- Linux-stable-mirror - lists.linaro.org

[PATCH 03/15] dmaengine: cv1800b-dmamux: fix device leak on route allocation

by Johan Hovold

Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: db7d07b5add4 ("dmaengine: add driver for Sophgo CV18XX/SG200X dmamux") Cc: stable(a)vger.kernel.org # 6.17 Cc: Inochi Amaoto <inochiama(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/dma/cv1800b-dmamux.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/drivers/dma/cv1800b-dmamux.c b/drivers/dma/cv1800b-dmamux.c index e900d6595617..f7a952fcbc7d 100644 --- a/drivers/dma/cv1800b-dmamux.c +++ b/drivers/dma/cv1800b-dmamux.c @@ -102,11 +102,11 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec, struct llist_node *node; unsigned long flags; unsigned int chid, devid, cpuid; - int ret; + int ret = -EINVAL; if (dma_spec->args_count != DMAMUX_NCELLS) { dev_err(&pdev->dev, "invalid number of dma mux args\n"); - return ERR_PTR(-EINVAL); + goto err_put_pdev; } devid = dma_spec->args[0]; @@ -115,18 +115,18 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec, if (devid > MAX_DMA_MAPPING_ID) { dev_err(&pdev->dev, "invalid device id: %u\n", devid); - return ERR_PTR(-EINVAL); + goto err_put_pdev; } if (cpuid > MAX_DMA_CPU_ID) { dev_err(&pdev->dev, "invalid cpu id: %u\n", cpuid); - return ERR_PTR(-EINVAL); + goto err_put_pdev; } dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0); if (!dma_spec->np) { dev_err(&pdev->dev, "can't get dma master\n"); - return ERR_PTR(-EINVAL); + goto err_put_pdev; } spin_lock_irqsave(&dmamux->lock, flags); @@ -136,8 +136,6 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec, if (map->peripheral == devid && map->cpu == cpuid) goto found; } - - ret = -EINVAL; goto failed; } else { node = llist_del_first(&dmamux->free_maps); @@ -171,12 +169,17 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec, dev_dbg(&pdev->dev, "register channel %u for req %u (cpu %u)\n", chid, devid, cpuid); + put_device(&pdev->dev); + return map; failed: spin_unlock_irqrestore(&dmamux->lock, flags); of_node_put(dma_spec->np); dev_err(&pdev->dev, "errno %d\n", ret); +err_put_pdev: + put_device(&pdev->dev); + return ERR_PTR(ret); } -- 2.51.0

3 weeks, 6 days

1
0
0 0

[PATCH 02/15] dmaengine: bcm-sba-raid: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. Fixes: 743e1c8ffe4e ("dmaengine: Add Broadcom SBA RAID driver") Cc: stable(a)vger.kernel.org # 4.13 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/dma/bcm-sba-raid.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/dma/bcm-sba-raid.c b/drivers/dma/bcm-sba-raid.c index 7f0e76439ce5..ed037fa883f6 100644 --- a/drivers/dma/bcm-sba-raid.c +++ b/drivers/dma/bcm-sba-raid.c @@ -1699,7 +1699,7 @@ static int sba_probe(struct platform_device *pdev) /* Prealloc channel resource */ ret = sba_prealloc_channel_resources(sba); if (ret) - goto fail_free_mchan; + goto fail_put_mbox; /* Check availability of debugfs */ if (!debugfs_initialized()) @@ -1729,6 +1729,8 @@ static int sba_probe(struct platform_device *pdev) fail_free_resources: debugfs_remove_recursive(sba->root); sba_freeup_channel_resources(sba); +fail_put_mbox: + put_device(sba->mbox_dev); fail_free_mchan: mbox_free_channel(sba->mchan); return ret; @@ -1744,6 +1746,8 @@ static void sba_remove(struct platform_device *pdev) sba_freeup_channel_resources(sba); + put_device(sba->mbox_dev); + mbox_free_channel(sba->mchan); } -- 2.51.0

3 weeks, 6 days

1
0
0 0

[PATCH] usb: dwc3: gadget: Prevent EPs resource conflict during StartTransfer

by Selvarasu Ganesan

This commit fixes the below warning that occurs when a StartTransfer command is issued for bulk or interrupt endpoints in `dwc3_gadget_ep_enable` while a previous transfer on the same endpoint is still in progress. The gadget functions drivers can invoke usb_ep_enable (which triggers a new StartTransfer command) before the earlier transfer has completed. Because the previous StartTransfer is still active, `dwc3_gadget_ep_disable` can skip the required `EndTransfer` due to `DWC3_EP_DELAY_STOP`, leading to the endpoint resources are busy for previous StartTransfer and warning ("No resource for ep") from gadget driver. To resolve this, a check is added to `dwc3_gadget_ep_enable` that checks the `DWC3_EP_TRANSFER_STARTED` flag before issuing a new StartTransfer. By preventing a second StartTransfer on an already busy endpoint, the resource conflict is eliminated, the warning disappears, and potential kernel panics caused by `panic_on_warn` are avoided. ------------[ cut here ]------------ dwc3 13200000.dwc3: No resource for ep1out WARNING: CPU: 0 PID: 700 at drivers/usb/dwc3/gadget.c:398 dwc3_send_gadget_ep_cmd+0x2f8/0x76c Call trace: dwc3_send_gadget_ep_cmd+0x2f8/0x76c __dwc3_gadget_ep_enable+0x490/0x7c0 dwc3_gadget_ep_enable+0x6c/0xe4 usb_ep_enable+0x5c/0x15c mp_eth_stop+0xd4/0x11c __dev_close_many+0x160/0x1c8 __dev_change_flags+0xfc/0x220 dev_change_flags+0x24/0x70 devinet_ioctl+0x434/0x524 inet_ioctl+0xa8/0x224 sock_do_ioctl+0x74/0x128 sock_ioctl+0x3bc/0x468 __arm64_sys_ioctl+0xa8/0xe4 invoke_syscall+0x58/0x10c el0_svc_common+0xa8/0xdc do_el0_svc+0x1c/0x28 el0_svc+0x38/0x88 el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1a8/0x1ac Change-Id: Id292265a34448e566ef1ea882e313856423342dc Fixes: a97ea994605e ("usb: dwc3: gadget: offset Start Transfer latency for bulk EPs") Cc: stable(a)vger.kernel.org Signed-off-by: Selvarasu Ganesan <selvarasu.g(a)samsung.com> --- drivers/usb/dwc3/gadget.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index f95d1369bbc6..23e5c111da7c 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -951,8 +951,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action) * Issue StartTransfer here with no-op TRB so we can always rely on No * Response Update Transfer command. */ - if (usb_endpoint_xfer_bulk(desc) || - usb_endpoint_xfer_int(desc)) { + if ((usb_endpoint_xfer_bulk(desc) || + usb_endpoint_xfer_int(desc)) && + !(dep->flags & DWC3_EP_TRANSFER_STARTED)) { struct dwc3_gadget_ep_cmd_params params; struct dwc3_trb *trb; dma_addr_t trb_dma; -- 2.34.1

3 weeks, 6 days

1
1
0 0

[PATCH] drm/kmb: Fix error handling in kmb_probe

by Ma Ke

kmb_probe() obtain a reference to a platform device by of_find_device_by_node(). This call increases the reference count of the returned device, which should be dropped by calling put_device() when the device is no longer needed. However, the code fails to call put_device() in several error handling paths and the normal device removal path. This could result in reference count leaks that prevent the proper cleanup of the platform device when the driver is unloaded or during error recovery. Add put_device() in all code paths where dsi_pdev is no longer needed, including error paths and the normal removal path. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 7f7b96a8a0a1 ("drm/kmb: Add support for KeemBay Display") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/kmb/kmb_drv.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c index 32cda134ae3e..4fc9fdf92118 100644 --- a/drivers/gpu/drm/kmb/kmb_drv.c +++ b/drivers/gpu/drm/kmb/kmb_drv.c @@ -473,6 +473,8 @@ static void kmb_remove(struct platform_device *pdev) /* Unregister DSI host */ kmb_dsi_host_unregister(kmb->kmb_dsi); + if (kmb->kmb_dsi && kmb->kmb_dsi->pdev) + put_device(&kmb->kmb_dsi->pdev->dev); drm_atomic_helper_shutdown(drm); } @@ -517,17 +519,20 @@ static int kmb_probe(struct platform_device *pdev) ret = kmb_dsi_host_bridge_init(get_device(&dsi_pdev->dev)); if (ret == -EPROBE_DEFER) { - return -EPROBE_DEFER; + ret = -EPROBE_DEFER; + goto err_free2; } else if (ret) { DRM_ERROR("probe failed to initialize DSI host bridge\n"); - return ret; + goto err_free2; } /* Create DRM device */ kmb = devm_drm_dev_alloc(dev, &kmb_driver, struct kmb_drm_private, drm); - if (IS_ERR(kmb)) - return PTR_ERR(kmb); + if (IS_ERR(kmb)) { + ret = PTR_ERR(kmb); + goto err_free2; + } dev_set_drvdata(dev, &kmb->drm); @@ -576,7 +581,8 @@ static int kmb_probe(struct platform_device *pdev) err_free1: dev_set_drvdata(dev, NULL); kmb_dsi_host_unregister(kmb->kmb_dsi); - + err_free2: + put_device(&dsi_pdev->dev); return ret; } -- 2.17.1

3 weeks, 6 days

2
1
0 0

[PATCH 5.4.y] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

[ Upstream commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 ] syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. [akpm(a)linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: SeongJae Park <sj(a)kernel.org> Tested-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ acsjakub: drop rust-compatibility change (no rust in 5.4) ] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- Why sending to stable version from before "fixes"? In the original patch, I set fixes tag to the change that allows the panic to manifest, not to the one that is real root-cause of the problem. The change that introduced the root-cause of the problem is: f8af4da3b4c1 ("ksm: the mm interface to ksm"), as pointed out by Vlastimil in [1]. Hence, as the older kernels can be affected by the flag-drop as well, backport to older kernels. [1]: https://lore.kernel.org/all/13c7242e-3a40-469b-9e99-8a65a21449bb@suse.cz/ include/linux/mm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 57cba6e4fdcd..be8c793233d3 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -293,7 +293,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Christof Hellmis Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 weeks, 6 days

2
1
0 0

[PATCH 5.10] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

by Eric Biggers

commit 44e8241c51f762aafa50ed116da68fd6ecdcc954 upstream. On big endian arm kernels, the arm optimized Curve25519 code produces incorrect outputs and fails the Curve25519 test. This has been true ever since this code was added. It seems that hardly anyone (or even no one?) actually uses big endian arm kernels. But as long as they're ostensibly supported, we should disable this code on them so that it's not accidentally used. Note: for future-proofing, use !CPU_BIG_ENDIAN instead of CPU_LITTLE_ENDIAN. Both of these are arch-specific options that could get removed in the future if big endian support gets dropped. Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") Cc: stable(a)vger.kernel.org Acked-by: Ard Biesheuvel <ardb(a)kernel.org> Link: https://lore.kernel.org/r/20251104054906.716914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/arm/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index c46c05548080..c5d676e7f16b 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -145,10 +145,10 @@ config CRYPTO_NHPOLY1305_NEON depends on KERNEL_MODE_NEON select CRYPTO_NHPOLY1305 config CRYPTO_CURVE25519_NEON tristate "NEON accelerated Curve25519 scalar multiplication library" - depends on KERNEL_MODE_NEON + depends on KERNEL_MODE_NEON && !CPU_BIG_ENDIAN select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 endif base-commit: df70e44fa05b01476a78d0f6a210354784ff0992 -- 2.51.2

3 weeks, 6 days

2
1
0 0

[PATCH] dmaengine: ti-dma-crossbar: Fix error handling in ti_am335x_xbar_route_allocate

by Ma Ke

ti_am335x_xbar_route_allocate() calls of_find_device_by_node() which increments the reference count of the platform device, but fails to call put_device() to decrement the reference count before returning. This could cause a reference count leak each time the function is called, preventing the platform device from being properly cleaned up and leading to memory leakage. Add proper put_device() calls in all exit paths to fix the reference count imbalance. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 42dbdcc6bf96 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/dma/ti/dma-crossbar.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c index 7f17ee87a6dc..58bc515ec8b3 100644 --- a/drivers/dma/ti/dma-crossbar.c +++ b/drivers/dma/ti/dma-crossbar.c @@ -80,33 +80,40 @@ static void *ti_am335x_xbar_route_allocate(struct of_phandle_args *dma_spec, struct platform_device *pdev = of_find_device_by_node(ofdma->of_node); struct ti_am335x_xbar_data *xbar = platform_get_drvdata(pdev); struct ti_am335x_xbar_map *map; + int ret; - if (dma_spec->args_count != 3) - return ERR_PTR(-EINVAL); + if (dma_spec->args_count != 3) { + ret = -EINVAL; + goto err_put_device; + } if (dma_spec->args[2] >= xbar->xbar_events) { dev_err(&pdev->dev, "Invalid XBAR event number: %d\n", dma_spec->args[2]); - return ERR_PTR(-EINVAL); + ret = -EINVAL; + goto err_put_device; } if (dma_spec->args[0] >= xbar->dma_requests) { dev_err(&pdev->dev, "Invalid DMA request line number: %d\n", dma_spec->args[0]); - return ERR_PTR(-EINVAL); + ret = -EINVAL; + goto err_put_device; } /* The of_node_put() will be done in the core for the node */ dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0); if (!dma_spec->np) { dev_err(&pdev->dev, "Can't get DMA master\n"); - return ERR_PTR(-EINVAL); + ret = -EINVAL; + goto err_put_device; } map = kzalloc(sizeof(*map), GFP_KERNEL); if (!map) { of_node_put(dma_spec->np); - return ERR_PTR(-ENOMEM); + ret = -ENOMEM; + goto err_put_device; } map->dma_line = (u16)dma_spec->args[0]; @@ -120,7 +127,12 @@ static void *ti_am335x_xbar_route_allocate(struct of_phandle_args *dma_spec, ti_am335x_xbar_write(xbar->iomem, map->dma_line, map->mux_val); + put_device(&pdev->dev); return map; + +err_put_device: + put_device(&pdev->dev); + return ERR_PTR(ret); } static const struct of_device_id ti_am335x_master_match[] __maybe_unused = { -- 2.17.1

3 weeks, 6 days

2
1
0 0

[PATCH 5.10.y] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

[ Upstream commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 ] syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. [akpm(a)linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: SeongJae Park <sj(a)kernel.org> Tested-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ acsjakub: drop rust-compatibility change (no rust in 5.10) ] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- Why sending to stable version from before "fixes"? In the original patch, I set fixes tag to the change that allows the panic to manifest, not to the one that is real root-cause of the problem. The change that introduced the root-cause of the problem is: f8af4da3b4c1 ("ksm: the mm interface to ksm"), as pointed out by Vlastimil in [1]. Hence, as the older kernels can be affected by the flag-drop as well, backport to older kernels. [1]: https://lore.kernel.org/all/13c7242e-3a40-469b-9e99-8a65a21449bb@suse.cz/ include/linux/mm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index e168d87d6f2e..4787d39bbad4 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -296,7 +296,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Christof Hellmis Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 weeks, 6 days

2
1
0 0

[PATCH v2 5.10.y] fsdax: mark the iomap argument to dax_iomap_sector as const

by Eliav Farber

From: Christoph Hellwig <hch(a)lst.de> [ Upstream commit 7e4f4b2d689d959b03cb07dfbdb97b9696cb1076 ] Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Eliav Farber <farbere(a)amazon.com> --- V1 -> V2: Added missing 'Signed-off-by' Fixes: fs/dax.c: In function 'dax_iomap_iter': fs/dax.c:1147:44: error: passing argument 1 of 'dax_iomap_sector' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] const sector_t sector = dax_iomap_sector(iomap, pos); ^~~~~ fs/dax.c:1009:17: note: expected 'struct iomap *' but argument is of type 'const struct iomap *' static sector_t dax_iomap_sector(struct iomap *iomap, loff_t pos) ^~~~~~~~~~~~~~~~ The issue was introduced by the cherry-pick of commit 8df4919cb921 ("fsdax: switch dax_iomap_rw to use iomap_iter") https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/… The upstream change made callers pass a const struct iomap *: const struct iomap *iomap = &iomi->iomap; but dax_iomap_sector() still expected a mutable pointer: static sector_t dax_iomap_sector(struct iomap *iomap, loff_t pos) fs/dax.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/dax.c b/fs/dax.c index 91820b9b50b7..2ca33ef5d519 100644 --- a/fs/dax.c +++ b/fs/dax.c @@ -1006,7 +1006,7 @@ int dax_writeback_mapping_range(struct address_space *mapping, } EXPORT_SYMBOL_GPL(dax_writeback_mapping_range); -static sector_t dax_iomap_sector(struct iomap *iomap, loff_t pos) +static sector_t dax_iomap_sector(const struct iomap *iomap, loff_t pos) { return (iomap->addr + (pos & PAGE_MASK) - iomap->offset) >> 9; } -- 2.47.3

3 weeks, 6 days

2
1
0 0

[PATCH 5.15] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

by Eric Biggers

commit 44e8241c51f762aafa50ed116da68fd6ecdcc954 upstream. On big endian arm kernels, the arm optimized Curve25519 code produces incorrect outputs and fails the Curve25519 test. This has been true ever since this code was added. It seems that hardly anyone (or even no one?) actually uses big endian arm kernels. But as long as they're ostensibly supported, we should disable this code on them so that it's not accidentally used. Note: for future-proofing, use !CPU_BIG_ENDIAN instead of CPU_LITTLE_ENDIAN. Both of these are arch-specific options that could get removed in the future if big endian support gets dropped. Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") Cc: stable(a)vger.kernel.org Acked-by: Ard Biesheuvel <ardb(a)kernel.org> Link: https://lore.kernel.org/r/20251104054906.716914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/arm/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index 149a5bd6b88c..d3d318df0e38 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -164,10 +164,10 @@ config CRYPTO_NHPOLY1305_NEON depends on KERNEL_MODE_NEON select CRYPTO_NHPOLY1305 config CRYPTO_CURVE25519_NEON tristate "NEON accelerated Curve25519 scalar multiplication library" - depends on KERNEL_MODE_NEON + depends on KERNEL_MODE_NEON && !CPU_BIG_ENDIAN select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 endif base-commit: cc5ec87693063acebb60f587e8a019ba9b94ae0e -- 2.51.2

3 weeks, 6 days

2
1
0 0

[PATCH 5.15.y] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

[ Upstream commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 ] syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. [akpm(a)linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: SeongJae Park <sj(a)kernel.org> Tested-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ acsjakub: drop rust-compatibility change (no rust in 5.15) ] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- Why sending to stable version from before "fixes"? In the original patch, I set fixes tag to the change that allows the panic to manifest, not to the one that is real root-cause of the problem. The change that introduced the root-cause of the problem is: f8af4da3b4c1 ("ksm: the mm interface to ksm"), as pointed out by Vlastimil in [1]. Hence, as the older kernels can be affected by the flag-drop as well, backport to older kernels. [1]: https://lore.kernel.org/all/13c7242e-3a40-469b-9e99-8a65a21449bb@suse.cz/ include/linux/mm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 3598925561b1..071dd864a7b2 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -310,7 +310,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Christof Hellmis Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 weeks, 6 days

2
1
0 0

FAILED: patch "[PATCH] mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e84cb860ac3ce67ec6ecc364433fd5b412c448bc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102646-unwary-premises-4a2c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e84cb860ac3ce67ec6ecc364433fd5b412c448bc Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 20 Oct 2025 22:53:26 +0200 Subject: [PATCH] mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR The special C-flag case expects the ADD_ADDR to be received when switching to 'fully-established'. But for various reasons, the ADD_ADDR could be sent after the "4th ACK", and the special case doesn't work. On NIPA, the new test validating this special case for the C-flag failed a few times, e.g. 102 default limits, server deny join id 0 syn rx [FAIL] got 0 JOIN[s] syn rx expected 2 Server ns stats (...) MPTcpExtAddAddrTx 1 MPTcpExtEchoAdd 1 Client ns stats (...) MPTcpExtAddAddr 1 MPTcpExtEchoAddTx 1 synack rx [FAIL] got 0 JOIN[s] synack rx expected 2 ack rx [FAIL] got 0 JOIN[s] ack rx expected 2 join Rx [FAIL] see above syn tx [FAIL] got 0 JOIN[s] syn tx expected 2 join Tx [FAIL] see above I had a suspicion about what the issue could be: the ADD_ADDR might have been received after the switch to the 'fully-established' state. The issue was not easy to reproduce. The packet capture shown that the ADD_ADDR can indeed be sent with a delay, and the client would not try to establish subflows to it as expected. A simple fix is not to mark the endpoints as 'used' in the C-flag case, when looking at creating subflows to the remote initial IP address and port. In this case, there is no need to try. Note: newly added fullmesh endpoints will still continue to be used as expected, thanks to the conditions behind mptcp_pm_add_addr_c_flag_case. Fixes: 4b1ff850e0c1 ("mptcp: pm: in-kernel: usable client side with C-flag") Cc: stable(a)vger.kernel.org Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-1-82070… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c index e0f44dc232aa..2ae95476dba3 100644 --- a/net/mptcp/pm_kernel.c +++ b/net/mptcp/pm_kernel.c @@ -370,6 +370,10 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) } subflow: + /* No need to try establishing subflows to remote id0 if not allowed */ + if (mptcp_pm_add_addr_c_flag_case(msk)) + goto exit; + /* check if should create a new subflow */ while (msk->pm.local_addr_used < endp_subflow_max && msk->pm.extra_subflows < limit_extra_subflows) { @@ -401,6 +405,8 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) __mptcp_subflow_connect(sk, &local, &addrs[i]); spin_lock_bh(&msk->pm.lock); } + +exit: mptcp_pm_nl_check_work_pending(msk); }

3 weeks, 6 days

3
2
0 0

[PATCH v2 0/9] dt-bindings: PCI: qcom: Add missing required power-domains and resets

by Krzysztof Kozlowski

Changes in v2: - Add also resets - Drop cc-stable tag in the last patch - Link to v1: https://patch.msgid.link/20251029-dt-bindings-pci-qcom-fixes-power-domains-… Recent binding changes forgot to make power-domains and resets required. I am not updating SC8180xp because it will be fixed other way in my next patchset. Best regards, Krzysztof --- Krzysztof Kozlowski (9): dt-bindings: PCI: qcom,pcie-sa8775p: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets dt-bindings: PCI: qcom,pcie-x1e80100: Add missing required power-domains and resets Documentation/devicetree/bindings/pci/qcom,pcie-sa8775p.yaml | 3 +++ Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml | 5 +++++ Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml | 3 +++ Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml | 5 +++++ Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml | 5 +++++ Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml | 5 +++++ Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml | 5 +++++ Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml | 5 +++++ Documentation/devicetree/bindings/pci/qcom,pcie-x1e80100.yaml | 5 +++++ 9 files changed, 41 insertions(+) --- base-commit: 326bbf6e2b1ce8d1e6166cce2ca414aa241c382f change-id: 20251029-dt-bindings-pci-qcom-fixes-power-domains-36a669b2e252 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

3 weeks, 6 days

4
10
0 0

[PATCH] media: az6007: validate I2C message length

by Nalivayko Sergey

syzbot reports a UBSAN issue as below: UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30 index 4096 is out of range for type 'unsigned char [4096]' CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0x11c/0x160 lib/ubsan.c:453 az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821 __i2c_transfer+0x6b3/0x2190 drivers/i2c/i2c-core-base.c:2259 i2c_transfer drivers/i2c/i2c-core-base.c:2315 [inline] i2c_transfer+0x1da/0x380 drivers/i2c/i2c-core-base.c:2291 i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343 i2c_master_recv include/linux/i2c.h:79 [inline] i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155 do_loop_readv_writev fs/read_write.c:845 [inline] do_loop_readv_writev fs/read_write.c:833 [inline] vfs_readv+0x6bc/0x8a0 fs/read_write.c:1018 do_preadv+0x1af/0x270 fs/read_write.c:1130 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The issue occurs because the az6007 driver does not validate the length of the received I2C message. While iterating over st->data, the index 'j' may exceed the maximum buffer size of 4096 elements. Add validation of msgs.len based on buffer length value passed to __az6007_read/write functions to prevent out-of-bounds access. Reported-by: syzbot+0192952caa411a3be209(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d8913f1760bc090ee46e\ Fixes: 71d676345698 ("[media] dvb: Add a new driver for az6007") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 65ef045b74ca..c966de4ea6e1 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -770,6 +770,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W/R addr=0x%x len=%d/%d\n", addr, msgs[i].len, msgs[i + 1].len); + if (msgs[i + 1].len + 6 > ARRAY_SIZE(st->data)) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -788,7 +792,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); - if (msgs[i].len < 1) { + if (msgs[i].len < 1 || msgs[i].len - 1 > ARRAY_SIZE(st->data)) { ret = -EIO; goto err; } @@ -806,7 +810,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); - if (msgs[i].len < 1) { + if (msgs[i].len < 1 || msgs[i].len + 6 > ARRAY_SIZE(st->data)) { ret = -EIO; goto err; } -- 2.39.5

3 weeks, 6 days

1
0
0 0

[PATCH 5.10] ASoC: SOF: Intel: hda: Fix potential buffer overflow by snprintf()

by Alexandra Diupina

From: Takashi Iwai <tiwai(a)suse.de> commit 94c1ceb043c1a002de9649bb630c8e8347645982 upstream. snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in the buffer overflow (although it's unrealistic). This patch replaces with a safer version, scnprintf() for papering over such a potential issue. Fixes: 29c8e4398f02 ("ASoC: SOF: Intel: hda: add extended rom status dump to error log") Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Link: https://lore.kernel.org/r/20220801165420.25978-4-tiwai@suse.de Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Alexandra Diupina <adiupina(a)astralinux.ru> --- Backport fix for CVE-2022-50050 sound/soc/sof/intel/hda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c index b4cc72483137..1d879c2b81e1 100644 --- a/sound/soc/sof/intel/hda.c +++ b/sound/soc/sof/intel/hda.c @@ -437,7 +437,7 @@ static void hda_dsp_dump_ext_rom_status(struct snd_sof_dev *sdev) for (i = 0; i < HDA_EXT_ROM_STATUS_SIZE; i++) { value = snd_sof_dsp_read(sdev, HDA_DSP_BAR, HDA_DSP_SRAM_REG_ROM_STATUS + i * 0x4); - len += snprintf(msg + len, sizeof(msg) - len, " 0x%x", value); + len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value); } sof_dev_dbg_or_err(sdev->dev, hda->boot_iteration == HDA_FW_BOOT_ATTEMPTS, -- 2.30.2

3 weeks, 6 days

1
0
0 0

[PATCH] PCI: j721e: Add config guards for Cadence Host and Endpoint library APIs

by Siddharth Vadapalli

Commit under Fixes enabled loadable module support for the driver under the assumption that it shall be the sole user of the Cadence Host and Endpoint library APIs. This assumption guarantees that we won't end up in a case where the driver is built-in and the library support is built as a loadable module. With the introduction of [1], this assumption is no longer valid. The SG2042 driver could be built as a loadable module, implying that the Cadence Host library is also selected as a loadable module. However, the pci-j721e.c driver could be built-in as indicated by CONFIG_PCI_J721E=y due to which the Cadence Endpoint library is built-in. Despite the library drivers being built as specified by their respective consumers, since the 'pci-j721e.c' driver has references to the Cadence Host library APIs as well, we run into a build error as reported at [0]. Fix this by adding config guards as a temporary workaround. The proper fix is to split the 'pci-j721e.c' driver into independent Host and Endpoint drivers as aligned at [2]. Fixes: a2790bf81f0f ("PCI: j721e: Add support to build as a loadable module") Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202511111705.MZ7ls8Hm-lkp@intel.com/ Cc: <stable(a)vger.kernel.org> [0]: https://lore.kernel.org/r/202511111705.MZ7ls8Hm-lkp@intel.com/ [1]: commit 1c72774df028 ("PCI: sg2042: Add Sophgo SG2042 PCIe driver") [2]: https://lore.kernel.org/r/37f6f8ce-12b2-44ee-a94c-f21b29c98821@app.fastmail… Suggested-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- drivers/pci/controller/cadence/pci-j721e.c | 43 +++++++++++++--------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index 5bc5ab20aa6d..67c5e02afccf 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -628,10 +628,12 @@ static int j721e_pcie_probe(struct platform_device *pdev) gpiod_set_value_cansleep(gpiod, 1); } - ret = cdns_pcie_host_setup(rc); - if (ret < 0) { - clk_disable_unprepare(pcie->refclk); - goto err_pcie_setup; + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { + ret = cdns_pcie_host_setup(rc); + if (ret < 0) { + clk_disable_unprepare(pcie->refclk); + goto err_pcie_setup; + } } break; @@ -642,9 +644,11 @@ static int j721e_pcie_probe(struct platform_device *pdev) goto err_get_sync; } - ret = cdns_pcie_ep_setup(ep); - if (ret < 0) - goto err_pcie_setup; + if (IS_ENABLED(CONFIG_PCI_J721E_EP)) { + ret = cdns_pcie_ep_setup(ep); + if (ret < 0) + goto err_pcie_setup; + } break; } @@ -669,10 +673,11 @@ static void j721e_pcie_remove(struct platform_device *pdev) struct cdns_pcie_ep *ep; struct cdns_pcie_rc *rc; - if (pcie->mode == PCI_MODE_RC) { + if (IS_ENABLED(CONFIG_PCI_J721E_HOST) && + pcie->mode == PCI_MODE_RC) { rc = container_of(cdns_pcie, struct cdns_pcie_rc, pcie); cdns_pcie_host_disable(rc); - } else { + } else if (IS_ENABLED(CONFIG_PCI_J721E_EP)) { ep = container_of(cdns_pcie, struct cdns_pcie_ep, pcie); cdns_pcie_ep_disable(ep); } @@ -739,10 +744,12 @@ static int j721e_pcie_resume_noirq(struct device *dev) gpiod_set_value_cansleep(pcie->reset_gpio, 1); } - ret = cdns_pcie_host_link_setup(rc); - if (ret < 0) { - clk_disable_unprepare(pcie->refclk); - return ret; + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { + ret = cdns_pcie_host_link_setup(rc); + if (ret < 0) { + clk_disable_unprepare(pcie->refclk); + return ret; + } } /* @@ -752,10 +759,12 @@ static int j721e_pcie_resume_noirq(struct device *dev) for (enum cdns_pcie_rp_bar bar = RP_BAR0; bar <= RP_NO_BAR; bar++) rc->avail_ib_bar[bar] = true; - ret = cdns_pcie_host_init(rc); - if (ret) { - clk_disable_unprepare(pcie->refclk); - return ret; + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { + ret = cdns_pcie_host_init(rc); + if (ret) { + clk_disable_unprepare(pcie->refclk); + return ret; + } } } -- 2.51.1

3 weeks, 6 days

2
1
0 0

[REGRESSION] Bluetooth adapter provided by `btusb` not recognized since v6.13.2

by incogcyberpunk＠proton.me

#regzbot introduced: v6.13.1..v6.13.2 Distro: Arch Linux Kernel: since v6.13.2 The bluetooth adapter would be recognized and the bluetooth worked flawlessly till v6.13.1 , but since the v6.13.2 , the bluetooth adapter doesn't get recognized by the bluetooth service and therefore the bluetooth functionality doesn't work . I suspect the bluetooth's driver failing to load at the kernel-level. - The output of bluetoothctl : $: bluetoothctl Agent registered [bluetoothctl]> list [bluetoothctl]> devices No default controller available [bluetoothctl]> - The output of systemctl status bluetooth.service : ● bluetooth.service - Bluetooth service Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; preset: disabled) Active: active (running) since Sat 2025-11-15 22:57:00 +0545; 1 day 8h ago Invocation: bddf190655fd4a4290d41cde594f2efa Docs: man:bluetoothd(8) Main PID: 617 (bluetoothd) Status: "Running" Tasks: 1 (limit: 18701) Memory: 2.8M (peak: 3.8M) CPU: 38ms CGroup: /system.slice/bluetooth.service └─617 /usr/lib/bluetooth/bluetoothd Nov 15 22:57:00 Incog systemd[1]: Starting Bluetooth service... Nov 15 22:57:00 Incog bluetoothd[617]: Bluetooth daemon 5.84 Nov 15 22:57:00 Incog systemd[1]: Started Bluetooth service. Nov 15 22:57:00 Incog bluetoothd[617]: Starting SDP server Nov 15 22:57:00 Incog bluetoothd[617]: Bluetooth management interface 1.23 initialized - The output of lspci is attached below . - The logs for journalctl -b for both v6.13.1 and v6.13.2 are attached below. Regards, IncogCyberpunk

3 weeks, 6 days

2
2
0 0

[PATCH] mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions

by Christian Marangi

Commit 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing result") introduced some kind of regression with parser on subpartitions where if a parser emits an error then the entire parsing process from the upper parser fails and partitions are deleted. Not checking for error in subpartitions was originally intended as special parser can emit error also in the case of the partition not correctly init (for example a wiped partition) or special case where the partition should be skipped due to some ENV variables externally provided (from bootloader for example) One example case is the TRX partition where, in the context of a wiped partition, returns a -ENOENT as the trx_magic is not found in the expected TRX header (as the partition is wiped) To better handle this and still keep some kind of error tracking (for example to catch -ENOMEM errors or -EINVAL errors), permit parser on subpartition to emit -ENOENT error, print a debug log and skip them accordingly. This results in giving better tracking of the status of the parser (instead of returning just 0, dropping any kind of signal that there is something wrong with the parser) and to some degree restore the original logic of the subpartitions parse. (worth to notice that some special partition might have all the special header present for the parser and declare 0 partition in it, this is why it would be wrong to simply return 0 in the case of a special partition that is NOT init for the scanning parser) Cc: stable(a)vger.kernel.org Fixes: 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing result") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/mtd/mtdpart.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c index 994e8c51e674..2876501a7814 100644 --- a/drivers/mtd/mtdpart.c +++ b/drivers/mtd/mtdpart.c @@ -425,9 +425,12 @@ int add_mtd_partitions(struct mtd_info *parent, mtd_add_partition_attrs(child); - /* Look for subpartitions */ + /* Look for subpartitions (skip if no maching parser found) */ ret = parse_mtd_partitions(child, parts[i].types, NULL); - if (ret < 0) { + if (ret < 0 && ret == -ENOENT) { + pr_debug("Skip parsing subpartitions: %d\n", ret); + continue; + } else if (ret < 0) { pr_err("Failed to parse subpartitions: %d\n", ret); goto err_del_partitions; } -- 2.51.0

3 weeks, 6 days

2
4
0 0

[PATCH] can: rcar_canfd: Fix controller mode setting for RZ/G2L SoCs

by Biju

From: Biju Das <biju.das.jz(a)bp.renesas.com> The commit 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting") applies to all SoCs except the RZ/G2L family of SoCs. As per RZ/G2L hardware manual "Figure 28.16 CAN Setting Procedure after the MCU is Reset" CAN mode needs to be set before channel reset. Add the mode_before_ch_rst variable to struct rcar_canfd_hw_info to handle this difference. The above commit also breaks CANFD functionality on RZ/G3E. Adapt this change to RZ/G3E, as well as it works ok by following the initialisation sequence of RZ/G2L. Fixes: 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- drivers/net/can/rcar/rcar_canfd.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c index 49ab65274b51..1724fa5dace6 100644 --- a/drivers/net/can/rcar/rcar_canfd.c +++ b/drivers/net/can/rcar/rcar_canfd.c @@ -444,6 +444,7 @@ struct rcar_canfd_hw_info { unsigned ch_interface_mode:1; /* Has channel interface mode */ unsigned shared_can_regs:1; /* Has shared classical can registers */ unsigned external_clk:1; /* Has external clock */ + unsigned mode_before_ch_rst:1; /* Has set mode before channel reset */ }; /* Channel priv data */ @@ -615,6 +616,7 @@ static const struct rcar_canfd_hw_info rcar_gen3_hw_info = { .ch_interface_mode = 0, .shared_can_regs = 0, .external_clk = 1, + .mode_before_ch_rst = 0, }; static const struct rcar_canfd_hw_info rcar_gen4_hw_info = { @@ -632,6 +634,7 @@ static const struct rcar_canfd_hw_info rcar_gen4_hw_info = { .ch_interface_mode = 1, .shared_can_regs = 1, .external_clk = 1, + .mode_before_ch_rst = 0, }; static const struct rcar_canfd_hw_info rzg2l_hw_info = { @@ -649,6 +652,7 @@ static const struct rcar_canfd_hw_info rzg2l_hw_info = { .ch_interface_mode = 0, .shared_can_regs = 0, .external_clk = 1, + .mode_before_ch_rst = 1, }; static const struct rcar_canfd_hw_info r9a09g047_hw_info = { @@ -666,6 +670,7 @@ static const struct rcar_canfd_hw_info r9a09g047_hw_info = { .ch_interface_mode = 1, .shared_can_regs = 1, .external_clk = 0, + .mode_before_ch_rst = 1, }; /* Helper functions */ @@ -806,6 +811,10 @@ static int rcar_canfd_reset_controller(struct rcar_canfd_global *gpriv) /* Reset Global error flags */ rcar_canfd_write(gpriv->base, RCANFD_GERFL, 0x0); + /* RZ/G2L SoC needs setting the mode before channel reset */ + if (gpriv->info->mode_before_ch_rst) + rcar_canfd_set_mode(gpriv); + /* Transition all Channels to reset mode */ for_each_set_bit(ch, &gpriv->channels_mask, gpriv->info->max_channels) { rcar_canfd_clear_bit(gpriv->base, @@ -826,7 +835,8 @@ static int rcar_canfd_reset_controller(struct rcar_canfd_global *gpriv) } /* Set the controller into appropriate mode */ - rcar_canfd_set_mode(gpriv); + if (!gpriv->info->mode_before_ch_rst) + rcar_canfd_set_mode(gpriv); return 0; } -- 2.43.0

3 weeks, 6 days

4
6
0 0

[PATCH] PCI: cadence: Kconfig: change PCIE_CADENCE configs from tristate to bool

by Siddharth Vadapalli

The drivers associated with the PCIE_CADENCE, PCIE_CADENCE_HOST AND PCIE_CADENCE_EP configs are used by multiple vendor drivers and serve as a library of helpers. Since the vendor drivers could individually be built as built-in or as loadable modules, it is possible to select a build configuration wherein a vendor driver is built-in while the library is built as a loadable module. This will result in a build error as reported in the 'Closes' link below. Address the build error by changing the library configs to be 'bool' instead of 'tristate'. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202511111705.MZ7ls8Hm-lkp@intel.com/ Fixes: 1c72774df028 ("PCI: sg2042: Add Sophgo SG2042 PCIe driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- drivers/pci/controller/cadence/Kconfig | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/pci/controller/cadence/Kconfig b/drivers/pci/controller/cadence/Kconfig index 02a639e55fd8..980da64ce730 100644 --- a/drivers/pci/controller/cadence/Kconfig +++ b/drivers/pci/controller/cadence/Kconfig @@ -4,16 +4,16 @@ menu "Cadence-based PCIe controllers" depends on PCI config PCIE_CADENCE - tristate + bool config PCIE_CADENCE_HOST - tristate + bool depends on OF select IRQ_DOMAIN select PCIE_CADENCE config PCIE_CADENCE_EP - tristate + bool depends on OF depends on PCI_ENDPOINT select PCIE_CADENCE -- 2.51.1

3 weeks, 6 days

4
11
0 0

[PATCH 6.12.y] mm, percpu: do not consider sleepable allocations atomic

by mambaxin＠163.com

From: Michal Hocko <mhocko(a)suse.com> [ Upstream commit 9a5b183941b52f84c0f9e5f27ce44e99318c9e0f ] 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") has fixed a reclaim recursion for scoped GFP_NOFS context. It has done that by avoiding taking pcpu_alloc_mutex. This is a correct solution as the worker context with full GFP_KERNEL allocation/reclaim power and which is using the same lock cannot block the NOFS pcpu_alloc caller. On the other hand this is a very conservative approach that could lead to failures because pcpu_alloc lockless implementation is quite limited. We have a bug report about premature failures when scsi array of 193 devices is scanned. Sometimes (not consistently) the scanning aborts because the iscsid daemon fails to create the queue for a random scsi device during the scan. iscsid itself is running with PR_SET_IO_FLUSHER set so all allocations from this process context are GFP_NOIO. This in turn makes any pcpu_alloc lockless (without pcpu_alloc_mutex) which leads to pre-mature failures. It has turned out that iscsid has worked around this by dropping PR_SET_IO_FLUSHER (https://github.com/open-iscsi/open-iscsi/pull/382) when scanning host. But we can do better in this case on the kernel side and use pcpu_alloc_mutex for NOIO resp. NOFS constrained allocation scopes too. We just need the WQ worker to never trigger IO/FS reclaim. Achieve that by enforcing scoped GFP_NOIO for the whole execution of pcpu_balance_workfn (this will imply NOFS constrain as well). This will remove the dependency chain and preserve the full allocation power of the pcpu_alloc call. While at it make is_atomic really test for blockable allocations. Link: https://lkml.kernel.org/r/20250206122633.167896-1-mhocko@kernel.org Fixes: 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Filipe David Manana <fdmanana(a)suse.com> Cc: Tejun Heo <tj(a)kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: chenxin <chenxinxin(a)xiaomi.com> --- mm/percpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/percpu.c b/mm/percpu.c index fb0307723da6..44764720b6d8 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1758,7 +1758,7 @@ void __percpu *pcpu_alloc_noprof(size_t size, size_t align, bool reserved, gfp = current_gfp_context(gfp); /* whitelisted flags that can be passed to the backing allocators */ pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = !gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); /* @@ -2203,7 +2203,12 @@ static void pcpu_balance_workfn(struct work_struct *work) * to grow other chunks. This then gives pcpu_reclaim_populated() time * to move fully free chunks to the active list to be freed if * appropriate. + * + * Enforce GFP_NOIO allocations because we have pcpu_alloc users + * constrained to GFP_NOIO/NOFS contexts and they could form lock + * dependency through pcpu_alloc_mutex */ + unsigned int flags = memalloc_noio_save(); mutex_lock(&pcpu_alloc_mutex); spin_lock_irq(&pcpu_lock); @@ -2214,6 +2219,7 @@ static void pcpu_balance_workfn(struct work_struct *work) spin_unlock_irq(&pcpu_lock); mutex_unlock(&pcpu_alloc_mutex); + memalloc_noio_restore(flags); } /** -- 2.50.1

3 weeks, 6 days

1
0
0 0

[PATCH 6.6.y] mm, percpu: do not consider sleepable allocations atomic

by mambaxin＠163.com

From: Michal Hocko <mhocko(a)suse.com> [ Upstream commit 9a5b183941b52f84c0f9e5f27ce44e99318c9e0f ] 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") has fixed a reclaim recursion for scoped GFP_NOFS context. It has done that by avoiding taking pcpu_alloc_mutex. This is a correct solution as the worker context with full GFP_KERNEL allocation/reclaim power and which is using the same lock cannot block the NOFS pcpu_alloc caller. On the other hand this is a very conservative approach that could lead to failures because pcpu_alloc lockless implementation is quite limited. We have a bug report about premature failures when scsi array of 193 devices is scanned. Sometimes (not consistently) the scanning aborts because the iscsid daemon fails to create the queue for a random scsi device during the scan. iscsid itself is running with PR_SET_IO_FLUSHER set so all allocations from this process context are GFP_NOIO. This in turn makes any pcpu_alloc lockless (without pcpu_alloc_mutex) which leads to pre-mature failures. It has turned out that iscsid has worked around this by dropping PR_SET_IO_FLUSHER (https://github.com/open-iscsi/open-iscsi/pull/382) when scanning host. But we can do better in this case on the kernel side and use pcpu_alloc_mutex for NOIO resp. NOFS constrained allocation scopes too. We just need the WQ worker to never trigger IO/FS reclaim. Achieve that by enforcing scoped GFP_NOIO for the whole execution of pcpu_balance_workfn (this will imply NOFS constrain as well). This will remove the dependency chain and preserve the full allocation power of the pcpu_alloc call. While at it make is_atomic really test for blockable allocations. Link: https://lkml.kernel.org/r/20250206122633.167896-1-mhocko@kernel.org Fixes: 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Filipe David Manana <fdmanana(a)suse.com> Cc: Tejun Heo <tj(a)kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: chenxin <chenxinxin(a)xiaomi.com> --- mm/percpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/percpu.c b/mm/percpu.c index 38d5121c2b65..54c2988a7496 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1734,7 +1734,7 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved, gfp = current_gfp_context(gfp); /* whitelisted flags that can be passed to the backing allocators */ pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = !gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); /* @@ -2231,7 +2231,12 @@ static void pcpu_balance_workfn(struct work_struct *work) * to grow other chunks. This then gives pcpu_reclaim_populated() time * to move fully free chunks to the active list to be freed if * appropriate. + * + * Enforce GFP_NOIO allocations because we have pcpu_alloc users + * constrained to GFP_NOIO/NOFS contexts and they could form lock + * dependency through pcpu_alloc_mutex */ + unsigned int flags = memalloc_noio_save(); mutex_lock(&pcpu_alloc_mutex); spin_lock_irq(&pcpu_lock); @@ -2242,6 +2247,7 @@ static void pcpu_balance_workfn(struct work_struct *work) spin_unlock_irq(&pcpu_lock); mutex_unlock(&pcpu_alloc_mutex); + memalloc_noio_restore(flags); } /** -- 2.50.1

3 weeks, 6 days

1
0
0 0

[PATCH 6.1.y] mm, percpu: do not consider sleepable allocations atomic

by mambaxin＠163.com

From: Michal Hocko <mhocko(a)suse.com> [ Upstream commit 9a5b183941b52f84c0f9e5f27ce44e99318c9e0f ] 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") has fixed a reclaim recursion for scoped GFP_NOFS context. It has done that by avoiding taking pcpu_alloc_mutex. This is a correct solution as the worker context with full GFP_KERNEL allocation/reclaim power and which is using the same lock cannot block the NOFS pcpu_alloc caller. On the other hand this is a very conservative approach that could lead to failures because pcpu_alloc lockless implementation is quite limited. We have a bug report about premature failures when scsi array of 193 devices is scanned. Sometimes (not consistently) the scanning aborts because the iscsid daemon fails to create the queue for a random scsi device during the scan. iscsid itself is running with PR_SET_IO_FLUSHER set so all allocations from this process context are GFP_NOIO. This in turn makes any pcpu_alloc lockless (without pcpu_alloc_mutex) which leads to pre-mature failures. It has turned out that iscsid has worked around this by dropping PR_SET_IO_FLUSHER (https://github.com/open-iscsi/open-iscsi/pull/382) when scanning host. But we can do better in this case on the kernel side and use pcpu_alloc_mutex for NOIO resp. NOFS constrained allocation scopes too. We just need the WQ worker to never trigger IO/FS reclaim. Achieve that by enforcing scoped GFP_NOIO for the whole execution of pcpu_balance_workfn (this will imply NOFS constrain as well). This will remove the dependency chain and preserve the full allocation power of the pcpu_alloc call. While at it make is_atomic really test for blockable allocations. Link: https://lkml.kernel.org/r/20250206122633.167896-1-mhocko@kernel.org Fixes: 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Filipe David Manana <fdmanana(a)suse.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: chenxin <chenxinxin(a)xiaomi.com> --- mm/percpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/percpu.c b/mm/percpu.c index 39e645dfd46c..651101c895ed 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1737,7 +1737,7 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved, gfp = current_gfp_context(gfp); /* whitelisted flags that can be passed to the backing allocators */ pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = !gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); /* @@ -2237,7 +2237,12 @@ static void pcpu_balance_workfn(struct work_struct *work) * to grow other chunks. This then gives pcpu_reclaim_populated() time * to move fully free chunks to the active list to be freed if * appropriate. + * + * Enforce GFP_NOIO allocations because we have pcpu_alloc users + * constrained to GFP_NOIO/NOFS contexts and they could form lock + * dependency through pcpu_alloc_mutex */ + unsigned int flags = memalloc_noio_save(); mutex_lock(&pcpu_alloc_mutex); spin_lock_irq(&pcpu_lock); @@ -2248,6 +2253,7 @@ static void pcpu_balance_workfn(struct work_struct *work) spin_unlock_irq(&pcpu_lock); mutex_unlock(&pcpu_alloc_mutex); + memalloc_noio_restore(flags); } /** -- 2.50.1

3 weeks, 6 days

1
0
0 0

[PATCH 6.1.y] espintcp: fix skb leaks

by ruohanlan＠aliyun.com

From: Sabrina Dubroca <sd(a)queasysnail.net> [ Upstream commit 63c1f19a3be3169e51a5812d22a6d0c879414076 ] A few error paths are missing a kfree_skb. Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)") Signed-off-by: Sabrina Dubroca <sd(a)queasysnail.net> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> [ Minor context change fixed. ] Signed-off-by: Ruohan Lan <ruohanlan(a)aliyun.com> --- net/ipv4/esp4.c | 4 +++- net/ipv6/esp6.c | 4 +++- net/xfrm/espintcp.c | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 8f5417ff355d..a40f78a6474c 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -152,8 +152,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb) sk = esp_find_tcp_sk(x); err = PTR_ERR_OR_ZERO(sk); - if (err) + if (err) { + kfree_skb(skb); goto out; + } bh_lock_sock(sk); if (sock_owned_by_user(sk)) diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 085a83b807af..48963fc9057b 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -169,8 +169,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb) sk = esp6_find_tcp_sk(x); err = PTR_ERR_OR_ZERO(sk); - if (err) + if (err) { + kfree_skb(skb); goto out; + } bh_lock_sock(sk); if (sock_owned_by_user(sk)) diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c index d6fece1ed982..b26fbaead7a5 100644 --- a/net/xfrm/espintcp.c +++ b/net/xfrm/espintcp.c @@ -168,8 +168,10 @@ int espintcp_queue_out(struct sock *sk, struct sk_buff *skb) { struct espintcp_ctx *ctx = espintcp_getctx(sk); - if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) + if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) { + kfree_skb(skb); return -ENOBUFS; + } __skb_queue_tail(&ctx->out_queue, skb); -- 2.43.0

3 weeks, 6 days

2
1
0 0

[PATCH v3 0/1] Bluetooth: btqca: Add WCN6855 firmware priority selection feature

by Shuai Zhang

Update WCN6855 firmware to use the new FW file and added a fallback mechanism. changed v2: - Remove CC satble - Update commit - add test steps and log - Link to v2 https://lore.kernel.org/all/20251114081751.3940541-2-shuai.zhang@oss.qualco… Changes v2: - Add Fixes tag. - Add comments in the commit and code to explain the reason for the changes. - Link to v1 https://lore.kernel.org/all/20251112074638.1592864-1-quic_shuaz@quicinc.com/ Shuai Zhang (1): Bluetooth: btqca: Add WCN6855 firmware priority selection feature drivers/bluetooth/btqca.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) -- 2.34.1

4 weeks

2
2
0 0

[PATCH 6.1.y] Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'

by alvalan9＠foxmail.com

From: Arseniy Krasnov <avkrasnov(a)salutedevices.com> [ Upstream commit 2935e556850e9c94d7a00adf14d3cd7fe406ac03 ] Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'update_passive_scan_sync()' 'hci_update_passive_scan_sync()' 'hci_discovery_filter_clear()' kfree(uuids); <-------------------------preempted--------------------------------> 'start_service_discovery()' 'hci_discovery_filter_clear()' kfree(uuids); // DOUBLE FREE <-------------------------preempted--------------------------------> uuids = NULL; To fix it let's add locking around 'kfree()' call and NULL pointer assignment. Otherwise the following backtrace fires: [ ] ------------[ cut here ]------------ [ ] kernel BUG at mm/slub.c:547! [ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1 [ ] Tainted: [O]=OOT_MODULE [ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ ] pc : __slab_free+0xf8/0x348 [ ] lr : __slab_free+0x48/0x348 ... [ ] Call trace: [ ] __slab_free+0xf8/0x348 [ ] kfree+0x164/0x27c [ ] start_service_discovery+0x1d0/0x2c0 [ ] hci_sock_sendmsg+0x518/0x924 [ ] __sock_sendmsg+0x54/0x60 [ ] sock_write_iter+0x98/0xf8 [ ] do_iter_readv_writev+0xe4/0x1c8 [ ] vfs_writev+0x128/0x2b0 [ ] do_writev+0xfc/0x118 [ ] __arm64_sys_writev+0x20/0x2c [ ] invoke_syscall+0x68/0xf0 [ ] el0_svc_common.constprop.0+0x40/0xe0 [ ] do_el0_svc+0x1c/0x28 [ ] el0_svc+0x30/0xd0 [ ] el0t_64_sync_handler+0x100/0x12c [ ] el0t_64_sync+0x194/0x198 [ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000) [ ] ---[ end trace 0000000000000000 ]--- Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled") Signed-off-by: Arseniy Krasnov <avkrasnov(a)salutedevices.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Minor context change fixed. ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- include/net/bluetooth/hci_core.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 4a1faf11785f..b0a7ceb99eec 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h @@ -28,7 +28,7 @@ #include <linux/idr.h> #include <linux/leds.h> #include <linux/rculist.h> - +#include <linux/spinlock.h> #include <net/bluetooth/hci.h> #include <net/bluetooth/hci_sync.h> #include <net/bluetooth/hci_sock.h> @@ -92,6 +92,7 @@ struct discovery_state { unsigned long scan_start; unsigned long scan_duration; unsigned long name_resolve_timeout; + spinlock_t lock; }; #define SUSPEND_NOTIFIER_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */ @@ -881,6 +882,7 @@ static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, static inline void discovery_init(struct hci_dev *hdev) { + spin_lock_init(&hdev->discovery.lock); hdev->discovery.state = DISCOVERY_STOPPED; INIT_LIST_HEAD(&hdev->discovery.all); INIT_LIST_HEAD(&hdev->discovery.unknown); @@ -895,8 +897,12 @@ static inline void hci_discovery_filter_clear(struct hci_dev *hdev) hdev->discovery.report_invalid_rssi = true; hdev->discovery.rssi = HCI_RSSI_INVALID; hdev->discovery.uuid_count = 0; + + spin_lock(&hdev->discovery.lock); kfree(hdev->discovery.uuids); hdev->discovery.uuids = NULL; + spin_unlock(&hdev->discovery.lock); + hdev->discovery.scan_start = 0; hdev->discovery.scan_duration = 0; } -- 2.43.0

4 weeks

2
1
0 0

[merged mm-stable] mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() has been removed from the -mm tree. Its filename was mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() Date: Sat, 1 Nov 2025 11:20:14 -0700 damon_sysfs_test_add_targets() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-21-sj@kernel.org Fixes: b8ee5575f763 ("mm/damon/sysfs-test: add a unit test for damon_sysfs_set_targets()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.7+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/sysfs-kunit.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) --- a/mm/damon/tests/sysfs-kunit.h~mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets +++ a/mm/damon/tests/sysfs-kunit.h @@ -45,16 +45,41 @@ static void damon_sysfs_test_add_targets struct damon_ctx *ctx; sysfs_targets = damon_sysfs_targets_alloc(); + if (!sysfs_targets) + kunit_skip(test, "sysfs_targets alloc fail"); sysfs_targets->nr = 1; sysfs_targets->targets_arr = kmalloc_array(1, sizeof(*sysfs_targets->targets_arr), GFP_KERNEL); + if (!sysfs_targets->targets_arr) { + kfree(sysfs_targets); + kunit_skip(test, "targets_arr alloc fail"); + } sysfs_target = damon_sysfs_target_alloc(); + if (!sysfs_target) { + kfree(sysfs_targets->targets_arr); + kfree(sysfs_targets); + kunit_skip(test, "sysfs_target alloc fail"); + } sysfs_target->pid = __damon_sysfs_test_get_any_pid(12, 100); sysfs_target->regions = damon_sysfs_regions_alloc(); + if (!sysfs_target->regions) { + kfree(sysfs_targets->targets_arr); + kfree(sysfs_targets); + kfree(sysfs_target); + kunit_skip(test, "sysfs_regions alloc fail"); + } + sysfs_targets->targets_arr[0] = sysfs_target; ctx = damon_new_ctx(); + if (!ctx) { + kfree(sysfs_targets->targets_arr); + kfree(sysfs_targets); + kfree(sysfs_target); + kfree(sysfs_target->regions); + kunit_skip(test, "ctx alloc fail"); + } damon_sysfs_add_targets(ctx, sysfs_targets); KUNIT_EXPECT_EQ(test, 1u, nr_damon_targets(ctx)); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() has been removed from the -mm tree. Its filename was mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Date: Sat, 1 Nov 2025 11:20:13 -0700 damon_test_split_evenly_succ() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-20-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/vaddr-kunit.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/mm/damon/tests/vaddr-kunit.h~mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ +++ a/mm/damon/tests/vaddr-kunit.h @@ -284,10 +284,17 @@ static void damon_test_split_evenly_succ unsigned long start, unsigned long end, unsigned int nr_pieces) { struct damon_target *t = damon_new_target(); - struct damon_region *r = damon_new_region(start, end); + struct damon_region *r; unsigned long expected_width = (end - start) / nr_pieces; unsigned long i = 0; + if (!t) + kunit_skip(test, "target alloc fail"); + r = damon_new_region(start, end); + if (!r) { + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } damon_add_region(r, t); KUNIT_EXPECT_EQ(test, damon_va_evenly_split_region(t, r, nr_pieces), 0); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() has been removed from the -mm tree. Its filename was mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Date: Sat, 1 Nov 2025 11:20:12 -0700 damon_test_split_evenly_fail() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-19-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/vaddr-kunit.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/mm/damon/tests/vaddr-kunit.h~mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail +++ a/mm/damon/tests/vaddr-kunit.h @@ -256,7 +256,16 @@ static void damon_test_split_evenly_fail unsigned long start, unsigned long end, unsigned int nr_pieces) { struct damon_target *t = damon_new_target(); - struct damon_region *r = damon_new_region(start, end); + struct damon_region *r; + + if (!t) + kunit_skip(test, "target alloc fail"); + + r = damon_new_region(start, end); + if (!r) { + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } damon_add_region(r, t); KUNIT_EXPECT_EQ(test, _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_do_test_apply_three_regions.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() has been removed from the -mm tree. Its filename was mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_do_test_apply_three_regions.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Date: Sat, 1 Nov 2025 11:20:11 -0700 damon_do_test_apply_three_regions() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-18-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/vaddr-kunit.h | 6 ++++++ 1 file changed, 6 insertions(+) --- a/mm/damon/tests/vaddr-kunit.h~mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_do_test_apply_three_regions +++ a/mm/damon/tests/vaddr-kunit.h @@ -136,8 +136,14 @@ static void damon_do_test_apply_three_re int i; t = damon_new_target(); + if (!t) + kunit_skip(test, "target alloc fail"); for (i = 0; i < nr_regions / 2; i++) { r = damon_new_region(regions[i * 2], regions[i * 2 + 1]); + if (!r) { + damon_destroy_target(t, NULL); + kunit_skip(test, "region alloc fail"); + } damon_add_region(r, t); } _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_set_filters_default_reject.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_set_filters_default_reject() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_set_filters_default_reject.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_set_filters_default_reject() Date: Sat, 1 Nov 2025 11:20:10 -0700 damon_test_set_filters_default_reject() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-17-sj@kernel.org Fixes: 094fb14913c7 ("mm/damon/tests/core-kunit: add a test for damos_set_filters_default_reject()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.16+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 6 ++++++ 1 file changed, 6 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_set_filters_default_reject +++ a/mm/damon/tests/core-kunit.h @@ -659,6 +659,8 @@ static void damon_test_set_filters_defau KUNIT_EXPECT_EQ(test, scheme.ops_filters_default_reject, false); target_filter = damos_new_filter(DAMOS_FILTER_TYPE_TARGET, true, true); + if (!target_filter) + kunit_skip(test, "filter alloc fail"); damos_add_filter(&scheme, target_filter); damos_set_filters_default_reject(&scheme); /* @@ -684,6 +686,10 @@ static void damon_test_set_filters_defau KUNIT_EXPECT_EQ(test, scheme.ops_filters_default_reject, false); anon_filter = damos_new_filter(DAMOS_FILTER_TYPE_ANON, true, true); + if (!anon_filter) { + damos_free_filter(target_filter); + kunit_skip(test, "anon_filter alloc fail"); + } damos_add_filter(&scheme, anon_filter); damos_set_filters_default_reject(&scheme); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-on-damos_test_filter_out.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-on-damos_test_filter_out.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out() Date: Sat, 1 Nov 2025 11:20:09 -0700 damon_test_filter_out() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-16-sj@kernel.org Fixes: 26713c890875 ("mm/damon/core-test: add a unit test for __damos_filter_out()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 11 +++++++++++ 1 file changed, 11 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-on-damos_test_filter_out +++ a/mm/damon/tests/core-kunit.h @@ -542,11 +542,22 @@ static void damos_test_filter_out(struct struct damos_filter *f; f = damos_new_filter(DAMOS_FILTER_TYPE_ADDR, true, false); + if (!f) + kunit_skip(test, "filter alloc fail"); f->addr_range = (struct damon_addr_range){ .start = DAMON_MIN_REGION * 2, .end = DAMON_MIN_REGION * 6}; t = damon_new_target(); + if (!t) { + damos_destroy_filter(f); + kunit_skip(test, "target alloc fail"); + } r = damon_new_region(DAMON_MIN_REGION * 3, DAMON_MIN_REGION * 5); + if (!r) { + damos_destroy_filter(f); + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } damon_add_region(r, t); /* region in the range */ _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failure-on-damos_test_commit_filter.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failure on damos_test_commit_filter() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failure-on-damos_test_commit_filter.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failure on damos_test_commit_filter() Date: Sat, 1 Nov 2025 11:20:08 -0700 damon_test_commit_filter() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-15-sj@kernel.org Fixes: f6a4a150f1ec ("mm/damon/tests/core-kunit: add damos_commit_filter test") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.18+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failure-on-damos_test_commit_filter +++ a/mm/damon/tests/core-kunit.h @@ -516,11 +516,16 @@ static void damos_test_new_filter(struct static void damos_test_commit_filter(struct kunit *test) { - struct damos_filter *src_filter = damos_new_filter( - DAMOS_FILTER_TYPE_ANON, true, true); - struct damos_filter *dst_filter = damos_new_filter( - DAMOS_FILTER_TYPE_ACTIVE, false, false); + struct damos_filter *src_filter, *dst_filter; + src_filter = damos_new_filter(DAMOS_FILTER_TYPE_ANON, true, true); + if (!src_filter) + kunit_skip(test, "src filter alloc fail"); + dst_filter = damos_new_filter(DAMOS_FILTER_TYPE_ACTIVE, false, false); + if (!dst_filter) { + damos_destroy_filter(src_filter); + kunit_skip(test, "dst filter alloc fail"); + } damos_commit_filter(dst_filter, src_filter); KUNIT_EXPECT_EQ(test, dst_filter->type, src_filter->type); KUNIT_EXPECT_EQ(test, dst_filter->matching, src_filter->matching); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failres-in-damon_test_new_filter.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failres-in-damon_test_new_filter.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Date: Sat, 1 Nov 2025 11:20:07 -0700 damon_test_new_filter() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-14-sj@kernel.org Fixes: 2a158e956b98 ("mm/damon/core-test: add a test for damos_new_filter()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failres-in-damon_test_new_filter +++ a/mm/damon/tests/core-kunit.h @@ -505,6 +505,8 @@ static void damos_test_new_filter(struct struct damos_filter *filter; filter = damos_new_filter(DAMOS_FILTER_TYPE_ANON, true, false); + if (!filter) + kunit_skip(test, "filter alloc fail"); KUNIT_EXPECT_EQ(test, filter->type, DAMOS_FILTER_TYPE_ANON); KUNIT_EXPECT_EQ(test, filter->matching, true); KUNIT_EXPECT_PTR_EQ(test, filter->list.prev, &filter->list); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Date: Sat, 1 Nov 2025 11:20:06 -0700 damon_test_set_attrs() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-13-sj@kernel.org Fixes: aa13779be6b7 ("mm/damon/core-test: add a test for damon_set_attrs()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.5+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs +++ a/mm/damon/tests/core-kunit.h @@ -465,6 +465,9 @@ static void damon_test_set_attrs(struct .sample_interval = 5000, .aggr_interval = 100000,}; struct damon_attrs invalid_attrs; + if (!c) + kunit_skip(test, "ctx alloc fail"); + KUNIT_EXPECT_EQ(test, damon_set_attrs(c, &valid_attrs), 0); invalid_attrs = valid_attrs; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Date: Sat, 1 Nov 2025 11:20:05 -0700 damon_test_update_monitoring_result() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-12-sj@kernel.org Fixes: f4c978b6594b ("mm/damon/core-test: add a test for damon_update_monitoring_results()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.3+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result +++ a/mm/damon/tests/core-kunit.h @@ -429,6 +429,9 @@ static void damon_test_update_monitoring struct damon_attrs new_attrs; struct damon_region *r = damon_new_region(3, 7); + if (!r) + kunit_skip(test, "region alloc fail"); + r->nr_accesses = 15; r->nr_accesses_bp = 150000; r->age = 20; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Date: Sat, 1 Nov 2025 11:20:04 -0700 damon_test_set_regions() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-11-sj@kernel.org Fixes: 62f409560eb2 ("mm/damon/core-test: test damon_set_regions") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.1+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions +++ a/mm/damon/tests/core-kunit.h @@ -368,13 +368,26 @@ static void damon_test_ops_registration( static void damon_test_set_regions(struct kunit *test) { struct damon_target *t = damon_new_target(); - struct damon_region *r1 = damon_new_region(4, 16); - struct damon_region *r2 = damon_new_region(24, 32); + struct damon_region *r1, *r2; struct damon_addr_range range = {.start = 8, .end = 28}; unsigned long expects[] = {8, 16, 16, 24, 24, 28}; int expect_idx = 0; struct damon_region *r; + if (!t) + kunit_skip(test, "target alloc fail"); + r1 = damon_new_region(4, 16); + if (!r1) { + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } + r2 = damon_new_region(24, 32); + if (!r2) { + damon_free_target(t); + damon_free_region(r1); + kunit_skip(test, "second region alloc fail"); + } + damon_add_region(r1, t); damon_add_region(r2, t); damon_set_regions(t, &range, 1, DAMON_MIN_REGION); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Date: Sat, 1 Nov 2025 11:20:03 -0700 damon_test_ops_registration() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-10-sj@kernel.org Fixes: 4f540f5ab4f2 ("mm/damon/core-test: add a kunit test case for ops registration") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.19+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration +++ a/mm/damon/tests/core-kunit.h @@ -320,6 +320,9 @@ static void damon_test_ops_registration( struct damon_operations ops = {.id = DAMON_OPS_VADDR}, bak; bool need_cleanup = false; + if (!c) + kunit_skip(test, "ctx alloc fail"); + /* DAMON_OPS_VADDR is registered only if CONFIG_DAMON_VADDR is set */ if (!damon_is_registered_ops(DAMON_OPS_VADDR)) { bak.id = DAMON_OPS_VADDR; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_regions_of.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_regions_of.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Date: Sat, 1 Nov 2025 11:20:02 -0700 damon_test_split_regions_of() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-9-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_regions_of +++ a/mm/damon/tests/core-kunit.h @@ -278,15 +278,35 @@ static void damon_test_split_regions_of( struct damon_target *t; struct damon_region *r; + if (!c) + kunit_skip("ctx alloc fail"); t = damon_new_target(); + if (!t) { + damon_destroy_ctx(c); + kunit_skip(test, "target alloc fail"); + } r = damon_new_region(0, 22); + if (!r) { + damon_destroy_ctx(c); + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } damon_add_region(r, t); damon_split_regions_of(t, 2, DAMON_MIN_REGION); KUNIT_EXPECT_LE(test, damon_nr_regions(t), 2u); damon_free_target(t); t = damon_new_target(); + if (!t) { + damon_destroy_ctx(c); + kunit_skip(test, "second target alloc fail"); + } r = damon_new_region(0, 220); + if (!r) { + damon_destroy_ctx(c); + damon_free_target(t); + kunit_skip(test, "second region alloc fail"); + } damon_add_region(r, t); damon_split_regions_of(t, 4, DAMON_MIN_REGION); KUNIT_EXPECT_LE(test, damon_nr_regions(t), 4u); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Date: Sat, 1 Nov 2025 11:20:01 -0700 damon_test_merge_regions_of() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-8-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 6 ++++++ 1 file changed, 6 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of +++ a/mm/damon/tests/core-kunit.h @@ -248,8 +248,14 @@ static void damon_test_merge_regions_of( int i; t = damon_new_target(); + if (!t) + kunit_skip(test, "target alloc fail"); for (i = 0; i < ARRAY_SIZE(sa); i++) { r = damon_new_region(sa[i], ea[i]); + if (!r) { + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } r->nr_accesses = nrs[i]; r->nr_accesses_bp = nrs[i] * 10000; damon_add_region(r, t); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Date: Sat, 1 Nov 2025 11:20:00 -0700 damon_test_merge_two() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-7-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two +++ a/mm/damon/tests/core-kunit.h @@ -188,11 +188,21 @@ static void damon_test_merge_two(struct int i; t = damon_new_target(); + if (!t) + kunit_skip(test, "target alloc fail"); r = damon_new_region(0, 100); + if (!r) { + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } r->nr_accesses = 10; r->nr_accesses_bp = 100000; damon_add_region(r, t); r2 = damon_new_region(100, 300); + if (!r2) { + damon_free_target(t); + kunit_skip(test, "second region alloc fail"); + } r2->nr_accesses = 20; r2->nr_accesses_bp = 200000; damon_add_region(r2, t); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Date: Sat, 1 Nov 2025 11:19:59 -0700 damon_test_split_at() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-6-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 11 +++++++++++ 1 file changed, 11 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at +++ a/mm/damon/tests/core-kunit.h @@ -148,8 +148,19 @@ static void damon_test_split_at(struct k struct damon_target *t; struct damon_region *r, *r_new; + if (!c) + kunit_skip(test, "ctx alloc fail"); t = damon_new_target(); + if (!t) { + damon_destroy_ctx(c); + kunit_skip(test, "target alloc fail"); + } r = damon_new_region(0, 100); + if (!r) { + damon_destroy_ctx(c); + damon_free_target(t); + kunit_skip(test, "region alloc fail"); + } r->nr_accesses_bp = 420000; r->nr_accesses = 42; r->last_nr_accesses = 15; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Date: Sat, 1 Nov 2025 11:19:58 -0700 damon_test_aggregate() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-5-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 11 +++++++++++ 1 file changed, 11 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate +++ a/mm/damon/tests/core-kunit.h @@ -97,8 +97,15 @@ static void damon_test_aggregate(struct struct damon_region *r; int it, ir; + if (!ctx) + kunit_skip(test, "ctx alloc fail"); + for (it = 0; it < 3; it++) { t = damon_new_target(); + if (!t) { + damon_destroy_ctx(ctx); + kunit_skip(test, "target alloc fail"); + } damon_add_target(ctx, t); } @@ -106,6 +113,10 @@ static void damon_test_aggregate(struct damon_for_each_target(t, ctx) { for (ir = 0; ir < 3; ir++) { r = damon_new_region(saddr[it][ir], eaddr[it][ir]); + if (!r) { + damon_destroy_ctx(ctx); + kunit_skip(test, "region alloc fail"); + } r->nr_accesses = accesses[it][ir]; r->nr_accesses_bp = accesses[it][ir] * 10000; damon_add_region(r, t); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle memory failure from damon_test_target() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Date: Sat, 1 Nov 2025 11:19:57 -0700 damon_test_target() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-4-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 7 +++++++ 1 file changed, 7 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target +++ a/mm/damon/tests/core-kunit.h @@ -58,7 +58,14 @@ static void damon_test_target(struct kun struct damon_ctx *c = damon_new_ctx(); struct damon_target *t; + if (!c) + kunit_skip(test, "ctx alloc fail"); + t = damon_new_target(); + if (!t) { + damon_destroy_ctx(c); + kunit_skip(test, "target alloc fail"); + } KUNIT_EXPECT_EQ(test, 0u, nr_damon_targets(c)); damon_add_target(c, t); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Date: Sat, 1 Nov 2025 11:19:56 -0700 damon_test_regions() is assuming all dynamic memory allocation in it will succeed. Those are indeed likely in the real use cases since those allocations are too small to fail, but theoretically those could fail. In the case, inappropriate memory access can happen. Fix it by appropriately cleanup pre-allocated memory and skip the execution of the remaining tests in the failure cases. Link: https://lkml.kernel.org/r/20251101182021.74868-3-sj@kernel.org Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [5.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 6 ++++++ 1 file changed, 6 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions +++ a/mm/damon/tests/core-kunit.h @@ -20,11 +20,17 @@ static void damon_test_regions(struct ku struct damon_target *t; r = damon_new_region(1, 2); + if (!r) + kunit_skip(test, "region alloc fail"); KUNIT_EXPECT_EQ(test, 1ul, r->ar.start); KUNIT_EXPECT_EQ(test, 2ul, r->ar.end); KUNIT_EXPECT_EQ(test, 0u, r->nr_accesses); t = damon_new_target(); + if (!t) { + damon_free_region(r); + kunit_skip(test, "target alloc fail"); + } KUNIT_EXPECT_EQ(test, 0u, damon_nr_regions(t)); damon_add_region(r, t); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-damon-tests-core-kunit-fix-memory-leak-in-damon_test_set_filters_default_reject.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/tests/core-kunit: fix memory leak in damon_test_set_filters_default_reject() has been removed from the -mm tree. Its filename was mm-damon-tests-core-kunit-fix-memory-leak-in-damon_test_set_filters_default_reject.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/tests/core-kunit: fix memory leak in damon_test_set_filters_default_reject() Date: Sat, 1 Nov 2025 11:19:55 -0700 Patch series "mm/damon/tests: fix memory bugs in kunit tests". DAMON kunit tests were initially written assuming those will be run on environments that are well controlled and therefore tolerant to transient test failures and bugs in the test code itself. The user-mode linux based manual run of the tests is one example of such an environment. And the test code was written for adding more test coverage as fast as possible, over making those safe and reliable. As a result, the tests resulted in having a number of bugs including real memory leaks, theoretical unhandled memory allocation failures, and unused memory allocations. The allocation failures that are not handled well are unlikely in the real world, since those allocations are too small to fail. But in theory, it can happen and cause inappropriate memory access. It is arguable if bugs in test code can really harm users. But, anyway bugs are bugs that need to be fixed. Fix the bugs one by one. Also Cc stable@ for the fixes of memory leak and unhandled memory allocation failures. The unused memory allocations are only a matter of memory efficiency, so not Cc-ing stable@. The first patch fixes memory leaks in the test code for the DAMON core layer. Following fifteen, three, and one patches respectively fix unhandled memory allocation failures in the test code for DAMON core layer, virtual address space DAMON operation set, and DAMON sysfs interface, one by one per test function. Final two patches remove memory allocations that are correctly deallocated at the end, but not really being used by any code. This patch (of 22): Kunit test function for damos_set_filters_default_reject() allocates two 'struct damos_filter' objects and not deallocates those, so that the memory for the two objects are leaked for every time the test runs. Fix this by deallocating those objects at the end of the test code. Link: https://lkml.kernel.org/r/20251101182021.74868-1-sj@kernel.org Link: https://lkml.kernel.org/r/20251101182021.74868-2-sj@kernel.org Fixes: 094fb14913c7 ("mm/damon/tests/core-kunit: add a test for damos_set_filters_default_reject()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: Brendan Higgins <brendan.higgins(a)linux.dev> Cc: David Gow <davidgow(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> [6.16+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/core-kunit.h | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/damon/tests/core-kunit.h~mm-damon-tests-core-kunit-fix-memory-leak-in-damon_test_set_filters_default_reject +++ a/mm/damon/tests/core-kunit.h @@ -598,6 +598,9 @@ static void damon_test_set_filters_defau */ KUNIT_EXPECT_EQ(test, scheme.core_filters_default_reject, false); KUNIT_EXPECT_EQ(test, scheme.ops_filters_default_reject, true); + + damos_free_filter(anon_filter); + damos_free_filter(target_filter); } static struct kunit_case damon_test_cases[] = { _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-tests-core-kunit-remove-dynamic-allocs-on-damos_test_commit_filter.patch mm-damon-tests-core-kunit-split-out-damos_test_commit_filter-core-logic.patch mm-damon-tests-core-kunit-extend-damos_test_commit_filter_for-for-union-fields.patch mm-damon-tests-core-kunit-add-test-cases-to-damos_test_commit_filter.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goal-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota_goals-test.patch mm-damon-tests-core-kunit-add-damos_commit_quota-test.patch mm-damon-core-pass-migrate_dests-to-damos_commit_dests.patch mm-damon-tests-core-kunit-add-damos_commit_dests-test.patch mm-damon-tests-core-kunit-add-damos_commit-test.patch mm-damon-tests-core-kunit-add-damon_commit_target_regions-test.patch mm-damon-rename-damos-core-filter-helpers-to-have-word-core.patch mm-damon-rename-damos-filters-to-damos-core_filters.patch mm-damon-vaddr-cleanup-using-pmd_trans_huge_lock.patch mm-damon-vaddr-use-vm_normal_folio_pmd-instead-of-damon_get_folio.patch mm-damon-vaddr-consistently-use-only-pmd_entry-for-damos_migrate.patch mm-damon-tests-core-kunit-remove-damon_min_region-redefinition.patch selftests-damon-sysfspy-merge-damon-status-dumping-into-commitment-assertion.patch docs-mm-damon-maintainer-profile-fix-a-typo-on-mm-untable-link.patch docs-mm-damon-maintainer-profile-fix-grammartical-errors.patch

4 weeks

1
0
0 0

[merged mm-stable] mm-swap-do-not-perform-synchronous-discard-during-allocation.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm, swap: do not perform synchronous discard during allocation has been removed from the -mm tree. Its filename was mm-swap-do-not-perform-synchronous-discard-during-allocation.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: mm, swap: do not perform synchronous discard during allocation Date: Fri, 24 Oct 2025 02:34:11 +0800 Patch series "mm, swap: misc cleanup and bugfix", v2. A few cleanups and a bugfix that are either suitable after the swap table phase I or found during code review. Patch 1 is a bugfix and needs to be included in the stable branch, the rest have no behavioral change. This patch (of 5): Since commit 1b7e90020eb77 ("mm, swap: use percpu cluster as allocation fast path"), swap allocation is protected by a local lock, which means we can't do any sleeping calls during allocation. However, the discard routine is not taken well care of. When the swap allocator failed to find any usable cluster, it would look at the pending discard cluster and try to issue some blocking discards. It may not necessarily sleep, but the cond_resched at the bio layer indicates this is wrong when combined with a local lock. And the bio GFP flag used for discard bio is also wrong (not atomic). It's arguable whether this synchronous discard is helpful at all. In most cases, the async discard is good enough. And the swap allocator is doing very differently at organizing the clusters since the recent change, so it is very rare to see discard clusters piling up. So far, no issues have been observed or reported with typical SSD setups under months of high pressure. This issue was found during my code review. But by hacking the kernel a bit: adding a mdelay(500) in the async discard path, this issue will be observable with WARNING triggered by the wrong GFP and cond_resched in the bio layer for debug builds. So now let's apply a hotfix for this issue: remove the synchronous discard in the swap allocation path. And when order 0 is failing with all cluster list drained on all swap devices, try to do a discard following the swap device priority list. If any discards released some cluster, try the allocation again. This way, we can still avoid OOM due to swap failure if the hardware is very slow and memory pressure is extremely high. This may cause more fragmentation issues if the discarding hardware is really slow. Ideally, we want to discard pending clusters before continuing to iterate the fragment cluster lists. This can be implemented in a cleaner way if we clean up the device list iteration part first. Link: https://lkml.kernel.org/r/20251024-swap-clean-after-swap-table-p1-v2-0-a709… Link: https://lkml.kernel.org/r/20251024-swap-clean-after-swap-table-p1-v2-1-c5b0… Fixes: 1b7e90020eb7 ("mm, swap: use percpu cluster as allocation fast path") Signed-off-by: Kairui Song <kasong(a)tencent.com> Acked-by: Nhat Pham <nphamcs(a)gmail.com> Acked-by: Chris Li <chrisl(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: "Huang, Ying" <ying.huang(a)linux.alibaba.com> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) --- a/mm/swapfile.c~mm-swap-do-not-perform-synchronous-discard-during-allocation +++ a/mm/swapfile.c @@ -1101,13 +1101,6 @@ new_cluster: goto done; } - /* - * We don't have free cluster but have some clusters in discarding, - * do discard now and reclaim them. - */ - if ((si->flags & SWP_PAGE_DISCARD) && swap_do_scheduled_discard(si)) - goto new_cluster; - if (order) goto done; @@ -1394,6 +1387,33 @@ start_over: return false; } +/* + * Discard pending clusters in a synchronized way when under high pressure. + * Return: true if any cluster is discarded. + */ +static bool swap_sync_discard(void) +{ + bool ret = false; + int nid = numa_node_id(); + struct swap_info_struct *si, *next; + + spin_lock(&swap_avail_lock); + plist_for_each_entry_safe(si, next, &swap_avail_heads[nid], avail_lists[nid]) { + spin_unlock(&swap_avail_lock); + if (get_swap_device_info(si)) { + if (si->flags & SWP_PAGE_DISCARD) + ret = swap_do_scheduled_discard(si); + put_swap_device(si); + } + if (ret) + return true; + spin_lock(&swap_avail_lock); + } + spin_unlock(&swap_avail_lock); + + return false; +} + /** * folio_alloc_swap - allocate swap space for a folio * @folio: folio we want to move to swap @@ -1432,11 +1452,17 @@ int folio_alloc_swap(struct folio *folio } } +again: local_lock(&percpu_swap_cluster.lock); if (!swap_alloc_fast(&entry, order)) swap_alloc_slow(&entry, order); local_unlock(&percpu_swap_cluster.lock); + if (unlikely(!order && !entry.val)) { + if (swap_sync_discard()) + goto again; + } + /* Need to call this even if allocation failed, for MEMCG_SWAP_FAIL. */ if (mem_cgroup_try_charge_swap(folio, entry)) goto out_free; _ Patches currently in -mm which might be from kasong(a)tencent.com are

4 weeks

1
0
0 0

[merged mm-stable] iommu-disable-sva-when-config_x86-is-set.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: iommu: disable SVA when CONFIG_X86 is set has been removed from the -mm tree. Its filename was iommu-disable-sva-when-config_x86-is-set.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lu Baolu <baolu.lu(a)linux.intel.com> Subject: iommu: disable SVA when CONFIG_X86 is set Date: Wed, 22 Oct 2025 16:26:27 +0800 Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Jean-Philippe Brucker <jean-philippe(a)linaro.org> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: Kevin Tian <kevin.tian(a)intel.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Robin Murohy <robin.murphy(a)arm.com> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vasant Hegde <vasant.hegde(a)amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Will Deacon <will(a)kernel.org> Cc: Yi Lai <yi1.lai(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/iommu/iommu-sva.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/iommu/iommu-sva.c~iommu-disable-sva-when-config_x86-is-set +++ a/drivers/iommu/iommu-sva.c @@ -77,6 +77,9 @@ struct iommu_sva *iommu_sva_bind_device( if (!group) return ERR_PTR(-ENODEV); + if (IS_ENABLED(CONFIG_X86)) + return ERR_PTR(-EOPNOTSUPP); + mutex_lock(&iommu_sva_lock); /* Allocate mm->pasid if necessary. */ _ Patches currently in -mm which might be from baolu.lu(a)linux.intel.com are

