- Linux-stable-mirror - lists.linaro.org

[PATCH v2 mm-hotfixes 4/5] x86/mm: convert p*d_populate{,_init} to _kernel variants

by Harry Yoo

Introduce p*d_populate_kernel_safe() and convert p*d_populate{,_init}() to p*d_populate_kernel{,_init}() to ensure synchronization of kernel mappings when populating PGD entries. By converting them, we eliminate the risk of forgetting to synchronize top-level page tables after populating PGD entries. Cc: stable(a)vger.kernel.org Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- arch/x86/include/asm/pgalloc.h | 20 ++++++++++++++++++++ arch/x86/mm/init_64.c | 25 +++++++++++++++++++------ arch/x86/mm/kasan_init_64.c | 8 ++++---- 3 files changed, 43 insertions(+), 10 deletions(-) diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index ead834e8141a..aea3b16e7a35 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -122,6 +122,15 @@ static inline void p4d_populate_safe(struct mm_struct *mm, p4d_t *p4d, pud_t *pu set_p4d_safe(p4d, __p4d(_PAGE_TABLE | __pa(pud))); } +static inline void p4d_populate_kernel_safe(unsigned long addr, + p4d_t *p4d, pud_t *pud) +{ + paravirt_alloc_pud(&init_mm, __pa(pud) >> PAGE_SHIFT); + set_p4d_safe(p4d, __p4d(_PAGE_TABLE | __pa(pud))); + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) + arch_sync_kernel_mappings(addr, addr); +} + extern void ___pud_free_tlb(struct mmu_gather *tlb, pud_t *pud); static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pud, @@ -147,6 +156,17 @@ static inline void pgd_populate_safe(struct mm_struct *mm, pgd_t *pgd, p4d_t *p4 set_pgd_safe(pgd, __pgd(_PAGE_TABLE | __pa(p4d))); } +static inline void pgd_populate_kernel_safe(unsigned long addr, + pgd_t *pgd, p4d_t *p4d) +{ + if (!pgtable_l5_enabled()) + return; + paravirt_alloc_p4d(&init_mm, __pa(p4d) >> PAGE_SHIFT); + set_pgd_safe(pgd, __pgd(_PAGE_TABLE | __pa(p4d))); + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) + arch_sync_kernel_mappings(addr, addr); +} + extern void ___p4d_free_tlb(struct mmu_gather *tlb, p4d_t *p4d); static inline void __p4d_free_tlb(struct mmu_gather *tlb, p4d_t *p4d, diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index 3800479022e4..e4922b9c8403 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -75,6 +75,19 @@ DEFINE_POPULATE(pgd_populate, pgd, p4d, init) DEFINE_POPULATE(pud_populate, pud, pmd, init) DEFINE_POPULATE(pmd_populate_kernel, pmd, pte, init) +#define DEFINE_POPULATE_KERNEL(fname, type1, type2, init) \ +static inline void fname##_init(unsigned long addr, \ + type1##_t *arg1, type2##_t *arg2, bool init) \ +{ \ + if (init) \ + fname##_safe(addr, arg1, arg2); \ + else \ + fname(addr, arg1, arg2); \ +} + +DEFINE_POPULATE_KERNEL(pgd_populate_kernel, pgd, p4d, init) +DEFINE_POPULATE_KERNEL(p4d_populate_kernel, p4d, pud, init) + #define DEFINE_ENTRY(type1, type2, init) \ static inline void set_##type1##_init(type1##_t *arg1, \ type2##_t arg2, bool init) \ @@ -255,7 +268,7 @@ static p4d_t *fill_p4d(pgd_t *pgd, unsigned long vaddr) { if (pgd_none(*pgd)) { p4d_t *p4d = (p4d_t *)spp_getpage(); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(vaddr, pgd, p4d); if (p4d != p4d_offset(pgd, 0)) printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n", p4d, p4d_offset(pgd, 0)); @@ -267,7 +280,7 @@ static pud_t *fill_pud(p4d_t *p4d, unsigned long vaddr) { if (p4d_none(*p4d)) { pud_t *pud = (pud_t *)spp_getpage(); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(vaddr, p4d, pud); if (pud != pud_offset(p4d, 0)) printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n", pud, pud_offset(p4d, 0)); @@ -720,7 +733,7 @@ phys_p4d_init(p4d_t *p4d_page, unsigned long paddr, unsigned long paddr_end, page_size_mask, prot, init); spin_lock(&init_mm.page_table_lock); - p4d_populate_init(&init_mm, p4d, pud, init); + p4d_populate_kernel_init(vaddr, p4d, pud, init); spin_unlock(&init_mm.page_table_lock); } @@ -762,10 +775,10 @@ __kernel_physical_mapping_init(unsigned long paddr_start, spin_lock(&init_mm.page_table_lock); if (pgtable_l5_enabled()) - pgd_populate_init(&init_mm, pgd, p4d, init); + pgd_populate_kernel_init(vaddr, pgd, p4d, init); else - p4d_populate_init(&init_mm, p4d_offset(pgd, vaddr), - (pud_t *) p4d, init); + p4d_populate_kernel_init(vaddr, p4d_offset(pgd, vaddr), + (pud_t *) p4d, init); spin_unlock(&init_mm.page_table_lock); pgd_changed = true; diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c index 0539efd0d216..e825952d25b2 100644 --- a/arch/x86/mm/kasan_init_64.c +++ b/arch/x86/mm/kasan_init_64.c @@ -108,7 +108,7 @@ static void __init kasan_populate_p4d(p4d_t *p4d, unsigned long addr, if (p4d_none(*p4d)) { void *p = early_alloc(PAGE_SIZE, nid, true); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } pud = pud_offset(p4d, addr); @@ -128,7 +128,7 @@ static void __init kasan_populate_pgd(pgd_t *pgd, unsigned long addr, if (pgd_none(*pgd)) { p = early_alloc(PAGE_SIZE, nid, true); - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } p4d = p4d_offset(pgd, addr); @@ -255,7 +255,7 @@ static void __init kasan_shallow_populate_p4ds(pgd_t *pgd, if (p4d_none(*p4d)) { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE, true); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } while (p4d++, addr = next, addr != end); } @@ -273,7 +273,7 @@ static void __init kasan_shallow_populate_pgds(void *start, void *end) if (pgd_none(*pgd)) { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE, true); - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } /* -- 2.43.0

3 weeks, 1 day

1
0
0 0

[PATCH v2 mm-hotfixes 3/5] x86/mm: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()

by Harry Yoo

Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). It is inteneded to synchronize page tables via pgd_pouplate_kernel() when 5-level paging is in use and via p4d_pouplate_kernel() when 4-level paging is used. This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...] Cc: stable(a)vger.kernel.org Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Closes: https://lore.kernel.org/linux-mm/20250311114420.240341-1-gwan-gyeong.mun@in… [1] Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- arch/x86/include/asm/pgalloc.h | 2 ++ arch/x86/mm/init_64.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index c88691b15f3c..ead834e8141a 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -10,6 +10,8 @@ #define __HAVE_ARCH_PTE_ALLOC_ONE #define __HAVE_ARCH_PGD_FREE +#define ARCH_PAGE_TABLE_SYNC_MASK \ + (pgtable_l5_enabled() ? PGTBL_PGD_MODIFIED : PGTBL_P4D_MODIFIED) #include <asm-generic/pgalloc.h> static inline int __paravirt_pgd_alloc(struct mm_struct *mm) { return 0; } diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index fdb6cab524f0..3800479022e4 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -223,6 +223,11 @@ static void sync_global_pgds(unsigned long start, unsigned long end) sync_global_pgds_l4(start, end); } +void arch_sync_kernel_mappings(unsigned long start, unsigned long end) +{ + sync_global_pgds(start, end); +} + /* * NOTE: This function is marked __ref because it calls __init function * (alloc_bootmem_pages). It's safe to do it ONLY when after_bootmem == 0. -- 2.43.0

3 weeks, 1 day

1
0
0 0

[PATCH v2 mm-hotfixes 2/5] mm: introduce and use {pgd,p4d}_populate_kernel()

by Harry Yoo

Introduce and use {pgd,p4d}_populate_kernel() in core MM code when populating PGD and P4D entries for the kernel address space. These helpers ensure proper synchronization of page tables when updating the kernel portion of top-level page tables. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile for following reasons: 1) It is easy to forget to perform the necessary page table synchronization when introducing new changes. For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory savings for compound devmaps") overlooked the need to synchronize page tables for the vmemmap area. 2) It is also easy to overlook that the vmemmap and direct mapping areas must not be accessed before explicit page table synchronization. For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges")) caused crashes by accessing the vmemmap area before calling sync_global_pgds(). To address this, as suggested by Dave Hansen, introduce _kernel() variants of the page table population helpers, which invoke architecture-specific hooks to properly synchronize page tables. They reuse existing infrastructure for vmalloc and ioremap. Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, and the actual synchronization is performed by arch_sync_kernel_mappings(). This change currently targets only x86_64, so only PGD and P4D level helpers are introduced. In theory, PUD and PMD level helpers can be added later if needed by other architectures. Currently this is a no-op, since no architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. Cc: stable(a)vger.kernel.org Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- include/asm-generic/pgalloc.h | 18 ++++++++++++++++-- mm/kasan/init.c | 10 +++++----- mm/percpu.c | 4 ++-- mm/sparse-vmemmap.c | 4 ++-- 4 files changed, 25 insertions(+), 11 deletions(-) diff --git a/include/asm-generic/pgalloc.h b/include/asm-generic/pgalloc.h index 7ff5d7ca4cd6..c05fea06b3fd 100644 --- a/include/asm-generic/pgalloc.h +++ b/include/asm-generic/pgalloc.h @@ -298,8 +298,8 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) /* * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. + * and let generic vmalloc, ioremap and page table update code know when + * arch_sync_kernel_mappings() needs to be called. */ #ifndef ARCH_PAGE_TABLE_SYNC_MASK #define ARCH_PAGE_TABLE_SYNC_MASK 0 @@ -312,6 +312,20 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) */ void arch_sync_kernel_mappings(unsigned long start, unsigned long end); +#define pgd_populate_kernel(addr, pgd, p4d) \ +do { \ + pgd_populate(&init_mm, pgd, p4d); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ +} while (0) + +#define p4d_populate_kernel(addr, p4d, pud) \ +do { \ + p4d_populate(&init_mm, p4d, pud); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ +} while (0) + #endif /* CONFIG_MMU */ #endif /* __ASM_GENERIC_PGALLOC_H */ diff --git a/mm/kasan/init.c b/mm/kasan/init.c index ced6b29fcf76..43de820ee282 100644 --- a/mm/kasan/init.c +++ b/mm/kasan/init.c @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } diff --git a/mm/percpu.c b/mm/percpu.c index 782cc148b39c..57450a03c432 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(unsigned long addr) if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c index fd2ab5118e13..e275310ac708 100644 --- a/mm/sparse-vmemmap.c +++ b/mm/sparse-vmemmap.c @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(pgd_t *pgd, unsigned long addr, int node) if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node) void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; } -- 2.43.0

3 weeks, 1 day

1
0
0 0

[PATCH v2 mm-hotfixes 1/5] mm: move page table sync declarations to asm/pgalloc.h

by Harry Yoo

Move ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to asm/pgalloc.h so that they can be used outside of vmalloc and ioremap. Cc: stable(a)vger.kernel.org Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- include/asm-generic/pgalloc.h | 16 ++++++++++++++++ include/linux/vmalloc.h | 16 ---------------- mm/vmalloc.c | 1 + 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/include/asm-generic/pgalloc.h b/include/asm-generic/pgalloc.h index 3c8ec3bfea44..7ff5d7ca4cd6 100644 --- a/include/asm-generic/pgalloc.h +++ b/include/asm-generic/pgalloc.h @@ -296,6 +296,22 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) } #endif +/* + * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values + * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() + * needs to be called. + */ +#ifndef ARCH_PAGE_TABLE_SYNC_MASK +#define ARCH_PAGE_TABLE_SYNC_MASK 0 +#endif + +/* + * There is no default implementation for arch_sync_kernel_mappings(). It is + * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK + * is 0. + */ +void arch_sync_kernel_mappings(unsigned long start, unsigned long end); + #endif /* CONFIG_MMU */ #endif /* __ASM_GENERIC_PGALLOC_H */ diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index fdc9aeb74a44..2759dac6be44 100644 --- a/include/linux/vmalloc.h +++ b/include/linux/vmalloc.h @@ -219,22 +219,6 @@ extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr, int vmap_pages_range(unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, unsigned int page_shift); -/* - * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. - */ -#ifndef ARCH_PAGE_TABLE_SYNC_MASK -#define ARCH_PAGE_TABLE_SYNC_MASK 0 -#endif - -/* - * There is no default implementation for arch_sync_kernel_mappings(). It is - * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK - * is 0. - */ -void arch_sync_kernel_mappings(unsigned long start, unsigned long end); - /* * Lowlevel-APIs (not for driver use!) */ diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 6dbcdceecae1..37d4a2783246 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -42,6 +42,7 @@ #include <linux/sched/mm.h> #include <asm/tlbflush.h> #include <asm/shmparam.h> +#include <asm/pgalloc.h> #include <linux/page_owner.h> #define CREATE_TRACE_POINTS -- 2.43.0

3 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] xhci: Disable stream for xHC controller with" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x cd65ee81240e8bc3c3119b46db7f60c80864b90b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-pebbly-diffused-9cd9@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cd65ee81240e8bc3c3119b46db7f60c80864b90b Mon Sep 17 00:00:00 2001 From: Hongyu Xie <xiehongyu1(a)kylinos.cn> Date: Fri, 27 Jun 2025 17:41:20 +0300 Subject: [PATCH] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Disable stream for platform xHC controller with broken stream. Fixes: 14aec589327a6 ("storage: accept some UAS devices if streams are unavailable") Cc: stable <stable(a)kernel.org> Signed-off-by: Hongyu Xie <xiehongyu1(a)kylinos.cn> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250627144127.3889714-3-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c index 6dab142e7278..c79d5ed48a08 100644 --- a/drivers/usb/host/xhci-plat.c +++ b/drivers/usb/host/xhci-plat.c @@ -328,7 +328,8 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s } usb3_hcd = xhci_get_usb3_hcd(xhci); - if (usb3_hcd && HCC_MAX_PSA(xhci->hcc_params) >= 4) + if (usb3_hcd && HCC_MAX_PSA(xhci->hcc_params) >= 4 && + !(xhci->quirks & XHCI_BROKEN_STREAMS)) usb3_hcd->can_do_streams = 1; if (xhci->shared_hcd) {

3 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] xhci: Disable stream for xHC controller with" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x cd65ee81240e8bc3c3119b46db7f60c80864b90b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070814-harmonica-eclipse-ad04@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cd65ee81240e8bc3c3119b46db7f60c80864b90b Mon Sep 17 00:00:00 2001 From: Hongyu Xie <xiehongyu1(a)kylinos.cn> Date: Fri, 27 Jun 2025 17:41:20 +0300 Subject: [PATCH] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Disable stream for platform xHC controller with broken stream. Fixes: 14aec589327a6 ("storage: accept some UAS devices if streams are unavailable") Cc: stable <stable(a)kernel.org> Signed-off-by: Hongyu Xie <xiehongyu1(a)kylinos.cn> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250627144127.3889714-3-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c index 6dab142e7278..c79d5ed48a08 100644 --- a/drivers/usb/host/xhci-plat.c +++ b/drivers/usb/host/xhci-plat.c @@ -328,7 +328,8 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s } usb3_hcd = xhci_get_usb3_hcd(xhci); - if (usb3_hcd && HCC_MAX_PSA(xhci->hcc_params) >= 4) + if (usb3_hcd && HCC_MAX_PSA(xhci->hcc_params) >= 4 && + !(xhci->quirks & XHCI_BROKEN_STREAMS)) usb3_hcd->can_do_streams = 1; if (xhci->shared_hcd) {

3 weeks, 1 day

2
1
0 0

Qualcomm Supply Chain - Sinldo Technology

by Alan Ye

[Sinldo Technology] Company Profile Hong Kong Sinldo Technology Co., Ltd. was established in 2009 and focuses on the supply chain of Qualcomm chips. As a leading supplier in the industry, We have established solid cooperative relationships with many internationally renowned manufacturers and are committed to providing customers with high-quality and reliable chip products. Business Scope： Import and distribution of Qualcomm chips Management and bidding for excess electronic components Provide high-quality customer service and technical support Mission Stable supply Vision Mutual benefit and Triumph Value Reduce Fees and increase efficiency Environment The company is located in the core business district, with convenient transportation, elegant environment and complete surrounding supporting facilities, which facilitates the travel and business exchanges of employees and customers. Milestones 2025 2020 2015 2009 It is expected to complete the upgrade strategic planning, further increase market share, and strive for sustainable development The company implemented a digital management system and began to actively develop online Deals channels The company has added multiple 4G Qualcomm chips and established partnerships with more OEM customers。 The company was formally established in Shenzhen and initially established cooperative relationships with global suppliers Company Environment Coastal Huanqing Building Office Area storehouse [Qualcomm]Company Spot [ WIFI6 - IPQ5018 Kits ] IPQ5018-0-MRQFN232-MT-01-0 QCN6102-0-DRQFN116-TR-01-0 QCA8337-AL3C Snapdragon SDM-450-B Kits SDM-450-B-792NSP-TR-01-0-AA WTR-2965-0-59F0WNSP-TR-07-1 PMI-8952-0-144WLNSP-TR-02-0-00 WCN-3680B-0-79BWLNSP-TR-05-1 PM-8953-0-187F0WNSP-TR-01-1 MDM9x07 Kits MDM-9607-0-328PSP-TR-00-0 MDM-9207-0-328PSP-TR-00-0 WTR-2965-0-59F0WNSP-TR-07-1 PMD-9607-0-94WLNSP-TR-04-2 [Sinldo Technology Co., Ltd.] Email：yesunjian888(a)gmail.com Skype：625285556(a)qq.com Address：Room 2305, Hai'an Huanqing Building, Futian Road, Futian District, Shenzhen Wechat Hit subscribe now to receive regular updates and our product’s latest features! Subscribe If you don't want to receive our emails, you can easily unsubscribe here. Alan Ye Purchasing Manager ：+86 136 0651 6680 QUALCOMM Supply chain : yesunjian888(a)gmail.com

3 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] Bluetooth: HCI: Set extended advertising data synchronously" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 89fb8acc38852116d38d721ad394aad7f2871670 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070626-clench-guts-9205@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 89fb8acc38852116d38d721ad394aad7f2871670 Mon Sep 17 00:00:00 2001 From: Christian Eggers <ceggers(a)arri.de> Date: Fri, 27 Jun 2025 09:05:08 +0200 Subject: [PATCH] Bluetooth: HCI: Set extended advertising data synchronously Currently, for controllers with extended advertising, the advertising data is set in the asynchronous response handler for extended adverstising params. As most advertising settings are performed in a synchronous context, the (asynchronous) setting of the advertising data is done too late (after enabling the advertising). Move setting of adverstising data from asynchronous response handler into synchronous context to fix ordering of HCI commands. Signed-off-by: Christian Eggers <ceggers(a)arri.de> Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") Cc: stable(a)vger.kernel.org v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri… Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 66052d6aaa1d..4d5ace9d245d 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2150,40 +2150,6 @@ static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, return rp->status; } -static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, - struct sk_buff *skb) -{ - struct hci_rp_le_set_ext_adv_params *rp = data; - struct hci_cp_le_set_ext_adv_params *cp; - struct adv_info *adv_instance; - - bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); - - if (rp->status) - return rp->status; - - cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); - if (!cp) - return rp->status; - - hci_dev_lock(hdev); - hdev->adv_addr_type = cp->own_addr_type; - if (!cp->handle) { - /* Store in hdev for instance 0 */ - hdev->adv_tx_power = rp->tx_power; - } else { - adv_instance = hci_find_adv_instance(hdev, cp->handle); - if (adv_instance) - adv_instance->tx_power = rp->tx_power; - } - /* Update adv data as tx power is known now */ - hci_update_adv_data(hdev, cp->handle); - - hci_dev_unlock(hdev); - - return rp->status; -} - static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, struct sk_buff *skb) { @@ -4164,8 +4130,6 @@ static const struct hci_cc { HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, hci_cc_le_read_num_adv_sets, sizeof(struct hci_rp_le_read_num_supported_adv_sets)), - HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, - sizeof(struct hci_rp_le_set_ext_adv_params)), HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, hci_cc_le_set_ext_adv_enable), HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 106862d47964..77b3691f3423 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -1205,9 +1205,126 @@ static int hci_set_adv_set_random_addr_sync(struct hci_dev *hdev, u8 instance, sizeof(cp), &cp, HCI_CMD_TIMEOUT); } +static int +hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv, + const struct hci_cp_le_set_ext_adv_params *cp, + struct hci_rp_le_set_ext_adv_params *rp) +{ + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp), + cp, HCI_CMD_TIMEOUT); + + /* If command return a status event, skb will be set to -ENODATA */ + if (skb == ERR_PTR(-ENODATA)) + return 0; + + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", + HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb)); + return PTR_ERR(skb); + } + + if (skb->len != sizeof(*rp)) { + bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u", + HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len); + kfree_skb(skb); + return -EIO; + } + + memcpy(rp, skb->data, sizeof(*rp)); + kfree_skb(skb); + + if (!rp->status) { + hdev->adv_addr_type = cp->own_addr_type; + if (!cp->handle) { + /* Store in hdev for instance 0 */ + hdev->adv_tx_power = rp->tx_power; + } else if (adv) { + adv->tx_power = rp->tx_power; + } + } + + return rp->status; +} + +static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, + HCI_MAX_EXT_AD_LENGTH); + u8 len; + struct adv_info *adv = NULL; + int err; + + if (instance) { + adv = hci_find_adv_instance(hdev, instance); + if (!adv || !adv->adv_data_changed) + return 0; + } + + len = eir_create_adv_data(hdev, instance, pdu->data, + HCI_MAX_EXT_AD_LENGTH); + + pdu->length = len; + pdu->handle = adv ? adv->handle : instance; + pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; + pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; + + err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, + struct_size(pdu, data, len), pdu, + HCI_CMD_TIMEOUT); + if (err) + return err; + + /* Update data if the command succeed */ + if (adv) { + adv->adv_data_changed = false; + } else { + memcpy(hdev->adv_data, pdu->data, len); + hdev->adv_data_len = len; + } + + return 0; +} + +static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + struct hci_cp_le_set_adv_data cp; + u8 len; + + memset(&cp, 0, sizeof(cp)); + + len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); + + /* There's nothing to do if the data hasn't changed */ + if (hdev->adv_data_len == len && + memcmp(cp.data, hdev->adv_data, len) == 0) + return 0; + + memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); + hdev->adv_data_len = len; + + cp.length = len; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); +} + +int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) +{ + if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) + return 0; + + if (ext_adv_capable(hdev)) + return hci_set_ext_adv_data_sync(hdev, instance); + + return hci_set_adv_data_sync(hdev, instance); +} + int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; bool connectable; u32 flags; bdaddr_t random_addr; @@ -1316,8 +1433,12 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) cp.secondary_phy = HCI_ADV_PHY_1M; } - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err; @@ -1822,79 +1943,6 @@ int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason) sizeof(cp), &cp, HCI_CMD_TIMEOUT); } -static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, - HCI_MAX_EXT_AD_LENGTH); - u8 len; - struct adv_info *adv = NULL; - int err; - - if (instance) { - adv = hci_find_adv_instance(hdev, instance); - if (!adv || !adv->adv_data_changed) - return 0; - } - - len = eir_create_adv_data(hdev, instance, pdu->data, - HCI_MAX_EXT_AD_LENGTH); - - pdu->length = len; - pdu->handle = adv ? adv->handle : instance; - pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; - pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; - - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, - struct_size(pdu, data, len), pdu, - HCI_CMD_TIMEOUT); - if (err) - return err; - - /* Update data if the command succeed */ - if (adv) { - adv->adv_data_changed = false; - } else { - memcpy(hdev->adv_data, pdu->data, len); - hdev->adv_data_len = len; - } - - return 0; -} - -static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - struct hci_cp_le_set_adv_data cp; - u8 len; - - memset(&cp, 0, sizeof(cp)); - - len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); - - /* There's nothing to do if the data hasn't changed */ - if (hdev->adv_data_len == len && - memcmp(cp.data, hdev->adv_data, len) == 0) - return 0; - - memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); - hdev->adv_data_len = len; - - cp.length = len; - - return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); -} - -int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) -{ - if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) - return 0; - - if (ext_adv_capable(hdev)) - return hci_set_ext_adv_data_sync(hdev, instance); - - return hci_set_adv_data_sync(hdev, instance); -} - int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance, bool force) { @@ -6273,6 +6321,7 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, struct hci_conn *conn) { struct hci_cp_le_set_ext_adv_params cp; + struct hci_rp_le_set_ext_adv_params rp; int err; bdaddr_t random_addr; u8 own_addr_type; @@ -6314,8 +6363,12 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, if (err) return err; - err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); + err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp); + if (err) + return err; + + /* Update adv data as tx power is known now */ + err = hci_set_ext_adv_data_sync(hdev, cp.handle); if (err) return err;

3 weeks, 1 day

2
1
0 0

[PATCH] KVM: arm64: Filter out HCR_EL2.VSE when running in hypervisor context

by Marc Zyngier

HCR_EL2.VSE is delivering a virtual SError to the guest, and does not affect EL2 itself. However, when computing the host's HCR_EL2 value, we take the guest's view of HCR_EL2.VSE at face value, and apply it irrespective of the guest's exception level we are returning to. The result is that a L1 hypervisor injecting a virtual SError to an L2 by setting its HCR_EL2.VSE to 1 results in itself getting the SError as if it was a physical one if it traps for any reason before returning to L2. Fix it by filtering HCR_EL2.VSE out when entering the L1 host context. Fixes: 04ab519bb86df ("KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2") Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kvm/hyp/vhe/switch.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switch.c index 477f1580ffeaa..eddda649d9ee1 100644 --- a/arch/arm64/kvm/hyp/vhe/switch.c +++ b/arch/arm64/kvm/hyp/vhe/switch.c @@ -68,6 +68,9 @@ static u64 __compute_hcr(struct kvm_vcpu *vcpu) if (!vcpu_el2_e2h_is_set(vcpu)) hcr |= HCR_NV1; + /* Virtual SErrors only apply to L2, not L1 */ + guest_hcr &= ~HCR_VSE; + write_sysreg_s(vcpu->arch.ctxt.vncr_array, SYS_VNCR_EL2); } else { host_data_clear_flag(VCPU_IN_HYP_CONTEXT); -- 2.39.2

3 weeks, 1 day

1
1
0 0

FAILED: patch "[PATCH] virtio-net: ensure the received length does not exceed" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070649-bauble-banish-de72@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001 From: Bui Quang Minh <minhquangbui99(a)gmail.com> Date: Mon, 30 Jun 2025 21:42:10 +0700 Subject: [PATCH] virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. Cc: <stable(a)vger.kernel.org> Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index e53ba600605a..31661bcb3932 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -778,6 +778,26 @@ static unsigned int mergeable_ctx_to_truesize(void *mrg_ctx) return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); } +static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, + unsigned int len) +{ + unsigned int headroom, tailroom, room, truesize; + + truesize = mergeable_ctx_to_truesize(mrg_ctx); + headroom = mergeable_ctx_to_headroom(mrg_ctx); + tailroom = headroom ? sizeof(struct skb_shared_info) : 0; + room = SKB_DATA_ALIGN(headroom + tailroom); + + if (len > truesize - room) { + pr_debug("%s: rx error: len %u exceeds truesize %lu\n", + dev->name, len, (unsigned long)(truesize - room)); + DEV_STATS_INC(dev, rx_length_errors); + return -1; + } + + return 0; +} + static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen, unsigned int headroom, unsigned int len) @@ -1797,7 +1817,8 @@ static unsigned int virtnet_get_headroom(struct virtnet_info *vi) * across multiple buffers (num_buf > 1), and we make sure buffers * have enough headroom. */ -static struct page *xdp_linearize_page(struct receive_queue *rq, +static struct page *xdp_linearize_page(struct net_device *dev, + struct receive_queue *rq, int *num_buf, struct page *p, int offset, @@ -1817,18 +1838,27 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, memcpy(page_address(page) + page_off, page_address(p) + offset, *len); page_off += *len; + /* Only mergeable mode can go inside this while loop. In small mode, + * *num_buf == 1, so it cannot go inside. + */ while (--*num_buf) { unsigned int buflen; void *buf; + void *ctx; int off; - buf = virtnet_rq_get_buf(rq, &buflen, NULL); + buf = virtnet_rq_get_buf(rq, &buflen, &ctx); if (unlikely(!buf)) goto err_buf; p = virt_to_head_page(buf); off = buf - page_address(p); + if (check_mergeable_len(dev, ctx, buflen)) { + put_page(p); + goto err_buf; + } + /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. */ @@ -1917,7 +1947,7 @@ static struct sk_buff *receive_small_xdp(struct net_device *dev, headroom = vi->hdr_len + header_offset; buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); - xdp_page = xdp_linearize_page(rq, &num_buf, page, + xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, offset, header_offset, &tlen); if (!xdp_page) @@ -2252,7 +2282,7 @@ static void *mergeable_xdp_get_buf(struct virtnet_info *vi, */ if (!xdp_prog->aux->xdp_has_frags) { /* linearize data for XDP */ - xdp_page = xdp_linearize_page(rq, num_buf, + xdp_page = xdp_linearize_page(vi->dev, rq, num_buf, *page, offset, XDP_PACKET_HEADROOM, len);

3 weeks, 2 days

2
1
0 0

FAILED: patch "[PATCH] virtio-net: ensure the received length does not exceed" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025070649-freezing-truce-2745@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001 From: Bui Quang Minh <minhquangbui99(a)gmail.com> Date: Mon, 30 Jun 2025 21:42:10 +0700 Subject: [PATCH] virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. Cc: <stable(a)vger.kernel.org> Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index e53ba600605a..31661bcb3932 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -778,6 +778,26 @@ static unsigned int mergeable_ctx_to_truesize(void *mrg_ctx) return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); } +static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, + unsigned int len) +{ + unsigned int headroom, tailroom, room, truesize; + + truesize = mergeable_ctx_to_truesize(mrg_ctx); + headroom = mergeable_ctx_to_headroom(mrg_ctx); + tailroom = headroom ? sizeof(struct skb_shared_info) : 0; + room = SKB_DATA_ALIGN(headroom + tailroom); + + if (len > truesize - room) { + pr_debug("%s: rx error: len %u exceeds truesize %lu\n", + dev->name, len, (unsigned long)(truesize - room)); + DEV_STATS_INC(dev, rx_length_errors); + return -1; + } + + return 0; +} + static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen, unsigned int headroom, unsigned int len) @@ -1797,7 +1817,8 @@ static unsigned int virtnet_get_headroom(struct virtnet_info *vi) * across multiple buffers (num_buf > 1), and we make sure buffers * have enough headroom. */ -static struct page *xdp_linearize_page(struct receive_queue *rq, +static struct page *xdp_linearize_page(struct net_device *dev, + struct receive_queue *rq, int *num_buf, struct page *p, int offset, @@ -1817,18 +1838,27 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, memcpy(page_address(page) + page_off, page_address(p) + offset, *len); page_off += *len; + /* Only mergeable mode can go inside this while loop. In small mode, + * *num_buf == 1, so it cannot go inside. + */ while (--*num_buf) { unsigned int buflen; void *buf; + void *ctx; int off; - buf = virtnet_rq_get_buf(rq, &buflen, NULL); + buf = virtnet_rq_get_buf(rq, &buflen, &ctx); if (unlikely(!buf)) goto err_buf; p = virt_to_head_page(buf); off = buf - page_address(p); + if (check_mergeable_len(dev, ctx, buflen)) { + put_page(p); + goto err_buf; + } + /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. */ @@ -1917,7 +1947,7 @@ static struct sk_buff *receive_small_xdp(struct net_device *dev, headroom = vi->hdr_len + header_offset; buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); - xdp_page = xdp_linearize_page(rq, &num_buf, page, + xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, offset, header_offset, &tlen); if (!xdp_page) @@ -2252,7 +2282,7 @@ static void *mergeable_xdp_get_buf(struct virtnet_info *vi, */ if (!xdp_prog->aux->xdp_has_frags) { /* linearize data for XDP */ - xdp_page = xdp_linearize_page(rq, num_buf, + xdp_page = xdp_linearize_page(vi->dev, rq, num_buf, *page, offset, XDP_PACKET_HEADROOM, len);

3 weeks, 2 days

2
1
0 0

Direct Access to ISE 2025 Leads-20% OFF!

by Mary Jennifer

Hi, Imagine having direct access to 1,605 top exhibitors and 86,571 attendees at Integrated Systems Europe (ISE) 2025. We have the latest comprehensive list with last-minute additions, helping you connect with decision-makers, industry leaders, and potential partners. Available Data Fields: Individual Email Address, Phone Number, Contact Name, Job Title, Company Name, Website, Physical Address, and more. Act fast — respond by July 20th to claim your 20% discount. Interested? Simply reply with “Send me pricing” and I’ll get all the details over to you. Best regards, Mary Jannifer Sr. Demand Generation Not interested? Reply “Unfollow” to opt out.

3 weeks, 2 days

1
0
0 0

[PATCH v4] char: xillybus: Fix error handling in xillybus_init_chrdev()

by Ma Ke

Use cdev_del() instead of direct kobject_put() when cdev_add() fails. This aligns with standard kernel practice and maintains consistency within the driver's own error paths. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v4: - Apologize, due to the long time that has passed since the last v2 version, I was negligent when submitting v3. I have now corrected it; Changes in v3: - modified the patch description, centralized cdev cleanup through standard API and maintained symmetry with driver's existing error handling; Changes in v2: - modified the patch as suggestions to avoid UAF. --- drivers/char/xillybus/xillybus_class.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c index c92a628e389e..493bbed918c2 100644 --- a/drivers/char/xillybus/xillybus_class.c +++ b/drivers/char/xillybus/xillybus_class.c @@ -103,8 +103,7 @@ int xillybus_init_chrdev(struct device *dev, unit->num_nodes); if (rc) { dev_err(dev, "Failed to add cdev.\n"); - /* kobject_put() is normally done by cdev_del() */ - kobject_put(&unit->cdev->kobj); + cdev_del(unit->cdev); goto unregister_chrdev; } -- 2.25.1

3 weeks, 2 days

3
2
0 0

[merged mm-hotfixes-stable] kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports has been removed from the -mm tree. Its filename was kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Marco Elver <elver(a)google.com> Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports Date: Wed, 16 Jul 2025 17:23:28 +0200 Since 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock"), more detailed info about the vmalloc mapping and the origin was dropped due to potential deadlocks. While fixing the deadlock is necessary, that patch was too quick in killing an otherwise useful feature, and did no due-diligence in understanding if an alternative option is available. Restore printing more helpful vmalloc allocation info in KASAN reports with the help of vmalloc_dump_obj(). Example report: | BUG: KASAN: vmalloc-out-of-bounds in vmalloc_oob+0x4c9/0x610 | Read of size 1 at addr ffffc900002fd7f3 by task kunit_try_catch/493 | | CPU: [...] | Call Trace: | <TASK> | dump_stack_lvl+0xa8/0xf0 | print_report+0x17e/0x810 | kasan_report+0x155/0x190 | vmalloc_oob+0x4c9/0x610 | [...] | | The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900002fd000 allocated at vmalloc_oob+0x36/0x610 | The buggy address belongs to the physical page: | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126364 | flags: 0x200000000000000(node=0|zone=2) | raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: kasan: bad access detected | | [..] Link: https://lkml.kernel.org/r/20250716152448.3877201-1-elver@google.com Fixes: 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock") Signed-off-by: Marco Elver <elver(a)google.com> Suggested-by: Uladzislau Rezki <urezki(a)gmail.com> Acked-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Yeoreum Yun <yeoreum.yun(a)arm.com> Cc: Yunseong Kim <ysk(a)kzalloc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/report.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/kasan/report.c~kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports +++ a/mm/kasan/report.c @@ -399,7 +399,9 @@ static void print_address_description(vo } if (is_vmalloc_addr(addr)) { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + pr_err("The buggy address belongs to a"); + if (!vmalloc_dump_obj(addr)) + pr_cont(" vmalloc virtual mapping\n"); page = vmalloc_to_page(addr); } _ Patches currently in -mm which might be from elver(a)google.com are

3 weeks, 2 days

1
0
0 0

[merged mm-hotfixes-stable] mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() has been removed from the -mm tree. Its filename was mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Nathan Chancellor <nathan(a)kernel.org> Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() Date: Tue, 15 Jul 2025 12:56:16 -0700 After a recent change in clang to expose uninitialized warnings from const variables [1], there is a false positive warning from the if statement in advisor_mode_show(). mm/ksm.c:3687:11: error: variable 'output' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 3687 | else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ksm.c:3690:33: note: uninitialized use occurs here 3690 | return sysfs_emit(buf, "%s\n", output); | ^~~~~~ Rewrite the if statement to implicitly make KSM_ADVISOR_NONE the else branch so that it is obvious to the compiler that ksm_advisor can only be KSM_ADVISOR_NONE or KSM_ADVISOR_SCAN_TIME due to the assignments in advisor_mode_store(). Link: https://lkml.kernel.org/r/20250715-ksm-fix-clang-21-uninit-warning-v1-1-f44… Fixes: 66790e9a735b ("mm/ksm: add sysfs knobs for advisor") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Closes: https://github.com/ClangBuiltLinux/linux/issues/2100 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Stefan Roesch <shr(a)devkernel.io> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/ksm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/ksm.c~mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show +++ a/mm/ksm.c @@ -3669,10 +3669,10 @@ static ssize_t advisor_mode_show(struct { const char *output; - if (ksm_advisor == KSM_ADVISOR_NONE) - output = "[none] scan-time"; - else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) output = "none [scan-time]"; + else + output = "[none] scan-time"; return sysfs_emit(buf, "%s\n", output); } _ Patches currently in -mm which might be from nathan(a)kernel.org are

3 weeks, 2 days

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-reject-invalid-file-types-when-reading-inodes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: reject invalid file types when reading inodes has been removed from the -mm tree. Its filename was nilfs2-reject-invalid-file-types-when-reading-inodes.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: reject invalid file types when reading inodes Date: Thu, 10 Jul 2025 22:49:08 +0900 To prevent inodes with invalid file types from tripping through the vfs and causing malfunctions or assertion failures, add a missing sanity check when reading an inode from a block device. If the file type is not valid, treat it as a filesystem error. Link: https://lkml.kernel.org/r/20250710134952.29862-1-konishi.ryusuke@gmail.com Fixes: 05fe58fdc10d ("nilfs2: inode operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+895c23f6917da440ed0d(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/inode.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/fs/nilfs2/inode.c~nilfs2-reject-invalid-file-types-when-reading-inodes +++ a/fs/nilfs2/inode.c @@ -472,11 +472,18 @@ static int __nilfs_read_inode(struct sup inode->i_op = &nilfs_symlink_inode_operations; inode_nohighmem(inode); inode->i_mapping->a_ops = &nilfs_aops; - } else { + } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || + S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { inode->i_op = &nilfs_special_inode_operations; init_special_inode( inode, inode->i_mode, huge_decode_dev(le64_to_cpu(raw_inode->i_device_code))); + } else { + nilfs_error(sb, + "invalid file type bits in mode 0%o for inode %lu", + inode->i_mode, ino); + err = -EIO; + goto failed_unmap; } nilfs_ifile_unmap_inode(raw_inode); brelse(bh); _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are

3 weeks, 2 days

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-fix-split_huge_page_test-for-folio_split-tests.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: fix split_huge_page_test for folio_split() tests has been removed from the -mm tree. Its filename was selftests-mm-fix-split_huge_page_test-for-folio_split-tests.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Zi Yan <ziy(a)nvidia.com> Subject: selftests/mm: fix split_huge_page_test for folio_split() tests Date: Tue, 8 Jul 2025 21:27:59 -0400 PID_FMT does not have an offset field, so folio_split() tests are not performed. Add PID_FMT_OFFSET with an offset field and use it to perform folio_split() tests. Link: https://lkml.kernel.org/r/20250709012800.3225727-1-ziy@nvidia.com Fixes: 80a5c494c89f ("selftests/mm: add tests for folio_split(), buddy allocator like split") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Tested-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Donet Tom <donettom(a)linux.ibm.com> Tested-by : Donet Tom <donettom(a)linux.ibm.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/split_huge_page_test.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/tools/testing/selftests/mm/split_huge_page_test.c~selftests-mm-fix-split_huge_page_test-for-folio_split-tests +++ a/tools/testing/selftests/mm/split_huge_page_test.c @@ -31,6 +31,7 @@ uint64_t pmd_pagesize; #define INPUT_MAX 80 #define PID_FMT "%d,0x%lx,0x%lx,%d" +#define PID_FMT_OFFSET "%d,0x%lx,0x%lx,%d,%d" #define PATH_FMT "%s,0x%lx,0x%lx,%d" #define PFN_MASK ((1UL<<55)-1) @@ -483,7 +484,7 @@ void split_thp_in_pagecache_to_order_at( write_debugfs(PID_FMT, getpid(), (uint64_t)addr, (uint64_t)addr + fd_size, order); else - write_debugfs(PID_FMT, getpid(), (uint64_t)addr, + write_debugfs(PID_FMT_OFFSET, getpid(), (uint64_t)addr, (uint64_t)addr + fd_size, order, offset); for (i = 0; i < fd_size; i++) _ Patches currently in -mm which might be from ziy(a)nvidia.com are mm-huge_memory-move-unrelated-code-out-of-__split_unmapped_folio.patch mm-huge_memory-remove-after_split-label-in-__split_unmapped_folio.patch mm-huge_memory-deduplicate-code-in-__folio_split.patch mm-huge_memory-convert-vm_bug-to-vm_warn-in-__folio_split.patch mm-huge_memory-get-frozen-folio-refcount-with-folio_expected_ref_count.patch mm-huge_memory-refactor-after-split-page-cache-code.patch

3 weeks, 2 days

1
0
0 0

[merged mm-hotfixes-stable] mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n has been removed from the -mm tree. Its filename was mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Date: Fri, 4 Jul 2025 19:30:53 +0900 Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for migrating zsmalloc pages using the movable_operations migration framework. However, the commit did not take into account that zsmalloc supports migration only when CONFIG_COMPACTION is enabled. Tracing shows that zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is not supported. This can result in unmovable pages being allocated from movable page blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area. Possible user visible effects: - Some ZONE_MOVABLE memory can be not actually movable - CMA allocation can fail because of this - Increased memory fragmentation due to ignoring the page mobility grouping feature I'm not really sure who uses kernels without compaction support, though :( To fix this, clear the __GFP_MOVABLE flag when !IS_ENABLED(CONFIG_COMPACTION). Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com Fixes: 48b4800a1c6a ("zsmalloc: page migration support") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zsmalloc.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/zsmalloc.c~mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n +++ a/mm/zsmalloc.c @@ -1043,6 +1043,9 @@ static struct zspage *alloc_zspage(struc if (!zspage) return NULL; + if (!IS_ENABLED(CONFIG_COMPACTION)) + gfp &= ~__GFP_MOVABLE; + zspage->magic = ZSPAGE_MAGIC; zspage->pool = pool; zspage->class = class->index; _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are

3 weeks, 2 days

1
0
0 0

[merged mm-hotfixes-stable] mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list has been removed from the -mm tree. Its filename was mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jinjiang Tu <tujinjiang(a)huawei.com> Subject: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list Date: Fri, 27 Jun 2025 20:57:46 +0800 In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [tujinjiang(a)huawei.com: add comment to unmap_poisoned_folio()] Link: https://lkml.kernel.org/r/69fd4e00-1b13-d5f7-1c82-705c7d977ea4@huawei.com Link: https://lkml.kernel.org/r/20250627125747.3094074-2-tujinjiang@huawei.com Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> Fixes: 1b0449544c64 ("mm/vmscan: don't try to reclaim hwpoison folio") Reported-by: syzbot+3b220254df55d8ca8a61(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68412d57.050a0220.2461cf.000e.GAE@google.com/ Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 4 ++++ mm/vmscan.c | 8 ++++++++ 2 files changed, 12 insertions(+) --- a/mm/memory-failure.c~mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list +++ a/mm/memory-failure.c @@ -1561,6 +1561,10 @@ static int get_hwpoison_page(struct page return ret; } +/* + * The caller must guarantee the folio isn't large folio, except hugetlb. + * try_to_unmap() can't handle it. + */ int unmap_poisoned_folio(struct folio *folio, unsigned long pfn, bool must_kill) { enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON; --- a/mm/vmscan.c~mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list +++ a/mm/vmscan.c @@ -1138,6 +1138,14 @@ retry: goto keep; if (folio_contain_hwpoisoned_page(folio)) { + /* + * unmap_poisoned_folio() can't handle large + * folio, just skip it. memory_failure() will + * handle it if the UCE is triggered again. + */ + if (folio_test_large(folio)) + goto keep_locked; + unmap_poisoned_folio(folio, folio_pfn(folio), false); folio_unlock(folio); folio_put(folio); _ Patches currently in -mm which might be from tujinjiang(a)huawei.com are mm-memory_hotplug-fix-hwpoisoned-large-folio-handling-in-do_migrate_range.patch

3 weeks, 2 days

1
0
0 0

[PATCH] Fix SMB311 posix special file creation to servers which do not advertise reparse support

by Junhyeok Park

From: Steve French <stfrench(a)microsoft.com> Some servers (including Samba), support the SMB3.1.1 POSIX Extensions (which use reparse points for handling special files) but do not properly advertise file system attribute FILE_SUPPORTS_REPARSE_POINTS. Although we don't check for this attribute flag when querying special file information, we do check it when creating special files which causes them to fail unnecessarily. If we have negotiated SMB3.1.1 POSIX Extensions with the server we can expect the server to support creating special files via reparse points, and even if the server fails the operation due to really forbidding creating special files, then it should be no problem and is more likely to return a more accurate rc in any case (e.g. EACCES instead of EOPNOTSUPP). Allow creating special files as long as the server supports either reparse points or the SMB3.1.1 POSIX Extensions (note that if the "sfu" mount option is specified it uses a different way of storing special files that does not rely on reparse points). Cc: <stable(a)vger.kernel.org> Fixes: 6c06be908ca19 ("cifs: Check if server supports reparse points before using them") Acked-by: Ralph Boehme <slow(a)samba.org> Acked-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> --- fs/smb/client/smb2inode.c | 3 ++- fs/smb/client/smb2ops.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c index 2a3e46b8e15a..a11a2a693c51 100644 --- a/fs/smb/client/smb2inode.c +++ b/fs/smb/client/smb2inode.c @@ -1346,7 +1346,8 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data, * empty object on the server. */ if (!(le32_to_cpu(tcon->fsAttrInfo.Attributes) & FILE_SUPPORTS_REPARSE_POINTS)) - return ERR_PTR(-EOPNOTSUPP); + if (!tcon->posix_extensions) + return ERR_PTR(-EOPNOTSUPP); oparms = CIFS_OPARMS(cifs_sb, tcon, full_path, SYNCHRONIZE | DELETE | diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index cb659256d219..938a8a7c5d21 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -5260,7 +5260,8 @@ static int smb2_make_node(unsigned int xid, struct inode *inode, if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL) { rc = cifs_sfu_make_node(xid, inode, dentry, tcon, full_path, mode, dev); - } else if (le32_to_cpu(tcon->fsAttrInfo.Attributes) & FILE_SUPPORTS_REPARSE_POINTS) { + } else if ((le32_to_cpu(tcon->fsAttrInfo.Attributes) & FILE_SUPPORTS_REPARSE_POINTS) + || (tcon->posix_extensions)) { rc = smb2_mknod_reparse(xid, inode, dentry, tcon, full_path, mode, dev); } -- 2.34.1

3 weeks, 2 days

1
0
0 0

[merged mm-stable] mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery has been removed from the -mm tree. Its filename was mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Date: Thu, 10 Jul 2025 11:23:53 +0300 When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n: mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function] Fix this by moving the function to the respective existing ifdeffery for its the only user. See also: 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build") Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.i… Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Reviewed-by: Leon Romanovsky <leonro(a)nvidia.com> Reviewed-by: Alistair Popple <apopple(a)nvidia.com> Cc: Andriy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Bill Wendling <morbo(a)google.com> Cc: Jerome Glisse <jglisse(a)redhat.com> Cc: Justin Stitt <justinstitt(a)google.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/hmm.c~mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery +++ a/mm/hmm.c @@ -183,6 +183,7 @@ static inline unsigned long hmm_pfn_flag return order << HMM_PFN_ORDER_SHIFT; } +#ifdef CONFIG_TRANSPARENT_HUGEPAGE static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range, pmd_t pmd) { @@ -193,7 +194,6 @@ static inline unsigned long pmd_to_hmm_p hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT); } -#ifdef CONFIG_TRANSPARENT_HUGEPAGE static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr, unsigned long end, unsigned long hmm_pfns[], pmd_t pmd) _ Patches currently in -mm which might be from andriy.shevchenko(a)linux.intel.com are

3 weeks, 2 days

1
0
0 0

[merged mm-stable] mm-damon-core-commit-damos-target_nid.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: commit damos->target_nid has been removed from the -mm tree. Its filename was mm-damon-core-commit-damos-target_nid.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Bijan Tabatabai <bijantabatab(a)micron.com> Subject: mm/damon/core: commit damos->target_nid Date: Tue, 8 Jul 2025 19:47:29 -0500 When committing new scheme parameters from the sysfs, the target_nid field of the damos struct would not be copied. This would result in the target_nid field to retain its original value, despite being updated in the sysfs interface. This patch fixes this issue by copying target_nid in damos_commit(). Link: https://lkml.kernel.org/r/20250709004729.17252-1-bijan311@gmail.com Fixes: 83dc7bbaecae ("mm/damon/sysfs: use damon_commit_ctx()") Signed-off-by: Bijan Tabatabai <bijantabatab(a)micron.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Ravi Shankar Jonnalagadda <ravis.opensrc(a)micron.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/damon/core.c~mm-damon-core-commit-damos-target_nid +++ a/mm/damon/core.c @@ -978,6 +978,7 @@ static int damos_commit(struct damos *ds return err; dst->wmarks = src->wmarks; + dst->target_nid = src->target_nid; err = damos_commit_filters(dst, src); return err; _ Patches currently in -mm which might be from bijantabatab(a)micron.com are

3 weeks, 2 days

1
0
0 0

+ mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop has been added to the -mm mm-new branch. Its filename is mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop Date: Fri, 18 Jul 2025 14:51:39 +0800 ensure si->pages == si->max - 1 after setup_swap_extents() Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250718065139.61989-1-shikemeng@huaweicloud.com Fixes: 661383c6111a ("mm: swap: relaim the cached parts that got scanned") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/mm/swapfile.c~mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix +++ a/mm/swapfile.c @@ -3357,6 +3357,12 @@ SYSCALL_DEFINE2(swapon, const char __use error = nr_extents; goto bad_swap_unlock_inode; } + if (si->pages != si->max - 1) { + pr_err("swap:%u != (max:%u - 1)\n", si->pages, si->max); + error = -EINVAL; + goto bad_swap_unlock_inode; + } + maxpages = si->max; /* OK, set up the swap map and apply the bad block list */ _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop-fix.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

3 weeks, 2 days

1
0
0 0

+ mm-damon-core-commit-damos_quota_goal-nid.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: commit damos_quota_goal->nid has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-commit-damos_quota_goal-nid.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: commit damos_quota_goal->nid Date: Sat, 19 Jul 2025 11:19:32 -0700 DAMOS quota goal uses 'nid' field when the metric is DAMOS_QUOTA_NODE_MEM_{USED,FREE}_BP. But the goal commit function is not updating the goal's nid field. Fix it. Link: https://lkml.kernel.org/r/20250719181932.72944-1-sj@kernel.org Fixes: 0e1c773b501f ("mm/damon/core: introduce damos quota goal metrics for memory node utilization") [6.16.x] Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) --- a/mm/damon/core.c~mm-damon-core-commit-damos_quota_goal-nid +++ a/mm/damon/core.c @@ -754,6 +754,19 @@ static struct damos_quota_goal *damos_nt return NULL; } +static void damos_commit_quota_goal_union( + struct damos_quota_goal *dst, struct damos_quota_goal *src) +{ + switch (dst->metric) { + case DAMOS_QUOTA_NODE_MEM_USED_BP: + case DAMOS_QUOTA_NODE_MEM_FREE_BP: + dst->nid = src->nid; + break; + default: + break; + } +} + static void damos_commit_quota_goal( struct damos_quota_goal *dst, struct damos_quota_goal *src) { @@ -762,6 +775,7 @@ static void damos_commit_quota_goal( if (dst->metric == DAMOS_QUOTA_USER_INPUT) dst->current_value = src->current_value; /* keep last_psi_total as is, since it will be updated in next cycle */ + damos_commit_quota_goal_union(dst, src); } /** @@ -795,6 +809,7 @@ int damos_commit_quota_goals(struct damo src_goal->metric, src_goal->target_value); if (!new_goal) return -ENOMEM; + damos_commit_quota_goal_union(new_goal, src_goal); damos_add_quota_goal(dst, new_goal); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-commit-damos_quota_goal-nid.patch samples-damon-wsse-rename-to-have-damon_sample_-prefix.patch samples-damon-prcl-rename-to-have-damon_sample_-prefix.patch samples-damon-mtier-rename-to-have-damon_sample_-prefix.patch mm-damon-sysfs-use-damon-core-api-damon_is_running.patch mm-damon-sysfs-dont-hold-kdamond_lock-in-before_terminate.patch docs-mm-damon-maintainer-profile-update-for-mm-new-tree.patch mm-damon-add-struct-damos_migrate_dests.patch mm-damon-core-add-damos-migrate_dests-field.patch mm-damon-sysfs-schemes-implement-damos-action-destinations-directory.patch mm-damon-sysfs-schemes-set-damos-migrate_dests.patch docs-abi-damon-document-schemes-dests-directory.patch docs-admin-guide-mm-damon-usage-document-dests-directory.patch mm-damon-accept-parallel-damon_call-requests.patch mm-damon-core-introduce-repeat-mode-damon_call.patch mm-damon-stat-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-reclaim-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-lru_sort-use-damon_call-repeat-mode-instead-of-damon_callback.patch samples-damon-prcl-use-damon_call-repeat-mode-instead-of-damon_callback.patch samples-damon-wsse-use-damon_call-repeat-mode-instead-of-damon_callback.patch mm-damon-core-do-not-call-opscleanup-when-destroying-targets.patch mm-damon-core-add-cleanup_target-ops-callback.patch mm-damon-core-add-cleanup_target-ops-callback-fix.patch mm-damon-core-add-cleanup_target-ops-callback-fix-2.patch mm-damon-vaddr-put-pid-in-cleanup_target.patch mm-damon-sysfs-remove-damon_sysfs_destroy_targets.patch mm-damon-core-destroy-targets-when-kdamond_fn-finish.patch mm-damon-sysfs-remove-damon_sysfs_before_terminate.patch mm-damon-core-remove-damon_callback.patch mm-damon-sysfs-implement-refresh_ms-file-under-kdamond-directory.patch mm-damon-sysfs-implement-refresh_ms-file-internal-work.patch docs-admin-guide-mm-damon-usage-document-refresh_ms-file.patch docs-abi-damon-update-for-refresh_ms.patch

3 weeks, 2 days

1
0
0 0

[PATCH] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions

by Tim Harvey

The Linux hwmon sysfs API values for pwmX_auto_pointY_pwm represent an integer value between 0 (0%) to 255 (100%) and the pwmX_auto_pointY_temp represent millidegrees Celcius. Commit a6d80df47ee2 ("hwmon: (gsc-hwmon) fix fan pwm temperature scaling") properly addressed the incorrect scaling in the pwm_auto_point_temp_store implementation but erroneously scaled the pwm_auto_point_pwm_show (pwm value) instead of the pwm_auto_point_temp_show (temp value) resulting in: # cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_pwm 25500 # cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_temp 4500 Fix the scaling of these attributes: # cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_pwm 255 # cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_temp 45000 Fixes: a6d80df47ee2 ("hwmon: (gsc-hwmon) fix fan pwm temperature scaling") Cc: stable(a)vger.kernel.org Signed-off-by: Tim Harvey <tharvey(a)gateworks.com> --- drivers/hwmon/gsc-hwmon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/gsc-hwmon.c b/drivers/hwmon/gsc-hwmon.c index 0f9af82cebec..105b9f9dbec3 100644 --- a/drivers/hwmon/gsc-hwmon.c +++ b/drivers/hwmon/gsc-hwmon.c @@ -64,7 +64,7 @@ static ssize_t pwm_auto_point_temp_show(struct device *dev, return ret; ret = regs[0] | regs[1] << 8; - return sprintf(buf, "%d\n", ret * 10); + return sprintf(buf, "%d\n", ret * 100); } static ssize_t pwm_auto_point_temp_store(struct device *dev, @@ -99,7 +99,7 @@ static ssize_t pwm_auto_point_pwm_show(struct device *dev, { struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr); - return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10))); + return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)) / 100); } static SENSOR_DEVICE_ATTR_RO(pwm1_auto_point1_pwm, pwm_auto_point_pwm, 0); -- 2.34.1

3 weeks, 2 days

2
1
0 0

[PATCH] mm/damon/core: commit damos_quota_goal->nid

by SeongJae Park

DAMOS quota goal uses 'nid' field when the metric is DAMOS_QUOTA_NODE_MEM_{USED,FREE}_BP. But the goal commit function is not updating the goal's nid field. Fix it. Fixes: 0e1c773b501f ("mm/damon/core: introduce damos quota goal metrics for memory node utilization") # 6.16.x Cc: stable(a)vger.kernel.org Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/mm/damon/core.c b/mm/damon/core.c index f3ec3bd736ec..52a48c9316bc 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -756,6 +756,19 @@ static struct damos_quota_goal *damos_nth_quota_goal( return NULL; } +static void damos_commit_quota_goal_union( + struct damos_quota_goal *dst, struct damos_quota_goal *src) +{ + switch (dst->metric) { + case DAMOS_QUOTA_NODE_MEM_USED_BP: + case DAMOS_QUOTA_NODE_MEM_FREE_BP: + dst->nid = src->nid; + break; + default: + break; + } +} + static void damos_commit_quota_goal( struct damos_quota_goal *dst, struct damos_quota_goal *src) { @@ -764,6 +777,7 @@ static void damos_commit_quota_goal( if (dst->metric == DAMOS_QUOTA_USER_INPUT) dst->current_value = src->current_value; /* keep last_psi_total as is, since it will be updated in next cycle */ + damos_commit_quota_goal_union(dst, src); } /** @@ -797,6 +811,7 @@ int damos_commit_quota_goals(struct damos_quota *dst, struct damos_quota *src) src_goal->metric, src_goal->target_value); if (!new_goal) return -ENOMEM; + damos_commit_quota_goal_union(new_goal, src_goal); damos_add_quota_goal(dst, new_goal); } return 0; base-commit: 5d6176edfeb848b1039a1a2c9c1c36dd7f83150f -- 2.39.5

3 weeks, 2 days

1
0
0 0

[for-linus][PATCH 2/2] tracing: Add down_write(trace_event_sem) when adding trace event

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0) -- 2.47.2

3 weeks, 2 days

1
0
0 0

[for-linus][PATCH 1/2] tracing/osnoise: Fix crash in timerlat_dump_stack()

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> We have observed kernel panics when using timerlat with stack saving, with the following dmesg output: memcpy: detected buffer overflow: 88 byte write of buffer size 0 WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0 CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy) Call Trace: <TASK> ? trace_buffer_lock_reserve+0x2a/0x60 __fortify_panic+0xd/0xf __timerlat_dump_stack.cold+0xd/0xd timerlat_dump_stack.part.0+0x47/0x80 timerlat_fd_read+0x36d/0x390 vfs_read+0xe2/0x390 ? syscall_exit_to_user_mode+0x1d5/0x210 ksys_read+0x73/0xe0 do_syscall_64+0x7b/0x160 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e __timerlat_dump_stack() constructs the ftrace stack entry like this: struct stack_entry *entry; ... memcpy(&entry->caller, fstack->calls, size); entry->size = fstack->nr_entries; Since commit e7186af7fb26 ("tracing: Add back FORTIFY_SOURCE logic to kernel_stack event structure"), struct stack_entry marks its caller field with __counted_by(size). At the time of the memcpy, entry->size contains garbage from the ringbuffer, which under some circumstances is zero, triggering a kernel panic by buffer overflow. Populate the size field before the memcpy so that the out-of-bounds check knows the correct size. This is analogous to __ftrace_trace_stack(). Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Cc: Attila Fazekas <afazekas(a)redhat.com> Link: https://lore.kernel.org/20250716143601.7313-1-tglozar@redhat.com Fixes: e7186af7fb26 ("tracing: Add back FORTIFY_SOURCE logic to kernel_stack event structure") Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_osnoise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c index 6819b93309ce..fd259da0aa64 100644 --- a/kernel/trace/trace_osnoise.c +++ b/kernel/trace/trace_osnoise.c @@ -637,8 +637,8 @@ __timerlat_dump_stack(struct trace_buffer *buffer, struct trace_stack *fstack, u entry = ring_buffer_event_data(event); - memcpy(&entry->caller, fstack->calls, size); entry->size = fstack->nr_entries; + memcpy(&entry->caller, fstack->calls, size); trace_buffer_unlock_commit_nostack(buffer, event); } -- 2.47.2

3 weeks, 2 days

1
0
0 0

[PATCH v2] arm64: dts: apple: t8012-j132: Include touchbar framebuffer node

by Nick Chan

Apple T2 MacBookPro15,2 (j132) has a touchbar so include the framebuffer node. Cc: stable(a)vger.kernel.org Fixes: 4efbcb623e9bc ("arm64: dts: apple: Add T2 devices") Signed-off-by: Nick Chan <towinchenmi(a)gmail.com> --- Changes in v2: - CC stable list in Sign-off area. No content change. --- arch/arm64/boot/dts/apple/t8012-j132.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/apple/t8012-j132.dts b/arch/arm64/boot/dts/apple/t8012-j132.dts index 778a69be18dd81ab49076fb39ca4bc82f551e40f..7dcac51703ff60e0a6ef0929572a70adb65b580f 100644 --- a/arch/arm64/boot/dts/apple/t8012-j132.dts +++ b/arch/arm64/boot/dts/apple/t8012-j132.dts @@ -7,6 +7,7 @@ /dts-v1/; #include "t8012-jxxx.dtsi" +#include "t8012-touchbar.dtsi" / { model = "Apple T2 MacBookPro15,2 (j132)"; --- base-commit: e04c78d86a9699d136910cfc0bdcf01087e3267e change-id: 20250620-j132-fb-d7d5687d370d Best regards, -- Nick Chan <towinchenmi(a)gmail.com>

3 weeks, 3 days

2
1
0 0

[PATCH v3] char: xillybus: Fix error handling in xillybus_init_chrdev()

by Ma Ke

Use cdev_del() instead of direct kobject_put() when cdev_add() fails. This aligns with standard kernel practice and maintains consistency within the driver's own error paths. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - modified the patch description, centralized cdev cleanup through standard API and maintained symmetry with driver's existing error handling; Changes in v2: - modified the patch as suggestions to avoid UAF. --- drivers/char/xillybus/xillybus_class.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c index c92a628e389e..e79cf9a0caa4 100644 --- a/drivers/char/xillybus/xillybus_class.c +++ b/drivers/char/xillybus/xillybus_class.c @@ -103,8 +103,7 @@ int xillybus_init_chrdev(struct device *dev, unit->num_nodes); if (rc) { dev_err(dev, "Failed to add cdev.\n"); - /* kobject_put() is normally done by cdev_del() */ - kobject_put(&unit->cdev->kobj); + cdev_del(unit->cdev); goto unregister_chrdev; } @@ -157,8 +156,6 @@ int xillybus_init_chrdev(struct device *dev, device_destroy(&xillybus_class, MKDEV(unit->major, i + unit->lowest_minor)); - cdev_del(unit->cdev); - unregister_chrdev: unregister_chrdev_region(MKDEV(unit->major, unit->lowest_minor), unit->num_nodes); -- 2.25.1

3 weeks, 3 days

2
1
0 0

[PATCH] arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode

by Konrad Dybcio

From: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> 2290 was found in the field to also require this quirk, as long & high-bandwidth workloads (e.g. USB ethernet) are consistently able to crash the controller otherwise. The same change has been made for a number of SoCs in [1], but QCM2290 somehow escaped the list (even though the very closely related SM6115 was there). Upon a controller crash, the log would read: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up Add snps,parkmode-disable-ss-quirk to the DWC3 instance in order to prevent the aforementioned breakage. [1] https://lore.kernel.org/all/20240704152848.3380602-1-quic_kriskura@quicinc.… Cc: stable(a)vger.kernel.org Reported-by: Rob Clark <robin.clark(a)oss.qualcomm.com> Fixes: a64a0192b70c ("arm64: dts: qcom: Add initial QCM2290 device tree") Signed-off-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> --- arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/qcm2290.dtsi b/arch/arm64/boot/dts/qcom/qcm2290.dtsi index fa24b77a31a7504020390522fabb0b783d897366..6b7070dad3df946649660eac1d087c0e8b6fe26d 100644 --- a/arch/arm64/boot/dts/qcom/qcm2290.dtsi +++ b/arch/arm64/boot/dts/qcom/qcm2290.dtsi @@ -1454,6 +1454,7 @@ usb_dwc3: usb@4e00000 { snps,has-lpm-erratum; snps,hird-threshold = /bits/ 8 <0x10>; snps,usb3_lpm_capable; + snps,parkmode-disable-ss-quirk; maximum-speed = "super-speed"; dr_mode = "otg"; usb-role-switch; --- base-commit: 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a change-id: 20250708-topic-2290_usb-6632f12e5cd6 Best regards, -- Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com>

3 weeks, 3 days

2
1
0 0

[PATCH v2] usb: dwc3: qcom: Don't leave BCR asserted

by Krishna Kurapati

Leaving the USB BCR asserted prevents the associated GDSC to turn on. This blocks any subsequent attempts of probing the device, e.g. after a probe deferral, with the following showing in the log: [ 1.332226] usb30_prim_gdsc status stuck at 'off' Leave the BCR deasserted when exiting the driver to avoid this issue. Cc: stable(a)vger.kernel.org Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Signed-off-by: Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> --- Changes in v2: Added Fixes tag and CC'd stable. Link to v1: https://lore.kernel.org/all/20250604060019.2174029-1-krishna.kurapati@oss.q… drivers/usb/dwc3/dwc3-qcom.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c index 7334de85ad10..ca7e1c02773a 100644 --- a/drivers/usb/dwc3/dwc3-qcom.c +++ b/drivers/usb/dwc3/dwc3-qcom.c @@ -680,12 +680,12 @@ static int dwc3_qcom_probe(struct platform_device *pdev) ret = reset_control_deassert(qcom->resets); if (ret) { dev_err(&pdev->dev, "failed to deassert resets, err=%d\n", ret); - goto reset_assert; + return ret; } ret = clk_bulk_prepare_enable(qcom->num_clocks, qcom->clks); if (ret < 0) - goto reset_assert; + return ret; r = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (!r) { @@ -755,8 +755,6 @@ static int dwc3_qcom_probe(struct platform_device *pdev) dwc3_core_remove(&qcom->dwc); clk_disable: clk_bulk_disable_unprepare(qcom->num_clocks, qcom->clks); -reset_assert: - reset_control_assert(qcom->resets); return ret; } @@ -771,7 +769,6 @@ static void dwc3_qcom_remove(struct platform_device *pdev) clk_bulk_disable_unprepare(qcom->num_clocks, qcom->clks); dwc3_qcom_interconnect_exit(qcom); - reset_control_assert(qcom->resets); } static int dwc3_qcom_pm_suspend(struct device *dev) -- 2.34.1

3 weeks, 3 days

2
1
0 0

[PATCH v2] Revert "arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery"

by Josua Mayer

This reverts commit 8a1365c7bbc122bd843096f0008d259e7a8afc61. The commit in questions most notably breaks SD-Card on SolidRun LX2162A Clearfog by corrupting the pinmux in dynamic configuration area for non-i2c pins without pinmux node. It is further expected that it breaks SD Card-Detect, as well as CAN, DSPI and GPIOs on any board based on LX2160 SoC. Background: The LX2160 SoC is configured at power-on from RCW (Reset Configuration Word) typically located in the first 4k of boot media. This blob configures various clock rates and pin functions. The pinmux for i2c specifically is part of configuration words RCWSR12, RCWSR13 and RCWSR14 size 32 bit each. These values are accessible at read-only addresses 0x01e0012c following. For runtime (re-)configuration the SoC has a dynamic configuration area where alternative settings can be applied. The counterparts of RCWSR[12-14] can be overridden at 0x70010012c following. The commit in question used this area to switch i2c pins between i2c and gpio function at runtime using the pinctrl-single driver - which reads a 32-bit value, makes particular changes by bitmask and writes back the new value. SolidRun have observed that if the dynamic configuration is read first (before a write), it reads as zero regardless the initial values set by RCW. After the first write consecutive reads reflect the written value. Because multiple pins are configured from a single 32-bit value, this causes unintentional change of all bits (except those for i2c) being set to zero when the pinctrl driver applies the first configuration. See below a short list of which functions RCWSR12 alone controls: LX2162-CF RCWSR12: 0b0000100000000000 0000000000000110 IIC2_PMUX ||| ||| || | ||| |||XXX : I2C/GPIO/CD-WP IIC3_PMUX ||| ||| || | ||| XXX : I2C/GPIO/CAN/EVT IIC4_PMUX ||| ||| || | |||XXX||| : I2C/GPIO/CAN/EVT IIC5_PMUX ||| ||| || | XXX ||| : I2C/GPIO/SDHC-CLK IIC6_PMUX ||| ||| || |XXX||| ||| : I2C/GPIO/SDHC-CLK XSPI1_A_DATA74_PMUX ||| ||| XX X ||| ||| : XSPI/GPIO XSPI1_A_DATA30_PMUX ||| |||XXX|| | ||| ||| : XSPI/GPIO XSPI1_A_BASE_PMUX ||| XXX || | ||| ||| : XSPI/GPIO SDHC1_BASE_PMUX |||XXX||| || | ||| ||| : SDHC/GPIO/SPI SDHC1_DIR_PMUX XXX ||| || | ||| ||| : SDHC/GPIO/SPI RESERVED XX||| ||| || | ||| ||| : On LX2162A Clearfog the initial (ant intended) value is 0x08000006 - enabling card-detect on IIC2_PMUX and some LEDs on SDHC1_DIR_PMUX. Everything else is intentional zero (enabling I2C & XSPI). By reading zero from dynamic configuration area, the commit in question changes IIC2_PMUX to value 0 (I2C function), and SDHC1_DIR_PMUX to 0 (SDHC data direction function) - breaking card-detect and led gpios. This issue should affect any board based on LX2160 SoC that is using the same or earlier versions of NXP bootloader as SolidRun have tested, in particular: LSDK-21.08 and LS-5.15.71-2.2.0. Whether NXP added some extra initialisation in the bootloader on later releases was not investigated. However bootloader upgrade should not be necessary to run a newer Linux kernel. To work around this issue it is possible to explicitly define ALL pins controlled by any 32-bit value so that gradually after processing all pinctrl nodes the correct value is reached on all bits. This is a large task that should be done carefully on a per-board basis and not globally through the SoC dtsi. Therefore the commit in question is reverted. Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery") Cc: stable(a)vger.kernel.org Signed-off-by: Josua Mayer <josua(a)solid-run.com> --- Changes in v2: - changed to revert problematic commit, workaround is large effort - Link to v1: https://lore.kernel.org/r/f32c5525-3162-4acd-880c-99fc46d3a63d@solid-run.com --- arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 106 ------------------------- 1 file changed, 106 deletions(-) diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi index c9541403bcd8..eb1b4e607e2b 100644 --- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi +++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi @@ -749,10 +749,6 @@ i2c0: i2c@2000000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c0_scl>; - pinctrl-1 = <&i2c0_scl_gpio>; - scl-gpios = <&gpio0 3 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -765,10 +761,6 @@ i2c1: i2c@2010000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c1_scl>; - pinctrl-1 = <&i2c1_scl_gpio>; - scl-gpios = <&gpio0 31 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -781,10 +773,6 @@ i2c2: i2c@2020000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c2_scl>; - pinctrl-1 = <&i2c2_scl_gpio>; - scl-gpios = <&gpio0 29 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -797,10 +785,6 @@ i2c3: i2c@2030000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c3_scl>; - pinctrl-1 = <&i2c3_scl_gpio>; - scl-gpios = <&gpio0 27 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -813,10 +797,6 @@ i2c4: i2c@2040000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c4_scl>; - pinctrl-1 = <&i2c4_scl_gpio>; - scl-gpios = <&gpio0 25 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -829,10 +809,6 @@ i2c5: i2c@2050000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c5_scl>; - pinctrl-1 = <&i2c5_scl_gpio>; - scl-gpios = <&gpio0 23 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -845,10 +821,6 @@ i2c6: i2c@2060000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c6_scl>; - pinctrl-1 = <&i2c6_scl_gpio>; - scl-gpios = <&gpio1 16 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -861,10 +833,6 @@ i2c7: i2c@2070000 { clock-names = "ipg"; clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL QORIQ_CLK_PLL_DIV(16)>; - pinctrl-names = "default", "gpio"; - pinctrl-0 = <&i2c7_scl>; - pinctrl-1 = <&i2c7_scl_gpio>; - scl-gpios = <&gpio1 18 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; status = "disabled"; }; @@ -1700,80 +1668,6 @@ pcs18: ethernet-phy@0 { }; }; - pinmux_i2crv: pinmux@70010012c { - compatible = "pinctrl-single"; - reg = <0x00000007 0x0010012c 0x0 0xc>; - #address-cells = <1>; - #size-cells = <0>; - pinctrl-single,bit-per-mux; - pinctrl-single,register-width = <32>; - pinctrl-single,function-mask = <0x7>; - - i2c1_scl: i2c1-scl-pins { - pinctrl-single,bits = <0x0 0 0x7>; - }; - - i2c1_scl_gpio: i2c1-scl-gpio-pins { - pinctrl-single,bits = <0x0 0x1 0x7>; - }; - - i2c2_scl: i2c2-scl-pins { - pinctrl-single,bits = <0x0 0 (0x7 << 3)>; - }; - - i2c2_scl_gpio: i2c2-scl-gpio-pins { - pinctrl-single,bits = <0x0 (0x1 << 3) (0x7 << 3)>; - }; - - i2c3_scl: i2c3-scl-pins { - pinctrl-single,bits = <0x0 0 (0x7 << 6)>; - }; - - i2c3_scl_gpio: i2c3-scl-gpio-pins { - pinctrl-single,bits = <0x0 (0x1 << 6) (0x7 << 6)>; - }; - - i2c4_scl: i2c4-scl-pins { - pinctrl-single,bits = <0x0 0 (0x7 << 9)>; - }; - - i2c4_scl_gpio: i2c4-scl-gpio-pins { - pinctrl-single,bits = <0x0 (0x1 << 9) (0x7 << 9)>; - }; - - i2c5_scl: i2c5-scl-pins { - pinctrl-single,bits = <0x0 0 (0x7 << 12)>; - }; - - i2c5_scl_gpio: i2c5-scl-gpio-pins { - pinctrl-single,bits = <0x0 (0x1 << 12) (0x7 << 12)>; - }; - - i2c6_scl: i2c6-scl-pins { - pinctrl-single,bits = <0x4 0x2 0x7>; - }; - - i2c6_scl_gpio: i2c6-scl-gpio-pins { - pinctrl-single,bits = <0x4 0x1 0x7>; - }; - - i2c7_scl: i2c7-scl-pins { - pinctrl-single,bits = <0x4 0x2 0x7>; - }; - - i2c7_scl_gpio: i2c7-scl-gpio-pins { - pinctrl-single,bits = <0x4 0x1 0x7>; - }; - - i2c0_scl: i2c0-scl-pins { - pinctrl-single,bits = <0x8 0 (0x7 << 10)>; - }; - - i2c0_scl_gpio: i2c0-scl-gpio-pins { - pinctrl-single,bits = <0x8 (0x1 << 10) (0x7 << 10)>; - }; - }; - fsl_mc: fsl-mc@80c000000 { compatible = "fsl,qoriq-mc"; reg = <0x00000008 0x0c000000 0 0x40>, --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250710-lx2160-sd-cd-00bf38ae169e Best regards, -- Josua Mayer <josua(a)solid-run.com>

