -114,6 +114,8 @@ struct nfs4_stid { /* For a deleg stateid kept around only to process free_stateid's: */ #define SC_STATUS_REVOKED BIT(1) #define SC_STATUS_ADMIN_REVOKED BIT(2) +#define SC_STATUS_FREEABLE BIT(3) +#define SC_STATUS_FREED BIT(4) unsigned short sc_status; struct list_head sc_cp_list; -- 2.43.5

8 months, 2 weeks

3
2
0 0

[PATCH 6.11.y 0/3] : Yu Zhao's memory fix backport

by chrisl＠kernel.org

A few commits from Yu Zhao have been merged into 6.12. They need to be backported to 6.11. - c2a967f6ab0ec ("mm/hugetlb_vmemmap: don't synchronize_rcu() without HVO") - 95599ef684d01 ("mm/codetag: fix pgalloc_tag_split()") - e0a955bf7f61c ("mm/codetag: add pgalloc_tag_copy()") --- Yu Zhao (3): mm/hugetlb_vmemmap: don't synchronize_rcu() without HVO mm/codetag: fix pgalloc_tag_split() mm/codetag: add pgalloc_tag_copy() include/linux/alloc_tag.h | 24 ++++++++----------- include/linux/mm.h | 57 +++++++++++++++++++++++++++++++++++++++++++++ include/linux/pgalloc_tag.h | 31 ------------------------ mm/huge_memory.c | 2 +- mm/hugetlb_vmemmap.c | 40 +++++++++++++++---------------- mm/migrate.c | 1 + mm/page_alloc.c | 4 ++-- 7 files changed, 91 insertions(+), 68 deletions(-) --- base-commit: 8e24a758d14c0b1cd42ab0aea980a1030eea811f change-id: 20241016-stable-yuzhao-7779910482e8 Best regards, -- Chris Li <chrisl(a)kernel.org>

8 months, 2 weeks

5
9
0 0

[PATCH RESEND] fs/bfs: fix possible NULL pointer dereference caused by empty i_op/i_fop

by Andrew Kanner

Syzkaller reported and reproduced the following issue: loop0: detected capacity change from 0 to 64 overlayfs: fs on './file0' does not support file handles, \ falling back to index=off,nfs_export=off. BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Comm: syz-executor169 Not tainted 6.11.0-rc5-syzkaller-00176-g20371ba12063 #0 [...] Call Trace: <TASK> __lookup_slow+0x28c/0x3f0 fs/namei.c:1718 lookup_slow fs/namei.c:1735 [inline] lookup_one_unlocked+0x1a4/0x290 fs/namei.c:2898 ovl_lookup_positive_unlocked fs/overlayfs/namei.c:210 [inline] ovl_lookup_single+0x200/0xbd0 fs/overlayfs/namei.c:240 ovl_lookup_layer+0x417/0x510 fs/overlayfs/namei.c:333 ovl_lookup+0xcf7/0x2a60 fs/overlayfs/namei.c:1124 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_mknodat+0x18b/0x5b0 fs/namei.c:4125 __do_sys_mknod fs/namei.c:4171 [inline] __se_sys_mknod fs/namei.c:4169 [inline] __x64_sys_mknod+0x8c/0xa0 fs/namei.c:4169 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc4b42b2839 However, the actual root cause is not related to overlayfs: (gdb) p lower.dentry->d_inode->i_op $6 = (const struct inode_operations *) 0xffffffff8242fcc0 <empty_iops> (gdb) p lower.dentry->d_inode->i_op->lookup $7 = (struct dentry *(*) \ (struct inode *, struct dentry *, unsigned int)) 0x0 The inode, which is passed to ovl_lookup(), has an empty i_op, so the following __lookup_slow() hit NULL doing it's job: old = inode->i_op->lookup(inode, dentry, flags); bfs_fill_super()->bfs_iget() are skipping i_op/i_fop initialization if vnode type is not BFS_VDIR or BFS_VREG (e.g. corrupted fs). Adding extra error handling fixes the issue and syzkaller repro doesn't trigger anything bad anymore. Issue affects kernel builds with CONFIG_BFS_FS=y or =m only. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+94891a5155abdf6821b7(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/0000000000003d5bc30617238b6d@google.com/T/ Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Cc: stable(a)vger.kernel.org --- fs/bfs/inode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c index db81570c9637..e590b231ad20 100644 --- a/fs/bfs/inode.c +++ b/fs/bfs/inode.c @@ -70,6 +70,10 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino) inode->i_op = &bfs_file_inops; inode->i_fop = &bfs_file_operations; inode->i_mapping->a_ops = &bfs_aops; + } else { + pr_err("Bad i_vtype for inode %s:%08lx\n", inode->i_sb->s_id, ino); + brelse(bh); + goto error; } BFS_I(inode)->i_sblock = le32_to_cpu(di->i_sblock); -- 2.39.3

8 months, 2 weeks

1
0
0 0

[PATCH v2] nfsd: fix race between laundromat and free_stateid

by Olga Kornievskaia

There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: leases_conflict+0x68/0x370 kernel: __break_lease+0x204/0xc38 kernel: nfsd_open_break_lease+0x8c/0xf0 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fix that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list. Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely. Fixes: 2d4a532d385f ("nfsd: ensure that clp->cl_revoked list is protected by clp->cl_lock") CC: stable(a)vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev(a)redhat.com> --- fs/nfsd/nfs4state.c | 15 ++++++++++++--- fs/nfsd/state.h | 2 ++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index ac1859c7cc9d..cb989802e896 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -1370,10 +1370,16 @@ static void revoke_delegation(struct nfs4_delegation *dp) if (dp->dl_stid.sc_status & (SC_STATUS_REVOKED | SC_STATUS_ADMIN_REVOKED)) { spin_lock(&clp->cl_lock); - refcount_inc(&dp->dl_stid.sc_count); + if (dp->dl_stid.sc_status & SC_STATUS_FREED) { + list_del_init(&dp->dl_recall_lru); + spin_unlock(&clp->cl_lock); + goto out; + } list_add(&dp->dl_recall_lru, &clp->cl_revoked); + dp->dl_stid.sc_status |= SC_STATUS_FREEABLE; spin_unlock(&clp->cl_lock); } +out: destroy_unhashed_deleg(dp); } @@ -6545,6 +6551,7 @@ nfs4_laundromat(struct nfsd_net *nn) dp = list_entry (pos, struct nfs4_delegation, dl_recall_lru); if (!state_expired(&lt, dp->dl_time)) break; + refcount_inc(&dp->dl_stid.sc_count); unhash_delegation_locked(dp, SC_STATUS_REVOKED); list_add(&dp->dl_recall_lru, &reaplist); } @@ -7156,7 +7163,9 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, if (s->sc_status & SC_STATUS_REVOKED) { spin_unlock(&s->sc_lock); dp = delegstateid(s); - list_del_init(&dp->dl_recall_lru); + if (s->sc_status & SC_STATUS_FREEABLE) + list_del_init(&dp->dl_recall_lru); + s->sc_status |= SC_STATUS_FREED; spin_unlock(&cl->cl_lock); nfs4_put_stid(s); ret = nfs_ok; @@ -7486,7 +7495,7 @@ nfsd4_delegreturn(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, if ((status = fh_verify(rqstp, &cstate->current_fh, S_IFREG, 0))) return status; - status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, 0, &s, nn); + status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, SC_STATUS_REVOKED|SC_STATUS_FREEABLE, &s, nn); if (status) goto out; dp = delegstateid(s); diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h index 79c743c01a47..35b3564c065f 100644 --- a/fs/nfsd/state.h +++ b/fs/nfsd/state.h @@ -114,6 +114,8 @@ struct nfs4_stid { /* For a deleg stateid kept around only to process free_stateid's: */ #define SC_STATUS_REVOKED BIT(1) #define SC_STATUS_ADMIN_REVOKED BIT(2) +#define SC_STATUS_FREEABLE BIT(3) +#define SC_STATUS_FREED BIT(4) unsigned short sc_status; struct list_head sc_cp_list; -- 2.43.5