4 weeks

1
0
0 0

[merged mm-stable] mm-ksm-fix-exec-fork-inheritance-support-for-prctl.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/ksm: fix exec/fork inheritance support for prctl has been removed from the -mm tree. Its filename was mm-ksm-fix-exec-fork-inheritance-support-for-prctl.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: xu xin <xu.xin16(a)zte.com.cn> Subject: mm/ksm: fix exec/fork inheritance support for prctl Date: Tue, 7 Oct 2025 18:28:21 +0800 (CST) Patch series "ksm: fix exec/fork inheritance", v2. This series fixes exec/fork inheritance. See the detailed description of the issue below. This patch (of 2): Background ========== commit d7597f59d1d33 ("mm: add new api to enable ksm per process") introduced MMF_VM_MERGE_ANY for mm->flags, and allowed user to set it by prctl() so that the process's VMAs are forcibly scanned by ksmd. Subsequently, the 3c6f33b7273a ("mm/ksm: support fork/exec for prctl") supported inheriting the MMF_VM_MERGE_ANY flag when a task calls execve(). Finally, commit 3a9e567ca45fb ("mm/ksm: fix ksm exec support for prctl") fixed the issue that ksmd doesn't scan the mm_struct with MMF_VM_MERGE_ANY by adding the mm_slot to ksm_mm_head in __bprm_mm_init(). Problem ======= In some extreme scenarios, however, this inheritance of MMF_VM_MERGE_ANY during exec/fork can fail. For example, when the scanning frequency of ksmd is tuned extremely high, a process carrying MMF_VM_MERGE_ANY may still fail to pass it to the newly exec'd process. This happens because ksm_execve() is executed too early in the do_execve flow (prematurely adding the new mm_struct to the ksm_mm_slot list). As a result, before do_execve completes, ksmd may have already performed a scan and found that this new mm_struct has no VM_MERGEABLE VMAs, thus clearing its MMF_VM_MERGE_ANY flag. Consequently, when the new program executes, the flag MMF_VM_MERGE_ANY inheritance missed. Root reason =========== commit d7597f59d1d33 ("mm: add new api to enable ksm per process") clear the flag MMF_VM_MERGE_ANY when ksmd found no VM_MERGEABLE VMAs. Solution ======== Firstly, Don't clear MMF_VM_MERGE_ANY when ksmd found no VM_MERGEABLE VMAs, because perhaps their mm_struct has just been added to ksm_mm_slot list, and its process has not yet officially started running or has not yet performed mmap/brk to allocate anonymous VMAS. Secondly, recheck MMF_VM_MERGEABLE again if a process takes MMF_VM_MERGE_ANY, and create a mm_slot and join it into ksm_scan_list again. Link: https://lkml.kernel.org/r/20251007182504440BJgK8VXRHh8TD7IGSUIY4@zte.com.cn Link: https://lkml.kernel.org/r/20251007182821572h_SoFqYZXEP1mvWI4n9VL@zte.com.cn Fixes: 3c6f33b7273a ("mm/ksm: support fork/exec for prctl") Fixes: d7597f59d1d3 ("mm: add new api to enable ksm per process") Signed-off-by: xu xin <xu.xin16(a)zte.com.cn> Cc: Stefan Roesch <shr(a)devkernel.io> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Wang Yaxin <wang.yaxin(a)zte.com.cn> Cc: Yang Yang <yang.yang29(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/ksm.h | 4 ++-- mm/ksm.c | 20 +++++++++++++++++--- 2 files changed, 19 insertions(+), 5 deletions(-) --- a/include/linux/ksm.h~mm-ksm-fix-exec-fork-inheritance-support-for-prctl +++ a/include/linux/ksm.h @@ -17,7 +17,7 @@ #ifdef CONFIG_KSM int ksm_madvise(struct vm_area_struct *vma, unsigned long start, unsigned long end, int advice, vm_flags_t *vm_flags); -vm_flags_t ksm_vma_flags(const struct mm_struct *mm, const struct file *file, +vm_flags_t ksm_vma_flags(struct mm_struct *mm, const struct file *file, vm_flags_t vm_flags); int ksm_enable_merge_any(struct mm_struct *mm); int ksm_disable_merge_any(struct mm_struct *mm); @@ -103,7 +103,7 @@ bool ksm_process_mergeable(struct mm_str #else /* !CONFIG_KSM */ -static inline vm_flags_t ksm_vma_flags(const struct mm_struct *mm, +static inline vm_flags_t ksm_vma_flags(struct mm_struct *mm, const struct file *file, vm_flags_t vm_flags) { return vm_flags; --- a/mm/ksm.c~mm-ksm-fix-exec-fork-inheritance-support-for-prctl +++ a/mm/ksm.c @@ -2712,8 +2712,14 @@ no_vmas: spin_unlock(&ksm_mmlist_lock); mm_slot_free(mm_slot_cache, mm_slot); + /* + * Only clear MMF_VM_MERGEABLE. We must not clear + * MMF_VM_MERGE_ANY, because for those MMF_VM_MERGE_ANY process, + * perhaps their mm_struct has just been added to ksm_mm_slot + * list, and its process has not yet officially started running + * or has not yet performed mmap/brk to allocate anonymous VMAS. + */ mm_flags_clear(MMF_VM_MERGEABLE, mm); - mm_flags_clear(MMF_VM_MERGE_ANY, mm); mmap_read_unlock(mm); mmdrop(mm); } else { @@ -2831,12 +2837,20 @@ static int __ksm_del_vma(struct vm_area_ * * Returns: @vm_flags possibly updated to mark mergeable. */ -vm_flags_t ksm_vma_flags(const struct mm_struct *mm, const struct file *file, +vm_flags_t ksm_vma_flags(struct mm_struct *mm, const struct file *file, vm_flags_t vm_flags) { if (mm_flags_test(MMF_VM_MERGE_ANY, mm) && - __ksm_should_add_vma(file, vm_flags)) + __ksm_should_add_vma(file, vm_flags)) { vm_flags |= VM_MERGEABLE; + /* + * Generally, the flags here always include MMF_VM_MERGEABLE. + * However, in rare cases, this flag may be cleared by ksmd who + * scans a cycle without finding any mergeable vma. + */ + if (unlikely(!mm_flags_test(MMF_VM_MERGEABLE, mm))) + __ksm_enter(mm); + } return vm_flags; } _ Patches currently in -mm which might be from xu.xin16(a)zte.com.cn are

4 weeks

1
0
0 0

[PATCH] irqchip: Fix error handling in qcom_mpm_init

by Ma Ke

of_find_device_by_node() increments the reference count but it's never decremented, preventing proper device cleanup. Add put_device() properly to ensure references released before function return. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a6199bb514d8 ("irqchip: Add Qualcomm MPM controller driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/irqchip/irq-qcom-mpm.c | 56 +++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 18 deletions(-) diff --git a/drivers/irqchip/irq-qcom-mpm.c b/drivers/irqchip/irq-qcom-mpm.c index 8d569f7c5a7a..8e5303375261 100644 --- a/drivers/irqchip/irq-qcom-mpm.c +++ b/drivers/irqchip/irq-qcom-mpm.c @@ -333,14 +333,19 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) int i, irq; int ret; + if (!pdev) + return -ENODEV; + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); - if (!priv) - return -ENOMEM; + if (!priv) { + ret = -ENOMEM; + goto err_put_device; + } ret = of_property_read_u32(np, "qcom,mpm-pin-count", &pin_cnt); if (ret) { dev_err(dev, "failed to read qcom,mpm-pin-count: %d\n", ret); - return ret; + goto err_put_device; } priv->reg_stride = DIV_ROUND_UP(pin_cnt, 32); @@ -348,19 +353,22 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) ret = of_property_count_u32_elems(np, "qcom,mpm-pin-map"); if (ret < 0) { dev_err(dev, "failed to read qcom,mpm-pin-map: %d\n", ret); - return ret; + goto err_put_device; } if (ret % 2) { dev_err(dev, "invalid qcom,mpm-pin-map\n"); - return -EINVAL; + ret = -EINVAL; + goto err_put_device; } priv->map_cnt = ret / 2; priv->maps = devm_kcalloc(dev, priv->map_cnt, sizeof(*priv->maps), GFP_KERNEL); - if (!priv->maps) - return -ENOMEM; + if (!priv->maps) { + ret = -ENOMEM; + goto err_put_device; + } for (i = 0; i < priv->map_cnt; i++) { u32 pin, hwirq; @@ -386,19 +394,23 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) ret = of_address_to_resource(msgram_np, 0, &res); if (ret) { of_node_put(msgram_np); - return ret; + goto err_put_device; } /* Don't use devm_ioremap_resource, as we're accessing a shared region. */ priv->base = devm_ioremap(dev, res.start, resource_size(&res)); of_node_put(msgram_np); - if (!priv->base) - return -ENOMEM; + if (!priv->base) { + ret = -ENOMEM; + goto err_put_device; + } } else { /* Otherwise, fall back to simple MMIO. */ priv->base = devm_platform_ioremap_resource(pdev, 0); - if (IS_ERR(priv->base)) - return PTR_ERR(priv->base); + if (IS_ERR(priv->base)) { + ret = PTR_ERR(priv->base); + goto err_put_device; + } } for (i = 0; i < priv->reg_stride; i++) { @@ -410,21 +422,25 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) } irq = platform_get_irq(pdev, 0); - if (irq < 0) - return irq; + if (irq < 0) { + ret = irq; + goto err_put_device; + } genpd = &priv->genpd; genpd->flags = GENPD_FLAG_IRQ_SAFE; genpd->power_off = mpm_pd_power_off; genpd->name = devm_kasprintf(dev, GFP_KERNEL, "%s", dev_name(dev)); - if (!genpd->name) - return -ENOMEM; + if (!genpd->name) { + ret = -ENOMEM; + goto err_put_device; + } ret = pm_genpd_init(genpd, NULL, false); if (ret) { dev_err(dev, "failed to init genpd: %d\n", ret); - return ret; + goto err_put_device; } ret = of_genpd_add_provider_simple(np, genpd); @@ -438,7 +454,7 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) if (IS_ERR(priv->mbox_chan)) { ret = PTR_ERR(priv->mbox_chan); dev_err(dev, "failed to acquire IPC channel: %d\n", ret); - return ret; + goto remove_genpd; } parent_domain = irq_find_host(parent); @@ -466,6 +482,7 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) goto remove_domain; } + put_device(dev); return 0; remove_domain: @@ -474,6 +491,9 @@ static int qcom_mpm_init(struct device_node *np, struct device_node *parent) mbox_free_channel(priv->mbox_chan); remove_genpd: pm_genpd_remove(genpd); +err_put_device: + if (pdev) + put_device(dev); return ret; } -- 2.17.1

4 weeks

2
3
0 0

[PATCH 6.6] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

by Eric Biggers

commit 44e8241c51f762aafa50ed116da68fd6ecdcc954 upstream. On big endian arm kernels, the arm optimized Curve25519 code produces incorrect outputs and fails the Curve25519 test. This has been true ever since this code was added. It seems that hardly anyone (or even no one?) actually uses big endian arm kernels. But as long as they're ostensibly supported, we should disable this code on them so that it's not accidentally used. Note: for future-proofing, use !CPU_BIG_ENDIAN instead of CPU_LITTLE_ENDIAN. Both of these are arch-specific options that could get removed in the future if big endian support gets dropped. Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") Cc: stable(a)vger.kernel.org Acked-by: Ard Biesheuvel <ardb(a)kernel.org> Link: https://lore.kernel.org/r/20251104054906.716914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/arm/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index 847b7a003356..1f684e29cff2 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -2,11 +2,11 @@ menu "Accelerated Cryptographic Algorithms for CPU (arm)" config CRYPTO_CURVE25519_NEON tristate "Public key crypto: Curve25519 (NEON)" - depends on KERNEL_MODE_NEON + depends on KERNEL_MODE_NEON && !CPU_BIG_ENDIAN select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 help Curve25519 algorithm base-commit: 0a805b6ea8cda0caa268b396a2e5117f3772d849 -- 2.51.2

4 weeks

2
1
0 0

[PATCH 6.6.y] espintcp: fix skb leaks

by ruohanlan＠aliyun.com

From: Sabrina Dubroca <sd(a)queasysnail.net> [ Upstream commit 63c1f19a3be3169e51a5812d22a6d0c879414076 ] A few error paths are missing a kfree_skb. Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)") Signed-off-by: Sabrina Dubroca <sd(a)queasysnail.net> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> [ Minor context change fixed. ] Signed-off-by: Ruohan Lan <ruohanlan(a)aliyun.com> --- net/ipv4/esp4.c | 4 +++- net/ipv6/esp6.c | 4 +++- net/xfrm/espintcp.c | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 49fd664f50fc..2caf6a2a819b 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -152,8 +152,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb) sk = esp_find_tcp_sk(x); err = PTR_ERR_OR_ZERO(sk); - if (err) + if (err) { + kfree_skb(skb); goto out; + } bh_lock_sock(sk); if (sock_owned_by_user(sk)) diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 7e4c8628cf98..2caaab61b996 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -169,8 +169,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb) sk = esp6_find_tcp_sk(x); err = PTR_ERR_OR_ZERO(sk); - if (err) + if (err) { + kfree_skb(skb); goto out; + } bh_lock_sock(sk); if (sock_owned_by_user(sk)) diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c index d3b3f9e720b3..427072285b8c 100644 --- a/net/xfrm/espintcp.c +++ b/net/xfrm/espintcp.c @@ -169,8 +169,10 @@ int espintcp_queue_out(struct sock *sk, struct sk_buff *skb) { struct espintcp_ctx *ctx = espintcp_getctx(sk); - if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) + if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) { + kfree_skb(skb); return -ENOBUFS; + } __skb_queue_tail(&ctx->out_queue, skb); -- 2.43.0

4 weeks

2
1
0 0

[PATCH 6.6.y] net: dsa: improve shutdown sequence

by Rajani Kantha

From: Vladimir Oltean <vladimir.oltean(a)nxp.com> [ Upstream commit 6c24a03a61a245fe34d47582898331fa034b6ccd ] Alexander Sverdlin presents 2 problems during shutdown with the lan9303 driver. One is specific to lan9303 and the other just happens to reproduce there. The first problem is that lan9303 is unique among DSA drivers in that it calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown, not remove): phy_state_machine() -> ... -> dsa_user_phy_read() -> ds->ops->phy_read() -> lan9303_phy_read() -> chip->ops->phy_read() -> lan9303_mdio_phy_read() -> dev_get_drvdata() But we never stop the phy_state_machine(), so it may continue to run after dsa_switch_shutdown(). Our common pattern in all DSA drivers is to set drvdata to NULL to suppress the remove() method that may come afterwards. But in this case it will result in an NPD. The second problem is that the way in which we set dp->master->dsa_ptr = NULL; is concurrent with receive packet processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL, but afterwards, rather than continuing to use that non-NULL value, dev->dsa_ptr is dereferenced again and again without NULL checks: dsa_master_find_slave() and many other places. In between dereferences, there is no locking to ensure that what was valid once continues to be valid. Both problems have the common aspect that closing the master interface solves them. In the first case, dev_close(master) triggers the NETDEV_GOING_DOWN event in dsa_slave_netdevice_event() which closes slave ports as well. dsa_port_disable_rt() calls phylink_stop(), which synchronously stops the phylink state machine, and ds->ops->phy_read() will thus no longer call into the driver after this point. In the second case, dev_close(master) should do this, as per Documentation/networking/driver.rst: | Quiescence | ---------- | | After the ndo_stop routine has been called, the hardware must | not receive or transmit any data. All in flight packets must | be aborted. If necessary, poll or wait for completion of | any reset commands. So it should be sufficient to ensure that later, when we zeroize master->dsa_ptr, there will be no concurrent dsa_switch_rcv() call on this master. The addition of the netif_device_detach() function is to ensure that ioctls, rtnetlinks and ethtool requests on the slave ports no longer propagate down to the driver - we're no longer prepared to handle them. The race condition actually did not exist when commit 0650bf52b31f ("net: dsa: be compatible with masters which unregister on shutdown") first introduced dsa_switch_shutdown(). It was created later, when we stopped unregistering the slave interfaces from a bad spot, and we just replaced that sequence with a racy zeroization of master->dsa_ptr (one which doesn't ensure that the interfaces aren't up). Reported-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Closes: https://lore.kernel.org/netdev/2d2e3bba17203c14a5ffdabc174e3b6bbb9ad438.cam… Closes: https://lore.kernel.org/netdev/c1bf4de54e829111e0e4a70e7bd1cf523c9550ff.cam… Fixes: ee534378f005 ("net: dsa: fix panic when DSA master device unbinds on shutdown") Reviewed-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Tested-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Signed-off-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Link: https://patch.msgid.link/20240913203549.3081071-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [ Modification: Using dp->master and dp->slave instead of dp->conduit and dp->user ] Signed-off-by: Rajani Kantha <681739313(a)139.com> --- net/dsa/dsa.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c index 07736edc8b6a..c9bf1a9a6c99 100644 --- a/net/dsa/dsa.c +++ b/net/dsa/dsa.c @@ -1613,6 +1613,7 @@ EXPORT_SYMBOL_GPL(dsa_unregister_switch); void dsa_switch_shutdown(struct dsa_switch *ds) { struct net_device *master, *slave_dev; + LIST_HEAD(close_list); struct dsa_port *dp; mutex_lock(&dsa2_mutex); @@ -1622,10 +1623,16 @@ void dsa_switch_shutdown(struct dsa_switch *ds) rtnl_lock(); + dsa_switch_for_each_cpu_port(dp, ds) + list_add(&dp->master->close_list, &close_list); + + dev_close_many(&close_list, true); + dsa_switch_for_each_user_port(dp, ds) { master = dsa_port_to_master(dp); slave_dev = dp->slave; + netif_device_detach(slave_dev); netdev_upper_dev_unlink(master, slave_dev); } -- 2.17.1

4 weeks

3
2
0 0

[PATCH] phy: HiSilicon: Fix error handling in hi3670_pcie_get_resources_from_pcie

by Ma Ke

In hi3670_pcie_get_resources_from_pcie(), the reference obtained via bus_find_device_by_of_node() is never released with put_device(). Each call to this function increments the reference count of the PCIe device without decrementing it, preventing proper device cleanup. And the device node obtained via of_get_child_by_name() is never released with of_node_put(). This could cause a leak of the node reference. Add proper resource cleanup using goto labels to ensure all acquired references are released before function return, regardless of the exit path. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 73075011ffff ("phy: HiSilicon: Add driver for Kirin 970 PCIe PHY") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/phy/hisilicon/phy-hi3670-pcie.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/phy/hisilicon/phy-hi3670-pcie.c b/drivers/phy/hisilicon/phy-hi3670-pcie.c index dbc7dcce682b..4c67a7613261 100644 --- a/drivers/phy/hisilicon/phy-hi3670-pcie.c +++ b/drivers/phy/hisilicon/phy-hi3670-pcie.c @@ -560,7 +560,8 @@ static int hi3670_pcie_get_resources_from_pcie(struct hi3670_pcie_phy *phy) { struct device_node *pcie_port; struct device *dev = phy->dev; - struct device *pcie_dev; + struct device *pcie_dev = NULL; + int ret = 0; pcie_port = of_get_child_by_name(dev->parent->of_node, "pcie"); if (!pcie_port) { @@ -572,7 +573,8 @@ static int hi3670_pcie_get_resources_from_pcie(struct hi3670_pcie_phy *phy) pcie_dev = bus_find_device_by_of_node(&platform_bus_type, pcie_port); if (!pcie_dev) { dev_err(dev, "Didn't find pcie device\n"); - return -ENODEV; + ret = -ENODEV; + goto out_put_node; } /* @@ -586,9 +588,14 @@ static int hi3670_pcie_get_resources_from_pcie(struct hi3670_pcie_phy *phy) phy->apb = dev_get_regmap(pcie_dev, "kirin_pcie_apb"); if (!phy->apb) { dev_err(dev, "Failed to get APB regmap\n"); - return -ENODEV; + ret = -ENODEV; + goto out_put_device; } +out_put_device: + put_device(pcie_dev); +out_put_node: + of_node_put(pcie_port); return 0; } -- 2.17.1

4 weeks

2
1
0 0

[tip: x86/boot] x86/acpi/boot: Correct acpi_is_processor_usable() check again

by tip-bot2 for Yazen Ghannam

The following commit has been merged into the x86/boot branch of tip: Commit-ID: 845ed7e04d9ae0146d5e003a5defd90eb95535fc Gitweb: https://git.kernel.org/tip/845ed7e04d9ae0146d5e003a5defd90eb95535fc Author: Yazen Ghannam <yazen.ghannam(a)amd.com> AuthorDate: Tue, 11 Nov 2025 14:53:57 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Sun, 16 Nov 2025 21:00:02 +01:00 x86/acpi/boot: Correct acpi_is_processor_usable() check again ACPI v6.3 defined a new "Online Capable" MADT LAPIC flag. This bit is used in conjunction with the "Enabled" MADT LAPIC flag to determine if a CPU can be enabled/hotplugged by the OS after boot. Before the new bit was defined, the "Enabled" bit was explicitly described like this (ACPI v6.0 wording provided): "If zero, this processor is unusable, and the operating system support will not attempt to use it" This means that CPU hotplug (based on MADT) is not possible. Many BIOS implementations follow this guidance. They may include LAPIC entries in MADT for unavailable CPUs, but since these entries are marked with "Enabled=0" it is expected that the OS will completely ignore these entries. However, QEMU will do the same (include entries with "Enabled=0") for the purpose of allowing CPU hotplug within the guest. Comment from QEMU function pc_madt_cpu_entry(): /* ACPI spec says that LAPIC entry for non present * CPU may be omitted from MADT or it must be marked * as disabled. However omitting non present CPU from * MADT breaks hotplug on linux. So possible CPUs * should be put in MADT but kept disabled. */ Recent Linux topology changes broke the QEMU use case. A following fix for the QEMU use case broke bare metal topology enumeration. Rework the Linux MADT LAPIC flags check to allow the QEMU use case only for guests and to maintain the ACPI spec behavior for bare metal. Remove an unnecessary check added to fix a bare metal case introduced by the QEMU "fix". [ bp: Change logic as Michal suggested. ] Fixes: fed8d8773b8e ("x86/acpi/boot: Correct acpi_is_processor_usable() check") Fixes: f0551af02130 ("x86/topology: Ignore non-present APIC IDs in a present package") Closes: https://lore.kernel.org/r/20251024204658.3da9bf3f.michal.pecio@gmail.com Reported-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Tested-by: Michal Pecio <michal.pecio(a)gmail.com> Tested-by: Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20251111145357.4031846-1-yazen.ghannam@amd.com --- arch/x86/kernel/acpi/boot.c | 12 ++++++++---- arch/x86/kernel/cpu/topology.c | 15 --------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 9fa321a..d6138b2 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -35,6 +35,7 @@ #include <asm/smp.h> #include <asm/i8259.h> #include <asm/setup.h> +#include <asm/hypervisor.h> #include "sleep.h" /* To include x86_acpi_suspend_lowlevel */ static int __initdata acpi_force = 0; @@ -164,11 +165,14 @@ static bool __init acpi_is_processor_usable(u32 lapic_flags) if (lapic_flags & ACPI_MADT_ENABLED) return true; - if (!acpi_support_online_capable || - (lapic_flags & ACPI_MADT_ONLINE_CAPABLE)) - return true; + if (acpi_support_online_capable) + return lapic_flags & ACPI_MADT_ONLINE_CAPABLE; - return false; + /* + * QEMU expects legacy "Enabled=0" LAPIC entries to be counted as usable + * in order to support CPU hotplug in guests. + */ + return !hypervisor_is_type(X86_HYPER_NATIVE); } static int __init diff --git a/arch/x86/kernel/cpu/topology.c b/arch/x86/kernel/cpu/topology.c index 6073a16..425404e 100644 --- a/arch/x86/kernel/cpu/topology.c +++ b/arch/x86/kernel/cpu/topology.c @@ -27,7 +27,6 @@ #include <xen/xen.h> #include <asm/apic.h> -#include <asm/hypervisor.h> #include <asm/io_apic.h> #include <asm/mpspec.h> #include <asm/msr.h> @@ -240,20 +239,6 @@ static __init void topo_register_apic(u32 apic_id, u32 acpi_id, bool present) cpuid_to_apicid[cpu] = apic_id; topo_set_cpuids(cpu, apic_id, acpi_id); } else { - u32 pkgid = topo_apicid(apic_id, TOPO_PKG_DOMAIN); - - /* - * Check for present APICs in the same package when running - * on bare metal. Allow the bogosity in a guest. - */ - if (hypervisor_is_type(X86_HYPER_NATIVE) && - topo_unit_count(pkgid, TOPO_PKG_DOMAIN, phys_cpu_present_map)) { - pr_info_once("Ignoring hot-pluggable APIC ID %x in present package.\n", - apic_id); - topo_info.nr_rejected_cpus++; - return; - } - topo_info.nr_disabled_cpus++; }

4 weeks

1
0
0 0

[PATCH 6.6.y] net: allow small head cache usage with large MAX_SKB_FRAGS values

by jetlan9＠163.com

From: Paolo Abeni <pabeni(a)redhat.com> [ Upstream commit 14ad6ed30a10afbe91b0749d6378285f4225d482 ] Sabrina reported the following splat: WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0 Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48 RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6 RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168 R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> gro_cells_init+0x1ba/0x270 xfrm_input_init+0x4b/0x2a0 xfrm_init+0x38/0x50 ip_rt_init+0x2d7/0x350 ip_init+0xf/0x20 inet_init+0x406/0x590 do_one_initcall+0x9d/0x2e0 do_initcalls+0x23b/0x280 kernel_init_freeable+0x445/0x490 kernel_init+0x20/0x1d0 ret_from_fork+0x46/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 584330 hardirqs last enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0 hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0 softirqs last enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470 softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0 on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD. Such built additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat. Note that the underlying issue is independent from the mentioned revert; address it ensuring that the small head cache will fit either TCP and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache. Reported-by: Sabrina Dubroca <sd(a)queasysnail.net> Suggested-by: Eric Dumazet <edumazet(a)google.com> Fixes: 3948b05950fd ("net: introduce a config option to tweak MAX_SKB_FRAGS") Reviewed-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [ Minor context change fixed. ] Signed-off-by: Wenshan Lan <jetlan9(a)163.com> --- include/net/gro.h | 3 +++ net/core/gro.c | 3 --- net/core/skbuff.c | 10 +++++++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/include/net/gro.h b/include/net/gro.h index 018343254c90..9260ed367c91 100644 --- a/include/net/gro.h +++ b/include/net/gro.h @@ -10,6 +10,9 @@ #include <linux/skbuff.h> #include <net/udp.h> +/* This should be increased if a protocol with a bigger head is added. */ +#define GRO_MAX_HEAD (MAX_HEADER + 128) + struct napi_gro_cb { union { struct { diff --git a/net/core/gro.c b/net/core/gro.c index 397cf5984250..b8cc44406e69 100644 --- a/net/core/gro.c +++ b/net/core/gro.c @@ -6,9 +6,6 @@ #define MAX_GRO_SKBS 8 -/* This should be increased if a protocol with a bigger head is added. */ -#define GRO_MAX_HEAD (MAX_HEADER + 128) - static DEFINE_SPINLOCK(offload_lock); struct list_head offload_base __read_mostly = LIST_HEAD_INIT(offload_base); /* Maximum number of GRO_NORMAL skbs to batch up for list-RX */ diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 867832f8bbae..073e2c527407 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -67,6 +67,7 @@ #include <net/dst.h> #include <net/sock.h> #include <net/checksum.h> +#include <net/gro.h> #include <net/gso.h> #include <net/ip6_checksum.h> #include <net/xfrm.h> @@ -96,7 +97,9 @@ static struct kmem_cache *skbuff_ext_cache __ro_after_init; static struct kmem_cache *skb_small_head_cache __ro_after_init; -#define SKB_SMALL_HEAD_SIZE SKB_HEAD_ALIGN(MAX_TCP_HEADER) +#define GRO_MAX_HEAD_PAD (GRO_MAX_HEAD + NET_SKB_PAD + NET_IP_ALIGN) +#define SKB_SMALL_HEAD_SIZE SKB_HEAD_ALIGN(max(MAX_TCP_HEADER, \ + GRO_MAX_HEAD_PAD)) /* We want SKB_SMALL_HEAD_CACHE_SIZE to not be a power of two. * This should ensure that SKB_SMALL_HEAD_HEADROOM is a unique @@ -708,7 +711,7 @@ struct sk_buff *__netdev_alloc_skb(struct net_device *dev, unsigned int len, /* If requested length is either too small or too big, * we use kmalloc() for skb->head allocation. */ - if (len <= SKB_WITH_OVERHEAD(1024) || + if (len <= SKB_WITH_OVERHEAD(SKB_SMALL_HEAD_CACHE_SIZE) || len > SKB_WITH_OVERHEAD(PAGE_SIZE) || (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) { skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE); @@ -785,7 +788,8 @@ struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len, * When the small frag allocator is available, prefer it over kmalloc * for small fragments */ - if ((!NAPI_HAS_SMALL_PAGE_FRAG && len <= SKB_WITH_OVERHEAD(1024)) || + if ((!NAPI_HAS_SMALL_PAGE_FRAG && + len <= SKB_WITH_OVERHEAD(SKB_SMALL_HEAD_CACHE_SIZE)) || len > SKB_WITH_OVERHEAD(PAGE_SIZE) || (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) { skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX | SKB_ALLOC_NAPI, -- 2.43.0

4 weeks

2
1
0 0

[PATCH can] can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling

by Marc Kleine-Budde

Reading the interrupt register `SUN4I_REG_INT_ADDR` causes all of its bits to be reset. If we ever reach the condition of handling more than `SUN4I_CAN_MAX_IRQ` IRQs, we will have read the register and reset all its bits but without actually handling the interrupt inside of the loop body. This may, among other issues, cause us to never `netif_wake_queue()` again after a transmission interrupt. Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") Cc: stable(a)vger.kernel.org Co-developed-by: Thomas Mühlbacher <tmuehlbacher(a)posteo.net> Signed-off-by: Thomas Mühlbacher <tmuehlbacher(a)posteo.net> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- I've ported the fix from the sja1000 driver to the sun4i_can, which based on the sja1000 driver. --- drivers/net/can/sun4i_can.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/sun4i_can.c b/drivers/net/can/sun4i_can.c index 53bfd873de9b..0a7ba0942839 100644 --- a/drivers/net/can/sun4i_can.c +++ b/drivers/net/can/sun4i_can.c @@ -657,8 +657,8 @@ static irqreturn_t sun4i_can_interrupt(int irq, void *dev_id) u8 isrc, status; int n = 0; - while ((isrc = readl(priv->base + SUN4I_REG_INT_ADDR)) && - (n < SUN4I_CAN_MAX_IRQ)) { + while ((n < SUN4I_CAN_MAX_IRQ) && + (isrc = readl(priv->base + SUN4I_REG_INT_ADDR))) { n++; status = readl(priv->base + SUN4I_REG_STA_ADDR); --- base-commit: 5442a9da69789741bfda39f34ee7f69552bf0c56 change-id: 20251116-sun4i-fix-loop-f265621b6a99 Best regards, -- Marc Kleine-Budde <mkl(a)pengutronix.de>

4 weeks

2
3
0 0

[PATCH 6.6.y] net: fix NULL pointer dereference in l3mdev_l3_rcv

by Rajani Kantha

From: Wang Liang <wangliang74(a)huawei.com> [ Upstream commit 0032c99e83b9ce6d5995d65900aa4b6ffb501cce ] When delete l3s ipvlan: ip link del link eth0 ipvlan1 type ipvlan mode l3s This may cause a null pointer dereference: Call trace: ip_rcv_finish+0x48/0xd0 ip_rcv+0x5c/0x100 __netif_receive_skb_one_core+0x64/0xb0 __netif_receive_skb+0x20/0x80 process_backlog+0xb4/0x204 napi_poll+0xe8/0x294 net_rx_action+0xd8/0x22c __do_softirq+0x12c/0x354 This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process like this: (CPU1) | (CPU2) l3mdev_l3_rcv() | check dev->priv_flags: | master = skb->dev; | | | ipvlan_l3s_unregister() | set dev->priv_flags | dev->l3mdev_ops = NULL; | visit master->l3mdev_ops | To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan. Suggested-by: David Ahern <dsahern(a)kernel.org> Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes") Signed-off-by: Wang Liang <wangliang74(a)huawei.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250321090353.1170545-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Rajani Kantha <681739313(a)139.com> --- drivers/net/ipvlan/ipvlan_l3s.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c index d5b05e803219..ca35a50bb640 100644 --- a/drivers/net/ipvlan/ipvlan_l3s.c +++ b/drivers/net/ipvlan/ipvlan_l3s.c @@ -224,5 +224,4 @@ void ipvlan_l3s_unregister(struct ipvl_port *port) dev->priv_flags &= ~IFF_L3MDEV_RX_HANDLER; ipvlan_unregister_nf_hook(read_pnet(&port->pnet)); - dev->l3mdev_ops = NULL; } -- 2.17.1

4 weeks

2
1
0 0

[PATCH 6.12] f2fs: fix to avoid overflow while left shift operation

by Rajani Kantha

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 0fe1c6bec54ea68ed8c987b3890f2296364e77bb ] Should cast type of folio->index from pgoff_t to loff_t to avoid overflow while left shift operation. Fixes: 3265d3db1f16 ("f2fs: support partial truncation on compressed inode") Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [ Modification: Using rpages[i]->index instead of folio->index due to it was changed since commit:1cda5bc0b2fe ("f2fs: Use a folio in f2fs_truncate_partial_cluster()") on 6.14 ] Signed-off-by: Rajani Kantha <681739313(a)139.com> --- fs/f2fs/compress.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c index b05bb7bfa14c..fcd21bb060cd 100644 --- a/fs/f2fs/compress.c +++ b/fs/f2fs/compress.c @@ -1236,7 +1236,7 @@ int f2fs_truncate_partial_cluster(struct inode *inode, u64 from, bool lock) int i; for (i = cluster_size - 1; i >= 0; i--) { - loff_t start = rpages[i]->index << PAGE_SHIFT; + loff_t start = (loff_t)rpages[i]->index << PAGE_SHIFT; if (from <= start) { zero_user_segment(rpages[i], 0, PAGE_SIZE); -- 2.17.1

4 weeks

2
1
0 0

[PATCH 6.12] Bluetooth: MGMT: Fix possible UAFs

by Chen Yu

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Upstream commit 302a1f674c00dd5581ab8e493ef44767c5101aab ] This attemps to fix possible UAFs caused by struct mgmt_pending being freed while still being processed like in the following trace, in order to fix mgmt_pending_valid is introduce and use to check if the mgmt_pending hasn't been removed from the pending list, on the complete callbacks it is used to check and in addtion remove the cmd from the list while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd is left on the list it can still be accessed and freed. BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 12210: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 sock_write_iter+0x258/0x330 net/socket.c:1133 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 12221: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4648 [inline] kfree+0x18e/0x440 mm/slub.c:4847 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 sock_do_ioctl+0xd9/0x300 net/socket.c:1192 sock_ioctl+0x576/0x790 net/socket.c:1313 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync") Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync") Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP") Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE") Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME") Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION") Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor") Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING") Reported-by: cen zhang <zzzccc427(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Chen Yu <xnguchen(a)sina.cn> --- net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------ net/bluetooth/mgmt_util.c | 46 +++++++ net/bluetooth/mgmt_util.h | 3 + 3 files changed, 231 insertions(+), 77 deletions(-) diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 57295c3a8920..9b1e11f8e1f8 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) struct mgmt_mode *cp; /* Make sure cmd still outstanding. */ - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; cp = cmd->param; @@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) mgmt_status(err)); } - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); } static int set_powered_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_mode *cp; + struct mgmt_mode cp; + + mutex_lock(&hdev->mgmt_pending_lock); /* Make sure cmd still outstanding. */ - if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); return -ECANCELED; + } - cp = cmd->param; + memcpy(&cp, cmd->param, sizeof(cp)); + + mutex_unlock(&hdev->mgmt_pending_lock); BT_DBG("%s", hdev->name); - return hci_set_powered_sync(hdev, cp->val); + return hci_set_powered_sync(hdev, cp.val); } static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, @@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, bt_dev_dbg(hdev, "err %d", err); /* Make sure cmd still outstanding. */ - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; hci_dev_lock(hdev); @@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, new_settings(hdev, cmd->sk); done: - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); hci_dev_unlock(hdev); } static int set_discoverable_sync(struct hci_dev *hdev, void *data) { + if (!mgmt_pending_listed(hdev, data)) + return -ECANCELED; + BT_DBG("%s", hdev->name); return hci_update_discoverable_sync(hdev); @@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, bt_dev_dbg(hdev, "err %d", err); /* Make sure cmd still outstanding. */ - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; hci_dev_lock(hdev); @@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, new_settings(hdev, cmd->sk); done: - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); hci_dev_unlock(hdev); } @@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev, static int set_connectable_sync(struct hci_dev *hdev, void *data) { + if (!mgmt_pending_listed(hdev, data)) + return -ECANCELED; + BT_DBG("%s", hdev->name); return hci_update_connectable_sync(hdev); @@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) { struct cmd_lookup match = { NULL, hdev }; struct mgmt_pending_cmd *cmd = data; - struct mgmt_mode *cp = cmd->param; - u8 enable = cp->val; + struct mgmt_mode *cp; + u8 enable; bool changed; /* Make sure cmd still outstanding. */ - if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; + cp = cmd->param; + enable = cp->val; + if (err) { u8 mgmt_err = mgmt_status(err); @@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) new_settings(hdev, NULL); } - mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, - cmd_status_rsp, &mgmt_err); + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); return; } @@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED); } - mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match); + settings_rsp(cmd, &match); if (changed) new_settings(hdev, match.sk); @@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) static int set_ssp_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_mode *cp = cmd->param; + struct mgmt_mode cp; bool changed = false; int err; - if (cp->val) + mutex_lock(&hdev->mgmt_pending_lock); + + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; + } + + memcpy(&cp, cmd->param, sizeof(cp)); + + mutex_unlock(&hdev->mgmt_pending_lock); + + if (cp.val) changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED); - err = hci_write_ssp_mode_sync(hdev, cp->val); + err = hci_write_ssp_mode_sync(hdev, cp.val); if (!err && changed) hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); @@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) static void set_le_complete(struct hci_dev *hdev, void *data, int err) { + struct mgmt_pending_cmd *cmd = data; struct cmd_lookup match = { NULL, hdev }; u8 status = mgmt_status(err); bt_dev_dbg(hdev, "err %d", err); - if (status) { - mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp, - &status); + if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) return; + + if (status) { + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); + goto done; } - mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match); + settings_rsp(cmd, &match); new_settings(hdev, match.sk); if (match.sk) sock_put(match.sk); + +done: + mgmt_pending_free(cmd); } static int set_le_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_mode *cp = cmd->param; - u8 val = !!cp->val; + struct mgmt_mode cp; + u8 val; int err; + mutex_lock(&hdev->mgmt_pending_lock); + + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; + } + + memcpy(&cp, cmd->param, sizeof(cp)); + val = !!cp.val; + + mutex_unlock(&hdev->mgmt_pending_lock); + if (!val) { hci_clear_adv_instance_sync(hdev, NULL, 0x00, true); @@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) { struct mgmt_pending_cmd *cmd = data; u8 status = mgmt_status(err); - struct sock *sk = cmd->sk; + struct sock *sk; + + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + sk = cmd->sk; if (status) { mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, @@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) static int set_mesh_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_cp_set_mesh *cp = cmd->param; - size_t len = cmd->param_len; + struct mgmt_cp_set_mesh cp; + size_t len; + + mutex_lock(&hdev->mgmt_pending_lock); + + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; + } + + memcpy(&cp, cmd->param, sizeof(cp)); + + mutex_unlock(&hdev->mgmt_pending_lock); + + len = cmd->param_len; memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types)); - if (cp->enable) + if (cp.enable) hci_dev_set_flag(hdev, HCI_MESH); else hci_dev_clear_flag(hdev, HCI_MESH); - hdev->le_scan_interval = __le16_to_cpu(cp->period); - hdev->le_scan_window = __le16_to_cpu(cp->window); + hdev->le_scan_interval = __le16_to_cpu(cp.period); + hdev->le_scan_window = __le16_to_cpu(cp.window); - len -= sizeof(*cp); + len -= sizeof(cp); /* If filters don't fit, forward all adv pkts */ if (len <= sizeof(hdev->mesh_ad_types)) - memcpy(hdev->mesh_ad_types, cp->ad_types, len); + memcpy(hdev->mesh_ad_types, cp.ad_types, len); hci_update_passive_scan_sync(hdev); return 0; @@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data) static void set_name_complete(struct hci_dev *hdev, void *data, int err) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_cp_set_local_name *cp = cmd->param; + struct mgmt_cp_set_local_name *cp; u8 status = mgmt_status(err); bt_dev_dbg(hdev, "err %d", err); - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; + cp = cmd->param; + if (status) { mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, status); @@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err) hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL); } - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); } static int set_name_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_cp_set_local_name *cp = cmd->param; + struct mgmt_cp_set_local_name cp; + + mutex_lock(&hdev->mgmt_pending_lock); + + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; + } + + memcpy(&cp, cmd->param, sizeof(cp)); + + mutex_unlock(&hdev->mgmt_pending_lock); if (lmp_bredr_capable(hdev)) { - hci_update_name_sync(hdev, cp->name); + hci_update_name_sync(hdev, cp.name); hci_update_eir_sync(hdev); } @@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip) static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) { struct mgmt_pending_cmd *cmd = data; - struct sk_buff *skb = cmd->skb; + struct sk_buff *skb; u8 status = mgmt_status(err); - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) - return; + skb = cmd->skb; if (!status) { if (!skb) @@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) if (skb && !IS_ERR(skb)) kfree_skb(skb); - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); } static int set_default_phy_sync(struct hci_dev *hdev, void *data) @@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data) struct mgmt_pending_cmd *cmd = data; struct mgmt_cp_set_phy_configuration *cp = cmd->param; struct hci_cp_le_set_default_phy cp_phy; - u32 selected_phys = __le32_to_cpu(cp->selected_phys); + u32 selected_phys; + + selected_phys = __le32_to_cpu(cp->selected_phys); memset(&cp_phy, 0, sizeof(cp_phy)); @@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev, goto unlock; } - cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, + cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, len); if (!cmd) err = -ENOMEM; @@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, { struct mgmt_rp_add_adv_patterns_monitor rp; struct mgmt_pending_cmd *cmd = data; - struct adv_monitor *monitor = cmd->user_data; + struct adv_monitor *monitor; + + /* This is likely the result of hdev being closed and mgmt_index_removed + * is attempting to clean up any pending command so + * hci_adv_monitors_clear is about to be called which will take care of + * freeing the adv_monitor instances. + */ + if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) + return; + + monitor = cmd->user_data; hci_dev_lock(hdev); @@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct adv_monitor *monitor = cmd->user_data; + struct adv_monitor *mon; + + mutex_lock(&hdev->mgmt_pending_lock); + + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; + } + + mon = cmd->user_data; + + mutex_unlock(&hdev->mgmt_pending_lock); - return hci_add_adv_monitor(hdev, monitor); + return hci_add_adv_monitor(hdev, mon); } static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, @@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev, status); } -static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err) +static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, + int err) { struct mgmt_rp_read_local_oob_data mgmt_rp; size_t rp_size = sizeof(mgmt_rp); @@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e bt_dev_dbg(hdev, "status %d", status); if (status) { - mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status); + mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, + status); goto remove; } @@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) bt_dev_dbg(hdev, "err %d", err); - if (err == -ECANCELED) - return; - - if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && - cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && - cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), cmd->param, 1); - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED: DISCOVERY_FINDING); @@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) static int start_discovery_sync(struct hci_dev *hdev, void *data) { + if (!mgmt_pending_listed(hdev, data)) + return -ECANCELED; + return hci_start_discovery_sync(hdev); } @@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) { struct mgmt_pending_cmd *cmd = data; - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) + if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) return; bt_dev_dbg(hdev, "err %d", err); mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), cmd->param, 1); - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); if (!err) hci_discovery_set_state(hdev, DISCOVERY_STOPPED); @@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) static int stop_discovery_sync(struct hci_dev *hdev, void *data) { + if (!mgmt_pending_listed(hdev, data)) + return -ECANCELED; + return hci_stop_discovery_sync(hdev); } @@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err) static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) { + struct mgmt_pending_cmd *cmd = data; struct cmd_lookup match = { NULL, hdev }; u8 instance; struct adv_info *adv_instance; u8 status = mgmt_status(err); + if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) + return; + if (status) { - mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, - cmd_status_rsp, &status); + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); + mgmt_pending_free(cmd); return; } @@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) else hci_dev_clear_flag(hdev, HCI_ADVERTISING); - mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp, - &match); + settings_rsp(cmd, &match); new_settings(hdev, match.sk); @@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) static int set_adv_sync(struct hci_dev *hdev, void *data) { struct mgmt_pending_cmd *cmd = data; - struct mgmt_mode *cp = cmd->param; - u8 val = !!cp->val; + struct mgmt_mode cp; + u8 val; - if (cp->val == 0x02) + mutex_lock(&hdev->mgmt_pending_lock); + + if (!__mgmt_pending_listed(hdev, cmd)) { + mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; + } + + memcpy(&cp, cmd->param, sizeof(cp)); + + mutex_unlock(&hdev->mgmt_pending_lock); + + val = !!cp.val; + + if (cp.val == 0x02) hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE); else hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE); @@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, u8 status = mgmt_status(err); u16 eir_len; - if (err == -ECANCELED || - cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) - return; - if (!status) { if (!skb) status = MGMT_STATUS_FAILED; @@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, kfree_skb(skb); kfree(mgmt_rp); - mgmt_pending_remove(cmd); + mgmt_pending_free(cmd); } static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, @@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, struct mgmt_pending_cmd *cmd; int err; - cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, + cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, cp, sizeof(*cp)); if (!cmd) return -ENOMEM; diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c index a88a07da3947..aa7b5585cb26 100644 --- a/net/bluetooth/mgmt_util.c +++ b/net/bluetooth/mgmt_util.c @@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd) mgmt_pending_free(cmd); } +bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) +{ + struct mgmt_pending_cmd *tmp; + + lockdep_assert_held(&hdev->mgmt_pending_lock); + + if (!cmd) + return false; + + list_for_each_entry(tmp, &hdev->mgmt_pending, list) { + if (cmd == tmp) + return true; + } + + return false; +} + +bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) +{ + bool listed; + + mutex_lock(&hdev->mgmt_pending_lock); + listed = __mgmt_pending_listed(hdev, cmd); + mutex_unlock(&hdev->mgmt_pending_lock); + + return listed; +} + +bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) +{ + bool listed; + + if (!cmd) + return false; + + mutex_lock(&hdev->mgmt_pending_lock); + + listed = __mgmt_pending_listed(hdev, cmd); + if (listed) + list_del(&cmd->list); + + mutex_unlock(&hdev->mgmt_pending_lock); + + return listed; +} + void mgmt_mesh_foreach(struct hci_dev *hdev, void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), void *data, struct sock *sk) diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h index 024e51dd6937..bcba8c9d8952 100644 --- a/net/bluetooth/mgmt_util.h +++ b/net/bluetooth/mgmt_util.h @@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode, void *data, u16 len); void mgmt_pending_free(struct mgmt_pending_cmd *cmd); void mgmt_pending_remove(struct mgmt_pending_cmd *cmd); +bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); +bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); +bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); void mgmt_mesh_foreach(struct hci_dev *hdev, void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), void *data, struct sock *sk); -- 2.17.1

4 weeks

2
1
0 0

[PATCH 6.12.y 0/2] Backport 2 commits to 6.12.y to fix

by Rajani Kantha

Backport commit:5701875f9609 ("ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()" to linux 6.12 branch. The fix depends on commit:69f3a3039b0d ("ext4: introduce ITAIL helper") In order to make a clean backport on stable kernel, backport 2 commits. Ye Bin (2): ext4: introduce ITAIL helper ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() fs/ext4/inode.c | 5 +++++ fs/ext4/xattr.c | 32 ++++---------------------------- fs/ext4/xattr.h | 10 ++++++++++ 3 files changed, 19 insertions(+), 28 deletions(-) -- 2.17.1

4 weeks

2
3
0 0

[PATCH stable 6.1.y] nfsd: use __clamp in nfsd4_get_drc_mem()

by NeilBrown

From: NeilBrown <neil(a)brown.name> A recent change to clamp_t() in 6.1.y caused fs/nfsd/nfs4state.c to fail to compile with gcc-9. The code was written with the assumption that when "max < min", clamp(val, min, max) would return max. This assumption is not documented as an API promise and the change cause a compile failure if it could be statically determined that "max < min". The relevant code was no longer present upstream when the clamp() change landed there, so there is no upstream change to backport. As there is no clear case that the code is functioning incorrectly, the patch aims to restore the behaviour to exactly that before the clamp change, and to match what compilers other than gcc-9 produce. clamp_t(type,v,min,max) is replaced with __clamp((type)v, (type)min, (type)max) Some of those type casts are unnecessary but they are included to make the code obviously correct. (__clamp() is the same as clamp(), but without the static API usage test). Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220745#c0 Fixes: 1519fbc8832b ("minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()") Signed-off-by: NeilBrown <neil(a)brown.name> --- fs/nfsd/nfs4state.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 08bfc2b29b65..d485a140d36d 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -1822,8 +1822,9 @@ static u32 nfsd4_get_drc_mem(struct nfsd4_channel_attrs *ca, struct nfsd_net *nn */ scale_factor = max_t(unsigned int, 8, nn->nfsd_serv->sv_nrthreads); - avail = clamp_t(unsigned long, avail, slotsize, - total_avail/scale_factor); + avail = __clamp((unsigned long)avail, + (unsigned long)slotsize, + (unsigned long)(total_avail/scale_factor)); num = min_t(int, num, avail / slotsize); num = max_t(int, num, 1); nfsd_drc_mem_used += num * slotsize; -- 2.50.0.107.gf914562f5916.dirty

4 weeks

5
7
0 0

[PATCH 6.12.y] proc: fix the issue of proc_mem_open returning NULL

by Jakub Acs

From: Penglei Jiang <superman.xpt(a)gmail.com> [ Upstream commit 65c66047259fad1b868d4454bc5af95b46a5f954 ] proc_mem_open() can return an errno, NULL, or mm_struct*. If it fails to acquire mm, it returns NULL, but the caller does not check for the case when the return value is NULL. The following conditions lead to failure in acquiring mm: - The task is a kernel thread (PF_KTHREAD) - The task is exiting (PF_EXITING) Changes: - Add documentation comments for the return value of proc_mem_open(). - Add checks in the caller to return -ESRCH when proc_mem_open() returns NULL. Link: https://lkml.kernel.org/r/20250404063357.78891-1-superman.xpt@gmail.com Reported-by: syzbot+f9238a0a31f9b5603fef(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000f52642060d4e3750@google.com Signed-off-by: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Adrian Ratiu <adrian.ratiu(a)collabora.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Felix Moessbauer <felix.moessbauer(a)siemens.com> Cc: Jeff layton <jlayton(a)kernel.org> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ acsjakub: applied cleanly ] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- fs/proc/base.c | 12 +++++++++--- fs/proc/task_mmu.c | 12 ++++++------ fs/proc/task_nommu.c | 4 ++-- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index a2541f5204af..d060af34a6e8 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -828,7 +828,13 @@ static const struct file_operations proc_single_file_operations = { .release = single_release, }; - +/* + * proc_mem_open() can return errno, NULL or mm_struct*. + * + * - Returns NULL if the task has no mm (PF_KTHREAD or PF_EXITING) + * - Returns mm_struct* on success + * - Returns error code on failure + */ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode) { struct task_struct *task = get_proc_task(inode); @@ -853,8 +859,8 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) { struct mm_struct *mm = proc_mem_open(inode, mode); - if (IS_ERR(mm)) - return PTR_ERR(mm); + if (IS_ERR_OR_NULL(mm)) + return mm ? PTR_ERR(mm) : -ESRCH; file->private_data = mm; return 0; diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 8f5ad591d762..08a06fd37f0e 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -212,8 +212,8 @@ static int proc_maps_open(struct inode *inode, struct file *file, priv->inode = inode; priv->mm = proc_mem_open(inode, PTRACE_MODE_READ); - if (IS_ERR(priv->mm)) { - int err = PTR_ERR(priv->mm); + if (IS_ERR_OR_NULL(priv->mm)) { + int err = priv->mm ? PTR_ERR(priv->mm) : -ESRCH; seq_release_private(inode, file); return err; @@ -1316,8 +1316,8 @@ static int smaps_rollup_open(struct inode *inode, struct file *file) priv->inode = inode; priv->mm = proc_mem_open(inode, PTRACE_MODE_READ); - if (IS_ERR(priv->mm)) { - ret = PTR_ERR(priv->mm); + if (IS_ERR_OR_NULL(priv->mm)) { + ret = priv->mm ? PTR_ERR(priv->mm) : -ESRCH; single_release(inode, file); goto out_free; @@ -2049,8 +2049,8 @@ static int pagemap_open(struct inode *inode, struct file *file) struct mm_struct *mm; mm = proc_mem_open(inode, PTRACE_MODE_READ); - if (IS_ERR(mm)) - return PTR_ERR(mm); + if (IS_ERR_OR_NULL(mm)) + return mm ? PTR_ERR(mm) : -ESRCH; file->private_data = mm; return 0; } diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c index bce674533000..59bfd61d653a 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c @@ -260,8 +260,8 @@ static int maps_open(struct inode *inode, struct file *file, priv->inode = inode; priv->mm = proc_mem_open(inode, PTRACE_MODE_READ); - if (IS_ERR(priv->mm)) { - int err = PTR_ERR(priv->mm); + if (IS_ERR_OR_NULL(priv->mm)) { + int err = priv->mm ? PTR_ERR(priv->mm) : -ESRCH; seq_release_private(inode, file); return err; -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Christof Hellmis Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

4 weeks

2
1
0 0

[PATCH v2] HID: memory leak in dualshock4_get_calibration_data

by Eslam Khafagy

function dualshock4_get_calibration_data allocates memory to pointer buf. however the function may exit prematurely due to transfer_failure in this case it does not handle freeing memory. this patch handles memory deallocation at exit. Reported-by: syzbot+4f5f81e1456a1f645bf8(a)syzkaller.appspotmail.com Tested-by: syzbot+4f5f81e1456a1f645bf8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/691560c4.a70a0220.3124cb.0019.GAE@google.com/T/ Fixes: 947992c7fa9e0 ("HID: playstation: DS4: Fix calibration workaround for clone devices") Cc: stable(a)vger.kernel.org Signed-off-by: Eslam Khafagy <eslam.medhat1993(a)gmail.com> --- v2: * Adding tag "Cc: stable(a)vger.kernel.org" v1: https://lore.kernel.org/all/20251115022323.1395726-1-eslam.medhat1993@gmail… --- drivers/hid/hid-playstation.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c index 63f6eb9030d1..fef81b7e27c1 100644 --- a/drivers/hid/hid-playstation.c +++ b/drivers/hid/hid-playstation.c @@ -1992,9 +1992,6 @@ static int dualshock4_get_calibration_data(struct dualshock4 *ds4) acc_z_plus = get_unaligned_le16(&buf[31]); acc_z_minus = get_unaligned_le16(&buf[33]); - /* Done parsing the buffer, so let's free it. */ - kfree(buf); - /* * Set gyroscope calibration and normalization parameters. * Data values will be normalized to 1/DS4_GYRO_RES_PER_DEG_S degree/s. @@ -2041,6 +2038,10 @@ static int dualshock4_get_calibration_data(struct dualshock4 *ds4) ds4->accel_calib_data[2].sens_denom = range_2g; transfer_failed: + /* First free buf if still allocated */ + if(buf) + kfree(buf); + /* * Sanity check gyro calibration data. This is needed to prevent crashes * during report handling of virtual, clone or broken devices not implementing -- 2.43.0

4 weeks

2
2
0 0

[PATCH v2 1/2] crypto: scatterwalk - Fix memcpy_sglist() to always succeed

by Eric Biggers

The original implementation of memcpy_sglist() was broken because it didn't handle scatterlists that describe exactly the same memory, which is a case that many callers rely on. The current implementation is broken too because it calls the skcipher_walk functions which can fail. It ignores any errors from those functions. Fix it by replacing it with a new implementation written from scratch. It always succeeds. It's also a bit faster, since it avoids the overhead of skcipher_walk. skcipher_walk includes a lot of functionality (such as alignmask handling) that's irrelevant here. Reported-by: Colin Ian King <coking(a)nvidia.com> Closes: https://lore.kernel.org/r/20251114122620.111623-1-coking@nvidia.com Fixes: 131bdceca1f0 ("crypto: scatterwalk - Add memcpy_sglist") Fixes: 0f8d42bf128d ("crypto: scatterwalk - Move skcipher walk and use it for memcpy_sglist") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- crypto/scatterwalk.c | 97 +++++++++++++++++++++++++++++++----- include/crypto/scatterwalk.h | 52 +++++++++++-------- 2 files changed, 115 insertions(+), 34 deletions(-) diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c index 1d010e2a1b1a..b95e5974e327 100644 --- a/crypto/scatterwalk.c +++ b/crypto/scatterwalk.c @@ -99,30 +99,101 @@ void memcpy_to_sglist(struct scatterlist *sg, unsigned int start, scatterwalk_start_at_pos(&walk, sg, start); memcpy_to_scatterwalk(&walk, buf, nbytes); } EXPORT_SYMBOL_GPL(memcpy_to_sglist); +/** + * memcpy_sglist() - Copy data from one scatterlist to another + * @dst: The destination scatterlist. Can be NULL if @nbytes == 0. + * @src: The source scatterlist. Can be NULL if @nbytes == 0. + * @nbytes: Number of bytes to copy + * + * The scatterlists can describe exactly the same memory, in which case this + * function is a no-op. No other overlaps are supported. + * + * Context: Any context + */ void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src, unsigned int nbytes) { - struct skcipher_walk walk = {}; + unsigned int src_offset, dst_offset; - if (unlikely(nbytes == 0)) /* in case sg == NULL */ + if (unlikely(nbytes == 0)) /* in case src and/or dst is NULL */ return; - walk.total = nbytes; - - scatterwalk_start(&walk.in, src); - scatterwalk_start(&walk.out, dst); + src_offset = src->offset; + dst_offset = dst->offset; + for (;;) { + /* Compute the length to copy this step. */ + unsigned int len = min3(src->offset + src->length - src_offset, + dst->offset + dst->length - dst_offset, + nbytes); + struct page *src_page = sg_page(src); + struct page *dst_page = sg_page(dst); + const void *src_virt; + void *dst_virt; + + if (IS_ENABLED(CONFIG_HIGHMEM)) { + /* HIGHMEM: we may have to actually map the pages. */ + const unsigned int src_oip = offset_in_page(src_offset); + const unsigned int dst_oip = offset_in_page(dst_offset); + const unsigned int limit = PAGE_SIZE; + + /* Further limit len to not cross a page boundary. */ + len = min3(len, limit - src_oip, limit - dst_oip); + + /* Compute the source and destination pages. */ + src_page += src_offset / PAGE_SIZE; + dst_page += dst_offset / PAGE_SIZE; + + if (src_page != dst_page) { + /* Copy between different pages. */ + memcpy_page(dst_page, dst_oip, + src_page, src_oip, len); + flush_dcache_page(dst_page); + } else if (src_oip != dst_oip) { + /* Copy between different parts of same page. */ + dst_virt = kmap_local_page(dst_page); + memcpy(dst_virt + dst_oip, dst_virt + src_oip, + len); + kunmap_local(dst_virt); + flush_dcache_page(dst_page); + } /* Else, it's the same memory. No action needed. */ + } else { + /* + * !HIGHMEM: no mapping needed. Just work in the linear + * buffer of each sg entry. Note that we can cross page + * boundaries, as they are not significant in this case. + */ + src_virt = page_address(src_page) + src_offset; + dst_virt = page_address(dst_page) + dst_offset; + if (src_virt != dst_virt) { + memcpy(dst_virt, src_virt, len); + if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) + __scatterwalk_flush_dcache_pages( + dst_page, dst_offset, len); + } /* Else, it's the same memory. No action needed. */ + } + nbytes -= len; + if (nbytes == 0) /* No more to copy? */ + break; - skcipher_walk_first(&walk, true); - do { - if (walk.src.virt.addr != walk.dst.virt.addr) - memcpy(walk.dst.virt.addr, walk.src.virt.addr, - walk.nbytes); - skcipher_walk_done(&walk, 0); - } while (walk.nbytes); + /* + * There's more to copy. Advance the offsets by the length + * copied this step, and advance the sg entries as needed. + */ + src_offset += len; + if (src_offset >= src->offset + src->length) { + src = sg_next(src); + src_offset = src->offset; + } + dst_offset += len; + if (dst_offset >= dst->offset + dst->length) { + dst = sg_next(dst); + dst_offset = dst->offset; + } + } } EXPORT_SYMBOL_GPL(memcpy_sglist); struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2], struct scatterlist *src, diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h index 83d14376ff2b..f485454e3955 100644 --- a/include/crypto/scatterwalk.h +++ b/include/crypto/scatterwalk.h @@ -225,10 +225,38 @@ static inline void scatterwalk_done_src(struct scatter_walk *walk, { scatterwalk_unmap(walk); scatterwalk_advance(walk, nbytes); } +/* + * Flush the dcache of any pages that overlap the region + * [offset, offset + nbytes) relative to base_page. + * + * This should be called only when ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, to ensure + * that all relevant code (including the call to sg_page() in the caller, if + * applicable) gets fully optimized out when !ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE. + */ +static inline void __scatterwalk_flush_dcache_pages(struct page *base_page, + unsigned int offset, + unsigned int nbytes) +{ + unsigned int num_pages; + + base_page += offset / PAGE_SIZE; + offset %= PAGE_SIZE; + + /* + * This is an overflow-safe version of + * num_pages = DIV_ROUND_UP(offset + nbytes, PAGE_SIZE). + */ + num_pages = nbytes / PAGE_SIZE; + num_pages += DIV_ROUND_UP(offset + (nbytes % PAGE_SIZE), PAGE_SIZE); + + for (unsigned int i = 0; i < num_pages; i++) + flush_dcache_page(base_page + i); +} + /** * scatterwalk_done_dst() - Finish one step of a walk of destination scatterlist * @walk: the scatter_walk * @nbytes: the number of bytes processed this step, less than or equal to the * number of bytes that scatterwalk_next() returned. @@ -238,31 +266,13 @@ static inline void scatterwalk_done_src(struct scatter_walk *walk, */ static inline void scatterwalk_done_dst(struct scatter_walk *walk, unsigned int nbytes) { scatterwalk_unmap(walk); - /* - * Explicitly check ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE instead of just - * relying on flush_dcache_page() being a no-op when not implemented, - * since otherwise the BUG_ON in sg_page() does not get optimized out. - * This also avoids having to consider whether the loop would get - * reliably optimized out or not. - */ - if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) { - struct page *base_page; - unsigned int offset; - int start, end, i; - - base_page = sg_page(walk->sg); - offset = walk->offset; - start = offset >> PAGE_SHIFT; - end = start + (nbytes >> PAGE_SHIFT); - end += (offset_in_page(offset) + offset_in_page(nbytes) + - PAGE_SIZE - 1) >> PAGE_SHIFT; - for (i = start; i < end; i++) - flush_dcache_page(base_page + i); - } + if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) + __scatterwalk_flush_dcache_pages(sg_page(walk->sg), + walk->offset, nbytes); scatterwalk_advance(walk, nbytes); } void scatterwalk_skip(struct scatter_walk *walk, unsigned int nbytes); -- 2.51.2

4 weeks, 1 day

1
0
0 0

[PATCH 1/2] crypto: scatterwalk - Fix memcpy_sglist() to always succeed

by Eric Biggers

The original implementation of memcpy_sglist() was broken because it didn't handle overlapping scatterlists. The current implementation is broken too because it calls the skcipher_walk functions which can fail. It ignores any errors from those functions. Fix it by replacing it with a new implementation written from scratch. It always succeeds. It's also a bit faster, since it avoids the overhead of skcipher_walk. skcipher_walk includes a lot of functionality (such as alignmask handling) that's irrelevant here. Reported-by: Colin Ian King <coking(a)nvidia.com> Closes: https://lore.kernel.org/r/20251114122620.111623-1-coking@nvidia.com Fixes: 131bdceca1f0 ("crypto: scatterwalk - Add memcpy_sglist") Fixes: 0f8d42bf128d ("crypto: scatterwalk - Move skcipher walk and use it for memcpy_sglist") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- crypto/scatterwalk.c | 103 ++++++++++++++++++++++++++++++----- include/crypto/scatterwalk.h | 52 +++++++++++------- 2 files changed, 121 insertions(+), 34 deletions(-) diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c index 1d010e2a1b1a..af6c17bfcadb 100644 --- a/crypto/scatterwalk.c +++ b/crypto/scatterwalk.c @@ -99,30 +99,107 @@ void memcpy_to_sglist(struct scatterlist *sg, unsigned int start, scatterwalk_start_at_pos(&walk, sg, start); memcpy_to_scatterwalk(&walk, buf, nbytes); } EXPORT_SYMBOL_GPL(memcpy_to_sglist); +/** + * memcpy_sglist() - Copy data from one scatterlist to another + * @dst: The destination scatterlist. Can be NULL if @nbytes == 0. + * @src: The source scatterlist. Can be NULL if @nbytes == 0. + * @nbytes: Number of bytes to copy + * + * The scatterlists can overlap. Hence this really acts like memmove(), not + * memcpy(). + * + * Context: Any context + */ void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src, unsigned int nbytes) { - struct skcipher_walk walk = {}; + unsigned int src_offset, dst_offset; - if (unlikely(nbytes == 0)) /* in case sg == NULL */ + if (unlikely(nbytes == 0)) /* in case src and/or dst is NULL */ return; - walk.total = nbytes; - - scatterwalk_start(&walk.in, src); - scatterwalk_start(&walk.out, dst); + src_offset = src->offset; + dst_offset = dst->offset; + for (;;) { + /* Compute the length to copy this step. */ + unsigned int len = min3(src->offset + src->length - src_offset, + dst->offset + dst->length - dst_offset, + nbytes); + struct page *src_page = sg_page(src); + struct page *dst_page = sg_page(dst); + const void *src_virt; + void *dst_virt; + + if (IS_ENABLED(CONFIG_HIGHMEM)) { + /* HIGHMEM: we may have to actually map the pages. */ + const unsigned int src_oip = offset_in_page(src_offset); + const unsigned int dst_oip = offset_in_page(dst_offset); + const unsigned int limit = PAGE_SIZE; + + /* Further limit len to not cross a page boundary. */ + len = min3(len, limit - src_oip, limit - dst_oip); + + /* Compute the source and destination pages. */ + src_page += src_offset / PAGE_SIZE; + dst_page += dst_offset / PAGE_SIZE; + + if (src_page != dst_page) { + /* + * Copy between different pages. + * No need for memmove(), as the pages differ. + */ + src_virt = kmap_local_page(src_page); + dst_virt = kmap_local_page(dst_page); + memcpy(dst_virt + dst_oip, src_virt + src_oip, + len); + flush_dcache_page(dst_page); + kunmap_local(dst_virt); + kunmap_local(src_virt); + } else if (src_oip != dst_oip) { + /* Copy between different parts of same page */ + dst_virt = kmap_local_page(dst_page); + memmove(dst_virt + dst_oip, dst_virt + src_oip, + len); + flush_dcache_page(dst_page); + kunmap_local(dst_virt); + } /* Exact overlap. No action needed. */ + } else { + /* + * !HIGHMEM: no mapping needed. Just work in the linear + * buffer of each sg entry. + */ + src_virt = page_address(src_page) + src_offset; + dst_virt = page_address(dst_page) + dst_offset; + if (src_virt != dst_virt) { + memmove(dst_virt, src_virt, len); + if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) + __scatterwalk_flush_dcache_pages( + dst_page, dst_offset, len); + } + } + nbytes -= len; + if (nbytes == 0) /* No more to copy? */ + break; - skcipher_walk_first(&walk, true); - do { - if (walk.src.virt.addr != walk.dst.virt.addr) - memcpy(walk.dst.virt.addr, walk.src.virt.addr, - walk.nbytes); - skcipher_walk_done(&walk, 0); - } while (walk.nbytes); + /* + * There's more to copy. Advance the offsets by the length + * copied this step, and advance the sg entries as needed. + */ + src_offset += len; + if (src_offset >= src->offset + src->length) { + src = sg_next(src); + src_offset = src->offset; + } + dst_offset += len; + if (dst_offset >= dst->offset + dst->length) { + dst = sg_next(dst); + dst_offset = dst->offset; + } + } } EXPORT_SYMBOL_GPL(memcpy_sglist); struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2], struct scatterlist *src, diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h index 83d14376ff2b..f485454e3955 100644 --- a/include/crypto/scatterwalk.h +++ b/include/crypto/scatterwalk.h @@ -225,10 +225,38 @@ static inline void scatterwalk_done_src(struct scatter_walk *walk, { scatterwalk_unmap(walk); scatterwalk_advance(walk, nbytes); } +/* + * Flush the dcache of any pages that overlap the region + * [offset, offset + nbytes) relative to base_page. + * + * This should be called only when ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, to ensure + * that all relevant code (including the call to sg_page() in the caller, if + * applicable) gets fully optimized out when !ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE. + */ +static inline void __scatterwalk_flush_dcache_pages(struct page *base_page, + unsigned int offset, + unsigned int nbytes) +{ + unsigned int num_pages; + + base_page += offset / PAGE_SIZE; + offset %= PAGE_SIZE; + + /* + * This is an overflow-safe version of + * num_pages = DIV_ROUND_UP(offset + nbytes, PAGE_SIZE). + */ + num_pages = nbytes / PAGE_SIZE; + num_pages += DIV_ROUND_UP(offset + (nbytes % PAGE_SIZE), PAGE_SIZE); + + for (unsigned int i = 0; i < num_pages; i++) + flush_dcache_page(base_page + i); +} + /** * scatterwalk_done_dst() - Finish one step of a walk of destination scatterlist * @walk: the scatter_walk * @nbytes: the number of bytes processed this step, less than or equal to the * number of bytes that scatterwalk_next() returned. @@ -238,31 +266,13 @@ static inline void scatterwalk_done_src(struct scatter_walk *walk, */ static inline void scatterwalk_done_dst(struct scatter_walk *walk, unsigned int nbytes) { scatterwalk_unmap(walk); - /* - * Explicitly check ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE instead of just - * relying on flush_dcache_page() being a no-op when not implemented, - * since otherwise the BUG_ON in sg_page() does not get optimized out. - * This also avoids having to consider whether the loop would get - * reliably optimized out or not. - */ - if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) { - struct page *base_page; - unsigned int offset; - int start, end, i; - - base_page = sg_page(walk->sg); - offset = walk->offset; - start = offset >> PAGE_SHIFT; - end = start + (nbytes >> PAGE_SHIFT); - end += (offset_in_page(offset) + offset_in_page(nbytes) + - PAGE_SIZE - 1) >> PAGE_SHIFT; - for (i = start; i < end; i++) - flush_dcache_page(base_page + i); - } + if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) + __scatterwalk_flush_dcache_pages(sg_page(walk->sg), + walk->offset, nbytes); scatterwalk_advance(walk, nbytes); } void scatterwalk_skip(struct scatter_walk *walk, unsigned int nbytes); -- 2.51.2

4 weeks, 1 day

1
1
0 0

[merged mm-hotfixes-stable] mm-swap-fix-potential-uaf-issue-for-vma-readahead.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm, swap: fix potential UAF issue for VMA readahead has been removed from the -mm tree. Its filename was mm-swap-fix-potential-uaf-issue-for-vma-readahead.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: mm, swap: fix potential UAF issue for VMA readahead Date: Tue, 11 Nov 2025 21:36:08 +0800 Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry. Link: https://lkml.kernel.org/r/20251111-swap-fix-vma-uaf-v1-1-41c660e58562@tence… Fixes: 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning") Suggested-by: Huang Ying <ying.huang(a)linux.alibaba.com> Signed-off-by: Kairui Song <kasong(a)tencent.com> Acked-by: Chris Li <chrisl(a)kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap_state.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/mm/swap_state.c~mm-swap-fix-potential-uaf-issue-for-vma-readahead +++ a/mm/swap_state.c @@ -748,6 +748,8 @@ static struct folio *swap_vma_readahead( blk_start_plug(&plug); for (addr = start; addr < end; ilx++, addr += PAGE_SIZE) { + struct swap_info_struct *si = NULL; + if (!pte++) { pte = pte_offset_map(vmf->pmd, addr); if (!pte) @@ -761,8 +763,19 @@ static struct folio *swap_vma_readahead( continue; pte_unmap(pte); pte = NULL; + /* + * Readahead entry may come from a device that we are not + * holding a reference to, try to grab a reference, or skip. + */ + if (swp_type(entry) != swp_type(targ_entry)) { + si = get_swap_device(entry); + if (!si) + continue; + } folio = __read_swap_cache_async(entry, gfp_mask, mpol, ilx, &page_allocated, false); + if (si) + put_swap_device(si); if (!folio) continue; if (page_allocated) { _ Patches currently in -mm which might be from kasong(a)tencent.com are mm-swap-do-not-perform-synchronous-discard-during-allocation.patch mm-swap-rename-helper-for-setup-bad-slots.patch mm-swap-cleanup-swap-entry-allocation-parameter.patch mm-migrate-swap-drop-usage-of-folio_index.patch mm-swap-remove-redundant-argument-for-isolating-a-cluster.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/user_events: fix type cast for write_index packed member in perf_test has been removed from the -mm tree. Its filename was selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> Subject: selftests/user_events: fix type cast for write_index packed member in perf_test Date: Thu, 6 Nov 2025 15:25:32 +0530 Accessing 'reg.write_index' directly triggers a -Waddress-of-packed-member warning due to potential unaligned pointer access: perf_test.c:239:38: warning: taking address of packed member 'write_index' of class or structure 'user_reg' may result in an unaligned pointer value [-Waddress-of-packed-member] 239 | ASSERT_NE(-1, write(self->data_fd, &reg.write_index, | ^~~~~~~~~~~~~~~ Since write(2) works with any alignment. Casting '&reg.write_index' explicitly to 'void *' to suppress this warning. Link: https://lkml.kernel.org/r/20251106095532.15185-1-ankitkhushwaha.linux@gmail… Fixes: 42187bdc3ca4 ("selftests/user_events: Add perf self-test for empty arguments events") Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> Cc: Beau Belgrave <beaub(a)linux.microsoft.com> Cc: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: sunliming <sunliming(a)kylinos.cn> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/user_events/perf_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/testing/selftests/user_events/perf_test.c~selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test +++ a/tools/testing/selftests/user_events/perf_test.c @@ -236,7 +236,7 @@ TEST_F(user, perf_empty_events) { ASSERT_EQ(1 << reg.enable_bit, self->check); /* Ensure write shows up at correct offset */ - ASSERT_NE(-1, write(self->data_fd, &reg.write_index, + ASSERT_NE(-1, write(self->data_fd, (void *)&reg.write_index, sizeof(reg.write_index))); val = (void *)(((char *)perf_page) + perf_page->data_offset); ASSERT_EQ(PERF_RECORD_SAMPLE, *val); _ Patches currently in -mm which might be from ankitkhushwaha.linux(a)gmail.com are selftest-mm-fix-pointer-comparison-in-mremap_test.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] lib-test_kho-check-if-kho-is-enabled.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: lib/test_kho: check if KHO is enabled has been removed from the -mm tree. Its filename was lib-test_kho-check-if-kho-is-enabled.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Subject: lib/test_kho: check if KHO is enabled Date: Thu, 6 Nov 2025 17:06:35 -0500 We must check whether KHO is enabled prior to issuing KHO commands, otherwise KHO internal data structures are not initialized. Link: https://lkml.kernel.org/r/20251106220635.2608494-1-pasha.tatashin@soleen.com Fixes: b753522bed0b ("kho: add test for kexec handover") Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202511061629.e242724-lkp@intel.com Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/test_kho.c | 3 +++ 1 file changed, 3 insertions(+) --- a/lib/test_kho.c~lib-test_kho-check-if-kho-is-enabled +++ a/lib/test_kho.c @@ -301,6 +301,9 @@ static int __init kho_test_init(void) phys_addr_t fdt_phys; int err; + if (!kho_is_enabled()) + return 0; + err = kho_retrieve_subtree(KHO_TEST_FDT, &fdt_phys); if (!err) return kho_test_restore(fdt_phys); _ Patches currently in -mm which might be from pasha.tatashin(a)soleen.com are kho-make-debugfs-interface-optional.patch kho-add-interfaces-to-unpreserve-folios-page-ranges-and-vmalloc.patch memblock-unpreserve-memory-in-case-of-error.patch test_kho-unpreserve-memory-in-case-of-error.patch kho-dont-unpreserve-memory-during-abort.patch liveupdate-kho-move-to-kernel-liveupdate.patch liveupdate-kho-move-to-kernel-liveupdate-fix.patch maintainers-update-kho-maintainers.patch kho-fix-misleading-log-message-in-kho_populate.patch kho-convert-__kho_abort-to-return-void.patch kho-introduce-high-level-memory-allocation-api.patch kho-preserve-fdt-folio-only-once-during-initialization.patch kho-verify-deserialization-status-and-fix-fdt-alignment-access.patch kho-always-expose-output-fdt-in-debugfs.patch kho-simplify-serialization-and-remove-__kho_abort.patch kho-remove-global-preserved_mem_map-and-store-state-in-fdt.patch kho-remove-abort-functionality-and-support-state-refresh.patch kho-update-fdt-dynamically-for-subtree-addition-removal.patch kho-allow-kexec-load-before-kho-finalization.patch kho-allow-memory-preservation-state-updates-after-finalization.patch kho-add-kconfig-option-to-enable-kho-by-default.patch liveupdate-luo_core-luo_ioctl-live-update-orchestrator.patch liveupdate-luo_core-integrate-with-kho.patch liveupdate-luo_core-integrate-with-kho-fix.patch reboot-call-liveupdate_reboot-before-kexec.patch liveupdate-luo_session-add-sessions-support.patch liveupdate-luo_session-add-sessions-support-fix.patch liveupdate-luo_ioctl-add-user-interface.patch liveupdate-luo_file-implement-file-systems-callbacks.patch liveupdate-luo_session-add-ioctls-for-file-preservation-and-state-management.patch liveupdate-luo_flb-introduce-file-lifecycle-bound-global-state.patch docs-add-luo-documentation.patch maintainers-add-liveupdate-entry.patch mm-memfd_luo-allow-preserving-memfd-fix.patch selftests-liveupdate-add-userspace-api-selftests.patch selftests-liveupdate-add-kexec-based-selftest-for-session-lifecycle.patch selftests-liveupdate-add-kexec-test-for-multiple-and-empty-sessions.patch tests-liveupdate-add-in-kernel-liveupdate-test.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-huge_memory-fix-folio-split-check-for-anon-folios-in-swapcache.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/huge_memory: fix folio split check for anon folios in swapcache has been removed from the -mm tree. Its filename was mm-huge_memory-fix-folio-split-check-for-anon-folios-in-swapcache.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Zi Yan <ziy(a)nvidia.com> Subject: mm/huge_memory: fix folio split check for anon folios in swapcache Date: Wed, 5 Nov 2025 11:29:10 -0500 Both uniform and non uniform split check missed the check to prevent splitting anon folios in swapcache to non-zero order. Splitting anon folios in swapcache to non-zero order can cause data corruption since swapcache only support PMD order and order-0 entries. This can happen when one use split_huge_pages under debugfs to split anon folios in swapcache. In-tree callers do not perform such an illegal operation. Only debugfs interface could trigger it. I will put adding a test case on my TODO list. Fix the check. Link: https://lkml.kernel.org/r/20251105162910.752266-1-ziy@nvidia.com Fixes: 58729c04cf10 ("mm/huge_memory: add buddy allocator like (non-uniform) folio_split()") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: "David Hildenbrand (Red Hat)" <david(a)kernel.org> Closes: https://lore.kernel.org/all/dc0ecc2c-4089-484f-917f-920fdca4c898@kernel.org/ Acked-by: David Hildenbrand (Red Hat) <david(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Lance Yang <lance.yang(a)linux.dev> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Nico Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-fix-folio-split-check-for-anon-folios-in-swapcache +++ a/mm/huge_memory.c @@ -3522,7 +3522,8 @@ bool non_uniform_split_supported(struct /* order-1 is not supported for anonymous THP. */ VM_WARN_ONCE(warns && new_order == 1, "Cannot split to order-1 folio"); - return new_order != 1; + if (new_order == 1) + return false; } else if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !mapping_large_folio_support(folio->mapping)) { /* @@ -3553,7 +3554,8 @@ bool uniform_split_supported(struct foli if (folio_test_anon(folio)) { VM_WARN_ONCE(warns && new_order == 1, "Cannot split to order-1 folio"); - return new_order != 1; + if (new_order == 1) + return false; } else if (new_order) { if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !mapping_large_folio_support(folio->mapping)) { _ Patches currently in -mm which might be from ziy(a)nvidia.com are mm-huge_memory-add-split_huge_page_to_order.patch mm-memory-failure-improve-large-block-size-folio-handling.patch mm-huge_memory-fix-kernel-doc-comments-for-folio_split-and-related.patch mm-huge_memory-fix-kernel-doc-comments-for-folio_split-and-related-fix.patch mm-huge_memory-fix-kernel-doc-comments-for-folio_split-and-related-fix-2.patch migrate-optimise-alloc_migration_target-fix.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] crash-fix-crashkernel-resource-shrink.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: crash: fix crashkernel resource shrink has been removed from the -mm tree. Its filename was crash-fix-crashkernel-resource-shrink.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Sourabh Jain <sourabhjain(a)linux.ibm.com> Subject: crash: fix crashkernel resource shrink Date: Sun, 2 Nov 2025 01:07:41 +0530 When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues: 1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as: cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel Instead, it should show 50MB: af000000-b21fffff : Crash kernel Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86): BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...> This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated. Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory. Link: https://lkml.kernel.org/r/20251101193741.289252-1-sourabhjain@linux.ibm.com Fixes: 16c6006af4d4 ("kexec: enable kexec_crash_size to support two crash kernel regions") Signed-off-by: Sourabh Jain <sourabhjain(a)linux.ibm.com> Acked-by: Baoquan He <bhe(a)redhat.com> Cc: Zhen Lei <thunder.leizhen(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/crash_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/crash_core.c~crash-fix-crashkernel-resource-shrink +++ a/kernel/crash_core.c @@ -373,7 +373,7 @@ static int __crash_shrink_memory(struct old_res->start = 0; old_res->end = 0; } else { - crashk_res.end = ram_res->start - 1; + old_res->end = ram_res->start - 1; } crash_free_reserved_phys_range(ram_res->start, ram_res->end); _ Patches currently in -mm which might be from sourabhjain(a)linux.ibm.com are

4 weeks, 1 day

1
0
0 0

[PATCH v2] ksmbd: vfs_cache: avoid integer overflow in inode_hash()

by Qianchang Zhao

inode_hash() currently mixes a hash value with the super_block pointer using an unbounded multiplication: tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) / L1_CACHE_BYTES; On 64-bit kernels this multiplication can overflow and wrap in unsigned long arithmetic. While this is not a memory-safety issue, it is an unbounded integer operation and weakens the mixing properties of the hash. Replace the pointer*hash multiply with hash_long() over a mixed value (hashval ^ (unsigned long)sb) and keep the existing shift/mask. This removes the overflow source and reuses the standard hash helper already used in other kernel code. This is an integer wraparound / robustness issue (CWE-190/CWE-407), not a memory-safety bug. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/vfs_cache.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c index dfed6fce8..a62ea5aae 100644 --- a/fs/smb/server/vfs_cache.c +++ b/fs/smb/server/vfs_cache.c @@ -10,6 +10,7 @@ #include <linux/vmalloc.h> #include <linux/kthread.h> #include <linux/freezer.h> +#include <linux/hash.h> #include "glob.h" #include "vfs_cache.h" @@ -65,12 +66,8 @@ static void fd_limit_close(void) static unsigned long inode_hash(struct super_block *sb, unsigned long hashval) { - unsigned long tmp; - - tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) / - L1_CACHE_BYTES; - tmp = tmp ^ ((tmp ^ GOLDEN_RATIO_PRIME) >> inode_hash_shift); - return tmp & inode_hash_mask; + unsigned long mixed = hashval ^ (unsigned long)sb; + return hash_long(mixed, inode_hash_shift) & inode_hash_mask; } static struct ksmbd_inode *__ksmbd_inode_lookup(struct dentry *de) -- 2.34.1

4 weeks, 1 day

2
1
0 0

⚡DUOONE OLED SPAN/FOLD Is LIVE — Super Early Bird Deals Are Running Fast!

by InnLead Innovative

4 weeks, 1 day

1
0
0 0

[PATCH] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32

by nicolas.ferre＠microchip.com

From: Nicolas Ferre <nicolas.ferre(a)microchip.com> Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo size of 32 data. Fix flexcom/spi nodes where this property is wrong. Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions") Cc: <stable(a)vger.kernel.org> # 5.8+ Signed-off-by: Nicolas Ferre <nicolas.ferre(a)microchip.com> --- arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/arm/boot/dts/microchip/sama5d2.dtsi b/arch/arm/boot/dts/microchip/sama5d2.dtsi index 17430d7f2055..fde890f18d20 100644 --- a/arch/arm/boot/dts/microchip/sama5d2.dtsi +++ b/arch/arm/boot/dts/microchip/sama5d2.dtsi @@ -571,7 +571,7 @@ AT91_XDMAC_DT_PERID(11))>, AT91_XDMAC_DT_PER_IF(1) | AT91_XDMAC_DT_PERID(12))>; dma-names = "tx", "rx"; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; status = "disabled"; }; @@ -642,7 +642,7 @@ AT91_XDMAC_DT_PERID(13))>, AT91_XDMAC_DT_PER_IF(1) | AT91_XDMAC_DT_PERID(14))>; dma-names = "tx", "rx"; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; status = "disabled"; }; @@ -854,7 +854,7 @@ AT91_XDMAC_DT_PERID(15))>, AT91_XDMAC_DT_PER_IF(1) | AT91_XDMAC_DT_PERID(16))>; dma-names = "tx", "rx"; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; status = "disabled"; }; @@ -925,7 +925,7 @@ AT91_XDMAC_DT_PERID(17))>, AT91_XDMAC_DT_PER_IF(1) | AT91_XDMAC_DT_PERID(18))>; dma-names = "tx", "rx"; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; status = "disabled"; }; @@ -997,7 +997,7 @@ AT91_XDMAC_DT_PERID(19))>, AT91_XDMAC_DT_PER_IF(1) | AT91_XDMAC_DT_PERID(20))>; dma-names = "tx", "rx"; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; status = "disabled"; }; -- 2.43.0

4 weeks, 1 day

2
1
0 0

Re: Request to backport data corruption fix to stable

by Steve French

Sasha, Also wanted to make sure stable gets this patch from David Howells that fixes a regression that was mentioned in some of the same email threads. It fixes an important stable regression in cifs_readv when cache=none. Bharath has also reviewed and tested it with 6.6 stable. See attached. On Fri, Nov 14, 2025 at 9:00 AM Sasha Levin <sashal(a)kernel.org> wrote: > > On Fri, Nov 14, 2025 at 04:42:57PM +0530, Shyam Prasad N wrote: > >Hi Greg/Sasha, > > > >Over the last few months, a few users have reported a data corruption > >with Linux SMB kernel client filesystem. This is one such report: > >https://lore.kernel.org/linux-cifs/36fb31bf2c854cdc930a3415f5551dcd@izw-ber… > > > >The issue is now well understood. Attached is a fix for this issue. > >I've made sure that the fix is stopping the data corruption and also > >not regressing other write patterns. > > > >The regression seems to have been introduced during a refactoring of > >this code path during the v6.3 and continued to exist till v6.9, > >before the code was refactored again with netfs helper library > >integration in v6.10. > > > >I request you to include this change in all stable trees for > >v6.3..v6.9. I've done my testing on stable-6.6. Please let me know if > >you want this tested on any other kernels. > > I'll queue it up for 6.6, thanks! > > -- > Thanks, > Sasha -- Thanks, Steve

4 weeks, 1 day

2
1
0 0

[PATCH] Bluetooth: btusb: Add one more ID 0x13d3:0x3612 for Realtek 8852CE

by Levi Zim via B4 Relay

From: Levi Zim <rsworktech(a)outlook.com> Devices with ID 13d3:3612 are found in ASUS TUF Gaming A16 (2025) and ASUS TX Gaming FA608FM. The corresponding device info from /sys/kernel/debug/usb/devices is T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=02 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3612 Rev= 0.00 S: Manufacturer=Realtek S: Product=Bluetooth Radio C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms Signed-off-by: Levi Zim <rsworktech(a)outlook.com> --- drivers/bluetooth/btusb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 8085fabadde8ff01171783b59226589757bbbbbc..d1e62b3158166a33153a6dfaade03fd3fb7d8231 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -552,6 +552,8 @@ static const struct usb_device_id quirks_table[] = { BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x13d3, 0x3592), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3612), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x0489, 0xe122), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, --- base-commit: 302a1f674c00dd5581ab8e493ef44767c5101aab change-id: 20250927-ble-13d3-3612-53a2246e4862 Best regards, -- Levi Zim <rsworktech(a)outlook.com>

4 weeks, 1 day

4
3
0 0

Re: Compile Error fs/nfsd/nfs4state.o - clamp() low limit slotsize greater than high limit total_avail/scale_factor

by Mike-SPC via Bugspray Bot

Mike-SPC writes via Kernel.org Bugzilla: Hi there, at first: Thanks for patching and investigation. I've tested the patch mentioned in https://lkml.org/lkml/2025/11/10/12 and it works (for me). Thanks again and regards, Michael View: https://bugzilla.kernel.org/show_bug.cgi?id=220745#c17 You can reply to this message to join the discussion. -- Deet-doot-dot, I am a bot. Kernel.org Bugzilla (bugspray 0.1-dev)

4 weeks, 1 day

1
0
0 0

Get the Fruit Attraction 2025 Attendee List!

by Karlee Howell

Hi, We’re offering exclusive access to the Fruit Attraction 2025 Visitor Contact List — your direct connection to verified buyers, importers, exporters, and industry leaders from the global fresh produce, logistics, and agri-innovation market. We have 97,137 verified visitor contacts in our database. You’ll receive full contact data: Individual Email Address, Phone Number, Contact Name, Job Title, Company Name, Website, Physical Address, LinkedIn Profile, and more. All data is fully 100% GDPR-compliant and ethically sourced 20% Off—Respond Before Nov 20. Let me know if you are Interested to see the pricing? Reply “Send me Pricing.” Best regards, Karlee Howell Sr. Marketing Manager Prefer not to receive these emails? Just reply “NOT INTERESTED”.