3 weeks, 3 days

2
2
0 0

[PATCH 1/4] dt-bindings: arm64: mediatek: add mt8395-evk-ufs board

by Macpaul Lin

Add a compatible string for the MediaTek mt8395-evk-ufs board. This board is the origin Genio 1200 EVK already mounted two main storages, one is eMMC, and the other is UFS. The system automatically prioritizes between eMMC and UFS via BROM detection, so user could not use both storage types simultaneously. As a result, mt8395-evk-ufs must be treated as a separate board. Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- Documentation/devicetree/bindings/arm/mediatek.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/Documentation/devicetree/bindings/arm/mediatek.yaml b/Documentation/devicetree/bindings/arm/mediatek.yaml index a7e0a72f6e4c..cf8af943ab08 100644 --- a/Documentation/devicetree/bindings/arm/mediatek.yaml +++ b/Documentation/devicetree/bindings/arm/mediatek.yaml @@ -437,6 +437,7 @@ properties: - enum: - kontron,3-5-sbc-i1200 - mediatek,mt8395-evk + - mediatek,mt8395-evk-ufs - radxa,nio-12l - const: mediatek,mt8395 - const: mediatek,mt8195 -- 2.45.2

3 weeks, 3 days

3
7
0 0

patch "iio: adc: ad7173: fix setting ODR in probe" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix setting ODR in probe to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 6fa908abd19cc35c205f343b79c67ff38dbc9b76 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 10 Jul 2025 15:43:40 -0500 Subject: iio: adc: ad7173: fix setting ODR in probe Fix the setting of the ODR register value in the probe function for AD7177. The AD7177 chip has a different ODR value after reset than the other chips (0x7 vs. 0x0) and 0 is a reserved value on that chip. The driver already has this information available in odr_start_value and uses it when checking valid values when writing to the sampling_frequency attribute, but failed to set the correct initial value in the probe function. Fixes: 37ae8381ccda ("iio: adc: ad7173: add support for additional models") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250710-iio-adc-ad7173-fix-setting-odr-in-probe-v… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 2173455c0169..4413207be28f 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -1589,6 +1589,7 @@ static int ad7173_fw_parse_channel_config(struct iio_dev *indio_dev) chan_st_priv->cfg.bipolar = false; chan_st_priv->cfg.input_buf = st->info->has_input_buf; chan_st_priv->cfg.ref_sel = AD7173_SETUP_REF_SEL_INT_REF; + chan_st_priv->cfg.odr = st->info->odr_start_value; chan_st_priv->cfg.openwire_comp_chan = -1; st->adc_mode |= AD7173_ADC_MODE_REF_EN; if (st->info->data_reg_only_16bit) @@ -1655,7 +1656,7 @@ static int ad7173_fw_parse_channel_config(struct iio_dev *indio_dev) chan->scan_index = chan_index; chan->channel = ain[0]; chan_st_priv->cfg.input_buf = st->info->has_input_buf; - chan_st_priv->cfg.odr = 0; + chan_st_priv->cfg.odr = st->info->odr_start_value; chan_st_priv->cfg.openwire_comp_chan = -1; chan_st_priv->cfg.bipolar = fwnode_property_read_bool(child, "bipolar"); -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix calibration channel" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix calibration channel to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 1d9a21ffb43b6fd326ead98f0d0afd6d104b739a Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Tue, 8 Jul 2025 20:38:33 -0500 Subject: iio: adc: ad7173: fix calibration channel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix the channel index values passed to ad_sd_calibrate() in ad7173_calibrate_all(). ad7173_calibrate_all() expects these values to be that of the CHANNELx register assigned to the channel, not the datasheet INPUTx number of the channel. The incorrect values were causing register writes to fail for some channels because they set the WEN bit that must always be 0 for register access and set the R/W bit to read instead of write. For other channels, the channel number was just wrong because the CHANNELx registers are generally assigned in reverse order and so almost never match the INPUTx numbers. Fixes: 031bdc8aee01 ("iio: adc: ad7173: add calibration support") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250708-iio-adc-ad7313-fix-calibration-channel-v1… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 1f9e91a2e3f9..2173455c0169 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -391,13 +391,12 @@ static int ad7173_calibrate_all(struct ad7173_state *st, struct iio_dev *indio_d if (indio_dev->channels[i].type != IIO_VOLTAGE) continue; - ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_ZERO, st->channels[i].ain); + ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_ZERO, i); if (ret < 0) return ret; if (st->info->has_internal_fs_calibration) { - ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_FULL, - st->channels[i].ain); + ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_FULL, i); if (ret < 0) return ret; } -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix num_slots" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix num_slots to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 92c247216918fcaa64244248ee38a0f1d342278c Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Sun, 6 Jul 2025 13:53:08 -0500 Subject: iio: adc: ad7173: fix num_slots MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix the num_slots value for most chips in the ad7173 driver. The correct value is the number of CHANNELx registers on the chip. In commit 4310e15b3140 ("iio: adc: ad7173: don't make copy of ad_sigma_delta_info struct"), we refactored struct ad_sigma_delta_info to be static const data instead of being dynamically populated during driver probe. However, there was an existing bug in commit 76a1e6a42802 ("iio: adc: ad7173: add AD7173 driver") where num_slots was incorrectly set to the number of CONFIGx registers instead of the number of CHANNELx registers. This bug was partially propagated to the refactored code in that the 16-channel chips were only given 8 slots instead of 16 although we did managed to fix the 8-channel chips and one of the 4-channel chips in that commit. However, we botched two of the 4-channel chips and ended up incorrectly giving them 8 slots during the refactoring. This patch fixes that mistake on the 4-channel chips and also corrects the 16-channel chips to have 16 slots. Fixes: 4310e15b3140 ("iio: adc: ad7173: don't make copy of ad_sigma_delta_info struct") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250706-iio-adc-ad7173-fix-num_slots-on-most-chip… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 03412895f6dc..1f9e91a2e3f9 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -771,10 +771,26 @@ static const struct ad_sigma_delta_info ad7173_sigma_delta_info_8_slots = { .num_slots = 8, }; +static const struct ad_sigma_delta_info ad7173_sigma_delta_info_16_slots = { + .set_channel = ad7173_set_channel, + .append_status = ad7173_append_status, + .disable_all = ad7173_disable_all, + .disable_one = ad7173_disable_one, + .set_mode = ad7173_set_mode, + .has_registers = true, + .has_named_irqs = true, + .addr_shift = 0, + .read_mask = BIT(6), + .status_ch_mask = GENMASK(3, 0), + .data_reg = AD7173_REG_DATA, + .num_resetclks = 64, + .num_slots = 16, +}; + static const struct ad7173_device_info ad4111_device_info = { .name = "ad4111", .id = AD4111_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 8, .num_channels = 16, .num_configs = 8, @@ -796,7 +812,7 @@ static const struct ad7173_device_info ad4111_device_info = { static const struct ad7173_device_info ad4112_device_info = { .name = "ad4112", .id = AD4112_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 8, .num_channels = 16, .num_configs = 8, @@ -817,7 +833,7 @@ static const struct ad7173_device_info ad4112_device_info = { static const struct ad7173_device_info ad4113_device_info = { .name = "ad4113", .id = AD4113_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 8, .num_channels = 16, .num_configs = 8, @@ -836,7 +852,7 @@ static const struct ad7173_device_info ad4113_device_info = { static const struct ad7173_device_info ad4114_device_info = { .name = "ad4114", .id = AD4114_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 16, .num_channels = 16, .num_configs = 8, @@ -855,7 +871,7 @@ static const struct ad7173_device_info ad4114_device_info = { static const struct ad7173_device_info ad4115_device_info = { .name = "ad4115", .id = AD4115_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 16, .num_channels = 16, .num_configs = 8, @@ -874,7 +890,7 @@ static const struct ad7173_device_info ad4115_device_info = { static const struct ad7173_device_info ad4116_device_info = { .name = "ad4116", .id = AD4116_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 11, .num_channels = 16, .num_configs = 8, @@ -893,7 +909,7 @@ static const struct ad7173_device_info ad4116_device_info = { static const struct ad7173_device_info ad7172_2_device_info = { .name = "ad7172-2", .id = AD7172_2_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_4_slots, .num_voltage_in = 5, .num_channels = 4, .num_configs = 4, @@ -926,7 +942,7 @@ static const struct ad7173_device_info ad7172_4_device_info = { static const struct ad7173_device_info ad7173_8_device_info = { .name = "ad7173-8", .id = AD7173_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in = 17, .num_channels = 16, .num_configs = 8, @@ -943,7 +959,7 @@ static const struct ad7173_device_info ad7173_8_device_info = { static const struct ad7173_device_info ad7175_2_device_info = { .name = "ad7175-2", .id = AD7175_2_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_4_slots, .num_voltage_in = 5, .num_channels = 4, .num_configs = 4, @@ -960,7 +976,7 @@ static const struct ad7173_device_info ad7175_2_device_info = { static const struct ad7173_device_info ad7175_8_device_info = { .name = "ad7175-8", .id = AD7175_8_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in = 17, .num_channels = 16, .num_configs = 8, -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad_sigma_delta: change to buffer predisable" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad_sigma_delta: change to buffer predisable to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 66d4374d97f85516b5a22418c5e798aed2606dec Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 3 Jul 2025 16:07:44 -0500 Subject: iio: adc: ad_sigma_delta: change to buffer predisable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change the buffer disable callback from postdisable to predisable. This balances the existing posteanble callback. Using postdisable with posteanble can be problematic, for example, if update_scan_mode fails, it would call postdisable without ever having called posteanble, so the drivers using this would be in an unexpected state when postdisable was called. Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-… Cc: <stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad_sigma_delta.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c index 9d2dba0a0ee6..7852884703b0 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -582,7 +582,7 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev) return ret; } -static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev) +static int ad_sd_buffer_predisable(struct iio_dev *indio_dev) { struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev); @@ -682,7 +682,7 @@ static bool ad_sd_validate_scan_mask(struct iio_dev *indio_dev, const unsigned l static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = { .postenable = &ad_sd_buffer_postenable, - .postdisable = &ad_sd_buffer_postdisable, + .predisable = &ad_sd_buffer_predisable, .validate_scan_mask = &ad_sd_validate_scan_mask, }; -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix channels index for syscalib_mode" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix channels index for syscalib_mode to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 0eb8d7b25397330beab8ee62c681975b79f37223 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 3 Jul 2025 14:51:17 -0500 Subject: iio: adc: ad7173: fix channels index for syscalib_mode Fix the index used to look up the channel when accessing the syscalib_mode attribute. The address field is a 0-based index (same as scan_index) that it used to access the channel in the ad7173_channels array throughout the driver. The channels field, on the other hand, may not match the address field depending on the channel configuration specified in the device tree and could result in an out-of-bounds access. Fixes: 031bdc8aee01 ("iio: adc: ad7173: add calibration support") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250703-iio-adc-ad7173-fix-channels-index-for-sys… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index dd9fa35555c7..03412895f6dc 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -318,7 +318,7 @@ static int ad7173_set_syscalib_mode(struct iio_dev *indio_dev, { struct ad7173_state *st = iio_priv(indio_dev); - st->channels[chan->channel].syscalib_mode = mode; + st->channels[chan->address].syscalib_mode = mode; return 0; } @@ -328,7 +328,7 @@ static int ad7173_get_syscalib_mode(struct iio_dev *indio_dev, { struct ad7173_state *st = iio_priv(indio_dev); - return st->channels[chan->channel].syscalib_mode; + return st->channels[chan->address].syscalib_mode; } static ssize_t ad7173_write_syscalib(struct iio_dev *indio_dev, @@ -347,7 +347,7 @@ static ssize_t ad7173_write_syscalib(struct iio_dev *indio_dev, if (!iio_device_claim_direct(indio_dev)) return -EBUSY; - mode = st->channels[chan->channel].syscalib_mode; + mode = st->channels[chan->address].syscalib_mode; if (sys_calib) { if (mode == AD7173_SYSCALIB_ZERO_SCALE) ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_SYS_ZERO, -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: imu: bno055: fix OOB access of hw_xlate array" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: bno055: fix OOB access of hw_xlate array to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From 399b883ec828e436f1a721bf8551b4da8727e65b Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Wed, 9 Jul 2025 21:20:00 -0500 Subject: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access. In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array. By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202507100510.rGt1YOOx-lkp@intel.com/ Fixes: 4aefe1c2bd0c ("iio: imu: add Bosch Sensortec BNO055 core driver") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250709-iio-const-data-19-v2-1-fb3fc9191251@bayli… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/bno055/bno055.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/imu/bno055/bno055.c b/drivers/iio/imu/bno055/bno055.c index 3f4c18dc3ee9..0eb5e1334e55 100644 --- a/drivers/iio/imu/bno055/bno055.c +++ b/drivers/iio/imu/bno055/bno055.c @@ -118,6 +118,7 @@ struct bno055_sysfs_attr { int len; int *fusion_vals; int *hw_xlate; + int hw_xlate_len; int type; }; @@ -170,20 +171,24 @@ static int bno055_gyr_scale_vals[] = { 1000, 1877467, 2000, 1877467, }; +static int bno055_gyr_scale_hw_xlate[] = {0, 1, 2, 3, 4}; static struct bno055_sysfs_attr bno055_gyr_scale = { .vals = bno055_gyr_scale_vals, .len = ARRAY_SIZE(bno055_gyr_scale_vals), .fusion_vals = (int[]){1, 900}, - .hw_xlate = (int[]){4, 3, 2, 1, 0}, + .hw_xlate = bno055_gyr_scale_hw_xlate, + .hw_xlate_len = ARRAY_SIZE(bno055_gyr_scale_hw_xlate), .type = IIO_VAL_FRACTIONAL, }; static int bno055_gyr_lpf_vals[] = {12, 23, 32, 47, 64, 116, 230, 523}; +static int bno055_gyr_lpf_hw_xlate[] = {5, 4, 7, 3, 6, 2, 1, 0}; static struct bno055_sysfs_attr bno055_gyr_lpf = { .vals = bno055_gyr_lpf_vals, .len = ARRAY_SIZE(bno055_gyr_lpf_vals), .fusion_vals = (int[]){32}, - .hw_xlate = (int[]){5, 4, 7, 3, 6, 2, 1, 0}, + .hw_xlate = bno055_gyr_lpf_hw_xlate, + .hw_xlate_len = ARRAY_SIZE(bno055_gyr_lpf_hw_xlate), .type = IIO_VAL_INT, }; @@ -561,7 +566,7 @@ static int bno055_get_regmask(struct bno055_priv *priv, int *val, int *val2, idx = (hwval & mask) >> shift; if (attr->hw_xlate) - for (i = 0; i < attr->len; i++) + for (i = 0; i < attr->hw_xlate_len; i++) if (attr->hw_xlate[i] == idx) { idx = i; break; -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix setting ODR in probe" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix setting ODR in probe to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 6fa908abd19cc35c205f343b79c67ff38dbc9b76 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 10 Jul 2025 15:43:40 -0500 Subject: iio: adc: ad7173: fix setting ODR in probe Fix the setting of the ODR register value in the probe function for AD7177. The AD7177 chip has a different ODR value after reset than the other chips (0x7 vs. 0x0) and 0 is a reserved value on that chip. The driver already has this information available in odr_start_value and uses it when checking valid values when writing to the sampling_frequency attribute, but failed to set the correct initial value in the probe function. Fixes: 37ae8381ccda ("iio: adc: ad7173: add support for additional models") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250710-iio-adc-ad7173-fix-setting-odr-in-probe-v… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 2173455c0169..4413207be28f 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -1589,6 +1589,7 @@ static int ad7173_fw_parse_channel_config(struct iio_dev *indio_dev) chan_st_priv->cfg.bipolar = false; chan_st_priv->cfg.input_buf = st->info->has_input_buf; chan_st_priv->cfg.ref_sel = AD7173_SETUP_REF_SEL_INT_REF; + chan_st_priv->cfg.odr = st->info->odr_start_value; chan_st_priv->cfg.openwire_comp_chan = -1; st->adc_mode |= AD7173_ADC_MODE_REF_EN; if (st->info->data_reg_only_16bit) @@ -1655,7 +1656,7 @@ static int ad7173_fw_parse_channel_config(struct iio_dev *indio_dev) chan->scan_index = chan_index; chan->channel = ain[0]; chan_st_priv->cfg.input_buf = st->info->has_input_buf; - chan_st_priv->cfg.odr = 0; + chan_st_priv->cfg.odr = st->info->odr_start_value; chan_st_priv->cfg.openwire_comp_chan = -1; chan_st_priv->cfg.bipolar = fwnode_property_read_bool(child, "bipolar"); -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix num_slots" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix num_slots to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 92c247216918fcaa64244248ee38a0f1d342278c Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Sun, 6 Jul 2025 13:53:08 -0500 Subject: iio: adc: ad7173: fix num_slots MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix the num_slots value for most chips in the ad7173 driver. The correct value is the number of CHANNELx registers on the chip. In commit 4310e15b3140 ("iio: adc: ad7173: don't make copy of ad_sigma_delta_info struct"), we refactored struct ad_sigma_delta_info to be static const data instead of being dynamically populated during driver probe. However, there was an existing bug in commit 76a1e6a42802 ("iio: adc: ad7173: add AD7173 driver") where num_slots was incorrectly set to the number of CONFIGx registers instead of the number of CHANNELx registers. This bug was partially propagated to the refactored code in that the 16-channel chips were only given 8 slots instead of 16 although we did managed to fix the 8-channel chips and one of the 4-channel chips in that commit. However, we botched two of the 4-channel chips and ended up incorrectly giving them 8 slots during the refactoring. This patch fixes that mistake on the 4-channel chips and also corrects the 16-channel chips to have 16 slots. Fixes: 4310e15b3140 ("iio: adc: ad7173: don't make copy of ad_sigma_delta_info struct") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250706-iio-adc-ad7173-fix-num_slots-on-most-chip… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 03412895f6dc..1f9e91a2e3f9 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -771,10 +771,26 @@ static const struct ad_sigma_delta_info ad7173_sigma_delta_info_8_slots = { .num_slots = 8, }; +static const struct ad_sigma_delta_info ad7173_sigma_delta_info_16_slots = { + .set_channel = ad7173_set_channel, + .append_status = ad7173_append_status, + .disable_all = ad7173_disable_all, + .disable_one = ad7173_disable_one, + .set_mode = ad7173_set_mode, + .has_registers = true, + .has_named_irqs = true, + .addr_shift = 0, + .read_mask = BIT(6), + .status_ch_mask = GENMASK(3, 0), + .data_reg = AD7173_REG_DATA, + .num_resetclks = 64, + .num_slots = 16, +}; + static const struct ad7173_device_info ad4111_device_info = { .name = "ad4111", .id = AD4111_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 8, .num_channels = 16, .num_configs = 8, @@ -796,7 +812,7 @@ static const struct ad7173_device_info ad4111_device_info = { static const struct ad7173_device_info ad4112_device_info = { .name = "ad4112", .id = AD4112_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 8, .num_channels = 16, .num_configs = 8, @@ -817,7 +833,7 @@ static const struct ad7173_device_info ad4112_device_info = { static const struct ad7173_device_info ad4113_device_info = { .name = "ad4113", .id = AD4113_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 8, .num_channels = 16, .num_configs = 8, @@ -836,7 +852,7 @@ static const struct ad7173_device_info ad4113_device_info = { static const struct ad7173_device_info ad4114_device_info = { .name = "ad4114", .id = AD4114_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 16, .num_channels = 16, .num_configs = 8, @@ -855,7 +871,7 @@ static const struct ad7173_device_info ad4114_device_info = { static const struct ad7173_device_info ad4115_device_info = { .name = "ad4115", .id = AD4115_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 16, .num_channels = 16, .num_configs = 8, @@ -874,7 +890,7 @@ static const struct ad7173_device_info ad4115_device_info = { static const struct ad7173_device_info ad4116_device_info = { .name = "ad4116", .id = AD4116_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in_div = 11, .num_channels = 16, .num_configs = 8, @@ -893,7 +909,7 @@ static const struct ad7173_device_info ad4116_device_info = { static const struct ad7173_device_info ad7172_2_device_info = { .name = "ad7172-2", .id = AD7172_2_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_4_slots, .num_voltage_in = 5, .num_channels = 4, .num_configs = 4, @@ -926,7 +942,7 @@ static const struct ad7173_device_info ad7172_4_device_info = { static const struct ad7173_device_info ad7173_8_device_info = { .name = "ad7173-8", .id = AD7173_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in = 17, .num_channels = 16, .num_configs = 8, @@ -943,7 +959,7 @@ static const struct ad7173_device_info ad7173_8_device_info = { static const struct ad7173_device_info ad7175_2_device_info = { .name = "ad7175-2", .id = AD7175_2_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_4_slots, .num_voltage_in = 5, .num_channels = 4, .num_configs = 4, @@ -960,7 +976,7 @@ static const struct ad7173_device_info ad7175_2_device_info = { static const struct ad7173_device_info ad7175_8_device_info = { .name = "ad7175-8", .id = AD7175_8_ID, - .sd_info = &ad7173_sigma_delta_info_8_slots, + .sd_info = &ad7173_sigma_delta_info_16_slots, .num_voltage_in = 17, .num_channels = 16, .num_configs = 8, -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix calibration channel" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix calibration channel to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 1d9a21ffb43b6fd326ead98f0d0afd6d104b739a Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Tue, 8 Jul 2025 20:38:33 -0500 Subject: iio: adc: ad7173: fix calibration channel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix the channel index values passed to ad_sd_calibrate() in ad7173_calibrate_all(). ad7173_calibrate_all() expects these values to be that of the CHANNELx register assigned to the channel, not the datasheet INPUTx number of the channel. The incorrect values were causing register writes to fail for some channels because they set the WEN bit that must always be 0 for register access and set the R/W bit to read instead of write. For other channels, the channel number was just wrong because the CHANNELx registers are generally assigned in reverse order and so almost never match the INPUTx numbers. Fixes: 031bdc8aee01 ("iio: adc: ad7173: add calibration support") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250708-iio-adc-ad7313-fix-calibration-channel-v1… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 1f9e91a2e3f9..2173455c0169 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -391,13 +391,12 @@ static int ad7173_calibrate_all(struct ad7173_state *st, struct iio_dev *indio_d if (indio_dev->channels[i].type != IIO_VOLTAGE) continue; - ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_ZERO, st->channels[i].ain); + ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_ZERO, i); if (ret < 0) return ret; if (st->info->has_internal_fs_calibration) { - ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_FULL, - st->channels[i].ain); + ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_INT_FULL, i); if (ret < 0) return ret; } -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad7173: fix channels index for syscalib_mode" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: fix channels index for syscalib_mode to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 0eb8d7b25397330beab8ee62c681975b79f37223 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 3 Jul 2025 14:51:17 -0500 Subject: iio: adc: ad7173: fix channels index for syscalib_mode Fix the index used to look up the channel when accessing the syscalib_mode attribute. The address field is a 0-based index (same as scan_index) that it used to access the channel in the ad7173_channels array throughout the driver. The channels field, on the other hand, may not match the address field depending on the channel configuration specified in the device tree and could result in an out-of-bounds access. Fixes: 031bdc8aee01 ("iio: adc: ad7173: add calibration support") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250703-iio-adc-ad7173-fix-channels-index-for-sys… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index dd9fa35555c7..03412895f6dc 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -318,7 +318,7 @@ static int ad7173_set_syscalib_mode(struct iio_dev *indio_dev, { struct ad7173_state *st = iio_priv(indio_dev); - st->channels[chan->channel].syscalib_mode = mode; + st->channels[chan->address].syscalib_mode = mode; return 0; } @@ -328,7 +328,7 @@ static int ad7173_get_syscalib_mode(struct iio_dev *indio_dev, { struct ad7173_state *st = iio_priv(indio_dev); - return st->channels[chan->channel].syscalib_mode; + return st->channels[chan->address].syscalib_mode; } static ssize_t ad7173_write_syscalib(struct iio_dev *indio_dev, @@ -347,7 +347,7 @@ static ssize_t ad7173_write_syscalib(struct iio_dev *indio_dev, if (!iio_device_claim_direct(indio_dev)) return -EBUSY; - mode = st->channels[chan->channel].syscalib_mode; + mode = st->channels[chan->address].syscalib_mode; if (sys_calib) { if (mode == AD7173_SYSCALIB_ZERO_SCALE) ret = ad_sd_calibrate(&st->sd, AD7173_MODE_CAL_SYS_ZERO, -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: adc: ad_sigma_delta: change to buffer predisable" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad_sigma_delta: change to buffer predisable to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 66d4374d97f85516b5a22418c5e798aed2606dec Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 3 Jul 2025 16:07:44 -0500 Subject: iio: adc: ad_sigma_delta: change to buffer predisable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change the buffer disable callback from postdisable to predisable. This balances the existing posteanble callback. Using postdisable with posteanble can be problematic, for example, if update_scan_mode fails, it would call postdisable without ever having called posteanble, so the drivers using this would be in an unexpected state when postdisable was called. Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-… Cc: <stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad_sigma_delta.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c index 9d2dba0a0ee6..7852884703b0 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -582,7 +582,7 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev) return ret; } -static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev) +static int ad_sd_buffer_predisable(struct iio_dev *indio_dev) { struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev); @@ -682,7 +682,7 @@ static bool ad_sd_validate_scan_mask(struct iio_dev *indio_dev, const unsigned l static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = { .postenable = &ad_sd_buffer_postenable, - .postdisable = &ad_sd_buffer_postdisable, + .predisable = &ad_sd_buffer_predisable, .validate_scan_mask = &ad_sd_validate_scan_mask, }; -- 2.50.1

3 weeks, 3 days

1
0
0 0

patch "iio: imu: bno055: fix OOB access of hw_xlate array" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: bno055: fix OOB access of hw_xlate array to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From 399b883ec828e436f1a721bf8551b4da8727e65b Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Wed, 9 Jul 2025 21:20:00 -0500 Subject: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access. In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array. By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202507100510.rGt1YOOx-lkp@intel.com/ Fixes: 4aefe1c2bd0c ("iio: imu: add Bosch Sensortec BNO055 core driver") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250709-iio-const-data-19-v2-1-fb3fc9191251@bayli… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/bno055/bno055.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/imu/bno055/bno055.c b/drivers/iio/imu/bno055/bno055.c index 3f4c18dc3ee9..0eb5e1334e55 100644 --- a/drivers/iio/imu/bno055/bno055.c +++ b/drivers/iio/imu/bno055/bno055.c @@ -118,6 +118,7 @@ struct bno055_sysfs_attr { int len; int *fusion_vals; int *hw_xlate; + int hw_xlate_len; int type; }; @@ -170,20 +171,24 @@ static int bno055_gyr_scale_vals[] = { 1000, 1877467, 2000, 1877467, }; +static int bno055_gyr_scale_hw_xlate[] = {0, 1, 2, 3, 4}; static struct bno055_sysfs_attr bno055_gyr_scale = { .vals = bno055_gyr_scale_vals, .len = ARRAY_SIZE(bno055_gyr_scale_vals), .fusion_vals = (int[]){1, 900}, - .hw_xlate = (int[]){4, 3, 2, 1, 0}, + .hw_xlate = bno055_gyr_scale_hw_xlate, + .hw_xlate_len = ARRAY_SIZE(bno055_gyr_scale_hw_xlate), .type = IIO_VAL_FRACTIONAL, }; static int bno055_gyr_lpf_vals[] = {12, 23, 32, 47, 64, 116, 230, 523}; +static int bno055_gyr_lpf_hw_xlate[] = {5, 4, 7, 3, 6, 2, 1, 0}; static struct bno055_sysfs_attr bno055_gyr_lpf = { .vals = bno055_gyr_lpf_vals, .len = ARRAY_SIZE(bno055_gyr_lpf_vals), .fusion_vals = (int[]){32}, - .hw_xlate = (int[]){5, 4, 7, 3, 6, 2, 1, 0}, + .hw_xlate = bno055_gyr_lpf_hw_xlate, + .hw_xlate_len = ARRAY_SIZE(bno055_gyr_lpf_hw_xlate), .type = IIO_VAL_INT, }; @@ -561,7 +566,7 @@ static int bno055_get_regmask(struct bno055_priv *priv, int *val, int *val2, idx = (hwval & mask) >> shift; if (attr->hw_xlate) - for (i = 0; i < attr->len; i++) + for (i = 0; i < attr->hw_xlate_len; i++) if (attr->hw_xlate[i] == idx) { idx = i; break; -- 2.50.1

3 weeks, 3 days

1
0
0 0

Re: [tip: x86/urgent] cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU

by Logan Matthews

Sent from my iPhone

3 weeks, 3 days

1
0
0 0

[PATCH net v2 1/3] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint()

by Ma Ke

The fsl_mc_get_endpoint() function may call fsl_mc_device_lookup() twice, which would increment the device's reference count twice if both lookups find a device. This could lead to a reference count leak. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 1ac210d128ef ("bus: fsl-mc: add the fsl_mc_get_endpoint function") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/bus/fsl-mc/fsl-mc-bus.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c index 7671bd158545..c1c0a4759c7e 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -943,6 +943,7 @@ struct fsl_mc_device *fsl_mc_get_endpoint(struct fsl_mc_device *mc_dev, struct fsl_mc_obj_desc endpoint_desc = {{ 0 }}; struct dprc_endpoint endpoint1 = {{ 0 }}; struct dprc_endpoint endpoint2 = {{ 0 }}; + struct fsl_mc_bus *mc_bus; int state, err; mc_bus_dev = to_fsl_mc_device(mc_dev->dev.parent); @@ -966,6 +967,8 @@ struct fsl_mc_device *fsl_mc_get_endpoint(struct fsl_mc_device *mc_dev, strcpy(endpoint_desc.type, endpoint2.type); endpoint_desc.id = endpoint2.id; endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev); + if (endpoint) + return endpoint; /* * We know that the device has an endpoint because we verified by @@ -973,17 +976,13 @@ struct fsl_mc_device *fsl_mc_get_endpoint(struct fsl_mc_device *mc_dev, * yet discovered by the fsl-mc bus, thus the lookup returned NULL. * Force a rescan of the devices in this container and retry the lookup. */ - if (!endpoint) { - struct fsl_mc_bus *mc_bus = to_fsl_mc_bus(mc_bus_dev); - - if (mutex_trylock(&mc_bus->scan_mutex)) { - err = dprc_scan_objects(mc_bus_dev, true); - mutex_unlock(&mc_bus->scan_mutex); - } - - if (err < 0) - return ERR_PTR(err); + mc_bus = to_fsl_mc_bus(mc_bus_dev); + if (mutex_trylock(&mc_bus->scan_mutex)) { + err = dprc_scan_objects(mc_bus_dev, true); + mutex_unlock(&mc_bus->scan_mutex); } + if (err < 0) + return ERR_PTR(err); endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev); /* -- 2.25.1

3 weeks, 3 days

4
9
0 0

[PATCH 0/2] Fix undetected overflow when allocating IOVA

by Jason Gunthorpe

Syzkaller found this, the ALIGN() call can overflow and corrupt the allocation process. Fix the bug and add some test coverage. Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Jason Gunthorpe (2): iommufd: Prevent ALIGN() overflow iommufd/selftest: Test reserved regions near ULONG_MAX drivers/iommu/iommufd/io_pagetable.c | 41 +++++++++++++++---------- tools/testing/selftests/iommu/iommufd.c | 18 +++++++++++ 2 files changed, 43 insertions(+), 16 deletions(-) base-commit: 601b1d0d9395c711383452bd0d47037afbbb4bcf -- 2.43.0

3 weeks, 3 days

5
14
0 0

[PATCH 3/3] ntfs: Do not overwrite uptodate pages

by Matthew Wilcox (Oracle)

When reading a compressed file, we may read several pages in addition to the one requested. The current code will overwrite pages in the page cache with the data from disc which can definitely result in changes that have been made being lost. For example if we have four consecutie pages ABCD in the file compressed into a single extent, on first access, we'll bring in ABCD. Then we write to page B. Memory pressure results in the eviction of ACD. When we attempt to write to page C, we will overwrite the data in page B with the data currently on disk. I haven't investigated the decompression code to check whether it's OK to overwrite a clean page or whether it might be possible to see corrupt data. Out of an abundance of caution, decline to overwrite uptodate pages, not just dirty pages. Fixes: 4342306f0f0d (fs/ntfs3: Add file operations and implementation) Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: stable(a)vger.kernel.org --- fs/ntfs3/frecord.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c index 6fc7b2281fed..c3ce9cf4441e 100644 --- a/fs/ntfs3/frecord.c +++ b/fs/ntfs3/frecord.c @@ -2020,6 +2020,29 @@ int ni_fiemap(struct ntfs_inode *ni, struct fiemap_extent_info *fieinfo, return err; } +static struct page *ntfs_lock_new_page(struct address_space *mapping, + pgoff_t index, gfp_t gfp) +{ + struct folio *folio = __filemap_get_folio(mapping, index, + FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp); + struct page *page; + + if (IS_ERR(folio)) + return ERR_CAST(folio); + + if (!folio_test_uptodate(folio)) + return folio_file_page(folio, index); + + /* Use a temporary page to avoid data corruption */ + folio_unlock(folio); + folio_put(folio); + page = alloc_page(gfp); + if (!page) + return ERR_PTR(-ENOMEM); + __SetPageLocked(page); + return page; +} + /* * ni_readpage_cmpr * @@ -2074,9 +2097,9 @@ int ni_readpage_cmpr(struct ntfs_inode *ni, struct folio *folio) if (i == idx) continue; - pg = find_or_create_page(mapping, index, gfp_mask); - if (!pg) { - err = -ENOMEM; + pg = ntfs_lock_new_page(mapping, index, gfp_mask); + if (IS_ERR(pg)) { + err = PTR_ERR(pg); goto out1; } pages[i] = pg; @@ -2175,13 +2198,13 @@ int ni_decompress_file(struct ntfs_inode *ni) for (i = 0; i < pages_per_frame; i++, index++) { struct page *pg; - pg = find_or_create_page(mapping, index, gfp_mask); - if (!pg) { + pg = ntfs_lock_new_page(mapping, index, gfp_mask); + if (IS_ERR(pg)) { while (i--) { unlock_page(pages[i]); put_page(pages[i]); } - err = -ENOMEM; + err = PTR_ERR(pg); goto out; } pages[i] = pg; -- 2.47.2

3 weeks, 3 days

1
0
0 0

[PATCH 5.4 000/144] 5.4.296-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.296 release. There are 144 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 18 Jul 2025 14:12:35 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.296-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.296-rc2 Georg Kohmann <geokohma(a)cisco.com> net: ipv6: Discard next-hop MTU less than minimum link MTU Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Eric W. Biederman <ebiederm(a)xmission.com> proc: Clear the pieces of proc_inode that proc_evict_inode cares about Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Vladimir Oltean <vladimir.oltean(a)nxp.com> spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path Vladimir Oltean <vladimir.oltean(a)nxp.com> spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Leon Romanovsky <leon(a)kernel.org> RDMA/core: Create and destroy counters in the ib_core Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Jerome Neanne <jneanne(a)baylibre.com> regulator: gpio: Add input_supply support in gpio_regulator_config Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Omar Sandoval <osandov(a)fb.com> btrfs: don't abort filesystem when attempting to snapshot deleted subvolume Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Denis Arefev <arefev(a)swemel.ru> media: vivid: Change the siize of the composing Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Edward Adam Davis <eadavis(a)qq.com> media: cxusb: no longer judge rbuf when the write fails Sean Young <sean(a)mess.org> media: cxusb: use dev_dbg() rather than hand-rolled debug Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Rob Herring <robh(a)kernel.org> of: Add of_property_present() helper Michael Walle <michael(a)walle.cc> of: property: define of_property_read_u{8,16,32,64}_array() unconditionally Arnd Bergmann <arnd(a)arndb.de> kbuild: hdrcheck: fix cross build with clang Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add --target to correctly cross-compile UAPI headers with Clang Masahiro Yamada <masahiroy(a)kernel.org> bpfilter: match bit size of bpfilter_umh to that of the kernel Masahiro Yamada <masahiroy(a)kernel.org> kbuild: use -MMD instead of -MD to exclude system headers from dependency Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/x86/Kconfig | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/dma-buf/dma-resv.c | 5 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/bridge/cdns-dsi.c | 11 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 12 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/v3d/v3d_drv.h | 9 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 36 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/device.c | 1 + drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- .../infiniband/core/uverbs_std_types_counters.c | 17 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 55 ++-- drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/platform/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 36 ++- drivers/media/usb/uvc/uvc_ctrl.c | 61 +++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 +- drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/phy/microchip.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 19 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 55 ++-- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +--- drivers/tty/serial/uartlite.c | 15 +- drivers/tty/vt/vt.c | 1 + drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/typec/altmodes/displayport.c | 5 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/ioctl.c | 3 + fs/btrfs/tree-log.c | 4 +- fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 144 +++++++--- fs/nfs/inode.c | 17 +- fs/overlayfs/util.c | 4 +- fs/proc/inode.c | 16 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/of.h | 291 ++++++++++----------- include/linux/regulator/gpio-regulator.h | 2 + include/linux/usb/typec_dp.h | 1 + include/rdma/ib_verbs.h | 7 +- include/uapi/linux/vm_sockets.h | 4 + init/Kconfig | 4 +- lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/bpfilter/Makefile | 5 +- net/ipv6/route.c | 3 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 ++++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/tipc/topsrv.c | 2 + net/vmw_vsock/vmci_transport.c | 4 +- scripts/Kbuild.include | 2 +- scripts/Makefile.host | 4 +- scripts/Makefile.lib | 8 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/soc/meson/meson-card-utils.c | 2 +- sound/usb/stream.c | 2 + usr/include/Makefile | 6 +- 132 files changed, 1183 insertions(+), 685 deletions(-)

3 weeks, 3 days

5
5
0 0

[PATCH 5.15 00/78] 5.15.189-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.189 release. There are 78 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:29 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.189-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.189-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Kurt Borja <kuurtb(a)gmail.com> platform/x86: think-lmi: Fix sysfs group cleanup Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Christian König <christian.koenig(a)amd.com> dma-buf: use new iterator in dma_resv_wait_timeout Christian König <christian.koenig(a)amd.com> dma-buf: add dma_resv_for_each_fence_unlocked v8 Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Hongyu Xie <xiehongyu1(a)kylinos.cn> xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: ensure the received length does not exceed allocated size Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Juergen Gross <jgross(a)suse.com> xen: replace xen_remap() with memremap() Edward Adam Davis <eadavis(a)qq.com> jfs: fix null ptr deref in dtInsertEntry John Fastabend <john.fastabend(a)gmail.com> bpf, sockmap: Fix skb refcnt race after locking changes Maksim Kiselev <bigunclemax(a)gmail.com> aoe: avoid potential deadlock at set_capacity Lee, Chun-Yi <joeyli.kernel(a)gmail.com> thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Andrii Nakryiko <andrii(a)kernel.org> bpf: fix precision backtracking instruction iteration David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Jesse Brandeburg <jesse.brandeburg(a)intel.com> ice: safer stats processing Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/include/asm/xen/page.h | 3 - arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/aoe/aoeblk.c | 5 +- drivers/block/nbd.c | 6 +- drivers/dma-buf/dma-resv.c | 171 ++++++---- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/infiniband/hw/mlx5/main.c | 33 ++ drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/intel/ice/ice_main.c | 29 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/virtio_net.c | 44 ++- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/think-lmi.c | 35 +- drivers/pwm/pwm-mediatek.c | 15 +- .../intel/int340x_thermal/int3400_thermal.c | 9 +- drivers/tty/hvc/hvc_xen.c | 2 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 +- drivers/usb/host/xhci-plat.c | 3 +- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- drivers/xen/grant-table.c | 6 +- drivers/xen/xenbus/xenbus_probe.c | 3 +- fs/btrfs/inode.c | 36 +-- fs/jfs/jfs_dtree.c | 2 + fs/ksmbd/transport_rdma.c | 5 +- fs/ksmbd/vfs.c | 1 + fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/dma-resv.h | 95 ++++++ include/net/netfilter/nf_flow_table.h | 2 +- include/xen/arm/page.h | 3 - kernel/bpf/verifier.c | 21 +- kernel/events/core.c | 2 +- kernel/rseq.c | 60 +++- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/core/skmsg.c | 12 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- sound/soc/fsl/fsl_asrc.c | 3 +- 80 files changed, 1030 insertions(+), 576 deletions(-)

3 weeks, 3 days

8
8
0 0

RE: [PATCH] misc: rtsx: usb: Ensure mmc child device is active when card is present

by Gwendal Grignou

> > > - if (val & (SD_CD | MS_CD)) > > > + if (val & (SD_CD | MS_CD)) { > > > + device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child); > > Why not calling rtsx_usb_resume() here? > Because in this time rtsx_usb is not in runtime_suspend, only need to make sure child is not in suspend > Actually when the program came here this suspend will be rejected because return -EAGAIN > > > return -EAGAIN; > > > + } I meant: if (val & (SD_CD | MS_CD)) { rtsx_usb_resume(intf) return -EAGAIN; } It looks cleaner, as it indicates the the supsend is rejected and needs to be undone. The code is in the end indentical to the patch you are proposing. This is just for look anyway, the patch as-is is acceptable.

3 weeks, 3 days

1
0
0 0

[PATCH] sunvdc: Balance device refcount in vdc_port_mpgroup_check

by Ma Ke

Using device_find_child() to locate a probed virtual-device-port node causes a device refcount imbalance, as device_find_child() internally calls get_device() to increment the device’s reference count before returning its pointer. vdc_port_mpgroup_check() directly returns true upon finding a matching device without releasing the reference via put_device(). We should call put_device() to decrement refcount. As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/block/sunvdc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c index b5727dea15bd..b6dbd5dd2723 100644 --- a/drivers/block/sunvdc.c +++ b/drivers/block/sunvdc.c @@ -950,6 +950,7 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev) { struct vdc_check_port_data port_data; struct device *dev; + bool found = false; port_data.dev_no = vdev->dev_no; port_data.type = (char *)&vdev->type; @@ -957,10 +958,12 @@ static bool vdc_port_mpgroup_check(struct vio_dev *vdev) dev = device_find_child(vdev->dev.parent, &port_data, vdc_device_probed); - if (dev) - return true; + if (dev) { + found = true; + put_device(dev); + } - return false; + return found; } static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id) -- 2.25.1

3 weeks, 4 days

2
1
0 0

[PATCH v2] ice: Fix a null pointer dereference in ice_copy_and_init_pkg()

by Haoxiang Li

Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> --- Changes in v2: - modify the Fixes commit number. Thanks, Michal! --- drivers/net/ethernet/intel/ice/ice_ddp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/intel/ice/ice_ddp.c b/drivers/net/ethernet/intel/ice/ice_ddp.c index 59323c019544..351824dc3c62 100644 --- a/drivers/net/ethernet/intel/ice/ice_ddp.c +++ b/drivers/net/ethernet/intel/ice/ice_ddp.c @@ -2301,6 +2301,8 @@ enum ice_ddp_state ice_copy_and_init_pkg(struct ice_hw *hw, const u8 *buf, return ICE_DDP_PKG_ERR; buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL); + if (!buf_copy) + return ICE_DDP_PKG_ERR; state = ice_init_pkg(hw, buf_copy, len); if (!ice_is_init_pkg_successful(state)) { -- 2.25.1

3 weeks, 4 days

3
2
0 0

[PATCH] HID: apple: validate feature-report field count to prevent NULL pointer dereference

by Qasim Ijaz

A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_magic_backlight_report_set() becomes invalid since field[1] will be NULL. An example of a minimal descriptor which can cause the crash is something like the following where the report with ID 3 (power report) only references a single 1-byte field. When hid core parses the descriptor it will encounter the final feature tag, allocate a hid_report (all members of field[] will be zeroed out), create field structure and populate it, increasing the maxfield to 1. The subsequent field[1] access and dereference causes the crash. Usage Page (Vendor Defined 0xFF00) Usage (0x0F) Collection (Application) Report ID (1) Usage (0x01) Logical Minimum (0) Logical Maximum (255) Report Size (8) Report Count (1) Feature (Data,Var,Abs) Usage (0x02) Logical Maximum (32767) Report Size (16) Report Count (1) Feature (Data,Var,Abs) Report ID (3) Usage (0x03) Logical Minimum (0) Logical Maximum (1) Report Size (8) Report Count (1) Feature (Data,Var,Abs) End Collection Here we see the KASAN splat when the kernel dereferences the NULL pointer and crashes: [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary) [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 [ 15.165691] Call Trace: [ 15.165691] <TASK> [ 15.165691] apple_probe+0x571/0xa20 [ 15.165691] hid_device_probe+0x2e2/0x6f0 [ 15.165691] really_probe+0x1ca/0x5c0 [ 15.165691] __driver_probe_device+0x24f/0x310 [ 15.165691] driver_probe_device+0x4a/0xd0 [ 15.165691] __device_attach_driver+0x169/0x220 [ 15.165691] bus_for_each_drv+0x118/0x1b0 [ 15.165691] __device_attach+0x1d5/0x380 [ 15.165691] device_initial_probe+0x12/0x20 [ 15.165691] bus_probe_device+0x13d/0x180 [ 15.165691] device_add+0xd87/0x1510 [...] To fix this issue we should validate the number of fields that the backlight and power reports have and if they do not have the required number of fields then bail. Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/hid-apple.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c index ed34f5cd5a91..183229ae5f02 100644 --- a/drivers/hid/hid-apple.c +++ b/drivers/hid/hid-apple.c @@ -890,7 +890,8 @@ static int apple_magic_backlight_init(struct hid_device *hdev) backlight->brightness = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_BRIGHTNESS]; backlight->power = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_POWER]; - if (!backlight->brightness || !backlight->power) + if (!backlight->brightness || backlight->brightness->maxfield < 2 || + !backlight->power || backlight->power->maxfield < 2) return -ENODEV; backlight->cdev.name = ":white:" LED_FUNCTION_KBD_BACKLIGHT; -- 2.39.5

3 weeks, 4 days

4
3
0 0

[PATCH] drm/panthor: Fix memory leak in panthor_ioctl_group_create()

by Jann Horn

When bailing out due to group_priority_permit() failure, the queue_args need to be freed. Fix it by rearranging the function to use the goto-on-error pattern, such that the success case flows straight without indentation while error cases jump forward to cleanup. Cc: stable(a)vger.kernel.org Fixes: 5f7762042f8a ("drm/panthor: Restrict high priorities on group_create") Signed-off-by: Jann Horn <jannh(a)google.com> --- testcase: ``` #include <err.h> #include <fcntl.h> #include <stddef.h> #include <sys/ioctl.h> #include <drm/panthor_drm.h> #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) #define GPU_PATH "/dev/dri/by-path/platform-fb000000.gpu-card" int main(void) { int fd = SYSCHK(open(GPU_PATH, O_RDWR)); while (1) { struct drm_panthor_queue_create qc[16] = {}; struct drm_panthor_group_create gc = { .queues = { .stride = sizeof(struct drm_panthor_queue_create), .count = 16, .array = (unsigned long)qc }, .priority = PANTHOR_GROUP_PRIORITY_HIGH+1/*invalid*/ }; ioctl(fd, DRM_IOCTL_PANTHOR_GROUP_CREATE, &gc); } } ``` I have tested that without this patch, after running the testcase for a few seconds and then manually killing it, 2G of RAM in kmalloc-128 have been leaked. With the patch applied, the memory leak is gone. (By the way, get_maintainer.pl suggests that I also send this patch to the general DRM maintainers and the DRM-misc maintainers; looking at MAINTAINERS, it looks like it is normal that the general DRM maintainers are listed for everything under drivers/gpu/, but DRM-misc has exclusion rules for a bunch of drivers but not panthor. I don't know if that is intentional.) --- drivers/gpu/drm/panthor/panthor_drv.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c index c520f156e2d73f7e735f8bf2d6d8e8efacec9362..815c23cff25f305d884e8e3e263fa22888f7d5ce 100644 --- a/drivers/gpu/drm/panthor/panthor_drv.c +++ b/drivers/gpu/drm/panthor/panthor_drv.c @@ -1032,14 +1032,15 @@ static int panthor_ioctl_group_create(struct drm_device *ddev, void *data, ret = group_priority_permit(file, args->priority); if (ret) - return ret; + goto out; ret = panthor_group_create(pfile, args, queue_args); - if (ret >= 0) { - args->group_handle = ret; - ret = 0; - } + if (ret < 0) + goto out; + args->group_handle = ret; + ret = 0; +out: kvfree(queue_args); return ret; } --- base-commit: 9f8e716d46c68112484a23d1742d9ec725e082fc change-id: 20241113-panthor-fix-gcq-bailout-2d9ac36590ed -- Jann Horn <jannh(a)google.com>

3 weeks, 4 days

4
4
0 0

[PATCH] kasan: use vmalloc_dump_obj() for vmalloc error reports

by Marco Elver

Since 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock"), more detailed info about the vmalloc mapping and the origin was dropped due to potential deadlocks. While fixing the deadlock is necessary, that patch was too quick in killing an otherwise useful feature, and did no due-diligence in understanding if an alternative option is available. Restore printing more helpful vmalloc allocation info in KASAN reports with the help of vmalloc_dump_obj(). Example report: | BUG: KASAN: vmalloc-out-of-bounds in vmalloc_oob+0x4c9/0x610 | Read of size 1 at addr ffffc900002fd7f3 by task kunit_try_catch/493 | | CPU: [...] | Call Trace: | <TASK> | dump_stack_lvl+0xa8/0xf0 | print_report+0x17e/0x810 | kasan_report+0x155/0x190 | vmalloc_oob+0x4c9/0x610 | [...] | | The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900002fd000 allocated at vmalloc_oob+0x36/0x610 | The buggy address belongs to the physical page: | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126364 | flags: 0x200000000000000(node=0|zone=2) | raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: kasan: bad access detected | | [..] Fixes: 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock") Suggested-by: Uladzislau Rezki <urezki(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Yeoreum Yun <yeoreum.yun(a)arm.com> Cc: Yunseong Kim <ysk(a)kzalloc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Marco Elver <elver(a)google.com> --- mm/kasan/report.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/kasan/report.c b/mm/kasan/report.c index b0877035491f..62c01b4527eb 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -399,7 +399,9 @@ static void print_address_description(void *addr, u8 tag, } if (is_vmalloc_addr(addr)) { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + pr_err("The buggy address belongs to a"); + if (!vmalloc_dump_obj(addr)) + pr_cont(" vmalloc virtual mapping\n"); page = vmalloc_to_page(addr); } -- 2.50.0.727.gbf7dc18ff4-goog

3 weeks, 4 days

3
2
0 0

[PATCH v9 2/4] serial: 8250_dw: fix PSLVERR on RX_TIMEOUT

by Yunhui Cui

The DW UART may trigger the RX_TIMEOUT interrupt without data present and remain stuck in this state indefinitely. The dw8250_handle_irq() function detects this condition by checking if the UART_LSR_DR bit is not set when RX_TIMEOUT occurs. When detected, it performs a "dummy read" to recover the DW UART from this state. When the PSLVERR_RESP_EN parameter is set to 1, reading the UART_RX while the FIFO is enabled and UART_LSR_DR is not set will generate a PSLVERR error, which may lead to a system panic. There are two methods to prevent PSLVERR: one is to check if UART_LSR_DR is set before reading UART_RX when the FIFO is enabled, and the other is to read UART_RX when the FIFO is disabled. Given these two scenarios, the FIFO must be disabled before the "dummy read" operation and re-enabled afterward to maintain normal UART functionality. Fixes: 424d79183af0 ("serial: 8250_dw: Avoid "too much work" from bogus rx timeout interrupt") Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_dw.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c index 1902f29444a1c..082b7fcf251db 100644 --- a/drivers/tty/serial/8250/8250_dw.c +++ b/drivers/tty/serial/8250/8250_dw.c @@ -297,9 +297,17 @@ static int dw8250_handle_irq(struct uart_port *p) uart_port_lock_irqsave(p, &flags); status = serial_lsr_in(up); - if (!(status & (UART_LSR_DR | UART_LSR_BI))) + if (!(status & (UART_LSR_DR | UART_LSR_BI))) { + /* To avoid PSLVERR, disable the FIFO first. */ + if (up->fcr & UART_FCR_ENABLE_FIFO) + serial_out(up, UART_FCR, 0); + serial_port_in(p, UART_RX); + if (up->fcr & UART_FCR_ENABLE_FIFO) + serial_out(up, UART_FCR, up->fcr); + } + uart_port_unlock_irqrestore(p, flags); } -- 2.39.5

3 weeks, 4 days

4
5
0 0

[PATCH 6.6.y 0/2] regulator: pwm-regulator: fix boot hang issue

by Chukun Pan

This series backports the merged series: https://lore.kernel.org/all/20240113224628.377993-1-martin.blumenstingl@goo… The first patch has been backported. Backport the remaining two patches to fix boot hang issues on some Rockchip devices using pwm-regulator. Martin Blumenstingl (2): regulator: pwm-regulator: Calculate the output voltage for disabled PWMs regulator: pwm-regulator: Manage boot-on with disabled PWM channels drivers/regulator/pwm-regulator.c | 40 +++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) -- 2.25.1

3 weeks, 4 days

1
2
0 0

[PATCH] drm/amdgpu: Initialize data to NULL in imu_v12_0_program_rlc_ram()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables and pointers [1], there is a warning in imu_v12_0_program_rlc_ram() because data is passed uninitialized to program_imu_rlc_ram(): drivers/gpu/drm/amd/amdgpu/imu_v12_0.c:374:30: error: variable 'data' is uninitialized when used here [-Werror,-Wuninitialized] 374 | program_imu_rlc_ram(adev, data, (const u32)size); | ^~~~ As this warning happens early in clang's frontend, it does not realize that due to the assignment of r to -EINVAL, program_imu_rlc_ram() is never actually called, and even if it were, data would not be dereferenced because size is 0. Just initialize data to NULL to silence the warning, as the commit that added program_imu_rlc_ram() mentioned it would eventually be used over the old method, at which point data can be properly initialized and used. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2107 Fixes: 56159fffaab5 ("drm/amdgpu: use new method to program rlc ram") Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/gpu/drm/amd/amdgpu/imu_v12_0.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/imu_v12_0.c b/drivers/gpu/drm/amd/amdgpu/imu_v12_0.c index df898dbb746e..8cb6b1854d24 100644 --- a/drivers/gpu/drm/amd/amdgpu/imu_v12_0.c +++ b/drivers/gpu/drm/amd/amdgpu/imu_v12_0.c @@ -362,7 +362,7 @@ static void program_imu_rlc_ram(struct amdgpu_device *adev, static void imu_v12_0_program_rlc_ram(struct amdgpu_device *adev) { u32 reg_data, size = 0; - const u32 *data; + const u32 *data = NULL; int r = -EINVAL; WREG32_SOC15(GC, 0, regGFX_IMU_RLC_RAM_INDEX, 0x2); --- base-commit: fff8e0504499a929f26e2fb7cf7e2c9854e37b91 change-id: 20250715-drm-amdgpu-fix-const-uninit-warning-db61fe5d135a Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 4 days

2
1
0 0

[PATCH 6.12.y] btrfs: fix block group refcount race in btrfs_create_pending_block_groups()

by alvalan9＠foxmail.com

From: Boris Burkov <boris(a)bur.io> [ Upstream commit 2d8e5168d48a91e7a802d3003e72afb4304bebfa ] Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to go unused and have 'btrfs_mark_bg_unused' called on it concurrently with 'btrfs_create_pending_block_groups'. This causes a number of issues, which were fixed with the block group flag 'BLOCK_GROUP_FLAG_NEW'. However, this fix is not quite complete. Since it does not use the unused_bg_lock, it is possible for the following race to occur: btrfs_create_pending_block_groups btrfs_mark_bg_unused if list_empty // false list_del_init clear_bit else if (test_bit) // true list_move_tail And we get into the exact same broken ref count and invalid new_bgs state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to prevent. The broken refcount aspect will result in a warning like: [1272.943527] refcount_t: underflow; use-after-free. [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110 [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs] [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108 [1272.946368] Tainted: [W]=WARN [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110 [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282 [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000 [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268 [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0 [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0 [1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000 [1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0 [1272.954474] Call Trace: [1272.954655] <TASK> [1272.954812] ? refcount_warn_saturate+0xba/0x110 [1272.955173] ? __warn.cold+0x93/0xd7 [1272.955487] ? refcount_warn_saturate+0xba/0x110 [1272.955816] ? report_bug+0xe7/0x120 [1272.956103] ? handle_bug+0x53/0x90 [1272.956424] ? exc_invalid_op+0x13/0x60 [1272.956700] ? asm_exc_invalid_op+0x16/0x20 [1272.957011] ? refcount_warn_saturate+0xba/0x110 [1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs] [1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs] [1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs] [1272.958729] process_one_work+0x130/0x290 [1272.959026] worker_thread+0x2ea/0x420 [1272.959335] ? __pfx_worker_thread+0x10/0x10 [1272.959644] kthread+0xd7/0x1c0 [1272.959872] ? __pfx_kthread+0x10/0x10 [1272.960172] ret_from_fork+0x30/0x50 [1272.960474] ? __pfx_kthread+0x10/0x10 [1272.960745] ret_from_fork_asm+0x1a/0x30 [1272.961035] </TASK> [1272.961238] ---[ end trace 0000000000000000 ]--- Though we have seen them in the async discard workfn as well. It is most likely to happen after a relocation finishes which cancels discard, tears down the block group, etc. Fix this fully by taking the lock around the list_del_init + clear_bit so that the two are done atomically. Fixes: 0657b20c5a76 ("btrfs: fix use-after-free of new block group that became unused") Reviewed-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Boris Burkov <boris(a)bur.io> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- fs/btrfs/block-group.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index aa8656c8b7e7..dd35e29d8082 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -2780,8 +2780,11 @@ void btrfs_create_pending_block_groups(struct btrfs_trans_handle *trans) /* Already aborted the transaction if it failed. */ next: btrfs_dec_delayed_refs_rsv_bg_inserts(fs_info); + + spin_lock(&fs_info->unused_bgs_lock); list_del_init(&block_group->bg_list); clear_bit(BLOCK_GROUP_FLAG_NEW, &block_group->runtime_flags); + spin_unlock(&fs_info->unused_bgs_lock); /* * If the block group is still unused, add it to the list of -- 2.34.1

3 weeks, 4 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: fsl_sai: Force a software reset when starting in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071259-appendage-epidemic-aae1@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 Mon Sep 17 00:00:00 2001 From: Arun Raghavan <arun(a)asymptotic.io> Date: Thu, 26 Jun 2025 09:08:25 -0400 Subject: [PATCH] ASoC: fsl_sai: Force a software reset when starting in consumer mode On an imx8mm platform with an external clock provider, when running the receiver (arecord) and triggering an xrun with xrun_injection, we see a channel swap/offset. This happens sometimes when running only the receiver, but occurs reliably if a transmitter (aplay) is also concurrently running. It seems that the SAI loses track of frame sync during the trigger stop -> trigger start cycle that occurs during an xrun. Doing just a FIFO reset in this case does not suffice, and only a software reset seems to get it back on track. This looks like the same h/w bug that is already handled for the producer case, so we now do the reset unconditionally on config disable. Signed-off-by: Arun Raghavan <arun(a)asymptotic.io> Reported-by: Pieterjan Camerlynck <p.camerlynck(a)televic.com> Fixes: 3e3f8bd56955 ("ASoC: fsl_sai: fix no frame clk in master mode") Cc: stable(a)vger.kernel.org Reviewed-by: Fabio Estevam <festevam(a)gmail.com> Link: https://patch.msgid.link/20250626130858.163825-1-arun@arunraghavan.net Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c index af1a168d35e3..50af6b725670 100644 --- a/sound/soc/fsl/fsl_sai.c +++ b/sound/soc/fsl/fsl_sai.c @@ -803,13 +803,15 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir) * anymore. Add software reset to fix this issue. * This is a hardware bug, and will be fix in the * next sai version. + * + * In consumer mode, this can happen even after a + * single open/close, especially if both tx and rx + * are running concurrently. */ - if (!sai->is_consumer_mode[tx]) { - /* Software Reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); - /* Clear SR bit to finish the reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); - } + /* Software Reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); + /* Clear SR bit to finish the reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); } static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,

3 weeks, 4 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: fsl_sai: Force a software reset when starting in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071258-retiring-unspoken-567d@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 Mon Sep 17 00:00:00 2001 From: Arun Raghavan <arun(a)asymptotic.io> Date: Thu, 26 Jun 2025 09:08:25 -0400 Subject: [PATCH] ASoC: fsl_sai: Force a software reset when starting in consumer mode On an imx8mm platform with an external clock provider, when running the receiver (arecord) and triggering an xrun with xrun_injection, we see a channel swap/offset. This happens sometimes when running only the receiver, but occurs reliably if a transmitter (aplay) is also concurrently running. It seems that the SAI loses track of frame sync during the trigger stop -> trigger start cycle that occurs during an xrun. Doing just a FIFO reset in this case does not suffice, and only a software reset seems to get it back on track. This looks like the same h/w bug that is already handled for the producer case, so we now do the reset unconditionally on config disable. Signed-off-by: Arun Raghavan <arun(a)asymptotic.io> Reported-by: Pieterjan Camerlynck <p.camerlynck(a)televic.com> Fixes: 3e3f8bd56955 ("ASoC: fsl_sai: fix no frame clk in master mode") Cc: stable(a)vger.kernel.org Reviewed-by: Fabio Estevam <festevam(a)gmail.com> Link: https://patch.msgid.link/20250626130858.163825-1-arun@arunraghavan.net Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c index af1a168d35e3..50af6b725670 100644 --- a/sound/soc/fsl/fsl_sai.c +++ b/sound/soc/fsl/fsl_sai.c @@ -803,13 +803,15 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir) * anymore. Add software reset to fix this issue. * This is a hardware bug, and will be fix in the * next sai version. + * + * In consumer mode, this can happen even after a + * single open/close, especially if both tx and rx + * are running concurrently. */ - if (!sai->is_consumer_mode[tx]) { - /* Software Reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); - /* Clear SR bit to finish the reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); - } + /* Software Reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); + /* Clear SR bit to finish the reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); } static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,

3 weeks, 4 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: fsl_sai: Force a software reset when starting in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071258-wharf-revisit-b7a3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 Mon Sep 17 00:00:00 2001 From: Arun Raghavan <arun(a)asymptotic.io> Date: Thu, 26 Jun 2025 09:08:25 -0400 Subject: [PATCH] ASoC: fsl_sai: Force a software reset when starting in consumer mode On an imx8mm platform with an external clock provider, when running the receiver (arecord) and triggering an xrun with xrun_injection, we see a channel swap/offset. This happens sometimes when running only the receiver, but occurs reliably if a transmitter (aplay) is also concurrently running. It seems that the SAI loses track of frame sync during the trigger stop -> trigger start cycle that occurs during an xrun. Doing just a FIFO reset in this case does not suffice, and only a software reset seems to get it back on track. This looks like the same h/w bug that is already handled for the producer case, so we now do the reset unconditionally on config disable. Signed-off-by: Arun Raghavan <arun(a)asymptotic.io> Reported-by: Pieterjan Camerlynck <p.camerlynck(a)televic.com> Fixes: 3e3f8bd56955 ("ASoC: fsl_sai: fix no frame clk in master mode") Cc: stable(a)vger.kernel.org Reviewed-by: Fabio Estevam <festevam(a)gmail.com> Link: https://patch.msgid.link/20250626130858.163825-1-arun@arunraghavan.net Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c index af1a168d35e3..50af6b725670 100644 --- a/sound/soc/fsl/fsl_sai.c +++ b/sound/soc/fsl/fsl_sai.c @@ -803,13 +803,15 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir) * anymore. Add software reset to fix this issue. * This is a hardware bug, and will be fix in the * next sai version. + * + * In consumer mode, this can happen even after a + * single open/close, especially if both tx and rx + * are running concurrently. */ - if (!sai->is_consumer_mode[tx]) { - /* Software Reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); - /* Clear SR bit to finish the reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); - } + /* Software Reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); + /* Clear SR bit to finish the reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); } static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,

3 weeks, 4 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: fsl_sai: Force a software reset when starting in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071257-utility-ungodly-5f38@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 Mon Sep 17 00:00:00 2001 From: Arun Raghavan <arun(a)asymptotic.io> Date: Thu, 26 Jun 2025 09:08:25 -0400 Subject: [PATCH] ASoC: fsl_sai: Force a software reset when starting in consumer mode On an imx8mm platform with an external clock provider, when running the receiver (arecord) and triggering an xrun with xrun_injection, we see a channel swap/offset. This happens sometimes when running only the receiver, but occurs reliably if a transmitter (aplay) is also concurrently running. It seems that the SAI loses track of frame sync during the trigger stop -> trigger start cycle that occurs during an xrun. Doing just a FIFO reset in this case does not suffice, and only a software reset seems to get it back on track. This looks like the same h/w bug that is already handled for the producer case, so we now do the reset unconditionally on config disable. Signed-off-by: Arun Raghavan <arun(a)asymptotic.io> Reported-by: Pieterjan Camerlynck <p.camerlynck(a)televic.com> Fixes: 3e3f8bd56955 ("ASoC: fsl_sai: fix no frame clk in master mode") Cc: stable(a)vger.kernel.org Reviewed-by: Fabio Estevam <festevam(a)gmail.com> Link: https://patch.msgid.link/20250626130858.163825-1-arun@arunraghavan.net Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c index af1a168d35e3..50af6b725670 100644 --- a/sound/soc/fsl/fsl_sai.c +++ b/sound/soc/fsl/fsl_sai.c @@ -803,13 +803,15 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir) * anymore. Add software reset to fix this issue. * This is a hardware bug, and will be fix in the * next sai version. + * + * In consumer mode, this can happen even after a + * single open/close, especially if both tx and rx + * are running concurrently. */ - if (!sai->is_consumer_mode[tx]) { - /* Software Reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); - /* Clear SR bit to finish the reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); - } + /* Software Reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); + /* Clear SR bit to finish the reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); } static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,

3 weeks, 4 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: fsl_sai: Force a software reset when starting in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071256-clobber-annotate-b978@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 Mon Sep 17 00:00:00 2001 From: Arun Raghavan <arun(a)asymptotic.io> Date: Thu, 26 Jun 2025 09:08:25 -0400 Subject: [PATCH] ASoC: fsl_sai: Force a software reset when starting in consumer mode On an imx8mm platform with an external clock provider, when running the receiver (arecord) and triggering an xrun with xrun_injection, we see a channel swap/offset. This happens sometimes when running only the receiver, but occurs reliably if a transmitter (aplay) is also concurrently running. It seems that the SAI loses track of frame sync during the trigger stop -> trigger start cycle that occurs during an xrun. Doing just a FIFO reset in this case does not suffice, and only a software reset seems to get it back on track. This looks like the same h/w bug that is already handled for the producer case, so we now do the reset unconditionally on config disable. Signed-off-by: Arun Raghavan <arun(a)asymptotic.io> Reported-by: Pieterjan Camerlynck <p.camerlynck(a)televic.com> Fixes: 3e3f8bd56955 ("ASoC: fsl_sai: fix no frame clk in master mode") Cc: stable(a)vger.kernel.org Reviewed-by: Fabio Estevam <festevam(a)gmail.com> Link: https://patch.msgid.link/20250626130858.163825-1-arun@arunraghavan.net Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c index af1a168d35e3..50af6b725670 100644 --- a/sound/soc/fsl/fsl_sai.c +++ b/sound/soc/fsl/fsl_sai.c @@ -803,13 +803,15 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir) * anymore. Add software reset to fix this issue. * This is a hardware bug, and will be fix in the * next sai version. + * + * In consumer mode, this can happen even after a + * single open/close, especially if both tx and rx + * are running concurrently. */ - if (!sai->is_consumer_mode[tx]) { - /* Software Reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); - /* Clear SR bit to finish the reset */ - regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); - } + /* Software Reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); + /* Clear SR bit to finish the reset */ + regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); } static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,

3 weeks, 4 days

2
1
0 0

[PATCH] ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx

by edip＠medip.dev

From: Edip Hazuri <edip(a)medip.dev> The mute led on this laptop is using ALC245 but requires a quirk to work This patch enables the existing quirk for the device. Tested on my Victus 15-fa0xxx Laptop. The LED behaviour works as intended. Cc: <stable(a)vger.kernel.org> Signed-off-by: Edip Hazuri <edip(a)medip.dev> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 060db37ea..5cac18cff 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10769,6 +10769,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8a2e, "HP Envy 16", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8a30, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8a31, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8a4f, "HP Victus 15-fa0xxx (MB 8A4F)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8a6e, "HP EDNA 360", ALC287_FIXUP_CS35L41_I2C_4), SND_PCI_QUIRK(0x103c, 0x8a74, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8a78, "HP Dev One", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST), -- 2.50.1

3 weeks, 4 days

2
1
0 0

[PATCH] cxl/region: Fix potential double free of region device in delete_region_store

by Ma Ke

cxl_find_region_by_name() uses device_find_child_by_name() to locate a region device by name. This function implicitly increments the device's reference count before returning the pointer by calling device_find_child(). However, in delete_region_store(), after calling devm_release_action() which synchronously executes unregister_region(), an additional explicit put_device() is invoked. The unregister_region() callback already contains a put_device() call to decrement the reference count. This results in two consecutive decrements of the same device's reference count. First decrement occurs in unregister_region() via its put_device() call. Second decrement occurs in delete_region_store() via the explicit put_device(). We should remove the additional put_device(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 779dd20cfb56 ("cxl/region: Add region creation support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/cxl/core/region.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 6e5e1460068d..eacf726cf463 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -2672,7 +2672,6 @@ static ssize_t delete_region_store(struct device *dev, return PTR_ERR(cxlr); devm_release_action(port->uport_dev, unregister_region, cxlr); - put_device(&cxlr->dev); return len; } -- 2.25.1

3 weeks, 4 days

2
1
0 0

[PATCH] crypto: qat - flush misc workqueue during device shutdown

by Giovanni Cabiddu

Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded. Since the driver uses a shared workqueue (`qat_misc_wq`) across all devices and owned by intel_qat.ko, a deferred routine from the device-specific driver may still be pending in the queue. If this routine executes after the driver is unloaded, it can dereference freed memory, resulting in a page fault and kernel crash like the following: BUG: unable to handle page fault for address: ffa000002e50a01c #PF: supervisor read access in kernel mode RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] Call Trace: pm_bh_handler+0x1d2/0x250 [intel_qat] process_one_work+0x171/0x340 worker_thread+0x277/0x3a0 kthread+0xf0/0x120 ret_from_fork+0x2d/0x50 To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded. Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability. Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Cc: stable(a)vger.kernel.org Reviewed-by: Ahsan Atta <ahsan.atta(a)intel.com> --- drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 + drivers/crypto/intel/qat/qat_common/adf_init.c | 1 + drivers/crypto/intel/qat/qat_common/adf_isr.c | 5 +++++ 3 files changed, 7 insertions(+) diff --git a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h index eaa6388a6678..7a022bd4ae07 100644 --- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h +++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h @@ -189,6 +189,7 @@ void adf_exit_misc_wq(void); bool adf_misc_wq_queue_work(struct work_struct *work); bool adf_misc_wq_queue_delayed_work(struct delayed_work *work, unsigned long delay); +void adf_misc_wq_flush(void); #if defined(CONFIG_PCI_IOV) int adf_sriov_configure(struct pci_dev *pdev, int numvfs); void adf_disable_sriov(struct adf_accel_dev *accel_dev); diff --git a/drivers/crypto/intel/qat/qat_common/adf_init.c b/drivers/crypto/intel/qat/qat_common/adf_init.c index f189cce7d153..46491048e0bb 100644 --- a/drivers/crypto/intel/qat/qat_common/adf_init.c +++ b/drivers/crypto/intel/qat/qat_common/adf_init.c @@ -404,6 +404,7 @@ static void adf_dev_shutdown(struct adf_accel_dev *accel_dev) hw_data->exit_admin_comms(accel_dev); adf_cleanup_etr_data(accel_dev); + adf_misc_wq_flush(); adf_dev_restore(accel_dev); } diff --git a/drivers/crypto/intel/qat/qat_common/adf_isr.c b/drivers/crypto/intel/qat/qat_common/adf_isr.c index cae1aee5479a..12e565613661 100644 --- a/drivers/crypto/intel/qat/qat_common/adf_isr.c +++ b/drivers/crypto/intel/qat/qat_common/adf_isr.c @@ -407,3 +407,8 @@ bool adf_misc_wq_queue_delayed_work(struct delayed_work *work, { return queue_delayed_work(adf_misc_wq, work, delay); } + +void adf_misc_wq_flush(void) +{ + flush_workqueue(adf_misc_wq); +} base-commit: 9d21467fca15472efb701dad69abf685195845a4 -- 2.50.0

3 weeks, 4 days

2
1
0 0

[PATCH] crypto: acomp - Fix CFI failure due to type punning

by Eric Biggers

To avoid a crash when control flow integrity is enabled, make the workspace ("stream") free function use a consistent type, and call it through a function pointer that has that same type. Fixes: 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- crypto/deflate.c | 7 ++++++- crypto/zstd.c | 7 ++++++- include/crypto/internal/acompress.h | 5 +---- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/crypto/deflate.c b/crypto/deflate.c index fe8e4ad0fee10..21404515dc77e 100644 --- a/crypto/deflate.c +++ b/crypto/deflate.c @@ -46,13 +46,18 @@ static void *deflate_alloc_stream(void) ctx->stream.workspace = ctx->workspace; return ctx; } +static void deflate_free_stream(void *ctx) +{ + kvfree(ctx); +} + static struct crypto_acomp_streams deflate_streams = { .alloc_ctx = deflate_alloc_stream, - .cfree_ctx = kvfree, + .free_ctx = deflate_free_stream, }; static int deflate_compress_one(struct acomp_req *req, struct deflate_stream *ds) { diff --git a/crypto/zstd.c b/crypto/zstd.c index 657e0cf7b9524..ff5f596a4ea7e 100644 --- a/crypto/zstd.c +++ b/crypto/zstd.c @@ -52,13 +52,18 @@ static void *zstd_alloc_stream(void) ctx->wksp_size = wksp_size; return ctx; } +static void zstd_free_stream(void *ctx) +{ + kvfree(ctx); +} + static struct crypto_acomp_streams zstd_streams = { .alloc_ctx = zstd_alloc_stream, - .cfree_ctx = kvfree, + .free_ctx = zstd_free_stream, }; static int zstd_init(struct crypto_acomp *acomp_tfm) { int ret = 0; diff --git a/include/crypto/internal/acompress.h b/include/crypto/internal/acompress.h index ffffd88bbbad3..2d97440028ffd 100644 --- a/include/crypto/internal/acompress.h +++ b/include/crypto/internal/acompress.h @@ -61,14 +61,11 @@ struct crypto_acomp_stream { }; struct crypto_acomp_streams { /* These must come first because of struct scomp_alg. */ void *(*alloc_ctx)(void); - union { - void (*free_ctx)(void *); - void (*cfree_ctx)(const void *); - }; + void (*free_ctx)(void *); struct crypto_acomp_stream __percpu *streams; struct work_struct stream_work; cpumask_t stream_want; }; base-commit: 181698af38d3f93381229ad89c09b5bd0496661a -- 2.50.1