8 months, 2 weeks

3
2
0 0

[PATCH] resource,kexec: walk_system_ram_res_rev must retain resource flags

by Gregory Price

walk_system_ram_res_rev() erroneously discards resource flags when passing the information to the callback. This causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have these resources selected during kexec to store kexec buffers if that memory happens to be at placed above normal system ram. This leads to undefined behavior after reboot. If the kexec buffer is never touched, nothing happens. If the kexec buffer is touched, it could lead to a crash (like below) or undefined behavior. Tested on a system with CXL memory expanders with driver managed memory, TPM enabled, and CONFIG_IMA_KEXEC=y. Adding printk's showed the flags were being discarded and as a result the check for IORESOURCE_SYSRAM_DRIVER_MANAGED passes. find_next_iomem_res: name(System RAM (kmem)) start(10000000000) end(1034fffffff) flags(83000200) locate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0) [.] BUG: unable to handle page fault for address: ffff89834ffff000 [.] #PF: supervisor read access in kernel mode [.] #PF: error_code(0x0000) - not-present page [.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0 [.] Oops: 0000 [#1] SMP [.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0 [.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286 [.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000 [.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018 [.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900 [.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000 [.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000 [.] FS: 0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000 [.] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [.] ata5: SATA link down (SStatus 0 SControl 300) [.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0 [.] PKRU: 55555554 [.] Call Trace: [.] <TASK> [.] ? __die+0x78/0xc0 [.] ? page_fault_oops+0x2a8/0x3a0 [.] ? exc_page_fault+0x84/0x130 [.] ? asm_exc_page_fault+0x22/0x30 [.] ? ima_restore_measurement_list+0x95/0x4b0 [.] ? template_desc_init_fields+0x317/0x410 [.] ? crypto_alloc_tfm_node+0x9c/0xc0 [.] ? init_ima_lsm+0x30/0x30 [.] ima_load_kexec_buffer+0x72/0xa0 [.] ima_init+0x44/0xa0 [.] __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0 [.] ? init_ima_lsm+0x30/0x30 [.] do_one_initcall+0xad/0x200 [.] ? idr_alloc_cyclic+0xaa/0x110 [.] ? new_slab+0x12c/0x420 [.] ? new_slab+0x12c/0x420 [.] ? number+0x12a/0x430 [.] ? sysvec_apic_timer_interrupt+0xa/0x80 [.] ? asm_sysvec_apic_timer_interrupt+0x16/0x20 [.] ? parse_args+0xd4/0x380 [.] ? parse_args+0x14b/0x380 [.] kernel_init_freeable+0x1c1/0x2b0 [.] ? rest_init+0xb0/0xb0 [.] kernel_init+0x16/0x1a0 [.] ret_from_fork+0x2f/0x40 [.] ? rest_init+0xb0/0xb0 [.] ret_from_fork_asm+0x11/0x20 [.] </TASK> Link: https://lore.kernel.org/all/20231114091658.228030-1-bhe@redhat.com/ Fixes: 7acf164b259d ("resource: add walk_system_ram_res_rev()") Cc: stable(a)vger.kernel.org Signed-off-by: Gregory Price <gourry(a)gourry.net> --- kernel/resource.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/resource.c b/kernel/resource.c index b730bd28b422..4101016e8b20 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -459,9 +459,7 @@ int walk_system_ram_res_rev(u64 start, u64 end, void *arg, rams_size += 16; } - rams[i].start = res.start; - rams[i++].end = res.end; - + rams[i++] = res; start = res.end + 1; } -- 2.43.0

8 months, 2 weeks

4
10
0 0

[RFC][PATCH] mm: Split locks in remap_file_pages()

by Roberto Sassu

From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Commit ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") fixed a security issue, it added an LSM check when trying to remap file pages, so that LSMs have the opportunity to evaluate such action like for other memory operations such as mmap() and mprotect(). However, that commit called security_mmap_file() inside the mmap_lock lock, while the other calls do it before taking the lock, after commit 8b3ec6814c83 ("take security_mmap_file() outside of ->mmap_sem"). This caused lock inversion issue with IMA which was taking the mmap_lock and i_mutex lock in the opposite way when the remap_file_pages() system call was called. Solve the issue by splitting the critical region in remap_file_pages() in two regions: the first takes a read lock of mmap_lock and retrieves the VMA and the file associated, and calculate the 'prot' and 'flags' variable; the second takes a write lock on mmap_lock, checks that the VMA flags and the VMA file descriptor are the same as the ones obtained in the first critical region (otherwise the system call fails), and calls do_mmap(). In between, after releasing the read lock and taking the write lock, call security_mmap_file(), and solve the lock inversion issue. Cc: stable(a)vger.kernel.org Fixes: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") Reported-by: syzbot+91ae49e1c1a2634d20c0(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-security-module/66f7b10e.050a0220.46d20.0036.… Reviewed-by: Roberto Sassu <roberto.sassu(a)huawei.com> (Calculate prot and flags earlier) Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> --- mm/mmap.c | 62 ++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 17 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 9c0fb43064b5..762944427e03 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1640,6 +1640,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, unsigned long populate = 0; unsigned long ret = -EINVAL; struct file *file; + vm_flags_t vm_flags; pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.\n", current->comm, current->pid); @@ -1656,12 +1657,53 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, if (pgoff + (size >> PAGE_SHIFT) < pgoff) return ret; - if (mmap_write_lock_killable(mm)) + if (mmap_read_lock_killable(mm)) + return -EINTR; + + vma = vma_lookup(mm, start); + + if (!vma || !(vma->vm_flags & VM_SHARED)) { + mmap_read_unlock(mm); + return -EINVAL; + } + + prot |= vma->vm_flags & VM_READ ? PROT_READ : 0; + prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0; + prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0; + + flags &= MAP_NONBLOCK; + flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE; + if (vma->vm_flags & VM_LOCKED) + flags |= MAP_LOCKED; + + /* Save vm_flags used to calculate prot and flags, and recheck later. */ + vm_flags = vma->vm_flags; + file = get_file(vma->vm_file); + + mmap_read_unlock(mm); + + ret = security_mmap_file(file, prot, flags); + if (ret) { + fput(file); + return ret; + } + + ret = -EINVAL; + + if (mmap_write_lock_killable(mm)) { + fput(file); return -EINTR; + } vma = vma_lookup(mm, start); - if (!vma || !(vma->vm_flags & VM_SHARED)) + if (!vma) + goto out; + + if (vma->vm_flags != vm_flags) + goto out; + + if (vma->vm_file != file) goto out; if (start + size > vma->vm_end) { @@ -1689,25 +1731,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, goto out; } - prot |= vma->vm_flags & VM_READ ? PROT_READ : 0; - prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0; - prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0; - - flags &= MAP_NONBLOCK; - flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE; - if (vma->vm_flags & VM_LOCKED) - flags |= MAP_LOCKED; - - file = get_file(vma->vm_file); - ret = security_mmap_file(vma->vm_file, prot, flags); - if (ret) - goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); -out_fput: - fput(file); out: mmap_write_unlock(mm); + fput(file); if (populate) mm_populate(ret, populate); if (!IS_ERR_VALUE(ret)) -- 2.34.1

8 months, 2 weeks

3
4
0 0

[PATCH v3] comedi: Flush partial mappings in error case

by Jann Horn

If some remap_pfn_range() calls succeeded before one failed, we still have buffer pages mapped into the userspace page tables when we drop the buffer reference with comedi_buf_map_put(bm). The userspace mappings are only cleaned up later in the mmap error path. Fix it by explicitly flushing all mappings in our VMA on the error path. See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case"). Cc: stable(a)vger.kernel.org Fixes: ed9eccbe8970 ("Staging: add comedi core") Signed-off-by: Jann Horn <jannh(a)google.com> --- Note: compile-tested only; I don't actually have comedi hardware, and I don't know anything about comedi. --- Changes in v3: - gate zapping ptes on CONFIG_MMU (Intel kernel test robot) - Link to v2: https://lore.kernel.org/r/20241015-comedi-tlb-v2-1-cafb0e27dd9a@google.com Changes in v2: - only do the zapping in the pfnmap path (Ian Abbott) - use zap_vma_ptes() instead of zap_page_range_single() (Ian Abbott) - Link to v1: https://lore.kernel.org/r/20241014-comedi-tlb-v1-1-4b699144b438@google.com --- drivers/comedi/comedi_fops.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 1b481731df96..b9df9b19d4bd 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -2407,6 +2407,18 @@ static int comedi_mmap(struct file *file, struct vm_area_struct *vma) start += PAGE_SIZE; } + +#ifdef CONFIG_MMU + /* + * Leaving behind a partial mapping of a buffer we're about to + * drop is unsafe, see remap_pfn_range_notrack(). + * We need to zap the range here ourselves instead of relying + * on the automatic zapping in remap_pfn_range() because we call + * remap_pfn_range() in a loop. + */ + if (retval) + zap_vma_ptes(vma, vma->vm_start, size); +#endif } if (retval == 0) { --- base-commit: 6485cf5ea253d40d507cd71253c9568c5470cd27 change-id: 20241014-comedi-tlb-400246505961 -- Jann Horn <jannh(a)google.com>