4 weeks, 1 day

1
0
0 0

Sports bags, backpacks, sportswear

by HILL APEX

Hi linux-stable-mirror(a)lists.linaro.org We make sublimated sports bags, backpacks, and sportswear. To get delivery prices, please: 1. Visit hillapex.com and pick an item. 2. Let us know your order quantity. 3. Provide your country name. Best regards, Saad Afzal Founder | Hill Apex 📧 Email: saad(a)hillapex.com 🌐 Website: hillapex.com 📞 Phone/WhatsApp: +92 300 7101027 📍 Address: Chenab Ranger’s Road, 51310 Sialkot, Pakistan

1 month

1
0
0 0

[tip: x86/boot] x86/acpi/boot: Correct acpi_is_processor_usable() check again

by tip-bot2 for Yazen Ghannam

The following commit has been merged into the x86/boot branch of tip: Commit-ID: 1c7ac68c05bc0327d725dd10aa05f5120f868250 Gitweb: https://git.kernel.org/tip/1c7ac68c05bc0327d725dd10aa05f5120f868250 Author: Yazen Ghannam <yazen.ghannam(a)amd.com> AuthorDate: Tue, 11 Nov 2025 14:53:57 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 14 Nov 2025 21:00:26 +01:00 x86/acpi/boot: Correct acpi_is_processor_usable() check again ACPI v6.3 defined a new "Online Capable" MADT LAPIC flag. This bit is used in conjunction with the "Enabled" MADT LAPIC flag to determine if a CPU can be enabled/hotplugged by the OS after boot. Before the new bit was defined, the "Enabled" bit was explicitly described like this (ACPI v6.0 wording provided): "If zero, this processor is unusable, and the operating system support will not attempt to use it" This means that CPU hotplug (based on MADT) is not possible. Many BIOS implementations follow this guidance. They may include LAPIC entries in MADT for unavailable CPUs, but since these entries are marked with "Enabled=0" it is expected that the OS will completely ignore these entries. However, QEMU will do the same (include entries with "Enabled=0") for the purpose of allowing CPU hotplug within the guest. Comment from QEMU function pc_madt_cpu_entry(): /* ACPI spec says that LAPIC entry for non present * CPU may be omitted from MADT or it must be marked * as disabled. However omitting non present CPU from * MADT breaks hotplug on linux. So possible CPUs * should be put in MADT but kept disabled. */ Recent Linux topology changes broke the QEMU use case. A following fix for the QEMU use case broke bare metal topology enumeration. Rework the Linux MADT LAPIC flags check to allow the QEMU use case only for guests and to maintain the ACPI spec behavior for bare metal. Remove an unnecessary check added to fix a bare metal case introduced by the QEMU "fix". [ bp: Change logic as Michal suggested. ] Fixes: fed8d8773b8e ("x86/acpi/boot: Correct acpi_is_processor_usable() check") Fixes: f0551af02130 ("x86/topology: Ignore non-present APIC IDs in a present package") Closes: https://lore.kernel.org/r/20251024204658.3da9bf3f.michal.pecio@gmail.com Reported-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Tested-by: Michal Pecio <michal.pecio(a)gmail.com> Tested-by: Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20251111145357.4031846-1-yazen.ghannam@amd.com --- arch/x86/kernel/acpi/boot.c | 12 ++++++++---- arch/x86/kernel/cpu/topology.c | 15 --------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 9fa321a..d6138b2 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -35,6 +35,7 @@ #include <asm/smp.h> #include <asm/i8259.h> #include <asm/setup.h> +#include <asm/hypervisor.h> #include "sleep.h" /* To include x86_acpi_suspend_lowlevel */ static int __initdata acpi_force = 0; @@ -164,11 +165,14 @@ static bool __init acpi_is_processor_usable(u32 lapic_flags) if (lapic_flags & ACPI_MADT_ENABLED) return true; - if (!acpi_support_online_capable || - (lapic_flags & ACPI_MADT_ONLINE_CAPABLE)) - return true; + if (acpi_support_online_capable) + return lapic_flags & ACPI_MADT_ONLINE_CAPABLE; - return false; + /* + * QEMU expects legacy "Enabled=0" LAPIC entries to be counted as usable + * in order to support CPU hotplug in guests. + */ + return !hypervisor_is_type(X86_HYPER_NATIVE); } static int __init diff --git a/arch/x86/kernel/cpu/topology.c b/arch/x86/kernel/cpu/topology.c index 6073a16..425404e 100644 --- a/arch/x86/kernel/cpu/topology.c +++ b/arch/x86/kernel/cpu/topology.c @@ -27,7 +27,6 @@ #include <xen/xen.h> #include <asm/apic.h> -#include <asm/hypervisor.h> #include <asm/io_apic.h> #include <asm/mpspec.h> #include <asm/msr.h> @@ -240,20 +239,6 @@ static __init void topo_register_apic(u32 apic_id, u32 acpi_id, bool present) cpuid_to_apicid[cpu] = apic_id; topo_set_cpuids(cpu, apic_id, acpi_id); } else { - u32 pkgid = topo_apicid(apic_id, TOPO_PKG_DOMAIN); - - /* - * Check for present APICs in the same package when running - * on bare metal. Allow the bogosity in a guest. - */ - if (hypervisor_is_type(X86_HYPER_NATIVE) && - topo_unit_count(pkgid, TOPO_PKG_DOMAIN, phys_cpu_present_map)) { - pr_info_once("Ignoring hot-pluggable APIC ID %x in present package.\n", - apic_id); - topo_info.nr_rejected_cpus++; - return; - } - topo_info.nr_disabled_cpus++; }

1 month

1
0
0 0

btrfs task hung in `lock_extent` syzbot report and CVE-2024-35784

by Andrey Kalachev

Hi. I've check c-repro [1] on 6.1.y branch and found that repro still produce the crash on 6.1.y. I notice that syzbot bisection result [2] is incorrect: indeed, the hung was fixed by upstream commit b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking"). Also, I saw CVE-2024-35784 [3][4] vulnerability, that have direct relation with that syzbot report. Therefore, syzbot reproducer provided additional way to check for CVE-2024-35784. I attempted to fix CVE-2024-35784 in stable 6.1.y (over v6.1.157), and found that the initial fix commit b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking") introduced regressions [5][6]. IMHO here is the minimum patch series to eliminate CVE-2024-35784 from 6.1.y: b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking") (Initial fix of the CVE-2024-35784) a1a4a9ca77f1 ("btrfs: fix race between ordered extent completion and fiemap") (Fixes: b0ad381fa769) 978b63f7464a ("btrfs: fix race when detecting delalloc ranges during fiemap") (Fixes: b0ad381fa769) 1cab1375ba6d ("btrfs: reuse cloned extent buffer during fiemap to avoid re-allocations") (Optimization: 978b63f7464a) 53e24158684b ("btrfs: set start on clone before calling copy_extent_buffer_full") (Fixes: 1cab1375ba6d) Required patches attached. Only two patches in the series have minor backport modifications due to v6.1.157 btrfs code differences. The remaining patches are identical to the upstream. Regards, AK Reported-by: syzbot+f8217aae382555004877(a)syzkaller.appspotmail.com ---- [1] https://syzkaller.appspot.com/text?tag=ReproC&x=12b4c88b280000 [2] https://syzkaller.appspot.com/bug?extid=f8217aae382555004877 [3] https://lore.kernel.org/all/2024051704-CVE-2024-35784-6dec@gregkh/ [4] https://cve.org/CVERecord/?id=CVE-2024-35784 [5] https://lore.kernel.org/linux-btrfs/cover.1709202499.git.fdmanana@suse.com/ [6] https://lore.kernel.org/all/20240304211551.880347593@linuxfoundation.org/

1 month

1
12
0 0

[PATCH 0/6] Hello,

by Miquel Raynal

Here is a series adding support for 6 Winbond SPI NOR chips. Describing these chips is needed otherwise the block protection feature is not available. Everything else looks fine otherwise. In practice I am only adding 6 very similar IDs but I split the commits because the amount of meta data to show proof that all the chips have been tested and work is pretty big. As the commits simply add an ID, I am Cc'ing stable with the hope to get these backported to LTS kernels as allowed by the stable rules (see link below, but I hope I am doing this right). Link: https://elixir.bootlin.com/linux/v6.17.7/source/Documentation/process/stabl… Thanks, Miquèl --- Miquel Raynal (6): mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips drivers/mtd/spi-nor/winbond.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) --- base-commit: 479ba7fc704936b74a91ee352fe113d6391d562f change-id: 20251105-winbond-v6-18-rc1-spi-nor-7f78cb2785d6 Best regards, -- Miquel Raynal <miquel.raynal(a)bootlin.com>

1 month

4
13
0 0

[PATCH RFC 0/2] ASoC: codecs: pm4125: Two minor fixes for potential issues

by Krzysztof Kozlowski

I marked these as fixes, but the issue is not likely to trigger in normal conditions. Not tested on hardware, please kindly provide tested-by, the best with some probe bind/unbind cycle. Best regards, Krzysztof --- Krzysztof Kozlowski (2): ASoC: codecs: pm4125: Fix potential conflict when probing two devices ASoC: codecs: pm4125: Remove irq_chip on component unbind sound/soc/codecs/pm4125.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- base-commit: d22122bd89bc5ce7b3e057d99679ca50a72a8245 change-id: 20251023-asoc-regmap-irq-chip-bb2053c32168 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

1 month

2
4
0 0

[PATCH] amba: tegra-ahb: fix device leak on smmu enable

by Johan Hovold

Make sure to drop the reference taken to the ahb platform device when looking up its driver data while enabling the smmu. Note that holding a reference to a device does not prevent its driver data from going away. Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB") Cc: stable(a)vger.kernel.org # 3.5 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/amba/tegra-ahb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/amba/tegra-ahb.c b/drivers/amba/tegra-ahb.c index c0e8b765522d..f23c3ed01810 100644 --- a/drivers/amba/tegra-ahb.c +++ b/drivers/amba/tegra-ahb.c @@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_node *dn) if (!dev) return -EPROBE_DEFER; ahb = dev_get_drvdata(dev); + put_device(dev); val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL); val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE; gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL); -- 2.49.1

1 month

3
3
0 0

[PATCH] soc/tegra: fuse: Do not register SoC device on ACPI boot

by Kartik Rajput

On Tegra platforms using ACPI, the SMCCC driver already registers the SoC device. This makes the registration performed by the Tegra fuse driver redundant. When booted via ACPI, skip registering the SoC device and suppress printing SKU information from the Tegra fuse driver, as this information is already provided by the SMCCC driver. Fixes: 972167c69080 ("soc/tegra: fuse: Add ACPI support for Tegra194 and Tegra234") Cc: stable(a)vger.kernel.org Signed-off-by: Kartik Rajput <kkartik(a)nvidia.com> --- drivers/soc/tegra/fuse/fuse-tegra.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c index d27667283846..74d2fedea71c 100644 --- a/drivers/soc/tegra/fuse/fuse-tegra.c +++ b/drivers/soc/tegra/fuse/fuse-tegra.c @@ -182,8 +182,6 @@ static int tegra_fuse_probe(struct platform_device *pdev) } fuse->soc->init(fuse); - tegra_fuse_print_sku_info(&tegra_sku_info); - tegra_soc_device_register(); err = tegra_fuse_add_lookups(fuse); if (err) -- 2.43.0

1 month

2
1
0 0

You have (4) important emails awaiting delivery to your inbox

by lists.linaro.org Email Team

1 month

1
0
0 0

[6.17 stable request] netfilter: nft_ct: add seqadj extension for natted connections

by Florian Westphal

Hello Greg, hello Sasha, Could you please queue up 90918e3b6404 ("netfilter: nft_ct: add seqadj extension for natted connections") for 6.17? As-is some more esoteric configurations may not work and provide warning splat: Missing nfct_seqadj_ext_add() setup call WARNING: .. at net/netfilter/nf_conntrack_seqadj.c:41 ... [nf_conntrack] etc. I don't think this fix has risks and I'm not aware of any dependencies. Thanks for maintaining the stable trees!

1 month

2
1
0 0

⏰Gear up — less than 23 Hours Left to Secure Your VIP DUOONE OLED SPAN/FOLD Perk!

by InnLead Innovative

1 month

1
0
0 0

[PATCH v3 1/3] rpmsg: char: Remove put_device() in rpmsg_eptdev_add()

by Dawei Li

put_device() is called on error path of rpmsg_eptdev_add() to cleanup resource attached to eptdev->dev, unfortunately it's bogus cause dev->release() is not set yet. When a struct device instance is destroyed, driver core framework checks the possible release() callback from candidates below: - struct device::release() - dev->type->release() - dev->class->dev_release() Rpmsg eptdev owns none of them so WARN() will complaint the absence of release(): [ 159.112182] ------------[ cut here ]------------ [ 159.112188] Device '(null)' does not have a release() function, it is broken and must be fixed. See Documentation/core-api/kobject.rst. [ 159.112205] WARNING: CPU: 2 PID: 1975 at drivers/base/core.c:2567 device_release+0x7a/0x90 Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") Cc: stable(a)vger.kernel.org Signed-off-by: Dawei Li <dawei.li(a)linux.dev> --- drivers/rpmsg/rpmsg_char.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c index 34b35ea74aab..1b8297b373f0 100644 --- a/drivers/rpmsg/rpmsg_char.c +++ b/drivers/rpmsg/rpmsg_char.c @@ -494,7 +494,6 @@ static int rpmsg_eptdev_add(struct rpmsg_eptdev *eptdev, if (cdev) ida_free(&rpmsg_minor_ida, MINOR(dev->devt)); free_eptdev: - put_device(dev); kfree(eptdev); return ret; -- 2.25.1

1 month

2
3
0 0

[PATCH v2] drm/xe: Prevent BIT() overflow when handling invalid prefetch region

by Shuicheng Lin

If user provides a large value (such as 0x80) for parameter prefetch_mem_region_instance in vm_bind ioctl, it will cause BIT(prefetch_region) overflow as below: " ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in drivers/gpu/drm/xe/xe_vm.c:3414:7 shift exponent 128 is too large for 64-bit type 'long unsigned int' CPU: 8 UID: 0 PID: 53120 Comm: xe_exec_system_ Tainted: G W 6.18.0-rc1-lgci-xe-kernel+ #200 PREEMPT(voluntary) Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 0812 02/24/2023 Call Trace: <TASK> dump_stack_lvl+0xa0/0xc0 dump_stack+0x10/0x20 ubsan_epilogue+0x9/0x40 __ubsan_handle_shift_out_of_bounds+0x10e/0x170 ? mutex_unlock+0x12/0x20 xe_vm_bind_ioctl.cold+0x20/0x3c [xe] ... " Fix it by validating prefetch_region before the BIT() usage. v2: Add Closes and Cc stable kernels. (Matt) Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6478 Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Shuicheng Lin <shuicheng.lin(a)intel.com> --- drivers/gpu/drm/xe/xe_vm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 8fb5cc6a69ec..7cac646bdf1c 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -3411,8 +3411,10 @@ static int vm_bind_ioctl_check_args(struct xe_device *xe, struct xe_vm *vm, op == DRM_XE_VM_BIND_OP_PREFETCH) || XE_IOCTL_DBG(xe, prefetch_region && op != DRM_XE_VM_BIND_OP_PREFETCH) || - XE_IOCTL_DBG(xe, (prefetch_region != DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC && - !(BIT(prefetch_region) & xe->info.mem_region_mask))) || + XE_IOCTL_DBG(xe, (prefetch_region != DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC && + /* Guard against undefined shift in BIT(prefetch_region) */ + (prefetch_region >= (sizeof(xe->info.mem_region_mask) * 8) || + !(BIT(prefetch_region) & xe->info.mem_region_mask)))) || XE_IOCTL_DBG(xe, obj && op == DRM_XE_VM_BIND_OP_UNMAP) || XE_IOCTL_DBG(xe, (flags & DRM_XE_VM_BIND_FLAG_MADVISE_AUTORESET) && -- 2.49.0

1 month

2
1
0 0

[PATCH] clk: tegra: tegra124-emc: Fix memory leak in load_timings_from_dt() on krealloc() failure

by Wentao Liang

The function load_timings_from_dt() directly assigns the result of krealloc() to tegra->timings, which causes a memory leak when krealloc() fails. When krealloc() returns NULL, the original pointer is lost, making it impossible to free the previously allocated memory. This fix uses a temporary variable to store the krealloc() result and only updates tegra->timings after successful allocation, preserving the original pointer in case of failure. Fixes: 888ca40e2843 ("clk: tegra: emc: Support multiple RAM codes") Cc: stable(a)vger.kernel.org Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/clk/tegra/clk-tegra124-emc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c index 2a6db0434281..ed4972fa6dab 100644 --- a/drivers/clk/tegra/clk-tegra124-emc.c +++ b/drivers/clk/tegra/clk-tegra124-emc.c @@ -444,6 +444,7 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra, u32 ram_code) { struct emc_timing *timings_ptr; + struct emc_timing *new_timings; struct device_node *child; int child_count = of_get_child_count(node); int i = 0, err; @@ -451,10 +452,15 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra, size = (tegra->num_timings + child_count) * sizeof(struct emc_timing); - tegra->timings = krealloc(tegra->timings, size, GFP_KERNEL); - if (!tegra->timings) + new_timings = krealloc(tegra->timings, size, GFP_KERNEL); + if (!new_timings) { + kfree(tegra->timings); + tegra->timings = NULL; + tegra->num_timings = 0; return -ENOMEM; + } + tegra->timings = new_timings; timings_ptr = tegra->timings + tegra->num_timings; tegra->num_timings += child_count; -- 2.34.1

1 month

3
2
0 0

[PATCH 1/2] ARM: dts: microchip: sama7d65: fix uart fifo size to 32

by nicolas.ferre＠microchip.com

From: Nicolas Ferre <nicolas.ferre(a)microchip.com> On some flexcom nodes related to uart, the fifo sizes were wrong: fix them to 32 data. Note that product datasheet is being reviewed to fix inconsistency, but this value is validated by product's designers. Fixes: 261dcfad1b59 ("ARM: dts: microchip: add sama7d65 SoC DT") Fixes: b51e4aea3ecf ("ARM: dts: microchip: sama7d65: Add FLEXCOMs to sama7d65 SoC") Cc: <stable(a)vger.kernel.org> # 6.16+ Signed-off-by: Nicolas Ferre <nicolas.ferre(a)microchip.com> --- arch/arm/boot/dts/microchip/sama7d65.dtsi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm/boot/dts/microchip/sama7d65.dtsi b/arch/arm/boot/dts/microchip/sama7d65.dtsi index e53e2dd6d530..cd2cf9a6f40b 100644 --- a/arch/arm/boot/dts/microchip/sama7d65.dtsi +++ b/arch/arm/boot/dts/microchip/sama7d65.dtsi @@ -557,7 +557,7 @@ uart4: serial@200 { dma-names = "tx", "rx"; atmel,use-dma-rx; atmel,use-dma-tx; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; atmel,usart-mode = <AT91_USART_MODE_SERIAL>; status = "disabled"; }; @@ -618,7 +618,7 @@ uart6: serial@200 { clocks = <&pmc PMC_TYPE_PERIPHERAL 40>; clock-names = "usart"; atmel,usart-mode = <AT91_USART_MODE_SERIAL>; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; status = "disabled"; }; }; @@ -643,7 +643,7 @@ uart7: serial@200 { dma-names = "tx", "rx"; atmel,use-dma-rx; atmel,use-dma-tx; - atmel,fifo-size = <16>; + atmel,fifo-size = <32>; atmel,usart-mode = <AT91_USART_MODE_SERIAL>; status = "disabled"; }; -- 2.43.0

1 month

2
3
0 0

[PATCH v2] atm/fore200e: Fix possible data race in fore200e_open()

by Gui-Dong Han

Protect access to fore200e->available_cell_rate with rate_mtx lock to prevent potential data race. In this case, since the update depends on a prior read, a data race could lead to a wrong fore200e.available_cell_rate value. The field fore200e.available_cell_rate is generally protected by the lock fore200e.rate_mtx when accessed. In all other read and write cases, this field is consistently protected by the lock, except for this case and during initialization. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <2045gemini(a)gmail.com> --- v2: * Added a description of the data race hazard in fore200e_open(), as suggested by Jakub Kicinski and Simon Horman. --- drivers/atm/fore200e.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c index 4fea1149e003..f62e38571440 100644 --- a/drivers/atm/fore200e.c +++ b/drivers/atm/fore200e.c @@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc) vcc->dev_data = NULL; + mutex_lock(&fore200e->rate_mtx); fore200e->available_cell_rate += vcc->qos.txtp.max_pcr; + mutex_unlock(&fore200e->rate_mtx); kfree(fore200e_vcc); return -EINVAL; -- 2.25.1

1 month

3
5
0 0

[PATCH v2 0/1] Bluetooth: btqca: Add WCN6855 firmware priority selection feature

by Shuai Zhang

Fixed WCN6855 firmware to use the correct FW file and added a fallback mechanism. Changes v2: - Add Fixes tag. - Add comments in the commit and code to explain the reason for the changes. - Link to v1 https://lore.kernel.org/all/20251112074638.1592864-1-quic_shuaz@quicinc.com/ Shuai Zhang (1): Bluetooth: btqca: Add WCN6855 firmware priority selection feature drivers/bluetooth/btqca.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) -- 2.34.1

1 month

3
6
0 0

[PATCH] nvmem: layouts: fix nvmem_layout_bus_uevent

by srini＠kernel.org

From: Wentao Guan <guanwentao(a)uniontech.com> correctly check the ENODEV return value. Fixes: 810b790033cc ("nvmem: layouts: fix automatic module loading") CC: stable(a)vger.kernel.org Co-developed-by: WangYuli <wangyl5933(a)chinaunicom.cn> Signed-off-by: WangYuli <wangyl5933(a)chinaunicom.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> --- Hi Greg, There is only one nvmem fix in this cycle, Can you pl pick this fix for 6.18 release. thanks, --srini drivers/nvmem/layouts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvmem/layouts.c b/drivers/nvmem/layouts.c index f381ce1e84bd..7ebe53249035 100644 --- a/drivers/nvmem/layouts.c +++ b/drivers/nvmem/layouts.c @@ -51,7 +51,7 @@ static int nvmem_layout_bus_uevent(const struct device *dev, int ret; ret = of_device_uevent_modalias(dev, env); - if (ret != ENODEV) + if (ret != -ENODEV) return ret; return 0; -- 2.51.0

1 month

1
0
0 0

[PATCH] powerpc/powermac: Fix reference count leak in i2c probe functions

by Miaoqian Lin

The of_find_node_by_name() function returns a device tree node with its reference count incremented. The caller is responsible for calling of_node_put() to release this reference when done. Fixes: 730745a5c450 ("[PATCH] 1/5 powerpc: Rework PowerMac i2c part 1") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- arch/powerpc/platforms/powermac/low_i2c.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c index 02474e27df9b..f04dbb93bbfa 100644 --- a/arch/powerpc/platforms/powermac/low_i2c.c +++ b/arch/powerpc/platforms/powermac/low_i2c.c @@ -802,8 +802,10 @@ static void __init pmu_i2c_probe(void) for (channel = 1; channel <= 2; channel++) { sz = sizeof(struct pmac_i2c_bus) + sizeof(struct adb_request); bus = kzalloc(sz, GFP_KERNEL); - if (bus == NULL) + if (bus == NULL) { + of_node_put(busnode); return; + } bus->controller = busnode; bus->busnode = busnode; @@ -928,6 +930,7 @@ static void __init smu_i2c_probe(void) bus = kzalloc(sz, GFP_KERNEL); if (bus == NULL) { of_node_put(busnode); + of_node_put(controller); return; } -- 2.39.5 (Apple Git-154)

1 month

2
1
0 0

[PATCH v4] arm64: dts: st: Add memory-region-names property for stm32mp257f-ev1

by Patrice Chotard

In order to set the AMCR register, which configures the memory-region split between ospi1 and ospi2, we need to identify the ospi instance. By using memory-region-names, it allows to identify the ospi instance this memory-region belongs to. Fixes: cad2492de91c ("arm64: dts: st: Add SPI NOR flash support on stm32mp257f-ev1 board") Cc: stable(a)vger.kernel.org Signed-off-by: Patrice Chotard <patrice.chotard(a)foss.st.com> --- Changes in v4: - Rebase on v6.18-rc1 - Link to v3: https://lore.kernel.org/r/20250811-upstream_fix_dts_omm-v3-1-c4186b7667cb@f… Changes in v3: - Set again "Cc: <stable(a)vger.kernel.org>" - Link to v2: https://lore.kernel.org/r/20250811-upstream_fix_dts_omm-v2-1-00ff55076bd5@f… Changes in v2: - Update commit message. - Use correct memory-region-names value. - Remove "Cc: <stable(a)vger.kernel.org>" tag as the fixed patch is not part of a LTS. - Link to v1: https://lore.kernel.org/r/20250806-upstream_fix_dts_omm-v1-1-e68c15ed422d@f… --- arch/arm64/boot/dts/st/stm32mp257f-ev1.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts b/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts index 6e165073f732..bb6d6393d2e4 100644 --- a/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts +++ b/arch/arm64/boot/dts/st/stm32mp257f-ev1.dts @@ -266,6 +266,7 @@ &i2c8 { &ommanager { memory-region = <&mm_ospi1>; + memory-region-names = "ospi1"; pinctrl-0 = <&ospi_port1_clk_pins_a &ospi_port1_io03_pins_a &ospi_port1_cs0_pins_a>; --- base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787 change-id: 20250806-upstream_fix_dts_omm-c006b69042f1 Best regards, -- Patrice Chotard <patrice.chotard(a)foss.st.com>

1 month

2
1
0 0

[PATCH v2] media: uvcvideo: Return queued buffers on start_streaming() failure

by Laurent Pinchart

From: Michal Pecio <michal.pecio(a)gmail.com> Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warning I got running while :; do yavta -c3 /dev/video0; done on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm. xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120 Fixes: 7dd56c47784a ("media: uvcvideo: Remove stream->is_streaming field") Cc: stable(a)vger.kernel.org Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Reviewed-by: Ricardo Ribalda <ribalda(a)chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://patch.msgid.link/20251015133642.3dede646.michal.pecio@gmail.com Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> --- Changes since v1: - Reorganize error path --- drivers/media/usb/uvc/uvc_queue.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c index 790184c9843d..e838c6c1893a 100644 --- a/drivers/media/usb/uvc/uvc_queue.c +++ b/drivers/media/usb/uvc/uvc_queue.c @@ -177,18 +177,20 @@ static int uvc_start_streaming_video(struct vb2_queue *vq, unsigned int count) ret = uvc_pm_get(stream->dev); if (ret) - return ret; + goto err_buffers; queue->buf_used = 0; ret = uvc_video_start_streaming(stream); - if (ret == 0) - return 0; + if (ret) + goto err_pm; + return 0; + +err_pm: uvc_pm_put(stream->dev); - +err_buffers: uvc_queue_return_buffers(queue, UVC_BUF_STATE_QUEUED); - return ret; } base-commit: d363bdfa0ec6b19a4f40b572cec70430d5b13ad6 -- Regards, Laurent Pinchart

1 month

2
1
0 0

[PATCH 6.12.y] wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path

by jetlan9＠163.com

From: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> [ Upstream commit 68410c5bd381a81bcc92b808e7dc4e6b9ed25d11 ] If a shared IRQ is used by the driver due to platform limitation, then the IRQ affinity hint is set right after the allocation of IRQ vectors in ath11k_pci_alloc_msi(). This does no harm unless one of the functions requesting the IRQ fails and attempt to free the IRQ. This results in the below warning: WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c Call trace: free_irq+0x278/0x29c ath11k_pcic_free_irq+0x70/0x10c [ath11k] ath11k_pci_probe+0x800/0x820 [ath11k_pci] local_pci_probe+0x40/0xbc The warning is due to not clearing the affinity hint before freeing the IRQs. So to fix this issue, clear the IRQ affinity hint before calling ath11k_pcic_free_irq() in the error path. The affinity will be cleared once again further down the error path due to code organization, but that does no harm. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1 Cc: Baochen Qiang <quic_bqiang(a)quicinc.com> Fixes: 39564b475ac5 ("wifi: ath11k: fix boot failure with one MSI vector") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> Reviewed-by: Baochen Qiang <quic_bqiang(a)quicinc.com> Link: https://patch.msgid.link/20250225053447.16824-2-manivannan.sadhasivam@linar… Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Wenshan Lan <jetlan9(a)163.com> --- drivers/net/wireless/ath/ath11k/pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c index 6ebfa5d02e2e..c1d576ff77fa 100644 --- a/drivers/net/wireless/ath/ath11k/pci.c +++ b/drivers/net/wireless/ath/ath11k/pci.c @@ -936,6 +936,8 @@ static int ath11k_pci_probe(struct pci_dev *pdev, return 0; err_free_irq: + /* __free_irq() expects the caller to have cleared the affinity hint */ + ath11k_pci_set_irq_affinity_hint(ab_pci, NULL); ath11k_pcic_free_irq(ab); err_ce_free: -- 2.43.0

1 month

1
0
0 0

[PATCH v1] LoongArch: BPF: Disable bpf trampoline kernel module function trace

by Vincent Li

The current LoongArch BPF trampoline implementation is incompatible with tracing functions in kernel modules. This causes several severe and user-visible problems: * Kernel lockups when a BPF program is attached to a module function [0]. * The `bpf_selftests/module_attach` test fails consistently. * Critical kernel modules like WireGuard experience traffic disruption when their functions are traced with fentry [1]. Given the severity and the potential for other unknown side-effects, it is safest to disable the feature entirely for now. This patch prevents the BPF subsystem from allowing trampoline attachments to module functions on LoongArch. This is a temporary mitigation until the core issues in the trampoline code for module handling can be identified and fixed. [root@fedora bpf]# ./test_progs -a module_attach -v bpf_testmod.ko is already unloaded. Loading bpf_testmod.ko... Successfully loaded bpf_testmod.ko. test_module_attach:PASS:skel_open 0 nsec test_module_attach:PASS:set_attach_target 0 nsec test_module_attach:PASS:set_attach_target_explicit 0 nsec test_module_attach:PASS:skel_load 0 nsec libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP test_module_attach:FAIL:skel_attach skeleton attach failed: -524 Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED Successfully unloaded bpf_testmod.ko. [0]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C… [1]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcF… Cc: stable(a)vger.kernel.org Fixes: f9b6b41f0cf3 (“LoongArch: BPF: Add basic bpf trampoline support”) Acked-by: Hengqi Chen <hengqi.chen(a)gmail.com> Signed-off-by: Vincent Li <vincent.mc.li(a)gmail.com> --- arch/loongarch/net/bpf_jit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c index cbe53d0b7fb0..49c1d4b95404 100644 --- a/arch/loongarch/net/bpf_jit.c +++ b/arch/loongarch/net/bpf_jit.c @@ -1624,6 +1624,9 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i /* Direct jump skips 5 NOP instructions */ else if (is_bpf_text_address((unsigned long)orig_call)) orig_call += LOONGARCH_BPF_FENTRY_NBYTES; + /* Module tracing not supported - causes kernel lockups */ + else if (is_module_text_address((unsigned long)orig_call)) + return -ENOTSUPP; if (flags & BPF_TRAMP_F_CALL_ORIG) { move_addr(ctx, LOONGARCH_GPR_A0, (const u64)im); -- 2.38.1

1 month

2
1
0 0

[PATCH 6.12.y 0/1] Backport "ALSA: hda: Fix missing pointer check in hda_component_manager_init function" to 6.12

by Rajani Kantha

Propose backporting commit:1cf11d80db5df ("ALSA: hda: Fix missing pointer check in hda_component_manager_init function") to the 6.12.y stable branch. The current 6.12 branch does not include commit:6014e9021b28 ("ALSA: hda: Move codec drivers into sound/hda/codecs directory"), so the patch has been updated to reflect the original source code path. Denis Arefev (1): ALSA: hda: Fix missing pointer check in hda_component_manager_init function sound/pci/hda/hda_component.c | 4 ++++ 1 file changed, 4 insertions(+) -- 2.17.1

1 month

1
1
0 0

+ selftests-mm-fix-division-by-zero-in-uffd-unit-tests.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftests/mm: fix division-by-zero in uffd-unit-tests has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftests-mm-fix-division-by-zero-in-uffd-unit-tests.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Carlos Llamas <cmllamas(a)google.com> Subject: selftests/mm: fix division-by-zero in uffd-unit-tests Date: Thu, 13 Nov 2025 03:46:22 +0000 Commit 4dfd4bba8578 ("selftests/mm/uffd: refactor non-composite global vars into struct") moved some of the operations previously implemented in uffd_setup_environment() earlier in the main test loop. The calculation of nr_pages, which involves a division by page_size, now occurs before checking that default_huge_page_size() returns a non-zero This leads to a division-by-zero error on systems with !CONFIG_HUGETLB. Fix this by relocating the non-zero page_size check before the nr_pages calculation, as it was originally implemented. Link: https://lkml.kernel.org/r/20251113034623.3127012-1-cmllamas@google.com Fixes: 4dfd4bba8578 ("selftests/mm/uffd: refactor non-composite global vars into struct") Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Acked-by: David Hildenbrand (Red Hat) <david(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/uffd-unit-tests.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) --- a/tools/testing/selftests/mm/uffd-unit-tests.c~selftests-mm-fix-division-by-zero-in-uffd-unit-tests +++ a/tools/testing/selftests/mm/uffd-unit-tests.c @@ -1758,10 +1758,15 @@ int main(int argc, char *argv[]) uffd_test_ops = mem_type->mem_ops; uffd_test_case_ops = test->test_case_ops; - if (mem_type->mem_flag & (MEM_HUGETLB_PRIVATE | MEM_HUGETLB)) + if (mem_type->mem_flag & (MEM_HUGETLB_PRIVATE | MEM_HUGETLB)) { gopts.page_size = default_huge_page_size(); - else + if (gopts.page_size == 0) { + uffd_test_skip("huge page size is 0, feature missing?"); + continue; + } + } else { gopts.page_size = psize(); + } /* Ensure we have at least 2 pages */ gopts.nr_pages = MAX(UFFD_TEST_MEM_SIZE, gopts.page_size * 2) @@ -1776,12 +1781,6 @@ int main(int argc, char *argv[]) continue; uffd_test_start("%s on %s", test->name, mem_type->name); - if ((mem_type->mem_flag == MEM_HUGETLB || - mem_type->mem_flag == MEM_HUGETLB_PRIVATE) && - (default_huge_page_size() == 0)) { - uffd_test_skip("huge page size is 0, feature missing?"); - continue; - } if (!uffd_feature_supported(test)) { uffd_test_skip("feature missing"); continue; _ Patches currently in -mm which might be from cmllamas(a)google.com are selftests-mm-fix-division-by-zero-in-uffd-unit-tests.patch

1 month

1
0
0 0

[PATCH] media: uvcvideo: Fix support for V4L2_CTRL_FLAG_HAS_WHICH_MIN_MAX

by Ricardo Ribalda

The VIDIOC_G_EXT_CTRLS with which V4L2_CTRL_WHICH_(MIN|MAX)_VAL can only work for controls that have previously announced support for it. This patch fixes the following v4l2-compliance error: info: checking extended control 'User Controls' (0x00980001) fail: v4l2-test-controls.cpp(980): ret != EINVAL (got 13) test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL Fixes: 39d2c891c96e ("media: uvcvideo: support V4L2_CTRL_WHICH_MIN/MAX_VAL") Cc: stable(a)vger.kernel.org Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- drivers/media/usb/uvc/uvc_ctrl.c | 11 +++++++++-- drivers/media/usb/uvc/uvc_v4l2.c | 9 ++++++--- drivers/media/usb/uvc/uvcvideo.h | 2 +- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 2905505c240c060e5034ea12d33b59d5702f2e1f..2f7d5cdd18e072a47fb5906da0f847dd449911b4 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1432,7 +1432,7 @@ static bool uvc_ctrl_is_readable(u32 which, struct uvc_control *ctrl, * auto_exposure=1, exposure_time_absolute=251. */ int uvc_ctrl_is_accessible(struct uvc_video_chain *chain, u32 v4l2_id, - const struct v4l2_ext_controls *ctrls, + const struct v4l2_ext_controls *ctrls, u32 which, unsigned long ioctl) { struct uvc_control_mapping *master_map = NULL; @@ -1442,14 +1442,21 @@ int uvc_ctrl_is_accessible(struct uvc_video_chain *chain, u32 v4l2_id, s32 val; int ret; int i; + bool is_which_min_max = (ioctl == VIDIOC_G_EXT_CTRLS && + (which == V4L2_CTRL_WHICH_MIN_VAL || + which == V4L2_CTRL_WHICH_MAX_VAL)); if (__uvc_query_v4l2_class(chain, v4l2_id, 0) >= 0) - return -EACCES; + return is_which_min_max ? -EINVAL : -EACCES; ctrl = uvc_find_control(chain, v4l2_id, &mapping); if (!ctrl) return -EINVAL; + if ((!(ctrl->info.flags & UVC_CTRL_FLAG_GET_MAX) || + !(ctrl->info.flags & UVC_CTRL_FLAG_GET_MIN)) && is_which_min_max) + return -EINVAL; + if (ioctl == VIDIOC_G_EXT_CTRLS) return uvc_ctrl_is_readable(ctrls->which, ctrl, mapping); diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index 9e4a251eca88085a1b4e0e854370015855be92ee..d5274dc94da3c60f1f4566b307dd445f30c4f45f 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -765,6 +765,7 @@ static int uvc_ioctl_query_ext_ctrl(struct file *file, void *priv, static int uvc_ctrl_check_access(struct uvc_video_chain *chain, struct v4l2_ext_controls *ctrls, + u32 which, unsigned long ioctl) { struct v4l2_ext_control *ctrl = ctrls->controls; @@ -772,7 +773,8 @@ static int uvc_ctrl_check_access(struct uvc_video_chain *chain, int ret = 0; for (i = 0; i < ctrls->count; ++ctrl, ++i) { - ret = uvc_ctrl_is_accessible(chain, ctrl->id, ctrls, ioctl); + ret = uvc_ctrl_is_accessible(chain, ctrl->id, ctrls, which, + ioctl); if (ret) break; } @@ -806,7 +808,7 @@ static int uvc_ioctl_g_ext_ctrls(struct file *file, void *priv, which = V4L2_CTRL_WHICH_CUR_VAL; } - ret = uvc_ctrl_check_access(chain, ctrls, VIDIOC_G_EXT_CTRLS); + ret = uvc_ctrl_check_access(chain, ctrls, which, VIDIOC_G_EXT_CTRLS); if (ret < 0) return ret; @@ -840,7 +842,8 @@ static int uvc_ioctl_s_try_ext_ctrls(struct uvc_fh *handle, if (!ctrls->count) return 0; - ret = uvc_ctrl_check_access(chain, ctrls, ioctl); + ret = uvc_ctrl_check_access(chain, ctrls, V4L2_CTRL_WHICH_CUR_VAL, + ioctl); if (ret < 0) return ret; diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index ed7bad31f75ca474c1037d666d5310c78dd764df..d583425893a5f716185153a07aae9bfe20182964 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -786,7 +786,7 @@ int uvc_ctrl_get(struct uvc_video_chain *chain, u32 which, struct v4l2_ext_control *xctrl); int uvc_ctrl_set(struct uvc_fh *handle, struct v4l2_ext_control *xctrl); int uvc_ctrl_is_accessible(struct uvc_video_chain *chain, u32 v4l2_id, - const struct v4l2_ext_controls *ctrls, + const struct v4l2_ext_controls *ctrls, u32 which, unsigned long ioctl); int uvc_xu_ctrl_query(struct uvc_video_chain *chain, --- base-commit: c218ce4f98eccf5a40de64c559c52d61e9cc78ee change-id: 20251028-uvc-fix-which-c3ba1fb68ed5 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

1 month

2
2
0 0

patch "iio: humditiy: hdc3020: fix units for thresholds and hysteresis" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: humditiy: hdc3020: fix units for thresholds and hysteresis to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From cb372b4f46d4285e5d2c07ba734374151b8e34e7 Mon Sep 17 00:00:00 2001 From: Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> Date: Thu, 16 Oct 2025 07:20:39 +0200 Subject: iio: humditiy: hdc3020: fix units for thresholds and hysteresis According to the ABI the units after application of scale and offset are milli degree celsius for temperature thresholds and milli percent for relative humidity thresholds. Currently the resulting units are degree celsius for temperature thresholds and hysteresis and percent for relative humidity thresholds and hysteresis. Change scale factor to fix this issue. Fixes: 3ad0e7e5f0cb ("iio: humidity: hdc3020: add threshold events support") Reported-by: Chris Lesiak <chris.lesiak(a)licorbio.com> Reviewed-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Signed-off-by: Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/humidity/hdc3020.c | 69 ++++++++++++++++++++-------------- 1 file changed, 41 insertions(+), 28 deletions(-) diff --git a/drivers/iio/humidity/hdc3020.c b/drivers/iio/humidity/hdc3020.c index 8aa567d9aded..78b2c171c8da 100644 --- a/drivers/iio/humidity/hdc3020.c +++ b/drivers/iio/humidity/hdc3020.c @@ -72,6 +72,9 @@ #define HDC3020_MAX_TEMP_HYST_MICRO 164748607 #define HDC3020_MAX_HUM_MICRO 99220264 +/* Divide 65535 from the datasheet by 5 to avoid overflows */ +#define HDC3020_THRESH_FRACTION (65535 / 5) + struct hdc3020_data { struct i2c_client *client; struct gpio_desc *reset_gpio; @@ -376,15 +379,18 @@ static int hdc3020_thresh_get_temp(u16 thresh) int temp; /* - * Get the temperature threshold from 9 LSBs, shift them to get - * the truncated temperature threshold representation and - * calculate the threshold according to the formula in the - * datasheet. Result is degree celsius scaled by 65535. + * Get the temperature threshold from 9 LSBs, shift them to get the + * truncated temperature threshold representation and calculate the + * threshold according to the explicit formula in the datasheet: + * T(C) = -45 + (175 * temp) / 65535. + * Additionally scale by HDC3020_THRESH_FRACTION to avoid precision loss + * when calculating threshold and hysteresis values. Result is degree + * celsius scaled by HDC3020_THRESH_FRACTION. */ temp = FIELD_GET(HDC3020_THRESH_TEMP_MASK, thresh) << HDC3020_THRESH_TEMP_TRUNC_SHIFT; - return -2949075 + (175 * temp); + return -2949075 / 5 + (175 / 5 * temp); } static int hdc3020_thresh_get_hum(u16 thresh) @@ -394,13 +400,16 @@ static int hdc3020_thresh_get_hum(u16 thresh) /* * Get the humidity threshold from 7 MSBs, shift them to get the * truncated humidity threshold representation and calculate the - * threshold according to the formula in the datasheet. Result is - * percent scaled by 65535. + * threshold according to the explicit formula in the datasheet: + * RH(%) = 100 * hum / 65535. + * Additionally scale by HDC3020_THRESH_FRACTION to avoid precision loss + * when calculating threshold and hysteresis values. Result is percent + * scaled by HDC3020_THRESH_FRACTION. */ hum = FIELD_GET(HDC3020_THRESH_HUM_MASK, thresh) << HDC3020_THRESH_HUM_TRUNC_SHIFT; - return hum * 100; + return hum * 100 / 5; } static u16 hdc3020_thresh_set_temp(int s_temp, u16 curr_thresh) @@ -455,8 +464,8 @@ int hdc3020_thresh_clr(s64 s_thresh, s64 s_hyst, enum iio_event_direction dir) else s_clr = s_thresh + s_hyst; - /* Divide by 65535 to get units of micro */ - return div_s64(s_clr, 65535); + /* Divide by HDC3020_THRESH_FRACTION to get units of micro */ + return div_s64(s_clr, HDC3020_THRESH_FRACTION); } static int _hdc3020_write_thresh(struct hdc3020_data *data, u16 reg, u16 val) @@ -507,7 +516,7 @@ static int hdc3020_write_thresh(struct iio_dev *indio_dev, clr = ret; /* Scale value to include decimal part into calculations */ - s_val = (val < 0) ? (val * 1000000 - val2) : (val * 1000000 + val2); + s_val = (val < 0) ? (val * 1000 - val2) : (val * 1000 + val2); switch (chan->type) { case IIO_TEMP: switch (info) { @@ -523,7 +532,8 @@ static int hdc3020_write_thresh(struct iio_dev *indio_dev, /* Calculate old hysteresis */ s_thresh = (s64)hdc3020_thresh_get_temp(thresh) * 1000000; s_clr = (s64)hdc3020_thresh_get_temp(clr) * 1000000; - s_hyst = div_s64(abs(s_thresh - s_clr), 65535); + s_hyst = div_s64(abs(s_thresh - s_clr), + HDC3020_THRESH_FRACTION); /* Set new threshold */ thresh = reg_val; /* Set old hysteresis */ @@ -532,16 +542,17 @@ static int hdc3020_write_thresh(struct iio_dev *indio_dev, case IIO_EV_INFO_HYSTERESIS: /* * Function hdc3020_thresh_get_temp returns temperature - * in degree celsius scaled by 65535. Scale by 1000000 - * to be able to subtract scaled hysteresis value. + * in degree celsius scaled by HDC3020_THRESH_FRACTION. + * Scale by 1000000 to be able to subtract scaled + * hysteresis value. */ s_thresh = (s64)hdc3020_thresh_get_temp(thresh) * 1000000; /* * Units of s_val are in micro degree celsius, scale by - * 65535 to get same units as s_thresh. + * HDC3020_THRESH_FRACTION to get same units as s_thresh. */ s_val = min(abs(s_val), HDC3020_MAX_TEMP_HYST_MICRO); - s_hyst = (s64)s_val * 65535; + s_hyst = (s64)s_val * HDC3020_THRESH_FRACTION; s_clr = hdc3020_thresh_clr(s_thresh, s_hyst, dir); s_clr = max(s_clr, HDC3020_MIN_TEMP_MICRO); s_clr = min(s_clr, HDC3020_MAX_TEMP_MICRO); @@ -565,7 +576,8 @@ static int hdc3020_write_thresh(struct iio_dev *indio_dev, /* Calculate old hysteresis */ s_thresh = (s64)hdc3020_thresh_get_hum(thresh) * 1000000; s_clr = (s64)hdc3020_thresh_get_hum(clr) * 1000000; - s_hyst = div_s64(abs(s_thresh - s_clr), 65535); + s_hyst = div_s64(abs(s_thresh - s_clr), + HDC3020_THRESH_FRACTION); /* Set new threshold */ thresh = reg_val; /* Try to set old hysteresis */ @@ -574,15 +586,16 @@ static int hdc3020_write_thresh(struct iio_dev *indio_dev, case IIO_EV_INFO_HYSTERESIS: /* * Function hdc3020_thresh_get_hum returns relative - * humidity in percent scaled by 65535. Scale by 1000000 - * to be able to subtract scaled hysteresis value. + * humidity in percent scaled by HDC3020_THRESH_FRACTION. + * Scale by 1000000 to be able to subtract scaled + * hysteresis value. */ s_thresh = (s64)hdc3020_thresh_get_hum(thresh) * 1000000; /* - * Units of s_val are in micro percent, scale by 65535 - * to get same units as s_thresh. + * Units of s_val are in micro percent, scale by + * HDC3020_THRESH_FRACTION to get same units as s_thresh. */ - s_hyst = (s64)s_val * 65535; + s_hyst = (s64)s_val * HDC3020_THRESH_FRACTION; s_clr = hdc3020_thresh_clr(s_thresh, s_hyst, dir); s_clr = max(s_clr, 0); s_clr = min(s_clr, HDC3020_MAX_HUM_MICRO); @@ -630,7 +643,7 @@ static int hdc3020_read_thresh(struct iio_dev *indio_dev, thresh = hdc3020_thresh_get_temp(ret); switch (info) { case IIO_EV_INFO_VALUE: - *val = thresh; + *val = thresh * MILLI; break; case IIO_EV_INFO_HYSTERESIS: ret = hdc3020_read_be16(data, reg_clr); @@ -638,18 +651,18 @@ static int hdc3020_read_thresh(struct iio_dev *indio_dev, return ret; clr = hdc3020_thresh_get_temp(ret); - *val = abs(thresh - clr); + *val = abs(thresh - clr) * MILLI; break; default: return -EOPNOTSUPP; } - *val2 = 65535; + *val2 = HDC3020_THRESH_FRACTION; return IIO_VAL_FRACTIONAL; case IIO_HUMIDITYRELATIVE: thresh = hdc3020_thresh_get_hum(ret); switch (info) { case IIO_EV_INFO_VALUE: - *val = thresh; + *val = thresh * MILLI; break; case IIO_EV_INFO_HYSTERESIS: ret = hdc3020_read_be16(data, reg_clr); @@ -657,12 +670,12 @@ static int hdc3020_read_thresh(struct iio_dev *indio_dev, return ret; clr = hdc3020_thresh_get_hum(ret); - *val = abs(thresh - clr); + *val = abs(thresh - clr) * MILLI; break; default: return -EOPNOTSUPP; } - *val2 = 65535; + *val2 = HDC3020_THRESH_FRACTION; return IIO_VAL_FRACTIONAL; default: return -EOPNOTSUPP; -- 2.51.2

1 month

1
0
0 0

patch "iio: humditiy: hdc3020: fix units for temperature and humidity" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: humditiy: hdc3020: fix units for temperature and humidity to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 7b8dc11c0a830caa0d890c603d597161c6c26095 Mon Sep 17 00:00:00 2001 From: Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> Date: Thu, 16 Oct 2025 07:20:38 +0200 Subject: iio: humditiy: hdc3020: fix units for temperature and humidity measurement According to the ABI the units after application of scale and offset are milli degrees for temperature measurements and milli percent for relative humidity measurements. Currently the resulting units are degree celsius for temperature measurements and percent for relative humidity measurements. Change scale factor to fix this issue. Fixes: c9180b8e39be ("iio: humidity: Add driver for ti HDC302x humidity sensors") Reported-by: Chris Lesiak <chris.lesiak(a)licorbio.com> Suggested-by: Chris Lesiak <chris.lesiak(a)licorbio.com> Reviewed-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Signed-off-by: Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/humidity/hdc3020.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/humidity/hdc3020.c b/drivers/iio/humidity/hdc3020.c index ffb25596d3a8..8aa567d9aded 100644 --- a/drivers/iio/humidity/hdc3020.c +++ b/drivers/iio/humidity/hdc3020.c @@ -301,9 +301,9 @@ static int hdc3020_read_raw(struct iio_dev *indio_dev, case IIO_CHAN_INFO_SCALE: *val2 = 65536; if (chan->type == IIO_TEMP) - *val = 175; + *val = 175 * MILLI; else - *val = 100; + *val = 100 * MILLI; return IIO_VAL_FRACTIONAL; case IIO_CHAN_INFO_OFFSET: -- 2.51.2

1 month

1
0
0 0

patch "iio: adc: ad7124: fix temperature channel" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7124: fix temperature channel to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From e2cc390a6629c76924a2740c54b144b9b28fca59 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Fri, 10 Oct 2025 15:24:31 -0500 Subject: iio: adc: ad7124: fix temperature channel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix temperature channel not working due to gain and offset not being initialized. For channels other than the voltage ones calibration is skipped (which is OK). However that results in the calibration register values tracked in st->channels[i].cfg all being zero. These zeros are later written to hardware before a measurement is made which caused the raw temperature readings to be always 8388608 (0x800000). To fix it, we just make sure the gain and offset values are set to the default values and still return early without doing an internal calibration. While here, add a comment explaining why we don't bother calibrating the temperature channel. Fixes: 47036a03a303 ("iio: adc: ad7124: Implement internal calibration at probe time") Reviewed-by: Marcelo Schmitt <marcelo.schmitt(a)analog.com> Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7124.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c index 910b40393f77..61623cc6cb25 100644 --- a/drivers/iio/adc/ad7124.c +++ b/drivers/iio/adc/ad7124.c @@ -1525,10 +1525,6 @@ static int __ad7124_calibrate_all(struct ad7124_state *st, struct iio_dev *indio int ret, i; for (i = 0; i < st->num_channels; i++) { - - if (indio_dev->channels[i].type != IIO_VOLTAGE) - continue; - /* * For calibration the OFFSET register should hold its reset default * value. For the GAIN register there is no such requirement but @@ -1538,6 +1534,14 @@ static int __ad7124_calibrate_all(struct ad7124_state *st, struct iio_dev *indio st->channels[i].cfg.calibration_offset = 0x800000; st->channels[i].cfg.calibration_gain = st->gain_default; + /* + * Only the main voltage input channels are important enough + * to be automatically calibrated here. For everything else, + * just use the default values set above. + */ + if (indio_dev->channels[i].type != IIO_VOLTAGE) + continue; + /* * Full-scale calibration isn't supported at gain 1, so skip in * that case. Note that untypically full-scale calibration has -- 2.51.2

1 month

1
0
0 0

patch "iio: accel: fix ADXL355 startup race condition" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: accel: fix ADXL355 startup race condition to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From c92c1bc408e9e11ae3c7011b062fdd74c09283a3 Mon Sep 17 00:00:00 2001 From: Valek Andrej <andrej.v(a)skyrain.eu> Date: Tue, 14 Oct 2025 09:13:44 +0200 Subject: iio: accel: fix ADXL355 startup race condition There is an race-condition where device is not full working after SW reset. Therefore it's necessary to wait some time after reset and verify shadow registers values by reading and comparing the values before/after reset. This mechanism is described in datasheet at least from revision D. Fixes: 12ed27863ea3 ("iio: accel: Add driver support for ADXL355") Signed-off-by: Valek Andrej <andrej.v(a)skyrain.eu> Signed-off-by: Kessler Markus <markus.kessler(a)hilti.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/adxl355_core.c | 44 ++++++++++++++++++++++++++++---- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/drivers/iio/accel/adxl355_core.c b/drivers/iio/accel/adxl355_core.c index 2e00fd51b4d5..5fc7f814b907 100644 --- a/drivers/iio/accel/adxl355_core.c +++ b/drivers/iio/accel/adxl355_core.c @@ -56,6 +56,8 @@ #define ADXL355_POWER_CTL_DRDY_MSK BIT(2) #define ADXL355_SELF_TEST_REG 0x2E #define ADXL355_RESET_REG 0x2F +#define ADXL355_BASE_ADDR_SHADOW_REG 0x50 +#define ADXL355_SHADOW_REG_COUNT 5 #define ADXL355_DEVID_AD_VAL 0xAD #define ADXL355_DEVID_MST_VAL 0x1D @@ -294,7 +296,12 @@ static void adxl355_fill_3db_frequency_table(struct adxl355_data *data) static int adxl355_setup(struct adxl355_data *data) { unsigned int regval; + int retries = 5; /* the number is chosen based on empirical reasons */ int ret; + u8 *shadow_regs __free(kfree) = kzalloc(ADXL355_SHADOW_REG_COUNT, GFP_KERNEL); + + if (!shadow_regs) + return -ENOMEM; ret = regmap_read(data->regmap, ADXL355_DEVID_AD_REG, &regval); if (ret) @@ -321,14 +328,41 @@ static int adxl355_setup(struct adxl355_data *data) if (regval != ADXL355_PARTID_VAL) dev_warn(data->dev, "Invalid DEV ID 0x%02x\n", regval); - /* - * Perform a software reset to make sure the device is in a consistent - * state after start-up. - */ - ret = regmap_write(data->regmap, ADXL355_RESET_REG, ADXL355_RESET_CODE); + /* Read shadow registers to be compared after reset */ + ret = regmap_bulk_read(data->regmap, + ADXL355_BASE_ADDR_SHADOW_REG, + shadow_regs, ADXL355_SHADOW_REG_COUNT); if (ret) return ret; + do { + if (--retries == 0) { + dev_err(data->dev, "Shadow registers mismatch\n"); + return -EIO; + } + + /* + * Perform a software reset to make sure the device is in a consistent + * state after start-up. + */ + ret = regmap_write(data->regmap, ADXL355_RESET_REG, + ADXL355_RESET_CODE); + if (ret) + return ret; + + /* Wait at least 5ms after software reset */ + usleep_range(5000, 10000); + + /* Read shadow registers for comparison */ + ret = regmap_bulk_read(data->regmap, + ADXL355_BASE_ADDR_SHADOW_REG, + data->buffer.buf, + ADXL355_SHADOW_REG_COUNT); + if (ret) + return ret; + } while (memcmp(shadow_regs, data->buffer.buf, + ADXL355_SHADOW_REG_COUNT)); + ret = regmap_update_bits(data->regmap, ADXL355_POWER_CTL_REG, ADXL355_POWER_CTL_DRDY_MSK, FIELD_PREP(ADXL355_POWER_CTL_DRDY_MSK, 1)); -- 2.51.2

1 month

1
0
0 0

patch "iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 3af0c1fb1cdc351b64ff1a4bc06d491490c1f10a Mon Sep 17 00:00:00 2001 From: Francesco Lavra <flavra(a)baylibre.com> Date: Fri, 17 Oct 2025 19:32:08 +0200 Subject: iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields The `decimator` and `batch` fields of struct st_lsm6dsx_settings are arrays indexed by sensor type, not by sensor hardware identifier; moreover, the `batch` field is only used for the accelerometer and gyroscope. Change the array size for `decimator` from ST_LSM6DSX_MAX_ID to ST_LSM6DSX_ID_MAX, and change the array size for `batch` from ST_LSM6DSX_MAX_ID to 2; move the enum st_lsm6dsx_sensor_id definition so that the ST_LSM6DSX_ID_MAX value is usable within the struct st_lsm6dsx_settings definition. Fixes: 801a6e0af0c6c ("iio: imu: st_lsm6dsx: add support to LSM6DSO") Signed-off-by: Francesco Lavra <flavra(a)baylibre.com> Acked-by: Lorenzo Bianconi <lorenzo(a)kernel.org> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h index c225b246c8a5..bca136392e99 100644 --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h @@ -252,6 +252,15 @@ struct st_lsm6dsx_event_settings { u8 wakeup_src_x_mask; }; +enum st_lsm6dsx_sensor_id { + ST_LSM6DSX_ID_GYRO, + ST_LSM6DSX_ID_ACC, + ST_LSM6DSX_ID_EXT0, + ST_LSM6DSX_ID_EXT1, + ST_LSM6DSX_ID_EXT2, + ST_LSM6DSX_ID_MAX +}; + enum st_lsm6dsx_ext_sensor_id { ST_LSM6DSX_ID_MAGN, }; @@ -337,23 +346,14 @@ struct st_lsm6dsx_settings { struct st_lsm6dsx_odr_table_entry odr_table[2]; struct st_lsm6dsx_samples_to_discard samples_to_discard[2]; struct st_lsm6dsx_fs_table_entry fs_table[2]; - struct st_lsm6dsx_reg decimator[ST_LSM6DSX_MAX_ID]; - struct st_lsm6dsx_reg batch[ST_LSM6DSX_MAX_ID]; + struct st_lsm6dsx_reg decimator[ST_LSM6DSX_ID_MAX]; + struct st_lsm6dsx_reg batch[2]; struct st_lsm6dsx_fifo_ops fifo_ops; struct st_lsm6dsx_hw_ts_settings ts_settings; struct st_lsm6dsx_shub_settings shub_settings; struct st_lsm6dsx_event_settings event_settings; }; -enum st_lsm6dsx_sensor_id { - ST_LSM6DSX_ID_GYRO, - ST_LSM6DSX_ID_ACC, - ST_LSM6DSX_ID_EXT0, - ST_LSM6DSX_ID_EXT1, - ST_LSM6DSX_ID_EXT2, - ST_LSM6DSX_ID_MAX, -}; - enum st_lsm6dsx_fifo_mode { ST_LSM6DSX_FIFO_BYPASS = 0x0, ST_LSM6DSX_FIFO_CONT = 0x6, -- 2.51.2

1 month

1
0
0 0

patch "iio: adc: ad7280a: fix ad7280_store_balance_timer()" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7280a: fix ad7280_store_balance_timer() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From bd886cdcbf9e746f61c74035a3acd42e9108e115 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Fri, 10 Oct 2025 10:44:45 -0500 Subject: iio: adc: ad7280a: fix ad7280_store_balance_timer() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use correct argument to iio_str_to_fixpoint() to parse 3 decimal places. iio_str_to_fixpoint() has a bit of an unintuitive API where the fract_mult parameter is the multiplier of the first decimal place as if it was already an integer. So to get 3 decimal places, fract_mult must be 100 rather than 1000. Fixes: 96ccdbc07a74 ("staging:iio:adc:ad7280a: Standardize extended ABI naming") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7280a.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/adc/ad7280a.c b/drivers/iio/adc/ad7280a.c index dda2986ccda0..50a6ff7c8b1c 100644 --- a/drivers/iio/adc/ad7280a.c +++ b/drivers/iio/adc/ad7280a.c @@ -541,7 +541,7 @@ static ssize_t ad7280_store_balance_timer(struct iio_dev *indio_dev, int val, val2; int ret; - ret = iio_str_to_fixpoint(buf, 1000, &val, &val2); + ret = iio_str_to_fixpoint(buf, 100, &val, &val2); if (ret) return ret; -- 2.51.2

1 month

1
0
0 0

patch "iio:common:ssp_sensors: Fix an error handling path ssp_probe()" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio:common:ssp_sensors: Fix an error handling path ssp_probe() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 21553258b94861a73d7f2cf15469d69240e1170d Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Fri, 10 Oct 2025 20:58:48 +0200 Subject: iio:common:ssp_sensors: Fix an error handling path ssp_probe() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If an error occurs after a successful mfd_add_devices() call, it should be undone by a corresponding mfd_remove_devices() call, as already done in the remove function. Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver") Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/iio/common/ssp_sensors/ssp_dev.c b/drivers/iio/common/ssp_sensors/ssp_dev.c index 1e167dc673ca..da09c9f3ceb6 100644 --- a/drivers/iio/common/ssp_sensors/ssp_dev.c +++ b/drivers/iio/common/ssp_sensors/ssp_dev.c @@ -503,7 +503,7 @@ static int ssp_probe(struct spi_device *spi) ret = spi_setup(spi); if (ret < 0) { dev_err(&spi->dev, "Failed to setup spi\n"); - return ret; + goto err_setup_spi; } data->fw_dl_state = SSP_FW_DL_STATE_NONE; @@ -568,6 +568,8 @@ static int ssp_probe(struct spi_device *spi) err_setup_irq: mutex_destroy(&data->pending_lock); mutex_destroy(&data->comm_lock); +err_setup_spi: + mfd_remove_devices(&spi->dev); dev_err(&spi->dev, "Probe failed!\n"); -- 2.51.2

1 month

1
0
0 0

patch "iio: buffer-dmaengine: enable .get_dma_dev()" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: buffer-dmaengine: enable .get_dma_dev() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 3db847df994d475db7812dde90376f2848bcd30a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa(a)analog.com> Date: Tue, 7 Oct 2025 10:15:23 +0100 Subject: iio: buffer-dmaengine: enable .get_dma_dev() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wire up the .get_dma_dev() callback to use the DMA buffer infrastructure's implementation. This ensures that DMABUF operations use the correct DMA device for mapping, which is essential for proper operation on systems where memory is mapped above the 32-bit range. Without this callback, the core would fall back to using the IIO device's parent, which may not have the appropriate DMA mask configuration for high memory access. Fixes: 7a86d469983a ("iio: buffer-dmaengine: Support new DMABUF based userspace API") Reviewed-by: David Lechner <dlechner(a)baylibre.com> Signed-off-by: Nuno Sá <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/buffer/industrialio-buffer-dmaengine.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/buffer/industrialio-buffer-dmaengine.c b/drivers/iio/buffer/industrialio-buffer-dmaengine.c index e9d9a7d39fe1..27dd56334345 100644 --- a/drivers/iio/buffer/industrialio-buffer-dmaengine.c +++ b/drivers/iio/buffer/industrialio-buffer-dmaengine.c @@ -177,6 +177,8 @@ static const struct iio_buffer_access_funcs iio_dmaengine_buffer_ops = { .lock_queue = iio_dma_buffer_lock_queue, .unlock_queue = iio_dma_buffer_unlock_queue, + .get_dma_dev = iio_dma_buffer_get_dma_dev, + .modes = INDIO_BUFFER_HARDWARE, .flags = INDIO_BUFFER_FLAG_FIXED_WATERMARK, }; -- 2.51.2

1 month

1
0
0 0

patch "iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 8a6b7989ff0cd0a95c93be1927f2af7ad10f28de Mon Sep 17 00:00:00 2001 From: Olivier Moysan <olivier.moysan(a)foss.st.com> Date: Thu, 2 Oct 2025 13:22:49 +0200 Subject: iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Initially st,adc-alt-channel property was defined as an enum in the DFSDM binding. The DFSDM binding has been changed to use the new IIO backend framework, along with the adoption of IIO generic channels. In this new binding st,adc-alt-channel is defined as a boolean property, but it is still handled has an enum in DFSDM driver. Fix st,adc-alt-channel property handling in DFSDM driver. Fixes: 3208fa0cd919 ("iio: adc: stm32-dfsdm: adopt generic channels bindings") Signed-off-by: Olivier Moysan <olivier.moysan(a)foss.st.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/stm32-dfsdm-adc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/stm32-dfsdm-adc.c b/drivers/iio/adc/stm32-dfsdm-adc.c index 74b1b4dc6e81..9664b9bd75d4 100644 --- a/drivers/iio/adc/stm32-dfsdm-adc.c +++ b/drivers/iio/adc/stm32-dfsdm-adc.c @@ -725,9 +725,8 @@ static int stm32_dfsdm_generic_channel_parse_of(struct stm32_dfsdm *dfsdm, } df_ch->src = val; - ret = fwnode_property_read_u32(node, "st,adc-alt-channel", &df_ch->alt_si); - if (ret != -EINVAL) - df_ch->alt_si = 0; + if (fwnode_property_present(node, "st,adc-alt-channel")) + df_ch->alt_si = 1; if (adc->dev_data->type == DFSDM_IIO) { backend = devm_iio_backend_fwnode_get(&indio_dev->dev, NULL, node); -- 2.51.2

1 month

1
0
0 0

patch "iio: pressure: bmp280: correct meas_time_us calculation" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: pressure: bmp280: correct meas_time_us calculation to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 0bf1bfde53b30da7fd7f4a6c3db5b8e77888958d Mon Sep 17 00:00:00 2001 From: Achim Gratz <Achim.Gratz(a)Stromeko.DE> Date: Sun, 28 Sep 2025 19:26:28 +0200 Subject: iio: pressure: bmp280: correct meas_time_us calculation Correction of meas_time_us initialization based on an observation and partial patch by David Lechner. The constant part of the measurement time (as described in the datasheet and implemented in the BM(P/E)2 Sensor API) was apparently forgotten (it was already correctly applied for the BMP380) and is now used. There was also another thinko in bmp280_wait_conv: data->oversampling_humid can actually have a value of 0 (for an oversampling_ratio of 1), so it can not be used to detect the presence of the humidity measurement capability. Use data->chip_info->oversampling_humid_avail instead, which is NULL for chips that cannot measure humidity and therefore must skip that part of the calculation. Closes: https://lore.kernel.org/linux-iio/875xgfg0wz.fsf@Gerda.invalid/ Fixes: 26ccfaa9ddaa ("iio: pressure: bmp280: Use sleep and forced mode for oneshot captures") Suggested-by: David Lechner <dlechner(a)baylibre.com> Tested-by: Achim Gratz <Achim.Gratz(a)Stromeko.DE> Signed-off-by: Achim Gratz <Achim.Gratz(a)Stromeko.DE> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/pressure/bmp280-core.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c index c04e8bb4c993..d983ce9c0b99 100644 --- a/drivers/iio/pressure/bmp280-core.c +++ b/drivers/iio/pressure/bmp280-core.c @@ -1040,13 +1040,16 @@ static int bmp280_wait_conv(struct bmp280_data *data) unsigned int reg, meas_time_us; int ret; - /* Check if we are using a BME280 device */ - if (data->oversampling_humid) - meas_time_us = BMP280_PRESS_HUMID_MEAS_OFFSET + - BIT(data->oversampling_humid) * BMP280_MEAS_DUR; + /* Constant part of the measurement time */ + meas_time_us = BMP280_MEAS_OFFSET; - else - meas_time_us = 0; + /* + * Check if we are using a BME280 device, + * Humidity measurement time + */ + if (data->chip_info->oversampling_humid_avail) + meas_time_us += BMP280_PRESS_HUMID_MEAS_OFFSET + + BIT(data->oversampling_humid) * BMP280_MEAS_DUR; /* Pressure measurement time */ meas_time_us += BMP280_PRESS_HUMID_MEAS_OFFSET + -- 2.51.2

1 month

1
0
0 0

patch "iio: adc: rtq6056: Correct the sign bit index" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: rtq6056: Correct the sign bit index to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 9b45744bf09fc2a3287e05287141d6e123c125a7 Mon Sep 17 00:00:00 2001 From: ChiYuan Huang <cy_huang(a)richtek.com> Date: Thu, 18 Sep 2025 11:10:59 +0800 Subject: iio: adc: rtq6056: Correct the sign bit index The vshunt/current reported register is a signed 16bit integer. The sign bit index should be '15', not '16'. Fixes: 4396f45d211b ("iio: adc: Add rtq6056 support") Reported-by: Andy Hsu <andy_ya_hsu(a)wiwynn.com> Signed-off-by: ChiYuan Huang <cy_huang(a)richtek.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/rtq6056.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/adc/rtq6056.c b/drivers/iio/adc/rtq6056.c index ad9738228b7f..2bf3a09ac6b0 100644 --- a/drivers/iio/adc/rtq6056.c +++ b/drivers/iio/adc/rtq6056.c @@ -300,7 +300,7 @@ static int rtq6056_adc_read_channel(struct rtq6056_priv *priv, return IIO_VAL_INT; case RTQ6056_REG_SHUNTVOLT: case RTQ6056_REG_CURRENT: - *val = sign_extend32(regval, 16); + *val = sign_extend32(regval, 15); return IIO_VAL_INT; default: return -EINVAL; -- 2.51.2

1 month

1
0
0 0

patch "iio: adc: ad7380: fix SPI offload trigger rate" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7380: fix SPI offload trigger rate to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 632757312d7eb320b66ca60e0cfe098ec53cee08 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Fri, 19 Sep 2025 15:50:34 -0500 Subject: iio: adc: ad7380: fix SPI offload trigger rate Add a special case to double the SPI offload trigger rate when all channels of a single-ended chip are enabled in a buffered read. The single-ended chips in the AD738x family can only do simultaneous sampling of half their channels and have a multiplexer to allow reading the other half. To comply with the IIO definition of sampling_frequency, we need to trigger twice as often when the sequencer is enabled to so that both banks can be read in a single sample period. Fixes: bbeaec81a03e ("iio: ad7380: add support for SPI offload") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7380.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/iio/adc/ad7380.c b/drivers/iio/adc/ad7380.c index fa251dc1aae6..bfd908deefc0 100644 --- a/drivers/iio/adc/ad7380.c +++ b/drivers/iio/adc/ad7380.c @@ -1227,6 +1227,14 @@ static int ad7380_offload_buffer_postenable(struct iio_dev *indio_dev) if (ret) return ret; + /* + * When the sequencer is required to read all channels, we need to + * trigger twice per sample period in order to read one complete set + * of samples. + */ + if (st->seq) + config.periodic.frequency_hz *= 2; + ret = spi_offload_trigger_enable(st->offload, st->offload_trigger, &config); if (ret) spi_unoptimize_message(&st->offload_msg); -- 2.51.2

1 month

1
0
0 0

patch "iio: adc: ad4030: Fix _scale value for common-mode channels" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad4030: Fix _scale value for common-mode channels to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From ffc74ad539136ae9e16f7b5f2e4582e88018cd49 Mon Sep 17 00:00:00 2001 From: Marcelo Schmitt <marcelo.schmitt(a)analog.com> Date: Thu, 18 Sep 2025 14:37:27 -0300 Subject: iio: adc: ad4030: Fix _scale value for common-mode channels Previously, the driver always used the amount of precision bits of differential input channels to provide the scale to mV. Though, differential and common-mode voltage channels have different amount of precision bits and the correct number of precision bits must be considered to get to a proper mV scale factor for each one. Use channel specific number of precision bits to provide the correct scale value for each channel. Fixes: de67f28abe58 ("iio: adc: ad4030: check scan_type for error") Fixes: 949abd1ca5a4 ("iio: adc: ad4030: add averaging support") Signed-off-by: Marcelo Schmitt <marcelo.schmitt(a)analog.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad4030.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/adc/ad4030.c b/drivers/iio/adc/ad4030.c index 1bc2f9a22470..d8bee6a4215a 100644 --- a/drivers/iio/adc/ad4030.c +++ b/drivers/iio/adc/ad4030.c @@ -385,7 +385,7 @@ static int ad4030_get_chan_scale(struct iio_dev *indio_dev, struct ad4030_state *st = iio_priv(indio_dev); const struct iio_scan_type *scan_type; - scan_type = iio_get_current_scan_type(indio_dev, st->chip->channels); + scan_type = iio_get_current_scan_type(indio_dev, chan); if (IS_ERR(scan_type)) return PTR_ERR(scan_type); -- 2.51.2

1 month

1
0
0 0

Optimiza tu reclutamiento con PsicoSmart

by Valeria Pérez

Mejora tus contrataciones con PsicoSmart body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Evalúa talento de forma objetiva y mejora tus contrataciones con PsicoSmart. Hola, , ¿Te ha pasado que un candidato luce perfecto en entrevista, pero en el trabajo no encaja como esperabas? En selección, confiar solo en la percepción puede llevar a decisiones costosas. Por eso quiero presentarte PsicoSmart, una herramienta creada para que los equipos de Recursos Humanos tomen decisiones más objetivas y acertadas. Con PsicoSmart puedes: Aplicar 31 pruebas psicométricas que evalúan liderazgo, honestidad, comunicación e inteligencia. Validar conocimientos técnicos con más de 2,500 exámenes especializados. Supervisar la identidad de quien responde mediante captura fotográfica automática durante la evaluación. Gestionar todo desde una sola plataforma, accesible desde cualquier dispositivo. Aprovecha el Buen Fin del 1 al 22 de noviembre y obtén hasta 15% de descuento. Si estás buscando mejorar tus procesos de contratación, esta puede ser una excelente oportunidad. Para más información, puedes responder este correo o contactarme directamente; mis datos están al final del mensaje. Saludos, -------------- Atte.: Valeria Pérez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqwiseup">click aquí</a>