3 weeks, 4 days

3
2
0 0

[PATCH] rv: Ensure containers are registered first

by Nam Cao

If rv_register_monitor() is called with a non-NULL parent pointer (i.e. by monitors inside a container), it is expected that the parent (a.k.a container) is already registered. The containers seem to always be registered first. I suspect because of the order in Makefile. But nothing guarantees this. If this registering order is changed, "strange" things happen. For example, if the container is registered last, rv_is_container_monitor() incorrectly says this is NOT a container. .enable() is then called, which is NULL for container, thus we have a NULL pointer deref crash. Guarantee that containers are registered first. Fixes: cb85c660fcd4 ("rv: Add option for nested monitors and include sched") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- include/linux/rv.h | 5 +++++ kernel/trace/rv/monitors/pagefault/pagefault.c | 4 ++-- kernel/trace/rv/monitors/rtapp/rtapp.c | 4 ++-- kernel/trace/rv/monitors/sched/sched.c | 4 ++-- kernel/trace/rv/monitors/sco/sco.c | 4 ++-- kernel/trace/rv/monitors/scpd/scpd.c | 4 ++-- kernel/trace/rv/monitors/sleep/sleep.c | 4 ++-- kernel/trace/rv/monitors/sncid/sncid.c | 4 ++-- kernel/trace/rv/monitors/snep/snep.c | 4 ++-- kernel/trace/rv/monitors/snroc/snroc.c | 4 ++-- kernel/trace/rv/monitors/tss/tss.c | 4 ++-- kernel/trace/rv/monitors/wip/wip.c | 4 ++-- kernel/trace/rv/monitors/wwnr/wwnr.c | 4 ++-- tools/verification/rvgen/rvgen/templates/container/main.c | 4 ++-- tools/verification/rvgen/rvgen/templates/dot2k/main.c | 4 ++-- tools/verification/rvgen/rvgen/templates/ltl2k/main.c | 4 ++-- 16 files changed, 35 insertions(+), 30 deletions(-) diff --git a/include/linux/rv.h b/include/linux/rv.h index 97baf58d88b2..094c9f62389c 100644 --- a/include/linux/rv.h +++ b/include/linux/rv.h @@ -119,5 +119,10 @@ static inline bool rv_reacting_on(void) } #endif /* CONFIG_RV_REACTORS */ +#define rv_container_init device_initcall +#define rv_container_exit __exitcall +#define rv_monitor_init late_initcall +#define rv_monitor_exit __exitcall + #endif /* CONFIG_RV */ #endif /* _LINUX_RV_H */ diff --git a/kernel/trace/rv/monitors/pagefault/pagefault.c b/kernel/trace/rv/monitors/pagefault/pagefault.c index 9fe6123b2200..2b226d27ddff 100644 --- a/kernel/trace/rv/monitors/pagefault/pagefault.c +++ b/kernel/trace/rv/monitors/pagefault/pagefault.c @@ -80,8 +80,8 @@ static void __exit unregister_pagefault(void) rv_unregister_monitor(&rv_pagefault); } -module_init(register_pagefault); -module_exit(unregister_pagefault); +rv_monitor_init(register_pagefault); +rv_monitor_exit(unregister_pagefault); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Nam Cao <namcao(a)linutronix.de>"); diff --git a/kernel/trace/rv/monitors/rtapp/rtapp.c b/kernel/trace/rv/monitors/rtapp/rtapp.c index fd75fc927d65..b078327e71bf 100644 --- a/kernel/trace/rv/monitors/rtapp/rtapp.c +++ b/kernel/trace/rv/monitors/rtapp/rtapp.c @@ -25,8 +25,8 @@ static void __exit unregister_rtapp(void) rv_unregister_monitor(&rv_rtapp); } -module_init(register_rtapp); -module_exit(unregister_rtapp); +rv_container_init(register_rtapp); +rv_container_exit(unregister_rtapp); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Nam Cao <namcao(a)linutronix.de>"); diff --git a/kernel/trace/rv/monitors/sched/sched.c b/kernel/trace/rv/monitors/sched/sched.c index 905e03c3c934..e89e193bd8e0 100644 --- a/kernel/trace/rv/monitors/sched/sched.c +++ b/kernel/trace/rv/monitors/sched/sched.c @@ -30,8 +30,8 @@ static void __exit unregister_sched(void) rv_unregister_monitor(&rv_sched); } -module_init(register_sched); -module_exit(unregister_sched); +rv_container_init(register_sched); +rv_container_exit(unregister_sched); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/sco/sco.c b/kernel/trace/rv/monitors/sco/sco.c index 4cff59220bfc..b96e09e64a2f 100644 --- a/kernel/trace/rv/monitors/sco/sco.c +++ b/kernel/trace/rv/monitors/sco/sco.c @@ -80,8 +80,8 @@ static void __exit unregister_sco(void) rv_unregister_monitor(&rv_sco); } -module_init(register_sco); -module_exit(unregister_sco); +rv_monitor_init(register_sco); +rv_monitor_exit(unregister_sco); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/scpd/scpd.c b/kernel/trace/rv/monitors/scpd/scpd.c index cbdd6a5f8d7f..a4c8e78fa768 100644 --- a/kernel/trace/rv/monitors/scpd/scpd.c +++ b/kernel/trace/rv/monitors/scpd/scpd.c @@ -88,8 +88,8 @@ static void __exit unregister_scpd(void) rv_unregister_monitor(&rv_scpd); } -module_init(register_scpd); -module_exit(unregister_scpd); +rv_monitor_init(register_scpd); +rv_monitor_exit(unregister_scpd); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/sleep/sleep.c b/kernel/trace/rv/monitors/sleep/sleep.c index eea447b06907..6980f8de725d 100644 --- a/kernel/trace/rv/monitors/sleep/sleep.c +++ b/kernel/trace/rv/monitors/sleep/sleep.c @@ -229,8 +229,8 @@ static void __exit unregister_sleep(void) rv_unregister_monitor(&rv_sleep); } -module_init(register_sleep); -module_exit(unregister_sleep); +rv_monitor_init(register_sleep); +rv_monitor_exit(unregister_sleep); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Nam Cao <namcao(a)linutronix.de>"); diff --git a/kernel/trace/rv/monitors/sncid/sncid.c b/kernel/trace/rv/monitors/sncid/sncid.c index f5037cd6214c..97a126c6083a 100644 --- a/kernel/trace/rv/monitors/sncid/sncid.c +++ b/kernel/trace/rv/monitors/sncid/sncid.c @@ -88,8 +88,8 @@ static void __exit unregister_sncid(void) rv_unregister_monitor(&rv_sncid); } -module_init(register_sncid); -module_exit(unregister_sncid); +rv_monitor_init(register_sncid); +rv_monitor_exit(unregister_sncid); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/snep/snep.c b/kernel/trace/rv/monitors/snep/snep.c index 0076ba6d7ea4..376a856ebffa 100644 --- a/kernel/trace/rv/monitors/snep/snep.c +++ b/kernel/trace/rv/monitors/snep/snep.c @@ -88,8 +88,8 @@ static void __exit unregister_snep(void) rv_unregister_monitor(&rv_snep); } -module_init(register_snep); -module_exit(unregister_snep); +rv_monitor_init(register_snep); +rv_monitor_exit(unregister_snep); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/snroc/snroc.c b/kernel/trace/rv/monitors/snroc/snroc.c index bb1f60d55296..e4439605b4b6 100644 --- a/kernel/trace/rv/monitors/snroc/snroc.c +++ b/kernel/trace/rv/monitors/snroc/snroc.c @@ -77,8 +77,8 @@ static void __exit unregister_snroc(void) rv_unregister_monitor(&rv_snroc); } -module_init(register_snroc); -module_exit(unregister_snroc); +rv_monitor_init(register_snroc); +rv_monitor_exit(unregister_snroc); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/tss/tss.c b/kernel/trace/rv/monitors/tss/tss.c index 542787e6524f..8f960c9fe0ff 100644 --- a/kernel/trace/rv/monitors/tss/tss.c +++ b/kernel/trace/rv/monitors/tss/tss.c @@ -83,8 +83,8 @@ static void __exit unregister_tss(void) rv_unregister_monitor(&rv_tss); } -module_init(register_tss); -module_exit(unregister_tss); +rv_monitor_init(register_tss); +rv_monitor_exit(unregister_tss); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Gabriele Monaco <gmonaco(a)redhat.com>"); diff --git a/kernel/trace/rv/monitors/wip/wip.c b/kernel/trace/rv/monitors/wip/wip.c index ed758fec8608..5c39c6074bd3 100644 --- a/kernel/trace/rv/monitors/wip/wip.c +++ b/kernel/trace/rv/monitors/wip/wip.c @@ -80,8 +80,8 @@ static void __exit unregister_wip(void) rv_unregister_monitor(&rv_wip); } -module_init(register_wip); -module_exit(unregister_wip); +rv_monitor_init(register_wip); +rv_monitor_exit(unregister_wip); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Daniel Bristot de Oliveira <bristot(a)kernel.org>"); diff --git a/kernel/trace/rv/monitors/wwnr/wwnr.c b/kernel/trace/rv/monitors/wwnr/wwnr.c index 172f31c4b0f3..ec671546f571 100644 --- a/kernel/trace/rv/monitors/wwnr/wwnr.c +++ b/kernel/trace/rv/monitors/wwnr/wwnr.c @@ -79,8 +79,8 @@ static void __exit unregister_wwnr(void) rv_unregister_monitor(&rv_wwnr); } -module_init(register_wwnr); -module_exit(unregister_wwnr); +rv_monitor_init(register_wwnr); +rv_monitor_exit(unregister_wwnr); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Daniel Bristot de Oliveira <bristot(a)kernel.org>"); diff --git a/tools/verification/rvgen/rvgen/templates/container/main.c b/tools/verification/rvgen/rvgen/templates/container/main.c index 89fc17cf8958..5820c9705d0f 100644 --- a/tools/verification/rvgen/rvgen/templates/container/main.c +++ b/tools/verification/rvgen/rvgen/templates/container/main.c @@ -30,8 +30,8 @@ static void __exit unregister_%%MODEL_NAME%%(void) rv_unregister_monitor(&rv_%%MODEL_NAME%%); } -module_init(register_%%MODEL_NAME%%); -module_exit(unregister_%%MODEL_NAME%%); +rv_container_init(register_%%MODEL_NAME%%); +rv_container_exit(unregister_%%MODEL_NAME%%); MODULE_LICENSE("GPL"); MODULE_AUTHOR("dot2k: auto-generated"); diff --git a/tools/verification/rvgen/rvgen/templates/dot2k/main.c b/tools/verification/rvgen/rvgen/templates/dot2k/main.c index 83044a20c89a..d6bd248aba9c 100644 --- a/tools/verification/rvgen/rvgen/templates/dot2k/main.c +++ b/tools/verification/rvgen/rvgen/templates/dot2k/main.c @@ -83,8 +83,8 @@ static void __exit unregister_%%MODEL_NAME%%(void) rv_unregister_monitor(&rv_%%MODEL_NAME%%); } -module_init(register_%%MODEL_NAME%%); -module_exit(unregister_%%MODEL_NAME%%); +rv_monitor_init(register_%%MODEL_NAME%%); +rv_monitor_exit(unregister_%%MODEL_NAME%%); MODULE_LICENSE("GPL"); MODULE_AUTHOR("dot2k: auto-generated"); diff --git a/tools/verification/rvgen/rvgen/templates/ltl2k/main.c b/tools/verification/rvgen/rvgen/templates/ltl2k/main.c index f85d076fbf78..2069a7a0f1ae 100644 --- a/tools/verification/rvgen/rvgen/templates/ltl2k/main.c +++ b/tools/verification/rvgen/rvgen/templates/ltl2k/main.c @@ -94,8 +94,8 @@ static void __exit unregister_%%MODEL_NAME%%(void) rv_unregister_monitor(&rv_%%MODEL_NAME%%); } -module_init(register_%%MODEL_NAME%%); -module_exit(unregister_%%MODEL_NAME%%); +rv_monitor_init(register_%%MODEL_NAME%%); +rv_monitor_exit(unregister_%%MODEL_NAME%%); MODULE_LICENSE("GPL"); MODULE_AUTHOR(/* TODO */); -- 2.39.5

3 weeks, 4 days

3
3
0 0

Re: [PATCH] misc: rtsx: usb: Ensure mmc child device is active when card is present

by Gwendal Grignou

> --- > drivers/misc/cardreader/rtsx_usb.c | 16 +++++++++------- > 1 file changed, 9 insertions(+), 7 deletions(-) > > diff --git a/drivers/misc/cardreader/rtsx_usb.c b/drivers/misc/cardreader/rtsx_usb.c > index 148107a4547c..d007a4455ce5 100644 > --- a/drivers/misc/cardreader/rtsx_usb.c > +++ b/drivers/misc/cardreader/rtsx_usb.c > @@ -698,6 +698,12 @@ static void rtsx_usb_disconnect(struct usb_interface *intf) > } > > #ifdef CONFIG_PM > +static int rtsx_usb_resume_child(struct device *dev, void *data) > +{ > + pm_request_resume(dev); > + return 0; > +} > + > static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message) > { > struct rtsx_ucr *ucr = > @@ -713,8 +719,10 @@ static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message) > mutex_unlock(&ucr->dev_mutex); > > /* Defer the autosuspend if card exists */ > - if (val & (SD_CD | MS_CD)) > + if (val & (SD_CD | MS_CD)) { > + device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child); Why not calling rtsx_usb_resume() here? > return -EAGAIN; > + } > } else { > /* There is an ongoing operation*/ > return -EAGAIN; > @@ -724,12 +732,6 @@ static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message) > return 0; > } > > -static int rtsx_usb_resume_child(struct device *dev, void *data) > -{ > - pm_request_resume(dev); > - return 0; > -} > - > static int rtsx_usb_resume(struct usb_interface *intf) > { > device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child); > -- > 2.25.1 >

3 weeks, 4 days

2
1
0 0

[PATCH v2] media: lirc: Fix error handling in lirc_register()

by Ma Ke

When cdev_device_add() failed, calling put_device() to explicitly release dev->lirc_dev. Otherwise, it could cause the fault of the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - move get_device() before cdev_device_add() to adjust the timing of parent device reference. --- drivers/media/rc/lirc_dev.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index a2257dc2f25d..7d4942925993 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -736,11 +736,11 @@ int lirc_register(struct rc_dev *dev) cdev_init(&dev->lirc_cdev, &lirc_fops); + get_device(&dev->dev); + err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev); if (err) - goto out_ida; - - get_device(&dev->dev); + goto out_put_device; switch (dev->driver_type) { case RC_DRIVER_SCANCODE: @@ -764,7 +764,8 @@ int lirc_register(struct rc_dev *dev) return 0; -out_ida: +out_put_device: + put_device(&dev->lirc_dev); ida_free(&lirc_ida, minor); return err; } -- 2.25.1

3 weeks, 4 days

1
0
0 0

[PATCH v2 RESEND] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.25.1

3 weeks, 4 days

1
0
0 0

[PATCH RESEND] fsi/core: fix error handling in fsi_slave_init()

by Ma Ke

Once cdev_device_add() failed, we should use put_device() to decrement reference count for cleanup. Or it could cause memory leak. Although operations in err_free_ida are similar to the operations in callback function fsi_slave_release(), put_device() is a correct handling operation as comments require when cdev_device_add() fails. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 371975b0b075 ("fsi/core: Fix error paths on CFAM init") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/fsi/fsi-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index 50e8736039fe..c494fc0bd747 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -1084,7 +1084,8 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) rc = cdev_device_add(&slave->cdev, &slave->dev); if (rc) { dev_err(&slave->dev, "Error %d creating slave device\n", rc); - goto err_free_ida; + put_device(&slave->dev); + return rc; } /* Now that we have the cdev registered with the core, any fatal @@ -1110,8 +1111,6 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) return 0; -err_free_ida: - fsi_free_minor(slave->dev.devt); err_free: of_node_put(slave->dev.of_node); kfree(slave); -- 2.25.1

3 weeks, 4 days

1
0
0 0

[PATCH 2/2] eventpoll: Fix epoll_wait() report false negative

by Nam Cao

ep_events_available() checks for available events by looking at ep->rdllist and ep->ovflist. However, this is done without a lock, therefore the returned value is not reliable. Because it is possible that both checks on ep->rdllist and ep->ovflist are false while ep_start_scan() or ep_done_scan() is being executed on other CPUs, despite events are available. This bug can be observed by: 1. Create an eventpoll with at least one ready level-triggered event 2. Create multiple threads who do epoll_wait() with zero timeout. The threads do not consume the events, therefore all epoll_wait() should return at least one event. If one thread is executing ep_events_available() while another thread is executing ep_start_scan() or ep_done_scan(), epoll_wait() may wrongly return no event for the former thread. This reproducer is implemented as TEST(epoll65) in tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c Fix it by skipping ep_events_available(), just call ep_try_send_events() directly. epoll_sendevents() (io_uring) suffers the same problem, fix that as well. There is still ep_busy_loop() who uses ep_events_available() without lock, but it is probably okay (?) for busy-polling. Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") Fixes: ae3a4f1fdc2c ("eventpoll: add epoll_sendevents() helper") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0fbf5dfedb24..541481eafc20 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2022,7 +2022,7 @@ static int ep_schedule_timeout(ktime_t *to) static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, int maxevents, struct timespec64 *timeout) { - int res, eavail, timed_out = 0; + int res, eavail = 1, timed_out = 0; u64 slack = 0; wait_queue_entry_t wait; ktime_t expires, *to = NULL; @@ -2041,16 +2041,6 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, timed_out = 1; } - /* - * This call is racy: We may or may not see events that are being added - * to the ready list under the lock (e.g., in IRQ callbacks). For cases - * with a non-zero timeout, this thread will check the ready list under - * lock and will add to the wait queue. For cases with a zero - * timeout, the user by definition should not care and will have to - * recheck again. - */ - eavail = ep_events_available(ep); - while (1) { if (eavail) { res = ep_try_send_events(ep, events, maxevents); @@ -2496,9 +2486,7 @@ int epoll_sendevents(struct file *file, struct epoll_event __user *events, * Racy call, but that's ok - it should get retried based on * poll readiness anyway. */ - if (ep_events_available(ep)) - return ep_try_send_events(ep, events, maxevents); - return 0; + return ep_try_send_events(ep, events, maxevents); } /* -- 2.39.5

3 weeks, 4 days

2
2
0 0

[PATCH] vhost/net: Replace wait_queue with completion in ubufs reference

by Nikolay Kuratov

When operating on struct vhost_net_ubuf_ref, the following execution sequence is theoretically possible: CPU0 is finalizing DMA operation CPU1 is doing VHOST_NET_SET_BACKEND // &ubufs->refcount == 2 vhost_net_ubuf_put() vhost_net_ubuf_put_wait_and_free(oldubufs) vhost_net_ubuf_put_and_wait() vhost_net_ubuf_put() int r = atomic_sub_return(1, &ubufs->refcount); // r = 1 int r = atomic_sub_return(1, &ubufs->refcount); // r = 0 wait_event(ubufs->wait, !atomic_read(&ubufs->refcount)); // no wait occurs here because condition is already true kfree(ubufs); if (unlikely(!r)) wake_up(&ubufs->wait); // use-after-free This leads to use-after-free on ubufs access. This happens because CPU1 skips waiting for wake_up() when refcount is already zero. To prevent that use a completion instead of wait_queue as the ubufs notification mechanism. wait_for_completion() guarantees that there will be complete() call prior to its return. We also need to reinit completion because refcnt == 0 does not mean freeing in case of vhost_net_flush() - it then sets refcnt back to 1. AFAIK concurrent calls to vhost_net_ubuf_put_and_wait() with the same ubufs object aren't possible since those calls (through vhost_net_flush() or vhost_net_set_backend()) are protected by the device mutex. So reinit_completion() right after wait_for_completion() should be fine. Cc: stable(a)vger.kernel.org Fixes: 0ad8b480d6ee9 ("vhost: fix ref cnt checking deadlock") Reported-by: Andrey Ryabinin <arbn(a)yandex-team.com> Suggested-by: Andrey Smetanin <asmetanin(a)yandex-team.ru> Signed-off-by: Nikolay Kuratov <kniv(a)yandex-team.ru> --- drivers/vhost/net.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 7cbfc7d718b3..454d179fffeb 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -94,7 +94,7 @@ struct vhost_net_ubuf_ref { * >1: outstanding ubufs */ atomic_t refcount; - wait_queue_head_t wait; + struct completion wait; struct vhost_virtqueue *vq; }; @@ -240,7 +240,7 @@ vhost_net_ubuf_alloc(struct vhost_virtqueue *vq, bool zcopy) if (!ubufs) return ERR_PTR(-ENOMEM); atomic_set(&ubufs->refcount, 1); - init_waitqueue_head(&ubufs->wait); + init_completion(&ubufs->wait); ubufs->vq = vq; return ubufs; } @@ -249,14 +249,15 @@ static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs) { int r = atomic_sub_return(1, &ubufs->refcount); if (unlikely(!r)) - wake_up(&ubufs->wait); + complete_all(&ubufs->wait); return r; } static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) { vhost_net_ubuf_put(ubufs); - wait_event(ubufs->wait, !atomic_read(&ubufs->refcount)); + wait_for_completion(&ubufs->wait); + reinit_completion(&ubufs->wait); } static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) -- 2.34.1

3 weeks, 4 days

2
1
0 0

Re: [PATCH bpf-next v5 2/2] selftests/bpf: Add tests with stack ptr register in conditional jmp

by Shung-Hsi Yu

Hi Andrii and Yonghong, On Fri, May 23, 2025 at 09:13:40PM -0700, Yonghong Song wrote: > Add two tests: > - one test has 'rX <op> r10' where rX is not r10, and > - another test has 'rX <op> rY' where rX and rY are not r10 > but there is an early insn 'rX = r10'. > > Without previous verifier change, both tests will fail. > > Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev> > --- > .../selftests/bpf/progs/verifier_precision.c | 53 +++++++++++++++++++ > 1 file changed, 53 insertions(+) I was looking this commit (5ffb537e416e) since it was a BPF selftest test for CVE-2025-38279, but upon looking I found that the commit differs from the patch, there is an extra hunk that changed kernel/bpf/verifier.c that wasn't found the Yonghong's original patch. I suppose it was meant to be squashed into the previous commit e2d2115e56c4 "bpf: Do not include stack ptr register in precision backtracking bookkeeping"? Since stable backports got only e2d2115e56c4, but not the 5ffb537e416e here with the extra change for kernel/bpf/verifier.c, I'd guess the backtracking logic in the stable kernel isn't correct at the moment, so I'll send 5ffb537e416e "selftests/bpf: Add tests with stack ptr register in conditional jmp" to stable as well. Let me know if that's not the right thing to do. Shung-Hsi diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 98c52829936e..a7d6e0c5928b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16456,6 +16456,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, if (src_reg->type == PTR_TO_STACK) insn_flags |= INSN_F_SRC_REG_STACK; + if (dst_reg->type == PTR_TO_STACK) + insn_flags |= INSN_F_DST_REG_STACK; } else { if (insn->src_reg != BPF_REG_0) { verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); @@ -16465,10 +16467,11 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, memset(src_reg, 0, sizeof(*src_reg)); src_reg->type = SCALAR_VALUE; __mark_reg_known(src_reg, insn->imm); + + if (dst_reg->type == PTR_TO_STACK) + insn_flags |= INSN_F_DST_REG_STACK; } - if (dst_reg->type == PTR_TO_STACK) - insn_flags |= INSN_F_DST_REG_STACK; if (insn_flags) { err = push_insn_history(env, this_branch, insn_flags, 0); if (err) > diff --git a/tools/testing/selftests/bpf/progs/verifier_precision.c b/tools/testing/selftests/bpf/progs/verifier_precision.c ...

3 weeks, 4 days

2
2
0 0

[PATCH] cifs: reset iface weights when we cannot find a candidate

by nspmangalore＠gmail.com

From: Shyam Prasad N <sprasad(a)microsoft.com> We now do a weighted selection of server interfaces when allocating new channels. The weights are decided based on the speed advertised. The fulfilled weight for an interface is a counter that is used to track the interface selection. It should be reset back to zero once all interfaces fulfilling their weight. In cifs_chan_update_iface, this reset logic was missing. As a result when the server interface list changes, the client may not be able to find a new candidate for other channels after all interfaces have been fulfilled. Fixes: a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed") Cc: <stable(a)vger.kernel.org> Signed-off-by: Shyam Prasad N <sprasad(a)microsoft.com> --- fs/smb/client/sess.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c index 330bc3d25bad..0a8c2fcc9ded 100644 --- a/fs/smb/client/sess.c +++ b/fs/smb/client/sess.c @@ -332,6 +332,7 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) struct cifs_server_iface *old_iface = NULL; struct cifs_server_iface *last_iface = NULL; struct sockaddr_storage ss; + int retry = 0; spin_lock(&ses->chan_lock); chan_index = cifs_ses_get_chan_index(ses, server); @@ -360,6 +361,7 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) return; } +try_again: last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, iface_head); iface_min_speed = last_iface->speed; @@ -397,6 +399,13 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) } if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { + list_for_each_entry(iface, &ses->iface_list, iface_head) + iface->weight_fulfilled = 0; + + /* see if it can be satisfied in second attempt */ + if (!retry++) + goto try_again; + iface = NULL; cifs_dbg(FYI, "unable to find a suitable iface\n"); } -- 2.43.0

3 weeks, 4 days

2
1
0 0

[PATCH 5.4.y 0/6] Backport few sch_sfq fixes

by Harshit Mogalapalli

commit: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit") fixes CVE-2024-57996 and commit: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation") fixes CVE-2025-37752 and commit: 7ca52541c05c ("net_sched: sch_sfq: reject invalid perturb period") fixes CVE-2025-38193. Patches 3, 5, 6 are CVE fixes for above mentioned CVEs. Patch 1,2 and 4 are pulled in as stable-deps. Testing performed on the patched 5.4.295 kernel with the above 5 patches: (Used latest upstream kselftests for tc-testing) $ uname -a Linux hamogala-kdevoci8-1 5.4.295-master.20250717.el8.rc2.x86_64 #1 SMP Thu Jul 17 00:57:21 PDT 2025 x86_64 x86_64 x86_64 GNU/Linux $ python3.12 ./tdc.py -f tc-tests/qdiscs/sfq.json -- ns/SubPlugin.__init__ Test 7482: Create SFQ with default setting Test c186: Create SFQ with limit setting Test ae23: Create SFQ with perturb setting Test a430: Create SFQ with quantum setting Test 4539: Create SFQ with divisor setting Test b089: Create SFQ with flows setting Test 99a0: Create SFQ with depth setting Test 7389: Create SFQ with headdrop setting Test 6472: Create SFQ with redflowlimit setting Test 8929: Show SFQ class Test 4d6f: Check that limit of 1 is rejected Test 7f8f: Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) Test 5168: Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) All test results: 1..13 ok 1 7482 - Create SFQ with default setting ok 2 c186 - Create SFQ with limit setting ok 3 ae23 - Create SFQ with perturb setting ok 4 a430 - Create SFQ with quantum setting ok 5 4539 - Create SFQ with divisor setting ok 6 b089 - Create SFQ with flows setting ok 7 99a0 - Create SFQ with depth setting ok 8 7389 - Create SFQ with headdrop setting ok 9 6472 - Create SFQ with redflowlimit setting ok 10 8929 - Show SFQ class ok 11 4d6f - Check that limit of 1 is rejected ok 12 7f8f - Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) ok 13 5168 - Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) Thanks, Harshit Eric Dumazet (3): net_sched: sch_sfq: annotate data-races around q->perturb_period net_sched: sch_sfq: handle bigger packets net_sched: sch_sfq: reject invalid perturb period Octavian Purdila (3): net_sched: sch_sfq: don't allow 1 packet limit net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: move the limit validation net/sched/sch_sfq.c | 114 +++++++++++++++++++++++++++++--------------- 1 file changed, 75 insertions(+), 39 deletions(-) -- 2.47.1

3 weeks, 4 days

2
12
0 0

[PATCH stable 6.6 0/2] selftests/bpf: revert changes from "check bpf_dummy_struct_ops program params for test runs"

by Shung-Hsi Yu

This patchset reverts BPF selftests changes backported from "check bpf_dummy_struct_ops program params for test runs" series[1]. The changes are causing BPF selftests to fail on stable 6.6 kernel due to missing dependencies (mainly the "Support PTR_MAYBE_NULL for struct_ops arguments." series[2]). Please see individual patch for detail. 1: https://lore.kernel.org/bpf/20240424012821.595216-1-eddyz87@gmail.com/ 2: https://lore.kernel.org/bpf/20240209023750.1153905-1-thinker.li@gmail.com/ Shung-Hsi Yu (2): Revert "selftests/bpf: adjust dummy_st_ops_success to detect additional error" Revert "selftests/bpf: dummy_st_ops should reject 0 for non-nullable params" .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 ------------------- .../bpf/progs/dummy_st_ops_success.c | 13 ++------- 2 files changed, 2 insertions(+), 38 deletions(-) -- 2.50.1

3 weeks, 4 days

2
4
0 0

[to-be-updated] mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary has been removed from the -mm tree. Its filename was mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary Date: Mon, 7 Jul 2025 21:07:40 +0900 folio_test_anon() and folio_test_ksm() may return false positives when the folio is a typed page (except hugetlb), because lower bits of folio->mapping field can be set even if it doesn't mean FOLIO_MAPPING_* flags. To avoid false positives, folio_test_{anon,ksm}() should be called only if !page_has_type(&folio->page) || folio_test_hugetlb(folio). However, the check can be skipped if a folio is or will be mapped to userspace because typed pages that are not hugetlb folios cannot be mapped to userspace. As folio_expected_ref_count() already does the check, introduce a helper function folio_has_mapcount() and use it in folio_expected_ref_count() and stable_page_flags(). Update the comment in FOLIO_MAPPING_* flags accordingly. This fixes tools/mm/page-types reporting pages with KPF_SLAB, KPF_ANON and KPF_SLAB (with flags, page-counts, MB omitted): $ sudo ./page-types | grep slab _______S___________________________________ slab _______S____a________x_____________________ slab,anonymous,ksm Link: https://lkml.kernel.org/r/20250707120740.4413-1-harry.yoo@oracle.com Fixes: 130d4df57390 ("mm/sl[au]b: rearrange struct slab fields to allow larger rcu_head") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/page.c | 19 +++++++++++-------- include/linux/mm.h | 2 +- include/linux/page-flags.h | 20 ++++++++++++++------ 3 files changed, 26 insertions(+), 15 deletions(-) --- a/fs/proc/page.c~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/fs/proc/page.c @@ -148,18 +148,21 @@ u64 stable_page_flags(const struct page folio = page_folio(page); k = folio->flags; - mapping = (unsigned long)folio->mapping; - is_anon = mapping & FOLIO_MAPPING_ANON; /* * pseudo flags for the well known (anonymous) memory mapped pages */ - if (page_mapped(page)) - u |= 1 << KPF_MMAP; - if (is_anon) { - u |= 1 << KPF_ANON; - if (mapping & FOLIO_MAPPING_KSM) - u |= 1 << KPF_KSM; + if (folio_has_mapcount(folio)) { + mapping = (unsigned long)folio->mapping; + is_anon = mapping & FOLIO_MAPPING_ANON; + + if (page_mapped(page)) + u |= 1 << KPF_MMAP; + if (is_anon) { + u |= 1 << KPF_ANON; + if (mapping & FOLIO_MAPPING_KSM) + u |= 1 << KPF_KSM; + } } /* --- a/include/linux/mm.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/mm.h @@ -2169,7 +2169,7 @@ static inline int folio_expected_ref_cou const int order = folio_order(folio); int ref_count = 0; - if (WARN_ON_ONCE(page_has_type(&folio->page) && !folio_test_hugetlb(folio))) + if (WARN_ON_ONCE(!folio_has_mapcount(folio))) return 0; if (folio_test_anon(folio)) { --- a/include/linux/page-flags.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/page-flags.h @@ -706,12 +706,15 @@ PAGEFLAG_FALSE(VmemmapSelfHosted, vmemma * address_space which maps the folio from disk; whereas "folio_mapped" * refers to user virtual address space into which the folio is mapped. * - * For slab pages, since slab reuses the bits in struct page to store its - * internal states, the folio->mapping does not exist as such, nor do - * these flags below. So in order to avoid testing non-existent bits, - * please make sure that folio_test_slab(folio) actually evaluates to - * false before calling the following functions (e.g., folio_test_anon). - * See mm/slab.h. + * For certain typed pages like slabs, since they reuse bits in struct page + * to store internal states, folio->mapping does not point to a valid + * mapping, nor do these flags exist. To avoid testing non-existent bits, + * make sure folio_has_mapcount() actually evaluates to true before calling + * the following functions (e.g., folio_test_anon). + * + * The folio_has_mapcount() check can be skipped if the folio is mapped + * to userspace, since a folio with !folio_has_mapcount() cannot be mapped + * to userspace at all. */ #define FOLIO_MAPPING_ANON 0x1 #define FOLIO_MAPPING_ANON_KSM 0x2 @@ -1092,6 +1095,11 @@ static inline bool PageHuge(const struct return folio_test_hugetlb(page_folio(page)); } +static inline bool folio_has_mapcount(const struct folio *folio) +{ + return !page_has_type(&folio->page) || folio_test_hugetlb(folio); +} + /* * Check if a page is currently marked HWPoisoned. Note that this check is * best effort only and inherently racy: there is no way to synchronize with _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch

3 weeks, 4 days

1
0
0 0

[ath10k][QCA9377] Firmware crashes on Dell Inspiron 5567 (IRQ #16, all modern distro kernels)

by Bandhan Pramanik

Hello, This is to inform all that constant firmware crashes have been seen in the "Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter", which was shipped with the Dell Inspiron 5567 laptops. This affects every kernel release, including the stable and the longterm ones. All the logs have been taken after livebooting an Arch Linux ISO. Every distro has been tried, and it has been confirmed that some error of this kind is shown in every distro. ## Steps to reproduce the issue 1. Boot/liveboot any Linux ISO through this card (and possibly, this laptop). 2. Wi-Fi network interface appears. 3. Connect the Wi-Fi router to the computer. 4. A few moments/minutes after that, the touchpad stops working, and the network interface cannot even access the Internet anymore (BUT, the network interface might disappear, might not disappear). ## Affected distros and the necessary workarounds This has been the pattern on every distro and their corresponding kernels (LMDE, Linux Mint, Pop!_OS, Zorin, Kubuntu, KDE Neon, elementaryOS, Fedora, and even Arch). The fix which made these distros usable is to add two things: - Adding "options ath10k_core skip_otp=y" to a new conf file in /etc/modprobe.d. - Adding "pci=noaer" in GRUB kernel parameters so that the logs are not flooded with Multiple Correctable Errors. To defend my case (that it occurs in the other models of Inspiron 5567 too), I have recently contacted someone running Linux Mint on the same model. The answer was the same: the touchpad and the Wi-Fi stop simultaneously. ## Some of the limitations The kernel was tainted, but the other things have been properly noted in case they might provide some useful details. As stated, investigating why IRQ #16 is disabled will probably give us the answer. ## Logs provided All the logs in a combined manner can be found here: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180 - Full dmesg: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Hostnamectl: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - lspci: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Modinfo of the driver: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Ping command: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - /proc/interrupts: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - IP addr command (Heavily Redacted): https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… Lastly, this issue on the GitHub repository of Pop!_OS 'might' be relevant: https://github.com/pop-os/pop/issues/1470 It would be highly appreciated if the matter were looked into. Thanks, Bandhan Pramanik

3 weeks, 4 days

1
4
0 0

[TEST REGRESSION] stable-rc/linux-6.12.y: kselftest.breakpoints.breakpoints_step_after_suspend_test on stm32mp157a-dhcor-avenger96

by KernelCI bot

Hello, New test failure found on stable-rc/linux-6.12.y: kselftest.breakpoints.breakpoints_step_after_suspend_test running on stm32mp157a-dhcor-avenger96 giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git branch: linux-6.12.y commit HEAD: d50d16f002928cde05a54e0049ddc203323ae7ac test id: maestro:687945d32ce2c1874ed4d342 status: FAIL start time: log: https://files.kernelci.org/kselftest-breakpoints-6876a2d634612746bbcec7ff/l… # Test details: - test path: kselftest.breakpoints.breakpoints_step_after_suspend_test - platform: stm32mp157a-dhcor-avenger96 - compatibles: arrow,stm32mp157a-avenger96 | dh,stm32mp157a-dhcor-som | st,stm32mp157 - config: multi_v7_defconfig - architecture: arm - compiler: gcc-12 Dashboard: https://d.kernelci.org/t/maestro:687945d32ce2c1874ed4d342 Log excerpt: ===================================================== of an unmet condition check (ConditionPathExists=/sys/kernel/mm/hugepages). [ 28.116033] systemd[1]: dev-mqueue.mount - POSIX Message Queue File System was skipped because of an unmet condition check (ConditionPathExists=/proc/sys/fs/mqueue). [ 28.180697] systemd[1]: Mounting sys-kernel-debug.mount - Kernel Debug File System... Mounting [0;1;39msys-kernel-debug.…[0m - Kernel Debug File System... [ 28.217714] systemd[1]: Mounting sys-kernel-tracing.mount - Kernel Trace File System... Mounting [0;1;39msys-kernel-tracin…[0m - Kernel Trace File System... [ 28.291406] systemd[1]: Starting kmod-static-nodes.service - Create List of Static Device Nodes... Starting [0;1;39mkmod-static-nodes…ate List of Static Device Nodes... [ 28.331680] systemd[1]: Starting modprobe(a)configfs.service - Load Kernel Module configfs... Starting [0;1;39mmodprobe@configfs…m - Load Kernel Module configfs... [ 28.371165] systemd[1]: Starting modprobe(a)dm_mod.service - Load Kernel Module dm_mod... Starting [0;1;39mmodprobe(a)dm_mod.s...[0m - Load Kernel Module dm_mod... [ 28.408054] systemd[1]: Starting modprobe(a)drm.service - Load Kernel Module drm... Starting [0;1;39mmodprobe(a)drm.service[0m - Load Kernel Module drm... [ 28.449915] systemd[1]: Starting modprobe(a)efi_pstore.service - Load Kernel Module efi_pstore... Starting [0;1;39mmodprobe@efi_psto…- Load Kernel Module efi_pstore... [ 28.487986] systemd[1]: Starting modprobe(a)fuse.service - Load Kernel Module fuse... Starting [0;1;39mmodprobe(a)fuse.ser...e[0m - Load Kernel Module fuse... [ 28.532255] systemd[1]: Starting modprobe(a)loop.service - Load Kernel Module loop... Starting [0;1;39mmodprobe(a)loop.ser...e[0m - Load Kernel Module loop... [ 28.563256] systemd[1]: systemd-journald.service: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling. [ 28.574983] systemd[1]: (This warning is only shown for the first unit using IP firewalling.) [ 28.588124] systemd[1]: Starting systemd-journald.service - Journal Service... Starting [0;1;39msystemd-journald.service[0m - Journal Service... [ 28.682143] systemd[1]: Starting systemd-modules-load.service - Load Kernel Modules... Starting [0;1;39msystemd-modules-l…rvice[0m - Load Kernel Modules... [ 28.726528] systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line... Starting [0;1;39msystemd-network-g… units from Kernel command line... [ 28.831292] systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems... Starting [0;1;39msystemd-remount-f…nt Root and Kernel File Systems... [ 28.868196] systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices... Starting [0;1;39msystemd-udev-trig…[0m - Coldplug All udev Devices... [ 28.925905] systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System. [[0;32m OK [0m] Mounted [0;1;39msys-kernel-debug.m…nt[0m - Kernel Debug File System. [ 28.971980] systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System. [[0;32m OK [0m] Mounted [0;1;39msys-kernel-tracing…nt[0m - Kernel Trace File System. [ 29.004249] systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes. [[0;32m OK [0m] Finished [0;1;39mkmod-static-nodes…reate List of Static Device Nodes. [ 29.106198] systemd[1]: modprobe(a)configfs.service: Deactivated successfully. [ 29.121680] systemd[1]: Finished modprobe(a)configfs.service - Load Kernel Module configfs. [[0;32m OK [0m] Finished [0;1;39mmodprobe@configfs…[0m - Load Kernel Module configfs. [ 29.142952] systemd[1]: modprobe(a)dm_mod.service: Deactivated successfully. [ 29.160513] systemd[1]: Finished modprobe(a)dm_mod.service - Load Kernel Module dm_mod. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)dm_mod.s...e[0m - Load Kernel Module dm_mod. [ 29.203027] systemd[1]: modprobe(a)drm.service: Deactivated successfully. [ 29.209669] systemd[1]: Finished modprobe(a)drm.service - Load Kernel Module drm. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)drm.service[0m - Load Kernel Module drm. [ 29.251945] systemd[1]: Started systemd-journald.service - Journal Service. [[0;32m OK [0m] Started [0;1;39msystemd-journald.service[0m - Journal Service. [[0;32m OK [0m] Finished [0;1;39mmodprobe@efi_psto…m - Load Kernel Module efi_pstore. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)fuse.service[0m - Load Kernel Module fuse. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)loop.service[0m - Load Kernel Module loop. [[0;32m OK [0m] Finished [0;1;39msystemd-modules-l…service[0m - Load Kernel Modules. [[0;32m OK [0m] Finished [0;1;39msystemd-network-g…rk units from Kernel command line. [[0;32m OK [0m] Finished [0;1;39msystemd-remount-f…ount Root and Kernel File Systems. [[0;32m OK [0m] Reached target [0;1;39mnetwork-pre…get[0m - Preparation for Network. Mounting [0;1;39msys-kernel-config…ernel Configuration File System... Starting [0;1;39msystemd-journal-f…h Journal to Persistent Storage... Starting [0;1;39msystemd-random-se…ice[0m - Load/Save Random Seed... Starting [0;1;39msystemd-sysctl.se…ce[0m - Apply Kernel Variables... Starting [0;1;39msystemd-sysusers.…rvice[0m - Create System Users... [[0;32m OK [0m] Mounted [0;1;39msys-kernel-config.… Kernel Configuration File System. [ 29.895899] systemd-journald[191]: Received client request to flush runtime journal. [[0;32m OK [0m] Finished [0;1;39msystemd-random-se…rvice[0m - Load/Save Random Seed. [[0;32m OK [0m] Finished [0;1;39msystemd-sysctl.service[0m - Apply Kernel Variables. [[0;32m OK [0m] Finished [0;1;39msystemd-sysusers.service[0m - Create System Users. Starting [0;1;39msystemd-tmpfiles-…ate Static Device Nodes in /dev... [[0;32m OK [0m] Finished [0;1;39msystemd-journal-f…ush Journal to Persistent Storage. [[0;32m OK [0m] Finished [0;1;39msystemd-tmpfiles-…reate Static Device Nodes in /dev. [[0;32m OK [0m] Reached target [0;1;39mlocal-fs-pr…reparation for Local File Systems. [[0;32m OK [0m] Reached target [0;1;39mlocal-fs.target[0m - Local File Systems. Starting [0;1;39msystemd-tmpfiles-…te System Files and Directories... Starting [0;1;39msystemd-udevd.ser…ger for Device Events and Files... [[0;32m OK [0m] Started [0;1;39msystemd-udevd.serv…nager for Device Events and Files. [[0;32m OK [0m] Finished [0;1;39msystemd-tmpfiles-…eate System Files and Directories. Starting [0;1;39msystemd-networkd.…ice[0m - Network Configuration... Starting [0;1;39msystemd-timesyncd… - Network Time Synchronization... Starting [0;1;39msystemd-update-ut…rd System Boot/Shutdown in UTMP... [[0;32m OK [0m] Finished [0;1;39msystemd-update-ut…cord System Boot/Shutdown in UTMP. [[0;32m OK [0m] Finished [0;1;39msystemd-udev-trig…e[0m - Coldplug All udev Devices. [[0;32m OK [0m] Started [0;1;39msystemd-timesyncd.…0m - Network Time Synchronization. [[0;32m OK [0m] Started [0;1;39msystemd-networkd.service[0m - Network Configuration. [[0;32m OK [0m] Found device [0;1;39mdev-ttySTM0.device[0m - /dev/ttySTM0. [[0;32m OK [0m] Reached target [0;1;39mbluetooth.target[0m - Bluetooth Support. [[0;32m OK [0m] Reached target [0;1;39mnetwork.target[0m - Network. [[0;32m OK [0m] Reached target [0;1;39mtime-set.target[0m - System Time Set. [[0;32m OK [0m] Reached target [0;1;39musb-gadget.…m - Hardware activated USB gadget. [[0;32m OK [0m] Listening on [0;1;39msystemd-rfkil…l Switch Status /dev/rfkill Watch. Starting [0;1;39mmodprobe(a)dm_mod.s...[0m - Load Kernel Module dm_mod... Starting [0;1;39mmodprobe@efi_psto…- Load Kernel Module efi_pstore... Starting [0;1;39mmodprobe(a)fuse.ser...e[0m - Load Kernel Module fuse... Starting [0;1;39mmodprobe(a)loop.ser...e[0m - Load Kernel Module loop... [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)dm_mod.s...e[0m - Load Kernel Module dm_mod. [[0;32m OK [0m] Finished [0;1;39mmodprobe@efi_psto…m - Load Kernel Module efi_pstore. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)fuse.service[0m - Load Kernel Module fuse. [[0;32m OK [0m] Finished [0;1;39mmodprobe(a)loop.service[0m - Load Kernel Module loop. [[0;32m OK [0m] Reached target [0;1;39msysinit.target[0m - System Initialization. [[0;32m OK [0m] Started [0;1;39mapt-daily.timer[0m - Daily apt download activities. [[0;32m OK [0m] Started [0;1;39mapt-daily-upgrade.… apt upgrade and clean activities. [[0;32m OK [0m] Started [0;1;39mdpkg-db-backup.tim… Daily dpkg database backup timer. [[0;32m OK [0m] Started [0;1;39me2scrub_all.timer…etadata Check for All Filesystems. [[0;32m OK [0m] Started [0;1;39mfstrim.timer[0m - Discard unused blocks once a week. [[0;32m OK [0m] Started [0;1;39msystemd-tmpfiles-c… Cleanup of Temporary Directories. [[0;32m OK [0m] Reached target [0;1;39mtimers.target[0m - Timer Units. [[0;32m OK [0m] Listening on [0;1;39mdbus.socket[…- D-Bus System Message Bus Socket. [[0;32m OK [0m] Reached target [0;1;39msockets.target[0m - Socket Units. [[0;32m OK [0m] Reached target [0;1;39mbasic.target[0m - Basic System. Starting [0;1;39malsa-restore.serv…- Save/Restore Sound Card State... Starting [0;1;39mdbus.service[0m - D-Bus System Message Bus... Starting [0;1;39me2scrub_reap.serv…e ext4 Metadata Check Snapshots... Starting [0;1;39msystemd-logind.se…ice[0m - User Login Management... Starting [0;1;39msystemd-rfkill.se…Load/Save RF Kill Switch Status... Starting [0;1;39msystemd-user-sess…vice[0m - Permit User Sessions... [[0;32m OK [0m] Finished [0;1;39malsa-restore.serv…m - Save/Restore Sound Card State. [[0;32m OK [0m] Reached target [0;1;39msound.target[0m - Sound Card. [[0;32m OK [0m] Started [0;1;39msystemd-rfkill.ser…- Load/Save RF Kill Switch Status. [[0;32m OK [0m] Finished [0;1;39msystemd-user-sess…ervice[0m - Permit User Sessions. [[0;32m OK [0m] Started [0;1;39mgetty(a)tty1.service[0m - Getty on tty1. [[0;32m OK [0m] Started [0;1;39mserial-getty@ttyST…ice[0m - Serial Getty on ttySTM0. [[0;32m OK [0m] Reached target [0;1;39mgetty.target[0m - Login Prompts. [[0;32m OK [0m] Started [0;1;39mdbus.service[0m - D-Bus System Message Bus. Starting [0;1;39msystemd-hostnamed.service[0m - Hostname Service... [[0;32m OK [0m] Started [0;1;39msystemd-logind.service[0m - User Login Management. [[0;32m OK [0m] Finished [0;1;39me2scrub_reap.serv…ine ext4 Metadata Check Snapshots. [[0;32m OK [0m] Reached target [0;1;39mmulti-user.target[0m - Multi-User System. [[0;32m OK [0m] Reached target [0;1;39mgraphical.target[0m - Graphical Interface. Starting [0;1;39msystemd-update-ut… Record Runlevel Change in UTMP... [[0;32m OK [0m] Finished [0;1;39msystemd-update-ut… - Record Runlevel Change in UTMP. [[0;32m OK [0m] Started [0;1;39msystemd-hostnamed.service[0m - Hostname Service. Debian GNU/Linux 12 debian-bookworm-armhf ttySTM0 debian-bookworm-armhf login: root (automatic login) Linux debian-bookworm-armhf 6.12.39-rc2 #1 SMP Tue Jul 15 18:39:20 UTC 2025 armv7l The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. / # / # export NFS_ROOTFS='/var/lib/lava/dispatcher/tmp/1574985/extract-nfsrootfs-w6q8rnvr' export NFS_ROOTFS='/var/lib/lava/dispatcher/tmp/1574985/extract-nfsrootfs-w6q8rnvr' / # export NFS_SERVER_IP='172.16.0.3' export NFS_SERVER_IP='172.16.0.3' / # # # / # export SHELL=/bin/bash export SHELL=/bin/bash / # . /lava-1574985/environment . /lava-1574985/environment / # /lava-1574985/bin/lava-test-runner /lava-1574985/0 /lava-1574985/bin/lava-test-runner /lava-1574985/0 + export TESTRUN_ID=0_timesync-off + TESTRUN_ID=0_timesync-off + cd /lava-1574985/0/tests/0_timesync-off ++ cat uuid + UUID=1574985_1.6.2.4.1 + set +x <LAVA_SIGNAL_STARTRUN 0_timesync-off 1574985_1.6.2.4.1> + systemctl stop systemd-timesyncd + set +x <LAVA_SIGNAL_ENDRUN 0_timesync-off 1574985_1.6.2.4.1> + export TESTRUN_ID=1_kselftest-breakpoints + TESTRUN_ID=1_kselftest-breakpoints + cd /lava-1574985/0/tests/1_kselftest-breakpoints ++ cat uuid + UUID=1574985_1.6.2.4.5 + set +x <LAVA_SIGNAL_STARTRUN 1_kselftest-breakpoints 1574985_1.6.2.4.5> + cd ./automated/linux/kselftest/ + ./kselftest.sh -c breakpoints -T '' -t kselftest_armhf.tar.gz -s True -u https://files.kernelci.org/kbuild-gcc-12-arm-6876975b34612746bbce6ee9/kself… -L '' -S /dev/null -b '' -g '' -e '' -p /opt/kselftests/mainline/ -n 1 -i 1 -E '' INFO: install_deps skipped --2025-07-17 18:49:22-- https://files.kernelci.org/kbuild-gcc-12-arm-6876975b34612746bbce6ee9/kself… Resolving files.kernelci.org (files.kernelci.org)... 20.171.243.82 Connecting to files.kernelci.org (files.kernelci.org)|20.171.243.82|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 9351030 (8.9M) [application/gzip] Saving to: 'kselftest_armhf.tar.gz' kselftest_armhf.tar 0%[ ] 0 --.-KB/s ?kselftest_armhf.tar 1%[ ] 103.76K 357KB/s ?kselftest_armhf.tar 4%[ ] 439.76K 756KB/s ?kselftest_armhf.tar 12%[=> ] 1.13M 1.45MB/s ?kselftest_armhf.tar 23%[===> ] 2.13M 2.17MB/s ?kselftest_armhf.tar 35%[======> ] 3.13M 2.64MB/s ?kselftest_armhf.tar 46%[========> ] 4.13M 2.98MB/s ?kselftest_armhf.tar 57%[==========> ] 5.13M 3.24MB/s ?kselftest_armhf.tar 68%[============> ] 6.13M 3.43MB/s ?kselftest_armhf.tar 79%[==============> ] 7.13M 3.59MB/s ?kselftest_armhf.tar 90%[=================> ] 8.06M 3.57MB/s ?kselftest_armhf.tar 100%[===================>] 8.92M 3.66MB/s in 2.4s 2025-07-17 18:49:25 (3.66 MB/s) - 'kselftest_armhf.tar.gz' saved [9351030/9351030] skiplist: ======================================== ======================================== breakpoints:step_after_suspend_test ============== Tests to run =============== breakpoints:step_after_suspend_test ===========End Tests to run =============== shardfile-breakpoints pass [ 67.220163] kselftest: Running tests in breakpoints TAP version 13 1..1 # timeout set to 45 # selftests: breakpoints: step_after_suspend_test [ 67.432985] PM: suspend entry (deep) [ 67.449347] Filesystems sync: 0.014 seconds [ 67.458329] Freezing user space processes [ 67.462606] Freezing user space processes completed (elapsed 0.001 seconds) [ 67.468205] OOM killer disabled. [ 67.471493] Freezing remaining freezable tasks [ 67.477234] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 67.483366] printk: Suspending console(s) (use no_console_suspend to debug) [ 67.611609] stm32-dwmac 5800a000.ethernet end0: Link is Down [ 67.624958] Disabling non-boot CPUs ... [ 67.626403] CPU1 killed. [ 67.628604] Enabling non-boot CPUs ... [ 67.630318] CPU1 is up [ 67.638677] stm32-dwmac 5800a000.ethernet end0: configuring for phy/rgmii link mode [ 67.640262] dwmac4: Master AXI performs any burst length [ 67.640314] stm32-dwmac 5800a000.ethernet end0: No Safety Features support found [ 67.640345] stm32-dwmac 5800a000.ethernet end0: Invalid PTP clock rate [ 67.640361] stm32-dwmac 5800a000.ethernet end0: PTP init failed [ 67.642550] stm32-dwmac 5800a000.ethernet end0: Link is Up - 1Gbps/Full - flow control off [ 67.910193] usb 2-1: reset high-speed USB device number 2 using ehci-platform [ 68.257543] OOM killer enabled. [ 68.260709] Restarting tasks ... done. [ 68.267811] random: crng reseeded on system resumption [ 68.281019] PM: suspend exit # TAP version 13 # Bail out! Failed to enter Suspend state # # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:0 not ok 1 selftests: breakpoints: step_after_suspend_test # exit=1 WARNING: Optional imports not found, TAP 13 output will be ignored. To parse yaml, see requirements in docs: https://tappy.readthedocs.io/en/latest/consumers.html#tap-version-13 breakpoints_step_after_suspend_test fail + ../../utils/send-to-lava.sh ./output/result.txt <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=shardfile-breakpoints RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=breakpoints_step_after_suspend_test RESULT=fail> + set +x <LAVA_SIGNAL_ENDRUN 1_kselftest-breakpoints 1574985_1.6.2.4.5> <LAVA_TEST_RUNNER EXIT> / # ===================================================== #kernelci test maestro:687945d32ce2c1874ed4d342 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 weeks, 4 days

2
1
0 0

FYI

by Allen Cheng

Good day, I sent you a message a few hours ago, but no reply yet, or did you not receive it? Kindly read my letter and reply. I want to make an inquiry Thanks. Dr.Allen Cheng Human Resource Manager | Product Research Assistant FGP Ltd "Email ini dan dokumen lampirannya ditujukan untuk digunakan oleh penerima e-mail. Apabila anda bukan orang yang tepat untuk menerima e-mail ini segera hapus e-mail ini. Isi e-mail ini mungkin tidak mewakili pandangan dan/atau pendapat PT. Transportasi Jakarta, kecuali bila dinyatakan dengan jelas demikian. Informasi yang terdapat dalam e-mail ini dapat bersifat rahasia. Dilarang memperbanyak, menyebarkan dan menyalin informasi rahasia kepada pihak lain tanpa persetujuan PT. Transportasi Jakart tidak bertanggung jawab atas penggunaan email ini oleh bukan penerima e-mail yang dituju dan atas kerusakan yang diakibatkan oleh e-mail ini jika terkena virus atau gangguan komunikasi."

3 weeks, 4 days

1
0
0 0

[PATCH] vfio: cdx: Fix missing GENERIC_MSI_IRQ on compile test

by Krzysztof Kozlowski

VFIO_CDX driver uses msi_domain_alloc_irqs() which is provided by non-user-visible GENERIC_MSI_IRQ, thus it should select that option directly. VFIO_CDX depends on CDX_BUS, which also will select GENERIC_MSI_IRQ (separate fix), nevertheless driver should poll what is being used there instead of relying on bus Kconfig. Without the fix on CDX_BUS compile test fails: drivers/vfio/cdx/intr.c: In function ‘vfio_cdx_msi_enable’: drivers/vfio/cdx/intr.c:41:15: error: implicit declaration of function ‘msi_domain_alloc_irqs’; did you mean ‘irq_domain_alloc_irqs’? [-Wimplicit-function-declaration] Reported-by: Randy Dunlap <rdunlap(a)infradead.org> Closes: https://lore.kernel.org/r/4a6fd102-f8e0-42f3-b789-6e3340897032@infradead.or… Fixes: 848e447e000c ("vfio/cdx: add interrupt support") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/vfio/cdx/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/vfio/cdx/Kconfig b/drivers/vfio/cdx/Kconfig index e6de0a0caa32..90cf3dee5dba 100644 --- a/drivers/vfio/cdx/Kconfig +++ b/drivers/vfio/cdx/Kconfig @@ -9,6 +9,7 @@ config VFIO_CDX tristate "VFIO support for CDX bus devices" depends on CDX_BUS select EVENTFD + select GENERIC_MSI_IRQ help Driver to enable VFIO support for the devices on CDX bus. This is required to make use of CDX devices present in -- 2.48.1

3 weeks, 4 days

2
1
0 0

[PATCH] bus: mhi: ep: Fix chained transfer handling in read path

by Sumit Kumar

From: Sumit Kumar <sumk(a)qti.qualcomm.com> The current implementation of mhi_ep_read_channel, in case of chained transactions, assumes the End of Transfer(EOT) bit is received with the doorbell. As a result, it may incorrectly advance mhi_chan->rd_offset beyond wr_offset during host-to-device transfers when EOT has not yet arrived. This can lead to access of unmapped host memory, causing IOMMU faults and processing of stale TREs. This change modifies the loop condition to ensure rd_offset remains behind wr_offset, allowing the function to process only valid TREs up to the current write pointer. This prevents premature reads and ensures safe traversal of chained TREs. Fixes: 5301258899773 ("bus: mhi: ep: Add support for reading from the host") Cc: stable(a)vger.kernel.org Co-developed-by: Akhil Vinod <akhvin(a)qti.qualcomm.com> Signed-off-by: Akhil Vinod <akhvin(a)qti.qualcomm.com> Signed-off-by: Sumit Kumar <sumk(a)qti.qualcomm.com> --- drivers/bus/mhi/ep/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/bus/mhi/ep/main.c b/drivers/bus/mhi/ep/main.c index b3eafcf2a2c50d95e3efd3afb27038ecf55552a5..2e134f44952d1070c62c24aeca9effc7fd325860 100644 --- a/drivers/bus/mhi/ep/main.c +++ b/drivers/bus/mhi/ep/main.c @@ -468,7 +468,7 @@ static int mhi_ep_read_channel(struct mhi_ep_cntrl *mhi_cntrl, mhi_chan->rd_offset = (mhi_chan->rd_offset + 1) % ring->ring_size; } - } while (buf_left && !tr_done); + } while (buf_left && !tr_done && mhi_chan->rd_offset != ring->wr_offset); return 0; --- base-commit: 4c06e63b92038fadb566b652ec3ec04e228931e8 change-id: 20250709-chained_transfer-0b95f8afa487 Best regards, -- Sumit Kumar <quic_sumk(a)quicinc.com>

3 weeks, 4 days

4
4
0 0

Linux 6.15.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.15.7 kernel. All users of the 6.15 kernel series must upgrade. The updated 6.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_hash.rst | 8 Documentation/bpf/map_lru_hash_update.dot | 6 Documentation/devicetree/bindings/clock/mediatek,mt8188-clock.yaml | 3 Makefile | 2 arch/arm64/kernel/cpufeature.c | 57 +- arch/arm64/kernel/process.c | 5 arch/arm64/mm/fault.c | 30 - arch/arm64/mm/proc.S | 1 arch/riscv/kernel/vdso/vdso.lds.S | 2 arch/s390/crypto/sha1_s390.c | 2 arch/s390/crypto/sha256_s390.c | 3 arch/s390/crypto/sha512_s390.c | 3 arch/um/drivers/vector_kern.c | 42 - arch/x86/Kconfig | 2 arch/x86/coco/sev/core.c | 22 arch/x86/include/asm/msr-index.h | 1 arch/x86/include/asm/sev.h | 17 arch/x86/kernel/cpu/amd.c | 10 arch/x86/kernel/cpu/mce/amd.c | 28 - arch/x86/kernel/cpu/mce/core.c | 24 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/hyperv.c | 3 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 drivers/acpi/battery.c | 19 drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/block/ublk_drv.c | 3 drivers/bluetooth/hci_qca.c | 13 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/clk/clk-scmi.c | 18 drivers/clk/imx/clk-imx95-blk-ctl.c | 12 drivers/edac/ecs.c | 4 drivers/edac/mem_repair.c | 1 drivers/edac/scrub.c | 1 drivers/gpio/gpiolib.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v8.c | 8 drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 1 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 - drivers/gpu/drm/drm_framebuffer.c | 31 + drivers/gpu/drm/drm_gem.c | 74 ++ drivers/gpu/drm/drm_internal.h | 2 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/imagination/pvr_power.c | 4 drivers/gpu/drm/nouveau/nouveau_debugfs.c | 6 drivers/gpu/drm/nouveau/nouveau_debugfs.h | 5 drivers/gpu/drm/nouveau/nouveau_drm.c | 4 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 drivers/gpu/drm/xe/xe_lmtt.c | 11 drivers/gpu/drm/xe/xe_migrate.c | 2 drivers/gpu/drm/xe/xe_pci.c | 1 drivers/gpu/drm/xe/xe_pm.c | 11 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-nintendo.c | 38 + drivers/hid/hid-quirks.c | 3 drivers/irqchip/Kconfig | 1 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 4 drivers/md/raid10.c | 12 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/airoha/airoha_eth.c | 1 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 18 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 drivers/net/ethernet/renesas/rtsn.c | 5 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 3 drivers/net/phy/qcom/at803x.c | 27 - drivers/net/phy/qcom/qca808x.c | 2 drivers/net/phy/qcom/qcom-phy-lib.c | 25 drivers/net/phy/qcom/qcom.h | 5 drivers/net/phy/smsc.c | 57 ++ drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/marvell/mwifiex/util.c | 4 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 40 - drivers/net/wireless/mediatek/mt76/mt7996/main.c | 5 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 188 +++++-- drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 16 drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pci/pci-acpi.c | 23 drivers/pinctrl/nuvoton/pinctrl-ma35.c | 10 drivers/pinctrl/pinctrl-amd.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 20 drivers/pwm/core.c | 2 drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/gadget/function/u_serial.c | 12 fs/btrfs/free-space-tree.c | 16 fs/erofs/data.c | 21 fs/erofs/decompressor.c | 12 fs/erofs/fileio.c | 6 fs/erofs/internal.h | 6 fs/erofs/zdata.c | 13 fs/erofs/zmap.c | 9 fs/eventpoll.c | 12 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 fs/proc/task_mmu.c | 14 fs/smb/server/smb2pdu.c | 29 - fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/drm_framebuffer.h | 7 include/drm/spsc_queue.h | 4 include/linux/blkdev.h | 5 include/linux/ieee80211.h | 45 + include/linux/io_uring_types.h | 2 include/linux/mm.h | 5 include/linux/psp-sev.h | 2 include/net/af_vsock.h | 2 include/net/bluetooth/hci_core.h | 3 include/net/netfilter/nf_flow_table.h | 2 include/sound/soc-acpi.h | 13 include/trace/events/erofs.h | 2 io_uring/msg_ring.c | 4 io_uring/opdef.c | 1 io_uring/zcrx.c | 3 kernel/bpf/bpf_lru_list.c | 9 kernel/bpf/bpf_lru_list.h | 1 kernel/events/core.c | 6 kernel/module/main.c | 4 kernel/sched/core.c | 7 kernel/sched/deadline.c | 10 kernel/stop_machine.c | 20 lib/alloc_tag.c | 3 lib/maple_tree.c | 1 mm/damon/core.c | 8 mm/kasan/report.c | 45 - mm/rmap.c | 46 + mm/vmalloc.c | 22 net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +- net/bluetooth/hci_event.c | 3 net/bluetooth/hci_sync.c | 4 net/ipv4/tcp.c | 2 net/ipv6/addrconf.c | 9 net/mac80211/cfg.c | 14 net/mac80211/mlme.c | 7 net/mac80211/parse.c | 6 net/mac80211/util.c | 9 net/netlink/af_netlink.c | 82 +-- net/rxrpc/call_accept.c | 4 net/sched/sch_api.c | 23 net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 +- net/wireless/nl80211.c | 7 net/wireless/util.c | 52 +- samples/damon/prcl.c | 8 samples/damon/wsse.c | 8 scripts/gdb/linux/constants.py.in | 7 scripts/gdb/linux/interrupts.py | 16 scripts/gdb/linux/mapletree.py | 252 ++++++++++ scripts/gdb/linux/vfs.py | 2 scripts/gdb/linux/xarray.py | 28 + sound/isa/ad1816a/ad1816a.c | 2 sound/pci/hda/patch_realtek.c | 10 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs35l56-shared.c | 2 sound/soc/codecs/rt721-sdca.c | 23 sound/soc/fsl/fsl_asrc.c | 3 sound/soc/fsl/fsl_sai.c | 14 sound/soc/intel/boards/Kconfig | 1 sound/soc/intel/common/Makefile | 2 sound/soc/intel/common/soc-acpi-intel-arl-match.c | 21 sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 sound/soc/sof/intel/hda.c | 6 tools/arch/x86/include/asm/msr-index.h | 1 tools/include/linux/kallsyms.h | 4 tools/objtool/check.c | 1 tools/testing/selftests/bpf/test_lru_map.c | 105 ++-- tools/testing/selftests/net/lib.sh | 2 virt/kvm/kvm_main.c | 3 203 files changed, 2006 insertions(+), 827 deletions(-) Aaron Thompson (1): drm/nouveau: Do not fail module init on debugfs errors Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alessio Belle (1): drm/imagination: Fix kernel crash when hard resetting the GPU Alex Deucher (1): drm/amdkfd: add hqd_sdma_get_doorbell callbacks for gfx7/8 Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Anshuman Khandual (1): arm64/mm: Drop wrong writes into TCR2_EL1 Arun Raghavan (1): ASoC: fsl_sai: Force a software reset when starting in consumer mode Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Bard Liao (4): ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH ASoC: soc-acpi: add get_function_tplg_files ops ASoC: Intel: add sof_sdw_get_tplg_files ops ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Ben Skeggs (1): drm/nouveau/gsp: fix potential leak of memory used during acpi init Carolina Jubran (2): net/mlx5: Reset bw_share field when changing a node's parent net/mlx5e: Fix race between DIM disable and net_dim() Chao Yu (2): erofs: fix to add missing tracepoint in erofs_read_folio() erofs: fix to add missing tracepoint in erofs_readahead() Charles Keepax (1): ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Chintan Vankar (1): net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Chris Chiu (1): ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Christophe JAILLET (1): net: airoha: Fix an error handling path in airoha_probe() Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniel J. Ogorchock (1): HID: nintendo: avoid bluetooth suspend/resume stalls Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (2): rxrpc: Fix bug due to prealloc collision rxrpc: Fix oops due to non-existence of prealloc backlog struct David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Deren Wu (2): wifi: mt76: mt7921: prevent decap offload config before STA initialization wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Edip Hazuri (1): ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx Eric Biggers (1): crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() EricChan (1): net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Fangrui Song (1): riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Felix Fietkau (1): wifi: rt2x00: fix remove callback type mismatch Fengnan Chang (1): io_uring: make fallocate be hashed work Filipe Manana (1): btrfs: fix assertion when building free space tree Florian Fainelli (3): scripts/gdb: fix interrupts display after MCP on x86 scripts/gdb: de-reference per-CPU MCE interrupts scripts/gdb: fix interrupts.py after maple tree conversion Gao Xiang (3): erofs: address D-cache aliasing erofs: fix large fragment handling erofs: refine readahead tracepoint Greg Kroah-Hartman (1): Linux 6.15.7 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hangbin Liu (1): selftests: net: lib: fix shift count out of range Haoxiang Li (1): net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Harry Yoo (1): lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Heiko Carstens (1): objtool: Add missing endian conversion to read_annotate() Henry Martin (1): wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Honggyu Kim (3): mm/damon: fix divide by zero in damon_get_intervals_score() samples/damon: fix damon sample prcl for start failure samples/damon: fix damon sample wsse for start failure Hugo Villeneuve (1): gpiolib: fix performance regression when using gpio_chip_get_multiple() Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() Illia Ostapyshyn (1): scripts: gdb: vfs: support external dentry names JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jack Yu (1): ASoC: rt721-sdca: fix boost gain calculation error Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jason Xing (1): bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL Jens Axboe (1): io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Jianbo Liu (1): net/mlx5e: Add new prio for promiscuous mode Jiawen Wu (1): net: wangxun: revert the adjustment of the IRQ vector sequence Jiayuan Chen (1): tcp: Correct signedness in skb remaining space calculation Johannes Berg (1): wifi: mac80211: fix non-transmitted BSSID profile search Julien Massot (1): dt-bindings: clock: mediatek: Add #reset-cells property for MT8188 Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kent Russell (1): drm/amdgpu: Include sdma_4_4_4.bin Kevin Brodsky (1): arm64: poe: Handle spurious Overlay faults Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (2): wifi: cfg80211: fix S1G beacon head validation in nl80211 wifi: mac80211: correctly identify S1G short beacon Lance Yang (1): mm/rmap: fix potential out-of-bounds page table access during batched unmap Liam Merwick (1): KVM: Allow CPU to reschedule while setting per-page memory attributes Linus Torvalds (1): eventpoll: don't decrement ep refcount while still holding the ep mutex Long Li (1): net: mana: Record doorbell physical address in PF mode Lorenzo Bianconi (5): wifi: mt76: Assume __mt76_connac_mcu_alloc_sta_req runs in atomic context wifi: mt76: Move RCU section in mt7996_mcu_set_fixed_field() wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl_fixed() wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl() wifi: mt76: Remove RCU section in mt7996_mac_sta_rc_work() Luiz Augusto von Dentz (4): Bluetooth: hci_sync: Fix not disabling advertising instance Bluetooth: hci_core: Remove check of BDADDR_ANY in hci_conn_hash_lookup_big_state Bluetooth: hci_sync: Fix attempting to send HCI_Disconnect to BIS handle Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luo Gengkun (1): perf/core: Fix the WARN_ON_ONCE is out of lock protected region Luo Jie (2): net: phy: qcom: move the WoL function to shared library net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Manuel Andreas (1): KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush Mario Limonciello (1): pinctrl: amd: Clear GPIO debounce for suspend Mark Brown (1): arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Auld (1): drm/xe/bmg: fix compressed VRAM handling Matthew Brost (3): drm/sched: Increment job count before swapping tail spsc queue Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" drm/xe: Allocate PF queue size on pow2 boundary Michael Lo (1): wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Wajdeczko (1): drm/xe/pf: Clear all LMTT pages on alloc Mikhail Paulyshka (2): x86/rdrand: Disable RDSEED on AMD Cyan Skillfish x86/CPU/AMD: Disable INVLPGB on Zen2 Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Ming Yen Hsieh (1): wifi: mt76: mt7925: fix the wrong config for tx interrupt Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Miquel Raynal (1): pinctrl: nuvoton: Fix boot on ma35dx platforms Miri Korenblit (1): wifi: mac80211: add the virtual monitor after reconfig complete Moon Hee Lee (1): wifi: mac80211: reject VHT opmode for unsupported channel widths Nam Cao (1): irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nikunj A Dadhania (2): KVM: SVM: Add missing member in SNP_LAUNCH_START command structure x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation Oleksij Rempel (5): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Pankaj Raghav (1): block: reject bs > ps block devices when THP is disabled Pavel Begunkov (1): io_uring/zcrx: fix pp destruction warnings Peter Ujfalusi (1): ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Peter Zijlstra (2): sched/core: Fix migrate_swap() vs. hotplug perf: Revert to requiring CAP_SYS_ADMIN for uprobes Petr Pavlu (1): module: Fix memory deallocation on error path in move_module() Philip Yang (1): drm/amdkfd: Don't call mmput from MMU notifier callback Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Richard Fitzgerald (1): ASoC: cs35l56: probe() should fail if the device ID is not recognized Ronnie Sahlberg (1): ublk: sanity check add_dev input for underflow Sascha Hauer (1): clk: scmi: Handle case where child clocks are initialized before their parents Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level SeongJae Park (1): mm/damon/core: handle damon_call_control as normal under kdmond deactivation Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shiju Jose (1): EDAC: Initialize EDAC features sysfs attributes Shravya KN (1): bnxt_en: Fix DCB ETS validation Shruti Parab (1): bnxt_en: Flush FW trace before copying to the coredump Shuai Zhang (1): driver: bluetooth: hci_qca:fix unable to load the BT driver Shuicheng Lin (2): drm/xe/pm: Restore display pm if there is error after display suspend drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Stefano Garzarella (1): vsock: fix `vsock_proto` declaration Takashi Iwai (1): ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai (1): ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Thomas Weißschuh (1): sched: Fix preemption string of preempt_dynamic_none Thomas Zimmermann (2): drm/gem: Acquire references on GEM handles for framebuffers drm/framebuffer: Acquire internal references on GEM handles Thorsten Blum (1): ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Tim Crawford (1): ALSA: hda/realtek: Add quirks for some Clevo laptops Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (2): pwm: Fix invalid state detection pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Vitor Soares (1): wifi: mwifiex: discard erroneous disassoc frames on STA interface Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Willem de Bruijn (2): bpf: Adjust free target to avoid global starvation of LRU map selftests/bpf: adapt one more case in test_lru_map to the new target_free Xiaolei Wang (1): clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (4): x86/mce/amd: Add default names for MCA banks and blocks x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails x86/mce: Ensure user polling settings are honored when restarting timer Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zhe Qiao (1): Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Zheng Qixing (2): md/raid1,raid10: strip REQ_NOWAIT from member bios nbd: fix uaf in nbd_genl_connect() error path kuyo chang (1): sched/deadline: Fix dl_server runtime calculation formula