8 months, 2 weeks

2
2
0 0

[PATCH RESEND] vdpa: solidrun: Fix UB bug with devres

by Philipp Stanner

In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to pcim_iomap_regions() is placed on the stack. Neither pcim_iomap_regions() nor the functions it calls copy that string. Should the string later ever be used, this, consequently, causes undefined behavior since the stack frame will by then have disappeared. Fix the bug by allocating the strings on the heap through devm_kasprintf(). Cc: stable(a)vger.kernel.org # v6.3 Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.") Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Closes: https://lore.kernel.org/all/74e9109a-ac59-49e2-9b1d-d825c9c9f891@wanadoo.fr/ Suggested-by: Andy Shevchenko <andy(a)kernel.org> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> --- drivers/vdpa/solidrun/snet_main.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/vdpa/solidrun/snet_main.c b/drivers/vdpa/solidrun/snet_main.c index 99428a04068d..c8b74980dbd1 100644 --- a/drivers/vdpa/solidrun/snet_main.c +++ b/drivers/vdpa/solidrun/snet_main.c @@ -555,7 +555,7 @@ static const struct vdpa_config_ops snet_config_ops = { static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) { - char name[50]; + char *name; int ret, i, mask = 0; /* We don't know which BAR will be used to communicate.. * We will map every bar with len > 0. @@ -573,7 +573,10 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) return -ENODEV; } - snprintf(name, sizeof(name), "psnet[%s]-bars", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + ret = pcim_iomap_regions(pdev, mask, name); if (ret) { SNET_ERR(pdev, "Failed to request and map PCI BARs\n"); @@ -590,10 +593,13 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) static int snet_open_vf_bar(struct pci_dev *pdev, struct snet *snet) { - char name[50]; + char *name; int ret; - snprintf(name, sizeof(name), "snet[%s]-bar", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "snet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + /* Request and map BAR */ ret = pcim_iomap_regions(pdev, BIT(snet->psnet->cfg.vf_bar), name); if (ret) { -- 2.46.1

8 months, 2 weeks

5
7
0 0

FAILED: patch "[PATCH] KVM: s390: gaccess: Check if guest address is in memslot" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x e8061f06185be0a06a73760d6526b8b0feadfe52 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101827-implosion-twilight-c8e1@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8061f06185be0a06a73760d6526b8b0feadfe52 Mon Sep 17 00:00:00 2001 From: Nico Boehr <nrb(a)linux.ibm.com> Date: Tue, 17 Sep 2024 17:18:33 +0200 Subject: [PATCH] KVM: s390: gaccess: Check if guest address is in memslot Previously, access_guest_page() did not check whether the given guest address is inside of a memslot. This is not a problem, since kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case. However, -EFAULT is also returned when copy_to/from_user fails. When emulating a guest instruction, the address being outside a memslot usually means that an addressing exception should be injected into the guest. Failure in copy_to/from_user however indicates that something is wrong in userspace and hence should be handled there. To be able to distinguish these two cases, return PGM_ADDRESSING in access_guest_page() when the guest address is outside guest memory. In access_guest_real(), populate vcpu->arch.pgm.code such that kvm_s390_inject_prog_cond() can be used in the caller for injecting into the guest (if applicable). Since this adds a new return value to access_guest_page(), we need to make sure that other callers are not confused by the new positive return value. There are the following users of access_guest_page(): - access_guest_with_key() does the checking itself (in guest_range_to_gpas()), so this case should never happen. Even if, the handling is set up properly. - access_guest_real() just passes the return code to its callers, which are: - read_guest_real() - see below - write_guest_real() - see below There are the following users of read_guest_real(): - ar_translation() in gaccess.c which already returns PGM_* - setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always return -EFAULT on read_guest_read() nonzero return - no change - shadow_crycb(), handle_stfle() always present this as validity, this could be handled better but doesn't change current behaviour - no change There are the following users of write_guest_real(): - kvm_s390_store_status_unloaded() always returns -EFAULT on write_guest_real() failure. Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions") Cc: stable(a)vger.kernel.org Signed-off-by: Nico Boehr <nrb(a)linux.ibm.com> Reviewed-by: Heiko Carstens <hca(a)linux.ibm.com> Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com Acked-by: Janosch Frank <frankja(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c index e65f597e3044..a688351f4ab5 100644 --- a/arch/s390/kvm/gaccess.c +++ b/arch/s390/kvm/gaccess.c @@ -828,6 +828,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, const gfn_t gfn = gpa_to_gfn(gpa); int rc; + if (!gfn_to_memslot(kvm, gfn)) + return PGM_ADDRESSING; if (mode == GACC_STORE) rc = kvm_write_guest_page(kvm, gfn, data, offset, len); else @@ -985,6 +987,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, gra += fragment_len; data += fragment_len; } + if (rc > 0) + vcpu->arch.pgm.code = rc; return rc; } diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h index b320d12aa049..3fde45a151f2 100644 --- a/arch/s390/kvm/gaccess.h +++ b/arch/s390/kvm/gaccess.h @@ -405,11 +405,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data, * @len: number of bytes to copy * * Copy @len bytes from @data (kernel space) to @gra (guest real address). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest low address and key protection are not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying from @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to guest memory. */ @@ -428,11 +429,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data, * @len: number of bytes to copy * * Copy @len bytes from @gra (guest real address) to @data (kernel space). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest key protection is not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying to @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to kernel space. */

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] KVM: s390: gaccess: Check if guest address is in memslot" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x e8061f06185be0a06a73760d6526b8b0feadfe52 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101826-gracious-singer-816f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8061f06185be0a06a73760d6526b8b0feadfe52 Mon Sep 17 00:00:00 2001 From: Nico Boehr <nrb(a)linux.ibm.com> Date: Tue, 17 Sep 2024 17:18:33 +0200 Subject: [PATCH] KVM: s390: gaccess: Check if guest address is in memslot Previously, access_guest_page() did not check whether the given guest address is inside of a memslot. This is not a problem, since kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case. However, -EFAULT is also returned when copy_to/from_user fails. When emulating a guest instruction, the address being outside a memslot usually means that an addressing exception should be injected into the guest. Failure in copy_to/from_user however indicates that something is wrong in userspace and hence should be handled there. To be able to distinguish these two cases, return PGM_ADDRESSING in access_guest_page() when the guest address is outside guest memory. In access_guest_real(), populate vcpu->arch.pgm.code such that kvm_s390_inject_prog_cond() can be used in the caller for injecting into the guest (if applicable). Since this adds a new return value to access_guest_page(), we need to make sure that other callers are not confused by the new positive return value. There are the following users of access_guest_page(): - access_guest_with_key() does the checking itself (in guest_range_to_gpas()), so this case should never happen. Even if, the handling is set up properly. - access_guest_real() just passes the return code to its callers, which are: - read_guest_real() - see below - write_guest_real() - see below There are the following users of read_guest_real(): - ar_translation() in gaccess.c which already returns PGM_* - setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always return -EFAULT on read_guest_read() nonzero return - no change - shadow_crycb(), handle_stfle() always present this as validity, this could be handled better but doesn't change current behaviour - no change There are the following users of write_guest_real(): - kvm_s390_store_status_unloaded() always returns -EFAULT on write_guest_real() failure. Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions") Cc: stable(a)vger.kernel.org Signed-off-by: Nico Boehr <nrb(a)linux.ibm.com> Reviewed-by: Heiko Carstens <hca(a)linux.ibm.com> Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com Acked-by: Janosch Frank <frankja(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c index e65f597e3044..a688351f4ab5 100644 --- a/arch/s390/kvm/gaccess.c +++ b/arch/s390/kvm/gaccess.c @@ -828,6 +828,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, const gfn_t gfn = gpa_to_gfn(gpa); int rc; + if (!gfn_to_memslot(kvm, gfn)) + return PGM_ADDRESSING; if (mode == GACC_STORE) rc = kvm_write_guest_page(kvm, gfn, data, offset, len); else @@ -985,6 +987,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, gra += fragment_len; data += fragment_len; } + if (rc > 0) + vcpu->arch.pgm.code = rc; return rc; } diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h index b320d12aa049..3fde45a151f2 100644 --- a/arch/s390/kvm/gaccess.h +++ b/arch/s390/kvm/gaccess.h @@ -405,11 +405,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data, * @len: number of bytes to copy * * Copy @len bytes from @data (kernel space) to @gra (guest real address). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest low address and key protection are not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying from @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to guest memory. */ @@ -428,11 +429,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data, * @len: number of bytes to copy * * Copy @len bytes from @gra (guest real address) to @data (kernel space). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest key protection is not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying to @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to kernel space. */