1 month

1
0
0 0

Linux 6.17.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.8 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/display/msm/gmu.yaml | 34 Documentation/devicetree/bindings/eeprom/at25.yaml | 8 Documentation/netlink/specs/dpll.yaml | 2 Documentation/netlink/specs/fou.yaml | 4 Makefile | 2 arch/arc/include/asm/bitops.h | 2 arch/arm/boot/dts/nvidia/tegra20-asus-tf101.dts | 5 arch/arm/boot/dts/nvidia/tegra30-lg-p880.dts | 4 arch/arm/mach-at91/pm_suspend.S | 8 arch/arm64/boot/dts/xilinx/versal-net.dtsi | 2 arch/arm64/boot/dts/xilinx/zynqmp-zcu106-revA.dts | 4 arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 arch/loongarch/include/asm/inst.h | 5 arch/loongarch/kernel/inst.c | 12 arch/mips/boot/dts/lantiq/danube.dtsi | 6 arch/mips/boot/dts/lantiq/danube_easy50712.dts | 4 arch/mips/lantiq/xway/sysctrl.c | 2 arch/mips/sgi-ip22/ip22-platform.c | 32 arch/openrisc/kernel/module.c | 4 arch/parisc/include/asm/video.h | 2 arch/parisc/kernel/unwind.c | 13 arch/powerpc/kernel/eeh_driver.c | 2 arch/riscv/kernel/module-sections.c | 8 arch/riscv/kernel/stacktrace.c | 21 arch/riscv/mm/ptdump.c | 2 arch/riscv/net/bpf_jit_comp64.c | 5 arch/s390/Kconfig | 1 arch/s390/crypto/phmac_s390.c | 52 - arch/s390/include/asm/pci.h | 1 arch/s390/mm/dump_pagetables.c | 21 arch/s390/pci/pci_event.c | 7 arch/s390/pci/pci_irq.c | 9 arch/sparc/include/asm/elf_64.h | 1 arch/sparc/include/asm/io_64.h | 6 arch/sparc/include/asm/video.h | 2 arch/sparc/kernel/module.c | 1 arch/um/drivers/ssl.c | 5 arch/x86/Makefile | 2 arch/x86/entry/vsyscall/vsyscall_64.c | 17 arch/x86/events/intel/ds.c | 3 arch/x86/include/asm/amd/node.h | 1 arch/x86/include/asm/runtime-const.h | 4 arch/x86/include/asm/tdx.h | 2 arch/x86/include/asm/uaccess_64.h | 10 arch/x86/include/asm/video.h | 2 arch/x86/kernel/amd_node.c | 150 +-- arch/x86/kernel/cpu/amd.c | 11 arch/x86/kernel/cpu/common.c | 6 arch/x86/kernel/cpu/microcode/amd.c | 2 arch/x86/kernel/cpu/mshyperv.c | 11 arch/x86/kernel/fpu/core.c | 3 arch/x86/kernel/kvm.c | 20 arch/x86/kvm/vmx/tdx.c | 9 arch/x86/net/bpf_jit_comp.c | 2 arch/x86/video/video-common.c | 25 arch/x86/virt/vmx/tdx/tdx.c | 21 block/blk-cgroup.c | 23 block/blk-map.c | 2 block/blk-merge.c | 21 drivers/accel/amdxdna/aie2_ctx.c | 59 - drivers/accel/amdxdna/aie2_pci.c | 37 drivers/accel/amdxdna/aie2_pci.h | 5 drivers/accel/amdxdna/amdxdna_ctx.c | 26 drivers/accel/amdxdna/amdxdna_ctx.h | 2 drivers/accel/amdxdna/amdxdna_pci_drv.c | 74 - drivers/accel/amdxdna/amdxdna_pci_drv.h | 4 drivers/accel/habanalabs/common/memory.c | 2 drivers/accel/habanalabs/gaudi/gaudi.c | 19 drivers/accel/habanalabs/gaudi2/gaudi2.c | 15 drivers/accel/habanalabs/gaudi2/gaudi2_coresight.c | 2 drivers/acpi/acpi_mrrm.c | 3 drivers/acpi/acpi_video.c | 4 drivers/acpi/acpica/dsmethod.c | 10 drivers/acpi/button.c | 4 drivers/acpi/device_sysfs.c | 2 drivers/acpi/fan.h | 7 drivers/acpi/fan_attr.c | 2 drivers/acpi/fan_core.c | 36 drivers/acpi/fan_hwmon.c | 11 drivers/acpi/prmt.c | 19 drivers/acpi/property.c | 24 drivers/acpi/resource.c | 7 drivers/acpi/scan.c | 4 drivers/acpi/spcr.c | 10 drivers/acpi/video_detect.c | 8 drivers/base/regmap/regmap-slimbus.c | 6 drivers/bluetooth/btintel.c | 3 drivers/bluetooth/btintel_pcie.c | 20 drivers/bluetooth/btmtksdio.c | 12 drivers/bluetooth/btrtl.c | 4 drivers/bluetooth/btusb.c | 21 drivers/bluetooth/hci_bcsp.c | 3 drivers/bus/mhi/host/internal.h | 2 drivers/bus/mhi/host/pci_generic.c | 16 drivers/bus/mhi/host/pm.c | 2 drivers/char/hw_random/timeriomem-rng.c | 2 drivers/char/misc.c | 12 drivers/clk/at91/clk-master.c | 3 drivers/clk/at91/clk-sam9x60-pll.c | 75 - drivers/clk/at91/pmc.h | 1 drivers/clk/at91/sam9x60.c | 2 drivers/clk/at91/sam9x7.c | 6 drivers/clk/at91/sama7d65.c | 4 drivers/clk/at91/sama7g5.c | 2 drivers/clk/clk-scmi.c | 11 drivers/clk/qcom/gcc-ipq6018.c | 60 - drivers/clk/renesas/rzv2h-cpg.c | 13 drivers/clk/samsung/clk-exynos990.c | 2 drivers/clk/sunxi-ng/ccu-sun6i-rtc.c | 11 drivers/clk/thead/clk-th1520-ap.c | 44 - drivers/clk/ti/clk-33xx.c | 2 drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 drivers/clocksource/hyperv_timer.c | 10 drivers/clocksource/timer-rtl-otto.c | 26 drivers/clocksource/timer-vf-pit.c | 22 drivers/cpufreq/cpufreq_ondemand.c | 25 drivers/cpufreq/cpufreq_ondemand.h | 23 drivers/cpufreq/longhaul.c | 3 drivers/cpufreq/tegra186-cpufreq.c | 27 drivers/cpufreq/ti-cpufreq.c | 2 drivers/cpuidle/cpuidle.c | 8 drivers/cpuidle/governors/menu.c | 73 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 5 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 2 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-trng.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 drivers/crypto/aspeed/aspeed-acry.c | 2 drivers/crypto/caam/ctrl.c | 4 drivers/crypto/ccp/hsti.c | 2 drivers/crypto/ccp/sev-dev.c | 10 drivers/crypto/hisilicon/qm.c | 78 + drivers/crypto/intel/qat/qat_common/qat_uclo.c | 2 drivers/dma-buf/dma-fence.c | 2 drivers/dma/dw-edma/dw-edma-core.c | 22 drivers/dma/idxd/init.c | 2 drivers/dma/idxd/registers.h | 1 drivers/dma/mv_xor.c | 4 drivers/dma/sh/shdma-base.c | 25 drivers/dma/sh/shdmac.c | 17 drivers/extcon/extcon-adc-jack.c | 2 drivers/extcon/extcon-axp288.c | 2 drivers/extcon/extcon-fsa9480.c | 2 drivers/firewire/ohci.c | 12 drivers/firmware/qcom/qcom_scm.c | 4 drivers/firmware/qcom/qcom_tzmem.c | 1 drivers/firmware/ti_sci.c | 57 + drivers/firmware/ti_sci.h | 3 drivers/gpio/gpiolib-swnode.c | 2 drivers/gpio/gpiolib.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 53 - drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 19 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 66 + drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 21 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 68 - drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 125 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 123 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 40 drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.h | 4 drivers/gpu/drm/amd/amdgpu/atom.c | 4 drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 12 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 20 drivers/gpu/drm/amd/amdgpu/mes_userqueue.c | 23 drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c | 32 drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c | 35 drivers/gpu/drm/amd/amdgpu/soc15.c | 1 drivers/gpu/drm/amd/amdgpu/umc_v12_0.c | 5 drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 11 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 20 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 19 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 20 drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 11 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 25 drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.c | 56 + drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.h | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 185 +++- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 17 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c | 86 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 34 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 13 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 2 drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 3 drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 5 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 16 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c | 142 +++ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.h | 5 drivers/gpu/drm/amd/display/dc/core/dc.c | 27 drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c | 2 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 14 drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 4 drivers/gpu/drm/amd/display/dc/dc_helper.c | 5 drivers/gpu/drm/amd/display/dc/dc_stream.h | 3 drivers/gpu/drm/amd/display/dc/dccg/dcn401/dcn401_dccg.c | 2 drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c | 1 drivers/gpu/drm/amd/display/dc/dm_services.h | 2 drivers/gpu/drm/amd/display/dc/dml/dcn301/dcn301_fpu.c | 20 drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 2 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 28 drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 3 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 5 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 73 - drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 5 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 drivers/gpu/drm/amd/display/dc/inc/hw/timing_generator.h | 1 drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 18 drivers/gpu/drm/amd/display/dc/link/link_detection.c | 5 drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 drivers/gpu/drm/amd/display/dc/link/link_validation.c | 6 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_dpia_bw.c | 60 - drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 9 drivers/gpu/drm/amd/display/dc/optc/dcn32/dcn32_optc.h | 1 drivers/gpu/drm/amd/display/dc/optc/dcn35/dcn35_optc.c | 18 drivers/gpu/drm/amd/display/dc/optc/dcn401/dcn401_optc.c | 5 drivers/gpu/drm/amd/display/dc/resource/dce100/dce100_resource.c | 10 drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c | 21 drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c | 10 drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 1 drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c | 7 drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h | 18 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn32.c | 53 - drivers/gpu/drm/amd/display/dmub/src/dmub_dcn32.h | 8 drivers/gpu/drm/amd/display/include/dal_asic_id.h | 5 drivers/gpu/drm/amd/include/amd_cper.h | 2 drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h | 2 drivers/gpu/drm/amd/pm/amdgpu_pm.c | 5 drivers/gpu/drm/amd/pm/legacy-dpm/si_smc.c | 26 drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 3 drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 drivers/gpu/drm/ast/ast_drv.h | 8 drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 23 drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 18 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 12 drivers/gpu/drm/bridge/display-connector.c | 3 drivers/gpu/drm/drm_gem_atomic_helper.c | 8 drivers/gpu/drm/drm_gpusvm.c | 33 drivers/gpu/drm/drm_panel_backlight_quirks.c | 2 drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 drivers/gpu/drm/i915/display/intel_dmc.c | 55 + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 drivers/gpu/drm/mediatek/mtk_plane.c | 24 drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 10 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 113 ++ drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 1 drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 20 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 17 drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c | 35 drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.h | 3 drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 15 drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 10 drivers/gpu/drm/msm/msm_gem.c | 31 drivers/gpu/drm/msm/msm_gem.h | 6 drivers/gpu/drm/msm/msm_gem_prime.c | 2 drivers/gpu/drm/msm/msm_gem_submit.c | 9 drivers/gpu/drm/msm/msm_gem_vma.c | 2 drivers/gpu/drm/msm/registers/gen_header.py | 7 drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 drivers/gpu/drm/nouveau/dispnv50/disp.h | 1 drivers/gpu/drm/nouveau/dispnv50/wndw.c | 24 drivers/gpu/drm/nouveau/dispnv50/wndwca7e.c | 33 drivers/gpu/drm/nouveau/nouveau_sched.c | 14 drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c | 3 drivers/gpu/drm/panel/panel-edp.c | 1 drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 31 drivers/gpu/drm/panthor/panthor_gpu.c | 7 drivers/gpu/drm/panthor/panthor_mmu.c | 4 drivers/gpu/drm/radeon/radeon_drv.c | 25 drivers/gpu/drm/radeon/radeon_kms.c | 1 drivers/gpu/drm/scheduler/sched_entity.c | 40 drivers/gpu/drm/sitronix/st7571-i2c.c | 7 drivers/gpu/drm/tidss/tidss_crtc.c | 7 drivers/gpu/drm/tidss/tidss_dispc.c | 16 drivers/gpu/drm/tidss/tidss_drv.c | 9 drivers/gpu/drm/tiny/sharp-memory.c | 27 drivers/gpu/drm/xe/abi/guc_errors_abi.h | 3 drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 1 drivers/gpu/drm/xe/xe_bo.c | 41 drivers/gpu/drm/xe/xe_configfs.c | 9 drivers/gpu/drm/xe/xe_device.c | 12 drivers/gpu/drm/xe/xe_device_sysfs.c | 8 drivers/gpu/drm/xe/xe_gt.c | 21 drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 24 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h | 1 drivers/gpu/drm/xe/xe_guc.c | 40 drivers/gpu/drm/xe/xe_guc_ads.c | 35 drivers/gpu/drm/xe/xe_guc_ct.c | 50 + drivers/gpu/drm/xe/xe_guc_ct.h | 1 drivers/gpu/drm/xe/xe_guc_log.h | 2 drivers/gpu/drm/xe/xe_hwmon.c | 8 drivers/gpu/drm/xe/xe_i2c.c | 2 drivers/gpu/drm/xe/xe_lmtt.c | 9 drivers/gpu/drm/xe/xe_migrate.c | 14 drivers/gpu/drm/xe/xe_pm.c | 8 drivers/gpu/drm/xe/xe_pt.c | 4 drivers/gpu/drm/xe/xe_pt_types.h | 3 drivers/gpu/drm/xe/xe_vm.c | 34 drivers/gpu/drm/xe/xe_vram_freq.c | 4 drivers/gpu/drm/xe/xe_wa.c | 17 drivers/gpu/drm/xe/xe_wa_oob.rules | 3 drivers/gpu/nova-core/regs.rs | 5 drivers/gpu/nova-core/regs/macros.rs | 2 drivers/hid/hid-asus.c | 6 drivers/hid/hid-ids.h | 2 drivers/hid/hid-universal-pidff.c | 20 drivers/hid/i2c-hid/i2c-hid-acpi.c | 8 drivers/hid/i2c-hid/i2c-hid-core.c | 28 drivers/hid/i2c-hid/i2c-hid.h | 2 drivers/hid/usbhid/hid-pidff.c | 42 drivers/hid/usbhid/hid-pidff.h | 2 drivers/hwmon/asus-ec-sensors.c | 2 drivers/hwmon/dell-smm-hwmon.c | 21 drivers/hwmon/k10temp.c | 10 drivers/hwmon/lenovo-ec-sensors.c | 34 drivers/hwmon/sbtsi_temp.c | 46 - drivers/hwmon/sy7636a-hwmon.c | 1 drivers/i3c/master/dw-i3c-master.c | 23 drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c | 3 drivers/iio/adc/ad7124.c | 62 + drivers/iio/adc/imx93_adc.c | 18 drivers/iio/adc/spear_adc.c | 9 drivers/iio/imu/bmi270/bmi270_i2c.c | 2 drivers/infiniband/core/uverbs_std_types_cq.c | 1 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 11 drivers/infiniband/hw/efa/efa_verbs.c | 16 drivers/infiniband/hw/hns/hns_roce_cq.c | 58 + drivers/infiniband/hw/hns/hns_roce_device.h | 4 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 drivers/infiniband/hw/hns/hns_roce_main.c | 4 drivers/infiniband/hw/hns/hns_roce_qp.c | 2 drivers/infiniband/hw/irdma/Kconfig | 7 drivers/infiniband/hw/irdma/pble.c | 2 drivers/infiniband/hw/irdma/verbs.c | 4 drivers/infiniband/hw/irdma/verbs.h | 8 drivers/infiniband/hw/mana/cq.c | 26 drivers/infiniband/hw/mana/device.c | 3 drivers/infiniband/hw/mana/mana_ib.h | 3 drivers/infiniband/ulp/ipoib/ipoib_main.c | 21 drivers/iommu/amd/amd_iommu_types.h | 5 drivers/iommu/amd/init.c | 284 ++++-- drivers/iommu/amd/iommu.c | 2 drivers/iommu/apple-dart.c | 5 drivers/iommu/intel/debugfs.c | 10 drivers/iommu/intel/iommu.h | 1 drivers/iommu/intel/perf.c | 10 drivers/iommu/intel/perf.h | 5 drivers/iommu/intel/prq.c | 7 drivers/iommu/iommufd/iova_bitmap.c | 5 drivers/irqchip/irq-gic-v2m.c | 13 drivers/irqchip/irq-loongson-eiointc.c | 21 drivers/irqchip/irq-loongson-pch-lpc.c | 9 drivers/irqchip/irq-sifive-plic.c | 6 drivers/md/dm-target.c | 3 drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 drivers/media/i2c/Kconfig | 2 drivers/media/i2c/adv7180.c | 48 - drivers/media/i2c/ir-kbd-i2c.c | 6 drivers/media/i2c/og01a1b.c | 6 drivers/media/i2c/ov08x40.c | 2 drivers/media/pci/intel/ipu6/ipu6-isys-subdev.c | 6 drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 drivers/media/pci/ivtv/ivtv-driver.h | 3 drivers/media/pci/ivtv/ivtv-fileops.c | 18 drivers/media/pci/ivtv/ivtv-irq.c | 4 drivers/media/pci/mgb4/mgb4_vin.c | 3 drivers/media/platform/amphion/vpu_v4l2.c | 7 drivers/media/platform/nxp/imx-mipi-csis.c | 23 drivers/media/platform/nxp/imx8-isi/imx8-isi-video.c | 156 +-- drivers/media/platform/qcom/camss/camss-csiphy-3ph-1-0.c | 89 ++ drivers/media/platform/qcom/camss/camss.h | 1 drivers/media/platform/verisilicon/hantro_drv.c | 2 drivers/media/platform/verisilicon/hantro_v4l2.c | 6 drivers/media/rc/imon.c | 61 - drivers/media/rc/redrat3.c | 2 drivers/media/tuners/xc4000.c | 8 drivers/media/tuners/xc5000.c | 12 drivers/media/usb/uvc/uvc_driver.c | 15 drivers/memstick/core/memstick.c | 8 drivers/mfd/cs42l43.c | 8 drivers/mfd/da9063-i2c.c | 27 drivers/mfd/intel-lpss-pci.c | 13 drivers/mfd/kempld-core.c | 32 drivers/mfd/macsmc.c | 1 drivers/mfd/madera-core.c | 4 drivers/mfd/mfd-core.c | 1 drivers/mfd/qnap-mcu.c | 6 drivers/mfd/simple-mfd-i2c.c | 2 drivers/mfd/stmpe-i2c.c | 1 drivers/mfd/stmpe.c | 3 drivers/misc/eeprom/at25.c | 67 - drivers/misc/mei/main.c | 18 drivers/misc/pci_endpoint_test.c | 12 drivers/mmc/host/renesas_sdhi_core.c | 6 drivers/mmc/host/sdhci-msm.c | 15 drivers/mmc/host/sdhci-pci-core.c | 15 drivers/net/can/rcar/rcar_canfd.c | 5 drivers/net/dsa/b53/b53_common.c | 36 drivers/net/dsa/b53/b53_regs.h | 3 drivers/net/dsa/dsa_loop.c | 9 drivers/net/dsa/microchip/ksz9477.c | 98 +- drivers/net/dsa/microchip/ksz9477_reg.h | 3 drivers/net/dsa/microchip/ksz_common.c | 49 + drivers/net/dsa/microchip/ksz_common.h | 2 drivers/net/dsa/ocelot/felix.c | 4 drivers/net/dsa/ocelot/felix.h | 3 drivers/net/dsa/ocelot/felix_vsc9959.c | 3 drivers/net/ethernet/broadcom/bnge/bnge_rmem.c | 9 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 20 drivers/net/ethernet/broadcom/bnxt/bnxt.h | 7 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 8 drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.h | 1 drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 drivers/net/ethernet/cadence/macb_main.c | 4 drivers/net/ethernet/google/gve/gve_ptp.c | 15 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 drivers/net/ethernet/huawei/hinic3/hinic3_irq.c | 2 drivers/net/ethernet/huawei/hinic3/hinic3_nic_io.h | 15 drivers/net/ethernet/huawei/hinic3/hinic3_rx.c | 10 drivers/net/ethernet/huawei/hinic3/hinic3_rx.h | 24 drivers/net/ethernet/huawei/hinic3/hinic3_tx.c | 81 + drivers/net/ethernet/huawei/hinic3/hinic3_tx.h | 18 drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 2 drivers/net/ethernet/intel/ice/ice_trace.h | 10 drivers/net/ethernet/intel/idpf/idpf.h | 2 drivers/net/ethernet/intel/idpf/idpf_lib.c | 140 ++- drivers/net/ethernet/intel/idpf/idpf_txrx.c | 146 --- drivers/net/ethernet/intel/ixgbe/ixgbe_e610.c | 59 - drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 3 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 1 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 16 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 24 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 72 - drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 12 drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 33 drivers/net/ethernet/meta/fbnic/fbnic_pci.c | 2 drivers/net/ethernet/microchip/lan865x/lan865x.c | 1 drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c | 18 drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 2 drivers/net/ethernet/microchip/lan966x/lan966x_main.h | 4 drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c | 8 drivers/net/ethernet/microchip/sparx5/Kconfig | 2 drivers/net/ethernet/microsoft/mana/hw_channel.c | 7 drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 2 drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 34 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 1 drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 2 drivers/net/ethernet/realtek/Kconfig | 2 drivers/net/ethernet/realtek/r8169_main.c | 6 drivers/net/ethernet/renesas/sh_eth.c | 4 drivers/net/ethernet/sfc/mae.c | 4 drivers/net/ethernet/smsc/smsc911x.c | 14 drivers/net/ethernet/stmicro/stmmac/common.h | 1 drivers/net/ethernet/stmicro/stmmac/stmmac_est.c | 9 drivers/net/ethernet/stmicro/stmmac/stmmac_est.h | 1 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 drivers/net/ethernet/ti/icssg/icssg_config.c | 7 drivers/net/ethernet/wangxun/libwx/wx_ethtool.c | 7 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 drivers/net/hamradio/6pack.c | 57 - drivers/net/mdio/mdio-airoha.c | 2 drivers/net/mdio/of_mdio.c | 1 drivers/net/netconsole.c | 10 drivers/net/phy/dp83640.c | 58 - drivers/net/phy/dp83867.c | 6 drivers/net/phy/fixed_phy.c | 1 drivers/net/phy/marvell.c | 39 drivers/net/phy/mscc/mscc.h | 3 drivers/net/phy/mscc/mscc_main.c | 40 drivers/net/phy/phy.c | 15 drivers/net/usb/asix_devices.c | 12 drivers/net/usb/qmi_wwan.c | 6 drivers/net/usb/usbnet.c | 2 drivers/net/virtio_net.c | 51 - drivers/net/wan/framer/pef2256/pef2256.c | 7 drivers/net/wireless/ath/ath10k/mac.c | 12 drivers/net/wireless/ath/ath10k/wmi.c | 40 drivers/net/wireless/ath/ath11k/core.c | 54 + drivers/net/wireless/ath/ath11k/mac.c | 10 drivers/net/wireless/ath/ath12k/dp.h | 2 drivers/net/wireless/ath/ath12k/mac.c | 156 +-- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 14 drivers/net/wireless/intel/iwlwifi/mld/link.c | 12 drivers/net/wireless/intel/iwlwifi/mld/stats.c | 11 drivers/net/wireless/intel/iwlwifi/pcie/gen1_2/internal.h | 3 drivers/net/wireless/mediatek/mt76/eeprom.c | 9 drivers/net/wireless/mediatek/mt76/mac80211.c | 2 drivers/net/wireless/mediatek/mt76/mt76.h | 2 drivers/net/wireless/mediatek/mt76/mt7603/eeprom.c | 3 drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt7615/init.c | 5 drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h | 7 drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 6 drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/init.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/init.c | 4 drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 26 drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c | 3 drivers/net/wireless/mediatek/mt76/mt7996/init.c | 6 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 102 +- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 1 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 drivers/net/wireless/mediatek/mt76/tx.c | 3 drivers/net/wireless/realtek/rtw88/sdio.c | 4 drivers/net/wireless/realtek/rtw89/coex.c | 5 drivers/net/wireless/realtek/rtw89/core.c | 59 + drivers/net/wireless/realtek/rtw89/core.h | 10 drivers/net/wireless/realtek/rtw89/debug.h | 1 drivers/net/wireless/realtek/rtw89/fw.c | 4 drivers/net/wireless/realtek/rtw89/mac.c | 20 drivers/net/wireless/realtek/rtw89/mac.h | 1 drivers/net/wireless/realtek/rtw89/phy.c | 9 drivers/net/wireless/realtek/rtw89/rtw8851b_rfk.c | 85 + drivers/net/wireless/realtek/rtw89/rtw8851bu.c | 3 drivers/net/wireless/realtek/rtw89/rtw8852bu.c | 2 drivers/net/wireless/realtek/rtw89/txrx.h | 1 drivers/net/wireless/virtual/mac80211_hwsim.c | 7 drivers/net/wwan/t7xx/t7xx_pci.c | 1 drivers/ntb/hw/epf/ntb_hw_epf.c | 103 +- drivers/nvme/host/core.c | 8 drivers/nvme/host/fc.c | 10 drivers/nvme/target/auth.c | 5 drivers/nvme/target/fc.c | 16 drivers/pci/controller/cadence/pcie-cadence-host.c | 2 drivers/pci/controller/cadence/pcie-cadence.c | 4 drivers/pci/controller/cadence/pcie-cadence.h | 6 drivers/pci/controller/dwc/pci-imx6.c | 4 drivers/pci/controller/dwc/pcie-designware.c | 4 drivers/pci/endpoint/functions/pci-epf-test.c | 7 drivers/pci/p2pdma.c | 2 drivers/pci/pci-driver.c | 2 drivers/pci/pci.c | 5 drivers/pci/pcie/aer.c | 4 drivers/pci/pcie/err.c | 3 drivers/pci/quirks.c | 3 drivers/phy/cadence/cdns-dphy.c | 4 drivers/phy/renesas/r8a779f0-ether-serdes.c | 28 drivers/phy/rockchip/phy-rockchip-inno-csidphy.c | 5 drivers/pinctrl/pinctrl-keembay.c | 7 drivers/pinctrl/pinctrl-single.c | 4 drivers/pinctrl/renesas/pinctrl-rzg2l.c | 12 drivers/platform/x86/amd/pmf/pmf.h | 15 drivers/platform/x86/amd/pmf/spc.c | 48 - drivers/platform/x86/intel/int3472/clk_and_regulator.c | 5 drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c | 76 + drivers/platform/x86/lenovo/think-lmi.c | 11 drivers/platform/x86/x86-android-tablets/core.c | 6 drivers/platform/x86/x86-android-tablets/other.c | 6 drivers/pmdomain/apple/pmgr-pwrstate.c | 1 drivers/power/supply/qcom_battmgr.c | 8 drivers/power/supply/sbs-charger.c | 16 drivers/ptp/ptp_clock.c | 13 drivers/ptp/ptp_ocp.c | 6 drivers/pwm/pwm-pca9685.c | 46 - drivers/remoteproc/qcom_q6v5.c | 5 drivers/remoteproc/wkup_m3_rproc.c | 6 drivers/rpmsg/rpmsg_char.c | 3 drivers/rtc/rtc-pcf2127.c | 19 drivers/rtc/rtc-rx8025.c | 2 drivers/rtc/rtc-zynqmp.c | 19 drivers/scsi/libfc/fc_encode.h | 2 drivers/scsi/lpfc/lpfc_debugfs.h | 3 drivers/scsi/lpfc/lpfc_els.c | 21 drivers/scsi/lpfc/lpfc_init.c | 7 drivers/scsi/lpfc/lpfc_nportdisc.c | 23 drivers/scsi/lpfc/lpfc_scsi.c | 14 drivers/scsi/lpfc/lpfc_sli.c | 3 drivers/scsi/mpi3mr/mpi3mr_fw.c | 13 drivers/scsi/mpi3mr/mpi3mr_os.c | 10 drivers/scsi/mpi3mr/mpi3mr_transport.c | 11 drivers/scsi/mpt3sas/mpt3sas_transport.c | 3 drivers/scsi/pm8001/pm8001_ctl.c | 24 drivers/scsi/pm8001/pm8001_init.c | 1 drivers/scsi/pm8001/pm8001_sas.h | 4 drivers/scsi/qla2xxx/qla_os.c | 5 drivers/scsi/scsi_error.c | 4 drivers/soc/aspeed/aspeed-socinfo.c | 4 drivers/soc/qcom/smem.c | 2 drivers/soc/tegra/fuse/fuse-tegra30.c | 122 ++ drivers/soc/ti/k3-socinfo.c | 10 drivers/soc/ti/pruss.c | 2 drivers/spi/spi-loopback-test.c | 12 drivers/spi/spi-qpic-snand.c | 11 drivers/spi/spi-rpc-if.c | 2 drivers/tee/tee_core.c | 2 drivers/thermal/gov_step_wise.c | 15 drivers/thunderbolt/tb.c | 2 drivers/tty/serdev/core.c | 11 drivers/tty/serial/ip22zilog.c | 352 +++----- drivers/tty/serial/max3100.c | 2 drivers/tty/serial/max310x.c | 3 drivers/tty/serial/qcom_geni_serial.c | 92 -- drivers/tty/vt/vt_ioctl.c | 4 drivers/ufs/core/ufs-mcq.c | 11 drivers/ufs/core/ufs-sysfs.c | 2 drivers/ufs/core/ufs-sysfs.h | 1 drivers/ufs/core/ufshcd.c | 36 drivers/ufs/host/ufs-exynos.c | 8 drivers/ufs/host/ufs-mediatek.c | 227 ++++- drivers/ufs/host/ufs-qcom.c | 31 drivers/ufs/host/ufs-qcom.h | 2 drivers/ufs/host/ufshcd-pci.c | 70 + drivers/usb/cdns3/cdnsp-gadget.c | 8 drivers/usb/gadget/function/f_fs.c | 8 drivers/usb/gadget/function/f_hid.c | 4 drivers/usb/gadget/function/f_ncm.c | 3 drivers/usb/host/xhci-pci.c | 43 drivers/usb/host/xhci-plat.c | 1 drivers/usb/mon/mon_bin.c | 14 drivers/vfio/pci/nvgrace-gpu/main.c | 2 drivers/vfio/pci/vfio_pci_intrs.c | 7 drivers/vfio/vfio_main.c | 2 drivers/video/backlight/lp855x_bl.c | 2 drivers/video/fbdev/aty/atyfb_base.c | 8 drivers/video/fbdev/core/bitblit.c | 33 drivers/video/fbdev/core/fb_fillrect.h | 3 drivers/video/fbdev/core/fbcon.c | 19 drivers/video/fbdev/core/fbmem.c | 1 drivers/video/fbdev/pvr2fb.c | 2 drivers/video/fbdev/valkyriefb.c | 2 drivers/watchdog/s3c2410_wdt.c | 10 fs/9p/v9fs.c | 9 fs/btrfs/extent_io.c | 8 fs/btrfs/file.c | 10 fs/btrfs/qgroup.c | 4 fs/ceph/dir.c | 3 fs/ceph/file.c | 6 fs/ceph/ioctl.c | 17 fs/ceph/locks.c | 5 fs/ceph/mds_client.c | 8 fs/ceph/mdsmap.c | 14 fs/ceph/super.c | 14 fs/ceph/super.h | 14 fs/crypto/inline_crypt.c | 3 fs/exfat/balloc.c | 72 + fs/exfat/fatent.c | 11 fs/ext4/fast_commit.c | 2 fs/ext4/xattr.c | 2 fs/f2fs/extent_cache.c | 6 fs/f2fs/node.c | 17 fs/f2fs/sysfs.c | 9 fs/fuse/dev.c | 1 fs/fuse/inode.c | 11 fs/fuse/virtio_fs.c | 6 fs/hpfs/namei.c | 18 fs/jfs/inode.c | 8 fs/jfs/jfs_txnmgr.c | 9 fs/namespace.c | 15 fs/nfs/nfs4proc.c | 6 fs/nfs/nfs4state.c | 3 fs/nfsd/nfs4proc.c | 21 fs/nfsd/nfs4state.c | 1 fs/nfsd/nfs4xdr.c | 12 fs/nfsd/nfsd.h | 3 fs/nfsd/xdr4.h | 1 fs/ntfs3/inode.c | 1 fs/open.c | 10 fs/orangefs/xattr.c | 12 fs/overlayfs/dir.c | 22 fs/smb/client/cached_dir.c | 17 fs/smb/client/smb2ops.c | 3 fs/smb/client/smb2pdu.c | 7 fs/smb/client/transport.c | 10 fs/smb/server/transport_tcp.c | 7 fs/xfs/xfs_iomap.c | 82 + include/asm-generic/vmlinux.lds.h | 2 include/hyperv/hvhdk_mini.h | 1 include/linux/bio.h | 4 include/linux/blk_types.h | 11 include/linux/blkdev.h | 7 include/linux/cgroup.h | 1 include/linux/f2fs_fs.h | 1 include/linux/fbcon.h | 2 include/linux/filter.h | 2 include/linux/mfd/qnap-mcu.h | 2 include/linux/pci.h | 2 include/linux/platform_data/x86/int3472.h | 1 include/linux/regmap.h | 2 include/linux/shdma-base.h | 2 include/linux/tnum.h | 3 include/linux/virtio_net.h | 3 include/net/bluetooth/hci.h | 1 include/net/bluetooth/hci_core.h | 11 include/net/bluetooth/l2cap.h | 4 include/net/bluetooth/mgmt.h | 4 include/net/cfg80211.h | 78 + include/net/cls_cgroup.h | 2 include/net/inet_connection_sock.h | 5 include/net/inet_hashtables.h | 2 include/net/inet_timewait_sock.h | 3 include/net/nfc/nci_core.h | 2 include/net/rps.h | 7 include/net/sock.h | 4 include/net/xdp.h | 5 include/scsi/scsi_device.h | 10 include/sound/tas2781-dsp.h | 8 include/uapi/drm/drm_fourcc.h | 25 include/uapi/linux/virtio_net.h | 3 include/ufs/ufs_quirks.h | 3 include/ufs/ufshcd.h | 9 include/ufs/ufshci.h | 4 io_uring/memmap.c | 2 io_uring/notif.c | 5 io_uring/rsrc.c | 18 io_uring/zcrx.c | 9 kernel/bpf/helpers.c | 4 kernel/bpf/ringbuf.c | 2 kernel/bpf/tnum.c | 8 kernel/bpf/verifier.c | 4 kernel/cgroup/cgroup.c | 24 kernel/events/core.c | 20 kernel/events/uprobes.c | 7 kernel/futex/syscalls.c | 106 +- kernel/power/hibernate.c | 30 kernel/power/main.c | 22 kernel/sched/ext.c | 8 kernel/trace/ftrace.c | 2 kernel/trace/ring_buffer.c | 4 kernel/trace/trace_events_hist.c | 6 kernel/trace/trace_fprobe.c | 7 lib/crypto/Makefile | 2 lib/kunit/Kconfig | 11 lib/kunit/kunit-test.c | 2 net/8021q/vlan.c | 2 net/9p/trans_fd.c | 9 net/batman-adv/originator.c | 14 net/bluetooth/hci_conn.c | 27 net/bluetooth/hci_event.c | 18 net/bluetooth/hci_sync.c | 21 net/bluetooth/iso.c | 33 net/bluetooth/l2cap_core.c | 4 net/bluetooth/mgmt.c | 32 net/bluetooth/rfcomm/tty.c | 26 net/bluetooth/sco.c | 7 net/bridge/br.c | 5 net/bridge/br_forward.c | 5 net/bridge/br_if.c | 1 net/bridge/br_input.c | 4 net/bridge/br_mst.c | 10 net/bridge/br_private.h | 13 net/core/dev.c | 64 + net/core/filter.c | 1 net/core/net-sysfs.c | 4 net/core/netpoll.c | 7 net/core/page_pool.c | 12 net/core/sock.c | 15 net/dsa/tag_brcm.c | 10 net/ethernet/eth.c | 5 net/ipv4/fou_nl.c | 4 net/ipv4/inet_connection_sock.c | 12 net/ipv4/inet_diag.c | 14 net/ipv4/inet_hashtables.c | 44 - net/ipv4/inet_timewait_sock.c | 1 net/ipv4/ip_input.c | 11 net/ipv4/netfilter/nf_reject_ipv4.c | 25 net/ipv4/nexthop.c | 6 net/ipv4/route.c | 2 net/ipv4/tcp.c | 4 net/ipv4/tcp_fastopen.c | 7 net/ipv4/udp_tunnel_nic.c | 2 net/ipv6/addrconf.c | 4 net/ipv6/ah6.c | 50 - net/ipv6/netfilter/nf_reject_ipv6.c | 30 net/ipv6/raw.c | 2 net/ipv6/udp.c | 2 net/mac80211/cfg.c | 23 net/mac80211/chan.c | 2 net/mac80211/ieee80211_i.h | 12 net/mac80211/iface.c | 25 net/mac80211/key.c | 11 net/mac80211/link.c | 4 net/mac80211/mesh.c | 3 net/mac80211/mlme.c | 62 - net/mac80211/status.c | 21 net/mptcp/protocol.c | 61 - net/mptcp/protocol.h | 2 net/netfilter/nf_tables_api.c | 47 - net/rds/rds.h | 2 net/sctp/diag.c | 21 net/wireless/core.c | 56 + net/wireless/nl80211.c | 3 net/wireless/scan.c | 9 net/wireless/trace.h | 21 rust/Makefile | 15 rust/kernel/devres.rs | 2 rust/kernel/kunit.rs | 7 rust/kernel/sync/condvar.rs | 2 rust/macros/kunit.rs | 48 - scripts/Makefile.vmlinux_o | 15 scripts/kernel-doc.py | 34 security/integrity/ima/ima_appraise.c | 23 sound/drivers/serial-generic.c | 12 sound/hda/codecs/realtek/alc269.c | 10 sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 12 sound/soc/codecs/cs-amp-lib-test.c | 1 sound/soc/codecs/es8323.c | 17 sound/soc/codecs/rt722-sdca-sdw.c | 2 sound/soc/codecs/rt722-sdca.c | 14 sound/soc/codecs/rt722-sdca.h | 6 sound/soc/codecs/tas2781-fmwlib.c | 12 sound/soc/codecs/tas2781-i2c.c | 6 sound/soc/codecs/tlv320aic3x.c | 32 sound/soc/codecs/wsa883x.c | 57 + sound/soc/fsl/fsl_micfil.c | 4 sound/soc/fsl/fsl_sai.c | 11 sound/soc/intel/avs/pcm.c | 15 sound/soc/mediatek/mt8173/mt8173-rt5650.c | 2 sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 2 sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c | 2 sound/soc/mediatek/mt8186/mt8186-mt6366.c | 2 sound/soc/mediatek/mt8188/mt8188-mt6359.c | 8 sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c | 2 sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 1 sound/soc/mediatek/mt8195/mt8195-mt6359.c | 4 sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 1 sound/soc/meson/aiu-encoder-i2s.c | 9 sound/soc/qcom/qdsp6/q6asm.c | 2 sound/soc/qcom/sc8280xp.c | 3 sound/soc/renesas/rcar/msiof.c | 54 + sound/soc/renesas/rz-ssi.c | 25 sound/soc/sdw_utils/soc_sdw_utils.c | 1 sound/soc/soc-ops.c | 1 sound/soc/sof/ipc4-pcm.c | 56 + sound/soc/stm/stm32_sai_sub.c | 8 sound/usb/mixer.c | 7 sound/usb/mixer_s1810c.c | 49 - sound/usb/quirks.c | 3 sound/usb/validate.c | 9 tools/bpf/bpftool/btf_dumper.c | 2 tools/bpf/bpftool/prog.c | 2 tools/include/linux/bitmap.h | 1 tools/lib/bpf/bpf_tracing.h | 2 tools/lib/bpf/usdt.bpf.h | 44 - tools/lib/bpf/usdt.c | 62 + tools/lib/thermal/Makefile | 9 tools/net/ynl/lib/ynl-priv.h | 14 tools/net/ynl/lib/ynl.c | 6 tools/net/ynl/pyynl/ethtool.py | 3 tools/net/ynl/pyynl/ynl_gen_c.py | 2 tools/power/cpupower/lib/cpuidle.c | 5 tools/power/cpupower/lib/cpupower.c | 2 tools/power/x86/turbostat/turbostat.c | 2 tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 30 tools/testing/kunit/configs/arch_uml.config | 5 tools/testing/selftests/Makefile | 2 tools/testing/selftests/arm64/abi/tpidr2.c | 6 tools/testing/selftests/bpf/benchs/bench_sockmap.c | 5 tools/testing/selftests/bpf/prog_tests/arena_spin_lock.c | 13 tools/testing/selftests/bpf/prog_tests/bpf_cookie.c | 3 tools/testing/selftests/bpf/progs/arena_spin_lock.c | 5 tools/testing/selftests/bpf/progs/verifier_arena_large.c | 1 tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 tools/testing/selftests/bpf/test_xsk.sh | 2 tools/testing/selftests/drivers/net/hds.py | 39 tools/testing/selftests/drivers/net/hw/devmem.py | 14 tools/testing/selftests/drivers/net/hw/ncdevmem.c | 4 tools/testing/selftests/drivers/net/hw/rss_ctx.py | 11 tools/testing/selftests/drivers/net/lib/py/__init__.py | 2 tools/testing/selftests/drivers/net/lib/py/env.py | 41 tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 tools/testing/selftests/net/fcnal-test.sh | 432 +++++----- tools/testing/selftests/net/forwarding/custom_multipath_hash.sh | 2 tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh | 2 tools/testing/selftests/net/forwarding/ip6_forward_instats_vrf.sh | 6 tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh | 2 tools/testing/selftests/net/forwarding/lib.sh | 8 tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q_lag.sh | 2 tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh | 4 tools/testing/selftests/net/gro.c | 12 tools/testing/selftests/net/lib.sh | 32 tools/testing/selftests/net/lib/py/utils.py | 18 tools/testing/selftests/net/lib/xdp_native.bpf.c | 98 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 6 tools/testing/selftests/net/netlink-dumps.c | 43 tools/testing/selftests/net/psock_tpacket.c | 4 tools/testing/selftests/net/tfo_passive.sh | 2 tools/testing/selftests/net/traceroute.sh | 51 - tools/testing/selftests/pci_endpoint/pci_endpoint_test.c | 4 tools/testing/selftests/thermal/intel/workload_hint/workload_hint_test.c | 2 tools/testing/selftests/ublk/test_generic_01.sh | 4 tools/testing/selftests/ublk/test_generic_02.sh | 4 tools/testing/selftests/ublk/test_generic_12.sh | 4 tools/testing/selftests/ublk/test_null_01.sh | 4 tools/testing/selftests/ublk/test_null_02.sh | 4 tools/testing/selftests/ublk/test_stress_05.sh | 4 tools/testing/selftests/vsock/vmtest.sh | 8 usr/include/headers_check.pl | 2 933 files changed, 9976 insertions(+), 4490 deletions(-) Aaron Kling (1): cpufreq: tegra186: Initialize all cores to max frequencies Abdun Nihaal (2): sfc: fix potential memory leak in efx_mae_process_mport() Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() Adam Holliday (1): ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo Adrian Hunter (4): scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL scsi: ufs: core: Add a quirk to suppress link_startup_again scsi: ufs: core: Fix invalid probe error return value Akash Goel (1): dma-fence: Fix safe access wrapper to call timeline name method Akhil P Oommen (5): drm/msm/a6xx: Fix GMU firmware parser drm/msm/adreno: Add speedbins for A663 GPU drm/msm/adreno: Add speedbin data for A623 GPU drm/msm/adreno: Add fenced regwrite support drm/msm/a6xx: Switch to GMU AO counter Al Viro (4): move_mount(2): take sanity checks in 'beneath' case into do_lock_mount() allow finish_no_open(file, ERR_PTR(-E...)) sparc64: fix prototypes of reads[bwl]() nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Albin Babu Varghese (1): fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Aleksander Jan Bajkowski (5): mips: lantiq: danube: add missing properties to cpu node mips: lantiq: danube: add model to EASY50712 dts mips: lantiq: danube: add missing device_type in pci node mips: lantiq: xway: sysctrl: rename stp clock mips: lantiq: danube: rename stp node on EASY50712 reference board Alessandro Zanni (1): selftest: net: Fix error message if empty variable Alex Deucher (9): drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h drm/amdgpu: fix SPDX header on amd_cper.h drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h drm/amd/display: add more cyan skillfish devices drm/amdgpu/vpe: cancel delayed work in hw_fini drm/amd: add more cyan skillfish PCI ids drm/amdgpu: don't enable SMU on cyan skillfish drm/amdgpu: add support for cyan skillfish gpu_info drm/amdgpu/smu: Handle S0ix for vangogh Alex Hung (2): drm/amd/display: Add HDR workaround for a specific eDP drm/amd/display: Fix black screen with HDMI outputs Alex Mastro (1): vfio: return -ENOTTY for unsupported device feature Alexander Lobakin (1): idpf: link NAPIs to queues Alexander Stein (2): mfd: stmpe: Remove IRQ domain upon removal mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexander Usyskin (1): mei: make a local copy of client uuid in connect Alexandre Courbot (1): gpu: nova-core: register: allow fields named `offset` Alexey Klimov (2): regmap: slimbus: fix bus_context pointer in regmap init calls ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() Alice Chao (3): scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO mode change scsi: ufs: host: mediatek: Fix invalid access in vccqx handling scsi: ufs: host: mediatek: Fix adapt issue after PA_Init Alistair Francis (1): nvme: Use non zero KATO for persistent discovery connections Allen Li (1): drm/amd/display: Add fast sync field in ultra sleep more for DMUB Alok Tiwari (4): udp_tunnel: use netdev_warn() instead of netdev_WARN() ionic: use int type for err in ionic_get_module_eeprom_by_page scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() net: mdio: Check regmap pointer returned by device_node_to_regmap() Aloka Dixit (1): wifi: mac80211: reset FILS discovery and unsol probe resp intervals Amber Lin (1): drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Amery Hung (3): bpf: Clear pfmemalloc flag when freeing all fragments selftests: drv-net: Pull data before parsing headers selftests: drv-net: Reload pkt pointer after calling filter_udphdr Amir Goldstein (1): ovl: make sure that ovl_create_real() returns a hashed dentry Amirreza Zarrabi (1): tee: allow a driver to allocate a tee_device without a pool Andreas Kemnade (1): hwmon: sy7636a: add alias Andrew Davis (2): rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper Andrii Nakryiko (1): libbpf: Fix powerpc's stack register definition in bpf_tracing.h Anil S Keshavamurthy (1): dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family platforms Anna Maniscalco (1): drm/msm: make sure last_fence is always updated Antheas Kapenekakis (2): drm: panel-backlight-quirks: Make EDID match optional HID: asus: add Z13 folio to generic group for multitouch to work Anthony Iliopoulos (1): NFSv4.1: fix mount hang after CREATE_SESSION failure Antonino Maniscalco (1): drm/msm: make sure to not queue up recovery more than once Anubhav Singh (2): selftests/net: fix out-of-order delivery of FIN in gro:tcp test selftests/net: use destination options instead of hop-by-hop Ariel D'Alessandro (1): drm/mediatek: Disable AFBC support on Mediatek DRM driver Arkadiusz Bokowy (1): Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames Armin Wolf (4): ACPI: fan: Use platform device for devres-related actions ACPI: fan: Use ACPI handle when retrieving _FST hwmon: (dell-smm) Remove Dell Precision 490 custom config data hwmon: (dell-smm) Add support for Dell OptiPlex 7040 Arnd Bergmann (1): mfd: madera: Work around false-positive -Wininitialized warning Asbjørn Sloth Tønnesen (2): netlink: specs: fou: change local-v6/peer-v6 check tools: ynl-gen: validate nested arrays Ashish Kalra (4): iommu/amd: Add support to remap/unmap IOMMU buffers for kdump iommu/amd: Skip enabling command/event buffers for kdump iommu/amd: Reuse device table for kdump crypto: ccp: Skip SEV and SNP INIT for kdump boot Aurabindo Pillai (4): drm/amd/display: fix condition for setting timing_adjust_pending drm/amd/display: fix dmub access race condition drm/amd/display: Fix vupdate_offload_work doc drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler Ausef Yousof (2): drm/amd/display: dont wait for pipe update during medupdate/highirq drm/amd/display: fix dml ms order of operations Avadhut Naik (1): hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models Balamanikandan Gunasundar (1): clk: at91: sam9x7: Add peripheral clock id for pmecc Baochen Qiang (1): Revert "wifi: ath10k: avoid unnecessary wait for service ready message" Bard Liao (1): ASoC: soc_sdw_utils: remove cs42l43 component_name Bart Van Assche (4): scsi: core: Fix the unit attention counter implementation scsi: ufs: core: Disable timestamp functionality if not supported scsi: ufs: core: Fix a race condition related to the "hid" attribute group scsi: ufs: core: Revert "Make HID attributes visible" Bartosz Golaszewski (3): pinctrl: keembay: release allocated memory in detach path gpio: swnode: don't use the swnode's name as the key for GPIO lookup gpiolib: fix invalid pointer access in debugfs Bastien Curutchet (2): mfd: core: Increment of_node's refcount before linking it to the platform device net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463 Ben Copeland (1): hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex Benjamin Berg (4): wifi: cfg80211: add an hrtimer based delayed work item wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work wifi: mac80211: use wiphy_hrtimer_work for ttlm_work wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work Benjamin Lin (1): wifi: mt76: mt7996: Temporarily disable EPCS Bharat Uppal (1): scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on suspend Bhargava Marreddy (1): bng_en: make bnge_alloc_ring() self-unwind on failure Bibo Mao (1): irqchip/loongson-eiointc: Route interrupt parsed from bios table Biju Das (4): mmc: host: renesas_sdhi: Fix the actual clock pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control registers spi: rpc-if: Add resume support for RZ/G3E can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4 Bobby Eshleman (1): selftests/vsock: avoid false-positives when checking dmesg Brahmajit Das (1): net: intel: fm10k: Fix parameter idx set but not used Breno Leitao (1): netpoll: Fix deadlock in memory allocation under spinlock Bruno Thomsen (1): rtc: pcf2127: fix watchdog interrupt mask on pcf2131 Bryan Brattlof (1): soc: ti: k3-socinfo: Add information for AM62L SR1.1 Bui Quang Minh (2): virtio-net: drop the multi-buffer XDP packet in zerocopy virtio-net: fix received length check in big packets Caleb Sander Mateos (1): io_uring/rsrc: respect submitter_task in io_register_clone_buffers() Carolina Jubran (1): net/mlx5e: Don't query FEC statistics when FEC is disabled Ce Sun (4): drm/amdgpu: Avoid rma causes GPU duplicate reset drm/amdgpu: Effective health check before reset drm/amdgpu: Correct the loss of aca bank reg info drm/amdgpu: Correct the counts of nr_banks and nr_errors Cen Zhang (1): Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once Cezary Rojewski (3): ASoC: Intel: avs: Unprepare a stream when XRUN occurs ASoC: Intel: avs: Disable periods-elapsed work when closing PCM ASoC: Intel: avs: Do not share the name pointer between components Chaitanya Kumar Borah (1): drm/xe/wcl: Extend L3bank mask workaround Chandrakanth Patil (3): scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link speed scsi: mpi3mr: Fix I/O failures during controller reset scsi: mpi3mr: Fix controller init failure on fault during queue creation Chandrashekar Devegowda (1): Bluetooth: btintel_pcie: Define hdev->wakeup() callback Chang S. Bae (1): x86/fpu: Ensure XFD state on signal delivery Chao Yu (1): f2fs: fix to detect potential corrupted nid in free_nid_list Charalampos Mitrodimas (1): net: ipv6: fix field-spanning memcpy warning in AH output Charles Keepax (1): mfd: cs42l43: Move IRQ enable/disable to encompass force suspend Chelsy Ratnawat (1): media: fix uninitialized symbol warnings Chen Pei (1): ACPI: SPCR: Support Precise Baud Rate field Chen Wang (1): PCI: cadence: Check for the existence of cdns_pcie::ops before using it Chen Yufeng (1): usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget Chen-Yu Tsai (1): clk: sunxi-ng: sun6i-rtc: Add A523 specifics Chengchang Tang (1): RDMA/hns: Fix recv CQ and QP cache affinity Chenghao Duan (1): riscv: bpf: Fix uninitialized symbol 'retval_off' Chenglei Xie (1): drm/amdgpu: refactor bad_page_work for corner case handling Chi Zhang (1): pinctrl: single: fix bias pull up/down handling in pin_config_set Chi Zhiling (1): exfat: limit log print for IO error Chia-I Wu (1): drm/panthor: check bo offset alignment in vm bind Chih-Kang Chang (2): wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status wifi: rtw89: obtain RX path from ppdu status IE00 Ching-Te Ku (1): wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch Chris Lu (3): Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during reset Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925 Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922 Christian Bruel (3): irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment selftests: pci_endpoint: Skip IRQ test if IRQ is out of range. misc: pci_endpoint_test: Skip IRQ tests if irq is out of range Christian König (1): drm/amdgpu: reject gang submissions under SRIOV Christoph Hellwig (1): dm error: mark as DM_TARGET_PASSES_INTEGRITY Christoph Paasch (1): net: When removing nexthops, don't call synchronize_net if it is not necessary Christopher Orr (1): drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345 Christopher Ruehl (1): power: supply: qcom_battmgr: add OOI chemistry Chuande Chen (1): hwmon: (sbtsi_temp) AMD CPU extended temperature range support Chuck Lever (3): NFSD: Define actions for the new time_deleg FATTR4 attributes NFSD: Fix crash in nfsd4_read_release() Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" ChunHao Lin (1): r8169: set EEE speed down ratio to 1 Chunyan Zhang (1): riscv: stacktrace: Disable KASAN checks for non-current tasks Claudiu Beznea (2): ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume serdev: Drop dev_pm_domain_detach() call Clay King (2): drm/amd/display: ensure committing streams is seamless drm/amd/display: incorrect conditions for failing dto calculations Coiby Xu (1): ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Colin Foster (1): smsc911x: add second read of EEPROM mac when possible corruption seen Cristian Birsan (1): clk: at91: add ACR in all PLL settings Cruise Hung (1): drm/amd/display: Remove check DPIA HPD status for BW Allocation Cryolitia PukNgae (2): iio: imu: bmi270: Match PNP ID found on newer GPD firmware ALSA: usb-audio: apply quirk for MOONDROP Quark2 Damien Le Moal (2): block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL block: make REQ_OP_ZONE_OPEN a write operation Dan Carpenter (2): wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link() octeontx2-pf: Fix devm_kcalloc() error checking Daniel Lezcano (1): clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Daniel Palmer (4): fbdev: atyfb: Check if pll_ops->init_pll failed drm/radeon: Do not kfree() devres managed rdev drm/radeon: Remove calls to drm_put_dev() eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP Daniel Wagner (2): nvmet-fc: avoid scheduling association deletion twice nvme-fc: use lock accessing port_state and rport state Danny Wang (1): drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off Dapeng Mi (2): perf/x86/intel: Fix KASAN global-out-of-bounds warning perf/core: Fix system hang caused by cpu-clock usage Darrick J. Wong (2): xfs: fix delalloc write failures in software-provided atomic writes xfs: fix various problems in xfs_atomic_write_cow_iomap_begin David Ahern (2): selftests: Disable dad for ipv6 in fcnal-test.sh selftests: Replace sleep with slowwait David Francis (1): drm/amdgpu: Allow kfd CRIU with no buffer objects David Lechner (1): iio: adc: ad7124: do not require mclk David Ober (1): hwmon: (lenovo-ec-sensors) Update P8 supprt David Rosca (1): drm/sched: avoid killing parent entity on child SIGKILL David Yang (1): selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt Dennis Beier (1): cpufreq/longhaul: handle NULL policy in longhaul_exit Denzeel Oliva (1): clk: samsung: exynos990: Add missing USB clock registers to HSI0 Devendra K Verma (1): dmaengine: dw-edma: Set status for callback_result Dillon Varone (2): drm/amd/display: Consider sink max slice width limitation for dsc drm/amd/display: Add missing post flip calls Dimitri John Ledkov (1): kbuild: align modinfo section for Secureboot Authenticode EDK2 compat Dmitry Baryshkov (2): drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts drm/bridge: write full Audio InfoFrame Dragos Tatulea (4): page_pool: Clamp pool size to max 16K pages net/mlx5e: SHAMPO, Fix header mapping for 64K pages net/mlx5e: SHAMPO, Fix skb size check for 64K pages net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages Emanuele Ghidoli (1): net: phy: dp83867: Disable EEE support as not implemented Emil Dahl Juhl (1): tools: lib: thermal: don't preserve owner in install Emmanuel Grumbach (1): wifi: nl80211: call kfree without a NULL check Eric Dumazet (5): idpf: do not linearize big TSO packets inet_diag: annotate data-races in inet_diag_bc_sk() tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() net: call cond_resched() less often in __release_sock() ipv6: np->rxpmtu race annotation Eric Huang (1): drm/amdkfd: fix vram allocation failure for a special case Erick Shepherd (1): mmc: sdhci: Disable SD card clock before changing parameters Fabien Proriol (1): power: supply: sbs-charger: Support multiple devices Fan Gong (2): hinic3: Queue pair endianness improvements hinic3: Fix missing napi->dev in netif_queue_set_napi Fangzhi Zuo (1): drm/amd/display: Fix pbn_div Calculation Error Farhan Ali (1): s390/pci: Restore IRQ unconditionally for the zPCI device Felix Fietkau (3): wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error wifi: mt76: use altx queue for offchannel tx on connac+ wifi: mt76: improve phy reset on hw restart Fenglin Wu (1): power: supply: qcom_battmgr: handle charging state change notifications Fiona Ebner (1): smb: client: transport: avoid reconnects triggered by pending task work Florian Fuchs (1): fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Florian Schmaus (1): kunit: test_dev_action: Correctly cast 'priv' pointer to long* Florian Westphal (2): netfilter: nf_tables: all transaction allocations can now sleep netfilter: nf_reject: don't reply to icmp error messages Forest Crossman (1): usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Francisco Gutierrez (1): scsi: pm80xx: Fix race condition caused by static variables Frédéric Danis (1): Revert "Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()" Gabor Juhos (1): spi: spi-qpic-snand: handle 'use_ecc' parameter of qcom_spi_config_cw_read() Gal Pressman (1): net/mlx5e: Fix return value in case of module EEPROM read error Gaurav Jain (1): crypto: caam - double the entropy delay interval for retry Gautam R A (1): bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() Geert Uytterhoeven (1): kbuild: uapi: Strip comments before size type check Geoffrey McRae (1): drm/amdkfd: return -ENOTTY for unsupported IOCTLs Gerd Bayer (1): s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Gokul Sivakumar (1): wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Greg Kroah-Hartman (1): Linux 6.17.8 Gregory Price (1): x86/CPU/AMD: Add RDSEED fix for Zen5 Guangshuo Li (1): drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() Gustavo Luiz Duarte (1): netconsole: Acquire su_mutex before navigating configs hierarchy Haibo Chen (1): iio: adc: imx93_adc: load calibrated values even calibration failed Haiyang Zhang (1): net: mana: Reduce waiting time if HWC not responding Hangbin Liu (2): tools: ynl: avoid print_field when there is no reply net: vlan: sync VLAN features with lower device Hannes Reinecke (1): nvmet-auth: update sc_c in host response Hans de Goede (3): ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[] ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() platform/x86: x86-android-tablets: Stop using EPROBE_DEFER Hao Yao (1): media: ov08x40: Fix the horizontal flip control Haotian Zhang (3): crypto: aspeed - fix double free caused by devm ASoC: mediatek: Fix double pm_runtime_disable in remove functions net: wan: framer: pef2256: Switch to devm_mfd_add_devices() Harald Freudenberger (1): crypto: s390/phmac - Do not modify the req->nbytes value Harikrishna Shenoy (1): phy: cadence: cdns-dphy: Enable lower resolutions in dphy Harini T (2): arm64: versal-net: Update rtc calibration value rtc: zynqmp: Restore alarm functionality after kexec transition Hariprasad Kelam (1): Octeontx2-af: Broadcast XON on all channels Hector Martin (1): iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs Heijligen, Thomas (1): mfd: kempld: Switch back to earlier ->init() behavior Heiko Carstens (1): s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP Heiko Stuebner (4): mfd: qnap-mcu: Handle errors returned from qnap_mcu_write mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header drm/panel: ilitek-ili9881c: turn off power-supply when init fails drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to (un-)prepare Heiner Kallweit (2): net: phy: fixed_phy: let fixed_phy_unregister free the phy_device net: phy: dp83640: improve phydev and driver removal handling Helge Deller (1): parisc: Avoid crash due to unaligned access in unwinder Heng Zhou (1): drm/amdgpu: fix nullptr err of vm_handle_moved Henrique Carvalho (3): smb: client: fix potential cfid UAF in smb2_query_info_compound smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() smb: client: fix potential UAF in smb2_close_cached_fid() Horatiu Vultur (1): lan966x: Fix sleeping in atomic context Howard Hsu (1): wifi: mt76: mt7996: support writing MAC TXD for AddBA Request Hoyoung Seo (1): scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS Ian Rogers (1): tools bitmap: Add missing asm-generic/bitsperlong.h include Icenowy Zheng (1): clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL Ido Schimmel (3): bridge: Redirect to backup port when port is administratively down selftests: traceroute: Use require_command() selftests: traceroute: Return correct value on failure Ilan Peer (3): wifi: mac80211: Fix HE capabilities element check wifi: mac80211: Get the correct interface for non-netdev skb status wifi: mac80211: Track NAN interface start/stop Ilia Gavrilov (1): Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() Ilpo Järvinen (1): mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs Inochi Amaoto (1): irqchip/sifive-plic: Respect mask state when setting affinity Ioana Ciornei (1): mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA Ivan Lipski (2): drm/amd/display: Fix incorrect return of vblank enable on unconfigured crtc drm/amd/display: Support HW cursor 180 rot for any number of pipe splits Ivan Pravdin (1): Bluetooth: bcsp: receive data only if registered Jack Kao (1): wifi: mt76: mt7925: add pci restore for hibernate Jacky Bai (1): clk: scmi: Add duty cycle ops only when duty cycle is supported Jacob Moroni (3): RDMA/irdma: Fix SD index calculation RDMA/irdma: Remove unused struct irdma_cq fields RDMA/irdma: Set irdma_cq cq_num field during CQ create Jaegeuk Kim (1): f2fs: fix wrong layout information on 16KB page Jakub Kicinski (9): selftests: drv-net: devmem: add / correct the IPv6 support selftests: drv-net: devmem: flip the direction of Tx tests selftests: drv-net: wait for carrier selftests: drv-net: hds: restore hds settings selftests: drv-net: rss_ctx: fix the queue count check selftests: drv-net: rss_ctx: make the test pass with few queues selftests: net: make the dump test less sensitive to mem accounting selftests: net: replace sleeps in fcnal-test with waits page_pool: always add GFP_NOWARN for ATOMIC allocations Jakub Sitnicki (1): tcp: Update bind bucket state on port release James Jones (2): drm: define NVIDIA DRM format modifiers for GB20x drm/nouveau: Advertise correct modifiers on GB20x Janne Grunau (2): pmdomain: apple: Add "apple,t8103-pmgr-pwrstate" mfd: macsmc: Add "apple,t8103-smc" compatible Jarkko Nikula (1): i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C Jason Gunthorpe (1): iommufd: Don't overflow during division for dirty tracking Jayesh Choudhary (1): drm/tidss: Set crtc modesetting parameters with adjusted mode Jedrzej Jagielski (1): ixgbe: reduce number of reads when getting OROM data Jens Kehne (1): mfd: da9063: Split chip variant reading in two bus transactions Jens Reidel (1): soc: qcom: smem: Fix endian-unaware access of num_entries Jerome Brunet (1): NTB: epf: Allow arbitrary BAR mapping Jesse.Zhang (2): drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails drm/amdgpu: Fix fence signaling race condition in userqueue Jessica Zhang (2): drm/msm/dpu: Filter modes based on adjusted mode clock drm/msm/dpu: Fix adjusted mode clock check for 3d merge Jianbo Liu (1): net/mlx5e: Prevent entering switchdev mode with inconsistent netns Jiawei Zhao (1): libbpf: Fix USDT SIB argument handling causing unrecognized register error Jiawen Wu (2): net: wangxun: limit tx_max_coalesced_frames_irq net: libwx: fix device bus LAN ID Jiayi Li (1): memstick: Add timeout to prevent indefinite waiting Jiayuan Chen (1): selftests/bpf: Fix incorrect array size calculation Jie Zhang (1): dt-bindings: display/msm/gmu: Update Adreno 623 bindings Jijie Shao (1): net: hns3: return error code when function fails Jiri Olsa (1): uprobe: Do not emulate/sstep original instruction when ip is changed Johan Hovold (2): Bluetooth: rfcomm: fix modem control handling drm/mediatek: Fix device use-after-free on unbind Johannes Berg (1): wifi: mac80211: fix key tailroom accounting leak John Harrison (2): drm/xe/guc: Add more GuC load error status codes drm/xe/guc: Return an error code if the GuC load fails John Keeping (1): ALSA: serial-generic: remove shared static buffer John Smith (2): drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland Jonas Gorski (6): net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx net: dsa: b53: fix resetting speed and pause on forced link net: dsa: b53: fix bcm63xx RGMII port link adjustment net: dsa: b53: fix enabling ip multicast net: dsa: b53: stop reading ARL entries if search is done net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips Jonas Schwöbel (1): ARM: tegra: p880: set correct touchscreen clipping Josephine Pfeiffer (1): riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro Joshua Rogers (1): smb: client: validate change notify buffer before copy Josua Mayer (1): rtc: pcf2127: clear minute/second interrupt Julian Sun (1): ext4: increase IO priority of fastcommit Junjie Cao (1): fbdev: bitblit: bound-check glyph index in bit_putcs* Junxian Huang (1): RDMA/hns: Fix wrong WQE data when QP wraps around Juraj Šarinay (1): net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Justin Tee (6): scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup scsi: lpfc: Define size of debugfs entry for xri rebalancing scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology Kai Huang (1): x86/virt/tdx: Use precalculated TDVPR page physical address Kaibo Ma (1): rust: kunit: allow `cfg` on `test`s Kalesh AP (1): bnxt_en: Fix a possible memory leak in bnxt_ptp_init Karthi Kandasamy (1): drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream Karthik M (1): wifi: ath12k: free skb during idr cleanup callback Karunika Choo (1): drm/panthor: Serialize GPU cache flush operations Kashyap Desai (1): bnxt_en: Always provide max entry and entry size in coredump segments Kaushlendra Kumar (6): ACPI: button: Call input_free_device() on failing input device registration ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object tools/cpupower: fix error return value in cpupower_write_sysfs() tools/cpupower: Fix incorrect size in cpuidle_state_disable() tools/power turbostat: Fix incorrect sorting of PMT telemetry tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage Kees Cook (1): arc: Fix __fls() const-foldability via __builtin_clzl() Keith Busch (1): block: check for valid bio while splitting Kendall Willis (1): firmware: ti_sci: Enable abort handling of entry to LPM Kent Russell (1): drm/amdkfd: Handle lack of READ permissions in SVM mapping Kiran K (2): Bluetooth: btintel_pcie: Fix event packet loss issue Bluetooth: btintel: Add support for BlazarIW core Kirill A. Shutemov (1): x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall Koakuma (1): sparc/module: Add R_SPARC_UA64 relocation handling Konstantin Sinyuk (1): accel/habanalabs/gaudi2: read preboot status after recovering from dirty state Konstantin Taranov (1): RDMA/mana_ib: Drain send wrs of GSI QP Kotresh HR (1): ceph: fix multifs mds auth caps issue Krishna Kumar (1): net: Prevent RPS table overwrite of active flows Krishna Kurapati (1): usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Krzysztof Kozlowski (6): extcon: adc-jack: Fix wakeup source leaks on device unbind extcon: fsa9480: Fix wakeup source leaks on device unbind extcon: axp288: Fix wakeup source leaks on device unbind drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL drm/msm/dsi/phy_7nm: Fix missing initial VCO rate extcon: adc-jack: Cleanup wakeup source only if it was enabled Kuan-Chung Chen (3): wifi: rtw89: wow: remove notify during WoWLAN net-detect wifi: rtw89: fix BSSID comparison for non-transmitted BSSID wifi: rtw89: 8851b: rfk: update IQK TIA setting Kumar Kartikeya Dwivedi (1): bpf: Do not limit bpf_cgroup_from_id to current's namespace Kuninori Morimoto (4): ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver ASoC: renesas: msiof: use reset controller ASoC: renesas: msiof: tidyup DMAC stop timing ASoC: renesas: msiof: set SIFCTR register Kuniyuki Iwashima (1): net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. Laurent Pinchart (3): media: pci: ivtv: Don't create fake v4l2_fh media: amphion: Delete v4l2_fh synchronously in .release() media: imx-mipi-csis: Only set clock rate when specified in DT Len Brown (2): tools/power x86_energy_perf_policy: Enhance HWP enable tools/power x86_energy_perf_policy: Prefer driver HWP limits Li RongQing (2): virtio_fs: fix the hash table using in virtio_fs_enqueue_req() x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT Lijo Lazar (4): drm/amd/pm: Use cached metrics data on aldebaran drm/amd/pm: Use cached metrics data on arcturus drm/amdgpu: Release hive reference properly drm/amdgpu: Report individual reset error Linus Torvalds (1): x86: uaccess: don't use runtime-const rewriting in modules Lizhi Hou (1): accel/amdxdna: Unify pm and rpm suspend and resume callbacks Lizhi Xu (1): usbnet: Prevents free active kevent Lo-an Chen (1): drm/amd/display: Init dispclk from bootup clock for DCN314 Loic Poulain (3): wifi: ath10k: Fix memory leak on unsupported WMI command media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence wifi: ath10k: Fix connection after GTK rekeying Lorenzo Bianconi (1): wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link() Lu Baolu (1): iommu/vt-d: Remove LPIG from page group response descriptor Luiz Augusto von Dentz (8): Bluetooth: ISO: Fix BIS connection dst_type handling Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 Bluetooth: ISO: Fix another instance of dst_type handling Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS Bluetooth: hci_core: Fix tracking of periodic advertisement Bluetooth: ISO: Don't initiate CIS connections if there are no buffers Bluetooth: ISO: Use sk_sndtimeo as conn_timeout Bluetooth: SCO: Fix UAF on sco_conn_free Lukas Wunner (2): PCI/ERR: Update device error_state already after reset thunderbolt: Use is_pciehp instead of is_hotplug_bridge Maarten Lankhorst (1): drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. Maarten Zanders (1): ASoC: fsl_sai: Fix sync error in consumer mode Malin Jonsson (1): bpf: Conditionally include dynptr copy kfuncs Mangesh Gadre (3): drm/amdgpu: Initialize jpeg v5_0_1 ras function drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest Manikanta Guntupalli (1): i3c: dw: Add shutdown support to dw_i3c_master driver Marcos Del Sol Vives (1): PCI: Disable MSI on RDC PCI to PCIe bridges Marcus Folkesson (1): drm/st7571-i2c: add support for inverted pixel format Marek Szyprowski (1): media: videobuf2: forbid remove_bufs when legacy fileio is active Marek Vasut (1): PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs Mario Limonciello (6): drm/amd: Check that VPE has reached DPM0 in idle handler drm/amd/display: Indicate when custom brightness curves are in use drm/amd/display: Set up pixel encoding for YCBCR422 PCI/PM: Skip resuming to D0 if device is disconnected drm/amd/display: Add fallback path for YCBCR422 x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode Mario Limonciello (AMD) (6): ACPI: video: force native for Lenovo 82K8 fbcon: Use screen info to find primary device Fix access to video_is_primary_device() when compiled without CONFIG_VIDEO drm/amd: Avoid evicting resources at S5 HID: i2c-hid: Resolve touchpad issues on Dell systems during S4 x86/microcode/AMD: Add more known models to entry sign checking Mark Pearson (2): wifi: ath11k: Add missing platform IDs for quirk table platform/x86: think-lmi: Add extra TC BIOS error messages Marko Mäkelä (1): clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf Markus Heidelberg (2): eeprom: at25: support Cypress FRAMs without device ID dt-bindings: eeprom: at25: use "size" for FRAMs without device ID Markus Stockhausen (2): clocksource/drivers/timer-rtl-otto: Work around dying timers clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts Martin Tůma (1): media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS Martin Willi (1): wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup Masami Hiramatsu (Google) (2): tracing: tprobe-events: Fix to register tracepoint correctly tracing: tprobe-events: Fix to put tracepoint_user when disable the tprobe Matthew Auld (3): drm/xe: rework PDE PAT index selection drm/gpusvm: fix hmm_pfn_to_map_order() usage drm/xe: improve dma-resv handling for backup object Matthew Brost (1): drm/xe: Do not wake device during a GT reset Matthew Schwartz (1): drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power is disabled on DCN30 Matthias Schiffer (1): clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled Matthieu Baerts (NGI0) (1): selftests: mptcp: join: allow more time to send ADD_ADDR Mauro Carvalho Chehab (1): docs: kernel-doc: avoid script crash on ancient Python Meghana Malladi (1): net: ti: icssg-prueth: Fix fdb hash size configuration Mehdi Djait (1): media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR Melissa Wen (2): drm/amd/display: change dc stream color settings only in atomic commit drm/amd/display: update color on atomic commit time Meng Li (1): drm/amd/amdgpu: Release xcp drm memory after unplug Miaoqian Lin (4): net: usb: asix_devices: Check return value of usbnet_get_endpoints fbdev: valkyriefb: Fix reference count leak in valkyriefb_init s390/mm: Fix memory leak in add_marker() when kvrealloc() fails riscv: Fix memory leak in module_frob_arch_sections() Miaoqing Pan (1): Revert "wifi: ath12k: Fix missing station power save configuration" Michael Chan (1): bnxt_en: Shutdown FW DMA in bnxt_shutdown() Michael Dege (1): phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet Michael Riesch (1): phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 Michael S. Tsirkin (1): virtio_net: fix alignment for virtio_net_hdr_v1_hash Michael Strauss (3): drm/amd/display: Move setup_stream_attribute drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration drm/amd/display: Cache streams targeting link when performing LT automation Michal Pecio (1): usb: xhci-pci: Fix USB2-only root hub registration Michal Wajdeczko (4): drm/xe/configfs: Enforce canonical device names drm/xe/pf: Don't resume device from restart worker drm/xe/guc: Set upper limit of H2G retries over CTB drm/xe/guc: Always add CT disable action during second init step Miguel Ojeda (4): rust: condvar: fix broken intra-doc link rust: devres: fix private intra-doc link rust: kbuild: workaround `rustdoc` doctests modifier bug rust: kbuild: treat `build_error` and `rustdoc` as kernel objects Mike Marshall (1): orangefs: fix xattr related buffer overflow... Miklos Szeredi (1): fuse: zero initialize inode private data Ming Wang (1): irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller Miri Korenblit (3): wifi: iwlwifi: pcie: remember when interrupts are disabled wifi: mac80211: count reg connection element in the size wifi: cfg80211: update the time stamps in hidden ssid Miroslav Lichvar (1): ptp: Limit time setting of PTP clocks Mohammad Heib (2): net: ionic: add dma_wmb() before ringing TX doorbell net: ionic: map SKB after pseudo-header checksum prep Mohammad Rafi Shaik (1): ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers Mohsin Bashir (1): eth: fbnic: Reset hw stats upon PCI error Moti Haimovski (1): accel/habanalabs: support mapping cb with vmalloc-backed coherent memory Mukesh Ojha (1): firmware: qcom: scm: preserve assign_mem() error return value Mykyta Yatsenko (1): selftests/bpf: Fix flaky bpf_cookie selftest Nai-Chen Cheng (1): selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Namjae Jeon (2): exfat: validate cluster allocation bits of the allocation bitmap ksmbd: use sock_create_kern interface to create kernel socket Nathan Chancellor (2): lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC kbuild: Strip trailing padding bytes from modules.builtin.modinfo Nicholas Kazlauskas (1): drm/amd/display: Fix DMCUB loading sequence for DCN3.2 Nicolas Ferre (2): ARM: at91: pm: save and restore ACR during PLL disable/enable clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register Nidhish A N (1): wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list Nikita Travkin (1): firmware: qcom: tzmem: disable sc7180 platform Niklas Cassel (1): PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() Niklas Neronin (1): usb: xhci-pci: add support for hosts with zero USB3 ports Niklas Schnelle (2): powerpc/eeh: Use result of error_detected() in uevent s390/pci: Use pci_uevent_ers() in PCI recovery Niklas Söderlund (4): media: adv7180: Add missing lock in suspend callback media: adv7180: Do not write format to device in set_fmt media: adv7180: Only validate format in querystd net: sh_eth: Disable WoL if system can not suspend Nikolay Aleksandrov (2): net: bridge: fix use-after-free due to MST port state bypass net: bridge: fix MST static key usage Niranjan H Y (1): ASoC: ops: improve snd_soc_get_volsw Nithyanantham Paramasivam (1): wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 Noorain Eqbal (1): bpf: Sync pending IRQ work before freeing ring buffer Nuno Das Neves (1): hyperv: Add missing field to hv_output_map_device_interrupt Oleg Nesterov (1): 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN Oleksij Rempel (3): net: stmmac: Correctly handle Rx checksum offload errors net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR net: phy: clear link parameters on admin link down Olga Kornievskaia (1): NFSv4: handle ERR_GRACE on delegation recalls Olivier Moysan (1): ASoC: stm32: sai: manage context in set_sysclk callback Ondrej Mosnacek (1): bpf: Do not audit capability check in do_jit() Oscar Maes (1): net: ipv4: allow directed broadcast routes to use dst hint Ostrowski Rafal (1): drm/amd/display: Update tiled to tiled copy command Ovidiu Bunea (1): drm/amd/display: Fix dmub_cmd header alignment Ovidiu Panait (1): crypto: sun8i-ce - remove channel timeout field Owen Gu (1): usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Palash Kambar (2): scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS controller v5 scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8 Paolo Abeni (4): mptcp: drop bogus optimization in __mptcp_check_push() mptcp: restore window probe mptcp: leverage skb deferral free mptcp: fix MSG_PEEK stream corruption Paresh Bhagat (1): cpufreq: ti: Add support for AM62D2 Parthiban Veerasooran (1): microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl support Paul Chaignon (1): bpf: Use tnums for JEQ/JNE is_branch_taken logic Paul Hsieh (1): drm/amd/display: update dpp/disp clock from smu clock table Paul Kocialkowski (1): media: verisilicon: Explicitly disable selection api ioctls for decoders Pauli Virtanen (1): Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete Pavan Chebbi (1): bnxt_en: Add Hyper-V VF ID Pavel Begunkov (5): io_uring/zctx: check chained notif contexts io_uring/zcrx: check all niovs filled with dma addresses io_uring/zcrx: account niov arrays to cgroup io_uring: fix types for region size calulation io_uring: fix regbuf vector size truncation Perry Yuan (1): drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled Peter Chiu (1): wifi: mt76: mt7996: disable promiscuous mode by default Peter Ujfalusi (1): ASoC: SOF: ipc4-pcm: Add fixup for channels Peter Wang (9): scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration scsi: ufs: host: mediatek: Fix PWM mode switch issue scsi: ufs: host: mediatek: Change reset sequence for improved stability scsi: ufs: host: mediatek: Enhance recovery on resume failure scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure scsi: ufs: host: mediatek: Correct system PM flow scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode changes scsi: ufs: core: Change MCQ interrupt enable flow Peter Zijlstra (1): x86/build: Disable SSE4a Petr Machata (2): selftests: net: lib.sh: Don't defer failed commands net: bridge: Install FDB for bridge MAC on VLAN 0 Petr Oros (2): tools: ynl: fix string attribute length to include null terminator dpll: spec: add missing module-name and clock-id to pin-get reply Philip Yang (2): drm/amdkfd: Fix mmap write lock not release drm/amdkfd: Don't clear PT after process killed Philipp Stanner (2): drm/sched: Fix race in drm_sched_entity_select_rq() drm/nouveau: Fix race in nouveau_sched_fini() Pierre-Eric Pelloux-Prayer (1): drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb Ping-Ke Shih (3): wifi: rtw89: print just once for unknown C2H events wifi: rtw88: sdio: use indirect IO for device registers before power-on wifi: rtw89: add dummy C2H handlers for BCN resend and update done Piotr Piórkowski (1): drm/xe/pf: Program LMTT directory pointer on all GTs within a tile Pranav Tyagi (1): futex: Don't leak robust_list pointer on exec race Prike Liang (3): drm/amdgpu: validate userq input args drm/amdgpu: validate userq buffer virtual address and size drm/amdgpu/userq: assign an error code for invalid userq va Primoz Fiser (1): ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 Punit Agrawal (1): ACPI: SPCR: Check for table version when using precise baudrate Qendrim Maxhuni (1): net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Qianfeng Rong (3): crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() scsi: pm8001: Use int instead of u32 to store error codes media: redrat3: use int type to store negative error codes Qingfang Deng (1): 6pack: drop redundant locking and refcounting Qiu Wenbo (1): platform/x86: int3472: Fix double free of GPIO device during unregister Qu Wenruo (1): btrfs: ensure no dirty metadata is written back for an fs with errors Quan Zhou (1): wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device Quanmin Yan (1): fbcon: Set fb_display[i]->mode to NULL when the mode is released Quanyang Wang (1): arm64: zynqmp: Disable coresight by default Raag Jadav (1): drm/xe/i2c: Enable bus mastering Radhey Shyam Pandey (1): arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106 Rafael J. Wysocki (6): cpuidle: governors: menu: Rearrange main loop in menu_select() cpuidle: governors: menu: Select polling state in some more cases PM: hibernate: Combine return paths in power_down() PM: sleep: Allow pm_restrict_gfp_mask() stacking thermal: gov_step_wise: Allow cooling level to be reduced earlier cpuidle: Fail cpuidle device registration if there is one already Rameshkumar Sundaram (1): wifi: ath11k: avoid bit operation on key flags Ramya Gnanasekar (1): wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in lower bands Randall P. Embry (2): 9p: fix /sys/fs/9p/caches overwriting itself 9p: sysfs_init: don't hardcode error to ENOMEM Ranjan Kumar (1): scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate Raphael Pinsonneault-Thibeault (1): Bluetooth: hci_event: validate skb length for unknown CC opcode Relja Vojvodic (1): drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting Riana Tauro (1): drm/xe: Set GT as wedged before sending wedged uevent Ricardo B. Marlière (2): selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh Ricardo Ribalda (1): media: uvcvideo: Use heuristic to find stream entity Richard Fitzgerald (1): ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h Richard Leitner (1): media: nxp: imx8-isi: Fix streaming cleanup on release Richard Zhu (1): PCI: imx6: Enable the Vaux supply if available Rob Clark (4): drm/msm: Fix GEM free for imported dma-bufs drm/msm: Ensure vm is created in VM_BIND ioctl drm/msm: Fix 32b size truncation drm/msm/registers: Generate _HI/LO builders for reg64 Rob Herring (Arm) (1): drm/msm: Use of_reserved_mem_region_to_resource() for "memory-region" Robert Marko (1): net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X Rodrigo Gobbi (1): iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Rohan G Thomas (2): net: phy: marvell: Fix 88e1510 downshift counter errata net: stmmac: est: Drop frames causing HLBS error Rong Zhang (2): hwmon: (k10temp) Add device ID for Strix Halo drm/amd/display: Fix NULL deref in debugfs odm_combine_segments Rosen Penev (2): dmaengine: mv_xor: match alloc_wc and free_wc wifi: mt76: mt76_eeprom_override to int Roy Vegard Ovesen (4): ALSA: usb-audio: fix control pipe direction ALSA: usb-audio: add mono main switch to Presonus S1824c ALSA: usb-audio: don't log messages meant for 1810c when initializing 1824c ALSA: usb-audio: don't apply interface quirk to Presonus S1824c Ryan Chen (1): soc: aspeed: socinfo: Add AST27xx silicon IDs Ryan Wanner (1): clk: at91: clk-master: Add check for divide by 3 Sakari Ailus (2): media: ipu6: isys: Set embedded data type correctly for metadata formats ACPI: property: Return present device nodes only on fwnode interface Saket Dumbre (1): ACPICA: Update dsmethod.c to get rid of unused variable warning Saket Kumar Bhaskar (1): selftests/bpf: Fix arena_spin_lock selftest failure Sam van Kampen (1): ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU Sammy Hsu (1): net: wwan: t7xx: add support for HP DRMR-H01 Sangwook Shin (1): watchdog: s3c2410_wdt: Fix max_timeout being calculated larger Sarthak Garg (1): mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Sascha Hauer (1): tools: lib: thermal: use pkg-config to locate libnl3 Sathishkumar S (3): drm/amdgpu: Check vcn sram load return value drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff drm/amdgpu: Fix unintended error log in VCN5_0_0 Satyanarayana K V P (1): drm/xe/guc: Add devm release action to safely tear down CT Seyediman Seyedarab (2): drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot() Shang song (Lenovo) (1): ACPI: PRM: Skip handlers with NULL handler_address or NULL VA Shantiprasad Shettar (1): bnxt_en: Fix warning in bnxt_dl_reload_down() Shardul Bankar (1): btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation Shaurya Rane (1): jfs: fix uninitialized waitqueue in transaction manager Shawn Guo (1): regmap: irq: Correct documentation of wake_invert flag Shayne Chen (1): wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO Shenghao Ding (2): ASoC: tas2781: Add keyword "init" in profile section ALSA: hda/tas2781: Enable init_profile_id for device initialization Shengjiu Wang (2): ASoC: fsl_sai: fix bit order for DSD format ASoC: fsl_micfil: correct the endian format for DSD Shimrra Shai (3): ASoC: es8323: enable DAPM power widgets for playback DAC and output ASoC: es8323: remove DAC enablement write from es8323_probe ASoC: es8323: add proper left/right mixer controls via DAPM Shruti Parab (1): bnxt_en: Add fw log trace support for 5731X/5741X chips Shubhrajyoti Datta (1): clk: clocking-wizard: Fix output clock register offset for Versal platforms Shuhao Fu (1): RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE Shuming Fan (1): ASoC: rt722: add settings for rt722VB Shyam Sundar S K (1): platform/x86/amd/pmf: Fix the custom bios input handling mechanism Simon Richter (1): drm/xe: Make page size consistent in loop Sk Anirban (1): drm/xe/ptl: Apply Wa_16026007364 Slark Xiao (1): bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU variants Sohil Mehta (1): cpufreq: ondemand: Update the efficient idle check for Intel extended Families Somashekhar Puttagangaiah (1): wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR Sridevi Arvindekar (1): drm/amd/display: Fix for test crash due to power gating Srinivas Kandagatla (1): ASoC: qdsp6: q6asm: do not sleep while atomic Srinivas Pandruvada (3): thermal: intel: selftests: workload_hint: Mask unsupported types platform/x86/intel-uncore-freq: Fix warning in partitioned system platform/x86/intel-uncore-freq: Present unique domain ID per package Srinivasan Shanmugam (1): drm/amdgpu: Fix function header names in amdgpu_connectors.c Stanislav Fomichev (2): selftests: ncdevmem: don't retry EFAULT net: devmem: expose tcp_recvmsg_locked errors Stanley.Yang (1): drm/amdgpu: Fix vcn v5.0.1 poison irq call trace Stefan Wahren (1): ethernet: Extend device_get_mac_address() to use NVMEM Stefan Wiehler (3): sctp: Hold RCU read lock while iterating over address list sctp: Prevent TOCTOU out-of-bounds write sctp: Hold sock lock while iterating over address list Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid handling handover twice Steven Rostedt (1): ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up Stuart Summers (2): drm/xe/pcode: Initialize data0 for pcode read routine drm/xe: Cancel pending TLB inval workers on teardown Sungho Kim (1): PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Sunil V L (1): ACPI: scan: Update honor list for RPMI System MSI Sven Eckelmann (1): batman-adv: Release references to inactive interfaces Svyatoslav Ryhel (4): soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups ARM: tegra: transformer-20: add missing magnetometer interrupt ARM: tegra: transformer-20: fix audio-codec interrupt video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Takashi Iwai (1): ALSA: usb-audio: Add validation of UAC2/UAC3 effect units Takashi Sakamoto (1): firewire: ohci: move self_id_complete tracepoint after validating register Tangudu Tilak Tirumalesh (2): drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms drm/xe: Extend Wa_22021007897 to Xe3 platforms Tao Zhou (1): drm/amdgpu: add range check for RAS bad page address Tatyana Nikolova (1): RDMA/irdma: Update Kconfig Tejun Heo (1): sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU Terry Cheong (1): ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks Tetsuo Handa (3): media: imon: make send_packet() more robust ntfs3: pretend $Extend records as regular files jfs: Verify inode mode when loading from disk Thomas Andreatta (1): dmaengine: sh: setup_xref error handling Thomas Bogendoerfer (1): tty: serial: ip22zilog: Use platform device for probing Thomas Weißschuh (7): spi: loopback-test: Don't use %pK through printk soc: ti: pruss: don't use %pK through printk bpf: Don't use %pK through printk kselftest/arm64: tpidr2: Switch to waitpid() over wait4() kunit: Enable PCI on UML without triggering WARN() ice: Don't use %pK through printk or tracepoints kunit: Extend kconfig help text for KUNIT_UML_PCI Thomas Zimmermann (3): drm/sysfb: Do not dereference NULL pointer in plane reset drm/ast: Clear preserved bits from register output value drm/sharp-memory: Do not access GEM-DMA vaddr directly Théo Lebrun (1): net: macb: avoid dealing with endianness in macb_set_hwaddr() Tiezhu Yang (2): net: stmmac: Check stmmac_hw_setup() in stmmac_resume() LoongArch: Handle new atomic instructions for probes Tim Hostetler (2): gve: Implement gettimex64 with -EOPNOTSUPP gve: Implement settime64 with -EOPNOTSUPP Timothy Pearson (1): vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices Timur Kristóf (7): drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2) drm/amd/pm: Increase SMC timeout on SI and warn (v3) drm/amd/display: Don't use non-registered VUPDATE on DCE 6 drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4 drm/amd/display: Fix DVI-D/HDMI adapters drm/amd/display: Disable VRR on DCE 6 drm/amd/display: Reject modes with too high pixel clock on DCE6-10 Timur Tabi (1): drm/nouveau: always set RMDevidCheckIgnore for GSP-RM Tiwei Bie (1): um: Fix help message for ssl-non-raw Tom Stellard (1): bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21 Tomasz Pakuła (2): HID: pidff: Use direction fix only for conditional effects HID: pidff: PERMISSIVE_CONTROL quirk autodetection Tomer Tayar (1): accel/habanalabs: return ENOMEM if less than requested pages were pinned Tomeu Vizoso (1): drm/etnaviv: fix flush sequence logic Tomi Valkeinen (4): drm/tidss: Use the crtc_* timings when programming the HW drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST drm/tidss: Remove early fb Tommaso Merciai (1): clk: renesas: rzv2h: Re-assert reset on deassert timeout Tony Luck (1): ACPI: MRRM: Check revision of MRRM table Tristram Ha (1): net: dsa: microchip: Fix reserved multicast address table programming TungYu Lu (1): drm/amd/display: Wait until OTG enable state is cleared Tushar Dave (1): vfio/nvgrace-gpu: Add GB300 SKU to the devid table Tvrtko Ursulin (1): drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl Uday Shankar (1): selftests: ublk: fix behavior when fio is not installed Ujwal Kundur (1): rds: Fix endianness annotation for RDS_MPATH_HASH Uwe Kleine-König (1): pwm: pca9685: Use bulk write to atomicially update registers Vadim Fedorenko (1): ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2 Val Packett (1): firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455 Valerio Setti (1): ASoC: meson: aiu-encoder-i2s: fix bit clock polarity Vered Yavniely (1): accel/habanalabs/gaudi2: fix BMON disable configuration Vernon Yang (1): PCI/AER: Fix NULL pointer access by aer_info Viacheslav Dubeyko (3): ceph: add checking of wait_for_completion_killable() return value ceph: fix potential race condition in ceph_ioctl_lazyio() ceph: refactor wake_up_bit() pattern of calling Viken Dadhaniya (1): serial: qcom-geni: Add DFS clock mode support to GENI UART driver Ville Syrjälä (1): drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S Vitaly Prosyak (1): drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit Vivek Pernamitta (1): bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state Vlad Dumitrescu (1): IB/ipoib: Ignore L3 master device Vladimir Oltean (2): net: phy: mscc: report and configure in-band auto-negotiation for SGMII/QSGMII net: dsa: felix: support phy-mode = "10g-qxgmii" Vladimir Riabchun (1): ftrace: Fix softlockup in ftrace_module_enable Vladimir Zapolskiy (1): media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer Wake Liu (2): selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 selftests/net: Ensure assert() triggers in psock_tpacket.c Wang Liang (1): selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh Wayne Lin (1): drm/amd/display: Enable mst when it's detected but yet to be initialized Wei Liu (1): clocksource: hyper-v: Skip unnecessary checks for the root partition Weili Qian (2): crypto: hisilicon/qm - invalidate queues in use crypto: hisilicon/qm - clear all VF configurations in the hardware William Wu (1): usb: gadget: f_hid: Fix zero length packet transfer Wonkon Kim (1): scsi: ufs: core: Initialize value of an attribute returned by uic cmd Xi Ruoyao (1): drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with DC_FP_START Xiang Liu (4): drm/amdgpu: Update IPID value for bad page threshold CPER drm/amdgpu: Skip poison aca bank from UE channel drm/amdgpu: Notify pmfw bad page threshold exceeded drm/amdgpu: Correct info field of bad page threshold exceed CPER Xichao Zhao (2): hwrng: timeriomem - Use us_to_ktime() where appropriate tty: serial: Modify the use of dev_err_probe() Xin Wang (1): drm/xe: Ensure GT is in C0 during resumes Xion Wang (1): char: Use list_del_init() in misc_deregister() to reinitialize list pointer Yafang Shao (1): net/cls_cgroup: Fix task_get_classid() during qdisc run YanLong Dai (1): RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp Yang Wang (2): drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() drm/amd/pm: refine amdgpu pm sysfs node error code Yazen Ghannam (1): x86/amd_node: Fix AMD root device caching Yifan Zhang (2): amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw amd/amdkfd: enhance kfd process check in switch partition Yihan Zhu (1): drm/amd/display: wait for otg update pending latch before clock optimization Yikang Yue (1): fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink Yonghong Song (1): selftests/bpf: Fix selftest verifier_arena_large failure Yongpeng Yang (1): fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT Yu Kuai (1): blk-cgroup: fix possible deadlock while configuring policy Yue Haibing (1): ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled Yuhao Jiang (1): ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Yunseong Kim (1): crypto: ccp - Fix incorrect payload size calculation in psp_poulate_hsti() Yunxiang Li (1): drm/amdgpu: skip mgpu fan boost for multi-vf Yuta Hayama (1): rtc: rx8025: fix incorrect register reference Zenm Chen (2): wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1 wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1 Zhanjun Dong (1): drm/xe/guc: Increase GuC crash dump buffer size Zijun Hu (2): char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor char: misc: Does not request module for miscdevice with dynamic minor Zilin Guan (1): tracing: Fix memory leaks in create_field_var() Zizhi Wo (1): tty/vt: Add missing return value for VT_RESIZE in vt_ioctl() Zong-Zhe Yang (1): wifi: rtw89: renew a completion for each H2C command waiting C2H event Zsolt Kajtar (1): fbdev: core: Fix ubsan warning in pixel_to_pat austinchang (1): btrfs: mark dirty extent range for out of bound prealloc extents chenmiao (1): openrisc: Add R_OR1K_32_PCREL relocation type module support chuguangqing (1): fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock raub camaioni (1): usb: gadget: f_ncm: Fix MAC assignment NCM ethernet wangzijie (1): f2fs: fix infinite loop in __insert_extent_tree() wenglianfa (1): RDMA/hns: Fix the modification of max_send_sge