3 weeks, 5 days

1
1
0 0

Linux 6.12.39

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.39 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_hash.rst | 8 Documentation/bpf/map_lru_hash_update.dot | 6 Makefile | 2 arch/arm64/kernel/cpufeature.c | 45 +-- arch/arm64/kernel/process.c | 5 arch/arm64/mm/fault.c | 30 +- arch/riscv/kernel/vdso/vdso.lds.S | 2 arch/s390/crypto/sha1_s390.c | 2 arch/s390/crypto/sha256_s390.c | 3 arch/s390/crypto/sha512_s390.c | 3 arch/um/drivers/vector_kern.c | 42 --- arch/x86/Kconfig | 2 arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/amd.c | 7 arch/x86/kernel/cpu/mce/amd.c | 28 +- arch/x86/kernel/cpu/mce/core.c | 24 - arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/cpuid.c | 4 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 - crypto/ecc.c | 2 drivers/acpi/battery.c | 19 - drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/block/ublk_drv.c | 3 drivers/bluetooth/hci_qca.c | 13 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/clk/clk-scmi.c | 18 - drivers/clk/imx/clk-imx95-blk-ctl.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 30 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 +-- drivers/gpu/drm/drm_framebuffer.c | 31 ++ drivers/gpu/drm/drm_gem.c | 74 ++++- drivers/gpu/drm/drm_internal.h | 2 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/imagination/pvr_power.c | 4 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 + drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 drivers/gpu/drm/xe/xe_lmtt.c | 11 drivers/gpu/drm/xe/xe_migrate.c | 2 drivers/gpu/drm/xe/xe_pci.c | 1 drivers/gpu/drm/xe/xe_pm.c | 8 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-nintendo.c | 38 ++ drivers/hid/hid-quirks.c | 3 drivers/irqchip/Kconfig | 1 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 drivers/net/ethernet/renesas/rtsn.c | 5 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 - drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 - drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 3 drivers/net/phy/qcom/at803x.c | 27 -- drivers/net/phy/qcom/qca808x.c | 2 drivers/net/phy/qcom/qcom-phy-lib.c | 25 + drivers/net/phy/qcom/qcom.h | 5 drivers/net/phy/smsc.c | 57 +++- drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/marvell/mwifiex/util.c | 4 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pci/pci-acpi.c | 23 - drivers/pinctrl/pinctrl-amd.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/pwm/core.c | 2 drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/gadget/function/u_serial.c | 12 fs/btrfs/free-space-tree.c | 16 - fs/erofs/data.c | 21 + fs/erofs/decompressor.c | 12 fs/erofs/fileio.c | 6 fs/erofs/internal.h | 2 fs/erofs/zdata.c | 251 ++++++++---------- fs/erofs/zutil.c | 7 fs/eventpoll.c | 12 fs/netfs/write_collect.c | 2 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 - fs/proc/task_mmu.c | 14 - fs/smb/server/smb2pdu.c | 29 -- fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/drm_framebuffer.h | 7 include/drm/spsc_queue.h | 4 include/linux/ieee80211.h | 45 ++- include/linux/math.h | 12 include/linux/mm.h | 5 include/linux/psp-sev.h | 2 include/net/af_vsock.h | 2 include/net/netfilter/nf_flow_table.h | 2 include/sound/soc-acpi.h | 13 include/trace/events/erofs.h | 2 io_uring/opdef.c | 1 kernel/bpf/bpf_lru_list.c | 9 kernel/bpf/bpf_lru_list.h | 1 kernel/events/core.c | 6 kernel/rseq.c | 60 +++- kernel/sched/core.c | 5 kernel/sched/deadline.c | 10 kernel/stop_machine.c | 20 - lib/alloc_tag.c | 3 lib/maple_tree.c | 1 mm/kasan/report.c | 13 mm/vmalloc.c | 22 + net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +++- net/bluetooth/hci_event.c | 3 net/bluetooth/hci_sync.c | 2 net/ipv4/tcp.c | 2 net/ipv6/addrconf.c | 9 net/mac80211/mlme.c | 7 net/mac80211/parse.c | 6 net/netlink/af_netlink.c | 82 +++--- net/rxrpc/call_accept.c | 4 net/sched/sch_api.c | 23 + net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/nl80211.c | 7 net/wireless/util.c | 52 +++ rust/kernel/init/macros.rs | 2 scripts/gdb/linux/constants.py.in | 7 scripts/gdb/linux/interrupts.py | 16 - scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++ scripts/gdb/linux/xarray.py | 28 ++ sound/isa/ad1816a/ad1816a.c | 2 sound/pci/hda/patch_realtek.c | 7 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs35l56-shared.c | 2 sound/soc/fsl/fsl_asrc.c | 3 sound/soc/fsl/fsl_sai.c | 14 - sound/soc/intel/boards/Kconfig | 1 sound/soc/intel/common/Makefile | 2 sound/soc/intel/common/soc-acpi-intel-arl-match.c | 66 ++++ sound/soc/intel/common/sof-function-topology-lib.c | 136 ++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 + sound/soc/sof/intel/hda.c | 6 tools/arch/x86/include/asm/msr-index.h | 1 tools/include/linux/kallsyms.h | 4 tools/testing/selftests/bpf/test_lru_map.c | 105 +++---- tools/testing/selftests/net/forwarding/lib.sh | 113 -------- tools/testing/selftests/net/lib.sh | 115 ++++++++ virt/kvm/kvm_main.c | 3 176 files changed, 2012 insertions(+), 874 deletions(-) Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alessio Belle (1): drm/imagination: Fix kernel crash when hard resetting the GPU Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Arun Raghavan (1): ASoC: fsl_sai: Force a software reset when starting in consumer mode Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Bard Liao (4): ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH ASoC: soc-acpi: add get_function_tplg_files ops ASoC: Intel: add sof_sdw_get_tplg_files ops ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Ben Skeggs (1): drm/nouveau/gsp: fix potential leak of memory used during acpi init Borislav Petkov (AMD) (1): KVM: SVM: Set synthesized TSA CPUID flags Carolina Jubran (1): net/mlx5e: Fix race between DIM disable and net_dim() Chao Yu (2): erofs: fix to add missing tracepoint in erofs_read_folio() erofs: fix to add missing tracepoint in erofs_readahead() Charles Keepax (1): ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Chintan Vankar (1): net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Chunhai Guo (1): erofs: free pclusters if no cached folio is attached Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniel J. Ogorchock (1): HID: nintendo: avoid bluetooth suspend/resume stalls Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (3): rxrpc: Fix bug due to prealloc collision rxrpc: Fix oops due to non-existence of prealloc backlog struct netfs: Fix ref leak on inserted extra subreq in write retry David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Deren Wu (2): wifi: mt76: mt7921: prevent decap offload config before STA initialization wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Eric Biggers (1): crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() EricChan (1): net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Fangrui Song (1): riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Felix Fietkau (1): wifi: rt2x00: fix remove callback type mismatch Fengnan Chang (1): io_uring: make fallocate be hashed work Filipe Manana (1): btrfs: fix assertion when building free space tree Flora Cui (2): drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics drm/amdgpu/ip_discovery: add missing ip_discovery fw Florian Fainelli (3): scripts/gdb: fix interrupts display after MCP on x86 scripts/gdb: de-reference per-CPU MCE interrupts scripts/gdb: fix interrupts.py after maple tree conversion Gao Xiang (5): erofs: address D-cache aliasing erofs: get rid of `z_erofs_next_pcluster_t` erofs: tidy up zdata.c erofs: refine readahead tracepoint erofs: fix rare pcluster memory leak after unmounting Greg Kroah-Hartman (1): Linux 6.12.39 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hangbin Liu (1): selftests: net: lib: fix shift count out of range Haoxiang Li (1): net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Harry Yoo (1): lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Henry Martin (1): wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jason Xing (1): bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL Jianbo Liu (1): net/mlx5e: Add new prio for promiscuous mode Jiawen Wu (1): net: wangxun: revert the adjustment of the IRQ vector sequence Jiayuan Chen (1): tcp: Correct signedness in skb remaining space calculation Johannes Berg (1): wifi: mac80211: fix non-transmitted BSSID profile search Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kevin Brodsky (1): arm64: poe: Handle spurious Overlay faults Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (2): wifi: cfg80211: fix S1G beacon head validation in nl80211 wifi: mac80211: correctly identify S1G short beacon Liam Merwick (1): KVM: Allow CPU to reschedule while setting per-page memory attributes Linus Torvalds (1): eventpoll: don't decrement ep refcount while still holding the ep mutex Long Li (1): net: mana: Record doorbell physical address in PF mode Luiz Augusto von Dentz (2): Bluetooth: hci_sync: Fix not disabling advertising instance Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Lukas Wunner (1): crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Luo Gengkun (1): perf/core: Fix the WARN_ON_ONCE is out of lock protected region Luo Jie (2): net: phy: qcom: move the WoL function to shared library net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Mario Limonciello (1): pinctrl: amd: Clear GPIO debounce for suspend Mark Brown (1): arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Auld (1): drm/xe/bmg: fix compressed VRAM handling Matthew Brost (3): drm/sched: Increment job count before swapping tail spsc queue Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" drm/xe: Allocate PF queue size on pow2 boundary Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michael Lo (1): wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Wajdeczko (1): drm/xe/pf: Clear all LMTT pages on alloc Miguel Ojeda (1): rust: init: allow `dead_code` warnings for Rust >= 1.89.0 Mikhail Paulyshka (1): x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Ming Yen Hsieh (1): wifi: mt76: mt7925: fix the wrong config for tx interrupt Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Nam Cao (1): irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nikunj A Dadhania (1): KVM: SVM: Add missing member in SNP_LAUNCH_START command structure Oleksij Rempel (5): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Peter Ujfalusi (1): ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Peter Zijlstra (2): sched/core: Fix migrate_swap() vs. hotplug perf: Revert to requiring CAP_SYS_ADMIN for uprobes Petr Machata (1): selftests: net: lib: Move logging from forwarding/lib.sh here Philip Yang (1): drm/amdkfd: Don't call mmput from MMU notifier callback Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Richard Fitzgerald (1): ASoC: cs35l56: probe() should fail if the device ID is not recognized Ronnie Sahlberg (1): ublk: sanity check add_dev input for underflow Sascha Hauer (1): clk: scmi: Handle case where child clocks are initialized before their parents Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shravya KN (1): bnxt_en: Fix DCB ETS validation Shuai Zhang (1): driver: bluetooth: hci_qca:fix unable to load the BT driver Shuicheng Lin (1): drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Simon Trimmer (2): ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Srinivasan Shanmugam (1): drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Stefano Garzarella (1): vsock: fix `vsock_proto` declaration Takashi Iwai (1): ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai (1): ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Thomas Zimmermann (2): drm/gem: Acquire references on GEM handles for framebuffers drm/framebuffer: Acquire internal references on GEM handles Thorsten Blum (1): ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Tim Crawford (1): ALSA: hda/realtek: Add quirks for some Clevo laptops Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (2): pwm: Fix invalid state detection pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Vitor Soares (1): wifi: mwifiex: discard erroneous disassoc frames on STA interface Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Willem de Bruijn (2): bpf: Adjust free target to avoid global starvation of LRU map selftests/bpf: adapt one more case in test_lru_map to the new target_free Xiaolei Wang (1): clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (4): x86/mce/amd: Add default names for MCA banks and blocks x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails x86/mce: Ensure user polling settings are honored when restarting timer Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zhe Qiao (1): Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path kuyo chang (1): sched/deadline: Fix dl_server runtime calculation formula

3 weeks, 5 days

1
1
0 0

Linux 6.6.99

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.99 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/bpf/map_hash.rst | 8 Documentation/bpf/map_lru_hash_update.dot | 6 Makefile | 2 arch/um/drivers/vector_kern.c | 42 -- arch/x86/Kconfig | 2 arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/amd.c | 7 arch/x86/kernel/cpu/mce/amd.c | 28 - arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 crypto/ecc.c | 2 drivers/acpi/battery.c | 19 - drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/block/ublk_drv.c | 3 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/gpu/drm/drm_framebuffer.c | 31 + drivers/gpu/drm/drm_gem.c | 74 +++- drivers/gpu/drm/drm_internal.h | 2 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-quirks.c | 3 drivers/input/keyboard/atkbd.c | 3 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 - drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 57 +++ drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/pinctrl-amd.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 - drivers/usb/cdns3/cdnsp-gadget.c | 6 drivers/usb/cdns3/cdnsp-gadget.h | 11 drivers/usb/cdns3/cdnsp-ring.c | 27 - drivers/usb/dwc3/core.c | 9 drivers/usb/dwc3/gadget.c | 22 - drivers/usb/gadget/function/u_serial.c | 12 fs/btrfs/btrfs_inode.h | 2 fs/btrfs/free-space-tree.c | 16 fs/btrfs/inode.c | 18 - fs/btrfs/transaction.c | 2 fs/btrfs/tree-log.c | 331 +++++++++++-------- fs/erofs/data.c | 2 fs/eventpoll.c | 12 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 - fs/proc/task_mmu.c | 14 fs/smb/client/cifsglob.h | 3 fs/smb/client/cifsproto.h | 13 fs/smb/client/connect.c | 47 +- fs/smb/client/dfs.c | 73 ++-- fs/smb/client/dfs.h | 42 +- fs/smb/client/dfs_cache.c | 186 ++++++---- fs/smb/client/fs_context.h | 1 fs/smb/client/misc.c | 9 fs/smb/client/namespace.c | 2 fs/smb/server/smb2pdu.c | 29 - fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/drm_framebuffer.h | 7 include/drm/spsc_queue.h | 4 include/linux/math.h | 12 include/linux/mm.h | 5 include/net/af_vsock.h | 2 include/net/netfilter/nf_flow_table.h | 2 io_uring/opdef.c | 1 kernel/bpf/bpf_lru_list.c | 9 kernel/bpf/bpf_lru_list.h | 1 kernel/events/core.c | 6 kernel/rseq.c | 60 ++- lib/maple_tree.c | 14 mm/kasan/report.c | 13 mm/vmalloc.c | 22 - net/appletalk/ddp.c | 1 net/atm/clip.c | 64 ++- net/bluetooth/hci_event.c | 39 -- net/bluetooth/hci_sync.c | 215 +++++++----- net/ipv4/tcp.c | 2 net/ipv6/addrconf.c | 9 net/netlink/af_netlink.c | 82 ++-- net/rxrpc/call_accept.c | 4 net/sched/sch_api.c | 23 - net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 ++- net/wireless/util.c | 52 ++- scripts/gdb/linux/constants.py.in | 7 scripts/gdb/linux/interrupts.py | 16 scripts/gdb/linux/mapletree.py | 252 ++++++++++++++ scripts/gdb/linux/xarray.py | 28 + sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs35l56-shared.c | 2 sound/soc/fsl/fsl_asrc.c | 3 tools/arch/x86/include/asm/msr-index.h | 1 tools/build/feature/Makefile | 25 + tools/include/linux/kallsyms.h | 4 tools/perf/Makefile.perf | 27 + tools/testing/selftests/bpf/test_lru_map.c | 105 +++--- 117 files changed, 1937 insertions(+), 1031 deletions(-) Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alexander Gordeev (1): mm/vmalloc: leave lazy MMU mode on PTE mapping error Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Chao Yu (1): erofs: fix to add missing tracepoint in erofs_read_folio() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian Eggers (1): Bluetooth: HCI: Set extended advertising data synchronously Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (2): rxrpc: Fix bug due to prealloc collision rxrpc: Fix oops due to non-existence of prealloc backlog struct David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() EricChan (1): net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Fengnan Chang (1): io_uring: make fallocate be hashed work Filipe Manana (6): btrfs: remove noinline from btrfs_update_inode() btrfs: remove redundant root argument from btrfs_update_inode_fallback() btrfs: remove redundant root argument from fixup_inode_link_count() btrfs: return a btrfs_inode from btrfs_iget_logging() btrfs: fix inode lookup error handling during log replay btrfs: fix assertion when building free space tree Florian Fainelli (3): scripts/gdb: fix interrupts display after MCP on x86 scripts/gdb: de-reference per-CPU MCE interrupts scripts/gdb: fix interrupts.py after maple tree conversion Greg Kroah-Hartman (1): Linux 6.6.99 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jiayuan Chen (1): tcp: Correct signedness in skb remaining space calculation Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (3): usb: gadget: u_serial: Fix race condition in TTY wakeup Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" usb: dwc3: Abort suspend on soft disconnect failure Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lee Jones (1): usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Leo Yan (1): perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation Liam R. Howlett (1): maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Linus Torvalds (1): eventpoll: don't decrement ep refcount while still holding the ep mutex Long Li (1): net: mana: Record doorbell physical address in PF mode Luiz Augusto von Dentz (2): Bluetooth: hci_sync: Fix not disabling advertising instance Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Lukas Wunner (1): crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Luo Gengkun (1): perf/core: Fix the WARN_ON_ONCE is out of lock protected region Mario Limonciello (1): pinctrl: amd: Clear GPIO debounce for suspend Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Mikhail Paulyshka (1): x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Oleksij Rempel (4): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Paulo Alcantara (3): smb: client: avoid unnecessary reconnects when refreshing referrals smb: client: fix DFS interlink failover smb: client: fix potential race in cifs_put_tcon() Pawel Laszczak (2): usb:cdnsp: remove TRB_FLUSH_ENDPOINT command usb: cdnsp: Fix issue with CV Bad Descriptor test Peter Zijlstra (1): perf: Revert to requiring CAP_SYS_ADMIN for uprobes Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Richard Fitzgerald (1): ASoC: cs35l56: probe() should fail if the device ID is not recognized Ronnie Sahlberg (1): ublk: sanity check add_dev input for underflow Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shravya KN (1): bnxt_en: Fix DCB ETS validation Shyam Prasad N (1): cifs: all initializations for tcon should happen in tcon_info_alloc Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Stefano Garzarella (1): vsock: fix `vsock_proto` declaration Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Thomas Zimmermann (2): drm/gem: Acquire references on GEM handles for framebuffers drm/framebuffer: Acquire internal references on GEM handles Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Willem de Bruijn (2): bpf: Adjust free target to avoid global starvation of LRU map selftests/bpf: adapt one more case in test_lru_map to the new target_free Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (3): x86/mce/amd: Add default names for MCA banks and blocks x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path

3 weeks, 5 days

1
1
0 0

Linux 6.1.146

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.146 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/um/drivers/vector_kern.c | 42 --- arch/x86/Kconfig | 2 arch/x86/Makefile | 2 arch/x86/include/asm/cpufeatures.h | 2 arch/x86/kernel/cpu/mce/amd.c | 15 - arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kvm/svm/sev.c | 4 arch/x86/kvm/xen.c | 15 - drivers/acpi/battery.c | 19 - drivers/atm/idt77252.c | 5 drivers/block/nbd.c | 6 drivers/char/ipmi/ipmi_msghandler.c | 3 drivers/gpu/drm/drm_gem.c | 10 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/tegra/nvdec.c | 6 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-quirks.c | 3 drivers/input/joystick/xpad.c | 2 drivers/input/keyboard/atkbd.c | 3 drivers/md/md-bitmap.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/ibm/ibmvnic.h | 8 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/platform/x86/ideapad-laptop.c | 19 + drivers/pwm/pwm-mediatek.c | 13 drivers/tty/vt/vt.c | 1 drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++++-------------- drivers/usb/cdns3/cdnsp-ep0.c | 18 + drivers/usb/cdns3/cdnsp-gadget.c | 6 drivers/usb/cdns3/cdnsp-gadget.h | 11 drivers/usb/cdns3/cdnsp-ring.c | 27 - drivers/usb/dwc3/core.c | 9 drivers/usb/dwc3/gadget.c | 22 - drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/host/xhci-mem.c | 4 drivers/usb/host/xhci-pci.c | 30 ++ drivers/usb/host/xhci.h | 1 drivers/vhost/scsi.c | 7 fs/anon_inodes.c | 23 + fs/btrfs/free-space-tree.c | 16 - fs/btrfs/inode.c | 28 +- fs/erofs/data.c | 2 fs/erofs/zdata.c | 126 +++------ fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 - fs/smb/server/smb2pdu.c | 29 -- fs/smb/server/transport_rdma.c | 5 fs/smb/server/vfs.c | 1 include/drm/drm_file.h | 3 include/drm/spsc_queue.h | 4 include/linux/fs.h | 2 include/net/netfilter/nf_flow_table.h | 2 include/trace/events/erofs.h | 16 - kernel/events/core.c | 2 kernel/rseq.c | 60 +++- lib/maple_tree.c | 7 mm/kasan/report.c | 13 mm/secretmem.c | 11 net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +++- net/bluetooth/hci_sync.c | 2 net/ipv6/addrconf.c | 9 net/netlink/af_netlink.c | 82 +++-- net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 23 + net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 +++ sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/fsl/fsl_asrc.c | 3 tools/include/linux/kallsyms.h | 4 86 files changed, 900 insertions(+), 588 deletions(-) Achill Gilgenast (1): kallsyms: fix build without execinfo Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alexey Dobriyan (1): x86/boot: Compile boot code with -std=gnu11 too Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Basavaraj Natikar (1): xhci: Allow RPM on the USB controller (1022:43f7) by default Chao Yu (1): erofs: fix to add missing tracepoint in erofs_read_folio() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (1): drm/ttm: fix error handling in ttm_buffer_object_transfer Dan Carpenter (1): ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct David Woodhouse (1): KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Filipe Manana (2): btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: fix assertion when building free space tree Gao Xiang (3): erofs: allocate extra bvec pages directly instead of retrying erofs: avoid on-stack pagepool directly passed by arguments erofs: adapt folios for z_erofs_read_folio() Greg Kroah-Hartman (1): Linux 6.1.146 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Håkon Bugge (1): md/md-bitmap: fix GPF in bitmap_get_stats() JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jack Wang (1): x86: Fix X86_FEATURE_VERW_CLEAR definition Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup usb: dwc3: Abort suspend on soft disconnect failure Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lee Jones (1): usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Liam R. Howlett (1): maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Luiz Augusto von Dentz (1): Bluetooth: hci_sync: Fix not disabling advertising instance Mathy Vanhoef (1): wifi: prevent A-MSDU attacks in mesh networks Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Mikko Perttunen (1): drm/tegra: nvdec: Fix dma_alloc_coherent error check Mingming Cao (1): ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Namjae Jeon (1): ksmbd: fix potential use-after-free in oplock/lease break ack Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleksij Rempel (3): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Pawel Laszczak (2): usb:cdnsp: remove TRB_FLUSH_ENDPOINT command usb: cdnsp: Fix issue with CV Bad Descriptor test Peter Zijlstra (1): perf: Revert to requiring CAP_SYS_ADMIN for uprobes Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): usb: xhci: quirk for data loss in ISOC transfers Rong Zhang (1): platform/x86: ideapad-laptop: use usleep_range() for EC polling Sean Christopherson (1): KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shivank Garg (1): fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Shravya KN (1): bnxt_en: Fix DCB ETS validation Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Wei Yang (1): maple_tree: fix mt_destroy_walk() on root leaf node Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald (1): ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Yeoreum Yun (1): kasan: remove kasan_find_vm_area() to prevent possible deadlock Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yue Hu (2): erofs: remove the member readahead from struct z_erofs_decompress_frontend erofs: clean up z_erofs_pcluster_readmore() Yuzuru10 (1): ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path

3 weeks, 5 days

1
1
0 0

Linux 5.15.189

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.189 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/um/drivers/vector_kern.c | 42 - arch/x86/Kconfig | 2 arch/x86/include/asm/cpufeatures.h | 2 arch/x86/include/asm/xen/page.h | 3 arch/x86/kernel/cpu/mce/amd.c | 15 arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 drivers/acpi/battery.c | 19 drivers/atm/idt77252.c | 5 drivers/block/aoe/aoeblk.c | 5 drivers/block/nbd.c | 6 drivers/dma-buf/dma-resv.c | 171 ++++--- drivers/gpu/drm/drm_gem.c | 10 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/hid/hid-ids.h | 6 drivers/hid/hid-lenovo.c | 8 drivers/hid/hid-multitouch.c | 8 drivers/hid/hid-quirks.c | 3 drivers/infiniband/hw/mlx5/main.c | 33 + drivers/input/joystick/xpad.c | 2 drivers/input/keyboard/atkbd.c | 3 drivers/md/raid1.c | 1 drivers/md/raid10.c | 10 drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 29 - drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 28 + drivers/net/usb/qmi_wwan.c | 1 drivers/net/virtio_net.c | 44 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/qcom/pinctrl-msm.c | 20 drivers/pwm/pwm-mediatek.c | 15 drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 9 drivers/tty/hvc/hvc_xen.c | 2 drivers/tty/vt/vt.c | 1 drivers/usb/cdns3/cdnsp-debug.h | 358 +++++++--------- drivers/usb/cdns3/cdnsp-ep0.c | 18 drivers/usb/cdns3/cdnsp-gadget.c | 6 drivers/usb/cdns3/cdnsp-gadget.h | 11 drivers/usb/cdns3/cdnsp-ring.c | 27 - drivers/usb/dwc3/core.c | 9 drivers/usb/dwc3/gadget.c | 22 drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/host/xhci-mem.c | 4 drivers/usb/host/xhci-pci.c | 30 + drivers/usb/host/xhci-plat.c | 3 drivers/usb/host/xhci.h | 1 drivers/vhost/scsi.c | 7 drivers/xen/grant-table.c | 6 drivers/xen/xenbus/xenbus_probe.c | 3 fs/btrfs/inode.c | 36 - fs/jfs/jfs_dtree.c | 2 fs/ksmbd/transport_rdma.c | 5 fs/ksmbd/vfs.c | 1 fs/proc/array.c | 6 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 include/drm/drm_file.h | 3 include/drm/spsc_queue.h | 4 include/linux/dma-resv.h | 95 ++++ include/net/netfilter/nf_flow_table.h | 2 include/xen/arm/page.h | 3 kernel/bpf/verifier.c | 21 kernel/events/core.c | 2 kernel/rseq.c | 60 ++ net/appletalk/ddp.c | 1 net/atm/clip.c | 64 ++ net/core/skmsg.c | 12 net/ipv6/addrconf.c | 9 net/netlink/af_netlink.c | 82 ++- net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 23 - net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 57 ++ sound/soc/fsl/fsl_asrc.c | 3 79 files changed, 1015 insertions(+), 546 deletions(-) Akira Inoue (1): HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Al Viro (2): fix proc_sys_compare() handling of in-lookup dentries ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Alok Tiwari (1): net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Andrii Nakryiko (1): bpf: fix precision backtracking instruction iteration Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Basavaraj Natikar (1): xhci: Allow RPM on the USB controller (1022:43f7) by default Bui Quang Minh (1): virtio-net: ensure the received length does not exceed allocated size Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (3): dma-buf: add dma_resv_for_each_fence_unlocked v8 dma-buf: use new iterator in dma_resv_wait_timeout dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Edward Adam Davis (1): jfs: fix null ptr deref in dtInsertEntry Eric Dumazet (1): netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Filipe Manana (2): btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: use btrfs_record_snapshot_destroy() during rmdir Greg Kroah-Hartman (1): Linux 5.15.189 Guillaume Nault (1): gre: Fix IPv6 multicast route creation. Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Hongyu Xie (1): xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jack Wang (1): x86: Fix X86_FEATURE_VERW_CLEAR definition Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Jesse Brandeburg (1): ice: safer stats processing John Fastabend (1): bpf, sockmap: Fix skb refcnt race after locking changes Juergen Gross (1): xen: replace xen_remap() with memremap() Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kuen-Han Tsai (2): usb: gadget: u_serial: Fix race condition in TTY wakeup usb: dwc3: Abort suspend on soft disconnect failure Kuniyuki Iwashima (6): netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lee Jones (1): usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Lee, Chun-Yi (1): thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Maksim Kiselev (1): aoe: avoid potential deadlock at set_capacity Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nigel Croxon (1): raid10: cleanup memleak at raid10_make_request Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleg Nesterov (1): fs/proc: do_task_stat: use __for_each_thread() Oleksij Rempel (3): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Patrisious Haddad (1): RDMA/mlx5: Fix vport loopback for MPV device Pawel Laszczak (2): usb:cdnsp: remove TRB_FLUSH_ENDPOINT command usb: cdnsp: Fix issue with CV Bad Descriptor test Peter Zijlstra (1): perf: Revert to requiring CAP_SYS_ADMIN for uprobes Rafael J. Wysocki (1): Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): usb: xhci: quirk for data loss in ISOC transfers Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shravya KN (1): bnxt_en: Fix DCB ETS validation Simona Vetter (1): drm/gem: Fix race in drm_gem_handle_create_tail() Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefan Metzmacher (1): smb: server: make use of rdma_destroy_qp() Thomas Fourier (1): atm: idt77252: Add missing `dma_map_error()` Tiwei Bie (1): um: vector: Reduce stack usage in vector_eth_configure() Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Zheng Qixing (1): nbd: fix uaf in nbd_genl_connect() error path

3 weeks, 5 days

1
1
0 0

Linux 5.10.240

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.240 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 2 Documentation/ABI/testing/sysfs-driver-ufs | 2 Documentation/admin-guide/hw-vuln/index.rst | 1 Documentation/admin-guide/hw-vuln/indirect-target-selection.rst | 156 +++++ Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst | 4 Documentation/admin-guide/kernel-parameters.txt | 28 Documentation/devicetree/bindings/serial/8250.yaml | 2 Makefile | 2 arch/arm64/mm/mmu.c | 3 arch/powerpc/include/uapi/asm/ioctls.h | 8 arch/s390/Makefile | 2 arch/s390/purgatory/Makefile | 2 arch/um/drivers/ubd_user.c | 2 arch/um/drivers/vector_kern.c | 42 - arch/um/include/asm/asm-prototypes.h | 5 arch/x86/Kconfig | 22 arch/x86/entry/entry.S | 8 arch/x86/include/asm/alternative.h | 26 arch/x86/include/asm/cpu.h | 13 arch/x86/include/asm/cpufeature.h | 5 arch/x86/include/asm/cpufeatures.h | 14 arch/x86/include/asm/disabled-features.h | 2 arch/x86/include/asm/irqflags.h | 4 arch/x86/include/asm/msr-index.h | 13 arch/x86/include/asm/mwait.h | 19 arch/x86/include/asm/nospec-branch.h | 50 + arch/x86/include/asm/required-features.h | 2 arch/x86/include/asm/text-patching.h | 31 + arch/x86/kernel/alternative.c | 308 +++++++++- arch/x86/kernel/cpu/amd.c | 58 + arch/x86/kernel/cpu/bugs.c | 272 ++++++++ arch/x86/kernel/cpu/common.c | 77 ++ arch/x86/kernel/cpu/mce/amd.c | 15 arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 arch/x86/kernel/cpu/scattered.c | 1 arch/x86/kernel/ftrace.c | 4 arch/x86/kernel/kprobes/core.c | 39 - arch/x86/kernel/module.c | 14 arch/x86/kernel/process.c | 15 arch/x86/kernel/static_call.c | 2 arch/x86/kernel/vmlinux.lds.S | 8 arch/x86/kvm/cpuid.c | 31 - arch/x86/kvm/cpuid.h | 1 arch/x86/kvm/svm/vmenter.S | 3 arch/x86/kvm/vmx/vmx.c | 2 arch/x86/kvm/x86.c | 4 arch/x86/lib/retpoline.S | 39 + arch/x86/net/bpf_jit_comp.c | 8 arch/x86/um/asm/checksum.h | 3 drivers/acpi/acpi_pad.c | 7 drivers/acpi/acpica/dsmethod.c | 7 drivers/acpi/battery.c | 19 drivers/ata/pata_cs5536.c | 2 drivers/atm/idt77252.c | 5 drivers/base/cpu.c | 15 drivers/dma-buf/dma-resv.c | 2 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 drivers/gpu/drm/bridge/cdns-dsi.c | 27 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 drivers/gpu/drm/i915/selftests/i915_request.c | 20 drivers/gpu/drm/i915/selftests/mock_request.c | 2 drivers/gpu/drm/tegra/dc.c | 17 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/udl/udl_drv.c | 2 drivers/gpu/drm/v3d/v3d_drv.h | 7 drivers/gpu/drm/v3d/v3d_gem.c | 2 drivers/gpu/drm/v3d/v3d_irq.c | 38 - drivers/hid/hid-ids.h | 5 drivers/hid/hid-quirks.c | 3 drivers/hid/wacom_sys.c | 6 drivers/hv/channel_mgmt.c | 117 ++- drivers/hv/hyperv_vmbus.h | 19 drivers/hv/vmbus_drv.c | 2 drivers/hwmon/pmbus/max34440.c | 48 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/pressure/zpa2326.c | 2 drivers/infiniband/core/iwcm.c | 38 - drivers/infiniband/core/iwcm.h | 2 drivers/infiniband/hw/mlx5/counters.c | 2 drivers/infiniband/hw/mlx5/devx.c | 2 drivers/infiniband/hw/mlx5/main.c | 33 + drivers/input/joystick/xpad.c | 5 drivers/input/keyboard/atkbd.c | 3 drivers/leds/led-class-multicolor.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/bcache/super.c | 7 drivers/md/dm-raid.c | 2 drivers/md/md-bitmap.c | 2 drivers/md/raid1.c | 1 drivers/media/platform/omap3isp/ispccdc.c | 8 drivers/media/platform/omap3isp/ispstat.c | 6 drivers/media/usb/uvc/uvc_ctrl.c | 61 + drivers/mfd/max14577.c | 1 drivers/misc/vmw_vmci/vmci_host.c | 9 drivers/mmc/host/mtk-sd.c | 39 - drivers/mmc/host/sdhci.c | 9 drivers/mmc/host/sdhci.h | 16 drivers/net/can/m_can/m_can.c | 2 drivers/net/can/m_can/tcan4x5x.c | 9 drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/atheros/atlx/atl1.c | 78 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/cisco/enic/enic_main.c | 4 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 +++- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/sun/niu.c | 31 - drivers/net/ethernet/sun/niu.h | 4 drivers/net/ethernet/xilinx/ll_temac_main.c | 2 drivers/net/phy/microchip.c | 2 drivers/net/phy/smsc.c | 28 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/ath/ath6kl/bmi.c | 4 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 drivers/pci/controller/pci-hyperv.c | 17 drivers/pinctrl/qcom/pinctrl-msm.c | 20 drivers/platform/mellanox/mlxbf-tmfifo.c | 3 drivers/pwm/pwm-mediatek.c | 15 drivers/regulator/gpio-regulator.c | 4 drivers/rtc/lib_test.c | 2 drivers/rtc/rtc-cmos.c | 10 drivers/scsi/qla2xxx/qla_mbx.c | 2 drivers/scsi/qla4xxx/ql4_os.c | 2 drivers/scsi/ufs/ufs-sysfs.c | 4 drivers/spi/spi-fsl-dspi.c | 11 drivers/staging/rtl8723bs/core/rtw_security.c | 46 - drivers/target/target_core_pr.c | 4 drivers/tty/vt/vt.c | 1 drivers/uio/uio_hv_generic.c | 18 drivers/usb/class/cdc-wdm.c | 23 drivers/usb/common/usb-conn-gpio.c | 25 drivers/usb/core/quirks.c | 3 drivers/usb/core/usb.c | 14 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/host/xhci-dbgcap.c | 4 drivers/usb/host/xhci-dbgtty.c | 1 drivers/usb/typec/altmodes/displayport.c | 5 drivers/usb/typec/tcpm/tcpci_maxim.c | 20 drivers/vhost/scsi.c | 7 fs/btrfs/inode.c | 36 - fs/btrfs/tree-log.c | 4 fs/btrfs/volumes.c | 6 fs/ceph/file.c | 2 fs/cifs/misc.c | 8 fs/f2fs/super.c | 30 fs/jfs/jfs_dmap.c | 41 - fs/namespace.c | 8 fs/nfs/flexfilelayout/flexfilelayout.c | 121 ++- fs/nfs/inode.c | 17 fs/nfs/nfs4proc.c | 12 fs/nfs/pnfs.c | 4 fs/overlayfs/util.c | 4 fs/proc/array.c | 6 fs/proc/inode.c | 2 fs/proc/proc_sysctl.c | 18 include/drm/spsc_queue.h | 4 include/linux/cpu.h | 3 include/linux/hyperv.h | 2 include/linux/ipv6.h | 1 include/linux/module.h | 5 include/linux/usb/typec_dp.h | 1 include/uapi/linux/vm_sockets.h | 30 kernel/events/core.c | 2 kernel/rcu/tree.c | 4 kernel/rseq.c | 60 + lib/test_objagg.c | 4 net/appletalk/ddp.c | 1 net/atm/clip.c | 75 +- net/atm/resources.c | 3 net/bluetooth/l2cap_core.c | 9 net/ipv6/ip6_output.c | 9 net/mac80211/rx.c | 4 net/mac80211/util.c | 2 net/netlink/af_netlink.c | 82 +- net/rose/rose_route.c | 15 net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 42 - net/sched/sch_sfq.c | 10 net/tipc/topsrv.c | 2 net/vmw_vsock/af_vsock.c | 78 ++ net/vmw_vsock/vmci_transport.c | 4 sound/isa/sb/sb16_main.c | 4 sound/pci/hda/hda_bind.c | 2 sound/pci/hda/hda_intel.c | 3 sound/soc/fsl/fsl_asrc.c | 3 sound/usb/stream.c | 2 tools/lib/bpf/btf_dump.c | 3 202 files changed, 2709 insertions(+), 793 deletions(-) Al Viro (2): attach_recursive_mnt(): do not lock the covering tree when sliding something under it fix proc_sys_compare() handling of in-lookup dentries Alexandre Belloni (1): rtc: lib_test: add MODULE_LICENSE Alexandru Ardelean (1): uio: uio_hv_generic: use devm_kzalloc() for private data alloc Alexis Czezar Torreno (1): hwmon: (pmbus/max34440) Fix support for max34451 Alok Tiwari (2): enic: fix incorrect MTU comparison in enic_change_mtu() net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Amit Sunil Dhamne (1): usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Andra Paraschiv (4): vm_sockets: Add flags field in the vsock address data structure vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path af_vsock: Assign the vsock transport considering the vsock address flags Andrei Kuchynski (1): usb: typec: displayport: Fix potential deadlock Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Aradhya Bhatia (4): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Badhri Jagan Sridharan (1): usb: typec: tcpci_maxim: Fix uninitialized return variable Bart Van Assche (1): scsi: ufs: core: Fix spelling of a sysfs attribute name Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Benjamin Coddington (1): NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Borislav Petkov (5): x86/bugs: Rename MDS machinery to something more generic x86/bugs: Add a Transient Scheduler Attacks mitigation KVM: x86: add support for CPUID leaf 0x80000021 KVM: SVM: Advertise TSA CPUID bits to guests x86/process: Move the buffer clearing before MONITOR Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Brett A C Sheffield (Librecast) (1): Revert "ipv6: save dontfrag in cork" Brett Werling (1): can: tcan4x5x: fix power regulator retrieval during probe Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chance Yang (1): usb: common: usb-conn-gpio: use a unique name for usb connector device Chao Yu (1): f2fs: don't over-report free space or inodes in statvfs Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (1): dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Dan Carpenter (2): drm/i915/selftests: Change mock_request() to return error pointers lib: test_objagg: Set error message in check_expect_hints_stats() Daniel Sneddon (1): x86/bhi: Define SPEC_CTRL_BHI_DIS_S Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct David Thompson (1): platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Dev Jain (1): arm64: Restrict pagetable teardown to avoid false warning Dexuan Cui (1): PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Eric Dumazet (2): net_sched: sch_sfq: reject invalid perturb period atm: clip: prevent NULL deref in clip_push() Filipe Manana (3): btrfs: fix missing error handling when searching for inode refs during log replay btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: use btrfs_record_snapshot_destroy() during rmdir Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fushuai Wang (1): dpaa2-eth: fix xdp_rxq_info leak George Kennedy (1): VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Greg Kroah-Hartman (1): Linux 5.10.240 Gustavo A. R. Silva (1): net: rose: Fix fall-through warnings for Clang Haiyang Zhang (1): Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID HarshaVardhana S A (1): vsock/vmci: Clear the vmci transport packet properly when initializing it Heinz Mauelshagen (1): dm-raid: fix variable in journal device check Ioana Ciornei (2): dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb James Clark (1): spi: spi-fsl-dspi: Clear completion counter before initiating transfer Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Janusz Krzysztofik (1): drm/i915/gt: Fix timeline left held on VMA alloc error Jay Cornwall (1): drm/amdkfd: Fix race in GWS queue scheduling Johannes Berg (3): ata: pata_cs5536: fix build on 32-bit UML wifi: mac80211: drop invalid source address OCB frames wifi: ath6kl: remove WARN on bad firmware input Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization Junlin Yang (2): usb: typec: tcpci_maxim: remove redundant assignment usb: typec: tcpci_maxim: add terminating newlines to logging Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kohei Enju (1): rose: fix dangling neighbour pointers in rose_rt_device_down() Krzysztof Kozlowski (1): mfd: max14577: Fix wakeup source leaks on device unbind Kuen-Han Tsai (1): usb: gadget: u_serial: Fix race condition in TTY wakeup Kuniyuki Iwashima (8): atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Linggang Zeng (1): bcache: fix NULL pointer in cache_set_flush() Lion Ackermann (1): net/sched: Always pass notifications when child class becomes empty Long Li (1): uio_hv_generic: Align ring size to system page Madhavan Srinivasan (1): powerpc: Fix struct termio related ioctl macros Manivannan Sadhasivam (1): regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Marek Szyprowski (2): media: omap3isp: use sgtable-based scatterlist wrappers drm/exynos: fimd: Guard display clock control with runtime PM calls Mark Harmstone (1): btrfs: update superblock's device bytes_used when dropping chunk Mark Zhang (1): RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert Masami Hiramatsu (Google) (2): mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data mtk-sd: Prevent memory corruption from DMA map failure Mateusz Jończyk (1): rtc: cmos: use spin_lock_irqsave in cmos_interrupt Mathias Nyman (1): xhci: dbc: Flush queued requests before stopping dbc Matt Reynolds (1): Input: xpad - add support for Amazon Game Controller Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Maurizio Lombardi (1): scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Maíra Canal (1): drm/v3d: Disable interrupts before resetting the GPU Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michal Luczaj (3): vsock: Fix transport_{g2h,h2g} TOCTOU vsock: Fix transport_* TOCTOU vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Nathan Chancellor (2): s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Nicolas Pitre (1): vt: add missing notification when switching back to text mode Niklas Cassel (1): PCI: cadence-ep: Correct PBA offset in .set_msix() callback Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleg Nesterov (1): fs/proc: do_task_stat: use __for_each_thread() Oleksij Rempel (3): net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Olga Kornievskaia (1): NFSv4.2: fix listxattr to return selinux security label Oliver Neukum (1): Logitech C-270 even more broken Pali Rohár (1): cifs: Fix cifs_query_path_info() for Windows NT servers Patrisious Haddad (2): RDMA/mlx5: Fix CC counters query for MPV RDMA/mlx5: Fix vport loopback for MPV device Pawan Gupta (7): Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Fix undefined reference to cpu_wants_rethunk_at() x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs Peng Fan (1): mailbox: Not protect module_put with spin_lock_irqsave Peter Zijlstra (5): perf: Revert to requiring CAP_SYS_ADMIN for uprobes x86/alternatives: Introduce int3_emulate_jcc() x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak Qiu-ji Chen (1): drm/tegra: Fix a possible null pointer dereference RD Babiera (1): usb: typec: altmodes/displayport: do not index invalid pin_assignments Radu Bulie (2): dpaa2-eth: Update dpni_get_single_step_cfg command dpaa2-eth: Update SINGLE_STEP register access Rafael J. Wysocki (2): ACPICA: Refuse to evaluate a method if arguments are missing Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): amd-xgbe: align CL37 AN sequence as per databook Ricardo Ribalda (3): media: uvcvideo: Return the number of processed controls media: uvcvideo: Send control events for partial succeeds media: uvcvideo: Rollback non processed entities on error Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Sami Tolvanen (1): um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Saurabh Sengar (2): Drivers: hv: vmbus: Add utility function for querying ring size uio_hv_generic: Query the ringbuffer size for device Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Sergey Senozhatsky (1): mtk-sd: reset host->mrq on prepare_data() error Shengjiu Wang (1): ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Shin'ichiro Kawasaki (1): RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Shravya KN (1): bnxt_en: Fix DCB ETS validation Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Sven Schwermer (1): leds: multicolor: Fix intensity setting while SW blinking Takashi Iwai (1): ALSA: sb: Force to disable DMAs once when DMA mode is changed Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Fourier (5): scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() nui: Fix dma_mapping_error() check ethernet: atl1: Add missing DMA mapping error checks and count errors atm: idt77252: Add missing `dma_map_error()` Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Thomas Gleixner (1): x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Thomas Zimmermann (1): drm/udl: Unregister device before cleaning up on disconnect Tigran Mkrtchyan (1): flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Tiwei Bie (2): um: ubd: Add missing error check in start_io_thread() um: vector: Reduce stack usage in vector_eth_configure() Trond Myklebust (1): NFSv4/flexfiles: Fix handling of NFS level errors in I/O Uladzislau Rezki (Sony) (1): rcu: Return early if callback is not specified Ulf Hansson (1): Revert "mmc: sdhci: Disable SD card clock before changing parameters" Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vicki Pfau (1): Input: xpad - add VID for Turtle Beach controllers Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Victor Shih (1): mmc: sdhci: Add a helper function for dump register in dynamic debug mode Vijendar Mukunda (1): ALSA: hda: Add new pci id for AMD GPU display HD audio controller Vitaly Kuznetsov (1): Drivers: hv: Rename 'alloced' to 'allocated' Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Weihang Li (1): RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Wolfram Sang (2): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages Wupeng Ma (1): VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yao Zi (1): dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (1): md/md-bitmap: fix dm-raid max_write_behind setting Yuan Chen (1): libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yue Hu (1): mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Łukasz Bartosik (1): xhci: dbctty: disable ECHO flag by default

3 weeks, 5 days

1
1
0 0

Linux 5.4.296

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.296 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-driver-ufs | 2 Makefile | 2 arch/arm64/mm/mmu.c | 3 arch/powerpc/include/uapi/asm/ioctls.h | 8 arch/s390/Makefile | 2 arch/s390/purgatory/Makefile | 2 arch/um/drivers/ubd_user.c | 2 arch/x86/Kconfig | 2 arch/x86/kernel/cpu/mce/amd.c | 15 - arch/x86/kernel/cpu/mce/core.c | 8 arch/x86/kernel/cpu/mce/intel.c | 1 drivers/acpi/acpi_pad.c | 7 drivers/acpi/acpica/dsmethod.c | 7 drivers/acpi/battery.c | 19 - drivers/ata/pata_cs5536.c | 2 drivers/atm/idt77252.c | 5 drivers/dma-buf/dma-resv.c | 5 drivers/dma/xilinx/xilinx_dma.c | 2 drivers/gpu/drm/bridge/cdns-dsi.c | 11 drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 3 drivers/gpu/drm/i915/selftests/i915_request.c | 20 - drivers/gpu/drm/i915/selftests/mock_request.c | 2 drivers/gpu/drm/tegra/dc.c | 12 drivers/gpu/drm/tegra/hub.c | 4 drivers/gpu/drm/tegra/hub.h | 3 drivers/gpu/drm/v3d/v3d_drv.h | 9 drivers/gpu/drm/v3d/v3d_gem.c | 2 drivers/gpu/drm/v3d/v3d_irq.c | 36 +- drivers/hid/hid-ids.h | 5 drivers/hid/hid-quirks.c | 3 drivers/hid/wacom_sys.c | 6 drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 drivers/i2c/busses/i2c-tiny-usb.c | 6 drivers/iio/pressure/zpa2326.c | 2 drivers/infiniband/core/device.c | 1 drivers/infiniband/core/iwcm.c | 38 +- drivers/infiniband/core/iwcm.h | 2 drivers/infiniband/core/uverbs_std_types_counters.c | 17 - drivers/infiniband/hw/mlx5/devx.c | 2 drivers/infiniband/hw/mlx5/main.c | 55 ++- drivers/input/joystick/xpad.c | 5 drivers/input/keyboard/atkbd.c | 3 drivers/mailbox/mailbox.c | 2 drivers/md/dm-raid.c | 2 drivers/md/md-bitmap.c | 2 drivers/md/raid1.c | 1 drivers/media/platform/omap3isp/ispccdc.c | 8 drivers/media/platform/omap3isp/ispstat.c | 6 drivers/media/platform/vivid/vivid-vid-cap.c | 2 drivers/media/usb/dvb-usb/cxusb.c | 36 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 +++- drivers/mfd/max14577.c | 1 drivers/misc/vmw_vmci/vmci_host.c | 9 drivers/mmc/host/mtk-sd.c | 39 +- drivers/mmc/host/sdhci.c | 9 drivers/mmc/host/sdhci.h | 16 + drivers/net/can/m_can/m_can.c | 2 drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 drivers/net/ethernet/amd/xgbe/xgbe.h | 4 drivers/net/ethernet/atheros/atlx/atl1.c | 78 +++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 drivers/net/ethernet/cisco/enic/enic_main.c | 4 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 drivers/net/ethernet/sun/niu.c | 31 ++ drivers/net/ethernet/sun/niu.h | 4 drivers/net/phy/microchip.c | 2 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/ath/ath6kl/bmi.c | 4 drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 drivers/pinctrl/qcom/pinctrl-msm.c | 20 + drivers/platform/mellanox/mlxbf-tmfifo.c | 3 drivers/pwm/pwm-mediatek.c | 15 - drivers/regulator/gpio-regulator.c | 19 + drivers/scsi/qla4xxx/ql4_os.c | 2 drivers/scsi/ufs/ufs-sysfs.c | 4 drivers/spi/spi-fsl-dspi.c | 55 ++- drivers/staging/rtl8723bs/core/rtw_security.c | 46 --- drivers/tty/serial/uartlite.c | 15 - drivers/tty/vt/vt.c | 1 drivers/usb/class/cdc-wdm.c | 23 - drivers/usb/core/quirks.c | 3 drivers/usb/core/usb.c | 14 drivers/usb/gadget/function/f_tcm.c | 4 drivers/usb/gadget/function/u_serial.c | 6 drivers/usb/typec/altmodes/displayport.c | 5 fs/btrfs/inode.c | 36 +- fs/btrfs/ioctl.c | 3 fs/btrfs/tree-log.c | 4 fs/ceph/file.c | 2 fs/cifs/misc.c | 8 fs/jfs/jfs_dmap.c | 41 -- fs/namespace.c | 8 fs/nfs/flexfilelayout/flexfilelayout.c | 144 +++++++-- fs/nfs/inode.c | 17 - fs/overlayfs/util.c | 4 fs/proc/inode.c | 16 - fs/proc/proc_sysctl.c | 18 - include/drm/spsc_queue.h | 4 include/linux/of.h | 291 +++++++++----------- include/linux/regulator/gpio-regulator.h | 2 include/linux/usb/typec_dp.h | 1 include/rdma/ib_verbs.h | 7 include/uapi/linux/vm_sockets.h | 4 init/Kconfig | 4 lib/test_objagg.c | 4 net/appletalk/ddp.c | 1 net/atm/clip.c | 64 +++- net/atm/resources.c | 3 net/bluetooth/l2cap_core.c | 9 net/bpfilter/Makefile | 5 net/ipv6/route.c | 3 net/mac80211/rx.c | 4 net/mac80211/util.c | 2 net/netlink/af_netlink.c | 82 +++-- net/rose/rose_route.c | 15 - net/rxrpc/call_accept.c | 3 net/sched/sch_api.c | 42 +- net/tipc/topsrv.c | 2 net/vmw_vsock/vmci_transport.c | 4 scripts/Kbuild.include | 2 scripts/Makefile.host | 4 scripts/Makefile.lib | 8 sound/isa/sb/sb16_main.c | 4 sound/pci/hda/hda_bind.c | 2 sound/soc/meson/meson-card-utils.c | 2 sound/usb/stream.c | 2 usr/include/Makefile | 6 132 files changed, 1178 insertions(+), 680 deletions(-) Al Viro (2): attach_recursive_mnt(): do not lock the covering tree when sliding something under it fix proc_sys_compare() handling of in-lookup dentries Alok Tiwari (1): enic: fix incorrect MTU comparison in enic_change_mtu() Andrei Kuchynski (1): usb: typec: displayport: Fix potential deadlock Andy Shevchenko (1): usb: Add checks for snprintf() calls in usb_alloc_dev() Aradhya Bhatia (3): drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() drm/bridge: cdns-dsi: Fix connecting to next bridge drm/bridge: cdns-dsi: Check return value when getting default PHY config Arnd Bergmann (1): kbuild: hdrcheck: fix cross build with clang Bart Van Assche (1): scsi: ufs: core: Fix spelling of a sysfs attribute name Bartosz Golaszewski (1): pinctrl: qcom: msm: mark certain pins as invalid for interrupts Cezary Rojewski (1): ALSA: hda: Ignore unsol events for cards being shut down Chen Yufeng (1): usb: potential integer overflow in usbg_make_tpg() Chia-Lin Kao (AceLan) (1): HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Christian König (1): dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Dan Carpenter (2): lib: test_objagg: Set error message in check_expect_hints_stats() drm/i915/selftests: Change mock_request() to return error pointers Daniil Dulov (1): wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Dave Kleikamp (1): fs/jfs: consolidate sanity checking in dbMount David Howells (1): rxrpc: Fix oops due to non-existence of prealloc backlog struct David Thompson (1): platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Denis Arefev (1): media: vivid: Change the siize of the composing Dev Jain (1): arm64: Restrict pagetable teardown to avoid false warning Dmitry Kandybka (1): ceph: fix possible integer overflow in ceph_zero_objects() Edward Adam Davis (1): media: cxusb: no longer judge rbuf when the write fails Eric W. Biederman (1): proc: Clear the pieces of proc_inode that proc_evict_inode cares about Filipe Manana (3): btrfs: fix missing error handling when searching for inode refs during log replay btrfs: propagate last_unlink_trans earlier when doing a rmdir btrfs: use btrfs_record_snapshot_destroy() during rmdir Frédéric Danis (1): Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fushuai Wang (1): dpaa2-eth: fix xdp_rxq_info leak Georg Kohmann (1): net: ipv6: Discard next-hop MTU less than minimum link MTU George Kennedy (1): VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Greg Kroah-Hartman (1): Linux 5.4.296 Gustavo A. R. Silva (1): net: rose: Fix fall-through warnings for Clang Hans de Goede (1): Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID HarshaVardhana S A (1): vsock/vmci: Clear the vmci transport packet properly when initializing it Heinz Mauelshagen (1): dm-raid: fix variable in journal device check JP Kobryn (1): x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Jakub Kicinski (1): netlink: make sure we allow at least one dump skb Jakub Lewalski (1): tty: serial: uartlite: register uart driver in init James Clark (1): spi: spi-fsl-dspi: Clear completion counter before initiating transfer Jann Horn (1): x86/mm: Disable hugetlb page table sharing on 32-bit Janusz Krzysztofik (1): drm/i915/gt: Fix timeline left held on VMA alloc error Jerome Neanne (1): regulator: gpio: Add input_supply support in gpio_regulator_config Johannes Berg (3): ata: pata_cs5536: fix build on 32-bit UML wifi: mac80211: drop invalid source address OCB frames wifi: ath6kl: remove WARN on bad firmware input Jonathan Cameron (1): iio: pressure: zpa2326: Use aligned_s64 for the timestamp Jos Wang (1): usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Kaustabh Chakraborty (1): drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Kees Cook (1): ovl: Check for NULL d_inode() in ovl_dentry_upper() Kito Xu (1): net: appletalk: Fix device refcount leak in atrtr_create() Kohei Enju (1): rose: fix dangling neighbour pointers in rose_rt_device_down() Krzysztof Kozlowski (1): mfd: max14577: Fix wakeup source leaks on device unbind Kuen-Han Tsai (1): usb: gadget: u_serial: Fix race condition in TTY wakeup Kuniyuki Iwashima (8): atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. netlink: Fix wraparounds of sk->sk_rmem_alloc. tipc: Fix use-after-free in tipc_conn_close(). atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix infinite recursive call of clip_push(). netlink: Fix rmem check in netlink_broadcast_deliver(). Lachlan Hodges (1): wifi: mac80211: fix beacon interval calculation overflow Leon Romanovsky (1): RDMA/core: Create and destroy counters in the ib_core Lion Ackermann (1): net/sched: Always pass notifications when child class becomes empty Madhavan Srinivasan (1): powerpc: Fix struct termio related ioctl macros Manivannan Sadhasivam (1): regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Marek Szyprowski (2): media: omap3isp: use sgtable-based scatterlist wrappers drm/exynos: fimd: Guard display clock control with runtime PM calls Mark Zhang (1): RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert Martin Blumenstingl (1): ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Masahiro Yamada (3): kbuild: use -MMD instead of -MD to exclude system headers from dependency bpfilter: match bit size of bpfilter_umh to that of the kernel kbuild: add --target to correctly cross-compile UAPI headers with Clang Masami Hiramatsu (Google) (2): mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data mtk-sd: Prevent memory corruption from DMA map failure Matt Reynolds (1): Input: xpad - add support for Amazon Game Controller Matthew Brost (1): drm/sched: Increment job count before swapping tail spsc queue Maíra Canal (1): drm/v3d: Disable interrupts before resetting the GPU Michael Walle (1): of: property: define of_property_read_u{8,16,32,64}_array() unconditionally Nathan Chancellor (2): s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Nicolas Pitre (1): vt: add missing notification when switching back to text mode Nilton Perim Neto (1): Input: xpad - support Acer NGR 200 Controller Oleksij Rempel (1): net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oliver Neukum (1): Logitech C-270 even more broken Omar Sandoval (1): btrfs: don't abort filesystem when attempting to snapshot deleted subvolume Pali Rohár (1): cifs: Fix cifs_query_path_info() for Windows NT servers Patrisious Haddad (2): RDMA/mlx5: Fix CC counters query for MPV RDMA/mlx5: Fix vport loopback for MPV device Peng Fan (1): mailbox: Not protect module_put with spin_lock_irqsave Qasim Ijaz (3): HID: wacom: fix memory leak on kobject creation failure HID: wacom: fix memory leak on sysfs attribute creation failure HID: wacom: fix kobject reference count leak RD Babiera (1): usb: typec: altmodes/displayport: do not index invalid pin_assignments Rafael J. Wysocki (2): ACPICA: Refuse to evaluate a method if arguments are missing Revert "ACPI: battery: negate current when discharging" Raju Rangoju (1): amd-xgbe: align CL37 AN sequence as per databook Ricardo Ribalda (3): media: uvcvideo: Return the number of processed controls media: uvcvideo: Send control events for partial succeeds media: uvcvideo: Rollback non processed entities on error Rob Herring (1): of: Add of_property_present() helper Robert Hodaszi (1): usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Sean Nyekjaer (1): can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Sean Young (1): media: cxusb: use dev_dbg() rather than hand-rolled debug Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Sergey Senozhatsky (1): mtk-sd: reset host->mrq on prepare_data() error Shin'ichiro Kawasaki (1): RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Shravya KN (1): bnxt_en: Fix DCB ETS validation Simon Horman (1): net: enetc: Correct endianness handling in _enetc_rd_reg64 Somnath Kotur (1): bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Stefano Garzarella (1): vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Takashi Iwai (1): ALSA: sb: Force to disable DMAs once when DMA mode is changed Thierry Reding (1): drm/tegra: Assign plane type before registration Thomas Fourier (4): scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() nui: Fix dma_mapping_error() check ethernet: atl1: Add missing DMA mapping error checks and count errors atm: idt77252: Add missing `dma_map_error()` Thomas Gessler (1): dmaengine: xilinx_dma: Set dma_device directions Tigran Mkrtchyan (1): flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Tiwei Bie (1): um: ubd: Add missing error check in start_io_thread() Trond Myklebust (1): NFSv4/flexfiles: Fix handling of NFS level errors in I/O Ulf Hansson (1): Revert "mmc: sdhci: Disable SD card clock before changing parameters" Uwe Kleine-König (1): pwm: mediatek: Ensure to disable clocks in error path Vasiliy Kovalev (1): jfs: validate AG parameters in dbMount() to prevent crashes Vicki Pfau (1): Input: xpad - add VID for Turtle Beach controllers Victor Nogueira (1): net/sched: Abort __tc_modify_qdisc if parent class does not exist Victor Shih (1): mmc: sdhci: Add a helper function for dump register in dynamic debug mode Vladimir Oltean (2): spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path Wang Jinchao (1): md/raid1: Fix stack memory use after return in raid1_reshape Weihang Li (1): RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Wolfram Sang (2): i2c: tiny-usb: disable zero-length read messages i2c: robotfuzz-osif: disable zero-length read messages Wupeng Ma (1): VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Xiaowei Li (1): net: usb: qmi_wwan: add SIMCom 8230C composition Yazen Ghannam (2): x86/mce/amd: Fix threshold limit reset x86/mce: Don't remove sysfs if thresholding sysfs init fails Youngjun Lee (1): ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Yu Kuai (1): md/md-bitmap: fix dm-raid max_write_behind setting Yue Haibing (1): atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Yue Hu (1): mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Zhang Heng (1): HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY

3 weeks, 5 days

1
1
0 0

[PATCH vulns] CVE-2022-49501: Fix affected versions

by He Zhe

As mentioned in the commit log of the fix, it is commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()") that causes this CVE. Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- cve/published/2022/CVE-2022-49501.vulnerable | 1 + 1 file changed, 1 insertion(+) create mode 100644 cve/published/2022/CVE-2022-49501.vulnerable diff --git a/cve/published/2022/CVE-2022-49501.vulnerable b/cve/published/2022/CVE-2022-49501.vulnerable new file mode 100644 index 000000000..138b53caf --- /dev/null +++ b/cve/published/2022/CVE-2022-49501.vulnerable @@ -0,0 +1 @@ +2c9d6c2b871d5841ce26ede3e81fd37e2e33c42c -- 2.34.1

3 weeks, 5 days

2
1
0 0

[PATCH v2] iommu/amd: Fix geometry.aperture_end for V2 tables

by Jason Gunthorpe

The AMD IOMMU documentation seems pretty clear that the V2 table follows the normal CPU expectation of sign extension. This is shown in Figure 25: AMD64 Long Mode 4-Kbyte Page Address Translation Where bits Sign-Extend [63:57] == [56]. This is typical for x86 which would have three regions in the page table: lower, non-canonical, upper. The manual describes that the V1 table does not sign extend in section 2.2.4 Sharing AMD64 Processor and IOMMU Page Tables GPA-to-SPA Further, Vasant has checked this and indicates the HW has an addtional behavior that the manual does not yet describe. The AMDv2 table does not have the sign extended behavior when attached to PASID 0, which may explain why this has gone unnoticed. The iommu domain geometry does not directly support sign extended page tables. The driver should report only one of the lower/upper spaces. Solve this by removing the top VA bit from the geometry to use only the lower space. This will also make the iommu_domain work consistently on all PASID 0 and PASID != 1. Adjust dma_max_address() to remove the top VA bit. It now returns: 5 Level: Before 0x1ffffffffffffff After 0x0ffffffffffffff 4 Level: Before 0xffffffffffff After 0x7fffffffffff Fixes: 11c439a19466 ("iommu/amd/pgtbl_v2: Fix domain max address") Link: https://lore.kernel.org/all/8858d4d6-d360-4ef0-935c-bfd13ea54f42@amd.com/ Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> --- drivers/iommu/amd/iommu.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) v2: - Revise the commit message and comment with the new information from Vasant. v1: https://patch.msgid.link/r/0-v1-6925ece6b623+296-amdv2_geo_jgg@nvidia.com diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 3117d99cf83d0d..1baa9d3583f369 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -2526,8 +2526,21 @@ static inline u64 dma_max_address(enum protection_domain_mode pgtable) if (pgtable == PD_MODE_V1) return ~0ULL; - /* V2 with 4/5 level page table */ - return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1); + /* + * V2 with 4/5 level page table. Note that "2.2.6.5 AMD64 4-Kbyte Page + * Translation" shows that the V2 table sign extends the top of the + * address space creating a reserved region in the middle of the + * translation, just like the CPU does. Further Vasant says the docs are + * incomplete and this only applies to non-zero PASIDs. If the AMDv2 + * page table is assigned to the 0 PASID then there is no sign extension + * check. + * + * Since the IOMMU must have a fixed geometry, and the core code does + * not understand sign extended addressing, we have to chop off the high + * bit to get consistent behavior with attachments of the domain to any + * PASID. + */ + return ((1ULL << (PM_LEVEL_SHIFT(amd_iommu_gpt_level) - 1)) - 1); } static bool amd_iommu_hd_support(struct amd_iommu *iommu) base-commit: eb328711b15b17987021dbb674f446b7b008dca5 -- 2.43.0

3 weeks, 5 days

4
8
0 0

[PATCH] ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on reset)

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> There is an issue possible where TI AM33xx SoCs do not boot properly after a reset if EMU0/EMU1 pins were used as GPIO and have been driving low level actively prior to reset [1]. "Advisory 1.0.36 EMU0 and EMU1: Terminals Must be Pulled High Before ICEPick Samples The state of the EMU[1:0] terminals are latched during reset to determine ICEPick boot mode. For normal device operation, these terminals must be pulled up to a valid high logic level ( > VIH min) before ICEPick samples the state of these terminals, which occurs [five CLK_M_OSC clock cycles - 10 ns] after the falling edge of WARMRSTn. Many applications may not require the secondary GPIO function of the EMU[1:0] terminals. In this case, they would only be connected to pull-up resistors, which ensures they are always high when ICEPick samples. However, some applications may need to use these terminals as GPIO where they could be driven low before reset is asserted. This usage of the EMU[1:0] terminals may require special attention to ensure the terminals are allowed to return to a valid high-logic level before ICEPick samples the state of these terminals. When any device reset is asserted, the pin mux mode of EMU[1:0] terminals configured to operate as GPIO (mode 7) will change back to EMU input (mode 0) on the falling edge of WARMRSTn. This only provides a short period of time for the terminals to return high if driven low before reset is asserted... If the EMU[1:0] terminals are configured to operate as GPIO, the product should be designed such these terminals can be pulled to a valid high-logic level within 190 ns after the falling edge of WARMRSTn." We've noticed this problem with custom am335x hardware in combination with recently implemented cold reset method (commit 6521f6a195c70 ("ARM: AM33xx: PRM: Implement REBOOT_COLD")). It looks like the problem can affect other HW, for instance AM335x Chiliboard, because the latter has LEDs on GPIO3_7/GPIO3_8 as well. One option would be to check if the pins are in GPIO mode and either switch to output active high, or switch to input and poll until the external pull-ups have brought the pins to the desired high state. But fighting with GPIO driver for these pins is probably not the most straight forward approch in a reboot handler. Fortunately we can easily control pinmuxing here and rely on the external pull-ups. TI recommends 4k7 external pull up resistors [2] and even with quite conservative estimation for pin capacity (1 uF should never happen) the required delay shall not exceed 5ms. [1] Link: https://www.ti.com/lit/pdf/sprz360 [2] Link: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/8… Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- arch/arm/mach-omap2/am33xx-restart.c | 36 ++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/arch/arm/mach-omap2/am33xx-restart.c b/arch/arm/mach-omap2/am33xx-restart.c index fcf3d557aa786..3cdf223addcc2 100644 --- a/arch/arm/mach-omap2/am33xx-restart.c +++ b/arch/arm/mach-omap2/am33xx-restart.c @@ -2,12 +2,46 @@ /* * am33xx-restart.c - Code common to all AM33xx machines. */ +#include <dt-bindings/pinctrl/am33xx.h> +#include <linux/delay.h> #include <linux/kernel.h> #include <linux/reboot.h> #include "common.h" +#include "control.h" #include "prm.h" +/* + * Advisory 1.0.36 EMU0 and EMU1: Terminals Must be Pulled High Before + * ICEPick Samples + * + * If EMU0/EMU1 pins have been used as GPIO outputs and actively driving low + * level, the device might not reboot in normal mode. We are in a bad position + * to override GPIO state here, so just switch the pins into EMU input mode + * (that's what reset will do anyway) and wait a bit, because the state will be + * latched 190 ns after reset. + */ +static void am33xx_advisory_1_0_36(void) +{ + u32 emu0 = omap_ctrl_readl(AM335X_PIN_EMU0); + u32 emu1 = omap_ctrl_readl(AM335X_PIN_EMU1); + + /* If both pins are in EMU mode, nothing to do */ + if (!(emu0 & 7) && !(emu1 & 7)) + return; + + /* Switch GPIO3_7/GPIO3_8 into EMU0/EMU1 modes respectively */ + omap_ctrl_writel(emu0 & ~7, AM335X_PIN_EMU0); + omap_ctrl_writel(emu1 & ~7, AM335X_PIN_EMU1); + + /* + * Give pull-ups time to load the pin/PCB trace capacity. + * 5 ms shall be enough to load 1 uF (would be huge capacity for these + * pins) with TI-recommended 4k7 external pull-ups. + */ + mdelay(5); +} + /** * am33xx_restart - trigger a software restart of the SoC * @mode: the "reboot mode", see arch/arm/kernel/{setup,process}.c @@ -18,6 +52,8 @@ */ void am33xx_restart(enum reboot_mode mode, const char *cmd) { + am33xx_advisory_1_0_36(); + /* TODO: Handle cmd if necessary */ prm_reboot_mode = mode; -- 2.50.1

3 weeks, 5 days

1
0
0 0

Backport 36569780b0d6 ("sched: Change nr_uninterruptible type to unsigned long") to linux-stable

by Aruna Ramakrishna

Hi maintainers, Please consider backporting this upstream commit: 36569780b0d6 ("sched: Change nr_uninterruptible type to unsigned long”) into all stable branches newer than (and including) linux-5.14.y. This fixes an overflow bug introduced in commit: e6fe3f422be1 ("sched: Make multiple runqueue task counters 32-bit”) which was merged into 5.14. I forgot to tag the original patch for inclusion into stable - I apologize for the oversight. The patch should apply cleanly to all versions - let me know if you’d like me to send a separate patch for stable. Thanks very much, Aruna

3 weeks, 5 days

1
0
0 0

[PATCH net] phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()

by Nathan Chancellor

A new warning in clang [1] points out a place in pep_sock_accept() where dst is uninitialized then passed as a const pointer to pep_find_pipe(): net/phonet/pep.c:829:37: error: variable 'dst' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] 829 | newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); | ^~~: Move the call to pn_skb_get_dst_sockaddr(), which initializes dst, to before the call to pep_find_pipe(), so that dst is consistently used initialized throughout the function. Cc: stable(a)vger.kernel.org Fixes: f7ae8d59f661 ("Phonet: allocate sock from accept syscall rather than soft IRQ") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Closes: https://github.com/ClangBuiltLinux/linux/issues/2101 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- net/phonet/pep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/phonet/pep.c b/net/phonet/pep.c index 53a858478e22..62527e1ebb88 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -826,6 +826,7 @@ static struct sock *pep_sock_accept(struct sock *sk, } /* Check for duplicate pipe handle */ + pn_skb_get_dst_sockaddr(skb, &dst); newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); if (unlikely(newsk)) { __sock_put(newsk); @@ -850,7 +851,6 @@ static struct sock *pep_sock_accept(struct sock *sk, newsk->sk_destruct = pipe_destruct; newpn = pep_sk(newsk); - pn_skb_get_dst_sockaddr(skb, &dst); pn_skb_get_src_sockaddr(skb, &src); newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst); newpn->pn_sk.dobject = pn_sockaddr_get_object(&src); --- base-commit: 0e9418961f897be59b1fab6e31ae1b09a0bae902 change-id: 20250715-net-phonet-fix-uninit-const-pointer-64f0182b11e1 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 5 days

2
1
0 0

[PATCH v9 1/4] serial: 8250: fix panic due to PSLVERR

by Yunhui Cui

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_port.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 6d7b8c4667c9c..07fe818dffa34 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2376,9 +2376,10 @@ int serial8250_do_startup(struct uart_port *port) /* * Now, initialize the UART */ - serial_port_out(port, UART_LCR, UART_LCR_WLEN8); uart_port_lock_irqsave(port, &flags); + serial_port_out(port, UART_LCR, UART_LCR_WLEN8); + if (up->port.flags & UPF_FOURPORT) { if (!up->port.irq) up->port.mctrl |= TIOCM_OUT1; -- 2.39.5

3 weeks, 5 days

4
3
0 0

[PATCH v2 1/3] bus: mhi: host: keep bhi buffer through suspend cycle

by Muhammad Usama Anjum

When there is memory pressure, at resume time dma_alloc_coherent() returns error which in turn fails the loading of firmware and hence the driver crashes: kernel: kworker/u33:5: page allocation failure: order:7, mode:0xc04(GFP_NOIO|GFP_DMA32), nodemask=(null),cpuset=/,mems_allowed=0 kernel: CPU: 1 UID: 0 PID: 7693 Comm: kworker/u33:5 Not tainted 6.11.11-valve17-1-neptune-611-g027868a0ac03 #1 3843143b92e9da0fa2d3d5f21f51beaed15c7d59 kernel: Hardware name: Valve Galileo/Galileo, BIOS F7G0112 08/01/2024 kernel: Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi] kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x4e/0x70 kernel: warn_alloc+0x164/0x190 kernel: ? srso_return_thunk+0x5/0x5f kernel: ? __alloc_pages_direct_compact+0xaf/0x360 kernel: __alloc_pages_slowpath.constprop.0+0xc75/0xd70 kernel: __alloc_pages_noprof+0x321/0x350 kernel: __dma_direct_alloc_pages.isra.0+0x14a/0x290 kernel: dma_direct_alloc+0x70/0x270 kernel: mhi_fw_load_handler+0x126/0x340 [mhi a96cb91daba500cc77f86bad60c1f332dc3babdf] kernel: mhi_pm_st_worker+0x5e8/0xac0 [mhi a96cb91daba500cc77f86bad60c1f332dc3babdf] kernel: ? srso_return_thunk+0x5/0x5f kernel: process_one_work+0x17e/0x330 kernel: worker_thread+0x2ce/0x3f0 kernel: ? __pfx_worker_thread+0x10/0x10 kernel: kthread+0xd2/0x100 kernel: ? __pfx_kthread+0x10/0x10 kernel: ret_from_fork+0x34/0x50 kernel: ? __pfx_kthread+0x10/0x10 kernel: ret_from_fork_asm+0x1a/0x30 kernel: </TASK> kernel: Mem-Info: kernel: active_anon:513809 inactive_anon:152 isolated_anon:0 active_file:359315 inactive_file:2487001 isolated_file:0 unevictable:637 dirty:19 writeback:0 slab_reclaimable:160391 slab_unreclaimable:39729 mapped:175836 shmem:51039 pagetables:4415 sec_pagetables:0 bounce:0 kernel_misc_reclaimable:0 free:125666 free_pcp:0 free_cma:0 In above example, if we sum all the consumed memory, it comes out to be 15.5GB and free memory is ~ 500MB from a total of 16GB RAM. Even though memory is present. But all of the dma memory has been exhausted or fragmented. Fix it by allocating it only once and then reuse the same allocated memory. As we'll allocate this memory only once, this memory will stay allocated. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: cd457afb1667 ("bus: mhi: core: Add support for downloading firmware over BHIe") Cc: stable(a)vger.kernel.org Cc: Krishna Chaitanya Chundru <krishna.chundru(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Reported here: https://lore.kernel.org/all/ead32f5b-730a-4b81-b38f-93d822f990c6@collabora.… Still a lot of more fixes are required. Hence, I'm not adding closes tag. Changes since v1: - fix mhi_load_image_bhi() - Cc stable and fix tested on tag --- drivers/bus/mhi/host/boot.c | 25 +++++++++++++++---------- drivers/bus/mhi/host/init.c | 5 +++++ drivers/bus/mhi/host/internal.h | 2 ++ include/linux/mhi.h | 1 + 4 files changed, 23 insertions(+), 10 deletions(-) diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c index b3a85aa3c4768..9fc983bc12d49 100644 --- a/drivers/bus/mhi/host/boot.c +++ b/drivers/bus/mhi/host/boot.c @@ -302,8 +302,8 @@ static int mhi_fw_load_bhi(struct mhi_controller *mhi_cntrl, return -EIO; } -static void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl, - struct image_info *image_info) +void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl, + struct image_info *image_info) { struct mhi_buf *mhi_buf = image_info->mhi_buf; @@ -455,18 +455,23 @@ static enum mhi_fw_load_type mhi_fw_load_type_get(const struct mhi_controller *m static int mhi_load_image_bhi(struct mhi_controller *mhi_cntrl, const u8 *fw_data, size_t size) { - struct image_info *image; + struct image_info **image = &mhi_cntrl->bhi_image; int ret; - ret = mhi_alloc_bhi_buffer(mhi_cntrl, &image, size); - if (ret) - return ret; + if (!(*image)) { + ret = mhi_alloc_bhi_buffer(mhi_cntrl, image, size); + if (ret) + return ret; - /* Load the firmware into BHI vec table */ - memcpy(image->mhi_buf->buf, fw_data, size); + /* Load the firmware into BHI vec table */ + memcpy((*image)->mhi_buf->buf, fw_data, size); + } - ret = mhi_fw_load_bhi(mhi_cntrl, &image->mhi_buf[image->entries - 1]); - mhi_free_bhi_buffer(mhi_cntrl, image); + ret = mhi_fw_load_bhi(mhi_cntrl, &(*image)->mhi_buf[(*image)->entries - 1]); + if (ret) { + mhi_free_bhi_buffer(mhi_cntrl, *image); + *image = NULL; + } return ret; } diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 6e06e4efec765..2e0f18c939e68 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -1228,6 +1228,11 @@ void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) mhi_cntrl->rddm_image = NULL; } + if (mhi_cntrl->bhi_image) { + mhi_free_bhi_buffer(mhi_cntrl, mhi_cntrl->bhi_image); + mhi_cntrl->bhi_image = NULL; + } + mhi_deinit_dev_ctxt(mhi_cntrl); } EXPORT_SYMBOL_GPL(mhi_unprepare_after_power_down); diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h index 1054e67bb450d..60b0699323375 100644 --- a/drivers/bus/mhi/host/internal.h +++ b/drivers/bus/mhi/host/internal.h @@ -324,6 +324,8 @@ int mhi_alloc_bhie_table(struct mhi_controller *mhi_cntrl, struct image_info **image_info, size_t alloc_size); void mhi_free_bhie_table(struct mhi_controller *mhi_cntrl, struct image_info *image_info); +void mhi_free_bhi_buffer(struct mhi_controller *mhi_cntrl, + struct image_info *image_info); /* Power management APIs */ enum mhi_pm_state __must_check mhi_tryset_pm_state( diff --git a/include/linux/mhi.h b/include/linux/mhi.h index 4c567907933a5..593012f779d97 100644 --- a/include/linux/mhi.h +++ b/include/linux/mhi.h @@ -391,6 +391,7 @@ struct mhi_controller { size_t reg_len; struct image_info *fbc_image; struct image_info *rddm_image; + struct image_info *bhi_image; struct mhi_chan *mhi_chan; struct list_head lpm_chans; int *irq; -- 2.39.5

3 weeks, 5 days

3
4
0 0

[PATCH v2 0/1] nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails

by Rick Wertenbroek

Changes from v1 : - Updated comment for nvmet_pci_epf_queue_response() per Damien's suggestion. - Fixed typo in commit message. - Added 3 tags in commit message: Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver") Cc: stable(a)vger.kernel.org Best regards, Rick Rick Wertenbroek (1): nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails drivers/nvme/target/pci-epf.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) -- 2.25.1

3 weeks, 5 days

4
4
0 0

[PATCH v2 1/1] arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default

by Aleksandrs Vinarskis

pm8010 is a camera specific PMIC, and may not be present on some devices. These may instead use a dedicated vreg for this purpose (Dell XPS 9345, Dell Inspiron..) or use USB webcam instead of a MIPI one alltogether (Lenovo Thinbook 16, Lenovo Yoga..). Disable pm8010 by default, let platforms that actually have one onboard enable it instead. Cc: <stable(a)vger.kernel.org> Fixes: 2559e61e7ef4 ("arm64: dts: qcom: x1e80100-pmics: Add the missing PMICs") Reviewed-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Signed-off-by: Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> --- arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi b/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi index e3888bc143a0..621890ada153 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e80100-pmics.dtsi @@ -475,6 +475,8 @@ pm8010: pmic@c { #address-cells = <1>; #size-cells = <0>; + status = "disabled"; + pm8010_temp_alarm: temp-alarm@2400 { compatible = "qcom,spmi-temp-alarm"; reg = <0x2400>; -- 2.48.1