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] KVM: s390: gaccess: Check if guest address is in memslot" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x e8061f06185be0a06a73760d6526b8b0feadfe52 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101824-departure-oversight-aa1e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8061f06185be0a06a73760d6526b8b0feadfe52 Mon Sep 17 00:00:00 2001 From: Nico Boehr <nrb(a)linux.ibm.com> Date: Tue, 17 Sep 2024 17:18:33 +0200 Subject: [PATCH] KVM: s390: gaccess: Check if guest address is in memslot Previously, access_guest_page() did not check whether the given guest address is inside of a memslot. This is not a problem, since kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case. However, -EFAULT is also returned when copy_to/from_user fails. When emulating a guest instruction, the address being outside a memslot usually means that an addressing exception should be injected into the guest. Failure in copy_to/from_user however indicates that something is wrong in userspace and hence should be handled there. To be able to distinguish these two cases, return PGM_ADDRESSING in access_guest_page() when the guest address is outside guest memory. In access_guest_real(), populate vcpu->arch.pgm.code such that kvm_s390_inject_prog_cond() can be used in the caller for injecting into the guest (if applicable). Since this adds a new return value to access_guest_page(), we need to make sure that other callers are not confused by the new positive return value. There are the following users of access_guest_page(): - access_guest_with_key() does the checking itself (in guest_range_to_gpas()), so this case should never happen. Even if, the handling is set up properly. - access_guest_real() just passes the return code to its callers, which are: - read_guest_real() - see below - write_guest_real() - see below There are the following users of read_guest_real(): - ar_translation() in gaccess.c which already returns PGM_* - setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always return -EFAULT on read_guest_read() nonzero return - no change - shadow_crycb(), handle_stfle() always present this as validity, this could be handled better but doesn't change current behaviour - no change There are the following users of write_guest_real(): - kvm_s390_store_status_unloaded() always returns -EFAULT on write_guest_real() failure. Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions") Cc: stable(a)vger.kernel.org Signed-off-by: Nico Boehr <nrb(a)linux.ibm.com> Reviewed-by: Heiko Carstens <hca(a)linux.ibm.com> Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com Acked-by: Janosch Frank <frankja(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c index e65f597e3044..a688351f4ab5 100644 --- a/arch/s390/kvm/gaccess.c +++ b/arch/s390/kvm/gaccess.c @@ -828,6 +828,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, const gfn_t gfn = gpa_to_gfn(gpa); int rc; + if (!gfn_to_memslot(kvm, gfn)) + return PGM_ADDRESSING; if (mode == GACC_STORE) rc = kvm_write_guest_page(kvm, gfn, data, offset, len); else @@ -985,6 +987,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, gra += fragment_len; data += fragment_len; } + if (rc > 0) + vcpu->arch.pgm.code = rc; return rc; } diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h index b320d12aa049..3fde45a151f2 100644 --- a/arch/s390/kvm/gaccess.h +++ b/arch/s390/kvm/gaccess.h @@ -405,11 +405,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data, * @len: number of bytes to copy * * Copy @len bytes from @data (kernel space) to @gra (guest real address). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest low address and key protection are not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying from @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to guest memory. */ @@ -428,11 +429,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data, * @len: number of bytes to copy * * Copy @len bytes from @gra (guest real address) to @data (kernel space). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest key protection is not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying to @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to kernel space. */

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] KVM: s390: gaccess: Check if guest address is in memslot" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e8061f06185be0a06a73760d6526b8b0feadfe52 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101823-tractor-twitter-a318@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e8061f06185be0a06a73760d6526b8b0feadfe52 Mon Sep 17 00:00:00 2001 From: Nico Boehr <nrb(a)linux.ibm.com> Date: Tue, 17 Sep 2024 17:18:33 +0200 Subject: [PATCH] KVM: s390: gaccess: Check if guest address is in memslot Previously, access_guest_page() did not check whether the given guest address is inside of a memslot. This is not a problem, since kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case. However, -EFAULT is also returned when copy_to/from_user fails. When emulating a guest instruction, the address being outside a memslot usually means that an addressing exception should be injected into the guest. Failure in copy_to/from_user however indicates that something is wrong in userspace and hence should be handled there. To be able to distinguish these two cases, return PGM_ADDRESSING in access_guest_page() when the guest address is outside guest memory. In access_guest_real(), populate vcpu->arch.pgm.code such that kvm_s390_inject_prog_cond() can be used in the caller for injecting into the guest (if applicable). Since this adds a new return value to access_guest_page(), we need to make sure that other callers are not confused by the new positive return value. There are the following users of access_guest_page(): - access_guest_with_key() does the checking itself (in guest_range_to_gpas()), so this case should never happen. Even if, the handling is set up properly. - access_guest_real() just passes the return code to its callers, which are: - read_guest_real() - see below - write_guest_real() - see below There are the following users of read_guest_real(): - ar_translation() in gaccess.c which already returns PGM_* - setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always return -EFAULT on read_guest_read() nonzero return - no change - shadow_crycb(), handle_stfle() always present this as validity, this could be handled better but doesn't change current behaviour - no change There are the following users of write_guest_real(): - kvm_s390_store_status_unloaded() always returns -EFAULT on write_guest_real() failure. Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions") Cc: stable(a)vger.kernel.org Signed-off-by: Nico Boehr <nrb(a)linux.ibm.com> Reviewed-by: Heiko Carstens <hca(a)linux.ibm.com> Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com Acked-by: Janosch Frank <frankja(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c index e65f597e3044..a688351f4ab5 100644 --- a/arch/s390/kvm/gaccess.c +++ b/arch/s390/kvm/gaccess.c @@ -828,6 +828,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa, const gfn_t gfn = gpa_to_gfn(gpa); int rc; + if (!gfn_to_memslot(kvm, gfn)) + return PGM_ADDRESSING; if (mode == GACC_STORE) rc = kvm_write_guest_page(kvm, gfn, data, offset, len); else @@ -985,6 +987,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, gra += fragment_len; data += fragment_len; } + if (rc > 0) + vcpu->arch.pgm.code = rc; return rc; } diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h index b320d12aa049..3fde45a151f2 100644 --- a/arch/s390/kvm/gaccess.h +++ b/arch/s390/kvm/gaccess.h @@ -405,11 +405,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data, * @len: number of bytes to copy * * Copy @len bytes from @data (kernel space) to @gra (guest real address). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest low address and key protection are not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying from @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to guest memory. */ @@ -428,11 +429,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data, * @len: number of bytes to copy * * Copy @len bytes from @gra (guest real address) to @data (kernel space). - * It is up to the caller to ensure that the entire guest memory range is - * valid memory before calling this function. * Guest key protection is not checked. * - * Returns zero on success or -EFAULT on error. + * Returns zero on success, -EFAULT when copying to @data failed, or + * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info + * is also stored to allow injecting into the guest (if applicable) using + * kvm_s390_inject_prog_cond(). * * If an error occurs data may have been copied partially to kernel space. */