1 month

1
1
0 0

Linux 6.12.58

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.58 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/netlink/specs/dpll.yaml | 2 Makefile | 2 arch/arc/include/asm/bitops.h | 2 arch/arm/boot/dts/nvidia/tegra20-asus-tf101.dts | 5 arch/arm/boot/dts/nvidia/tegra30-lg-p880.dts | 4 arch/arm/mach-at91/pm_suspend.S | 8 arch/arm64/boot/dts/xilinx/zynqmp-zcu106-revA.dts | 4 arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 arch/loongarch/include/asm/inst.h | 5 arch/loongarch/kernel/inst.c | 12 arch/mips/boot/dts/lantiq/danube.dtsi | 6 arch/mips/boot/dts/lantiq/danube_easy50712.dts | 4 arch/mips/lantiq/xway/sysctrl.c | 2 arch/mips/sgi-ip22/ip22-platform.c | 32 arch/openrisc/kernel/module.c | 4 arch/parisc/include/asm/video.h | 2 arch/parisc/kernel/unwind.c | 13 arch/powerpc/kernel/eeh_driver.c | 2 arch/riscv/kernel/stacktrace.c | 21 arch/riscv/mm/ptdump.c | 2 arch/riscv/net/bpf_jit_comp64.c | 5 arch/s390/Kconfig | 1 arch/s390/include/asm/pci.h | 1 arch/s390/mm/dump_pagetables.c | 19 arch/s390/pci/pci_event.c | 7 arch/s390/pci/pci_irq.c | 9 arch/sparc/include/asm/elf_64.h | 1 arch/sparc/include/asm/io_64.h | 6 arch/sparc/include/asm/video.h | 2 arch/sparc/kernel/module.c | 1 arch/um/drivers/ssl.c | 5 arch/x86/entry/vsyscall/vsyscall_64.c | 17 arch/x86/events/intel/ds.c | 3 arch/x86/include/asm/runtime-const.h | 17 arch/x86/include/asm/uaccess_64.h | 22 arch/x86/include/asm/video.h | 2 arch/x86/kernel/cpu/amd.c | 35 arch/x86/kernel/cpu/common.c | 6 arch/x86/kernel/cpu/microcode/amd.c | 2 arch/x86/kernel/fpu/core.c | 3 arch/x86/kernel/kvm.c | 20 arch/x86/lib/getuser.S | 12 arch/x86/net/bpf_jit_comp.c | 13 block/blk-cgroup.c | 23 drivers/accel/habanalabs/common/memory.c | 2 drivers/accel/habanalabs/gaudi/gaudi.c | 19 drivers/accel/habanalabs/gaudi2/gaudi2.c | 15 drivers/accel/habanalabs/gaudi2/gaudi2_coresight.c | 2 drivers/acpi/acpi_video.c | 4 drivers/acpi/acpica/dsmethod.c | 10 drivers/acpi/button.c | 4 drivers/acpi/device_sysfs.c | 2 drivers/acpi/fan.h | 8 drivers/acpi/fan_attr.c | 39 drivers/acpi/fan_core.c | 61 - drivers/acpi/fan_hwmon.c | 19 drivers/acpi/prmt.c | 19 drivers/acpi/property.c | 24 drivers/acpi/resource.c | 7 drivers/acpi/scan.c | 4 drivers/acpi/spcr.c | 10 drivers/acpi/video_detect.c | 8 drivers/base/regmap/regmap-slimbus.c | 6 drivers/bluetooth/btmtksdio.c | 12 drivers/bluetooth/btrtl.c | 4 drivers/bluetooth/btusb.c | 19 drivers/bluetooth/hci_bcsp.c | 3 drivers/bus/mhi/host/internal.h | 2 drivers/bus/mhi/host/pm.c | 2 drivers/char/misc.c | 40 drivers/clk/at91/clk-master.c | 3 drivers/clk/at91/clk-sam9x60-pll.c | 75 - drivers/clk/at91/sam9x7.c | 1 drivers/clk/clk-scmi.c | 11 drivers/clk/qcom/gcc-ipq6018.c | 60 - drivers/clk/sunxi-ng/ccu-sun6i-rtc.c | 11 drivers/clk/ti/clk-33xx.c | 2 drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 drivers/clocksource/timer-rtl-otto.c | 26 drivers/clocksource/timer-vf-pit.c | 22 drivers/cpufreq/cpufreq_ondemand.c | 25 drivers/cpufreq/cpufreq_ondemand.h | 23 drivers/cpufreq/longhaul.c | 3 drivers/cpufreq/tegra186-cpufreq.c | 27 drivers/cpufreq/ti-cpufreq.c | 2 drivers/cpuidle/cpuidle.c | 8 drivers/cpuidle/governors/menu.c | 73 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 5 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 2 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-trng.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 drivers/crypto/aspeed/aspeed-acry.c | 2 drivers/crypto/caam/ctrl.c | 4 drivers/crypto/ccp/hsti.c | 2 drivers/crypto/ccp/sev-dev.c | 10 drivers/crypto/hisilicon/qm.c | 78 + drivers/crypto/intel/qat/qat_common/qat_uclo.c | 2 drivers/dma/dw-edma/dw-edma-core.c | 22 drivers/dma/mv_xor.c | 4 drivers/dma/sh/shdma-base.c | 25 drivers/dma/sh/shdmac.c | 17 drivers/extcon/extcon-adc-jack.c | 2 drivers/firewire/ohci.c | 12 drivers/firmware/qcom/qcom_scm.c | 2 drivers/firmware/qcom/qcom_tzmem.c | 1 drivers/gpio/gpiolib-swnode.c | 2 drivers/gpio/gpiolib.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 53 - drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 15 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 66 + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 21 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 75 - drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 34 drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.c | 1 drivers/gpu/drm/amd/amdgpu/atom.c | 4 drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 11 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 13 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 19 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 10 drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 9 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 25 drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.c | 56 + drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.h | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 100 ++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c | 86 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 10 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 13 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 2 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 16 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c | 142 +++ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.h | 5 drivers/gpu/drm/amd/display/dc/core/dc.c | 25 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 14 drivers/gpu/drm/amd/display/dc/dc_helper.c | 5 drivers/gpu/drm/amd/display/dc/dc_stream.h | 3 drivers/gpu/drm/amd/display/dc/dccg/dcn401/dcn401_dccg.c | 2 drivers/gpu/drm/amd/display/dc/dm_services.h | 2 drivers/gpu/drm/amd/display/dc/dml/dcn301/dcn301_fpu.c | 20 drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 2 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 28 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 73 - drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 5 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 drivers/gpu/drm/amd/display/dc/link/link_detection.c | 5 drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 9 drivers/gpu/drm/amd/display/dc/optc/dcn401/dcn401_optc.c | 5 drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 1 drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c | 7 drivers/gpu/drm/amd/display/include/dal_asic_id.h | 5 drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 3 drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 drivers/gpu/drm/ast/ast_drv.h | 8 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 12 drivers/gpu/drm/bridge/display-connector.c | 3 drivers/gpu/drm/drm_gem_atomic_helper.c | 8 drivers/gpu/drm/drm_panel_backlight_quirks.c | 2 drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 drivers/gpu/drm/mediatek/mtk_plane.c | 24 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 3 drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 10 drivers/gpu/drm/msm/registers/gen_header.py | 7 drivers/gpu/drm/nouveau/nouveau_sched.c | 14 drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 drivers/gpu/drm/panthor/panthor_gpu.c | 7 drivers/gpu/drm/panthor/panthor_mmu.c | 4 drivers/gpu/drm/radeon/radeon_drv.c | 25 drivers/gpu/drm/radeon/radeon_kms.c | 1 drivers/gpu/drm/scheduler/sched_entity.c | 73 - drivers/gpu/drm/scheduler/sched_main.c | 6 drivers/gpu/drm/tidss/tidss_crtc.c | 7 drivers/gpu/drm/tidss/tidss_dispc.c | 16 drivers/gpu/drm/xe/abi/guc_errors_abi.h | 3 drivers/gpu/drm/xe/xe_bo.c | 28 drivers/gpu/drm/xe/xe_gt.c | 19 drivers/gpu/drm/xe/xe_guc.c | 32 drivers/gpu/drm/xe/xe_guc_ct.c | 10 drivers/gpu/drm/xe/xe_guc_log.h | 2 drivers/hid/hid-asus.c | 6 drivers/hid/hid-ids.h | 2 drivers/hid/hid-universal-pidff.c | 20 drivers/hid/i2c-hid/i2c-hid-acpi.c | 8 drivers/hid/i2c-hid/i2c-hid-core.c | 28 drivers/hid/i2c-hid/i2c-hid.h | 2 drivers/hid/usbhid/hid-pidff.c | 42 drivers/hid/usbhid/hid-pidff.h | 2 drivers/hwmon/asus-ec-sensors.c | 2 drivers/hwmon/dell-smm-hwmon.c | 14 drivers/hwmon/k10temp.c | 10 drivers/hwmon/lenovo-ec-sensors.c | 34 drivers/hwmon/sbtsi_temp.c | 46 - drivers/hwmon/sy7636a-hwmon.c | 1 drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c | 3 drivers/iio/adc/imx93_adc.c | 18 drivers/iio/adc/spear_adc.c | 9 drivers/infiniband/hw/hns/hns_roce_cq.c | 58 + drivers/infiniband/hw/hns/hns_roce_device.h | 4 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 drivers/infiniband/hw/hns/hns_roce_main.c | 4 drivers/infiniband/hw/hns/hns_roce_qp.c | 2 drivers/infiniband/hw/irdma/Kconfig | 7 drivers/infiniband/hw/irdma/pble.c | 2 drivers/infiniband/hw/irdma/verbs.c | 4 drivers/infiniband/hw/irdma/verbs.h | 8 drivers/infiniband/ulp/ipoib/ipoib_main.c | 21 drivers/iommu/amd/init.c | 28 drivers/iommu/apple-dart.c | 5 drivers/iommu/intel/debugfs.c | 10 drivers/iommu/intel/perf.c | 10 drivers/iommu/intel/perf.h | 5 drivers/iommu/iommufd/iova_bitmap.c | 5 drivers/irqchip/irq-gic-v2m.c | 13 drivers/irqchip/irq-loongson-pch-lpc.c | 9 drivers/irqchip/irq-sifive-plic.c | 6 drivers/md/dm-target.c | 3 drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 drivers/media/i2c/Kconfig | 2 drivers/media/i2c/adv7180.c | 48 - drivers/media/i2c/ir-kbd-i2c.c | 6 drivers/media/i2c/og01a1b.c | 6 drivers/media/i2c/ov08x40.c | 2 drivers/media/pci/intel/ipu6/ipu6-isys-subdev.c | 6 drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 drivers/media/pci/ivtv/ivtv-driver.h | 3 drivers/media/pci/ivtv/ivtv-fileops.c | 18 drivers/media/pci/ivtv/ivtv-irq.c | 4 drivers/media/pci/mgb4/mgb4_vin.c | 3 drivers/media/platform/amphion/vpu_v4l2.c | 7 drivers/media/platform/verisilicon/hantro_drv.c | 2 drivers/media/platform/verisilicon/hantro_v4l2.c | 6 drivers/media/rc/imon.c | 61 - drivers/media/rc/redrat3.c | 2 drivers/media/tuners/xc4000.c | 8 drivers/media/tuners/xc5000.c | 12 drivers/media/usb/uvc/uvc_driver.c | 15 drivers/memstick/core/memstick.c | 8 drivers/mfd/da9063-i2c.c | 27 drivers/mfd/intel-lpss-pci.c | 13 drivers/mfd/kempld-core.c | 32 drivers/mfd/madera-core.c | 4 drivers/mfd/mfd-core.c | 1 drivers/mfd/stmpe-i2c.c | 1 drivers/mfd/stmpe.c | 3 drivers/mmc/host/renesas_sdhi_core.c | 6 drivers/mmc/host/sdhci-msm.c | 15 drivers/net/dsa/b53/b53_common.c | 27 drivers/net/dsa/b53/b53_regs.h | 3 drivers/net/dsa/dsa_loop.c | 9 drivers/net/dsa/microchip/ksz9477.c | 98 +- drivers/net/dsa/microchip/ksz9477_reg.h | 3 drivers/net/dsa/microchip/ksz_common.c | 49 + drivers/net/dsa/microchip/ksz_common.h | 2 drivers/net/dsa/ocelot/felix.c | 4 drivers/net/dsa/ocelot/felix.h | 3 drivers/net/dsa/ocelot/felix_vsc9959.c | 3 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 75 + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 drivers/net/ethernet/cadence/macb_main.c | 4 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 2 drivers/net/ethernet/intel/ice/ice_trace.h | 10 drivers/net/ethernet/intel/idpf/idpf.h | 2 drivers/net/ethernet/intel/idpf/idpf_lib.c | 102 ++ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 129 -- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 12 drivers/net/ethernet/microchip/lan865x/lan865x.c | 1 drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c | 18 drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 2 drivers/net/ethernet/microchip/lan966x/lan966x_main.h | 4 drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c | 8 drivers/net/ethernet/microchip/sparx5/Kconfig | 2 drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 34 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 1 drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 2 drivers/net/ethernet/realtek/Kconfig | 2 drivers/net/ethernet/realtek/r8169_main.c | 6 drivers/net/ethernet/renesas/sh_eth.c | 4 drivers/net/ethernet/sfc/mae.c | 4 drivers/net/ethernet/smsc/smsc911x.c | 14 drivers/net/ethernet/stmicro/stmmac/common.h | 1 drivers/net/ethernet/stmicro/stmmac/stmmac_est.c | 9 drivers/net/ethernet/stmicro/stmmac/stmmac_est.h | 1 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 drivers/net/ethernet/ti/icssg/icssg_config.c | 7 drivers/net/ethernet/wangxun/libwx/wx_ethtool.c | 7 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 drivers/net/hamradio/6pack.c | 57 - drivers/net/mdio/of_mdio.c | 1 drivers/net/phy/fixed_phy.c | 1 drivers/net/phy/marvell.c | 39 drivers/net/phy/phy.c | 13 drivers/net/usb/asix_devices.c | 12 drivers/net/usb/qmi_wwan.c | 6 drivers/net/usb/usbnet.c | 2 drivers/net/virtio_net.c | 36 drivers/net/wan/framer/pef2256/pef2256.c | 7 drivers/net/wireless/ath/ath10k/mac.c | 12 drivers/net/wireless/ath/ath10k/wmi.c | 40 drivers/net/wireless/ath/ath11k/core.c | 54 + drivers/net/wireless/ath/ath11k/core.h | 3 drivers/net/wireless/ath/ath11k/mac.c | 61 + drivers/net/wireless/ath/ath11k/wmi.c | 11 drivers/net/wireless/ath/ath11k/wmi.h | 10 drivers/net/wireless/ath/ath12k/dp.h | 2 drivers/net/wireless/ath/ath12k/mac.c | 34 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 14 drivers/net/wireless/mediatek/mt76/eeprom.c | 9 drivers/net/wireless/mediatek/mt76/mt76.h | 2 drivers/net/wireless/mediatek/mt76/mt7603/eeprom.c | 3 drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt7615/init.c | 5 drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 6 drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/init.c | 4 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/init.c | 4 drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c | 3 drivers/net/wireless/mediatek/mt76/mt7996/init.c | 5 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 drivers/net/wireless/realtek/rtw88/sdio.c | 4 drivers/net/wireless/realtek/rtw89/core.c | 59 + drivers/net/wireless/realtek/rtw89/core.h | 10 drivers/net/wireless/realtek/rtw89/debug.h | 1 drivers/net/wireless/realtek/rtw89/fw.c | 4 drivers/net/wireless/realtek/rtw89/mac.c | 7 drivers/net/wireless/realtek/rtw89/phy.c | 7 drivers/net/wireless/realtek/rtw89/txrx.h | 1 drivers/net/wireless/virtual/mac80211_hwsim.c | 7 drivers/net/wwan/t7xx/t7xx_pci.c | 1 drivers/ntb/hw/epf/ntb_hw_epf.c | 103 +- drivers/nvme/host/core.c | 8 drivers/nvme/host/fc.c | 10 drivers/nvme/target/fc.c | 16 drivers/pci/controller/cadence/pcie-cadence-host.c | 2 drivers/pci/controller/cadence/pcie-cadence.c | 4 drivers/pci/controller/cadence/pcie-cadence.h | 6 drivers/pci/controller/dwc/pci-imx6.c | 4 drivers/pci/controller/dwc/pcie-designware.c | 4 drivers/pci/endpoint/functions/pci-epf-test.c | 7 drivers/pci/p2pdma.c | 2 drivers/pci/pci-driver.c | 2 drivers/pci/pci.c | 5 drivers/pci/pcie/err.c | 3 drivers/pci/quirks.c | 3 drivers/phy/cadence/cdns-dphy.c | 4 drivers/phy/renesas/r8a779f0-ether-serdes.c | 28 drivers/phy/rockchip/phy-rockchip-inno-csidphy.c | 5 drivers/pinctrl/pinctrl-keembay.c | 7 drivers/pinctrl/pinctrl-single.c | 4 drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c | 2 drivers/pmdomain/apple/pmgr-pwrstate.c | 1 drivers/power/supply/qcom_battmgr.c | 8 drivers/power/supply/sbs-charger.c | 16 drivers/ptp/ptp_clock.c | 13 drivers/pwm/pwm-pca9685.c | 46 - drivers/remoteproc/qcom_q6v5.c | 5 drivers/remoteproc/wkup_m3_rproc.c | 6 drivers/rpmsg/rpmsg_char.c | 3 drivers/rtc/rtc-pcf2127.c | 19 drivers/rtc/rtc-rx8025.c | 2 drivers/scsi/libfc/fc_encode.h | 2 drivers/scsi/lpfc/lpfc_debugfs.h | 3 drivers/scsi/lpfc/lpfc_els.c | 21 drivers/scsi/lpfc/lpfc_init.c | 7 drivers/scsi/lpfc/lpfc_nportdisc.c | 23 drivers/scsi/lpfc/lpfc_scsi.c | 14 drivers/scsi/lpfc/lpfc_sli.c | 3 drivers/scsi/mpi3mr/mpi3mr_fw.c | 13 drivers/scsi/mpi3mr/mpi3mr_os.c | 2 drivers/scsi/mpt3sas/mpt3sas_transport.c | 3 drivers/scsi/pm8001/pm8001_ctl.c | 24 drivers/scsi/pm8001/pm8001_init.c | 1 drivers/scsi/pm8001/pm8001_sas.h | 4 drivers/scsi/qla2xxx/qla_os.c | 5 drivers/soc/aspeed/aspeed-socinfo.c | 4 drivers/soc/qcom/smem.c | 2 drivers/soc/tegra/fuse/fuse-tegra30.c | 122 ++ drivers/soc/ti/pruss.c | 2 drivers/spi/spi-loopback-test.c | 12 drivers/spi/spi-rpc-if.c | 2 drivers/tee/tee_core.c | 2 drivers/thermal/gov_step_wise.c | 15 drivers/thunderbolt/tb.c | 2 drivers/tty/serial/ip22zilog.c | 352 +++----- drivers/tty/serial/max3100.c | 2 drivers/tty/serial/max310x.c | 3 drivers/tty/vt/vt_ioctl.c | 4 drivers/ufs/core/ufshcd.c | 16 drivers/ufs/host/ufs-exynos.c | 8 drivers/ufs/host/ufs-mediatek.c | 222 ++++- drivers/ufs/host/ufshcd-pci.c | 70 + drivers/usb/cdns3/cdnsp-gadget.c | 8 drivers/usb/gadget/function/f_fs.c | 8 drivers/usb/gadget/function/f_hid.c | 4 drivers/usb/gadget/function/f_ncm.c | 3 drivers/usb/host/xhci-pci.c | 43 drivers/usb/host/xhci-plat.c | 1 drivers/usb/mon/mon_bin.c | 14 drivers/vfio/pci/vfio_pci_intrs.c | 7 drivers/vfio/vfio_main.c | 2 drivers/video/backlight/lp855x_bl.c | 2 drivers/video/fbdev/aty/atyfb_base.c | 8 drivers/video/fbdev/core/bitblit.c | 33 drivers/video/fbdev/core/fbcon.c | 19 drivers/video/fbdev/core/fbmem.c | 1 drivers/video/fbdev/pvr2fb.c | 2 drivers/video/fbdev/valkyriefb.c | 2 drivers/watchdog/s3c2410_wdt.c | 10 fs/9p/v9fs.c | 9 fs/btrfs/extent_io.c | 8 fs/btrfs/file.c | 10 fs/btrfs/qgroup.c | 4 fs/ceph/dir.c | 3 fs/ceph/file.c | 6 fs/ceph/ioctl.c | 17 fs/ceph/locks.c | 5 fs/ceph/mds_client.c | 8 fs/ceph/mdsmap.c | 14 fs/ceph/super.c | 14 fs/ceph/super.h | 14 fs/exfat/balloc.c | 72 + fs/exfat/fatent.c | 11 fs/ext4/fast_commit.c | 2 fs/ext4/xattr.c | 2 fs/f2fs/extent_cache.c | 6 fs/f2fs/node.c | 17 fs/f2fs/sysfs.c | 9 fs/fuse/inode.c | 11 fs/hpfs/namei.c | 18 fs/jfs/inode.c | 8 fs/jfs/jfs_txnmgr.c | 9 fs/nfs/nfs4proc.c | 6 fs/nfs/nfs4state.c | 3 fs/nfsd/nfs4proc.c | 7 fs/ntfs3/inode.c | 1 fs/open.c | 10 fs/orangefs/xattr.c | 12 fs/smb/client/cached_dir.c | 16 fs/smb/client/smb2ops.c | 3 fs/smb/client/smb2pdu.c | 7 fs/smb/client/transport.c | 10 fs/smb/server/transport_tcp.c | 7 include/drm/gpu_scheduler.h | 23 include/linux/blk_types.h | 11 include/linux/bpf_verifier.h | 7 include/linux/cgroup.h | 1 include/linux/f2fs_fs.h | 1 include/linux/fbcon.h | 2 include/linux/filter.h | 3 include/linux/pci.h | 2 include/linux/shdma-base.h | 2 include/linux/tnum.h | 3 include/net/bluetooth/hci.h | 1 include/net/bluetooth/hci_core.h | 13 include/net/bluetooth/mgmt.h | 2 include/net/cls_cgroup.h | 2 include/net/nfc/nci_core.h | 2 include/net/xdp.h | 5 include/ufs/ufs_quirks.h | 3 include/ufs/ufshcd.h | 8 include/ufs/ufshci.h | 4 io_uring/notif.c | 5 kernel/bpf/core.c | 5 kernel/bpf/helpers.c | 2 kernel/bpf/ringbuf.c | 2 kernel/bpf/tnum.c | 8 kernel/bpf/verifier.c | 100 ++ kernel/cgroup/cgroup.c | 24 kernel/events/uprobes.c | 7 kernel/futex/syscalls.c | 106 +- kernel/sched/ext.c | 8 kernel/trace/ftrace.c | 2 kernel/trace/ring_buffer.c | 4 kernel/trace/trace_events_hist.c | 6 lib/crypto/Makefile | 2 lib/kunit/kunit-test.c | 2 net/8021q/vlan.c | 2 net/9p/trans_fd.c | 9 net/bluetooth/hci_event.c | 19 net/bluetooth/hci_sync.c | 21 net/bluetooth/iso.c | 11 net/bluetooth/mgmt.c | 6 net/bluetooth/rfcomm/tty.c | 26 net/bluetooth/sco.c | 7 net/bridge/br.c | 5 net/bridge/br_forward.c | 5 net/bridge/br_if.c | 1 net/bridge/br_input.c | 4 net/bridge/br_mst.c | 10 net/bridge/br_private.h | 13 net/core/filter.c | 1 net/core/page_pool.c | 12 net/core/sock.c | 15 net/dsa/tag_brcm.c | 70 - net/ethernet/eth.c | 5 net/ipv4/inet_diag.c | 14 net/ipv4/ip_input.c | 11 net/ipv4/netfilter/nf_reject_ipv4.c | 25 net/ipv4/nexthop.c | 6 net/ipv4/route.c | 2 net/ipv4/tcp.c | 4 net/ipv4/tcp_fastopen.c | 7 net/ipv4/udp_tunnel_nic.c | 2 net/ipv6/addrconf.c | 4 net/ipv6/ah6.c | 50 - net/ipv6/netfilter/nf_reject_ipv6.c | 30 net/ipv6/raw.c | 2 net/ipv6/udp.c | 2 net/mac80211/cfg.c | 20 net/mac80211/ieee80211_i.h | 2 net/mac80211/iface.c | 9 net/mac80211/key.c | 10 net/mac80211/mesh.c | 3 net/mac80211/mlme.c | 5 net/mptcp/protocol.c | 18 net/mptcp/protocol.h | 2 net/rds/rds.h | 2 net/sctp/diag.c | 21 security/integrity/ima/ima_appraise.c | 23 sound/drivers/serial-generic.c | 12 sound/pci/hda/patch_realtek.c | 17 sound/soc/codecs/cs-amp-lib-test.c | 1 sound/soc/codecs/tlv320aic3x.c | 32 sound/soc/fsl/fsl_sai.c | 11 sound/soc/intel/avs/pcm.c | 3 sound/soc/mediatek/mt8173/mt8173-rt5650.c | 2 sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 2 sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c | 2 sound/soc/mediatek/mt8186/mt8186-mt6366.c | 2 sound/soc/mediatek/mt8188/mt8188-mt6359.c | 8 sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c | 2 sound/soc/mediatek/mt8195/mt8195-mt6359.c | 4 sound/soc/meson/aiu-encoder-i2s.c | 9 sound/soc/qcom/qdsp6/q6asm.c | 2 sound/soc/qcom/sc8280xp.c | 3 sound/soc/sof/ipc4-pcm.c | 56 + sound/soc/stm/stm32_sai_sub.c | 8 sound/usb/mixer.c | 7 sound/usb/mixer_s1810c.c | 28 sound/usb/validate.c | 9 tools/bpf/bpftool/btf_dumper.c | 2 tools/bpf/bpftool/prog.c | 2 tools/include/linux/bitmap.h | 1 tools/lib/bpf/bpf_tracing.h | 2 tools/lib/bpf/usdt.bpf.h | 44 - tools/lib/bpf/usdt.c | 62 + tools/lib/thermal/Makefile | 9 tools/net/ynl/lib/ynl-priv.h | 4 tools/power/cpupower/lib/cpuidle.c | 5 tools/power/cpupower/lib/cpupower.c | 2 tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 30 tools/testing/selftests/Makefile | 2 tools/testing/selftests/bpf/prog_tests/bpf_cookie.c | 3 tools/testing/selftests/bpf/progs/verifier_arena_large.c | 1 tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 tools/testing/selftests/bpf/test_xsk.sh | 2 tools/testing/selftests/drivers/net/hw/rss_ctx.py | 11 tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 tools/testing/selftests/net/fcnal-test.sh | 432 +++++----- tools/testing/selftests/net/forwarding/custom_multipath_hash.sh | 2 tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh | 2 tools/testing/selftests/net/forwarding/ip6_forward_instats_vrf.sh | 6 tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh | 2 tools/testing/selftests/net/forwarding/lib.sh | 8 tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q_lag.sh | 2 tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh | 4 tools/testing/selftests/net/gro.c | 12 tools/testing/selftests/net/mptcp/mptcp_join.sh | 6 tools/testing/selftests/net/psock_tpacket.c | 4 tools/testing/selftests/net/traceroute.sh | 51 - tools/testing/selftests/thermal/intel/workload_hint/workload_hint_test.c | 2 usr/include/headers_check.pl | 2 612 files changed, 5854 insertions(+), 2705 deletions(-) Aaron Kling (1): cpufreq: tegra186: Initialize all cores to max frequencies Abdun Nihaal (2): sfc: fix potential memory leak in efx_mae_process_mport() Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() Adrian Hunter (3): scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL scsi: ufs: core: Add a quirk to suppress link_startup_again Akhil P Oommen (1): drm/msm/a6xx: Fix GMU firmware parser Al Viro (3): allow finish_no_open(file, ERR_PTR(-E...)) sparc64: fix prototypes of reads[bwl]() nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Albin Babu Varghese (1): fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Aleksander Jan Bajkowski (5): mips: lantiq: danube: add missing properties to cpu node mips: lantiq: danube: add model to EASY50712 dts mips: lantiq: danube: add missing device_type in pci node mips: lantiq: xway: sysctrl: rename stp clock mips: lantiq: danube: rename stp node on EASY50712 reference board Alex Deucher (5): drm/amd/display: add more cyan skillfish devices drm/amd: add more cyan skillfish PCI ids drm/amdgpu: don't enable SMU on cyan skillfish drm/amdgpu: add support for cyan skillfish gpu_info drm/amdgpu/smu: Handle S0ix for vangogh Alex Hung (1): drm/amd/display: Fix black screen with HDMI outputs Alex Mastro (1): vfio: return -ENOTTY for unsupported device feature Alexander Stein (2): mfd: stmpe: Remove IRQ domain upon removal mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexey Klimov (2): regmap: slimbus: fix bus_context pointer in regmap init calls ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() Alice Chao (2): scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO mode change scsi: ufs: host: mediatek: Fix invalid access in vccqx handling Alistair Francis (1): nvme: Use non zero KATO for persistent discovery connections Alok Tiwari (2): udp_tunnel: use netdev_warn() instead of netdev_WARN() scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() Amber Lin (1): drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Amery Hung (1): bpf: Clear pfmemalloc flag when freeing all fragments Amirreza Zarrabi (1): tee: allow a driver to allocate a tee_device without a pool Andreas Kemnade (1): hwmon: sy7636a: add alias Andrew Davis (2): rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper Andrii Nakryiko (1): libbpf: Fix powerpc's stack register definition in bpf_tracing.h Antheas Kapenekakis (2): drm: panel-backlight-quirks: Make EDID match optional HID: asus: add Z13 folio to generic group for multitouch to work Anthony Iliopoulos (1): NFSv4.1: fix mount hang after CREATE_SESSION failure Antonino Maniscalco (1): drm/msm: make sure to not queue up recovery more than once Anubhav Singh (2): selftests/net: fix out-of-order delivery of FIN in gro:tcp test selftests/net: use destination options instead of hop-by-hop Ariel D'Alessandro (1): drm/mediatek: Disable AFBC support on Mediatek DRM driver Arkadiusz Bokowy (1): Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames Armin Wolf (3): ACPI: fan: Use ACPI handle when retrieving _FST ACPI: fan: Use platform device for devres-related actions hwmon: (dell-smm) Remove Dell Precision 490 custom config data Arnd Bergmann (1): mfd: madera: Work around false-positive -Wininitialized warning Ashish Kalra (2): iommu/amd: Skip enabling command/event buffers for kdump crypto: ccp: Skip SEV and SNP INIT for kdump boot Aurabindo Pillai (1): drm/amd/display: fix condition for setting timing_adjust_pending Ausef Yousof (1): drm/amd/display: fix dml ms order of operations Avadhut Naik (1): hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models Balamanikandan Gunasundar (1): clk: at91: sam9x7: Add peripheral clock id for pmecc Baochen Qiang (1): Revert "wifi: ath10k: avoid unnecessary wait for service ready message" Bart Van Assche (1): scsi: ufs: core: Disable timestamp functionality if not supported Bartosz Golaszewski (3): pinctrl: keembay: release allocated memory in detach path gpio: swnode: don't use the swnode's name as the key for GPIO lookup gpiolib: fix invalid pointer access in debugfs Bastien Curutchet (2): mfd: core: Increment of_node's refcount before linking it to the platform device net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463 Ben Copeland (1): hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex Benjamin Lin (1): wifi: mt76: mt7996: Temporarily disable EPCS Bharat Uppal (1): scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on suspend Biju Das (2): mmc: host: renesas_sdhi: Fix the actual clock spi: rpc-if: Add resume support for RZ/G3E Brahmajit Das (1): net: intel: fm10k: Fix parameter idx set but not used Bruno Thomsen (1): rtc: pcf2127: fix watchdog interrupt mask on pcf2131 Bui Quang Minh (2): virtio-net: drop the multi-buffer XDP packet in zerocopy virtio-net: fix received length check in big packets Carolina Jubran (1): net/mlx5e: Don't query FEC statistics when FEC is disabled Ce Sun (2): drm/amdgpu: Avoid rma causes GPU duplicate reset drm/amdgpu: Correct the counts of nr_banks and nr_errors Cen Zhang (1): Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once Cezary Rojewski (2): ASoC: Intel: avs: Unprepare a stream when XRUN occurs ASoC: Intel: avs: Disable periods-elapsed work when closing PCM Chandrakanth Patil (2): scsi: mpi3mr: Fix I/O failures during controller reset scsi: mpi3mr: Fix controller init failure on fault during queue creation Chang S. Bae (1): x86/fpu: Ensure XFD state on signal delivery Chao Yu (1): f2fs: fix to detect potential corrupted nid in free_nid_list Charalampos Mitrodimas (1): net: ipv6: fix field-spanning memcpy warning in AH output Chelsy Ratnawat (1): media: fix uninitialized symbol warnings Chen Pei (1): ACPI: SPCR: Support Precise Baud Rate field Chen Wang (1): PCI: cadence: Check for the existence of cdns_pcie::ops before using it Chen Yufeng (1): usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget Chen-Yu Tsai (1): clk: sunxi-ng: sun6i-rtc: Add A523 specifics Chengchang Tang (1): RDMA/hns: Fix recv CQ and QP cache affinity Chenghao Duan (1): riscv: bpf: Fix uninitialized symbol 'retval_off' Chi Zhang (1): pinctrl: single: fix bias pull up/down handling in pin_config_set Chi Zhiling (1): exfat: limit log print for IO error Chia-I Wu (1): drm/panthor: check bo offset alignment in vm bind Chih-Kang Chang (1): wifi: rtw89: obtain RX path from ppdu status IE00 Chris Lu (2): Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during reset Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922 Christian Bruel (1): irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment Christian König (1): drm/amdgpu: reject gang submissions under SRIOV Christoph Hellwig (1): dm error: mark as DM_TARGET_PASSES_INTEGRITY Christoph Paasch (1): net: When removing nexthops, don't call synchronize_net if it is not necessary Christopher Ruehl (1): power: supply: qcom_battmgr: add OOI chemistry Chuande Chen (1): hwmon: (sbtsi_temp) AMD CPU extended temperature range support Chuck Lever (1): NFSD: Fix crash in nfsd4_read_release() ChunHao Lin (1): r8169: set EEE speed down ratio to 1 Chunyan Zhang (1): riscv: stacktrace: Disable KASAN checks for non-current tasks Clay King (2): drm/amd/display: ensure committing streams is seamless drm/amd/display: incorrect conditions for failing dto calculations Coiby Xu (1): ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Colin Foster (1): smsc911x: add second read of EEPROM mac when possible corruption seen Cryolitia PukNgae (1): ALSA: usb-audio: apply quirk for MOONDROP Quark2 Damien Le Moal (2): block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL block: make REQ_OP_ZONE_OPEN a write operation Daniel Lezcano (1): clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Daniel Palmer (4): fbdev: atyfb: Check if pll_ops->init_pll failed drm/radeon: Do not kfree() devres managed rdev drm/radeon: Remove calls to drm_put_dev() eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP Daniel Wagner (2): nvmet-fc: avoid scheduling association deletion twice nvme-fc: use lock accessing port_state and rport state Danny Wang (1): drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off Dapeng Mi (1): perf/x86/intel: Fix KASAN global-out-of-bounds warning David Ahern (2): selftests: Disable dad for ipv6 in fcnal-test.sh selftests: Replace sleep with slowwait David Francis (1): drm/amdgpu: Allow kfd CRIU with no buffer objects David Ober (1): hwmon: (lenovo-ec-sensors) Update P8 supprt David Rosca (1): drm/sched: avoid killing parent entity on child SIGKILL David Yang (1): selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt Dennis Beier (1): cpufreq/longhaul: handle NULL policy in longhaul_exit Devendra K Verma (1): dmaengine: dw-edma: Set status for callback_result Dmitry Baryshkov (1): drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts Dragos Tatulea (2): page_pool: Clamp pool size to max 16K pages net/mlx5e: SHAMPO, Fix skb size check for 64K pages Emil Dahl Juhl (1): tools: lib: thermal: don't preserve owner in install Eric Dumazet (5): idpf: do not linearize big TSO packets inet_diag: annotate data-races in inet_diag_bc_sk() tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() net: call cond_resched() less often in __release_sock() ipv6: np->rxpmtu race annotation Eric Huang (1): drm/amdkfd: fix vram allocation failure for a special case Fabien Proriol (1): power: supply: sbs-charger: Support multiple devices Fangzhi Zuo (1): drm/amd/display: Fix pbn_div Calculation Error Farhan Ali (1): s390/pci: Restore IRQ unconditionally for the zPCI device Felix Fietkau (1): wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error Fenglin Wu (1): power: supply: qcom_battmgr: handle charging state change notifications Fiona Ebner (1): smb: client: transport: avoid reconnects triggered by pending task work Florian Fuchs (1): fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Florian Schmaus (1): kunit: test_dev_action: Correctly cast 'priv' pointer to long* Florian Westphal (1): netfilter: nf_reject: don't reply to icmp error messages Forest Crossman (1): usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Francisco Gutierrez (1): scsi: pm80xx: Fix race condition caused by static variables Gal Pressman (1): net/mlx5e: Fix return value in case of module EEPROM read error Gaurav Jain (1): crypto: caam - double the entropy delay interval for retry Geert Uytterhoeven (1): kbuild: uapi: Strip comments before size type check Geoffrey McRae (1): drm/amdkfd: return -ENOTTY for unsupported IOCTLs Gerd Bayer (1): s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Gokul Sivakumar (1): wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Greg Kroah-Hartman (1): Linux 6.12.58 Gregory Price (1): x86/CPU/AMD: Add RDSEED fix for Zen5 Guangshuo Li (1): drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() Haibo Chen (1): iio: adc: imx93_adc: load calibrated values even calibration failed Hangbin Liu (1): net: vlan: sync VLAN features with lower device Hans de Goede (2): ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[] ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() Hao Yao (1): media: ov08x40: Fix the horizontal flip control Haotian Zhang (2): crypto: aspeed - fix double free caused by devm net: wan: framer: pef2256: Switch to devm_mfd_add_devices() Harikrishna Shenoy (1): phy: cadence: cdns-dphy: Enable lower resolutions in dphy Hector Martin (1): iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs Heijligen, Thomas (1): mfd: kempld: Switch back to earlier ->init() behavior Heiko Carstens (1): s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP Heiner Kallweit (1): net: phy: fixed_phy: let fixed_phy_unregister free the phy_device Helge Deller (1): parisc: Avoid crash due to unaligned access in unwinder Heng Zhou (1): drm/amdgpu: fix nullptr err of vm_handle_moved Henrique Carvalho (2): smb: client: fix potential cfid UAF in smb2_query_info_compound smb: client: fix potential UAF in smb2_close_cached_fid() Hongguang Gao (2): bnxt_en: Refactor bnxt_free_ctx_mem() bnxt_en: Add a 'force' parameter to bnxt_free_ctx_mem() Horatiu Vultur (1): lan966x: Fix sleeping in atomic context Hoyoung Seo (1): scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS Ian Rogers (1): tools bitmap: Add missing asm-generic/bitsperlong.h include Ido Schimmel (3): bridge: Redirect to backup port when port is administratively down selftests: traceroute: Use require_command() selftests: traceroute: Return correct value on failure Ilan Peer (2): wifi: mac80211: Fix HE capabilities element check wifi: mac80211: Track NAN interface start/stop Ilia Gavrilov (1): Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() Ilpo Järvinen (1): mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs Inochi Amaoto (1): irqchip/sifive-plic: Respect mask state when setting affinity Iulia Tanasescu (1): Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave Ivan Lipski (2): drm/amd/display: Fix incorrect return of vblank enable on unconfigured crtc drm/amd/display: Support HW cursor 180 rot for any number of pipe splits Ivan Pravdin (1): Bluetooth: bcsp: receive data only if registered Jacky Bai (1): clk: scmi: Add duty cycle ops only when duty cycle is supported Jacob Moroni (3): RDMA/irdma: Fix SD index calculation RDMA/irdma: Remove unused struct irdma_cq fields RDMA/irdma: Set irdma_cq cq_num field during CQ create Jaegeuk Kim (1): f2fs: fix wrong layout information on 16KB page Jakub Kicinski (4): selftests: drv-net: rss_ctx: fix the queue count check selftests: drv-net: rss_ctx: make the test pass with few queues selftests: net: replace sleeps in fcnal-test with waits page_pool: always add GFP_NOWARN for ATOMIC allocations Janne Grunau (1): pmdomain: apple: Add "apple,t8103-pmgr-pwrstate" Jarkko Nikula (1): i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C Jason Gunthorpe (1): iommufd: Don't overflow during division for dirty tracking Jayesh Choudhary (1): drm/tidss: Set crtc modesetting parameters with adjusted mode Jens Kehne (1): mfd: da9063: Split chip variant reading in two bus transactions Jens Reidel (1): soc: qcom: smem: Fix endian-unaware access of num_entries Jerome Brunet (1): NTB: epf: Allow arbitrary BAR mapping Jiawei Zhao (1): libbpf: Fix USDT SIB argument handling causing unrecognized register error Jiawen Wu (2): net: wangxun: limit tx_max_coalesced_frames_irq net: libwx: fix device bus LAN ID Jiayi Li (1): memstick: Add timeout to prevent indefinite waiting Jijie Shao (1): net: hns3: return error code when function fails Jiri Olsa (1): uprobe: Do not emulate/sstep original instruction when ip is changed Johan Hovold (2): Bluetooth: rfcomm: fix modem control handling drm/mediatek: Fix device use-after-free on unbind Johannes Berg (1): wifi: mac80211: fix key tailroom accounting leak John Harrison (2): drm/xe/guc: Add more GuC load error status codes drm/xe/guc: Return an error code if the GuC load fails John Keeping (1): ALSA: serial-generic: remove shared static buffer John Smith (2): drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland Jonas Gorski (5): net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx net: dsa: b53: fix resetting speed and pause on forced link net: dsa: b53: fix bcm63xx RGMII port link adjustment net: dsa: b53: fix enabling ip multicast net: dsa: b53: stop reading ARL entries if search is done Jonas Schwöbel (1): ARM: tegra: p880: set correct touchscreen clipping Josephine Pfeiffer (1): riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro Joshua Grisham (1): ACPI: fan: Add fan speed reporting for fans with only _FST Joshua Rogers (1): smb: client: validate change notify buffer before copy Josua Mayer (1): rtc: pcf2127: clear minute/second interrupt Julian Sun (1): ext4: increase IO priority of fastcommit Junjie Cao (1): fbdev: bitblit: bound-check glyph index in bit_putcs* Junxian Huang (1): RDMA/hns: Fix wrong WQE data when QP wraps around Juraj Šarinay (1): net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Justin Tee (6): scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup scsi: lpfc: Define size of debugfs entry for xri rebalancing scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology Kailang Yang (1): ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again Kalesh AP (1): bnxt_en: Fix a possible memory leak in bnxt_ptp_init Karthi Kandasamy (1): drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream Karthik M (1): wifi: ath12k: free skb during idr cleanup callback Karunika Choo (1): drm/panthor: Serialize GPU cache flush operations Kaushlendra Kumar (5): ACPI: button: Call input_free_device() on failing input device registration ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object tools/cpupower: fix error return value in cpupower_write_sysfs() tools/cpupower: Fix incorrect size in cpuidle_state_disable() tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage Kees Cook (1): arc: Fix __fls() const-foldability via __builtin_clzl() Kent Russell (1): drm/amdkfd: Handle lack of READ permissions in SVM mapping Kirill A. Shutemov (2): x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall x86/runtime-const: Add the RUNTIME_CONST_PTR assembly macro Koakuma (1): sparc/module: Add R_SPARC_UA64 relocation handling Konstantin Sinyuk (1): accel/habanalabs/gaudi2: read preboot status after recovering from dirty state Kotresh HR (1): ceph: fix multifs mds auth caps issue Krishna Kurapati (1): usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Krzysztof Kozlowski (4): extcon: adc-jack: Fix wakeup source leaks on device unbind drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL drm/msm/dsi/phy_7nm: Fix missing initial VCO rate extcon: adc-jack: Cleanup wakeup source only if it was enabled Kuan-Chung Chen (2): wifi: rtw89: wow: remove notify during WoWLAN net-detect wifi: rtw89: fix BSSID comparison for non-transmitted BSSID Kumar Kartikeya Dwivedi (1): bpf: Do not limit bpf_cgroup_from_id to current's namespace Kuniyuki Iwashima (1): net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. Laurent Pinchart (2): media: pci: ivtv: Don't create fake v4l2_fh media: amphion: Delete v4l2_fh synchronously in .release() Len Brown (2): tools/power x86_energy_perf_policy: Enhance HWP enable tools/power x86_energy_perf_policy: Prefer driver HWP limits Li RongQing (1): x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT Lijo Lazar (2): drm/amd/pm: Use cached metrics data on aldebaran drm/amd/pm: Use cached metrics data on arcturus Linus Torvalds (2): x86: use cmov for user address masking x86: uaccess: don't use runtime-const rewriting in modules Lizhi Xu (1): usbnet: Prevents free active kevent Lo-an Chen (1): drm/amd/display: Init dispclk from bootup clock for DCN314 Loic Poulain (2): wifi: ath10k: Fix memory leak on unsupported WMI command wifi: ath10k: Fix connection after GTK rekeying Luiz Augusto von Dentz (5): Bluetooth: ISO: Fix BIS connection dst_type handling Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 Bluetooth: ISO: Fix another instance of dst_type handling Bluetooth: hci_core: Fix tracking of periodic advertisement Bluetooth: SCO: Fix UAF on sco_conn_free Lukas Wunner (2): PCI/ERR: Update device error_state already after reset thunderbolt: Use is_pciehp instead of is_hotplug_bridge Maarten Lankhorst (1): drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. Maarten Zanders (1): ASoC: fsl_sai: Fix sync error in consumer mode Mangesh Gadre (1): drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest Marcos Del Sol Vives (1): PCI: Disable MSI on RDC PCI to PCIe bridges Marek Szyprowski (1): media: videobuf2: forbid remove_bufs when legacy fileio is active Marek Vasut (1): PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs Mario Limonciello (4): drm/amd: Check that VPE has reached DPM0 in idle handler drm/amd/display: Set up pixel encoding for YCBCR422 PCI/PM: Skip resuming to D0 if device is disconnected drm/amd/display: Add fallback path for YCBCR422 Mario Limonciello (AMD) (5): ACPI: video: force native for Lenovo 82K8 Fix access to video_is_primary_device() when compiled without CONFIG_VIDEO drm/amd: Avoid evicting resources at S5 HID: i2c-hid: Resolve touchpad issues on Dell systems during S4 x86/microcode/AMD: Add more known models to entry sign checking Mark Pearson (1): wifi: ath11k: Add missing platform IDs for quirk table Marko Mäkelä (1): clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf Markus Stockhausen (2): clocksource/drivers/timer-rtl-otto: Work around dying timers clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts Martin Tůma (1): media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS Martin Willi (1): wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup Matthew Brost (1): drm/xe: Do not wake device during a GT reset Matthias Schiffer (1): clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled Matthieu Baerts (NGI0) (1): selftests: mptcp: join: allow more time to send ADD_ADDR Meghana Malladi (1): net: ti: icssg-prueth: Fix fdb hash size configuration Mehdi Djait (1): media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR Melissa Wen (2): drm/amd/display: change dc stream color settings only in atomic commit drm/amd/display: update color on atomic commit time Meng Li (1): drm/amd/amdgpu: Release xcp drm memory after unplug Miaoqian Lin (3): net: usb: asix_devices: Check return value of usbnet_get_endpoints fbdev: valkyriefb: Fix reference count leak in valkyriefb_init s390/mm: Fix memory leak in add_marker() when kvrealloc() fails Michael Dege (1): phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet Michael Riesch (1): phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 Michael Strauss (2): drm/amd/display: Move setup_stream_attribute drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration Michal Pecio (1): usb: xhci-pci: Fix USB2-only root hub registration Michal Wajdeczko (1): drm/xe/guc: Set upper limit of H2G retries over CTB Mike Marshall (1): orangefs: fix xattr related buffer overflow... Miklos Szeredi (1): fuse: zero initialize inode private data Ming Wang (1): irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller Miri Korenblit (1): wifi: mac80211: don't mark keys for inactive links as uploaded Miroslav Lichvar (1): ptp: Limit time setting of PTP clocks Mohammad Heib (2): net: ionic: add dma_wmb() before ringing TX doorbell net: ionic: map SKB after pseudo-header checksum prep Moti Haimovski (1): accel/habanalabs: support mapping cb with vmalloc-backed coherent memory Mukesh Ojha (1): firmware: qcom: scm: preserve assign_mem() error return value Mykyta Yatsenko (1): selftests/bpf: Fix flaky bpf_cookie selftest Nai-Chen Cheng (1): selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Namjae Jeon (2): exfat: validate cluster allocation bits of the allocation bitmap ksmbd: use sock_create_kern interface to create kernel socket Nathan Chancellor (1): lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC Nicolas Ferre (2): ARM: at91: pm: save and restore ACR during PLL disable/enable clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register Nidhish A N (1): wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list Nikita Travkin (1): firmware: qcom: tzmem: disable sc7180 platform Niklas Cassel (1): PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() Niklas Neronin (1): usb: xhci-pci: add support for hosts with zero USB3 ports Niklas Schnelle (2): powerpc/eeh: Use result of error_detected() in uevent s390/pci: Use pci_uevent_ers() in PCI recovery Niklas Söderlund (4): media: adv7180: Add missing lock in suspend callback media: adv7180: Do not write format to device in set_fmt media: adv7180: Only validate format in querystd net: sh_eth: Disable WoL if system can not suspend Nikolay Aleksandrov (2): net: bridge: fix use-after-free due to MST port state bypass net: bridge: fix MST static key usage Nithyanantham Paramasivam (1): wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 Noorain Eqbal (1): bpf: Sync pending IRQ work before freeing ring buffer Oleg Nesterov (1): 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN Oleksij Rempel (2): net: stmmac: Correctly handle Rx checksum offload errors net: phy: clear link parameters on admin link down Olga Kornievskaia (1): NFSv4: handle ERR_GRACE on delegation recalls Olivier Moysan (1): ASoC: stm32: sai: manage context in set_sysclk callback Ondrej Mosnacek (1): bpf: Do not audit capability check in do_jit() Oscar Maes (1): net: ipv4: allow directed broadcast routes to use dst hint Ovidiu Panait (1): crypto: sun8i-ce - remove channel timeout field Owen Gu (1): usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Paolo Abeni (2): mptcp: drop bogus optimization in __mptcp_check_push() mptcp: restore window probe Paresh Bhagat (1): cpufreq: ti: Add support for AM62D2 Parthiban Veerasooran (1): microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl support Paul Chaignon (1): bpf: Use tnums for JEQ/JNE is_branch_taken logic Paul Hsieh (1): drm/amd/display: update dpp/disp clock from smu clock table Paul Kocialkowski (1): media: verisilicon: Explicitly disable selection api ioctls for decoders Pavan Chebbi (1): bnxt_en: Add Hyper-V VF ID Pavel Begunkov (1): io_uring/zctx: check chained notif contexts Peter Ujfalusi (1): ASoC: SOF: ipc4-pcm: Add fixup for channels Peter Wang (8): scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration scsi: ufs: host: mediatek: Fix PWM mode switch issue scsi: ufs: host: mediatek: Change reset sequence for improved stability scsi: ufs: host: mediatek: Enhance recovery on resume failure scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure scsi: ufs: host: mediatek: Correct system PM flow scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode changes Petr Machata (1): net: bridge: Install FDB for bridge MAC on VLAN 0 Petr Oros (2): tools: ynl: fix string attribute length to include null terminator dpll: spec: add missing module-name and clock-id to pin-get reply Philip Yang (1): drm/amdkfd: Fix mmap write lock not release Philipp Stanner (2): drm/nouveau: Fix race in nouveau_sched_fini() drm/sched: Fix race in drm_sched_entity_select_rq() Pierre-Eric Pelloux-Prayer (1): drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb Ping-Ke Shih (2): wifi: rtw89: print just once for unknown C2H events wifi: rtw88: sdio: use indirect IO for device registers before power-on Pranav Tyagi (1): futex: Don't leak robust_list pointer on exec race Primoz Fiser (1): ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 Punit Agrawal (1): ACPI: SPCR: Check for table version when using precise baudrate Qendrim Maxhuni (1): net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Qianfeng Rong (3): crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() scsi: pm8001: Use int instead of u32 to store error codes media: redrat3: use int type to store negative error codes Qingfang Deng (1): 6pack: drop redundant locking and refcounting Qu Wenruo (1): btrfs: ensure no dirty metadata is written back for an fs with errors Quan Zhou (1): wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device Quanmin Yan (1): fbcon: Set fb_display[i]->mode to NULL when the mode is released Quanyang Wang (1): arm64: zynqmp: Disable coresight by default Radhey Shyam Pandey (1): arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106 Rafael J. Wysocki (4): cpuidle: governors: menu: Rearrange main loop in menu_select() cpuidle: governors: menu: Select polling state in some more cases thermal: gov_step_wise: Allow cooling level to be reduced earlier cpuidle: Fail cpuidle device registration if there is one already Rameshkumar Sundaram (1): wifi: ath11k: avoid bit operation on key flags Ramya Gnanasekar (1): wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in lower bands Randall P. Embry (2): 9p: fix /sys/fs/9p/caches overwriting itself 9p: sysfs_init: don't hardcode error to ENOMEM Ranjan Kumar (1): scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate Raphael Pinsonneault-Thibeault (1): Bluetooth: hci_event: validate skb length for unknown CC opcode Relja Vojvodic (1): drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting Ricardo B. Marlière (2): selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh Ricardo Ribalda (1): media: uvcvideo: Use heuristic to find stream entity Richard Fitzgerald (1): ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h Richard Zhu (1): PCI: imx6: Enable the Vaux supply if available Rob Clark (1): drm/msm/registers: Generate _HI/LO builders for reg64 Robert Marko (1): net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X Rodrigo Gobbi (1): iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Rohan G Thomas (2): net: phy: marvell: Fix 88e1510 downshift counter errata net: stmmac: est: Drop frames causing HLBS error Rong Zhang (2): hwmon: (k10temp) Add device ID for Strix Halo drm/amd/display: Fix NULL deref in debugfs odm_combine_segments Rosen Penev (2): dmaengine: mv_xor: match alloc_wc and free_wc wifi: mt76: mt76_eeprom_override to int Roy Vegard Ovesen (2): ALSA: usb-audio: fix control pipe direction ALSA: usb-audio: add mono main switch to Presonus S1824c Ryan Chen (1): soc: aspeed: socinfo: Add AST27xx silicon IDs Ryan Wanner (1): clk: at91: clk-master: Add check for divide by 3 Sakari Ailus (2): media: ipu6: isys: Set embedded data type correctly for metadata formats ACPI: property: Return present device nodes only on fwnode interface Saket Dumbre (1): ACPICA: Update dsmethod.c to get rid of unused variable warning Sam van Kampen (1): ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU Sammy Hsu (1): net: wwan: t7xx: add support for HP DRMR-H01 Sangwook Shin (1): watchdog: s3c2410_wdt: Fix max_timeout being calculated larger Sarthak Garg (1): mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Sascha Hauer (1): tools: lib: thermal: use pkg-config to locate libnl3 Sathishkumar S (3): drm/amdgpu: Check vcn sram load return value drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff drm/amdgpu: Fix unintended error log in VCN5_0_0 Seyediman Seyedarab (2): drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot() Shang song (Lenovo) (1): ACPI: PRM: Skip handlers with NULL handler_address or NULL VA Shardul Bankar (1): btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation Shaurya Rane (1): jfs: fix uninitialized waitqueue in transaction manager Shengjiu Wang (1): ASoC: fsl_sai: fix bit order for DSD format Shruti Parab (1): bnxt_en: Add mem_valid bit to struct bnxt_ctx_mem_type Shubhrajyoti Datta (1): clk: clocking-wizard: Fix output clock register offset for Versal platforms Sohil Mehta (1): cpufreq: ondemand: Update the efficient idle check for Intel extended Families Sridevi Arvindekar (1): drm/amd/display: Fix for test crash due to power gating Srinivas Kandagatla (1): ASoC: qdsp6: q6asm: do not sleep while atomic Srinivas Pandruvada (2): thermal: intel: selftests: workload_hint: Mask unsupported types platform/x86/intel-uncore-freq: Fix warning in partitioned system Srinivasan Shanmugam (1): drm/amdgpu: Fix function header names in amdgpu_connectors.c Stanislav Fomichev (1): net: devmem: expose tcp_recvmsg_locked errors Stefan Wahren (1): ethernet: Extend device_get_mac_address() to use NVMEM Stefan Wiehler (3): sctp: Hold RCU read lock while iterating over address list sctp: Prevent TOCTOU out-of-bounds write sctp: Hold sock lock while iterating over address list Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid handling handover twice Steven Rostedt (1): ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up Sungho Kim (1): PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Sunil V L (1): ACPI: scan: Update honor list for RPMI System MSI Svyatoslav Ryhel (4): soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups ARM: tegra: transformer-20: add missing magnetometer interrupt ARM: tegra: transformer-20: fix audio-codec interrupt video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Takashi Iwai (1): ALSA: usb-audio: Add validation of UAC2/UAC3 effect units Takashi Sakamoto (1): firewire: ohci: move self_id_complete tracepoint after validating register Tao Zhou (1): drm/amdgpu: add range check for RAS bad page address Tatyana Nikolova (1): RDMA/irdma: Update Kconfig Tejun Heo (1): sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU Terry Cheong (1): ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks Tetsuo Handa (3): media: imon: make send_packet() more robust ntfs3: pretend $Extend records as regular files jfs: Verify inode mode when loading from disk Thadeu Lima de Souza Cascardo (1): char: misc: restrict the dynamic range to exclude reserved minors Thomas Andreatta (1): dmaengine: sh: setup_xref error handling Thomas Bogendoerfer (1): tty: serial: ip22zilog: Use platform device for probing Thomas Weißschuh (4): spi: loopback-test: Don't use %pK through printk soc: ti: pruss: don't use %pK through printk bpf: Don't use %pK through printk ice: Don't use %pK through printk or tracepoints Thomas Zimmermann (2): drm/sysfb: Do not dereference NULL pointer in plane reset drm/ast: Clear preserved bits from register output value Théo Lebrun (1): net: macb: avoid dealing with endianness in macb_set_hwaddr() Tiezhu Yang (2): net: stmmac: Check stmmac_hw_setup() in stmmac_resume() LoongArch: Handle new atomic instructions for probes Timothy Pearson (1): vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices Timur Kristóf (3): drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2) drm/amd/display: Fix DVI-D/HDMI adapters drm/amd/display: Disable VRR on DCE 6 Tiwei Bie (1): um: Fix help message for ssl-non-raw Tom Stellard (1): bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21 Tomasz Pakuła (2): HID: pidff: Use direction fix only for conditional effects HID: pidff: PERMISSIVE_CONTROL quirk autodetection Tomer Tayar (1): accel/habanalabs: return ENOMEM if less than requested pages were pinned Tomeu Vizoso (1): drm/etnaviv: fix flush sequence logic Tomi Valkeinen (3): drm/tidss: Use the crtc_* timings when programming the HW drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST Tristram Ha (1): net: dsa: microchip: Fix reserved multicast address table programming TungYu Lu (1): drm/amd/display: Wait until OTG enable state is cleared Tvrtko Ursulin (3): drm/sched: Optimise drm_sched_entity_push_job drm/sched: Re-group and rename the entity run-queue lock drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl Ujwal Kundur (1): rds: Fix endianness annotation for RDS_MPATH_HASH Uwe Kleine-König (1): pwm: pca9685: Use bulk write to atomicially update registers Valerio Setti (1): ASoC: meson: aiu-encoder-i2s: fix bit clock polarity Vered Yavniely (1): accel/habanalabs/gaudi2: fix BMON disable configuration Viacheslav Dubeyko (3): ceph: add checking of wait_for_completion_killable() return value ceph: fix potential race condition in ceph_ioctl_lazyio() ceph: refactor wake_up_bit() pattern of calling Vivek Pernamitta (1): bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state Vlad Dumitrescu (1): IB/ipoib: Ignore L3 master device Vladimir Oltean (1): net: dsa: felix: support phy-mode = "10g-qxgmii" Vladimir Riabchun (1): ftrace: Fix softlockup in ftrace_module_enable Vladimir Zapolskiy (1): media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer Wake Liu (2): selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 selftests/net: Ensure assert() triggers in psock_tpacket.c Wang Liang (1): selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh Wayne Lin (1): drm/amd/display: Enable mst when it's detected but yet to be initialized Weili Qian (2): crypto: hisilicon/qm - invalidate queues in use crypto: hisilicon/qm - clear all VF configurations in the hardware William Wu (1): usb: gadget: f_hid: Fix zero length packet transfer Wonkon Kim (1): scsi: ufs: core: Initialize value of an attribute returned by uic cmd Xi Ruoyao (1): drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with DC_FP_START Xiang Liu (1): drm/amdgpu: Skip poison aca bank from UE channel Xichao Zhao (1): tty: serial: Modify the use of dev_err_probe() Xion Wang (1): char: Use list_del_init() in misc_deregister() to reinitialize list pointer Yafang Shao (1): net/cls_cgroup: Fix task_get_classid() during qdisc run Yang Wang (1): drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() Yifan Zhang (1): amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw Yikang Yue (1): fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink Yonghong Song (3): bpf: Find eligible subprogs for private stack support bpf, x86: Avoid repeated usage of bpf_prog->aux->stack_depth selftests/bpf: Fix selftest verifier_arena_large failure Yu Kuai (1): blk-cgroup: fix possible deadlock while configuring policy Yu Zhang(Yuriy) (1): wifi: ath11k: add support for MU EDCA Yue Haibing (1): ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled Yuhao Jiang (1): ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Yunseong Kim (1): crypto: ccp - Fix incorrect payload size calculation in psp_poulate_hsti() Yuta Hayama (1): rtc: rx8025: fix incorrect register reference Zhanjun Dong (1): drm/xe/guc: Increase GuC crash dump buffer size Zijun Hu (2): char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor char: misc: Does not request module for miscdevice with dynamic minor Zilin Guan (1): tracing: Fix memory leaks in create_field_var() Zizhi Wo (1): tty/vt: Add missing return value for VT_RESIZE in vt_ioctl() Zong-Zhe Yang (1): wifi: rtw89: renew a completion for each H2C command waiting C2H event austinchang (1): btrfs: mark dirty extent range for out of bound prealloc extents chenmiao (1): openrisc: Add R_OR1K_32_PCREL relocation type module support chuguangqing (1): fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock raub camaioni (1): usb: gadget: f_ncm: Fix MAC assignment NCM ethernet wangzijie (1): f2fs: fix infinite loop in __insert_extent_tree() wenglianfa (1): RDMA/hns: Fix the modification of max_send_sge Álvaro Fernández Rojas (1): net: dsa: tag_brcm: legacy: reorganize functions

1 month

1
1
0 0

[PATCH 6.12 00/40] 6.12.57-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.57 release. There are 40 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 02 Nov 2025 14:00:34 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.57-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.57-rc1 Edward Cree <ecree.xilinx(a)gmail.com> sfc: fix NULL dereferences in ef100_process_design_param() Xiaogang Chen <xiaogang.chen(a)amd.com> udmabuf: fix a buf size overflow issue during udmabuf creation Aditya Kumar Singh <quic_adisi(a)quicinc.com> wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() Kees Bakker <kees(a)ijzerbout.nl> iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE William Breathitt Gray <wbg(a)kernel.org> gpio: idio-16: Define fixed direction of the GPIO lines Ioana Ciornei <ioana.ciornei(a)nxp.com> gpio: regmap: add the .fixed_direction_output configuration parameter Mathieu Dubois-Briand <mathieu.dubois-briand(a)bootlin.com> gpio: regmap: Allow to allocate regmap-irq device Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> bits: introduce fixed-type GENMASK_U*() Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> bits: add comments and newlines to #if, #else and #endif directives Wang Liang <wangliang74(a)huawei.com> bonding: check xdp prog when set bond mode Hangbin Liu <liuhangbin(a)gmail.com> bonding: return detailed error when loading native XDP fails Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Chao Yu <chao(a)kernel.org> f2fs: fix to avoid panic once fallocation fails for pinfile Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: mark 'delete re-add signal' as skipped if not supported Geliang Tang <geliang(a)kernel.org> selftests: mptcp: disable add_addr retrans in endpoint_tests Jonathan Corbet <corbet(a)lwn.net> docs: kdoc: handle the obsolescensce of docutils.ErrorString() Menglong Dong <menglong8.dong(a)gmail.com> arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c Tejun Heo <tj(a)kernel.org> sched_ext: Make qmap dump operation non-destructive Filipe Manana <fdmanana(a)suse.com> btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: add inode extref checks Filipe Manana <fdmanana(a)suse.com> btrfs: abort transaction if we fail to update inode in log replay dir fixup Filipe Manana <fdmanana(a)suse.com> btrfs: use level argument in log tree walk callback replay_one_buffer() Filipe Manana <fdmanana(a)suse.com> btrfs: always drop log root tree reference in btrfs_replay_log() Thorsten Blum <thorsten.blum(a)linux.dev> btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io() Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: refine extent allocator hint selection Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: return error from btrfs_zone_finish_endio() Filipe Manana <fdmanana(a)suse.com> btrfs: abort transaction in the process_one_buffer() log tree walk callback Filipe Manana <fdmanana(a)suse.com> btrfs: abort transaction on specific error places when walking log tree Chen Ridong <chenridong(a)huawei.com> cpuset: Use new excpus for nocpu error check when enabling root partition Avadhut Naik <avadhut.naik(a)amd.com> EDAC/mc_sysfs: Increase legacy channel support to 16 David Kaplan <david.kaplan(a)amd.com> x86/bugs: Fix reporting of LFENCE retpoline David Kaplan <david.kaplan(a)amd.com> x86/bugs: Report correct retbleed mitigation status Jiri Olsa <jolsa(a)kernel.org> seccomp: passthrough uprobe systemcall without filtering Josh Poimboeuf <jpoimboe(a)kernel.org> perf: Skip user unwind if the task is a kernel thread Josh Poimboeuf <jpoimboe(a)kernel.org> perf: Have get_perf_callchain() return NULL if crosstask and user are set Steven Rostedt <rostedt(a)goodmis.org> perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of current->mm == NULL Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK Richard Guy Briggs <rgb(a)redhat.com> audit: record fanotify event regardless of presence of rules Xiang Mei <xmei5(a)asu.edu> net/sched: sch_qfq: Fix null-deref in agg_dequeue ------------- Diffstat: Documentation/sphinx/kernel_abi.py | 4 +- Documentation/sphinx/kernel_feat.py | 4 +- Documentation/sphinx/kernel_include.py | 6 ++- Documentation/sphinx/maintainers_include.py | 4 +- Makefile | 4 +- arch/alpha/kernel/asm-offsets.c | 1 + arch/arc/kernel/asm-offsets.c | 1 + arch/arm/kernel/asm-offsets.c | 2 + arch/arm64/kernel/asm-offsets.c | 1 + arch/csky/kernel/asm-offsets.c | 1 + arch/hexagon/kernel/asm-offsets.c | 1 + arch/loongarch/kernel/asm-offsets.c | 2 + arch/m68k/kernel/asm-offsets.c | 1 + arch/microblaze/kernel/asm-offsets.c | 1 + arch/mips/kernel/asm-offsets.c | 2 + arch/nios2/kernel/asm-offsets.c | 1 + arch/openrisc/kernel/asm-offsets.c | 1 + arch/parisc/kernel/asm-offsets.c | 1 + arch/powerpc/kernel/asm-offsets.c | 1 + arch/riscv/kernel/asm-offsets.c | 1 + arch/s390/kernel/asm-offsets.c | 1 + arch/sh/kernel/asm-offsets.c | 1 + arch/sparc/kernel/asm-offsets.c | 1 + arch/um/kernel/asm-offsets.c | 2 + arch/x86/events/intel/core.c | 10 ++-- arch/x86/include/asm/perf_event.h | 6 ++- arch/x86/kernel/cpu/bugs.c | 9 ++-- arch/x86/kvm/pmu.h | 2 +- arch/xtensa/kernel/asm-offsets.c | 1 + drivers/dma-buf/udmabuf.c | 2 +- drivers/edac/edac_mc_sysfs.c | 24 ++++++++++ drivers/gpio/gpio-idio-16.c | 5 ++ drivers/gpio/gpio-regmap.c | 53 ++++++++++++++++++-- drivers/iommu/intel/iommu.c | 7 +-- drivers/net/bonding/bond_main.c | 11 +++-- drivers/net/bonding/bond_options.c | 3 ++ drivers/net/ethernet/sfc/ef100_netdev.c | 6 +-- drivers/net/ethernet/sfc/ef100_nic.c | 47 ++++++++---------- drivers/net/wireless/ath/ath12k/mac.c | 6 +-- fs/btrfs/disk-io.c | 2 +- fs/btrfs/extent-tree.c | 6 ++- fs/btrfs/inode.c | 7 +-- fs/btrfs/scrub.c | 3 +- fs/btrfs/transaction.c | 2 +- fs/btrfs/tree-checker.c | 37 ++++++++++++++ fs/btrfs/tree-log.c | 64 +++++++++++++++++++------ fs/btrfs/zoned.c | 8 ++-- fs/btrfs/zoned.h | 9 ++-- fs/f2fs/file.c | 8 ++-- fs/f2fs/segment.c | 20 ++++---- include/linux/audit.h | 2 +- include/linux/bitops.h | 1 - include/linux/bits.h | 38 ++++++++++++++- include/linux/gpio/regmap.h | 16 +++++++ include/net/bonding.h | 1 + include/net/pkt_sched.h | 25 +++++++++- kernel/cgroup/cpuset.c | 6 +-- kernel/events/callchain.c | 16 +++---- kernel/events/core.c | 7 +-- kernel/seccomp.c | 32 ++++++++++--- net/mptcp/pm_netlink.c | 6 +++ net/sched/sch_api.c | 10 ---- net/sched/sch_hfsc.c | 16 ------- net/sched/sch_qfq.c | 2 +- net/wireless/reg.c | 4 ++ tools/sched_ext/scx_qmap.bpf.c | 18 ++++++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 3 +- 67 files changed, 442 insertions(+), 164 deletions(-)

1 month

13
53
0 0

[PATCH v5 0/9] Error recovery for vfio-pci devices on s390x

by Farhan Ali

Hi, This Linux kernel patch series introduces support for error recovery for passthrough PCI devices on System Z (s390x). Background ---------- For PCI devices on s390x an operating system receives platform specific error events from firmware rather than through AER.Today for passthrough/userspace devices, we don't attempt any error recovery and ignore any error events for the devices. The passthrough/userspace devices are managed by the vfio-pci driver. The driver does register error handling callbacks (error_detected), and on an error trigger an eventfd to userspace. But we need a mechanism to notify userspace (QEMU/guest/userspace drivers) about the error event. Proposal -------- We can expose this error information (currently only the PCI Error Code) via a device feature. Userspace can then obtain the error information via VFIO_DEVICE_FEATURE ioctl and take appropriate actions such as driving a device reset. This is how a typical flow for passthrough devices to a VM would work: For passthrough devices to a VM, the driver bound to the device on the host is vfio-pci. vfio-pci driver does support the error_detected() callback (vfio_pci_core_aer_err_detected()), and on an PCI error s390x recovery code on the host will call the vfio-pci error_detected() callback. The vfio-pci error_detected() callback will notify userspace/QEMU via an eventfd, and return PCI_ERS_RESULT_CAN_RECOVER. At this point the s390x error recovery on the host will skip any further action(see patch 6) and let userspace drive the error recovery. Once userspace/QEMU is notified, it then injects this error into the VM so device drivers in the VM can take recovery actions. For example for a passthrough NVMe device, the VM's OS NVMe driver will access the device. At this point the VM's NVMe driver's error_detected() will drive the recovery by returning PCI_ERS_RESULT_NEED_RESET, and the s390x error recovery in the VM's OS will try to do a reset. Resets are privileged operations and so the VM will need intervention from QEMU to perform the reset. QEMU will invoke the VFIO_DEVICE_RESET ioctl to now notify the host that the VM is requesting a reset of the device. The vfio-pci driver on the host will then perform the reset on the device to recover it. Thanks Farhan ChangeLog --------- v4 series https://lore.kernel.org/all/20250924171628.826-1-alifm@linux.ibm.com/ v4 -> v5 - Rebase on 6.18-rc5 - Move bug fixes to the beginning of the series (patch 1 and 2). These patches were posted as a separate fixes series https://lore.kernel.org/all/a14936ac-47d6-461b-816f-0fd66f869b0f@linux.ibm.… - Add matching pci_put_dev() for pci_get_slot() (patch 6). v3 series https://lore.kernel.org/all/20250911183307.1910-1-alifm@linux.ibm.com/ v3 -> v4 - Remove warn messages for each PCI capability not restored (patch 1) - Check PCI_COMMAND and PCI_STATUS register for error value instead of device id (patch 1) - Fix kernel crash in patch 3 - Added reviewed by tags - Address comments from Niklas's (patches 4, 5, 7) - Fix compilation error non s390x system (patch 8) - Explicitly align struct vfio_device_feature_zpci_err (patch 8) v2 series https://lore.kernel.org/all/20250825171226.1602-1-alifm@linux.ibm.com/ v2 -> v3 - Patch 1 avoids saving any config space state if the device is in error (suggested by Alex) - Patch 2 adds additional check only for FLR reset to try other function reset method (suggested by Alex). - Patch 3 fixes a bug in s390 for resetting PCI devices with multiple functions. Creates a new flag pci_slot to allow per function slot. - Patch 4 fixes a bug in s390 for resource to bus address translation. - Rebase on 6.17-rc5 v1 series https://lore.kernel.org/all/20250813170821.1115-1-alifm@linux.ibm.com/ v1 - > v2 - Patches 1 and 2 adds some additional checks for FLR/PM reset to try other function reset method (suggested by Alex). - Patch 3 fixes a bug in s390 for resetting PCI devices with multiple functions. - Patch 7 adds a new device feature for zPCI devices for the VFIO_DEVICE_FEATURE ioctl. The ioctl is used by userspace to retriece any PCI error information for the device (suggested by Alex). - Patch 8 adds a reset_done() callback for the vfio-pci driver, to restore the state of the device after a reset. - Patch 9 removes the pcie check for triggering VFIO_PCI_ERR_IRQ_INDEX. Farhan Ali (9): PCI: Allow per function PCI slots s390/pci: Add architecture specific resource/bus address translation PCI: Avoid saving error values for config space PCI: Add additional checks for flr reset s390/pci: Update the logic for detecting passthrough device s390/pci: Store PCI error information for passthrough devices vfio-pci/zdev: Add a device feature for error information vfio: Add a reset_done callback for vfio-pci driver vfio: Remove the pcie check for VFIO_PCI_ERR_IRQ_INDEX arch/s390/include/asm/pci.h | 29 ++++++++ arch/s390/pci/pci.c | 75 +++++++++++++++++++++ arch/s390/pci/pci_event.c | 107 +++++++++++++++++------------- drivers/pci/host-bridge.c | 4 +- drivers/pci/pci.c | 37 +++++++++-- drivers/pci/pcie/aer.c | 3 + drivers/pci/pcie/dpc.c | 3 + drivers/pci/pcie/ptm.c | 3 + drivers/pci/slot.c | 25 ++++++- drivers/pci/tph.c | 3 + drivers/pci/vc.c | 3 + drivers/vfio/pci/vfio_pci_core.c | 20 ++++-- drivers/vfio/pci/vfio_pci_intrs.c | 3 +- drivers/vfio/pci/vfio_pci_priv.h | 9 +++ drivers/vfio/pci/vfio_pci_zdev.c | 45 ++++++++++++- include/linux/pci.h | 1 + include/uapi/linux/vfio.h | 15 +++++ 17 files changed, 321 insertions(+), 64 deletions(-) -- 2.43.0