3 weeks, 5 days

1
1
0 0

[PATCH v2] drm/sched: Remove optimization that causes hang when killing dependent jobs

by Lin.Cao

When application A submits jobs and application B submits a job with a dependency on A's fence, the normal flow wakes up the scheduler after processing each job. However, the optimization in drm_sched_entity_add_dependency_cb() uses a callback that only clears dependencies without waking up the scheduler. When application A is killed before its jobs can run, the callback gets triggered but only clears the dependency without waking up the scheduler, causing the scheduler to enter sleep state and application B to hang. Remove the optimization by deleting drm_sched_entity_clear_dep() and its usage, ensuring the scheduler is always woken up when dependencies are cleared. Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler") Cc: stable(a)vger.kernel.org # v4.6+ Signed-off-by: Lin.Cao <lincao12(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index e671aa241720..ac678de7fe5e 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -355,17 +355,6 @@ void drm_sched_entity_destroy(struct drm_sched_entity *entity) } EXPORT_SYMBOL(drm_sched_entity_destroy); -/* drm_sched_entity_clear_dep - callback to clear the entities dependency */ -static void drm_sched_entity_clear_dep(struct dma_fence *f, - struct dma_fence_cb *cb) -{ - struct drm_sched_entity *entity = - container_of(cb, struct drm_sched_entity, cb); - - entity->dependency = NULL; - dma_fence_put(f); -} - /* * drm_sched_entity_wakeup - callback to clear the entity's dependency and * wake up the scheduler @@ -376,7 +365,8 @@ static void drm_sched_entity_wakeup(struct dma_fence *f, struct drm_sched_entity *entity = container_of(cb, struct drm_sched_entity, cb); - drm_sched_entity_clear_dep(f, cb); + entity->dependency = NULL; + dma_fence_put(f); drm_sched_wakeup(entity->rq->sched); } @@ -429,13 +419,6 @@ static bool drm_sched_entity_add_dependency_cb(struct drm_sched_entity *entity) fence = dma_fence_get(&s_fence->scheduled); dma_fence_put(entity->dependency); entity->dependency = fence; - if (!dma_fence_add_callback(fence, &entity->cb, - drm_sched_entity_clear_dep)) - return true; - - /* Ignore it when it is already scheduled */ - dma_fence_put(fence); - return false; } if (!dma_fence_add_callback(entity->dependency, &entity->cb, -- 2.46.1

3 weeks, 5 days

2
1
0 0

[PATCH v4 2/9] vsock/virtio: Validate length in packet header before skb_put()

by Will Deacon

When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put(). Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Will Deacon <will(a)kernel.org> --- net/vmw_vsock/virtio_transport.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index f0e48e6911fc..eb08a393413d 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -624,8 +624,9 @@ static void virtio_transport_rx_work(struct work_struct *work) do { virtqueue_disable_cb(vq); for (;;) { + unsigned int len, payload_len; + struct virtio_vsock_hdr *hdr; struct sk_buff *skb; - unsigned int len; if (!virtio_transport_more_replies(vsock)) { /* Stop rx until the device processes already @@ -642,12 +643,19 @@ static void virtio_transport_rx_work(struct work_struct *work) vsock->rx_buf_nr--; /* Drop short/long packets */ - if (unlikely(len < sizeof(struct virtio_vsock_hdr) || + if (unlikely(len < sizeof(*hdr) || len > virtio_vsock_skb_len(skb))) { kfree_skb(skb); continue; } + hdr = virtio_vsock_hdr(skb); + payload_len = le32_to_cpu(hdr->len); + if (unlikely(payload_len > len - sizeof(*hdr))) { + kfree_skb(skb); + continue; + } + virtio_vsock_skb_rx_put(skb); virtio_transport_deliver_tap_pkt(skb); virtio_transport_recv_pkt(&virtio_transport, skb); -- 2.50.0.727.gbf7dc18ff4-goog

3 weeks, 5 days

2
1
0 0

[PATCH 5.10 000/209] 5.10.240-rc3 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.240 release. There are 209 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:35 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.240-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.240-rc3 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Borislav Petkov <bp(a)kernel.org> x86/process: Move the buffer clearing before MONITOR Borislav Petkov <bp(a)kernel.org> KVM: SVM: Advertise TSA CPUID bits to guests Borislav Petkov <bp(a)kernel.org> KVM: x86: add support for CPUID leaf 0x80000021 Borislav Petkov <bp(a)kernel.org> x86/bugs: Add a Transient Scheduler Attacks mitigation Borislav Petkov <bp(a)kernel.org> x86/bugs: Rename MDS machinery to something more generic Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: lib_test: add MODULE_LICENSE Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Thomas Gleixner <tglx(a)linutronix.de> x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Fix undefined reference to cpu_wants_rethunk_at() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Josh Poimboeuf <jpoimboe(a)kernel.org> x86/alternatives: Remove faulty optimization Borislav Petkov (AMD) <bp(a)alien8.de> x86/alternative: Optimize returns patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Introduce int3_emulate_jcc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bhi: Define SPEC_CTRL_BHI_DIS_S Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Assign the vsock transport considering the vsock address flags Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add flags field in the vsock address data structure Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Flush queued requests before stopping dbc Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbctty: disable ECHO flag by default Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Ioana Ciornei <ioana.ciornei(a)nxp.com> net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update SINGLE_STEP register access Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update dpni_get_single_step_cfg command Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Benjamin Coddington <bcodding(a)redhat.com> NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Mateusz Jończyk <mat.jonczyk(a)o2.pl> rtc: cmos: use spin_lock_irqsave in cmos_interrupt Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: reject invalid perturb period Niklas Cassel <cassel(a)kernel.org> PCI: cadence-ep: Correct PBA offset in .set_msix() callback Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Vitaly Kuznetsov <vkuznets(a)redhat.com> Drivers: hv: Rename 'alloced' to 'allocated' Haiyang Zhang <haiyangz(a)microsoft.com> Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Alexandru Ardelean <alexandru.ardelean(a)analog.com> uio: uio_hv_generic: use devm_kzalloc() for private data alloc Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix power regulator retrieval during probe Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: add terminating newlines to logging Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: remove redundant assignment Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpci_maxim: Fix uninitialized return variable Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 2 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 28 ++ Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/drivers/vector_kern.c | 42 +-- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 22 +- arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeature.h | 5 +- arch/x86/include/asm/cpufeatures.h | 14 +- arch/x86/include/asm/disabled-features.h | 2 +- arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 50 ++-- arch/x86/include/asm/required-features.h | 2 +- arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 272 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 77 +++++- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/process.c | 15 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/cpuid.c | 31 ++- arch/x86/kvm/cpuid.h | 1 + arch/x86/kvm/svm/vmenter.S | 3 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/base/cpu.c | 15 + drivers/dma-buf/dma-resv.c | 2 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 7 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 38 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 121 +++++--- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 +++- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 33 +++ drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 ++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/m_can/tcan4x5x.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 ++++++++-- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 4 +- drivers/rtc/lib_test.c | 2 + drivers/rtc/rtc-cmos.c | 10 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/vt/vt.c | 1 + drivers/uio/uio_hv_generic.c | 18 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/usb/typec/tcpm/tcpci_maxim.c | 20 +- drivers/vhost/scsi.c | 7 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 17 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/cpu.h | 3 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/module.h | 5 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 30 +- kernel/events/core.c | 2 +- kernel/rcu/tree.c | 4 + kernel/rseq.c | 60 +++- lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 75 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 +++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/sched/sch_sfq.c | 10 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 78 +++++- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/fsl/fsl_asrc.c | 3 +- sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 204 files changed, 2750 insertions(+), 821 deletions(-)

3 weeks, 5 days

8
7
0 0

[PATCH v2] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 12 ++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..dafa9bdbb3d32 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,18 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

3 weeks, 5 days

2
2
0 0

[PATCH v4 1/9] vhost/vsock: Avoid allocating arbitrarily-sized SKBs

by Will Deacon

vhost_vsock_alloc_skb() returns NULL for packets advertising a length larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However, this is only checked once the SKB has been allocated and, if the length in the packet header is zero, the SKB may not be freed immediately. Hoist the size check before the SKB allocation so that an iovec larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected outright. The subsequent check on the length field in the header can then simply check that the allocated SKB is indeed large enough to hold the packet. Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Signed-off-by: Will Deacon <will(a)kernel.org> --- drivers/vhost/vsock.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 802153e23073..66a0f060770e 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, len = iov_length(vq->iov, out); + if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) + return NULL; + /* len contains both payload and hdr */ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); if (!skb) @@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, return skb; /* The pkt is too big or the length in the header is invalid */ - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || - payload_len + sizeof(*hdr) > len) { + if (payload_len + sizeof(*hdr) > len) { kfree_skb(skb); return NULL; } -- 2.50.0.727.gbf7dc18ff4-goog

3 weeks, 5 days

3
2
0 0

[PATCH 6.1 00/89] 6.1.146-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.146 release. There are 89 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:20 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.146-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.146-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: adapt folios for z_erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: avoid on-stack pagepool directly passed by arguments Gao Xiang <xiang(a)kernel.org> erofs: allocate extra bvec pages directly instead of retrying Yue Hu <huyue2(a)coolpad.com> erofs: clean up z_erofs_pcluster_readmore() Yue Hu <huyue2(a)coolpad.com> erofs: remove the member readahead from struct z_erofs_decompress_frontend Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Zhang Rui <rui.zhang(a)intel.com> platform/x86: think-lmi: Fix sysfs group cleanup Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Shivank Garg <shivankg(a)amd.com> fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Alexey Dobriyan <adobriyan(a)gmail.com> x86/boot: Compile boot code with -std=gnu11 too David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: use usleep_range() for EC polling Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/Makefile | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/ideapad-laptop.c | 19 +- drivers/powercap/intel_rapl_common.c | 22 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 +++++++++++++------------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 ++- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- fs/anon_inodes.c | 23 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 28 +- fs/erofs/data.c | 2 + fs/erofs/zdata.c | 124 ++++----- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/fs.h | 2 + include/net/netfilter/nf_flow_table.h | 2 +- include/trace/events/erofs.h | 16 +- kernel/events/core.c | 2 +- kernel/rseq.c | 60 ++++- lib/maple_tree.c | 7 +- mm/kasan/report.c | 13 +- mm/secretmem.c | 11 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/bluetooth/hci_sync.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 ++++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 +++- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/fsl/fsl_asrc.c | 3 +- tools/include/linux/kallsyms.h | 4 + 87 files changed, 924 insertions(+), 594 deletions(-)

3 weeks, 5 days

10
9
0 0

[PATCH 6.6 000/111] 6.6.99-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.99 release. There are 111 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:12 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.99-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.99-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Lukas Wunner <lukas(a)wunner.de> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential race in cifs_put_tcon() Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Shyam Prasad N <sprasad(a)microsoft.com> cifs: all initializations for tcon should happen in tcon_info_alloc Paulo Alcantara <pc(a)manguebit.com> smb: client: fix DFS interlink failover Paulo Alcantara <pc(a)manguebit.com> smb: client: avoid unnecessary reconnects when refreshing referrals Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Filipe Manana <fdmanana(a)suse.com> btrfs: fix inode lookup error handling during log replay Filipe Manana <fdmanana(a)suse.com> btrfs: return a btrfs_inode from btrfs_iget_logging() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from fixup_inode_link_count() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from btrfs_update_inode_fallback() Filipe Manana <fdmanana(a)suse.com> btrfs: remove noinline from btrfs_update_inode() Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Christian Eggers <ceggers(a)arri.de> Bluetooth: HCI: Set extended advertising data synchronously Leo Yan <leo.yan(a)arm.com> perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- crypto/ecc.c | 2 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_framebuffer.c | 31 +- drivers/gpu/drm/drm_gem.c | 74 ++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 57 +++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 18 +- fs/btrfs/transaction.c | 2 +- fs/btrfs/tree-log.c | 331 +++++++++++-------- fs/erofs/data.c | 2 + fs/eventpoll.c | 12 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/client/cifsglob.h | 3 + fs/smb/client/cifsproto.h | 13 +- fs/smb/client/connect.c | 47 ++- fs/smb/client/dfs.c | 73 ++--- fs/smb/client/dfs.h | 42 ++- fs/smb/client/dfs_cache.c | 198 +++++++----- fs/smb/client/fs_context.h | 1 + fs/smb/client/misc.c | 9 + fs/smb/client/namespace.c | 2 +- fs/smb/server/smb2pdu.c | 29 +- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/math.h | 12 + include/linux/mm.h | 5 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/rseq.c | 60 +++- lib/maple_tree.c | 14 +- mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/bluetooth/hci_event.c | 39 +-- net/bluetooth/hci_sync.c | 215 ++++++++----- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 ++- scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++ scripts/gdb/linux/xarray.py | 28 ++ sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/build/feature/Makefile | 25 +- tools/include/linux/kallsyms.h | 4 + tools/perf/Makefile.perf | 27 +- tools/testing/selftests/bpf/test_lru_map.c | 105 +++--- 117 files changed, 1948 insertions(+), 1042 deletions(-) From gregkh(a)linuxfoundation.org Tue Jul 15 18:35:42 2025 Message-ID: <20250715163542.121531643(a)linuxfoundation.org> User-Agent: quilt/0.68 Date: Tue, 15 Jul 2025 18:35:43 +0200 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> To: stable(a)vger.kernel.org Cc: patches(a)lists.linux.dev, linux-kernel(a)vger.kernel.org, torvalds(a)linux-foundation.org, akpm(a)linux-foundation.org, linux(a)roeck-us.net, shuah(a)kernel.org, patches(a)kernelci.org, lkft-triage(a)lists.linaro.org, pavel(a)denx.de, jonathanh(a)nvidia.com, f.fainelli(a)gmail.com, sudipm.mukherjee(a)gmail.com, srw(a)sladewatkins.net, rwarsow(a)gmx.de, conor(a)kernel.org, hargar(a)microsoft.com, broonie(a)kernel.org, Jann Horn <jannh(a)google.com>, Alexander Viro <viro(a)zeniv.linux.org.uk>, Christian Brauner <brauner(a)kernel.org>, Jan Kara <jack(a)suse.cz>, Linus Torvalds <torvalds(a)linux-foundation.org> X-stable: review X-Patchwork-Hint: ignore Subject: [PATCH 6.6 001/111] eventpoll: dont decrement ep refcount while still holding the ep mutex MIME-Version: 1.0 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Linus Torvalds <torvalds(a)linux-foundation.org> commit 8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2 upstream. Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead to a use-after-free. That pattern is actually fine for the very last reference, because the code in question will delay the actual call to "ep_free(ep)" until after it has unlocked the mutex. But it's wrong for the much subtler "next to last" case when somebody *else* may also be dropping their reference and free the ep while we're still using the mutex. Note that this is true even if that other user is also using the same ep mutex: mutexes, unlike spinlocks, can not be used for object ownership, even if they guarantee mutual exclusion. A mutex "unlock" operation is not atomic, and as one user is still accessing the mutex as part of unlocking it, another user can come in and get the now released mutex and free the data structure while the first user is still cleaning up. See our mutex documentation in Documentation/locking/mutex-design.rst, in particular the section [1] about semantics: "mutex_unlock() may access the mutex structure even after it has internally released the lock already - so it's not safe for another context to acquire the mutex and assume that the mutex_unlock() context is not using the structure anymore" So if we drop our ep ref before the mutex unlock, but we weren't the last one, we may then unlock the mutex, another user comes in, drops _their_ reference and releases the 'ep' as it now has no users - all while the mutex_unlock() is still accessing it. Fix this by simply moving the ep refcount dropping to outside the mutex: the refcount itself is atomic, and doesn't need mutex protection (that's the whole _point_ of refcounts: unlike mutexes, they are inherently about object lifetimes). Reported-by: Jann Horn <jannh(a)google.com> Link: https://docs.kernel.org/locking/mutex-design.html#semantics [1] Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jan Kara <jack(a)suse.cz> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/eventpoll.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -772,7 +772,7 @@ static bool __ep_remove(struct eventpoll call_rcu(&epi->rcu, epi_rcu_free); percpu_counter_dec(&ep->user->epoll_watches); - return ep_refcount_dec_and_test(ep); + return true; } /* @@ -780,14 +780,14 @@ static bool __ep_remove(struct eventpoll */ static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi) { - WARN_ON_ONCE(__ep_remove(ep, epi, false)); + if (__ep_remove(ep, epi, false)) + WARN_ON_ONCE(ep_refcount_dec_and_test(ep)); } static void ep_clear_and_put(struct eventpoll *ep) { struct rb_node *rbp, *next; struct epitem *epi; - bool dispose; /* We need to release all tasks waiting for these file */ if (waitqueue_active(&ep->poll_wait)) @@ -820,10 +820,8 @@ static void ep_clear_and_put(struct even cond_resched(); } - dispose = ep_refcount_dec_and_test(ep); mutex_unlock(&ep->mtx); - - if (dispose) + if (ep_refcount_dec_and_test(ep)) ep_free(ep); } @@ -1003,7 +1001,7 @@ again: dispose = __ep_remove(ep, epi, true); mutex_unlock(&ep->mtx); - if (dispose) + if (dispose && ep_refcount_dec_and_test(ep)) ep_free(ep); goto again; }

3 weeks, 5 days

10
9
0 0

[PATCH 5.10 000/355] 5.10.239-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.239 release. There are 355 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 25 Jun 2025 13:05:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.239-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.239-rc1 Tengda Wu <wutengda(a)huaweicloud.com> arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Peter Zijlstra <peterz(a)infradead.org> perf: Fix sample vs do_exit() Aaron Lu <ziqianlu(a)bytedance.com> Revert "bpf: allow precision tracking for programs with subprogs" Aaron Lu <ziqianlu(a)bytedance.com> Revert "bpf: stop setting precise in current state" Aaron Lu <ziqianlu(a)bytedance.com> Revert "bpf: aggressively forget precise markings during state checkpointing" Aaron Lu <ziqianlu(a)bytedance.com> Revert "selftests/bpf: make test_align selftest more robust" Heiko Carstens <hca(a)linux.ibm.com> s390/pci: Fix __pcilg_mio_inuser() inline assembly David Gow <davidgow(a)google.com> rtc: test: Fix invalid format specifier. Eddie James <eajames(a)linux.ibm.com> hwmon: (occ) Fix P10 VRM temp sensors Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: don't allow 1 packet limit Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: handle bigger packets Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: annotate data-races around q->perturb_period Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Make rtc_time64_to_tm() support dates before 1970 Cassio Neri <cassio.neri(a)gmail.com> rtc: Improve performance of rtc_time64_to_tm(). Add tests. Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE Paul Chaignon <paul.chaignon(a)gmail.com> net: Fix checksum update for ILA adj-transport Eliav Farber <farbere(a)amazon.com> net/ipv4: fix type mismatch in inet_ehash_locks_alloc() causing build failure James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs Liu Song <liusong(a)linux.alibaba.com> arm64: spectre: increase parameters that can be used to turn off bhb mitigation individually James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Hou Tao <houtao1(a)huawei.com> arm64: insn: add encoders for atomic operations Hou Tao <houtao1(a)huawei.com> arm64: move AARCH64_BREAK_FAULT into insn-def.h Julien Thierry <jthierry(a)redhat.com> arm64: insn: Add barrier encodings Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Increment the runtime usage counter for the earlycon device Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Colin Foster <colin.foster(a)in-advantage.com> ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Shengyu Qu <wiagn233(a)outlook.com> ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Eric Dumazet <edumazet(a)google.com> net: atm: fix /proc/net/atm/lec handling Eric Dumazet <edumazet(a)google.com> net: atm: add lec_mutex Kuniyuki Iwashima <kuniyu(a)google.com> calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). Haixia Qu <hxqu(a)hillstonenet.com> tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Kuniyuki Iwashima <kuniyu(a)google.com> atm: atmtcp: Free invalid length skb in atmtcp_c_send(). Kuniyuki Iwashima <kuniyu(a)google.com> mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). Dmitry Antipov <dmantipov(a)yandex.ru> wifi: carl9170: do not ping device which has failed to load firmware Krishna Kumar <krikku(a)gmail.com> net: ice: Perform accurate aRFS flow match Justin Sanders <jsanders.devel(a)gmail.com> aoe: clean device rq_list in aoedev_downdev() Simon Horman <horms(a)kernel.org> pldmfw: Select CRC32 when PLDMFW is selected Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) fix unaligned accesses Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) Rework attribute registration for stack usage Eddie James <eajames(a)linux.ibm.com> hwmon: (occ) Add soft minimum power cap attribute Eddie James <eajames(a)linux.ibm.com> hwmon: (occ) Add new temperature sensor type Jacob Keller <jacob.e.keller(a)intel.com> drm/nouveau/bl: increase buffer size to avoid truncate warning Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: remove unused trace event erofs_destroy_inode Jann Horn <jannh(a)google.com> mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race Liu Shixin <liushixin2(a)huawei.com> mm: hugetlb: independent PMD page table shared count Jann Horn <jannh(a)google.com> mm/hugetlb: unshare page tables during VMA split, not before James Houghton <jthoughton(a)google.com> hugetlb: unshare some PMDs when splitting VMAs Jonathan Lane <jon(a)borg.moe> ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Takashi Iwai <tiwai(a)suse.de> ALSA: hda/intel: Add Thinkpad E15 to PM deny list wangdicheng <wangdicheng(a)kylinos.cn> ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card WangYuli <wangyuli(a)uniontech.com> Input: sparcspkr - avoid unannotated fall-through Terry Junge <linuxhid(a)cosmicgizmosystems.com> HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Kuniyuki Iwashima <kuniyu(a)google.com> atm: Revert atm_account_tx() if copy_from_iter_full() fails. Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Marek Szyprowski <m.szyprowski(a)samsung.com> udmabuf: use sgtable-based scatterlist wrappers Peter Oberparleiter <oberpar(a)linux.ibm.com> scsi: s390: zfcp: Ensure synchronous unit_add Dexuan Cui <decui(a)microsoft.com> scsi: storvsc: Increase the timeouts to storvsc_timeout Fedor Pchelkin <pchelkin(a)ispras.ru> jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Artem Sadovnikov <a.sadovnikov(a)ispras.ru> jffs2: check that raw node were preallocated before writing summary Andrew Morton <akpm(a)linux-foundation.org> drivers/rapidio/rio_cm.c: prevent possible heap overwrite Breno Leitao <leitao(a)debian.org> Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Stop overwriting data buffer Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Fix list usage Maximilian Luz <luzmaximilian(a)gmail.com> platform: Add Surface platform directory Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Jann Horn <jannh(a)google.com> tee: Prevent size calculation wraparound on 32-bit kernels Sukrut Bellary <sbellary(a)baylibre.com> ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Laurentiu Tudor <laurentiu.tudor(a)nxp.com> bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Marcus Folkesson <marcus.folkesson(a)gmail.com> watchdog: da9052_wdt: respect TWDMIN Kyungwook Boo <bookyungwook(a)gmail.com> i40e: fix MMIO write access to an invalid page in i40e_clear_hw Zijun Hu <quic_zijuhu(a)quicinc.com> sock: Correct error checking condition for (assign|release)_proto_idx() Daniel Wagner <wagi(a)kernel.org> scsi: lpfc: Use memcpy() for BIOS version Zijun Hu <quic_zijuhu(a)quicinc.com> software node: Correct a OOB check in software_node_get_reference_args() Ido Schimmel <idosch(a)nvidia.com> vxlan: Do not treat dst cache initialization errors as fatal Sean Christopherson <seanjc(a)google.com> iommu/amd: Ensure GA log notifier callbacks finish running before module unload Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Heiko Stuebner <heiko(a)sntech.de> clk: rockchip: rk3036: mark ddrphy as critical Benjamin Berg <benjamin(a)sipsolutions.net> wifi: mac80211: do not offer a mesh path if forwarding is disabled Jason Xing <kernelxing(a)tencent.com> net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Jason Xing <kernelxing(a)tencent.com> net: atlantic: generate software timestamp just before the doorbell Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Eric Dumazet <edumazet(a)google.com> tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Eric Dumazet <edumazet(a)google.com> tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Moon Yeounsu <yyyynoom(a)gmail.com> net: dlink: add synchronization for stats update Tali Perry <tali.perry1(a)gmail.com> i2c: npcm: Add clock toggle recovery Petr Malat <oss(a)malat.biz> sctp: Do not wake readers in __sctp_write_space() Henk Vergonet <henk.vergonet(a)gmail.com> wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Alok Tiwari <alok.a.tiwari(a)oracle.com> emulex/benet: correct command version selection in be_cmd_get_stats() Tan En De <ende.tan(a)starfivetech.com> i2c: designware: Invoke runtime suspend on quick slave re-registration Zilin Guan <zilin(a)seu.edu.cn> tipc: use kfree_sensitive() for aead cleanup Sergio Perez Gonzalez <sperezglz(a)gmail.com> net: macb: Check return value of dma_set_mask_and_coherent() Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Force sync policy boost with global boost on sysfs update George Moussalem <george.moussalem(a)outlook.com> thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for IP v2+ Simon Schuster <schuster.simon(a)siemens-energy.com> nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults Wentao Liang <vulab(a)iscas.ac.cn> media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() Hans Verkuil <hverkuil(a)xs4all.nl> media: tc358743: ignore video while HPD is low Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: don't select single flush for active CTL blocks Dylan Wolff <wolffd(a)comp.nus.edu.sg> jfs: Fix null-ptr-deref in jfs_ioc_trim Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: fix CSIB handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx8: fix CSIB handling Zhang Yi <yi.zhang(a)huawei.com> ext4: prevent stale extent cache entries caused by concurrent get es_cache Long Li <leo.lilong(a)huawei.com> sunrpc: fix race in cache cleanup causing stale nextcheck time Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: rkvdec: Initialize the m2m context before the controls Aditya Dutt <duttaditya18(a)gmail.com> jfs: fix array-index-out-of-bounds read in add_missing_indices Zhang Yi <yi.zhang(a)huawei.com> ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in ext4_ext_remove_space() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx7: fix CSIB handling Nas Chung <nas.chung(a)chipsnmedia.com> media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: fix CSIB handling Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Increase HFI response timeout Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() Nas Chung <nas.chung(a)chipsnmedia.com> media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/hdmi: add runtime PM calls to DDC transfer function Namjae Jeon <linkinjeon(a)kernel.org> exfat: fix double free in delayed_free Damon Ding <damon.ding(a)rock-chips.com> drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq() Long Li <leo.lilong(a)huawei.com> sunrpc: update nextcheck time when adding new cache entries Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx6: fix CSIB handling Peter Marheine <pmarheine(a)chromium.org> ACPI: battery: negate current when discharging Charan Teja Kalla <quic_charante(a)quicinc.com> PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Yuanjun Gong <ruc_gongyuanjun(a)163.com> ASoC: tegra210_ahub: Add check to of_device_get_match_data() gldrk <me(a)rarity.fan> ACPICA: utilities: Fix overflow check in vsnprintf() Jerry Lv <Jerry.Lv(a)axis.com> power: supply: bq27xxx: Retrieve again when busy Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi parse and parseext cache leaks Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change Ahmed Salem <x0rw3ll(a)gmail.com> ACPICA: Avoid sequence overread in call to strncmp() Guilherme G. Piccoli <gpiccoli(a)igalia.com> clocksource: Fix the CPUs' choice in the watchdog per CPU verification Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi operand cache leak in dswstate.c David Lechner <dlechner(a)baylibre.com> iio: adc: ad7606_spi: fix reg write value mask Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Fix temperature calculation Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix lock symmetry in pci_slot_unlock() Huacai Chen <chenhuacai(a)loongson.cn> PCI: Add ACS quirk for Loongson PCIe Long Li <longli(a)microsoft.com> uio_hv_generic: Use correct size for interrupt and monitor pages Wentao Liang <vulab(a)iscas.ac.cn> regulator: max14577: Add error check for max14577_read_reg() Khem Raj <raj.khem(a)gmail.com> mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: ad5933: Correct settling cycles encoding per datasheet Qasim Ijaz <qasdev00(a)gmail.com> net: ch9200: fix uninitialised access during mii_nway_restart Ye Bin <yebin10(a)huawei.com> ftrace: Fix UAF when lookup kallsym after ftrace disabled Mikulas Patocka <mpatocka(a)redhat.com> dm-mirror: fix a tiny race condition Wentao Liang <vulab(a)iscas.ac.cn> mtd: nand: sunxi: Add randomizer configuration before randomizer enable Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Jinliang Zheng <alexjlzheng(a)tencent.com> mm: fix ratelimit_pages update error in dirty_ratio_handler() Jeongjun Park <aha310510(a)gmail.com> ipc: fix to protect IPCS lookups using RCU Da Xue <da(a)libre.computer> clk: meson-g12a: add missing fclk_div2 to spicc Arnd Bergmann <arnd(a)arndb.de> parisc: fix building with gcc-15 GONG Ruiqi <gongruiqi1(a)huawei.com> vgacon: Add check for vc_origin address range in vgacon_scroll() Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> EDAC/altera: Use correct write width with the INTTEST register Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> NFC: nci: uart: Set tty->disc_data only in success path Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sit_bitmap_size Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: prevent kernel warning due to negative i_nlink from corrupted image Dan Carpenter <dan.carpenter(a)linaro.org> Input: ims-pcu - check record size in ims_pcu_flash_firmware() Zhang Yi <yi.zhang(a)huawei.com> ext4: ensure i_size is smaller than maxbytes Zhang Yi <yi.zhang(a)huawei.com> ext4: factor out ext4_get_maxbytes() Jan Kara <jack(a)suse.cz> ext4: fix calculation of credits for extent tree modification Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: inline: fix len overflow in ext4_prepare_inline_data Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Tasos Sahanidis <tasos(a)tasossah.com> ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix conflict between power_up and SYSERR Andreas Kemnade <andreas(a)kemnade.info> ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 Ross Stutterheim <ross.stutterheim(a)garmin.com> ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Denis Arefev <arefev(a)swemel.ru> media: vivid: Change the siize of the composing Edward Adam Davis <eadavis(a)qq.com> media: vidtv: Terminating the subsequent process of initialization failure Marek Szyprowski <m.szyprowski(a)samsung.com> media: videobuf2: use sgtable-based scatterlist wrappers Loic Poulain <loic.poulain(a)oss.qualcomm.com> media: venus: Fix probe error handling Ma Ke <make24(a)iscas.ac.cn> media: v4l2-dev: fix error handling in __video_register_device() Wentao Liang <vulab(a)iscas.ac.cn> media: gspca: Add error handling for stv06xx_read_sensor() Edward Adam Davis <eadavis(a)qq.com> media: cxusb: no longer judge rbuf when the write fails Johan Hovold <johan+linaro(a)kernel.org> media: ov8856: suppress probe deferral errors Mingcong Bai <jeffbai(a)aosc.io> wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 Jeongjun Park <aha310510(a)gmail.com> jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: Initialize ssc before laundromat_work to prevent NULL dereference NeilBrown <neil(a)brown.name> nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Christian Lamparter <chunkeey(a)gmail.com> wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Wentao Liang <vulab(a)iscas.ac.cn> ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() Alexander Aring <aahringo(a)redhat.com> gfs2: move msleep to sleepable context Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Do not chain submitted requests Zijun Hu <quic_zijuhu(a)quicinc.com> configfs: Do not override creating attribute file failure in populate_attrs() Eric Dumazet <edumazet(a)google.com> tcp: tcp_data_ready() must look at SOCK_DONE Arnd Bergmann <arnd(a)arndb.de> kbuild: hdrcheck: fix cross build with clang Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: fix bitsize and target detection on clang Oliver Neukum <oneukum(a)suse.com> net: usb: aqc111: debug info before sanitation Eric Dumazet <edumazet(a)google.com> calipso: unlock rcu before returning -EAFNOSUPPORT Thomas Gleixner <tglx(a)linutronix.de> x86/iopl: Cure TIF_IO_BITMAP inconsistencies Stefano Stabellini <stefano.stabellini(a)amd.com> xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: Flush altsetting 0 endpoints before reinitializating them after reset. Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for clang Nathan Chancellor <nathan(a)kernel.org> kbuild: Add KBUILD_CPPFLAGS to as-option invocation Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Nathan Chancellor <nathan(a)kernel.org> kbuild: Add CLANG_FLAGS to as-instr Nathan Chancellor <nathan(a)kernel.org> mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang Nick Desaulniers <ndesaulniers(a)google.com> kbuild: Update assembler calls to use proper flags and language target Nathan Chancellor <nathan(a)kernel.org> MIPS: Prefer cc-option for additions to cflags Nathan Chancellor <nathan(a)kernel.org> MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option Nick Desaulniers <ndesaulniers(a)google.com> x86/boot/compressed: prefer cc-option for CFLAGS additions Oleg Nesterov <oleg(a)redhat.com> posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Zijun Hu <quic_zijuhu(a)quicinc.com> fs/filesystems: Fix potential unsigned integer underflow in fs_name() Eric Dumazet <edumazet(a)google.com> net_sched: ets: fix a race in ets_qdisc_change() Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Eric Dumazet <edumazet(a)google.com> net_sched: tbf: fix a race in tbf_change() Eric Dumazet <edumazet(a)google.com> net_sched: red: fix a race in __red_change() Eric Dumazet <edumazet(a)google.com> net_sched: prio: fix a race in prio_tune() Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix return value when searching for existing flow group Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Ensure fw pages are always allocated on same NUMA Jakub Raczynski <j.raczynski(a)samsung.com> net/mdiobus: Fix potential out-of-bounds read/write access Andrew Lunn <andrew(a)lunn.ch> net: mdio: C22 is now optional, EOPNOTSUPP if not provided Carlos Fernandez <carlos.fernandez(a)technica-engineering.de> macsec: MACsec SCI assignment for ES = 0 Michal Luczaj <mhal(a)rbox.co> net: Fix TOCTOU issue in sk_is_readable() Cong Wang <cong.wang(a)bytedance.com> net: Rename ->stream_memory_read to ->sock_is_readable Cong Wang <cong.wang(a)bytedance.com> bpf: Clean up sockmap related Kconfigs Eric Dumazet <edumazet(a)google.com> tcp: factorize logic into tcp_epollin_ready() Robert Malz <robert.malz(a)canonical.com> i40e: retry VFLR handling if there is ongoing VF reset Robert Malz <robert.malz(a)canonical.com> i40e: return false from i40e_reset_vf if reset is in progress Haren Myneni <haren(a)linux.ibm.com> powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Haren Myneni <haren(a)linux.ibm.com> powerpc/vas: Move VAS API to book3s common platform Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: fix a potential crash on gso_skb handling Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: iscsi: Fix incorrect error path labels for flashnode operations Caleb Connolly <caleb.connolly(a)linaro.org> ath10k: snoc: fix unbalanced IRQ enable in crash recovery Wen Gong <wgong(a)codeaurora.org> ath10k: prevent deinitializing NAPI twice Wen Gong <wgong(a)codeaurora.org> ath10k: add atomic protection for device recovery Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Clean sci_ports[0] after at earlycon exit Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Move runtime PM enable to sci_probe_single() Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Check if TX data was written to device in .tx_empty() Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am65-main: Fix sdhci node properties Nishanth Menon <nm(a)ti.com> arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics-rmi - fix crash with unsupported versions of F34 zhang songyi <zhang.songyi(a)zte.com.cn> Input: synaptics-rmi4 - convert to use sysfs_emit() APIs Dan Carpenter <dan.carpenter(a)linaro.org> pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Al Viro <viro(a)zeniv.linux.org.uk> do_change_type(): refuse to operate on unmounted/not ours mounts Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: correctly report gso type for UDP tunnels Michal Kubiak <michal.kubiak(a)intel.com> ice: create new Tx scheduler nodes for new queues only Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Álvaro Fernández Rojas <noltari(a)gmail.com> spi: bcm63xx-hsspi: fix shared reset Álvaro Fernández Rojas <noltari(a)gmail.com> spi: bcm63xx-spi: fix shared reset Dan Carpenter <dan.carpenter(a)linaro.org> net/mlx4_en: Prevent potential integer overflow calculating Hz Yanqing Wang <ot_yanqing.wang(a)mediatek.com> driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Charalampos Mitrodimas <charmitro(a)posteo.net> net: tipc: fix refcount warning in tipc_aead_encrypt Alok Tiwari <alok.a.tiwari(a)oracle.com> gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Quentin Schulz <quentin.schulz(a)cherry.de> net: stmmac: platform: guarantee uniqueness of bus_id Nicolas Pitre <npitre(a)baylibre.com> vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() WangYuli <wangyuli(a)uniontech.com> MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Fix 3dB filter frequency reading Henry Martin <bsdhenrymartin(a)gmail.com> serial: Fix potential null-ptr-deref in mlb_usio_probe() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> usb: renesas_usbhs: Reorder clock handling and power management in probe Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Fix offset calculation for .start_secs < 0 Bjorn Helgaas <bhelgaas(a)google.com> PCI/DPC: Initialize aer_err_info before using it Henry Martin <bsdhenrymartin(a)gmail.com> dmaengine: ti: Add NULL check in udma_probe() Hans Zhang <18255117159(a)163.com> PCI: cadence: Fix runtime atomic count underflow Wolfram Sang <wsa+renesas(a)sang-engineering.com> rtc: sh: assign correct interrupts with DT Li Lingfeng <lilingfeng3(a)huawei.com> nfs: ignore SB_RDONLY when remounting nfs Li Lingfeng <lilingfeng3(a)huawei.com> nfs: clear SB_RDONLY before getting superblock Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf record: Fix incorrect --user-regs comments Leo Yan <leo.yan(a)arm.com> perf tests switch-tracking: Fix timestamp comparison Alexey Gladkov <legion(a)kernel.org> mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Dan Carpenter <dan.carpenter(a)linaro.org> rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Adrian Hunter <adrian.hunter(a)intel.com> perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Henry Martin <bsdhenrymartin(a)gmail.com> backlight: pm8941: Add NULL check in wled_configure() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf ui browser hists: Set actions->thread before calling do_zoom_thread() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf build: Warn when libdebuginfod devel files are not available Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Fix attribute addition Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Remove bogus void member Sergey Shtylyov <s.shtylyov(a)omp.ru> fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Henry Martin <bsdhenrymartin(a)gmail.com> soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Su Hui <suhui(a)nfschina.com> soc: aspeed: lpc: Fix impossible judgment condition Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: fix double-free on mc_dev Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Wentao Liang <vulab(a)iscas.ac.cn> nilfs2: add pointer check for nilfs_direct_propagate() Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check return result of sb_min_blocksize Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mm-beacon: Fix RTC capacitive load Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: at91sam9263: fix NAND chip selects Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to correct check conditions in f2fs_cross_rename Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: use d_inode(dentry) cleanup dentry->d_inode Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Faicker Mo <faicker.mo(a)zenlayer.com> net: openvswitch: Fix the dead loop of MPLS parse Kuniyuki Iwashima <kuniyu(a)amazon.com> calipso: Don't call calipso functions for AF_INET sk. Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net: usb: aqc111: fix error handling of usbnet read calls Fernando Fernandez Mancera <fmancera(a)suse.de> netfilter: nft_tunnel: fix geneve_opt dump Li RongQing <lirongqing(a)baidu.com> vfio/type1: Fix error unwind in migration dirty bitmap allocation Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Toke Høiland-Jørgensen <toke(a)toke.dk> wifi: ath9k_htc: Abort software beacon handling if disabled Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Store backchain even for leaf progs Vincent Knecht <vincent.knecht(a)mailoo.org> clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Tao Chen <chen.dylane(a)linux.dev> bpf: Fix WARN() in get_bpf_raw_tp_regs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> pinctrl: at91: Fix possible out-of-boundary access Anton Protopopov <a.s.protopopov(a)gmail.com> libbpf: Use proper errno value in nlattr Jiayuan Chen <jiayuan.chen(a)linux.dev> ktls, sockmap: Fix missing uncharge operation Henry Martin <bsdhenrymartin(a)gmail.com> clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Huajian Yang <huajianyang(a)asrmicro.com> netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Chao Yu <chao(a)kernel.org> f2fs: clean up w/ fscrypt_is_bounce_page() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: do not ignore hardware read error during DPK Hari Kalavakunta <kalavakunta.hari.prasad(a)gmail.com> net: ncsi: Fix GCPS 64-bit member variables Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sbi->total_valid_block_count Stone Zhang <quic_stonez(a)quicinc.com> wifi: ath11k: fix node corruption in ar->arvifs list Huang Yiwei <quic_hyiwei(a)quicinc.com> firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Biju Das <biju.das.jz(a)bp.renesas.com> drm/tegra: rgb: Fix the unbound reference count Kees Cook <kees(a)kernel.org> drm/vkms: Adjust vkms_state->active_planes allocation type Biju Das <biju.das.jz(a)bp.renesas.com> drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Neill Kapron <nkapron(a)google.com> selftests/seccomp: fix syscall_restart test for arm compat Miaoqian Lin <linmq006(a)gmail.com> firmware: psci: Fix refcount leak in psci_dt_init Finn Thain <fthain(a)linux-m68k.org> m68k: mac: Fix macintosh_config for Mac II Jonas Karlman <jonas(a)kwiboo.se> media: rkvdec: Fix frame size enumeration Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add seqno waiter for sync_files Geert Uytterhoeven <geert+renesas(a)glider.be> spi: sh-msiof: Fix maximum DMA transfer size Armin Wolf <W_Armin(a)gmx.de> ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Zijun Hu <quic_zijuhu(a)quicinc.com> PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Alexander Shiyan <eagle.alexander923(a)gmail.com> power: reset: at91-reset: Optimize at91_reset() Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/skx_common: Fix general protection fault Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - move fallback ahash_request to the end of the struct Herbert Xu <herbert(a)gondor.apana.org.au> crypto: xts - Only add ecb if it is not already there Herbert Xu <herbert(a)gondor.apana.org.au> crypto: lrw - Only add ecb if it is not already there Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Avoid empty transfer descriptor Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Handle zero-length skcipher requests Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Sanitize CPUID(0x80000000) output Corentin Labbe <clabbe.montjoie(a)gmail.com> crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Qing Wang <wangqing7171(a)gmail.com> perf/core: Fix broken throttling when max_samples_per_tick=1 Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: gfs2_create_inode error handling fix Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Sergey Senozhatsky <senozhatsky(a)chromium.org> thunderbolt: Do not double dequeue a configuration request Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix timeout value in get_stb Hongyu Xie <xiehongyu1(a)kylinos.cn> usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li <lijiayi(a)kylinos.cn> usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Gautham R. Shenoy <gautham.shenoy(a)amd.com> acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: set GPIO output value before setting direction Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Pan Taixi <pantaixi(a)huaweicloud.com> tracing: Fix compilation warning on arm32 ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 7 +- MAINTAINERS | 9 + Makefile | 11 +- arch/arm/boot/dts/am335x-bone-common.dtsi | 8 + arch/arm/boot/dts/at91sam9263ek.dts | 2 +- arch/arm/boot/dts/qcom-apq8064.dtsi | 13 +- arch/arm/boot/dts/tny_a9263.dts | 2 +- arch/arm/boot/dts/usb_a9263.dts | 4 +- arch/arm/mach-omap2/clockdomain.h | 1 + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- arch/arm/mach-omap2/cm33xx.c | 14 +- arch/arm/mach-omap2/pmic-cpcap.c | 6 +- arch/arm/mm/ioremap.c | 4 +- .../boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 + .../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 - arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 20 +- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/debug-monitors.h | 12 - arch/arm64/include/asm/insn.h | 114 +++++++- arch/arm64/include/asm/spectre.h | 4 +- arch/arm64/kernel/insn.c | 199 ++++++++++++- arch/arm64/kernel/proton-pack.c | 202 ++++++++------ arch/arm64/kernel/ptrace.c | 2 +- arch/arm64/net/bpf_jit.h | 11 +- arch/arm64/net/bpf_jit_comp.c | 58 +++- arch/arm64/xen/hypercall.S | 21 +- arch/m68k/mac/config.c | 2 +- arch/mips/Makefile | 6 +- .../boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 + arch/mips/loongson2ef/Platform | 2 +- arch/mips/vdso/Makefile | 1 + arch/nios2/include/asm/pgtable.h | 16 ++ arch/parisc/boot/compressed/Makefile | 1 + arch/powerpc/include/asm/vas.h | 3 + arch/powerpc/kernel/eeh.c | 2 + arch/powerpc/platforms/Kconfig | 1 + arch/powerpc/platforms/Makefile | 1 + arch/powerpc/platforms/book3s/Kconfig | 15 + arch/powerpc/platforms/book3s/Makefile | 2 + .../platforms/{powernv => book3s}/vas-api.c | 11 +- arch/powerpc/platforms/powernv/Kconfig | 14 - arch/powerpc/platforms/powernv/Makefile | 2 +- arch/powerpc/platforms/powernv/vas.h | 2 - arch/s390/net/bpf_jit_comp.c | 12 +- arch/s390/pci/pci_mmio.c | 2 +- arch/x86/boot/compressed/Makefile | 2 +- arch/x86/kernel/cpu/bugs.c | 10 +- arch/x86/kernel/cpu/common.c | 17 +- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- arch/x86/kernel/ioport.c | 13 +- arch/x86/kernel/process.c | 6 + crypto/lrw.c | 4 +- crypto/xts.c | 4 +- drivers/acpi/acpica/dsutils.c | 9 +- drivers/acpi/acpica/psobject.c | 52 +--- drivers/acpi/acpica/utprint.c | 7 +- drivers/acpi/apei/Kconfig | 1 + drivers/acpi/apei/ghes.c | 2 +- drivers/acpi/battery.c | 19 +- drivers/acpi/osi.c | 1 - drivers/ata/pata_via.c | 3 +- drivers/atm/atmtcp.c | 4 +- drivers/base/power/domain.c | 2 +- drivers/base/power/main.c | 3 +- drivers/base/power/runtime.c | 2 +- drivers/base/swnode.c | 2 +- drivers/block/aoe/aoedev.c | 8 + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +- drivers/bus/fsl-mc/mc-io.c | 19 +- drivers/bus/fsl-mc/mc-sys.c | 2 +- drivers/bus/mhi/host/pm.c | 18 +- drivers/bus/ti-sysc.c | 49 ---- drivers/clk/bcm/clk-raspberrypi.c | 2 + drivers/clk/meson/g12a.c | 1 + drivers/clk/qcom/gcc-msm8939.c | 4 +- drivers/clk/rockchip/clk-rk3036.c | 1 + drivers/cpufreq/acpi-cpufreq.c | 2 +- drivers/cpufreq/cpufreq.c | 6 +- drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- .../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +- drivers/crypto/marvell/cesa/cesa.c | 2 +- drivers/crypto/marvell/cesa/cesa.h | 9 +- drivers/crypto/marvell/cesa/cipher.c | 3 + drivers/crypto/marvell/cesa/hash.c | 2 +- drivers/crypto/marvell/cesa/tdma.c | 53 ++-- drivers/dma-buf/udmabuf.c | 5 +- drivers/dma/ti/k3-udma.c | 3 +- drivers/edac/altera_edac.c | 6 +- drivers/edac/skx_common.c | 1 + drivers/firmware/Kconfig | 1 - drivers/firmware/arm_sdei.c | 11 +- drivers/firmware/psci/psci.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 - drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 4 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 18 +- drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dml/Makefile | 3 +- drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 5 +- drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 2 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 3 +- drivers/gpu/drm/msm/hdmi/hdmi_i2c.c | 14 +- drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +- drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 +- drivers/gpu/drm/tegra/rgb.c | 14 +- drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 ++ drivers/hid/hid-hyperv.c | 5 +- drivers/hid/usbhid/hid-core.c | 25 +- drivers/hwmon/occ/common.c | 307 ++++++++++++--------- drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/i2c/busses/i2c-npcm7xx.c | 12 +- drivers/iio/adc/ad7124.c | 4 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + drivers/infiniband/hw/hns/hns_roce_main.c | 1 - drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - drivers/infiniband/hw/mlx5/qpc.c | 30 +- drivers/input/misc/ims-pcu.c | 6 + drivers/input/misc/sparcspkr.c | 22 +- drivers/input/rmi4/rmi_f34.c | 135 +++++---- drivers/iommu/amd/iommu.c | 8 + drivers/md/dm-raid1.c | 5 +- drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 +- drivers/media/i2c/ov8856.c | 9 +- drivers/media/i2c/tc358743.c | 4 + drivers/media/platform/exynos4-is/fimc-is-regs.c | 1 + drivers/media/platform/qcom/venus/core.c | 16 +- drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 3 +- drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 +- drivers/media/v4l2-core/v4l2-dev.c | 14 +- drivers/mfd/exynos-lpass.c | 1 - drivers/mfd/stmpe-spi.c | 2 +- drivers/mtd/nand/raw/sunxi_nand.c | 2 + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 - drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 + drivers/net/ethernet/cadence/macb_main.c | 6 +- drivers/net/ethernet/dlink/dl2k.c | 14 +- drivers/net/ethernet/dlink/dl2k.h | 2 + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/google/gve/gve_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_common.c | 7 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 48 ++++ drivers/net/ethernet/intel/ice/ice_sched.c | 11 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 +- .../net/ethernet/mellanox/mlx5/core/pagealloc.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/vport.c | 18 +- drivers/net/ethernet/microchip/lan743x_main.c | 4 +- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +- drivers/net/macsec.c | 40 ++- drivers/net/phy/mdio_bus.c | 16 +- drivers/net/phy/mscc/mscc_ptp.c | 4 +- drivers/net/usb/aqc111.c | 10 +- drivers/net/usb/ch9200.c | 7 +- drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++ drivers/net/vxlan/vxlan_core.c | 8 +- drivers/net/wireless/ath/ath10k/ahb.c | 5 +- drivers/net/wireless/ath/ath10k/core.c | 36 +++ drivers/net/wireless/ath/ath10k/core.h | 9 + drivers/net/wireless/ath/ath10k/debug.c | 6 +- drivers/net/wireless/ath/ath10k/mac.c | 1 + drivers/net/wireless/ath/ath10k/pci.c | 9 +- drivers/net/wireless/ath/ath10k/sdio.c | 11 +- drivers/net/wireless/ath/ath10k/snoc.c | 12 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 +- drivers/net/wireless/ath/ath11k/core.c | 8 +- drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 + drivers/net/wireless/ath/carl9170/usb.c | 19 +- drivers/net/wireless/intersil/p54/fwio.c | 2 + drivers/net/wireless/intersil/p54/p54.h | 1 + drivers/net/wireless/intersil/p54/txrx.c | 13 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 + .../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 10 + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 +- drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +- drivers/pci/pci.c | 3 +- drivers/pci/pcie/dpc.c | 2 +- drivers/pci/quirks.c | 23 ++ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 35 ++- drivers/pinctrl/pinctrl-at91.c | 6 +- drivers/platform/Kconfig | 2 + drivers/platform/Makefile | 1 + drivers/platform/surface/Kconfig | 14 + drivers/platform/surface/Makefile | 5 + drivers/platform/x86/dell_rbu.c | 6 +- drivers/power/reset/at91-reset.c | 5 +- drivers/power/supply/bq27xxx_battery.c | 2 +- drivers/power/supply/bq27xxx_battery_i2c.c | 13 +- drivers/rapidio/rio_cm.c | 3 + drivers/regulator/max14577-regulator.c | 5 +- drivers/rpmsg/qcom_smd.c | 2 +- drivers/rtc/Kconfig | 10 + drivers/rtc/Makefile | 1 + drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 121 ++++++-- drivers/rtc/lib_test.c | 79 ++++++ drivers/rtc/rtc-sh.c | 12 +- drivers/s390/scsi/zfcp_sysfs.c | 2 + drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- drivers/scsi/lpfc/lpfc_sli.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 11 +- drivers/scsi/storvsc_drv.c | 10 +- drivers/soc/aspeed/aspeed-lpc-snoop.c | 17 +- drivers/spi/spi-bcm63xx-hsspi.c | 2 +- drivers/spi/spi-bcm63xx.c | 2 +- drivers/spi/spi-sh-msiof.c | 13 +- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- drivers/staging/media/rkvdec/rkvdec.c | 24 +- drivers/tee/tee_core.c | 11 +- drivers/thermal/qcom/tsens.c | 10 +- drivers/thunderbolt/ctl.c | 5 + drivers/tty/serial/milbeaut_usio.c | 5 +- drivers/tty/serial/sh-sci.c | 97 +++++-- drivers/tty/vt/vt_ioctl.c | 2 - drivers/uio/uio_hv_generic.c | 4 +- drivers/usb/class/usbtmc.c | 4 +- drivers/usb/core/hub.c | 16 +- drivers/usb/core/quirks.c | 3 + drivers/usb/gadget/function/f_hid.c | 12 +- drivers/usb/renesas_usbhs/common.c | 50 +++- drivers/usb/storage/unusual_uas.h | 7 + drivers/vfio/vfio_iommu_type1.c | 2 +- drivers/video/backlight/qcom-wled.c | 6 +- drivers/video/console/vgacon.c | 2 +- drivers/video/fbdev/core/fbcvt.c | 2 +- drivers/video/fbdev/core/fbmem.c | 4 +- drivers/watchdog/da9052_wdt.c | 1 + fs/configfs/dir.c | 2 +- fs/exfat/nls.c | 1 + fs/ext4/ext4.h | 7 + fs/ext4/extents.c | 39 ++- fs/ext4/file.c | 7 +- fs/ext4/inline.c | 2 +- fs/ext4/inode.c | 3 +- fs/ext4/ioctl.c | 8 +- fs/f2fs/data.c | 2 +- fs/f2fs/f2fs.h | 10 +- fs/f2fs/namei.c | 19 +- fs/f2fs/super.c | 12 +- fs/filesystems.c | 14 +- fs/gfs2/inode.c | 3 +- fs/gfs2/lock_dlm.c | 3 +- fs/jbd2/transaction.c | 5 +- fs/jffs2/erase.c | 4 +- fs/jffs2/scan.c | 4 +- fs/jffs2/summary.c | 7 +- fs/jfs/jfs_discard.c | 3 +- fs/jfs/jfs_dtree.c | 18 +- fs/namespace.c | 4 + fs/nfs/super.c | 19 ++ fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/nfssvc.c | 6 +- fs/nilfs2/btree.c | 4 +- fs/nilfs2/direct.c | 3 + fs/squashfs/super.c | 5 + include/acpi/actypes.h | 2 +- include/linux/arm_sdei.h | 4 +- include/linux/atmdev.h | 6 + include/linux/bpf.h | 26 +- include/linux/bpf_types.h | 6 +- include/linux/hid.h | 3 +- include/linux/hugetlb.h | 6 + include/linux/mlx5/driver.h | 1 + include/linux/mm.h | 3 + include/linux/mm_types.h | 3 + include/linux/skmsg.h | 18 ++ include/net/checksum.h | 2 +- include/net/sock.h | 11 +- include/net/tcp.h | 28 +- include/net/tls.h | 2 +- include/net/udp.h | 4 +- include/trace/events/erofs.h | 18 -- include/uapi/linux/bpf.h | 2 + include/uapi/linux/videodev2.h | 12 +- init/Kconfig | 1 + ipc/shm.c | 5 +- kernel/bpf/verifier.c | 175 +----------- kernel/events/core.c | 23 +- kernel/exit.c | 17 +- kernel/power/wakelock.c | 3 + kernel/time/clocksource.c | 2 +- kernel/time/posix-cpu-timers.c | 9 + kernel/trace/bpf_trace.c | 2 +- kernel/trace/ftrace.c | 10 +- kernel/trace/trace.c | 2 +- lib/Kconfig | 1 + mm/huge_memory.c | 2 +- mm/hugetlb.c | 117 +++++++- mm/mmap.c | 8 + mm/page-writeback.c | 2 +- net/Kconfig | 6 +- net/atm/common.c | 1 + net/atm/lec.c | 12 +- net/atm/raw.c | 2 +- net/bluetooth/l2cap_core.c | 3 +- net/bridge/netfilter/nf_conntrack_bridge.c | 12 +- net/core/Makefile | 6 +- net/core/filter.c | 5 +- net/core/skmsg.c | 145 +++++----- net/core/sock.c | 4 +- net/core/sock_map.c | 2 + net/core/utils.c | 4 +- net/ipv4/Makefile | 2 +- net/ipv4/inet_hashtables.c | 2 +- net/ipv4/route.c | 4 + net/ipv4/tcp.c | 21 +- net/ipv4/tcp_bpf.c | 8 +- net/ipv4/tcp_input.c | 74 ++--- net/ipv6/calipso.c | 8 + net/ipv6/ila/ila_common.c | 6 +- net/ipv6/netfilter.c | 12 +- net/ipv6/netfilter/nft_fib_ipv6.c | 13 +- net/mac80211/mesh_hwmp.c | 6 +- net/mpls/af_mpls.c | 4 +- net/ncsi/internal.h | 21 +- net/ncsi/ncsi-pkt.h | 23 +- net/ncsi/ncsi-rsp.c | 21 +- net/netfilter/nft_socket.c | 5 +- net/netfilter/nft_tunnel.c | 8 +- net/netlabel/netlabel_kapi.c | 5 + net/nfc/nci/uart.c | 8 +- net/openvswitch/flow.c | 2 +- net/sched/sch_ets.c | 10 +- net/sched/sch_prio.c | 2 +- net/sched/sch_red.c | 2 +- net/sched/sch_sfq.c | 117 +++++--- net/sched/sch_tbf.c | 2 +- net/sctp/socket.c | 3 +- net/sunrpc/cache.c | 17 +- net/tipc/crypto.c | 8 +- net/tipc/udp_media.c | 4 +- net/tls/tls_main.c | 4 +- net/tls/tls_sw.c | 9 +- scripts/Kbuild.include | 8 +- scripts/Kconfig.include | 2 +- scripts/as-version.sh | 2 +- scripts/gcc-plugins/gcc-common.h | 32 +++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 +-- security/selinux/xfrm.c | 2 +- sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/tas2770.c | 30 +- sound/soc/meson/meson-card-utils.c | 2 +- sound/soc/qcom/sdm845.c | 4 + sound/soc/tegra/tegra210_ahub.c | 2 + sound/usb/mixer_maps.c | 12 + tools/include/uapi/linux/bpf.h | 2 + tools/lib/bpf/nlattr.c | 15 +- tools/perf/Makefile.config | 2 + tools/perf/builtin-record.c | 2 +- tools/perf/scripts/python/exported-sql-viewer.py | 5 +- tools/perf/tests/switch-tracking.c | 2 +- tools/perf/ui/browsers/hists.c | 2 +- tools/testing/selftests/bpf/prog_tests/align.c | 36 +-- tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +- usr/include/Makefile | 2 +- 369 files changed, 3117 insertions(+), 1586 deletions(-)

3 weeks, 5 days

8
364
0 0

[PATCH 6.12 000/165] 6.12.39-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.39 release. There are 165 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 16:35:06 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.39-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.39-rc2 Michael Jeanson <mjeanson(a)efficios.com> rseq: Fix segfault on registration when rseq_cs is non-zero Lukas Wunner <lukas(a)wunner.de> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Mark Brown <broonie(a)kernel.org> arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: revert the adjustment of the IRQ vector sequence Gao Xiang <xiang(a)kernel.org> erofs: fix rare pcluster memory leak after unmounting Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Daniel J. Ogorchock <djogorchock(a)gmail.com> HID: nintendo: avoid bluetooth suspend/resume stalls Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Fangrui Song <i(a)maskray.me> riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Shuai Zhang <quic_shuaz(a)quicinc.com> driver: bluetooth: hci_qca:fix unable to load the BT driver Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirks for some Clevo laptops Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai <kirinode0(a)gmail.com> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add new prio for promiscuous mode Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix race between DIM disable and net_dim() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Hangbin Liu <liuhangbin(a)gmail.com> selftests: net: lib: fix shift count out of range Petr Machata <petrm(a)nvidia.com> selftests: net: lib: Move logging from forwarding/lib.sh here Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_readahead() Gao Xiang <xiang(a)kernel.org> erofs: refine readahead tracepoint Gao Xiang <xiang(a)kernel.org> erofs: tidy up zdata.c Gao Xiang <xiang(a)kernel.org> erofs: get rid of `z_erofs_next_pcluster_t` Chunhai Guo <guochunhai(a)vivo.com> erofs: free pclusters if no cached folio is attached Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Clear all LMTT pages on alloc Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Henry Martin <bsdhenrymartin(a)gmail.com> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/gsp: fix potential leak of memory used during acpi init Felix Fietkau <nbd(a)nbd.name> wifi: rt2x00: fix remove callback type mismatch Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix non-transmitted BSSID profile search Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: correctly identify S1G short beacon Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: cfg80211: fix S1G beacon head validation in nl80211 David Howells <dhowells(a)redhat.com> netfs: Fix ref leak on inserted extra subreq in write retry Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Gao Xiang <xiang(a)kernel.org> erofs: address D-cache aliasing Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Sascha Hauer <s.hauer(a)pengutronix.de> clk: scmi: Handle case where child clocks are initialized before their parents Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Xiaolei Wang <xiaolei.wang(a)windriver.com> clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Miguel Ojeda <ojeda(a)kernel.org> rust: init: allow `dead_code` warnings for Rust >= 1.89.0 Harry Yoo <harry.yoo(a)oracle.com> lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Zhe Qiao <qiaozhe(a)iscas.ac.cn> Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Allocate PF queue size on pow2 boundary Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" Matthew Auld <matthew.auld(a)intel.com> drm/xe/bmg: fix compressed VRAM handling Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Don't call mmput from MMU notifier callback Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix kernel crash when hard resetting the GPU Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong config for tx interrupt Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: prevent decap offload config before STA initialization Vitor Soares <vitor.soares(a)toradex.com> wifi: mwifiex: discard erroneous disassoc frames on STA interface Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Fix invalid state detection Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Haoxiang Li <haoxiang_li2024(a)163.com> net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Liam Merwick <liam.merwick(a)oracle.com> KVM: Allow CPU to reschedule while setting per-page memory attributes Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Nikunj A Dadhania <nikunj(a)amd.com> KVM: SVM: Add missing member in SNP_LAUNCH_START command structure David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Ensure user polling settings are honored when restarting timer Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Chintan Vankar <c-vankar(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: move the WoL function to shared library Kevin Brodsky <kevin.brodsky(a)arm.com> arm64: poe: Handle spurious Overlay faults Jason Xing <kernelxing(a)tencent.com> bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL kuyo chang <kuyo.chang(a)mediatek.com> sched/deadline: Fix dl_server runtime calculation formula Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix migrate_swap() vs. hotplug Nam Cao <namcao(a)linutronix.de> irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: add sof_sdw_get_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: soc-acpi: add get_function_tplg_files ops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Eric Biggers <ebiggers(a)kernel.org> crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Flora Cui <flora.cui(a)amd.com> drm/amdgpu/ip_discovery: add missing ip_discovery fw Flora Cui <flora.cui(a)amd.com> drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/arm64/kernel/cpufeature.c | 45 ++-- arch/arm64/kernel/process.c | 5 + arch/arm64/mm/fault.c | 30 ++- arch/riscv/kernel/vdso/vdso.lds.S | 2 +- arch/s390/crypto/sha1_s390.c | 2 + arch/s390/crypto/sha256_s390.c | 3 + arch/s390/crypto/sha512_s390.c | 3 + arch/um/drivers/vector_kern.c | 42 ++-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 ++- arch/x86/kernel/cpu/mce/core.c | 24 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- crypto/ecc.c | 2 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/bluetooth/hci_qca.c | 13 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/clk/clk-scmi.c | 20 +- drivers/clk/imx/clk-imx95-blk-ctl.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 30 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 ++-- drivers/gpu/drm/drm_framebuffer.c | 31 ++- drivers/gpu/drm/drm_gem.c | 74 +++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/imagination/pvr_power.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +- drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 + drivers/gpu/drm/xe/xe_lmtt.c | 11 + drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/gpu/drm/xe/xe_pci.c | 1 - drivers/gpu/drm/xe/xe_pm.c | 8 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-nintendo.c | 38 +++- drivers/hid/hid-quirks.c | 3 + drivers/irqchip/Kconfig | 1 + drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/renesas/rtsn.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +- drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 +- drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 3 +- drivers/net/phy/qcom/at803x.c | 27 --- drivers/net/phy/qcom/qca808x.c | 2 +- drivers/net/phy/qcom/qcom-phy-lib.c | 25 ++ drivers/net/phy/qcom/qcom.h | 5 + drivers/net/phy/smsc.c | 57 ++++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/marvell/mwifiex/util.c | 4 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/pci-acpi.c | 23 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/core.c | 2 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/free-space-tree.c | 16 +- fs/erofs/data.c | 21 +- fs/erofs/decompressor.c | 12 +- fs/erofs/fileio.c | 6 +- fs/erofs/internal.h | 2 +- fs/erofs/zdata.c | 251 +++++++++----------- fs/erofs/zutil.c | 7 +- fs/eventpoll.c | 12 +- fs/netfs/write_collect.c | 2 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/ieee80211.h | 45 +++- include/linux/math.h | 12 + include/linux/mm.h | 5 + include/linux/psp-sev.h | 2 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- include/sound/soc-acpi.h | 13 ++ include/trace/events/erofs.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/rseq.c | 60 ++++- kernel/sched/core.c | 5 + kernel/sched/deadline.c | 10 +- kernel/stop_machine.c | 20 +- lib/alloc_tag.c | 3 + lib/maple_tree.c | 1 + mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 ++++-- net/bluetooth/hci_event.c | 3 + net/bluetooth/hci_sync.c | 2 +- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/mac80211/mlme.c | 7 +- net/mac80211/parse.c | 6 +- net/netlink/af_netlink.c | 90 +++++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 ++++- net/wireless/nl80211.c | 7 +- net/wireless/util.c | 52 ++++- rust/kernel/init/macros.rs | 2 + scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++++ scripts/gdb/linux/xarray.py | 28 +++ sound/isa/ad1816a/ad1816a.c | 2 +- sound/pci/hda/patch_realtek.c | 7 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- sound/soc/intel/boards/Kconfig | 1 + sound/soc/intel/common/Makefile | 2 +- sound/soc/intel/common/soc-acpi-intel-arl-match.c | 66 +++++- sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 ++ sound/soc/sof/intel/hda.c | 6 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/include/linux/kallsyms.h | 4 + tools/testing/selftests/bpf/test_lru_map.c | 105 ++++----- tools/testing/selftests/net/forwarding/lib.sh | 113 --------- tools/testing/selftests/net/lib.sh | 115 ++++++++++ virt/kvm/kvm_main.c | 3 + 175 files changed, 2014 insertions(+), 880 deletions(-)

3 weeks, 5 days

10
9
0 0

[PATCH 6.15 000/192] 6.15.7-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.7 release. There are 192 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.7-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.7-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Nikunj A Dadhania <nikunj(a)amd.com> x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: revert the adjustment of the IRQ vector sequence Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Daniel J. Ogorchock <djogorchock(a)gmail.com> HID: nintendo: avoid bluetooth suspend/resume stalls Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Fangrui Song <i(a)maskray.me> riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Shuai Zhang <quic_shuaz(a)quicinc.com> driver: bluetooth: hci_qca:fix unable to load the BT driver Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirks for some Clevo laptops Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Jack Yu <jack.yu(a)realtek.com> ASoC: rt721-sdca: fix boost gain calculation error Tamura Dai <kirinode0(a)gmail.com> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Flush FW trace before copying to the coredump Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add new prio for promiscuous mode Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix race between DIM disable and net_dim() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Reset bw_share field when changing a node's parent Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Restore display pm if there is error after display suspend Hangbin Liu <liuhangbin(a)gmail.com> selftests: net: lib: fix shift count out of range Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: add the virtual monitor after reconfig complete Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_readahead() Gao Xiang <xiang(a)kernel.org> erofs: refine readahead tracepoint Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Clear all LMTT pages on alloc Pankaj Raghav <p.raghav(a)samsung.com> block: reject bs > ps block devices when THP is disabled Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Henry Martin <bsdhenrymartin(a)gmail.com> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Remove RCU section in mt7996_mac_sta_rc_work() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl_fixed() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Move RCU section in mt7996_mcu_set_fixed_field() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: Assume __mt76_connac_mcu_alloc_sta_req runs in atomic context Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/gsp: fix potential leak of memory used during acpi init Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zcrx: fix pp destruction warnings Felix Fietkau <nbd(a)nbd.name> wifi: rt2x00: fix remove callback type mismatch Moon Hee Lee <moonhee.lee.ca(a)gmail.com> wifi: mac80211: reject VHT opmode for unsupported channel widths Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix non-transmitted BSSID profile search Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: correctly identify S1G short beacon Zheng Qixing <zhengqixing(a)huawei.com> md/raid1,raid10: strip REQ_NOWAIT from member bios Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: cfg80211: fix S1G beacon head validation in nl80211 Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Gao Xiang <xiang(a)kernel.org> erofs: fix large fragment handling Gao Xiang <xiang(a)kernel.org> erofs: address D-cache aliasing Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Sascha Hauer <s.hauer(a)pengutronix.de> clk: scmi: Handle case where child clocks are initialized before their parents Julien Massot <julien.massot(a)collabora.com> dt-bindings: clock: mediatek: Add #reset-cells property for MT8188 Mikhail Paulyshka <me(a)mixaill.net> x86/CPU/AMD: Disable INVLPGB on Zen2 Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Xiaolei Wang <xiaolei.wang(a)windriver.com> clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Harry Yoo <harry.yoo(a)oracle.com> lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: fix damon sample wsse for start failure Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: fix damon sample prcl for start failure Honggyu Kim <honggyu.kim(a)sk.com> mm/damon: fix divide by zero in damon_get_intervals_score() SeongJae Park <sj(a)kernel.org> mm/damon/core: handle damon_call_control as normal under kdmond deactivation Lance Yang <lance.yang(a)linux.dev> mm/rmap: fix potential out-of-bounds page table access during batched unmap Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Illia Ostapyshyn <illia(a)yshyn.com> scripts: gdb: vfs: support external dentry names Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Zhe Qiao <qiaozhe(a)iscas.ac.cn> Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Allocate PF queue size on pow2 boundary Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Aaron Thompson <dev(a)aaront.org> drm/nouveau: Do not fail module init on debugfs errors Matthew Brost <matthew.brost(a)intel.com> Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" Matthew Auld <matthew.auld(a)intel.com> drm/xe/bmg: fix compressed VRAM handling Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add hqd_sdma_get_doorbell callbacks for gfx7/8 Kent Russell <kent.russell(a)amd.com> drm/amdgpu: Include sdma_4_4_4.bin Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Don't call mmput from MMU notifier callback Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix kernel crash when hard resetting the GPU Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong config for tx interrupt Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: prevent decap offload config before STA initialization Vitor Soares <vitor.soares(a)toradex.com> wifi: mwifiex: discard erroneous disassoc frames on STA interface Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Fix invalid state detection Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Miquel Raynal <miquel.raynal(a)bootlin.com> pinctrl: nuvoton: Fix boot on ma35dx platforms Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Hugo Villeneuve <hvilleneuve(a)dimonoff.com> gpiolib: fix performance regression when using gpio_chip_get_multiple() Haoxiang Li <haoxiang_li2024(a)163.com> net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Mark Brown <broonie(a)kernel.org> arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> sched: Fix preemption string of preempt_dynamic_none Liam Merwick <liam.merwick(a)oracle.com> KVM: Allow CPU to reschedule while setting per-page memory attributes Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Nikunj A Dadhania <nikunj(a)amd.com> KVM: SVM: Add missing member in SNP_LAUNCH_START command structure Manuel Andreas <manuel.andreas(a)tum.de> KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Ensure user polling settings are honored when restarting timer Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Eric Biggers <ebiggers(a)kernel.org> crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Chintan Vankar <c-vankar(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Petr Pavlu <petr.pavlu(a)suse.com> module: Fix memory deallocation on error path in move_module() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: airoha: Fix an error handling path in airoha_probe() Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: move the WoL function to shared library Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/mm: Drop wrong writes into TCR2_EL1 Kevin Brodsky <kevin.brodsky(a)arm.com> arm64: poe: Handle spurious Overlay faults Jason Xing <kernelxing(a)tencent.com> bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL kuyo chang <kuyo.chang(a)mediatek.com> sched/deadline: Fix dl_server runtime calculation formula Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix attempting to send HCI_Disconnect to BIS handle Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Remove check of BDADDR_ANY in hci_conn_hash_lookup_big_state Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Heiko Carstens <hca(a)linux.ibm.com> objtool: Add missing endian conversion to read_annotate() Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix migrate_swap() vs. hotplug Nam Cao <namcao(a)linutronix.de> irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Shiju Jose <shiju.jose(a)huawei.com> EDAC: Initialize EDAC features sysfs attributes Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: add sof_sdw_get_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: soc-acpi: add get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- .../bindings/clock/mediatek,mt8188-clock.yaml | 3 + Makefile | 4 +- arch/arm64/kernel/cpufeature.c | 57 +++-- arch/arm64/kernel/process.c | 5 + arch/arm64/mm/fault.c | 30 ++- arch/arm64/mm/proc.S | 1 - arch/riscv/kernel/vdso/vdso.lds.S | 2 +- arch/s390/crypto/sha1_s390.c | 2 + arch/s390/crypto/sha256_s390.c | 3 + arch/s390/crypto/sha512_s390.c | 3 + arch/um/drivers/vector_kern.c | 42 ++-- arch/x86/Kconfig | 2 +- arch/x86/coco/sev/core.c | 22 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/include/asm/sev.h | 17 +- arch/x86/kernel/cpu/amd.c | 10 + arch/x86/kernel/cpu/mce/amd.c | 28 ++- arch/x86/kernel/cpu/mce/core.c | 24 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/hyperv.c | 3 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/bluetooth/hci_qca.c | 13 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/clk/clk-scmi.c | 20 +- drivers/clk/imx/clk-imx95-blk-ctl.c | 12 +- drivers/edac/ecs.c | 4 +- drivers/edac/mem_repair.c | 1 + drivers/edac/scrub.c | 1 + drivers/gpio/gpiolib.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v8.c | 8 + drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 ++-- drivers/gpu/drm/drm_framebuffer.c | 31 ++- drivers/gpu/drm/drm_gem.c | 74 +++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/imagination/pvr_power.c | 4 +- drivers/gpu/drm/nouveau/nouveau_debugfs.c | 6 +- drivers/gpu/drm/nouveau/nouveau_debugfs.h | 5 +- drivers/gpu/drm/nouveau/nouveau_drm.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +- drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 + drivers/gpu/drm/xe/xe_lmtt.c | 11 + drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/gpu/drm/xe/xe_pci.c | 1 - drivers/gpu/drm/xe/xe_pm.c | 11 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-nintendo.c | 38 +++- drivers/hid/hid-quirks.c | 3 + drivers/irqchip/Kconfig | 1 + drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 12 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/airoha/airoha_eth.c | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 18 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/renesas/rtsn.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +- drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 +- drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 3 +- drivers/net/phy/qcom/at803x.c | 27 --- drivers/net/phy/qcom/qca808x.c | 2 +- drivers/net/phy/qcom/qcom-phy-lib.c | 25 ++ drivers/net/phy/qcom/qcom.h | 5 + drivers/net/phy/smsc.c | 57 ++++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/marvell/mwifiex/util.c | 4 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 40 +--- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 188 ++++++++++----- drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 16 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/pci-acpi.c | 23 +- drivers/pinctrl/nuvoton/pinctrl-ma35.c | 10 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/core.c | 2 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/free-space-tree.c | 16 +- fs/erofs/data.c | 21 +- fs/erofs/decompressor.c | 12 +- fs/erofs/fileio.c | 6 +- fs/erofs/internal.h | 6 +- fs/erofs/zdata.c | 13 +- fs/erofs/zmap.c | 9 +- fs/eventpoll.c | 12 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/blkdev.h | 5 + include/linux/ieee80211.h | 45 +++- include/linux/io_uring_types.h | 2 + include/linux/mm.h | 5 + include/linux/psp-sev.h | 2 + include/net/af_vsock.h | 2 +- include/net/bluetooth/hci_core.h | 3 +- include/net/netfilter/nf_flow_table.h | 2 +- include/sound/soc-acpi.h | 13 ++ include/trace/events/erofs.h | 2 +- io_uring/msg_ring.c | 4 +- io_uring/opdef.c | 1 + io_uring/zcrx.c | 3 - kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/module/main.c | 4 +- kernel/sched/core.c | 7 +- kernel/sched/deadline.c | 10 +- kernel/stop_machine.c | 20 +- lib/alloc_tag.c | 3 + lib/maple_tree.c | 1 + mm/damon/core.c | 8 +- mm/kasan/report.c | 45 +--- mm/rmap.c | 46 ++-- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 ++++-- net/bluetooth/hci_event.c | 3 + net/bluetooth/hci_sync.c | 4 +- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/mac80211/cfg.c | 14 ++ net/mac80211/mlme.c | 7 +- net/mac80211/parse.c | 6 +- net/mac80211/util.c | 9 +- net/netlink/af_netlink.c | 90 +++++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 ++++- net/wireless/nl80211.c | 7 +- net/wireless/util.c | 52 ++++- samples/damon/prcl.c | 8 +- samples/damon/wsse.c | 8 +- scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++++ scripts/gdb/linux/vfs.py | 2 +- scripts/gdb/linux/xarray.py | 28 +++ sound/isa/ad1816a/ad1816a.c | 2 +- sound/pci/hda/patch_realtek.c | 10 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/codecs/rt721-sdca.c | 23 +- sound/soc/fsl/fsl_asrc.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- sound/soc/intel/boards/Kconfig | 1 + sound/soc/intel/common/Makefile | 2 +- sound/soc/intel/common/soc-acpi-intel-arl-match.c | 21 +- sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 ++ sound/soc/sof/intel/hda.c | 6 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/include/linux/kallsyms.h | 4 + tools/objtool/check.c | 1 + tools/testing/selftests/bpf/test_lru_map.c | 105 ++++----- tools/testing/selftests/net/lib.sh | 2 +- virt/kvm/kvm_main.c | 3 + 203 files changed, 2012 insertions(+), 833 deletions(-)