8 months, 2 weeks

1
0
0 0

[PATCH 5.10] gfs2: Fix potential glock use-after-free on unmount

by He Zhe

From: Andreas Gruenbacher <agruenba(a)redhat.com> commit 0636b34b44589b142700ac137b5f69802cfe2e37 upstream. When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead. Fixes: fb6791d100d1b ("GFS2: skip dlm_unlock calls in unmount") Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Cc: David Teigland <teigland(a)redhat.com> CVE: CVE-2024-38570 [Zhe: sd_glock_wait in gfs2_glock_free_later is not renamed to sd_kill_wait yet. So still use sd_glock_wait in gfs2_glock_free_later in this case.] Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- fs/gfs2/glock.c | 35 ++++++++++++++++++++++++++++++++--- fs/gfs2/glock.h | 1 + fs/gfs2/incore.h | 1 + fs/gfs2/lock_dlm.c | 13 +++++++++++-- fs/gfs2/ops_fstype.c | 1 + fs/gfs2/super.c | 3 --- 6 files changed, 46 insertions(+), 8 deletions(-) diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c index b0f01a8e3776..11206d810344 100644 --- a/fs/gfs2/glock.c +++ b/fs/gfs2/glock.c @@ -159,19 +159,46 @@ static bool glock_blocked_by_withdraw(struct gfs2_glock *gl) return true; } -void gfs2_glock_free(struct gfs2_glock *gl) +static void __gfs2_glock_free(struct gfs2_glock *gl) { - struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; - gfs2_glock_assert_withdraw(gl, atomic_read(&gl->gl_revokes) == 0); rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms); smp_mb(); wake_up_glock(gl); call_rcu(&gl->gl_rcu, gfs2_glock_dealloc); +} + +void gfs2_glock_free(struct gfs2_glock *gl) { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; + + __gfs2_glock_free(gl); if (atomic_dec_and_test(&sdp->sd_glock_disposal)) wake_up(&sdp->sd_glock_wait); } +void gfs2_glock_free_later(struct gfs2_glock *gl) { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; + + spin_lock(&lru_lock); + list_add(&gl->gl_lru, &sdp->sd_dead_glocks); + spin_unlock(&lru_lock); + if (atomic_dec_and_test(&sdp->sd_glock_disposal)) + wake_up(&sdp->sd_glock_wait); +} + +static void gfs2_free_dead_glocks(struct gfs2_sbd *sdp) +{ + struct list_head *list = &sdp->sd_dead_glocks; + + while(!list_empty(list)) { + struct gfs2_glock *gl; + + gl = list_first_entry(list, struct gfs2_glock, gl_lru); + list_del_init(&gl->gl_lru); + __gfs2_glock_free(gl); + } +} + /** * gfs2_glock_hold() - increment reference count on glock * @gl: The glock to hold @@ -2016,6 +2043,8 @@ void gfs2_gl_hash_clear(struct gfs2_sbd *sdp) wait_event_timeout(sdp->sd_glock_wait, atomic_read(&sdp->sd_glock_disposal) == 0, HZ * 600); + gfs2_lm_unmount(sdp); + gfs2_free_dead_glocks(sdp); glock_hash_walk(dump_glock_func, sdp); } diff --git a/fs/gfs2/glock.h b/fs/gfs2/glock.h index 53813364517b..b81b369e7485 100644 --- a/fs/gfs2/glock.h +++ b/fs/gfs2/glock.h @@ -253,6 +253,7 @@ extern void gfs2_glock_finish_truncate(struct gfs2_inode *ip); extern void gfs2_glock_thaw(struct gfs2_sbd *sdp); extern void gfs2_glock_add_to_lru(struct gfs2_glock *gl); extern void gfs2_glock_free(struct gfs2_glock *gl); +extern void gfs2_glock_free_later(struct gfs2_glock *gl); extern int __init gfs2_glock_init(void); extern void gfs2_glock_exit(void); diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h index f8858d995b24..44cee9a4eef6 100644 --- a/fs/gfs2/incore.h +++ b/fs/gfs2/incore.h @@ -863,6 +863,7 @@ struct gfs2_sbd { struct gfs2_holder sd_freeze_gh; atomic_t sd_freeze_state; struct mutex sd_freeze_mutex; + struct list_head sd_dead_glocks; char sd_fsname[GFS2_FSNAME_LEN + 3 * sizeof(int) + 2]; char sd_table_name[GFS2_FSNAME_LEN]; diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c index 5564aa8b4592..9aad03f0dcdf 100644 --- a/fs/gfs2/lock_dlm.c +++ b/fs/gfs2/lock_dlm.c @@ -118,6 +118,11 @@ static void gdlm_ast(void *arg) struct gfs2_glock *gl = arg; unsigned ret = gl->gl_state; + /* If the glock is dead, we only react to a dlm_unlock() reply. */ + if (__lockref_is_dead(&gl->gl_lockref) && + gl->gl_lksb.sb_status != -DLM_EUNLOCK) + return; + gfs2_update_reply_times(gl); BUG_ON(gl->gl_lksb.sb_flags & DLM_SBF_DEMOTED); @@ -168,6 +173,9 @@ static void gdlm_bast(void *arg, int mode) { struct gfs2_glock *gl = arg; + if (__lockref_is_dead(&gl->gl_lockref)) + return; + switch (mode) { case DLM_LOCK_EX: gfs2_glock_cb(gl, LM_ST_UNLOCKED); @@ -286,6 +294,8 @@ static void gdlm_put_lock(struct gfs2_glock *gl) struct lm_lockstruct *ls = &sdp->sd_lockstruct; int error; + BUG_ON(!__lockref_is_dead(&gl->gl_lockref)); + if (gl->gl_lksb.sb_lkid == 0) { gfs2_glock_free(gl); return; @@ -305,7 +315,7 @@ static void gdlm_put_lock(struct gfs2_glock *gl) if (test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags) && !gl->gl_lksb.sb_lvbptr) { - gfs2_glock_free(gl); + gfs2_glock_free_later(gl); return; } @@ -315,7 +325,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl) fs_err(sdp, "gdlm_unlock %x,%llx err=%d\n", gl->gl_name.ln_type, (unsigned long long)gl->gl_name.ln_number, error); - return; } } diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index 648f7336043f..4a8c070d14cf 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -141,6 +141,7 @@ static struct gfs2_sbd *init_sbd(struct super_block *sb) init_waitqueue_head(&sdp->sd_log_flush_wait); atomic_set(&sdp->sd_freeze_state, SFS_UNFROZEN); mutex_init(&sdp->sd_freeze_mutex); + INIT_LIST_HEAD(&sdp->sd_dead_glocks); return sdp; diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c index 8cf4ef61cdc4..039d678b1689 100644 --- a/fs/gfs2/super.c +++ b/fs/gfs2/super.c @@ -662,10 +662,7 @@ static void gfs2_put_super(struct super_block *sb) gfs2_gl_hash_clear(sdp); truncate_inode_pages_final(&sdp->sd_aspace); gfs2_delete_debugfs_file(sdp); - /* Unmount the locking protocol */ - gfs2_lm_unmount(sdp); - /* At this point, we're through participating in the lockspace */ gfs2_sys_fs_del(sdp); free_sbd(sdp); } -- 2.25.1

8 months, 2 weeks

2
9
0 0

[PATCH 4.19] net: dsa: mv88e6xxx: Fix out-of-bound access

by hsimeliere.opensource＠witekio.com

From: Joseph Huang <Joseph.Huang(a)garmin.com> commit 528876d867a23b5198022baf2e388052ca67c952 upstream. If an ATU violation was caused by a CPU Load operation, the SPID could be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array). Fixes: 75c05a74e745 ("net: dsa: mv88e6xxx: Fix counting of ATU violations") Signed-off-by: Joseph Huang <Joseph.Huang(a)garmin.com> Reviewed-by: Andrew Lunn <andrew(a)lunn.ch> Link: https://patch.msgid.link/20240819235251.1331763-1-Joseph.Huang@garmin.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c index ea243840ee0f..aca35c9d9fbd 100644 --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c @@ -363,7 +363,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id) dev_err_ratelimited(chip->dev, "ATU full violation for %pM portvec %x spid %d\n", entry.mac, entry.portvec, spid); - chip->ports[spid].atu_full_violation++; + if (spid < ARRAY_SIZE(chip->ports)) + chip->ports[spid].atu_full_violation++; } mutex_unlock(&chip->reg_lock); -- 2.43.0

8 months, 2 weeks

1
0
0 0

[PATCH 05/13] media: mgb4: protect driver against spectre

by Mauro Carvalho Chehab

Frequency range is set from sysfs via frequency_range_store(), being vulnerable to spectre, as reported by smatch: drivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r] drivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half. 'reg_set' Fix it. Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> --- drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/pci/mgb4/mgb4_cmt.c b/drivers/media/pci/mgb4/mgb4_cmt.c index 70dc78ef193c..a25b68403bc6 100644 --- a/drivers/media/pci/mgb4/mgb4_cmt.c +++ b/drivers/media/pci/mgb4/mgb4_cmt.c @@ -227,6 +227,8 @@ void mgb4_cmt_set_vin_freq_range(struct mgb4_vin_dev *vindev, u32 config; size_t i; + freq_range = array_index_nospec(freq_range, ARRAY_SIZE(cmt_vals_in)); + addr = cmt_addrs_in[vindev->config->id]; reg_set = cmt_vals_in[freq_range]; -- 2.47.0

8 months, 2 weeks

2
3
0 0

[PATCH v2] remoteproc: qcom_q6v5_pas: disable auto boot for wpss

by Balaji Pothunoori

Currently, the rproc "atomic_t power" variable is incremented during: a. WPSS rproc auto boot. b. AHB power on for ath11k. During AHB power off (rmmod ath11k_ahb.ko), rproc_shutdown fails to unload the WPSS firmware because the rproc->power value is '2', causing the atomic_dec_and_test(&rproc->power) condition to fail. Consequently, during AHB power on (insmod ath11k_ahb.ko), QMI_WLANFW_HOST_CAP_REQ_V01 fails due to the host and firmware QMI states being out of sync. Fixes: 300ed425dfa9 ("remoteproc: qcom_q6v5_pas: Add SC7280 ADSP, CDSP & WPSS") Cc: stable(a)vger.kernel.org Signed-off-by: Balaji Pothunoori <quic_bpothuno(a)quicinc.com> --- v2: updated commit text. added Fixes/cc:stable tags. drivers/remoteproc/qcom_q6v5_pas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c index ef82835e98a4..05963d7924df 100644 --- a/drivers/remoteproc/qcom_q6v5_pas.c +++ b/drivers/remoteproc/qcom_q6v5_pas.c @@ -1344,7 +1344,7 @@ static const struct adsp_data sc7280_wpss_resource = { .crash_reason_smem = 626, .firmware_name = "wpss.mdt", .pas_id = 6, - .auto_boot = true, + .auto_boot = false, .proxy_pd_names = (char*[]){ "cx", "mx", -- 2.34.1