1 month

2
10
0 0

[PATCH 6.12 000/562] 6.12.58-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.58 release. There are 562 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 13 Nov 2025 01:22:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.58-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.58-rc2 Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix black screen with HDMI outputs Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Fix function header names in amdgpu_connectors.c Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu: Fix unintended error log in VCN5_0_0 Punit Agrawal <punit.agrawal(a)oss.qualcomm.com> ACPI: SPCR: Check for table version when using precise baudrate Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> extcon: adc-jack: Cleanup wakeup source only if it was enabled Melissa Wen <mwen(a)igalia.com> drm/amd/display: update color on atomic commit time Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: core: Add a quirk to suppress link_startup_again Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers Nathan Chancellor <nathan(a)kernel.org> lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: fix received length check in big packets Rong Zhang <i(a)rong.moe> drm/amd/display: Fix NULL deref in debugfs odm_combine_segments Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/smu: Handle S0ix for vangogh Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix potential UAF in smb2_close_cached_fid() Joshua Rogers <linux(a)joshua.hu> smb: client: validate change notify buffer before copy Mario Limonciello (AMD) <superm1(a)kernel.org> x86/microcode/AMD: Add more known models to entry sign checking Yuta Hayama <hayama(a)lineo.co.jp> rtc: rx8025: fix incorrect register reference Helge Deller <deller(a)gmx.de> parisc: Avoid crash due to unaligned access in unwinder Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Don't overflow during division for dirty tracking Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com> drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Enable mst when it's detected but yet to be initialized Zilin Guan <zilin(a)seu.edu.cn> tracing: Fix memory leaks in create_field_var() Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: fix MST static key usage Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: fix use-after-free due to MST port state bypass Horatiu Vultur <horatiu.vultur(a)microchip.com> lan966x: Fix sleeping in atomic context Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix reserved multicast address table programming Haotian Zhang <vulab(a)iscas.ac.cn> net: wan: framer: pef2256: Switch to devm_mfd_add_devices() Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: SHAMPO, Fix skb size check for 64K pages Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix fdb hash size configuration Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix return value in case of module EEPROM read error Martin Willi <martin(a)strongswan.org> wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup Hongguang Gao <hongguang.gao(a)broadcom.com> bnxt_en: Add a 'force' parameter to bnxt_free_ctx_mem() Hongguang Gao <hongguang.gao(a)broadcom.com> bnxt_en: Refactor bnxt_free_ctx_mem() Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Add mem_valid bit to struct bnxt_ctx_mem_type Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix a possible memory leak in bnxt_ptp_init Qendrim Maxhuni <qendrim.maxhuni(a)garderos.com> net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Mohammad Heib <mheib(a)redhat.com> net: ionic: map SKB after pseudo-header checksum prep Mohammad Heib <mheib(a)redhat.com> net: ionic: add dma_wmb() before ringing TX doorbell Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Hold sock lock while iterating over address list Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Prevent TOCTOU out-of-bounds write Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Hold RCU read lock while iterating over address list Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: stop reading ARL entries if search is done Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix enabling ip multicast Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix bcm63xx RGMII port link adjustment Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix resetting speed and pause on forced link Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpiolib: fix invalid pointer access in debugfs Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: swnode: don't use the swnode's name as the key for GPIO lookup Hangbin Liu <liuhangbin(a)gmail.com> net: vlan: sync VLAN features with lower device Wang Liang <wangliang74(a)huawei.com> selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh Anubhav Singh <anubhavsinggh(a)google.com> selftests/net: use destination options instead of hop-by-hop Anubhav Singh <anubhavsinggh(a)google.com> selftests/net: fix out-of-order delivery of FIN in gro:tcp test Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: tag_brcm: legacy: reorganize functions Abdun Nihaal <nihaal(a)cse.iitm.ac.in> Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com> Bluetooth: hci_event: validate skb length for unknown CC opcode Josephine Pfeiffer <hi(a)josie.lol> riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: stacktrace: Disable KASAN checks for non-current tasks Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix device bus LAN ID Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Revert "wifi: ath10k: avoid unnecessary wait for service ready message" Ariel D'Alessandro <ariel.dalessandro(a)collabora.com> drm/mediatek: Disable AFBC support on Mediatek DRM driver Marek Szyprowski <m.szyprowski(a)samsung.com> media: videobuf2: forbid remove_bufs when legacy fileio is active Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Use heuristic to find stream entity Qu Wenruo <wqu(a)suse.com> btrfs: ensure no dirty metadata is written back for an fs with errors Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again Linus Torvalds <torvalds(a)linux-foundation.org> x86: uaccess: don't use runtime-const rewriting in modules Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/runtime-const: Add the RUNTIME_CONST_PTR assembly macro Linus Torvalds <torvalds(a)linux-foundation.org> x86: use cmov for user address masking Kotresh HR <khiremat(a)redhat.com> ceph: fix multifs mds auth caps issue Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: refactor wake_up_bit() pattern of calling Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: fix potential race condition in ceph_ioctl_lazyio() Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: add checking of wait_for_completion_killable() return value Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mmap write lock not release Valerio Setti <vsetti(a)baylibre.com> ASoC: meson: aiu-encoder-i2s: fix bit clock polarity Geert Uytterhoeven <geert(a)linux-m68k.org> kbuild: uapi: Strip comments before size type check Sammy Hsu <zelda3121(a)gmail.com> net: wwan: t7xx: add support for HP DRMR-H01 Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix watchdog interrupt mask on pcf2131 Albin Babu Varghese <albinbabuvarghese20(a)gmail.com> fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Sascha Hauer <s.hauer(a)pengutronix.de> tools: lib: thermal: use pkg-config to locate libnl3 Emil Dahl Juhl <juhl.emildahl(a)gmail.com> tools: lib: thermal: don't preserve owner in install Ian Rogers <irogers(a)google.com> tools bitmap: Add missing asm-generic/bitsperlong.h include Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle new atomic instructions for probes Sakari Ailus <sakari.ailus(a)linux.intel.com> ACPI: property: Return present device nodes only on fwnode interface Hoyoung Seo <hy50.seo(a)samsung.com> scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS Randall P. Embry <rpembry(a)gmail.com> 9p: sysfs_init: don't hardcode error to ENOMEM Aaron Kling <webgeek1234(a)gmail.com> cpufreq: tegra186: Initialize all cores to max frequencies Randall P. Embry <rpembry(a)gmail.com> 9p: fix /sys/fs/9p/caches overwriting itself Jerome Brunet <jbrunet(a)baylibre.com> NTB: epf: Allow arbitrary BAR mapping Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> clk: clocking-wizard: Fix output clock register offset for Versal platforms Jacky Bai <ping.bai(a)nxp.com> clk: scmi: Add duty cycle ops only when duty cycle is supported Matthias Schiffer <matthias.schiffer(a)tq-group.com> clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled Oleg Nesterov <oleg(a)redhat.com> 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN Nicolas Ferre <nicolas.ferre(a)microchip.com> clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register Ryan Wanner <Ryan.Wanner(a)microchip.com> clk: at91: clk-master: Add check for divide by 3 Balamanikandan Gunasundar <balamanikandan.gunasundar(a)microchip.com> clk: at91: sam9x7: Add peripheral clock id for pmecc Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: save and restore ACR during PLL disable/enable Josua Mayer <josua(a)solid-run.com> rtc: pcf2127: clear minute/second interrupt Chen-Yu Tsai <wens(a)csie.org> clk: sunxi-ng: sun6i-rtc: Add A523 specifics Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix help message for ssl-non-raw Yikang Yue <yikangy2(a)illinois.edu> fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink Marko Mäkelä <marko.makela(a)iki.fi> clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf austinchang <austinchang(a)synology.com> btrfs: mark dirty extent range for out of bound prealloc extents Shardul Bankar <shardulsb08(a)gmail.com> btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong WQE data when QP wraps around wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix the modification of max_send_sge Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix recv CQ and QP cache affinity Jacob Moroni <jmoroni(a)google.com> RDMA/irdma: Set irdma_cq cq_num field during CQ create Jacob Moroni <jmoroni(a)google.com> RDMA/irdma: Remove unused struct irdma_cq fields Jacob Moroni <jmoroni(a)google.com> RDMA/irdma: Fix SD index calculation Saket Dumbre <saket.dumbre(a)intel.com> ACPICA: Update dsmethod.c to get rid of unused variable warning Mario Limonciello <Mario.Limonciello(a)amd.com> drm/amd/display: Add fallback path for YCBCR422 Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> char: misc: restrict the dynamic range to exclude reserved minors Michal Pecio <michal.pecio(a)gmail.com> usb: xhci-pci: Fix USB2-only root hub registration Coiby Xu <coxu(a)redhat.com> ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Fiona Ebner <f.ebner(a)proxmox.com> smb: client: transport: avoid reconnects triggered by pending task work Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: use sock_create_kern interface to create kernel socket Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace: Fix softlockup in ftrace_module_enable Mike Marshall <hubcap(a)omnibond.com> orangefs: fix xattr related buffer overflow... Dragos Tatulea <dtatulea(a)nvidia.com> page_pool: Clamp pool size to max 16K pages Qingfang Deng <dqfext(a)gmail.com> 6pack: drop redundant locking and refcounting Namjae Jeon <linkinjeon(a)kernel.org> exfat: validate cluster allocation bits of the allocation bitmap Chi Zhiling <chizhiling(a)kylinos.cn> exfat: limit log print for IO error Rohan G Thomas <rohan.g.thomas(a)altera.com> net: stmmac: est: Drop frames causing HLBS error Roy Vegard Ovesen <roy.vegard.ovesen(a)gmail.com> ALSA: usb-audio: add mono main switch to Presonus S1824c Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: bcsp: receive data only if registered Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922 Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SCO: Fix UAF on sco_conn_free Arkadiusz Bokowy <arkadiusz.bokowy(a)gmail.com> Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames Théo Lebrun <theo.lebrun(a)bootlin.com> net: macb: avoid dealing with endianness in macb_set_hwaddr() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Don't query FEC statistics when FEC is disabled Timothy Pearson <tpearson(a)raptorengineering.com> vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices Sunil V L <sunilvl(a)ventanamicro.com> ACPI: scan: Update honor list for RPMI System MSI Primoz Fiser <primoz.fiser(a)norik.com> ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 Olivier Moysan <olivier.moysan(a)foss.st.com> ASoC: stm32: sai: manage context in set_sysclk callback Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw Julian Sun <sunjunchao(a)bytedance.com> ext4: increase IO priority of fastcommit chuguangqing <chuguangqing(a)inspur.com> fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock Moti Haimovski <moti.haimovski(a)intel.com> accel/habanalabs: support mapping cb with vmalloc-backed coherent memory Konstantin Sinyuk <konstantin.sinyuk(a)intel.com> accel/habanalabs/gaudi2: read preboot status after recovering from dirty state Tomer Tayar <tomer.tayar(a)intel.com> accel/habanalabs: return ENOMEM if less than requested pages were pinned Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate Vered Yavniely <vered.yavniely(a)intel.com> accel/habanalabs/gaudi2: fix BMON disable configuration Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() Petr Machata <petrm(a)nvidia.com> net: bridge: Install FDB for bridge MAC on VLAN 0 Al Viro <viro(a)zeniv.linux.org.uk> nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Anthony Iliopoulos <ailiop(a)suse.com> NFSv4.1: fix mount hang after CREATE_SESSION failure Olga Kornievskaia <okorniev(a)redhat.com> NFSv4: handle ERR_GRACE on delegation recalls Melissa Wen <mwen(a)igalia.com> drm/amd/display: change dc stream color settings only in atomic commit Sridevi Arvindekar <sarvinde(a)amd.com> drm/amd/display: Fix for test crash due to power gating Lo-an Chen <lo-an.chen(a)amd.com> drm/amd/display: Init dispclk from bootup clock for DCN314 Karthi Kandasamy <karthi.kandasamy(a)amd.com> drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream Bastien Curutchet <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463 Nithyanantham Paramasivam <nithyanantham.paramasivam(a)oss.qualcomm.com> wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 Stephan Gerhold <stephan.gerhold(a)linaro.org> remoteproc: qcom: q6v5: Avoid handling handover twice David Yang <mmyangfl(a)gmail.com> selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt Mario Limonciello <mario.limonciello(a)amd.com> PCI/PM: Skip resuming to D0 if device is disconnected Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - clear all VF configurations in the hardware Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - invalidate queues in use Alex Mastro <amastro(a)fb.com> vfio: return -ENOTTY for unsupported device feature Al Viro <viro(a)zeniv.linux.org.uk> sparc64: fix prototypes of reads[bwl]() Koakuma <koachan(a)protonmail.com> sparc/module: Add R_SPARC_UA64 relocation handling Chen Wang <unicorn_wang(a)outlook.com> PCI: cadence: Check for the existence of cdns_pcie::ops before using it ChunHao Lin <hau(a)realtek.com> r8169: set EEE speed down ratio to 1 Brahmajit Das <listout(a)listout.xyz> net: intel: fm10k: Fix parameter idx set but not used Ilan Peer <ilan.peer(a)intel.com> wifi: mac80211: Track NAN interface start/stop Loic Poulain <loic.poulain(a)oss.qualcomm.com> wifi: ath10k: Fix connection after GTK rekeying Seyediman Seyedarab <ImanDevel(a)gmail.com> iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot() Vivek Pernamitta <quic_vpernami(a)quicinc.com> bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state Robert Marko <robert.marko(a)sartura.hr> net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: clear link parameters on admin link down Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() Guangshuo Li <lgs201920130244(a)gmail.com> drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> jfs: fix uninitialized waitqueue in transaction manager Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> jfs: Verify inode mode when loading from disk Vlad Dumitrescu <vdumitrescu(a)nvidia.com> IB/ipoib: Ignore L3 master device Tatyana Nikolova <tatyana.e.nikolova(a)intel.com> RDMA/irdma: Update Kconfig Eric Dumazet <edumazet(a)google.com> ipv6: np->rxpmtu race annotation Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci-pci: add support for hosts with zero USB3 ports Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: renew a completion for each H2C command waiting C2H event Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw89: obtain RX path from ppdu status IE00 wangzijie <wangzijie1(a)honor.com> f2fs: fix infinite loop in __insert_extent_tree() Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Forest Crossman <cyrozap(a)gmail.com> usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Al Viro <viro(a)zeniv.linux.org.uk> allow finish_no_open(file, ERR_PTR(-E...)) Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Define size of debugfs entry for xri rebalancing Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Disable timestamp functionality if not supported Nai-Chen Cheng <bleach1827(a)gmail.com> selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Christian König <christian.koenig(a)amd.com> drm/amdgpu: reject gang submissions under SRIOV John Harrison <John.C.Harrison(a)Intel.com> drm/xe/guc: Return an error code if the GuC load fails Mario Limonciello (AMD) <superm1(a)kernel.org> HID: i2c-hid: Resolve touchpad issues on Dell systems during S4 Stefan Wahren <wahrenst(a)gmx.net> ethernet: Extend device_get_mac_address() to use NVMEM Jakub Kicinski <kuba(a)kernel.org> page_pool: always add GFP_NOWARN for ATOMIC allocations Xi Ruoyao <xry111(a)xry111.site> drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with DC_FP_START Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Disable VRR on DCE 6 Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fix DVI-D/HDMI adapters Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd: Avoid evicting resources at S5 Ausef Yousof <Ausef.Yousof(a)amd.com> drm/amd/display: fix dml ms order of operations Mario Limonciello <Mario.Limonciello(a)amd.com> drm/amd/display: Set up pixel encoding for YCBCR422 Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error John Keeping <jkeeping(a)inmusicbrands.com> ALSA: serial-generic: remove shared static buffer Rosen Penev <rosenp(a)gmail.com> wifi: mt76: mt76_eeprom_override to int Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7996: Temporarily disable EPCS Quan Zhou <quan.zhou(a)mediatek.com> wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device Yafang Shao <laoar.shao(a)gmail.com> net/cls_cgroup: Fix task_get_classid() during qdisc run Gaurav Jain <gaurav.jain(a)nxp.com> crypto: caam - double the entropy delay interval for retry Yunseong Kim <ysk(a)kzalloc.com> crypto: ccp - Fix incorrect payload size calculation in psp_poulate_hsti() Niklas Cassel <cassel(a)kernel.org> PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - remove channel timeout field Sangwook Shin <sw617.shin(a)samsung.com> watchdog: s3c2410_wdt: Fix max_timeout being calculated larger Antheas Kapenekakis <lkml(a)antheas.dev> HID: asus: add Z13 folio to generic group for multitouch to work Alok Tiwari <alok.a.tiwari(a)oracle.com> udp_tunnel: use netdev_warn() instead of netdev_WARN() Stanislav Fomichev <sdf(a)fomichev.me> net: devmem: expose tcp_recvmsg_locked errors David Ahern <dsahern(a)kernel.org> selftests: Replace sleep with slowwait Daniel Palmer <daniel(a)thingy.jp> eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP David Ahern <dsahern(a)kernel.org> selftests: Disable dad for ipv6 in fcnal-test.sh Li RongQing <lirongqing(a)baidu.com> x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT Florian Westphal <fw(a)strlen.de> netfilter: nf_reject: don't reply to icmp error messages chenmiao <chenmiao.ku(a)gmail.com> openrisc: Add R_OR1K_32_PCREL relocation type module support Ido Schimmel <idosch(a)nvidia.com> selftests: traceroute: Return correct value on failure Ido Schimmel <idosch(a)nvidia.com> selftests: traceroute: Use require_command() Qianfeng Rong <rongqianfeng(a)vivo.com> media: redrat3: use int type to store negative error codes Jakub Kicinski <kuba(a)kernel.org> selftests: net: replace sleeps in fcnal-test with waits Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: sh_eth: Disable WoL if system can not suspend Rob Clark <robin.clark(a)oss.qualcomm.com> drm/msm/registers: Generate _HI/LO builders for reg64 Michael Riesch <michael.riesch(a)collabora.com> phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 Michael Dege <michael.dege(a)renesas.com> phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet Mario Limonciello (AMD) <superm1(a)kernel.org> Fix access to video_is_primary_device() when compiled without CONFIG_VIDEO Harikrishna Shenoy <h-shenoy(a)ti.com> phy: cadence: cdns-dphy: Enable lower resolutions in dphy Ilan Peer <ilan.peer(a)intel.com> wifi: mac80211: Fix HE capabilities element check Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> ntfs3: pretend $Extend records as regular files Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode changes Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Correct system PM flow Rohan G Thomas <rohan.g.thomas(a)altera.com> net: phy: marvell: Fix 88e1510 downshift counter errata Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Enhance recovery on resume failure Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: allow more time to send ADD_ADDR Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix wrong layout information on 16KB page Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer Hao Yao <hao.yao(a)intel.com> media: ov08x40: Fix the horizontal flip control Nidhish A N <nidhish.a.n(a)intel.com> wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list Marek Vasut <marek.vasut+renesas(a)mailbox.org> PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs Xion Wang <xion.wang(a)mediatek.com> char: Use list_del_init() in misc_deregister() to reinitialize list pointer Antonino Maniscalco <antomani103(a)gmail.com> drm/msm: make sure to not queue up recovery more than once Zizhi Wo <wozizhi(a)huaweicloud.com> tty/vt: Add missing return value for VT_RESIZE in vt_ioctl() Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget William Wu <william.wu(a)rock-chips.com> usb: gadget: f_hid: Fix zero length packet transfer Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: support phy-mode = "10g-qxgmii" Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix pbn_div Calculation Error Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add support for cyan skillfish gpu_info Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: don't enable SMU on cyan skillfish Alex Deucher <alexander.deucher(a)amd.com> drm/amd: add more cyan skillfish PCI ids Hector Martin <marcan(a)marcan.st> iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs Ashish Kalra <ashish.kalra(a)amd.com> crypto: ccp: Skip SEV and SNP INIT for kdump boot Ashish Kalra <ashish.kalra(a)amd.com> iommu/amd: Skip enabling command/event buffers for kdump Colin Foster <colin.foster(a)in-advantage.com> smsc911x: add second read of EEPROM mac when possible corruption seen Eric Dumazet <edumazet(a)google.com> net: call cond_resched() less often in __release_sock() Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/guc: Set upper limit of H2G retries over CTB Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Enable the Vaux supply if available Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: apply quirk for MOONDROP Quark2 Ramya Gnanasekar <ramya.gnanasekar(a)oss.qualcomm.com> wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in lower bands Paul Kocialkowski <paulk(a)sys-base.io> media: verisilicon: Explicitly disable selection api ioctls for decoders Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: adv7180: Only validate format in querystd Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: adv7180: Do not write format to device in set_fmt Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: adv7180: Add missing lock in suspend callback Juraj Šarinay <juraj(a)sarinay.com> net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Antheas Kapenekakis <lkml(a)antheas.dev> drm: panel-backlight-quirks: Make EDID match optional Chia-I Wu <olvaffe(a)gmail.com> drm/panthor: check bo offset alignment in vm bind Yue Haibing <yuehaibing(a)huawei.com> ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled Jakub Kicinski <kuba(a)kernel.org> selftests: drv-net: rss_ctx: make the test pass with few queues Zhanjun Dong <zhanjun.dong(a)intel.com> drm/xe/guc: Increase GuC crash dump buffer size David Francis <David.Francis(a)amd.com> drm/amdgpu: Allow kfd CRIU with no buffer objects Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> drm/msm/dsi/phy_7nm: Fix missing initial VCO rate Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL Devendra K Verma <devverma(a)amd.com> dmaengine: dw-edma: Set status for callback_result Rosen Penev <rosenp(a)gmail.com> dmaengine: mv_xor: match alloc_wc and free_wc Thomas Andreatta <thomasandreatta2000(a)gmail.com> dmaengine: sh: setup_xref error handling Miroslav Lichvar <mlichvar(a)redhat.com> ptp: Limit time setting of PTP clocks Bharat Uppal <bharat.uppal(a)samsung.com> scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on suspend Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: pm8001: Use int instead of u32 to store error codes Qianfeng Rong <rongqianfeng(a)vivo.com> crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() Eric Dumazet <edumazet(a)google.com> tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Parthiban Veerasooran <parthiban.veerasooran(a)microchip.com> microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl support Eric Dumazet <edumazet(a)google.com> inet_diag: annotate data-races in inet_diag_bc_sk() Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: rename stp node on EASY50712 reference board Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: xway: sysctrl: rename stp clock Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add missing device_type in pci node Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add model to EASY50712 dts Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add missing properties to cpu node Timur Kristóf <timur.kristof(a)gmail.com> drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2) Mangesh Gadre <Mangesh.Gadre(a)amd.com> drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest Clay King <clayking(a)amd.com> drm/amd/display: incorrect conditions for failing dto calculations Relja Vojvodic <rvojvodi(a)amd.com> drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-pcm: Add fixup for channels Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS Chelsy Ratnawat <chelsyratnawat2001(a)gmail.com> media: fix uninitialized symbol warnings Jakub Kicinski <kuba(a)kernel.org> selftests: drv-net: rss_ctx: fix the queue count check Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel-uncore-freq: Fix warning in partitioned system Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Support HW cursor 180 rot for any number of pipe splits Eric Huang <jinhuieric.huang(a)amd.com> drm/amdkfd: fix vram allocation failure for a special case Ce Sun <cesun102(a)amd.com> drm/amdgpu: Correct the counts of nr_banks and nr_errors Miklos Szeredi <mszeredi(a)redhat.com> fuse: zero initialize inode private data Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: fixed_phy: let fixed_phy_unregister free the phy_device Andrew Davis <afd(a)ti.com> remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> extcon: adc-jack: Fix wakeup source leaks on device unbind Francisco Gutierrez <frankramirez(a)google.com> scsi: pm80xx: Fix race condition caused by static variables Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Fix controller init failure on fault during queue creation Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Fix I/O failures during controller reset Oscar Maes <oscmaes92(a)gmail.com> net: ipv4: allow directed broadcast routes to use dst hint Andrew Davis <afd(a)ti.com> rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ipu6: isys: Set embedded data type correctly for metadata formats Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: limit tx_max_coalesced_frames_irq Ujwal Kundur <ujwal.kundur(a)gmail.com> rds: Fix endianness annotation for RDS_MPATH_HASH Eric Dumazet <edumazet(a)google.com> idpf: do not linearize big TSO packets Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add validation of UAC2/UAC3 effect units Xichao Zhao <zhao.xichao(a)vivo.com> tty: serial: Modify the use of dev_err_probe() Pavan Chebbi <pavan.chebbi(a)broadcom.com> bnxt_en: Add Hyper-V VF ID Sungho Kim <sungho.kim(a)furiosa.ai> PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Chao Yu <chao(a)kernel.org> f2fs: fix to detect potential corrupted nid in free_nid_list Kuniyuki Iwashima <kuniyu(a)google.com> net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. Oleksij Rempel <o.rempel(a)pengutronix.de> net: stmmac: Correctly handle Rx checksum offload errors Christoph Paasch <cpaasch(a)openai.com> net: When removing nexthops, don't call synchronize_net if it is not necessary Zijun Hu <zijun.hu(a)oss.qualcomm.com> char: misc: Does not request module for miscdevice with dynamic minor Zijun Hu <zijun.hu(a)oss.qualcomm.com> char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor Christoph Hellwig <hch(a)lst.de> dm error: mark as DM_TARGET_PASSES_INTEGRITY Kuan-Chung Chen <damon.chen(a)realtek.com> wifi: rtw89: fix BSSID comparison for non-transmitted BSSID Kuan-Chung Chen <damon.chen(a)realtek.com> wifi: rtw89: wow: remove notify during WoWLAN net-detect raub camaioni <raubcameo(a)gmail.com> usb: gadget: f_ncm: Fix MAC assignment NCM ethernet Haibo Chen <haibo.chen(a)nxp.com> iio: adc: imx93_adc: load calibrated values even calibration failed Rodrigo Gobbi <rodrigo.gobbi.7(a)gmail.com> iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Kent Russell <kent.russell(a)amd.com> drm/amdkfd: Handle lack of READ permissions in SVM mapping Heng Zhou <Heng.Zhou(a)amd.com> drm/amdgpu: fix nullptr err of vm_handle_moved Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: PERMISSIVE_CONTROL quirk autodetection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Use direction fix only for conditional effects Karunika Choo <karunika.choo(a)arm.com> drm/panthor: Serialize GPU cache flush operations Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> media: imon: make send_packet() more robust Charalampos Mitrodimas <charmitro(a)posteo.net> net: ipv6: fix field-spanning memcpy warning in AH output Alice Chao <alice.chao(a)mediatek.com> scsi: ufs: host: mediatek: Fix invalid access in vccqx handling Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Change reset sequence for improved stability Alice Chao <alice.chao(a)mediatek.com> scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO mode change Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix PWM mode switch issue Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration Ido Schimmel <idosch(a)nvidia.com> bridge: Redirect to backup port when port is administratively down Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Use pci_uevent_ers() in PCI recovery Niklas Schnelle <schnelle(a)linux.ibm.com> powerpc/eeh: Use result of error_detected() in uevent Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> tty: serial: ip22zilog: Use platform device for probing Lukas Wunner <lukas(a)wunner.de> thunderbolt: Use is_pciehp instead of is_hotplug_bridge Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> ice: Don't use %pK through printk or tracepoints Tiezhu Yang <yangtiezhu(a)loongson.cn> net: stmmac: Check stmmac_hw_setup() in stmmac_resume() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall Lukas Wunner <lukas(a)wunner.de> PCI/ERR: Update device error_state already after reset Mehdi Djait <mehdi.djait(a)linux.intel.com> media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR Jayesh Choudhary <j-choudhary(a)ti.com> drm/tidss: Set crtc modesetting parameters with adjusted mode Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Use the crtc_* timings when programming the HW Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: amphion: Delete v4l2_fh synchronously in .release() Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: pci: ivtv: Don't create fake v4l2_fh Geoffrey McRae <geoffrey.mcrae(a)amd.com> drm/amdkfd: return -ENOTTY for unsupported IOCTLs Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw88: sdio: use indirect IO for device registers before power-on Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: print just once for unknown C2H events Wake Liu <wakel(a)google.com> selftests/net: Ensure assert() triggers in psock_tpacket.c Wake Liu <wakel(a)google.com> selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 Marcos Del Sol Vives <marcos(a)orca.pet> PCI: Disable MSI on RDC PCI to PCIe bridges TungYu Lu <tungyu.lu(a)amd.com> drm/amd/display: Wait until OTG enable state is cleared Danny Wang <Danny.Wang(a)amd.com> drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off Terry Cheong <htcheong(a)chromium.org> ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks Seyediman Seyedarab <imandevel(a)gmail.com> drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Use cached metrics data on arcturus Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Use cached metrics data on aldebaran Paul Hsieh <Paul.Hsieh(a)amd.com> drm/amd/display: update dpp/disp clock from smu clock table Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: add more cyan skillfish devices Xiang Liu <xiang.liu(a)amd.com> drm/amdgpu: Skip poison aca bank from UE channel Meng Li <li.meng(a)amd.com> drm/amd/amdgpu: Release xcp drm memory after unplug Ce Sun <cesun102(a)amd.com> drm/amdgpu: Avoid rma causes GPU duplicate reset Maarten Lankhorst <dev(a)lankhorst.se> drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. John Harrison <John.C.Harrison(a)Intel.com> drm/xe/guc: Add more GuC load error status codes Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Move setup_stream_attribute Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu: Check vcn sram load return value Tao Zhou <tao.zhou1(a)amd.com> drm/amdgpu: add range check for RAS bad page address Clay King <clayking(a)amd.com> drm/amd/display: ensure committing streams is seamless Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: fix condition for setting timing_adjust_pending Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs Bastien Curutchet <bastien.curutchet(a)bootlin.com> mfd: core: Increment of_node's refcount before linking it to the platform device Jens Kehne <jens.kehne(a)agilent.com> mfd: da9063: Split chip variant reading in two bus transactions Arnd Bergmann <arnd(a)arndb.de> mfd: madera: Work around false-positive -Wininitialized warning Alexander Stein <alexander.stein(a)ew.tq-group.com> mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexander Stein <alexander.stein(a)ew.tq-group.com> mfd: stmpe: Remove IRQ domain upon removal Len Brown <len.brown(a)intel.com> tools/power x86_energy_perf_policy: Prefer driver HWP limits Len Brown <len.brown(a)intel.com> tools/power x86_energy_perf_policy: Enhance HWP enable Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage Mykyta Yatsenko <yatsenko(a)meta.com> selftests/bpf: Fix flaky bpf_cookie selftest Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/cpupower: Fix incorrect size in cpuidle_state_disable() Armin Wolf <W_Armin(a)gmx.de> hwmon: (dell-smm) Remove Dell Precision 490 custom config data Ben Copeland <ben.copeland(a)linaro.org> hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex Jiri Olsa <jolsa(a)kernel.org> uprobe: Do not emulate/sstep original instruction when ip is changed Alistair Francis <alistair.francis(a)wdc.com> nvme: Use non zero KATO for persistent discovery connections Amery Hung <ameryhung(a)gmail.com> bpf: Clear pfmemalloc flag when freeing all fragments Chenghao Duan <duanchenghao(a)kylinos.cn> riscv: bpf: Fix uninitialized symbol 'retval_off' Yu Kuai <yukuai3(a)huawei.com> blk-cgroup: fix possible deadlock while configuring policy Markus Stockhausen <markus.stockhausen(a)gmx.de> clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts Markus Stockhausen <markus.stockhausen(a)gmx.de> clocksource/drivers/timer-rtl-otto: Work around dying timers Daniel Lezcano <daniel.lezcano(a)linaro.org> clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Chen Pei <cp0613(a)linux.alibaba.com> ACPI: SPCR: Support Precise Baud Rate field Biju Das <biju.das.jz(a)bp.renesas.com> spi: rpc-if: Add resume support for RZ/G3E Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix selftest verifier_arena_large failure Pranav Tyagi <pranav.tyagi03(a)gmail.com> futex: Don't leak robust_list pointer on exec race Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: Fail cpuidle device registration if there is one already Tom Stellard <tstellar(a)redhat.com> bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21 Fenglin Wu <fenglin.wu(a)oss.qualcomm.com> power: supply: qcom_battmgr: handle charging state change notifications Janne Grunau <j(a)jannau.net> pmdomain: apple: Add "apple,t8103-pmgr-pwrstate" Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/cpupower: fix error return value in cpupower_write_sysfs() Svyatoslav Ryhel <clamor95(a)gmail.com> video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Jarkko Nikula <jarkko.nikula(a)linux.intel.com> i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C Kumar Kartikeya Dwivedi <memxor(a)gmail.com> bpf: Do not limit bpf_cgroup_from_id to current's namespace Daniel Wagner <wagi(a)kernel.org> nvme-fc: use lock accessing port_state and rport state Daniel Wagner <wagi(a)kernel.org> nvmet-fc: avoid scheduling association deletion twice Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> tee: allow a driver to allocate a tee_device without a pool Hans de Goede <hansg(a)kernel.org> ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: pca9685: Use bulk write to atomicially update registers Sarthak Garg <quic_sartgarg(a)quicinc.com> mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Nikita Travkin <nikita(a)trvn.ru> firmware: qcom: tzmem: disable sc7180 platform Svyatoslav Ryhel <clamor95(a)gmail.com> ARM: tegra: transformer-20: fix audio-codec interrupt Svyatoslav Ryhel <clamor95(a)gmail.com> ARM: tegra: transformer-20: add missing magnetometer interrupt Jonas Schwöbel <jonasschwoebel(a)yahoo.de> ARM: tegra: p880: set correct touchscreen clipping Svyatoslav Ryhel <clamor95(a)gmail.com> soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106 Quanyang Wang <quanyang.wang(a)windriver.com> arm64: zynqmp: Disable coresight by default Sohil Mehta <sohil.mehta(a)intel.com> cpufreq: ondemand: Update the efficient idle check for Intel extended Families Ming Wang <wangming01(a)loongson.cn> irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller Andreas Kemnade <andreas(a)kemnade.info> hwmon: sy7636a: add alias Fabien Proriol <fabien.proriol(a)viavisolutions.com> power: supply: sbs-charger: Support multiple devices Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: keembay: release allocated memory in detach path Chuande Chen <chuachen(a)cisco.com> hwmon: (sbtsi_temp) AMD CPU extended temperature range support David Ober <dober6023(a)gmail.com> hwmon: (lenovo-ec-sensors) Update P8 supprt Rong Zhang <i(a)rong.moe> hwmon: (k10temp) Add device ID for Strix Halo Avadhut Naik <avadhut.naik(a)amd.com> hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models Christopher Ruehl <chris.ruehl(a)gtsys.com.hk> power: supply: qcom_battmgr: add OOI chemistry Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: intel: selftests: workload_hint: Mask unsupported types Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_step_wise: Allow cooling level to be reduced earlier Hans de Goede <hansg(a)kernel.org> ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[] Sam van Kampen <sam(a)tehsvk.net> ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU Shang song (Lenovo) <shangsong2(a)foxmail.com> ACPI: PRM: Skip handlers with NULL handler_address or NULL VA Christian Bruel <christian.bruel(a)foss.st.com> irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment Ricardo B. Marlière <rbm(a)suse.com> selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh Yuan Chen <chenyuan(a)kylinos.cn> bpftool: Add CET-aware symbol matching for x86_64 architectures Kees Cook <kees(a)kernel.org> arc: Fix __fls() const-foldability via __builtin_clzl() Dennis Beier <nanovim(a)gmail.com> cpufreq/longhaul: handle NULL policy in longhaul_exit Ricardo B. Marlière <rbm(a)suse.com> selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 Jiawei Zhao <phoenix500526(a)163.com> libbpf: Fix USDT SIB argument handling causing unrecognized register error Mario Limonciello (AMD) <superm1(a)kernel.org> ACPI: video: force native for Lenovo 82K8 Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zctx: check chained notif contexts Inochi Amaoto <inochiama(a)gmail.com> irqchip/sifive-plic: Respect mask state when setting affinity Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: ohci: move self_id_complete tracepoint after validating register Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Use tnums for JEQ/JNE is_branch_taken logic Paresh Bhagat <p-bhagat(a)ti.com> cpufreq: ti: Add support for AM62D2 Jiayi Li <lijiayi(a)kylinos.cn> memstick: Add timeout to prevent indefinite waiting Biju Das <biju.das.jz(a)bp.renesas.com> mmc: host: renesas_sdhi: Fix the actual clock Chi Zhang <chizhang(a)asrmicro.com> pinctrl: single: fix bias pull up/down handling in pin_config_set Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> bpf: Don't use %pK through printk Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> soc: ti: pruss: don't use %pK through printk Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> spi: loopback-test: Don't use %pK through printk Jens Reidel <adrian(a)mainlining.org> soc: qcom: smem: Fix endian-unaware access of num_entries Mukesh Ojha <mukesh.ojha(a)oss.qualcomm.com> firmware: qcom: scm: preserve assign_mem() error return value Ryan Chen <ryan_chen(a)aspeedtech.com> soc: aspeed: socinfo: Add AST27xx silicon IDs Heiko Carstens <hca(a)linux.ibm.com> s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP Gerd Bayer <gbayer(a)linux.ibm.com> s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Philipp Stanner <phasta(a)kernel.org> drm/sched: Fix race in drm_sched_entity_select_rq() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Re-group and rename the entity run-queue lock Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Optimise drm_sched_entity_push_job Owen Gu <guhuinan(a)xiaomi.com> usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Gregory Price <gourry(a)gourry.net> x86/CPU/AMD: Add RDSEED fix for Zen5 Heijligen, Thomas <thomas.heijligen(a)secunet.com> mfd: kempld: Switch back to earlier ->init() behavior Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: governors: menu: Select polling state in some more cases Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: governors: menu: Rearrange main loop in menu_select() Tejun Heo <tj(a)kernel.org> sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU Armin Wolf <W_Armin(a)gmx.de> ACPI: fan: Use platform device for devres-related actions Joshua Grisham <josh(a)joshuagrisham.com> ACPI: fan: Add fan speed reporting for fans with only _FST Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Fix incorrect return of vblank enable on unconfigured crtc Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Check that VPE has reached DPM0 in idle handler Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Clear preserved bits from register output value Johan Hovold <johan(a)kernel.org> drm/mediatek: Fix device use-after-free on unbind Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix race in nouveau_sched_fini() David Rosca <david.rosca(a)amd.com> drm/sched: avoid killing parent entity on child SIGKILL Thomas Zimmermann <tzimmermann(a)suse.de> drm/sysfb: Do not dereference NULL pointer in plane reset Matthew Brost <matthew.brost(a)intel.com> drm/xe: Do not wake device during a GT reset Miaoqian Lin <linmq006(a)gmail.com> s390/mm: Fix memory leak in add_marker() when kvrealloc() fails Alexey Klimov <alexey.klimov(a)linaro.org> regmap: slimbus: fix bus_context pointer in regmap init calls Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Fix KASAN global-out-of-bounds warning Damien Le Moal <dlemoal(a)kernel.org> block: make REQ_OP_ZONE_OPEN a write operation Damien Le Moal <dlemoal(a)kernel.org> block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL Armin Wolf <W_Armin(a)gmx.de> ACPI: fan: Use ACPI handle when retrieving _FST John Smith <itistotalbotnet(a)gmail.com> drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland John Smith <itistotalbotnet(a)gmail.com> drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji Yang Wang <kevinyang.wang(a)amd.com> drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() Daniel Palmer <daniel(a)0x0f.com> drm/radeon: Remove calls to drm_put_dev() Daniel Palmer <daniel(a)0x0f.com> drm/radeon: Do not kfree() devres managed rdev Maarten Zanders <maarten(a)zanders.be> ASoC: fsl_sai: Fix sync error in consumer mode Petr Oros <poros(a)redhat.com> dpll: spec: add missing module-name and clock-id to pin-get reply Abdun Nihaal <nihaal(a)cse.iitm.ac.in> sfc: fix potential memory leak in efx_mae_process_mport() Jijie Shao <shaojijie(a)huawei.com> net: hns3: return error code when function fails Petr Oros <poros(a)redhat.com> tools: ynl: fix string attribute length to include null terminator Tomeu Vizoso <tomeu(a)tomeuvizoso.net> drm/etnaviv: fix flush sequence logic Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix tracking of periodic advertisement Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix another instance of dst_type handling Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during reset Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix BIS connection dst_type handling Iulia Tanasescu <iulia.tanasescu(a)nxp.com> Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave Cen Zhang <zzzccc427(a)163.com> Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once Lizhi Xu <lizhi.xu(a)windriver.com> usbnet: Prevents free active kevent Andrii Nakryiko <andrii(a)kernel.org> libbpf: Fix powerpc's stack register definition in bpf_tracing.h Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: fix bit order for DSD format Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: avs: Disable periods-elapsed work when closing PCM Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: avs: Unprepare a stream when XRUN occurs Haotian Zhang <vulab(a)iscas.ac.cn> crypto: aspeed - fix double free caused by devm Ondrej Mosnacek <omosnace(a)redhat.com> bpf: Do not audit capability check in do_jit() Yonghong Song <yonghong.song(a)linux.dev> bpf, x86: Avoid repeated usage of bpf_prog->aux->stack_depth Yonghong Song <yonghong.song(a)linux.dev> bpf: Find eligible subprogs for private stack support Wonkon Kim <wkon.kim(a)samsung.com> scsi: ufs: core: Initialize value of an attribute returned by uic cmd Noorain Eqbal <nooraineqbal(a)gmail.com> bpf: Sync pending IRQ work before freeing ring buffer Florian Schmaus <florian.schmaus(a)codasip.com> kunit: test_dev_action: Correctly cast 'priv' pointer to long* Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix key tailroom accounting leak Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: don't mark keys for inactive links as uploaded Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h Roy Vegard Ovesen <roy.vegard.ovesen(a)gmail.com> ALSA: usb-audio: fix control pipe direction Akhil P Oommen <akhilpo(a)oss.qualcomm.com> drm/msm/a6xx: Fix GMU firmware parser Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath11k: avoid bit operation on key flags Yu Zhang(Yuriy) <quic_yuzha(a)quicinc.com> wifi: ath11k: add support for MU EDCA Karthik M <quic_karm(a)quicinc.com> wifi: ath12k: free skb during idr cleanup callback Mark Pearson <mpearson-lenovo(a)squebb.ca> wifi: ath11k: Add missing platform IDs for quirk table Loic Poulain <loic.poulain(a)oss.qualcomm.com> wifi: ath10k: Fix memory leak on unsupported WMI command Chang S. Bae <chang.seok.bae(a)intel.com> x86/fpu: Ensure XFD state on signal delivery Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix potential cfid UAF in smb2_query_info_compound Farhan Ali <alifm(a)linux.ibm.com> s390/pci: Restore IRQ unconditionally for the zPCI device Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> ASoC: qdsp6: q6asm: do not sleep while atomic Paolo Abeni <pabeni(a)redhat.com> mptcp: restore window probe Paolo Abeni <pabeni(a)redhat.com> mptcp: drop bogus optimization in __mptcp_check_push() Miaoqian Lin <linmq006(a)gmail.com> fbdev: valkyriefb: Fix reference count leak in valkyriefb_init Florian Fuchs <fuchsfl(a)gmail.com> fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Johan Hovold <johan(a)kernel.org> Bluetooth: rfcomm: fix modem control handling Junjie Cao <junjie.cao(a)intel.com> fbdev: bitblit: bound-check glyph index in bit_putcs* Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: drop the multi-buffer XDP packet in zerocopy Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> ACPI: button: Call input_free_device() on failing input device registration Yuhao Jiang <danisjiang(a)gmail.com> ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Daniel Palmer <daniel(a)0x0f.com> fbdev: atyfb: Check if pll_ops->init_pll failed Quanmin Yan <yanquanmin1(a)huawei.com> fbcon: Set fb_display[i]->mode to NULL when the mode is released Miaoqian Lin <linmq006(a)gmail.com> net: usb: asix_devices: Check return value of usbnet_get_endpoints Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix crash in nfsd4_read_release() ------------- Diffstat: Documentation/netlink/specs/dpll.yaml | 2 + Makefile | 4 +- arch/arc/include/asm/bitops.h | 2 + arch/arm/boot/dts/nvidia/tegra20-asus-tf101.dts | 5 +- arch/arm/boot/dts/nvidia/tegra30-lg-p880.dts | 4 +- arch/arm/mach-at91/pm_suspend.S | 8 +- arch/arm64/boot/dts/xilinx/zynqmp-zcu106-revA.dts | 4 +- arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 + arch/loongarch/include/asm/inst.h | 5 + arch/loongarch/kernel/inst.c | 12 + arch/mips/boot/dts/lantiq/danube.dtsi | 6 + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 4 +- arch/mips/lantiq/xway/sysctrl.c | 2 +- arch/mips/sgi-ip22/ip22-platform.c | 32 ++ arch/openrisc/kernel/module.c | 4 + arch/parisc/include/asm/video.h | 2 +- arch/parisc/kernel/unwind.c | 13 +- arch/powerpc/kernel/eeh_driver.c | 2 +- arch/riscv/kernel/stacktrace.c | 21 +- arch/riscv/mm/ptdump.c | 2 +- arch/riscv/net/bpf_jit_comp64.c | 5 +- arch/s390/Kconfig | 1 - arch/s390/include/asm/pci.h | 1 - arch/s390/mm/dump_pagetables.c | 19 +- arch/s390/pci/pci_event.c | 7 +- arch/s390/pci/pci_irq.c | 9 +- arch/sparc/include/asm/elf_64.h | 1 + arch/sparc/include/asm/io_64.h | 6 +- arch/sparc/include/asm/video.h | 2 + arch/sparc/kernel/module.c | 1 + arch/um/drivers/ssl.c | 5 +- arch/x86/entry/vsyscall/vsyscall_64.c | 17 +- arch/x86/events/intel/ds.c | 3 +- arch/x86/include/asm/runtime-const.h | 17 + arch/x86/include/asm/uaccess_64.h | 22 +- arch/x86/include/asm/video.h | 2 + arch/x86/kernel/cpu/amd.c | 35 ++ arch/x86/kernel/cpu/common.c | 6 +- arch/x86/kernel/cpu/microcode/amd.c | 2 + arch/x86/kernel/fpu/core.c | 3 + arch/x86/kernel/kvm.c | 20 +- arch/x86/lib/getuser.S | 12 +- arch/x86/net/bpf_jit_comp.c | 13 +- block/blk-cgroup.c | 23 +- drivers/accel/habanalabs/common/memory.c | 2 +- drivers/accel/habanalabs/gaudi/gaudi.c | 19 + drivers/accel/habanalabs/gaudi2/gaudi2.c | 15 +- drivers/accel/habanalabs/gaudi2/gaudi2_coresight.c | 2 +- drivers/acpi/acpi_video.c | 4 +- drivers/acpi/acpica/dsmethod.c | 10 +- drivers/acpi/button.c | 4 +- drivers/acpi/device_sysfs.c | 2 +- drivers/acpi/fan.h | 8 +- drivers/acpi/fan_attr.c | 39 +- drivers/acpi/fan_core.c | 61 ++- drivers/acpi/fan_hwmon.c | 19 +- drivers/acpi/prmt.c | 19 +- drivers/acpi/property.c | 24 +- drivers/acpi/resource.c | 7 + drivers/acpi/scan.c | 4 + drivers/acpi/spcr.c | 10 +- drivers/acpi/video_detect.c | 8 + drivers/base/regmap/regmap-slimbus.c | 6 +- drivers/bluetooth/btmtksdio.c | 12 + drivers/bluetooth/btrtl.c | 4 +- drivers/bluetooth/btusb.c | 19 + drivers/bluetooth/hci_bcsp.c | 3 + drivers/bus/mhi/host/internal.h | 2 + drivers/bus/mhi/host/pm.c | 2 +- drivers/char/misc.c | 40 +- drivers/clk/at91/clk-master.c | 3 + drivers/clk/at91/clk-sam9x60-pll.c | 75 ++-- drivers/clk/at91/sam9x7.c | 1 + drivers/clk/clk-scmi.c | 11 +- drivers/clk/qcom/gcc-ipq6018.c | 60 +-- drivers/clk/sunxi-ng/ccu-sun6i-rtc.c | 11 + drivers/clk/ti/clk-33xx.c | 2 + drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 +- drivers/clocksource/timer-rtl-otto.c | 26 +- drivers/clocksource/timer-vf-pit.c | 22 +- drivers/cpufreq/cpufreq_ondemand.c | 25 +- drivers/cpufreq/cpufreq_ondemand.h | 23 ++ drivers/cpufreq/longhaul.c | 3 + drivers/cpufreq/tegra186-cpufreq.c | 27 +- drivers/cpufreq/ti-cpufreq.c | 2 + drivers/cpuidle/cpuidle.c | 8 +- drivers/cpuidle/governors/menu.c | 79 ++-- .../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 1 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 5 +- drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 2 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-trng.c | 1 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- drivers/crypto/aspeed/aspeed-acry.c | 2 - drivers/crypto/caam/ctrl.c | 4 +- drivers/crypto/ccp/hsti.c | 2 +- drivers/crypto/ccp/sev-dev.c | 10 + drivers/crypto/hisilicon/qm.c | 78 ++-- drivers/crypto/intel/qat/qat_common/qat_uclo.c | 2 +- drivers/dma/dw-edma/dw-edma-core.c | 22 ++ drivers/dma/mv_xor.c | 4 +- drivers/dma/sh/shdma-base.c | 25 +- drivers/dma/sh/shdmac.c | 17 +- drivers/extcon/extcon-adc-jack.c | 2 + drivers/firewire/ohci.c | 12 +- drivers/firmware/qcom/qcom_scm.c | 2 +- drivers/firmware/qcom/qcom_tzmem.c | 1 + drivers/gpio/gpiolib-swnode.c | 2 +- drivers/gpio/gpiolib.c | 8 +- drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 53 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 66 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 21 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 + drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 77 ++-- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 34 +- drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.c | 1 + drivers/gpu/drm/amd/amdgpu/atom.c | 4 + drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 11 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 13 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 19 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 10 +- drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 9 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 25 ++ drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.c | 56 ++- drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.h | 1 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 100 ++++- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 3 + .../drm/amd/display/amdgpu_dm/amdgpu_dm_color.c | 86 ++-- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 10 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 3 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 13 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 2 +- .../drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 16 + .../amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c | 142 ++++++- .../amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.h | 5 + drivers/gpu/drm/amd/display/dc/core/dc.c | 25 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 14 +- drivers/gpu/drm/amd/display/dc/dc_helper.c | 5 + drivers/gpu/drm/amd/display/dc/dc_stream.h | 3 + .../drm/amd/display/dc/dccg/dcn401/dcn401_dccg.c | 2 +- drivers/gpu/drm/amd/display/dc/dm_services.h | 2 + .../gpu/drm/amd/display/dc/dml/dcn301/dcn301_fpu.c | 20 +- .../drm/amd/display/dc/dml2/display_mode_core.c | 2 +- .../drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 + .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 28 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 + .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 73 ++-- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 5 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 + .../gpu/drm/amd/display/dc/link/link_detection.c | 5 + drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 - .../display/dc/link/protocols/link_dp_training.c | 9 +- .../drm/amd/display/dc/optc/dcn401/dcn401_optc.c | 5 + .../display/dc/resource/dcn314/dcn314_resource.c | 1 + .../display/dc/virtual/virtual_stream_encoder.c | 7 + drivers/gpu/drm/amd/display/include/dal_asic_id.h | 5 + .../gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +- .../drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 + drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- drivers/gpu/drm/ast/ast_drv.h | 8 +- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 12 +- drivers/gpu/drm/bridge/display-connector.c | 3 +- drivers/gpu/drm/drm_gem_atomic_helper.c | 8 +- drivers/gpu/drm/drm_panel_backlight_quirks.c | 2 +- drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 - drivers/gpu/drm/mediatek/mtk_plane.c | 24 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 3 + drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 10 + drivers/gpu/drm/msm/registers/gen_header.py | 7 + drivers/gpu/drm/nouveau/nouveau_sched.c | 14 +- drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 +- drivers/gpu/drm/panthor/panthor_gpu.c | 7 + drivers/gpu/drm/panthor/panthor_mmu.c | 4 +- drivers/gpu/drm/radeon/radeon_drv.c | 25 +- drivers/gpu/drm/radeon/radeon_kms.c | 1 - drivers/gpu/drm/scheduler/sched_entity.c | 73 ++-- drivers/gpu/drm/scheduler/sched_main.c | 6 +- drivers/gpu/drm/tidss/tidss_crtc.c | 7 +- drivers/gpu/drm/tidss/tidss_dispc.c | 16 +- drivers/gpu/drm/xe/abi/guc_errors_abi.h | 3 + drivers/gpu/drm/xe/xe_bo.c | 28 +- drivers/gpu/drm/xe/xe_gt.c | 19 +- drivers/gpu/drm/xe/xe_guc.c | 32 +- drivers/gpu/drm/xe/xe_guc_ct.c | 10 + drivers/gpu/drm/xe/xe_guc_log.h | 2 +- drivers/hid/hid-asus.c | 6 +- drivers/hid/hid-ids.h | 2 +- drivers/hid/hid-universal-pidff.c | 20 +- drivers/hid/i2c-hid/i2c-hid-acpi.c | 8 + drivers/hid/i2c-hid/i2c-hid-core.c | 28 +- drivers/hid/i2c-hid/i2c-hid.h | 2 + drivers/hid/usbhid/hid-pidff.c | 42 +- drivers/hid/usbhid/hid-pidff.h | 2 +- drivers/hwmon/asus-ec-sensors.c | 2 +- drivers/hwmon/dell-smm-hwmon.c | 14 - drivers/hwmon/k10temp.c | 10 + drivers/hwmon/lenovo-ec-sensors.c | 34 +- drivers/hwmon/sbtsi_temp.c | 46 ++- drivers/hwmon/sy7636a-hwmon.c | 1 + drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c | 3 + drivers/iio/adc/imx93_adc.c | 18 +- drivers/iio/adc/spear_adc.c | 9 +- drivers/infiniband/hw/hns/hns_roce_cq.c | 58 ++- drivers/infiniband/hw/hns/hns_roce_device.h | 4 + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 +- drivers/infiniband/hw/hns/hns_roce_main.c | 4 + drivers/infiniband/hw/hns/hns_roce_qp.c | 2 - drivers/infiniband/hw/irdma/Kconfig | 7 +- drivers/infiniband/hw/irdma/pble.c | 2 +- drivers/infiniband/hw/irdma/verbs.c | 4 +- drivers/infiniband/hw/irdma/verbs.h | 8 +- drivers/infiniband/ulp/ipoib/ipoib_main.c | 21 +- drivers/iommu/amd/init.c | 28 +- drivers/iommu/apple-dart.c | 5 + drivers/iommu/intel/debugfs.c | 10 +- drivers/iommu/intel/perf.c | 10 +- drivers/iommu/intel/perf.h | 5 +- drivers/iommu/iommufd/iova_bitmap.c | 5 +- drivers/irqchip/irq-gic-v2m.c | 13 +- drivers/irqchip/irq-loongson-pch-lpc.c | 9 +- drivers/irqchip/irq-sifive-plic.c | 6 +- drivers/md/dm-target.c | 3 +- drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 + drivers/media/i2c/Kconfig | 2 +- drivers/media/i2c/adv7180.c | 48 +-- drivers/media/i2c/ir-kbd-i2c.c | 6 +- drivers/media/i2c/og01a1b.c | 6 +- drivers/media/i2c/ov08x40.c | 2 +- drivers/media/pci/intel/ipu6/ipu6-isys-subdev.c | 6 + drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 - drivers/media/pci/ivtv/ivtv-driver.h | 3 +- drivers/media/pci/ivtv/ivtv-fileops.c | 18 +- drivers/media/pci/ivtv/ivtv-irq.c | 4 +- drivers/media/pci/mgb4/mgb4_vin.c | 3 +- drivers/media/platform/amphion/vpu_v4l2.c | 7 +- drivers/media/platform/verisilicon/hantro_drv.c | 2 + drivers/media/platform/verisilicon/hantro_v4l2.c | 6 +- drivers/media/rc/imon.c | 61 +-- drivers/media/rc/redrat3.c | 2 +- drivers/media/tuners/xc4000.c | 8 +- drivers/media/tuners/xc5000.c | 12 +- drivers/media/usb/uvc/uvc_driver.c | 15 +- drivers/memstick/core/memstick.c | 8 +- drivers/mfd/da9063-i2c.c | 27 +- drivers/mfd/intel-lpss-pci.c | 13 + drivers/mfd/kempld-core.c | 32 +- drivers/mfd/madera-core.c | 4 +- drivers/mfd/mfd-core.c | 1 + drivers/mfd/stmpe-i2c.c | 1 + drivers/mfd/stmpe.c | 3 + drivers/mmc/host/renesas_sdhi_core.c | 6 +- drivers/mmc/host/sdhci-msm.c | 15 + drivers/net/dsa/b53/b53_common.c | 27 +- drivers/net/dsa/b53/b53_regs.h | 3 +- drivers/net/dsa/dsa_loop.c | 9 +- drivers/net/dsa/microchip/ksz9477.c | 98 ++++- drivers/net/dsa/microchip/ksz9477_reg.h | 3 +- drivers/net/dsa/microchip/ksz_common.c | 49 +++ drivers/net/dsa/microchip/ksz_common.h | 2 + drivers/net/dsa/ocelot/felix.c | 4 + drivers/net/dsa/ocelot/felix.h | 3 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 75 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 +- drivers/net/ethernet/cadence/macb_main.c | 4 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 +- drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 +- drivers/net/ethernet/intel/ice/ice_main.c | 2 +- drivers/net/ethernet/intel/ice/ice_trace.h | 10 +- drivers/net/ethernet/intel/idpf/idpf.h | 2 + drivers/net/ethernet/intel/idpf/idpf_lib.c | 102 ++++- drivers/net/ethernet/intel/idpf/idpf_txrx.c | 129 ++---- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 12 +- drivers/net/ethernet/microchip/lan865x/lan865x.c | 1 + .../ethernet/microchip/lan966x/lan966x_ethtool.c | 18 +- .../net/ethernet/microchip/lan966x/lan966x_main.c | 2 - .../net/ethernet/microchip/lan966x/lan966x_main.h | 4 +- .../ethernet/microchip/lan966x/lan966x_vcap_impl.c | 8 +- drivers/net/ethernet/microchip/sparx5/Kconfig | 2 +- drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 34 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 1 - drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 2 - drivers/net/ethernet/realtek/Kconfig | 2 +- drivers/net/ethernet/realtek/r8169_main.c | 6 +- drivers/net/ethernet/renesas/sh_eth.c | 4 + drivers/net/ethernet/sfc/mae.c | 4 + drivers/net/ethernet/smsc/smsc911x.c | 14 +- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/stmmac_est.c | 9 +- drivers/net/ethernet/stmicro/stmmac/stmmac_est.h | 1 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 +- drivers/net/ethernet/ti/icssg/icssg_config.c | 7 + drivers/net/ethernet/wangxun/libwx/wx_ethtool.c | 7 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 +- drivers/net/hamradio/6pack.c | 57 +-- drivers/net/mdio/of_mdio.c | 1 - drivers/net/phy/fixed_phy.c | 1 + drivers/net/phy/marvell.c | 39 +- drivers/net/phy/phy.c | 13 + drivers/net/usb/asix_devices.c | 12 +- drivers/net/usb/qmi_wwan.c | 6 + drivers/net/usb/usbnet.c | 2 + drivers/net/virtio_net.c | 36 +- drivers/net/wan/framer/pef2256/pef2256.c | 7 +- drivers/net/wireless/ath/ath10k/mac.c | 12 +- drivers/net/wireless/ath/ath10k/wmi.c | 40 +- drivers/net/wireless/ath/ath11k/core.c | 54 ++- drivers/net/wireless/ath/ath11k/core.h | 3 +- drivers/net/wireless/ath/ath11k/mac.c | 61 ++- drivers/net/wireless/ath/ath11k/wmi.c | 11 +- drivers/net/wireless/ath/ath11k/wmi.h | 10 +- drivers/net/wireless/ath/ath12k/dp.h | 2 +- drivers/net/wireless/ath/ath12k/mac.c | 34 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +- .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 +- .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 +- drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 14 +- drivers/net/wireless/mediatek/mt76/eeprom.c | 9 +- drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- drivers/net/wireless/mediatek/mt76/mt7603/eeprom.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7615/init.c | 5 +- drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 6 +- drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/init.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/init.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7996/init.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 +- drivers/net/wireless/realtek/rtw88/sdio.c | 4 + drivers/net/wireless/realtek/rtw89/core.c | 61 ++- drivers/net/wireless/realtek/rtw89/core.h | 12 +- drivers/net/wireless/realtek/rtw89/debug.h | 1 + drivers/net/wireless/realtek/rtw89/fw.c | 4 +- drivers/net/wireless/realtek/rtw89/mac.c | 7 +- drivers/net/wireless/realtek/rtw89/phy.c | 7 +- drivers/net/wireless/realtek/rtw89/txrx.h | 1 + drivers/net/wireless/virtual/mac80211_hwsim.c | 7 +- drivers/net/wwan/t7xx/t7xx_pci.c | 1 + drivers/ntb/hw/epf/ntb_hw_epf.c | 103 ++--- drivers/nvme/host/core.c | 8 +- drivers/nvme/host/fc.c | 10 +- drivers/nvme/target/fc.c | 16 +- drivers/pci/controller/cadence/pcie-cadence-host.c | 2 +- drivers/pci/controller/cadence/pcie-cadence.c | 4 +- drivers/pci/controller/cadence/pcie-cadence.h | 6 +- drivers/pci/controller/dwc/pci-imx6.c | 4 + drivers/pci/controller/dwc/pcie-designware.c | 4 +- drivers/pci/endpoint/functions/pci-epf-test.c | 7 +- drivers/pci/p2pdma.c | 2 +- drivers/pci/pci-driver.c | 2 +- drivers/pci/pci.c | 5 + drivers/pci/pcie/err.c | 3 +- drivers/pci/quirks.c | 3 +- drivers/phy/cadence/cdns-dphy.c | 4 +- drivers/phy/renesas/r8a779f0-ether-serdes.c | 28 ++ drivers/phy/rockchip/phy-rockchip-inno-csidphy.c | 5 +- drivers/pinctrl/pinctrl-keembay.c | 7 +- drivers/pinctrl/pinctrl-single.c | 4 +- .../intel/uncore-frequency/uncore-frequency-tpmi.c | 2 +- drivers/pmdomain/apple/pmgr-pwrstate.c | 1 + drivers/power/supply/qcom_battmgr.c | 8 +- drivers/power/supply/sbs-charger.c | 16 +- drivers/ptp/ptp_clock.c | 13 +- drivers/pwm/pwm-pca9685.c | 46 ++- drivers/remoteproc/qcom_q6v5.c | 5 + drivers/remoteproc/wkup_m3_rproc.c | 6 +- drivers/rpmsg/rpmsg_char.c | 3 +- drivers/rtc/rtc-pcf2127.c | 19 +- drivers/rtc/rtc-rx8025.c | 2 +- drivers/scsi/libfc/fc_encode.h | 2 +- drivers/scsi/lpfc/lpfc_debugfs.h | 3 + drivers/scsi/lpfc/lpfc_els.c | 21 +- drivers/scsi/lpfc/lpfc_init.c | 7 - drivers/scsi/lpfc/lpfc_nportdisc.c | 23 +- drivers/scsi/lpfc/lpfc_scsi.c | 14 +- drivers/scsi/lpfc/lpfc_sli.c | 3 +- drivers/scsi/mpi3mr/mpi3mr_fw.c | 13 + drivers/scsi/mpi3mr/mpi3mr_os.c | 2 + drivers/scsi/mpt3sas/mpt3sas_transport.c | 3 + drivers/scsi/pm8001/pm8001_ctl.c | 24 +- drivers/scsi/pm8001/pm8001_init.c | 1 + drivers/scsi/pm8001/pm8001_sas.h | 4 + drivers/scsi/qla2xxx/qla_os.c | 5 - drivers/soc/aspeed/aspeed-socinfo.c | 4 + drivers/soc/qcom/smem.c | 2 +- drivers/soc/tegra/fuse/fuse-tegra30.c | 122 ++++++ drivers/soc/ti/pruss.c | 2 +- drivers/spi/spi-loopback-test.c | 12 +- drivers/spi/spi-rpc-if.c | 2 + drivers/tee/tee_core.c | 2 +- drivers/thermal/gov_step_wise.c | 15 +- drivers/thunderbolt/tb.c | 2 +- drivers/tty/serial/ip22zilog.c | 360 +++++++---------- drivers/tty/serial/max3100.c | 2 +- drivers/tty/serial/max310x.c | 3 +- drivers/tty/vt/vt_ioctl.c | 4 +- drivers/ufs/core/ufshcd.c | 16 +- drivers/ufs/host/ufs-exynos.c | 8 + drivers/ufs/host/ufs-mediatek.c | 222 ++++++++--- drivers/ufs/host/ufshcd-pci.c | 70 +++- drivers/usb/cdns3/cdnsp-gadget.c | 8 +- drivers/usb/gadget/function/f_fs.c | 8 +- drivers/usb/gadget/function/f_hid.c | 4 +- drivers/usb/gadget/function/f_ncm.c | 3 +- drivers/usb/host/xhci-pci.c | 45 ++- drivers/usb/host/xhci-plat.c | 1 + drivers/usb/mon/mon_bin.c | 14 +- drivers/vfio/pci/vfio_pci_intrs.c | 7 + drivers/vfio/vfio_main.c | 2 +- drivers/video/backlight/lp855x_bl.c | 2 +- drivers/video/fbdev/aty/atyfb_base.c | 8 +- drivers/video/fbdev/core/bitblit.c | 33 +- drivers/video/fbdev/core/fbcon.c | 19 + drivers/video/fbdev/core/fbmem.c | 1 + drivers/video/fbdev/pvr2fb.c | 2 +- drivers/video/fbdev/valkyriefb.c | 2 + drivers/watchdog/s3c2410_wdt.c | 10 +- fs/9p/v9fs.c | 9 +- fs/btrfs/extent_io.c | 8 + fs/btrfs/file.c | 10 + fs/btrfs/qgroup.c | 4 +- fs/ceph/dir.c | 3 +- fs/ceph/file.c | 6 +- fs/ceph/ioctl.c | 17 +- fs/ceph/locks.c | 5 +- fs/ceph/mds_client.c | 8 + fs/ceph/mdsmap.c | 14 +- fs/ceph/super.c | 14 - fs/ceph/super.h | 14 + fs/exfat/balloc.c | 72 +++- fs/exfat/fatent.c | 11 +- fs/ext4/fast_commit.c | 2 +- fs/ext4/xattr.c | 2 +- fs/f2fs/extent_cache.c | 6 + fs/f2fs/node.c | 17 +- fs/f2fs/sysfs.c | 9 +- fs/fuse/inode.c | 11 +- fs/hpfs/namei.c | 18 +- fs/jfs/inode.c | 8 +- fs/jfs/jfs_txnmgr.c | 9 +- fs/nfs/nfs4proc.c | 6 +- fs/nfs/nfs4state.c | 3 + fs/nfsd/nfs4proc.c | 7 +- fs/ntfs3/inode.c | 1 + fs/open.c | 10 +- fs/orangefs/xattr.c | 12 +- fs/smb/client/cached_dir.c | 16 +- fs/smb/client/smb2ops.c | 3 +- fs/smb/client/smb2pdu.c | 7 +- fs/smb/client/transport.c | 10 +- fs/smb/server/transport_tcp.c | 7 +- include/drm/gpu_scheduler.h | 23 +- include/linux/blk_types.h | 11 +- include/linux/bpf_verifier.h | 7 + include/linux/cgroup.h | 1 + include/linux/f2fs_fs.h | 1 + include/linux/fbcon.h | 2 + include/linux/filter.h | 3 +- include/linux/pci.h | 2 +- include/linux/shdma-base.h | 2 +- include/linux/tnum.h | 3 + include/net/bluetooth/hci.h | 1 + include/net/bluetooth/hci_core.h | 13 +- include/net/bluetooth/mgmt.h | 2 +- include/net/cls_cgroup.h | 2 +- include/net/nfc/nci_core.h | 2 +- include/net/xdp.h | 5 + include/ufs/ufs_quirks.h | 3 + include/ufs/ufshcd.h | 8 + include/ufs/ufshci.h | 4 +- io_uring/notif.c | 5 + kernel/bpf/core.c | 5 + kernel/bpf/helpers.c | 2 +- kernel/bpf/ringbuf.c | 2 + kernel/bpf/tnum.c | 8 + kernel/bpf/verifier.c | 100 ++++- kernel/cgroup/cgroup.c | 24 +- kernel/events/uprobes.c | 7 + kernel/futex/syscalls.c | 106 ++--- kernel/sched/ext.c | 8 +- kernel/trace/ftrace.c | 2 + kernel/trace/ring_buffer.c | 4 + kernel/trace/trace_events_hist.c | 6 +- lib/crypto/Makefile | 2 +- lib/kunit/kunit-test.c | 2 +- net/8021q/vlan.c | 2 + net/9p/trans_fd.c | 9 +- net/bluetooth/hci_event.c | 19 +- net/bluetooth/hci_sync.c | 23 +- net/bluetooth/iso.c | 11 +- net/bluetooth/mgmt.c | 6 +- net/bluetooth/rfcomm/tty.c | 26 +- net/bluetooth/sco.c | 7 + net/bridge/br.c | 5 + net/bridge/br_forward.c | 5 +- net/bridge/br_if.c | 1 + net/bridge/br_input.c | 4 +- net/bridge/br_mst.c | 10 +- net/bridge/br_private.h | 13 +- net/core/filter.c | 1 + net/core/page_pool.c | 12 +- net/core/sock.c | 15 +- net/dsa/tag_brcm.c | 70 ++-- net/ethernet/eth.c | 5 +- net/ipv4/inet_diag.c | 14 +- net/ipv4/ip_input.c | 11 +- net/ipv4/netfilter/nf_reject_ipv4.c | 25 ++ net/ipv4/nexthop.c | 6 + net/ipv4/route.c | 2 +- net/ipv4/tcp.c | 4 +- net/ipv4/tcp_fastopen.c | 7 +- net/ipv4/udp_tunnel_nic.c | 2 +- net/ipv6/addrconf.c | 4 +- net/ipv6/ah6.c | 50 ++- net/ipv6/netfilter/nf_reject_ipv6.c | 30 ++ net/ipv6/raw.c | 2 +- net/ipv6/udp.c | 2 +- net/mac80211/cfg.c | 20 +- net/mac80211/ieee80211_i.h | 2 + net/mac80211/iface.c | 9 + net/mac80211/key.c | 10 +- net/mac80211/mesh.c | 3 + net/mac80211/mlme.c | 5 +- net/mptcp/protocol.c | 18 +- net/mptcp/protocol.h | 2 +- net/rds/rds.h | 2 +- net/sctp/diag.c | 23 +- security/integrity/ima/ima_appraise.c | 23 +- sound/drivers/serial-generic.c | 12 +- sound/pci/hda/patch_realtek.c | 17 +- sound/soc/codecs/cs-amp-lib-test.c | 1 + sound/soc/codecs/tlv320aic3x.c | 32 +- sound/soc/fsl/fsl_sai.c | 11 +- sound/soc/intel/avs/pcm.c | 3 + sound/soc/mediatek/mt8173/mt8173-rt5650.c | 2 +- sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 2 +- .../mt8183/mt8183-mt6358-ts3a227-max98357.c | 2 +- sound/soc/mediatek/mt8186/mt8186-mt6366.c | 2 +- sound/soc/mediatek/mt8188/mt8188-mt6359.c | 8 +- .../mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c | 2 +- sound/soc/mediatek/mt8195/mt8195-mt6359.c | 4 +- sound/soc/meson/aiu-encoder-i2s.c | 9 +- sound/soc/qcom/qdsp6/q6asm.c | 2 +- sound/soc/qcom/sc8280xp.c | 3 + sound/soc/sof/ipc4-pcm.c | 56 +++ sound/soc/stm/stm32_sai_sub.c | 8 + sound/usb/mixer.c | 7 + sound/usb/mixer_s1810c.c | 28 +- sound/usb/validate.c | 9 +- tools/bpf/bpftool/btf_dumper.c | 2 +- tools/bpf/bpftool/link.c | 54 ++- tools/bpf/bpftool/prog.c | 2 +- tools/include/linux/bitmap.h | 1 + tools/lib/bpf/bpf_tracing.h | 2 +- tools/lib/bpf/usdt.bpf.h | 44 ++- tools/lib/bpf/usdt.c | 62 ++- tools/lib/thermal/Makefile | 9 +- tools/net/ynl/lib/ynl-priv.h | 4 +- tools/power/cpupower/lib/cpuidle.c | 5 +- tools/power/cpupower/lib/cpupower.c | 2 +- .../x86_energy_perf_policy.c | 30 +- tools/testing/selftests/Makefile | 2 +- .../testing/selftests/bpf/prog_tests/bpf_cookie.c | 3 +- .../selftests/bpf/progs/verifier_arena_large.c | 1 + tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 +- tools/testing/selftests/bpf/test_xsk.sh | 2 + tools/testing/selftests/drivers/net/hw/rss_ctx.py | 11 +- .../selftests/drivers/net/netdevsim/Makefile | 4 + tools/testing/selftests/net/fcnal-test.sh | 432 +++++++++++---------- .../net/forwarding/custom_multipath_hash.sh | 2 +- .../net/forwarding/gre_custom_multipath_hash.sh | 2 +- .../net/forwarding/ip6_forward_instats_vrf.sh | 6 +- .../net/forwarding/ip6gre_custom_multipath_hash.sh | 2 +- tools/testing/selftests/net/forwarding/lib.sh | 8 +- .../net/forwarding/mirror_gre_bridge_1q_lag.sh | 2 +- .../net/forwarding/mirror_gre_vlan_bridge_1q.sh | 4 +- tools/testing/selftests/net/gro.c | 12 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 6 +- tools/testing/selftests/net/psock_tpacket.c | 4 +- tools/testing/selftests/net/traceroute.sh | 51 +-- .../intel/workload_hint/workload_hint_test.c | 2 + usr/include/headers_check.pl | 2 + 613 files changed, 5918 insertions(+), 2723 deletions(-)

1 month

15
18
0 0

[PATCH] scsi: sg: Do not sleep in atomic context

by Bart Van Assche

sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 4c62c597c7be..b3af9b78fa12 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2208,9 +2208,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags);

1 month

1
0
0 0

[PATCH] drm/bridge: samsung-dsim: Fix device node reference leak in samsung_dsim_parse_dt

by Miaoqian Lin

The function samsung_dsim_parse_dt() calls of_graph_get_endpoint_by_regs() to get the endpoint device node, but fails to call of_node_put() to release the reference when the function returns. This results in a device node reference leak. Fix this by adding the missing of_node_put() call before returning from the function. Found via static analysis and code review. Fixes: 77169a11d4e9 ("drm/bridge: samsung-dsim: add driver support for exynos7870 DSIM bridge") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/gpu/drm/bridge/samsung-dsim.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/bridge/samsung-dsim.c b/drivers/gpu/drm/bridge/samsung-dsim.c index eabc4c32f6ab..1a5acd5077ad 100644 --- a/drivers/gpu/drm/bridge/samsung-dsim.c +++ b/drivers/gpu/drm/bridge/samsung-dsim.c @@ -2086,6 +2086,7 @@ static int samsung_dsim_parse_dt(struct samsung_dsim *dsi) if (lane_polarities[1]) dsi->swap_dn_dp_data = true; } + of_node_put(endpoint); return 0; } -- 2.39.5 (Apple Git-154)

1 month

2
1
0 0

[PATCH] LoongArch: BPF: Disable bpf trampoline kernel module function trace

by Vincent Li

The current LoongArch BPF trampoline implementation is incompatible with tracing functions in kernel modules. This causes several severe and user-visible problems: * Kernel lockups when a BPF program is attached to a module function [0]. * The `bpf_selftests/module_attach` test fails consistently. * Critical kernel modules like WireGuard experience traffic disruption when their functions are traced with fentry [1]. Given the severity and the potential for other unknown side-effects, it is safest to disable the feature entirely for now. This patch prevents the BPF subsystem from allowing trampoline attachments to module functions on LoongArch. This is a temporary mitigation until the core issues in the trampoline code for module handling can be identified and fixed. [root@fedora bpf]# ./test_progs -a module_attach -v bpf_testmod.ko is already unloaded. Loading bpf_testmod.ko... Successfully loaded bpf_testmod.ko. test_module_attach:PASS:skel_open 0 nsec test_module_attach:PASS:set_attach_target 0 nsec test_module_attach:PASS:set_attach_target_explicit 0 nsec test_module_attach:PASS:skel_load 0 nsec libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP test_module_attach:FAIL:skel_attach skeleton attach failed: -524 Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED Successfully unloaded bpf_testmod.ko. [0]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C… [1]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcF… Cc: stable(a)vger.kernel.org Fixes: f9b6b41f0cf3 (“LoongArch: BPF: Add basic bpf trampoline support”) Closes: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C… Acked-by: Hengqi Chen <hengqi.chen(a)gmail.com> Signed-off-by: Vincent Li <vincent.mc.li(a)gmail.com> --- arch/loongarch/net/bpf_jit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c index cbe53d0b7fb0..49c1d4b95404 100644 --- a/arch/loongarch/net/bpf_jit.c +++ b/arch/loongarch/net/bpf_jit.c @@ -1624,6 +1624,9 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i /* Direct jump skips 5 NOP instructions */ else if (is_bpf_text_address((unsigned long)orig_call)) orig_call += LOONGARCH_BPF_FENTRY_NBYTES; + /* Module tracing not supported - causes kernel lockups */ + else if (is_module_text_address((unsigned long)orig_call)) + return -ENOTSUPP; if (flags & BPF_TRAMP_F_CALL_ORIG) { move_addr(ctx, LOONGARCH_GPR_A0, (const u64)im); -- 2.38.1

1 month

1
1
0 0

[PATCH] LoongArch: BPF: Disable bpf trampoline kernel module function trace

by Vincent Li

The current LoongArch BPF trampoline implementation is incompatible with tracing functions in kernel modules. This causes several severe and user-visible problems: * Kernel lockups when a BPF program is attached to a module function [0]. * The `bpf_selftests/module_attach` test fails consistently. * Critical kernel modules like WireGuard experience traffic disruption when their functions are traced with fentry [1]. Given the severity and the potential for other unknown side-effects, it is safest to disable the feature entirely for now. This patch prevents the BPF subsystem from allowing trampoline attachments to module functions on LoongArch. This is a temporary mitigation until the core issues in the trampoline code for module handling can be identified and fixed. [root@fedora bpf]# ./test_progs -a module_attach -v bpf_testmod.ko is already unloaded. Loading bpf_testmod.ko... Successfully loaded bpf_testmod.ko. test_module_attach:PASS:skel_open 0 nsec test_module_attach:PASS:set_attach_target 0 nsec test_module_attach:PASS:set_attach_target_explicit 0 nsec test_module_attach:PASS:skel_load 0 nsec libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP test_module_attach:FAIL:skel_attach skeleton attach failed: -524 Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED Successfully unloaded bpf_testmod.ko. [0]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C… [1]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcF… Cc: stable(a)vger.kernel.org Fixes: f9b6b41f0cf3 (“LoongArch: BPF: Add basic bpf trampoline support”) Closes: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C… Acked-by: Hengqi Chen <hengqi.chen(a)gmail.com> Signed-off-by: Vincent Li <vincent.mc.li(a)gmail.com> --- arch/loongarch/net/bpf_jit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c index cbe53d0b7fb0..49c1d4b95404 100644 --- a/arch/loongarch/net/bpf_jit.c +++ b/arch/loongarch/net/bpf_jit.c @@ -1624,6 +1624,9 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i /* Direct jump skips 5 NOP instructions */ else if (is_bpf_text_address((unsigned long)orig_call)) orig_call += LOONGARCH_BPF_FENTRY_NBYTES; + /* Module tracing not supported - causes kernel lockups */ + else if (is_module_text_address((unsigned long)orig_call)) + return -ENOTSUPP; if (flags & BPF_TRAMP_F_CALL_ORIG) { move_addr(ctx, LOONGARCH_GPR_A0, (const u64)im); -- 2.38.1

1 month

1
0
0 0

Re: Patch "mptcp: drop bogus optimization in __mptcp_check_push()" has been added to the 5.15-stable tree

by Matthieu Baerts

Hi Greg, Sasha, On 03/11/2025 02:38, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > mptcp: drop bogus optimization in __mptcp_check_push() > > to the 5.15-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch > and it can be found in the queue-5.15 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Can you please drop this patch from v5.15? It looks like it is causing some issues with MP_PRIO tests. I think that's because back then, the path is selected differently, with the use of 'msk->last_snd' which will bypass some decisions to where to send the next data. I will try to check if another version of this patch is needed for v5.15. Cheers, Matt (I kept the patch below just in case some people from the MPTCP ML want to react.) > From stable+bounces-192087-greg=kroah.com(a)vger.kernel.org Mon Nov 3 05:15:58 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sun, 2 Nov 2025 15:15:50 -0500 > Subject: mptcp: drop bogus optimization in __mptcp_check_push() > To: stable(a)vger.kernel.org > Cc: Paolo Abeni <pabeni(a)redhat.com>, Geliang Tang <geliang(a)kernel.org>, Mat Martineau <martineau(a)kernel.org>, "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org>, Jakub Kicinski <kuba(a)kernel.org>, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20251102201550.3588174-1-sashal(a)kernel.org> > > From: Paolo Abeni <pabeni(a)redhat.com> > > [ Upstream commit 27b0e701d3872ba59c5b579a9e8a02ea49ad3d3b ] > > Accessing the transmit queue without owning the msk socket lock is > inherently racy, hence __mptcp_check_push() could actually quit early > even when there is pending data. > > That in turn could cause unexpected tx lock and timeout. > > Dropping the early check avoids the race, implicitly relaying on later > tests under the relevant lock. With such change, all the other > mptcp_send_head() call sites are now under the msk socket lock and we > can additionally drop the now unneeded annotation on the transmit head > pointer accesses. > > Fixes: 6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks") > Cc: stable(a)vger.kernel.org > Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> > Reviewed-by: Geliang Tang <geliang(a)kernel.org> > Tested-by: Geliang Tang <geliang(a)kernel.org> > Reviewed-by: Mat Martineau <martineau(a)kernel.org> > Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> > Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-1-38ffff5a9ec8@… > Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> > [ split upstream __subflow_push_pending modification across __mptcp_push_pending and __mptcp_subflow_push_pending ] > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > net/mptcp/protocol.c | 13 +++++-------- > net/mptcp/protocol.h | 2 +- > 2 files changed, 6 insertions(+), 9 deletions(-) > > --- a/net/mptcp/protocol.c > +++ b/net/mptcp/protocol.c > @@ -1137,7 +1137,7 @@ static void __mptcp_clean_una(struct soc > if (WARN_ON_ONCE(!msk->recovery)) > break; > > - WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); > + msk->first_pending = mptcp_send_next(sk); > } > > dfrag_clear(sk, dfrag); > @@ -1674,7 +1674,7 @@ void __mptcp_push_pending(struct sock *s > > mptcp_update_post_push(msk, dfrag, ret); > } > - WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); > + msk->first_pending = mptcp_send_next(sk); > } > > /* at this point we held the socket lock for the last subflow we used */ > @@ -1732,7 +1732,7 @@ static void __mptcp_subflow_push_pending > > mptcp_update_post_push(msk, dfrag, ret); > } > - WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); > + msk->first_pending = mptcp_send_next(sk); > } > > out: > @@ -1850,7 +1850,7 @@ static int mptcp_sendmsg(struct sock *sk > get_page(dfrag->page); > list_add_tail(&dfrag->list, &msk->rtx_queue); > if (!msk->first_pending) > - WRITE_ONCE(msk->first_pending, dfrag); > + msk->first_pending = dfrag; > } > pr_debug("msk=%p dfrag at seq=%llu len=%u sent=%u new=%d\n", msk, > dfrag->data_seq, dfrag->data_len, dfrag->already_sent, > @@ -2645,7 +2645,7 @@ static void __mptcp_clear_xmit(struct so > struct mptcp_sock *msk = mptcp_sk(sk); > struct mptcp_data_frag *dtmp, *dfrag; > > - WRITE_ONCE(msk->first_pending, NULL); > + msk->first_pending = NULL; > list_for_each_entry_safe(dfrag, dtmp, &msk->rtx_queue, list) > dfrag_clear(sk, dfrag); > } > @@ -3114,9 +3114,6 @@ void __mptcp_data_acked(struct sock *sk) > > void __mptcp_check_push(struct sock *sk, struct sock *ssk) > { > - if (!mptcp_send_head(sk)) > - return; > - > if (!sock_owned_by_user(sk)) { > struct sock *xmit_ssk = mptcp_subflow_get_send(mptcp_sk(sk)); > > --- a/net/mptcp/protocol.h > +++ b/net/mptcp/protocol.h > @@ -325,7 +325,7 @@ static inline struct mptcp_data_frag *mp > { > const struct mptcp_sock *msk = mptcp_sk(sk); > > - return READ_ONCE(msk->first_pending); > + return msk->first_pending; > } > > static inline struct mptcp_data_frag *mptcp_send_next(struct sock *sk) Cheers, Matt -- Sponsored by the NGI0 Core fund.