3 weeks, 5 days

20
212
0 0

[PATCH net v2 5/5] rxrpc: Fix to use conn aborts for conn-wide failures

by David Howells

Fix rxrpc to use connection-level aborts for things that affect the whole connection, such as the service ID not matching a local service. Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure") Reported-by: Jeffrey Altman <jaltman(a)auristor.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- Notes: Changes ======= ver #2) - Moved trace note declaration out to earlier patch that uses it net/rxrpc/ar-internal.h | 3 +++ net/rxrpc/call_accept.c | 12 ++++++------ net/rxrpc/io_thread.c | 14 ++++++++++++++ net/rxrpc/output.c | 19 ++++++++++--------- net/rxrpc/security.c | 8 ++++---- 5 files changed, 37 insertions(+), 19 deletions(-) diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index df1a618dbf7d..5b7342d43486 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -44,6 +44,7 @@ enum rxrpc_skb_mark { RXRPC_SKB_MARK_SERVICE_CONN_SECURED, /* Service connection response has been verified */ RXRPC_SKB_MARK_REJECT_BUSY, /* Reject with BUSY */ RXRPC_SKB_MARK_REJECT_ABORT, /* Reject with ABORT (code in skb->priority) */ + RXRPC_SKB_MARK_REJECT_CONN_ABORT, /* Reject with connection ABORT (code in skb->priority) */ }; /* @@ -1253,6 +1254,8 @@ int rxrpc_encap_rcv(struct sock *, struct sk_buff *); void rxrpc_error_report(struct sock *); bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, s32 abort_code, int err); +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err); int rxrpc_io_thread(void *data); void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb); static inline void rxrpc_wake_up_io_thread(struct rxrpc_local *local) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index a4d76f2da684..00982a030744 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -374,8 +374,8 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_lock(&rx->incoming_lock); if (rx->sk.sk_state == RXRPC_SERVER_LISTEN_DISABLED || rx->sk.sk_state == RXRPC_CLOSE) { - rxrpc_direct_abort(skb, rxrpc_abort_shut_down, - RX_INVALID_OPERATION, -ESHUTDOWN); + rxrpc_direct_conn_abort(skb, rxrpc_abort_shut_down, + RX_INVALID_OPERATION, -ESHUTDOWN); goto no_call; } @@ -422,12 +422,12 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, unsupported_service: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EOPNOTSUPP); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EOPNOTSUPP); unsupported_security: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EKEYREJECTED); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EKEYREJECTED); no_call: spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index 27b650d30f4d..e939ecf417c4 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c @@ -97,6 +97,20 @@ bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, return false; } +/* + * Directly produce a connection abort from a packet. + */ +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err) +{ + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + + trace_rxrpc_abort(0, why, sp->hdr.cid, 0, sp->hdr.seq, abort_code, err); + skb->mark = RXRPC_SKB_MARK_REJECT_CONN_ABORT; + skb->priority = abort_code; + return false; +} + static bool rxrpc_bad_message(struct sk_buff *skb, enum rxrpc_abort_reason why) { return rxrpc_direct_abort(skb, why, RX_PROTOCOL_ERROR, -EBADMSG); diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index 17c33b5cf7dd..8b5903b6e481 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -829,7 +829,13 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) msg.msg_controllen = 0; msg.msg_flags = 0; - memset(&whdr, 0, sizeof(whdr)); + whdr = (struct rxrpc_wire_header) { + .epoch = htonl(sp->hdr.epoch), + .cid = htonl(sp->hdr.cid), + .callNumber = htonl(sp->hdr.callNumber), + .serviceId = htons(sp->hdr.serviceId), + .flags = ~sp->hdr.flags & RXRPC_CLIENT_INITIATED, + }; switch (skb->mark) { case RXRPC_SKB_MARK_REJECT_BUSY: @@ -837,6 +843,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) size = sizeof(whdr); ioc = 1; break; + case RXRPC_SKB_MARK_REJECT_CONN_ABORT: + whdr.callNumber = 0; + fallthrough; case RXRPC_SKB_MARK_REJECT_ABORT: whdr.type = RXRPC_PACKET_TYPE_ABORT; code = htonl(skb->priority); @@ -850,14 +859,6 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) if (rxrpc_extract_addr_from_skb(&srx, skb) == 0) { msg.msg_namelen = srx.transport_len; - whdr.epoch = htonl(sp->hdr.epoch); - whdr.cid = htonl(sp->hdr.cid); - whdr.callNumber = htonl(sp->hdr.callNumber); - whdr.serviceId = htons(sp->hdr.serviceId); - whdr.flags = sp->hdr.flags; - whdr.flags ^= RXRPC_CLIENT_INITIATED; - whdr.flags &= RXRPC_CLIENT_INITIATED; - iov_iter_kvec(&msg.msg_iter, WRITE, iov, ioc, size); ret = do_udp_sendmsg(local->socket, &msg, size); if (ret < 0) diff --git a/net/rxrpc/security.c b/net/rxrpc/security.c index 078d91a6b77f..2bfbf2b2bb37 100644 --- a/net/rxrpc/security.c +++ b/net/rxrpc/security.c @@ -140,15 +140,15 @@ const struct rxrpc_security *rxrpc_get_incoming_security(struct rxrpc_sock *rx, sec = rxrpc_security_lookup(sp->hdr.securityIndex); if (!sec) { - rxrpc_direct_abort(skb, rxrpc_abort_unsupported_security, - RX_INVALID_OPERATION, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_unsupported_security, + RX_INVALID_OPERATION, -EKEYREJECTED); return NULL; } if (sp->hdr.securityIndex != RXRPC_SECURITY_NONE && !rx->securities) { - rxrpc_direct_abort(skb, rxrpc_abort_no_service_key, - sec->no_key_abort, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_no_service_key, + sec->no_key_abort, -EKEYREJECTED); return NULL; }

3 weeks, 5 days

1
0
0 0

[PATCH net v2 4/5] rxrpc: Fix transmission of an abort in response to an abort

by David Howells

Under some circumstances, such as when a server socket is closing, ABORT packets will be generated in response to incoming packets. Unfortunately, this also may include generating aborts in response to incoming aborts - which may cause a cycle. It appears this may be made possible by giving the client a multicast address. Fix this such that rxrpc_reject_packet() will refuse to generate aborts in response to aborts. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Linus Torvalds <torvalds(a)linux-foundation.org> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/output.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index ef7b3096c95e..17c33b5cf7dd 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -814,6 +814,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) __be32 code; int ret, ioc; + if (sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) + return; /* Never abort an abort. */ + rxrpc_see_skb(skb, rxrpc_skb_see_reject); iov[0].iov_base = &whdr;

3 weeks, 5 days

1
0
0 0

[PATCH net v2 3/5] rxrpc: Fix notification vs call-release vs recvmsg

by David Howells

When a call is released, rxrpc takes the spinlock and removes it from ->recvmsg_q in an effort to prevent racing recvmsg() invocations from seeing the same call. Now, rxrpc_recvmsg() only takes the spinlock when actually removing a call from the queue; it doesn't, however, take it in the lead up to that when it checks to see if the queue is empty. It *does* hold the socket lock, which prevents a recvmsg/recvmsg race - but this doesn't prevent sendmsg from ending the call because sendmsg() drops the socket lock and relies on the call->user_mutex. Fix this by firstly removing the bit in rxrpc_release_call() that dequeues the released call and, instead, rely on recvmsg() to simply discard released calls (done in a preceding fix). Secondly, rxrpc_notify_socket() is abandoned if the call is already marked as released rather than trying to be clever by setting both pointers in call->recvmsg_link to NULL to trick list_empty(). This isn't perfect and can still race, resulting in a released call on the queue, but recvmsg() will now clean that up. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- Notes: Changes ======= ver #2) - Moved in missing trace note declaration from later patch include/trace/events/rxrpc.h | 3 ++- net/rxrpc/call_object.c | 28 ++++++++++++---------------- net/rxrpc/recvmsg.c | 4 ++++ 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index e7dcfb1369b6..de6f6d25767c 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -322,10 +322,10 @@ EM(rxrpc_call_put_kernel, "PUT kernel ") \ EM(rxrpc_call_put_poke, "PUT poke ") \ EM(rxrpc_call_put_recvmsg, "PUT recvmsg ") \ + EM(rxrpc_call_put_release_recvmsg_q, "PUT rls-rcmq") \ EM(rxrpc_call_put_release_sock, "PUT rls-sock") \ EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \ EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \ - EM(rxrpc_call_put_unnotify, "PUT unnotify") \ EM(rxrpc_call_put_userid_exists, "PUT u-exists") \ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ @@ -338,6 +338,7 @@ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_notify_released, "SEE nfy-rlsd") \ EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 15067ff7b1f2..918f41d97a2f 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -561,7 +561,7 @@ static void rxrpc_cleanup_rx_buffers(struct rxrpc_call *call) void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) { struct rxrpc_connection *conn = call->conn; - bool put = false, putu = false; + bool putu = false; _enter("{%d,%d}", call->debug_id, refcount_read(&call->ref)); @@ -573,23 +573,13 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) rxrpc_put_call_slot(call); - /* Make sure we don't get any more notifications */ + /* Note that at this point, the call may still be on or may have been + * added back on to the socket receive queue. recvmsg() must discard + * released calls. The CALL_RELEASED flag should prevent further + * notifications. + */ spin_lock_irq(&rx->recvmsg_lock); - - if (!list_empty(&call->recvmsg_link)) { - _debug("unlinking once-pending call %p { e=%lx f=%lx }", - call, call->events, call->flags); - list_del(&call->recvmsg_link); - put = true; - } - - /* list_empty() must return false in rxrpc_notify_socket() */ - call->recvmsg_link.next = NULL; - call->recvmsg_link.prev = NULL; - spin_unlock_irq(&rx->recvmsg_lock); - if (put) - rxrpc_put_call(call, rxrpc_call_put_unnotify); write_lock(&rx->call_lock); @@ -638,6 +628,12 @@ void rxrpc_release_calls_on_socket(struct rxrpc_sock *rx) rxrpc_put_call(call, rxrpc_call_put_release_sock); } + while ((call = list_first_entry_or_null(&rx->recvmsg_q, + struct rxrpc_call, recvmsg_link))) { + list_del_init(&call->recvmsg_link); + rxrpc_put_call(call, rxrpc_call_put_release_recvmsg_q); + } + _leave(""); } diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 6990e37697de..7fa7e77f6bb9 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -29,6 +29,10 @@ void rxrpc_notify_socket(struct rxrpc_call *call) if (!list_empty(&call->recvmsg_link)) return; + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_notify_released); + return; + } rcu_read_lock();

3 weeks, 5 days

1
0
0 0

[PATCH net v2 2/5] rxrpc: Fix recv-recv race of completed call

by David Howells

If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in and its recvmsg can pop the call off the socket queue again. In such a case, the first thread will be receiving stuff from the call and the second thread will be blocked on call->user_mutex. The first thread can, at this point, process both the event that it picked call for and the event that the second thread picked the call for and may see the call terminate - in which case the call will be "released", decoupling the call from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control message). The first thread will return okay, but then the second thread will wake up holding the user_mutex and, if it sees that the call has been released by the first thread, it will BUG thusly: kernel BUG at net/rxrpc/recvmsg.c:474! Fix this by just dequeuing the call and ignoring it if it is seen to be already released. We can't tell userspace about it anyway as the user call ID has become stale. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 3 +++ net/rxrpc/call_accept.c | 1 + net/rxrpc/recvmsg.c | 19 +++++++++++++++++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 378d2dfc7392..e7dcfb1369b6 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -330,12 +330,15 @@ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ EM(rxrpc_call_see_activate_client, "SEE act-clnt") \ + EM(rxrpc_call_see_already_released, "SEE alrdy-rl") \ EM(rxrpc_call_see_connect_failed, "SEE con-fail") \ EM(rxrpc_call_see_connected, "SEE connect ") \ EM(rxrpc_call_see_conn_abort, "SEE conn-abt") \ + EM(rxrpc_call_see_discard, "SEE discard ") \ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 226b4bf82747..a4d76f2da684 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -219,6 +219,7 @@ void rxrpc_discard_prealloc(struct rxrpc_sock *rx) tail = b->call_backlog_tail; while (CIRC_CNT(head, tail, size) > 0) { struct rxrpc_call *call = b->call_backlog[tail]; + rxrpc_see_call(call, rxrpc_call_see_discard); rcu_assign_pointer(call->socket, rx); if (rx->app_ops && rx->app_ops->discard_new_call) { diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 86a27fb55a1c..6990e37697de 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -447,6 +447,16 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, goto try_again; } + rxrpc_see_call(call, rxrpc_call_see_recvmsg); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + list_del_init(&call->recvmsg_link); + spin_unlock_irq(&rx->recvmsg_lock); + release_sock(&rx->sk); + trace_rxrpc_recvmsg(call->debug_id, rxrpc_recvmsg_unqueue, 0); + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } if (!(flags & MSG_PEEK)) list_del_init(&call->recvmsg_link); else @@ -470,8 +480,13 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, release_sock(&rx->sk); - if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) - BUG(); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + mutex_unlock(&call->user_mutex); + if (!(flags & MSG_PEEK)) + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } ret = rxrpc_recvmsg_user_id(call, msg, flags); if (ret < 0)

3 weeks, 5 days

1
0
0 0

[PATCH net v2 1/5] rxrpc: Fix irq-disabled in local_bh_enable()

by David Howells

The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. Unfortunately, the IP layer uses local_bh_enable() which, config dependent, throws a warning if IRQs are enabled: WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0 ... RIP: 0010:__local_bh_enable_ip+0x43/0xd0 ... Call Trace: <TASK> rt_cache_route+0x7e/0xa0 rt_set_nexthop.isra.0+0x3b3/0x3f0 __mkroute_output+0x43a/0x460 ip_route_output_key_hash+0xf7/0x140 ip_route_output_flow+0x1b/0x90 rxrpc_assess_MTU_size.isra.0+0x2a0/0x590 rxrpc_new_incoming_peer+0x46/0x120 rxrpc_alloc_incoming_call+0x1b1/0x400 rxrpc_new_incoming_call+0x1da/0x5e0 rxrpc_input_packet+0x827/0x900 rxrpc_io_thread+0x403/0xb60 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 ... hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50 hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70 softirqs last enabled at (0): copy_process+0xc61/0x2730 softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90 Fix this by moving the call to rxrpc_assess_MTU_size() out of rxrpc_init_peer() and further up the stack where it can be done without interrupts disabled. It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the locks are dropped as pmtud is going to be performed by the I/O thread - and we're in the I/O thread at this point. Fixes: a2ea9a907260 ("rxrpc: Use irq-disabling spinlocks between app and I/O thread") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/ar-internal.h | 1 + net/rxrpc/call_accept.c | 1 + net/rxrpc/peer_object.c | 6 ++---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 376e33dce8c1..df1a618dbf7d 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -1383,6 +1383,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *, const struct sockaddr_rxrpc *); struct rxrpc_peer *rxrpc_lookup_peer(struct rxrpc_local *local, struct sockaddr_rxrpc *srx, gfp_t gfp); +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer); struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *, gfp_t, enum rxrpc_peer_trace); void rxrpc_new_incoming_peer(struct rxrpc_local *local, struct rxrpc_peer *peer); diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 49fccee1a726..226b4bf82747 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -406,6 +406,7 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); + rxrpc_assess_MTU_size(local, call->peer); if (hlist_unhashed(&call->error_link)) { spin_lock_irq(&call->peer->lock); diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c index e2f35e6c04d6..366431b0736c 100644 --- a/net/rxrpc/peer_object.c +++ b/net/rxrpc/peer_object.c @@ -149,8 +149,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *local, * assess the MTU size for the network interface through which this peer is * reached */ -static void rxrpc_assess_MTU_size(struct rxrpc_local *local, - struct rxrpc_peer *peer) +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer) { struct net *net = local->net; struct dst_entry *dst; @@ -277,8 +276,6 @@ static void rxrpc_init_peer(struct rxrpc_local *local, struct rxrpc_peer *peer, peer->hdrsize += sizeof(struct rxrpc_wire_header); peer->max_data = peer->if_mtu - peer->hdrsize; - - rxrpc_assess_MTU_size(local, peer); } /* @@ -297,6 +294,7 @@ static struct rxrpc_peer *rxrpc_create_peer(struct rxrpc_local *local, if (peer) { memcpy(&peer->srx, srx, sizeof(*srx)); rxrpc_init_peer(local, peer, hash_key); + rxrpc_assess_MTU_size(local, peer); } _leave(" = %p", peer);

3 weeks, 5 days

1
0
0 0

[PATCH v2] arm64: dts: qcom: qcs615: add missing dt property in QUP SEs

by Viken Dadhaniya

Add the missing required-opps and operating-points-v2 properties to several I2C, SPI, and UART nodes in the QUP SEs. Fixes: f6746dc9e379 ("arm64: dts: qcom: qcs615: Add QUPv3 configuration") Cc: stable(a)vger.kernel.org Signed-off-by: Viken Dadhaniya <viken.dadhaniya(a)oss.qualcomm.com> --- v1 -> v2: - Added Fixes and Cc tag. v1 Link: https://lore.kernel.org/all/20250626102826.3422984-1-viken.dadhaniya@oss.qu… --- --- arch/arm64/boot/dts/qcom/qcs615.dtsi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/qcs615.dtsi b/arch/arm64/boot/dts/qcom/qcs615.dtsi index bfbb21035492..e033b53f0f0f 100644 --- a/arch/arm64/boot/dts/qcom/qcs615.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi @@ -631,6 +631,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, interconnect-names = "qup-core", "qup-config"; power-domains = <&rpmhpd RPMHPD_CX>; + operating-points-v2 = <&qup_opp_table>; status = "disabled"; }; @@ -654,6 +655,7 @@ &config_noc SLAVE_QUP_0 QCOM_ICC_TAG_ALWAYS>, "qup-config", "qup-memory"; power-domains = <&rpmhpd RPMHPD_CX>; + required-opps = <&rpmhpd_opp_low_svs>; dmas = <&gpi_dma0 0 1 QCOM_GPI_I2C>, <&gpi_dma0 1 1 QCOM_GPI_I2C>; dma-names = "tx", @@ -681,6 +683,7 @@ &config_noc SLAVE_QUP_0 QCOM_ICC_TAG_ALWAYS>, "qup-config", "qup-memory"; power-domains = <&rpmhpd RPMHPD_CX>; + required-opps = <&rpmhpd_opp_low_svs>; dmas = <&gpi_dma0 0 2 QCOM_GPI_I2C>, <&gpi_dma0 1 2 QCOM_GPI_I2C>; dma-names = "tx", @@ -703,6 +706,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, interconnect-names = "qup-core", "qup-config"; power-domains = <&rpmhpd RPMHPD_CX>; + operating-points-v2 = <&qup_opp_table>; dmas = <&gpi_dma0 0 2 QCOM_GPI_SPI>, <&gpi_dma0 1 2 QCOM_GPI_SPI>; dma-names = "tx", @@ -728,6 +732,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, interconnect-names = "qup-core", "qup-config"; power-domains = <&rpmhpd RPMHPD_CX>; + operating-points-v2 = <&qup_opp_table>; status = "disabled"; }; @@ -751,6 +756,7 @@ &config_noc SLAVE_QUP_0 QCOM_ICC_TAG_ALWAYS>, "qup-config", "qup-memory"; power-domains = <&rpmhpd RPMHPD_CX>; + required-opps = <&rpmhpd_opp_low_svs>; dmas = <&gpi_dma0 0 3 QCOM_GPI_I2C>, <&gpi_dma0 1 3 QCOM_GPI_I2C>; dma-names = "tx", -- 2.34.1

3 weeks, 5 days

3
2
0 0

[PATCH] ext4: check fast symlink for ea_inode correctly

by Andreas Dilger

The check for a fast symlink in the presence of only an external xattr inode is incorrect. If a fast symlink does not have an xattr block (i_file_acl == 0), but does have an external xattr inode that increases inode i_blocks, then the check for a fast symlink will incorrectly fail and __ext4_iget()->ext4_ind_check_inode() will report the inode is corrupt when it "validates" i_data[] on the next read: # ln -s foo /mnt/tmp/bar # setfattr -h -n trusted.test \ -v "$(yes | head -n 4000)" /mnt/tmp/bar # umount /mnt/tmp # mount /mnt/tmp # ls -l /mnt/tmp ls: cannot access '/mnt/tmp/bar': Structure needs cleaning total 4 ? l?????????? ? ? ? ? ? bar # dmesg | tail -1 EXT4-fs error (device dm-8): __ext4_iget:5098: inode #24578: block 7303014: comm ls: invalid block (note that "block 7303014" = 0x6f6f66 = "foo" in LE order). ext4_inode_is_fast_symlink() should check the superblock EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode EXT4_EA_INODE_FL, since the latter is only set on the xattr inode itself, and not on the inode that uses this xattr. Cc: stable(a)vger.kernel.org Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems") Signed-off-by: Andreas Dilger <adilger(a)whamcloud.com> Reviewed-by: Li Dongyang <dongyangli(a)ddn.com> Reviewed-by: Alex Zhuravlev <bzzz(a)whamcloud.com> Reviewed-by: Oleg Drokin <green(a)whamcloud.com> Reviewed-on: https://review.whamcloud.com/59879 Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121 --- fs/ext4/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index be9a4cba35fd..caca88521c75 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -146,7 +146,7 @@ static inline int ext4_begin_ordered_truncate(struct inode *inode, */ int ext4_inode_is_fast_symlink(struct inode *inode) { - if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { + if (!ext4_has_feature_ea_inode(inode->i_sb)) { int ea_blocks = EXT4_I(inode)->i_file_acl ? EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0; -- 2.43.5

3 weeks, 5 days

1
0
0 0

[PATCH] i2c: qup: jump out of the loop in case of timeout

by Yang Xiwen via B4 Relay

From: Yang Xiwen <forbidden405(a)outlook.com> Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only sets the return value, but also jumps out of the loop and return to the caller with -ETIMEDOUT. Cc: stable(a)vger.kernel.org Signed-off-by: Yang Xiwen <forbidden405(a)outlook.com> --- drivers/i2c/busses/i2c-qup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c index 3a36d682ed57..5b053e51f4c9 100644 --- a/drivers/i2c/busses/i2c-qup.c +++ b/drivers/i2c/busses/i2c-qup.c @@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup_i2c_dev *qup, int len) if (!(status & I2C_STATUS_BUS_ACTIVE)) break; - if (time_after(jiffies, timeout)) + if (time_after(jiffies, timeout)) { ret = -ETIMEDOUT; + break; + } usleep_range(len, len * 2); } --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250615-qca-i2c-d41bb61aa59e Best regards, -- Yang Xiwen <forbidden405(a)outlook.com>

3 weeks, 5 days

4
3
0 0

Access Target Contacts from the GSX 2025 Audience

by Lena Schwekendiek

Hi , Planning to get the GSX 2025 attendee list? Expo Name: Global Security Exchange (GSX) 2025 Total Number of records: 17,000 records List includes: Company Name, Contact Name, Job Title, Mailing Address, Phone, Emails, etc. Interested in moving forward with these leads? Let me know, and I'll share the price. Can't wait for your reply Regards Lena Marketing Manager Pro Tech Insights., Please reply with REMOVE if you don't wish to receive further emails

3 weeks, 5 days

1
0
0 0

[PATCH 1/7] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> On g4x we currently use the 96MHz non-SSC refclk, which can't actually generate an exact 2.7 Gbps link rate. In practice we end up with 2.688 Gbps which seems to be close enough to actually work, but link training is currently failing due to miscalculating the DP_LINK_BW value (we calcualte it directly from port_clock which reflects the actual PLL outpout frequency). Ideas how to fix this: - nudge port_clock back up to 270000 during PLL computation/readout - track port_clock and the nominal link rate separately so they might differ a bit - switch to the 100MHz refclk, but that one should be SSC so perhaps not something we want While we ponder about a better solution apply some band aid to the immediate issue of miscalculated DP_LINK_BW value. With this I can again use 2.7 Gbps link rate on g4x. Cc: stable(a)vger.kernel.org Fixes: 665a7b04092c ("drm/i915: Feed the DPLL output freq back into crtc_state") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_dp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index f48912f308df..7976fec88606 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -1606,6 +1606,12 @@ int intel_dp_rate_select(struct intel_dp *intel_dp, int rate) void intel_dp_compute_rate(struct intel_dp *intel_dp, int port_clock, u8 *link_bw, u8 *rate_select) { + struct intel_display *display = to_intel_display(intel_dp); + + /* FIXME g4x can't generate an exact 2.7GHz with the 96MHz non-SSC refclk */ + if (display->platform.g4x && port_clock == 268800) + port_clock = 270000; + /* eDP 1.4 rate select method. */ if (intel_dp->use_rate_select) { *link_bw = 0; -- 2.49.0

3 weeks, 5 days

3
3
0 0

+ kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marco Elver <elver(a)google.com> Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports Date: Wed, 16 Jul 2025 17:23:28 +0200 Since 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock"), more detailed info about the vmalloc mapping and the origin was dropped due to potential deadlocks. While fixing the deadlock is necessary, that patch was too quick in killing an otherwise useful feature, and did no due-diligence in understanding if an alternative option is available. Restore printing more helpful vmalloc allocation info in KASAN reports with the help of vmalloc_dump_obj(). Example report: | BUG: KASAN: vmalloc-out-of-bounds in vmalloc_oob+0x4c9/0x610 | Read of size 1 at addr ffffc900002fd7f3 by task kunit_try_catch/493 | | CPU: [...] | Call Trace: | <TASK> | dump_stack_lvl+0xa8/0xf0 | print_report+0x17e/0x810 | kasan_report+0x155/0x190 | vmalloc_oob+0x4c9/0x610 | [...] | | The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900002fd000 allocated at vmalloc_oob+0x36/0x610 | The buggy address belongs to the physical page: | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126364 | flags: 0x200000000000000(node=0|zone=2) | raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: kasan: bad access detected | | [..] Link: https://lkml.kernel.org/r/20250716152448.3877201-1-elver@google.com Fixes: 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock") Signed-off-by: Marco Elver <elver(a)google.com> Suggested-by: Uladzislau Rezki <urezki(a)gmail.com> Acked-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Yeoreum Yun <yeoreum.yun(a)arm.com> Cc: Yunseong Kim <ysk(a)kzalloc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/report.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/kasan/report.c~kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports +++ a/mm/kasan/report.c @@ -399,7 +399,9 @@ static void print_address_description(vo } if (is_vmalloc_addr(addr)) { - pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + pr_err("The buggy address belongs to a"); + if (!vmalloc_dump_obj(addr)) + pr_cont(" vmalloc virtual mapping\n"); page = vmalloc_to_page(addr); } _ Patches currently in -mm which might be from elver(a)google.com are kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch

3 weeks, 5 days

1
0
0 0

[PATCH 1/2] s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again

by Ilya Leoshkevich

Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g. perf's on_switch() prog to reappear. Restore the fix and add a comment. Fixes: 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") Cc: stable(a)vger.kernel.org Signed-off-by: Ilya Leoshkevich <iii(a)linux.ibm.com> --- arch/s390/net/bpf_jit_comp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c index 8bb738f1b1b6..bb17efe29d65 100644 --- a/arch/s390/net/bpf_jit_comp.c +++ b/arch/s390/net/bpf_jit_comp.c @@ -576,7 +576,15 @@ static void bpf_jit_plt(struct bpf_plt *plt, void *ret, void *target) { memcpy(plt, &bpf_plt, sizeof(*plt)); plt->ret = ret; - plt->target = target; + /* + * (target == NULL) implies that the branch to this PLT entry was + * patched and became a no-op. However, some CPU could have jumped + * to this PLT entry before patching and may be still executing it. + * + * Since the intention in this case is to make the PLT entry a no-op, + * make the target point to the return label instead of NULL. + */ + plt->target = target ?: ret; } /* -- 2.50.1

3 weeks, 5 days

1
0
0 0

[PATCH net 3/5] rxrpc: Fix notification vs call-release vs recvmsg

by David Howells

When a call is released, rxrpc takes the spinlock and removes it from ->recvmsg_q in an effort to prevent racing recvmsg() invocations from seeing the same call. Now, rxrpc_recvmsg() only takes the spinlock when actually removing a call from the queue; it doesn't, however, take it in the lead up to that when it checks to see if the queue is empty. It *does* hold the socket lock, which prevents a recvmsg/recvmsg race - but this doesn't prevent sendmsg from ending the call because sendmsg() drops the socket lock and relies on the call->user_mutex. Fix this by firstly removing the bit in rxrpc_release_call() that dequeues the released call and, instead, rely on recvmsg() to simply discard released calls (done in a preceding fix). Secondly, rxrpc_notify_socket() is abandoned if the call is already marked as released rather than trying to be clever by setting both pointers in call->recvmsg_link to NULL to trick list_empty(). This isn't perfect and can still race, resulting in a released call on the queue, but recvmsg() will now clean that up. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 2 +- net/rxrpc/call_object.c | 28 ++++++++++++---------------- net/rxrpc/recvmsg.c | 4 ++++ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index e7dcfb1369b6..8e5a73eb5268 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -325,7 +325,6 @@ EM(rxrpc_call_put_release_sock, "PUT rls-sock") \ EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \ EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \ - EM(rxrpc_call_put_unnotify, "PUT unnotify") \ EM(rxrpc_call_put_userid_exists, "PUT u-exists") \ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ @@ -338,6 +337,7 @@ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_notify_released, "SEE nfy-rlsd") \ EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 15067ff7b1f2..918f41d97a2f 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -561,7 +561,7 @@ static void rxrpc_cleanup_rx_buffers(struct rxrpc_call *call) void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) { struct rxrpc_connection *conn = call->conn; - bool put = false, putu = false; + bool putu = false; _enter("{%d,%d}", call->debug_id, refcount_read(&call->ref)); @@ -573,23 +573,13 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call) rxrpc_put_call_slot(call); - /* Make sure we don't get any more notifications */ + /* Note that at this point, the call may still be on or may have been + * added back on to the socket receive queue. recvmsg() must discard + * released calls. The CALL_RELEASED flag should prevent further + * notifications. + */ spin_lock_irq(&rx->recvmsg_lock); - - if (!list_empty(&call->recvmsg_link)) { - _debug("unlinking once-pending call %p { e=%lx f=%lx }", - call, call->events, call->flags); - list_del(&call->recvmsg_link); - put = true; - } - - /* list_empty() must return false in rxrpc_notify_socket() */ - call->recvmsg_link.next = NULL; - call->recvmsg_link.prev = NULL; - spin_unlock_irq(&rx->recvmsg_lock); - if (put) - rxrpc_put_call(call, rxrpc_call_put_unnotify); write_lock(&rx->call_lock); @@ -638,6 +628,12 @@ void rxrpc_release_calls_on_socket(struct rxrpc_sock *rx) rxrpc_put_call(call, rxrpc_call_put_release_sock); } + while ((call = list_first_entry_or_null(&rx->recvmsg_q, + struct rxrpc_call, recvmsg_link))) { + list_del_init(&call->recvmsg_link); + rxrpc_put_call(call, rxrpc_call_put_release_recvmsg_q); + } + _leave(""); } diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 6990e37697de..7fa7e77f6bb9 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -29,6 +29,10 @@ void rxrpc_notify_socket(struct rxrpc_call *call) if (!list_empty(&call->recvmsg_link)) return; + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_notify_released); + return; + } rcu_read_lock();

3 weeks, 5 days

2
1
0 0

[PATCH] usb: atm: cxacru: Zero initialize bp in cxacru_heavy_init()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables [1], there is a warning in cxacru_heavy_init(): drivers/usb/atm/cxacru.c:1104:6: error: variable 'bp' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 1104 | if (instance->modem_type->boot_rom_patch) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/usb/atm/cxacru.c:1113:39: note: uninitialized use occurs here 1113 | cxacru_upload_firmware(instance, fw, bp); | ^~ drivers/usb/atm/cxacru.c:1104:2: note: remove the 'if' if its condition is always true 1104 | if (instance->modem_type->boot_rom_patch) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/usb/atm/cxacru.c:1095:32: note: initialize the variable 'bp' to silence this warning 1095 | const struct firmware *fw, *bp; | ^ | = NULL This warning occurs in clang's frontend before inlining occurs, so it cannot notice that bp is only used within cxacru_upload_firmware() under the same condition that initializes it in cxacru_heavy_init(). Just initialize bp to NULL to silence the warning without functionally changing the code, which is what happens with modern compilers when they support '-ftrivial-auto-var-init=zero' (CONFIG_INIT_STACK_ALL_ZERO=y). Cc: stable(a)vger.kernel.org Fixes: 1b0e61465234 ("[PATCH] USB ATM: driver for the Conexant AccessRunner chipset cxacru") Closes: https://github.com/ClangBuiltLinux/linux/issues/2102 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/usb/atm/cxacru.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index a12ab90b3db7..b7c3b224a759 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -1092,7 +1092,7 @@ static int cxacru_find_firmware(struct cxacru_data *instance, static int cxacru_heavy_init(struct usbatm_data *usbatm_instance, struct usb_interface *usb_intf) { - const struct firmware *fw, *bp; + const struct firmware *fw, *bp = NULL; struct cxacru_data *instance = usbatm_instance->driver_data; int ret = cxacru_find_firmware(instance, "fw", &fw); --- base-commit: fdfa018c6962c86d2faa183187669569be4d513f change-id: 20250715-usb-cxacru-fix-clang-21-uninit-warning-9430d96c6bc1 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 5 days

2
7
0 0

[PATCH v4 1/1] mm/rmap: fix potential out-of-bounds page table access during batched unmap

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> As pointed out by David[1], the batched unmap logic in try_to_unmap_one() may read past the end of a PTE table when a large folio's PTE mappings are not fully contained within a single page table. While this scenario might be rare, an issue triggerable from userspace must be fixed regardless of its likelihood. This patch fixes the out-of-bounds access by refactoring the logic into a new helper, folio_unmap_pte_batch(). The new helper correctly calculates the safe batch size by capping the scan at both the VMA and PMD boundaries. To simplify the code, it also supports partial batching (i.e., any number of pages from 1 up to the calculated safe maximum), as there is no strong reason to special-case for fully mapped folios. [1] https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@redha… Cc: <stable(a)vger.kernel.org> Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@redha… Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation") Suggested-by: Barry Song <baohua(a)kernel.org> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- v3 -> v4: - Add Reported-by + Closes tags (per David) - Pick RB from Lorenzo - thanks! - Pick AB from David - thanks! - https://lore.kernel.org/linux-mm/20250630011305.23754-1-lance.yang@linux.dev v2 -> v3: - Tweak changelog (per Barry and David) - Pick AB from Barry - thanks! - https://lore.kernel.org/linux-mm/20250627062319.84936-1-lance.yang@linux.dev v1 -> v2: - Update subject and changelog (per Barry) - https://lore.kernel.org/linux-mm/20250627025214.30887-1-lance.yang@linux.dev mm/rmap.c | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/mm/rmap.c b/mm/rmap.c index fb63d9256f09..1320b88fab74 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1845,23 +1845,32 @@ void folio_remove_rmap_pud(struct folio *folio, struct page *page, #endif } -/* We support batch unmapping of PTEs for lazyfree large folios */ -static inline bool can_batch_unmap_folio_ptes(unsigned long addr, - struct folio *folio, pte_t *ptep) +static inline unsigned int folio_unmap_pte_batch(struct folio *folio, + struct page_vma_mapped_walk *pvmw, + enum ttu_flags flags, pte_t pte) { const fpb_t fpb_flags = FPB_IGNORE_DIRTY | FPB_IGNORE_SOFT_DIRTY; - int max_nr = folio_nr_pages(folio); - pte_t pte = ptep_get(ptep); + unsigned long end_addr, addr = pvmw->address; + struct vm_area_struct *vma = pvmw->vma; + unsigned int max_nr; + + if (flags & TTU_HWPOISON) + return 1; + if (!folio_test_large(folio)) + return 1; + /* We may only batch within a single VMA and a single page table. */ + end_addr = pmd_addr_end(addr, vma->vm_end); + max_nr = (end_addr - addr) >> PAGE_SHIFT; + + /* We only support lazyfree batching for now ... */ if (!folio_test_anon(folio) || folio_test_swapbacked(folio)) - return false; + return 1; if (pte_unused(pte)) - return false; - if (pte_pfn(pte) != folio_pfn(folio)) - return false; + return 1; - return folio_pte_batch(folio, addr, ptep, pte, max_nr, fpb_flags, NULL, - NULL, NULL) == max_nr; + return folio_pte_batch(folio, addr, pvmw->pte, pte, max_nr, fpb_flags, + NULL, NULL, NULL); } /* @@ -2024,9 +2033,7 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, if (pte_dirty(pteval)) folio_mark_dirty(folio); } else if (likely(pte_present(pteval))) { - if (folio_test_large(folio) && !(flags & TTU_HWPOISON) && - can_batch_unmap_folio_ptes(address, folio, pvmw.pte)) - nr_pages = folio_nr_pages(folio); + nr_pages = folio_unmap_pte_batch(folio, &pvmw, flags, pteval); end_addr = address + nr_pages * PAGE_SIZE; flush_cache_range(vma, address, end_addr); @@ -2206,13 +2213,16 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, hugetlb_remove_rmap(folio); } else { folio_remove_rmap_ptes(folio, subpage, nr_pages, vma); - folio_ref_sub(folio, nr_pages - 1); } if (vma->vm_flags & VM_LOCKED) mlock_drain_local(); - folio_put(folio); - /* We have already batched the entire folio */ - if (nr_pages > 1) + folio_put_refs(folio, nr_pages); + + /* + * If we are sure that we batched the entire folio and cleared + * all PTEs, we can just optimize and stop right here. + */ + if (nr_pages == folio_nr_pages(folio)) goto walk_done; continue; walk_abort: -- 2.49.0

3 weeks, 6 days

6
7
0 0

[PATCH 5.4 000/148] 5.4.296-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.296 release. There are 148 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.296-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.296-rc1 Georg Kohmann <geokohma(a)cisco.com> net: ipv6: Discard next-hop MTU less than minimum link MTU Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Eric W. Biederman <ebiederm(a)xmission.com> proc: Clear the pieces of proc_inode that proc_evict_inode cares about Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Vladimir Oltean <vladimir.oltean(a)nxp.com> spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path Vladimir Oltean <vladimir.oltean(a)nxp.com> spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Leon Romanovsky <leon(a)kernel.org> RDMA/core: Create and destroy counters in the ib_core Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Jerome Neanne <jneanne(a)baylibre.com> regulator: gpio: Add input_supply support in gpio_regulator_config Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Omar Sandoval <osandov(a)fb.com> btrfs: don't abort filesystem when attempting to snapshot deleted subvolume Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Denis Arefev <arefev(a)swemel.ru> media: vivid: Change the siize of the composing Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Edward Adam Davis <eadavis(a)qq.com> media: cxusb: no longer judge rbuf when the write fails Sean Young <sean(a)mess.org> media: cxusb: use dev_dbg() rather than hand-rolled debug Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ASoC: meson: meson-card-utils: use of_property_present() for DT parsing Rob Herring <robh(a)kernel.org> of: Add of_property_present() helper Michael Walle <michael(a)walle.cc> of: property: define of_property_read_u{8,16,32,64}_array() unconditionally Arnd Bergmann <arnd(a)arndb.de> kbuild: hdrcheck: fix cross build with clang Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add --target to correctly cross-compile UAPI headers with Clang Masahiro Yamada <masahiroy(a)kernel.org> bpfilter: match bit size of bpfilter_umh to that of the kernel Masahiro Yamada <masahiroy(a)kernel.org> kbuild: use -MMD instead of -MD to exclude system headers from dependency Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/x86/Kconfig | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/dma-buf/dma-resv.c | 5 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/bridge/cdns-dsi.c | 11 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 12 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/v3d/v3d_drv.h | 9 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 36 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/device.c | 1 + drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- .../infiniband/core/uverbs_std_types_counters.c | 17 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 55 ++-- drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/platform/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 36 ++- drivers/media/usb/uvc/uvc_ctrl.c | 61 +++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 +- drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/phy/microchip.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 19 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 55 ++-- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +--- drivers/tty/serial/uartlite.c | 15 +- drivers/tty/vt/vt.c | 1 + drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/typec/altmodes/displayport.c | 5 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/ioctl.c | 3 + fs/btrfs/tree-log.c | 4 +- fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 144 +++++++--- fs/nfs/inode.c | 17 +- fs/overlayfs/util.c | 4 +- fs/proc/inode.c | 16 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/of.h | 291 ++++++++++----------- include/linux/regulator/gpio-regulator.h | 2 + include/linux/usb/typec_dp.h | 1 + include/rdma/ib_verbs.h | 7 +- include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 4 + init/Kconfig | 4 +- kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/bpfilter/Makefile | 5 +- net/ipv6/route.c | 3 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 ++++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/tipc/topsrv.c | 2 + net/vmw_vsock/vmci_transport.c | 4 +- scripts/Kbuild.include | 2 +- scripts/Makefile.host | 4 +- scripts/Makefile.lib | 8 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/soc/meson/meson-card-utils.c | 2 +- sound/usb/stream.c | 2 + usr/include/Makefile | 6 +- 135 files changed, 1221 insertions(+), 706 deletions(-)

3 weeks, 6 days

4
153
0 0

[PATCH 5.15 00/77] 5.15.189-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.189 release. There are 77 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.189-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.189-rc1 Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Kurt Borja <kuurtb(a)gmail.com> platform/x86: think-lmi: Fix sysfs group cleanup Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Christian König <christian.koenig(a)amd.com> dma-buf: use new iterator in dma_resv_wait_timeout Christian König <christian.koenig(a)amd.com> dma-buf: add dma_resv_for_each_fence_unlocked v8 Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Hongyu Xie <xiehongyu1(a)kylinos.cn> xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: ensure the received length does not exceed allocated size Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Juergen Gross <jgross(a)suse.com> xen: replace xen_remap() with memremap() Edward Adam Davis <eadavis(a)qq.com> jfs: fix null ptr deref in dtInsertEntry John Fastabend <john.fastabend(a)gmail.com> bpf, sockmap: Fix skb refcnt race after locking changes Maksim Kiselev <bigunclemax(a)gmail.com> aoe: avoid potential deadlock at set_capacity Lee, Chun-Yi <joeyli.kernel(a)gmail.com> thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Andrii Nakryiko <andrii(a)kernel.org> bpf: fix precision backtracking instruction iteration David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Jesse Brandeburg <jesse.brandeburg(a)intel.com> ice: safer stats processing Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/include/asm/xen/page.h | 3 - arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/aoe/aoeblk.c | 5 +- drivers/block/nbd.c | 6 +- drivers/dma-buf/dma-resv.c | 171 ++++++---- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/infiniband/hw/mlx5/main.c | 33 ++ drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/intel/ice/ice_main.c | 29 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/virtio_net.c | 44 ++- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/think-lmi.c | 35 +- drivers/pwm/pwm-mediatek.c | 15 +- .../intel/int340x_thermal/int3400_thermal.c | 9 +- drivers/tty/hvc/hvc_xen.c | 2 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 +- drivers/usb/host/xhci-plat.c | 3 +- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- drivers/xen/grant-table.c | 6 +- drivers/xen/xenbus/xenbus_probe.c | 3 +- fs/btrfs/inode.c | 36 +-- fs/jfs/jfs_dtree.c | 2 + fs/ksmbd/transport_rdma.c | 5 +- fs/ksmbd/vfs.c | 1 + fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/dma-resv.h | 95 ++++++ include/net/netfilter/nf_flow_table.h | 2 +- include/xen/arm/page.h | 3 - kernel/bpf/verifier.c | 21 +- kernel/events/core.c | 2 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/core/skmsg.c | 12 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- sound/soc/fsl/fsl_asrc.c | 3 +- 79 files changed, 982 insertions(+), 564 deletions(-)

3 weeks, 6 days

5
85
0 0

[PATCH 6.1 00/88] 6.1.146-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.146 release. There are 88 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.146-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.146-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jack Wang <jinpu.wang(a)ionos.com> x86: Fix X86_FEATURE_VERW_CLEAR definition Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: adapt folios for z_erofs_read_folio() Gao Xiang <xiang(a)kernel.org> erofs: avoid on-stack pagepool directly passed by arguments Gao Xiang <xiang(a)kernel.org> erofs: allocate extra bvec pages directly instead of retrying Yue Hu <huyue2(a)coolpad.com> erofs: clean up z_erofs_pcluster_readmore() Yue Hu <huyue2(a)coolpad.com> erofs: remove the member readahead from struct z_erofs_decompress_frontend Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Zhang Rui <rui.zhang(a)intel.com> platform/x86: think-lmi: Fix sysfs group cleanup Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Raju Rangoju <Raju.Rangoju(a)amd.com> usb: xhci: quirk for data loss in ISOC transfers Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Allow RPM on the USB controller (1022:43f7) by default Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Shivank Garg <shivankg(a)amd.com> fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Alexey Dobriyan <adobriyan(a)gmail.com> x86/boot: Compile boot code with -std=gnu11 too David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: use usleep_range() for EC polling Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling ------------- Diffstat: Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/Makefile | 2 +- arch/x86/include/asm/cpufeatures.h | 2 +- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/joystick/xpad.c | 2 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/x86/ideapad-laptop.c | 19 +- drivers/powercap/intel_rapl_common.c | 22 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 +++++++++++++------------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-mem.c | 4 + drivers/usb/host/xhci-pci.c | 30 ++- drivers/usb/host/xhci.h | 1 + drivers/vhost/scsi.c | 7 +- fs/anon_inodes.c | 23 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 28 +- fs/erofs/data.c | 2 + fs/erofs/zdata.c | 124 ++++----- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/spsc_queue.h | 4 +- include/linux/fs.h | 2 + include/net/netfilter/nf_flow_table.h | 2 +- include/trace/events/erofs.h | 16 +- kernel/events/core.c | 2 +- lib/maple_tree.c | 7 +- mm/kasan/report.c | 13 +- mm/secretmem.c | 11 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++-- net/bluetooth/hci_sync.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 ++++--- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 +++- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/fsl/fsl_asrc.c | 3 +- tools/include/linux/kallsyms.h | 4 + 86 files changed, 876 insertions(+), 582 deletions(-)

3 weeks, 6 days

5
92
0 0

[PATCH 6.6 000/109] 6.6.99-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.99 release. There are 109 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.99-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.99-rc1 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential race in cifs_put_tcon() Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Shyam Prasad N <sprasad(a)microsoft.com> cifs: all initializations for tcon should happen in tcon_info_alloc Paulo Alcantara <pc(a)manguebit.com> smb: client: fix DFS interlink failover Paulo Alcantara <pc(a)manguebit.com> smb: client: avoid unnecessary reconnects when refreshing referrals Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Abort suspend on soft disconnect failure Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with CV Bad Descriptor test Lee Jones <lee(a)kernel.org> usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Pawel Laszczak <pawell(a)cadence.com> usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Filipe Manana <fdmanana(a)suse.com> btrfs: fix inode lookup error handling during log replay Filipe Manana <fdmanana(a)suse.com> btrfs: return a btrfs_inode from btrfs_iget_logging() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from fixup_inode_link_count() Filipe Manana <fdmanana(a)suse.com> btrfs: remove redundant root argument from btrfs_update_inode_fallback() Filipe Manana <fdmanana(a)suse.com> btrfs: remove noinline from btrfs_update_inode() Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Christian Eggers <ceggers(a)arri.de> Bluetooth: HCI: Set extended advertising data synchronously Leo Yan <leo.yan(a)arm.com> perf: build: Setup PKG_CONFIG_LIBDIR for cross compilation Liam R. Howlett <Liam.Howlett(a)oracle.com> maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/um/drivers/vector_kern.c | 42 +-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/gpu/drm/drm_framebuffer.c | 31 +- drivers/gpu/drm/drm_gem.c | 74 ++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-quirks.c | 3 + drivers/input/keyboard/atkbd.c | 3 +- drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 57 +++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/cdns3/cdnsp-debug.h | 358 ++++++++++----------- drivers/usb/cdns3/cdnsp-ep0.c | 18 +- drivers/usb/cdns3/cdnsp-gadget.c | 6 +- drivers/usb/cdns3/cdnsp-gadget.h | 11 +- drivers/usb/cdns3/cdnsp-ring.c | 27 +- drivers/usb/dwc3/core.c | 9 +- drivers/usb/dwc3/gadget.c | 22 +- drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/free-space-tree.c | 16 +- fs/btrfs/inode.c | 18 +- fs/btrfs/transaction.c | 2 +- fs/btrfs/tree-log.c | 331 +++++++++++-------- fs/erofs/data.c | 2 + fs/eventpoll.c | 12 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/client/cifsglob.h | 3 + fs/smb/client/cifsproto.h | 13 +- fs/smb/client/connect.c | 47 ++- fs/smb/client/dfs.c | 73 ++--- fs/smb/client/dfs.h | 42 ++- fs/smb/client/dfs_cache.c | 198 +++++++----- fs/smb/client/fs_context.h | 1 + fs/smb/client/misc.c | 9 + fs/smb/client/namespace.c | 2 +- fs/smb/server/smb2pdu.c | 29 +- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/mm.h | 5 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- lib/maple_tree.c | 14 +- mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 +++- net/bluetooth/hci_event.c | 39 +-- net/bluetooth/hci_sync.c | 215 ++++++++----- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/netlink/af_netlink.c | 90 +++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 +++- net/wireless/util.c | 52 ++- scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++ scripts/gdb/linux/xarray.py | 28 ++ sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/build/feature/Makefile | 25 +- tools/include/linux/kallsyms.h | 4 + tools/perf/Makefile.perf | 27 +- tools/testing/selftests/bpf/test_lru_map.c | 105 +++--- 114 files changed, 1887 insertions(+), 1029 deletions(-)

3 weeks, 6 days

3
111
0 0

[PATCH 6.12 000/163] 6.12.39-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.39 release. There are 163 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.39-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.39-rc1 Mark Brown <broonie(a)kernel.org> arm64: Filter out SME hwcaps when FEAT_SME isn't implemented Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix potential use-after-free in oplock/lease break ack Yeoreum Yun <yeoreum.yun(a)arm.com> kasan: remove kasan_find_vm_area() to prevent possible deadlock Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: revert the adjustment of the IRQ vector sequence Gao Xiang <xiang(a)kernel.org> erofs: fix rare pcluster memory leak after unmounting Willem de Bruijn <willemb(a)google.com> selftests/bpf: adapt one more case in test_lru_map to the new target_free Daniel J. Ogorchock <djogorchock(a)gmail.com> HID: nintendo: avoid bluetooth suspend/resume stalls Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Fangrui Song <i(a)maskray.me> riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment Willem de Bruijn <willemb(a)google.com> bpf: Adjust free target to avoid global starvation of LRU map Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix assertion when building free space tree Long Li <longli(a)microsoft.com> net: mana: Record doorbell physical address in PF mode Akira Inoue <niyarium(a)gmail.com> HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Shuai Zhang <quic_shuaz(a)quicinc.com> driver: bluetooth: hci_qca:fix unable to load the BT driver Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirks for some Clevo laptops Yasmin Fitzgerald <sunoflife1.git(a)gmail.com> ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Yuzuru10 <yuzuru_10(a)proton.me> ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Fengnan Chang <changfengnan(a)bytedance.com> io_uring: make fallocate be hashed work Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 Tamura Dai <kirinode0(a)gmail.com> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Ronnie Sahlberg <rsahlberg(a)whamcloud.com> ublk: sanity check add_dev input for underflow Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Add new prio for promiscuous mode Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix race between DIM disable and net_dim() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() Hangbin Liu <liuhangbin(a)gmail.com> selftests: net: lib: fix shift count out of range Petr Machata <petrm(a)nvidia.com> selftests: net: lib: Move logging from forwarding/lib.sh here Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits Mingming Cao <mmc(a)linux.ibm.com> ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Eric Dumazet <edumazet(a)google.com> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_readahead() Gao Xiang <xiang(a)kernel.org> erofs: refine readahead tracepoint Gao Xiang <xiang(a)kernel.org> erofs: tidy up zdata.c Gao Xiang <xiang(a)kernel.org> erofs: get rid of `z_erofs_next_pcluster_t` Chunhai Guo <guochunhai(a)vivo.com> erofs: free pclusters if no cached folio is attached Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Clear all LMTT pages on alloc Zheng Qixing <zhengqixing(a)huawei.com> nbd: fix uaf in nbd_genl_connect() error path Henry Martin <bsdhenrymartin(a)gmail.com> wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/gsp: fix potential leak of memory used during acpi init Felix Fietkau <nbd(a)nbd.name> wifi: rt2x00: fix remove callback type mismatch Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix non-transmitted BSSID profile search Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: correctly identify S1G short beacon Nigel Croxon <ncroxon(a)redhat.com> raid10: cleanup memleak at raid10_make_request Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: nvdec: Fix dma_alloc_coherent error check Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: cfg80211: fix S1G beacon head validation in nl80211 David Howells <dhowells(a)redhat.com> netfs: Fix ref leak on inserted extra subreq in write retry Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic count Gao Xiang <xiang(a)kernel.org> erofs: address D-cache aliasing Chao Yu <chao(a)kernel.org> erofs: fix to add missing tracepoint in erofs_read_folio() Al Viro <viro(a)zeniv.linux.org.uk> ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Stefan Metzmacher <metze(a)samba.org> smb: server: make use of rdma_destroy_qp() Sascha Hauer <s.hauer(a)pengutronix.de> clk: scmi: Handle case where child clocks are initialized before their parents Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Mikhail Paulyshka <me(a)mixaill.net> x86/rdrand: Disable RDSEED on AMD Cyan Skillfish Xiaolei Wang <xiaolei.wang(a)windriver.com> clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data Miguel Ojeda <ojeda(a)kernel.org> rust: init: allow `dead_code` warnings for Rust >= 1.89.0 Harry Yoo <harry.yoo(a)oracle.com> lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() Alexander Gordeev <agordeev(a)linux.ibm.com> mm/vmalloc: leave lazy MMU mode on PTE mapping error Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts.py after maple tree conversion Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: de-reference per-CPU MCE interrupts Florian Fainelli <florian.fainelli(a)broadcom.com> scripts/gdb: fix interrupts display after MCP on x86 Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: fix the inaccurate memory statistics issue for users Wei Yang <richard.weiyang(a)gmail.com> maple_tree: fix mt_destroy_walk() on root leaf node Achill Gilgenast <fossdd(a)pwned.life> kallsyms: fix build without execinfo Zhe Qiao <qiaozhe(a)iscas.ac.cn> Revert "PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Matthew Brost <matthew.brost(a)intel.com> drm/xe: Allocate PF queue size on pow2 boundary Thomas Zimmermann <tzimmermann(a)suse.de> drm/framebuffer: Acquire internal references on GEM handles Kuen-Han Tsai <khtsai(a)google.com> Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> Revert "drm/xe/xe2: Enable Indirect Ring State support for Xe2" Matthew Auld <matthew.auld(a)intel.com> drm/xe/bmg: fix compressed VRAM handling Simona Vetter <simona.vetter(a)ffwll.ch> drm/gem: Fix race in drm_gem_handle_create_tail() Christian König <christian.koenig(a)amd.com> drm/ttm: fix error handling in ttm_buffer_object_transfer Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Thomas Zimmermann <tzimmermann(a)suse.de> drm/gem: Acquire references on GEM handles for framebuffers Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Don't call mmput from MMU notifier callback Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix kernel crash when hard resetting the GPU Michael Lo <michael.lo(a)mediatek.com> wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong config for tx interrupt Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Deren Wu <deren.wu(a)mediatek.com> wifi: mt76: mt7921: prevent decap offload config before STA initialization Vitor Soares <vitor.soares(a)toradex.com> wifi: mwifiex: discard erroneous disassoc frames on STA interface Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> wifi: prevent A-MSDU attacks in mesh networks Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: Fix invalid state detection Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts Håkon Bugge <haakon.bugge(a)oracle.com> md/md-bitmap: fix GPF in bitmap_get_stats() Haoxiang Li <haoxiang_li2024(a)163.com> net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 multicast route creation. Arun Raghavan <arun(a)asymptotic.io> ASoC: fsl_sai: Force a software reset when starting in consumer mode Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Liam Merwick <liam.merwick(a)oracle.com> KVM: Allow CPU to reschedule while setting per-page memory attributes Sean Christopherson <seanjc(a)google.com> KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Nikunj A Dadhania <nikunj(a)amd.com> KVM: SVM: Add missing member in SNP_LAUNCH_START command structure David Woodhouse <dwmw(a)amazon.co.uk> KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table. JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Ensure user polling settings are honored when restarting timer Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Dan Carpenter <dan.carpenter(a)linaro.org> ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct David Howells <dhowells(a)redhat.com> rxrpc: Fix bug due to prealloc collision Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Chintan Vankar <c-vankar(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Force predictable MDI-X state on LAN87xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap EricChan <chenchuangyu(a)xiaomi.com> net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Jiayuan Chen <jiayuan.chen(a)linux.dev> tcp: Correct signedness in skb remaining space calculation Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: fix `vsock_proto` declaration Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol() Luo Jie <quic_luoj(a)quicinc.com> net: phy: qcom: move the WoL function to shared library Kevin Brodsky <kevin.brodsky(a)arm.com> arm64: poe: Handle spurious Overlay faults Jason Xing <kernelxing(a)tencent.com> bnxt_en: eliminate the compile warning in bnxt_request_irq due to CONFIG_RFS_ACCEL kuyo chang <kuyo.chang(a)mediatek.com> sched/deadline: Fix dl_server runtime calculation formula Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Mario Limonciello <mario.limonciello(a)amd.com> pinctrl: amd: Clear GPIO debounce for suspend Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix not disabling advertising instance Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs35l56: probe() should fail if the device ID is not recognized Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix migrate_swap() vs. hotplug Nam Cao <namcao(a)linutronix.de> irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix the WARN_ON_ONCE is out of lock protected region Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: add sof_sdw_get_tplg_files ops Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: soc-acpi: add get_function_tplg_files ops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops Simon Trimmer <simont(a)opensource.cirrus.com> ASoC: Intel: soc-acpi: arl: Correct naming of a cs35l56 address struct Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select SND_SOC_ACPI_INTEL_MATCH Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV Eric Biggers <ebiggers(a)kernel.org> crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2 Flora Cui <flora.cui(a)amd.com> drm/amdgpu/ip_discovery: add missing ip_discovery fw Flora Cui <flora.cui(a)amd.com> drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Linus Torvalds <torvalds(a)linux-foundation.org> eventpoll: don't decrement ep refcount while still holding the ep mutex ------------- Diffstat: Documentation/bpf/map_hash.rst | 8 +- Documentation/bpf/map_lru_hash_update.dot | 6 +- Makefile | 4 +- arch/arm64/kernel/cpufeature.c | 45 ++-- arch/arm64/kernel/process.c | 5 + arch/arm64/mm/fault.c | 30 ++- arch/riscv/kernel/vdso/vdso.lds.S | 2 +- arch/s390/crypto/sha1_s390.c | 2 + arch/s390/crypto/sha256_s390.c | 3 + arch/s390/crypto/sha512_s390.c | 3 + arch/um/drivers/vector_kern.c | 42 ++-- arch/x86/Kconfig | 2 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/mce/amd.c | 28 ++- arch/x86/kernel/cpu/mce/core.c | 24 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kvm/svm/sev.c | 4 + arch/x86/kvm/xen.c | 15 +- drivers/acpi/battery.c | 19 +- drivers/atm/idt77252.c | 5 + drivers/block/nbd.c | 6 +- drivers/block/ublk_drv.c | 3 +- drivers/bluetooth/hci_qca.c | 13 +- drivers/char/ipmi/ipmi_msghandler.c | 3 +- drivers/clk/clk-scmi.c | 20 +- drivers/clk/imx/clk-imx95-blk-ctl.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 30 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 43 ++-- drivers/gpu/drm/drm_framebuffer.c | 31 ++- drivers/gpu/drm/drm_gem.c | 74 +++++- drivers/gpu/drm/drm_internal.h | 2 + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/imagination/pvr_power.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +- drivers/gpu/drm/tegra/nvdec.c | 6 +- drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 1 + drivers/gpu/drm/xe/xe_lmtt.c | 11 + drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/gpu/drm/xe/xe_pci.c | 1 - drivers/gpu/drm/xe/xe_pm.c | 8 +- drivers/hid/hid-ids.h | 6 + drivers/hid/hid-lenovo.c | 8 + drivers/hid/hid-multitouch.c | 8 +- drivers/hid/hid-nintendo.c | 38 +++- drivers/hid/hid-quirks.c | 3 + drivers/irqchip/Kconfig | 1 + drivers/md/md-bitmap.c | 3 +- drivers/md/raid1.c | 1 + drivers/md/raid10.c | 10 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.h | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +- drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 + drivers/net/ethernet/renesas/rtsn.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +- drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +- drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 +- drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 3 +- drivers/net/phy/qcom/at803x.c | 27 --- drivers/net/phy/qcom/qca808x.c | 2 +- drivers/net/phy/qcom/qcom-phy-lib.c | 25 ++ drivers/net/phy/qcom/qcom.h | 5 + drivers/net/phy/smsc.c | 57 ++++- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/marvell/mwifiex/util.c | 4 +- .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +- drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/pci-acpi.c | 23 +- drivers/pinctrl/pinctrl-amd.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/pwm/core.c | 2 +- drivers/pwm/pwm-mediatek.c | 13 +- drivers/tty/vt/vt.c | 1 + drivers/usb/gadget/function/u_serial.c | 12 +- fs/btrfs/free-space-tree.c | 16 +- fs/erofs/data.c | 21 +- fs/erofs/decompressor.c | 12 +- fs/erofs/fileio.c | 6 +- fs/erofs/internal.h | 2 +- fs/erofs/zdata.c | 251 +++++++++----------- fs/erofs/zutil.c | 7 +- fs/eventpoll.c | 12 +- fs/netfs/write_collect.c | 2 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 14 +- fs/smb/server/smb2pdu.c | 29 +-- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/vfs.c | 1 + include/drm/drm_file.h | 3 + include/drm/drm_framebuffer.h | 7 + include/drm/spsc_queue.h | 4 +- include/linux/ieee80211.h | 45 +++- include/linux/mm.h | 5 + include/linux/psp-sev.h | 2 + include/net/af_vsock.h | 2 +- include/net/netfilter/nf_flow_table.h | 2 +- include/sound/soc-acpi.h | 13 ++ include/trace/events/erofs.h | 2 +- io_uring/opdef.c | 1 + kernel/bpf/bpf_lru_list.c | 9 +- kernel/bpf/bpf_lru_list.h | 1 + kernel/events/core.c | 6 +- kernel/sched/core.c | 5 + kernel/sched/deadline.c | 10 +- kernel/stop_machine.c | 20 +- lib/alloc_tag.c | 3 + lib/maple_tree.c | 1 + mm/kasan/report.c | 13 +- mm/vmalloc.c | 22 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 64 ++++-- net/bluetooth/hci_event.c | 3 + net/bluetooth/hci_sync.c | 2 +- net/ipv4/tcp.c | 2 +- net/ipv6/addrconf.c | 9 +- net/mac80211/mlme.c | 7 +- net/mac80211/parse.c | 6 +- net/netlink/af_netlink.c | 90 +++++--- net/rxrpc/call_accept.c | 4 + net/sched/sch_api.c | 23 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 57 ++++- net/wireless/nl80211.c | 7 +- net/wireless/util.c | 52 ++++- rust/kernel/init/macros.rs | 2 + scripts/gdb/linux/constants.py.in | 7 + scripts/gdb/linux/interrupts.py | 16 +- scripts/gdb/linux/mapletree.py | 252 +++++++++++++++++++++ scripts/gdb/linux/xarray.py | 28 +++ sound/isa/ad1816a/ad1816a.c | 2 +- sound/pci/hda/patch_realtek.c | 7 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/cs35l56-shared.c | 2 +- sound/soc/fsl/fsl_asrc.c | 3 +- sound/soc/fsl/fsl_sai.c | 14 +- sound/soc/intel/boards/Kconfig | 1 + sound/soc/intel/common/Makefile | 2 +- sound/soc/intel/common/soc-acpi-intel-arl-match.c | 66 +++++- sound/soc/intel/common/sof-function-topology-lib.c | 136 +++++++++++ sound/soc/intel/common/sof-function-topology-lib.h | 15 ++ sound/soc/sof/intel/hda.c | 6 +- tools/arch/x86/include/asm/msr-index.h | 1 + tools/include/linux/kallsyms.h | 4 + tools/testing/selftests/bpf/test_lru_map.c | 105 ++++----- tools/testing/selftests/net/forwarding/lib.sh | 113 --------- tools/testing/selftests/net/lib.sh | 115 ++++++++++ virt/kvm/kvm_main.c | 3 + 172 files changed, 1953 insertions(+), 867 deletions(-)

3 weeks, 6 days

6
169
0 0

[TEST REGRESSION] stable-rc/linux-6.12.y: kselftest.seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 on bcm2837-rpi-3-b-plus

by KernelCI bot

Hello, New test failure found on stable-rc/linux-6.12.y: kselftest.seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 running on bcm2837-rpi-3-b-plus giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git branch: linux-6.12.y commit HEAD: d50d16f002928cde05a54e0049ddc203323ae7ac test id: maestro:687779f42ce2c1874ed2365d status: FAIL timestamp: 2025-07-16 10:14:31.303039+00:00 log: https://files.kernelci.org/kselftest-seccomp-6876c79234612746bbcf9a7e/log.t… # Test details: - test path: kselftest.seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 - platform: bcm2837-rpi-3-b-plus - compatibles: raspberrypi,3-model-b-plus | rbrcm | bcm2837; - config: defconfig+arm64-chromebook+kselftest - architecture: arm64 - compiler: gcc-12 Dashboard: https://d.kernelci.org/t/maestro:687779f42ce2c1874ed2365d Log excerpt: ===================================================== t_is_kill_inside pass seccomp_seccomp_bpf_global_unknown_ret_is_kill_above_allow pass seccomp_seccomp_bpf_global_KILL_all pass seccomp_seccomp_bpf_global_KILL_one pass seccomp_seccomp_bpf_global_KILL_one_arg_one pass seccomp_seccomp_bpf_global_KILL_one_arg_six pass seccomp_seccomp_bpf_global_KILL_thread pass seccomp_seccomp_bpf_global_KILL_process pass seccomp_seccomp_bpf_global_KILL_unknown pass seccomp_seccomp_bpf_global_arg_out_of_range pass seccomp_seccomp_bpf_global_ERRNO_valid pass seccomp_seccomp_bpf_global_ERRNO_zero pass seccomp_seccomp_bpf_global_ERRNO_capped pass seccomp_seccomp_bpf_global_ERRNO_order pass seccomp_seccomp_bpf_global_negative_ENOSYS pass seccomp_seccomp_bpf_global_seccomp_syscall pass seccomp_seccomp_bpf_global_seccomp_syscall_mode_lock pass seccomp_seccomp_bpf_global_detect_seccomp_filter_flags pass seccomp_seccomp_bpf_global_TSYNC_first pass seccomp_seccomp_bpf_global_syscall_restart pass seccomp_seccomp_bpf_global_filter_flag_log pass seccomp_seccomp_bpf_global_get_action_avail pass seccomp_seccomp_bpf_global_get_metadata_Kernel_does_not_support_PTRACE_SECCOMP_GET_METADATA_missing_CONFIG_CHECKPOINT_RESTORE skip seccomp_seccomp_bpf_global_user_notification_basic pass seccomp_seccomp_bpf_global_user_notification_with_tsync pass seccomp_seccomp_bpf_global_user_notification_kill_in_middle pass seccomp_seccomp_bpf_global_user_notification_signal pass seccomp_seccomp_bpf_global_user_notification_closed_listener pass seccomp_seccomp_bpf_global_user_notification_child_pid_ns pass seccomp_seccomp_bpf_global_user_notification_sibling_pid_ns pass seccomp_seccomp_bpf_global_user_notification_fault_recv pass seccomp_seccomp_bpf_global_seccomp_get_notif_sizes pass seccomp_seccomp_bpf_global_user_notification_continue pass seccomp_seccomp_bpf_global_user_notification_filter_empty pass seccomp_seccomp_bpf_global_user_ioctl_notification_filter_empty pass seccomp_seccomp_bpf_global_user_notification_filter_empty_threaded pass seccomp_seccomp_bpf_global_user_notification_addfd pass seccomp_seccomp_bpf_global_user_notification_addfd_rlimit pass seccomp_seccomp_bpf_global_user_notification_sync pass seccomp_seccomp_bpf_global_user_notification_fifo pass seccomp_seccomp_bpf_global_user_notification_wait_killable_pre_notification pass seccomp_seccomp_bpf_global_user_notification_wait_killable pass seccomp_seccomp_bpf_global_user_notification_wait_killable_fatal pass seccomp_seccomp_bpf_global_tsync_vs_dead_thread_leader pass seccomp_seccomp_bpf_TRAP_dfl pass seccomp_seccomp_bpf_TRAP_ign pass seccomp_seccomp_bpf_TRAP_handler pass seccomp_seccomp_bpf_precedence_allow_ok pass seccomp_seccomp_bpf_precedence_kill_is_highest pass seccomp_seccomp_bpf_precedence_kill_is_highest_in_any_order pass seccomp_seccomp_bpf_precedence_trap_is_second pass seccomp_seccomp_bpf_precedence_trap_is_second_in_any_order pass seccomp_seccomp_bpf_precedence_errno_is_third pass seccomp_seccomp_bpf_precedence_errno_is_third_in_any_order pass seccomp_seccomp_bpf_precedence_trace_is_fourth pass seccomp_seccomp_bpf_precedence_trace_is_fourth_in_any_order pass seccomp_seccomp_bpf_precedence_log_is_fifth pass seccomp_seccomp_bpf_precedence_log_is_fifth_in_any_order pass seccomp_seccomp_bpf_TRACE_poke_read_has_side_effects pass seccomp_seccomp_bpf_TRACE_poke_getpid_runs_normally pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_negative_ENOSYS pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_allowed pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_redirected pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_errno pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_faked pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_immediate pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_skip_after pass seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_after pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_negative_ENOSYS pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_allowed pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_redirected pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_errno pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_faked pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_immediate pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_skip_after pass seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_after pass seccomp_seccomp_bpf_TSYNC_siblings_fail_prctl pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_ancestor pass seccomp_seccomp_bpf_TSYNC_two_sibling_want_nnp pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_no_filter pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence pass seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence_no_tid_in_err pass seccomp_seccomp_bpf_TSYNC_two_siblings_not_under_filter pass seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_setoptions_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE skip seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_seize_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE skip seccomp_seccomp_bpf pass seccomp_seccomp_benchmark_native_1_bitmap pass seccomp_seccomp_benchmark_native_1_filter pass seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 fail seccomp_seccomp_benchmark_1_bitmapped_2_bitmapped pass seccomp_seccomp_benchmark_entry_1_bitmapped pass seccomp_seccomp_benchmark_entry_2_bitmapped pass seccomp_seccomp_benchmark_native_entry_per_filter_4_4_filters_total pass seccomp_seccomp_benchmark fail + ../../utils/send-to-lava.sh ./output/result.txt <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=shardfile-seccomp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_kcmp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_strict_support RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_strict_cannot_call_prctl RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_no_new_privs_support RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_support RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_without_nnp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_filter_size_limits RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_filter_chain_limits RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_cannot_move_to_strict RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_mode_filter_get_seccomp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ALLOW_all RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_empty_prog RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_log_all RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_unknown_ret_is_kill_inside RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_unknown_ret_is_kill_above_allow RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_all RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_one RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_one_arg_one RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_one_arg_six RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_thread RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_process RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_KILL_unknown RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_arg_out_of_range RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_valid RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_zero RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_capped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_ERRNO_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_negative_ENOSYS RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_seccomp_syscall RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_seccomp_syscall_mode_lock RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_detect_seccomp_filter_flags RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_TSYNC_first RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_syscall_restart RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_filter_flag_log RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_get_action_avail RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_get_metadata_Kernel_does_not_support_PTRACE_SECCOMP_GET_METADATA_missing_CONFIG_CHECKPOINT_RESTORE RESULT=skip> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_basic RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_with_tsync RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_kill_in_middle RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_signal RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_closed_listener RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_child_pid_ns RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_sibling_pid_ns RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_fault_recv RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_seccomp_get_notif_sizes RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_continue RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_filter_empty RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_ioctl_notification_filter_empty RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_filter_empty_threaded RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_addfd RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_addfd_rlimit RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_sync RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_fifo RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_wait_killable_pre_notification RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_wait_killable RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_user_notification_wait_killable_fatal RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_global_tsync_vs_dead_thread_leader RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRAP_dfl RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRAP_ign RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRAP_handler RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_allow_ok RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_kill_is_highest RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_kill_is_highest_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trap_is_second RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trap_is_second_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_errno_is_third RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_errno_is_third_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trace_is_fourth RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_trace_is_fourth_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_log_is_fifth RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_precedence_log_is_fifth_in_any_order RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_poke_read_has_side_effects RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_poke_getpid_runs_normally RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_negative_ENOSYS RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_allowed RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_redirected RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_errno RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_syscall_faked RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_immediate RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_skip_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_ptrace_kill_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_negative_ENOSYS RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_allowed RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_redirected RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_errno RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_syscall_faked RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_immediate RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_skip_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TRACE_syscall_seccomp_kill_after RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_siblings_fail_prctl RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_ancestor RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_sibling_want_nnp RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_no_filter RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_with_one_divergence_no_tid_in_err RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_TSYNC_two_siblings_not_under_filter RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_setoptions_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE RESULT=skip> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf_O_SUSPEND_SECCOMP_seize_Kernel_does_not_support_PTRACE_O_SUSPEND_SECCOMP_missing_CONFIG_CHECKPOINT_RESTORE RESULT=skip> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_bpf RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_native_1_bitmap RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_native_1_filter RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4 RESULT=fail> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_1_bitmapped_2_bitmapped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_entry_1_bitmapped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_entry_2_bitmapped RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark_native_entry_per_filter_4_4_filters_total RESULT=pass> <LAVA_SIGNAL_TESTCASE TEST_CASE_ID=seccomp_seccomp_benchmark RESULT=fail> + set +x <LAVA_SIGNAL_ENDRUN 1_kselftest-seccomp 1575830_1.6.2.4.5> <LAVA_TEST_RUNNER EXIT> / # ===================================================== #kernelci test maestro:687779f42ce2c1874ed2365d Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

3 weeks, 6 days

3
3
0 0

[PATCH v2] nvmem: layouts: u-boot-env: remove crc32 endianness conversion

by srini＠kernel.org

From: "Michael C. Pratt" <mcpratt(a)pm.me> On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Michael C. Pratt <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> --- Changes since v1: - removed long list of short git ids as it was too much for small patch. drivers/nvmem/layouts/u-boot-env.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset; -- 2.43.0

3 weeks, 6 days

1
0
0 0

[PATCH 6.12 1/2] arm64: defconfig: enable DRM_DISPLAY_CONNECTOR as a module

by Macpaul Lin

From: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> [ Upstream commit 691b5b53dbcc30bb3572cbb255374990723af0d2 ] The display connector family of bridges is used on a plenty of ARM64 platforms (including, but not being limited to several Qualcomm Robotics and Dragonboard platforms). It doesn't make sense for the DRM drivers to select the driver, so select it via the defconfig. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://lore.kernel.org/r/20250214-arm64-display-connector-v1-1-306bca76316… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> [ Backport to 6.12.y ] Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> --- arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index 7e475f38f3e1..219ef05ee5a7 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -911,6 +911,7 @@ CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20=m CONFIG_DRM_PANEL_SITRONIX_ST7703=m CONFIG_DRM_PANEL_TRULY_NT35597_WQXGA=m CONFIG_DRM_PANEL_VISIONOX_VTDR6130=m +CONFIG_DRM_DISPLAY_CONNECTOR=m CONFIG_DRM_FSL_LDB=m CONFIG_DRM_LONTIUM_LT8912B=m CONFIG_DRM_LONTIUM_LT9611=m -- 2.45.2