8 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: prevent MPC handshake on port-based signal endpoints" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 3d041393ea8c815f773020fb4a995331a69c0139 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101809-refinish-concave-f892@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d041393ea8c815f773020fb4a995331a69c0139 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Mon, 14 Oct 2024 16:06:00 +0200 Subject: [PATCH] mptcp: prevent MPC handshake on port-based signal endpoints Syzkaller reported a lockdep splat: ============================================ WARNING: possible recursive locking detected 6.11.0-rc6-syzkaller-00019-g67784a74e258 #0 Not tainted -------------------------------------------- syz-executor364/5113 is trying to acquire lock: ffff8880449f1958 (k-slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff8880449f1958 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328 but task is already holding lock: ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(k-slock-AF_INET); lock(k-slock-AF_INET); *** DEADLOCK *** May be due to missing lock nesting notation 7 locks held by syz-executor364/5113: #0: ffff8880449f0e18 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline] #0: ffff8880449f0e18 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x153/0x1b10 net/mptcp/protocol.c:1806 #1: ffff88803fe39ad8 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline] #1: ffff88803fe39ad8 (k-sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg_fastopen+0x11f/0x530 net/mptcp/protocol.c:1727 #2: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline] #2: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #2: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x5f/0x1b80 net/ipv4/ip_output.c:470 #3: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline] #3: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #3: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1390 net/ipv4/ip_output.c:228 #4: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] #4: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x33b/0x15b0 net/core/dev.c:6104 #5: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline] #5: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #5: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x230/0x5f0 net/ipv4/ip_input.c:232 #6: ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] #6: ffff88803fe3cb58 (k-slock-AF_INET){+.-.}-{2:2}, at: sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328 stack backtrace: CPU: 0 UID: 0 PID: 5113 Comm: syz-executor364 Not tainted 6.11.0-rc6-syzkaller-00019-g67784a74e258 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 check_deadlock kernel/locking/lockdep.c:3061 [inline] validate_chain+0x15d3/0x5900 kernel/locking/lockdep.c:3855 __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] sk_clone_lock+0x2cd/0xf40 net/core/sock.c:2328 mptcp_sk_clone_init+0x32/0x13c0 net/mptcp/protocol.c:3279 subflow_syn_recv_sock+0x931/0x1920 net/mptcp/subflow.c:874 tcp_check_req+0xfe4/0x1a20 net/ipv4/tcp_minisocks.c:853 tcp_v4_rcv+0x1c3e/0x37f0 net/ipv4/tcp_ipv4.c:2267 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] __dev_queue_xmit+0x1763/0x3e90 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:235 ip_local_out net/ipv4/ip_output.c:129 [inline] __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:535 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6542 [inline] tcp_rcv_state_process+0x2c32/0x4570 net/ipv4/tcp_input.c:6729 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1934 sk_backlog_rcv include/net/sock.h:1111 [inline] __release_sock+0x214/0x350 net/core/sock.c:3004 release_sock+0x61/0x1f0 net/core/sock.c:3558 mptcp_sendmsg_fastopen+0x1ad/0x530 net/mptcp/protocol.c:1733 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1812 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 __do_sys_sendmmsg net/socket.c:2766 [inline] __se_sys_sendmmsg net/socket.c:2763 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f04fb13a6b9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd651f42d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f04fb13a6b9 RDX: 0000000000000001 RSI: 0000000020000d00 RDI: 0000000000000004 RBP: 00007ffd651f4310 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000020000080 R11: 0000000000000246 R12: 00000000000f4240 R13: 00007f04fb187449 R14: 00007ffd651f42f4 R15: 00007ffd651f4300 </TASK> As noted by Cong Wang, the splat is false positive, but the code path leading to the report is an unexpected one: a client is attempting an MPC handshake towards the in-kernel listener created by the in-kernel PM for a port based signal endpoint. Such connection will be never accepted; many of them can make the listener queue full and preventing the creation of MPJ subflow via such listener - its intended role. Explicitly detect this scenario at initial-syn time and drop the incoming MPC request. Fixes: 1729cf186d8a ("mptcp: create the listening socket for new port") Cc: stable(a)vger.kernel.org Reported-by: syzbot+f4aacdfef2c6a6529c3e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f4aacdfef2c6a6529c3e Cc: Cong Wang <cong.wang(a)bytedance.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20241014-net-mptcp-mpc-port-endp-v2-1-7faea8e6b6ae… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/mib.c b/net/mptcp/mib.c index ad88bd3c58df..19eb9292bd60 100644 --- a/net/mptcp/mib.c +++ b/net/mptcp/mib.c @@ -17,6 +17,7 @@ static const struct snmp_mib mptcp_snmp_list[] = { SNMP_MIB_ITEM("MPCapableFallbackSYNACK", MPTCP_MIB_MPCAPABLEACTIVEFALLBACK), SNMP_MIB_ITEM("MPCapableSYNTXDrop", MPTCP_MIB_MPCAPABLEACTIVEDROP), SNMP_MIB_ITEM("MPCapableSYNTXDisabled", MPTCP_MIB_MPCAPABLEACTIVEDISABLED), + SNMP_MIB_ITEM("MPCapableEndpAttempt", MPTCP_MIB_MPCAPABLEENDPATTEMPT), SNMP_MIB_ITEM("MPFallbackTokenInit", MPTCP_MIB_TOKENFALLBACKINIT), SNMP_MIB_ITEM("MPTCPRetrans", MPTCP_MIB_RETRANSSEGS), SNMP_MIB_ITEM("MPJoinNoTokenFound", MPTCP_MIB_JOINNOTOKEN), diff --git a/net/mptcp/mib.h b/net/mptcp/mib.h index 3206cdda8bb1..128282982843 100644 --- a/net/mptcp/mib.h +++ b/net/mptcp/mib.h @@ -12,6 +12,7 @@ enum linux_mptcp_mib_field { MPTCP_MIB_MPCAPABLEACTIVEFALLBACK, /* Client-side fallback during 3-way handshake */ MPTCP_MIB_MPCAPABLEACTIVEDROP, /* Client-side fallback due to a MPC drop */ MPTCP_MIB_MPCAPABLEACTIVEDISABLED, /* Client-side disabled due to past issues */ + MPTCP_MIB_MPCAPABLEENDPATTEMPT, /* Prohibited MPC to port-based endp */ MPTCP_MIB_TOKENFALLBACKINIT, /* Could not init/allocate token */ MPTCP_MIB_RETRANSSEGS, /* Segments retransmitted at the MPTCP-level */ MPTCP_MIB_JOINNOTOKEN, /* Received MP_JOIN but the token was not found */ diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index f6f0a38a0750..1a78998fe1f4 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -1121,6 +1121,7 @@ static int mptcp_pm_nl_create_listen_socket(struct sock *sk, */ inet_sk_state_store(newsk, TCP_LISTEN); lock_sock(ssk); + WRITE_ONCE(mptcp_subflow_ctx(ssk)->pm_listener, true); err = __inet_listen_sk(ssk, backlog); if (!err) mptcp_event_pm_listener(ssk, MPTCP_EVENT_LISTENER_CREATED); diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 74417aae08d0..568a72702b08 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -535,6 +535,7 @@ struct mptcp_subflow_context { __unused : 8; bool data_avail; bool scheduled; + bool pm_listener; /* a listener managed by the kernel PM? */ u32 remote_nonce; u64 thmac; u32 local_nonce; diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 25dde81bcb75..6170f2fff71e 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -132,6 +132,13 @@ static void subflow_add_reset_reason(struct sk_buff *skb, u8 reason) } } +static int subflow_reset_req_endp(struct request_sock *req, struct sk_buff *skb) +{ + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEENDPATTEMPT); + subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); + return -EPERM; +} + /* Init mptcp request socket. * * Returns an error code if a JOIN has failed and a TCP reset @@ -165,6 +172,8 @@ static int subflow_check_req(struct request_sock *req, if (opt_mp_capable) { SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEPASSIVE); + if (unlikely(listener->pm_listener)) + return subflow_reset_req_endp(req, skb); if (opt_mp_join) return 0; } else if (opt_mp_join) { @@ -172,6 +181,8 @@ static int subflow_check_req(struct request_sock *req, if (mp_opt.backup) SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINSYNBACKUPRX); + } else if (unlikely(listener->pm_listener)) { + return subflow_reset_req_endp(req, skb); } if (opt_mp_capable && listener->request_mptcp) {

8 months, 2 weeks

3
2
0 0

[PATCH 5.10 5.15 1/3] io_uring/sqpoll: do not allow pinning outside of cpuset

by Felix Moessbauer

commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream. The submit queue polling threads are userland threads that just never exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF, the affinity of the poller thread is set to the cpu specified in sq_thread_cpu. However, this CPU can be outside of the cpuset defined by the cgroup cpuset controller. This violates the rules defined by the cpuset controller and is a potential issue for realtime applications. In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in case no explicit pinning is required by inheriting the one of the creating task. In case of explicit pinning, the check is more complicated, as also a cpu outside of the parent cpumask is allowed. We implemented this by using cpuset_cpus_allowed (that has support for cgroup cpusets) and testing if the requested cpu is in the set. Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker") Signed-off-by: Felix Moessbauer <felix.moessbauer(a)siemens.com> Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.c… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- io_uring/io_uring.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 8ed2c65529714..6b6fd244233f8 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -56,6 +56,7 @@ #include <linux/mm.h> #include <linux/mman.h> #include <linux/percpu.h> +#include <linux/cpuset.h> #include <linux/slab.h> #include <linux/blkdev.h> #include <linux/bvec.h> @@ -8746,10 +8747,12 @@ static int io_sq_offload_create(struct io_ring_ctx *ctx, return 0; if (p->flags & IORING_SETUP_SQ_AFF) { + struct cpumask allowed_mask; int cpu = p->sq_thread_cpu; ret = -EINVAL; - if (cpu >= nr_cpu_ids || !cpu_online(cpu)) + cpuset_cpus_allowed(current, &allowed_mask); + if (!cpumask_test_cpu(cpu, &allowed_mask)) goto err_sqpoll; sqd->sq_cpu = cpu; } else { -- 2.39.5

8 months, 2 weeks

2
3
0 0

[PATCH 5.10 0/1] wifi: rtl8xxxu: Fix the error handling of the probe function

by Daniil Dulov

Svacer reports a NULL-pointer dereference in rtl8xxxu_probe(). After having been compared to a NULL value, pointer hw is passed as 1st parameter in call to ieee80211_free_hw(), where it is dereferenced. The problem is present in 5.10 stable release and can be fixed by the following upstream patch that can be cleanly applied to 5.10 branch.

8 months, 2 weeks

1
1
0 0

FAILED: patch "[PATCH] tcp: fix mptcp DSS corruption due to large pmtu xmit" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 4dabcdf581217e60690467a37c956a5b8dbc6bd9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101432-shucking-snagged-7c42@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 4dabcdf58121 ("tcp: fix mptcp DSS corruption due to large pmtu xmit") 65249feb6b3d ("net: add support for skbs with unreadable frags") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4dabcdf581217e60690467a37c956a5b8dbc6bd9 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 8 Oct 2024 13:04:53 +0200 Subject: [PATCH] tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff RSP: 0018:ffffc90000006db8 EFLAGS: 00010246 RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00 RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0 RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8 R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000 R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5 FS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> move_skbs_to_msk net/mptcp/protocol.c:811 [inline] mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854 subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490 tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283 tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5662 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napi_poll+0xcb/0x490 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451 dev_queue_xmit include/linux/netdevice.h:3094 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 ip_local_out net/ipv4/ip_output.c:130 [inline] __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline] tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015 tcp_push_pending_frames include/net/tcp.h:2107 [inline] tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline] tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x214/0x350 net/core/sock.c:3072 release_sock+0x61/0x1f0 net/core/sock.c:3626 mptcp_push_release net/mptcp/protocol.c:1486 [inline] __mptcp_push_pending+0x6b5/0x9f0 net/mptcp/protocol.c:1625 mptcp_sendmsg+0x10bb/0x1b10 net/mptcp/protocol.c:1903 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2603 ___sys_sendmsg net/socket.c:2657 [inline] __sys_sendmsg+0x2aa/0x390 net/socket.c:2686 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb06e9317f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe2cfd4f98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fb06e97f468 RCX: 00007fb06e9317f9 RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005 RBP: 00007fb06e97f446 R08: 0000555500000000 R09: 0000555500000000 R10: 0000555500000000 R11: 0000000000000246 R12: 00007fb06e97f406 R13: 0000000000000001 R14: 00007ffe2cfd4fe0 R15: 0000000000000003 </TASK> Additionally syzkaller provided a nice reproducer. The repro enables pmtu on the loopback device, leading to tcp_mtu_probe() generating very large probe packets. tcp_can_coalesce_send_queue_head() currently does not check for mptcp-level invariants, and allowed the creation of cross-DSS probes, leading to the mentioned corruption. Address the issue teaching tcp_can_coalesce_send_queue_head() about mptcp using the tcp_skb_can_collapse(), also reducing the code duplication. Fixes: 85712484110d ("tcp: coalesce/collapse must respect MPTCP extensions") Cc: stable(a)vger.kernel.org Reported-by: syzbot+d1bff73460e33101f0e7(a)syzkaller.appspotmail.com Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/513 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Acked-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20241008-net-mptcp-fallback-fixes-v1-2-c6fb8e93e55… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 4fd746bd4d54..68804fd01daf 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2342,10 +2342,7 @@ static bool tcp_can_coalesce_send_queue_head(struct sock *sk, int len) if (len <= skb->len) break; - if (unlikely(TCP_SKB_CB(skb)->eor) || - tcp_has_tx_tstamp(skb) || - !skb_pure_zcopy_same(skb, next) || - skb_frags_readable(skb) != skb_frags_readable(next)) + if (tcp_has_tx_tstamp(skb) || !tcp_skb_can_collapse(skb, next)) return false; len -= skb->len;

8 months, 2 weeks

3
2
0 0

[PATCH 6.1.y 5.15.y] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

by Sherry Yang

From: "Wachowski, Karol" <karol.wachowski(a)intel.com> commit 39bc27bd688066a63e56f7f64ad34fae03fbe3b8 upstream. Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Return -EINVAL early if COW mapping is detected. This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example: void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); ptr[0] = 0; Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") Cc: Noralf Trønnes <noralf(a)tronnes.org> Cc: Eric Anholt <eric(a)anholt.net> Cc: Rob Herring <robh(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.2+ Signed-off-by: Wachowski, Karol <karol.wachowski(a)intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20240520100514.925681-1-jacek… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Sherry: bp to fix CVE-2024-39497, ignore context change due to missing commit 21aa27ddc582 ("drm/shmem-helper: Switch to reservation lock")] Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> --- drivers/gpu/drm/drm_gem_shmem_helper.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index e33f06bb66eb..fb8093577245 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -638,6 +638,9 @@ int drm_gem_shmem_mmap(struct drm_gem_shmem_object *shmem, struct vm_area_struct return ret; } + if (is_cow_mapping(vma->vm_flags)) + return -EINVAL; + ret = drm_gem_shmem_get_pages(shmem); if (ret) return ret; -- 2.46.0

8 months, 2 weeks

2
1
0 0

[PATCH 5.15, 5.10, 5.4, 4.19 1/1] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

by Saeed Mirzamohammadi

From: Breno Leitao <leitao(a)debian.org> commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb upstream. Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000 Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin") Cc: stable(a)vger.kernel.org # 4.19+ Signed-off-by: Breno Leitao <leitao(a)debian.org> Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> (cherry picked from commit 92c77807d938145c7c3350c944ef9f39d7f6017c) Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- virt/kvm/kvm_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 801ab0635bc32..8734d5bbd951e 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -3525,12 +3525,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) { struct kvm *kvm = me->kvm; struct kvm_vcpu *vcpu; - int last_boosted_vcpu = me->kvm->last_boosted_vcpu; + int last_boosted_vcpu; int yielded = 0; int try = 3; int pass; int i; + last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu); kvm_vcpu_set_in_spin_loop(me, true); /* * We boost the priority of a VCPU that is runnable but not @@ -3561,7 +3562,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) yielded = kvm_vcpu_yield_to(vcpu); if (yielded > 0) { - kvm->last_boosted_vcpu = i; + WRITE_ONCE(kvm->last_boosted_vcpu, i); break; } else if (yielded < 0) { try--; -- 2.46.0

8 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] maple_tree: correct tree corruption on spanning store" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bea07fd63192b61209d48cbb81ef474cc3ee4c62 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101840-army-handstand-92f8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bea07fd63192b61209d48cbb81ef474cc3ee4c62 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Mon, 7 Oct 2024 16:28:32 +0100 Subject: [PATCH] maple_tree: correct tree corruption on spanning store Patch series "maple_tree: correct tree corruption on spanning store", v3. There has been a nasty yet subtle maple tree corruption bug that appears to have been in existence since the inception of the algorithm. This bug seems far more likely to happen since commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()"), which is the point at which reports started to be submitted concerning this bug. We were made definitely aware of the bug thanks to the kind efforts of Bert Karwatzki who helped enormously in my being able to track this down and identify the cause of it. The bug arises when an attempt is made to perform a spanning store across two leaf nodes, where the right leaf node is the rightmost child of the shared parent, AND the store completely consumes the right-mode node. This results in mas_wr_spanning_store() mitakenly duplicating the new and existing entries at the maximum pivot within the range, and thus maple tree corruption. The fix patch corrects this by detecting this scenario and disallowing the mistaken duplicate copy. The fix patch commit message goes into great detail as to how this occurs. This series also includes a test which reliably reproduces the issue, and asserts that the fix works correctly. Bert has kindly tested the fix and confirmed it resolved his issues. Also Mikhail Gavrilov kindly reported what appears to be precisely the same bug, which this fix should also resolve. This patch (of 2): There has been a subtle bug present in the maple tree implementation from its inception. This arises from how stores are performed - when a store occurs, it will overwrite overlapping ranges and adjust the tree as necessary to accommodate this. A range may always ultimately span two leaf nodes. In this instance we walk the two leaf nodes, determine which elements are not overwritten to the left and to the right of the start and end of the ranges respectively and then rebalance the tree to contain these entries and the newly inserted one. This kind of store is dubbed a 'spanning store' and is implemented by mas_wr_spanning_store(). In order to reach this stage, mas_store_gfp() invokes mas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to walk the tree and update the object (mas) to traverse to the location where the write should be performed, determining its store type. When a spanning store is required, this function returns false stopping at the parent node which contains the target range, and mas_wr_store_type() marks the mas->store_type as wr_spanning_store to denote this fact. When we go to perform the store in mas_wr_spanning_store(), we first determine the elements AFTER the END of the range we wish to store (that is, to the right of the entry to be inserted) - we do this by walking to the NEXT pivot in the tree (i.e. r_mas.last + 1), starting at the node we have just determined contains the range over which we intend to write. We then turn our attention to the entries to the left of the entry we are inserting, whose state is represented by l_mas, and copy these into a 'big node', which is a special node which contains enough slots to contain two leaf node's worth of data. We then copy the entry we wish to store immediately after this - the copy and the insertion of the new entry is performed by mas_store_b_node(). After this we copy the elements to the right of the end of the range which we are inserting, if we have not exceeded the length of the node (i.e. r_mas.offset <= r_mas.end). Herein lies the bug - under very specific circumstances, this logic can break and corrupt the maple tree. Consider the following tree: Height 0 Root Node / \ pivot = 0xffff / \ pivot = ULONG_MAX / \ 1 A [-----] ... / \ pivot = 0x4fff / \ pivot = 0xffff / \ 2 (LEAVES) B [-----] [-----] C ^--- Last pivot 0xffff. Now imagine we wish to store an entry in the range [0x4000, 0xffff] (note that all ranges expressed in maple tree code are inclusive): 1. mas_store_gfp() descends the tree, finds node A at <=0xffff, then determines that this is a spanning store across nodes B and C. The mas state is set such that the current node from which we traverse further is node A. 2. In mas_wr_spanning_store() we try to find elements to the right of pivot 0xffff by searching for an index of 0x10000: - mas_wr_walk_index() invokes mas_wr_walk_descend() and mas_wr_node_walk() in turn. - mas_wr_node_walk() loops over entries in node A until EITHER it finds an entry whose pivot equals or exceeds 0x10000 OR it reaches the final entry. - Since no entry has a pivot equal to or exceeding 0x10000, pivot 0xffff is selected, leading to node C. - mas_wr_walk_traverse() resets the mas state to traverse node C. We loop around and invoke mas_wr_walk_descend() and mas_wr_node_walk() in turn once again. - Again, we reach the last entry in node C, which has a pivot of 0xffff. 3. We then copy the elements to the left of 0x4000 in node B to the big node via mas_store_b_node(), and insert the new [0x4000, 0xffff] entry too. 4. We determine whether we have any entries to copy from the right of the end of the range via - and with r_mas set up at the entry at pivot 0xffff, r_mas.offset <= r_mas.end, and then we DUPLICATE the entry at pivot 0xffff. 5. BUG! The maple tree is corrupted with a duplicate entry. This requires a very specific set of circumstances - we must be spanning the last element in a leaf node, which is the last element in the parent node. spanning store across two leaf nodes with a range that ends at that shared pivot. A potential solution to this problem would simply be to reset the walk each time we traverse r_mas, however given the rarity of this situation it seems that would be rather inefficient. Instead, this patch detects if the right hand node is populated, i.e. has anything we need to copy. We do so by only copying elements from the right of the entry being inserted when the maximum value present exceeds the last, rather than basing this on offset position. The patch also updates some comments and eliminates the unused bool return value in mas_wr_walk_index(). The work performed in commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()") seems to have made the probability of this event much more likely, which is the point at which reports started to be submitted concerning this bug. The motivation for this change arose from Bert Karwatzki's report of encountering mm instability after the release of kernel v6.12-rc1 which, after the use of CONFIG_DEBUG_VM_MAPLE_TREE and similar configuration options, was identified as maple tree corruption. After Bert very generously provided his time and ability to reproduce this event consistently, I was able to finally identify that the issue discussed in this commit message was occurring for him. Link: https://lkml.kernel.org/r/cover.1728314402.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/48b349a2a0f7c76e18772712d0997a5e12ab0a3b.17283144… Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Bert Karwatzki <spasswolf(a)web.de> Closes: https://lore.kernel.org/all/20241001023402.3374-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf(a)web.de> Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov(a)gmail.com> Closes: https://lore.kernel.org/all/CABXGCsOPwuoNOqSMmAvWO2Fz4TEmPnjFj-b7iF+XFRu1h7… Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov(a)gmail.com> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/lib/maple_tree.c b/lib/maple_tree.c index ce7c7a7a8258..3619301dda2e 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -2196,6 +2196,8 @@ static inline void mas_node_or_none(struct ma_state *mas, /* * mas_wr_node_walk() - Find the correct offset for the index in the @mas. + * If @mas->index cannot be found within the containing + * node, we traverse to the last entry in the node. * @wr_mas: The maple write state * * Uses mas_slot_locked() and does not need to worry about dead nodes. @@ -3532,7 +3534,7 @@ static bool mas_wr_walk(struct ma_wr_state *wr_mas) return true; } -static bool mas_wr_walk_index(struct ma_wr_state *wr_mas) +static void mas_wr_walk_index(struct ma_wr_state *wr_mas) { struct ma_state *mas = wr_mas->mas; @@ -3541,11 +3543,9 @@ static bool mas_wr_walk_index(struct ma_wr_state *wr_mas) wr_mas->content = mas_slot_locked(mas, wr_mas->slots, mas->offset); if (ma_is_leaf(wr_mas->type)) - return true; + return; mas_wr_walk_traverse(wr_mas); - } - return true; } /* * mas_extend_spanning_null() - Extend a store of a %NULL to include surrounding %NULLs. @@ -3765,8 +3765,8 @@ static noinline void mas_wr_spanning_store(struct ma_wr_state *wr_mas) memset(&b_node, 0, sizeof(struct maple_big_node)); /* Copy l_mas and store the value in b_node. */ mas_store_b_node(&l_wr_mas, &b_node, l_mas.end); - /* Copy r_mas into b_node. */ - if (r_mas.offset <= r_mas.end) + /* Copy r_mas into b_node if there is anything to copy. */ + if (r_mas.max > r_mas.last) mas_mab_cp(&r_mas, r_mas.offset, r_mas.end, &b_node, b_node.b_end + 1); else

8 months, 2 weeks

3
2
0 0

[PATCH 2/4] xhci: Mitigate failed set dequeue pointer commands

by Mathias Nyman

Avoid xHC host from processing a cancelled URB by always turning cancelled URB TDs into no-op TRBs before queuing a 'Set TR Deq' command. If the command fails then xHC will start processing the cancelled TD instead of skipping it once endpoint is restarted, causing issues like Babble error. This is not a complete solution as a failed 'Set TR Deq' command does not guarantee xHC TRB caches are cleared. Fixes: 4db356924a50 ("xhci: turn cancelled td cleanup to its own function") Cc: stable(a)vger.kernel.org Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 4d664ba53fe9..7dedf31bbddd 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1023,7 +1023,7 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) td_to_noop(xhci, ring, cached_td, false); cached_td->cancel_status = TD_CLEARED; } - + td_to_noop(xhci, ring, td, false); td->cancel_status = TD_CLEARING_CACHE; cached_td = td; break; -- 2.25.1

8 months, 2 weeks

2
4
0 0

[PATCH v2 08/13] media: ar0521: don't overflow when checking PLL values

by Mauro Carvalho Chehab

The PLL checks are comparing 64 bit integers with 32 bit ones, as reported by Coverity. Depending on the values of the variables, this may underflow. Fix it ensuring that both sides of the expression are u64. Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Acked-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> --- drivers/media/i2c/ar0521.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/ar0521.c b/drivers/media/i2c/ar0521.c index fc27238dd4d3..24873149096c 100644 --- a/drivers/media/i2c/ar0521.c +++ b/drivers/media/i2c/ar0521.c @@ -255,10 +255,10 @@ static u32 calc_pll(struct ar0521_dev *sensor, u32 freq, u16 *pre_ptr, u16 *mult continue; /* Minimum value */ if (new_mult > 254) break; /* Maximum, larger pre won't work either */ - if (sensor->extclk_freq * (u64)new_mult < AR0521_PLL_MIN * + if (sensor->extclk_freq * (u64)new_mult < (u64)AR0521_PLL_MIN * new_pre) continue; - if (sensor->extclk_freq * (u64)new_mult > AR0521_PLL_MAX * + if (sensor->extclk_freq * (u64)new_mult > (u64)AR0521_PLL_MAX * new_pre) break; /* Larger pre won't work either */ new_pll = div64_round_up(sensor->extclk_freq * (u64)new_mult, -- 2.47.0

8 months, 2 weeks

2
1
0 0

[PATCH 5.10 0/1] iommu/amd: Prepare for multiple DMA domain types

by Daniil Dulov

Svacer reports possible dereference of a NULL-pointer in amd_iommu_probe_finalize(). The problem is present in 5.10 stable release and can be fixed by the following upstream patch. In order to apply this patch, the incoming changes had to be manually accepted. This action was necessary due to some differences in the code of amd_iommu_probe_finalize() of the upstream version and 5.10 version of the kernel.

8 months, 2 weeks

2
2
0 0