1 month

2
1
0 0

[PATCH] iommu/amd: Fix pci_segment memleak in alloc_pci_segment()

by Jinhui Guo

Fix a memory leak of struct amd_iommu_pci_segment in alloc_pci_segment() when system memory (or contiguous memory) is insufficient. Fixes: 04230c119930 ("iommu/amd: Introduce per PCI segment device table") Fixes: eda797a27795 ("iommu/amd: Introduce per PCI segment rlookup table") Fixes: 99fc4ac3d297 ("iommu/amd: Introduce per PCI segment alias_table") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> --- drivers/iommu/amd/init.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index ba9e582a8bbe..77afd5884984 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -1608,13 +1608,22 @@ static struct amd_iommu_pci_seg *__init alloc_pci_segment(u16 id, list_add_tail(&pci_seg->list, &amd_iommu_pci_seg_list); if (alloc_dev_table(pci_seg)) - return NULL; + goto err_free_pci_seg; if (alloc_alias_table(pci_seg)) - return NULL; + goto err_free_dev_table; if (alloc_rlookup_table(pci_seg)) - return NULL; + goto err_free_alias_table; return pci_seg; + +err_free_alias_table: + free_alias_table(pci_seg); +err_free_dev_table: + free_dev_table(pci_seg); +err_free_pci_seg: + list_del(&pci_seg->list); + kfree(pci_seg); + return NULL; } static struct amd_iommu_pci_seg *__init get_pci_segment(u16 id, -- 2.20.1

1 month

2
2
0 0

[PATCH] tty: serial: sh-sci: fix RSCI FIFO overrun handling

by Cosmin Tanislav

The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function. For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS. Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes. The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array. Avoid calling sci_getreg() for port types which don't use standard register handling. Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register. sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt. ------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace: sci_serial_in+0x38/0xac (P) sci_handle_fifo_overrun.isra.0+0x70/0x134 sci_er_interrupt+0x50/0x39c __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x44/0xb0 handle_fasteoi_irq+0xf4/0x1a0 handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x140 call_on_irq_stack+0x30/0x48 do_interrupt_handler+0x80/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 default_idle_call+0x28/0x58 (P) do_idle+0x1f8/0x250 cpu_startup_entry+0x34/0x3c rest_init+0xd8/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]--- Cc: stable(a)vger.kernel.org Fixes: 0666e3fe95ab ("serial: sh-sci: Add support for RZ/T2H SCI") Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa(a)renesas.com> --- drivers/tty/serial/sh-sci.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index 538b2f991609..62bb62b82cbe 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -1014,16 +1014,18 @@ static int sci_handle_fifo_overrun(struct uart_port *port) struct sci_port *s = to_sci_port(port); const struct plat_sci_reg *reg; int copied = 0; - u16 status; + u32 status; - reg = sci_getreg(port, s->params->overrun_reg); - if (!reg->size) - return 0; + if (s->type != SCI_PORT_RSCI) { + reg = sci_getreg(port, s->params->overrun_reg); + if (!reg->size) + return 0; + } - status = sci_serial_in(port, s->params->overrun_reg); + status = s->ops->read_reg(port, s->params->overrun_reg); if (status & s->params->overrun_mask) { status &= ~s->params->overrun_mask; - sci_serial_out(port, s->params->overrun_reg, status); + s->ops->write_reg(port, s->params->overrun_reg, status); port->icount.overrun++; -- 2.51.0

1 month

3
4
0 0

[PATCH v5] block: Remove queue freezing from several sysfs store callbacks

by Bart Van Assche

Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. This patch may cause a small delay in applying the new settings. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: Nilay Shroff <nilay(a)linux.ibm.com> Cc: Martin Wilck <mwilck(a)suse.com> Cc: Benjamin Marzinski <bmarzins(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: af2814149883 ("block: freeze the queue in queue_attr_store") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- Changes compared to v4: - Use WRITE_ONCE() to update bdi->ra_pages. - Move a data_race() annotation from queue_io_timeout_store() into blk_queue_rq_timeout(). Changes compared to v3: - Added two data_race() annotations. Changes compared to v2: - Dropped the controversial patch "block: Restrict the duration of sysfs attribute changes". Changes compared to v1: - Added patch "block: Restrict the duration of sysfs attribute changes". - Remove queue freezing from more sysfs callbacks. block/blk-settings.c | 9 ++++++++- block/blk-sysfs.c | 30 ++++++++++++------------------ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/block/blk-settings.c b/block/blk-settings.c index 78dfef117623..b5587cc535e5 100644 --- a/block/blk-settings.c +++ b/block/blk-settings.c @@ -23,7 +23,14 @@ void blk_queue_rq_timeout(struct request_queue *q, unsigned int timeout) { - WRITE_ONCE(q->rq_timeout, timeout); + /* + * Use WRITE_ONCE() to write q->rq_timeout once. Use data_race() to + * suppress KCSAN race reports against the write below. + */ + data_race(({ + WRITE_ONCE(q->rq_timeout, timeout); + 0; + })); } EXPORT_SYMBOL_GPL(blk_queue_rq_timeout); diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index 76c47fe9b8d6..99e78d907c1c 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -143,21 +143,26 @@ queue_ra_store(struct gendisk *disk, const char *page, size_t count) { unsigned long ra_kb; ssize_t ret; - unsigned int memflags; struct request_queue *q = disk->queue; ret = queue_var_store(&ra_kb, page, count); if (ret < 0) return ret; /* - * ->ra_pages is protected by ->limits_lock because it is usually - * calculated from the queue limits by queue_limits_commit_update. + * The ->ra_pages change below is protected by ->limits_lock because it + * is usually calculated from the queue limits by + * queue_limits_commit_update(). + * + * bdi->ra_pages reads are not serialized against bdi->ra_pages writes. + * Use WRITE_ONCE() to write bdi->ra_pages once. Use data_race() to + * suppress KCSAN race reports against the write below. */ mutex_lock(&q->limits_lock); - memflags = blk_mq_freeze_queue(q); - disk->bdi->ra_pages = ra_kb >> (PAGE_SHIFT - 10); + data_race(({ + WRITE_ONCE(disk->bdi->ra_pages, ra_kb >> (PAGE_SHIFT - 10)); + 0; + })); mutex_unlock(&q->limits_lock); - blk_mq_unfreeze_queue(q, memflags); return ret; } @@ -375,21 +380,18 @@ static ssize_t queue_nomerges_store(struct gendisk *disk, const char *page, size_t count) { unsigned long nm; - unsigned int memflags; struct request_queue *q = disk->queue; ssize_t ret = queue_var_store(&nm, page, count); if (ret < 0) return ret; - memflags = blk_mq_freeze_queue(q); blk_queue_flag_clear(QUEUE_FLAG_NOMERGES, q); blk_queue_flag_clear(QUEUE_FLAG_NOXMERGES, q); if (nm == 2) blk_queue_flag_set(QUEUE_FLAG_NOMERGES, q); else if (nm) blk_queue_flag_set(QUEUE_FLAG_NOXMERGES, q); - blk_mq_unfreeze_queue(q, memflags); return ret; } @@ -409,7 +411,6 @@ queue_rq_affinity_store(struct gendisk *disk, const char *page, size_t count) #ifdef CONFIG_SMP struct request_queue *q = disk->queue; unsigned long val; - unsigned int memflags; ret = queue_var_store(&val, page, count); if (ret < 0) @@ -421,7 +422,6 @@ queue_rq_affinity_store(struct gendisk *disk, const char *page, size_t count) * are accessed individually using atomic test_bit operation. So we * don't grab any lock while updating these flags. */ - memflags = blk_mq_freeze_queue(q); if (val == 2) { blk_queue_flag_set(QUEUE_FLAG_SAME_COMP, q); blk_queue_flag_set(QUEUE_FLAG_SAME_FORCE, q); @@ -432,7 +432,6 @@ queue_rq_affinity_store(struct gendisk *disk, const char *page, size_t count) blk_queue_flag_clear(QUEUE_FLAG_SAME_COMP, q); blk_queue_flag_clear(QUEUE_FLAG_SAME_FORCE, q); } - blk_mq_unfreeze_queue(q, memflags); #endif return ret; } @@ -446,11 +445,9 @@ static ssize_t queue_poll_delay_store(struct gendisk *disk, const char *page, static ssize_t queue_poll_store(struct gendisk *disk, const char *page, size_t count) { - unsigned int memflags; ssize_t ret = count; struct request_queue *q = disk->queue; - memflags = blk_mq_freeze_queue(q); if (!(q->limits.features & BLK_FEAT_POLL)) { ret = -EINVAL; goto out; @@ -459,7 +456,6 @@ static ssize_t queue_poll_store(struct gendisk *disk, const char *page, pr_info_ratelimited("writes to the poll attribute are ignored.\n"); pr_info_ratelimited("please use driver specific parameters instead.\n"); out: - blk_mq_unfreeze_queue(q, memflags); return ret; } @@ -472,7 +468,7 @@ static ssize_t queue_io_timeout_show(struct gendisk *disk, char *page) static ssize_t queue_io_timeout_store(struct gendisk *disk, const char *page, size_t count) { - unsigned int val, memflags; + unsigned int val; int err; struct request_queue *q = disk->queue; @@ -480,9 +476,7 @@ static ssize_t queue_io_timeout_store(struct gendisk *disk, const char *page, if (err || val == 0) return -EINVAL; - memflags = blk_mq_freeze_queue(q); blk_queue_rq_timeout(q, msecs_to_jiffies(val)); - blk_mq_unfreeze_queue(q, memflags); return count; }

1 month

3
4
0 0

[PATCH v2] ASoC: Intel: avs: Fix potential buffer overflow by snprintf()

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in a buffer overflow (although it's unrealistic). This patch replaces it with a safer version, scnprintf() for papering over such a potential issue. Link: https://github.com/KSPP/linux/issues/105 'Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")' Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- Thank you for the feedback and the suggestions. Corrected the indentation & commit message. V1: https://lore.kernel.org/all/20251112120235.54328-2-hariconscious@gmail.com/ sound/soc/intel/avs/debugfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sound/soc/intel/avs/debugfs.c b/sound/soc/intel/avs/debugfs.c index 3534de46f9e4..cdb82392b9ee 100644 --- a/sound/soc/intel/avs/debugfs.c +++ b/sound/soc/intel/avs/debugfs.c @@ -119,9 +119,9 @@ static ssize_t probe_points_read(struct file *file, char __user *to, size_t coun } for (i = 0; i < num_desc; i++) { - ret = snprintf(buf + len, PAGE_SIZE - len, - "Id: %#010x Purpose: %d Node id: %#x\n", - desc[i].id.value, desc[i].purpose, desc[i].node_id.val); + ret = scnprintf(buf + len, PAGE_SIZE - len, + "Id: %#010x Purpose: %d Node id: %#x\n", + desc[i].id.value, desc[i].purpose, desc[i].node_id.val); if (ret < 0) goto free_desc; len += ret; base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 -- 2.43.0

1 month

6
6
0 0

Re:Good day,

by Harry Schofield ESQ

Re:Good day, Hope you are well, my first email returned undelivered, please can I provide you with more information through this email?. Best regards, Harry Schofield

1 month

1
0
0 0

[PATCH v2] leds: leds-lp50xx: enable chip before any communication

by Christian Hitz

From: Christian Hitz <christian.hitz(a)bbv.ch> If a GPIO is used to control the chip's enable pin, it needs to be pulled high before any i2c communication is attempted. Currently, the enable GPIO handling is not correct. Assume the enable GPIO is low when the probe function is entered. In this case the device is in SHUTDOWN mode and does not react to i2c commands. During probe the following sequence happens: 1. The call to lp50xx_reset() on line 548 has no effect as i2c is not possible yet. 2. Then - on line 552 - lp50xx_enable_disable() is called. As "priv->enable_gpio“ has not yet been initialized, setting the GPIO has no effect. Also the i2c enable command is not executed as the device is still in SHUTDOWN. 3. On line 556 the call to lp50xx_probe_dt() finally parses the rest of the DT and the configured priv->enable_gpio is set up. As a result the device is still in SHUTDOWN mode and not ready for operation. Split lp50xx_enable_disable() into distinct enable and disable functions to enforce correct ordering between enable_gpio manipulations and i2c commands. Read enable_gpio configuration from DT before attempting to manipulate enable_gpio. Add delays to observe correct wait timing after manipulating enable_gpio and before any i2c communication. Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver") Cc: stable(a)vger.kernel.org Signed-off-by: Christian Hitz <christian.hitz(a)bbv.ch> --- Changes in v2: - Unconditionally reset in lp50xx_enable - Define magic numbers - Improve log message --- drivers/leds/leds-lp50xx.c | 55 +++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c index 94f8ef6b482c..d3485d814cf4 100644 --- a/drivers/leds/leds-lp50xx.c +++ b/drivers/leds/leds-lp50xx.c @@ -50,6 +50,12 @@ #define LP50XX_SW_RESET 0xff #define LP50XX_CHIP_EN BIT(6) +#define LP50XX_CHIP_DISABLE 0x00 +#define LP50XX_START_TIME_US 500 +#define LP50XX_RESET_TIME_US 3 + +#define LP50XX_EN_GPIO_LOW 0 +#define LP50XX_EN_GPIO_HIGH 1 /* There are 3 LED outputs per bank */ #define LP50XX_LEDS_PER_MODULE 3 @@ -371,19 +377,42 @@ static int lp50xx_reset(struct lp50xx *priv) return regmap_write(priv->regmap, priv->chip_info->reset_reg, LP50XX_SW_RESET); } -static int lp50xx_enable_disable(struct lp50xx *priv, int enable_disable) +static int lp50xx_enable(struct lp50xx *priv) { int ret; - ret = gpiod_direction_output(priv->enable_gpio, enable_disable); + if (priv->enable_gpio) { + ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_HIGH); + if (ret) + return ret; + + udelay(LP50XX_START_TIME_US); + } + + ret = lp50xx_reset(priv); if (ret) return ret; - if (enable_disable) - return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN); - else - return regmap_write(priv->regmap, LP50XX_DEV_CFG0, 0); + return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN); +} +static int lp50xx_disable(struct lp50xx *priv) +{ + int ret; + + ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE); + if (ret) + return ret; + + if (priv->enable_gpio) { + ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW); + if (ret) + return ret; + + udelay(LP50XX_RESET_TIME_US); + } + + return 0; } static int lp50xx_probe_leds(struct fwnode_handle *child, struct lp50xx *priv, @@ -447,6 +476,10 @@ static int lp50xx_probe_dt(struct lp50xx *priv) return dev_err_probe(priv->dev, PTR_ERR(priv->enable_gpio), "Failed to get enable GPIO\n"); + ret = lp50xx_enable(priv); + if (ret) + return ret; + priv->regulator = devm_regulator_get(priv->dev, "vled"); if (IS_ERR(priv->regulator)) priv->regulator = NULL; @@ -547,14 +580,6 @@ static int lp50xx_probe(struct i2c_client *client) return ret; } - ret = lp50xx_reset(led); - if (ret) - return ret; - - ret = lp50xx_enable_disable(led, 1); - if (ret) - return ret; - return lp50xx_probe_dt(led); } @@ -563,7 +588,7 @@ static void lp50xx_remove(struct i2c_client *client) struct lp50xx *led = i2c_get_clientdata(client); int ret; - ret = lp50xx_enable_disable(led, 0); + ret = lp50xx_disable(led); if (ret) dev_err(led->dev, "Failed to disable chip\n"); -- 2.51.1

1 month

2
1
0 0

[PATCH] arm64: dts: qcom: lemans-evk: Enable Bluetooth support

by Wei Deng

There's a WCN6855 WiFi/Bluetooth module on an M.2 card. To make Bluetooth work, we need to define the necessary device tree nodes, including UART configuration and power supplies. Since there is no standard M.2 binding in the device tree at present, the PMU is described using dedicated PMU nodes to represent the internal regulators required by the module. The 3.3V supply for the module is assumed to come directly from the main board supply, which is 12V. To model this in the device tree, we add a fixed 12V regulator node as the DC-IN source and connect it to the 3.3V regulator node. Signed-off-by: Wei Deng <wei.deng(a)oss.qualcomm.com> --- arch/arm64/boot/dts/qcom/lemans-evk.dts | 115 ++++++++++++++++++++++++ 1 file changed, 115 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/lemans-evk.dts b/arch/arm64/boot/dts/qcom/lemans-evk.dts index b40fa203e4a2..c87291e3c6ac 100644 --- a/arch/arm64/boot/dts/qcom/lemans-evk.dts +++ b/arch/arm64/boot/dts/qcom/lemans-evk.dts @@ -21,6 +21,7 @@ aliases { ethernet0 = &ethernet0; mmc1 = &sdhc; serial0 = &uart10; + serial1 = &uart17; }; dmic: audio-codec-0 { @@ -110,6 +111,17 @@ vmmc_sdc: regulator-vmmc-sdc { regulator-max-microvolt = <2950000>; }; + vreg_dcin_12v: regulator-dcin-12v { + compatible = "regulator-fixed"; + + regulator-name = "VREG_DCIN_12V"; + regulator-min-microvolt = <12000000>; + regulator-max-microvolt = <12000000>; + + regulator-boot-on; + regulator-always-on; + }; + vreg_sdc: regulator-vreg-sdc { compatible = "regulator-gpio"; @@ -123,6 +135,75 @@ vreg_sdc: regulator-vreg-sdc { startup-delay-us = <100>; }; + + vreg_wcn_3p3: regulator-wcn-3p3 { + compatible = "regulator-fixed"; + + regulator-name = "VREG_WCN_3P3"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; + + vin-supply = <&vreg_dcin_12v>; + + regulator-boot-on; + }; + + wcn6855-pmu { + compatible = "qcom,wcn6855-pmu"; + + vddio-supply = <&vreg_wcn_3p3>; + vddaon-supply = <&vreg_wcn_3p3>; + vddpmu-supply = <&vreg_wcn_3p3>; + vddpmumx-supply = <&vreg_wcn_3p3>; + vddpmucx-supply = <&vreg_wcn_3p3>; + vddrfa0p95-supply = <&vreg_wcn_3p3>; + vddrfa1p3-supply = <&vreg_wcn_3p3>; + vddrfa1p9-supply = <&vreg_wcn_3p3>; + vddpcielp3-supply = <&vreg_wcn_3p3>; + vddpcielp9-supply = <&vreg_wcn_3p3>; + + regulators { + vreg_pmu_rfa_cmn: ldo0 { + regulator-name = "vreg_pmu_rfa_cmn"; + }; + + vreg_pmu_aon_0p59: ldo1 { + regulator-name = "vreg_pmu_aon_0p59"; + }; + + vreg_pmu_wlcx_0p8: ldo2 { + regulator-name = "vreg_pmu_wlcx_0p8"; + }; + + vreg_pmu_wlmx_0p85: ldo3 { + regulator-name = "vreg_pmu_wlmx_0p85"; + }; + + vreg_pmu_btcmx_0p85: ldo4 { + regulator-name = "vreg_pmu_btcmx_0p85"; + }; + + vreg_pmu_rfa_0p8: ldo5 { + regulator-name = "vreg_pmu_rfa_0p8"; + }; + + vreg_pmu_rfa_1p2: ldo6 { + regulator-name = "vreg_pmu_rfa_1p2"; + }; + + vreg_pmu_rfa_1p8: ldo7 { + regulator-name = "vreg_pmu_rfa_1p8"; + }; + + vreg_pmu_pcie_0p9: ldo8 { + regulator-name = "vreg_pmu_pcie_0p9"; + }; + + vreg_pmu_pcie_1p8: ldo9 { + regulator-name = "vreg_pmu_pcie_1p8"; + }; + }; + }; }; &apps_rsc { @@ -627,6 +708,22 @@ &qupv3_id_2 { status = "okay"; }; +&qup_uart17_cts { + bias-disable; +}; + +&qup_uart17_rts { + bias-pull-down; +}; + +&qup_uart17_tx { + bias-pull-up; +}; + +&qup_uart17_rx { + bias-pull-down; +}; + &remoteproc_adsp { firmware-name = "qcom/sa8775p/adsp.mbn"; @@ -761,6 +858,24 @@ &uart10 { status = "okay"; }; +&uart17 { + status = "okay"; + + bluetooth: bluetooth { + compatible = "qcom,wcn6855-bt"; + max-speed = <3200000>; + + vddrfacmn-supply = <&vreg_pmu_rfa_cmn>; + vddaon-supply = <&vreg_pmu_aon_0p59>; + vddwlcx-supply = <&vreg_pmu_wlcx_0p8>; + vddwlmx-supply = <&vreg_pmu_wlmx_0p85>; + vddbtcmx-supply = <&vreg_pmu_btcmx_0p85>; + vddrfa0p8-supply = <&vreg_pmu_rfa_0p8>; + vddrfa1p2-supply = <&vreg_pmu_rfa_1p2>; + vddrfa1p8-supply = <&vreg_pmu_rfa_1p8>; + }; +}; + &ufs_mem_hc { reset-gpios = <&tlmm 149 GPIO_ACTIVE_LOW>; vcc-supply = <&vreg_l8a>; -- 2.25.1

1 month

5
8
0 0

[PATCH printk v1 0/1] Fix reported suspend failures

by John Ogness

Hi, There have been multiple reports [0][1] (+ 2 offlist) of suspend failing when NBCON console drivers are in use. With the help of NXP and NVIDIA we were able to isolate the problem and verify the fix. The first NBCON drivers appeared in 6.13, so currently there is no LTS kernel that requires this series. But it should go into 6.17.x and 6.18. John Ogness [0] https://lore.kernel.org/lkml/80b020fc-c18a-4da4-b222-16da1cab2f4c@nvidia.com [1] https://lore.kernel.org/lkml/DB9PR04MB8429E7DDF2D93C2695DE401D92C4A@DB9PR04… John Ogness (1): printk: Avoid scheduling irq_work on suspend kernel/printk/internal.h | 8 ++++--- kernel/printk/printk.c | 51 ++++++++++++++++++++++++++++------------ 2 files changed, 41 insertions(+), 18 deletions(-) base-commit: e9a6fb0bcdd7609be6969112f3fbfcce3b1d4a7c -- 2.47.3

1 month

3
7
0 0

[PATCH v2 0/4] Rust: Fix typedefs for resource_size_t and phys_addr_t

by Alice Ryhl

This changes ResourceSize to use the resource_size_t typedef (currently ResourceSize is defined as phys_addr_t), and moves ResourceSize to kernel::io and defines PhysAddr next to it. Any usage of ResourceSize or bindings::phys_addr_t that references a physical address is updated to use the new PhysAddr typedef. I included some cc stable annotations because I think it is useful to backport this to v6.18. This is to make backporting drivers to the 6.18 LTS easier as we will not have to worry about changing imports when backporting. Signed-off-by: Alice Ryhl <aliceryhl(a)google.com> --- Changes in v2: - Fix build error in last patch. - Add cc stable. - Link to v1: https://lore.kernel.org/r/20251106-resource-phys-typedefs-v1-0-0c0edc7301ce… --- Alice Ryhl (4): rust: io: define ResourceSize as resource_size_t rust: io: move ResourceSize to top-level io module rust: scatterlist: import ResourceSize from kernel::io rust: io: add typedef for phys_addr_t rust/kernel/devres.rs | 18 +++++++++++++++--- rust/kernel/io.rs | 26 +++++++++++++++++++++++--- rust/kernel/io/resource.rs | 13 ++++++------- rust/kernel/scatterlist.rs | 2 +- 4 files changed, 45 insertions(+), 14 deletions(-) --- base-commit: 211ddde0823f1442e4ad052a2f30f050145ccada change-id: 20251106-resource-phys-typedefs-6db37927d159 Best regards, -- Alice Ryhl <aliceryhl(a)google.com>

1 month

3
10
0 0

[PATCH v2 1/1] Bluetooth: btqca: Add WCN6855 firmware priority selection feature

by Shuai Zhang

The prefix "wcn" corresponds to the WCN685x chip, while entries without the "wcn" prefix correspond to the QCA2066 chip. There are some feature differences between the two. However, due to historical reasons, WCN685x chip has been using firmware without the "wcn" prefix. The mapping between the chip and its corresponding firmware has now been corrected. Cc: stable(a)vger.kernel.org Fixes: 30209aeff75f ("Bluetooth: qca: Expand firmware-name to load specific rampatch") Signed-off-by: Shuai Zhang <shuai.zhang(a)oss.qualcomm.com> --- drivers/bluetooth/btqca.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index 7c958d606..8e0004ef7 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -847,8 +847,12 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, "qca/msbtfw%02x.mbn", rom_ver); break; case QCA_WCN6855: + /* Due to historical reasons, WCN685x chip has been using firmware + * without the "wcn" prefix. The mapping between the chip and its + * corresponding firmware has now been corrected. + */ snprintf(config.fwname, sizeof(config.fwname), - "qca/hpbtfw%02x.tlv", rom_ver); + "qca/wcnhpbtfw%02x.tlv", rom_ver); break; case QCA_WCN7850: snprintf(config.fwname, sizeof(config.fwname), @@ -861,6 +865,13 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, } err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + + if (!rampatch_name && err < 0 && soc_type == QCA_WCN6855) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpbtfw%02x.tlv", rom_ver); + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + } + if (err < 0) { bt_dev_err(hdev, "QCA Failed to download patch (%d)", err); return err; @@ -923,7 +934,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, case QCA_WCN6855: qca_read_fw_board_id(hdev, &boardid); qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), - "hpnv", soc_type, ver, rom_ver, boardid); + "wcnhpnv", soc_type, ver, rom_ver, boardid); break; case QCA_WCN7850: qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), @@ -936,6 +947,13 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, } err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + + if (!firmware_name && err < 0 && soc_type == QCA_WCN6855) { + qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), + "hpnv", soc_type, ver, rom_ver, boardid); + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + } + if (err < 0) { bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err); return err; -- 2.34.1

1 month

1
0
0 0

[PATCH v2 1/1] Bluetooth: btqca: Add WCN6855 firmware priority selection feature

by Shuai Zhang

The prefix "wcn" corresponds to the WCN685x chip, while entries without the "wcn" prefix correspond to the QCA2066 chip. There are some feature differences between the two. However, due to historical reasons, WCN685x chip has been using firmware without the "wcn" prefix. The mapping between the chip and its corresponding firmware has now been corrected. Cc: stable(a)vger.kernel.org Fixes: 30209aeff75f ("Bluetooth: qca: Expand firmware-name to load specific rampatch") Signed-off-by: Shuai Zhang <shuai.zhang(a)oss.qualcomm.com> --- drivers/bluetooth/btqca.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index 7c958d606..8e0004ef7 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -847,8 +847,12 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, "qca/msbtfw%02x.mbn", rom_ver); break; case QCA_WCN6855: + /* Due to historical reasons, WCN685x chip has been using firmware + * without the "wcn" prefix. The mapping between the chip and its + * corresponding firmware has now been corrected. + */ snprintf(config.fwname, sizeof(config.fwname), - "qca/hpbtfw%02x.tlv", rom_ver); + "qca/wcnhpbtfw%02x.tlv", rom_ver); break; case QCA_WCN7850: snprintf(config.fwname, sizeof(config.fwname), @@ -861,6 +865,13 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, } err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + + if (!rampatch_name && err < 0 && soc_type == QCA_WCN6855) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpbtfw%02x.tlv", rom_ver); + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + } + if (err < 0) { bt_dev_err(hdev, "QCA Failed to download patch (%d)", err); return err; @@ -923,7 +934,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, case QCA_WCN6855: qca_read_fw_board_id(hdev, &boardid); qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), - "hpnv", soc_type, ver, rom_ver, boardid); + "wcnhpnv", soc_type, ver, rom_ver, boardid); break; case QCA_WCN7850: qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), @@ -936,6 +947,13 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, } err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + + if (!firmware_name && err < 0 && soc_type == QCA_WCN6855) { + qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), + "hpnv", soc_type, ver, rom_ver, boardid); + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + } + if (err < 0) { bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err); return err; -- 2.34.1

1 month

1
0
0 0

[PATCH v2 1/1] Bluetooth: btqca: Add WCN6855 firmware priority selection feature

by Shuai Zhang

The prefix "wcn" corresponds to the WCN685x chip, while entries without the "wcn" prefix correspond to the QCA2066 chip. There are some feature differences between the two. However, due to historical reasons, WCN685x chip has been using firmware without the "wcn" prefix. The mapping between the chip and its corresponding firmware has now been corrected. Cc: stable(a)vger.kernel.org Fixes: 30209aeff75f ("Bluetooth: qca: Expand firmware-name to load specific rampatch") Signed-off-by: Shuai Zhang <shuai.zhang(a)oss.qualcomm.com> --- drivers/bluetooth/btqca.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index 7c958d606..8e0004ef7 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -847,8 +847,12 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, "qca/msbtfw%02x.mbn", rom_ver); break; case QCA_WCN6855: + /* Due to historical reasons, WCN685x chip has been using firmware + * without the "wcn" prefix. The mapping between the chip and its + * corresponding firmware has now been corrected. + */ snprintf(config.fwname, sizeof(config.fwname), - "qca/hpbtfw%02x.tlv", rom_ver); + "qca/wcnhpbtfw%02x.tlv", rom_ver); break; case QCA_WCN7850: snprintf(config.fwname, sizeof(config.fwname), @@ -861,6 +865,13 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, } err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + + if (!rampatch_name && err < 0 && soc_type == QCA_WCN6855) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpbtfw%02x.tlv", rom_ver); + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + } + if (err < 0) { bt_dev_err(hdev, "QCA Failed to download patch (%d)", err); return err; @@ -923,7 +934,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, case QCA_WCN6855: qca_read_fw_board_id(hdev, &boardid); qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), - "hpnv", soc_type, ver, rom_ver, boardid); + "wcnhpnv", soc_type, ver, rom_ver, boardid); break; case QCA_WCN7850: qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), @@ -936,6 +947,13 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, } err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + + if (!firmware_name && err < 0 && soc_type == QCA_WCN6855) { + qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname), + "hpnv", soc_type, ver, rom_ver, boardid); + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + } + if (err < 0) { bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err); return err; -- 2.34.1

1 month

1
0
0 0

[PATCH 1/3] drm/plane: Fix create_in_format_blob() return value

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> create_in_format_blob() is either supposed to return a valid pointer or an error, but never NULL. The caller will dereference the blob when it is not an error, and thus will oops if NULL returned. Return proper error values in the failure cases. Cc: stable(a)vger.kernel.org Cc: Arun R Murthy <arun.r.murthy(a)intel.com> Fixes: 0d6dcd741c26 ("drm/plane: modify create_in_formats to acommodate async") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/drm_plane.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c index 38f82391bfda..a30493ed9715 100644 --- a/drivers/gpu/drm/drm_plane.c +++ b/drivers/gpu/drm/drm_plane.c @@ -210,7 +210,7 @@ static struct drm_property_blob *create_in_format_blob(struct drm_device *dev, formats_size = sizeof(__u32) * plane->format_count; if (WARN_ON(!formats_size)) { /* 0 formats are never expected */ - return 0; + return ERR_PTR(-EINVAL); } modifiers_size = @@ -226,7 +226,7 @@ static struct drm_property_blob *create_in_format_blob(struct drm_device *dev, blob = drm_property_create_blob(dev, blob_size, NULL); if (IS_ERR(blob)) - return NULL; + return blob; blob_data = blob->data; blob_data->version = FORMAT_BLOB_CURRENT; -- 2.49.1

1 month

2
1
0 0

[PATCH] ksmbd: vfs_cache: avoid integer overflow in inode_hash()

by Qianchang Zhao

inode_hash() currently mixes a name-derived hash with the super_block pointer using an unbounded multiplication: tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) / L1_CACHE_BYTES; On 64-bit kernels this multiplication can overflow for many inputs. With attacker-chosen filenames (authenticated client), overflowed products collapse into a small set of buckets, saturating a few chains and degrading lookups from O(1) to O(n). This produces second-scale latency spikes and high CPU usage in ksmbd workers (algorithmic DoS). Replace the pointer*hash multiply with hash_long() over a mixed value (hashval ^ (unsigned long)sb) and keep the existing shift/mask. This removes the overflow source and improves bucket distribution under adversarial inputs without changing external behavior. This is an algorithmic-complexity issue (CWE-190/CWE-407), not a memory-safety bug. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/vfs_cache.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c index dfed6fce8..ac18edf56 100644 --- a/fs/smb/server/vfs_cache.c +++ b/fs/smb/server/vfs_cache.c @@ -10,6 +10,7 @@ #include <linux/vmalloc.h> #include <linux/kthread.h> #include <linux/freezer.h> +#include <linux/hash.h> #include "glob.h" #include "vfs_cache.h" @@ -65,12 +66,8 @@ static void fd_limit_close(void) static unsigned long inode_hash(struct super_block *sb, unsigned long hashval) { - unsigned long tmp; - - tmp = (hashval * (unsigned long)sb) ^ (GOLDEN_RATIO_PRIME + hashval) / - L1_CACHE_BYTES; - tmp = tmp ^ ((tmp ^ GOLDEN_RATIO_PRIME) >> inode_hash_shift); - return tmp & inode_hash_mask; + return hash_long(hashval ^ (unsigned long)sb, inode_hash_shift) & + inode_hash_mask; } static struct ksmbd_inode *__ksmbd_inode_lookup(struct dentry *de) -- 2.34.1

1 month

1
0
0 0

[PATCH] scsi: target: tcm_loop: fix segfault in tcm_loop_tpg_address_show()

by Hamza Mahfooz

If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop] ... Call Trace: <TASK> configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0 ... Cc: stable(a)vger.kernel.org Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs") Signed-off-by: Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> --- drivers/target/loopback/tcm_loop.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c index c7b7da629741..01a8e349dc4d 100644 --- a/drivers/target/loopback/tcm_loop.c +++ b/drivers/target/loopback/tcm_loop.c @@ -894,6 +894,9 @@ static ssize_t tcm_loop_tpg_address_show(struct config_item *item, struct tcm_loop_tpg, tl_se_tpg); struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba; + if (!tl_hba->sh) + return -ENODEV; + return snprintf(page, PAGE_SIZE, "%d:0:%d\n", tl_hba->sh->host_no, tl_tpg->tl_tpgt); } -- 2.49.0

1 month

4
3
0 0

, capacitación sin seguimiento no es desarrollo

by Mariann Rivas

Mejora el clima organizacional body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Invierte en capacitación que realmente desarrolla a tu equipo con Vorecol Learning. Hola, , Invertir en capacitación no siempre significa que tu equipo esté creciendo. Sin un buen seguimiento, los cursos pueden no tener el efecto esperado. Vorecol Learning es una plataforma que te ayuda a gestionar el aprendizaje de tu equipo de forma sencilla y efectiva. Con Vorecol Learning puedes: Capacitar a tu personal, desde uno hasta cinco mil colaboradores, con cursos hechos a la medida de las necesidades de tu empresa. Ver cómo avanza cada persona y entregar certificados al terminar los cursos, asegurando que aprendieron de verdad. Permitir que tus colaboradores estudien cuando quieran y desde cualquier dispositivo, con evaluaciones que confirman lo aprendido. Esta plataforma está diseñada para que la capacitación sea una herramienta real para el desarrollo de tu equipo, no solo una lista de tareas por cumplir. Aprovecha el Buen Fin del 1 al 22 de noviembre con hasta 15% de descuento y potencia el aprendizaje en tu empresa con Vorecol Learning. Responde a este correo o contáctame; mis datos están abajo. Saludos, -------------- Atte.: Mariann Rivas Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqwtseup">click aquí</a>

1 month

1
0
0 0

+ mm-memfd-fix-information-leak-in-hugetlb-folios.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/memfd: fix information leak in hugetlb folios has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memfd-fix-information-leak-in-hugetlb-folios.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: mm/memfd: fix information leak in hugetlb folios Date: Wed, 12 Nov 2025 20:20:34 +0530 When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2. Folios are not marked uptodate before adding to page cache 3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache() The memfd allocation path bypasses the normal page fault handler (hugetlb_no_page) which would handle all of these initialization steps. This is problematic especially for udmabuf use cases where folios are pinned and directly accessed by userspace via DMA. Fix by matching the initialization pattern used in hugetlb_no_page(): - Zero the folio using folio_zero_user() which is optimized for huge pages - Mark it uptodate with folio_mark_uptodate() - Take hugetlb_fault_mutex before adding to page cache to prevent races The folio_zero_user() change also fixes a potential security issue where uninitialized kernel memory could be disclosed to userspace through read() or mmap() operations on the memfd. Link: https://lkml.kernel.org/r/20251112145034.2320452-1-kartikey406@gmail.com Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+f64019ba229e3a5c411b(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20251112031631.2315651-1-kartikey406@gmail.com/ [v1] Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b Suggested-by: Oscar Salvador <osalvador(a)suse.de> Suggested-by: David Hildenbrand <david(a)redhat.com> Tested-by: syzbot+f64019ba229e3a5c411b(a)syzkaller.appspotmail.com Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> (v2) Cc: Christoph Hellwig <hch(a)lst.de> (v6) Cc: Dave Airlie <airlied(a)redhat.com> Cc: Gerd Hoffmann <kraxel(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memfd.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) --- a/mm/memfd.c~mm-memfd-fix-information-leak-in-hugetlb-folios +++ a/mm/memfd.c @@ -96,9 +96,36 @@ struct folio *memfd_alloc_folio(struct f NULL, gfp_mask); if (folio) { + u32 hash; + + /* + * Zero the folio to prevent information leaks to userspace. + * Use folio_zero_user() which is optimized for huge/gigantic + * pages. Pass 0 as addr_hint since this is not a faulting path + * and we don't have a user virtual address yet. + */ + folio_zero_user(folio, 0); + + /* + * Mark the folio uptodate before adding to page cache, + * as required by filemap.c and other hugetlb paths. + */ + __folio_mark_uptodate(folio); + + /* + * Serialize hugepage allocation and instantiation to prevent + * races with concurrent allocations, as required by all other + * callers of hugetlb_add_to_page_cache(). + */ + hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + err = hugetlb_add_to_page_cache(folio, memfd->f_mapping, idx); + + mutex_unlock(&hugetlb_fault_mutex_table[hash]); + if (err) { folio_put(folio); goto err_unresv; _ Patches currently in -mm which might be from kartikey406(a)gmail.com are mm-memfd-fix-information-leak-in-hugetlb-folios.patch ocfs2-validate-cl_bpc-in-allocator-inodes-to-prevent-divide-by-zero.patch

1 month

1
0
0 0

[PATCH v2] coresight: etm-perf: Fix reference count leak in etm_setup_aux

by Ma Ke

In etm_setup_aux(), when a user sink is obtained via coresight_get_sink_by_id(), it increments the reference count of the sink device. However, if the sink is used in path building, the path holds a reference, but the initial reference from coresight_get_sink_by_id() is not released, causing a reference count leak. We should release the initial reference after the path is built. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch as suggestions. --- drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c index f677c08233ba..8a5a59434cc9 100644 --- a/drivers/hwtracing/coresight/coresight-etm-perf.c +++ b/drivers/hwtracing/coresight/coresight-etm-perf.c @@ -454,6 +454,11 @@ static void *etm_setup_aux(struct perf_event *event, void **pages, goto err; out: + if (user_sink) { + put_device(&user_sink->dev); + user_sink = NULL; + } + return event_data; err: -- 2.17.1

1 month

2
1
0 0

دعوة لنشر الأبحاث والمقالات العلمية

by journal

###**🌟 فرصتك للنشر في مجلات علمية محكمة دوليًا – دعوة مفتوحة للباحثين والأكاديميين** **انضم إلى النخبة العلمية… وانشر أبحاثك معنا.** **انطلاقًا من إيماننا بأن البحث العلمي هو الركيزة الأساسية لنهضة المجتمعات وتقدمها،** يسر*فكر للدراسات والتطوير* أن تتشرف بدعوتكم للنشر في مجلاتها العلمية المحكمة، التي تمثل منبرًا أكاديميًا رصينًا لاحتضان الأفكار الأصيلة، والمشاريع البحثية الجادة، والرؤى التي تسهم في إنتاج معرفة تطبيقية تخدم قضايا الإنسان والمجتمع. إن دعوتنا هذه تأتي ضمن رؤيتنا في تمكين الباحثين والكتّاب في العالم العربي والإسلامي من إيصال أبحاثهم إلى أوسع نطاق، والمساهمة الفاعلة في الحراك العلمي محليًا ودوليًا، عبر منصات نشر معتمدة وموثوقة. ➡️ **قدّم مخطوطتك الآن:** [https://7m8ue.r.ag.d.sendibm3.com/mk/cl/f/sh/WCPzyXJTZ7nvI8YYc4qB1knr1PmTmi… ####عامل تأثير عربي=2.7 مجلة ريحان للنشر العلمي ----------------------- (Rihan Journal for Scientific Publishing) ###$50 *مجلة علمية دولية، محكّمة، شهرية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2709-2097** تستقبل المجلة الأبحاث والمقالات العلمية بثلاث لغات: **العربية، الإنجليزية، والتركية**، في مختلف التخصصات، وتخضع جميع المواد المقدمة لعملية تحكيم علمي صارمة، تضمن جودة المحتوى وموثوقيته الأكاديمية. ####عامل تأثير عربي=1.7 مجلة ايبرس للنشر الطبي ---------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2959-5371** تأسست مجلة إيبرس للنشر الطبي عام 2022، لتكون منصة علمية رصينة في مجال العلوم الطبية والصحية، ووجهة موثوقة للباحثين والطلبة وأعضاء الهيئات التدريسية والأكاديميين لنشر أبحاثهم الأصيلة، ومراجعاتهم العلمية، ومشاركتهم في تطوير المعرفة الطبية الحديثة. تستقبل المجلة الدراسات والأبحاث باللغة **العربية، الإنجليزية، والتركية**، وتخضع جميع المواد لعملية تحكيم علمي دقيقة، وفق أعلى المعايير الأكاديمية الدولية. مجلة طُوى للعلوم الاجتماعية --------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3104-7211** **مجلة طُوى** هي منصة أكاديمية تُعنى بنشر البحوث والدراسات الأصيلة في **مجالات العلوم الاجتماعية المتداخلة**، بما يسهم في إنتاج معرفة تحليلية معمقة حول قضايا الإنسان والمجتمع. تلتزم المجلة بمعايير **التحكيم العلمي الرصين**، وتُرحّب بالأعمال المقدّمة باللغات: **العربية، الإنجليزية، والتركية**. جاء اختيار اسم "طُوى" استلهامًا من **الوادي المقدّس طُوى**، تعبيرًا عن قدسية المعرفة، وإيمانًا بأن الفكر العلمي رسالة إنسانية لا تقل أثرًا وعمقًا عن أي رسالة تغيير أو بناء مجتمعي. مجلة زنوبيا لدراسات المرأة والطفل والاسرة ----------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير* بالتعاون مع **المنتدى الثقافي النسائي السوري** رقم التسلسل المعياري الدولي: **ISSN: 3104-7874** تُعنى **مجلة زنوبيا** بنشر البحوث والدراسات الأكاديمية التي تتناول قضايا **المرأة، والطفل، والأسرة** من زوايا علمية، اجتماعية، وثقافية متعددة، مع التركيز على التحديات والتحولات المعاصرة التي تمس هذه الفئات داخل السياقات العربية والعالمية. وتوفّر المجلة منبرًا أكاديميًا موثوقًا يعزز التفكير النقدي والتحليل العلمي البنّاء، ويسعى لإبراز التجارب والرؤى التي تدعم التمكين المجتمعي. مجلة زكا للعلوم المالية والاقتصادية والإدارية --------------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي **ISSN: 3104-7289** تُعنى **مجلة زكا** بنشر أبحاث علمية أصيلة وعالية الجودة في مجالات: **إدارة الأعمال، الاقتصاد، المحاسبة، العلوم المالية، التسويق، الاقتصاد الإسلامي، الإدارة العامة، والتمويل**. وتمثل المجلة منصة أكاديمية رصينة تستهدف الباحثين، الأكاديميين، وطلبة الدراسات العليا في التخصصات المالية والإدارية، وتسعى إلى الإسهام الفعّال في تطوير المعرفة الاقتصادية والإدارية، وفقًا لأحدث المعايير العلمية والمنهجيات البحثية الحديثة. مجلة روح للعلوم الإنسانية ------------------------- ###$50 **(RUH Journal of Humanities)** *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3105-2436** تهدف **مجلة روح للعلوم الإنسانية** إلى نشر الأبحاث العلمية المتميزة في مختلف مجالات العلوم الإنسانية، وتعزيز الفكر الأكاديمي والنقاش العلمي المتخصص في القضايا الإنسانية المعاصرة على المستويين العربي والعالمي. تُعد المجلة منصة أكاديمية رصينة تجمع الباحثين من تخصصات متعددة لتبادل المعرفة، وتحفيز الدراسات الرصينة ذات الأثر المجتمعي والثقافي، وتوسيع دائرة الحوار العلمي حول الإنسان والمجتمع. جاء اختيار اسم **"روح"** ليعكس جوهر العلوم الإنسانية، التي تنطلق من فهم الإنسان: مشاعره، ثقافته، سلوكه، وتاريخه. تشير الكلمة إلى **العنصر الحيوي** الذي يمنح الإنسان والمجتمع معناهما، مما يرسّخ رؤية المجلة في أن **العلوم الإنسانية هي الروح النابضة لفهم المجتمعات وتطورها**. دعوة للتبرع ------------ ###$10 ###🎓 ساهم في نهضة العلم في سوريا – كن جزءًا من التغيير الحقيقي! إذا كنت تؤمن بقوة المعرفة وأهمية دعم البحث العلمي في سوريا، فقد حان الوقت لتشارك في صناعة الأمل. **تبرعك اليوم لا يُقدَّر بثمن…** إنه استثمار في العقول، وفي جيل جديد من الباحثين والمفكرين الذين يسعون لإعادة بناء المجتمع على أسس علمية وإنسانية. 📢 **ساهم في صناعة الأمل… تبرعك اليوم يصنع فرقاً حقيقياً غداً!** المؤتمرات العلمية ----------------- ###$100 ###🏛️ **مركز فكر للمؤتمرات العلمية** **مركز فكر للمؤتمرات العلمية** هو أحد برامج مركز فكر للدراسات والتطوير، يُعنى بتنظيم المؤتمرات والملتقيات العلمية المتخصصة، بهدف دعم البحث الأكاديمي وتوسيع دائرة الحوار المعرفي حول القضايا المعاصرة التي تهم المجتمعات العربية والعالمية. ينطلق المركز من رؤية تؤمن بأن **المؤتمر العلمي ليس مجرد حدث أكاديمي، بل هو منصة استراتيجية لإنتاج المعرفة، وتبادل الخبرات، وصياغة حلول مستندة إلى البحث العلمي**. ###📚 **مجالات المؤتمرات:** العلوم الإنسانية والاجتماعية العلوم الطبية والصحية الدراسات الاقتصادية والمالية دراسات المرأة والطفل والأسرة البيئة والتنمية المستدامة التكنولوجيا والتحول الرقمي التعليم والتربية **مع خالص الشكر والتقدير،** ============================ **نثمّن وقتكم واهتمامكم، ونتطلع إلى تعاون مثمر يجمعنا في خدمة البحث العلمي والمجتمع.** ====================================================================================== **نؤمن أن العمل المشترك هو مفتاح التغيير الحقيقي، ونرحّب بكم دائمًا ضمن شبكتنا العلمية والمجتمعية.** ==================================================================================================== ➡️ **قدّم مخطوطتك الآن:** [https://forms.gle/g7McfPrkaYYDFC2N6](https://forms.gle/g7McfPrkaYYDFC2N6) Maria Abdel Rahim [pr@rjsp.org](mailto:ahmet@rjsp.org) rihanjournal(a)gmail.com [00905306359001](https://) gazimuhtarpas 29600,gazantap [Unsubscribe](https://7m8ue.r.ag.d.sendibm3.com/mk/un/v2/sh/7nVTPdbLJ2bPbEmD…

1 month

1
0
0 0

[PATCH net v1] ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

by Chuang Wang

The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1 Cc: stable(a)vger.kernel.org Fixes: 67d6d681e15b ("ipv4: make exception cache less predictible") Signed-off-by: Chuang Wang <nashuiliang(a)gmail.com> --- v0 -> v1: - Expanded commit description to fully document the race condition, including the sit driver's call chain and stack trace. - Added Ido Schimmel's validation method. --- net/ipv4/route.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 6d27d3610c1c..b549d6a57307 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -607,6 +607,11 @@ static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash) oldest_p = fnhe_p; } } + + /* Clear oldest->fnhe_daddr to prevent this fnhe from being + * rebound with new dsts in rt_bind_exception(). + */ + oldest->fnhe_daddr = 0; fnhe_flush_routes(oldest); *oldest_p = oldest->fnhe_next; kfree_rcu(oldest, rcu); -- 2.47.3

1 month

4
3
0 0

[PATCH v3 0/2] Enable 1GHz OPP am335x-bonegreen-eco

by Kory Maincent (TI.com)

The vdd_mpu regulator maximum voltage was previously limited to 1.2985V, which prevented the CPU from reaching the 1GHz operating point. This limitation was put in place because voltage changes were not working correctly, causing the board to stall when attempting higher frequencies. Increase the maximum voltage to 1.3515V to allow the full 1GHz OPP to be used. Add a TPS65219 PMIC driver fixes that properly implement the LOCK register handling, to make voltage transitions work reliably. Changes in v3: - Remove an unused variable - Link to v2: https://lore.kernel.org/r/20251106-fix_tps65219-v2-0-a7d608c4272f@bootlin.c… Changes in v2: - Setup a custom regmap_bus only for the TPS65214 instead of checking the chip_id every time reg_write is called. - Add the am335x-bonegreen-eco devicetree change in the same patch series. Signed-off-by: Kory Maincent (TI.com) <kory.maincent(a)bootlin.com> --- Kory Maincent (TI.com) (2): mfd: tps65219: Implement LOCK register handling for TPS65214 ARM: dts: am335x-bonegreen-eco: Enable 1GHz OPP by increasing vdd_mpu voltage arch/arm/boot/dts/ti/omap/am335x-bonegreen-eco.dts | 2 +- drivers/mfd/tps65219.c | 49 +++++++++++++++++++++- include/linux/mfd/tps65219.h | 2 + 3 files changed, 51 insertions(+), 2 deletions(-) --- base-commit: 1c353dc8d962de652bc7ad2ba2e63f553331391c change-id: 20251106-fix_tps65219-dd62141d22cf Best regards, -- Köry Maincent, Bootlin Embedded Linux and kernel engineering https://bootlin.com

1 month

2
2
0 0

[PATCH] shmem: fix tmpfs reconfiguration (remount) when noswap is set

by Mike Yuan

In systemd we're trying to switch the internal credentials setup logic to new mount API [1], and I noticed fsconfig(FSCONFIG_CMD_RECONFIGURE) consistently fails on tmpfs with noswap option. This can be trivially reproduced with the following: ``` int fs_fd = fsopen("tmpfs", 0); fsconfig(fs_fd, FSCONFIG_SET_FLAG, "noswap", NULL, 0); fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0); fsmount(fs_fd, 0, 0); fsconfig(fs_fd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0); <------ EINVAL ``` After some digging the culprit is shmem_reconfigure() rejecting !(ctx->seen & SHMEM_SEEN_NOSWAP) && sbinfo->noswap, which is bogus as ctx->seen serves as a mask for whether certain options are touched at all. On top of that, noswap option doesn't use fsparam_flag_no, hence it's not really possible to "reenable" swap to begin with. Drop the check and redundant SHMEM_SEEN_NOSWAP flag. [1] https://github.com/systemd/systemd/pull/39637 Fixes: 2c6efe9cf2d7 ("shmem: add support to ignore swap") Signed-off-by: Mike Yuan <me(a)yhndnzj.com> Cc: Luis Chamberlain <mcgrof(a)kernel.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> --- mm/shmem.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index b9081b817d28..1b976414d6fa 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -131,8 +131,7 @@ struct shmem_options { #define SHMEM_SEEN_INODES 2 #define SHMEM_SEEN_HUGE 4 #define SHMEM_SEEN_INUMS 8 -#define SHMEM_SEEN_NOSWAP 16 -#define SHMEM_SEEN_QUOTA 32 +#define SHMEM_SEEN_QUOTA 16 }; #ifdef CONFIG_TRANSPARENT_HUGEPAGE @@ -4677,7 +4676,6 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param) "Turning off swap in unprivileged tmpfs mounts unsupported"); } ctx->noswap = true; - ctx->seen |= SHMEM_SEEN_NOSWAP; break; case Opt_quota: if (fc->user_ns != &init_user_ns) @@ -4827,14 +4825,15 @@ static int shmem_reconfigure(struct fs_context *fc) err = "Current inum too high to switch to 32-bit inums"; goto out; } - if ((ctx->seen & SHMEM_SEEN_NOSWAP) && ctx->noswap && !sbinfo->noswap) { + + /* + * "noswap" doesn't use fsparam_flag_no, i.e. there's no "swap" + * counterpart for (re-)enabling swap. + */ + if (ctx->noswap && !sbinfo->noswap) { err = "Cannot disable swap on remount"; goto out; } - if (!(ctx->seen & SHMEM_SEEN_NOSWAP) && !ctx->noswap && sbinfo->noswap) { - err = "Cannot enable swap on remount if it was disabled on first mount"; - goto out; - } if (ctx->seen & SHMEM_SEEN_QUOTA && !sb_any_quota_loaded(fc->root->d_sb)) { base-commit: 0d7bee10beeb59b1133bf5a4749b17a4ef3bbb01 -- 2.51.1

1 month

3
2
0 0

[PATCH] slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves

by Miaoqian Lin

The function qcom_slim_ngd_notify_slaves() calls of_slim_get_device() which internally uses device_find_child() to obtain a device reference. According to the device_find_child() documentation, the caller must drop the reference with put_device() after use. Found via static analysis and this is similar to commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/slimbus/qcom-ngd-ctrl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c index 4fb66986cc22..cd40ab839c54 100644 --- a/drivers/slimbus/qcom-ngd-ctrl.c +++ b/drivers/slimbus/qcom-ngd-ctrl.c @@ -1241,6 +1241,7 @@ static void qcom_slim_ngd_notify_slaves(struct qcom_slim_ngd_ctrl *ctrl) if (slim_get_logical_addr(sbdev)) dev_err(ctrl->dev, "Failed to get logical address\n"); + put_device(&sbdev->dev); } } -- 2.39.5 (Apple Git-154)

1 month

5
5
0 0

[PATCH 6.12] io_uring/napi: fix io_napi_entry RCU accesses

by Stepan Artuhov

From: Olivier Langlois <olivier(a)trillion01.com> [Upstream commit 45b3941d09d13b3503309be1f023b83deaf69b4d ] correct 3 RCU structures modifications that were not using the RCU functions to make their update. Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Pavel Begunkov <asml.silence(a)gmail.com> Cc: io-uring(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: lvc-project(a)linuxtesting.org Signed-off-by: Olivier Langlois <olivier(a)trillion01.com> Link: https://lore.kernel.org/r/9f53b5169afa8c7bf3665a0b19dc2f7061173530.17288288… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> [Stepan Artuhov: cherry-picked a commit] Signed-off-by: Stepan Artuhov <s.artuhov(a)tssltd.ru> --- io_uring/napi.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/io_uring/napi.c b/io_uring/napi.c index d0cf694d0172..fa959fd32042 100644 --- a/io_uring/napi.c +++ b/io_uring/napi.c @@ -81,19 +81,24 @@ void __io_napi_add(struct io_ring_ctx *ctx, struct socket *sock) } hlist_add_tail_rcu(&e->node, hash_list); - list_add_tail(&e->list, &ctx->napi_list); + list_add_tail_rcu(&e->list, &ctx->napi_list); spin_unlock(&ctx->napi_lock); } static void __io_napi_remove_stale(struct io_ring_ctx *ctx) { struct io_napi_entry *e; - unsigned int i; spin_lock(&ctx->napi_lock); - hash_for_each(ctx->napi_ht, i, e, node) { - if (time_after(jiffies, e->timeout)) { - list_del(&e->list); + /* + * list_for_each_entry_safe() is not required as long as: + * 1. list_del_rcu() does not reset the deleted node next pointer + * 2. kfree_rcu() delays the memory freeing until the next quiescent + * state + */ + list_for_each_entry(e, &ctx->napi_list, list) { + if (time_after(jiffies, READ_ONCE(e->timeout))) { + list_del_rcu(&e->list); hash_del_rcu(&e->node); kfree_rcu(e, rcu); } @@ -204,13 +209,13 @@ void io_napi_init(struct io_ring_ctx *ctx) void io_napi_free(struct io_ring_ctx *ctx) { struct io_napi_entry *e; - unsigned int i; spin_lock(&ctx->napi_lock); - hash_for_each(ctx->napi_ht, i, e, node) { + list_for_each_entry(e, &ctx->napi_list, list) { hash_del_rcu(&e->node); kfree_rcu(e, rcu); } + INIT_LIST_HEAD_RCU(&ctx->napi_list); spin_unlock(&ctx->napi_lock); } -- 2.39.5

1 month

1
0
0 0

[PATCH v2] powerpc, mm: Fix mprotect on book3s 32-bit

by Dave Vasilevsky

On 32-bit book3s with hash-MMUs, tlb_flush() was a no-op. This was unnoticed because all uses until recently were for unmaps, and thus handled by __tlb_remove_tlb_entry(). After commit 4a18419f71cd ("mm/mprotect: use mmu_gather") in kernel 5.19, tlb_gather_mmu() started being used for mprotect as well. This caused mprotect to simply not work on these machines: int *ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); *ptr = 1; // force HPTE to be created mprotect(ptr, 4096, PROT_READ); *ptr = 2; // should segfault, but succeeds Fixed by making tlb_flush() actually flush TLB pages. This finally agrees with the behaviour of boot3s64's tlb_flush(). Fixes: 4a18419f71cd ("mm/mprotect: use mmu_gather") Signed-off-by: Dave Vasilevsky <dave(a)vasilevsky.ca> Cc: stable(a)vger.kernel.org --- Changes in v2: - Flush entire TLB if full mm is requested. - Link to v1: https://lore.kernel.org/r/20251027-vasi-mprotect-g3-v1-1-3c5187085f9a@vasil… --- arch/powerpc/include/asm/book3s/32/tlbflush.h | 8 ++++++-- arch/powerpc/mm/book3s32/tlb.c | 9 +++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/include/asm/book3s/32/tlbflush.h b/arch/powerpc/include/asm/book3s/32/tlbflush.h index e43534da5207aa3b0cb3c07b78e29b833c141f3f..b8c587ad2ea954f179246a57d6e86e45e91dcfdc 100644 --- a/arch/powerpc/include/asm/book3s/32/tlbflush.h +++ b/arch/powerpc/include/asm/book3s/32/tlbflush.h @@ -11,6 +11,7 @@ void hash__flush_tlb_mm(struct mm_struct *mm); void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr); void hash__flush_range(struct mm_struct *mm, unsigned long start, unsigned long end); +void hash__flush_gather(struct mmu_gather *tlb); #ifdef CONFIG_SMP void _tlbie(unsigned long address); @@ -28,9 +29,12 @@ void _tlbia(void); */ static inline void tlb_flush(struct mmu_gather *tlb) { - /* 603 needs to flush the whole TLB here since it doesn't use a hash table. */ - if (!mmu_has_feature(MMU_FTR_HPTE_TABLE)) + if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) { + hash__flush_gather(tlb); + } else { + /* 603 needs to flush the whole TLB here since it doesn't use a hash table. */ _tlbia(); + } } static inline void flush_range(struct mm_struct *mm, unsigned long start, unsigned long end) diff --git a/arch/powerpc/mm/book3s32/tlb.c b/arch/powerpc/mm/book3s32/tlb.c index 9ad6b56bfec96e989b96f027d075ad5812500854..e54a7b0112322e5818d80facd2e3c7722e6dd520 100644 --- a/arch/powerpc/mm/book3s32/tlb.c +++ b/arch/powerpc/mm/book3s32/tlb.c @@ -105,3 +105,12 @@ void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr) flush_hash_pages(mm->context.id, vmaddr, pmd_val(*pmd), 1); } EXPORT_SYMBOL(hash__flush_tlb_page); + +void hash__flush_gather(struct mmu_gather *tlb) +{ + if (tlb->fullmm || tlb->need_flush_all) + hash__flush_tlb_mm(tlb->mm); + else + hash__flush_range(tlb->mm, tlb->start, tlb->end); +} +EXPORT_SYMBOL(hash__flush_gather); --- base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 change-id: 20251027-vasi-mprotect-g3-f8f5278d4140 Best regards, -- Dave Vasilevsky <dave(a)vasilevsky.ca>

1 month

3
2
0 0

[PATCH 0/3] rust_binder: fix unsoundness due to combining List::remove with mem:take

by Alice Ryhl

See the first patch for details on the bug. Signed-off-by: Alice Ryhl <aliceryhl(a)google.com> --- Alice Ryhl (3): rust_binder: fix race condition on death_list rust_binder: avoid mem::take on delivered_deaths rust: list: add warning to List::remove docs about mem::take drivers/android/binder/node.rs | 6 +++--- drivers/android/binder/process.rs | 8 ++++++-- rust/kernel/list.rs | 3 +++ 3 files changed, 12 insertions(+), 5 deletions(-) --- base-commit: 211ddde0823f1442e4ad052a2f30f050145ccada change-id: 20251111-binder-fix-list-remove-41c29c75ffc9 Best regards, -- Alice Ryhl <aliceryhl(a)google.com>

1 month

3
4
0 0

[PATCH] mm, swap: fix potential UAF issue for VMA readahead

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry. Cc: stable(a)vger.kernel.org Fixes: 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning") Suggested-by: Huang Ying <ying.huang(a)linux.alibaba.com> Signed-off-by: Kairui Song <kasong(a)tencent.com> --- Sending as a new patch instead of V2 because the approach is very different. Previous patch: https://lore.kernel.org/linux-mm/20251110-revert-78524b05f1a3-v1-1-88313f2b… --- mm/swap_state.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/mm/swap_state.c b/mm/swap_state.c index 0cf9853a9232..da0481e163a4 100644 --- a/mm/swap_state.c +++ b/mm/swap_state.c @@ -745,6 +745,7 @@ static struct folio *swap_vma_readahead(swp_entry_t targ_entry, gfp_t gfp_mask, blk_start_plug(&plug); for (addr = start; addr < end; ilx++, addr += PAGE_SIZE) { + struct swap_info_struct *si = NULL; softleaf_t entry; if (!pte++) { @@ -759,8 +760,19 @@ static struct folio *swap_vma_readahead(swp_entry_t targ_entry, gfp_t gfp_mask, continue; pte_unmap(pte); pte = NULL; + /* + * Readahead entry may come from a device that we are not + * holding a reference to, try to grab a reference, or skip. + */ + if (swp_type(entry) != swp_type(targ_entry)) { + si = get_swap_device(entry); + if (!si) + continue; + } folio = __read_swap_cache_async(entry, gfp_mask, mpol, ilx, &page_allocated, false); + if (si) + put_swap_device(si); if (!folio) continue; if (page_allocated) { --- base-commit: 565d240810a6c9689817a9f3d08f80adf488ca59 change-id: 20251111-swap-fix-vma-uaf-bec70969250f Best regards, -- Kairui Song <kasong(a)tencent.com>

1 month

4
5
0 0

[PATCH net v1 1/1] net: dsa: microchip: lan937x: Fix RGMII delay tuning

by Oleksij Rempel

Correct RGMII delay application logic in lan937x_set_tune_adj(). The function was missing `data16 &= ~PORT_TUNE_ADJ` before setting the new delay value. This caused the new value to be bitwise-OR'd with the existing PORT_TUNE_ADJ field instead of replacing it. For example, when setting the RGMII 2 TX delay on port 4, the intended TUNE_ADJUST value of 0 (RGMII_2_TX_DELAY_2NS) was incorrectly OR'd with the default 0x1B (from register value 0xDA3), leaving the delay at the wrong setting. This patch adds the missing mask to clear the field, ensuring the correct delay value is written. Physical measurements on the RGMII TX lines confirm the fix, showing the delay changing from ~1ns (before change) to ~2ns. While testing on i.MX 8MP showed this was within the platform's timing tolerance, it did not match the intended hardware-characterized value. Fixes: b19ac41faa3f ("net: dsa: microchip: apply rgmii tx and rx delay in phylink mac config") Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> --- drivers/net/dsa/microchip/lan937x_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/dsa/microchip/lan937x_main.c b/drivers/net/dsa/microchip/lan937x_main.c index b1ae3b9de3d1..5a1496fff445 100644 --- a/drivers/net/dsa/microchip/lan937x_main.c +++ b/drivers/net/dsa/microchip/lan937x_main.c @@ -540,6 +540,7 @@ static void lan937x_set_tune_adj(struct ksz_device *dev, int port, ksz_pread16(dev, port, reg, &data16); /* Update tune Adjust */ + data16 &= ~PORT_TUNE_ADJ; data16 |= FIELD_PREP(PORT_TUNE_ADJ, val); ksz_pwrite16(dev, port, reg, data16); -- 2.47.3

1 month

2
1
0 0

You have (4) important emails awaiting delivery to your inbox

by Linux Support Mail

1 month

1
0
0 0

[PATCH v2] intel_th: Fix error handling in intel_th_output_open

by Ma Ke

intel_th_output_open() calls bus_find_device_by_devt() which internally increments the device reference count via get_device(), but this reference is not properly released in several error paths. When device driver is unavailable, file operations cannot be obtained, or the driver's open method fails, the function returns without calling put_device(), leading to a permanent device reference count leak. This prevents the device from being properly released and could cause resource exhaustion over time. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch to fix uninitialized variable 'err' warnings. --- drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c index 47d9e6c3bac0..fdb9d022d875 100644 --- a/drivers/hwtracing/intel_th/core.c +++ b/drivers/hwtracing/intel_th/core.c @@ -810,13 +810,17 @@ static int intel_th_output_open(struct inode *inode, struct file *file) int err; dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); - if (!dev || !dev->driver) - return -ENODEV; + if (!dev || !dev->driver) { + err = -ENODEV; + goto out_no_device; + } thdrv = to_intel_th_driver(dev->driver); fops = fops_get(thdrv->fops); - if (!fops) - return -ENODEV; + if (!fops) { + err = -ENODEV; + goto out_put_device; + } replace_fops(file, fops); @@ -824,10 +828,16 @@ static int intel_th_output_open(struct inode *inode, struct file *file) if (file->f_op->open) { err = file->f_op->open(inode, file); - return err; + if (err) + goto out_put_device; } return 0; + +out_put_device: + put_device(dev); +out_no_device: + return err; } static const struct file_operations intel_th_output_fops = { -- 2.17.1

1 month

1
0
0 0

[PATCH v2 0/2] Enable 1GHz OPP am335x-bonegreen-eco

by Kory Maincent (TI.com)

The vdd_mpu regulator maximum voltage was previously limited to 1.2985V, which prevented the CPU from reaching the 1GHz operating point. This limitation was put in place because voltage changes were not working correctly, causing the board to stall when attempting higher frequencies. Increase the maximum voltage to 1.3515V to allow the full 1GHz OPP to be used. Add a TPS65219 PMIC driver fixes that properly implement the LOCK register handling, to make voltage transitions work reliably. Changes in v2: - Setup a custom regmap_bus only for the TPS65214 instead of checking the chip_id every time reg_write is called. - Add the am335x-bonegreen-eco devicetree change in the same patch series. Signed-off-by: Kory Maincent (TI.com) <kory.maincent(a)bootlin.com> --- Kory Maincent (TI.com) (2): mfd: tps65219: Implement LOCK register handling for TPS65214 ARM: dts: am335x-bonegreen-eco: Enable 1GHz OPP by increasing vdd_mpu voltage arch/arm/boot/dts/ti/omap/am335x-bonegreen-eco.dts | 2 +- drivers/mfd/tps65219.c | 51 +++++++++++++++++++++- include/linux/mfd/tps65219.h | 2 + 3 files changed, 53 insertions(+), 2 deletions(-) --- base-commit: 1c353dc8d962de652bc7ad2ba2e63f553331391c change-id: 20251106-fix_tps65219-dd62141d22cf Best regards, -- Köry Maincent, Bootlin Embedded Linux and kernel engineering https://bootlin.com

1 month

5
5
0 0

[PATCH v3] PCI: dw-rockchip: Prevent advertising L1 Substates support

by Niklas Cassel

The L1 substates support requires additional steps to work, namely: -Proper handling of the CLKREQ# sideband signal. (It is mostly handled by hardware, but software still needs to set the clkreq fields in the PCIE_CLIENT_POWER_CON register to match the hardware implementation.) -Program the frequency of the aux clock into the DSP_PCIE_PL_AUX_CLK_FREQ_OFF register. (During L1 substates the core_clk is turned off and the aux_clk is used instead.) These steps are currently missing from the driver. For more details, see section '18.6.6.4 L1 Substate' in the RK3658 TRM 1.1 Part 2, or section '11.6.6.4 L1 Substate' in the RK3588 TRM 1.0 Part2. While this has always been a problem when using e.g. CONFIG_PCIEASPM_POWER_SUPERSAVE=y, or when modifying /sys/bus/pci/devices/.../link/l1_2_aspm, the lacking driver support for L1 substates became more apparent after commit f3ac2ff14834 ("PCI/ASPM: Enable all ClockPM and ASPM states for devicetree platforms"), which enabled ASPM also for CONFIG_PCIEASPM_DEFAULT=y. When using e.g. an NVMe drive connected to the PCIe controller, the problem will be seen as: nvme nvme0: controller is down; will reset: CSTS=0xffffffff, PCI_STATUS=0x10 nvme nvme0: Does your device have a faulty power saving mode enabled? nvme nvme0: Try "nvme_core.default_ps_max_latency_us=0 pcie_aspm=off pcie_port_pm=off" and report a bug Thus, prevent advertising L1 Substates support until proper driver support is added. Cc: stable(a)vger.kernel.org Fixes: 0e898eb8df4e ("PCI: rockchip-dwc: Add Rockchip RK356X host controller driver") Fixes: f3ac2ff14834 ("PCI/ASPM: Enable all ClockPM and ASPM states for devicetree platforms") Acked-by: Shawn Lin <shawn.lin(a)rock-chips.com> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- Changes since v2: -Improve commit message (Bjorn) drivers/pci/controller/dwc/pcie-dw-rockchip.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-dw-rockchip.c b/drivers/pci/controller/dwc/pcie-dw-rockchip.c index 3e2752c7dd09..84f882abbca5 100644 --- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c +++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c @@ -200,6 +200,25 @@ static bool rockchip_pcie_link_up(struct dw_pcie *pci) return FIELD_GET(PCIE_LINKUP_MASK, val) == PCIE_LINKUP; } +/* + * See e.g. section '11.6.6.4 L1 Substate' in the RK3588 TRM V1.0 for the steps + * needed to support L1 substates. Currently, not a single rockchip platform + * performs these steps, so disable L1 substates until there is proper support. + */ +static void rockchip_pcie_disable_l1sub(struct dw_pcie *pci) +{ + u32 cap, l1subcap; + + cap = dw_pcie_find_ext_capability(pci, PCI_EXT_CAP_ID_L1SS); + if (cap) { + l1subcap = dw_pcie_readl_dbi(pci, cap + PCI_L1SS_CAP); + l1subcap &= ~(PCI_L1SS_CAP_L1_PM_SS | PCI_L1SS_CAP_ASPM_L1_1 | + PCI_L1SS_CAP_ASPM_L1_2 | PCI_L1SS_CAP_PCIPM_L1_1 | + PCI_L1SS_CAP_PCIPM_L1_2); + dw_pcie_writel_dbi(pci, cap + PCI_L1SS_CAP, l1subcap); + } +} + static void rockchip_pcie_enable_l0s(struct dw_pcie *pci) { u32 cap, lnkcap; @@ -264,6 +283,7 @@ static int rockchip_pcie_host_init(struct dw_pcie_rp *pp) irq_set_chained_handler_and_data(irq, rockchip_pcie_intx_handler, rockchip); + rockchip_pcie_disable_l1sub(pci); rockchip_pcie_enable_l0s(pci); return 0; @@ -301,6 +321,7 @@ static void rockchip_pcie_ep_init(struct dw_pcie_ep *ep) struct dw_pcie *pci = to_dw_pcie_from_ep(ep); enum pci_barno bar; + rockchip_pcie_disable_l1sub(pci); rockchip_pcie_enable_l0s(pci); rockchip_pcie_ep_hide_broken_ats_cap_rk3588(ep); -- 2.51.0

1 month

5
17
0 0

[PATCH stable] fbdev: Fix out-of-bounds issue in sys_fillrect()

by Gu Bowen

There was an out-of-bounds issue found by syzkaller test on v6.6. BUG: unable to handle page fault for address: ffffc90000c3f000 PGD 100000067 P4D 100000067 PUD 100c80067 PMD 10ac1c067 PTE 0 Oops: 0002 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 6521 Comm: syz.3.1365 Not tainted 6.6.0+ #82 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:memset64 arch/x86/include/asm/string_64.h:58 [inline] RIP: 0010:memset_l include/linux/string.h:168 [inline] RIP: 0010:bitfill_aligned drivers/video/fbdev/core/sysfillrect.c:53 [inline] RIP: 0010:bitfill_aligned+0x144/0x1c0 drivers/video/fbdev/core/sysfillrect.c:25 Code: 23 04 24 48 31 d0 49 89 46 f8 44 89 e0 44 29 f8 29 c3 e8 9f 39 49 fe 89 d8 31 d2 4c 89 f7 41 f7 f4 48 89 c3 48 89 c1 48 89 e8 <f3> 48 ab 31 ff 4c 89 ee e8 df 2f 49 fe 4d 85 ed 0f 84 6b ff ff ff RSP: 0018:ffff888119ce7418 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000180 RCX: 0000000000000180 RDX: 0000000000000000 RSI: ffffc90003873000 RDI: ffffc90000c3f000 RBP: 0000000000000000 R08: 0000000000006000 R09: 0000000000000040 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000040 R13: 0000000000000000 R14: ffffc90000c3f000 R15: 0000000000000000 FS: 00007f1704b926c0(0000) GS:ffff8881f5980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc90000c3f000 CR3: 00000001230d0002 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 000000000000e000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> sys_fillrect+0x429/0x830 drivers/video/fbdev/core/sysfillrect.c:281 drm_fbdev_generic_defio_fillrect+0x27/0x140 drivers/gpu/drm/drm_fbdev_generic.c:37 bit_clear+0x183/0x220 drivers/video/fbdev/core/bitblit.c:73 __fbcon_clear+0x5ea/0x670 drivers/video/fbdev/core/fbcon.c:1281 fbcon_scroll+0x41e/0x560 drivers/video/fbdev/core/fbcon.c:1847 con_scroll+0x464/0x6a0 drivers/tty/vt/vt.c:577 lf+0x274/0x2d0 drivers/tty/vt/vt.c:1461 do_con_trol+0x5ea/0x3d80 drivers/tty/vt/vt.c:2149 do_con_write+0x780/0x10c0 drivers/tty/vt/vt.c:2905 con_write+0x28/0xc0 drivers/tty/vt/vt.c:3245 do_output_char+0x5de/0x850 drivers/tty/n_tty.c:433 process_output drivers/tty/n_tty.c:500 [inline] n_tty_write+0x442/0xb00 drivers/tty/n_tty.c:2406 iterate_tty_write+0x2b5/0x630 drivers/tty/tty_io.c:1017 file_tty_write.constprop.0+0x20c/0x3b0 drivers/tty/tty_io.c:1088 call_write_iter include/linux/fs.h:2085 [inline] do_iter_readv_writev+0x210/0x3c0 fs/read_write.c:737 do_iter_write+0x181/0x4e0 fs/read_write.c:862 vfs_writev+0x15b/0x4d0 fs/read_write.c:935 do_writev+0x136/0x370 fs/read_write.c:978 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 When the virtual console is rotated in the backend state, it can lead to inconsistencies between the size of the virtual console's size and its hook functions. In such cases, clearing the screen may result in out-of-bounds issue. Fix it by adding a check in sys_fillrect() and moving set_blitting_type() to the visible area of the VC. CC: stable(a)vger.kernel.org # fbdev had been refactored on 6.15-rc1 Fixes: 68648ed1f58d ("fbdev: add drawing functions for framebuffers in system RAM") Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 2 +- drivers/video/fbdev/core/sysfillrect.c | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index b49f15a3442e..a6602f230089 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2702,9 +2702,9 @@ static void fbcon_modechanged(struct fb_info *info) return; p = &fb_display[vc->vc_num]; - set_blitting_type(vc, info); if (con_is_visible(vc)) { + set_blitting_type(vc, info); var_to_display(p, &info->var, info); cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres); rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); diff --git a/drivers/video/fbdev/core/sysfillrect.c b/drivers/video/fbdev/core/sysfillrect.c index bcdcaeae6538..e5c4ee317b0b 100644 --- a/drivers/video/fbdev/core/sysfillrect.c +++ b/drivers/video/fbdev/core/sysfillrect.c @@ -238,6 +238,7 @@ void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect) u32 bpp = p->var.bits_per_pixel; unsigned long *dst; int dst_idx, left; + long dst_offset; if (p->state != FBINFO_STATE_RUNNING) return; @@ -277,6 +278,11 @@ void sys_fillrect(struct fb_info *p, const struct fb_fillrect *rect) } while (height--) { dst += dst_idx >> (ffs(bits) - 1); + dst_offset = (unsigned long)dst - (unsigned long)p->screen_base; + if (dst_offset < 0 || dst_offset >= p->fix.smem_len) { + pr_err("dst offset out of bound: dst_offset(%ld)", dst_offset); + return; + } dst_idx &= (bits - 1); fill_op32(p, dst, dst_idx, pat, width*bpp, bits); dst_idx += p->fix.line_length*8; -- 2.43.0

1 month

1
0
0 0

[PATCH] net: Fix error handling in netdev_register_kobject

by Ma Ke

After calling device_initialize(), the reference count of the device is set to 1. If device_add() fails or register_queue_kobjects() fails, the function returns without calling put_device() to release the initial reference, causing a memory leak of the device structure. Similarly, in netdev_unregister_kobject(), after calling device_del(), there is no call to put_device() to release the initial reference, leading to a memory leak. Add put_device() in the error paths of netdev_register_kobject() and after device_del() in netdev_unregister_kobject() to properly release the device references. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a1b3f594dc5f ("net: Expose all network devices in a namespaces in sysfs") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- net/core/net-sysfs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index ca878525ad7c..d3895f26a0c8 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -2327,6 +2327,7 @@ void netdev_unregister_kobject(struct net_device *ndev) pm_runtime_set_memalloc_noio(dev, false); device_del(dev); + put_device(dev); } /* Create sysfs entries for network device. */ @@ -2357,7 +2358,7 @@ int netdev_register_kobject(struct net_device *ndev) error = device_add(dev); if (error) - return error; + goto out_put_device; error = register_queue_kobjects(ndev); if (error) { @@ -2367,6 +2368,10 @@ int netdev_register_kobject(struct net_device *ndev) pm_runtime_set_memalloc_noio(dev, true); + return 0; + +out_put_device: + put_device(dev); return error; } -- 2.17.1

1 month

4
3
0 0

[PATCH] arm64/pageattr: Propagate return value from __change_memory_common

by Dev Jain

Post a166563e7ec3 ("arm64: mm: support large block mapping when rodata=full"), __change_memory_common has a real chance of failing due to split failure. Before that commit, this line was introduced in c55191e96caa, still having a chance of failing if it needs to allocate pagetable memory in apply_to_page_range, although that has never been observed to be true. In general, we should always propagate the return value to the caller. Cc: stable(a)vger.kernel.org Fixes: c55191e96caa ("arm64: mm: apply r/o permissions of VM areas to its linear alias as well") Signed-off-by: Dev Jain <dev.jain(a)arm.com> --- Based on Linux 6.18-rc4. arch/arm64/mm/pageattr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c index 5135f2d66958..b4ea86cd3a71 100644 --- a/arch/arm64/mm/pageattr.c +++ b/arch/arm64/mm/pageattr.c @@ -148,6 +148,7 @@ static int change_memory_common(unsigned long addr, int numpages, unsigned long size = PAGE_SIZE * numpages; unsigned long end = start + size; struct vm_struct *area; + int ret; int i; if (!PAGE_ALIGNED(addr)) { @@ -185,8 +186,10 @@ static int change_memory_common(unsigned long addr, int numpages, if (rodata_full && (pgprot_val(set_mask) == PTE_RDONLY || pgprot_val(clear_mask) == PTE_RDONLY)) { for (i = 0; i < area->nr_pages; i++) { - __change_memory_common((u64)page_address(area->pages[i]), + ret = __change_memory_common((u64)page_address(area->pages[i]), PAGE_SIZE, set_mask, clear_mask); + if (ret) + return ret; } } -- 2.30.2

1 month

5
21
0 0

[PATCH v2 01/17] drm/xe/svm: Fix a debug printout

by Thomas Hellström

Avoid spamming the log with drm_info(). Use drm_dbg() instead. Fixes: cc795e041034 ("drm/xe/svm: Make xe_svm_range_needs_migrate_to_vram() public") Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.17+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/xe/xe_svm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_svm.c b/drivers/gpu/drm/xe/xe_svm.c index 55c5a0eb82e1..894e8f092e3f 100644 --- a/drivers/gpu/drm/xe/xe_svm.c +++ b/drivers/gpu/drm/xe/xe_svm.c @@ -941,7 +941,7 @@ bool xe_svm_range_needs_migrate_to_vram(struct xe_svm_range *range, struct xe_vm xe_assert(vm->xe, IS_DGFX(vm->xe)); if (xe_svm_range_in_vram(range)) { - drm_info(&vm->xe->drm, "Range is already in VRAM\n"); + drm_dbg(&vm->xe->drm, "Range is already in VRAM\n"); return false; } -- 2.51.1

1 month

2
1
0 0

[PATCH stable] notifiers: Add oops check in blocking_notifier_call_chain()

by Yi Yang

In hrtimer_interrupt(), interrupts are disabled when acquiring a spinlock, which subsequently triggers an oops. During the oops call chain, blocking_notifier_call_chain() invokes _cond_resched, ultimately leading to a hard lockup. Call Stack: hrtimer_interrupt//raw_spin_lock_irqsave __hrtimer_run_queues page_fault do_page_fault bad_area_nosemaphore no_context oops_end bust_spinlocks unblank_screen do_unblank_screen fbcon_blank fb_notifier_call_chain blocking_notifier_call_chain down_read _cond_resched If the system is in an oops state, use down_read_trylock instead of a blocking lock acquisition. If the trylock fails, skip executing the notifier callbacks to avoid potential deadlocks or unsafe operations during the oops handling process. Cc: stable(a)vger.kernel.org # 6.6 Fixes: fe9d4f576324 ("Add kernel/notifier.c") Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- kernel/notifier.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/kernel/notifier.c b/kernel/notifier.c index b3ce28f39eb6..ebff2315fac2 100644 --- a/kernel/notifier.c +++ b/kernel/notifier.c @@ -384,9 +384,18 @@ int blocking_notifier_call_chain(struct blocking_notifier_head *nh, * is, we re-check the list after having taken the lock anyway: */ if (rcu_access_pointer(nh->head)) { - down_read(&nh->rwsem); - ret = notifier_call_chain(&nh->head, val, v, -1, NULL); - up_read(&nh->rwsem); + if (!oops_in_progress) { + down_read(&nh->rwsem); + ret = notifier_call_chain(&nh->head, val, v, -1, NULL); + up_read(&nh->rwsem); + } else { + if (down_read_trylock(&nh->rwsem)) { + ret = notifier_call_chain(&nh->head, val, v, -1, NULL); + up_read(&nh->rwsem); + } else { + ret = NOTIFY_BAD; + } + } } return ret; } -- 2.25.1

1 month

3
3
0 0

[PATCH net 0/6] selftests: mptcp: join: fix some flaky tests

by Matthieu Baerts (NGI0)

When looking at the recent CI results on NIPA and MPTCP CIs, a few MPTCP Join tests are marked as unstable. Here are some fixes for that. - Patch 1: a small fix for mptcp_connect.sh, printing a note as initially intended. For >=v5.13. - Patch 2: avoid unexpected reset when closing subflows. For >= 5.13. - Patches 3-4: longer transfer when not waiting for the end. For >=5.18. - Patch 5: read all received data when expecting a reset. For >= v6.1. - Patch 6: a fix to properly kill background tasks. For >= v6.5. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (6): selftests: mptcp: connect: fix fallback note due to OoO selftests: mptcp: join: rm: set backup flag selftests: mptcp: join: endpoints: longer transfer selftests: mptcp: join: userspace: longer transfer selftests: mptcp: connect: trunc: read all recv data selftests: mptcp: join: properly kill background tasks tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 +++-- tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 90 +++++++++++----------- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 +++++ 4 files changed, 80 insertions(+), 51 deletions(-) --- base-commit: 96a9178a29a6b84bb632ebeb4e84cf61191c73d5 change-id: 20251108-net-mptcp-sft-join-unstable-5a28cdb6ea54 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month