3 weeks, 6 days

4
4
0 0

[PATCH v2] media: pci: ivtv: Add missing check after DMA map

by Thomas Fourier

The DMA map functions can fail and should be tested for errors. If the mapping fails, free blanking_ptr and set it to 0. As 0 is a valid DMA address, use blanking_ptr to test if the DMA address is set. Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> --- v1 -> v2: - Fix Fixes: line - Add Cc: stable drivers/media/pci/ivtv/ivtv-irq.c | 2 +- drivers/media/pci/ivtv/ivtv-yuv.c | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/media/pci/ivtv/ivtv-irq.c b/drivers/media/pci/ivtv/ivtv-irq.c index 748c14e87963..4d63daa01eed 100644 --- a/drivers/media/pci/ivtv/ivtv-irq.c +++ b/drivers/media/pci/ivtv/ivtv-irq.c @@ -351,7 +351,7 @@ void ivtv_dma_stream_dec_prepare(struct ivtv_stream *s, u32 offset, int lock) /* Insert buffer block for YUV if needed */ if (s->type == IVTV_DEC_STREAM_TYPE_YUV && f->offset_y) { - if (yi->blanking_dmaptr) { + if (yi->blanking_ptr) { s->sg_pending[idx].src = yi->blanking_dmaptr; s->sg_pending[idx].dst = offset; s->sg_pending[idx].size = 720 * 16; diff --git a/drivers/media/pci/ivtv/ivtv-yuv.c b/drivers/media/pci/ivtv/ivtv-yuv.c index 2d9274537725..71f040106647 100644 --- a/drivers/media/pci/ivtv/ivtv-yuv.c +++ b/drivers/media/pci/ivtv/ivtv-yuv.c @@ -125,7 +125,7 @@ static int ivtv_yuv_prep_user_dma(struct ivtv *itv, struct ivtv_user_dma *dma, ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size); /* If we've offset the y plane, ensure top area is blanked */ - if (f->offset_y && yi->blanking_dmaptr) { + if (f->offset_y && yi->blanking_ptr) { dma->SGarray[dma->SG_length].size = cpu_to_le32(720*16); dma->SGarray[dma->SG_length].src = cpu_to_le32(yi->blanking_dmaptr); dma->SGarray[dma->SG_length].dst = cpu_to_le32(IVTV_DECODER_OFFSET + yuv_offset[frame]); @@ -929,6 +929,12 @@ static void ivtv_yuv_init(struct ivtv *itv) yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev, yi->blanking_ptr, 720 * 16, DMA_TO_DEVICE); + if (dma_mapping_error(&itv->pdev->dev, yi->blanking_dmaptr)) { + kfree(yi->blanking_ptr); + yi->blanking_ptr = NULL; + yi->blanking_dmaptr = 0; + IVTV_DEBUG_WARN("Failed to dma_map yuv blanking buffer\n"); + } } else { yi->blanking_dmaptr = 0; IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n"); -- 2.43.0

3 weeks, 6 days

1
0
0 0

[PATCH 6.6.y] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented

by Mark Brown

[ Upstream commit a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac ] We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Mark Brown <broonie(a)kernel.org> --- arch/arm64/kernel/cpufeature.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 82778258855d..b6d381f743f3 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2804,6 +2804,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -2875,20 +2882,20 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, MOPS, IMP, CAP_HWCAP, KERNEL_HWCAP_MOPS), HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME - HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP(ID_MATCH_ID(has_sme_feature, AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), #endif /* CONFIG_ARM64_SME */ {}, }; --- base-commit: 9247f4e6573a4d05fe70c3e90dbd53da26e8c5cb change-id: 20250715-stable-6-6-sme-feat-filt-5e942478105f Best regards, -- Mark Brown <broonie(a)kernel.org>

3 weeks, 6 days

1
0
0 0

[regression] Wireguard fragmentation fails with VXLAN since 8930424777e4 ("tunnels: Accept PACKET_HOST skb_tunnel_check_pmtu().") causing network timeouts

by Salvatore Bonaccorso

Hi, Charles Bordet reported the following issue (full context in https://bugs.debian.org/1108860) > Dear Maintainer, > > What led up to the situation? > We run a production environment using Debian 12 VMs, with a network > topology involving VXLAN tunnels encapsulated inside Wireguard > interfaces. This setup has worked reliably for over a year, with MTU set > to 1500 on all interfaces except the Wireguard interface (set to 1420). > Wireguard kernel fragmentation allowed this configuration to function > without issues, even though the effective path MTU is lower than 1500. > > What exactly did you do (or not do) that was effective (or ineffective)? > We performed a routine system upgrade, updating all packages include the > kernel. After the upgrade, we observed severe network issues (timeouts, > very slow HTTP/HTTPS, and apt update failures) on all VMs behind the > router. SSH and small-packet traffic continued to work. > > To diagnose, we: > > * Restored a backup (with the previous kernel): the problem disappeared. > * Repeated the upgrade, confirming the issue reappeared. > * Systematically tested each kernel version from 6.1.124-1 up to > 6.1.140-1. The problem first appears with kernel 6.1.135-1; all earlier > versions work as expected. > * Kernel version from the backports (6.12.32-1) did not resolve the > problem. > > What was the outcome of this action? > > * With kernel 6.1.135-1 or later, network timeouts occur for > large-packet protocols (HTTP, apt, etc.), while SSH and small-packet > protocols work. > * With kernel 6.1.133-1 or earlier, everything works as expected. > > What outcome did you expect instead? > We expected the network to function as before, with Wireguard handling > fragmentation transparently and no application-level timeouts, > regardless of the kernel version. While triaging the issue we found that the commit 8930424777e4 ("tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu()." introduces the issue and Charles confirmed that the issue was present as well in 6.12.35 and 6.15.4 (other version up could potentially still be affected, but we wanted to check it is not a 6.1.y specific regression). Reverthing the commit fixes Charles' issue. Does that ring a bell? Regards, Salvatore

3 weeks, 6 days

3
2
0 0

[PATCH net 5/5] rxrpc: Fix to use conn aborts for conn-wide failures

by David Howells

Fix rxrpc to use connection-level aborts for things that affect the whole connection, such as the service ID not matching a local service. Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure") Reported-by: Jeffrey Altman <jaltman(a)auristor.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 1 + net/rxrpc/ar-internal.h | 3 +++ net/rxrpc/call_accept.c | 12 ++++++------ net/rxrpc/io_thread.c | 14 ++++++++++++++ net/rxrpc/output.c | 19 ++++++++++--------- net/rxrpc/security.c | 8 ++++---- 6 files changed, 38 insertions(+), 19 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 8e5a73eb5268..de6f6d25767c 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -322,6 +322,7 @@ EM(rxrpc_call_put_kernel, "PUT kernel ") \ EM(rxrpc_call_put_poke, "PUT poke ") \ EM(rxrpc_call_put_recvmsg, "PUT recvmsg ") \ + EM(rxrpc_call_put_release_recvmsg_q, "PUT rls-rcmq") \ EM(rxrpc_call_put_release_sock, "PUT rls-sock") \ EM(rxrpc_call_put_release_sock_tba, "PUT rls-sk-a") \ EM(rxrpc_call_put_sendmsg, "PUT sendmsg ") \ diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index df1a618dbf7d..5b7342d43486 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -44,6 +44,7 @@ enum rxrpc_skb_mark { RXRPC_SKB_MARK_SERVICE_CONN_SECURED, /* Service connection response has been verified */ RXRPC_SKB_MARK_REJECT_BUSY, /* Reject with BUSY */ RXRPC_SKB_MARK_REJECT_ABORT, /* Reject with ABORT (code in skb->priority) */ + RXRPC_SKB_MARK_REJECT_CONN_ABORT, /* Reject with connection ABORT (code in skb->priority) */ }; /* @@ -1253,6 +1254,8 @@ int rxrpc_encap_rcv(struct sock *, struct sk_buff *); void rxrpc_error_report(struct sock *); bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, s32 abort_code, int err); +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err); int rxrpc_io_thread(void *data); void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb); static inline void rxrpc_wake_up_io_thread(struct rxrpc_local *local) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index a4d76f2da684..00982a030744 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -374,8 +374,8 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_lock(&rx->incoming_lock); if (rx->sk.sk_state == RXRPC_SERVER_LISTEN_DISABLED || rx->sk.sk_state == RXRPC_CLOSE) { - rxrpc_direct_abort(skb, rxrpc_abort_shut_down, - RX_INVALID_OPERATION, -ESHUTDOWN); + rxrpc_direct_conn_abort(skb, rxrpc_abort_shut_down, + RX_INVALID_OPERATION, -ESHUTDOWN); goto no_call; } @@ -422,12 +422,12 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, unsupported_service: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EOPNOTSUPP); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EOPNOTSUPP); unsupported_security: read_unlock_irq(&local->services_lock); - return rxrpc_direct_abort(skb, rxrpc_abort_service_not_offered, - RX_INVALID_OPERATION, -EKEYREJECTED); + return rxrpc_direct_conn_abort(skb, rxrpc_abort_service_not_offered, + RX_INVALID_OPERATION, -EKEYREJECTED); no_call: spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c index 27b650d30f4d..e939ecf417c4 100644 --- a/net/rxrpc/io_thread.c +++ b/net/rxrpc/io_thread.c @@ -97,6 +97,20 @@ bool rxrpc_direct_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, return false; } +/* + * Directly produce a connection abort from a packet. + */ +bool rxrpc_direct_conn_abort(struct sk_buff *skb, enum rxrpc_abort_reason why, + s32 abort_code, int err) +{ + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + + trace_rxrpc_abort(0, why, sp->hdr.cid, 0, sp->hdr.seq, abort_code, err); + skb->mark = RXRPC_SKB_MARK_REJECT_CONN_ABORT; + skb->priority = abort_code; + return false; +} + static bool rxrpc_bad_message(struct sk_buff *skb, enum rxrpc_abort_reason why) { return rxrpc_direct_abort(skb, why, RX_PROTOCOL_ERROR, -EBADMSG); diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index 17c33b5cf7dd..8b5903b6e481 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -829,7 +829,13 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) msg.msg_controllen = 0; msg.msg_flags = 0; - memset(&whdr, 0, sizeof(whdr)); + whdr = (struct rxrpc_wire_header) { + .epoch = htonl(sp->hdr.epoch), + .cid = htonl(sp->hdr.cid), + .callNumber = htonl(sp->hdr.callNumber), + .serviceId = htons(sp->hdr.serviceId), + .flags = ~sp->hdr.flags & RXRPC_CLIENT_INITIATED, + }; switch (skb->mark) { case RXRPC_SKB_MARK_REJECT_BUSY: @@ -837,6 +843,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) size = sizeof(whdr); ioc = 1; break; + case RXRPC_SKB_MARK_REJECT_CONN_ABORT: + whdr.callNumber = 0; + fallthrough; case RXRPC_SKB_MARK_REJECT_ABORT: whdr.type = RXRPC_PACKET_TYPE_ABORT; code = htonl(skb->priority); @@ -850,14 +859,6 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) if (rxrpc_extract_addr_from_skb(&srx, skb) == 0) { msg.msg_namelen = srx.transport_len; - whdr.epoch = htonl(sp->hdr.epoch); - whdr.cid = htonl(sp->hdr.cid); - whdr.callNumber = htonl(sp->hdr.callNumber); - whdr.serviceId = htons(sp->hdr.serviceId); - whdr.flags = sp->hdr.flags; - whdr.flags ^= RXRPC_CLIENT_INITIATED; - whdr.flags &= RXRPC_CLIENT_INITIATED; - iov_iter_kvec(&msg.msg_iter, WRITE, iov, ioc, size); ret = do_udp_sendmsg(local->socket, &msg, size); if (ret < 0) diff --git a/net/rxrpc/security.c b/net/rxrpc/security.c index 078d91a6b77f..2bfbf2b2bb37 100644 --- a/net/rxrpc/security.c +++ b/net/rxrpc/security.c @@ -140,15 +140,15 @@ const struct rxrpc_security *rxrpc_get_incoming_security(struct rxrpc_sock *rx, sec = rxrpc_security_lookup(sp->hdr.securityIndex); if (!sec) { - rxrpc_direct_abort(skb, rxrpc_abort_unsupported_security, - RX_INVALID_OPERATION, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_unsupported_security, + RX_INVALID_OPERATION, -EKEYREJECTED); return NULL; } if (sp->hdr.securityIndex != RXRPC_SECURITY_NONE && !rx->securities) { - rxrpc_direct_abort(skb, rxrpc_abort_no_service_key, - sec->no_key_abort, -EKEYREJECTED); + rxrpc_direct_conn_abort(skb, rxrpc_abort_no_service_key, + sec->no_key_abort, -EKEYREJECTED); return NULL; }

3 weeks, 6 days

1
0
0 0

[PATCH net 4/5] rxrpc: Fix transmission of an abort in response to an abort

by David Howells

Under some circumstances, such as when a server socket is closing, ABORT packets will be generated in response to incoming packets. Unfortunately, this also may include generating aborts in response to incoming aborts - which may cause a cycle. It appears this may be made possible by giving the client a multicast address. Fix this such that rxrpc_reject_packet() will refuse to generate aborts in response to aborts. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Linus Torvalds <torvalds(a)linux-foundation.org> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/output.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c index ef7b3096c95e..17c33b5cf7dd 100644 --- a/net/rxrpc/output.c +++ b/net/rxrpc/output.c @@ -814,6 +814,9 @@ void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb) __be32 code; int ret, ioc; + if (sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) + return; /* Never abort an abort. */ + rxrpc_see_skb(skb, rxrpc_skb_see_reject); iov[0].iov_base = &whdr;

3 weeks, 6 days

1
0
0 0

[PATCH net 2/5] rxrpc: Fix recv-recv race of completed call

by David Howells

If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in and its recvmsg can pop the call off the socket queue again. In such a case, the first thread will be receiving stuff from the call and the second thread will be blocked on call->user_mutex. The first thread can, at this point, process both the event that it picked call for and the event that the second thread picked the call for and may see the call terminate - in which case the call will be "released", decoupling the call from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control message). The first thread will return okay, but then the second thread will wake up holding the user_mutex and, if it sees that the call has been released by the first thread, it will BUG thusly: kernel BUG at net/rxrpc/recvmsg.c:474! Fix this by just dequeuing the call and ignoring it if it is seen to be already released. We can't tell userspace about it anyway as the user call ID has become stale. Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- include/trace/events/rxrpc.h | 3 +++ net/rxrpc/call_accept.c | 1 + net/rxrpc/recvmsg.c | 19 +++++++++++++++++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 378d2dfc7392..e7dcfb1369b6 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h @@ -330,12 +330,15 @@ EM(rxrpc_call_put_userid, "PUT user-id ") \ EM(rxrpc_call_see_accept, "SEE accept ") \ EM(rxrpc_call_see_activate_client, "SEE act-clnt") \ + EM(rxrpc_call_see_already_released, "SEE alrdy-rl") \ EM(rxrpc_call_see_connect_failed, "SEE con-fail") \ EM(rxrpc_call_see_connected, "SEE connect ") \ EM(rxrpc_call_see_conn_abort, "SEE conn-abt") \ + EM(rxrpc_call_see_discard, "SEE discard ") \ EM(rxrpc_call_see_disconnected, "SEE disconn ") \ EM(rxrpc_call_see_distribute_error, "SEE dist-err") \ EM(rxrpc_call_see_input, "SEE input ") \ + EM(rxrpc_call_see_recvmsg, "SEE recvmsg ") \ EM(rxrpc_call_see_release, "SEE release ") \ EM(rxrpc_call_see_userid_exists, "SEE u-exists") \ EM(rxrpc_call_see_waiting_call, "SEE q-conn ") \ diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 226b4bf82747..a4d76f2da684 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -219,6 +219,7 @@ void rxrpc_discard_prealloc(struct rxrpc_sock *rx) tail = b->call_backlog_tail; while (CIRC_CNT(head, tail, size) > 0) { struct rxrpc_call *call = b->call_backlog[tail]; + rxrpc_see_call(call, rxrpc_call_see_discard); rcu_assign_pointer(call->socket, rx); if (rx->app_ops && rx->app_ops->discard_new_call) { diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index 86a27fb55a1c..6990e37697de 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -447,6 +447,16 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, goto try_again; } + rxrpc_see_call(call, rxrpc_call_see_recvmsg); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + list_del_init(&call->recvmsg_link); + spin_unlock_irq(&rx->recvmsg_lock); + release_sock(&rx->sk); + trace_rxrpc_recvmsg(call->debug_id, rxrpc_recvmsg_unqueue, 0); + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } if (!(flags & MSG_PEEK)) list_del_init(&call->recvmsg_link); else @@ -470,8 +480,13 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, release_sock(&rx->sk); - if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) - BUG(); + if (test_bit(RXRPC_CALL_RELEASED, &call->flags)) { + rxrpc_see_call(call, rxrpc_call_see_already_released); + mutex_unlock(&call->user_mutex); + if (!(flags & MSG_PEEK)) + rxrpc_put_call(call, rxrpc_call_put_recvmsg); + goto try_again; + } ret = rxrpc_recvmsg_user_id(call, msg, flags); if (ret < 0)

3 weeks, 6 days

1
0
0 0

[PATCH net 1/5] rxrpc: Fix irq-disabled in local_bh_enable()

by David Howells

The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. Unfortunately, the IP layer uses local_bh_enable() which, config dependent, throws a warning if IRQs are enabled: WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0 ... RIP: 0010:__local_bh_enable_ip+0x43/0xd0 ... Call Trace: <TASK> rt_cache_route+0x7e/0xa0 rt_set_nexthop.isra.0+0x3b3/0x3f0 __mkroute_output+0x43a/0x460 ip_route_output_key_hash+0xf7/0x140 ip_route_output_flow+0x1b/0x90 rxrpc_assess_MTU_size.isra.0+0x2a0/0x590 rxrpc_new_incoming_peer+0x46/0x120 rxrpc_alloc_incoming_call+0x1b1/0x400 rxrpc_new_incoming_call+0x1da/0x5e0 rxrpc_input_packet+0x827/0x900 rxrpc_io_thread+0x403/0xb60 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 ... hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50 hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70 softirqs last enabled at (0): copy_process+0xc61/0x2730 softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90 Fix this by moving the call to rxrpc_assess_MTU_size() out of rxrpc_init_peer() and further up the stack where it can be done without interrupts disabled. It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the locks are dropped as pmtud is going to be performed by the I/O thread - and we're in the I/O thread at this point. Fixes: a2ea9a907260 ("rxrpc: Use irq-disabling spinlocks between app and I/O thread") Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Jeffrey Altman <jaltman(a)auristor.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Jakub Kicinski <kuba(a)kernel.org> cc: Paolo Abeni <pabeni(a)redhat.com> cc: "David S. Miller" <davem(a)davemloft.net> cc: Eric Dumazet <edumazet(a)google.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: netdev(a)vger.kernel.org cc: stable(a)vger.kernel.org --- net/rxrpc/ar-internal.h | 1 + net/rxrpc/call_accept.c | 1 + net/rxrpc/peer_object.c | 6 ++---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 376e33dce8c1..df1a618dbf7d 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -1383,6 +1383,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *, const struct sockaddr_rxrpc *); struct rxrpc_peer *rxrpc_lookup_peer(struct rxrpc_local *local, struct sockaddr_rxrpc *srx, gfp_t gfp); +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer); struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *, gfp_t, enum rxrpc_peer_trace); void rxrpc_new_incoming_peer(struct rxrpc_local *local, struct rxrpc_peer *peer); diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 49fccee1a726..226b4bf82747 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -406,6 +406,7 @@ bool rxrpc_new_incoming_call(struct rxrpc_local *local, spin_unlock(&rx->incoming_lock); read_unlock_irq(&local->services_lock); + rxrpc_assess_MTU_size(local, call->peer); if (hlist_unhashed(&call->error_link)) { spin_lock_irq(&call->peer->lock); diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c index e2f35e6c04d6..366431b0736c 100644 --- a/net/rxrpc/peer_object.c +++ b/net/rxrpc/peer_object.c @@ -149,8 +149,7 @@ struct rxrpc_peer *rxrpc_lookup_peer_rcu(struct rxrpc_local *local, * assess the MTU size for the network interface through which this peer is * reached */ -static void rxrpc_assess_MTU_size(struct rxrpc_local *local, - struct rxrpc_peer *peer) +void rxrpc_assess_MTU_size(struct rxrpc_local *local, struct rxrpc_peer *peer) { struct net *net = local->net; struct dst_entry *dst; @@ -277,8 +276,6 @@ static void rxrpc_init_peer(struct rxrpc_local *local, struct rxrpc_peer *peer, peer->hdrsize += sizeof(struct rxrpc_wire_header); peer->max_data = peer->if_mtu - peer->hdrsize; - - rxrpc_assess_MTU_size(local, peer); } /* @@ -297,6 +294,7 @@ static struct rxrpc_peer *rxrpc_create_peer(struct rxrpc_local *local, if (peer) { memcpy(&peer->srx, srx, sizeof(*srx)); rxrpc_init_peer(local, peer, hash_key); + rxrpc_assess_MTU_size(local, peer); } _leave(" = %p", peer);

3 weeks, 6 days

1
0
0 0

Re: [PATCH 6.15 000/192] 6.15.7-rc1 review

by Dileep malepu

> This is the start of the stable review cycle for the 6.15.7 release. > There are 192 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Thu, 17 Jul 2025 13:07:32 +0000. > Anything received after that time might be too late. > > The whole patch series can be found in one patch at: > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.7-rc1… > or in the git tree and branch at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y > and the diffstat can be found below. > > thanks, > > greg k-h Tested Linux kernel 6.15.7-rc1 on Fedora 37 (x86_64) with Intel i7-11800H. All major tests including boot, Wi-Fi, Bluetooth, audio, video, and USB mass storage detection passed successfully. Kernel Version : 6.15.7-rc1 Fedora Version : 37 (Thirty Seven) Processor : 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz Build Architecture: x86_64 Test Results: - Boot Test : PASS - Wi-Fi Test : PASS - Bluetooth Test : PASS - Audio Test : PASS - Video Test : PASS - USB Mass Storage Drive Detect : PASS Tested-by: Dileep Malepu <dileep.debian(a)gmail.com>

3 weeks, 6 days

1
0
0 0

[PATCH] kernel/fork: Increase minimum number of allowed threads

by Hauke Mehrtens

From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> A modern Linux system creates much more than 20 threads at bootup. When I booted up OpenWrt in qemu the system sometimes failed to boot up when it wanted to create the 419th thread. The VM had 128MB RAM and the calculation in set_max_threads() calculated that max_threads should be set to 419. When the system booted up it tried to notify the user space about every device it created because CONFIG_UEVENT_HELPER was set and used. I counted 1299 calles to call_usermodehelper_setup(), all of them try to create a new thread and call the userspace hotplug script in it. This fixes bootup of Linux on systems with low memory. I saw the problem with qemu 10.0.2 using these commands: qemu-system-aarch64 -machine virt -cpu cortex-a57 -nographic Cc: stable(a)vger.kernel.org Signed-off-by: Hauke Mehrtens <hauke(a)hauke-m.de> --- kernel/fork.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/fork.c b/kernel/fork.c index 7966c9a1c163..388299525f3c 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -115,7 +115,7 @@ /* * Minimum number of threads to boot the kernel */ -#define MIN_THREADS 20 +#define MIN_THREADS 600 /* * Maximum number of threads -- 2.50.1

3 weeks, 6 days

2
2
0 0

[PATCH v5 2/3] drm/amdgpu: Reset the clear flag in buddy during resume

by Arunpravin Paneer Selvam

- Added a handler in DRM buddy manager to reset the cleared flag for the blocks in the freelist. - This is necessary because, upon resuming, the VRAM becomes cluttered with BIOS data, yet the VRAM backend manager believes that everything has been cleared. v2: - Add lock before accessing drm_buddy_clear_reset_blocks()(Matthew Auld) - Force merge the two dirty blocks.(Matthew Auld) - Add a new unit test case for this issue.(Matthew Auld) - Having this function being able to flip the state either way would be good. (Matthew Brost) v3(Matthew Auld): - Do merge step first to avoid the use of extra reset flag. Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Suggested-by: Christian König <christian.koenig(a)amd.com> Acked-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 --- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 17 ++++++++ drivers/gpu/drm/drm_buddy.c | 43 ++++++++++++++++++++ include/drm/drm_buddy.h | 2 + 5 files changed, 65 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index 723ab95d8c48..ac92220f9fc3 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -5327,6 +5327,8 @@ int amdgpu_device_resume(struct drm_device *dev, bool notify_clients) dev->dev->power.disable_depth--; #endif } + + amdgpu_vram_mgr_clear_reset_blocks(adev); adev->in_suspend = false; if (amdgpu_acpi_smart_shift_update(dev, AMDGPU_SS_DEV_D0)) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h index 215c198e4aff..2309df3f68a9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h @@ -155,6 +155,7 @@ int amdgpu_vram_mgr_reserve_range(struct amdgpu_vram_mgr *mgr, uint64_t start, uint64_t size); int amdgpu_vram_mgr_query_page_status(struct amdgpu_vram_mgr *mgr, uint64_t start); +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev); bool amdgpu_res_cpu_visible(struct amdgpu_device *adev, struct ttm_resource *res); diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c index abdc52b0895a..07c936e90d8e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c @@ -782,6 +782,23 @@ uint64_t amdgpu_vram_mgr_vis_usage(struct amdgpu_vram_mgr *mgr) return atomic64_read(&mgr->vis_usage); } +/** + * amdgpu_vram_mgr_clear_reset_blocks - reset clear blocks + * + * @adev: amdgpu device pointer + * + * Reset the cleared drm buddy blocks. + */ +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev) +{ + struct amdgpu_vram_mgr *mgr = &adev->mman.vram_mgr; + struct drm_buddy *mm = &mgr->mm; + + mutex_lock(&mgr->lock); + drm_buddy_reset_clear(mm, false); + mutex_unlock(&mgr->lock); +} + /** * amdgpu_vram_mgr_intersects - test each drm buddy block for intersection * diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a1e652b7631d..a94061f373de 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -405,6 +405,49 @@ drm_get_buddy(struct drm_buddy_block *block) } EXPORT_SYMBOL(drm_get_buddy); +/** + * drm_buddy_reset_clear - reset blocks clear state + * + * @mm: DRM buddy manager + * @is_clear: blocks clear state + * + * Reset the clear state based on @is_clear value for each block + * in the freelist. + */ +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) +{ + u64 root_size, size, start; + unsigned int order; + int i; + + size = mm->size; + for (i = 0; i < mm->n_roots; ++i) { + order = ilog2(size) - ilog2(mm->chunk_size); + start = drm_buddy_block_offset(mm->roots[i]); + __force_merge(mm, start, start + size, order); + + root_size = mm->chunk_size << order; + size -= root_size; + } + + for (i = 0; i <= mm->max_order; ++i) { + struct drm_buddy_block *block; + + list_for_each_entry_reverse(block, &mm->free_list[i], link) { + if (is_clear != drm_buddy_block_is_clear(block)) { + if (is_clear) { + mark_cleared(block); + mm->clear_avail += drm_buddy_block_size(mm, block); + } else { + clear_reset(block); + mm->clear_avail -= drm_buddy_block_size(mm, block); + } + } + } + } +} +EXPORT_SYMBOL(drm_buddy_reset_clear); + /** * drm_buddy_free_block - free a block * diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 9689a7c5dd36..513837632b7d 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -160,6 +160,8 @@ int drm_buddy_block_trim(struct drm_buddy *mm, u64 new_size, struct list_head *blocks); +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear); + void drm_buddy_free_block(struct drm_buddy *mm, struct drm_buddy_block *block); void drm_buddy_free_list(struct drm_buddy *mm, -- 2.43.0

3 weeks, 6 days

3
5
0 0

[PATCH] PCI: j721e: Fix programming sequence of "strap" settings

by Siddharth Vadapalli

The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. In the PCIe Controller's register space, the same set of registers that correspond to the Root-Port configuration space when the Controller is configured for Root-Complex mode of operation, also correspond to the Physical Function configuration space when the Controller is configured for Endpoint mode of operation. As a result, the "reset-value" of these set of registers _should_ vary depending on the selected mode of operation. This is the expected behavior according to the description of the registers and their reset values in the Technical Reference Manual for the SoCs. However, it is observed that the "reset-value" seen in practice do not match the description. To be precise, when the Controller is configured for Root-Complex mode of operation, the "reset-value" of the Root-Port configuration space reflect the "reset-value" corresponding to the Physical Function configuration space. This can be attributed to the fact that the "strap" settings play a role in "switching" the "reset-value" of the registers to match the expected values as determined by the selected mode of operation. Since the "strap" settings are sampled the moment the PCIe Controller is powered ON, the "reset-value" of the registers are setup at that point in time. As a result, if the "strap" settings are programmed at a later point in time, it _will not_ update the "reset-value" of the registers. This will cause the Physical Function configuration space to be seen when the Root-Port configuration space is accessed after programming the PCIe Controller for Root-Complex mode of operation. Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. This will ensure that the "strap" settings that have been sampled convey the intended mode of operation, thereby resulting in the "reset-value" of the registers being accurate. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit 155a3c003e55 Merge tag 'for-6.16/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm of Mainline Linux. Patch has been validated on the J7200 SoC which is affected by the existing programming sequence of the "strap" settings. Regards, Siddharth. drivers/pci/controller/cadence/pci-j721e.c | 82 ++++++++++++++-------- 1 file changed, 53 insertions(+), 29 deletions(-) diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index 6c93f39d0288..d5e7cb7277dc 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -19,6 +19,7 @@ #include <linux/of.h> #include <linux/pci.h> #include <linux/platform_device.h> +#include <linux/pm_domain.h> #include <linux/pm_runtime.h> #include <linux/regmap.h> @@ -173,10 +174,9 @@ static const struct cdns_pcie_ops j721e_pcie_ops = { .link_up = j721e_pcie_link_up, }; -static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct regmap *syscon, - unsigned int offset) +static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct device *dev, + struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; u32 mask = J721E_MODE_RC; u32 mode = pcie->mode; u32 val = 0; @@ -193,9 +193,9 @@ static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct regmap *syscon, } static int j721e_pcie_set_link_speed(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *np = dev->of_node; int link_speed; u32 val = 0; @@ -214,9 +214,9 @@ static int j721e_pcie_set_link_speed(struct j721e_pcie *pcie, } static int j721e_pcie_set_lane_count(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; u32 lanes = pcie->num_lanes; u32 mask = BIT(8); u32 val = 0; @@ -234,9 +234,9 @@ static int j721e_pcie_set_lane_count(struct j721e_pcie *pcie, } static int j721e_enable_acspcie_refclk(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *node = dev->of_node; u32 mask = ACSPCIE_PAD_DISABLE_MASK; struct of_phandle_args args; @@ -263,9 +263,8 @@ static int j721e_enable_acspcie_refclk(struct j721e_pcie *pcie, return 0; } -static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) +static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie, struct device *dev) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *node = dev->of_node; struct of_phandle_args args; unsigned int offset = 0; @@ -284,19 +283,19 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; - ret = j721e_pcie_set_mode(pcie, syscon, offset); + ret = j721e_pcie_set_mode(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); return ret; } - ret = j721e_pcie_set_link_speed(pcie, syscon, offset); + ret = j721e_pcie_set_link_speed(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set link speed\n"); return ret; } - ret = j721e_pcie_set_lane_count(pcie, syscon, offset); + ret = j721e_pcie_set_lane_count(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set num-lanes\n"); return ret; @@ -308,7 +307,7 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!syscon) return 0; - return j721e_enable_acspcie_refclk(pcie, syscon); + return j721e_enable_acspcie_refclk(pcie, dev, syscon); } static int cdns_ti_pcie_config_read(struct pci_bus *bus, unsigned int devfn, @@ -469,6 +468,47 @@ static int j721e_pcie_probe(struct platform_device *pdev) if (!pcie) return -ENOMEM; + pcie->mode = mode; + + ret = of_property_read_u32(node, "num-lanes", &num_lanes); + if (ret || num_lanes > data->max_lanes) { + dev_warn(dev, "num-lanes property not provided or invalid, setting num-lanes to 1\n"); + num_lanes = 1; + } + + pcie->num_lanes = num_lanes; + pcie->max_lanes = data->max_lanes; + + /* + * The PCIe Controller's registers have different "reset-value" depending + * on the "strap" settings programmed into the Controller's Glue Layer. + * This is because the same set of registers are used for representing the + * Physical Function configuration space in Endpoint mode and for + * representing the Root-Port configuration space in Root-Complex mode. + * + * The registers latch onto a "reset-value" based on the "strap" settings + * sampled after the Controller is powered on. Therefore, for the + * "reset-value" to be accurate, it is necessary to program the "strap" + * settings when the Controller is powered off, and power on the Controller + * after the "strap" settings have been programmed. + * + * The "strap" settings are programmed by "j721e_pcie_ctrl_init()". + * Therefore, power off the Controller before invoking "j721e_pcie_ctrl_init()", + * program the "strap" settings, and then power on the Controller. This ensures + * that the reset values are accurate and reflect the "strap" settings. + */ + dev_pm_domain_detach(dev, true); + + ret = j721e_pcie_ctrl_init(pcie, dev); + if (ret < 0) + return ret; + + ret = dev_pm_domain_attach(dev, true); + if (ret < 0) { + dev_err(dev, "failed to power on PCIe Controller\n"); + return ret; + } + switch (mode) { case PCI_MODE_RC: if (!IS_ENABLED(CONFIG_PCI_J721E_HOST)) @@ -510,7 +550,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) return 0; } - pcie->mode = mode; pcie->linkdown_irq_regfield = data->linkdown_irq_regfield; base = devm_platform_ioremap_resource_byname(pdev, "intd_cfg"); @@ -523,15 +562,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) return PTR_ERR(base); pcie->user_cfg_base = base; - ret = of_property_read_u32(node, "num-lanes", &num_lanes); - if (ret || num_lanes > data->max_lanes) { - dev_warn(dev, "num-lanes property not provided or invalid, setting num-lanes to 1\n"); - num_lanes = 1; - } - - pcie->num_lanes = num_lanes; - pcie->max_lanes = data->max_lanes; - if (dma_set_mask_and_coherent(dev, DMA_BIT_MASK(48))) return -EINVAL; @@ -547,12 +577,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) goto err_get_sync; } - ret = j721e_pcie_ctrl_init(pcie); - if (ret < 0) { - dev_err_probe(dev, ret, "pm_runtime_get_sync failed\n"); - goto err_get_sync; - } - ret = devm_request_irq(dev, irq, j721e_pcie_link_irq_handler, 0, "j721e-pcie-link-down-irq", pcie); if (ret < 0) { @@ -680,7 +704,7 @@ static int j721e_pcie_resume_noirq(struct device *dev) struct cdns_pcie *cdns_pcie = pcie->cdns_pcie; int ret; - ret = j721e_pcie_ctrl_init(pcie); + ret = j721e_pcie_ctrl_init(pcie, dev); if (ret < 0) return ret; -- 2.34.1

3 weeks, 6 days

1
0
0 0

[PATCH] memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()

by Nathan Chancellor

A new warning in clang [1] points out that id_reg is uninitialized then passed to memstick_init_req() as a const pointer: drivers/memstick/core/memstick.c:330:59: error: variable 'id_reg' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] 330 | memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, | ^~~~~~ Commit de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning") intentionally passed this variable uninitialized to avoid an -Wnonnull warning from a NULL value that was previously there because id_reg is never read from the call to memstick_init_req() in h_memstick_read_dev_id(). Just zero initialize id_reg to avoid the warning, which is likely happening in the majority of builds using modern compilers that support '-ftrivial-auto-var-init=zero'. Cc: stable(a)vger.kernel.org Fixes: de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Closes: https://github.com/ClangBuiltLinux/linux/issues/2105 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/memstick/core/memstick.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c index 043b9ec756ff..7f3f47db4c98 100644 --- a/drivers/memstick/core/memstick.c +++ b/drivers/memstick/core/memstick.c @@ -324,7 +324,7 @@ EXPORT_SYMBOL(memstick_init_req); static int h_memstick_read_dev_id(struct memstick_dev *card, struct memstick_request **mrq) { - struct ms_id_register id_reg; + struct ms_id_register id_reg = {}; if (!(*mrq)) { memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, --- base-commit: ff09b71bf9daeca4f21d6e5e449641c9fad75b53 change-id: 20250715-memstick-fix-uninit-const-pointer-ed6f138bf40d Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 6 days

2
1
0 0

[PATCH v2 3/3] bus: mhi: keep device context through suspend cycles

by Muhammad Usama Anjum

Don't deinitialize the device context while going into suspend or hibernation cycles. Otherwise the resume may fail if at resume time, the memory pressure is high and no dma memory is available. At resume, only reset the read/write ring pointers as rings may have stale data. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations") Cc: Krishna Chaitanya Chundru <krishna.chundru(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Add logic to reset rings at resume --- drivers/bus/mhi/host/init.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 46ed0ae2ac285..6513012311ce3 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -474,6 +474,24 @@ static int mhi_init_dev_ctxt(struct mhi_controller *mhi_cntrl) return ret; } +static void mhi_reset_dev_rings(struct mhi_controller *mhi_cntrl) +{ + struct mhi_event *mhi_event = mhi_cntrl->mhi_event; + struct mhi_cmd *mhi_cmd = mhi_cntrl->mhi_cmd; + struct mhi_ring *ring; + int i; + + for (i = 0; i < mhi_cntrl->total_ev_rings; i++, mhi_event++) { + ring = &mhi_event->ring; + ring->rp = ring->wp = ring->base; + } + + for (i = 0; i < NR_OF_CMD_RINGS; i++, mhi_cmd++) { + ring = &mhi_cmd->ring; + ring->rp = ring->wp = ring->base; + } +} + int mhi_init_mmio(struct mhi_controller *mhi_cntrl) { u32 val; @@ -1133,9 +1151,13 @@ int mhi_prepare_for_power_up(struct mhi_controller *mhi_cntrl) mutex_lock(&mhi_cntrl->pm_mutex); - ret = mhi_init_dev_ctxt(mhi_cntrl); - if (ret) - goto error_dev_ctxt; + if (!mhi_cntrl->mhi_ctxt) { + ret = mhi_init_dev_ctxt(mhi_cntrl); + if (ret) + goto error_dev_ctxt; + } else { + mhi_reset_dev_rings(mhi_cntrl); + } ret = mhi_read_reg(mhi_cntrl, mhi_cntrl->regs, BHIOFF, &bhi_off); if (ret) { @@ -1212,8 +1234,6 @@ void mhi_deinit_dev_ctxt(struct mhi_controller *mhi_cntrl) { mhi_cntrl->bhi = NULL; mhi_cntrl->bhie = NULL; - - __mhi_deinit_dev_ctxt(mhi_cntrl); } void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) @@ -1239,6 +1259,7 @@ void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) } mhi_deinit_dev_ctxt(mhi_cntrl); + __mhi_deinit_dev_ctxt(mhi_cntrl); } EXPORT_SYMBOL_GPL(mhi_unprepare_after_power_down); -- 2.39.5

3 weeks, 6 days

2
1
0 0

[PATCH v2 2/3] bus: mhi: host: keep bhie buffer through suspend cycle

by Muhammad Usama Anjum

When there is memory pressure, at resume time dma_alloc_coherent() returns error which in turn fails the loading of the firmware and hence the driver crashes. Fix it by allocating only once and then reuse the same allocated memory. As we'll allocate this memory only once, this memory will stays allocated. Fixes: f88f1d0998ea ("bus: mhi: host: Add a policy to enable image transfer via BHIe in PBL") Cc: Krishna Chaitanya Chundru <krishna.chundru(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Added in v2 --- drivers/bus/mhi/host/boot.c | 19 ++++++++++++------- drivers/bus/mhi/host/init.c | 5 +++++ include/linux/mhi.h | 1 + 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c index 9fc983bc12d49..9f35ce9d670e7 100644 --- a/drivers/bus/mhi/host/boot.c +++ b/drivers/bus/mhi/host/boot.c @@ -478,17 +478,22 @@ static int mhi_load_image_bhi(struct mhi_controller *mhi_cntrl, const u8 *fw_dat static int mhi_load_image_bhie(struct mhi_controller *mhi_cntrl, const u8 *fw_data, size_t size) { - struct image_info *image; + struct image_info **image = &mhi_cntrl->bhie_image; int ret; - ret = mhi_alloc_bhie_table(mhi_cntrl, &image, size); - if (ret) - return ret; + if (!(*image)) { + ret = mhi_alloc_bhie_table(mhi_cntrl, image, size); + if (ret) + return ret; - mhi_firmware_copy_bhie(mhi_cntrl, fw_data, size, image); + mhi_firmware_copy_bhie(mhi_cntrl, fw_data, size, *image); + } - ret = mhi_fw_load_bhie(mhi_cntrl, &image->mhi_buf[image->entries - 1]); - mhi_free_bhie_table(mhi_cntrl, image); + ret = mhi_fw_load_bhie(mhi_cntrl, &(*image)->mhi_buf[(*image)->entries - 1]); + if (ret) { + mhi_free_bhie_table(mhi_cntrl, *image); + *image = NULL; + } return ret; } diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 2e0f18c939e68..46ed0ae2ac285 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -1228,6 +1228,11 @@ void mhi_unprepare_after_power_down(struct mhi_controller *mhi_cntrl) mhi_cntrl->rddm_image = NULL; } + if (mhi_cntrl->bhie_image) { + mhi_free_bhie_table(mhi_cntrl, mhi_cntrl->bhie_image); + mhi_cntrl->bhie_image = NULL; + } + if (mhi_cntrl->bhi_image) { mhi_free_bhi_buffer(mhi_cntrl, mhi_cntrl->bhi_image); mhi_cntrl->bhi_image = NULL; diff --git a/include/linux/mhi.h b/include/linux/mhi.h index 593012f779d97..77986cd66fda3 100644 --- a/include/linux/mhi.h +++ b/include/linux/mhi.h @@ -391,6 +391,7 @@ struct mhi_controller { size_t reg_len; struct image_info *fbc_image; struct image_info *rddm_image; + struct image_info *bhie_image; struct image_info *bhi_image; struct mhi_chan *mhi_chan; struct list_head lpm_chans; -- 2.39.5

3 weeks, 6 days

2
1
0 0

[PATCH] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()

by Nathan Chancellor

A new warning in clang [1] complains that diq_start in wlc_lcnphy_tx_iqlo_cal() is passed uninitialized as a const pointer to wlc_lcnphy_common_read_table(): drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:2728:13: error: variable 'diq_start' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] 2728 | &diq_start, 1, 16, 69); | ^~~~~~~~~ The table pointer passed to wlc_lcnphy_common_read_table() should not be considered constant, as wlc_phy_read_table() is ultimately going to update it. Remove the const qualifier from the tbl_ptr to clear up the warning. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2108 Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c index d0faba240561..b4bba67a45ec 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c @@ -919,7 +919,7 @@ void wlc_lcnphy_read_table(struct brcms_phy *pi, struct phytbl_info *pti) static void wlc_lcnphy_common_read_table(struct brcms_phy *pi, u32 tbl_id, - const u16 *tbl_ptr, u32 tbl_len, + u16 *tbl_ptr, u32 tbl_len, u32 tbl_width, u32 tbl_offset) { struct phytbl_info tab; --- base-commit: bbc19fef578970158847a41d9b6b6b218034b8c2 change-id: 20250715-brcmsmac-fix-uninit-const-pointer-d35114a50936 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 6 days

2
1
0 0

[PATCH v4 1/1] eventpoll: Replace rwlock with spinlock

by Nam Cao

The ready event list of an epoll object is protected by read-write semaphore: - The consumer (waiter) acquires the write lock and takes items. - the producer (waker) takes the read lock and adds items. The point of this design is enabling epoll to scale well with large number of producers, as multiple producers can hold the read lock at the same time. Unfortunately, this implementation may cause scheduling priority inversion problem. Suppose the consumer has higher scheduling priority than the producer. The consumer needs to acquire the write lock, but may be blocked by the producer holding the read lock. Since read-write semaphore does not support priority-boosting for the readers (even with CONFIG_PREEMPT_RT=y), we have a case of priority inversion: a higher priority consumer is blocked by a lower priority producer. This problem was reported in [1]. Furthermore, this could also cause stall problem, as described in [2]. Fix this problem by replacing rwlock with spinlock. This reduces the event bandwidth, as the producers now have to contend with each other for the spinlock. According to the benchmark from https://github.com/rouming/test-tools/blob/master/stress-epoll.c: On 12 x86 CPUs: Before After Diff threads events/ms events/ms 8 7162 4956 -31% 16 8733 5383 -38% 32 7968 5572 -30% 64 10652 5739 -46% 128 11236 5931 -47% On 4 riscv CPUs: Before After Diff threads events/ms events/ms 8 2958 2833 -4% 16 3323 3097 -7% 32 3451 3240 -6% 64 3554 3178 -11% 128 3601 3235 -10% Although the numbers look bad, it should be noted that this benchmark creates multiple threads who do nothing except constantly generating new epoll events, thus contention on the spinlock is high. For real workload, the event rate is likely much lower, and the performance drop is not as bad. Using another benchmark (perf bench epoll wait) where spinlock contention is lower, improvement is even observed on x86: On 12 x86 CPUs: Before: Averaged 110279 operations/sec (+- 1.09%), total secs = 8 After: Averaged 114577 operations/sec (+- 2.25%), total secs = 8 On 4 riscv CPUs: Before: Averaged 175767 operations/sec (+- 0.62%), total secs = 8 After: Averaged 167396 operations/sec (+- 0.23%), total secs = 8 In conclusion, no one is likely to be upset over this change. After all, spinlock was used originally for years, and the commit which converted to rwlock didn't mention a real workload, just that the benchmark numbers are nice. This patch is not exactly the revert of commit a218cc491420 ("epoll: use rwlock in order to reduce ep_poll_callback() contention"), because git revert conflicts in some places which are not obvious on the resolution. This patch is intended to be backported, therefore go with the obvious approach: - Replace rwlock_t with spinlock_t one to one - Delete list_add_tail_lockless() and chain_epi_lockless(). These were introduced to allow producers to concurrently add items to the list. But now that spinlock no longer allows producers to touch the event list concurrently, these two functions are not necessary anymore. Fixes: a218cc491420 ("epoll: use rwlock in order to reduce ep_poll_callback() contention") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 139 +++++++++---------------------------------------- 1 file changed, 26 insertions(+), 113 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0fbf5dfedb24..a171f7e7dacc 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -46,10 +46,10 @@ * * 1) epnested_mutex (mutex) * 2) ep->mtx (mutex) - * 3) ep->lock (rwlock) + * 3) ep->lock (spinlock) * * The acquire order is the one listed above, from 1 to 3. - * We need a rwlock (ep->lock) because we manipulate objects + * We need a spinlock (ep->lock) because we manipulate objects * from inside the poll callback, that might be triggered from * a wake_up() that in turn might be called from IRQ context. * So we can't sleep inside the poll callback and hence we need @@ -195,7 +195,7 @@ struct eventpoll { struct list_head rdllist; /* Lock which protects rdllist and ovflist */ - rwlock_t lock; + spinlock_t lock; /* RB tree root used to store monitored fd structs */ struct rb_root_cached rbr; @@ -740,10 +740,10 @@ static void ep_start_scan(struct eventpoll *ep, struct list_head *txlist) * in a lockless way. */ lockdep_assert_irqs_enabled(); - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); list_splice_init(&ep->rdllist, txlist); WRITE_ONCE(ep->ovflist, NULL); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } static void ep_done_scan(struct eventpoll *ep, @@ -751,7 +751,7 @@ static void ep_done_scan(struct eventpoll *ep, { struct epitem *epi, *nepi; - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* * During the time we spent inside the "sproc" callback, some * other events might have been queued by the poll callback. @@ -792,7 +792,7 @@ static void ep_done_scan(struct eventpoll *ep, wake_up(&ep->wq); } - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } static void ep_get(struct eventpoll *ep) @@ -867,10 +867,10 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force) rb_erase_cached(&epi->rbn, &ep->rbr); - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); if (ep_is_linked(epi)) list_del_init(&epi->rdllink); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); wakeup_source_unregister(ep_wakeup_source(epi)); /* @@ -1151,7 +1151,7 @@ static int ep_alloc(struct eventpoll **pep) return -ENOMEM; mutex_init(&ep->mtx); - rwlock_init(&ep->lock); + spin_lock_init(&ep->lock); init_waitqueue_head(&ep->wq); init_waitqueue_head(&ep->poll_wait); INIT_LIST_HEAD(&ep->rdllist); @@ -1238,100 +1238,10 @@ struct file *get_epoll_tfile_raw_ptr(struct file *file, int tfd, } #endif /* CONFIG_KCMP */ -/* - * Adds a new entry to the tail of the list in a lockless way, i.e. - * multiple CPUs are allowed to call this function concurrently. - * - * Beware: it is necessary to prevent any other modifications of the - * existing list until all changes are completed, in other words - * concurrent list_add_tail_lockless() calls should be protected - * with a read lock, where write lock acts as a barrier which - * makes sure all list_add_tail_lockless() calls are fully - * completed. - * - * Also an element can be locklessly added to the list only in one - * direction i.e. either to the tail or to the head, otherwise - * concurrent access will corrupt the list. - * - * Return: %false if element has been already added to the list, %true - * otherwise. - */ -static inline bool list_add_tail_lockless(struct list_head *new, - struct list_head *head) -{ - struct list_head *prev; - - /* - * This is simple 'new->next = head' operation, but cmpxchg() - * is used in order to detect that same element has been just - * added to the list from another CPU: the winner observes - * new->next == new. - */ - if (!try_cmpxchg(&new->next, &new, head)) - return false; - - /* - * Initially ->next of a new element must be updated with the head - * (we are inserting to the tail) and only then pointers are atomically - * exchanged. XCHG guarantees memory ordering, thus ->next should be - * updated before pointers are actually swapped and pointers are - * swapped before prev->next is updated. - */ - - prev = xchg(&head->prev, new); - - /* - * It is safe to modify prev->next and new->prev, because a new element - * is added only to the tail and new->next is updated before XCHG. - */ - - prev->next = new; - new->prev = prev; - - return true; -} - -/* - * Chains a new epi entry to the tail of the ep->ovflist in a lockless way, - * i.e. multiple CPUs are allowed to call this function concurrently. - * - * Return: %false if epi element has been already chained, %true otherwise. - */ -static inline bool chain_epi_lockless(struct epitem *epi) -{ - struct eventpoll *ep = epi->ep; - - /* Fast preliminary check */ - if (epi->next != EP_UNACTIVE_PTR) - return false; - - /* Check that the same epi has not been just chained from another CPU */ - if (cmpxchg(&epi->next, EP_UNACTIVE_PTR, NULL) != EP_UNACTIVE_PTR) - return false; - - /* Atomically exchange tail */ - epi->next = xchg(&ep->ovflist, epi); - - return true; -} - /* * This is the callback that is passed to the wait queue wakeup * mechanism. It is called by the stored file descriptors when they * have events to report. - * - * This callback takes a read lock in order not to contend with concurrent - * events from another file descriptor, thus all modifications to ->rdllist - * or ->ovflist are lockless. Read lock is paired with the write lock from - * ep_start/done_scan(), which stops all list modifications and guarantees - * that lists state is seen correctly. - * - * Another thing worth to mention is that ep_poll_callback() can be called - * concurrently for the same @epi from different CPUs if poll table was inited - * with several wait queues entries. Plural wakeup from different CPUs of a - * single wait queue is serialized by wq.lock, but the case when multiple wait - * queues are used should be detected accordingly. This is detected using - * cmpxchg() operation. */ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, void *key) { @@ -1342,7 +1252,7 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v unsigned long flags; int ewake = 0; - read_lock_irqsave(&ep->lock, flags); + spin_lock_irqsave(&ep->lock, flags); ep_set_busy_poll_napi_id(epi); @@ -1371,12 +1281,15 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v * chained in ep->ovflist and requeued later on. */ if (READ_ONCE(ep->ovflist) != EP_UNACTIVE_PTR) { - if (chain_epi_lockless(epi)) + if (epi->next == EP_UNACTIVE_PTR) { + epi->next = READ_ONCE(ep->ovflist); + WRITE_ONCE(ep->ovflist, epi); ep_pm_stay_awake_rcu(epi); + } } else if (!ep_is_linked(epi)) { /* In the usual case, add event to ready list. */ - if (list_add_tail_lockless(&epi->rdllink, &ep->rdllist)) - ep_pm_stay_awake_rcu(epi); + list_add_tail(&epi->rdllink, &ep->rdllist); + ep_pm_stay_awake_rcu(epi); } /* @@ -1409,7 +1322,7 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v pwake++; out_unlock: - read_unlock_irqrestore(&ep->lock, flags); + spin_unlock_irqrestore(&ep->lock, flags); /* We have to call this outside the lock */ if (pwake) @@ -1744,7 +1657,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, } /* We have to drop the new item inside our item list to keep track of it */ - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* record NAPI ID of new item if present */ ep_set_busy_poll_napi_id(epi); @@ -1761,7 +1674,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, pwake++; } - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); /* We have to call this outside the lock */ if (pwake) @@ -1825,7 +1738,7 @@ static int ep_modify(struct eventpoll *ep, struct epitem *epi, * list, push it inside. */ if (ep_item_poll(epi, &pt, 1)) { - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); if (!ep_is_linked(epi)) { list_add_tail(&epi->rdllink, &ep->rdllist); ep_pm_stay_awake(epi); @@ -1836,7 +1749,7 @@ static int ep_modify(struct eventpoll *ep, struct epitem *epi, if (waitqueue_active(&ep->poll_wait)) pwake++; } - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } /* We have to call this outside the lock */ @@ -2088,7 +2001,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, init_wait(&wait); wait.func = ep_autoremove_wake_function; - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* * Barrierless variant, waitqueue_active() is called under * the same lock on wakeup ep_poll_callback() side, so it @@ -2107,7 +2020,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, if (!eavail) __add_wait_queue_exclusive(&ep->wq, &wait); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); if (!eavail) timed_out = !ep_schedule_timeout(to) || @@ -2123,7 +2036,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, eavail = 1; if (!list_empty_careful(&wait.entry)) { - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* * If the thread timed out and is not on the wait queue, * it means that the thread was woken up after its @@ -2134,7 +2047,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, if (timed_out) eavail = list_empty(&wait.entry); __remove_wait_queue(&ep->wq, &wait); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } } } -- 2.39.5

3 weeks, 6 days

3
4
0 0

[PATCH v4 2/3] drm/amdgpu: Reset the clear flag in buddy during resume

by Arunpravin Paneer Selvam

- Added a handler in DRM buddy manager to reset the cleared flag for the blocks in the freelist. - This is necessary because, upon resuming, the VRAM becomes cluttered with BIOS data, yet the VRAM backend manager believes that everything has been cleared. v2: - Add lock before accessing drm_buddy_clear_reset_blocks()(Matthew Auld) - Force merge the two dirty blocks.(Matthew Auld) - Add a new unit test case for this issue.(Matthew Auld) - Having this function being able to flip the state either way would be good. (Matthew Brost) v3(Matthew Auld): - Do merge step first to avoid the use of extra reset flag. Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Suggested-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 --- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 17 ++++++++ drivers/gpu/drm/drm_buddy.c | 43 ++++++++++++++++++++ include/drm/drm_buddy.h | 2 + 5 files changed, 65 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index 723ab95d8c48..ac92220f9fc3 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -5327,6 +5327,8 @@ int amdgpu_device_resume(struct drm_device *dev, bool notify_clients) dev->dev->power.disable_depth--; #endif } + + amdgpu_vram_mgr_clear_reset_blocks(adev); adev->in_suspend = false; if (amdgpu_acpi_smart_shift_update(dev, AMDGPU_SS_DEV_D0)) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h index 215c198e4aff..2309df3f68a9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h @@ -155,6 +155,7 @@ int amdgpu_vram_mgr_reserve_range(struct amdgpu_vram_mgr *mgr, uint64_t start, uint64_t size); int amdgpu_vram_mgr_query_page_status(struct amdgpu_vram_mgr *mgr, uint64_t start); +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev); bool amdgpu_res_cpu_visible(struct amdgpu_device *adev, struct ttm_resource *res); diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c index abdc52b0895a..07c936e90d8e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c @@ -782,6 +782,23 @@ uint64_t amdgpu_vram_mgr_vis_usage(struct amdgpu_vram_mgr *mgr) return atomic64_read(&mgr->vis_usage); } +/** + * amdgpu_vram_mgr_clear_reset_blocks - reset clear blocks + * + * @adev: amdgpu device pointer + * + * Reset the cleared drm buddy blocks. + */ +void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev) +{ + struct amdgpu_vram_mgr *mgr = &adev->mman.vram_mgr; + struct drm_buddy *mm = &mgr->mm; + + mutex_lock(&mgr->lock); + drm_buddy_reset_clear(mm, false); + mutex_unlock(&mgr->lock); +} + /** * amdgpu_vram_mgr_intersects - test each drm buddy block for intersection * diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a1e652b7631d..a94061f373de 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -405,6 +405,49 @@ drm_get_buddy(struct drm_buddy_block *block) } EXPORT_SYMBOL(drm_get_buddy); +/** + * drm_buddy_reset_clear - reset blocks clear state + * + * @mm: DRM buddy manager + * @is_clear: blocks clear state + * + * Reset the clear state based on @is_clear value for each block + * in the freelist. + */ +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) +{ + u64 root_size, size, start; + unsigned int order; + int i; + + size = mm->size; + for (i = 0; i < mm->n_roots; ++i) { + order = ilog2(size) - ilog2(mm->chunk_size); + start = drm_buddy_block_offset(mm->roots[i]); + __force_merge(mm, start, start + size, order); + + root_size = mm->chunk_size << order; + size -= root_size; + } + + for (i = 0; i <= mm->max_order; ++i) { + struct drm_buddy_block *block; + + list_for_each_entry_reverse(block, &mm->free_list[i], link) { + if (is_clear != drm_buddy_block_is_clear(block)) { + if (is_clear) { + mark_cleared(block); + mm->clear_avail += drm_buddy_block_size(mm, block); + } else { + clear_reset(block); + mm->clear_avail -= drm_buddy_block_size(mm, block); + } + } + } + } +} +EXPORT_SYMBOL(drm_buddy_reset_clear); + /** * drm_buddy_free_block - free a block * diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 9689a7c5dd36..513837632b7d 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -160,6 +160,8 @@ int drm_buddy_block_trim(struct drm_buddy *mm, u64 new_size, struct list_head *blocks); +void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear); + void drm_buddy_free_block(struct drm_buddy *mm, struct drm_buddy_block *block); void drm_buddy_free_list(struct drm_buddy *mm, -- 2.43.0

3 weeks, 6 days

3
2
0 0

[PATCH stable 6.12] selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar

by Shung-Hsi Yu

From: Ihor Solodrai <ihor.solodrai(a)pm.me> Commit f01750aecdfb8bfb02842f60af3d805a3ae7267a upstream. token/obj_priv_implicit_token_envvar test may fail in an environment where the process executing tests can not write to the root path. Example: https://github.com/libbpf/libbpf/actions/runs/11844507007/job/33007897936 Change default path used by the test to /tmp/bpf-token-fs, and make it runtime configurable via an environment variable. Signed-off-by: Ihor Solodrai <ihor.solodrai(a)pm.me> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/bpf/20241115003853.864397-1-ihor.solodrai@pm.me Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- Without this patch test_prog's token/obj_priv_implicit_token_envvar test will fail. --- .../testing/selftests/bpf/prog_tests/token.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/token.c b/tools/testing/selftests/bpf/prog_tests/token.c index fe86e4fdb89c..c3ab9b6fb069 100644 --- a/tools/testing/selftests/bpf/prog_tests/token.c +++ b/tools/testing/selftests/bpf/prog_tests/token.c @@ -828,8 +828,12 @@ static int userns_obj_priv_btf_success(int mnt_fd, struct token_lsm *lsm_skel) return validate_struct_ops_load(mnt_fd, true /* should succeed */); } +static const char *token_bpffs_custom_dir() +{ + return getenv("BPF_SELFTESTS_BPF_TOKEN_DIR") ?: "/tmp/bpf-token-fs"; +} + #define TOKEN_ENVVAR "LIBBPF_BPF_TOKEN_PATH" -#define TOKEN_BPFFS_CUSTOM "/bpf-token-fs" static int userns_obj_priv_implicit_token(int mnt_fd, struct token_lsm *lsm_skel) { @@ -892,6 +896,7 @@ static int userns_obj_priv_implicit_token(int mnt_fd, struct token_lsm *lsm_skel static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *lsm_skel) { + const char *custom_dir = token_bpffs_custom_dir(); LIBBPF_OPTS(bpf_object_open_opts, opts); struct dummy_st_ops_success *skel; int err; @@ -909,10 +914,10 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l * BPF token implicitly, unless pointed to it through * LIBBPF_BPF_TOKEN_PATH envvar */ - rmdir(TOKEN_BPFFS_CUSTOM); - if (!ASSERT_OK(mkdir(TOKEN_BPFFS_CUSTOM, 0777), "mkdir_bpffs_custom")) + rmdir(custom_dir); + if (!ASSERT_OK(mkdir(custom_dir, 0777), "mkdir_bpffs_custom")) goto err_out; - err = sys_move_mount(mnt_fd, "", AT_FDCWD, TOKEN_BPFFS_CUSTOM, MOVE_MOUNT_F_EMPTY_PATH); + err = sys_move_mount(mnt_fd, "", AT_FDCWD, custom_dir, MOVE_MOUNT_F_EMPTY_PATH); if (!ASSERT_OK(err, "move_mount_bpffs")) goto err_out; @@ -925,7 +930,7 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l goto err_out; } - err = setenv(TOKEN_ENVVAR, TOKEN_BPFFS_CUSTOM, 1 /*overwrite*/); + err = setenv(TOKEN_ENVVAR, custom_dir, 1 /*overwrite*/); if (!ASSERT_OK(err, "setenv_token_path")) goto err_out; @@ -951,11 +956,11 @@ static int userns_obj_priv_implicit_token_envvar(int mnt_fd, struct token_lsm *l if (!ASSERT_ERR(err, "obj_empty_token_path_load")) goto err_out; - rmdir(TOKEN_BPFFS_CUSTOM); + rmdir(custom_dir); unsetenv(TOKEN_ENVVAR); return 0; err_out: - rmdir(TOKEN_BPFFS_CUSTOM); + rmdir(custom_dir); unsetenv(TOKEN_ENVVAR); return -EINVAL; } -- 2.50.1

3 weeks, 6 days

1
0
0 0

[PATCH 0/3] Fixes/improvements for SM6350 UFS

by Luca Weiss

Fix the order of the freq-table-hz property, then convert to OPP tables and add interconnect support for UFS for the SM6350 SoC. Signed-off-by: Luca Weiss <luca.weiss(a)fairphone.com> --- Luca Weiss (3): arm64: dts: qcom: sm6350: Fix wrong order of freq-table-hz for UFS arm64: dts: qcom: sm6350: Add OPP table support to UFSHC arm64: dts: qcom: sm6350: Add interconnect support to UFS arch/arm64/boot/dts/qcom/sm6350.dtsi | 49 ++++++++++++++++++++++++++++-------- 1 file changed, 39 insertions(+), 10 deletions(-) --- base-commit: eea255893718268e1ab852fb52f70c613d109b99 change-id: 20250314-sm6350-ufs-things-53c5de9fec5e Best regards, -- Luca Weiss <luca.weiss(a)fairphone.com>

3 weeks, 6 days

2
3
0 0

[PATCH] tracing/probes: Avoid using params uninitialized in parse_btf_arg()

by Nathan Chancellor

After a recent change in clang to strengthen uninitialized warnings [1], it points out that in one of the error paths in parse_btf_arg(), params is used uninitialized: kernel/trace/trace_probe.c:660:19: warning: variable 'params' is uninitialized when used here [-Wuninitialized] 660 | return PTR_ERR(params); | ^~~~~~ Match many other NO_BTF_ENTRY error cases and return -ENOENT, clearing up the warning. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2110 Fixes: d157d7694460 ("tracing/probes: Support BTF field access from $retval") Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- kernel/trace/trace_probe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c index 424751cdf31f..40830a3ecd96 100644 --- a/kernel/trace/trace_probe.c +++ b/kernel/trace/trace_probe.c @@ -657,7 +657,7 @@ static int parse_btf_arg(char *varname, ret = query_btf_context(ctx); if (ret < 0 || ctx->nr_params == 0) { trace_probe_log_err(ctx->offset, NO_BTF_ENTRY); - return PTR_ERR(params); + return -ENOENT; } } params = ctx->params; --- base-commit: 6921d1e07cb5eddec830801087b419194fde0803 change-id: 20250715-trace_probe-fix-const-uninit-warning-7dc3accce903 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 6 days

2
1
0 0

[PATCH net v2] net: libwx: fix multicast packets received count

by Jiawen Wu

Multicast good packets received by PF rings that pass ethternet MAC address filtering are counted for rtnl_link_stats64.multicast. The counter is not cleared on read. Fix the duplicate counting on updating statistics. Fixes: 46b92e10d631 ("net: libwx: support hardware statistics") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- v1 -> v2: - add code comment --- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 0f4be72116b8..7ae3786d90b8 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2778,6 +2778,8 @@ void wx_update_stats(struct wx *wx) hwstats->fdirmiss += rd32(wx, WX_RDB_FDIR_MISS); } + /* qmprc is not cleared on read, manual reset it */ + hwstats->qmprc = 0; for (i = wx->num_vfs * wx->num_rx_queues_per_pool; i < wx->mac.max_rx_queues; i++) hwstats->qmprc += rd32(wx, WX_PX_MPRC(i)); -- 2.48.1

3 weeks, 6 days

3
2
0 0

[PATCH net 0/3] mptcp: fix fallback-related races

by Matthieu Baerts (NGI0)

This series contains 3 fixes somewhat related to various races we have while handling fallback. The root cause of the issues addressed here is that the check for "we can fallback to tcp now" and the related action are not atomic. That also applies to fallback due to MP_FAIL -- where the window race is even wider. Address the issue introducing an additional spinlock to bundle together all the relevant events, as per patch 1 and 2. These fixes can be backported up to v5.19 and v5.15. Note that mptcp_disconnect() unconditionally clears the fallback status (zeroing msk->flags) but don't touch the `allows_infinite_fallback` flag. Such issue is addressed in patch 3, and can be backported up to v5.17. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Paolo Abeni (3): mptcp: make fallback action and fallback decision atomic mptcp: plug races between subflow fail and subflow creation mptcp: reset fallback status gracefully at disconnect() time net/mptcp/options.c | 3 ++- net/mptcp/pm.c | 8 +++++++- net/mptcp/protocol.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-------- net/mptcp/protocol.h | 29 ++++++++++++++++++++------- net/mptcp/subflow.c | 30 +++++++++++++++++----------- 5 files changed, 98 insertions(+), 28 deletions(-) --- base-commit: b640daa2822a39ff76e70200cb2b7b892b896dce change-id: 20250714-net-mptcp-fallback-races-a99f171cf5ca Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

3 weeks, 6 days

2
4
0 0

[PATCH] drm/msm/dpu: Initialize crtc_state to NULL in dpu_plane_virtual_atomic_check()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables and pointers [1], there is a warning around crtc_state in dpu_plane_virtual_atomic_check(): drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1145:6: error: variable 'crtc_state' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 1145 | if (plane_state->crtc) | ^~~~~~~~~~~~~~~~~ drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1149:58: note: uninitialized use occurs here 1149 | ret = dpu_plane_atomic_check_nosspp(plane, plane_state, crtc_state); | ^~~~~~~~~~ drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1145:2: note: remove the 'if' if its condition is always true 1145 | if (plane_state->crtc) | ^~~~~~~~~~~~~~~~~~~~~~ 1146 | crtc_state = drm_atomic_get_new_crtc_state(state, drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1139:35: note: initialize the variable 'crtc_state' to silence this warning 1139 | struct drm_crtc_state *crtc_state; | ^ | = NULL Initialize crtc_state to NULL like other places in the driver do, so that it is consistently initialized. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2106 Fixes: 774bcfb73176 ("drm/msm/dpu: add support for virtual planes") Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c index 421138bc3cb7..30ff21c01a36 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c @@ -1136,7 +1136,7 @@ static int dpu_plane_virtual_atomic_check(struct drm_plane *plane, struct drm_plane_state *old_plane_state = drm_atomic_get_old_plane_state(state, plane); struct dpu_plane_state *pstate = to_dpu_plane_state(plane_state); - struct drm_crtc_state *crtc_state; + struct drm_crtc_state *crtc_state = NULL; int ret; if (IS_ERR(plane_state)) --- base-commit: d3deabe4c619875714b9a844b1a3d9752dbae1dd change-id: 20250715-drm-msm-fix-const-uninit-warning-2b93cef9f1c6 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 6 days

2
1
0 0

[PATCH] wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data()

by Nathan Chancellor

A new warning in clang [1] points out a couple of places where a hdr variable is not initialized then passed along to skb_put_data(). drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:1894:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] 1894 | skb_put_data(skb, &hdr, sizeof(hdr)); | ^~~ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:3386:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] 3386 | skb_put_data(skb, &hdr, sizeof(hdr)); | ^~~ Zero initialize these headers as done in other places in the driver when there is nothing stored in the header. Cc: stable(a)vger.kernel.org Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d44… [1] Closes: https://github.com/ClangBuiltLinux/linux/issues/2104 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c index 994526c65bfc..640abb4dce7f 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c @@ -1879,8 +1879,8 @@ mt7996_mcu_get_mmps_mode(enum ieee80211_smps_mode smps) int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev, void *data, u16 version) { + struct uni_header hdr = {}; struct ra_fixed_rate *req; - struct uni_header hdr; struct sk_buff *skb; struct tlv *tlv; int len; @@ -3373,7 +3373,7 @@ int mt7996_mcu_set_hdr_trans(struct mt7996_dev *dev, bool hdr_trans) { struct { u8 __rsv[4]; - } __packed hdr; + } __packed hdr = {}; struct hdr_trans_blacklist *req_blacklist; struct hdr_trans_en *req_en; struct sk_buff *skb; --- base-commit: eb8352ee2d1e70f916fac02094dca2b435076fa4 change-id: 20250715-mt7996-fix-uninit-const-pointer-01e1dd03d444 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 6 days

1
0
0 0

[PATCH linux-6.12.y 1/2] selftests/bpf: Add a test for arena range tree algorithm

by Yifei Liu

From: Alexei Starovoitov <ast(a)kernel.org> Add a test that verifies specific behavior of arena range tree algorithm and adjust existing big_alloc1 test due to use of global data in arena. Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Acked-by: Kumar Kartikeya Dwivedi <memxor(a)gmail.com> Link: https://lore.kernel.org/bpf/20241108025616.17625-3-alexei.starovoitov@gmail… (cherry picked from commit e58358afa84e8e271a296459d35d1715c7572013) [Yifei: This commit fixes the failure of verifier_arena_large test over 64k page size kernels. This commit also introduce some new tests targeting the new feature, arena range tree algorithm, which is not in linux-6.12.y, I just comment out the test headers so that it would not be run here. If this feature is introduced later, we can just uncomment those two lines.] Signed-off-by: Yifei Liu <yifei.l.liu(a)oracle.com> --- .../bpf/progs/verifier_arena_large.c | 110 +++++++++++++++++- 1 file changed, 108 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/verifier_arena_large.c b/tools/testing/selftests/bpf/progs/verifier_arena_large.c index 6065f862d964..f318675814c6 100644 --- a/tools/testing/selftests/bpf/progs/verifier_arena_large.c +++ b/tools/testing/selftests/bpf/progs/verifier_arena_large.c @@ -29,12 +29,12 @@ int big_alloc1(void *ctx) if (!page1) return 1; *page1 = 1; - page2 = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE - PAGE_SIZE, + page2 = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE - PAGE_SIZE * 2, 1, NUMA_NO_NODE, 0); if (!page2) return 2; *page2 = 2; - no_page = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE, + no_page = bpf_arena_alloc_pages(&arena, base + ARENA_SIZE - PAGE_SIZE, 1, NUMA_NO_NODE, 0); if (no_page) return 3; @@ -66,4 +66,110 @@ int big_alloc1(void *ctx) #endif return 0; } + +#if defined(__BPF_FEATURE_ADDR_SPACE_CAST) +#define PAGE_CNT 100 +__u8 __arena * __arena page[PAGE_CNT]; /* occupies the first page */ +__u8 __arena *base; + +/* + * Check that arena's range_tree algorithm allocates pages sequentially + * on the first pass and then fills in all gaps on the second pass. + */ +__noinline int alloc_pages(int page_cnt, int pages_atonce, bool first_pass, + int max_idx, int step) +{ + __u8 __arena *pg; + int i, pg_idx; + + for (i = 0; i < page_cnt; i++) { + pg = bpf_arena_alloc_pages(&arena, NULL, pages_atonce, + NUMA_NO_NODE, 0); + if (!pg) + return step; + pg_idx = (pg - base) / PAGE_SIZE; + if (first_pass) { + /* Pages must be allocated sequentially */ + if (pg_idx != i) + return step + 100; + } else { + /* Allocator must fill into gaps */ + if (pg_idx >= max_idx || (pg_idx & 1)) + return step + 200; + } + *pg = pg_idx; + page[pg_idx] = pg; + cond_break; + } + return 0; +} + +//SEC("syscall") +//__success __retval(0) +int big_alloc2(void *ctx) +{ + __u8 __arena *pg; + int i, err; + + base = bpf_arena_alloc_pages(&arena, NULL, 1, NUMA_NO_NODE, 0); + if (!base) + return 1; + bpf_arena_free_pages(&arena, (void __arena *)base, 1); + + err = alloc_pages(PAGE_CNT, 1, true, PAGE_CNT, 2); + if (err) + return err; + + /* Clear all even pages */ + for (i = 0; i < PAGE_CNT; i += 2) { + pg = page[i]; + if (*pg != i) + return 3; + bpf_arena_free_pages(&arena, (void __arena *)pg, 1); + page[i] = NULL; + cond_break; + } + + /* Allocate into freed gaps */ + err = alloc_pages(PAGE_CNT / 2, 1, false, PAGE_CNT, 4); + if (err) + return err; + + /* Free pairs of pages */ + for (i = 0; i < PAGE_CNT; i += 4) { + pg = page[i]; + if (*pg != i) + return 5; + bpf_arena_free_pages(&arena, (void __arena *)pg, 2); + page[i] = NULL; + page[i + 1] = NULL; + cond_break; + } + + /* Allocate 2 pages at a time into freed gaps */ + err = alloc_pages(PAGE_CNT / 4, 2, false, PAGE_CNT, 6); + if (err) + return err; + + /* Check pages without freeing */ + for (i = 0; i < PAGE_CNT; i += 2) { + pg = page[i]; + if (*pg != i) + return 7; + cond_break; + } + + pg = bpf_arena_alloc_pages(&arena, NULL, 1, NUMA_NO_NODE, 0); + + if (!pg) + return 8; + /* + * The first PAGE_CNT pages are occupied. The new page + * must be above. + */ + if ((pg - base) / PAGE_SIZE < PAGE_CNT) + return 9; + return 0; +} +#endif char _license[] SEC("license") = "GPL"; -- 2.46.0

3 weeks, 6 days

1
1
0 0

[PATCH] mm/ksm: Fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show()

by Nathan Chancellor

After a recent change in clang to expose uninitialized warnings from const variables [1], there is a warning from the if statement in advisor_mode_show(). mm/ksm.c:3687:11: error: variable 'output' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 3687 | else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ksm.c:3690:33: note: uninitialized use occurs here 3690 | return sysfs_emit(buf, "%s\n", output); | ^~~~~~ Rewrite the if statement to implicitly make KSM_ADVISOR_NONE the else branch so that it is obvious to the compiler that ksm_advisor can only be KSM_ADVISOR_NONE or KSM_ADVISOR_SCAN_TIME due to the assignments in advisor_mode_store(). Cc: stable(a)vger.kernel.org Fixes: 66790e9a735b ("mm/ksm: add sysfs knobs for advisor") Closes: https://github.com/ClangBuiltLinux/linux/issues/2100 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- mm/ksm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mm/ksm.c b/mm/ksm.c index 2b0210d41c55..160787bb121c 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -3682,10 +3682,10 @@ static ssize_t advisor_mode_show(struct kobject *kobj, { const char *output; - if (ksm_advisor == KSM_ADVISOR_NONE) - output = "[none] scan-time"; - else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) output = "none [scan-time]"; + else + output = "[none] scan-time"; return sysfs_emit(buf, "%s\n", output); } --- base-commit: fed48693bdfeca666f7536ba88a05e9a4e5523b6 change-id: 20250715-ksm-fix-clang-21-uninit-warning-bea5a6b886ce Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 6 days