3
8
0 0

FAILED: patch "[PATCH] rust: kbuild: treat `build_error` and `rustdoc` as kernel" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 16c43a56b79e2c3220b043236369a129d508c65a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025110816-catalog-residency-716f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 16c43a56b79e2c3220b043236369a129d508c65a Mon Sep 17 00:00:00 2001 From: Miguel Ojeda <ojeda(a)kernel.org> Date: Sun, 2 Nov 2025 22:28:52 +0100 Subject: [PATCH] rust: kbuild: treat `build_error` and `rustdoc` as kernel objects Even if normally `build_error` isn't a kernel object, it should still be treated as such so that we pass the same flags. Similarly, `rustdoc` targets are never kernel objects, but we need to treat them as such. Otherwise, starting with Rust 1.91.0 (released 2025-10-30), `rustc` will complain about missing sanitizer flags since `-Zsanitizer` is a target modifier too [1]: error: mixing `-Zsanitizer` will cause an ABI mismatch in crate `build_error` --> rust/build_error.rs:3:1 | 3 | //! Build-time error. | ^ | = help: the `-Zsanitizer` flag modifies the ABI so Rust crates compiled with different values of this flag cannot be used together safely = note: unset `-Zsanitizer` in this crate is incompatible with `-Zsanitizer=kernel-address` in dependency `core` = help: set `-Zsanitizer=kernel-address` in this crate or unset `-Zsanitizer` in `core` = help: if you are sure this will not cause problems, you may use `-Cunsafe-allow-abi-mismatch=sanitizer` to silence this error Thus explicitly mark them as kernel objects. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Link: https://github.com/rust-lang/rust/pull/138736 [1] Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Justin M. Forbes <jforbes(a)fedoraproject.org> Link: https://patch.msgid.link/20251102212853.1505384-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> diff --git a/rust/Makefile b/rust/Makefile index 23c7ae905bd2..a9fb9354b659 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -127,9 +127,14 @@ rustdoc-core: private rustc_target_flags = --edition=$(core-edition) $(core-cfgs rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs rustdoc-clean FORCE +$(call if_changed,rustdoc) +# Even if `rustdoc` targets are not kernel objects, they should still be +# treated as such so that we pass the same flags. Otherwise, for instance, +# `rustdoc` will complain about missing sanitizer flags causing an ABI mismatch. +rustdoc-compiler_builtins: private is-kernel-object := y rustdoc-compiler_builtins: $(src)/compiler_builtins.rs rustdoc-core FORCE +$(call if_changed,rustdoc) +rustdoc-ffi: private is-kernel-object := y rustdoc-ffi: $(src)/ffi.rs rustdoc-core FORCE +$(call if_changed,rustdoc) @@ -147,6 +152,7 @@ rustdoc-pin_init: $(src)/pin-init/src/lib.rs rustdoc-pin_init_internal \ rustdoc-macros FORCE +$(call if_changed,rustdoc) +rustdoc-kernel: private is-kernel-object := y rustdoc-kernel: private rustc_target_flags = --extern ffi --extern pin_init \ --extern build_error --extern macros \ --extern bindings --extern uapi @@ -522,6 +528,10 @@ $(obj)/pin_init.o: $(src)/pin-init/src/lib.rs $(obj)/compiler_builtins.o \ $(obj)/$(libpin_init_internal_name) $(obj)/$(libmacros_name) FORCE +$(call if_changed_rule,rustc_library) +# Even if normally `build_error` is not a kernel object, it should still be +# treated as such so that we pass the same flags. Otherwise, for instance, +# `rustc` will complain about missing sanitizer flags causing an ABI mismatch. +$(obj)/build_error.o: private is-kernel-object := y $(obj)/build_error.o: private skip_gendwarfksyms = 1 $(obj)/build_error.o: $(src)/build_error.rs $(obj)/compiler_builtins.o FORCE +$(call if_changed_rule,rustc_library)

1 month

4
4
0 0

[merged mm-nonmm-stable] crash-let-architecture-decide-crash-memory-export-to-iomem_resource.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: crash: let architecture decide crash memory export to iomem_resource has been removed from the -mm tree. Its filename was crash-let-architecture-decide-crash-memory-export-to-iomem_resource.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Sourabh Jain <sourabhjain(a)linux.ibm.com> Subject: crash: let architecture decide crash memory export to iomem_resource Date: Thu, 16 Oct 2025 19:58:31 +0530 With the generic crashkernel reservation, the kernel emits the following warning on powerpc: WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/mem.c:341 add_system_ram_resources+0xfc/0x180 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-auto-12607-g5472d60c129f #1 VOLUNTARY Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries NIP: c00000000201de3c LR: c00000000201de34 CTR: 0000000000000000 REGS: c000000127cef8a0 TRAP: 0700 Not tainted (6.17.0-auto-12607-g5472d60c129f) MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 84000840 XER: 20040010 CFAR: c00000000017eed0 IRQMASK: 0 GPR00: c00000000201de34 c000000127cefb40 c0000000016a8100 0000000000000001 GPR04: c00000012005aa00 0000000020000000 c000000002b705c8 0000000000000000 GPR08: 000000007fffffff fffffffffffffff0 c000000002db8100 000000011fffffff GPR12: c00000000201dd40 c000000002ff0000 c0000000000112bc 0000000000000000 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 c0000000015a3808 GPR24: c00000000200468c c000000001699888 0000000000000106 c0000000020d1950 GPR28: c0000000014683f8 0000000081000200 c0000000015c1868 c000000002b9f710 NIP [c00000000201de3c] add_system_ram_resources+0xfc/0x180 LR [c00000000201de34] add_system_ram_resources+0xf4/0x180 Call Trace: add_system_ram_resources+0xf4/0x180 (unreliable) do_one_initcall+0x60/0x36c do_initcalls+0x120/0x220 kernel_init_freeable+0x23c/0x390 kernel_init+0x34/0x26c ret_from_kernel_user_thread+0x14/0x1c This warning occurs due to a conflict between crashkernel and System RAM iomem resources. The generic crashkernel reservation adds the crashkernel memory range to /proc/iomem during early initialization. Later, all memblock ranges are added to /proc/iomem as System RAM. If the crashkernel region overlaps with any memblock range, it causes a conflict while adding those memblock regions as iomem resources, triggering the above warning. The conflicting memblock regions are then omitted from /proc/iomem. For example, if the following crashkernel region is added to /proc/iomem: 20000000-11fffffff : Crash kernel then the following memblock regions System RAM regions fail to be inserted: 00000000-7fffffff : System RAM 80000000-257fffffff : System RAM Fix this by not adding the crashkernel memory to /proc/iomem on powerpc. Introduce an architecture hook to let each architecture decide whether to export the crashkernel region to /proc/iomem. For more info checkout commit c40dd2f766440 ("powerpc: Add System RAM to /proc/iomem") and commit bce074bdbc36 ("powerpc: insert System RAM resource to prevent crashkernel conflict") Note: Before switching to the generic crashkernel reservation, powerpc never exported the crashkernel region to /proc/iomem. Link: https://lkml.kernel.org/r/20251016142831.144515-1-sourabhjain@linux.ibm.com Fixes: e3185ee438c2 ("powerpc/crash: use generic crashkernel reservation"). Signed-off-by: Sourabh Jain <sourabhjain(a)linux.ibm.com> Reported-by: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Closes: https://lore.kernel.org/all/90937fe0-2e76-4c82-b27e-7b8a7fe3ac69@linux.ibm.… Tested-by: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Cc: Baoquan he <bhe(a)redhat.com> Cc: Hari Bathini <hbathini(a)linux.ibm.com> Cc: Madhavan Srinivasan <maddy(a)linux.ibm.com> Cc: Mahesh Salgaonkar <mahesh(a)linux.ibm.com> Cc: Michael Ellerman <mpe(a)ellerman.id.au> Cc: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/powerpc/include/asm/crash_reserve.h | 8 ++++++++ include/linux/crash_reserve.h | 6 ++++++ kernel/crash_reserve.c | 3 +++ 3 files changed, 17 insertions(+) --- a/arch/powerpc/include/asm/crash_reserve.h~crash-let-architecture-decide-crash-memory-export-to-iomem_resource +++ a/arch/powerpc/include/asm/crash_reserve.h @@ -5,4 +5,12 @@ /* crash kernel regions are Page size agliged */ #define CRASH_ALIGN PAGE_SIZE +#ifdef CONFIG_ARCH_HAS_GENERIC_CRASHKERNEL_RESERVATION +static inline bool arch_add_crash_res_to_iomem(void) +{ + return false; +} +#define arch_add_crash_res_to_iomem arch_add_crash_res_to_iomem +#endif + #endif /* _ASM_POWERPC_CRASH_RESERVE_H */ --- a/include/linux/crash_reserve.h~crash-let-architecture-decide-crash-memory-export-to-iomem_resource +++ a/include/linux/crash_reserve.h @@ -32,6 +32,12 @@ int __init parse_crashkernel(char *cmdli void __init reserve_crashkernel_cma(unsigned long long cma_size); #ifdef CONFIG_ARCH_HAS_GENERIC_CRASHKERNEL_RESERVATION +#ifndef arch_add_crash_res_to_iomem +static inline bool arch_add_crash_res_to_iomem(void) +{ + return true; +} +#endif #ifndef DEFAULT_CRASH_KERNEL_LOW_SIZE #define DEFAULT_CRASH_KERNEL_LOW_SIZE (128UL << 20) #endif --- a/kernel/crash_reserve.c~crash-let-architecture-decide-crash-memory-export-to-iomem_resource +++ a/kernel/crash_reserve.c @@ -524,6 +524,9 @@ void __init reserve_crashkernel_cma(unsi #ifndef HAVE_ARCH_ADD_CRASH_RES_TO_IOMEM_EARLY static __init int insert_crashkernel_resources(void) { + if (!arch_add_crash_res_to_iomem()) + return 0; + if (crashk_res.start < crashk_res.end) insert_resource(&iomem_resource, &crashk_res); _ Patches currently in -mm which might be from sourabhjain(a)linux.ibm.com are crash-fix-crashkernel-resource-shrink.patch

1 month

1
0
0 0

[merged mm-nonmm-stable] scs-fix-a-wrong-parameter-in-__scs_magic.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: scs: fix a wrong parameter in __scs_magic has been removed from the -mm tree. Its filename was scs-fix-a-wrong-parameter-in-__scs_magic.patch This patch was dropped because it was merged into the mm-nonmm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Zhichi Lin <zhichi.lin(a)vivo.com> Subject: scs: fix a wrong parameter in __scs_magic Date: Sat, 11 Oct 2025 16:22:22 +0800 __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead to: 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk)is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc(which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be not unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. Link: https://lkml.kernel.org/r/20251011082222.12965-1-zhichi.lin@vivo.com Fixes: 5bbaf9d1fcb9 ("scs: Add support for stack usage debugging") Signed-off-by: Jiyuan Xie <xiejiyuan(a)vivo.com> Signed-off-by: Zhichi Lin <zhichi.lin(a)vivo.com> Reviewed-by: Sami Tolvanen <samitolvanen(a)google.com> Acked-by: Will Deacon <will(a)kernel.org> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Marco Elver <elver(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: Yee Lee <yee.lee(a)mediatek.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/scs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/scs.c~scs-fix-a-wrong-parameter-in-__scs_magic +++ a/kernel/scs.c @@ -135,7 +135,7 @@ static void scs_check_usage(struct task_ if (!IS_ENABLED(CONFIG_DEBUG_STACK_USAGE)) return; - for (p = task_scs(tsk); p < __scs_magic(tsk); ++p) { + for (p = task_scs(tsk); p < __scs_magic(task_scs(tsk)); ++p) { if (!READ_ONCE_NOCHECK(*p)) break; used += sizeof(*p); _ Patches currently in -mm which might be from zhichi.lin(a)vivo.com are

1 month

1
0
0 0

[PATCH v2] f2fs: invalidate dentry cache on failed whiteout creation

by Deepanshu Kartikey

F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") Reported-by: syzbot+632cf32276a9a564188d(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d Suggested-by: Chao Yu <chao(a)kernel.org> Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1] Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- Changes in v2: - Added detailed explanation about VFS not calling d_move() in error path, resulting in new_dentry still pointing to inode with zeroed i_nlink (suggested by Chao Yu) - Added Fixes tag pointing to commit 7e01e7ad746b - Added Cc: stable(a)vger.kernel.org for backporting to stable kernels --- fs/f2fs/namei.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index b882771e4699..712479b7b93d 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -1053,9 +1053,11 @@ static int f2fs_rename(struct mnt_idmap *idmap, struct inode *old_dir, if (whiteout) { set_inode_flag(whiteout, FI_INC_LINK); err = f2fs_add_link(old_dentry, whiteout); - if (err) + if (err) { + d_invalidate(old_dentry); + d_invalidate(new_dentry); goto put_out_dir; - + } spin_lock(&whiteout->i_lock); whiteout->i_state &= ~I_LINKABLE; spin_unlock(&whiteout->i_lock); -- 2.43.0

1 month

3
2
0 0

[PATCH 2/6] KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()

by Yosry Ahmed

svm_update_lbrv() is called when MSR_IA32_DEBUGCTLMSR is updated, and on nested transitions where LBRV is used. It checks whether LBRV enablement needs to be changed in the current VMCB, and if it does, it also recalculate intercepts to LBR MSRs. However, there are cases where intercepts need to be updated even when LBRV enablement doesn't. Example scenario: - L1 has MSR_IA32_DEBUGCTLMSR cleared. - L1 runs L2 without LBR_CTL_ENABLE (no LBRV). - L2 sets DEBUGCTLMSR_LBR in MSR_IA32_DEBUGCTLMSR, svm_update_lbrv() sets LBR_CTL_ENABLE in VMCB02 and disables intercepts to LBR MSRs. - L2 exits to L1, svm_update_lbrv() is not called on this transition. - L1 clears MSR_IA32_DEBUGCTLMSR, svm_update_lbrv() finds that LBR_CTL_ENABLE is already cleared in VMCB01 and does nothing. - Intercepts remain disabled, L1 reads to LBR MSRs read the host MSRs. Fix it by always recalculating intercepts in svm_update_lbrv(). Fixes: 1d5a1b5860ed ("KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running") Cc: stable(a)vger.kernel.org Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> --- arch/x86/kvm/svm/svm.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d25c56b30b4e2..26ab75ecf1c67 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -806,25 +806,29 @@ void svm_copy_lbrs(struct vmcb *to_vmcb, struct vmcb *from_vmcb) vmcb_mark_dirty(to_vmcb, VMCB_LBR); } -void svm_enable_lbrv(struct kvm_vcpu *vcpu) +static void __svm_enable_lbrv(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK; - svm_recalc_lbr_msr_intercepts(vcpu); /* Move the LBR msrs to the vmcb02 so that the guest can see them. */ if (is_guest_mode(vcpu)) svm_copy_lbrs(svm->vmcb, svm->vmcb01.ptr); } -static void svm_disable_lbrv(struct kvm_vcpu *vcpu) +void svm_enable_lbrv(struct kvm_vcpu *vcpu) +{ + __svm_enable_lbrv(vcpu); + svm_recalc_lbr_msr_intercepts(vcpu); +} + +static void __svm_disable_lbrv(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); KVM_BUG_ON(sev_es_guest(vcpu->kvm), vcpu->kvm); svm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK; - svm_recalc_lbr_msr_intercepts(vcpu); /* * Move the LBR msrs back to the vmcb01 to avoid copying them @@ -853,13 +857,18 @@ void svm_update_lbrv(struct kvm_vcpu *vcpu) (is_guest_mode(vcpu) && guest_cpu_cap_has(vcpu, X86_FEATURE_LBRV) && (svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK)); - if (enable_lbrv == current_enable_lbrv) - return; + if (enable_lbrv && !current_enable_lbrv) + __svm_enable_lbrv(vcpu); + else if (!enable_lbrv && current_enable_lbrv) + __svm_disable_lbrv(vcpu); - if (enable_lbrv) - svm_enable_lbrv(vcpu); - else - svm_disable_lbrv(vcpu); + /* + * During nested transitions, it is possible that the current VMCB has + * LBR_CTL set, but the previous LBR_CTL had it cleared (or vice versa). + * In this case, even though LBR_CTL does not need an update, intercepts + * do, so always recalculate the intercepts here. + */ + svm_recalc_lbr_msr_intercepts(vcpu); } void disable_nmi_singlestep(struct vcpu_svm *svm) -- 2.51.2.1041.gc1ab5b90ca-goog

1 month

2
3
0 0

Your linux-stable-mirror@lists.linaro.org have 23 messages pending.

by lists.linaro.org Server Support

1 month

1
0
0 0

Re: [PATCH v2] kallsyms: Fix wrong "big" kernel symbol type read from procfs

by Miguel Ojeda

On Fri, 11 Oct 2024 22:38:53 +0800 Zheng Yejian <zhengyejian(a)huaweicloud.com> wrote: > > Currently when the length of a symbol is longer than 0x7f characters, > its type shown in /proc/kallsyms can be incorrect. > > I found this issue when reading the code, but it can be reproduced by > following steps: > > 1. Define a function which symbol length is 130 characters: > > #define X13(x) x##x##x##x##x##x##x##x##x##x##x##x##x > static noinline void X13(x123456789)(void) > { > printk("hello world\n"); > } > > 2. The type in vmlinux is 't': > > $ nm vmlinux | grep x123456 > ffffffff816290f0 t x123456789x123456789x123456789x12[...] > > 3. Then boot the kernel, the type shown in /proc/kallsyms becomes 'g' > instead of the expected 't': > > # cat /proc/kallsyms | grep x123456 > ffffffff816290f0 g x123456789x123456789x123456789x12[...] > > The root cause is that, after commit 73bbb94466fd ("kallsyms: support > "big" kernel symbols"), ULEB128 was used to encode symbol name length. > That is, for "big" kernel symbols of which name length is longer than > 0x7f characters, the length info is encoded into 2 bytes. > > kallsyms_get_symbol_type() expects to read the first char of the > symbol name which indicates the symbol type. However, due to the > "big" symbol case not being handled, the symbol type read from > /proc/kallsyms may be wrong, so handle it properly. > > Cc: stable(a)vger.kernel.org > Fixes: 73bbb94466fd ("kallsyms: support "big" kernel symbols") > Signed-off-by: Zheng Yejian <zhengyejian(a)huaweicloud.com> Gary made me aware of this thread (thanks!) -- we are coming from: https://lore.kernel.org/all/aQjua6zkEHYNVN3X@x1/ For which I sent this patch without knowing about this one: https://lore.kernel.org/rust-for-linux/20251107050414.511648-1-ojeda@kernel… This has been seen now by Arnaldo (Cc'ing) in a real system, so I think we should take this one since it was first, with: Cc: stable(a)vger.kernel.org Thanks! Cheers, Miguel

1 month

1
0
0 0

[PATCH cgroup/for-6.18-fixes] cgroup: Skip showing PID 0 in cgroup.procs and cgroup.threads

by Tejun Heo

css_task_iter_next() pins and returns a task, but the task can do whatever between that and cgroup_procs_show() being called, including dying and losing its PID. When that happens, task_pid_vnr() returns 0. d245698d727a ("cgroup: Defer task cgroup unlink until after the task is done switching out") makes this more likely as tasks now stay iterable with css_task_iter_next() until the last schedule is complete, which can be after the task has lost its PID. Showing "0" in cgroup.procs or cgroup.threads is confusing and can lead to surprising outcomes. For example, if a user tries to kill PID 0, it kills all processes in the current process group. Skip entries with PID 0 by returning SEQ_SKIP. Cc: stable(a)vger.kernel.org Signed-off-by: Tejun Heo <tj(a)kernel.org> --- kernel/cgroup/cgroup.c | 11 +++++++++++ 1 file changed, 11 insertions(+) --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -5287,6 +5287,17 @@ static void *cgroup_procs_start(struct s static int cgroup_procs_show(struct seq_file *s, void *v) { + pid_t pid = task_pid_vnr(v); + + /* + * css_task_iter_next() could have visited a task which has already lost + * its PID but is not dead yet or the task could have been unhashed + * since css_task_iter_next(). In such cases, $pid would be 0 here. + * Don't confuse userspace with it. + */ + if (unlikely(!pid)) + return SEQ_SKIP; + seq_printf(s, "%d\n", task_pid_vnr(v)); return 0; }

1 month

3
5
0 0

+ mm-swap-fix-potential-uaf-issue-for-vma-readahead.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm, swap: fix potential UAF issue for VMA readahead has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-swap-fix-potential-uaf-issue-for-vma-readahead.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: mm, swap: fix potential UAF issue for VMA readahead Date: Tue, 11 Nov 2025 21:36:08 +0800 Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry. Link: https://lkml.kernel.org/r/20251111-swap-fix-vma-uaf-v1-1-41c660e58562@tence… Fixes: 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning") Suggested-by: Huang Ying <ying.huang(a)linux.alibaba.com> Signed-off-by: Kairui Song <kasong(a)tencent.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap_state.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/mm/swap_state.c~mm-swap-fix-potential-uaf-issue-for-vma-readahead +++ a/mm/swap_state.c @@ -748,6 +748,8 @@ static struct folio *swap_vma_readahead( blk_start_plug(&plug); for (addr = start; addr < end; ilx++, addr += PAGE_SIZE) { + struct swap_info_struct *si = NULL; + if (!pte++) { pte = pte_offset_map(vmf->pmd, addr); if (!pte) @@ -761,8 +763,19 @@ static struct folio *swap_vma_readahead( continue; pte_unmap(pte); pte = NULL; + /* + * Readahead entry may come from a device that we are not + * holding a reference to, try to grab a reference, or skip. + */ + if (swp_type(entry) != swp_type(targ_entry)) { + si = get_swap_device(entry); + if (!si) + continue; + } folio = __read_swap_cache_async(entry, gfp_mask, mpol, ilx, &page_allocated, false); + if (si) + put_swap_device(si); if (!folio) continue; if (page_allocated) { _ Patches currently in -mm which might be from kasong(a)tencent.com are mm-swap-fix-potential-uaf-issue-for-vma-readahead.patch mm-swap-do-not-perform-synchronous-discard-during-allocation.patch mm-swap-rename-helper-for-setup-bad-slots.patch mm-swap-cleanup-swap-entry-allocation-parameter.patch mm-migrate-swap-drop-usage-of-folio_index.patch mm-swap-remove-redundant-argument-for-isolating-a-cluster.patch revert-mm-swap-avoid-redundant-swap-device-pinning.patch

1 month

1
0
0 0

Your linux-stable-mirror@lists.linaro.org have 24 messages pending.

by lists.linaro.org Server Support

1 month

1
0
0 0

[PATCH 6.1] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

by Eric Biggers

commit 44e8241c51f762aafa50ed116da68fd6ecdcc954 upstream. On big endian arm kernels, the arm optimized Curve25519 code produces incorrect outputs and fails the Curve25519 test. This has been true ever since this code was added. It seems that hardly anyone (or even no one?) actually uses big endian arm kernels. But as long as they're ostensibly supported, we should disable this code on them so that it's not accidentally used. Note: for future-proofing, use !CPU_BIG_ENDIAN instead of CPU_LITTLE_ENDIAN. Both of these are arch-specific options that could get removed in the future if big endian support gets dropped. Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") Cc: stable(a)vger.kernel.org Acked-by: Ard Biesheuvel <ardb(a)kernel.org> Link: https://lore.kernel.org/r/20251104054906.716914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/arm/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index 3858c4d4cb98..f6323b84631f 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -2,11 +2,11 @@ menu "Accelerated Cryptographic Algorithms for CPU (arm)" config CRYPTO_CURVE25519_NEON tristate "Public key crypto: Curve25519 (NEON)" - depends on KERNEL_MODE_NEON + depends on KERNEL_MODE_NEON && !CPU_BIG_ENDIAN select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 help Curve25519 algorithm base-commit: f6e38ae624cf7eb96fb444a8ca2d07caa8d9c8fe -- 2.51.2

1 month

1
0
0 0

[PATCH 6.12] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

by Eric Biggers

commit 44e8241c51f762aafa50ed116da68fd6ecdcc954 upstream. On big endian arm kernels, the arm optimized Curve25519 code produces incorrect outputs and fails the Curve25519 test. This has been true ever since this code was added. It seems that hardly anyone (or even no one?) actually uses big endian arm kernels. But as long as they're ostensibly supported, we should disable this code on them so that it's not accidentally used. Note: for future-proofing, use !CPU_BIG_ENDIAN instead of CPU_LITTLE_ENDIAN. Both of these are arch-specific options that could get removed in the future if big endian support gets dropped. Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") Cc: stable(a)vger.kernel.org Acked-by: Ard Biesheuvel <ardb(a)kernel.org> Link: https://lore.kernel.org/r/20251104054906.716914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/arm/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index f87e63b2212e..df2ae5c6af95 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -2,11 +2,11 @@ menu "Accelerated Cryptographic Algorithms for CPU (arm)" config CRYPTO_CURVE25519_NEON tristate - depends on KERNEL_MODE_NEON + depends on KERNEL_MODE_NEON && !CPU_BIG_ENDIAN select CRYPTO_KPP select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 default CRYPTO_LIB_CURVE25519_INTERNAL help base-commit: 8a243ecde1f6447b8e237f2c1c67c0bb67d16d67 -- 2.51.2

1 month

1
0
0 0

[PATCH 6.17] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

by Eric Biggers

commit 44e8241c51f762aafa50ed116da68fd6ecdcc954 upstream. On big endian arm kernels, the arm optimized Curve25519 code produces incorrect outputs and fails the Curve25519 test. This has been true ever since this code was added. It seems that hardly anyone (or even no one?) actually uses big endian arm kernels. But as long as they're ostensibly supported, we should disable this code on them so that it's not accidentally used. Note: for future-proofing, use !CPU_BIG_ENDIAN instead of CPU_LITTLE_ENDIAN. Both of these are arch-specific options that could get removed in the future if big endian support gets dropped. Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") Cc: stable(a)vger.kernel.org Acked-by: Ard Biesheuvel <ardb(a)kernel.org> Link: https://lore.kernel.org/r/20251104054906.716914-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- arch/arm/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index 1e5f3cdf691c..a00ab9265280 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -2,11 +2,11 @@ menu "Accelerated Cryptographic Algorithms for CPU (arm)" config CRYPTO_CURVE25519_NEON tristate - depends on KERNEL_MODE_NEON + depends on KERNEL_MODE_NEON && !CPU_BIG_ENDIAN select CRYPTO_KPP select CRYPTO_LIB_CURVE25519_GENERIC select CRYPTO_ARCH_HAVE_LIB_CURVE25519 default CRYPTO_LIB_CURVE25519_INTERNAL help base-commit: 7660ce69123ea73b22930fcf20d995ad310049ef -- 2.51.2

1 month

1
0
0 0

[PATCH v2 1/1] fuse: fix readahead reclaim deadlock

by Joanne Koong

Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()). Fixes: e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") Cc: stable(a)vger.kernel.org Signed-off-by: Joanne Koong <joannelkoong(a)gmail.com> Reported-by: Omar Sandoval <osandov(a)fb.com> --- fs/fuse/file.c | 40 ++++++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index f1ef77a0be05..654e21ee93fb 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -100,7 +100,7 @@ static void fuse_release_end(struct fuse_mount *fm, struct fuse_args *args, kfree(ra); } -static void fuse_file_put(struct fuse_file *ff, bool sync) +static void fuse_file_put(struct fuse_file *ff, bool sync, bool isdir) { if (refcount_dec_and_test(&ff->count)) { struct fuse_release_args *ra = &ff->args->release_args; @@ -110,7 +110,9 @@ static void fuse_file_put(struct fuse_file *ff, bool sync) fuse_file_io_release(ff, ra->inode); if (!args) { - /* Do nothing when server does not implement 'open' */ + /* Do nothing when server does not implement 'opendir' */ + } else if (!isdir && ff->fm->fc->no_open) { + fuse_release_end(ff->fm, args, 0); } else if (sync) { fuse_simple_request(ff->fm, args); fuse_release_end(ff->fm, args, 0); @@ -131,8 +133,17 @@ struct fuse_file *fuse_file_open(struct fuse_mount *fm, u64 nodeid, struct fuse_file *ff; int opcode = isdir ? FUSE_OPENDIR : FUSE_OPEN; bool open = isdir ? !fc->no_opendir : !fc->no_open; + bool release = !isdir || open; - ff = fuse_file_alloc(fm, open); + /* + * ff->args->release_args still needs to be allocated (so we can hold an + * inode reference while there are pending inflight file operations when + * ->release() is called, see fuse_prepare_release()) even if + * fc->no_open is set else it becomes possible for reclaim to deadlock + * if while servicing the readahead request the server triggers reclaim + * and reclaim evicts the inode of the file being read ahead. + */ + ff = fuse_file_alloc(fm, release); if (!ff) return ERR_PTR(-ENOMEM); @@ -152,13 +163,14 @@ struct fuse_file *fuse_file_open(struct fuse_mount *fm, u64 nodeid, fuse_file_free(ff); return ERR_PTR(err); } else { - /* No release needed */ - kfree(ff->args); - ff->args = NULL; - if (isdir) + if (isdir) { + /* No release needed */ + kfree(ff->args); + ff->args = NULL; fc->no_opendir = 1; - else + } else { fc->no_open = 1; + } } } @@ -363,7 +375,7 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff, * own ref to the file, the IO completion has to drop the ref, which is * how the fuse server can end up closing its clients' files. */ - fuse_file_put(ff, false); + fuse_file_put(ff, false, isdir); } void fuse_release_common(struct file *file, bool isdir) @@ -394,7 +406,7 @@ void fuse_sync_release(struct fuse_inode *fi, struct fuse_file *ff, { WARN_ON(refcount_read(&ff->count) > 1); fuse_prepare_release(fi, ff, flags, FUSE_RELEASE, true); - fuse_file_put(ff, true); + fuse_file_put(ff, true, false); } EXPORT_SYMBOL_GPL(fuse_sync_release); @@ -891,7 +903,7 @@ static void fuse_readpages_end(struct fuse_mount *fm, struct fuse_args *args, folio_put(ap->folios[i]); } if (ia->ff) - fuse_file_put(ia->ff, false); + fuse_file_put(ia->ff, false, false); fuse_io_free(ia); } @@ -1815,7 +1827,7 @@ static void fuse_writepage_free(struct fuse_writepage_args *wpa) if (wpa->bucket) fuse_sync_bucket_dec(wpa->bucket); - fuse_file_put(wpa->ia.ff, false); + fuse_file_put(wpa->ia.ff, false, false); kfree(ap->folios); kfree(wpa); @@ -1968,7 +1980,7 @@ int fuse_write_inode(struct inode *inode, struct writeback_control *wbc) ff = __fuse_write_file_get(fi); err = fuse_flush_times(inode, ff); if (ff) - fuse_file_put(ff, false); + fuse_file_put(ff, false, false); return err; } @@ -2186,7 +2198,7 @@ static int fuse_iomap_writeback_submit(struct iomap_writepage_ctx *wpc, } if (data->ff) - fuse_file_put(data->ff, false); + fuse_file_put(data->ff, false, false); return error; } -- 2.47.3

1 month

2
3
0 0

Mejora la gestión de compensaciones en tu empresa

by Daniel Rodríguez

Optimiza la gestión de compensaciones Garantiza remuneraciones justas y competitivas con Vorecol Compensation Management. Hola , Garantizar remuneraciones justas y competitivas es clave para atraer y retener talento, pero muchas veces determinar el salario adecuado puede ser complejo. Con Vorecol Compensation Management podrás establecer con precisión el salario para cada puesto, respaldado por criterios objetivos basados en los factores más relevantes de tu organización. Con Vorecol Compensation Management puedes: • Determinar salarios adecuados y equitativos para todos los roles. • Respaldar las decisiones de compensación con justificaciones objetivas. • Facilitar la transparencia y confianza en la gestión de remuneraciones. Esto permite crear un entorno laboral más justo, motivador y competitivo, beneficiando tanto a tu equipo como a la empresa. Aprovecha el Buen Fin del 1 al 22 de noviembre con hasta 15% de descuento y descubre cómo optimizar la gestión de compensaciones. Puedes responder a este correo o contactarme directamente; mis datos están al final del mensaje. Saludos, -------------- Atte.: Daniel Rodríguez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqwwseup">click aquí</a>

1 month

1
0
0 0

[PATCH] coresight: etm-perf: Fix reference count leak in etm_setup_aux

by Ma Ke

In etm_setup_aux(), when a user sink is obtained via coresight_get_sink_by_id(), it increments the reference count of the sink device. However, if the sink is used in path building, the path holds a reference, but the initial reference from coresight_get_sink_by_id() is not released, causing a reference count leak. We should release the initial reference after the path is built. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c index f677c08233ba..6584f6aa87bf 100644 --- a/drivers/hwtracing/coresight/coresight-etm-perf.c +++ b/drivers/hwtracing/coresight/coresight-etm-perf.c @@ -453,6 +453,11 @@ static void *etm_setup_aux(struct perf_event *event, void **pages, if (!event_data->snk_config) goto err; + if (user_sink) { + put_device(&user_sink->dev); + user_sink = NULL; + } + out: return event_data; -- 2.17.1

1 month

2
1
0 0

[PATCH] net: fealnx: fixed possible out of band acces to an array

by Ilya Krutskih

fixed possible out of band access to an array If the fealnx_init_one() function is called more than MAX_UNITS times or card_idx is less than zero Added a check: 0 <= card_idx < MAX_UNITS Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Ilya Krutskih <devsec(a)tpz.ru> --- drivers/net/ethernet/fealnx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c index 6ac8547ef9b8..c7f2141a01fe 100644 --- a/drivers/net/ethernet/fealnx.c +++ b/drivers/net/ethernet/fealnx.c @@ -491,8 +491,8 @@ static int fealnx_init_one(struct pci_dev *pdev, card_idx++; sprintf(boardname, "fealnx%d", card_idx); - - option = card_idx < MAX_UNITS ? options[card_idx] : 0; + if (card_idx >= 0) + option = card_idx < MAX_UNITS ? options[card_idx] : 0; i = pci_enable_device(pdev); if (i) return i; @@ -623,7 +623,7 @@ static int fealnx_init_one(struct pci_dev *pdev, np->default_port = option & 15; } - if (card_idx < MAX_UNITS && full_duplex[card_idx] > 0) + if ((0 <= card_idx && MAX_UNITS > card_idx) && full_duplex[card_idx] > 0) np->mii.full_duplex = full_duplex[card_idx]; if (np->mii.full_duplex) { -- 2.43.0

1 month

3
2
0 0

[PATCH] intel_th: Fix error handling in intel_th_output_open

by Ma Ke

intel_th_output_open() calls bus_find_device_by_devt() which internally increments the device reference count via get_device(), but this reference is not properly released in several error paths. When device driver is unavailable, file operations cannot be obtained, or the driver's open method fails, the function returns without calling put_device(), leading to a permanent device reference count leak. This prevents the device from being properly released and could cause resource exhaustion over time. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/hwtracing/intel_th/core.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c index 47d9e6c3bac0..ecc4b4ff5cf6 100644 --- a/drivers/hwtracing/intel_th/core.c +++ b/drivers/hwtracing/intel_th/core.c @@ -811,12 +811,12 @@ static int intel_th_output_open(struct inode *inode, struct file *file) dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); if (!dev || !dev->driver) - return -ENODEV; + goto out_no_device; thdrv = to_intel_th_driver(dev->driver); fops = fops_get(thdrv->fops); if (!fops) - return -ENODEV; + goto out_put_device; replace_fops(file, fops); @@ -824,10 +824,16 @@ static int intel_th_output_open(struct inode *inode, struct file *file) if (file->f_op->open) { err = file->f_op->open(inode, file); - return err; + if (err) + goto out_put_device; } return 0; + +out_put_device: + put_device(dev); +out_no_device: + return err; } static const struct file_operations intel_th_output_fops = { -- 2.17.1

1 month

2
1
0 0

[PATCH v12 1/3] NFSD: Make FILE_SYNC WRITEs comply with spec

by Chuck Lever

From: Chuck Lever <chuck.lever(a)oracle.com> Mike noted that when NFSD responds to an NFS_FILE_SYNC WRITE, it does not also persist file time stamps. To wit, Section 18.32.3 of RFC 8881 mandates: > The client specifies with the stable parameter the method of how > the data is to be processed by the server. If stable is > FILE_SYNC4, the server MUST commit the data written plus all file > system metadata to stable storage before returning results. This > corresponds to the NFSv2 protocol semantics. Any other behavior > constitutes a protocol violation. If stable is DATA_SYNC4, then > the server MUST commit all of the data to stable storage and > enough of the metadata to retrieve the data before returning. Commit 3f3503adb332 ("NFSD: Use vfs_iocb_iter_write()") replaced: - flags |= RWF_SYNC; with: + kiocb.ki_flags |= IOCB_DSYNC; which appears to be correct given: if (flags & RWF_SYNC) kiocb_flags |= IOCB_DSYNC; in kiocb_set_rw_flags(). However the author of that commit did not appreciate that the previous line in kiocb_set_rw_flags() results in IOCB_SYNC also being set: kiocb_flags |= (__force int) (flags & RWF_SUPPORTED); RWF_SUPPORTED contains RWF_SYNC, and RWF_SYNC is the same bit as IOCB_SYNC. Reviewers at the time did not catch the omission. Reported-by: Mike Snitzer <snitzer(a)kernel.org> Closes: https://lore.kernel.org/linux-nfs/20251018005431.3403-1-cel@kernel.org/T/#t Fixes: 3f3503adb332 ("NFSD: Use vfs_iocb_iter_write()") Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Reviewed-by: NeilBrown <neil(a)brown.name> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/nfsd/vfs.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index f537a7b4ee01..5333d49910d9 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -1314,8 +1314,18 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, stable = NFS_UNSTABLE; init_sync_kiocb(&kiocb, file); kiocb.ki_pos = offset; - if (stable && !fhp->fh_use_wgather) - kiocb.ki_flags |= IOCB_DSYNC; + if (likely(!fhp->fh_use_wgather)) { + switch (stable) { + case NFS_FILE_SYNC: + /* persist data and timestamps */ + kiocb.ki_flags |= IOCB_DSYNC | IOCB_SYNC; + break; + case NFS_DATA_SYNC: + /* persist data only */ + kiocb.ki_flags |= IOCB_DSYNC; + break; + } + } nvecs = xdr_buf_to_bvec(rqstp->rq_bvec, rqstp->rq_maxpages, payload); iov_iter_bvec(&iter, ITER_SOURCE, rqstp->rq_bvec, nvecs, *cnt); -- 2.51.0

1 month

1
0
0 0

[PATCH v2] usb: mtu3: fix possible NULL pointer dereference in ep0_rx_state()

by Pavel Zhigulin

The function 'ep0_rx_state()' accessed 'mreq->request' before verifying that mreq was valid. If 'next_ep0_request()' returned NULL, this could lead to a NULL pointer dereference. The return value of 'next_ep0_request()' is checked in every other code path except here. It appears that the intended 'if (mreq)' check was mistakenly written as 'if (req)', since the req pointer cannot be NULL when mreq is not NULL. Initialize 'mreq' and 'req' to NULL by default, and switch 'req' NULL-checking to 'mreq' non-NULL check to prevent invalid memory access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver") Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> --- v2: Add <stable(a)vger.kernel.org> to CC list v1: https://lore.kernel.org/all/20251027193152.3906497-1-Pavel.Zhigulin@kaspers… drivers/usb/mtu3/mtu3_gadget_ep0.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/usb/mtu3/mtu3_gadget_ep0.c b/drivers/usb/mtu3/mtu3_gadget_ep0.c index e4fd1bb14a55..ee7466ca4d99 100644 --- a/drivers/usb/mtu3/mtu3_gadget_ep0.c +++ b/drivers/usb/mtu3/mtu3_gadget_ep0.c @@ -508,8 +508,8 @@ static int handle_standard_request(struct mtu3 *mtu, /* receive an data packet (OUT) */ static void ep0_rx_state(struct mtu3 *mtu) { - struct mtu3_request *mreq; - struct usb_request *req; + struct mtu3_request *mreq = NULL; + struct usb_request *req = NULL; void __iomem *mbase = mtu->mac_base; u32 maxp; u32 csr; @@ -519,10 +519,11 @@ static void ep0_rx_state(struct mtu3 *mtu) csr = mtu3_readl(mbase, U3D_EP0CSR) & EP0_W1C_BITS; mreq = next_ep0_request(mtu); - req = &mreq->request; /* read packet and ack; or stall because of gadget driver bug */ - if (req) { + if (mreq) { + req = &mreq->request; + void *buf = req->buf + req->actual; unsigned int len = req->length - req->actual; -- 2.43.0

1 month

2
1
0 0

[PATCH v2] EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection

by niravkumarlaxmidas.rabara＠altera.com

From: Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> The current single-bit error injection mechanism flips bits directly in ECC RAM by performing write and read operations. When the ECC RAM is actively used by the Ethernet or USB controller, this approach sometimes trigger a false double-bit error. Switch both Ethernet and USB EDAC devices to use the INTTEST register (altr_edac_a10_device_inject_fops) for single-bit error injection, similar to the existing double-bit error injection method. Fixes: 064acbd4f4ab ("EDAC, altera: Add Stratix10 peripheral support") Cc: stable(a)vger.kernel.org Signed-off-by: Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> --- v2 changes: - Add missing Cc tag v1 link: https://lore.kernel.org/all/20251101051723.917688-1-niravkumarlaxmidas.raba… drivers/edac/altera_edac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/edac/altera_edac.c b/drivers/edac/altera_edac.c index 103b2c2eba2a..5c5d4585d8ae 100644 --- a/drivers/edac/altera_edac.c +++ b/drivers/edac/altera_edac.c @@ -1357,7 +1357,7 @@ static const struct edac_device_prv_data a10_enetecc_data = { .ue_set_mask = ALTR_A10_ECC_TDERRA, .set_err_ofst = ALTR_A10_ECC_INTTEST_OFST, .ecc_irq_handler = altr_edac_a10_ecc_irq, - .inject_fops = &altr_edac_a10_device_inject2_fops, + .inject_fops = &altr_edac_a10_device_inject_fops, }; #endif /* CONFIG_EDAC_ALTERA_ETHERNET */ @@ -1447,7 +1447,7 @@ static const struct edac_device_prv_data a10_usbecc_data = { .ue_set_mask = ALTR_A10_ECC_TDERRA, .set_err_ofst = ALTR_A10_ECC_INTTEST_OFST, .ecc_irq_handler = altr_edac_a10_ecc_irq, - .inject_fops = &altr_edac_a10_device_inject2_fops, + .inject_fops = &altr_edac_a10_device_inject_fops, }; #endif /* CONFIG_EDAC_ALTERA_USB */ -- 2.25.1

1 month

3
2
0 0

[PATCH v2] EDAC/altera: Handle OCRAM ECC enable after warm reset

by niravkumarlaxmidas.rabara＠altera.com

From: Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> The OCRAM ECC is always enabled either by the BootROM or by the Secure Device Manager (SDM) during a power-on reset on SoCFPGA. However, during a warm reset, the OCRAM content is retained to preserve data, while the control and status registers are reset to their default values. As a result, ECC must be explicitly re-enabled after a warm reset. Fixes: 17e47dc6db4f ("EDAC/altera: Add Stratix10 OCRAM ECC support") Cc: stable(a)vger.kernel.org Signed-off-by: Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> Acked-by: Dinh Nguyen <dinguyen(a)kernel.org> --- v2 changes: - Add Fixes and Cc tags - Retains Acked-by from v1 patch v1 link: https://lore.kernel.org/all/20251103140920.1060643-1-niravkumarlaxmidas.rab… drivers/edac/altera_edac.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/edac/altera_edac.c b/drivers/edac/altera_edac.c index 103b2c2eba2a..a776d61027f2 100644 --- a/drivers/edac/altera_edac.c +++ b/drivers/edac/altera_edac.c @@ -1184,10 +1184,22 @@ altr_check_ocram_deps_init(struct altr_edac_device_dev *device) if (ret) return ret; - /* Verify OCRAM has been initialized */ + /* + * Verify that OCRAM has been initialized. + * During a warm reset, OCRAM contents are retained, but the control + * and status registers are reset to their default values. Therefore, + * ECC must be explicitly re-enabled in the control register. + * Error condition: if INITCOMPLETEA is clear and ECC_EN is already set. + */ if (!ecc_test_bits(ALTR_A10_ECC_INITCOMPLETEA, - (base + ALTR_A10_ECC_INITSTAT_OFST))) - return -ENODEV; + (base + ALTR_A10_ECC_INITSTAT_OFST))) { + if (!ecc_test_bits(ALTR_A10_ECC_EN, + (base + ALTR_A10_ECC_CTRL_OFST))) + ecc_set_bits(ALTR_A10_ECC_EN, + (base + ALTR_A10_ECC_CTRL_OFST)); + else + return -ENODEV; + } /* Enable IRQ on Single Bit Error */ writel(ALTR_A10_ECC_SERRINTEN, (base + ALTR_A10_ECC_ERRINTENS_OFST)); -- 2.25.1

1 month

2
1
0 0

[PATCH 0/2] fuse: Fix missing fuse_copy_finish in dev_uring.c

by Bernd Schubert

Both argument copies in dev_uring.c miss fuse_copy_finish. Signed-off-by: Bernd Schubert <bschubert(a)ddn.com> --- Bernd Schubert (1): fuse: Fix whitespace for fuse_uring_args_to_ring() comment Cheng Ding (1): fuse: missing copy_finish in fuse-over-io-uring argument copies fs/fuse/dev.c | 2 +- fs/fuse/dev_uring.c | 18 ++++++++++++------ fs/fuse/fuse_dev_i.h | 1 + 3 files changed, 14 insertions(+), 7 deletions(-) --- base-commit: 6548d364a3e850326831799d7e3ea2d7bb97ba08 change-id: 20251021-io-uring-fixes-copy-finish-07ae602e2ab1 Best regards, -- Bernd Schubert <bschubert(a)ddn.com>

1 month

3
3
0 0

[PATCH v2 0/2] Fix SSR unable to wake up bug

by Shuai Zhang

This patch series fixes delayed hw_error handling during SSR. Patch 1 adds a wakeup to ensure hw_error is processed promptly after coredump collection. Patch 2 corrects the timeout unit from jiffies to ms. Changes v2: - Split timeout conversion into a separate patch. - Clarified commit messages and added test case description. - Link to v1 https://lore.kernel.org/all/20251104112601.2670019-1-quic_shuaz@quicinc.com/ Shuai Zhang (2): Bluetooth: qca: Fix delayed hw_error handling due to missing wakeup during SSR Bluetooth: hci_qca: Convert timeout from jiffies to ms drivers/bluetooth/hci_qca.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- 2.34.1

1 month

3
5
0 0

[tip: sched/core] sched/eevdf: Fix min_vruntime vs avg_vruntime

by tip-bot2 for Peter Zijlstra

The following commit has been merged into the sched/core branch of tip: Commit-ID: 79f3f9bedd149ea438aaeb0fb6a083637affe205 Gitweb: https://git.kernel.org/tip/79f3f9bedd149ea438aaeb0fb6a083637affe205 Author: Peter Zijlstra <peterz(a)infradead.org> AuthorDate: Wed, 02 Apr 2025 20:07:34 +02:00 Committer: Peter Zijlstra <peterz(a)infradead.org> CommitterDate: Tue, 11 Nov 2025 12:33:38 +01:00 sched/eevdf: Fix min_vruntime vs avg_vruntime Basically, from the constraint that the sum of lag is zero, you can infer that the 0-lag point is the weighted average of the individual vruntime, which is what we're trying to compute: \Sum w_i * v_i avg = -------------- \Sum w_i Now, since vruntime takes the whole u64 (worse, it wraps), this multiplication term in the numerator is not something we can compute; instead we do the min_vruntime (v0 henceforth) thing like: v_i = (v_i - v0) + v0 This does two things: - it keeps the key: (v_i - v0) 'small'; - it creates a relative 0-point in the modular space. If you do that subtitution and work it all out, you end up with: \Sum w_i * (v_i - v0) avg = --------------------- + v0 \Sum w_i Since you cannot very well track a ratio like that (and not suffer terrible numerical problems) we simpy track the numerator and denominator individually and only perform the division when strictly needed. Notably, the numerator lives in cfs_rq->avg_vruntime and the denominator lives in cfs_rq->avg_load. The one extra 'funny' is that these numbers track the entities in the tree, and current is typically outside of the tree, so avg_vruntime() adds current when needed before doing the division. (vruntime_eligible() elides the division by cross-wise multiplication) Anyway, as mentioned above, we currently use the CFS era min_vruntime for this purpose. However, this thing can only move forward, while the above avg can in fact move backward (when a non-eligible task leaves, the average becomes smaller), this can cause trouble when through happenstance (or construction) these values drift far enough apart to wreck the game. Replace cfs_rq::min_vruntime with cfs_rq::zero_vruntime which is kept near/at avg_vruntime, following its motion. The down-side is that this requires computing the avg more often. Fixes: 147f3efaa241 ("sched/fair: Implement an EEVDF-like scheduling policy") Reported-by: Zicheng Qu <quzicheng(a)huawei.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://patch.msgid.link/20251106111741.GC4068168@noisy.programming.kicks-a… Cc: stable(a)vger.kernel.org --- kernel/sched/debug.c | 8 +-- kernel/sched/fair.c | 114 +++++++++--------------------------------- kernel/sched/sched.h | 4 +- 3 files changed, 31 insertions(+), 95 deletions(-) diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c index 02e16b7..41caa22 100644 --- a/kernel/sched/debug.c +++ b/kernel/sched/debug.c @@ -796,7 +796,7 @@ static void print_rq(struct seq_file *m, struct rq *rq, int rq_cpu) void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq) { - s64 left_vruntime = -1, min_vruntime, right_vruntime = -1, left_deadline = -1, spread; + s64 left_vruntime = -1, zero_vruntime, right_vruntime = -1, left_deadline = -1, spread; struct sched_entity *last, *first, *root; struct rq *rq = cpu_rq(cpu); unsigned long flags; @@ -819,15 +819,15 @@ void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq) last = __pick_last_entity(cfs_rq); if (last) right_vruntime = last->vruntime; - min_vruntime = cfs_rq->min_vruntime; + zero_vruntime = cfs_rq->zero_vruntime; raw_spin_rq_unlock_irqrestore(rq, flags); SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "left_deadline", SPLIT_NS(left_deadline)); SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "left_vruntime", SPLIT_NS(left_vruntime)); - SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "min_vruntime", - SPLIT_NS(min_vruntime)); + SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "zero_vruntime", + SPLIT_NS(zero_vruntime)); SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "avg_vruntime", SPLIT_NS(avg_vruntime(cfs_rq))); SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "right_vruntime", diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 4a11a83..8d971d4 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -554,7 +554,7 @@ static inline bool entity_before(const struct sched_entity *a, static inline s64 entity_key(struct cfs_rq *cfs_rq, struct sched_entity *se) { - return (s64)(se->vruntime - cfs_rq->min_vruntime); + return (s64)(se->vruntime - cfs_rq->zero_vruntime); } #define __node_2_se(node) \ @@ -606,13 +606,13 @@ static inline s64 entity_key(struct cfs_rq *cfs_rq, struct sched_entity *se) * * Which we track using: * - * v0 := cfs_rq->min_vruntime + * v0 := cfs_rq->zero_vruntime * \Sum (v_i - v0) * w_i := cfs_rq->avg_vruntime * \Sum w_i := cfs_rq->avg_load * - * Since min_vruntime is a monotonic increasing variable that closely tracks - * the per-task service, these deltas: (v_i - v), will be in the order of the - * maximal (virtual) lag induced in the system due to quantisation. + * Since zero_vruntime closely tracks the per-task service, these + * deltas: (v_i - v), will be in the order of the maximal (virtual) lag + * induced in the system due to quantisation. * * Also, we use scale_load_down() to reduce the size. * @@ -671,7 +671,7 @@ u64 avg_vruntime(struct cfs_rq *cfs_rq) avg = div_s64(avg, load); } - return cfs_rq->min_vruntime + avg; + return cfs_rq->zero_vruntime + avg; } /* @@ -732,7 +732,7 @@ static int vruntime_eligible(struct cfs_rq *cfs_rq, u64 vruntime) load += weight; } - return avg >= (s64)(vruntime - cfs_rq->min_vruntime) * load; + return avg >= (s64)(vruntime - cfs_rq->zero_vruntime) * load; } int entity_eligible(struct cfs_rq *cfs_rq, struct sched_entity *se) @@ -740,42 +740,14 @@ int entity_eligible(struct cfs_rq *cfs_rq, struct sched_entity *se) return vruntime_eligible(cfs_rq, se->vruntime); } -static u64 __update_min_vruntime(struct cfs_rq *cfs_rq, u64 vruntime) +static void update_zero_vruntime(struct cfs_rq *cfs_rq) { - u64 min_vruntime = cfs_rq->min_vruntime; - /* - * open coded max_vruntime() to allow updating avg_vruntime - */ - s64 delta = (s64)(vruntime - min_vruntime); - if (delta > 0) { - avg_vruntime_update(cfs_rq, delta); - min_vruntime = vruntime; - } - return min_vruntime; -} + u64 vruntime = avg_vruntime(cfs_rq); + s64 delta = (s64)(vruntime - cfs_rq->zero_vruntime); -static void update_min_vruntime(struct cfs_rq *cfs_rq) -{ - struct sched_entity *se = __pick_root_entity(cfs_rq); - struct sched_entity *curr = cfs_rq->curr; - u64 vruntime = cfs_rq->min_vruntime; - - if (curr) { - if (curr->on_rq) - vruntime = curr->vruntime; - else - curr = NULL; - } + avg_vruntime_update(cfs_rq, delta); - if (se) { - if (!curr) - vruntime = se->min_vruntime; - else - vruntime = min_vruntime(vruntime, se->min_vruntime); - } - - /* ensure we never gain time by being placed backwards. */ - cfs_rq->min_vruntime = __update_min_vruntime(cfs_rq, vruntime); + cfs_rq->zero_vruntime = vruntime; } static inline u64 cfs_rq_min_slice(struct cfs_rq *cfs_rq) @@ -848,6 +820,7 @@ RB_DECLARE_CALLBACKS(static, min_vruntime_cb, struct sched_entity, static void __enqueue_entity(struct cfs_rq *cfs_rq, struct sched_entity *se) { avg_vruntime_add(cfs_rq, se); + update_zero_vruntime(cfs_rq); se->min_vruntime = se->vruntime; se->min_slice = se->slice; rb_add_augmented_cached(&se->run_node, &cfs_rq->tasks_timeline, @@ -859,6 +832,7 @@ static void __dequeue_entity(struct cfs_rq *cfs_rq, struct sched_entity *se) rb_erase_augmented_cached(&se->run_node, &cfs_rq->tasks_timeline, &min_vruntime_cb); avg_vruntime_sub(cfs_rq, se); + update_zero_vruntime(cfs_rq); } struct sched_entity *__pick_root_entity(struct cfs_rq *cfs_rq) @@ -1226,7 +1200,6 @@ static void update_curr(struct cfs_rq *cfs_rq) curr->vruntime += calc_delta_fair(delta_exec, curr); resched = update_deadline(cfs_rq, curr); - update_min_vruntime(cfs_rq); if (entity_is_task(curr)) { /* @@ -3808,15 +3781,6 @@ static void reweight_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, if (!curr) __enqueue_entity(cfs_rq, se); cfs_rq->nr_queued++; - - /* - * The entity's vruntime has been adjusted, so let's check - * whether the rq-wide min_vruntime needs updated too. Since - * the calculations above require stable min_vruntime rather - * than up-to-date one, we do the update at the end of the - * reweight process. - */ - update_min_vruntime(cfs_rq); } } @@ -5429,15 +5393,6 @@ dequeue_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int flags) update_cfs_group(se); - /* - * Now advance min_vruntime if @se was the entity holding it back, - * except when: DEQUEUE_SAVE && !DEQUEUE_MOVE, in this case we'll be - * put back on, and if we advance min_vruntime, we'll be placed back - * further than we started -- i.e. we'll be penalized. - */ - if ((flags & (DEQUEUE_SAVE | DEQUEUE_MOVE)) != DEQUEUE_SAVE) - update_min_vruntime(cfs_rq); - if (flags & DEQUEUE_DELAYED) finish_delayed_dequeue_entity(se); @@ -9015,7 +8970,6 @@ static void yield_task_fair(struct rq *rq) if (entity_eligible(cfs_rq, se)) { se->vruntime = se->deadline; se->deadline += calc_delta_fair(se->slice, se); - update_min_vruntime(cfs_rq); } } @@ -13078,23 +13032,6 @@ static inline void task_tick_core(struct rq *rq, struct task_struct *curr) * Which shows that S and s_i transform alike (which makes perfect sense * given that S is basically the (weighted) average of s_i). * - * Then: - * - * x -> s_min := min{s_i} (8) - * - * to obtain: - * - * \Sum_i w_i (s_i - s_min) - * S = s_min + ------------------------ (9) - * \Sum_i w_i - * - * Which already looks familiar, and is the basis for our current - * approximation: - * - * S ~= s_min (10) - * - * Now, obviously, (10) is absolute crap :-), but it sorta works. - * * So the thing to remember is that the above is strictly UP. It is * possible to generalize to multiple runqueues -- however it gets really * yuck when you have to add affinity support, as illustrated by our very @@ -13116,23 +13053,23 @@ static inline void task_tick_core(struct rq *rq, struct task_struct *curr) * Let, for our runqueue 'k': * * T_k = \Sum_i w_i s_i - * W_k = \Sum_i w_i ; for all i of k (11) + * W_k = \Sum_i w_i ; for all i of k (8) * * Then we can write (6) like: * * T_k - * S_k = --- (12) + * S_k = --- (9) * W_k * * From which immediately follows that: * * T_k + T_l - * S_k+l = --------- (13) + * S_k+l = --------- (10) * W_k + W_l * * On which we can define a combined lag: * - * lag_k+l(i) := S_k+l - s_i (14) + * lag_k+l(i) := S_k+l - s_i (11) * * And that gives us the tools to compare tasks across a combined runqueue. * @@ -13143,7 +13080,7 @@ static inline void task_tick_core(struct rq *rq, struct task_struct *curr) * using (7); this only requires storing single 'time'-stamps. * * b) when comparing tasks between 2 runqueues of which one is forced-idle, - * compare the combined lag, per (14). + * compare the combined lag, per (11). * * Now, of course cgroups (I so hate them) make this more interesting in * that a) seems to suggest we need to iterate all cgroup on a CPU at such @@ -13191,12 +13128,11 @@ static inline void task_tick_core(struct rq *rq, struct task_struct *curr) * every tick. This limits the observed divergence due to the work * conservancy. * - * On top of that, we can improve upon things by moving away from our - * horrible (10) hack and moving to (9) and employing (13) here. + * On top of that, we can improve upon things by employing (10) here. */ /* - * se_fi_update - Update the cfs_rq->min_vruntime_fi in a CFS hierarchy if needed. + * se_fi_update - Update the cfs_rq->zero_vruntime_fi in a CFS hierarchy if needed. */ static void se_fi_update(const struct sched_entity *se, unsigned int fi_seq, bool forceidle) @@ -13210,7 +13146,7 @@ static void se_fi_update(const struct sched_entity *se, unsigned int fi_seq, cfs_rq->forceidle_seq = fi_seq; } - cfs_rq->min_vruntime_fi = cfs_rq->min_vruntime; + cfs_rq->zero_vruntime_fi = cfs_rq->zero_vruntime; } } @@ -13263,11 +13199,11 @@ bool cfs_prio_less(const struct task_struct *a, const struct task_struct *b, /* * Find delta after normalizing se's vruntime with its cfs_rq's - * min_vruntime_fi, which would have been updated in prior calls + * zero_vruntime_fi, which would have been updated in prior calls * to se_fi_update(). */ delta = (s64)(sea->vruntime - seb->vruntime) + - (s64)(cfs_rqb->min_vruntime_fi - cfs_rqa->min_vruntime_fi); + (s64)(cfs_rqb->zero_vruntime_fi - cfs_rqa->zero_vruntime_fi); return delta > 0; } @@ -13513,7 +13449,7 @@ static void set_next_task_fair(struct rq *rq, struct task_struct *p, bool first) void init_cfs_rq(struct cfs_rq *cfs_rq) { cfs_rq->tasks_timeline = RB_ROOT_CACHED; - cfs_rq->min_vruntime = (u64)(-(1LL << 20)); + cfs_rq->zero_vruntime = (u64)(-(1LL << 20)); raw_spin_lock_init(&cfs_rq->removed.lock); } diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 82e74e8..5a3cf81 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -681,10 +681,10 @@ struct cfs_rq { s64 avg_vruntime; u64 avg_load; - u64 min_vruntime; + u64 zero_vruntime; #ifdef CONFIG_SCHED_CORE unsigned int forceidle_seq; - u64 min_vruntime_fi; + u64 zero_vruntime_fi; #endif struct rb_root_cached tasks_timeline;

1 month

1
0
0 0

[PATCH 6/6] Revert "PCI: dwc: Don't wait for link up if driver can detect Link Up event"

by Niklas Cassel

This reverts commit 8d3bf19f1b585a3cc0027f508b64c33484db8d0d. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses starts showing up and the PCI core doesn't extend the subordinate bus number after initial scan during boot. The long term plan is to migrate this driver to the pwrctrl framework, once it adds proper support for powering up and enumerating PCIe switches. Cc: stable(a)vger.kernel.org Suggested-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-designware-host.c | 10 ++-------- drivers/pci/controller/dwc/pcie-designware.h | 1 - 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index e92513c5bda5..f7e13dc16653 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -664,14 +664,8 @@ int dw_pcie_host_init(struct dw_pcie_rp *pp) goto err_remove_edma; } - /* - * Note: Skip the link up delay only when a Link Up IRQ is present. - * If there is no Link Up IRQ, we should not bypass the delay - * because that would require users to manually rescan for devices. - */ - if (!pp->use_linkup_irq) - /* Ignore errors, the link may come up later */ - dw_pcie_wait_for_link(pci); + /* Ignore errors, the link may come up later */ + dw_pcie_wait_for_link(pci); ret = pci_host_probe(bridge); if (ret) diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h index e995f692a1ec..640827e9d093 100644 --- a/drivers/pci/controller/dwc/pcie-designware.h +++ b/drivers/pci/controller/dwc/pcie-designware.h @@ -426,7 +426,6 @@ struct dw_pcie_rp { bool use_atu_msg; int msg_atu_index; struct resource *msg_res; - bool use_linkup_irq; struct pci_eq_presets presets; struct pci_config_window *cfg; bool ecam_enabled; -- 2.51.1

1 month

1
0
0 0

[PATCH 5/6] Revert "PCI: qcom: Enumerate endpoints based on Link up event in 'global_irq' interrupt"

by Niklas Cassel

This reverts commit 4581403f67929d02c197cb187c4e1e811c9e762a. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses starts showing up and the PCI core doesn't extend the subordinate bus number after initial scan during boot. The long term plan is to migrate this driver to the pwrctrl framework, once it adds proper support for powering up and enumerating PCIe switches. Cc: stable(a)vger.kernel.org Suggested-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-qcom.c | 58 +------------------------- 1 file changed, 1 insertion(+), 57 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c index 28f5f7acb92a..b10e8adc79bb 100644 --- a/drivers/pci/controller/dwc/pcie-qcom.c +++ b/drivers/pci/controller/dwc/pcie-qcom.c @@ -55,9 +55,6 @@ #define PARF_AXI_MSTR_WR_ADDR_HALT_V2 0x1a8 #define PARF_Q2A_FLUSH 0x1ac #define PARF_LTSSM 0x1b0 -#define PARF_INT_ALL_STATUS 0x224 -#define PARF_INT_ALL_CLEAR 0x228 -#define PARF_INT_ALL_MASK 0x22c #define PARF_SID_OFFSET 0x234 #define PARF_BDF_TRANSLATE_CFG 0x24c #define PARF_DBI_BASE_ADDR_V2 0x350 @@ -134,9 +131,6 @@ /* PARF_LTSSM register fields */ #define LTSSM_EN BIT(8) -/* PARF_INT_ALL_{STATUS/CLEAR/MASK} register fields */ -#define PARF_INT_ALL_LINK_UP BIT(13) - /* PARF_NO_SNOOP_OVERRIDE register fields */ #define WR_NO_SNOOP_OVERRIDE_EN BIT(1) #define RD_NO_SNOOP_OVERRIDE_EN BIT(3) @@ -1604,32 +1598,6 @@ static void qcom_pcie_init_debugfs(struct qcom_pcie *pcie) qcom_pcie_link_transition_count); } -static irqreturn_t qcom_pcie_global_irq_thread(int irq, void *data) -{ - struct qcom_pcie *pcie = data; - struct dw_pcie_rp *pp = &pcie->pci->pp; - struct device *dev = pcie->pci->dev; - u32 status = readl_relaxed(pcie->parf + PARF_INT_ALL_STATUS); - - writel_relaxed(status, pcie->parf + PARF_INT_ALL_CLEAR); - - if (FIELD_GET(PARF_INT_ALL_LINK_UP, status)) { - msleep(PCIE_RESET_CONFIG_WAIT_MS); - dev_dbg(dev, "Received Link up event. Starting enumeration!\n"); - /* Rescan the bus to enumerate endpoint devices */ - pci_lock_rescan_remove(); - pci_rescan_bus(pp->bridge->bus); - pci_unlock_rescan_remove(); - - qcom_pcie_icc_opp_update(pcie); - } else { - dev_WARN_ONCE(dev, 1, "Received unknown event. INT_STATUS: 0x%08x\n", - status); - } - - return IRQ_HANDLED; -} - static void qcom_pci_free_msi(void *ptr) { struct dw_pcie_rp *pp = (struct dw_pcie_rp *)ptr; @@ -1774,8 +1742,7 @@ static int qcom_pcie_probe(struct platform_device *pdev) struct dw_pcie_rp *pp; struct resource *res; struct dw_pcie *pci; - int ret, irq; - char *name; + int ret; pcie_cfg = of_device_get_match_data(dev); if (!pcie_cfg) { @@ -1932,27 +1899,6 @@ static int qcom_pcie_probe(struct platform_device *pdev) goto err_phy_exit; } - name = devm_kasprintf(dev, GFP_KERNEL, "qcom_pcie_global_irq%d", - pci_domain_nr(pp->bridge->bus)); - if (!name) { - ret = -ENOMEM; - goto err_host_deinit; - } - - irq = platform_get_irq_byname_optional(pdev, "global"); - if (irq > 0) { - ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, - qcom_pcie_global_irq_thread, - IRQF_ONESHOT, name, pcie); - if (ret) { - dev_err_probe(&pdev->dev, ret, - "Failed to request Global IRQ\n"); - goto err_host_deinit; - } - - writel_relaxed(PARF_INT_ALL_LINK_UP, pcie->parf + PARF_INT_ALL_MASK); - } - qcom_pcie_icc_opp_update(pcie); if (pcie->mhi) @@ -1960,8 +1906,6 @@ static int qcom_pcie_probe(struct platform_device *pdev) return 0; -err_host_deinit: - dw_pcie_host_deinit(pp); err_phy_exit: list_for_each_entry_safe(port, tmp, &pcie->ports, list) { phy_exit(port->phy); -- 2.51.1

1 month

1
0
0 0

[PATCH 4/6] Revert "PCI: qcom: Enable MSI interrupts together with Link up if 'Global IRQ' is supported"

by Niklas Cassel

This reverts commit ba4a2e2317b9faeca9193ed6d3193ddc3cf2aba3. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses starts showing up and the PCI core doesn't extend the subordinate bus number after initial scan during boot. The long term plan is to migrate this driver to the pwrctrl framework, once it adds proper support for powering up and enumerating PCIe switches. Cc: stable(a)vger.kernel.org Suggested-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-qcom.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c index 70c0ae8b7523..28f5f7acb92a 100644 --- a/drivers/pci/controller/dwc/pcie-qcom.c +++ b/drivers/pci/controller/dwc/pcie-qcom.c @@ -136,7 +136,6 @@ /* PARF_INT_ALL_{STATUS/CLEAR/MASK} register fields */ #define PARF_INT_ALL_LINK_UP BIT(13) -#define PARF_INT_MSI_DEV_0_7 GENMASK(30, 23) /* PARF_NO_SNOOP_OVERRIDE register fields */ #define WR_NO_SNOOP_OVERRIDE_EN BIT(1) @@ -1951,8 +1950,7 @@ static int qcom_pcie_probe(struct platform_device *pdev) goto err_host_deinit; } - writel_relaxed(PARF_INT_ALL_LINK_UP | PARF_INT_MSI_DEV_0_7, - pcie->parf + PARF_INT_ALL_MASK); + writel_relaxed(PARF_INT_ALL_LINK_UP, pcie->parf + PARF_INT_ALL_MASK); } qcom_pcie_icc_opp_update(pcie); -- 2.51.1

1 month

1
0
0 0

[PATCH 3/6] Revert "PCI: qcom: Don't wait for link if we can detect Link Up"

by Niklas Cassel

This reverts commit 36971d6c5a9a134c15760ae9fd13c6d5f9a36abb. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses starts showing up and the PCI core doesn't extend the subordinate bus number after initial scan during boot. The long term plan is to migrate this driver to the pwrctrl framework, once it adds proper support for powering up and enumerating PCIe switches. Cc: stable(a)vger.kernel.org Suggested-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-qcom.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c index c48a20602d7f..70c0ae8b7523 100644 --- a/drivers/pci/controller/dwc/pcie-qcom.c +++ b/drivers/pci/controller/dwc/pcie-qcom.c @@ -1927,10 +1927,6 @@ static int qcom_pcie_probe(struct platform_device *pdev) platform_set_drvdata(pdev, pcie); - irq = platform_get_irq_byname_optional(pdev, "global"); - if (irq > 0) - pp->use_linkup_irq = true; - ret = dw_pcie_host_init(pp); if (ret) { dev_err(dev, "cannot initialize host\n"); @@ -1944,6 +1940,7 @@ static int qcom_pcie_probe(struct platform_device *pdev) goto err_host_deinit; } + irq = platform_get_irq_byname_optional(pdev, "global"); if (irq > 0) { ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, qcom_pcie_global_irq_thread, -- 2.51.1

1 month

1
0
0 0

[PATCH 2/6] Revert "PCI: dw-rockchip: Enumerate endpoints based on dll_link_up IRQ"

by Niklas Cassel

This reverts commit 0e0b45ab5d770a748487ba0ae8f77d1fb0f0de3e. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses starts showing up and the PCI core doesn't extend the subordinate bus number after initial scan during boot. The long term plan is to migrate this driver to the pwrctrl framework, once it adds proper support for powering up and enumerating PCIe switches. Cc: stable(a)vger.kernel.org Suggested-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-dw-rockchip.c | 59 +------------------ 1 file changed, 3 insertions(+), 56 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-dw-rockchip.c b/drivers/pci/controller/dwc/pcie-dw-rockchip.c index 07378ececd88..7eceec8c9c83 100644 --- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c +++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c @@ -448,34 +448,6 @@ static const struct dw_pcie_ops dw_pcie_ops = { .stop_link = rockchip_pcie_stop_link, }; -static irqreturn_t rockchip_pcie_rc_sys_irq_thread(int irq, void *arg) -{ - struct rockchip_pcie *rockchip = arg; - struct dw_pcie *pci = &rockchip->pci; - struct dw_pcie_rp *pp = &pci->pp; - struct device *dev = pci->dev; - u32 reg; - - reg = rockchip_pcie_readl_apb(rockchip, PCIE_CLIENT_INTR_STATUS_MISC); - rockchip_pcie_writel_apb(rockchip, reg, PCIE_CLIENT_INTR_STATUS_MISC); - - dev_dbg(dev, "PCIE_CLIENT_INTR_STATUS_MISC: %#x\n", reg); - dev_dbg(dev, "LTSSM_STATUS: %#x\n", rockchip_pcie_get_ltssm(rockchip)); - - if (reg & PCIE_RDLH_LINK_UP_CHGED) { - if (rockchip_pcie_link_up(pci)) { - msleep(PCIE_RESET_CONFIG_WAIT_MS); - dev_dbg(dev, "Received Link up event. Starting enumeration!\n"); - /* Rescan the bus to enumerate endpoint devices */ - pci_lock_rescan_remove(); - pci_rescan_bus(pp->bridge->bus); - pci_unlock_rescan_remove(); - } - } - - return IRQ_HANDLED; -} - static irqreturn_t rockchip_pcie_ep_sys_irq_thread(int irq, void *arg) { struct rockchip_pcie *rockchip = arg; @@ -508,29 +480,14 @@ static irqreturn_t rockchip_pcie_ep_sys_irq_thread(int irq, void *arg) return IRQ_HANDLED; } -static int rockchip_pcie_configure_rc(struct platform_device *pdev, - struct rockchip_pcie *rockchip) +static int rockchip_pcie_configure_rc(struct rockchip_pcie *rockchip) { - struct device *dev = &pdev->dev; struct dw_pcie_rp *pp; - int irq, ret; u32 val; if (!IS_ENABLED(CONFIG_PCIE_ROCKCHIP_DW_HOST)) return -ENODEV; - irq = platform_get_irq_byname(pdev, "sys"); - if (irq < 0) - return irq; - - ret = devm_request_threaded_irq(dev, irq, NULL, - rockchip_pcie_rc_sys_irq_thread, - IRQF_ONESHOT, "pcie-sys-rc", rockchip); - if (ret) { - dev_err(dev, "failed to request PCIe sys IRQ\n"); - return ret; - } - /* LTSSM enable control mode */ val = FIELD_PREP_WM16(PCIE_LTSSM_ENABLE_ENHANCE, 1); rockchip_pcie_writel_apb(rockchip, val, PCIE_CLIENT_HOT_RESET_CTRL); @@ -542,17 +499,7 @@ static int rockchip_pcie_configure_rc(struct platform_device *pdev, pp = &rockchip->pci.pp; pp->ops = &rockchip_pcie_host_ops; - ret = dw_pcie_host_init(pp); - if (ret) { - dev_err(dev, "failed to initialize host\n"); - return ret; - } - - /* unmask DLL up/down indicator */ - val = FIELD_PREP_WM16(PCIE_RDLH_LINK_UP_CHGED, 0); - rockchip_pcie_writel_apb(rockchip, val, PCIE_CLIENT_INTR_MASK_MISC); - - return ret; + return dw_pcie_host_init(pp); } static int rockchip_pcie_configure_ep(struct platform_device *pdev, @@ -678,7 +625,7 @@ static int rockchip_pcie_probe(struct platform_device *pdev) switch (data->mode) { case DW_PCIE_RC_TYPE: - ret = rockchip_pcie_configure_rc(pdev, rockchip); + ret = rockchip_pcie_configure_rc(rockchip); if (ret) goto deinit_clk; break; -- 2.51.1

1 month

1
0
0 0

[PATCH 1/6] Revert "PCI: dw-rockchip: Don't wait for link since we can detect Link Up"

by Niklas Cassel

This reverts commit ec9fd499b9c60a187ac8d6414c3c343c77d32e42. While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly: pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43 pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44 pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45 pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46 pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41]) pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46 pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41]) pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46 During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable. This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses starts showing up and the PCI core doesn't extend the subordinate bus number after initial scan during boot. The long term plan is to migrate this driver to the pwrctrl framework, once it adds proper support for powering up and enumerating PCIe switches. Cc: stable(a)vger.kernel.org Suggested-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-dw-rockchip.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/pci/controller/dwc/pcie-dw-rockchip.c b/drivers/pci/controller/dwc/pcie-dw-rockchip.c index 3e2752c7dd09..07378ececd88 100644 --- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c +++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c @@ -541,7 +541,6 @@ static int rockchip_pcie_configure_rc(struct platform_device *pdev, pp = &rockchip->pci.pp; pp->ops = &rockchip_pcie_host_ops; - pp->use_linkup_irq = true; ret = dw_pcie_host_init(pp); if (ret) { -- 2.51.1

1 month

1
0
0 0

[PATCH net v5 2/3] net,mptcp: fix proto fallback detection with BPF

by Jiayuan Chen

The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Cc: <stable(a)vger.kernel.org> Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Reviewed-by: Jakub Sitnicki <jakub(a)cloudflare.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/protocol.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 2d6b8de35c44..90b4aeca2596 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -61,11 +61,13 @@ static u64 mptcp_wnd_end(const struct mptcp_sock *msk) static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk) { + unsigned short family = READ_ONCE(sk->sk_family); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) - if (sk->sk_prot == &tcpv6_prot) + if (family == AF_INET6) return &inet6_stream_ops; #endif - WARN_ON_ONCE(sk->sk_prot != &tcp_prot); + WARN_ON_ONCE(family != AF_INET); return &inet_stream_ops; } -- 2.43.0

1 month

2
1
0 0

[PATCH] ARM: dts: nxp: imx6ul: correct SAI3 interrupt line

by Maarten Zanders

The i.MX6UL reference manual lists two possible interrupt lines for SAI3 (56 and 57, offset +32). The current device tree entry uses the first one (24), which prevents IRQs from being handled properly. Use the second interrupt line (25), which does allow interrupts to work as expected. Fixes: 36e2edf6ac07 ("ARM: dts: imx6ul: add sai support") Signed-off-by: Maarten Zanders <maarten(a)zanders.be> Cc: stable(a)vger.kernel.org --- arch/arm/boot/dts/nxp/imx/imx6ul.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi b/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi index 6de224dd2bb9..6eb80f867f50 100644 --- a/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi +++ b/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi @@ -339,7 +339,7 @@ sai3: sai@2030000 { #sound-dai-cells = <0>; compatible = "fsl,imx6ul-sai", "fsl,imx6sx-sai"; reg = <0x02030000 0x4000>; - interrupts = <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>; + interrupts = <GIC_SPI 25 IRQ_TYPE_LEVEL_HIGH>; clocks = <&clks IMX6UL_CLK_SAI3_IPG>, <&clks IMX6UL_CLK_SAI3>, <&clks IMX6UL_CLK_DUMMY>, <&clks IMX6UL_CLK_DUMMY>; -- 2.51.0

1 month

2
1
0 0

[PATCH v3] w1: therm: Fix off-by-one buffer overflow in alarms_store

by Thorsten Blum

The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtol() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. Cc: stable(a)vger.kernel.org Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- Compile-tested only. Changes in v3: - Add integer range check for 'temp' to match kstrtoint() behavior - Explicitly cast 'temp' to int when calling int_to_short() - Link to v2: https://lore.kernel.org/lkml/20251029130045.70127-2-thorsten.blum@linux.dev/ Changes in v2: - Fix buffer overflow instead of truncating the copy using strscpy() - Parse buffer directly using simple_strtol() as suggested by David - Update patch subject and description - Link to v1: https://lore.kernel.org/lkml/20251017170047.114224-2-thorsten.blum@linux.de… --- drivers/w1/slaves/w1_therm.c | 102 ++++++++++++----------------------- 1 file changed, 35 insertions(+), 67 deletions(-) diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c index 9ccedb3264fb..1dad9fa1ec4a 100644 --- a/drivers/w1/slaves/w1_therm.c +++ b/drivers/w1/slaves/w1_therm.c @@ -1836,59 +1836,32 @@ static ssize_t alarms_store(struct device *device, struct w1_slave *sl = dev_to_w1_slave(device); struct therm_info info; u8 new_config_register[3]; /* array of data to be written */ - int temp, ret; - char *token = NULL; + long temp; + int ret; s8 tl, th; /* 1 byte per value + temp ring order */ - char *p_args, *orig; + const char *p = buf; + char *endp; - p_args = orig = kmalloc(size, GFP_KERNEL); - /* Safe string copys as buf is const */ - if (!p_args) { - dev_warn(device, - "%s: error unable to allocate memory %d\n", - __func__, -ENOMEM); - return size; + temp = simple_strtol(p, &endp, 10); + if (temp < INT_MIN || temp > INT_MAX || p == endp || *endp != ' ') { + dev_info(device, "%s: error parsing args %d\n", + __func__, -EINVAL); + goto err; } - strcpy(p_args, buf); - - /* Split string using space char */ - token = strsep(&p_args, " "); + /* Cast to short to eliminate out of range values */ + tl = int_to_short((int)temp); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - - /* Convert 1st entry to int */ - ret = kstrtoint (token, 10, &temp); - if (ret) { - dev_info(device, - "%s: error parsing args %d\n", __func__, ret); - goto free_m; - } - - tl = int_to_short(temp); - - /* Split string using space char */ - token = strsep(&p_args, " "); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - /* Convert 2nd entry to int */ - ret = kstrtoint (token, 10, &temp); - if (ret) { - dev_info(device, - "%s: error parsing args %d\n", __func__, ret); - goto free_m; + p = endp + 1; + temp = simple_strtol(p, &endp, 10); + if (temp < INT_MIN || temp > INT_MAX || p == endp) { + dev_info(device, "%s: error parsing args %d\n", + __func__, -EINVAL); + goto err; } + /* Cast to short to eliminate out of range values */ + th = int_to_short((int)temp); - /* Prepare to cast to short by eliminating out of range values */ - th = int_to_short(temp); - - /* Reorder if required th and tl */ + /* Reorder if required */ if (tl > th) swap(tl, th); @@ -1897,35 +1870,30 @@ static ssize_t alarms_store(struct device *device, * (th : byte 2 - tl: byte 3) */ ret = read_scratchpad(sl, &info); - if (!ret) { - new_config_register[0] = th; /* Byte 2 */ - new_config_register[1] = tl; /* Byte 3 */ - new_config_register[2] = info.rom[4];/* Byte 4 */ - } else { - dev_info(device, - "%s: error reading from the slave device %d\n", - __func__, ret); - goto free_m; + if (ret) { + dev_info(device, "%s: error reading from the slave device %d\n", + __func__, ret); + goto err; } + new_config_register[0] = th; /* Byte 2 */ + new_config_register[1] = tl; /* Byte 3 */ + new_config_register[2] = info.rom[4]; /* Byte 4 */ /* Write data in the device RAM */ if (!SLAVE_SPECIFIC_FUNC(sl)) { - dev_info(device, - "%s: Device not supported by the driver %d\n", - __func__, -ENODEV); - goto free_m; + dev_info(device, "%s: Device not supported by the driver %d\n", + __func__, -ENODEV); + goto err; } ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); - if (ret) - dev_info(device, - "%s: error writing to the slave device %d\n", + if (ret) { + dev_info(device, "%s: error writing to the slave device %d\n", __func__, ret); + goto err; + } -free_m: - /* free allocated memory */ - kfree(orig); - +err: return size; } -- 2.51.0

1 month

3
4
0 0

[PATCH] drm/sched: Fix UB in spsc_queue

by Philipp Stanner

The spsc_queue is an unlocked, highly asynchronous piece of infrastructure. Its inline function spsc_queue_peek() obtains the head entry of the queue. This access is performed without READ_ONCE() and is, therefore, undefined behavior. In order to prevent the compiler from ever reordering that access, or even optimizing it away, a READ_ONCE() is strictly necessary. This is easily proven by the fact that spsc_queue_pop() uses this very pattern to access the head. Add READ_ONCE() to spsc_queue_peek(). Cc: stable(a)vger.kernel.org # v4.16+ Fixes: 27105db6c63a ("drm/amdgpu: Add SPSC queue to scheduler.") Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- I think this makes it less broken, but I'm not even sure if it's enough or more memory barriers or an rcu_dereference() would be correct. The spsc_queue is, of course, not documented and the existing barrier comments are either false or not telling. If someone has an idea, shoot us the info. Otherwise I think this is the right thing to do for now. P. --- include/drm/spsc_queue.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/drm/spsc_queue.h b/include/drm/spsc_queue.h index ee9df8cc67b7..39bada748ffc 100644 --- a/include/drm/spsc_queue.h +++ b/include/drm/spsc_queue.h @@ -54,7 +54,7 @@ static inline void spsc_queue_init(struct spsc_queue *queue) static inline struct spsc_node *spsc_queue_peek(struct spsc_queue *queue) { - return queue->head; + return READ_ONCE(queue->head); } static inline int spsc_queue_count(struct spsc_queue *queue) -- 2.49.0

1 month

3
8
0 0