3
2
0 0

+ mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Nathan Chancellor <nathan(a)kernel.org> Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() Date: Tue, 15 Jul 2025 12:56:16 -0700 After a recent change in clang to expose uninitialized warnings from const variables [1], there is a false positive warning from the if statement in advisor_mode_show(). mm/ksm.c:3687:11: error: variable 'output' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] 3687 | else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ksm.c:3690:33: note: uninitialized use occurs here 3690 | return sysfs_emit(buf, "%s\n", output); | ^~~~~~ Rewrite the if statement to implicitly make KSM_ADVISOR_NONE the else branch so that it is obvious to the compiler that ksm_advisor can only be KSM_ADVISOR_NONE or KSM_ADVISOR_SCAN_TIME due to the assignments in advisor_mode_store(). Link: https://lkml.kernel.org/r/20250715-ksm-fix-clang-21-uninit-warning-v1-1-f44… Fixes: 66790e9a735b ("mm/ksm: add sysfs knobs for advisor") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Closes: https://github.com/ClangBuiltLinux/linux/issues/2100 Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cd… [1] Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: David Hildenbrand <david(a)redhat.com> Cc: Stefan Roesch <shr(a)devkernel.io> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/ksm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/ksm.c~mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show +++ a/mm/ksm.c @@ -3669,10 +3669,10 @@ static ssize_t advisor_mode_show(struct { const char *output; - if (ksm_advisor == KSM_ADVISOR_NONE) - output = "[none] scan-time"; - else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) output = "none [scan-time]"; + else + output = "[none] scan-time"; return sysfs_emit(buf, "%s\n", output); } _ Patches currently in -mm which might be from nathan(a)kernel.org are mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch panic-add-panic_sys_info-sysctl-to-take-human-readable-string-parameter-fix.patch

3 weeks, 6 days

1
0
0 0

[PATCH V6] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> Since commit d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") reuses TPM2 support code for the CC platforms, when launching a TDX virtual machine with coco measurement enabled, the following error log is generated: [Firmware Bug]: Failed to parse event in TPM Final Events Log Call Trace: efi_config_parse_tables() efi_tpm_eventlog_init() tpm2_calc_event_log_size() __calc_tpm2_event_size() The pcr_idx value in the Intel TDX log header is 1, causing the function __calc_tpm2_event_size() to fail to recognize the log header, ultimately leading to the "Failed to parse event in TPM Final Events Log" error. Intel misread the spec and wrongly sets pcrIndex to 1 in the header and since they did this, we fear others might, so we're relaxing the header check. There's no danger of this causing problems because we check for the TCG_SPECID_SIG signature as the next thing. Fixes: d228814b1913 ("efi/libstub: Add get_event_log() support for CC platforms") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: stable(a)vger.kernel.org --- V6: - improve commit message suggested by James V5: - remove the pcr_index check without adding any replacement checks suggested by James and Sathyanarayanan V4: - remove cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT) suggested by Ard V3: - fix build error V2: - limit the fix for CC only suggested by Jarkko and Sathyanarayanan include/linux/tpm_eventlog.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 891368e..05c0ae5 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -202,8 +202,7 @@ static __always_inline u32 __calc_tpm2_event_size(struct tcg_pcr_event2_head *ev event_type = event->event_type; /* Verify that it's the log header */ - if (event_header->pcr_idx != 0 || - event_header->event_type != NO_ACTION || + if (event_header->event_type != NO_ACTION || memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { size = 0; goto out; -- 2.7.4

3 weeks, 6 days

4
3
0 0

[PATCH 6.12] KVM: SVM: Set synthesized TSA CPUID flags

by Borislav Petkov

From: "Borislav Petkov (AMD)" <bp(a)alien8.de> VERW_CLEAR is supposed to be set only by the hypervisor to denote TSA mitigation support to a guest. SQ_NO and L1_NO are both synthesizable, and are going to be set by hw CPUID on future machines. So keep the kvm_cpu_cap_init_kvm_defined() invocation *and* set them when synthesized. This fix is stable-only. Co-developed-by: Jinpu Wang <jinpu.wang(a)ionos.com> Signed-off-by: Jinpu Wang <jinpu.wang(a)ionos.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> --- arch/x86/kvm/cpuid.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 02196db26a08..8f587c5bb6bc 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -822,6 +822,7 @@ void kvm_set_cpu_caps(void) kvm_cpu_cap_check_and_set(X86_FEATURE_SBPB); kvm_cpu_cap_check_and_set(X86_FEATURE_IBPB_BRTYPE); kvm_cpu_cap_check_and_set(X86_FEATURE_SRSO_NO); + kvm_cpu_cap_check_and_set(X86_FEATURE_VERW_CLEAR); kvm_cpu_cap_init_kvm_defined(CPUID_8000_0022_EAX, F(PERFMON_V2) @@ -831,6 +832,9 @@ void kvm_set_cpu_caps(void) F(TSA_SQ_NO) | F(TSA_L1_NO) ); + kvm_cpu_cap_check_and_set(X86_FEATURE_TSA_SQ_NO); + kvm_cpu_cap_check_and_set(X86_FEATURE_TSA_L1_NO); + /* * Synthesize "LFENCE is serializing" into the AMD-defined entry in * KVM's supported CPUID if the feature is reported as supported by the -- 2.43.0

3 weeks, 6 days

1
0
0 0

[PATCH] net: dpaa2: Fix device reference count leak in MAC endpoint handling

by Ma Ke

The fsl_mc_get_endpoint() function uses device_find_child() for localization, which implicitly calls get_device() to increment the device's reference count before returning the pointer. However, the caller dpaa2_switch_port_connect_mac() and dpaa2_eth_connect_mac() fails to properly release this reference in multiple scenarios. We should call put_device() to decrement reference count properly. As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink") Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++--- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 ++++++++++++--- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c index b82f121cadad..f1543039a5b6 100644 --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c @@ -4666,12 +4666,19 @@ static int dpaa2_eth_connect_mac(struct dpaa2_eth_priv *priv) return PTR_ERR(dpmac_dev); } - if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) + if (IS_ERR(dpmac_dev)) return 0; + if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { + put_device(&dpmac_dev->dev); + return 0; + } + mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL); - if (!mac) + if (!mac) { + put_device(&dpmac_dev->dev); return -ENOMEM; + } mac->mc_dev = dpmac_dev; mac->mc_io = priv->mc_io; @@ -4679,7 +4686,7 @@ static int dpaa2_eth_connect_mac(struct dpaa2_eth_priv *priv) err = dpaa2_mac_open(mac); if (err) - goto err_free_mac; + goto err_put_device; if (dpaa2_mac_is_type_phy(mac)) { err = dpaa2_mac_connect(mac); @@ -4703,6 +4710,8 @@ static int dpaa2_eth_connect_mac(struct dpaa2_eth_priv *priv) err_close_mac: dpaa2_mac_close(mac); +err_put_device: + put_device(&dpmac_dev->dev); err_free_mac: kfree(mac); return err; diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c index 147a93bf9fa9..6bf1c164129a 100644 --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c @@ -1448,12 +1448,20 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv) if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER) return PTR_ERR(dpmac_dev); - if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) + if (IS_ERR(dpmac_dev)) return 0; + + if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { + put_device(&dpmac_dev->dev); + return 0; + } mac = kzalloc(sizeof(*mac), GFP_KERNEL); - if (!mac) + if (!mac) { + put_device(&dpmac_dev->dev); return -ENOMEM; + } mac->mc_dev = dpmac_dev; mac->mc_io = port_priv->ethsw_data->mc_io; @@ -1461,7 +1469,7 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv) err = dpaa2_mac_open(mac); if (err) - goto err_free_mac; + goto err_put_device; if (dpaa2_mac_is_type_phy(mac)) { err = dpaa2_mac_connect(mac); @@ -1481,6 +1489,8 @@ static int dpaa2_switch_port_connect_mac(struct ethsw_port_priv *port_priv) err_close_mac: dpaa2_mac_close(mac); +err_put_device: + put_device(&dpmac_dev->dev); err_free_mac: kfree(mac); return err; -- 2.25.1

4 weeks

2
1
0 0

[PATCH v3 7/7] Revert "drm/gem-dma: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_dma_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c index b7f033d4352a..4f0320df858f 100644 --- a/drivers/gpu/drm/drm_gem_dma_helper.c +++ b/drivers/gpu/drm/drm_gem_dma_helper.c @@ -230,7 +230,7 @@ void drm_gem_dma_free(struct drm_gem_dma_object *dma_obj) if (drm_gem_is_imported(gem_obj)) { if (dma_obj->vaddr) - dma_buf_vunmap_unlocked(gem_obj->dma_buf, &map); + dma_buf_vunmap_unlocked(gem_obj->import_attach->dmabuf, &map); drm_prime_gem_destroy(gem_obj, dma_obj->sgt); } else if (dma_obj->vaddr) { if (dma_obj->map_noncoherent) -- 2.50.0

4 weeks

1
0
0 0

[PATCH v3 6/7] Revert "drm/gem-shmem: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit 1a148af06000e545e714fe3210af3d77ff903c11. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_shmem_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 8ac0b1fa5287..5d1349c34afd 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -351,7 +351,7 @@ int drm_gem_shmem_vmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - ret = dma_buf_vmap(obj->dma_buf, map); + ret = dma_buf_vmap(obj->import_attach->dmabuf, map); } else { pgprot_t prot = PAGE_KERNEL; @@ -413,7 +413,7 @@ void drm_gem_shmem_vunmap_locked(struct drm_gem_shmem_object *shmem, dma_resv_assert_held(obj->resv); if (drm_gem_is_imported(obj)) { - dma_buf_vunmap(obj->dma_buf, map); + dma_buf_vunmap(obj->import_attach->dmabuf, map); } else { dma_resv_assert_held(shmem->base.resv); -- 2.50.0

4 weeks

1
0
0 0

[PATCH v3 5/7] Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index 618ce725cd75..fefb2a0f6b40 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -420,6 +420,7 @@ EXPORT_SYMBOL(drm_gem_fb_vunmap); static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_data_direction dir, unsigned int num_planes) { + struct dma_buf_attachment *import_attach; struct drm_gem_object *obj; int ret; @@ -428,9 +429,10 @@ static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_dat obj = drm_gem_fb_get_obj(fb, num_planes); if (!obj) continue; + import_attach = obj->import_attach; if (!drm_gem_is_imported(obj)) continue; - ret = dma_buf_end_cpu_access(obj->dma_buf, dir); + ret = dma_buf_end_cpu_access(import_attach->dmabuf, dir); if (ret) drm_err(fb->dev, "dma_buf_end_cpu_access(%u, %d) failed: %d\n", ret, num_planes, dir); @@ -453,6 +455,7 @@ static void __drm_gem_fb_end_cpu_access(struct drm_framebuffer *fb, enum dma_dat */ int drm_gem_fb_begin_cpu_access(struct drm_framebuffer *fb, enum dma_data_direction dir) { + struct dma_buf_attachment *import_attach; struct drm_gem_object *obj; unsigned int i; int ret; @@ -463,9 +466,10 @@ int drm_gem_fb_begin_cpu_access(struct drm_framebuffer *fb, enum dma_data_direct ret = -EINVAL; goto err___drm_gem_fb_end_cpu_access; } + import_attach = obj->import_attach; if (!drm_gem_is_imported(obj)) continue; - ret = dma_buf_begin_cpu_access(obj->dma_buf, dir); + ret = dma_buf_begin_cpu_access(import_attach->dmabuf, dir); if (ret) goto err___drm_gem_fb_end_cpu_access; } -- 2.50.0

4 weeks

1
0
0 0

[PATCH v3 4/7] Revert "drm/prime: Use dma_buf from GEM object instance"

by Thomas Zimmermann

This reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reviewed-by: Simona Vetter <simona.vetter(a)ffwll.ch> Acked-by: Christian König <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> # v6.15+ --- drivers/gpu/drm/drm_prime.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index b703f83874e1..a23fc712a8b7 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -453,7 +453,13 @@ struct dma_buf *drm_gem_prime_handle_to_dmabuf(struct drm_device *dev, } mutex_lock(&dev->object_name_lock); - /* re-export the original imported/exported object */ + /* re-export the original imported object */ + if (obj->import_attach) { + dmabuf = obj->import_attach->dmabuf; + get_dma_buf(dmabuf); + goto out_have_obj; + } + if (obj->dma_buf) { get_dma_buf(obj->dma_buf); dmabuf = obj->dma_buf; -- 2.50.0

4 weeks

1
0
0 0

[PATCH v2 1/1] x86/fred: Remove ENDBR64 from FRED entry points

by Xin Li (Intel)

The FRED specification v9.0 states that there is no need for FRED event handlers to begin with ENDBR64, because in the presence of supervisor indirect branch tracking, FRED event delivery does not enter the WAIT_FOR_ENDBRANCH state. As a result, remove ENDBR64 from FRED entry points. Then add ANNOTATE_NOENDBR to indicate that FRED entry points will never be used for indirect calls to suppress an objtool warning. This change implies that any indirect CALL/JMP to FRED entry points causes #CP in the presence of supervisor indirect branch tracking. Credit goes to Jennifer Miller <jmill(a)asu.edu> and other contributors from Arizona State University whose work led to this change. Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code") Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: Jennifer Miller <jmill(a)asu.edu> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Andrew Cooper <andrew.cooper3(a)citrix.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: stable(a)vger.kernel.org # v6.9+ --- Change in v2: *) CC stable and add a fixes tag (PeterZ). --- arch/x86/entry/entry_64_fred.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S index 29c5c32c16c3..907bd233c6c1 100644 --- a/arch/x86/entry/entry_64_fred.S +++ b/arch/x86/entry/entry_64_fred.S @@ -16,7 +16,7 @@ .macro FRED_ENTER UNWIND_HINT_END_OF_STACK - ENDBR + ANNOTATE_NOENDBR PUSH_AND_CLEAR_REGS movq %rsp, %rdi /* %rdi -> pt_regs */ .endm -- 2.50.1

4 weeks

1
0
0 0

[PATCH net] hv_netvsc: Switch VF namespace in netvsc_open instead

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the VF namespace switching code from the NETDEV_REGISTER event handler to netvsc_open(). Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Reported-by: Cathy Avery <cavery(a)redhat.com> Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- drivers/net/hyperv/netvsc_drv.c | 43 ++++++++++----------------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 42d98e99566e..074ecc346108 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -135,6 +135,19 @@ static int netvsc_open(struct net_device *net) } if (vf_netdev) { + if (!net_eq(dev_net(net), dev_net(vf_netdev))) { + ret = dev_change_net_namespace(vf_netdev, dev_net(net), + "eth%d"); + if (ret) + netdev_err(vf_netdev, + "Cannot move to same ns as %s: %d\n", + net->name, ret); + else + netdev_info(vf_netdev, + "Moved VF to namespace with: %s\n", + net->name); + } + /* Setting synthetic device up transparently sets * slave as up. If open fails, then slave will be * still be offline (and not used). @@ -2772,31 +2785,6 @@ static struct hv_driver netvsc_drv = { }, }; -/* Set VF's namespace same as the synthetic NIC */ -static void netvsc_event_set_vf_ns(struct net_device *ndev) -{ - struct net_device_context *ndev_ctx = netdev_priv(ndev); - struct net_device *vf_netdev; - int ret; - - vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); - if (!vf_netdev) - return; - - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { - ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), - "eth%d"); - if (ret) - netdev_err(vf_netdev, - "Cannot move to same namespace as %s: %d\n", - ndev->name, ret); - else - netdev_info(vf_netdev, - "Moved VF to namespace with: %s\n", - ndev->name); - } -} - /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2809,11 +2797,6 @@ static int netvsc_netdev_event(struct notifier_block *this, struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); int ret = 0; - if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); - return NOTIFY_DONE; - } - ret = check_dev_is_matching_vf(event_dev); if (ret != 0) return NOTIFY_DONE; -- 2.34.1

4 weeks

3
2
0 0

[PATCH] net: 9p: fix double req put in p9_fd_cancelled

by Nalivayko Sergey

Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734 Call Trace: <TASK> p9_client_flush+0x351/0x440 net/9p/client.c:614 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 p9_client_version net/9p/client.c:920 [inline] p9_client_create+0xb51/0x1240 net/9p/client.c:1027 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 legacy_get_tree+0x108/0x220 fs/fs_context.c:632 vfs_get_tree+0x8e/0x300 fs/super.c:1573 do_new_mount fs/namespace.c:3056 [inline] path_mount+0x6a6/0x1e90 fs/namespace.c:3386 do_mount fs/namespace.c:3399 [inline] __do_sys_mount fs/namespace.c:3607 [inline] __se_sys_mount fs/namespace.c:3584 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 This happens because of a race condition between: - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests. Thread 1 Thread 2 ... p9_client_create() ... p9_fd_create() ... p9_conn_create() ... // start Thread 2 INIT_WORK(&m->rq, p9_read_work); p9_read_work() ... p9_client_rpc() ... ... p9_conn_cancel() ... spin_lock(&m->req_lock); ... p9_fd_cancelled() ... ... spin_unlock(&m->req_lock); // status rewrite p9_client_cb(m->client, req, REQ_STATUS_ERROR) // first remove list_del(&req->req_list); ... spin_lock(&m->req_lock) ... // second remove list_del(&req->req_list); spin_unlock(&m->req_lock) ... Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD. Add an explicit check for REQ_STATUS_ERROR in p9_fd_cancelled before processing the request. Skip processing if the request is already in the error state, as it has been removed and its resources cleaned up. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- net/9p/trans_fd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a69422366a23..a6054a392a90 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -721,9 +721,9 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req) spin_lock(&m->req_lock); /* Ignore cancelled request if message has been received - * before lock. - */ - if (req->status == REQ_STATUS_RCVD) { + * or cancelled with error before lock. + */ + if (req->status == REQ_STATUS_RCVD || req->status == REQ_STATUS_ERROR) { spin_unlock(&m->req_lock); return 0; } -- 2.30.2

4 weeks

1
0
0 0

[PATCH net,v2] hv_netvsc: Switch VF namespace in netvsc_open instead

by Haiyang Zhang

From: Haiyang Zhang <haiyangz(a)microsoft.com> The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the VF namespace switching code from the NETDEV_REGISTER event handler to netvsc_open(). Cc: stable(a)vger.kernel.org Cc: cavery(a)redhat.com Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- v2: verified it's applicable to net, fixed cc list. --- drivers/net/hyperv/netvsc_drv.c | 43 ++++++++++----------------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 42d98e99566e..074ecc346108 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -135,6 +135,19 @@ static int netvsc_open(struct net_device *net) } if (vf_netdev) { + if (!net_eq(dev_net(net), dev_net(vf_netdev))) { + ret = dev_change_net_namespace(vf_netdev, dev_net(net), + "eth%d"); + if (ret) + netdev_err(vf_netdev, + "Cannot move to same ns as %s: %d\n", + net->name, ret); + else + netdev_info(vf_netdev, + "Moved VF to namespace with: %s\n", + net->name); + } + /* Setting synthetic device up transparently sets * slave as up. If open fails, then slave will be * still be offline (and not used). @@ -2772,31 +2785,6 @@ static struct hv_driver netvsc_drv = { }, }; -/* Set VF's namespace same as the synthetic NIC */ -static void netvsc_event_set_vf_ns(struct net_device *ndev) -{ - struct net_device_context *ndev_ctx = netdev_priv(ndev); - struct net_device *vf_netdev; - int ret; - - vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); - if (!vf_netdev) - return; - - if (!net_eq(dev_net(ndev), dev_net(vf_netdev))) { - ret = dev_change_net_namespace(vf_netdev, dev_net(ndev), - "eth%d"); - if (ret) - netdev_err(vf_netdev, - "Cannot move to same namespace as %s: %d\n", - ndev->name, ret); - else - netdev_info(vf_netdev, - "Moved VF to namespace with: %s\n", - ndev->name); - } -} - /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2809,11 +2797,6 @@ static int netvsc_netdev_event(struct notifier_block *this, struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); int ret = 0; - if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); - return NOTIFY_DONE; - } - ret = check_dev_is_matching_vf(event_dev); if (ret != 0) return NOTIFY_DONE; -- 2.34.1

4 weeks

3
2
0 0

[PATCH 5.10 000/208] 5.10.240-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.240 release. There are 208 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 17 Jul 2025 15:03:34 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.240-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.240-rc2 Borislav Petkov <bp(a)kernel.org> x86/process: Move the buffer clearing before MONITOR Borislav Petkov <bp(a)kernel.org> KVM: SVM: Advertise TSA CPUID bits to guests Borislav Petkov <bp(a)kernel.org> KVM: x86: add support for CPUID leaf 0x80000021 Borislav Petkov <bp(a)kernel.org> x86/bugs: Add a Transient Scheduler Attacks mitigation Borislav Petkov <bp(a)kernel.org> x86/bugs: Rename MDS machinery to something more generic Jann Horn <jannh(a)google.com> x86/mm: Disable hugetlb page table sharing on 32-bit Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: protect vq->log_used with vq->mutex Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Zhang Heng <zhangheng(a)kylinos.cn> HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Nicolas Pitre <npitre(a)baylibre.com> vt: add missing notification when switching back to text mode Xiaowei Li <xiaowei.li(a)simcom.com> net: usb: qmi_wwan: add SIMCom 8230C composition Tiwei Bie <tiwei.btw(a)antgroup.com> um: vector: Reduce stack usage in vector_eth_configure() Thomas Fourier <fourier.thomas(a)gmail.com> atm: idt77252: Add missing `dma_map_error()` Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix DCB ETS validation Alok Tiwari <alok.a.tiwari(a)oracle.com> net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Sean Nyekjaer <sean(a)geanix.com> can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Oleksij Rempel <linux(a)rempel-privat.de> net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Kito Xu <veritas501(a)foxmail.com> net: appletalk: Fix device refcount leak in atrtr_create() Wang Jinchao <wangjinchao600(a)gmail.com> md/raid1: Fix stack memory use after return in raid1_reshape Daniil Dulov <d.dulov(a)aladdin.ru> wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Christian König <christian.koenig(a)amd.com> dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - support Acer NGR 200 Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - add VID for Turtle Beach controllers Matt Reynolds <mattreynolds(a)chromium.org> Input: xpad - add support for Amazon Game Controller Jakub Kicinski <kuba(a)kernel.org> netlink: make sure we allow at least one dump skb Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix rmem check in netlink_broadcast_deliver(). Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Ensure to disable clocks in error path Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: lib_test: add MODULE_LICENSE Thomas Fourier <fourier.thomas(a)gmail.com> ethernet: atl1: Add missing DMA mapping error checks and count errors Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "ACPI: battery: negate current when discharging" Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: u_serial: Fix race condition in TTY wakeup Matthew Brost <matthew.brost(a)intel.com> drm/sched: Increment job count before swapping tail spsc queue Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: qcom: msm: mark certain pins as invalid for interrupts JP Kobryn <inwardvessel(a)gmail.com> x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce: Don't remove sysfs if thresholding sysfs init fails Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Fix threshold limit reset Peter Zijlstra <peterz(a)infradead.org> x86/its: FineIBT-paranoid vs ITS Eric Biggers <ebiggers(a)google.com> x86/its: Fix build errors when CONFIG_MODULES=n Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Thomas Gleixner <tglx(a)linutronix.de> x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Fix undefined reference to cpu_wants_rethunk_at() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Josh Poimboeuf <jpoimboe(a)kernel.org> x86/alternatives: Remove faulty optimization Borislav Petkov (AMD) <bp(a)alien8.de> x86/alternative: Optimize returns patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions Peter Zijlstra <peterz(a)infradead.org> x86/alternatives: Introduce int3_emulate_jcc() Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bhi: Define SPEC_CTRL_BHI_DIS_S Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation David Howells <dhowells(a)redhat.com> rxrpc: Fix oops due to non-existence of prealloc backlog struct Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use __for_each_thread() Victor Nogueira <victor(a)mojatatu.com> net/sched: Abort __tc_modify_qdisc if parent class does not exist Yue Haibing <yuehaibing(a)huawei.com> atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix infinite recursive call of clip_push(). Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix memory leak of struct clip_vcc. Kuniyuki Iwashima <kuniyu(a)google.com> atm: clip: Fix potential null-ptr-deref in to_atmarpd(). Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Oleksij Rempel <linux(a)rempel-privat.de> net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Michal Luczaj <mhal(a)rbox.co> vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_* TOCTOU Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Assign the vsock transport considering the vsock address flags Andra Paraschiv <andraprs(a)amazon.com> af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag Andra Paraschiv <andraprs(a)amazon.com> vm_sockets: Add flags field in the vsock address data structure Michal Luczaj <mhal(a)rbox.co> vsock: Fix transport_{g2h,h2g} TOCTOU Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_conn_close(). Kuniyuki Iwashima <kuniyu(a)google.com> netlink: Fix wraparounds of sk->sk_rmem_alloc. Al Viro <viro(a)zeniv.linux.org.uk> fix proc_sys_compare() handling of in-lookup dentries Peter Zijlstra <peterz(a)infradead.org> perf: Revert to requiring CAP_SYS_ADMIN for uprobes Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Send control events for partial succeeds Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Return the number of processed controls Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: displayport: Fix potential deadlock Oliver Neukum <oneukum(a)suse.com> Logitech C-270 even more broken Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Flush queued requests before stopping dbc Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbctty: disable ECHO flag by default Fushuai Wang <wangfushuai(a)baidu.com> dpaa2-eth: fix xdp_rxq_info leak Ioana Ciornei <ioana.ciornei(a)nxp.com> net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update SINGLE_STEP register access Radu Bulie <radu-andrei.bulie(a)nxp.com> dpaa2-eth: Update dpni_get_single_step_cfg command Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf Filipe Manana <fdmanana(a)suse.com> btrfs: use btrfs_record_snapshot_destroy() during rmdir Filipe Manana <fdmanana(a)suse.com> btrfs: propagate last_unlink_trans earlier when doing a rmdir Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/flexfiles: Fix handling of NFS level errors in I/O Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback for MPV device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Disable interrupts before resetting the GPU Sergey Senozhatsky <senozhatsky(a)chromium.org> mtk-sd: reset host->mrq on prepare_data() error Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Prevent memory corruption from DMA map failure Yue Hu <huyue2(a)yulong.com> mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data() Manivannan Sadhasivam <mani(a)kernel.org> regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu: Return early if callback is not specified Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPICA: Refuse to evaluate a method if arguments are missing Johannes Berg <johannes.berg(a)intel.com> wifi: ath6kl: remove WARN on bad firmware input Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: drop invalid source address OCB frames Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc: Fix struct termio related ioctl macros Johannes Berg <johannes.berg(a)intel.com> ata: pata_cs5536: fix build on 32-bit UML Takashi Iwai <tiwai(a)suse.de> ALSA: sb: Force to disable DMAs once when DMA mode is changed Lion Ackermann <nnamrec(a)gmail.com> net/sched: Always pass notifications when child class becomes empty Thomas Fourier <fourier.thomas(a)gmail.com> nui: Fix dma_mapping_error() check Kohei Enju <enjuk(a)amazon.com> rose: fix dangling neighbour pointers in rose_rt_device_down() Gustavo A. R. Silva <gustavoars(a)kernel.org> net: rose: Fix fall-through warnings for Clang Alok Tiwari <alok.a.tiwari(a)oracle.com> enic: fix incorrect MTU comparison in enic_change_mtu() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: align CL37 AN sequence as per databook Dan Carpenter <dan.carpenter(a)linaro.org> lib: test_objagg: Set error message in check_expect_hints_stats() Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/gt: Fix timeline left held on VMA alloc error Dan Carpenter <dan.carpenter(a)linaro.org> drm/i915/selftests: Change mock_request() to return error pointers James Clark <james.clark(a)linaro.org> spi: spi-fsl-dspi: Clear completion counter before initiating transfer Marek Szyprowski <m.szyprowski(a)samsung.com> drm/exynos: fimd: Guard display clock control with runtime PM calls Filipe Manana <fdmanana(a)suse.com> btrfs: fix missing error handling when searching for inode refs during log replay Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix CC counters query for MPV Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix spelling of a sysfs attribute name Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() Benjamin Coddington <bcodding(a)redhat.com> NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN Kuniyuki Iwashima <kuniyu(a)google.com> nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. Mark Zhang <markzhang(a)nvidia.com> RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert David Thompson <davthompson(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment Masami Hiramatsu (Google) <mhiramat(a)kernel.org> mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: do not index invalid pin_assignments Ulf Hansson <ulf.hansson(a)linaro.org> Revert "mmc: sdhci: Disable SD card clock before changing parameters" Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci: Add a helper function for dump register in dynamic debug mode HarshaVardhana S A <harshavardhana.sa(a)broadcom.com> vsock/vmci: Clear the vmci transport packet properly when initializing it Mateusz Jończyk <mat.jonczyk(a)o2.pl> rtc: cmos: use spin_lock_irqsave in cmos_interrupt Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: reject invalid perturb period Niklas Cassel <cassel(a)kernel.org> PCI: cadence-ep: Correct PBA offset in .set_msix() callback Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Vitaly Kuznetsov <vkuznets(a)redhat.com> Drivers: hv: Rename 'alloced' to 'allocated' Haiyang Zhang <haiyangz(a)microsoft.com> Drivers: hv: vmbus: Fix duplicate CPU assignments within a device Alexandru Ardelean <alexandru.ardelean(a)analog.com> uio: uio_hv_generic: use devm_kzalloc() for private data alloc Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction Weihang Li <liweihang(a)huawei.com> RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix power regulator retrieval during probe Marek Szyprowski <m.szyprowski(a)samsung.com> media: omap3isp: use sgtable-based scatterlist wrappers Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: add terminating newlines to logging Junlin Yang <yangjunlin(a)yulong.com> usb: typec: tcpci_maxim: remove redundant assignment Badhri Jagan Sridharan <badhri(a)google.com> usb: typec: tcpci_maxim: Fix uninitialized return variable Wupeng Ma <mawupeng1(a)huawei.com> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify George Kennedy <george.kennedy(a)oracle.com> VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix read_stb function and get_stb ioctl Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Add USBTMC_IOCTL_GET_STB Dave Penkler <dpenkler(a)gmail.com> USB: usbtmc: Fix reading stale status byte Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 2 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 28 ++ Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/drivers/vector_kern.c | 42 +-- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 22 +- arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeature.h | 5 +- arch/x86/include/asm/cpufeatures.h | 14 +- arch/x86/include/asm/disabled-features.h | 2 +- arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 50 ++-- arch/x86/include/asm/required-features.h | 2 +- arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 272 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 77 +++++- arch/x86/kernel/cpu/mce/amd.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kernel/cpu/mce/intel.c | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/process.c | 15 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/cpuid.c | 31 ++- arch/x86/kvm/cpuid.h | 1 + arch/x86/kvm/svm/vmenter.S | 3 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpi_pad.c | 7 +- drivers/acpi/acpica/dsmethod.c | 7 + drivers/acpi/battery.c | 19 +- drivers/ata/pata_cs5536.c | 2 +- drivers/atm/idt77252.c | 5 + drivers/base/cpu.c | 15 + drivers/dma-buf/dma-resv.c | 2 +- drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 4 + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 7 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 38 ++- drivers/hid/hid-ids.h | 5 + drivers/hid/hid-quirks.c | 3 + drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 121 +++++--- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 +++- drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/core/iwcm.c | 38 +-- drivers/infiniband/core/iwcm.h | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 33 +++ drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/atkbd.c | 3 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/md/raid1.c | 1 + drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 61 ++-- drivers/mfd/max14577.c | 1 + drivers/misc/vmw_vmci/vmci_host.c | 9 +- drivers/mmc/host/mtk-sd.c | 39 ++- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 ++ drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/m_can/tcan4x5x.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 ++++-- drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 141 ++++++++-- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 20 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/sun/niu.c | 31 ++- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +- drivers/net/phy/microchip.c | 2 +- drivers/net/phy/smsc.c | 28 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 5 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- drivers/pwm/pwm-mediatek.c | 15 +- drivers/regulator/gpio-regulator.c | 4 +- drivers/rtc/lib_test.c | 2 + drivers/rtc/rtc-cmos.c | 10 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 46 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/vt/vt.c | 1 + drivers/uio/uio_hv_generic.c | 18 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/class/usbtmc.c | 53 ++-- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/gadget/function/u_serial.c | 6 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/usb/typec/tcpm/tcpci_maxim.c | 20 +- drivers/vhost/scsi.c | 7 +- fs/btrfs/inode.c | 36 +-- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 17 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- fs/proc/array.c | 6 +- fs/proc/inode.c | 2 +- fs/proc/proc_sysctl.c | 18 +- include/drm/spsc_queue.h | 4 +- include/linux/cpu.h | 3 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/module.h | 5 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/usb/tmc.h | 2 + include/uapi/linux/vm_sockets.h | 30 +- kernel/events/core.c | 2 +- kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/appletalk/ddp.c | 1 + net/atm/clip.c | 75 +++-- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/netlink/af_netlink.c | 90 +++--- net/rose/rose_route.c | 15 +- net/rxrpc/call_accept.c | 3 + net/sched/sch_api.c | 42 +-- net/sched/sch_sfq.c | 10 +- net/tipc/topsrv.c | 2 + net/vmw_vsock/af_vsock.c | 78 +++++- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 4 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/fsl/fsl_asrc.c | 3 +- sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 203 files changed, 2702 insertions(+), 809 deletions(-)

4 weeks

1
0
0 0

[PATCH] Revert "soundwire: qcom: Add set_channel_map api support"

by Amit Pundir

This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. This patch broke Dragonboard 845c (sdm845). I see: Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f20003e8 [#1] SMP pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] lr : snd_soc_dai_set_channel_map+0x34/0x78 Call trace: qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] snd_soc_link_init+0x28/0x6c snd_soc_bind_card+0x5f4/0xb0c snd_soc_register_card+0x148/0x1a4 devm_snd_soc_register_card+0x50/0xb0 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] platform_probe+0x6c/0xd0 really_probe+0xc0/0x2a4 __driver_probe_device+0x7c/0x130 driver_probe_device+0x40/0x118 __device_attach_driver+0xc4/0x108 bus_for_each_drv+0x8c/0xf0 __device_attach+0xa4/0x198 device_initial_probe+0x18/0x28 bus_probe_device+0xb8/0xbc deferred_probe_work_func+0xac/0xfc process_one_work+0x244/0x658 worker_thread+0x1b4/0x360 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Kernel panic - not syncing: BRK handler: Fatal exception Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mo… Bug #1: The zeroeth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128. Bug #2: There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out. Bug 3: Like Jie Gan pointed out, it erases all the tx information with the rx information. Cc: <stable(a)vger.kernel.org> # v6.15+ Signed-off-by: Amit Pundir <amit.pundir(a)linaro.org> --- drivers/soundwire/qcom.c | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c index 295a46dc2be7..0f45e3404756 100644 --- a/drivers/soundwire/qcom.c +++ b/drivers/soundwire/qcom.c @@ -156,7 +156,6 @@ struct qcom_swrm_port_config { u8 word_length; u8 blk_group_count; u8 lane_control; - u8 ch_mask; }; /* @@ -1049,13 +1048,9 @@ static int qcom_swrm_port_enable(struct sdw_bus *bus, { u32 reg = SWRM_DP_PORT_CTRL_BANK(enable_ch->port_num, bank); struct qcom_swrm_ctrl *ctrl = to_qcom_sdw(bus); - struct qcom_swrm_port_config *pcfg; u32 val; - pcfg = &ctrl->pconfig[enable_ch->port_num]; ctrl->reg_read(ctrl, reg, &val); - if (pcfg->ch_mask != SWR_INVALID_PARAM && pcfg->ch_mask != 0) - enable_ch->ch_mask = pcfg->ch_mask; if (enable_ch->enable) val |= (enable_ch->ch_mask << SWRM_DP_PORT_CTRL_EN_CHAN_SHFT); @@ -1275,26 +1270,6 @@ static void *qcom_swrm_get_sdw_stream(struct snd_soc_dai *dai, int direction) return ctrl->sruntime[dai->id]; } -static int qcom_swrm_set_channel_map(struct snd_soc_dai *dai, - unsigned int tx_num, const unsigned int *tx_slot, - unsigned int rx_num, const unsigned int *rx_slot) -{ - struct qcom_swrm_ctrl *ctrl = dev_get_drvdata(dai->dev); - int i; - - if (tx_slot) { - for (i = 0; i < tx_num; i++) - ctrl->pconfig[i].ch_mask = tx_slot[i]; - } - - if (rx_slot) { - for (i = 0; i < rx_num; i++) - ctrl->pconfig[i].ch_mask = rx_slot[i]; - } - - return 0; -} - static int qcom_swrm_startup(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) { @@ -1331,7 +1306,6 @@ static const struct snd_soc_dai_ops qcom_swrm_pdm_dai_ops = { .shutdown = qcom_swrm_shutdown, .set_stream = qcom_swrm_set_sdw_stream, .get_stream = qcom_swrm_get_sdw_stream, - .set_channel_map = qcom_swrm_set_channel_map, }; static const struct snd_soc_component_driver qcom_swrm_dai_component = { -- 2.43.0

4 weeks

3
2
0 0

[PATCH 6.12.y] arm64: Filter out SME hwcaps when FEAT_SME isn't implemented

by Mark Brown

[ Upstream commit a75ad2fc76a2ab70817c7eed3163b66ea84ca6ac ] We have a number of hwcaps for various SME subfeatures enumerated via ID_AA64SMFR0_EL1. Currently we advertise these without cross checking against the main SME feature, advertised in ID_AA64PFR1_EL1.SME which means that if the two are out of sync userspace can see a confusing situation where SME subfeatures are advertised without the base SME hwcap. This can be readily triggered by using the arm64.nosme override which only masks out ID_AA64PFR1_EL1.SME, and there have also been reports of VMMs which do the same thing. Fix this as we did previously for SVE in 064737920bdb ("arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented") by filtering out the SME subfeature hwcaps when FEAT_SME is not present. Fixes: 5e64b862c482 ("arm64/sme: Basic enumeration support") Reported-by: Yury Khrustalev <yury.khrustalev(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250620-arm64-sme-filter-hwcaps-v1-1-02b9d3c2d8e… Signed-off-by: Will Deacon <will(a)kernel.org> --- arch/arm64/kernel/cpufeature.c | 45 ++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 05ccf4ec278f..9ca5ffd8d817 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2959,6 +2959,13 @@ static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) } #endif +#ifdef CONFIG_ARM64_SME +static bool has_sme_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sme() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3037,25 +3044,25 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR2_EL1, BC, IMP, CAP_HWCAP, KERNEL_HWCAP_HBC), #ifdef CONFIG_ARM64_SME HWCAP_CAP(ID_AA64PFR1_EL1, SME, IMP, CAP_HWCAP, KERNEL_HWCAP_SME), - HWCAP_CAP(ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), - HWCAP_CAP(ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), - HWCAP_CAP(ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), - HWCAP_CAP(ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), - HWCAP_CAP(ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), - HWCAP_CAP(ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), - HWCAP_CAP(ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), - HWCAP_CAP(ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, FA64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_FA64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, LUTv2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_LUTV2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2p1, CAP_HWCAP, KERNEL_HWCAP_SME2P1), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SMEver, SME2, CAP_HWCAP, KERNEL_HWCAP_SME2), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F64F64, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F64F64), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I16I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I16I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16B16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F16, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F16), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F8F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F8F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, I8I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_I8I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, B16F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_B16F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, BI32I32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_BI32I32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, F32F32, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_F32F32), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8FMA), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP4, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP4), + HWCAP_CAP_MATCH_ID(has_sme_feature, ID_AA64SMFR0_EL1, SF8DP2, IMP, CAP_HWCAP, KERNEL_HWCAP_SME_SF8DP2), #endif /* CONFIG_ARM64_SME */ HWCAP_CAP(ID_AA64FPFR0_EL1, F8CVT, IMP, CAP_HWCAP, KERNEL_HWCAP_F8CVT), HWCAP_CAP(ID_AA64FPFR0_EL1, F8FMA, IMP, CAP_HWCAP, KERNEL_HWCAP_F8FMA), --- base-commit: fbad404f04d758c52bae79ca20d0e7fe5fef91d3 change-id: 20250714-stable-6-12-sme-feat-filt-8e58f0a8c08d Best regards, -- Mark Brown <broonie(a)kernel.org>

4 weeks

2
2
0 0

FAILED: patch "[PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x fea18c686320a53fce7ad62a87a3e1d10ad02f31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071315-rural-exploring-3260@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fea18c686320a53fce7ad62a87a3e1d10ad02f31 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Mon, 23 Jun 2025 09:57:21 +0200 Subject: [PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in case an error is encountered. Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/ Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ab986dd09b6a..6dbcdceecae1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -514,6 +514,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, int *nr, pgtbl_mod_mask *mask) { + int err = 0; pte_t *pte; /* @@ -530,12 +531,18 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, do { struct page *page = pages[*nr]; - if (WARN_ON(!pte_none(ptep_get(pte)))) - return -EBUSY; - if (WARN_ON(!page)) - return -ENOMEM; - if (WARN_ON(!pfn_valid(page_to_pfn(page)))) - return -EINVAL; + if (WARN_ON(!pte_none(ptep_get(pte)))) { + err = -EBUSY; + break; + } + if (WARN_ON(!page)) { + err = -ENOMEM; + break; + } + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { + err = -EINVAL; + break; + } set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; @@ -543,7 +550,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, arch_leave_lazy_mmu_mode(); *mask |= PGTBL_PTE_MODIFIED; - return 0; + + return err; } static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,

4 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x fea18c686320a53fce7ad62a87a3e1d10ad02f31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071316-jawed-backward-2063@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fea18c686320a53fce7ad62a87a3e1d10ad02f31 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Mon, 23 Jun 2025 09:57:21 +0200 Subject: [PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in case an error is encountered. Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/ Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ab986dd09b6a..6dbcdceecae1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -514,6 +514,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, int *nr, pgtbl_mod_mask *mask) { + int err = 0; pte_t *pte; /* @@ -530,12 +531,18 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, do { struct page *page = pages[*nr]; - if (WARN_ON(!pte_none(ptep_get(pte)))) - return -EBUSY; - if (WARN_ON(!page)) - return -ENOMEM; - if (WARN_ON(!pfn_valid(page_to_pfn(page)))) - return -EINVAL; + if (WARN_ON(!pte_none(ptep_get(pte)))) { + err = -EBUSY; + break; + } + if (WARN_ON(!page)) { + err = -ENOMEM; + break; + } + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { + err = -EINVAL; + break; + } set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; @@ -543,7 +550,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, arch_leave_lazy_mmu_mode(); *mask |= PGTBL_PTE_MODIFIED; - return 0; + + return err; } static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,

4 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x fea18c686320a53fce7ad62a87a3e1d10ad02f31 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025071323-settling-calculus-60b3@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fea18c686320a53fce7ad62a87a3e1d10ad02f31 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Mon, 23 Jun 2025 09:57:21 +0200 Subject: [PATCH] mm/vmalloc: leave lazy MMU mode on PTE mapping error vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in case an error is encountered. Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/ Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/vmalloc.c b/mm/vmalloc.c index ab986dd09b6a..6dbcdceecae1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -514,6 +514,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, int *nr, pgtbl_mod_mask *mask) { + int err = 0; pte_t *pte; /* @@ -530,12 +531,18 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, do { struct page *page = pages[*nr]; - if (WARN_ON(!pte_none(ptep_get(pte)))) - return -EBUSY; - if (WARN_ON(!page)) - return -ENOMEM; - if (WARN_ON(!pfn_valid(page_to_pfn(page)))) - return -EINVAL; + if (WARN_ON(!pte_none(ptep_get(pte)))) { + err = -EBUSY; + break; + } + if (WARN_ON(!page)) { + err = -ENOMEM; + break; + } + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { + err = -EINVAL; + break; + } set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; @@ -543,7 +550,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, arch_leave_lazy_mmu_mode(); *mask |= PGTBL_PTE_MODIFIED; - return 0; + + return err; } static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,

4 weeks

2
1
0 0

Re: Patch "Bluetooth: HCI: Set extended advertising data synchronously" has been added to the 5.10-stable tree

by Christian Eggers

Hi Sasha, the changes in hci_request.c look quite different from what I submitted for mainline (and also from the version for 6.6 LTS). Are you sure that everything went correctly? regards, Christian On Monday, 14 July 2025, 19:37:07 CEST, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > Bluetooth: HCI: Set extended advertising data synchronously > > to the 5.10-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bluetooth-hci-set-extended-advertising-data-synchron.patch > and it can be found in the queue-5.10 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 8766e406adb9b3c4bd8c0506a71bbbf99a43906d > Author: Christian Eggers <ceggers(a)arri.de> > Date: Sat Jul 12 02:08:03 2025 -0400 > > Bluetooth: HCI: Set extended advertising data synchronously > > [ Upstream commit 89fb8acc38852116d38d721ad394aad7f2871670 ] > > Currently, for controllers with extended advertising, the advertising > data is set in the asynchronous response handler for extended > adverstising params. As most advertising settings are performed in a > synchronous context, the (asynchronous) setting of the advertising data > is done too late (after enabling the advertising). > > Move setting of adverstising data from asynchronous response handler > into synchronous context to fix ordering of HCI commands. > > Signed-off-by: Christian Eggers <ceggers(a)arri.de> > Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") > Cc: stable(a)vger.kernel.org > v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri… > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index 7f26c1aab9a06..2cc4aaba09abe 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -1726,36 +1726,6 @@ static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) > hci_dev_unlock(hdev); > } > > -static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) > -{ > - struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; > - struct hci_cp_le_set_ext_adv_params *cp; > - struct adv_info *adv_instance; > - > - BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); > - > - if (rp->status) > - return; > - > - cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); > - if (!cp) > - return; > - > - hci_dev_lock(hdev); > - hdev->adv_addr_type = cp->own_addr_type; > - if (!hdev->cur_adv_instance) { > - /* Store in hdev for instance 0 */ > - hdev->adv_tx_power = rp->tx_power; > - } else { > - adv_instance = hci_find_adv_instance(hdev, > - hdev->cur_adv_instance); > - if (adv_instance) > - adv_instance->tx_power = rp->tx_power; > - } > - /* Update adv data as tx power is known now */ > - hci_req_update_adv_data(hdev, hdev->cur_adv_instance); > - hci_dev_unlock(hdev); > -} > > static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) > { > @@ -3601,9 +3571,6 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, > hci_cc_le_read_num_adv_sets(hdev, skb); > break; > > - case HCI_OP_LE_SET_EXT_ADV_PARAMS: > - hci_cc_set_ext_adv_param(hdev, skb); > - break; > > case HCI_OP_LE_SET_EXT_ADV_ENABLE: > hci_cc_le_set_ext_adv_enable(hdev, skb); > diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c > index 7ce6db1ac558a..743ba58941f8b 100644 > --- a/net/bluetooth/hci_request.c > +++ b/net/bluetooth/hci_request.c > @@ -2179,6 +2179,9 @@ int __hci_req_setup_ext_adv_instance(struct hci_request *req, u8 instance) > > hci_req_add(req, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(cp), &cp); > > + /* Update adv data after setting ext adv params */ > + __hci_req_update_adv_data(req, instance); > + > if (own_addr_type == ADDR_LE_DEV_RANDOM && > bacmp(&random_addr, BDADDR_ANY)) { > struct hci_cp_le_set_adv_set_rand_addr cp; >

4 weeks

2
1
0 0

temporary hung tasks on XFS since updating to 6.6.92

by Christian Theune

Hi, in the last week, after updating to 6.6.92, we’ve encountered a number of VMs reporting temporarily hung tasks blocking the whole system for a few minutes. They unblock by themselves and have similar tracebacks. The IO PSIs show 100% pressure for that time, but the underlying devices are still processing read and write IO (well within their capacity). I’ve eliminated the underlying storage (Ceph) as the source of problems as I couldn’t find any latency outliers or significant queuing during that time. I’ve seen somewhat similar reports on 6.6.88 and 6.6.77, but those might have been different outliers. I’m attaching 3 logs - my intuition and the data so far leads me to consider this might be a kernel bug. I haven’t found a way to reproduce this, yet. Regards, Christian -- Christian Theune · ct(a)flyingcircus.io · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

4 weeks

3
13
0 0

[PATCH v3 2/9] vsock/virtio: Validate length in packet header before skb_put()

by Will Deacon

When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put(). Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Will Deacon <will(a)kernel.org> --- net/vmw_vsock/virtio_transport.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index f0e48e6911fc..bd2c6aaa1a93 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -624,8 +624,9 @@ static void virtio_transport_rx_work(struct work_struct *work) do { virtqueue_disable_cb(vq); for (;;) { + unsigned int len, payload_len; + struct virtio_vsock_hdr *hdr; struct sk_buff *skb; - unsigned int len; if (!virtio_transport_more_replies(vsock)) { /* Stop rx until the device processes already @@ -642,12 +643,19 @@ static void virtio_transport_rx_work(struct work_struct *work) vsock->rx_buf_nr--; /* Drop short/long packets */ - if (unlikely(len < sizeof(struct virtio_vsock_hdr) || + if (unlikely(len < sizeof(*hdr) || len > virtio_vsock_skb_len(skb))) { kfree_skb(skb); continue; } + hdr = virtio_vsock_hdr(skb); + payload_len = le32_to_cpu(hdr->len); + if (payload_len > len - sizeof(*hdr)) { + kfree_skb(skb); + continue; + } + virtio_vsock_skb_rx_put(skb); virtio_transport_deliver_tap_pkt(skb); virtio_transport_recv_pkt(&virtio_transport, skb); -- 2.50.0.727.gbf7dc18ff4-goog

4 weeks

2
1
0 0

[PATCH RESEND] fs/ntfs3: Fix a resource leak bug in wnd_extend()

by Haoxiang Li

Add put_bh() to decrease the refcount of 'bh' after the job is finished, preventing a resource leak. Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- fs/ntfs3/bitmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c index 04107b950717..65d05e6a0566 100644 --- a/fs/ntfs3/bitmap.c +++ b/fs/ntfs3/bitmap.c @@ -1371,6 +1371,7 @@ int wnd_extend(struct wnd_bitmap *wnd, size_t new_bits) mark_buffer_dirty(bh); unlock_buffer(bh); /* err = sync_dirty_buffer(bh); */ + put_bh(bh); b0 = 0; bits -= op; -- 2.25.1

4 weeks

1
0
0 0

[PATCH v3 1/9] vhost/vsock: Avoid allocating arbitrarily-sized SKBs

by Will Deacon

vhost_vsock_alloc_skb() returns NULL for packets advertising a length larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However, this is only checked once the SKB has been allocated and, if the length in the packet header is zero, the SKB may not be freed immediately. Hoist the size check before the SKB allocation so that an iovec larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected outright. The subsequent check on the length field in the header can then simply check that the allocated SKB is indeed large enough to hold the packet. Cc: <stable(a)vger.kernel.org> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Will Deacon <will(a)kernel.org> --- drivers/vhost/vsock.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 802153e23073..66a0f060770e 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, len = iov_length(vq->iov, out); + if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) + return NULL; + /* len contains both payload and hdr */ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); if (!skb) @@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, return skb; /* The pkt is too big or the length in the header is invalid */ - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || - payload_len + sizeof(*hdr) > len) { + if (payload_len + sizeof(*hdr) > len) { kfree_skb(skb); return NULL; } -- 2.50.0.727.gbf7dc18ff4-goog

4 weeks

2
1
0 0

[PATCH net 0/2] selftests: mptcp: connect: cover alt modes

by Matthieu Baerts (NGI0)

mptcp_connect.sh can be executed manually with "-m <MODE>" and "-C" to make sure everything works as expected when using "mmap" and "sendfile" modes instead of "poll", and with the MPTCP checksum support. These modes should be validated, but they are not when the selftests are executed via the kselftest helpers. It means that most CIs validating these selftests, like NIPA for the net development trees and LKFT for the stable ones, are not covering these modes. To fix that, new test programs have been added, simply calling mptcp_connect.sh with the right parameters. The first patch can be backported up to v5.6, and the second one up to v5.14. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (2): selftests: mptcp: connect: also cover alt modes selftests: mptcp: connect: also cover checksum tools/testing/selftests/net/mptcp/Makefile | 3 ++- tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh | 4 ++++ tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh | 4 ++++ tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh | 4 ++++ 4 files changed, 14 insertions(+), 1 deletion(-) --- base-commit: b640daa2822a39ff76e70200cb2b7b892b896dce change-id: 20250714-net-mptcp-sft-connect-alt-c1aaf073ef4e Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

4 weeks

2
3
0 0

[PATCH 5.4] net: ipv6: Discard next-hop MTU less than minimum link MTU

by WangYuli

From: Georg Kohmann <geokohma(a)cisco.com> [ Upstream commit 4a65dff81a04f874fa6915c7f069b4dc2c4010e4 ] When a ICMPV6_PKT_TOOBIG report a next-hop MTU that is less than the IPv6 minimum link MTU, the estimated path MTU is reduced to the minimum link MTU. This behaviour breaks TAHI IPv6 Core Conformance Test v6LC4.1.6: Packet Too Big Less than IPv6 MTU. Referring to RFC 8201 section 4: "If a node receives a Packet Too Big message reporting a next-hop MTU that is less than the IPv6 minimum link MTU, it must discard it. A node must not reduce its estimate of the Path MTU below the IPv6 minimum link MTU on receipt of a Packet Too Big message." Drop the path MTU update if reported MTU is less than the minimum link MTU. Signed-off-by: Georg Kohmann <geokohma(a)cisco.com> Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- net/ipv6/route.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index b321cec71127..93bae134e730 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2765,7 +2765,8 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, if (confirm_neigh) dst_confirm_neigh(dst, daddr); - mtu = max_t(u32, mtu, IPV6_MIN_MTU); + if (mtu < IPV6_MIN_MTU) + return; if (mtu >= dst_mtu(dst)) return; -- 2.50.0

4 weeks

1
0
0 0

[PATCH 5.4/5.10/5.15/6.1/6.6] Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID

by Wang Hai

From: Hans de Goede <hdegoede(a)redhat.com> commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 upstream. After commit 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode") not only the getid command is skipped, but also the de-activating of the keyboard at the end of atkbd_probe(), potentially re-introducing the problem fixed by commit be2d7e4233a4 ("Input: atkbd - fix multi-byte scancode handling on reconnect"). Make sure multi-byte scancode handling on reconnect is still handled correctly by not skipping the atkbd_deactivate() call. Fixes: 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode") Tested-by: Paul Menzel <pmenzel(a)molgen.mpg.de> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Link: https://lore.kernel.org/r/20240126160724.13278-3-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/input/keyboard/atkbd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c index b3a856333d4e..de59fc1a24bc 100644 --- a/drivers/input/keyboard/atkbd.c +++ b/drivers/input/keyboard/atkbd.c @@ -805,11 +805,11 @@ static int atkbd_probe(struct atkbd *atkbd) "keyboard reset failed on %s\n", ps2dev->serio->phys); if (atkbd_skip_getid(atkbd)) { atkbd->id = 0xab83; - return 0; + goto deactivate_kbd; } /* * Then we check the keyboard ID. We should get 0xab83 under normal conditions. * Some keyboards report different values, but the first byte is always 0xab or @@ -842,10 +842,11 @@ static int atkbd_probe(struct atkbd *atkbd) "NCD terminal keyboards are only supported on non-translating controllers. " "Use i8042.direct=1 to disable translation.\n"); return -1; } +deactivate_kbd: /* * Make sure nothing is coming from the keyboard and disturbs our * internal state. */ if (!atkbd_skip_deactivate) -- 2.17.1

4 weeks

2
1
0 0

[PATCH] media: pci: intel: Balance device refcount when destroying devices

by Ma Ke

Using ipu_bridge_get_ivsc_csi_dev() to locate the device could cause an imbalance in the device's reference count. ipu_bridge_get_ivsc_csi_dev() calls device_find_child_by_name() to implement the localization, and device_find_child_by_name() calls an implicit get_device() to increment the device's reference count before returning the pointer. Throughout the entire implementation process, no mechanism releases resources properly. This leads to a memory leak because the reference count of the device is never decremented. As the comment of device_find_child_by_name() says, 'NOTE: you will need to drop the reference with put_device() after use'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: c66821f381ae ("media: pci: intel: Add IVSC support for IPU bridge driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/media/pci/intel/ipu-bridge.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c index 83e682e1a4b7..f8b4672accab 100644 --- a/drivers/media/pci/intel/ipu-bridge.c +++ b/drivers/media/pci/intel/ipu-bridge.c @@ -192,6 +192,7 @@ static int ipu_bridge_check_ivsc_dev(struct ipu_sensor *sensor, sensor->csi_dev = csi_dev; sensor->ivsc_adev = adev; + put_device(csi_dev); } return 0; -- 2.25.1

4 weeks

2
1
0 0

[PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

by Nikunj A Dadhania

Require a minimum GHCB version of 2 when starting SEV-SNP guests through KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an incompatible GHCB version (less than 2), reject the request early rather than allowing the guest to start with an incorrect protocol version and fail later. Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version") Cc: Thomas Lendacky <thomas.lendacky(a)amd.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Michael Roth <michael.roth(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Nikunj A Dadhania <nikunj(a)amd.com> --- arch/x86/kvm/svm/sev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index a12e78b67466..91d06fb91ba2 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -435,6 +435,9 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, if (unlikely(sev->active)) return -EINVAL; + if (snp_active && data->ghcb_version && data->ghcb_version < 2) + return -EINVAL; + sev->active = true; sev->es_active = es_active; sev->vmsa_features = data->vmsa_features; -- 2.43.0

4 weeks

3
6
0 0

[REGRESSION] thunderbolt: Fix a logic error in wake on connect

by Alyssa Ross

On Fri, Apr 11, 2025 at 10:14:44AM -0500, Mario Limonciello wrote: > From: Mario Limonciello <mario.limonciello(a)amd.com> > > commit a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect > on USB4 ports") introduced a sysfs file to control wake up policy > for a given USB4 port that defaulted to disabled. > > However when testing commit 4bfeea6ec1c02 ("thunderbolt: Use wake > on connect and disconnect over suspend") I found that it was working > even without making changes to the power/wakeup file (which defaults > to disabled). This is because of a logic error doing a bitwise or > of the wake-on-connect flag with device_may_wakeup() which should > have been a logical AND. > > Adjust the logic so that policy is only applied when wakeup is > actually enabled. > > Fixes: a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect on USB4 ports") > Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Hi! There have been a couple of reports of a Thunderbolt regression in recent stable kernels, and one reporter has now bisected it to this change: • https://bugzilla.kernel.org/show_bug.cgi?id=220284 • https://github.com/NixOS/nixpkgs/issues/420730 Both reporters are CCed, and say it starts working after the module is reloaded. Link: https://lore.kernel.org/r/bug-220284-208809@https.bugzilla.kernel.org%2F/ (for regzbot) > --- > drivers/thunderbolt/usb4.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/thunderbolt/usb4.c b/drivers/thunderbolt/usb4.c > index e51d01671d8e7..3e96f1afd4268 100644 > --- a/drivers/thunderbolt/usb4.c > +++ b/drivers/thunderbolt/usb4.c > @@ -440,10 +440,10 @@ int usb4_switch_set_wake(struct tb_switch *sw, unsigned int flags) > bool configured = val & PORT_CS_19_PC; > usb4 = port->usb4; > > - if (((flags & TB_WAKE_ON_CONNECT) | > + if (((flags & TB_WAKE_ON_CONNECT) && > device_may_wakeup(&usb4->dev)) && !configured) > val |= PORT_CS_19_WOC; > - if (((flags & TB_WAKE_ON_DISCONNECT) | > + if (((flags & TB_WAKE_ON_DISCONNECT) && > device_may_wakeup(&usb4->dev)) && configured) > val |= PORT_CS_19_WOD; > if ((flags & TB_WAKE_ON_USB4) && configured) > -- > 2.43.0 >

4 weeks

3
5
0 0

Re: [PATCH 6.6 087150] Input atkbd - skip ATKBD_CMD_GETID in translated mode

by Wang Hai

On 1970/1/1 8:00, wrote: > 6.6-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From Hans de Goede hdegoede(a)redhat.com > > [ Upstream commit 936e4d49ecbc8c404790504386e1422b599dec39 ] > > There have been multiple reports of keyboard issues on recent laptop models > which can be worked around by setting i8042.dumbkbd, with the downside > being this breaks the capslock LED. > > It seems that these issues are caused by recent laptops getting confused by > ATKBD_CMD_GETID. Rather then adding and endless growing list of quirks for > this, just skip ATKBD_CMD_GETID alltogether on laptops in translated mode. > > The main goal of sending ATKBD_CMD_GETID is to skip binding to ps2 > micetouchpads and those are never used in translated mode. > > Examples of laptop models which benefit from skipping ATKBD_CMD_GETID > > HP Laptop 15s-fq2xxx, HP laptop 15s-fq4xxx and HP Laptop 15-dy2xxx > models the kbd stops working for the first 2 - 5 minutes after boot > (waiting for EC watchdog reset) > > On HP Spectre x360 13-aw2xxx atkbd fails to probe the keyboard > > At least 9 different Lenovo models have issues with ATKBD_CMD_GETID, see > httpsgithub.comyescallopatkbd-nogetid > > This has been tested on > > 1. A MSI B550M PRO-VDH WIFI desktop, where the i8042 controller is not > in translated mode when no keyboard is plugged in and with a ps2 kbd > a AT Translated Set 2 keyboard devinputevent# node shows up > > 2. A Lenovo ThinkPad X1 Yoga gen 8 (always has a translated set 2 keyboard) > > Reported-by Shang Ye yesh25(a)mail2.sysu.edu.cn > Closes httpslore.kernel.orglinux-input886D6167733841AE+20231017135318.11142-1-yesh25(a)mail2.sysu.edu.cn > Closes httpsgithub.comyescallopatkbd-nogetid > Reported-by gurevitch mail(a)gurevit.ch > Closes httpslore.kernel.orglinux-input2iAJTwqZV6lQs26cTb38RNYqxvsink6SRmrZ5h0cBUSuf9NT0tZTsf9fEAbbto2maavHJEOP8GA1evlKa6xjKOsaskDhtJWxjcnrgPigzVo=(a)gurevit.ch > Reported-by Egor Ignatov egori(a)altlinux.org > Closes httpslore.kernel.orgall20210609073333.8425-1-egori(a)altlinux.org > Reported-by Anton Zhilyaev anton(a)cpp.in > Closes httpslore.kernel.orglinux-input20210201160336.16008-1-anton(a)cpp.in > Closes httpsbugzilla.redhat.comshow_bug.cgiid=2086156 > Signed-off-by Hans de Goede hdegoede(a)redhat.com > Link httpslore.kernel.orgr20231115174625.7462-1-hdegoede(a)redhat.com > Signed-off-by Dmitry Torokhov dmitry.torokhov(a)gmail.com > Signed-off-by Sasha Levin sashal(a)kernel.org > --- Hi, Hans I noticed there's a subsequent bugfix [1] for this patch, but it hasn't been merged into the stable-6.6 branch. Based on the bugfix description, the issue should exist there as well. Would you like this patch to be merged into the stable-6.6 branch?" [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

4 weeks

2
2
0 0

[PATCH v6.1] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. Cc: stable(a)vger.kernel.org#6.1.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index 3077cb9d58d6..87f2f56fd20a 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -568,8 +568,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, vs->compl_bitmap); } else @@ -1173,8 +1175,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

4 weeks

1
0
0 0

[PATCH v5.15] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. Cc: stable(a)vger.kernel.org#5.15.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index f9930887fdd2..2c19fa02141d 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -563,8 +563,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, signal); } else @@ -1166,8 +1168,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

4 weeks

1
0
0 0

[PATCH v5.10 v2] vhost-scsi: protect vq->log_used with vq->mutex

by Xinyu Zheng

From: Dongli Zhang <dongli.zhang(a)oracle.com> [ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ] The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. Cc: stable(a)vger.kernel.org#5.10.x Cc: gregkh(a)linuxfoundation.org Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Reviewed-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <20250403063028.16045-2-dongli.zhang(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [ Conflicts in drivers/vhost/scsi.c bacause vhost_scsi_complete_cmd_work() has been refactored. ] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- V1 -> V2: Remove unnecessary CVE tag drivers/vhost/scsi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index a23a65e7d828..fcde3752b4f1 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -579,8 +579,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); if (likely(ret == sizeof(v_rsp))) { struct vhost_scsi_virtqueue *q; - vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); + mutex_lock(&q->vq.mutex); + vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + mutex_unlock(&q->vq.mutex); vq = q - vs->vqs; __set_bit(vq, signal); } else @@ -1193,8 +1195,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) else resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + mutex_lock(&tmf->svq->vq.mutex); vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, tmf->vq_desc, &tmf->resp_iov, resp_code); + mutex_unlock(&tmf->svq->vq.mutex); + vhost_scsi_release_tmf_res(tmf); } -- 2.34.1

4 weeks

1
0
0 0

Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel

by Aaron Lu

Hello, Wei reported when loading his bpf prog in 5.10.200 kernel, host would panic, this didn't happen in 5.10.135 kernel. Test on latest v5.10.238 still has this panic. [ 26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168 [ 26.538093] #PF: supervisor read access in kernel mode [ 26.542727] #PF: error_code(0x0000) - not-present page [ 26.548093] PGD 10f3e9067 P4D 10f332067 PUD 10f0c5067 PMD 0 [ 26.553211] Oops: 0000 [#1] SMP NOPTI [ 26.556531] CPU: 2 PID: 541 Comm: main Not tainted 5.10.238-00267-g01e7e36b8606 #63 [ 26.563816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0 [ 26.576572] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6 [ 26.589100] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216 [ 26.592612] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003 [ 26.597416] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78 [ 26.601362] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004 [ 26.604261] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000 [ 26.607202] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140 [ 26.610327] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000 [ 26.613678] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.616105] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0 [ 26.619059] Call Trace: [ 26.620118] adjust_reg_min_max_vals+0x133/0x340 [ 26.622048] ? krealloc+0x63/0xe0 [ 26.623435] do_check+0x38c/0xa80 [ 26.624859] do_check_common+0x15b/0x280 [ 26.626496] bpf_check+0xbe1/0xd30 [ 26.627939] ? srso_alias_return_thunk+0x5/0x7f [ 26.629796] ? trace_hardirqs_on+0x1a/0xd0 [ 26.631503] ? srso_alias_return_thunk+0x5/0x7f [ 26.633402] bpf_prog_load+0x422/0x8a0 [ 26.634987] ? srso_alias_return_thunk+0x5/0x7f [ 26.636864] ? __handle_mm_fault+0x3cb/0x6d0 [ 26.638658] ? srso_alias_return_thunk+0x5/0x7f [ 26.640543] ? lock_release+0xe3/0x110 [ 26.642114] __do_sys_bpf+0x485/0xdf0 [ 26.643624] do_syscall_64+0x33/0x40 [ 26.645110] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ 26.647190] RIP: 0033:0x409a6e [ 26.648470] Code: 24 28 44 8b 44 24 2c e9 70 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48 [ 26.656154] RSP: 002b:000000c00199edc0 EFLAGS: 00000212 ORIG_RAX: 0000000000000141 [ 26.659451] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000409a6e [ 26.662375] RDX: 0000000000000098 RSI: 000000c00199f290 RDI: 0000000000000005 [ 26.665267] RBP: 000000c00199ee00 R08: 0000000000000000 R09: 0000000000000000 [ 26.668204] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 26.671125] R13: 0000000000000080 R14: 000000c000002380 R15: 8080808080808080 [ 26.674085] Modules linked in: [ 26.675363] CR2: 0000000000000168 [ 26.676772] ---[ end trace 3fc192ee4dabbf12 ]--- [ 26.678667] RIP: 0010:__mark_chain_precision+0x24b/0x4d0 [ 26.680926] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6 [ 26.688665] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216 [ 26.690828] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003 [ 26.693777] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78 [ 26.696680] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004 [ 26.699651] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000 [ 26.702561] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140 [ 26.705522] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000 [ 26.708806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.711179] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0 [ 26.714143] Kernel panic - not syncing: Fatal exception [ 26.716893] Kernel Offset: disabled [ 26.718911] Rebooting in 5 seconds.. I did a bisect in linux-5.10.y branch and found the fbc is commit 2474ec58b96d("bpf: allow precision tracking for programs with subprogs"). I noticed there is a commit in Linus master branch that has a fix tag for this bisected commit: commit 81335f90e8a8("bpf: unconditionally reset backtrack_state masks on global func exit"), I tried to apply it in this 5.10.y branch but since the bases are quite different, clean apply is not possible, I end up with the following diff: diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 40ac67a04ab75..71da33fb96552 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2118,11 +2118,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int r bitmap_from_u64(mask, reg_mask); for_each_set_bit(i, mask, 32) { reg = &st->frame[0]->regs[i]; - if (reg->type != SCALAR_VALUE) { - reg_mask &= ~(1u << i); - continue; - } - reg->precise = true; + reg_mask &= ~(1u << i); + if (reg->type == SCALAR_VALUE) + reg->precise = true; } return 0; } But it didn't make any difference. Here are the reproduce steps: 1 clone this repo https://github.com/bytedance/vArmor-ebpf and switch to panic-analysis branch; 2 make build A binary named main should be built. I used golang compiler downloaded here: https://go.dev/dl/go1.24.3.linux-amd64.tar.gz but other golang compiler may also work. Run main as root and it will panic the host(kernel needs CONFIG_BPF_LSM). Full dmesg and config are attached, feel free to let me know if you need any additional info, thanks. P.S. linux-5.15.y has the same situation.

4 weeks

3
11
0 0

[PATCH 1/1] iommu/sva: Invalidate KVA range on kernel TLB flush

by Lu Baolu

The vmalloc() and vfree() functions manage virtually contiguous, but not necessarily physically contiguous, kernel memory regions. When vfree() unmaps such a region, it tears down the associated kernel page table entries and frees the physical pages. In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. Architectures like x86 share static kernel address mappings across all user page tables, allowing the IOMMU to access the kernel portion of these tables. Modern IOMMUs often cache page table entries to optimize walk performance, even for intermediate page table levels. If kernel page table mappings are changed (e.g., by vfree()), but the IOMMU's internal caches retain stale entries, Use-After-Free (UAF) vulnerability condition arises. If these freed page table pages are reallocated for a different purpose, potentially by an attacker, the IOMMU could misinterpret the new data as valid page table entries. This allows the IOMMU to walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. To mitigate this, introduce a new iommu interface to flush IOMMU caches and fence pending page table walks when kernel page mappings are updated. This interface should be invoked from architecture-specific code that manages combined user and kernel page tables. Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Cc: stable(a)vger.kernel.org Co-developed-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- arch/x86/mm/tlb.c | 2 ++ drivers/iommu/iommu-sva.c | 32 +++++++++++++++++++++++++++++++- include/linux/iommu.h | 4 ++++ 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index 39f80111e6f1..a41499dfdc3f 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -12,6 +12,7 @@ #include <linux/task_work.h> #include <linux/mmu_notifier.h> #include <linux/mmu_context.h> +#include <linux/iommu.h> #include <asm/tlbflush.h> #include <asm/mmu_context.h> @@ -1540,6 +1541,7 @@ void flush_tlb_kernel_range(unsigned long start, unsigned long end) kernel_tlb_flush_range(info); put_flush_tlb_info(); + iommu_sva_invalidate_kva_range(start, end); } /* diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c index 1a51cfd82808..154384eab8a3 100644 --- a/drivers/iommu/iommu-sva.c +++ b/drivers/iommu/iommu-sva.c @@ -10,6 +10,8 @@ #include "iommu-priv.h" static DEFINE_MUTEX(iommu_sva_lock); +static DEFINE_STATIC_KEY_FALSE(iommu_sva_present); +static LIST_HEAD(iommu_sva_mms); static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, struct mm_struct *mm); @@ -42,6 +44,7 @@ static struct iommu_mm_data *iommu_alloc_mm_data(struct mm_struct *mm, struct de return ERR_PTR(-ENOSPC); } iommu_mm->pasid = pasid; + iommu_mm->mm = mm; INIT_LIST_HEAD(&iommu_mm->sva_domains); /* * Make sure the write to mm->iommu_mm is not reordered in front of @@ -132,8 +135,13 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm if (ret) goto out_free_domain; domain->users = 1; - list_add(&domain->next, &mm->iommu_mm->sva_domains); + if (list_empty(&iommu_mm->sva_domains)) { + if (list_empty(&iommu_sva_mms)) + static_branch_enable(&iommu_sva_present); + list_add(&iommu_mm->mm_list_elm, &iommu_sva_mms); + } + list_add(&domain->next, &iommu_mm->sva_domains); out: refcount_set(&handle->users, 1); mutex_unlock(&iommu_sva_lock); @@ -175,6 +183,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle) list_del(&domain->next); iommu_domain_free(domain); } + + if (list_empty(&iommu_mm->sva_domains)) { + list_del(&iommu_mm->mm_list_elm); + if (list_empty(&iommu_sva_mms)) + static_branch_disable(&iommu_sva_present); + } + mutex_unlock(&iommu_sva_lock); kfree(handle); } @@ -312,3 +327,18 @@ static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, return domain; } + +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) +{ + struct iommu_mm_data *iommu_mm; + + might_sleep(); + + if (!static_branch_unlikely(&iommu_sva_present)) + return; + + guard(mutex)(&iommu_sva_lock); + list_for_each_entry(iommu_mm, &iommu_sva_mms, mm_list_elm) + mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end); +} +EXPORT_SYMBOL_GPL(iommu_sva_invalidate_kva_range); diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 156732807994..31330c12b8ee 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -1090,7 +1090,9 @@ struct iommu_sva { struct iommu_mm_data { u32 pasid; + struct mm_struct *mm; struct list_head sva_domains; + struct list_head mm_list_elm; }; int iommu_fwspec_init(struct device *dev, struct fwnode_handle *iommu_fwnode); @@ -1571,6 +1573,7 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm); void iommu_sva_unbind_device(struct iommu_sva *handle); u32 iommu_sva_get_pasid(struct iommu_sva *handle); +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end); #else static inline struct iommu_sva * iommu_sva_bind_device(struct device *dev, struct mm_struct *mm) @@ -1595,6 +1598,7 @@ static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm) } static inline void mm_pasid_drop(struct mm_struct *mm) {} +static inline void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) {} #endif /* CONFIG_IOMMU_SVA */ #ifdef CONFIG_IOMMU_IOPF -- 2.43.0

4 weeks

11
22
0 0

[PATCH net-next v2 1/2] net: ipv4: fix incorrect MTU in broadcast routes

by Oscar Maes

Currently, __mkroute_output overrules the MTU value configured for broadcast routes. This buggy behaviour can be reproduced with: ip link set dev eth1 mtu 9000 ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500 The maximum packet size should be 1500, but it is actually 8000: ping -b 192.168.0.255 -s 8000 Fix __mkroute_output to allow MTU values to be configured for for broadcast routes (to support a mixed-MTU local-area-network). Signed-off-by: Oscar Maes <oscmaes92(a)gmail.com> --- net/ipv4/route.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 64ba377cd..f639a2ae8 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2588,7 +2588,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res, do_cache = true; if (type == RTN_BROADCAST) { flags |= RTCF_BROADCAST | RTCF_LOCAL; - fi = NULL; } else if (type == RTN_MULTICAST) { flags |= RTCF_MULTICAST | RTCF_LOCAL; if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, -- 2.39.5

4 weeks

3
3
0 0

[PATCH AUTOSEL 5.4] rxrpc: Fix oops due to non-existence of prealloc backlog struct

by Sasha Levin

From: David Howells <dhowells(a)redhat.com> [ Upstream commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 ] If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque(a)tencent.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: LePremierHomme <kwqcheii(a)proton.me> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Willy Tarreau <w(a)1wt.eu> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **YES** This commit should be backported to stable kernel trees for the following reasons: 1. **Fixes a Critical Kernel Oops**: The commit addresses a NULL pointer dereference that causes a kernel crash when `rx->backlog` is NULL. At line 257 of the original code, `smp_load_acquire(&b->call_backlog_head)` would dereference a NULL pointer if no preallocation was done. 2. **Minimal and Safe Fix**: The fix is a simple defensive check: ```c + if (!b) + return NULL; ``` This is placed immediately after obtaining the backlog pointer and before any usage. The fix has zero risk of regression - if `b` is NULL, the code would have crashed anyway. 3. **Clear Reproducible Scenario**: The bug occurs in a specific but realistic scenario - when an AF_RXRPC service socket is opened and bound but no calls are preallocated (meaning `rxrpc_service_prealloc()` was never called to allocate the backlog structure). 4. **Follows Stable Kernel Rules**: This fix meets all criteria for stable backporting: - Fixes a real bug that users can hit - Small and contained change (2 lines) - Obviously correct with no side effects - Already tested and merged upstream 5. **Similar to Previously Backported Fixes**: Looking at Similar Commit #2 which was marked YES, it also fixed an oops in the rxrpc preallocation/backlog system with minimal changes. The commit prevents a kernel crash with a trivial NULL check, making it an ideal candidate for stable backporting. net/rxrpc/call_accept.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index 55fb3744552de..99f05057e4c90 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -281,6 +281,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, unsigned short call_tail, conn_tail, peer_tail; unsigned short call_count, conn_count; + if (!b) + return NULL; + /* #calls >= #conns >= #peers must hold true. */ call_head = smp_load_acquire(&b->call_backlog_head); call_tail = b->call_backlog_tail; -- 2.39.5

4 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror