- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] wifi: ath11k: fix dest ring-buffer corruption" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 8c1ba5091fa9a2d1478da63173b16a701bdf86bb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082141-perfectly-basil-f53e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8c1ba5091fa9a2d1478da63173b16a701bdf86bb Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Wed, 4 Jun 2025 16:34:53 +0200 Subject: [PATCH] wifi: ath11k: fix dest ring-buffer corruption Add the missing memory barrier to make sure that destination ring descriptors are read after the head pointers to avoid using stale data on weakly ordered architectures like aarch64. The barrier is added to the ath11k_hal_srng_access_begin() helper for symmetry with follow-on fixes for source ring buffer corruption which will add barriers to ath11k_hal_srng_access_end(). Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org # 5.6 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Baochen Qiang <quic_bqiang(a)quicinc.com> Link: https://patch.msgid.link/20250604143457.26032-2-johan+linaro@kernel.org Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c index be9395f2ed8b..878ce30b307c 100644 --- a/drivers/net/wireless/ath/ath11k/ce.c +++ b/drivers/net/wireless/ath/ath11k/ce.c @@ -395,9 +395,6 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe, goto err; } - /* Make sure descriptor is read after the head pointer. */ - dma_rmb(); - *nbytes = ath11k_hal_ce_dst_status_get_length(desc); *skb = pipe->dest_ring->skb[sw_index]; diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 9230a965f6f0..065fc40e2541 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2650,9 +2650,6 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, try_again: ath11k_hal_srng_access_begin(ab, srng); - /* Make sure descriptor is read after the head pointer. */ - dma_rmb(); - while (likely(desc = (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab, srng))) { diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index a6513aa6fbfa..0aa73774150c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -825,13 +825,23 @@ u32 *ath11k_hal_srng_src_peek(struct ath11k_base *ab, struct hal_srng *srng) void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng) { + u32 hp; + lockdep_assert_held(&srng->lock); if (srng->ring_dir == HAL_SRNG_DIR_SRC) { srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; } else { - srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + + if (hp != srng->u.dst_ring.cached_hp) { + srng->u.dst_ring.cached_hp = hp; + /* Make sure descriptor is read after the head + * pointer. + */ + dma_rmb(); + } /* Try to prefetch the next descriptor in the ring */ if (srng->flags & HAL_SRNG_FLAGS_CACHED)

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] wifi: ath11k: fix dest ring-buffer corruption" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8c1ba5091fa9a2d1478da63173b16a701bdf86bb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082140-deuce-radiator-ccc5@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8c1ba5091fa9a2d1478da63173b16a701bdf86bb Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Wed, 4 Jun 2025 16:34:53 +0200 Subject: [PATCH] wifi: ath11k: fix dest ring-buffer corruption Add the missing memory barrier to make sure that destination ring descriptors are read after the head pointers to avoid using stale data on weakly ordered architectures like aarch64. The barrier is added to the ath11k_hal_srng_access_begin() helper for symmetry with follow-on fixes for source ring buffer corruption which will add barriers to ath11k_hal_srng_access_end(). Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org # 5.6 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Baochen Qiang <quic_bqiang(a)quicinc.com> Link: https://patch.msgid.link/20250604143457.26032-2-johan+linaro@kernel.org Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c index be9395f2ed8b..878ce30b307c 100644 --- a/drivers/net/wireless/ath/ath11k/ce.c +++ b/drivers/net/wireless/ath/ath11k/ce.c @@ -395,9 +395,6 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe, goto err; } - /* Make sure descriptor is read after the head pointer. */ - dma_rmb(); - *nbytes = ath11k_hal_ce_dst_status_get_length(desc); *skb = pipe->dest_ring->skb[sw_index]; diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 9230a965f6f0..065fc40e2541 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2650,9 +2650,6 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, try_again: ath11k_hal_srng_access_begin(ab, srng); - /* Make sure descriptor is read after the head pointer. */ - dma_rmb(); - while (likely(desc = (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab, srng))) { diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index a6513aa6fbfa..0aa73774150c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -825,13 +825,23 @@ u32 *ath11k_hal_srng_src_peek(struct ath11k_base *ab, struct hal_srng *srng) void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng) { + u32 hp; + lockdep_assert_held(&srng->lock); if (srng->ring_dir == HAL_SRNG_DIR_SRC) { srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; } else { - srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + + if (hp != srng->u.dst_ring.cached_hp) { + srng->u.dst_ring.cached_hp = hp; + /* Make sure descriptor is read after the head + * pointer. + */ + dma_rmb(); + } /* Try to prefetch the next descriptor in the ring */ if (srng->flags & HAL_SRNG_FLAGS_CACHED)

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] iio: adc: ad_sigma_delta: change to buffer predisable" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 66d4374d97f85516b5a22418c5e798aed2606dec # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082109-mutual-easily-fafd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 66d4374d97f85516b5a22418c5e798aed2606dec Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 3 Jul 2025 16:07:44 -0500 Subject: [PATCH] iio: adc: ad_sigma_delta: change to buffer predisable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change the buffer disable callback from postdisable to predisable. This balances the existing posteanble callback. Using postdisable with posteanble can be problematic, for example, if update_scan_mode fails, it would call postdisable without ever having called posteanble, so the drivers using this would be in an unexpected state when postdisable was called. Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-… Cc: <stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c index 9d2dba0a0ee6..7852884703b0 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -582,7 +582,7 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev) return ret; } -static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev) +static int ad_sd_buffer_predisable(struct iio_dev *indio_dev) { struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev); @@ -682,7 +682,7 @@ static bool ad_sd_validate_scan_mask(struct iio_dev *indio_dev, const unsigned l static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = { .postenable = &ad_sd_buffer_postenable, - .postdisable = &ad_sd_buffer_postdisable, + .predisable = &ad_sd_buffer_predisable, .validate_scan_mask = &ad_sd_validate_scan_mask, };

3 weeks, 6 days

1
0
0 0

[PATCH v5.10 0/2] x86/irq: Plug vector setup race

by Jinjie Ruan

There is a vector setup race, which overwrites the interrupt descriptor in the per CPU vector array resulting in a disfunctional device. CPU0 CPU1 interrupt is raised in APIC IRR but not handled free_irq() per_cpu(vector_irq, CPU1)[vector] = VECTOR_SHUTDOWN; request_irq() common_interrupt() d = this_cpu_read(vector_irq[vector]); per_cpu(vector_irq, CPU1)[vector] = desc; if (d == VECTOR_SHUTDOWN) this_cpu_write(vector_irq[vector], VECTOR_UNUSED); free_irq() cannot observe the pending vector in the CPU1 APIC as there is no way to query the remote CPUs APIC IRR. This requires that request_irq() uses the same vector/CPU as the one which was freed, but this also can be triggered by a spurious interrupt. Interestingly enough this problem managed to be hidden for more than a decade. Prevent this by reevaluating vector_irq under the vector lock, which is held by the interrupt activation code when vector_irq is updated. Fixes: 9345005f4eed ("x86/irq: Fix do_IRQ() interrupt warning for cpu hotplug retriggered irqs") Cc: stable(a)vger.kernel.org#5.10.x Cc: gregkh(a)linuxfoundation.org Jacob Pan (1): x86/irq: Factor out handler invocation from common_interrupt() Thomas Gleixner (1): x86/irq: Plug vector setup race arch/x86/kernel/irq.c | 70 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 56 insertions(+), 14 deletions(-) -- 2.34.1

3 weeks, 6 days

2
3
0 0

FAILED: patch "[PATCH] ovl: use I_MUTEX_PARENT when locking parent in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082114-ocelot-graceless-5693@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 Mon Sep 17 00:00:00 2001 From: NeilBrown <neil(a)brown.name> Date: Mon, 4 Aug 2025 22:11:28 +1000 Subject: [PATCH] ovl: use I_MUTEX_PARENT when locking parent in ovl_create_temp() ovl_create_temp() treats "workdir" as a parent in which it creates an object so it should use I_MUTEX_PARENT. Prior to the commit identified below the lock was taken by the caller which sometimes used I_MUTEX_PARENT and sometimes used I_MUTEX_NORMAL. The use of I_MUTEX_NORMAL was incorrect but unfortunately copied into ovl_create_temp(). Note to backporters: This patch only applies after the last Fixes given below (post v6.16). To fix the bug in v6.7 and later the inode_lock() call in ovl_copy_up_workdir() needs to nest using I_MUTEX_PARENT. Link: https://lore.kernel.org/all/67a72070.050a0220.3d72c.0022.GAE@google.com/ Cc: stable(a)vger.kernel.org Reported-by: syzbot+7836a68852a10ec3d790(a)syzkaller.appspotmail.com Tested-by: syzbot+7836a68852a10ec3d790(a)syzkaller.appspotmail.com Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held") Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.") Signed-off-by: NeilBrown <neil(a)brown.name> Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index 70b8687dc45e..dbd63a74df4b 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -225,7 +225,7 @@ struct dentry *ovl_create_temp(struct ovl_fs *ofs, struct dentry *workdir, struct ovl_cattr *attr) { struct dentry *ret; - inode_lock(workdir->d_inode); + inode_lock_nested(workdir->d_inode, I_MUTEX_PARENT); ret = ovl_create_real(ofs, workdir, ovl_lookup_temp(ofs, workdir), attr); inode_unlock(workdir->d_inode);

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] ovl: use I_MUTEX_PARENT when locking parent in" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082114-donator-nursing-1c9c@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 Mon Sep 17 00:00:00 2001 From: NeilBrown <neil(a)brown.name> Date: Mon, 4 Aug 2025 22:11:28 +1000 Subject: [PATCH] ovl: use I_MUTEX_PARENT when locking parent in ovl_create_temp() ovl_create_temp() treats "workdir" as a parent in which it creates an object so it should use I_MUTEX_PARENT. Prior to the commit identified below the lock was taken by the caller which sometimes used I_MUTEX_PARENT and sometimes used I_MUTEX_NORMAL. The use of I_MUTEX_NORMAL was incorrect but unfortunately copied into ovl_create_temp(). Note to backporters: This patch only applies after the last Fixes given below (post v6.16). To fix the bug in v6.7 and later the inode_lock() call in ovl_copy_up_workdir() needs to nest using I_MUTEX_PARENT. Link: https://lore.kernel.org/all/67a72070.050a0220.3d72c.0022.GAE@google.com/ Cc: stable(a)vger.kernel.org Reported-by: syzbot+7836a68852a10ec3d790(a)syzkaller.appspotmail.com Tested-by: syzbot+7836a68852a10ec3d790(a)syzkaller.appspotmail.com Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held") Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.") Signed-off-by: NeilBrown <neil(a)brown.name> Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index 70b8687dc45e..dbd63a74df4b 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -225,7 +225,7 @@ struct dentry *ovl_create_temp(struct ovl_fs *ofs, struct dentry *workdir, struct ovl_cattr *attr) { struct dentry *ret; - inode_lock(workdir->d_inode); + inode_lock_nested(workdir->d_inode, I_MUTEX_PARENT); ret = ovl_create_real(ofs, workdir, ovl_lookup_temp(ofs, workdir), attr); inode_unlock(workdir->d_inode);

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: ti: k3-am62*: Move eMMC pinmux to top level board" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a0b8da04153eb61cc2eaeeea5cc404e91e557f6b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082105-bonelike-everyone-8281@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a0b8da04153eb61cc2eaeeea5cc404e91e557f6b Mon Sep 17 00:00:00 2001 From: Judith Mendez <jm(a)ti.com> Date: Mon, 7 Jul 2025 14:08:30 -0500 Subject: [PATCH] arm64: dts: ti: k3-am62*: Move eMMC pinmux to top level board file This moves pinmux child nodes for sdhci0 node from k3-am62x-sk-common to each top level board file. This is needed since we require internal pullups for AM62x SK and not for AM62 LP SK since it has external pullups on DATA 1-7. Internal pulls are required for AM62 SK as per JESD84 spec recommendation to prevent unconnected lines floating. Fixes: d19a66ae488a ("arm64: dts: ti: k3-am625-sk: Enable on board peripherals") Cc: stable(a)vger.kernel.org Signed-off-by: Judith Mendez <jm(a)ti.com> Link: https://lore.kernel.org/r/20250707190830.3951619-1-jm@ti.com Signed-off-by: Vignesh Raghavendra <vigneshr(a)ti.com> diff --git a/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts b/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts index aafdb90c0eb7..4609f366006e 100644 --- a/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts +++ b/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts @@ -74,6 +74,22 @@ vddshv_sdio: regulator-4 { }; &main_pmx0 { + main_mmc0_pins_default: main-mmc0-default-pins { + bootph-all; + pinctrl-single,pins = < + AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (V3) MMC0_CMD */ + AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (Y1) MMC0_CLK */ + AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (V2) MMC0_DAT0 */ + AM62X_IOPAD(0x210, PIN_INPUT, 0) /* (V1) MMC0_DAT1 */ + AM62X_IOPAD(0x20c, PIN_INPUT, 0) /* (W2) MMC0_DAT2 */ + AM62X_IOPAD(0x208, PIN_INPUT, 0) /* (W1) MMC0_DAT3 */ + AM62X_IOPAD(0x204, PIN_INPUT, 0) /* (Y2) MMC0_DAT4 */ + AM62X_IOPAD(0x200, PIN_INPUT, 0) /* (W3) MMC0_DAT5 */ + AM62X_IOPAD(0x1fc, PIN_INPUT, 0) /* (W4) MMC0_DAT6 */ + AM62X_IOPAD(0x1f8, PIN_INPUT, 0) /* (V4) MMC0_DAT7 */ + >; + }; + vddshv_sdio_pins_default: vddshv-sdio-default-pins { pinctrl-single,pins = < AM62X_IOPAD(0x07c, PIN_OUTPUT, 7) /* (M19) GPMC0_CLK.GPIO0_31 */ @@ -144,6 +160,14 @@ exp2: gpio@23 { }; }; +&sdhci0 { + bootph-all; + non-removable; + pinctrl-names = "default"; + pinctrl-0 = <&main_mmc0_pins_default>; + status = "okay"; +}; + &sdhci1 { vmmc-supply = <&vdd_mmc1>; vqmmc-supply = <&vddshv_sdio>; diff --git a/arch/arm64/boot/dts/ti/k3-am625-sk.dts b/arch/arm64/boot/dts/ti/k3-am625-sk.dts index 2fbfa3719345..d240165bda9c 100644 --- a/arch/arm64/boot/dts/ti/k3-am625-sk.dts +++ b/arch/arm64/boot/dts/ti/k3-am625-sk.dts @@ -106,6 +106,22 @@ vcc_1v8: regulator-5 { }; &main_pmx0 { + main_mmc0_pins_default: main-mmc0-default-pins { + bootph-all; + pinctrl-single,pins = < + AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (Y3) MMC0_CMD */ + AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (AB1) MMC0_CLK */ + AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (AA2) MMC0_DAT0 */ + AM62X_IOPAD(0x210, PIN_INPUT_PULLUP, 0) /* (AA1) MMC0_DAT1 */ + AM62X_IOPAD(0x20c, PIN_INPUT_PULLUP, 0) /* (AA3) MMC0_DAT2 */ + AM62X_IOPAD(0x208, PIN_INPUT_PULLUP, 0) /* (Y4) MMC0_DAT3 */ + AM62X_IOPAD(0x204, PIN_INPUT_PULLUP, 0) /* (AB2) MMC0_DAT4 */ + AM62X_IOPAD(0x200, PIN_INPUT_PULLUP, 0) /* (AC1) MMC0_DAT5 */ + AM62X_IOPAD(0x1fc, PIN_INPUT_PULLUP, 0) /* (AD2) MMC0_DAT6 */ + AM62X_IOPAD(0x1f8, PIN_INPUT_PULLUP, 0) /* (AC2) MMC0_DAT7 */ + >; + }; + main_rgmii2_pins_default: main-rgmii2-default-pins { bootph-all; pinctrl-single,pins = < @@ -195,6 +211,14 @@ exp1: gpio@22 { }; }; +&sdhci0 { + bootph-all; + non-removable; + pinctrl-names = "default"; + pinctrl-0 = <&main_mmc0_pins_default>; + status = "okay"; +}; + &sdhci1 { vmmc-supply = <&vdd_mmc1>; vqmmc-supply = <&vdd_sd_dv>; diff --git a/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi b/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi index ee8337bfbbfd..13e1d36123d5 100644 --- a/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi @@ -203,22 +203,6 @@ AM62X_IOPAD(0x0b4, PIN_INPUT_PULLUP, 1) /* (K24/H19) GPMC0_CSn3.I2C2_SDA */ >; }; - main_mmc0_pins_default: main-mmc0-default-pins { - bootph-all; - pinctrl-single,pins = < - AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (Y3/V3) MMC0_CMD */ - AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (AB1/Y1) MMC0_CLK */ - AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (AA2/V2) MMC0_DAT0 */ - AM62X_IOPAD(0x210, PIN_INPUT, 0) /* (AA1/V1) MMC0_DAT1 */ - AM62X_IOPAD(0x20c, PIN_INPUT, 0) /* (AA3/W2) MMC0_DAT2 */ - AM62X_IOPAD(0x208, PIN_INPUT, 0) /* (Y4/W1) MMC0_DAT3 */ - AM62X_IOPAD(0x204, PIN_INPUT, 0) /* (AB2/Y2) MMC0_DAT4 */ - AM62X_IOPAD(0x200, PIN_INPUT, 0) /* (AC1/W3) MMC0_DAT5 */ - AM62X_IOPAD(0x1fc, PIN_INPUT, 0) /* (AD2/W4) MMC0_DAT6 */ - AM62X_IOPAD(0x1f8, PIN_INPUT, 0) /* (AC2/V4) MMC0_DAT7 */ - >; - }; - main_mmc1_pins_default: main-mmc1-default-pins { bootph-all; pinctrl-single,pins = < @@ -457,14 +441,6 @@ &main_i2c2 { clock-frequency = <400000>; }; -&sdhci0 { - bootph-all; - status = "okay"; - non-removable; - pinctrl-names = "default"; - pinctrl-0 = <&main_mmc0_pins_default>; -}; - &sdhci1 { /* SD/MMC */ bootph-all;

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: ti: k3-am62*: Move eMMC pinmux to top level board" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a0b8da04153eb61cc2eaeeea5cc404e91e557f6b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082104-stilt-flick-296a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a0b8da04153eb61cc2eaeeea5cc404e91e557f6b Mon Sep 17 00:00:00 2001 From: Judith Mendez <jm(a)ti.com> Date: Mon, 7 Jul 2025 14:08:30 -0500 Subject: [PATCH] arm64: dts: ti: k3-am62*: Move eMMC pinmux to top level board file This moves pinmux child nodes for sdhci0 node from k3-am62x-sk-common to each top level board file. This is needed since we require internal pullups for AM62x SK and not for AM62 LP SK since it has external pullups on DATA 1-7. Internal pulls are required for AM62 SK as per JESD84 spec recommendation to prevent unconnected lines floating. Fixes: d19a66ae488a ("arm64: dts: ti: k3-am625-sk: Enable on board peripherals") Cc: stable(a)vger.kernel.org Signed-off-by: Judith Mendez <jm(a)ti.com> Link: https://lore.kernel.org/r/20250707190830.3951619-1-jm@ti.com Signed-off-by: Vignesh Raghavendra <vigneshr(a)ti.com> diff --git a/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts b/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts index aafdb90c0eb7..4609f366006e 100644 --- a/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts +++ b/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts @@ -74,6 +74,22 @@ vddshv_sdio: regulator-4 { }; &main_pmx0 { + main_mmc0_pins_default: main-mmc0-default-pins { + bootph-all; + pinctrl-single,pins = < + AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (V3) MMC0_CMD */ + AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (Y1) MMC0_CLK */ + AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (V2) MMC0_DAT0 */ + AM62X_IOPAD(0x210, PIN_INPUT, 0) /* (V1) MMC0_DAT1 */ + AM62X_IOPAD(0x20c, PIN_INPUT, 0) /* (W2) MMC0_DAT2 */ + AM62X_IOPAD(0x208, PIN_INPUT, 0) /* (W1) MMC0_DAT3 */ + AM62X_IOPAD(0x204, PIN_INPUT, 0) /* (Y2) MMC0_DAT4 */ + AM62X_IOPAD(0x200, PIN_INPUT, 0) /* (W3) MMC0_DAT5 */ + AM62X_IOPAD(0x1fc, PIN_INPUT, 0) /* (W4) MMC0_DAT6 */ + AM62X_IOPAD(0x1f8, PIN_INPUT, 0) /* (V4) MMC0_DAT7 */ + >; + }; + vddshv_sdio_pins_default: vddshv-sdio-default-pins { pinctrl-single,pins = < AM62X_IOPAD(0x07c, PIN_OUTPUT, 7) /* (M19) GPMC0_CLK.GPIO0_31 */ @@ -144,6 +160,14 @@ exp2: gpio@23 { }; }; +&sdhci0 { + bootph-all; + non-removable; + pinctrl-names = "default"; + pinctrl-0 = <&main_mmc0_pins_default>; + status = "okay"; +}; + &sdhci1 { vmmc-supply = <&vdd_mmc1>; vqmmc-supply = <&vddshv_sdio>; diff --git a/arch/arm64/boot/dts/ti/k3-am625-sk.dts b/arch/arm64/boot/dts/ti/k3-am625-sk.dts index 2fbfa3719345..d240165bda9c 100644 --- a/arch/arm64/boot/dts/ti/k3-am625-sk.dts +++ b/arch/arm64/boot/dts/ti/k3-am625-sk.dts @@ -106,6 +106,22 @@ vcc_1v8: regulator-5 { }; &main_pmx0 { + main_mmc0_pins_default: main-mmc0-default-pins { + bootph-all; + pinctrl-single,pins = < + AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (Y3) MMC0_CMD */ + AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (AB1) MMC0_CLK */ + AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (AA2) MMC0_DAT0 */ + AM62X_IOPAD(0x210, PIN_INPUT_PULLUP, 0) /* (AA1) MMC0_DAT1 */ + AM62X_IOPAD(0x20c, PIN_INPUT_PULLUP, 0) /* (AA3) MMC0_DAT2 */ + AM62X_IOPAD(0x208, PIN_INPUT_PULLUP, 0) /* (Y4) MMC0_DAT3 */ + AM62X_IOPAD(0x204, PIN_INPUT_PULLUP, 0) /* (AB2) MMC0_DAT4 */ + AM62X_IOPAD(0x200, PIN_INPUT_PULLUP, 0) /* (AC1) MMC0_DAT5 */ + AM62X_IOPAD(0x1fc, PIN_INPUT_PULLUP, 0) /* (AD2) MMC0_DAT6 */ + AM62X_IOPAD(0x1f8, PIN_INPUT_PULLUP, 0) /* (AC2) MMC0_DAT7 */ + >; + }; + main_rgmii2_pins_default: main-rgmii2-default-pins { bootph-all; pinctrl-single,pins = < @@ -195,6 +211,14 @@ exp1: gpio@22 { }; }; +&sdhci0 { + bootph-all; + non-removable; + pinctrl-names = "default"; + pinctrl-0 = <&main_mmc0_pins_default>; + status = "okay"; +}; + &sdhci1 { vmmc-supply = <&vdd_mmc1>; vqmmc-supply = <&vdd_sd_dv>; diff --git a/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi b/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi index ee8337bfbbfd..13e1d36123d5 100644 --- a/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi @@ -203,22 +203,6 @@ AM62X_IOPAD(0x0b4, PIN_INPUT_PULLUP, 1) /* (K24/H19) GPMC0_CSn3.I2C2_SDA */ >; }; - main_mmc0_pins_default: main-mmc0-default-pins { - bootph-all; - pinctrl-single,pins = < - AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (Y3/V3) MMC0_CMD */ - AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (AB1/Y1) MMC0_CLK */ - AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (AA2/V2) MMC0_DAT0 */ - AM62X_IOPAD(0x210, PIN_INPUT, 0) /* (AA1/V1) MMC0_DAT1 */ - AM62X_IOPAD(0x20c, PIN_INPUT, 0) /* (AA3/W2) MMC0_DAT2 */ - AM62X_IOPAD(0x208, PIN_INPUT, 0) /* (Y4/W1) MMC0_DAT3 */ - AM62X_IOPAD(0x204, PIN_INPUT, 0) /* (AB2/Y2) MMC0_DAT4 */ - AM62X_IOPAD(0x200, PIN_INPUT, 0) /* (AC1/W3) MMC0_DAT5 */ - AM62X_IOPAD(0x1fc, PIN_INPUT, 0) /* (AD2/W4) MMC0_DAT6 */ - AM62X_IOPAD(0x1f8, PIN_INPUT, 0) /* (AC2/V4) MMC0_DAT7 */ - >; - }; - main_mmc1_pins_default: main-mmc1-default-pins { bootph-all; pinctrl-single,pins = < @@ -457,14 +441,6 @@ &main_i2c2 { clock-frequency = <400000>; }; -&sdhci0 { - bootph-all; - status = "okay"; - non-removable; - pinctrl-names = "default"; - pinctrl-0 = <&main_mmc0_pins_default>; -}; - &sdhci1 { /* SD/MMC */ bootph-all;

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: octeontx2 - Fix address alignment issue on ucode" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b7b88b4939e71ef2aed8238976a2bbabcb63a790 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082132-trimmer-going-5925@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b7b88b4939e71ef2aed8238976a2bbabcb63a790 Mon Sep 17 00:00:00 2001 From: Bharat Bhushan <bbhushan2(a)marvell.com> Date: Thu, 22 May 2025 15:36:25 +0530 Subject: [PATCH] crypto: octeontx2 - Fix address alignment issue on ucode loading octeontx2 crypto driver allocates memory using kmalloc/kzalloc, and uses this memory for dma (does dma_map_single()). It assumes that kmalloc/kzalloc will return 128-byte aligned address. But kmalloc/kzalloc returns 8-byte aligned address after below changes: "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the smaller cache_line_size()" Completion address should be 32-Byte alignment when loading microcode. Signed-off-by: Bharat Bhushan <bbhushan2(a)marvell.com> Cc: <stable(a)vger.kernel.org> # v6.5+ Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c index 9095dea2748d..56645b3eb717 100644 --- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c +++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c @@ -1491,12 +1491,13 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf) union otx2_cpt_opcode opcode; union otx2_cpt_res_s *result; union otx2_cpt_inst_s inst; + dma_addr_t result_baddr; dma_addr_t rptr_baddr; struct pci_dev *pdev; - u32 len, compl_rlen; int timeout = 10000; + void *base, *rptr; int ret, etype; - void *rptr; + u32 len; /* * We don't get capabilities if it was already done @@ -1519,22 +1520,28 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf) if (ret) goto delete_grps; - compl_rlen = ALIGN(sizeof(union otx2_cpt_res_s), OTX2_CPT_DMA_MINALIGN); - len = compl_rlen + LOADFVC_RLEN; + /* Allocate extra memory for "rptr" and "result" pointer alignment */ + len = LOADFVC_RLEN + ARCH_DMA_MINALIGN + + sizeof(union otx2_cpt_res_s) + OTX2_CPT_RES_ADDR_ALIGN; - result = kzalloc(len, GFP_KERNEL); - if (!result) { + base = kzalloc(len, GFP_KERNEL); + if (!base) { ret = -ENOMEM; goto lf_cleanup; } - rptr_baddr = dma_map_single(&pdev->dev, (void *)result, len, - DMA_BIDIRECTIONAL); + + rptr = PTR_ALIGN(base, ARCH_DMA_MINALIGN); + rptr_baddr = dma_map_single(&pdev->dev, rptr, len, DMA_BIDIRECTIONAL); if (dma_mapping_error(&pdev->dev, rptr_baddr)) { dev_err(&pdev->dev, "DMA mapping failed\n"); ret = -EFAULT; - goto free_result; + goto free_rptr; } - rptr = (u8 *)result + compl_rlen; + + result = (union otx2_cpt_res_s *)PTR_ALIGN(rptr + LOADFVC_RLEN, + OTX2_CPT_RES_ADDR_ALIGN); + result_baddr = ALIGN(rptr_baddr + LOADFVC_RLEN, + OTX2_CPT_RES_ADDR_ALIGN); /* Fill in the command */ opcode.s.major = LOADFVC_MAJOR_OP; @@ -1546,14 +1553,14 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf) /* 64-bit swap for microcode data reads, not needed for addresses */ cpu_to_be64s(&iq_cmd.cmd.u); iq_cmd.dptr = 0; - iq_cmd.rptr = rptr_baddr + compl_rlen; + iq_cmd.rptr = rptr_baddr; iq_cmd.cptr.u = 0; for (etype = 1; etype < OTX2_CPT_MAX_ENG_TYPES; etype++) { result->s.compcode = OTX2_CPT_COMPLETION_CODE_INIT; iq_cmd.cptr.s.grp = otx2_cpt_get_eng_grp(&cptpf->eng_grps, etype); - otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr); + otx2_cpt_fill_inst(&inst, &iq_cmd, result_baddr); lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]); timeout = 10000; @@ -1576,8 +1583,8 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf) error_no_response: dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL); -free_result: - kfree(result); +free_rptr: + kfree(base); lf_cleanup: otx2_cptlf_shutdown(lfs); delete_grps:

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] ext4: fix hole length calculation overflow in non-extent" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082129-kung-accuracy-abdf@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 Mon Sep 17 00:00:00 2001 From: Zhang Yi <yi.zhang(a)huawei.com> Date: Mon, 11 Aug 2025 14:45:32 +0800 Subject: [PATCH] ext4: fix hole length calculation overflow in non-extent inodes In a filesystem with a block size larger than 4KB, the hole length calculation for a non-extent inode in ext4_ind_map_blocks() can easily exceed INT_MAX. Then it could return a zero length hole and trigger the following waring and infinite in the iomap infrastructure. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190 CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary) Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : iomap_iter_done+0x148/0x190 lr : iomap_iter+0x174/0x230 sp : ffff8000880af740 x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000 x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000 x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48 x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000 x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000 x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44 x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000 x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000 Call trace: iomap_iter_done+0x148/0x190 (P) iomap_iter+0x174/0x230 iomap_fiemap+0x154/0x1d8 ext4_fiemap+0x110/0x140 [ext4] do_vfs_ioctl+0x4b8/0xbc0 __arm64_sys_ioctl+0x8c/0x120 invoke_syscall+0x6c/0x100 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0x120 el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x1a0 ---[ end trace 0000000000000000 ]--- Cc: stable(a)kernel.org Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()") Reported-by: Qu Wenruo <wqu(a)suse.com> Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx… Tested-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Zhang Yi <yi.zhang(a)huawei.com> Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c index 7de327fa7b1c..d45124318200 100644 --- a/fs/ext4/indirect.c +++ b/fs/ext4/indirect.c @@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle, struct inode *inode, int indirect_blks; int blocks_to_boundary = 0; int depth; - int count = 0; + u64 count = 0; ext4_fsblk_t first_block = 0; trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); @@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle, struct inode *inode, count++; /* Fill in size of a hole we found */ map->m_pblk = 0; - map->m_len = min_t(unsigned int, map->m_len, count); + map->m_len = umin(map->m_len, count); goto cleanup; }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] btrfs: subpage: keep TOWRITE tag until folio is cleaned" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b1511360c8ac882b0c52caa263620538e8d73220 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082107-pellet-wildfire-8e45@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b1511360c8ac882b0c52caa263620538e8d73220 Mon Sep 17 00:00:00 2001 From: Naohiro Aota <naohiro.aota(a)wdc.com> Date: Thu, 31 Jul 2025 12:46:56 +0900 Subject: [PATCH] btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfs_wait_ordered_extents(). That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setup will hit the following ASSERT. This happens because the broken ordering fails to flush existing dirty pages before the file size is truncated. assertion failed: !list_empty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899 ------------[ cut here ]------------ kernel BUG at fs/btrfs/zoned.c:1899! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs] RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246 RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8 R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00 R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680 FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0 Call Trace: <TASK> ? srso_return_thunk+0x5/0x5f btrfs_finish_ordered_io+0x4a/0x60 [btrfs] btrfs_work_helper+0xf9/0x490 [btrfs] process_one_work+0x204/0x590 ? srso_return_thunk+0x5/0x5f worker_thread+0x1d6/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x118/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x205/0x260 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Consider process A calling writepages() with WB_SYNC_NONE. In zoned mode or for compressed writes, it locks several folios for delalloc and starts writing them out. Let's call the last locked folio folio X. Suppose the write range only partially covers folio X, leaving some pages dirty. Process A calls btrfs_subpage_set_writeback() when building a bio. This function call clears the TOWRITE tag of folio X, whose size = 8K and the block size = 4K. It is following state. 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY) <-----> Process A will write this range. Now suppose process B concurrently calls writepages() with WB_SYNC_ALL. It calls tag_pages_for_writeback() to tag dirty folios with PAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then, B collects tagged folios using filemap_get_folios_tag() and must wait for folio X to be written before returning from writepages(). 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE) However, between tagging and collecting, process A may call btrfs_subpage_set_writeback() and clear folio X's TOWRITE tag. 0 4K 8K | |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY) As a result, process B won't see folio X in its batch, and returns without waiting for it. This breaks the WB_SYNC_ALL ordering requirement. Fix this by using btrfs_subpage_set_writeback_keepwrite(), which retains the TOWRITE tag. We now manually clear the tag only after the folio becomes clean, via the xas operation. Fixes: 3470da3b7d87 ("btrfs: subpage: introduce helpers for writeback status") CC: stable(a)vger.kernel.org # 6.12+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/subpage.c b/fs/btrfs/subpage.c index c9b3821957f7..cb4f97833dc3 100644 --- a/fs/btrfs/subpage.c +++ b/fs/btrfs/subpage.c @@ -448,8 +448,25 @@ void btrfs_subpage_set_writeback(const struct btrfs_fs_info *fs_info, spin_lock_irqsave(&bfs->lock, flags); bitmap_set(bfs->bitmaps, start_bit, len >> fs_info->sectorsize_bits); + + /* + * Don't clear the TOWRITE tag when starting writeback on a still-dirty + * folio. Doing so can cause WB_SYNC_ALL writepages() to overlook it, + * assume writeback is complete, and exit too early — violating sync + * ordering guarantees. + */ if (!folio_test_writeback(folio)) - folio_start_writeback(folio); + __folio_start_writeback(folio, true); + if (!folio_test_dirty(folio)) { + struct address_space *mapping = folio_mapping(folio); + XA_STATE(xas, &mapping->i_pages, folio->index); + unsigned long flags; + + xas_lock_irqsave(&xas, flags); + xas_load(&xas); + xas_clear_mark(&xas, PAGECACHE_TAG_TOWRITE); + xas_unlock_irqrestore(&xas, flags); + } spin_unlock_irqrestore(&bfs->lock, flags); }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] btrfs: subpage: keep TOWRITE tag until folio is cleaned" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b1511360c8ac882b0c52caa263620538e8d73220 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082105-calibrate-trombone-430c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b1511360c8ac882b0c52caa263620538e8d73220 Mon Sep 17 00:00:00 2001 From: Naohiro Aota <naohiro.aota(a)wdc.com> Date: Thu, 31 Jul 2025 12:46:56 +0900 Subject: [PATCH] btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfs_wait_ordered_extents(). That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setup will hit the following ASSERT. This happens because the broken ordering fails to flush existing dirty pages before the file size is truncated. assertion failed: !list_empty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899 ------------[ cut here ]------------ kernel BUG at fs/btrfs/zoned.c:1899! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs] RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246 RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8 R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00 R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680 FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0 Call Trace: <TASK> ? srso_return_thunk+0x5/0x5f btrfs_finish_ordered_io+0x4a/0x60 [btrfs] btrfs_work_helper+0xf9/0x490 [btrfs] process_one_work+0x204/0x590 ? srso_return_thunk+0x5/0x5f worker_thread+0x1d6/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x118/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x205/0x260 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Consider process A calling writepages() with WB_SYNC_NONE. In zoned mode or for compressed writes, it locks several folios for delalloc and starts writing them out. Let's call the last locked folio folio X. Suppose the write range only partially covers folio X, leaving some pages dirty. Process A calls btrfs_subpage_set_writeback() when building a bio. This function call clears the TOWRITE tag of folio X, whose size = 8K and the block size = 4K. It is following state. 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY) <-----> Process A will write this range. Now suppose process B concurrently calls writepages() with WB_SYNC_ALL. It calls tag_pages_for_writeback() to tag dirty folios with PAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then, B collects tagged folios using filemap_get_folios_tag() and must wait for folio X to be written before returning from writepages(). 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE) However, between tagging and collecting, process A may call btrfs_subpage_set_writeback() and clear folio X's TOWRITE tag. 0 4K 8K | |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY) As a result, process B won't see folio X in its batch, and returns without waiting for it. This breaks the WB_SYNC_ALL ordering requirement. Fix this by using btrfs_subpage_set_writeback_keepwrite(), which retains the TOWRITE tag. We now manually clear the tag only after the folio becomes clean, via the xas operation. Fixes: 3470da3b7d87 ("btrfs: subpage: introduce helpers for writeback status") CC: stable(a)vger.kernel.org # 6.12+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/subpage.c b/fs/btrfs/subpage.c index c9b3821957f7..cb4f97833dc3 100644 --- a/fs/btrfs/subpage.c +++ b/fs/btrfs/subpage.c @@ -448,8 +448,25 @@ void btrfs_subpage_set_writeback(const struct btrfs_fs_info *fs_info, spin_lock_irqsave(&bfs->lock, flags); bitmap_set(bfs->bitmaps, start_bit, len >> fs_info->sectorsize_bits); + + /* + * Don't clear the TOWRITE tag when starting writeback on a still-dirty + * folio. Doing so can cause WB_SYNC_ALL writepages() to overlook it, + * assume writeback is complete, and exit too early — violating sync + * ordering guarantees. + */ if (!folio_test_writeback(folio)) - folio_start_writeback(folio); + __folio_start_writeback(folio, true); + if (!folio_test_dirty(folio)) { + struct address_space *mapping = folio_mapping(folio); + XA_STATE(xas, &mapping->i_pages, folio->index); + unsigned long flags; + + xas_lock_irqsave(&xas, flags); + xas_load(&xas); + xas_clear_mark(&xas, PAGECACHE_TAG_TOWRITE); + xas_unlock_irqrestore(&xas, flags); + } spin_unlock_irqrestore(&bfs->lock, flags); }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] btrfs: subpage: keep TOWRITE tag until folio is cleaned" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b1511360c8ac882b0c52caa263620538e8d73220 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082104-dad-buzz-9d86@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b1511360c8ac882b0c52caa263620538e8d73220 Mon Sep 17 00:00:00 2001 From: Naohiro Aota <naohiro.aota(a)wdc.com> Date: Thu, 31 Jul 2025 12:46:56 +0900 Subject: [PATCH] btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfs_wait_ordered_extents(). That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setup will hit the following ASSERT. This happens because the broken ordering fails to flush existing dirty pages before the file size is truncated. assertion failed: !list_empty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899 ------------[ cut here ]------------ kernel BUG at fs/btrfs/zoned.c:1899! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs] RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246 RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8 R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00 R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680 FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0 Call Trace: <TASK> ? srso_return_thunk+0x5/0x5f btrfs_finish_ordered_io+0x4a/0x60 [btrfs] btrfs_work_helper+0xf9/0x490 [btrfs] process_one_work+0x204/0x590 ? srso_return_thunk+0x5/0x5f worker_thread+0x1d6/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x118/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x205/0x260 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Consider process A calling writepages() with WB_SYNC_NONE. In zoned mode or for compressed writes, it locks several folios for delalloc and starts writing them out. Let's call the last locked folio folio X. Suppose the write range only partially covers folio X, leaving some pages dirty. Process A calls btrfs_subpage_set_writeback() when building a bio. This function call clears the TOWRITE tag of folio X, whose size = 8K and the block size = 4K. It is following state. 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY) <-----> Process A will write this range. Now suppose process B concurrently calls writepages() with WB_SYNC_ALL. It calls tag_pages_for_writeback() to tag dirty folios with PAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then, B collects tagged folios using filemap_get_folios_tag() and must wait for folio X to be written before returning from writepages(). 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE) However, between tagging and collecting, process A may call btrfs_subpage_set_writeback() and clear folio X's TOWRITE tag. 0 4K 8K | |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY) As a result, process B won't see folio X in its batch, and returns without waiting for it. This breaks the WB_SYNC_ALL ordering requirement. Fix this by using btrfs_subpage_set_writeback_keepwrite(), which retains the TOWRITE tag. We now manually clear the tag only after the folio becomes clean, via the xas operation. Fixes: 3470da3b7d87 ("btrfs: subpage: introduce helpers for writeback status") CC: stable(a)vger.kernel.org # 6.12+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/subpage.c b/fs/btrfs/subpage.c index c9b3821957f7..cb4f97833dc3 100644 --- a/fs/btrfs/subpage.c +++ b/fs/btrfs/subpage.c @@ -448,8 +448,25 @@ void btrfs_subpage_set_writeback(const struct btrfs_fs_info *fs_info, spin_lock_irqsave(&bfs->lock, flags); bitmap_set(bfs->bitmaps, start_bit, len >> fs_info->sectorsize_bits); + + /* + * Don't clear the TOWRITE tag when starting writeback on a still-dirty + * folio. Doing so can cause WB_SYNC_ALL writepages() to overlook it, + * assume writeback is complete, and exit too early — violating sync + * ordering guarantees. + */ if (!folio_test_writeback(folio)) - folio_start_writeback(folio); + __folio_start_writeback(folio, true); + if (!folio_test_dirty(folio)) { + struct address_space *mapping = folio_mapping(folio); + XA_STATE(xas, &mapping->i_pages, folio->index); + unsigned long flags; + + xas_lock_irqsave(&xas, flags); + xas_load(&xas); + xas_clear_mark(&xas, PAGECACHE_TAG_TOWRITE); + xas_unlock_irqrestore(&xas, flags); + } spin_unlock_irqrestore(&bfs->lock, flags); }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2e13163b43e6bb861182ea999a80dd1d893c0cbf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082142-trend-rind-de4e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2e13163b43e6bb861182ea999a80dd1d893c0cbf Mon Sep 17 00:00:00 2001 From: Bharat Bhushan <bbhushan2(a)marvell.com> Date: Thu, 22 May 2025 15:36:26 +0530 Subject: [PATCH] crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and OcteonTX2 octeontx2 crypto driver allocates memory using kmalloc/kzalloc, and uses this memory for dma (does dma_map_single()). It assumes that kmalloc/kzalloc will return 128-byte aligned address. But kmalloc/kzalloc returns 8-byte aligned address after below changes: "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the smaller cache_line_size() Memory allocated are used for following purpose: - Input data or scatter list address - 8-Byte alignment - Output data or gather list address - 8-Byte alignment - Completion address - 32-Byte alignment. This patch ensures all addresses are aligned as mentioned above. Signed-off-by: Bharat Bhushan <bbhushan2(a)marvell.com> Cc: <stable(a)vger.kernel.org> # v6.5+ Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h b/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h index e27e849b01df..98de93851ba1 100644 --- a/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h +++ b/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h @@ -34,6 +34,9 @@ #define SG_COMP_2 2 #define SG_COMP_1 1 +#define OTX2_CPT_DPTR_RPTR_ALIGN 8 +#define OTX2_CPT_RES_ADDR_ALIGN 32 + union otx2_cpt_opcode { u16 flags; struct { @@ -417,10 +420,9 @@ static inline struct otx2_cpt_inst_info * otx2_sg_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req, gfp_t gfp) { - int align = OTX2_CPT_DMA_MINALIGN; struct otx2_cpt_inst_info *info; - u32 dlen, align_dlen, info_len; - u16 g_sz_bytes, s_sz_bytes; + u32 dlen, info_len; + u16 g_len, s_len; u32 total_mem_len; if (unlikely(req->in_cnt > OTX2_CPT_MAX_SG_IN_CNT || @@ -429,22 +431,54 @@ otx2_sg_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req, return NULL; } - g_sz_bytes = ((req->in_cnt + 3) / 4) * - sizeof(struct otx2_cpt_sglist_component); - s_sz_bytes = ((req->out_cnt + 3) / 4) * - sizeof(struct otx2_cpt_sglist_component); + /* Allocate memory to meet below alignment requirement: + * ------------------------------------ + * | struct otx2_cpt_inst_info | + * | (No alignment required) | + * | --------------------------------| + * | | padding for ARCH_DMA_MINALIGN | + * | | alignment | + * |------------------------------------| + * | SG List Header of 8 Byte | + * |------------------------------------| + * | SG List Gather/Input memory | + * | Length = multiple of 32Bytes | + * | Alignment = 8Byte | + * |---------------------------------- | + * | SG List Scatter/Output memory | + * | Length = multiple of 32Bytes | + * | Alignment = 8Byte | + * | -------------------------------| + * | | padding for 32B alignment | + * |------------------------------------| + * | Result response memory | + * | Alignment = 32Byte | + * ------------------------------------ + */ - dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE; - align_dlen = ALIGN(dlen, align); - info_len = ALIGN(sizeof(*info), align); - total_mem_len = align_dlen + info_len + sizeof(union otx2_cpt_res_s); + info_len = sizeof(*info); + + g_len = ((req->in_cnt + 3) / 4) * + sizeof(struct otx2_cpt_sglist_component); + s_len = ((req->out_cnt + 3) / 4) * + sizeof(struct otx2_cpt_sglist_component); + + dlen = g_len + s_len + SG_LIST_HDR_SIZE; + + /* Allocate extra memory for SG and response address alignment */ + total_mem_len = ALIGN(info_len, OTX2_CPT_DPTR_RPTR_ALIGN); + total_mem_len += (ARCH_DMA_MINALIGN - 1) & + ~(OTX2_CPT_DPTR_RPTR_ALIGN - 1); + total_mem_len += ALIGN(dlen, OTX2_CPT_RES_ADDR_ALIGN); + total_mem_len += sizeof(union otx2_cpt_res_s); info = kzalloc(total_mem_len, gfp); if (unlikely(!info)) return NULL; info->dlen = dlen; - info->in_buffer = (u8 *)info + info_len; + info->in_buffer = PTR_ALIGN((u8 *)info + info_len, ARCH_DMA_MINALIGN); + info->out_buffer = info->in_buffer + SG_LIST_HDR_SIZE + g_len; ((u16 *)info->in_buffer)[0] = req->out_cnt; ((u16 *)info->in_buffer)[1] = req->in_cnt; @@ -460,7 +494,7 @@ otx2_sg_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req, } if (setup_sgio_components(pdev, req->out, req->out_cnt, - &info->in_buffer[8 + g_sz_bytes])) { + info->out_buffer)) { dev_err(&pdev->dev, "Failed to setup scatter list\n"); goto destroy_info; } @@ -476,8 +510,10 @@ otx2_sg_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req, * Get buffer for union otx2_cpt_res_s response * structure and its physical address */ - info->completion_addr = info->in_buffer + align_dlen; - info->comp_baddr = info->dptr_baddr + align_dlen; + info->completion_addr = PTR_ALIGN((info->in_buffer + dlen), + OTX2_CPT_RES_ADDR_ALIGN); + info->comp_baddr = ALIGN((info->dptr_baddr + dlen), + OTX2_CPT_RES_ADDR_ALIGN); return info;

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Add missing error checks" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 3d9eb180fbe8828cce43bce4c370124685b205c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082116-muck-spongy-09b0@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d9eb180fbe8828cce43bce4c370124685b205c3 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:29 -0700 Subject: [PATCH] crypto: x86/aegis - Add missing error checks The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index 3cb5c193038b..f1adfba1a76e 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -104,10 +104,12 @@ static void crypto_aegis128_aesni_process_ad( } } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_process_crypt(struct aegis_state *state, struct skcipher_walk *walk, bool enc) { + int err = 0; + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { if (enc) aegis128_aesni_enc(state, walk->src.virt.addr, @@ -120,7 +122,8 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); kernel_fpu_end(); - skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + err = skcipher_walk_done(walk, + walk->nbytes % AEGIS128_BLOCK_SIZE); kernel_fpu_begin(); } @@ -134,9 +137,10 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, walk->nbytes); kernel_fpu_end(); - skcipher_walk_done(walk, 0); + err = skcipher_walk_done(walk, 0); kernel_fpu_begin(); } + return err; } static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) @@ -169,7 +173,7 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, return 0; } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_block *tag_xor, unsigned int cryptlen, bool enc) @@ -178,20 +182,24 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); struct skcipher_walk walk; struct aegis_state state; + int err; if (enc) - skcipher_walk_aead_encrypt(&walk, req, false); + err = skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, false); + err = skcipher_walk_aead_decrypt(&walk, req, false); + if (err) + return err; kernel_fpu_begin(); aegis128_aesni_init(&state, &ctx->key, req->iv); crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); - crypto_aegis128_aesni_process_crypt(&state, &walk, enc); - aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); - + err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc); + if (err == 0) + aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); kernel_fpu_end(); + return err; } static int crypto_aegis128_aesni_encrypt(struct aead_request *req) @@ -200,8 +208,11 @@ static int crypto_aegis128_aesni_encrypt(struct aead_request *req) struct aegis_block tag = {}; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen; + int err; - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + if (err) + return err; scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen, authsize, 1); @@ -216,11 +227,14 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) struct aegis_block tag; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen - authsize; + int err; scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen, authsize, 0); - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + if (err) + return err; return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Add missing error checks" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 3d9eb180fbe8828cce43bce4c370124685b205c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082116-patriot-perfume-1c71@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d9eb180fbe8828cce43bce4c370124685b205c3 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:29 -0700 Subject: [PATCH] crypto: x86/aegis - Add missing error checks The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index 3cb5c193038b..f1adfba1a76e 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -104,10 +104,12 @@ static void crypto_aegis128_aesni_process_ad( } } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_process_crypt(struct aegis_state *state, struct skcipher_walk *walk, bool enc) { + int err = 0; + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { if (enc) aegis128_aesni_enc(state, walk->src.virt.addr, @@ -120,7 +122,8 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); kernel_fpu_end(); - skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + err = skcipher_walk_done(walk, + walk->nbytes % AEGIS128_BLOCK_SIZE); kernel_fpu_begin(); } @@ -134,9 +137,10 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, walk->nbytes); kernel_fpu_end(); - skcipher_walk_done(walk, 0); + err = skcipher_walk_done(walk, 0); kernel_fpu_begin(); } + return err; } static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) @@ -169,7 +173,7 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, return 0; } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_block *tag_xor, unsigned int cryptlen, bool enc) @@ -178,20 +182,24 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); struct skcipher_walk walk; struct aegis_state state; + int err; if (enc) - skcipher_walk_aead_encrypt(&walk, req, false); + err = skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, false); + err = skcipher_walk_aead_decrypt(&walk, req, false); + if (err) + return err; kernel_fpu_begin(); aegis128_aesni_init(&state, &ctx->key, req->iv); crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); - crypto_aegis128_aesni_process_crypt(&state, &walk, enc); - aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); - + err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc); + if (err == 0) + aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); kernel_fpu_end(); + return err; } static int crypto_aegis128_aesni_encrypt(struct aead_request *req) @@ -200,8 +208,11 @@ static int crypto_aegis128_aesni_encrypt(struct aead_request *req) struct aegis_block tag = {}; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen; + int err; - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + if (err) + return err; scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen, authsize, 1); @@ -216,11 +227,14 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) struct aegis_block tag; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen - authsize; + int err; scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen, authsize, 0); - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + if (err) + return err; return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Add missing error checks" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 3d9eb180fbe8828cce43bce4c370124685b205c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082115-demystify-woozy-fa5f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d9eb180fbe8828cce43bce4c370124685b205c3 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:29 -0700 Subject: [PATCH] crypto: x86/aegis - Add missing error checks The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index 3cb5c193038b..f1adfba1a76e 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -104,10 +104,12 @@ static void crypto_aegis128_aesni_process_ad( } } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_process_crypt(struct aegis_state *state, struct skcipher_walk *walk, bool enc) { + int err = 0; + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { if (enc) aegis128_aesni_enc(state, walk->src.virt.addr, @@ -120,7 +122,8 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); kernel_fpu_end(); - skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + err = skcipher_walk_done(walk, + walk->nbytes % AEGIS128_BLOCK_SIZE); kernel_fpu_begin(); } @@ -134,9 +137,10 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, walk->nbytes); kernel_fpu_end(); - skcipher_walk_done(walk, 0); + err = skcipher_walk_done(walk, 0); kernel_fpu_begin(); } + return err; } static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) @@ -169,7 +173,7 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, return 0; } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_block *tag_xor, unsigned int cryptlen, bool enc) @@ -178,20 +182,24 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); struct skcipher_walk walk; struct aegis_state state; + int err; if (enc) - skcipher_walk_aead_encrypt(&walk, req, false); + err = skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, false); + err = skcipher_walk_aead_decrypt(&walk, req, false); + if (err) + return err; kernel_fpu_begin(); aegis128_aesni_init(&state, &ctx->key, req->iv); crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); - crypto_aegis128_aesni_process_crypt(&state, &walk, enc); - aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); - + err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc); + if (err == 0) + aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); kernel_fpu_end(); + return err; } static int crypto_aegis128_aesni_encrypt(struct aead_request *req) @@ -200,8 +208,11 @@ static int crypto_aegis128_aesni_encrypt(struct aead_request *req) struct aegis_block tag = {}; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen; + int err; - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + if (err) + return err; scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen, authsize, 1); @@ -216,11 +227,14 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) struct aegis_block tag; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen - authsize; + int err; scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen, authsize, 0); - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + if (err) + return err; return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Add missing error checks" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 3d9eb180fbe8828cce43bce4c370124685b205c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082115-defensive-plasma-31fd@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d9eb180fbe8828cce43bce4c370124685b205c3 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:29 -0700 Subject: [PATCH] crypto: x86/aegis - Add missing error checks The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index 3cb5c193038b..f1adfba1a76e 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -104,10 +104,12 @@ static void crypto_aegis128_aesni_process_ad( } } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_process_crypt(struct aegis_state *state, struct skcipher_walk *walk, bool enc) { + int err = 0; + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { if (enc) aegis128_aesni_enc(state, walk->src.virt.addr, @@ -120,7 +122,8 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); kernel_fpu_end(); - skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + err = skcipher_walk_done(walk, + walk->nbytes % AEGIS128_BLOCK_SIZE); kernel_fpu_begin(); } @@ -134,9 +137,10 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, walk->nbytes); kernel_fpu_end(); - skcipher_walk_done(walk, 0); + err = skcipher_walk_done(walk, 0); kernel_fpu_begin(); } + return err; } static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) @@ -169,7 +173,7 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, return 0; } -static __always_inline void +static __always_inline int crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_block *tag_xor, unsigned int cryptlen, bool enc) @@ -178,20 +182,24 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); struct skcipher_walk walk; struct aegis_state state; + int err; if (enc) - skcipher_walk_aead_encrypt(&walk, req, false); + err = skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, false); + err = skcipher_walk_aead_decrypt(&walk, req, false); + if (err) + return err; kernel_fpu_begin(); aegis128_aesni_init(&state, &ctx->key, req->iv); crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); - crypto_aegis128_aesni_process_crypt(&state, &walk, enc); - aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); - + err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc); + if (err == 0) + aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); kernel_fpu_end(); + return err; } static int crypto_aegis128_aesni_encrypt(struct aead_request *req) @@ -200,8 +208,11 @@ static int crypto_aegis128_aesni_encrypt(struct aead_request *req) struct aegis_block tag = {}; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen; + int err; - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); + if (err) + return err; scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen, authsize, 1); @@ -216,11 +227,14 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) struct aegis_block tag; unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen - authsize; + int err; scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen, authsize, 0); - crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); + if (err) + return err; return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; }

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Fix sleeping when disallowed on" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x c7f49dadfcdf27e1f747442e874e9baa52ab7674 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082105-partridge-unboxed-5a0e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c7f49dadfcdf27e1f747442e874e9baa52ab7674 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:28 -0700 Subject: [PATCH] crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT skcipher_walk_done() can call kfree(), which takes a spinlock, which makes it incorrect to call while preemption is disabled on PREEMPT_RT. Therefore, end the kernel-mode FPU section before calling skcipher_walk_done(), and restart it afterwards. Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of atomic=true. The point of atomic=true was to make skcipher_walk_done() safe to call while in a kernel-mode FPU section, but that does not actually work. So just use the usual atomic=false. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index f1b6d40154e3..3cb5c193038b 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -119,7 +119,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); + kernel_fpu_end(); skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + kernel_fpu_begin(); } if (walk->nbytes) { @@ -131,7 +133,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, aegis128_aesni_dec_tail(state, walk->src.virt.addr, walk->dst.virt.addr, walk->nbytes); + kernel_fpu_end(); skcipher_walk_done(walk, 0); + kernel_fpu_begin(); } } @@ -176,9 +180,9 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_state state; if (enc) - skcipher_walk_aead_encrypt(&walk, req, true); + skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, true); + skcipher_walk_aead_decrypt(&walk, req, false); kernel_fpu_begin();

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Fix sleeping when disallowed on" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x c7f49dadfcdf27e1f747442e874e9baa52ab7674 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082104-syrup-acquire-04a4@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c7f49dadfcdf27e1f747442e874e9baa52ab7674 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:28 -0700 Subject: [PATCH] crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT skcipher_walk_done() can call kfree(), which takes a spinlock, which makes it incorrect to call while preemption is disabled on PREEMPT_RT. Therefore, end the kernel-mode FPU section before calling skcipher_walk_done(), and restart it afterwards. Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of atomic=true. The point of atomic=true was to make skcipher_walk_done() safe to call while in a kernel-mode FPU section, but that does not actually work. So just use the usual atomic=false. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index f1b6d40154e3..3cb5c193038b 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -119,7 +119,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); + kernel_fpu_end(); skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + kernel_fpu_begin(); } if (walk->nbytes) { @@ -131,7 +133,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, aegis128_aesni_dec_tail(state, walk->src.virt.addr, walk->dst.virt.addr, walk->nbytes); + kernel_fpu_end(); skcipher_walk_done(walk, 0); + kernel_fpu_begin(); } } @@ -176,9 +180,9 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_state state; if (enc) - skcipher_walk_aead_encrypt(&walk, req, true); + skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, true); + skcipher_walk_aead_decrypt(&walk, req, false); kernel_fpu_begin();

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Fix sleeping when disallowed on" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c7f49dadfcdf27e1f747442e874e9baa52ab7674 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082104-whooping-armband-6944@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c7f49dadfcdf27e1f747442e874e9baa52ab7674 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:28 -0700 Subject: [PATCH] crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT skcipher_walk_done() can call kfree(), which takes a spinlock, which makes it incorrect to call while preemption is disabled on PREEMPT_RT. Therefore, end the kernel-mode FPU section before calling skcipher_walk_done(), and restart it afterwards. Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of atomic=true. The point of atomic=true was to make skcipher_walk_done() safe to call while in a kernel-mode FPU section, but that does not actually work. So just use the usual atomic=false. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index f1b6d40154e3..3cb5c193038b 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -119,7 +119,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); + kernel_fpu_end(); skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + kernel_fpu_begin(); } if (walk->nbytes) { @@ -131,7 +133,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, aegis128_aesni_dec_tail(state, walk->src.virt.addr, walk->dst.virt.addr, walk->nbytes); + kernel_fpu_end(); skcipher_walk_done(walk, 0); + kernel_fpu_begin(); } } @@ -176,9 +180,9 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_state state; if (enc) - skcipher_walk_aead_encrypt(&walk, req, true); + skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, true); + skcipher_walk_aead_decrypt(&walk, req, false); kernel_fpu_begin();

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] crypto: x86/aegis - Fix sleeping when disallowed on" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c7f49dadfcdf27e1f747442e874e9baa52ab7674 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082103-chamomile-hesitant-52e3@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c7f49dadfcdf27e1f747442e874e9baa52ab7674 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Tue, 8 Jul 2025 12:38:28 -0700 Subject: [PATCH] crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT skcipher_walk_done() can call kfree(), which takes a spinlock, which makes it incorrect to call while preemption is disabled on PREEMPT_RT. Therefore, end the kernel-mode FPU section before calling skcipher_walk_done(), and restart it afterwards. Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of atomic=true. The point of atomic=true was to make skcipher_walk_done() safe to call while in a kernel-mode FPU section, but that does not actually work. So just use the usual atomic=false. Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c index f1b6d40154e3..3cb5c193038b 100644 --- a/arch/x86/crypto/aegis128-aesni-glue.c +++ b/arch/x86/crypto/aegis128-aesni-glue.c @@ -119,7 +119,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, walk->dst.virt.addr, round_down(walk->nbytes, AEGIS128_BLOCK_SIZE)); + kernel_fpu_end(); skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); + kernel_fpu_begin(); } if (walk->nbytes) { @@ -131,7 +133,9 @@ crypto_aegis128_aesni_process_crypt(struct aegis_state *state, aegis128_aesni_dec_tail(state, walk->src.virt.addr, walk->dst.virt.addr, walk->nbytes); + kernel_fpu_end(); skcipher_walk_done(walk, 0); + kernel_fpu_begin(); } } @@ -176,9 +180,9 @@ crypto_aegis128_aesni_crypt(struct aead_request *req, struct aegis_state state; if (enc) - skcipher_walk_aead_encrypt(&walk, req, true); + skcipher_walk_aead_encrypt(&walk, req, false); else - skcipher_walk_aead_decrypt(&walk, req, true); + skcipher_walk_aead_decrypt(&walk, req, false); kernel_fpu_begin();

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] bus: mhi: host: Detect events pointing to unexpected TREs" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 5bd398e20f0833ae8a1267d4f343591a2dd20185 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082100-snowiness-profanity-df3a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5bd398e20f0833ae8a1267d4f343591a2dd20185 Mon Sep 17 00:00:00 2001 From: Youssef Samir <quic_yabdulra(a)quicinc.com> Date: Mon, 14 Jul 2025 18:30:39 +0200 Subject: [PATCH] bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer. For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed. This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers. This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained. Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device") Signed-off-by: Youssef Samir <quic_yabdulra(a)quicinc.com> [mani: added stable tag and reworded commit message] Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Reviewed-by: Jeff Hugo <jeff.hugo(a)oss.qualcomm.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250714163039.3438985-1-quic_yabdulra@quicinc.com diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c index 3041ee6747e3..52bef663e182 100644 --- a/drivers/bus/mhi/host/main.c +++ b/drivers/bus/mhi/host/main.c @@ -602,7 +602,7 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, { dma_addr_t ptr = MHI_TRE_GET_EV_PTR(event); struct mhi_ring_element *local_rp, *ev_tre; - void *dev_rp; + void *dev_rp, *next_rp; struct mhi_buf_info *buf_info; u16 xfer_len; @@ -621,6 +621,16 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, result.dir = mhi_chan->dir; local_rp = tre_ring->rp; + + next_rp = local_rp + 1; + if (next_rp >= tre_ring->base + tre_ring->len) + next_rp = tre_ring->base; + if (dev_rp != next_rp && !MHI_TRE_DATA_GET_CHAIN(local_rp)) { + dev_err(&mhi_cntrl->mhi_dev->dev, + "Event element points to an unexpected TRE\n"); + break; + } + while (local_rp != dev_rp) { buf_info = buf_ring->rp; /* If it's the last TRE, get length from the event */

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] PM: runtime: Take active children into account in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 51888393cc64dd0462d0b96c13ab94873abbc030 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082130-droop-update-8564@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 51888393cc64dd0462d0b96c13ab94873abbc030 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Wed, 9 Jul 2025 12:41:45 +0200 Subject: [PATCH] PM: runtime: Take active children into account in pm_runtime_get_if_in_use() For all practical purposes, there is no difference between the situation in which a given device is not ignoring children and its active child count is nonzero and the situation in which its runtime PM usage counter is nonzero. However, pm_runtime_get_if_in_use() will only increment the device's usage counter and return 1 in the latter case. For consistency, make it do so in the former case either by adjusting pm_runtime_get_conditional() and update the related kerneldoc comments accordingly. Fixes: c111566bea7c ("PM: runtime: Add pm_runtime_get_if_active()") Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Ulf Hansson <ulf.hansson(a)linaro.org> Reviewed-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+: c0ef3df8dbae: PM: runtime: Simplify pm_runtime_get_if_active() usage Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+ Link: https://patch.msgid.link/12700973.O9o76ZdvQC@rjwysocki.net diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c index c55a7c70bc1a..2ba0dfd1de5a 100644 --- a/drivers/base/power/runtime.c +++ b/drivers/base/power/runtime.c @@ -1191,10 +1191,12 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume); * * Return -EINVAL if runtime PM is disabled for @dev. * - * Otherwise, if the runtime PM status of @dev is %RPM_ACTIVE and either - * @ign_usage_count is %true or the runtime PM usage counter of @dev is not - * zero, increment the usage counter of @dev and return 1. Otherwise, return 0 - * without changing the usage counter. + * Otherwise, if its runtime PM status is %RPM_ACTIVE and (1) @ign_usage_count + * is set, or (2) @dev is not ignoring children and its active child count is + * nonero, or (3) the runtime PM usage counter of @dev is not zero, increment + * the usage counter of @dev and return 1. + * + * Otherwise, return 0 without changing the usage counter. * * If @ign_usage_count is %true, this function can be used to prevent suspending * the device when its runtime PM status is %RPM_ACTIVE. @@ -1216,7 +1218,8 @@ static int pm_runtime_get_conditional(struct device *dev, bool ign_usage_count) retval = -EINVAL; } else if (dev->power.runtime_status != RPM_ACTIVE) { retval = 0; - } else if (ign_usage_count) { + } else if (ign_usage_count || (!dev->power.ignore_children && + atomic_read(&dev->power.child_count) > 0)) { retval = 1; atomic_inc(&dev->power.usage_count); } else { @@ -1249,10 +1252,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_get_if_active); * @dev: Target device. * * Increment the runtime PM usage counter of @dev if its runtime PM status is - * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case - * it returns 1. If the device is in a different state or its usage_count is 0, - * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device, - * in which case also the usage_count will remain unmodified. + * %RPM_ACTIVE and its runtime PM usage counter is greater than 0 or it is not + * ignoring children and its active child count is nonzero. 1 is returned in + * this case. + * + * If @dev is in a different state or it is not in use (that is, its usage + * counter is 0, or it is ignoring children, or its active child count is 0), + * 0 is returned. + * + * -EINVAL is returned if runtime PM is disabled for the device, in which case + * also the usage counter of @dev is not updated. */ int pm_runtime_get_if_in_use(struct device *dev) {

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] PM: runtime: Take active children into account in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 51888393cc64dd0462d0b96c13ab94873abbc030 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082130-duchess-reflux-c692@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 51888393cc64dd0462d0b96c13ab94873abbc030 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Wed, 9 Jul 2025 12:41:45 +0200 Subject: [PATCH] PM: runtime: Take active children into account in pm_runtime_get_if_in_use() For all practical purposes, there is no difference between the situation in which a given device is not ignoring children and its active child count is nonzero and the situation in which its runtime PM usage counter is nonzero. However, pm_runtime_get_if_in_use() will only increment the device's usage counter and return 1 in the latter case. For consistency, make it do so in the former case either by adjusting pm_runtime_get_conditional() and update the related kerneldoc comments accordingly. Fixes: c111566bea7c ("PM: runtime: Add pm_runtime_get_if_active()") Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Ulf Hansson <ulf.hansson(a)linaro.org> Reviewed-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+: c0ef3df8dbae: PM: runtime: Simplify pm_runtime_get_if_active() usage Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+ Link: https://patch.msgid.link/12700973.O9o76ZdvQC@rjwysocki.net diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c index c55a7c70bc1a..2ba0dfd1de5a 100644 --- a/drivers/base/power/runtime.c +++ b/drivers/base/power/runtime.c @@ -1191,10 +1191,12 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume); * * Return -EINVAL if runtime PM is disabled for @dev. * - * Otherwise, if the runtime PM status of @dev is %RPM_ACTIVE and either - * @ign_usage_count is %true or the runtime PM usage counter of @dev is not - * zero, increment the usage counter of @dev and return 1. Otherwise, return 0 - * without changing the usage counter. + * Otherwise, if its runtime PM status is %RPM_ACTIVE and (1) @ign_usage_count + * is set, or (2) @dev is not ignoring children and its active child count is + * nonero, or (3) the runtime PM usage counter of @dev is not zero, increment + * the usage counter of @dev and return 1. + * + * Otherwise, return 0 without changing the usage counter. * * If @ign_usage_count is %true, this function can be used to prevent suspending * the device when its runtime PM status is %RPM_ACTIVE. @@ -1216,7 +1218,8 @@ static int pm_runtime_get_conditional(struct device *dev, bool ign_usage_count) retval = -EINVAL; } else if (dev->power.runtime_status != RPM_ACTIVE) { retval = 0; - } else if (ign_usage_count) { + } else if (ign_usage_count || (!dev->power.ignore_children && + atomic_read(&dev->power.child_count) > 0)) { retval = 1; atomic_inc(&dev->power.usage_count); } else { @@ -1249,10 +1252,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_get_if_active); * @dev: Target device. * * Increment the runtime PM usage counter of @dev if its runtime PM status is - * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case - * it returns 1. If the device is in a different state or its usage_count is 0, - * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device, - * in which case also the usage_count will remain unmodified. + * %RPM_ACTIVE and its runtime PM usage counter is greater than 0 or it is not + * ignoring children and its active child count is nonzero. 1 is returned in + * this case. + * + * If @dev is in a different state or it is not in use (that is, its usage + * counter is 0, or it is ignoring children, or its active child count is 0), + * 0 is returned. + * + * -EINVAL is returned if runtime PM is disabled for the device, in which case + * also the usage counter of @dev is not updated. */ int pm_runtime_get_if_in_use(struct device *dev) {

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] PM: runtime: Take active children into account in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 51888393cc64dd0462d0b96c13ab94873abbc030 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082129-botany-headlamp-b026@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 51888393cc64dd0462d0b96c13ab94873abbc030 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Wed, 9 Jul 2025 12:41:45 +0200 Subject: [PATCH] PM: runtime: Take active children into account in pm_runtime_get_if_in_use() For all practical purposes, there is no difference between the situation in which a given device is not ignoring children and its active child count is nonzero and the situation in which its runtime PM usage counter is nonzero. However, pm_runtime_get_if_in_use() will only increment the device's usage counter and return 1 in the latter case. For consistency, make it do so in the former case either by adjusting pm_runtime_get_conditional() and update the related kerneldoc comments accordingly. Fixes: c111566bea7c ("PM: runtime: Add pm_runtime_get_if_active()") Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Ulf Hansson <ulf.hansson(a)linaro.org> Reviewed-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+: c0ef3df8dbae: PM: runtime: Simplify pm_runtime_get_if_active() usage Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+ Link: https://patch.msgid.link/12700973.O9o76ZdvQC@rjwysocki.net diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c index c55a7c70bc1a..2ba0dfd1de5a 100644 --- a/drivers/base/power/runtime.c +++ b/drivers/base/power/runtime.c @@ -1191,10 +1191,12 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume); * * Return -EINVAL if runtime PM is disabled for @dev. * - * Otherwise, if the runtime PM status of @dev is %RPM_ACTIVE and either - * @ign_usage_count is %true or the runtime PM usage counter of @dev is not - * zero, increment the usage counter of @dev and return 1. Otherwise, return 0 - * without changing the usage counter. + * Otherwise, if its runtime PM status is %RPM_ACTIVE and (1) @ign_usage_count + * is set, or (2) @dev is not ignoring children and its active child count is + * nonero, or (3) the runtime PM usage counter of @dev is not zero, increment + * the usage counter of @dev and return 1. + * + * Otherwise, return 0 without changing the usage counter. * * If @ign_usage_count is %true, this function can be used to prevent suspending * the device when its runtime PM status is %RPM_ACTIVE. @@ -1216,7 +1218,8 @@ static int pm_runtime_get_conditional(struct device *dev, bool ign_usage_count) retval = -EINVAL; } else if (dev->power.runtime_status != RPM_ACTIVE) { retval = 0; - } else if (ign_usage_count) { + } else if (ign_usage_count || (!dev->power.ignore_children && + atomic_read(&dev->power.child_count) > 0)) { retval = 1; atomic_inc(&dev->power.usage_count); } else { @@ -1249,10 +1252,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_get_if_active); * @dev: Target device. * * Increment the runtime PM usage counter of @dev if its runtime PM status is - * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case - * it returns 1. If the device is in a different state or its usage_count is 0, - * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device, - * in which case also the usage_count will remain unmodified. + * %RPM_ACTIVE and its runtime PM usage counter is greater than 0 or it is not + * ignoring children and its active child count is nonzero. 1 is returned in + * this case. + * + * If @dev is in a different state or it is not in use (that is, its usage + * counter is 0, or it is ignoring children, or its active child count is 0), + * 0 is returned. + * + * -EINVAL is returned if runtime PM is disabled for the device, in which case + * also the usage counter of @dev is not updated. */ int pm_runtime_get_if_in_use(struct device *dev) {

3 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] PM: runtime: Take active children into account in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 51888393cc64dd0462d0b96c13ab94873abbc030 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025082129-outdoors-semantic-147a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 51888393cc64dd0462d0b96c13ab94873abbc030 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Wed, 9 Jul 2025 12:41:45 +0200 Subject: [PATCH] PM: runtime: Take active children into account in pm_runtime_get_if_in_use() For all practical purposes, there is no difference between the situation in which a given device is not ignoring children and its active child count is nonzero and the situation in which its runtime PM usage counter is nonzero. However, pm_runtime_get_if_in_use() will only increment the device's usage counter and return 1 in the latter case. For consistency, make it do so in the former case either by adjusting pm_runtime_get_conditional() and update the related kerneldoc comments accordingly. Fixes: c111566bea7c ("PM: runtime: Add pm_runtime_get_if_active()") Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Ulf Hansson <ulf.hansson(a)linaro.org> Reviewed-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+: c0ef3df8dbae: PM: runtime: Simplify pm_runtime_get_if_active() usage Cc: 5.10+ <stable(a)vger.kernel.org> # 5.10+ Link: https://patch.msgid.link/12700973.O9o76ZdvQC@rjwysocki.net diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c index c55a7c70bc1a..2ba0dfd1de5a 100644 --- a/drivers/base/power/runtime.c +++ b/drivers/base/power/runtime.c @@ -1191,10 +1191,12 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume); * * Return -EINVAL if runtime PM is disabled for @dev. * - * Otherwise, if the runtime PM status of @dev is %RPM_ACTIVE and either - * @ign_usage_count is %true or the runtime PM usage counter of @dev is not - * zero, increment the usage counter of @dev and return 1. Otherwise, return 0 - * without changing the usage counter. + * Otherwise, if its runtime PM status is %RPM_ACTIVE and (1) @ign_usage_count + * is set, or (2) @dev is not ignoring children and its active child count is + * nonero, or (3) the runtime PM usage counter of @dev is not zero, increment + * the usage counter of @dev and return 1. + * + * Otherwise, return 0 without changing the usage counter. * * If @ign_usage_count is %true, this function can be used to prevent suspending * the device when its runtime PM status is %RPM_ACTIVE. @@ -1216,7 +1218,8 @@ static int pm_runtime_get_conditional(struct device *dev, bool ign_usage_count) retval = -EINVAL; } else if (dev->power.runtime_status != RPM_ACTIVE) { retval = 0; - } else if (ign_usage_count) { + } else if (ign_usage_count || (!dev->power.ignore_children && + atomic_read(&dev->power.child_count) > 0)) { retval = 1; atomic_inc(&dev->power.usage_count); } else { @@ -1249,10 +1252,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_get_if_active); * @dev: Target device. * * Increment the runtime PM usage counter of @dev if its runtime PM status is - * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case - * it returns 1. If the device is in a different state or its usage_count is 0, - * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device, - * in which case also the usage_count will remain unmodified. + * %RPM_ACTIVE and its runtime PM usage counter is greater than 0 or it is not + * ignoring children and its active child count is nonzero. 1 is returned in + * this case. + * + * If @dev is in a different state or it is not in use (that is, its usage + * counter is 0, or it is ignoring children, or its active child count is 0), + * 0 is returned. + * + * -EINVAL is returned if runtime PM is disabled for the device, in which case + * also the usage counter of @dev is not updated. */ int pm_runtime_get_if_in_use(struct device *dev) {

3 weeks, 6 days

1
0
0 0

[PATCH v2] media: nxp: imx8-isi: Fix streamon/streamoff calls are imbalanced issue

by Guoniu Zhou

If streamon/streamoff calls are imbalanced, such as exit application with Ctrl+C when streaming, m2m usage_count will never reach to zero and ISI channel won't be freed. Besides from that, if the input line width is more 2K and exit with Ctrl+C when streaming, it will trigger kernel panic, like bellow: [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072] v4l_streamon+0x24/0x30 [ 59.364556] __video_do_ioctl+0x40c/0x4a0 [ 59.368560] video_usercopy+0x2bc/0x690 [ 59.372382] video_ioctl2+0x18/0x24 [ 59.375857] v4l2_ioctl+0x40/0x60 [ 59.379168] __arm64_sys_ioctl+0xac/0x104 [ 59.383172] invoke_syscall+0x48/0x104 [ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613] do_el0_svc+0x1c/0x28 [ 59.394915] el0_svc+0x34/0xf4 [ 59.397966] el0t_64_sync_handler+0xa0/0xe4 [ 59.402143] el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]--- VIDIOC_STREAMON returned -1 (Invalid argument) So check the queue streaming status when application close and call streamoff to fix the issue. Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver") Cc: stable(a)vger.kernel.org Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Signed-off-by: Guoniu Zhou <guoniu.zhou(a)nxp.com> --- Changes in v2: - No functions changed, add Cc:stable@vger.kernel.org tag in the sign-off area - Link to v1: https://lore.kernel.org/r/20250818-isi_m2m-v1-1-bbe2b774d4bf@nxp.com --- drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c index 22e49d3a128732c077beb7ac2e2f688e0899f8e2..7650a9fe6b093e2b4e09e3e66b624c8c019c8583 100644 --- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c +++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c @@ -709,6 +709,14 @@ static int mxc_isi_m2m_release(struct file *file) struct mxc_isi_m2m *m2m = video_drvdata(file); struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(file->private_data); + if (ctx->queues.out.streaming) + mxc_isi_m2m_streamoff(file, &ctx->fh, + V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE); + + if (ctx->queues.cap.streaming) + mxc_isi_m2m_streamoff(file, &ctx->fh, + V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE); + v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); mxc_isi_m2m_ctx_ctrls_delete(ctx); --- base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585 change-id: 20250818-isi_m2m-ac52338ae925 Best regards, -- Guoniu Zhou <guoniu.zhou(a)nxp.com>

3 weeks, 6 days

2
1
0 0

Fwd: [Bug 220457] Using -march=native on linux 6.16.1 causes: can't find jump dest instruction error.

by SMF Linux

https://bugzilla.kernel.org/show_bug.cgi?id=220457 --- Comment #4 from Artem S. Tashkinov (aros(a)gmx.com) --- Send this to LKML. This bug report will die here unattended.

3 weeks, 6 days

1
0
0 0

[PATCH v4] mm: Fix possible deadlock in kmemleak

by Gu Bowen

Our syztester report the lockdep WARNING [1], which was identified in stable kernel version 5.10. However, this deadlock path no longer exists due to the refactoring of console_lock in v6.2-rc1 [2]. Coincidentally, there are two types of deadlocks that we have found here. One is the ABBA deadlock, as mentioned above [1], and the other is the AA deadlock was reported by Breno [3]. The latter's deadlock issue persists. To solve this problem, switch to printk_safe mode before printing warning message, this will redirect all printk()-s to a special per-CPU buffer, which will be flushed later from a safe context (irq work), and this deadlock problem can be avoided. The proper API to use should be printk_deferred_enter()/printk_deferred_exit() [4]. [1] https://lore.kernel.org/all/20250730094914.566582-1-gubowen5@huawei.com/ [2] https://lore.kernel.org/all/20221116162152.193147-1-john.ogness@linutronix.… [3] https://lore.kernel.org/all/20250731-kmemleak_lock-v1-1-728fd470198f@debian… [4] https://lore.kernel.org/all/5ca375cd-4a20-4807-b897-68b289626550@redhat.com/ ==================== Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- mm/kmemleak.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/mm/kmemleak.c b/mm/kmemleak.c index 84265983f239..26113b89d09b 100644 --- a/mm/kmemleak.c +++ b/mm/kmemleak.c @@ -437,9 +437,15 @@ static struct kmemleak_object *__lookup_object(unsigned long ptr, int alias, else if (untagged_objp == untagged_ptr || alias) return object; else { + /* + * Printk deferring due to the kmemleak_lock held. + * This is done to avoid deadlock. + */ + printk_deferred_enter(); kmemleak_warn("Found object by alias at 0x%08lx\n", ptr); dump_object_info(object); + printk_deferred_exit(); break; } } @@ -736,6 +742,11 @@ static int __link_object(struct kmemleak_object *object, unsigned long ptr, else if (untagged_objp + parent->size <= untagged_ptr) link = &parent->rb_node.rb_right; else { + /* + * Printk deferring due to the kmemleak_lock held. + * This is done to avoid deadlock. + */ + printk_deferred_enter(); kmemleak_stop("Cannot insert 0x%lx into the object search tree (overlaps existing)\n", ptr); /* @@ -743,6 +754,7 @@ static int __link_object(struct kmemleak_object *object, unsigned long ptr, * be freed while the kmemleak_lock is held. */ dump_object_info(parent); + printk_deferred_exit(); return -EEXIST; } } @@ -858,8 +870,14 @@ static void delete_object_part(unsigned long ptr, size_t size, object = __find_and_remove_object(ptr, 1, objflags); if (!object) { #ifdef DEBUG + /* + * Printk deferring due to the kmemleak_lock held. + * This is done to avoid deadlock. + */ + printk_deferred_enter(); kmemleak_warn("Partially freeing unknown object at 0x%08lx (size %zu)\n", ptr, size); + printk_deferred_exit(); #endif goto unlock; } -- 2.43.0

3 weeks, 6 days

5
9
0 0

[PATCH v4] tty: serial: qcom_geni_serial: Improve error handling for RS485 mode

by Anup Kulkarni

Fix error handling issues of `uart_get_rs485_mode()` function by reordering resources_init() to occur after uart_get_rs485_mode. Remove multiple goto paths and use dev_err_probe to simplify error paths. Fixes: 4fcc287f3c69 ("serial: qcom-geni: Enable support for half-duplex mode") Cc: stable(a)vger.kernel.org Signed-off-by: Anup Kulkarni <quic_anupkulk(a)quicinc.com> --- v3->v4 - Added Fixes and Cc tag. v2->v3 - Reordered the function resources_init. - Removed goto. - Added dev_err_probe. v1->v2 - Updated commit message. --- drivers/tty/serial/qcom_geni_serial.c | 38 ++++++++++----------------- 1 file changed, 14 insertions(+), 24 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 32ec632fd080..be998dd45968 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1882,15 +1882,9 @@ static int qcom_geni_serial_probe(struct platform_device *pdev) port->se.dev = &pdev->dev; port->se.wrapper = dev_get_drvdata(pdev->dev.parent); - ret = port->dev_data->resources_init(uport); - if (ret) - return ret; - res = platform_get_resource(pdev, IORESOURCE_MEM, 0); - if (!res) { - ret = -EINVAL; - goto error; - } + if (!res) + return -EINVAL; uport->mapbase = res->start; @@ -1903,25 +1897,19 @@ static int qcom_geni_serial_probe(struct platform_device *pdev) if (!data->console) { port->rx_buf = devm_kzalloc(uport->dev, DMA_RX_BUF_SIZE, GFP_KERNEL); - if (!port->rx_buf) { - ret = -ENOMEM; - goto error; - } + if (!port->rx_buf) + return -ENOMEM; } port->name = devm_kasprintf(uport->dev, GFP_KERNEL, "qcom_geni_serial_%s%d", uart_console(uport) ? "console" : "uart", uport->line); - if (!port->name) { - ret = -ENOMEM; - goto error; - } + if (!port->name) + return -ENOMEM; irq = platform_get_irq(pdev, 0); - if (irq < 0) { - ret = irq; - goto error; - } + if (irq < 0) + return irq; uport->irq = irq; uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_QCOM_GENI_CONSOLE); @@ -1942,12 +1930,14 @@ static int qcom_geni_serial_probe(struct platform_device *pdev) irq_set_status_flags(uport->irq, IRQ_NOAUTOEN); ret = devm_request_irq(uport->dev, uport->irq, qcom_geni_serial_isr, IRQF_TRIGGER_HIGH, port->name, uport); - if (ret) { - dev_err(uport->dev, "Failed to get IRQ ret %d\n", ret); - goto error; - } + if (ret) + return dev_err_probe(uport->dev, ret, "Failed to get IRQ\n"); ret = uart_get_rs485_mode(uport); + if (ret) + return dev_err_probe(uport->dev, ret, "Failed to get rs485 mode\n"); + + ret = port->dev_data->resources_init(uport); if (ret) return ret; -- 2.34.1

3 weeks, 6 days

2
2
0 0

[PATCH 6.16.y 1/2] erofs: fix build error with CONFIG_EROFS_FS_ZIP_ACCEL=y

by Gao Xiang

From: "Bo Liu (OpenAnolis)" <liubo03(a)inspur.com> commit 5e0bf36fd156b8d9b09f8481ee6daa6cdba1b064 upstream. fix build err: ld.lld: error: undefined symbol: crypto_req_done referenced by decompressor_crypto.c fs/erofs/decompressor_crypto.o:(z_erofs_crypto_decompress) in archive vmlinux.a referenced by decompressor_crypto.c fs/erofs/decompressor_crypto.o:(z_erofs_crypto_decompress) in archive vmlinux.a ld.lld: error: undefined symbol: crypto_acomp_decompress referenced by decompressor_crypto.c fs/erofs/decompressor_crypto.o:(z_erofs_crypto_decompress) in archive vmlinux.a ld.lld: error: undefined symbol: crypto_alloc_acomp referenced by decompressor_crypto.c fs/erofs/decompressor_crypto.o:(z_erofs_crypto_enable_engine) in archive vmlinux.a Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202507161032.QholMPtn-lkp@intel.com/ Fixes: b4a29efc5146 ("erofs: support DEFLATE decompression by using Intel QAT") Signed-off-by: Bo Liu (OpenAnolis) <liubo03(a)inspur.com> Link: https://lore.kernel.org/r/20250718033039.3609-1-liubo03@inspur.com Reviewed-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> --- Also backport commit 74da24f0ac9b to address: https://lore.kernel.org/r/ca432b9e-e016-4d2d-b137-79def0aaca85@kernel.org fs/erofs/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/erofs/Kconfig b/fs/erofs/Kconfig index 6beeb7063871..7b26efc271ee 100644 --- a/fs/erofs/Kconfig +++ b/fs/erofs/Kconfig @@ -147,6 +147,8 @@ config EROFS_FS_ZIP_ZSTD config EROFS_FS_ZIP_ACCEL bool "EROFS hardware decompression support" depends on EROFS_FS_ZIP + select CRYPTO + select CRYPTO_DEFLATE help Saying Y here includes hardware accelerator support for reading EROFS file systems containing compressed data. It gives better -- 2.43.5

3 weeks, 6 days

1
1
0 0

[PATCH RESEND v2] proc: fix missing pde_set_flags() for net proc files

by wangzijie

To avoid potential UAF issues during module removal races, we use pde_set_flags() to save proc_ops flags in PDE itself before proc_register(), and then use pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*. However, the pde_set_flags() call was missing when creating net related proc files. This omission caused incorrect behavior which FMODE_LSEEK was being cleared inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1]. Fix this by ensuring pde_set_flags() is called when register proc entry, and add NULL check for proc_ops in pde_set_flags(). [1]: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al) Cc: stable(a)vger.kernel.org Reported-by: Lars Wendler <polynomial-c(a)gmx.de> Signed-off-by: wangzijie <wangzijie1(a)honor.com> --- v2: - followed by Jiri's suggestion to refractor code and reformat commit message --- fs/proc/generic.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 76e800e38..003031839 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -367,6 +367,23 @@ static const struct inode_operations proc_dir_inode_operations = { .setattr = proc_notify_change, }; +static void pde_set_flags(struct proc_dir_entry *pde) +{ + if (!pde->proc_ops) + return; + + if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) + pde->flags |= PROC_ENTRY_PERMANENT; + if (pde->proc_ops->proc_read_iter) + pde->flags |= PROC_ENTRY_proc_read_iter; +#ifdef CONFIG_COMPAT + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; +#endif + if (pde->proc_ops->proc_lseek) + pde->flags |= PROC_ENTRY_proc_lseek; +} + /* returns the registered entry, or frees dp and returns NULL on failure */ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, struct proc_dir_entry *dp) @@ -374,6 +391,8 @@ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, if (proc_alloc_inum(&dp->low_ino)) goto out_free_entry; + pde_set_flags(dp); + write_lock(&proc_subdir_lock); dp->parent = dir; if (pde_subdir_insert(dir, dp) == false) { @@ -561,20 +580,6 @@ struct proc_dir_entry *proc_create_reg(const char *name, umode_t mode, return p; } -static void pde_set_flags(struct proc_dir_entry *pde) -{ - if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) - pde->flags |= PROC_ENTRY_PERMANENT; - if (pde->proc_ops->proc_read_iter) - pde->flags |= PROC_ENTRY_proc_read_iter; -#ifdef CONFIG_COMPAT - if (pde->proc_ops->proc_compat_ioctl) - pde->flags |= PROC_ENTRY_proc_compat_ioctl; -#endif - if (pde->proc_ops->proc_lseek) - pde->flags |= PROC_ENTRY_proc_lseek; -} - struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, struct proc_dir_entry *parent, const struct proc_ops *proc_ops, void *data) @@ -585,7 +590,6 @@ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, if (!p) return NULL; p->proc_ops = proc_ops; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_data); @@ -636,7 +640,6 @@ struct proc_dir_entry *proc_create_seq_private(const char *name, umode_t mode, p->proc_ops = &proc_seq_ops; p->seq_ops = ops; p->state_size = state_size; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_seq_private); @@ -667,7 +670,6 @@ struct proc_dir_entry *proc_create_single_data(const char *name, umode_t mode, return NULL; p->proc_ops = &proc_single_ops; p->single_show = show; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_single_data); -- 2.25.1

4 weeks

3
3
0 0

[PATCH v2 0/2] Fixes for maxim tcpc contaminant detection logic

by Amit Sunil Dhamne via B4 Relay

Add fixes to the CC contaminant/connection detection logic to improve reliability and stability of the maxim tcpc driver. This patchset has been tested on a PD Tester. --- Changes in v2: - Fix improperly formatted patch for stable inclusion. Tagged every patch in patchset for stable. - Link to v1: https://lore.kernel.org/r/20250814-fix-upstream-contaminant-v1-0-801ce80890… --- Amit Sunil Dhamne (2): usb: typec: maxim_contaminant: disable low power mode when reading comparator values usb: typec: maxim_contaminant: re-enable cc toggle if cc is open and port is clean drivers/usb/typec/tcpm/maxim_contaminant.c | 58 ++++++++++++++++++++++++++++++ drivers/usb/typec/tcpm/tcpci_maxim.h | 1 + 2 files changed, 59 insertions(+) --- base-commit: 89be9a83ccf1f88522317ce02f854f30d6115c41 change-id: 20250802-fix-upstream-contaminant-16910e2762ca Best regards, -- Amit Sunil Dhamne <amitsd(a)google.com>

4 weeks

2
5
0 0

[PATCH stable 5.10] usb: dwc3: Remove DWC3 locking during gadget suspend/resume

by Selvarasu Ganesan

Dear stable team, Patch : usb: dwc3: Remove DWC3 locking during gadget suspend/resume Commit id:5265397f94424eaea596026fd34dc7acf474dcec This patch fixes a critical bug in the dwc3 driver that was introduced by commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/dri… <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/dri…>) in the 5.10 kernel series. The bug causes the below kernel crash (Added usleep in atomic context as part of above patch) under dwc3 suspend/resume scenarios. 35.829644] [6: kworker/6:1: 68] BUG: scheduling while atomic: kworker/6:1/68/0x00000002 [ 35.829946] [6: kworker/6:1: 68] CPU: 6 PID: 68 Comm: kworker/6:1 Tainted: G C E 5.10.236-android13-4 #1 [ 35.830010] [6: kworker/6:1: 68] Call trace: [ 35.830024] [6: kworker/6:1: 68] dump_backtrace.cfi_jt+0x0/0x8 [ 35.830034] [6: kworker/6:1: 68] show_stack+0x1c/0x2c [ 35.830044] [6: kworker/6:1: 68] dump_stack_lvl+0xd8/0x134 [ 35.830053] [6: kworker/6:1: 68] __schedule_bug+0x80/0xbc [ 35.830062] [6: kworker/6:1: 68] __schedule+0x55c/0x7e8 [ 35.830068] [6: kworker/6:1: 68] schedule+0x80/0x100 [ 35.830077] [6: kworker/6:1: 68] schedule_hrtimeout_range_clock+0xa8/0x11c [ 35.830083] [6: kworker/6:1: 68] usleep_range+0x68/0xa4 [ 35.830093] [6: kworker/6:1: 68] dwc3_gadget_run_stop+0x170/0x448 [ 35.830099] [6: kworker/6:1: 68] dwc3_gadget_resume+0x4c/0xdc [ 35.830108] [6: kworker/6:1: 68] dwc3_resume_common+0x6c/0x23c [ 35.830115] [6: kworker/6:1: 68] dwc3_runtime_resume+0x40/0xcc [ 35.830123] [6: kworker/6:1: 68] pm_generic_runtime_resume+0x48/0x88 [ 35.830131] [6: kworker/6:1: 68] __rpm_callback+0x94/0x420 The patch(5265397f9442) for this fix was originally merged in the below commit: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/… <https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/…> Please apply this patch to the stable 5.10 kernel to prevent this BUG. Additionally the below patch also required to avoid dead lock that introduced by the abovepatch (5265397f9442) in 5.10 stable kernel. Patch:usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock Commit id:7838de15bb700c2898a7d741db9b1f3cbc86c136 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/… <https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/…> Thanks, Selva

4 weeks

2
2
0 0

[to-be-updated] mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: set quota->charged_from to jiffies at first charge window has been removed from the -mm tree. Its filename was mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Sang-Heon Jeon <ekffu200098(a)gmail.com> Subject: mm/damon/core: set quota->charged_from to jiffies at first charge window Date: Wed, 20 Aug 2025 00:01:23 +0900 Kernel initializes "jiffies" timer as 5 minutes below zero, as shown in include/linux/jiffies.h /* * Have the 32 bit jiffies value wrap 5 minutes after boot * so jiffies wrap bugs show up earlier. */ #define INITIAL_JIFFIES ((unsigned long)(unsigned int) (-300*HZ)) And they cast unsigned value to signed to cover wraparound #define time_after_eq(a,b) \ (typecheck(unsigned long, a) && \ typecheck(unsigned long, b) && \ ((long)((a) - (b)) >= 0)) In 64bit systems, these might not be a problem because wrapround occurs 300 million years after the boot, assuming HZ value is 1000. With same assuming, In 32bit system, wraparound occurs 5 minutues after the initial boot and every 49 days after the first wraparound. And about 25 days after first wraparound, it continues quota charging window up to next 25 days. Example 1: initial boot jiffies=0xFFFB6C20, charged_from+interval=0x000003E8 time_after_eq(jiffies, charged_from+interval)=(long)0xFFFB6838; In signed values, it is considered negative so it is false. Example 2: after about 25 days first wraparound jiffies=0x800004E8, charged_from+interval=0x000003E8 time_after_eq(jiffies, charged_from+interval)=(long)0x80000100; In signed values, it is considered negative so it is false So, change quota->charged_from to jiffies at damos_adjust_quota() when it is consider first charge window. In theory; but almost impossible; quota->total_charged_sz and qutoa->charged_from should be both zero even if it is not in first charge window. But It will only delay one reset_interval, So it is not big problem. Link: https://lkml.kernel.org/r/20250819150123.1532458-1-ekffu200098@gmail.com Fixes: 2b8a248d5873 ("mm/damon/schemes: implement size quota for schemes application speed control") [5.16] Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/damon/core.c~mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window +++ a/mm/damon/core.c @@ -2111,6 +2111,10 @@ static void damos_adjust_quota(struct da if (!quota->ms && !quota->sz && list_empty(&quota->goals)) return; + /* First charge window */ + if (!quota->total_charged_sz && !quota->charged_from) + quota->charged_from = jiffies; + /* New charge window starts */ if (time_after_eq(jiffies, quota->charged_from + msecs_to_jiffies(quota->reset_interval))) { _ Patches currently in -mm which might be from ekffu200098(a)gmail.com are mm-damon-update-expired-description-of-damos_action.patch docs-mm-damon-design-fix-typo-s-sz_trtied-sz_tried.patch selftests-damon-test-no-op-commit-broke-damon-status.patch selftests-damon-test-no-op-commit-broke-damon-status-fix.patch mm-damon-tests-core-kunit-add-damos_commit_filter-test.patch

4 weeks

1
0
0 0

[PATCH net v2] ipv6: sr: Fix MAC comparison to be constant-time

by Eric Biggers

To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- v2: sent as standalone patch targeting net instead of net-next. net/ipv6/seg6_hmac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c index f78ecb6ad8383..5dae892bbc73b 100644 --- a/net/ipv6/seg6_hmac.c +++ b/net/ipv6/seg6_hmac.c @@ -33,10 +33,11 @@ #include <net/ip6_route.h> #include <net/addrconf.h> #include <net/xfrm.h> #include <crypto/hash.h> +#include <crypto/utils.h> #include <net/seg6.h> #include <net/genetlink.h> #include <net/seg6_hmac.h> #include <linux/random.h> @@ -278,11 +279,11 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb) return false; if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output)) return false; - if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0) + if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN)) return false; return true; } EXPORT_SYMBOL(seg6_hmac_validate_skb); base-commit: 715c7a36d59f54162a26fac1d1ed8dc087a24cf1 -- 2.50.1

4 weeks

3
2
0 0

[STATUS] stable/linux-6.12.y - 9becd7c25c61ae7e5b6fbfc3c226b1f23af7638c

by KernelCI bot

Hello, Status summary for stable/linux-6.12.y Dashboard: https://d.kernelci.org/c/stable/linux-6.12.y/9becd7c25c61ae7e5b6fbfc3c226b1… giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git branch: linux-6.12.y commit hash: 9becd7c25c61ae7e5b6fbfc3c226b1f23af7638c origin: maestro test start time: 2025-08-20 17:11:31.947000+00:00 Builds: 44 ✅ 1 ❌ 0 ⚠️ Boots: 155 ✅ 0 ❌ 47 ⚠️ Tests: 9449 ✅ 4714 ❌ 2785 ⚠️ ### POSSIBLE REGRESSIONS Hardware: imx6q-udoo - kselftest.alsa.alsa_mixer-test_name_fslimx6qudooac9_22 (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a62a9b233e484a3fa3644a history: > ✅ > ❌ - kselftest.alsa.alsa_mixer-test_name_fslimx6qudooac9_9 (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a62a9b233e484a3fa363ef history: > ✅ > ❌ Hardware: sun50i-a64-pine64-plus - kselftest.kvm.kvm_memslot_perf_test (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a6103e233e484a3fa3221d history: > ✅ > ❌ Hardware: sun50i-h5-libretech-all-h3-cc - kselftest.uevent (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60df0233e484a3fa31411 history: > ✅ > ❌ - kselftest.uevent.uevent_uevent_filtering (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60f02233e484a3fa31730 history: > ✅ > ❌ - kselftest.uevent.uevent_uevent_filtering_global_uevent_filtering (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60f02233e484a3fa31731 history: > ✅ > ❌ ### FIXED REGRESSIONS Hardware: imx6q-udoo - kselftest.alsa.alsa_mixer-test_name_fslimx6qudooac9_10 (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a62a9b233e484a3fa363f6 history: > ❌ > ✅ Hardware: imx8mp-evk - kselftest.kvm.kvm_memslot_perf_test (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a649db233e484a3fa3d412 history: > ❌ > ✅ Hardware: k3-am625-verdin-wifi-mallow - kselftest.kvm.kvm_memslot_perf_test (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60fbb233e484a3fa319f0 history: > ❌ > ✅ ### UNSTABLE TESTS Hardware: acer-cb317-1h-c3z6-dedede - kernelci_wifi_basic (x86_64_defconfig+lab-setup+x86-board+kselftest) last run: https://d.kernelci.org/test/maestro:68a60ea1233e484a3fa3168c history: > ⚠️ > ❌ > ⚠️ - kselftest.iommu (x86_64_defconfig+lab-setup+x86-board+kselftest) last run: https://d.kernelci.org/test/maestro:68a60e92233e484a3fa3160d history: > ❌ > ⚠️ Hardware: acer-chromebox-cxi4-puff - tast (cros://chromeos-6.6/x86_64/chromeos-intel-pineview.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60d3b233e484a3fa31218 history: > ⚠️ > ⚠️ > ⚠️ > ⚠️ > ⚠️ Hardware: acer-chromebox-cxi5-brask - boot (x86_64_defconfig+lab-setup+x86-board+kselftest) last run: https://d.kernelci.org/test/maestro:68a60e6a233e484a3fa314bd history: > ✅ > ⚠️ Hardware: acer-cp514-2h-1160g7-volteer - boot (defconfig+kcidebug+x86-board) last run: https://d.kernelci.org/test/maestro:68a61133233e484a3fa32a5a history: > ⚠️ > ⚠️ Hardware: acer-R721T-grunt - kselftest.cpufreq.suspend (x86_64_defconfig+lab-setup+x86-board+kselftest) last run: https://d.kernelci.org/test/maestro:68a60e80233e484a3fa3156e history: > ✅ > ✅ > ⚠️ Hardware: at91sam9g20ek - ltp (multi_v5_defconfig) last run: https://d.kernelci.org/test/maestro:68a60958233e484a3fa306a5 history: > ⚠️ > ⚠️ Hardware: bcm2711-rpi-4-b - boot (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61238233e484a3fa33008 history: > ✅ > ⚠️ > ✅ > ⚠️ > ⚠️ - kselftest.acct (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61239233e484a3fa33010 history: > ❌ > ⚠️ - kselftest.alsa (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61239233e484a3fa33013 history: > ❌ > ⚠️ - kselftest.arm64 (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6123d233e484a3fa33031 history: > ✅ > ⚠️ - kselftest.breakpoints (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61244233e484a3fa3305f history: > ⚠️ > ⚠️ - kselftest.device_error_logs (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61248233e484a3fa33077 history: > ✅ > ⚠️ - kselftest.dt (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6125c233e484a3fa330ed history: > ❌ > ❌ > ⚠️ > ❌ - kselftest.timers (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61262233e484a3fa3310e history: > ❌ > ⚠️ - kselftest.ftrace (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de2233e484a3fa313b6 history: > ✅ > ⚠️ - kselftest.kvm (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de3233e484a3fa313c2 history: > ❌ > ⚠️ - kselftest.landlock (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de8233e484a3fa313e0 history: > ❌ > ⚠️ - kselftest.lsm (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de8233e484a3fa313e3 history: > ✅ > ⚠️ - kselftest.perf_events (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60dea233e484a3fa313f0 history: > ⚠️ > ⚠️ - kselftest.zram (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60df1233e484a3fa31417 history: > ✅ > ⚠️ Hardware: beaglebone-black - boot (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60735233e484a3fa2ffff history: > ✅ > ⚠️ - kselftest.acct (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a6073f233e484a3fa30016 history: > ❌ > ⚠️ - kselftest.alsa (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60740233e484a3fa30019 history: > ❌ > ⚠️ - kselftest.breakpoints (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60745233e484a3fa30026 history: > ❌ > ⚠️ - kselftest.capabilities (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60746233e484a3fa30029 history: > ✅ > ⚠️ - kselftest.clone3 (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60747233e484a3fa3002c history: > ❌ > ⚠️ - kselftest.coredump (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60748233e484a3fa3002f history: > ❌ > ⚠️ - kselftest.device_error_logs (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60749233e484a3fa30032 history: > ❌ > ⚠️ - kselftest.dt (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60753233e484a3fa30051 history: > ❌ > ❌ > ⚠️ > ⚠️ - kselftest.fchmodat2 (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60758233e484a3fa30061 history: > ❌ > ⚠️ - kselftest.futex (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60759233e484a3fa30064 history: > ❌ > ⚠️ - kselftest.kcmp (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a6075a233e484a3fa30067 history: > ✅ > ⚠️ - kselftest.mqueue (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a6075b233e484a3fa3006a history: > ❌ > ⚠️ - kselftest.proc (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a6075e233e484a3fa30070 history: > ❌ > ⚠️ - kselftest.ptrace (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a6075c233e484a3fa3006d history: > ❌ > ⚠️ - kselftest.signal (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60762233e484a3fa30079 history: > ❌ > ⚠️ - kselftest.timers (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a6075f233e484a3fa30073 history: > ❌ > ⚠️ - kselftest.tmpfs (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60760233e484a3fa30076 history: > ✅ > ⚠️ - kselftest.vdso (multi_v7_defconfig) last run: https://d.kernelci.org/test/maestro:68a60763233e484a3fa3007c history: > ✅ > ⚠️ - kselftest.gpio (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60ca0233e484a3fa30ccd history: > ❌ > ⚠️ - kselftest.ipc (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60ca2233e484a3fa30cd0 history: > ❌ > ⚠️ - kselftest.landlock (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60ca3233e484a3fa30cd3 history: > ❌ > ⚠️ - kselftest.lsm (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60ca5233e484a3fa30cd6 history: > ❌ > ⚠️ - kselftest.memfd (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60ca7233e484a3fa30cd9 history: > ❌ > ⚠️ - kselftest.perf_events (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cab233e484a3fa30cdf history: > ❌ > ⚠️ - kselftest.ring-buffer (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cad233e484a3fa30ce9 history: > ❌ > ⚠️ - kselftest.rlimits (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60caf233e484a3fa30cfb history: > ❌ > ⚠️ - kselftest.seccomp (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cb7233e484a3fa30d13 history: > ❌ > ⚠️ - kselftest.splce (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cb1233e484a3fa30cfe history: > ❌ > ⚠️ - kselftest.sync (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cb3233e484a3fa30d09 history: > ✅ > ⚠️ - kselftest.timens (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cb5233e484a3fa30d10 history: > ✅ > ⚠️ - kselftest.ublk (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cba233e484a3fa30d16 history: > ❌ > ⚠️ - kselftest.uevent (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cbb233e484a3fa30d1f history: > ❌ > ⚠️ - kselftest.user_events (multi_v7_defconfig+kselftest) last run: https://d.kernelci.org/test/maestro:68a60cbd233e484a3fa30d22 history: > ✅ > ⚠️ Hardware: cd8180-orion-o6 - boot (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61231233e484a3fa32fdd history: > ✅ > ⚠️ - kselftest.arm64 (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6123f233e484a3fa3303b history: > ⚠️ > ⚠️ - kselftest.breakpoints (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61245233e484a3fa33065 history: > ⚠️ > ⚠️ - kselftest.device_error_logs (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6124a233e484a3fa33087 history: > ⚠️ > ⚠️ - kselftest.dt (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61255233e484a3fa330c2 history: > ⚠️ > ⚠️ - kselftest.futex (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6125f233e484a3fa330ff history: > ⚠️ > ⚠️ - kselftest.signal (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61265233e484a3fa33120 history: > ⚠️ > ⚠️ - kselftest.timers (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61263233e484a3fa33115 history: > ⚠️ > ⚠️ - kselftest.efivars (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de1233e484a3fa313b3 history: > ⚠️ > ⚠️ - kselftest.ftrace (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de2233e484a3fa313b9 history: > ⚠️ > ⚠️ - kselftest.mm (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de9233e484a3fa313e9 history: > ⚠️ > ⚠️ - kselftest.perf_events (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60deb233e484a3fa313f3 history: > ⚠️ > ⚠️ Hardware: dell-latitude-3445-7520c-skyrim - boot (cros://chromeos-6.6/x86_64/chromeos-amd-stoneyridge.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a606eb233e484a3fa2ff10 history: > ⚠️ > ⚠️ > ⚠️ > ⚠️ Hardware: dell-latitude-5400-8665U-sarien - tast (cros://chromeos-6.6/x86_64/chromeos-intel-pineview.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60d3e233e484a3fa31230 history: > ⚠️ > ⚠️ > ⚠️ > ⚠️ > ❌ - boot (defconfig+kcidebug+x86-board) last run: https://d.kernelci.org/test/maestro:68a61135233e484a3fa32a6c history: > ❌ > ⚠️ Hardware: hp-14b-na0052xx-zork - kselftest.cpufreq.suspend (x86_64_defconfig+lab-setup+x86-board+kselftest) last run: https://d.kernelci.org/test/maestro:68a60e82233e484a3fa31580 history: > ✅ > ⚠️ Hardware: hp-14-db0003na-grunt - kselftest.cpufreq.suspend (x86_64_defconfig+lab-setup+x86-board+kselftest) last run: https://d.kernelci.org/test/maestro:68a60e81233e484a3fa3157a history: > ⚠️ > ✅ Hardware: imx8mp-evk - kselftest.alsa (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6123a233e484a3fa33019 history: > ⚠️ > ❌ Hardware: imx8mp-verdin-nonwifi-dahlia - boot (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61232233e484a3fa32fe3 history: > ✅ > ⚠️ - kselftest.alsa (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6123a233e484a3fa3301c history: > ❌ > ⚠️ - kselftest.arm64 (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61240233e484a3fa33041 history: > ✅ > ⚠️ - kselftest.device_error_logs (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6124b233e484a3fa3308d history: > ❌ > ⚠️ - kselftest.dt (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61256233e484a3fa330cf history: > ❌ > ⚠️ - kselftest.kvm (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de4233e484a3fa313cb history: > ❌ > ⚠️ - kselftest.pkvm (defconfig+arm64-chromebook+kselftest) last run: https://d.kernelci.org/test/maestro:68a60de7233e484a3fa313da history: > ❌ > ⚠️ Hardware: lenovo-TPad-C13-Yoga-zork - tast (cros://chromeos-6.6/x86_64/chromeos-amd-stoneyridge.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60703233e484a3fa2ffec history: > ⚠️ > ⚠️ > ⚠️ > ⚠️ > ⚠️ Hardware: meson-g12b-a311d-libretech-cc - boot (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61233233e484a3fa32fed history: > ✅ > ⚠️ Hardware: meson-sm1-s905d3-libretech-cc - boot (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61234233e484a3fa32ff5 history: > ✅ > ⚠️ - kselftest.device_error_logs (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6124f233e484a3fa3309f history: > ❌ > ⚠️ - kselftest.dt (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61259233e484a3fa330e1 history: > ⚠️ > ❌ Hardware: mt8183-kukui-jacuzzi-juniper-sku16 - boot.nfs (defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60b88233e484a3fa3089d history: > ✅ > ⚠️ - kernelci_watchdog_reset (defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60c18233e484a3fa30965 history: > ⚠️ > ✅ - kselftest.cpufreq.hibernate (defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60bc9233e484a3fa30905 history: > ⚠️ > ✅ - kselftest.devices-probe (defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60bab233e484a3fa308d8 history: > ⚠️ > ✅ - kselftest.exec (defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60bfa233e484a3fa3093b history: > ⚠️ > ✅ Hardware: mt8395-genio-1200-evk - kselftest.dt (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6125d233e484a3fa330f4 history: > ❌ > ⚠️ Hardware: rk3399-roc-pc - boot (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61234233e484a3fa32ff8 history: > ⚠️ > ✅ - kselftest.arm64 (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a61243233e484a3fa33056 history: > ⚠️ > ⚠️ - kselftest.dt (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6125a233e484a3fa330e4 history: > ⚠️ > ⚠️ Hardware: sc7180-trogdor-kingoftown - kselftest.cpufreq.suspend (defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y) last run: https://d.kernelci.org/test/maestro:68a60bd3233e484a3fa30911 history: > ✅ > ⚠️ Hardware: sun50i-h5-libretech-all-h3-cc - kselftest.alsa (defconfig+lab-setup+kselftest) last run: https://d.kernelci.org/test/maestro:68a6123d233e484a3fa3302c history: > ❌ > ⚠️ Sent every day if there were changes in the past 24 hours. Legend: ✅ PASS ❌ FAIL ⚠️ INCONCLUSIVE -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

4 weeks

1
0
0 0

[for-linus][PATCH 6/6] ftrace: Also allocate and copy hash for reading of filter files

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs. Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Link: https://lore.kernel.org/20250820091913.146b77ea@gandalf.local.home Fixes: c20489dad156 ("ftrace: Assign iter->hash to filter or notrace hashes on seq read") Closes: https://lore.kernel.org/all/20250813023044.2121943-1-wutengda@huaweicloud.c… Reported-by: Tengda Wu <wutengda(a)huaweicloud.com> Tested-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ftrace.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 00b76d450a89..f992a5eb878e 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -4661,13 +4661,14 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag, } else { iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash); } + } else { + iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash); + } - if (!iter->hash) { - trace_parser_put(&iter->parser); - goto out_unlock; - } - } else - iter->hash = hash; + if (!iter->hash) { + trace_parser_put(&iter->parser); + goto out_unlock; + } ret = 0; @@ -6543,9 +6544,6 @@ int ftrace_regex_release(struct inode *inode, struct file *file) ftrace_hash_move_and_update_ops(iter->ops, orig_hash, iter->hash, filter_hash); mutex_unlock(&ftrace_lock); - } else { - /* For read only, the hash is the ops hash */ - iter->hash = NULL; } mutex_unlock(&iter->ops->func_hash->regex_lock); -- 2.50.1

4 weeks

1
0
0 0

[for-linus][PATCH 3/6] tracing: Limit access to parser->buffer when trace_get_user failed

by Steven Rostedt

From: Pu Lehui <pulehui(a)huawei.com> When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/165 CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x34/0x50 (C) dump_stack_lvl+0xa0/0x158 print_address_description.constprop.0+0x88/0x398 print_report+0xb0/0x280 kasan_report+0xa4/0xf0 __asan_report_load1_noabort+0x20/0x30 strsep+0x18c/0x1b0 ftrace_process_regex.isra.0+0x100/0x2d8 ftrace_regex_release+0x484/0x618 __fput+0x364/0xa58 ____fput+0x28/0x40 task_work_run+0x154/0x278 do_notify_resume+0x1f0/0x220 el0_svc+0xec/0xf0 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1ac/0x1b0 The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release-> ftrace_process_regex->strsep->strpbrk. We can solve this problem by limiting access to parser->buffer when trace_get_user failed. Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250813040232.1344527-1-pulehui@huaweicloud.com Fixes: 8c9af478c06b ("ftrace: Handle commands when closing set_ftrace_filter file") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace.c | 18 ++++++++++++------ kernel/trace/trace.h | 8 +++++++- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 4283ed4e8f59..8d8935ed416d 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -1816,7 +1816,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf, ret = get_user(ch, ubuf++); if (ret) - return ret; + goto fail; read++; cnt--; @@ -1830,7 +1830,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf, while (cnt && isspace(ch)) { ret = get_user(ch, ubuf++); if (ret) - return ret; + goto fail; read++; cnt--; } @@ -1848,12 +1848,14 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf, while (cnt && !isspace(ch) && ch) { if (parser->idx < parser->size - 1) parser->buffer[parser->idx++] = ch; - else - return -EINVAL; + else { + ret = -EINVAL; + goto fail; + } ret = get_user(ch, ubuf++); if (ret) - return ret; + goto fail; read++; cnt--; } @@ -1868,11 +1870,15 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf, /* Make sure the parsed string always terminates with '\0'. */ parser->buffer[parser->idx] = 0; } else { - return -EINVAL; + ret = -EINVAL; + goto fail; } *ppos += read; return read; +fail: + trace_parser_fail(parser); + return ret; } /* TODO add a seq_buf_to_buffer() */ diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 1dbf1d3cf2f1..be6654899cae 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -1292,6 +1292,7 @@ bool ftrace_event_is_function(struct trace_event_call *call); */ struct trace_parser { bool cont; + bool fail; char *buffer; unsigned idx; unsigned size; @@ -1299,7 +1300,7 @@ struct trace_parser { static inline bool trace_parser_loaded(struct trace_parser *parser) { - return (parser->idx != 0); + return !parser->fail && parser->idx != 0; } static inline bool trace_parser_cont(struct trace_parser *parser) @@ -1313,6 +1314,11 @@ static inline void trace_parser_clear(struct trace_parser *parser) parser->idx = 0; } +static inline void trace_parser_fail(struct trace_parser *parser) +{ + parser->fail = true; +} + extern int trace_parser_get_init(struct trace_parser *parser, int size); extern void trace_parser_put(struct trace_parser *parser); extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf, -- 2.50.1

4 weeks

1
0
0 0

+ ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: prevent release journal inode after journal shutdown has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Edward Adam Davis <eadavis(a)qq.com> Subject: ocfs2: prevent release journal inode after journal shutdown Date: Tue, 19 Aug 2025 21:41:02 +0800 Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_release_jbd_inode(). ocfs2_dismount_volume()-> ocfs2_delete_osb()-> ocfs2_free_slot_info()-> __ocfs2_free_slot_info()-> evict()-> ocfs2_evict_inode()-> ocfs2_clear_inode()-> jbd2_journal_release_jbd_inode(osb->journal->j_journal, Adding osb->journal checks will prevent null-ptr-deref during the above execution path. Link: https://lkml.kernel.org/r/tencent_357489BEAEE4AED74CBD67D246DBD2C4C606@qq.c… Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown") Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Reported-by: syzbot+47d8cb2f2cc1517e515a(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a Tested-by: syzbot+47d8cb2f2cc1517e515a(a)syzkaller.appspotmail.com Reviewed-by: Mark Tinguely <mark.tinguely(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/inode.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/ocfs2/inode.c~ocfs2-prevent-release-journal-inode-after-journal-shutdown +++ a/fs/ocfs2/inode.c @@ -1281,6 +1281,9 @@ static void ocfs2_clear_inode(struct ino * the journal is flushed before journal shutdown. Thus it is safe to * have inodes get cleaned up after journal shutdown. */ + if (!osb->journal) + return; + jbd2_journal_release_jbd_inode(osb->journal->j_journal, &oi->ip_jinode); } _ Patches currently in -mm which might be from eadavis(a)qq.com are ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch

4 weeks

1
0
0 0

Re: Patch "rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe" has been added to the 5.4-stable tree

by Meagan Lloyd

On 8/17/2025 8:48 AM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe > > to the 5.4-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… Hi Sasha, FYI, patch 2/2 of the series wasn't applied to 5.4, but was applied to all the other trees. "rtc: ds1307: handle oscillator stop flag (OSF) for ds1341" [PATCH 2/2] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 - Meagan Lloyd <https://lore.kernel.org/all/1749665656-30108-3-git-send-email-meaganlloyd@l…> (upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e) Thank you, Meagan

4 weeks

2
2
0 0

Linux 6.15.11

by Greg Kroah-Hartman

Note, this is the LAST 6.15.y kernel release, this branch is now end-of-life. Please move to the 6.16.y kernel branch at this point in time. I'm announcing the release of the 6.15.11 kernel. All users of the 6.15 kernel series must upgrade. The updated 6.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/filesystems/fscrypt.rst | 37 Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 Documentation/sphinx/kernel_abi.py | 6 Makefile | 2 arch/arm/mach-rockchip/platsmp.c | 15 arch/arm/mach-tegra/reset.c | 2 arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 2 arch/arm64/include/asm/acpi.h | 2 arch/arm64/kernel/acpi.c | 10 arch/arm64/kernel/stacktrace.c | 2 arch/arm64/kernel/traps.c | 1 arch/arm64/mm/fault.c | 1 arch/arm64/mm/ptdump_debugfs.c | 3 arch/loongarch/kernel/env.c | 13 arch/loongarch/kernel/relocate_kernel.S | 2 arch/loongarch/kernel/unwind_orc.c | 2 arch/loongarch/net/bpf_jit.c | 21 arch/loongarch/vdso/Makefile | 2 arch/mips/include/asm/vpe.h | 8 arch/mips/kernel/process.c | 16 arch/mips/lantiq/falcon/sysctrl.c | 23 arch/parisc/Makefile | 2 arch/powerpc/include/asm/floppy.h | 5 arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 arch/riscv/boot/dts/thead/th1520.dtsi | 10 arch/riscv/mm/ptdump.c | 3 arch/s390/include/asm/timex.h | 13 arch/s390/kernel/early.c | 1 arch/s390/kernel/time.c | 2 arch/s390/mm/dump_pagetables.c | 2 arch/um/include/asm/thread_info.h | 4 arch/um/kernel/process.c | 20 arch/x86/include/asm/kvm_host.h | 6 arch/x86/kernel/cpu/bugs.c | 5 arch/x86/kvm/svm/svm.c | 4 arch/x86/kvm/vmx/nested.c | 18 arch/x86/kvm/vmx/pmu_intel.c | 8 arch/x86/kvm/vmx/vmx.c | 41 arch/x86/kvm/vmx/vmx.h | 13 arch/x86/kvm/vmx/x86_ops.h | 2 arch/x86/kvm/x86.c | 11 block/bfq-iosched.c | 35 block/bfq-iosched.h | 3 block/blk-mq.c | 6 block/blk-settings.c | 2 block/blk-zoned.c | 20 block/kyber-iosched.c | 9 block/mq-deadline.c | 16 crypto/jitterentropy-kcapi.c | 9 drivers/accel/habanalabs/common/memory.c | 23 drivers/acpi/acpi_processor.c | 2 drivers/acpi/apei/ghes.c | 13 drivers/acpi/prmt.c | 26 drivers/acpi/processor_perflib.c | 11 drivers/android/binder_alloc_selftest.c | 2 drivers/ata/ahci.c | 12 drivers/ata/ata_piix.c | 1 drivers/ata/libahci.c | 1 drivers/ata/libata-sata.c | 52 drivers/base/power/runtime.c | 5 drivers/block/drbd/drbd_receiver.c | 6 drivers/block/loop.c | 38 drivers/block/sunvdc.c | 4 drivers/bluetooth/btusb.c | 3 drivers/bus/mhi/host/pci_generic.c | 20 drivers/char/ipmi/ipmi_msghandler.c | 8 drivers/char/ipmi/ipmi_watchdog.c | 59 drivers/char/misc.c | 4 drivers/char/tpm/tpm-interface.c | 17 drivers/char/tpm/tpm_crb_ffa.c | 19 drivers/clk/qcom/dispcc-sm8750.c | 10 drivers/clk/qcom/gcc-ipq5018.c | 2 drivers/clk/qcom/gcc-ipq8074.c | 6 drivers/clk/renesas/rzg2l-cpg.c | 8 drivers/clk/samsung/clk-exynos850.c | 2 drivers/clk/samsung/clk-gs101.c | 4 drivers/clk/tegra/clk-periph.c | 4 drivers/clk/thead/clk-th1520-ap.c | 5 drivers/comedi/comedi_fops.c | 31 drivers/comedi/comedi_internal.h | 1 drivers/comedi/drivers.c | 13 drivers/cpufreq/cppc_cpufreq.c | 2 drivers/cpufreq/cpufreq.c | 8 drivers/cpufreq/intel_pstate.c | 2 drivers/cpuidle/governors/menu.c | 21 drivers/crypto/ccp/sp-pci.c | 1 drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 drivers/devfreq/governor_userspace.c | 6 drivers/dma/stm32/stm32-dma.c | 2 drivers/edac/synopsys_edac.c | 97 drivers/firmware/arm_ffa/driver.c | 2 drivers/firmware/arm_scmi/scmi_power_control.c | 22 drivers/firmware/tegra/Kconfig | 5 drivers/gpio/gpio-loongson-64bit.c | 6 drivers/gpio/gpio-mlxbf2.c | 2 drivers/gpio/gpio-mlxbf3.c | 54 drivers/gpio/gpio-tps65912.c | 7 drivers/gpio/gpio-virtio.c | 9 drivers/gpio/gpio-wcd934x.c | 7 drivers/gpu/drm/amd/amdgpu/aldebaran.c | 33 drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 28 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 6 drivers/gpu/drm/amd/display/dc/core/dc.c | 12 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 11 drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c | 2 drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 1 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c | 16 drivers/gpu/drm/amd/pm/amdgpu_pm.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 drivers/gpu/drm/clients/drm_client_setup.c | 5 drivers/gpu/drm/i915/display/intel_psr.c | 14 drivers/gpu/drm/imagination/pvr_power.c | 59 drivers/gpu/drm/msm/Makefile | 5 drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 2 drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 4 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h | 2 drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 2 drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h | 4 drivers/gpu/drm/msm/msm_drv.c | 9 drivers/gpu/drm/msm/msm_gem.c | 3 drivers/gpu/drm/msm/msm_gem.h | 6 drivers/gpu/drm/msm/registers/adreno/a6xx.xml | 3582 +--------- drivers/gpu/drm/msm/registers/adreno/a6xx_descriptors.xml | 198 drivers/gpu/drm/msm/registers/adreno/a6xx_enums.xml | 383 + drivers/gpu/drm/msm/registers/adreno/a6xx_perfcntrs.xml | 600 + drivers/gpu/drm/msm/registers/adreno/a7xx_enums.xml | 223 drivers/gpu/drm/msm/registers/adreno/a7xx_perfcntrs.xml | 1030 ++ drivers/gpu/drm/msm/registers/adreno/adreno_pm4.xml | 302 drivers/gpu/drm/panel/panel-raydium-rm67200.c | 22 drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c | 3 drivers/gpu/drm/scheduler/sched_main.c | 34 drivers/gpu/drm/ttm/ttm_pool.c | 8 drivers/gpu/drm/ttm/ttm_resource.c | 3 drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 7 drivers/gpu/drm/xe/xe_hw_fence.c | 3 drivers/gpu/drm/xe/xe_query.c | 27 drivers/hid/hid-core.c | 4 drivers/hid/hid-magicmouse.c | 56 drivers/hwmon/emc2305.c | 10 drivers/i2c/i2c-core-acpi.c | 1 drivers/i3c/internals.h | 1 drivers/i3c/master.c | 4 drivers/idle/intel_idle.c | 2 drivers/iio/adc/ad7768-1.c | 23 drivers/iio/adc/ad_sigma_delta.c | 2 drivers/infiniband/core/nldev.c | 22 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 drivers/infiniband/hw/hfi1/affinity.c | 44 drivers/infiniband/sw/siw/siw_qp_tx.c | 5 drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 drivers/iommu/intel/iommu.c | 19 drivers/iommu/intel/iommu.h | 3 drivers/iommu/iommufd/io_pagetable.c | 48 drivers/irqchip/irq-mips-gic.c | 8 drivers/irqchip/irq-renesas-rzv2h.c | 4 drivers/leds/flash/leds-qcom-flash.c | 15 drivers/leds/leds-lp50xx.c | 11 drivers/leds/trigger/ledtrig-netdev.c | 16 drivers/md/dm-ps-historical-service-time.c | 4 drivers/md/dm-ps-queue-length.c | 4 drivers/md/dm-ps-round-robin.c | 4 drivers/md/dm-ps-service-time.c | 4 drivers/md/dm-stripe.c | 1 drivers/md/dm-table.c | 10 drivers/md/dm-zoned-target.c | 2 drivers/md/dm.c | 37 drivers/md/raid10.c | 1 drivers/media/dvb-frontends/dib7000p.c | 8 drivers/media/i2c/hi556.c | 7 drivers/media/i2c/lt6911uxe.c | 2 drivers/media/i2c/tc358743.c | 86 drivers/media/pci/intel/ipu-bridge.c | 2 drivers/media/platform/qcom/iris/iris_buffer.c | 11 drivers/media/platform/qcom/iris/iris_hfi_gen1_defines.h | 2 drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c | 6 drivers/media/platform/qcom/venus/hfi_msgs.c | 83 drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 4 drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 drivers/media/usb/uvc/uvc_ctrl.c | 55 drivers/media/usb/uvc/uvc_driver.c | 12 drivers/media/usb/uvc/uvc_video.c | 21 drivers/media/usb/uvc/uvcvideo.h | 2 drivers/media/v4l2-core/v4l2-common.c | 14 drivers/mfd/axp20x.c | 3 drivers/mfd/cros_ec_dev.c | 10 drivers/misc/cardreader/rtsx_usb.c | 16 drivers/misc/mei/bus.c | 6 drivers/mmc/host/rtsx_usb_sdmmc.c | 4 drivers/mmc/host/sdhci-msm.c | 14 drivers/net/can/ti_hecc.c | 2 drivers/net/dsa/b53/b53_common.c | 78 drivers/net/dsa/b53/b53_regs.h | 7 drivers/net/ethernet/agere/et131x.c | 36 drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 2 drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 drivers/net/ethernet/atheros/ag71xx.c | 9 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 drivers/net/ethernet/emulex/benet/be_main.c | 8 drivers/net/ethernet/faraday/ftgmac100.c | 7 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 drivers/net/ethernet/freescale/fec_main.c | 34 drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 drivers/net/ethernet/google/gve/gve_adminq.c | 1 drivers/net/ethernet/hisilicon/hibmcge/hbg_err.c | 14 drivers/net/ethernet/hisilicon/hibmcge/hbg_hw.c | 15 drivers/net/ethernet/hisilicon/hibmcge/hbg_txrx.h | 7 drivers/net/ethernet/intel/idpf/idpf.h | 19 drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 36 drivers/net/ethernet/intel/idpf/idpf_lib.c | 18 drivers/net/ethernet/intel/idpf/idpf_main.c | 1 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 13 drivers/net/ethernet/mediatek/mtk_wed.c | 1 drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 drivers/net/ethernet/stmicro/stmmac/dwmac-thead.c | 14 drivers/net/ethernet/ti/icssg/icss_iep.c | 26 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 6 drivers/net/hamradio/bpqether.c | 2 drivers/net/hyperv/hyperv_net.h | 3 drivers/net/hyperv/netvsc_drv.c | 29 drivers/net/pcs/pcs-xpcs-plat.c | 4 drivers/net/phy/broadcom.c | 25 drivers/net/phy/micrel.c | 12 drivers/net/phy/smsc.c | 1 drivers/net/thunderbolt/main.c | 21 drivers/net/usb/asix_devices.c | 1 drivers/net/usb/cdc_ncm.c | 20 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wan/lapbether.c | 2 drivers/net/wireless/ath/ath10k/core.c | 48 drivers/net/wireless/ath/ath10k/core.h | 11 drivers/net/wireless/ath/ath10k/mac.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 6 drivers/net/wireless/ath/ath12k/core.h | 4 drivers/net/wireless/ath/ath12k/dp.c | 3 drivers/net/wireless/ath/ath12k/hw.c | 2 drivers/net/wireless/ath/ath12k/mac.c | 77 drivers/net/wireless/ath/ath12k/wmi.c | 5 drivers/net/wireless/ath/ath12k/wmi.h | 1 drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 drivers/net/wireless/intel/iwlwifi/mld/agg.c | 5 drivers/net/wireless/intel/iwlwifi/mld/iface.h | 3 drivers/net/wireless/intel/iwlwifi/mld/link.c | 8 drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 1 drivers/net/wireless/intel/iwlwifi/mld/mlo.c | 8 drivers/net/wireless/intel/iwlwifi/mld/scan.c | 2 drivers/net/wireless/intel/iwlwifi/mld/scan.h | 2 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 5 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 drivers/net/wireless/mediatek/mt76/channel.c | 4 drivers/net/wireless/mediatek/mt76/mt76.h | 5 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 28 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 drivers/net/wireless/realtek/rtlwifi/pci.c | 23 drivers/net/wireless/realtek/rtw89/chan.c | 6 drivers/net/wireless/realtek/rtw89/coex.c | 12 drivers/net/wireless/realtek/rtw89/core.c | 3 drivers/net/wireless/realtek/rtw89/fw.c | 9 drivers/net/wireless/realtek/rtw89/fw.h | 2 drivers/net/wireless/realtek/rtw89/mac.c | 19 drivers/net/wireless/realtek/rtw89/reg.h | 1 drivers/net/wireless/realtek/rtw89/wow.c | 5 drivers/net/xen-netfront.c | 5 drivers/nvme/host/pci.c | 24 drivers/nvme/host/tcp.c | 11 drivers/pci/pci-acpi.c | 4 drivers/pci/pci.c | 6 drivers/pci/probe.c | 2 drivers/perf/arm-cmn.c | 1 drivers/perf/arm-ni.c | 1 drivers/perf/cxl_pmu.c | 2 drivers/phy/rockchip/phy-rockchip-pcie.c | 15 drivers/pinctrl/stm32/pinctrl-stm32.c | 1 drivers/platform/chrome/cros_ec_sensorhub.c | 23 drivers/platform/chrome/cros_ec_typec.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 drivers/platform/x86/thinkpad_acpi.c | 4 drivers/pmdomain/imx/imx8m-blk-ctrl.c | 10 drivers/pmdomain/ti/Kconfig | 2 drivers/power/supply/qcom_battmgr.c | 2 drivers/pps/clients/pps-gpio.c | 5 drivers/ptp/ptp_clock.c | 2 drivers/ptp/ptp_private.h | 5 drivers/ptp/ptp_vclock.c | 7 drivers/remoteproc/imx_rproc.c | 4 drivers/reset/Kconfig | 10 drivers/rtc/rtc-ds1307.c | 15 drivers/s390/char/sclp.c | 4 drivers/scsi/aacraid/comminit.c | 3 drivers/scsi/bfa/bfad_im.c | 1 drivers/scsi/libiscsi.c | 3 drivers/scsi/lpfc/lpfc_debugfs.c | 1 drivers/scsi/lpfc/lpfc_hbadisc.c | 3 drivers/scsi/lpfc/lpfc_scsi.c | 4 drivers/scsi/mpi3mr/mpi3mr_os.c | 20 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 drivers/scsi/pm8001/pm80xx_hwi.c | 12 drivers/scsi/scsi_scan.c | 2 drivers/scsi/scsi_transport_sas.c | 60 drivers/soc/qcom/mdt_loader.c | 10 drivers/soc/qcom/rpmh-rsc.c | 2 drivers/soundwire/amd_manager.c | 7 drivers/soundwire/bus.c | 6 drivers/staging/gpib/ni_usb/ni_usb_gpib.c | 14 drivers/target/target_core_fabric_lib.c | 63 drivers/target/target_core_internal.h | 4 drivers/target/target_core_pr.c | 18 drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 drivers/thermal/thermal_sysfs.c | 9 drivers/thunderbolt/domain.c | 2 drivers/tty/serial/serial_core.c | 44 drivers/usb/class/cdc-acm.c | 11 drivers/usb/core/config.c | 10 drivers/usb/core/urb.c | 2 drivers/usb/dwc3/dwc3-xilinx.c | 1 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci-ring.c | 10 drivers/usb/host/xhci.c | 6 drivers/usb/typec/mux/intel_pmc_mux.c | 2 drivers/usb/typec/tcpm/fusb302.c | 8 drivers/usb/typec/tcpm/tcpci_maxim_core.c | 46 drivers/usb/typec/ucsi/cros_ec_ucsi.c | 1 drivers/usb/typec/ucsi/psy.c | 2 drivers/usb/typec/ucsi/ucsi.c | 1 drivers/usb/typec/ucsi/ucsi.h | 7 drivers/vfio/pci/mlx5/cmd.c | 4 drivers/vfio/vfio_iommu_type1.c | 7 drivers/vhost/vhost.c | 3 drivers/video/fbdev/Kconfig | 2 drivers/video/fbdev/core/fbcon.c | 9 drivers/video/fbdev/core/fbmem.c | 3 drivers/virt/coco/efi_secret/efi_secret.c | 10 drivers/watchdog/dw_wdt.c | 2 drivers/watchdog/iTCO_wdt.c | 6 drivers/watchdog/sbsa_gwdt.c | 50 fs/btrfs/block-group.c | 31 fs/btrfs/ctree.c | 1 fs/btrfs/extent-tree.c | 33 fs/btrfs/inode.c | 2 fs/btrfs/ioctl.c | 3 fs/btrfs/qgroup.c | 44 fs/btrfs/relocation.c | 19 fs/btrfs/send.c | 33 fs/btrfs/transaction.c | 6 fs/btrfs/tree-log.c | 107 fs/btrfs/zoned.c | 5 fs/crypto/fscrypt_private.h | 17 fs/crypto/hkdf.c | 2 fs/crypto/keysetup.c | 3 fs/crypto/keysetup_v1.c | 3 fs/erofs/super.c | 4 fs/eventpoll.c | 60 fs/exfat/dir.c | 12 fs/exfat/fatent.c | 10 fs/exfat/namei.c | 5 fs/exfat/super.c | 32 fs/ext2/inode.c | 12 fs/ext4/inline.c | 19 fs/ext4/mballoc-test.c | 9 fs/ext4/mballoc.c | 67 fs/f2fs/file.c | 24 fs/fhandle.c | 2 fs/file.c | 15 fs/gfs2/dir.c | 6 fs/gfs2/glops.c | 6 fs/gfs2/meta_io.c | 2 fs/hfs/bfind.c | 3 fs/hfs/bnode.c | 93 fs/hfs/btree.c | 57 fs/hfs/extent.c | 2 fs/hfs/hfs_fs.h | 1 fs/hfsplus/bnode.c | 92 fs/hfsplus/unicode.c | 7 fs/hfsplus/xattr.c | 6 fs/jfs/file.c | 3 fs/jfs/inode.c | 2 fs/jfs/jfs_dmap.c | 6 fs/libfs.c | 4 fs/nfs/blocklayout/blocklayout.c | 4 fs/nfs/blocklayout/dev.c | 5 fs/nfs/blocklayout/extent_tree.c | 20 fs/nfs/client.c | 44 fs/nfs/internal.h | 2 fs/nfs/nfs4client.c | 20 fs/nfs/nfs4proc.c | 2 fs/nfs/pnfs.c | 11 fs/nfsd/nfs4state.c | 34 fs/ntfs3/dir.c | 3 fs/ntfs3/inode.c | 31 fs/ocfs2/aops.c | 1 fs/orangefs/orangefs-debugfs.c | 2 fs/pidfs.c | 2 fs/proc/task_mmu.c | 6 fs/smb/client/cifsencrypt.c | 79 fs/smb/client/cifssmb.c | 10 fs/smb/client/compress.c | 71 fs/smb/client/connect.c | 1 fs/smb/client/sess.c | 9 fs/smb/client/smb2ops.c | 11 fs/smb/client/smbdirect.c | 25 fs/smb/server/smb2pdu.c | 16 fs/tracefs/inode.c | 11 fs/udf/super.c | 13 fs/xfs/scrub/trace.h | 2 include/drm/gpu_scheduler.h | 18 include/linux/acpi.h | 2 include/linux/blk_types.h | 6 include/linux/blkdev.h | 55 include/linux/hid.h | 2 include/linux/hypervisor.h | 3 include/linux/if_vlan.h | 21 include/linux/libata.h | 1 include/linux/memory-tiers.h | 2 include/linux/packing.h | 6 include/linux/pci.h | 6 include/linux/sbitmap.h | 6 include/linux/skbuff.h | 8 include/linux/usb/cdc_ncm.h | 1 include/linux/virtio_vsock.h | 7 include/net/bluetooth/hci.h | 6 include/net/bluetooth/hci_core.h | 5 include/net/cfg80211.h | 2 include/net/ip_vs.h | 13 include/net/kcm.h | 1 include/net/mac80211.h | 4 include/net/page_pool/types.h | 2 include/sound/sdca_function.h | 2 include/trace/events/thp.h | 2 include/uapi/linux/in6.h | 4 include/uapi/linux/io_uring.h | 2 io_uring/memmap.c | 2 io_uring/net.c | 27 io_uring/rsrc.c | 4 io_uring/rsrc.h | 2 io_uring/rw.c | 2 kernel/.gitignore | 2 kernel/Makefile | 47 kernel/bpf/verifier.c | 7 kernel/gen_kheaders.sh | 94 kernel/kthread.c | 1 kernel/module/main.c | 10 kernel/power/console.c | 7 kernel/printk/nbcon.c | 63 kernel/rcu/rcutorture.c | 9 kernel/rcu/tree.c | 2 kernel/rcu/tree.h | 14 kernel/rcu/tree_nocb.h | 5 kernel/rcu/tree_plugin.h | 44 kernel/sched/deadline.c | 4 kernel/sched/fair.c | 19 kernel/sched/rt.c | 6 kernel/trace/fprobe.c | 4 kernel/trace/rv/rv_trace.h | 3 lib/sbitmap.c | 56 mm/damon/core.c | 1 mm/huge_memory.c | 7 mm/kmemleak.c | 10 mm/ptdump.c | 2 mm/shmem.c | 39 mm/slub.c | 7 mm/userfaultfd.c | 17 net/bluetooth/hci_conn.c | 3 net/bluetooth/hci_event.c | 39 net/bluetooth/hci_sock.c | 2 net/core/ieee8021q_helpers.c | 44 net/core/page_pool.c | 29 net/ipv4/route.c | 1 net/ipv4/udp_offload.c | 2 net/ipv6/addrconf.c | 7 net/ipv6/mcast.c | 11 net/kcm/kcmsock.c | 10 net/mac80211/chan.c | 1 net/mac80211/ht.c | 40 net/mac80211/ieee80211_i.h | 6 net/mac80211/iface.c | 29 net/mac80211/link.c | 9 net/mac80211/mlme.c | 45 net/mac80211/rx.c | 47 net/mctp/af_mctp.c | 26 net/ncsi/internal.h | 2 net/ncsi/ncsi-rsp.c | 1 net/netfilter/ipvs/ip_vs_est.c | 3 net/netfilter/nf_conntrack_netlink.c | 24 net/netfilter/nft_set_pipapo.c | 9 net/netlink/af_netlink.c | 2 net/sched/sch_ets.c | 11 net/sctp/input.c | 2 net/tls/tls.h | 2 net/tls/tls_strp.c | 11 net/tls/tls_sw.c | 3 net/vmw_vsock/virtio_transport.c | 2 net/wireless/mlme.c | 3 net/xfrm/xfrm_device.c | 9 net/xfrm/xfrm_state.c | 72 rust/Makefile | 16 samples/damon/wsse.c | 12 scripts/kconfig/gconf.c | 8 scripts/kconfig/lxdialog/inputbox.c | 6 scripts/kconfig/lxdialog/menubox.c | 2 scripts/kconfig/nconf.c | 2 scripts/kconfig/nconf.gui.c | 1 security/apparmor/domain.c | 52 security/apparmor/file.c | 6 security/apparmor/include/lib.h | 6 security/inode.c | 2 security/landlock/syscalls.c | 1 sound/core/pcm_native.c | 19 sound/pci/hda/cs35l41_hda.c | 2 sound/pci/hda/cs35l56_hda.c | 4 sound/pci/hda/hda_codec.c | 42 sound/pci/hda/patch_ca0132.c | 2 sound/pci/hda/patch_realtek.c | 3 sound/pci/intel8x0.c | 2 sound/soc/codecs/hdac_hdmi.c | 10 sound/soc/codecs/rt5640.c | 5 sound/soc/fsl/fsl_sai.c | 20 sound/soc/intel/avs/core.c | 3 sound/soc/intel/boards/sof_sdw.c | 8 sound/soc/qcom/lpass-platform.c | 27 sound/soc/sdca/sdca_functions.c | 2 sound/soc/soc-core.c | 3 sound/soc/soc-dapm.c | 4 sound/soc/sof/topology.c | 15 sound/usb/mixer_quirks.c | 14 sound/usb/stream.c | 25 sound/usb/validate.c | 12 tools/bpf/bpftool/main.c | 6 tools/include/nolibc/std.h | 4 tools/include/nolibc/types.h | 4 tools/lib/bpf/libbpf.c | 7 tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 tools/power/x86/turbostat/turbostat.c | 14 tools/scripts/Makefile.include | 4 tools/testing/ktest/ktest.pl | 5 tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 tools/testing/selftests/bpf/prog_tests/ringbuf.c | 4 tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 10 tools/testing/selftests/bpf/progs/test_ringbuf_write.c | 4 tools/testing/selftests/bpf/progs/verifier_unpriv.c | 2 tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 tools/testing/selftests/futex/include/futextest.h | 11 tools/testing/selftests/net/netfilter/config | 2 tools/testing/selftests/vDSO/vdso_test_getrandom.c | 6 tools/verification/dot2/dot2k.py | 3 tools/verification/dot2/dot2k_templates/Kconfig_container | 5 559 files changed, 8142 insertions(+), 5038 deletions(-) Aakash Kumar S (1): xfrm: Duplicate SPI Handling Aaron Kling (1): ARM: tegra: Use I/O memcpy to write to IRAM Aaron Plattner (1): watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Abel Vesa (1): power: supply: qcom_battmgr: Add lithium-polymer entry Aditya Garg (1): HID: magicmouse: avoid setting up battery timer when not needed Ahmed Zaki (1): idpf: preserve coalescing settings across resets Al Viro (5): habanalabs: fix UAF in export_dmabuf() better lockdep annotations for simple_recursive_removal() landlock: opened file never has a negative dentry fix locking in efi_secret_unlink() securityfs: don't pin dentries twice, once is enough... Alessio Belle (1): drm/imagination: Clear runtime PM errors while resetting the GPU Alex Guo (2): media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Alex Hung (1): drm/amd/display: Initialize mode_select to 0 Alexander Kochetkov (1): ARM: rockchip: fix kernel hang during smp initialization Alexey Klimov (1): iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Alok Tiwari (6): net: ti: icss-iep: Fix incorrect type for return value in extts_enable() ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 be2net: Use correct byte order and format string for TCP seq and ack_seq net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() perf/cxlpmu: Remove unintended newline from IRQ name format string gve: Return error for unknown admin queue command Amelie Delaunay (1): dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Amir Mohammad Jahangirzad (1): fs/orangefs: use snprintf() instead of sprintf() Andrew Price (2): gfs2: Validate i_depth for exhash directories gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Andrey Albershteyn (1): xfs: fix scrub trace with null pointer in quotacheck André Draszik (4): clk: samsung: exynos850: fix a comment clk: samsung: gs101: fix CLK_DOUT_CMU_G3D_BUSD clk: samsung: gs101: fix alternate mout_hsi0_usb20_ref parent clock usb: typec: tcpm/tcpci_maxim: fix irq wake usage Andy Shevchenko (1): Documentation: ACPI: Fix parent device references Andy Yan (1): drm/panel: raydium-rm67200: Move initialization from enable() to prepare stage Anshuman Khandual (1): mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Anthoine Bourgeois (1): xen/netfront: Fix TX response spurious interrupts Arnaud Lecomte (1): jfs: upper bound check of tree index in dbAllocAG Arnd Bergmann (2): RDMA/core: reduce stack using in nldev_stat_get_doit() firmware: arm_scmi: Convert to SYSTEM_SLEEP_PM_OPS Artem Sadovnikov (1): vfio/mlx5: fix possible overflow in tracking max message size Avraham Stern (4): wifi: iwlwifi: mld: avoid outdated reorder buffer head_sn wifi: iwlwifi: mvm: avoid outdated reorder buffer head_sn wifi: iwlwifi: mld: fix scan request validation wifi: iwlwifi: mvm: fix scan request validation Baochen Qiang (1): wifi: ath12k: install pairwise key first Baokun Li (2): ext4: fix zombie groups in average fragment size lists ext4: fix largest free orders lists corruption on mb_optimize_scan switch Bartosz Golaszewski (2): gpio: wcd934x: check the return value of regmap_update_bits() gpio: tps65912: check the return value of regmap_update_bits() Benjamin Marzinski (1): dm-table: fix checking for rq stackable devices Benson Leung (1): usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Bharat Bhushan (1): crypto: octeontx2 - add timeout for load_fvc completion poll Bijan Tabatabai (1): mm/damon/core: commit damos->target_nid Biju Das (2): irqchip/renesas-rzv2h: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND net: phy: micrel: Add ksz9131_resume() Binbin Zhou (1): gpio: loongson-64bit: Extend GPIO irq support Bitterblue Smith (3): wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB wifi: rtw89: Fix rtw89_mac_power_switch() for USB wifi: rtw89: Disable deep power saving for USB/SDIO Bjorn Andersson (1): soc: qcom: mdt_loader: Actually use the e_phoff Boris Burkov (2): btrfs: fix ssd_spread overallocation btrfs: fix iteration bug in __qgroup_excl_accounting() Breno Leitao (5): ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path arm64: Mark kernel as tainted on SAE and SError panic ptp: Use ratelimite for freerun error message ipmi: Use dev_warn_ratelimited() for incorrect message warnings mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Buday Csaba (1): net: phy: smsc: add proper reset flags for LAN8710A Caleb Sander Mateos (1): btrfs: don't skip accounting in early ENOTTY return in btrfs_uring_encoded_read() Calvin Owens (2): tools/power turbostat: Fix build with musl tools/power turbostat: Handle cap_get_proc() ENOSYS Cezary Rojewski (1): ASoC: Intel: avs: Fix uninitialized pointer error in probe() Charlene Liu (1): drm/amd/display: limit clear_update_flags to dcn32 and above Charles Keepax (2): ASoC: SDCA: Add flag for unused IRQs soundwire: Move handle_nested_irq outside of sdw_dev_lock Cheick Traore (1): pinctrl: stm32: Manage irq affinity settings Chen-Yu Tsai (1): mfd: axp20x: Set explicit ID for AXP313 regulator Chih-Kang Chang (1): wifi: rtw89: scan abort when assign/unassign_vif Chin-Yen Lee (1): wifi: rtw89: wow: Add Basic Rate IE to probe request in scheduled scan mode Ching-Te Ku (1): wifi: rtw89: coex: Not to set slot duration to zero to avoid firmware issue Chris Mason (1): sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Christian Brauner (2): fhandle: raise FILEID_IS_DIR in handle_type pidfs: raise SB_I_NODEV and SB_I_NOEXEC Christian Marangi (1): clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src Christophe Leroy (1): ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Christopher Eby (1): ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Claudiu Beznea (1): clk: renesas: rzg2l: Postpone updating priv->clks[] Corey Minyard (1): ipmi: Fix strcpy source and destination the same Cristian Ciocaltea (1): ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Cynthia Huang (1): selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Dai Ngo (1): NFSD: detect mismatch of file handle and delegation stateid in OPEN op Damien Le Moal (9): block: Make REQ_OP_ZONE_FINISH a write operation ata: ahci: Disallow LPM policy control if not supported ata: ahci: Disable DIPM if host lacks support ata: libata-sata: Disallow changing LPM state if not supported scsi: mpt3sas: Correctly handle ATA device errors scsi: mpi3mr: Correctly handle ATA device errors block: Introduce bio_needs_zone_write_plugging() dm: Always split write BIOs to zoned device limits ata: libata-sata: Add link_power_management_supported sysfs attribute Daniel Golle (1): Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" Daniel Scally (1): media: ipu-bridge: Add _HID for OV5670 Daniele Palmas (1): bus: mhi: host: pci_generic: Add Telit FN990B40 modem support Dave Penkler (1): staging: gpib: Add init response codes for new ni-usb-hs+ Dave Stevenson (3): media: tc358743: Check I2C succeeded during probe media: tc358743: Return an appropriate colorspace from tc358743_set_fmt media: tc358743: Increase FIFO trigger level to 374 David Bauer (2): wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch wifi: mt76: mt7915: mcu: increase eeprom command timeout David Collins (1): thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required David Hildenbrand (1): mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() David Howells (1): cifs: Fix collect_sample() to handle any iterator type David Lechner (1): iio: adc: ad_sigma_delta: don't overallocate scan buffer David Thompson (3): gpio: mlxbf2: use platform_get_irq_optional() Revert "gpio: mlxbf3: only get IRQ for device instance 0" gpio: mlxbf3: use platform_get_irq_optional() Davide Caratti (1): net/sched: ets: use old 'nbands' while purging unused classes Dikshita Agarwal (1): media: iris: Add handling for corrupt and drop frames Dongcheng Yan (1): media: i2c: set lt6911uxe's reset_gpio to GPIOD_OUT_LOW Eduard Zingerman (1): libbpf: Verify that arena map exists when adding arena relocations Edward Adam Davis (1): jfs: Regular file corruption check Eliav Farber (1): pps: clients: gpio: fix interrupt handling order in remove path Emily Deng (1): drm/ttm: Should to return the evict error En-Wei Wu (1): Bluetooth: btusb: Add new VID/PID 0489/e14e for MT7925 Eric Biggers (2): fscrypt: Don't use problematic non-inline crypto engines thunderbolt: Fix copy+paste error in match_service_id() Eric Work (1): net: atlantic: add set_power to fw_ops for atl2 to fix wol Fabio Porcedda (1): net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition Fedor Pchelkin (1): netlink: avoid infinite retry looping in netlink_unicast() Felix Fietkau (1): wifi: mt76: fix vif link allocation Filipe Manana (10): btrfs: abort transaction during log replay if walk_log_tree() failed btrfs: qgroup: set quota enabled bit if quota disable fails flushing reservations btrfs: don't ignore inode missing when replaying log tree btrfs: qgroup: fix race between quota disable and quota rescan ioctl btrfs: qgroup: fix qgroup create ioctl returning success after quotas disabled btrfs: don't skip remaining extrefs if dir not found during log replay btrfs: clear dirty status from extent buffer on error at insert_new_root() btrfs: send: use fallocate for hole punching with send stream v2 btrfs: fix log tree replay failure due to file with 0 links and extents btrfs: error on missing block group when unaccounting log tree extent buffers Florian Larysch (1): net: phy: micrel: fix KSZ8081/KSZ8091 cable test Florian Westphal (2): netfilter: ctnetlink: fix refcount leak on table dump netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps Florin Leotescu (1): hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Francisco Gutierrez (1): scsi: pm80xx: Free allocated tags after failure Frederic Weisbecker (2): ipvs: Fix estimator kthreads preferred affinity rcu: Fix racy re-initialization of irq_work causing hangs Gabriel Totev (1): apparmor: shift ouid when mediating hard links in userns Gal Pressman (2): net: vlan: Make is_vlan_dev() a stub when VLAN is not configured net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs GalaxySnail (1): ALSA: hda: add MODULE_FIRMWARE for cs35l41/cs35l56 Gao Xiang (1): erofs: fix block count report when 48-bit layout is on Gautham R. Shenoy (1): pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() George Moussalem (1): clk: qcom: ipq5018: keep XO clock always on Geraldo Nascimento (1): phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal Greg Kroah-Hartman (1): Linux 6.15.11 Guillaume La Roque (1): pmdomain: ti: Select PM_GENERIC_DOMAINS Gwendal Grignou (1): platform/chrome: cros_ec_sensorhub: Retries when a sensor is not ready Haiyang Zhang (1): hv_netvsc: Fix panic during namespace deletion with VF Hans de Goede (2): mei: bus: Check for still connected devices in mei_cl_bus_dev_release() media: hi556: Fix reset GPIO timings Haoran Jiang (1): LoongArch: BPF: Fix jump offset calculation in tailcall Harald Mommer (1): gpio: virtio: Fix config space reading. Hari Chandrakanthan (2): wifi: mac80211: fix rx link assignment for non-MLO stations wifi: ath12k: Fix station association with MBSSID Non-TX BSS Hari Kalavakunta (1): net: ncsi: Fix buffer overflow in fetching version id Heiko Carstens (1): s390/early: Copy last breaking event address to pt_regs Heiner Kallweit (2): net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect dpaa_eth: don't use fixed_phy_change_carrier Hiago De Franco (1): remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Hsin-Te Yuan (1): thermal: sysfs: Return ENODATA instead of EAGAIN for reads Huacai Chen (2): PCI: Extend isolated function probing to LoongArch LoongArch: Make relocate_new_kernel_size be a .quad value Ian Abbott (1): comedi: fix race between polling and detaching Ihor Solodrai (1): bpf: Make reg_not_null() true for CONST_PTR_TO_MAP Ilan Peer (1): wifi: cfg80211: Fix interface type validation Ilya Bakoulin (1): drm/amd/display: Separate set_gsl from set_gsl_source_select Ivan Lipski (1): drm/amd/display: Allow DCN301 to clear update flags Jack Ping CHNG (1): net: pcs: xpcs: mask readl() return value to 16 bits Jack Xiao (1): drm/amdgpu: fix incorrect vm flags to map bo Jaegeuk Kim (1): f2fs: check the generic conditions first Jakub Kicinski (3): net: page_pool: allow enabling recycling late, fix false positive warning tls: handle data disappearing from under the TLS ULP uapi: in6: restore visibility of most IPv6 socket options Jameson Thies (1): usb: typec: ucsi: Add poll_cci operation to cros_ec_ucsi Jan Kara (2): loop: Avoid updating block size under exclusive owner udf: Verify partition map count Jann Horn (1): eventpoll: Fix semi-unbounded recursion Jarkko Sakkinen (1): tpm: Check for completion after timeout Jason Gunthorpe (1): iommufd: Prevent ALIGN() overflow Jason Wang (1): vhost: fail early when __vhost_add_used() fails Jay Chen (1): usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Jeff Layton (1): nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Jens Axboe (3): io_uring/memmap: cast nr_pages to size_t before shifting io_uring/net: commit partial buffers on retry io_uring/rw: cast rw->flags assignment to rwf_t Jeongjun Park (1): ptp: prevent possible ABBA deadlock in ptp_clock_freerun() Jiasheng Jiang (1): scsi: lpfc: Remove redundant assignment to avoid memory leak Jiayi Li (1): ACPI: processor: perflib: Fix initial _PPC limit application Jijie Shao (3): net: hibmcge: fix rtnl deadlock issue net: hibmcge: fix the division by zero issue net: hibmcge: fix the np_link_fail error reporting issue Jinjiang Tu (1): mm/smaps: fix race between smaps_hugetlb_range and migration Joel Fernandes (1): rcu: Fix rcu_read_unlock() deadloop due to IRQ work Johan Adolfsson (1): leds: leds-lp50xx: Handle reg to get correct multi_index Johan Hovold (5): net: gianfar: fix device leak when querying time stamp info net: enetc: fix device and OF node leak at probe net: mtk_eth_soc: fix device leak at probe net: ti: icss-iep: fix device and OF node leaks at probe net: dpaa: fix device leak when querying time stamp info Johannes Berg (5): wifi: cfg80211: reject HTC bit for management frames wifi: mac80211: don't use TPE data from assoc response wifi: mac80211: don't unreserve never reserved chanctx wifi: mac80211: don't complete management TX on SAE commit wifi: iwlwifi: mld: fix last_mlo_scan_time type Johannes Thumshirn (1): btrfs: zoned: use filesystem size not disk size for reclaim decision John Garry (4): dm-stripe: limit chunk_sectors to the stripe size md/raid10: set chunk_sectors limit scsi: aacraid: Stop using PCI_IRQ_AFFINITY block: avoid possible overflow for chunk_sectors check in blk_stack_limits() John Johansen (1): apparmor: fix x_table_lookup when stacking is not the first entry John Ogness (1): printk: nbcon: Allow reacquire during panic Jonas Rebmann (1): net: fec: allow disable coalescing Jonathan Santos (1): iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Jorge Marques (1): i3c: master: Initialize ret in i3c_i2c_notifier_call() Joseph Tilahun (1): tty: serial: fix print format specifiers Jouni Högander (1): drm/i915/psr: Do not trigger Frame Change events from frontbuffer flush Juri Lelli (1): sched/deadline: Fix accounting after global limits change Justin Tee (2): scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Kairui Song (1): mm/shmem, swap: improve cached mTHP handling and fix potential hang Kalesh AP (1): RDMA/bnxt_re: Fix size of uverbs_copy_to() in BNXT_RE_METHOD_GET_TOGGLE_MEM Kamil Horák - 2N (1): net: phy: bcm54811: PHY initialization Kang Yang (1): wifi: ath10k: shutdown driver when hardware is unreliable Karthikeyan Kathirvel (1): wifi: ath12k: Decrement TID on RX peer frag setup error handling Kees Cook (2): arm64: Handle KCOV __init vs inline mismatches platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Keith Busch (2): nvme-pci: try function level reset on init failure vfio/type1: conditional rescheduling while pinning Krzysztof Hałasa (1): imx8m-blk-ctrl: set ISI panic write hurry level Krzysztof Kozlowski (2): leds: flash: leds-qcom-flash: Fix registry access after re-bind clk: qcom: dispcc-sm8750: Fix setting rate byte and pixel clocks Kuninori Morimoto (1): ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Kuniyuki Iwashima (1): ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc(). Lad Prabhakar (1): drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range Len Brown (2): intel_idle: Allow loading ACPI tables for any family tools/power turbostat: Handle non-root legacy-uncore sysfs permissions Leon Romanovsky (1): net/mlx5e: Properly access RCU protected qdisc_sleeping variable Li Chen (3): ACPI: Suppress misleading SPCR console message when SPCR table is absent HID: rate-limit hid_warn to prevent log flooding ACPI: Return -ENODEV from acpi_parse_spcr() when SPCR support is disabled Li RongQing (1): cpufreq: intel_pstate: Add Granite Rapids support in no-HWP mode Li Zhijian (1): mm/memory-tier: fix abstract distance calculation overflow Lifeng Zheng (2): cpufreq: Exit governor when failed to start old governor PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Lijo Lazar (1): drm/amdgpu: Suspend IH during mode-2 reset Lizhi Xu (3): fs/ntfs3: Add sanity check for file name jfs: truncate good inode pages when hard link is 0 ocfs2: reset folio to NULL when get folio fails Lorenzo Bianconi (1): wifi: mt76: mt7996: Fix mlink lookup in mt7996_tx_prepare_skb Lu Baolu (1): iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes Lucy Thrun (1): ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Lukas Wunner (1): PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports MD Danish Anwar (1): net: ti: icssg-prueth: Fix emac link speed handling Ma Ke (1): sunvdc: Balance device refcount in vdc_port_mpgroup_check Marek Szyprowski (1): media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() Mario Limonciello (8): platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list usb: xhci: Avoid showing warnings for dying controller usb: xhci: Avoid showing errors during surprise removal drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual drm/amd/display: Stop storing failures into adev->dm.cached_state drm/amd/display: Only finalize atomic_obj if it was initialized drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported crypto: ccp - Add missing bootloader info reg for pspv6 Mark Brown (2): ASoC: hdac_hdmi: Rate limit logging on connection and disconnection kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace Mark Rutland (1): arm64: stacktrace: Check kretprobe_find_ret_addr() return value Markus Stockhausen (1): irqchip/mips-gic: Allow forced affinity Markus Theil (1): crypto: jitter - fix intermediary handling Masahiro Yamada (3): kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() kconfig: gconf: fix potential memory leak in renderer_edited() kheaders: rebuild kheaders_data.tar.xz when a file is modified within a minute Masami Hiramatsu (Google) (2): selftests: tracing: Use mutex_unlock for testing glob filter tracing: fprobe: Fix infinite recursion using preempt_*_notrace() Mateusz Guzik (1): apparmor: use the condition in AA_BUG_FMT even with debug disabled Matt Johnston (1): net: mctp: Prevent duplicate binds Matt Roper (1): drm/xe/xe_query: Use separate iterator while filling GT list Matteo Croce (1): libbpf: Fix warning in calloc() usage Maulik Shah (1): soc: qcom: rpmh-rsc: Add RSC version 4 support Maurizio Lombardi (2): nvme-tcp: log TLS handshake failures at error level scsi: target: core: Generate correct identifiers for PR OUT transport IDs Mauro Carvalho Chehab (1): sphinx: kernel_abi: fix performance regression with O=<dir> Maxim Levitsky (2): KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Meagan Lloyd (2): rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Michal Wilczynski (1): clk: thead: Mark essential bus clocks as CLK_IGNORE_UNUSED Miguel Ojeda (2): rust: kbuild: clean output before running `rustdoc` rust: workaround `rustdoc` target modifiers bug Mikulas Patocka (1): dm-mpath: don't print the "loaded" message if registering fails Mina Almasry (1): netmem: fix skb_frag_address_safe with unreadable skbs Miri Korenblit (5): wifi: iwlwifi: mld: use spec link id and not FW link id wifi: mac80211: handle WLAN_HT_ACTION_NOTIFY_CHANWIDTH async wifi: iwlwifi: mvm: set gtk id also in older FWs wifi: mac80211: avoid weird state in error path wifi: iwlwifi: mld: don't exit EMLSR when we shouldn't Myrrh Periwinkle (1): usb: typec: ucsi: Update power_supply on power role change Nam Cao (2): verification/dot2k: Make a separate dot2k_templates/Kconfig_container rv: Add #undef TRACE_INCLUDE_FILE Naohiro Aota (3): btrfs: zoned: requeue to unused block group list if zone finish failed btrfs: zoned: do not remove unwritten non-data block group btrfs: zoned: do not select metadata BG as finish target Nathan Lynch (1): lib: packing: Include necessary headers NeilBrown (1): smb/server: avoid deadlock when linking with ReplaceIfExists Nicholas Kazlauskas (1): drm/amd/display: Update DMCUB loading sequence for DCN3.5 Nicolin Chen (1): iommufd: Report unmapped bytes in the error path of iopt_unmap_iova_range Niklas Söderlund (1): media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Oliver Neukum (3): usb: core: usb_submit_urb: downgrade type check net: usb: cdc-ncm: check for filtering capability cdc-acm: fix race between initial clearing halt and open Oscar Maes (1): net: ipv4: fix incorrect MTU in broadcast routes Pagadala Yesu Anjaneyulu (1): wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Pali Rohár (1): cifs: Fix calling CIFSFindFirst() for root path without msearch Paul Chaignon (1): bpf: Forget ranges when refining tnum after JSET Paul E. McKenney (1): rcu: Protect ->defer_qs_iw_pending from data race Paulo Alcantara (1): smb: client: fix session setup against servers that require SPN Pavel Begunkov (2): io_uring: don't use int for ABI io_uring: export io_[un]account_mem Pawan Gupta (1): x86/bugs: Avoid warning when overriding return thunk Pedro Falcato (1): RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Pei Xiao (1): clk: tegra: periph: Fix error handling and resolve unsigned compare warning Peichen Huang (1): drm/amd/display: add null check Peng Fan (1): firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set early during resume Peter Jakubek (1): ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCC SKU Peter Robinson (1): reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Peter Ujfalusi (2): ASoC: SOF: topology: Parse the dapm_widget_tokens in case of DSPless mode ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Petr Pavlu (1): module: Prevent silent truncation of module name in delete_module(2) Philipp Stanner (1): drm/sched: Avoid memory leaks with cancel_job() callback Prashant Malani (1): cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Purva Yeshi (1): md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Qu Wenruo (3): btrfs: populate otime when logging an inode item btrfs: fix wrong length parameter for btrfs_cleanup_ordered_extents() btrfs: do not allow relocation of partially dropped subvolumes Radhey Shyam Pandey (1): usb: dwc3: xilinx: add shutdown callback Rafael J. Wysocki (3): ACPI: processor: perflib: Move problematic pr->performance check cpuidle: governors: menu: Avoid using invalid recent intervals data PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Raj Kumar Bhagat (1): wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 Ramya Gnanasekar (1): wifi: mac80211: update radar_required in channel context after channel switch Rand Deeb (1): wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Randy Dunlap (2): fbdev: nvidiafb: add depends on HAS_IOPORT parisc: Makefile: fix a typo in palo.conf Ranjan Kumar (1): scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Ricardo Ribalda (3): media: uvcvideo: Add quirk for HP Webcam HD 2300 media: uvcvideo: Set V4L2_CTRL_FLAG_DISABLED during queryctrl errors media: uvcvideo: Do not mark valid metadata as invalid Ricky Wu (1): misc: rtsx: usb: Ensure mmc child device is active when card is present Rob Clark (2): drm/msm: Update register xml drm/msm: use trylock for debugfs Robin Murphy (1): perf/arm: Add missing .suppress_bind_attrs Roman Li (1): drm/amd/display: Disable dsc_power_gate for dcn314 by default Rong Zhang (1): fs/ntfs3: correctly create symlink for relative path RubenKelevra (1): net: ieee8021q: fix insufficient table-size assertion Sabrina Dubroca (2): xfrm: restore GSO for SW crypto udp: also consider secpath when evaluating ipsec use for checksumming Sarah Newman (1): drbd: add missing kref_get in handle_write_conflicts Sarika Sharma (2): wifi: ath12k: Correct tid cleanup when tid setup fails wifi: ath12k: Add memset and update default rate value in wmi tx completion Sarthak Garg (1): mmc: sdhci-msm: Ensure SD card power isn't ON when card removed Sasha Levin (1): fs: Prevent file descriptor table allocations exceeding INT_MAX Sean Christopherson (2): KVM: VMX: Extract checking of guest's DEBUGCTL into helper KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap Sebastian Andrzej Siewior (1): selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG Sebastian Ott (1): ACPI: processor: fix acpi_object initialization Sebastian Reichel (2): watchdog: dw_wdt: Fix default timeout usb: typec: fusb302: cache PD RX state SeongJae Park (1): samples/damon/wsse: fix boot time enable handling Sergey Bashirov (4): pNFS: Fix stripe mapping in block/scsi layout pNFS: Fix disk addr range check in block/scsi layout pNFS: Handle RPC size limit for layoutcommits pNFS: Fix uninited ptr deref in block/scsi layout Shankari Anand (1): kconfig: nconf: Ensure null termination where strncpy is used Shannon Nelson (1): ionic: clean dbpage in de-init Shengjiu Wang (1): ASoC: fsl_sai: replace regmap_write with regmap_update_bits Shiji Yang (2): MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} MIPS: lantiq: falcon: sysctrl: fix request memory check logic Shin'ichiro Kawasaki (1): dm: split write BIOs on zone boundaries when zone append is not emulated Showrya M N (1): scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Shuai Xue (1): ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered Shubhrajyoti Datta (1): EDAC/synopsys: Clear the ECC counters on init Shyam Prasad N (1): cifs: reset iface weights when we cannot find a candidate Siddharth Vadapalli (1): arm64: dts: ti: k3-j722s-evm: Fix USB gpio-hog level for Type-C Sravan Kumar Gundu (1): fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Srinivas Kandagatla (1): ASoC: qcom: use drvdata instead of component to keep id Stanislav Fomichev (2): net: lapbether: ignore ops-locked netdevs hamradio: ignore ops-locked netdevs Stanislaw Gruszka (1): wifi: iwlegacy: Check rate_idx range after addition Stefan Metzmacher (3): smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() smb: client: don't wait for info->send_pending == 0 on error smb: client: don't call init_waitqueue_head(&info->conn_wait) twice in _smbd_get_connection Steve French (1): smb3: fix for slab out of bounds on mount to ksmbd Steven Rostedt (3): tracefs: Add d_delete to remove negative dentries powerpc/thp: tracing: Hide hugepage events under CONFIG_PPC_BOOK3S_64 ktest.pl: Prevent recursion of default variable options Su Hui (1): usb: xhci: print xhci->xhc_state when queue_command failed Suchit Karunakaran (1): kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Suren Baghdasaryan (1): userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry Sven Schnelle (3): s390/sclp: Use monotonic clock in sclp_sync_wait() s390/time: Use monotonic clock in get_cycles() s390/stp: Remove udelay from stp_sync_clock() Sven Stegemann (1): net: kcm: Fix race condition in kcm_unattach() Takashi Iwai (4): ALSA: usb-audio: Validate UAC3 power domain descriptors, too ALSA: usb-audio: Validate UAC3 cluster segment descriptors ALSA: hda: Handle the jack polling always via a work ALSA: hda: Disable jack polling at shutdown Tetsuo Handa (1): hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() Theodore Ts'o (1): ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Thierry Reding (2): firmware: tegra: Fix IVC dependency problems drm/fbdev-client: Skip DRM clients if modesetting is absent Thomas Croft (1): ALSA: hda/realtek: add LG gram 16Z90R-A to alc269 fixup table Thomas Fourier (6): et131x: Add missing check after DMA map net: ag71xx: Add missing check after DMA map (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`. powerpc: floppy: Add missing checks after DMA map wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Thomas Weißschuh (7): LoongArch: Don't use %pK through printk() in unwinder mfd: cros_ec: Separate charge-control probing from USB-PD tools/nolibc: define time_t in terms of __kernel_old_time_t tools/build: Fix s390(x) cross-compilation with clang selftests: vDSO: vdso_test_getrandom: Always print TAP header um: Re-evaluate thread flags repeatedly MIPS: Don't crash in stack_top() for tasks without ABI or vDSO Tiffany Yang (1): binder: Fix selftest page indexing Tomasz Michalec (2): usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present platform/chrome: cros_ec_typec: Defer probe on missing EC parent Tomi Valkeinen (1): media: raspberrypi: cfe: Fix min_reqbufs_allocation Trond Myklebust (1): NFS: Fix the setting of capabilities when automounting a new filesystem Tvrtko Ursulin (2): drm/xe: Make dma-fences compliant with the safe access rules drm/ttm: Respect the shrinker core free target Ulf Hansson (1): mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Umio Yasuno (1): drm/amd/pm: fix null pointer access Uwe Kleine-König (1): Bluetooth: btusb: Add support for variant of RTL8851BE (USB ID 13d3:3601) Valmantas Paliksa (1): phy: rockchip-pcie: Enable all four lanes if required Vasiliy Kovalev (1): ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Vedang Nagar (1): media: venus: Fix OOB read due to missing payload bound check Viacheslav Dubeyko (5): hfs: fix general protection fault in hfs_find_init() hfs: fix slab-out-of-bounds in hfs_bnode_read() hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() hfs: fix not erasing deleted b-tree node issue Vijendar Mukunda (2): soundwire: amd: serialize amd manager resume sequence during pm_prepare soundwire: amd: cancel pending slave status handling workqueue during remove sequence Vincent Mailhol (1): can: ti_hecc: fix -Woverflow compiler warning Vivek Pernamitta (1): bus: mhi: host: pci_generic: Disable runtime PM for QDU100 Vlastimil Babka (1): mm, slab: restore NUMA policy support for large kmalloc Waiman Long (1): mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Wang Zhaolong (1): smb: client: remove redundant lstrp update in negotiate protocol Wayne Lin (1): drm/amd/display: Avoid trying AUX transactions on disconnected ports Wei Gao (1): ext2: Handle fiemap on empty files to prevent EINVAL Wen Chen (1): drm/amd/display: Fix 'failed to blank crtc!' Wentao Guan (1): LoongArch: vDSO: Remove -nostdlib complier flag Will Deacon (1): vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Willy Tarreau (1): tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Wolfram Sang (3): media: usb: hdpvr: disable zero-length read messages i3c: add missing include to internal header i3c: don't fail if GETHDRCAP is unsupported Xiang Liu (1): drm/amdgpu: Use correct severity for BP threshold exceed event Xin Long (1): sctp: linearize cloned gso packets in sctp_rcv Xinxin Wan (1): ASoC: codecs: rt5640: Retry DEVICE_ID verification Xinyu Liu (1): usb: core: config: Prevent OOB read in SS endpoint companion parsing Xu Yang (1): net: usb: asix_devices: add phy_mask for ax88772 mdio bus Yang Li (1): Bluetooth: hci_event: Add support for handling LE BIG Sync Lost event Yann E. MORIN (1): kconfig: lxdialog: fix 'space' to (de)select options Yao Zi (3): LoongArch: Avoid in-place string operation on FDT content net: stmmac: thead: Get and enable APB clock on initialization riscv: dts: thead: Add APB clocks for TH1520 GMACs Yeoreum Yun (2): tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's built-in firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall YiPeng Chai (1): drm/amdgpu: fix vram reservation issue Yonghong Song (2): selftests/bpf: Fix ringbuf/ringbuf_write test failure with arm64 64KB page size selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Yongzhen Zhang (1): fbdev: fix potential buffer overflow in do_register_framebuffer() Youngjun Lee (1): media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Yu Kuai (1): lib/sbitmap: convert shallow_depth from one word to the whole sbitmap Yuan Chen (2): drm/msm: Add error handling for krealloc in metadata setup bpftool: Fix JSON writer resource leak in version command Yuezhang Mo (1): exfat: add cluster chain loop check for dir Yury Norov [NVIDIA] (1): RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Zhang Yi (1): ext4: initialize superblock fields in the kballoc-test.c kunit tests Zhiqi Song (1): crypto: hisilicon/hpre - fix dma unmap sequence Zhu Qiyu (1): ACPI: PRM: Reduce unnecessary printing to avoid user confusion Zijun Hu (2): char: misc: Fix improper and inaccurate error code returned by misc_init() Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() Ziyan Fu (1): watchdog: iTCO_wdt: Report error if timeout configuration fails Zqiang (2): rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access rcutorture: Fix rcutorture_one_extend_check() splat in RT kernels chenchangcheng (1): media: uvcvideo: Fix bandwidth issue for Alcor camera fangzhong.zhou (1): i2c: Force DLL0945 touchpad i2c freq to 100khz ganglxie (1): drm/amdgpu: clear pa and mca record counter when resetting eeprom jackysliu (1): scsi: bfa: Double-free fix tuhaowen (1): PM: sleep: console: Fix the black screen issue zhangjianrong (2): net: thunderbolt: Enable end-to-end flow control also in transmit net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Álvaro Fernández Rojas (6): net: dsa: b53: ensure BCM5325 PHYs are enabled net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 net: dsa: b53: prevent DIS_LEARNING access on BCM5325 net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325

4 weeks

1
1
0 0

Linux 6.16.2

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.2 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/filesystems/fscrypt.rst | 37 Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 Documentation/sphinx/kernel_abi.py | 6 Makefile | 2 arch/arm/mach-rockchip/platsmp.c | 15 arch/arm/mach-tegra/reset.c | 2 arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 2 arch/arm64/include/asm/acpi.h | 2 arch/arm64/kernel/acpi.c | 10 arch/arm64/kernel/stacktrace.c | 2 arch/arm64/kernel/traps.c | 1 arch/arm64/mm/fault.c | 1 arch/arm64/mm/ptdump_debugfs.c | 3 arch/loongarch/kernel/env.c | 13 arch/loongarch/kernel/relocate_kernel.S | 2 arch/loongarch/kernel/unwind_orc.c | 2 arch/loongarch/net/bpf_jit.c | 21 arch/loongarch/vdso/Makefile | 2 arch/mips/include/asm/vpe.h | 8 arch/mips/kernel/process.c | 16 arch/mips/lantiq/falcon/sysctrl.c | 23 arch/parisc/Makefile | 2 arch/powerpc/include/asm/floppy.h | 5 arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 arch/riscv/boot/dts/thead/th1520.dtsi | 10 arch/riscv/mm/ptdump.c | 3 arch/s390/include/asm/timex.h | 13 arch/s390/kernel/early.c | 1 arch/s390/kernel/time.c | 2 arch/s390/mm/dump_pagetables.c | 2 arch/um/include/asm/thread_info.h | 4 arch/um/kernel/process.c | 20 arch/x86/boot/startup/sev-shared.c | 1 arch/x86/coco/sev/core.c | 2 arch/x86/coco/sev/vc-handle.c | 40 arch/x86/include/asm/kvm_host.h | 7 arch/x86/kernel/cpu/bugs.c | 5 arch/x86/kernel/fpu/xstate.c | 19 arch/x86/kvm/vmx/main.c | 2 arch/x86/kvm/vmx/nested.c | 21 arch/x86/kvm/vmx/pmu_intel.c | 8 arch/x86/kvm/vmx/vmx.c | 41 arch/x86/kvm/vmx/vmx.h | 26 arch/x86/kvm/x86.c | 14 arch/x86/lib/crypto/poly1305_glue.c | 48 block/bfq-iosched.c | 35 block/bfq-iosched.h | 3 block/blk-mq.c | 6 block/blk-settings.c | 2 block/blk-sysfs.c | 12 block/blk-zoned.c | 20 block/blk.h | 1 block/genhd.c | 2 block/kyber-iosched.c | 9 block/mq-deadline.c | 16 crypto/jitterentropy-kcapi.c | 9 drivers/accel/habanalabs/common/memory.c | 23 drivers/acpi/acpi_processor.c | 2 drivers/acpi/apei/ghes.c | 13 drivers/acpi/ec.c | 10 drivers/acpi/prmt.c | 26 drivers/acpi/processor_perflib.c | 11 drivers/android/binder_alloc_selftest.c | 2 drivers/ata/ahci.c | 12 drivers/ata/ata_piix.c | 1 drivers/ata/libahci.c | 1 drivers/ata/libata-sata.c | 52 drivers/base/power/runtime.c | 5 drivers/base/regmap/regmap-irq.c | 19 drivers/block/drbd/drbd_receiver.c | 6 drivers/block/loop.c | 38 drivers/block/sunvdc.c | 4 drivers/block/ublk_drv.c | 16 drivers/bluetooth/btusb.c | 3 drivers/bus/mhi/host/pci_generic.c | 20 drivers/char/ipmi/ipmi_msghandler.c | 8 drivers/char/ipmi/ipmi_watchdog.c | 59 drivers/char/misc.c | 4 drivers/char/tpm/tpm-interface.c | 17 drivers/char/tpm/tpm_crb_ffa.c | 19 drivers/clk/qcom/dispcc-sm8750.c | 10 drivers/clk/qcom/gcc-ipq5018.c | 2 drivers/clk/qcom/gcc-ipq8074.c | 6 drivers/clk/renesas/rzg2l-cpg.c | 8 drivers/clk/samsung/clk-exynos850.c | 2 drivers/clk/samsung/clk-gs101.c | 4 drivers/clk/tegra/clk-periph.c | 4 drivers/clk/thead/clk-th1520-ap.c | 5 drivers/comedi/comedi_fops.c | 31 drivers/comedi/comedi_internal.h | 1 drivers/comedi/drivers.c | 13 drivers/cpufreq/cppc_cpufreq.c | 2 drivers/cpufreq/cpufreq.c | 8 drivers/cpufreq/intel_pstate.c | 2 drivers/cpuidle/governors/menu.c | 21 drivers/crypto/caam/ctrl.c | 2 drivers/crypto/ccp/sp-pci.c | 1 drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 drivers/devfreq/governor_userspace.c | 6 drivers/dma/stm32/stm32-dma.c | 2 drivers/edac/ie31200_edac.c | 4 drivers/edac/synopsys_edac.c | 97 drivers/firmware/arm_ffa/driver.c | 2 drivers/firmware/arm_scmi/scmi_power_control.c | 22 drivers/firmware/tegra/Kconfig | 5 drivers/gpio/gpio-loongson-64bit.c | 6 drivers/gpio/gpio-mlxbf2.c | 2 drivers/gpio/gpio-mlxbf3.c | 54 drivers/gpio/gpio-pxa.c | 8 drivers/gpio/gpio-tps65912.c | 7 drivers/gpio/gpio-virtio.c | 9 drivers/gpio/gpio-wcd934x.c | 7 drivers/gpu/drm/amd/amdgpu/aldebaran.c | 33 drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 28 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 6 drivers/gpu/drm/amd/display/dc/core/dc.c | 12 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 11 drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c | 2 drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 1 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c | 16 drivers/gpu/drm/amd/pm/amdgpu_pm.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 41 drivers/gpu/drm/clients/drm_client_setup.c | 5 drivers/gpu/drm/i915/display/intel_fbc.c | 8 drivers/gpu/drm/i915/display/intel_psr.c | 14 drivers/gpu/drm/imagination/pvr_power.c | 59 drivers/gpu/drm/msm/Makefile | 5 drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 2 drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 4 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h | 2 drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 2 drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h | 4 drivers/gpu/drm/msm/msm_drv.c | 9 drivers/gpu/drm/msm/msm_gem.c | 3 drivers/gpu/drm/msm/msm_gem.h | 6 drivers/gpu/drm/msm/registers/adreno/a6xx.xml | 3582 +--------- drivers/gpu/drm/msm/registers/adreno/a6xx_descriptors.xml | 198 drivers/gpu/drm/msm/registers/adreno/a6xx_enums.xml | 383 + drivers/gpu/drm/msm/registers/adreno/a6xx_perfcntrs.xml | 600 + drivers/gpu/drm/msm/registers/adreno/a7xx_enums.xml | 223 drivers/gpu/drm/msm/registers/adreno/a7xx_perfcntrs.xml | 1030 ++ drivers/gpu/drm/msm/registers/adreno/adreno_pm4.xml | 302 drivers/gpu/drm/panel/panel-raydium-rm67200.c | 22 drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c | 3 drivers/gpu/drm/scheduler/sched_main.c | 34 drivers/gpu/drm/scheduler/tests/tests_basic.c | 42 drivers/gpu/drm/ttm/ttm_pool.c | 8 drivers/gpu/drm/ttm/ttm_resource.c | 3 drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 7 drivers/gpu/drm/xe/xe_hw_fence.c | 3 drivers/gpu/drm/xe/xe_hwmon.c | 29 drivers/gpu/drm/xe/xe_migrate.c | 42 drivers/gpu/drm/xe/xe_query.c | 27 drivers/hid/hid-core.c | 4 drivers/hwmon/emc2305.c | 10 drivers/i2c/i2c-core-acpi.c | 1 drivers/i2c/i2c-core-base.c | 8 drivers/i3c/internals.h | 1 drivers/i3c/master.c | 4 drivers/idle/intel_idle.c | 2 drivers/iio/adc/ad7768-1.c | 23 drivers/iio/adc/ad_sigma_delta.c | 2 drivers/infiniband/core/nldev.c | 22 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 drivers/infiniband/hw/hfi1/affinity.c | 44 drivers/infiniband/sw/siw/siw_qp_tx.c | 5 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 7 drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 drivers/iommu/intel/iommu.c | 19 drivers/iommu/intel/iommu.h | 3 drivers/iommu/iommufd/io_pagetable.c | 48 drivers/irqchip/irq-mips-gic.c | 8 drivers/irqchip/irq-mvebu-gicp.c | 10 drivers/irqchip/irq-renesas-rzv2h.c | 4 drivers/leds/flash/leds-qcom-flash.c | 15 drivers/leds/leds-lp50xx.c | 11 drivers/leds/trigger/ledtrig-netdev.c | 16 drivers/md/dm-ps-historical-service-time.c | 4 drivers/md/dm-ps-queue-length.c | 4 drivers/md/dm-ps-round-robin.c | 4 drivers/md/dm-ps-service-time.c | 4 drivers/md/dm-stripe.c | 1 drivers/md/dm-table.c | 10 drivers/md/dm-zoned-target.c | 2 drivers/md/dm.c | 37 drivers/md/raid10.c | 1 drivers/media/dvb-frontends/dib7000p.c | 8 drivers/media/i2c/hi556.c | 7 drivers/media/i2c/lt6911uxe.c | 2 drivers/media/i2c/tc358743.c | 86 drivers/media/i2c/vd55g1.c | 11 drivers/media/pci/intel/ipu-bridge.c | 2 drivers/media/platform/qcom/iris/iris_buffer.c | 11 drivers/media/platform/qcom/iris/iris_hfi_gen1_defines.h | 2 drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c | 6 drivers/media/platform/qcom/venus/hfi_msgs.c | 83 drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 4 drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 drivers/media/usb/uvc/uvc_ctrl.c | 65 drivers/media/usb/uvc/uvc_driver.c | 12 drivers/media/usb/uvc/uvc_video.c | 21 drivers/media/usb/uvc/uvcvideo.h | 2 drivers/media/v4l2-core/v4l2-common.c | 14 drivers/mfd/axp20x.c | 3 drivers/mfd/cros_ec_dev.c | 10 drivers/misc/cardreader/rtsx_usb.c | 16 drivers/misc/mei/bus.c | 6 drivers/mmc/host/rtsx_usb_sdmmc.c | 4 drivers/mmc/host/sdhci-esdhc-imx.c | 16 drivers/mmc/host/sdhci-msm.c | 14 drivers/net/can/ti_hecc.c | 2 drivers/net/dsa/b53/b53_common.c | 78 drivers/net/dsa/b53/b53_regs.h | 7 drivers/net/ethernet/agere/et131x.c | 36 drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 2 drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 drivers/net/ethernet/atheros/ag71xx.c | 9 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 29 drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 drivers/net/ethernet/emulex/benet/be_main.c | 8 drivers/net/ethernet/faraday/ftgmac100.c | 7 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 drivers/net/ethernet/freescale/enetc/enetc_ethtool.c | 15 drivers/net/ethernet/freescale/enetc/enetc_hw.h | 1 drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 drivers/net/ethernet/freescale/fec_main.c | 34 drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 drivers/net/ethernet/google/gve/gve_adminq.c | 1 drivers/net/ethernet/hisilicon/hibmcge/hbg_err.c | 14 drivers/net/ethernet/hisilicon/hibmcge/hbg_hw.c | 15 drivers/net/ethernet/hisilicon/hibmcge/hbg_txrx.h | 7 drivers/net/ethernet/intel/idpf/idpf.h | 19 drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 36 drivers/net/ethernet/intel/idpf/idpf_lib.c | 18 drivers/net/ethernet/intel/idpf/idpf_main.c | 1 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 13 drivers/net/ethernet/mediatek/mtk_wed.c | 1 drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 drivers/net/ethernet/stmicro/stmmac/dwmac-thead.c | 14 drivers/net/ethernet/ti/icssg/icss_iep.c | 26 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 6 drivers/net/hamradio/bpqether.c | 2 drivers/net/hyperv/hyperv_net.h | 3 drivers/net/hyperv/netvsc_drv.c | 29 drivers/net/pcs/pcs-xpcs-plat.c | 4 drivers/net/phy/air_en8811h.c | 45 drivers/net/phy/broadcom.c | 25 drivers/net/phy/mdio_bus.c | 1 drivers/net/phy/mdio_bus_provider.c | 3 drivers/net/phy/micrel.c | 12 drivers/net/phy/nxp-c45-tja11xx.c | 23 drivers/net/phy/realtek/realtek_main.c | 10 drivers/net/phy/smsc.c | 1 drivers/net/thunderbolt/main.c | 21 drivers/net/usb/asix_devices.c | 1 drivers/net/usb/cdc_ncm.c | 20 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wan/lapbether.c | 2 drivers/net/wireless/ath/ath10k/core.c | 48 drivers/net/wireless/ath/ath10k/core.h | 11 drivers/net/wireless/ath/ath10k/mac.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 6 drivers/net/wireless/ath/ath12k/dp.c | 3 drivers/net/wireless/ath/ath12k/hw.c | 2 drivers/net/wireless/ath/ath12k/mac.c | 57 drivers/net/wireless/ath/ath12k/wmi.c | 5 drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 8 drivers/net/wireless/intel/iwlwifi/mld/agg.c | 5 drivers/net/wireless/intel/iwlwifi/mld/iface.h | 3 drivers/net/wireless/intel/iwlwifi/mld/link.c | 8 drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 1 drivers/net/wireless/intel/iwlwifi/mld/mld.c | 2 drivers/net/wireless/intel/iwlwifi/mld/mlo.c | 8 drivers/net/wireless/intel/iwlwifi/mld/scan.c | 2 drivers/net/wireless/intel/iwlwifi/mld/scan.h | 2 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 5 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 1 drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 5 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 drivers/net/wireless/mediatek/mt76/channel.c | 4 drivers/net/wireless/mediatek/mt76/mt76.h | 5 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 28 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 drivers/net/wireless/realtek/rtlwifi/pci.c | 23 drivers/net/wireless/realtek/rtw89/chan.c | 6 drivers/net/wireless/realtek/rtw89/coex.c | 12 drivers/net/wireless/realtek/rtw89/core.c | 3 drivers/net/wireless/realtek/rtw89/fw.c | 10 drivers/net/wireless/realtek/rtw89/fw.h | 2 drivers/net/wireless/realtek/rtw89/mac.c | 19 drivers/net/wireless/realtek/rtw89/reg.h | 1 drivers/net/wireless/realtek/rtw89/wow.c | 5 drivers/net/xen-netfront.c | 5 drivers/nvme/host/pci.c | 24 drivers/nvme/host/tcp.c | 11 drivers/pci/controller/dwc/pcie-dw-rockchip.c | 15 drivers/pci/pci-acpi.c | 4 drivers/pci/pci.c | 6 drivers/pci/probe.c | 2 drivers/perf/arm-cmn.c | 1 drivers/perf/arm-ni.c | 1 drivers/perf/cxl_pmu.c | 2 drivers/phy/rockchip/phy-rockchip-pcie.c | 15 drivers/pinctrl/stm32/pinctrl-stm32.c | 1 drivers/platform/chrome/cros_ec_sensorhub.c | 23 drivers/platform/chrome/cros_ec_typec.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 drivers/platform/x86/thinkpad_acpi.c | 4 drivers/pmdomain/imx/imx8m-blk-ctrl.c | 10 drivers/pmdomain/ti/Kconfig | 2 drivers/power/supply/qcom_battmgr.c | 2 drivers/pps/clients/pps-gpio.c | 5 drivers/ptp/ptp_clock.c | 2 drivers/ptp/ptp_private.h | 5 drivers/ptp/ptp_vclock.c | 7 drivers/remoteproc/imx_rproc.c | 4 drivers/reset/Kconfig | 10 drivers/rtc/rtc-ds1307.c | 15 drivers/s390/char/sclp.c | 4 drivers/scsi/aacraid/comminit.c | 3 drivers/scsi/bfa/bfad_im.c | 1 drivers/scsi/libiscsi.c | 3 drivers/scsi/lpfc/lpfc_debugfs.c | 1 drivers/scsi/lpfc/lpfc_hbadisc.c | 3 drivers/scsi/lpfc/lpfc_scsi.c | 4 drivers/scsi/mpi3mr/mpi3mr_os.c | 20 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 drivers/scsi/pm8001/pm80xx_hwi.c | 12 drivers/scsi/scsi_scan.c | 2 drivers/scsi/scsi_transport_sas.c | 60 drivers/soc/qcom/mdt_loader.c | 10 drivers/soc/qcom/rpmh-rsc.c | 2 drivers/soundwire/amd_manager.c | 7 drivers/soundwire/bus.c | 6 drivers/staging/gpib/ni_usb/ni_usb_gpib.c | 14 drivers/target/target_core_fabric_lib.c | 63 drivers/target/target_core_internal.h | 4 drivers/target/target_core_pr.c | 18 drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 drivers/thermal/thermal_sysfs.c | 9 drivers/thunderbolt/domain.c | 2 drivers/tty/serial/serial_core.c | 44 drivers/ufs/core/ufshcd.c | 9 drivers/usb/class/cdc-acm.c | 11 drivers/usb/core/config.c | 10 drivers/usb/core/urb.c | 2 drivers/usb/dwc3/dwc3-xilinx.c | 1 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci-ring.c | 10 drivers/usb/host/xhci.c | 6 drivers/usb/typec/mux/intel_pmc_mux.c | 2 drivers/usb/typec/tcpm/fusb302.c | 8 drivers/usb/typec/tcpm/tcpci_maxim_core.c | 46 drivers/usb/typec/ucsi/cros_ec_ucsi.c | 1 drivers/usb/typec/ucsi/psy.c | 2 drivers/usb/typec/ucsi/ucsi.c | 1 drivers/usb/typec/ucsi/ucsi.h | 7 drivers/vfio/pci/mlx5/cmd.c | 4 drivers/vfio/vfio_iommu_type1.c | 7 drivers/vhost/vhost.c | 3 drivers/video/fbdev/Kconfig | 2 drivers/video/fbdev/core/fbcon.c | 9 drivers/video/fbdev/core/fbmem.c | 3 drivers/virt/coco/efi_secret/efi_secret.c | 10 drivers/watchdog/dw_wdt.c | 2 drivers/watchdog/iTCO_wdt.c | 6 drivers/watchdog/sbsa_gwdt.c | 50 fs/btrfs/block-group.c | 31 fs/btrfs/ctree.c | 1 fs/btrfs/disk-io.c | 1 fs/btrfs/extent-tree.c | 33 fs/btrfs/file.c | 59 fs/btrfs/inode.c | 2 fs/btrfs/ioctl.c | 3 fs/btrfs/qgroup.c | 44 fs/btrfs/relocation.c | 19 fs/btrfs/send.c | 33 fs/btrfs/transaction.c | 6 fs/btrfs/tree-log.c | 107 fs/btrfs/zoned.c | 66 fs/btrfs/zoned.h | 3 fs/crypto/fscrypt_private.h | 17 fs/crypto/hkdf.c | 2 fs/crypto/keysetup.c | 3 fs/crypto/keysetup_v1.c | 3 fs/erofs/super.c | 4 fs/exfat/dir.c | 12 fs/exfat/fatent.c | 10 fs/exfat/namei.c | 5 fs/exfat/super.c | 32 fs/ext2/inode.c | 12 fs/ext4/ext4.h | 2 fs/ext4/ialloc.c | 3 fs/ext4/inline.c | 19 fs/ext4/inode.c | 22 fs/ext4/mballoc-test.c | 9 fs/ext4/mballoc.c | 67 fs/f2fs/file.c | 24 fs/f2fs/node.c | 29 fs/fhandle.c | 2 fs/file.c | 15 fs/gfs2/dir.c | 6 fs/gfs2/glops.c | 6 fs/gfs2/meta_io.c | 2 fs/hfs/bfind.c | 3 fs/hfs/bnode.c | 93 fs/hfs/btree.c | 57 fs/hfs/extent.c | 2 fs/hfs/hfs_fs.h | 1 fs/hfsplus/bnode.c | 92 fs/hfsplus/unicode.c | 7 fs/hfsplus/xattr.c | 6 fs/jfs/file.c | 3 fs/jfs/inode.c | 2 fs/jfs/jfs_dmap.c | 6 fs/libfs.c | 4 fs/nfs/blocklayout/blocklayout.c | 4 fs/nfs/blocklayout/dev.c | 5 fs/nfs/blocklayout/extent_tree.c | 20 fs/nfs/client.c | 44 fs/nfs/internal.h | 2 fs/nfs/nfs4client.c | 20 fs/nfs/nfs4proc.c | 2 fs/nfs/pnfs.c | 11 fs/nfsd/nfs4state.c | 34 fs/ntfs3/dir.c | 3 fs/ntfs3/inode.c | 31 fs/ocfs2/aops.c | 1 fs/orangefs/orangefs-debugfs.c | 2 fs/pidfs.c | 2 fs/proc/task_mmu.c | 6 fs/smb/client/cifsencrypt.c | 79 fs/smb/client/cifssmb.c | 10 fs/smb/client/compress.c | 71 fs/smb/client/connect.c | 1 fs/smb/client/sess.c | 9 fs/smb/client/smb2ops.c | 11 fs/smb/client/smbdirect.c | 25 fs/smb/server/smb2pdu.c | 16 fs/tracefs/inode.c | 11 fs/udf/super.c | 13 fs/xfs/scrub/trace.h | 2 include/drm/gpu_scheduler.h | 18 include/linux/acpi.h | 2 include/linux/blk_types.h | 6 include/linux/blkdev.h | 55 include/linux/hid.h | 2 include/linux/hypervisor.h | 3 include/linux/if_vlan.h | 21 include/linux/libata.h | 1 include/linux/memory-tiers.h | 2 include/linux/packing.h | 6 include/linux/pci.h | 6 include/linux/sbitmap.h | 6 include/linux/skbuff.h | 8 include/linux/usb/cdc_ncm.h | 1 include/linux/virtio_vsock.h | 7 include/net/bluetooth/hci.h | 6 include/net/bluetooth/hci_core.h | 5 include/net/cfg80211.h | 2 include/net/ip_vs.h | 13 include/net/kcm.h | 1 include/net/mac80211.h | 4 include/net/page_pool/types.h | 2 include/sound/sdca_function.h | 2 include/trace/events/thp.h | 2 include/uapi/linux/in6.h | 4 include/uapi/linux/io_uring.h | 2 io_uring/memmap.c | 2 io_uring/net.c | 27 io_uring/rsrc.c | 4 io_uring/rsrc.h | 2 io_uring/rw.c | 2 io_uring/zcrx.c | 34 io_uring/zcrx.h | 1 kernel/.gitignore | 2 kernel/Makefile | 47 kernel/bpf/verifier.c | 7 kernel/futex/futex.h | 6 kernel/gen_kheaders.sh | 94 kernel/kthread.c | 1 kernel/module/main.c | 10 kernel/power/console.c | 7 kernel/printk/nbcon.c | 63 kernel/rcu/rcutorture.c | 9 kernel/rcu/tree.c | 2 kernel/rcu/tree.h | 14 kernel/rcu/tree_nocb.h | 5 kernel/rcu/tree_plugin.h | 44 kernel/sched/deadline.c | 4 kernel/sched/fair.c | 19 kernel/sched/rt.c | 6 kernel/trace/fprobe.c | 4 kernel/trace/rv/rv_trace.h | 3 lib/sbitmap.c | 56 mm/damon/core.c | 1 mm/huge_memory.c | 7 mm/kmemleak.c | 10 mm/ptdump.c | 2 mm/shmem.c | 39 mm/slub.c | 7 mm/userfaultfd.c | 17 net/bluetooth/hci_conn.c | 3 net/bluetooth/hci_event.c | 39 net/bluetooth/hci_sock.c | 2 net/core/ieee8021q_helpers.c | 44 net/core/page_pool.c | 29 net/ipv4/route.c | 1 net/ipv4/udp_offload.c | 2 net/ipv6/addrconf.c | 7 net/ipv6/mcast.c | 11 net/ipv6/xfrm6_tunnel.c | 2 net/kcm/kcmsock.c | 10 net/mac80211/chan.c | 1 net/mac80211/ht.c | 40 net/mac80211/ieee80211_i.h | 6 net/mac80211/iface.c | 29 net/mac80211/link.c | 9 net/mac80211/mlme.c | 45 net/mac80211/rx.c | 47 net/mctp/af_mctp.c | 26 net/ncsi/internal.h | 2 net/ncsi/ncsi-rsp.c | 1 net/netfilter/ipvs/ip_vs_est.c | 3 net/netfilter/nf_conntrack_netlink.c | 65 net/netfilter/nf_tables_api.c | 30 net/netfilter/nft_set_pipapo.c | 9 net/netlink/af_netlink.c | 2 net/sched/sch_ets.c | 11 net/sctp/input.c | 2 net/tls/tls.h | 2 net/tls/tls_strp.c | 11 net/tls/tls_sw.c | 3 net/vmw_vsock/virtio_transport.c | 2 net/wireless/mlme.c | 3 net/xfrm/xfrm_device.c | 12 net/xfrm/xfrm_state.c | 74 rust/Makefile | 16 samples/damon/mtier.c | 10 samples/damon/wsse.c | 12 scripts/kconfig/gconf.c | 8 scripts/kconfig/lxdialog/inputbox.c | 6 scripts/kconfig/lxdialog/menubox.c | 2 scripts/kconfig/nconf.c | 2 scripts/kconfig/nconf.gui.c | 1 security/apparmor/domain.c | 52 security/apparmor/file.c | 6 security/apparmor/include/lib.h | 6 security/inode.c | 2 security/landlock/syscalls.c | 1 sound/core/pcm_native.c | 19 sound/pci/hda/cs35l41_hda.c | 2 sound/pci/hda/cs35l56_hda.c | 4 sound/pci/hda/hda_codec.c | 42 sound/pci/hda/patch_ca0132.c | 2 sound/pci/hda/patch_realtek.c | 3 sound/pci/intel8x0.c | 2 sound/soc/codecs/hdac_hdmi.c | 10 sound/soc/codecs/rt5640.c | 5 sound/soc/fsl/fsl_sai.c | 20 sound/soc/intel/avs/core.c | 3 sound/soc/intel/boards/sof_sdw.c | 8 sound/soc/qcom/lpass-platform.c | 27 sound/soc/sdca/sdca_functions.c | 2 sound/soc/soc-core.c | 3 sound/soc/soc-dapm.c | 4 sound/soc/sof/topology.c | 15 sound/usb/mixer_quirks.c | 14 sound/usb/stream.c | 25 sound/usb/validate.c | 12 tools/bpf/bpftool/main.c | 6 tools/include/nolibc/std.h | 4 tools/include/nolibc/types.h | 4 tools/lib/bpf/libbpf.c | 7 tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 tools/power/x86/turbostat/turbostat.c | 14 tools/scripts/Makefile.include | 4 tools/testing/ktest/ktest.pl | 5 tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 tools/testing/selftests/bpf/prog_tests/ringbuf.c | 4 tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 10 tools/testing/selftests/bpf/progs/test_ringbuf_write.c | 4 tools/testing/selftests/bpf/progs/verifier_unpriv.c | 2 tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 tools/testing/selftests/futex/include/futextest.h | 11 tools/testing/selftests/kexec/Makefile | 2 tools/testing/selftests/net/netfilter/config | 2 tools/testing/selftests/vDSO/vdso_test_getrandom.c | 6 tools/verification/dot2/dot2k.py | 3 tools/verification/dot2/dot2k_templates/Kconfig_container | 5 615 files changed, 8824 insertions(+), 5279 deletions(-) Aakash Kumar S (1): xfrm: Duplicate SPI Handling Aaron Kling (1): ARM: tegra: Use I/O memcpy to write to IRAM Aaron Plattner (1): watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Abel Vesa (1): power: supply: qcom_battmgr: Add lithium-polymer entry Ahmed Zaki (1): idpf: preserve coalescing settings across resets Al Viro (5): habanalabs: fix UAF in export_dmabuf() better lockdep annotations for simple_recursive_removal() landlock: opened file never has a negative dentry fix locking in efi_secret_unlink() securityfs: don't pin dentries twice, once is enough... Alessio Belle (1): drm/imagination: Clear runtime PM errors while resetting the GPU Alex Guo (2): media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Alex Hung (1): drm/amd/display: Initialize mode_select to 0 Alexander Kochetkov (1): ARM: rockchip: fix kernel hang during smp initialization Alexey Klimov (1): iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Alok Tiwari (6): net: ti: icss-iep: Fix incorrect type for return value in extts_enable() ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 be2net: Use correct byte order and format string for TCP seq and ack_seq net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() perf/cxlpmu: Remove unintended newline from IRQ name format string gve: Return error for unknown admin queue command Amelie Delaunay (1): dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Amir Mohammad Jahangirzad (1): fs/orangefs: use snprintf() instead of sprintf() Andrew Price (2): gfs2: Validate i_depth for exhash directories gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Andrey Albershteyn (1): xfs: fix scrub trace with null pointer in quotacheck André Draszik (4): clk: samsung: exynos850: fix a comment clk: samsung: gs101: fix CLK_DOUT_CMU_G3D_BUSD clk: samsung: gs101: fix alternate mout_hsi0_usb20_ref parent clock usb: typec: tcpm/tcpci_maxim: fix irq wake usage Andy Shevchenko (1): Documentation: ACPI: Fix parent device references Andy Yan (1): drm/panel: raydium-rm67200: Move initialization from enable() to prepare stage Anshuman Khandual (1): mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Anthoine Bourgeois (1): xen/netfront: Fix TX response spurious interrupts Armin Wolf (1): ACPI: EC: Relax sanity check of the ECDT ID string Arnaud Lecomte (1): jfs: upper bound check of tree index in dbAllocAG Arnd Bergmann (2): RDMA/core: reduce stack using in nldev_stat_get_doit() firmware: arm_scmi: Convert to SYSTEM_SLEEP_PM_OPS Artem Sadovnikov (1): vfio/mlx5: fix possible overflow in tracking max message size Avraham Stern (4): wifi: iwlwifi: mld: avoid outdated reorder buffer head_sn wifi: iwlwifi: mvm: avoid outdated reorder buffer head_sn wifi: iwlwifi: mld: fix scan request validation wifi: iwlwifi: mvm: fix scan request validation Baokun Li (2): ext4: fix zombie groups in average fragment size lists ext4: fix largest free orders lists corruption on mb_optimize_scan switch Bartosz Golaszewski (3): Revert "gpio: pxa: Make irq_chip immutable" gpio: wcd934x: check the return value of regmap_update_bits() gpio: tps65912: check the return value of regmap_update_bits() Benjamin Berg (1): wifi: iwlwifi: mld: use the correct struct size for tracing Benjamin Marzinski (1): dm-table: fix checking for rq stackable devices Benjamin Mugnier (3): media: i2c: vd55g1: Setup sensor external clock before patching media: i2c: vd55g1: Fix RATE macros not being expressed in bps media: i2c: vd55g1: Fix return code in vd55g1_enable_streams error path Benson Leung (1): usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Bharat Bhushan (1): crypto: octeontx2 - add timeout for load_fvc completion poll Bijan Tabatabai (1): mm/damon/core: commit damos->target_nid Biju Das (2): irqchip/renesas-rzv2h: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND net: phy: micrel: Add ksz9131_resume() Binbin Zhou (1): gpio: loongson-64bit: Extend GPIO irq support Bitterblue Smith (3): wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB wifi: rtw89: Fix rtw89_mac_power_switch() for USB wifi: rtw89: Disable deep power saving for USB/SDIO Bjorn Andersson (1): soc: qcom: mdt_loader: Actually use the e_phoff Boris Burkov (2): btrfs: fix ssd_spread overallocation btrfs: fix iteration bug in __qgroup_excl_accounting() Breno Leitao (5): ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path arm64: Mark kernel as tainted on SAE and SError panic ptp: Use ratelimite for freerun error message ipmi: Use dev_warn_ratelimited() for incorrect message warnings mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Buday Csaba (2): net: mdiobus: release reset_gpio in mdiobus_unregister_device() net: phy: smsc: add proper reset flags for LAN8710A Caleb Sander Mateos (2): ublk: check for unprivileged daemon on each I/O fetch btrfs: don't skip accounting in early ENOTTY return in btrfs_uring_encoded_read() Calvin Owens (2): tools/power turbostat: Fix build with musl tools/power turbostat: Handle cap_get_proc() ENOSYS Cezary Rojewski (1): ASoC: Intel: avs: Fix uninitialized pointer error in probe() Chao Yu (1): f2fs: handle nat.blkaddr corruption in f2fs_get_node_info() Charlene Liu (1): drm/amd/display: limit clear_update_flags to dcn32 and above Charles Keepax (2): ASoC: SDCA: Add flag for unused IRQs soundwire: Move handle_nested_irq outside of sdw_dev_lock Cheick Traore (1): pinctrl: stm32: Manage irq affinity settings Chen-Yu Tsai (1): mfd: axp20x: Set explicit ID for AXP313 regulator Chih-Kang Chang (1): wifi: rtw89: scan abort when assign/unassign_vif Chin-Yen Lee (1): wifi: rtw89: wow: Add Basic Rate IE to probe request in scheduled scan mode Ching-Te Ku (1): wifi: rtw89: coex: Not to set slot duration to zero to avoid firmware issue Chris Mason (1): sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Christian Brauner (2): fhandle: raise FILEID_IS_DIR in handle_type pidfs: raise SB_I_NODEV and SB_I_NOEXEC Christian Marangi (1): clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src Christophe Leroy (1): ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Christopher Eby (1): ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Clark Wang (1): net: phy: nxp-c45-tja11xx: fix the PHY ID mismatch issue when using C45 Claudiu Beznea (1): clk: renesas: rzg2l: Postpone updating priv->clks[] Corey Minyard (1): ipmi: Fix strcpy source and destination the same Cristian Ciocaltea (1): ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Cynthia Huang (1): selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Dai Ngo (1): NFSD: detect mismatch of file handle and delegation stateid in OPEN op Damien Le Moal (9): block: Make REQ_OP_ZONE_FINISH a write operation ata: ahci: Disallow LPM policy control if not supported ata: ahci: Disable DIPM if host lacks support ata: libata-sata: Disallow changing LPM state if not supported scsi: mpt3sas: Correctly handle ATA device errors scsi: mpi3mr: Correctly handle ATA device errors block: Introduce bio_needs_zone_write_plugging() dm: Always split write BIOs to zoned device limits ata: libata-sata: Add link_power_management_supported sysfs attribute Daniel Braunwarth (1): net: phy: realtek: add error handling to rtl8211f_get_wol Daniel Golle (1): Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" Daniel Scally (1): media: ipu-bridge: Add _HID for OV5670 Daniele Palmas (1): bus: mhi: host: pci_generic: Add Telit FN990B40 modem support Dave Penkler (1): staging: gpib: Add init response codes for new ni-usb-hs+ Dave Stevenson (3): media: tc358743: Check I2C succeeded during probe media: tc358743: Return an appropriate colorspace from tc358743_set_fmt media: tc358743: Increase FIFO trigger level to 374 David Bauer (2): wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch wifi: mt76: mt7915: mcu: increase eeprom command timeout David Collins (1): thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required David Hildenbrand (1): mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() David Howells (1): cifs: Fix collect_sample() to handle any iterator type David Lechner (1): iio: adc: ad_sigma_delta: don't overallocate scan buffer David Thompson (3): gpio: mlxbf2: use platform_get_irq_optional() Revert "gpio: mlxbf3: only get IRQ for device instance 0" gpio: mlxbf3: use platform_get_irq_optional() David Wei (1): bnxt: fill data page pool with frags if PAGE_SIZE > BNXT_RX_PAGE_SIZE Davide Caratti (1): net/sched: ets: use old 'nbands' while purging unused classes Dikshita Agarwal (1): media: iris: Add handling for corrupt and drop frames Dongcheng Yan (1): media: i2c: set lt6911uxe's reset_gpio to GPIOD_OUT_LOW Eduard Zingerman (1): libbpf: Verify that arena map exists when adding arena relocations Edward Adam Davis (1): jfs: Regular file corruption check Elad Nachman (1): irqchip/mvebu-gicp: Clear pending interrupts on init Eliav Farber (1): pps: clients: gpio: fix interrupt handling order in remove path Emily Deng (1): drm/ttm: Should to return the evict error En-Wei Wu (1): Bluetooth: btusb: Add new VID/PID 0489/e14e for MT7925 Eric Biggers (4): fscrypt: Don't use problematic non-inline crypto engines lib/crypto: x86/poly1305: Fix register corruption in no-SIMD contexts lib/crypto: x86/poly1305: Fix performance regression on short messages thunderbolt: Fix copy+paste error in match_service_id() Eric Work (1): net: atlantic: add set_power to fw_ops for atl2 to fix wol Fabio Porcedda (1): net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition Fedor Pchelkin (1): netlink: avoid infinite retry looping in netlink_unicast() Felix Fietkau (1): wifi: mt76: fix vif link allocation Filipe Manana (11): btrfs: fix -ENOSPC mmap write failure on NOCOW files/extents btrfs: abort transaction during log replay if walk_log_tree() failed btrfs: qgroup: set quota enabled bit if quota disable fails flushing reservations btrfs: don't ignore inode missing when replaying log tree btrfs: qgroup: fix race between quota disable and quota rescan ioctl btrfs: qgroup: fix qgroup create ioctl returning success after quotas disabled btrfs: don't skip remaining extrefs if dir not found during log replay btrfs: clear dirty status from extent buffer on error at insert_new_root() btrfs: send: use fallocate for hole punching with send stream v2 btrfs: fix log tree replay failure due to file with 0 links and extents btrfs: error on missing block group when unaccounting log tree extent buffers Florian Larysch (1): net: phy: micrel: fix KSZ8081/KSZ8091 cable test Florian Westphal (3): netfilter: ctnetlink: fix refcount leak on table dump netfilter: ctnetlink: remove refcounting in expectation dumpers netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps Florin Leotescu (1): hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Francisco Gutierrez (1): scsi: pm80xx: Free allocated tags after failure Frederic Weisbecker (2): ipvs: Fix estimator kthreads preferred affinity rcu: Fix racy re-initialization of irq_work causing hangs Fushuai Wang (1): x86/fpu: Fix NULL dereference in avx512_status() Gabriel Totev (1): apparmor: shift ouid when mediating hard links in userns Gal Pressman (2): net: vlan: Make is_vlan_dev() a stub when VLAN is not configured net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs GalaxySnail (1): ALSA: hda: add MODULE_FIRMWARE for cs35l41/cs35l56 Gao Xiang (1): erofs: fix block count report when 48-bit layout is on Gautham R. Shenoy (1): pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() George Gaidarov (1): EDAC/ie31200: Enable support for Core i5-14600 and i7-14700 George Moussalem (1): clk: qcom: ipq5018: keep XO clock always on Geraldo Nascimento (1): phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal Gerd Hoffmann (1): x86/sev/vc: Fix EFI runtime instruction emulation Greg Kroah-Hartman (1): Linux 6.16.2 Guillaume La Roque (1): pmdomain: ti: Select PM_GENERIC_DOMAINS Gwendal Grignou (1): platform/chrome: cros_ec_sensorhub: Retries when a sensor is not ready Haibo Chen (1): mmc: sdhci-esdhc-imx: Don't change pinctrl in suspend if wakeup source Haiyang Zhang (1): hv_netvsc: Fix panic during namespace deletion with VF Hans de Goede (3): mei: bus: Check for still connected devices in mei_cl_bus_dev_release() media: hi556: Fix reset GPIO timings i2c: core: Fix double-free of fwnode in i2c_unregister_device() Haoran Jiang (1): LoongArch: BPF: Fix jump offset calculation in tailcall Harald Mommer (1): gpio: virtio: Fix config space reading. Hari Chandrakanthan (2): wifi: mac80211: fix rx link assignment for non-MLO stations wifi: ath12k: Fix station association with MBSSID Non-TX BSS Hari Kalavakunta (1): net: ncsi: Fix buffer overflow in fetching version id Heiko Carstens (1): s390/early: Copy last breaking event address to pt_regs Heiner Kallweit (2): net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect dpaa_eth: don't use fixed_phy_change_carrier Hiago De Franco (1): remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Hsin-Te Yuan (1): thermal: sysfs: Return ENODATA instead of EAGAIN for reads Huacai Chen (2): PCI: Extend isolated function probing to LoongArch LoongArch: Make relocate_new_kernel_size be a .quad value Ian Abbott (1): comedi: fix race between polling and detaching Ihor Solodrai (1): bpf: Make reg_not_null() true for CONST_PTR_TO_MAP Ilan Peer (1): wifi: cfg80211: Fix interface type validation Ilya Bakoulin (1): drm/amd/display: Separate set_gsl from set_gsl_source_select Ivan Lipski (1): drm/amd/display: Allow DCN301 to clear update flags Jack Ping CHNG (1): net: pcs: xpcs: mask readl() return value to 16 bits Jack Xiao (1): drm/amdgpu: fix incorrect vm flags to map bo Jaegeuk Kim (1): f2fs: check the generic conditions first Jakub Kicinski (4): net: page_pool: allow enabling recycling late, fix false positive warning tls: handle data disappearing from under the TLS ULP eth: bnxt: take page size into account for page pool recycling rings uapi: in6: restore visibility of most IPv6 socket options Jameson Thies (1): usb: typec: ucsi: Add poll_cci operation to cros_ec_ucsi Jan Kara (2): loop: Avoid updating block size under exclusive owner udf: Verify partition map count Jarkko Sakkinen (1): tpm: Check for completion after timeout Jason Gunthorpe (1): iommufd: Prevent ALIGN() overflow Jason Wang (1): vhost: fail early when __vhost_add_used() fails Jay Chen (1): usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Jeff Layton (1): nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Jens Axboe (3): io_uring/memmap: cast nr_pages to size_t before shifting io_uring/net: commit partial buffers on retry io_uring/rw: cast rw->flags assignment to rwf_t Jeongjun Park (1): ptp: prevent possible ABBA deadlock in ptp_clock_freerun() Jiasheng Jiang (1): scsi: lpfc: Remove redundant assignment to avoid memory leak Jiayi Li (1): ACPI: processor: perflib: Fix initial _PPC limit application Jijie Shao (3): net: hibmcge: fix rtnl deadlock issue net: hibmcge: fix the division by zero issue net: hibmcge: fix the np_link_fail error reporting issue Jinjiang Tu (1): mm/smaps: fix race between smaps_hugetlb_range and migration Joel Fernandes (1): rcu: Fix rcu_read_unlock() deadloop due to IRQ work Johan Adolfsson (1): leds: leds-lp50xx: Handle reg to get correct multi_index Johan Hovold (5): net: gianfar: fix device leak when querying time stamp info net: enetc: fix device and OF node leak at probe net: mtk_eth_soc: fix device leak at probe net: ti: icss-iep: fix device and OF node leaks at probe net: dpaa: fix device leak when querying time stamp info Johannes Berg (6): wifi: cfg80211: reject HTC bit for management frames wifi: mac80211: don't use TPE data from assoc response wifi: mac80211: don't unreserve never reserved chanctx wifi: mac80211: don't complete management TX on SAE commit wifi: iwlwifi: mld: fix last_mlo_scan_time type wifi: iwlwifi: pcie: reinit device properly during TOP reset Johannes Thumshirn (2): btrfs: zoned: use filesystem size not disk size for reclaim decision btrfs: zoned: reserve data_reloc block group on mount John Ernberg (1): crypto: caam - Support iMX8QXP and variants thereof John Garry (4): dm-stripe: limit chunk_sectors to the stripe size md/raid10: set chunk_sectors limit scsi: aacraid: Stop using PCI_IRQ_AFFINITY block: avoid possible overflow for chunk_sectors check in blk_stack_limits() John Johansen (1): apparmor: fix x_table_lookup when stacking is not the first entry John Ogness (1): printk: nbcon: Allow reacquire during panic Jonas Rebmann (1): net: fec: allow disable coalescing Jonathan Santos (1): iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Jorge Marques (1): i3c: master: Initialize ret in i3c_i2c_notifier_call() Joseph Tilahun (1): tty: serial: fix print format specifiers Jouni Högander (1): drm/i915/psr: Do not trigger Frame Change events from frontbuffer flush Juri Lelli (1): sched/deadline: Fix accounting after global limits change Justin Tee (2): scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Kairui Song (1): mm/shmem, swap: improve cached mTHP handling and fix potential hang Kalesh AP (1): RDMA/bnxt_re: Fix size of uverbs_copy_to() in BNXT_RE_METHOD_GET_TOGGLE_MEM Kamil Horák - 2N (1): net: phy: bcm54811: PHY initialization Kang Yang (1): wifi: ath10k: shutdown driver when hardware is unreliable Karthik Poosa (1): drm/xe/hwmon: Add SW clamp for power limits writes Karthikeyan Kathirvel (1): wifi: ath12k: Decrement TID on RX peer frag setup error handling Kees Cook (2): arm64: Handle KCOV __init vs inline mismatches platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Keith Busch (2): nvme-pci: try function level reset on init failure vfio/type1: conditional rescheduling while pinning Krzysztof Hałasa (1): imx8m-blk-ctrl: set ISI panic write hurry level Krzysztof Kozlowski (2): leds: flash: leds-qcom-flash: Fix registry access after re-bind clk: qcom: dispcc-sm8750: Fix setting rate byte and pixel clocks Kuan-Chung Chen (1): wifi: rtw89: 8852c: increase beacon loss to 6 seconds Kuninori Morimoto (1): ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Kuniyuki Iwashima (1): ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc(). Lad Prabhakar (1): drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range Len Brown (2): intel_idle: Allow loading ACPI tables for any family tools/power turbostat: Handle non-root legacy-uncore sysfs permissions Leon Romanovsky (1): net/mlx5e: Properly access RCU protected qdisc_sleeping variable Li Chen (3): ACPI: Suppress misleading SPCR console message when SPCR table is absent HID: rate-limit hid_warn to prevent log flooding ACPI: Return -ENODEV from acpi_parse_spcr() when SPCR support is disabled Li RongQing (1): cpufreq: intel_pstate: Add Granite Rapids support in no-HWP mode Li Zhijian (1): mm/memory-tier: fix abstract distance calculation overflow Lifeng Zheng (2): cpufreq: Exit governor when failed to start old governor PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Lijo Lazar (3): drm/amdgpu: Add more checks to PSP mailbox drm/amd/pm: Use pointer type for typecheck() drm/amdgpu: Suspend IH during mode-2 reset Lizhi Xu (3): fs/ntfs3: Add sanity check for file name jfs: truncate good inode pages when hard link is 0 ocfs2: reset folio to NULL when get folio fails Lorenzo Bianconi (1): wifi: mt76: mt7996: Fix mlink lookup in mt7996_tx_prepare_skb Lu Baolu (1): iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes Lucien.Jheng (1): net: phy: air_en8811h: Introduce resume/suspend and clk_restore_context to ensure correct CKO settings after network interface reinitialization. Lucy Thrun (1): ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Lukas Wunner (1): PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports MD Danish Anwar (1): net: ti: icssg-prueth: Fix emac link speed handling Ma Ke (1): sunvdc: Balance device refcount in vdc_port_mpgroup_check Marek Szyprowski (1): media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() Mario Limonciello (8): platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list usb: xhci: Avoid showing warnings for dying controller usb: xhci: Avoid showing errors during surprise removal drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual drm/amd/display: Stop storing failures into adev->dm.cached_state drm/amd/display: Only finalize atomic_obj if it was initialized drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported crypto: ccp - Add missing bootloader info reg for pspv6 Mark Brown (3): ASoC: hdac_hdmi: Rate limit logging on connection and disconnection kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace regmap: irq: Free the regmap-irq mutex Mark Rutland (1): arm64: stacktrace: Check kretprobe_find_ret_addr() return value Markus Stockhausen (1): irqchip/mips-gic: Allow forced affinity Markus Theil (1): crypto: jitter - fix intermediary handling Masahiro Yamada (3): kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() kconfig: gconf: fix potential memory leak in renderer_edited() kheaders: rebuild kheaders_data.tar.xz when a file is modified within a minute Masami Hiramatsu (Google) (2): selftests: tracing: Use mutex_unlock for testing glob filter tracing: fprobe: Fix infinite recursion using preempt_*_notrace() Mateusz Guzik (1): apparmor: use the condition in AA_BUG_FMT even with debug disabled Matt Johnston (1): net: mctp: Prevent duplicate binds Matt Roper (1): drm/xe/xe_query: Use separate iterator while filling GT list Matteo Croce (1): libbpf: Fix warning in calloc() usage Matthew Auld (3): drm/xe/migrate: prevent infinite recursion drm/xe/migrate: don't overflow max copy size drm/xe/migrate: prevent potential UAF Maulik Shah (1): soc: qcom: rpmh-rsc: Add RSC version 4 support Maurizio Lombardi (2): nvme-tcp: log TLS handshake failures at error level scsi: target: core: Generate correct identifiers for PR OUT transport IDs Mauro Carvalho Chehab (1): sphinx: kernel_abi: fix performance regression with O=<dir> Maxim Levitsky (3): KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Meagan Lloyd (2): rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Michal Wilczynski (1): clk: thead: Mark essential bus clocks as CLK_IGNORE_UNUSED Miguel Ojeda (2): rust: kbuild: clean output before running `rustdoc` rust: workaround `rustdoc` target modifiers bug Mikulas Patocka (1): dm-mpath: don't print the "loaded" message if registering fails Mina Almasry (1): netmem: fix skb_frag_address_safe with unreadable skbs Miri Korenblit (6): wifi: iwlwifi: mld: use spec link id and not FW link id wifi: mac80211: handle WLAN_HT_ACTION_NOTIFY_CHANWIDTH async wifi: iwlwifi: mvm: set gtk id also in older FWs wifi: iwlwifi: handle non-overlapping API ranges wifi: mac80211: avoid weird state in error path wifi: iwlwifi: mld: don't exit EMLSR when we shouldn't Moon Hee Lee (1): selftests/kexec: fix test_kexec_jump build Myrrh Periwinkle (1): usb: typec: ucsi: Update power_supply on power role change Nam Cao (2): verification/dot2k: Make a separate dot2k_templates/Kconfig_container rv: Add #undef TRACE_INCLUDE_FILE Naohiro Aota (3): btrfs: zoned: requeue to unused block group list if zone finish failed btrfs: zoned: do not remove unwritten non-data block group btrfs: zoned: do not select metadata BG as finish target Nathan Lynch (1): lib: packing: Include necessary headers NeilBrown (1): smb/server: avoid deadlock when linking with ReplaceIfExists Nicholas Kazlauskas (1): drm/amd/display: Update DMCUB loading sequence for DCN3.5 Nicolin Chen (2): iommu/arm-smmu-v3: Revert vmaster in the error path iommufd: Report unmapped bytes in the error path of iopt_unmap_iova_range Niklas Söderlund (1): media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Nikunj A Dadhania (1): x86/sev: Improve handling of writes to intercepted TSC MSRs Nitin Rawat (1): scsi: ufs: core: Fix interrupt handling for MCQ Mode Oliver Neukum (3): usb: core: usb_submit_urb: downgrade type check net: usb: cdc-ncm: check for filtering capability cdc-acm: fix race between initial clearing halt and open Oscar Maes (1): net: ipv4: fix incorrect MTU in broadcast routes Pablo Neira Ayuso (1): netfilter: nf_tables: reject duplicate device on updates Pagadala Yesu Anjaneyulu (1): wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Pali Rohár (1): cifs: Fix calling CIFSFindFirst() for root path without msearch Paul Chaignon (1): bpf: Forget ranges when refining tnum after JSET Paul E. McKenney (1): rcu: Protect ->defer_qs_iw_pending from data race Paulo Alcantara (1): smb: client: fix session setup against servers that require SPN Pavel Begunkov (5): io_uring: don't use int for ABI io_uring: export io_[un]account_mem io_uring/zcrx: account area memory io_uring/zcrx: fix null ifq on area destruction io_uring/zcrx: don't leak pages on account failure Pawan Gupta (1): x86/bugs: Avoid warning when overriding return thunk Pedro Falcato (1): RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Pei Xiao (1): clk: tegra: periph: Fix error handling and resolve unsigned compare warning Peichen Huang (1): drm/amd/display: add null check Peng Fan (1): firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set early during resume Peter Jakubek (1): ASoC: Intel: sof_sdw: Add quirk for Alienware Area 51 (2025) 0CCC SKU Peter Robinson (1): reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Peter Ujfalusi (2): ASoC: SOF: topology: Parse the dapm_widget_tokens in case of DSPless mode ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Petr Pavlu (1): module: Prevent silent truncation of module name in delete_module(2) Philipp Stanner (2): drm/sched/tests: Add unit test for cancel_job() drm/sched: Avoid memory leaks with cancel_job() callback Prashant Malani (1): cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Purva Yeshi (1): md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Qu Wenruo (3): btrfs: populate otime when logging an inode item btrfs: fix wrong length parameter for btrfs_cleanup_ordered_extents() btrfs: do not allow relocation of partially dropped subvolumes Radhey Shyam Pandey (1): usb: dwc3: xilinx: add shutdown callback Rafael J. Wysocki (3): ACPI: processor: perflib: Move problematic pr->performance check cpuidle: governors: menu: Avoid using invalid recent intervals data PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Raj Kumar Bhagat (1): wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 Rameshkumar Sundaram (1): wifi: ath12k: Fix beacon reception for sta associated to Non-TX AP Ramya Gnanasekar (1): wifi: mac80211: update radar_required in channel context after channel switch Rand Deeb (1): wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Randy Dunlap (2): fbdev: nvidiafb: add depends on HAS_IOPORT parisc: Makefile: fix a typo in palo.conf Ranjan Kumar (1): scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Ricardo Ribalda (4): media: uvcvideo: Add quirk for HP Webcam HD 2300 media: uvcvideo: Set V4L2_CTRL_FLAG_DISABLED during queryctrl errors media: uvcvideo: Do not mark valid metadata as invalid media: uvcvideo: Turn on the camera if V4L2_EVENT_SUB_FL_SEND_INITIAL Ricky Wu (1): misc: rtsx: usb: Ensure mmc child device is active when card is present Rob Clark (2): drm/msm: Update register xml drm/msm: use trylock for debugfs Robin Murphy (1): perf/arm: Add missing .suppress_bind_attrs Roman Li (1): drm/amd/display: Disable dsc_power_gate for dcn314 by default Rong Zhang (1): fs/ntfs3: correctly create symlink for relative path RubenKelevra (1): net: ieee8021q: fix insufficient table-size assertion Sabrina Dubroca (4): xfrm: flush all states in xfrm_state_fini xfrm: restore GSO for SW crypto xfrm: bring back device check in validate_xmit_xfrm udp: also consider secpath when evaluating ipsec use for checksumming Sarah Newman (1): drbd: add missing kref_get in handle_write_conflicts Sarika Sharma (2): wifi: ath12k: Correct tid cleanup when tid setup fails wifi: ath12k: Add memset and update default rate value in wmi tx completion Sarthak Garg (1): mmc: sdhci-msm: Ensure SD card power isn't ON when card removed Sasha Levin (1): fs: Prevent file descriptor table allocations exceeding INT_MAX Sean Christopherson (1): KVM: VMX: Extract checking of guest's DEBUGCTL into helper Sebastian Andrzej Siewior (1): selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG Sebastian Ott (1): ACPI: processor: fix acpi_object initialization Sebastian Reichel (2): watchdog: dw_wdt: Fix default timeout usb: typec: fusb302: cache PD RX state SeongJae Park (2): samples/damon/wsse: fix boot time enable handling samples/damon/mtier: support boot time enable setup Sergey Bashirov (4): pNFS: Fix stripe mapping in block/scsi layout pNFS: Fix disk addr range check in block/scsi layout pNFS: Handle RPC size limit for layoutcommits pNFS: Fix uninited ptr deref in block/scsi layout Shankari Anand (1): kconfig: nconf: Ensure null termination where strncpy is used Shannon Nelson (1): ionic: clean dbpage in de-init Shengjiu Wang (1): ASoC: fsl_sai: replace regmap_write with regmap_update_bits Shiji Yang (2): MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} MIPS: lantiq: falcon: sysctrl: fix request memory check logic Shin'ichiro Kawasaki (1): dm: split write BIOs on zone boundaries when zone append is not emulated Showrya M N (1): scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Shuai Xue (1): ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered Shubhrajyoti Datta (1): EDAC/synopsys: Clear the ECC counters on init Shyam Prasad N (1): cifs: reset iface weights when we cannot find a candidate Siddharth Vadapalli (1): arm64: dts: ti: k3-j722s-evm: Fix USB gpio-hog level for Type-C Sravan Kumar Gundu (1): fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Srinivas Kandagatla (1): ASoC: qcom: use drvdata instead of component to keep id Stanislav Fomichev (2): net: lapbether: ignore ops-locked netdevs hamradio: ignore ops-locked netdevs Stanislaw Gruszka (1): wifi: iwlegacy: Check rate_idx range after addition Stefan Metzmacher (3): smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() smb: client: don't wait for info->send_pending == 0 on error smb: client: don't call init_waitqueue_head(&info->conn_wait) twice in _smbd_get_connection Steve French (1): smb3: fix for slab out of bounds on mount to ksmbd Steven Rostedt (3): tracefs: Add d_delete to remove negative dentries powerpc/thp: tracing: Hide hugepage events under CONFIG_PPC_BOOK3S_64 ktest.pl: Prevent recursion of default variable options Su Hui (1): usb: xhci: print xhci->xhc_state when queue_command failed Suchit Karunakaran (1): kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Suren Baghdasaryan (1): userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry Sven Schnelle (3): s390/sclp: Use monotonic clock in sclp_sync_wait() s390/time: Use monotonic clock in get_cycles() s390/stp: Remove udelay from stp_sync_clock() Sven Stegemann (1): net: kcm: Fix race condition in kcm_unattach() Takashi Iwai (4): ALSA: usb-audio: Validate UAC3 power domain descriptors, too ALSA: usb-audio: Validate UAC3 cluster segment descriptors ALSA: hda: Handle the jack polling always via a work ALSA: hda: Disable jack polling at shutdown Tetsuo Handa (1): hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() Theodore Ts'o (1): ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Thierry Reding (2): firmware: tegra: Fix IVC dependency problems drm/fbdev-client: Skip DRM clients if modesetting is absent Thomas Croft (1): ALSA: hda/realtek: add LG gram 16Z90R-A to alc269 fixup table Thomas Fourier (6): et131x: Add missing check after DMA map net: ag71xx: Add missing check after DMA map (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`. powerpc: floppy: Add missing checks after DMA map wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Thomas Gleixner (1): irqchip/mvebu-gicp: Use resource_size() for ioremap() Thomas Weißschuh (7): LoongArch: Don't use %pK through printk() in unwinder mfd: cros_ec: Separate charge-control probing from USB-PD tools/nolibc: define time_t in terms of __kernel_old_time_t tools/build: Fix s390(x) cross-compilation with clang selftests: vDSO: vdso_test_getrandom: Always print TAP header um: Re-evaluate thread flags repeatedly MIPS: Don't crash in stack_top() for tasks without ABI or vDSO Tiffany Yang (1): binder: Fix selftest page indexing Tom Lendacky (1): x86/sev: Ensure SVSM reserved fields in a page validation entry are initialized to zero Tomasz Michalec (2): usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present platform/chrome: cros_ec_typec: Defer probe on missing EC parent Tomi Valkeinen (1): media: raspberrypi: cfe: Fix min_reqbufs_allocation Trond Myklebust (1): NFS: Fix the setting of capabilities when automounting a new filesystem Tvrtko Ursulin (2): drm/xe: Make dma-fences compliant with the safe access rules drm/ttm: Respect the shrinker core free target Ulf Hansson (1): mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Umio Yasuno (1): drm/amd/pm: fix null pointer access Uwe Kleine-König (1): Bluetooth: btusb: Add support for variant of RTL8851BE (USB ID 13d3:3601) Valmantas Paliksa (1): phy: rockchip-pcie: Enable all four lanes if required Vasiliy Kovalev (1): ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Vedang Nagar (1): media: venus: Fix OOB read due to missing payload bound check Viacheslav Dubeyko (5): hfs: fix general protection fault in hfs_find_init() hfs: fix slab-out-of-bounds in hfs_bnode_read() hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() hfs: fix not erasing deleted b-tree node issue Vijendar Mukunda (2): soundwire: amd: serialize amd manager resume sequence during pm_prepare soundwire: amd: cancel pending slave status handling workqueue during remove sequence Vincent Mailhol (1): can: ti_hecc: fix -Woverflow compiler warning Vinod Govindapillai (1): drm/i915/fbc: fix the implementation of wa_18038517565 Vivek Pernamitta (1): bus: mhi: host: pci_generic: Disable runtime PM for QDU100 Vlastimil Babka (1): mm, slab: restore NUMA policy support for large kmalloc Waiman Long (2): futex: Use user_write_access_begin/_end() in futex_put_value() mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Wang Zhaolong (1): smb: client: remove redundant lstrp update in negotiate protocol Wayne Lin (1): drm/amd/display: Avoid trying AUX transactions on disconnected ports Wei Fang (1): net: enetc: separate 64-bit counters from enetc_port_counters Wei Gao (1): ext2: Handle fiemap on empty files to prevent EINVAL Wen Chen (1): drm/amd/display: Fix 'failed to blank crtc!' Wentao Guan (1): LoongArch: vDSO: Remove -nostdlib complier flag Wilfred Mallawa (1): PCI: dw-rockchip: Delay link training after hot reset in EP mode Will Deacon (1): vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Willy Tarreau (1): tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Wolfram Sang (3): media: usb: hdpvr: disable zero-length read messages i3c: add missing include to internal header i3c: don't fail if GETHDRCAP is unsupported Xiang Liu (1): drm/amdgpu: Use correct severity for BP threshold exceed event Xin Long (1): sctp: linearize cloned gso packets in sctp_rcv Xinxin Wan (1): ASoC: codecs: rt5640: Retry DEVICE_ID verification Xinyu Liu (1): usb: core: config: Prevent OOB read in SS endpoint companion parsing Xu Yang (1): net: usb: asix_devices: add phy_mask for ax88772 mdio bus Yang Li (1): Bluetooth: hci_event: Add support for handling LE BIG Sync Lost event Yann E. MORIN (1): kconfig: lxdialog: fix 'space' to (de)select options Yao Zi (3): LoongArch: Avoid in-place string operation on FDT content net: stmmac: thead: Get and enable APB clock on initialization riscv: dts: thead: Add APB clocks for TH1520 GMACs Yeoreum Yun (2): tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's built-in firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall YiPeng Chai (1): drm/amdgpu: fix vram reservation issue Yonghong Song (2): selftests/bpf: Fix ringbuf/ringbuf_write test failure with arm64 64KB page size selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Yongzhen Zhang (1): fbdev: fix potential buffer overflow in do_register_framebuffer() Youngjun Lee (1): media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Yu Kuai (1): lib/sbitmap: convert shallow_depth from one word to the whole sbitmap Yuan Chen (2): drm/msm: Add error handling for krealloc in metadata setup bpftool: Fix JSON writer resource leak in version command Yuezhang Mo (1): exfat: add cluster chain loop check for dir Yury Norov [NVIDIA] (1): RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Zhang Yi (2): ext4: limit the maximum folio order ext4: initialize superblock fields in the kballoc-test.c kunit tests Zheng Qixing (1): block: fix kobject double initialization in add_disk Zhiqi Song (1): crypto: hisilicon/hpre - fix dma unmap sequence Zhu Qiyu (1): ACPI: PRM: Reduce unnecessary printing to avoid user confusion Zijun Hu (2): char: misc: Fix improper and inaccurate error code returned by misc_init() Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() Ziyan Fu (1): watchdog: iTCO_wdt: Report error if timeout configuration fails Zqiang (2): rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access rcutorture: Fix rcutorture_one_extend_check() splat in RT kernels chenchangcheng (1): media: uvcvideo: Fix bandwidth issue for Alcor camera fangzhong.zhou (1): i2c: Force DLL0945 touchpad i2c freq to 100khz ganglxie (1): drm/amdgpu: clear pa and mca record counter when resetting eeprom jackysliu (1): scsi: bfa: Double-free fix tuhaowen (1): PM: sleep: console: Fix the black screen issue zhangjianrong (2): net: thunderbolt: Enable end-to-end flow control also in transmit net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Álvaro Fernández Rojas (6): net: dsa: b53: ensure BCM5325 PHYs are enabled net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 net: dsa: b53: prevent DIS_LEARNING access on BCM5325 net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325

4 weeks

1
1
0 0

Linux 6.12.43

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.43 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/filesystems/fscrypt.rst | 37 +-- Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 Makefile | 2 arch/arm/mach-rockchip/platsmp.c | 15 - arch/arm/mach-tegra/reset.c | 2 arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 4 arch/arm64/include/asm/acpi.h | 2 arch/arm64/kernel/acpi.c | 10 arch/arm64/kernel/stacktrace.c | 2 arch/arm64/kernel/traps.c | 1 arch/arm64/mm/fault.c | 1 arch/arm64/mm/ptdump_debugfs.c | 3 arch/loongarch/kernel/env.c | 13 - arch/loongarch/kernel/relocate_kernel.S | 2 arch/loongarch/kernel/unwind_orc.c | 2 arch/loongarch/net/bpf_jit.c | 21 - arch/mips/include/asm/vpe.h | 8 arch/mips/kernel/process.c | 16 - arch/mips/lantiq/falcon/sysctrl.c | 23 -- arch/parisc/Makefile | 2 arch/powerpc/include/asm/floppy.h | 5 arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 arch/riscv/mm/ptdump.c | 3 arch/s390/include/asm/timex.h | 13 - arch/s390/kernel/early.c | 1 arch/s390/kernel/time.c | 2 arch/s390/mm/dump_pagetables.c | 2 arch/um/include/asm/thread_info.h | 4 arch/um/kernel/process.c | 20 + arch/x86/include/asm/kvm-x86-ops.h | 1 arch/x86/include/asm/kvm_host.h | 15 + arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/bugs.c | 5 arch/x86/kvm/svm/svm.c | 14 - arch/x86/kvm/vmx/main.c | 3 arch/x86/kvm/vmx/nested.c | 21 + arch/x86/kvm/vmx/pmu_intel.c | 8 arch/x86/kvm/vmx/vmx.c | 57 +++-- arch/x86/kvm/vmx/vmx.h | 26 ++ arch/x86/kvm/vmx/x86_ops.h | 2 arch/x86/kvm/x86.c | 25 +- block/bfq-iosched.c | 35 +-- block/bfq-iosched.h | 3 block/blk-mq.c | 6 block/blk-settings.c | 2 block/blk-zoned.c | 20 - block/kyber-iosched.c | 9 block/mq-deadline.c | 16 - crypto/jitterentropy-kcapi.c | 9 drivers/accel/habanalabs/common/memory.c | 23 -- drivers/acpi/acpi_processor.c | 2 drivers/acpi/apei/ghes.c | 13 + drivers/acpi/prmt.c | 26 ++ drivers/acpi/processor_perflib.c | 11 + drivers/ata/ahci.c | 12 + drivers/ata/ata_piix.c | 1 drivers/ata/libahci.c | 1 drivers/ata/libata-sata.c | 52 ++++ drivers/base/power/runtime.c | 5 drivers/block/drbd/drbd_receiver.c | 6 drivers/block/loop.c | 38 ++- drivers/block/sunvdc.c | 4 drivers/bluetooth/btusb.c | 2 drivers/char/ipmi/ipmi_msghandler.c | 8 drivers/char/ipmi/ipmi_watchdog.c | 59 +++-- drivers/char/misc.c | 4 drivers/clk/qcom/gcc-ipq5018.c | 2 drivers/clk/qcom/gcc-ipq8074.c | 6 drivers/clk/renesas/rzg2l-cpg.c | 8 drivers/clk/samsung/clk-exynos850.c | 2 drivers/clk/samsung/clk-gs101.c | 4 drivers/clk/tegra/clk-periph.c | 4 drivers/clk/thead/clk-th1520-ap.c | 5 drivers/comedi/comedi_fops.c | 31 ++ drivers/comedi/comedi_internal.h | 1 drivers/comedi/drivers.c | 13 - drivers/cpufreq/cppc_cpufreq.c | 2 drivers/cpufreq/cpufreq.c | 8 drivers/cpufreq/intel_pstate.c | 2 drivers/cpuidle/governors/menu.c | 21 + drivers/crypto/ccp/sp-pci.c | 1 drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 + drivers/devfreq/governor_userspace.c | 6 drivers/dma/stm32/stm32-dma.c | 2 drivers/edac/synopsys_edac.c | 97 ++++----- drivers/firmware/arm_ffa/driver.c | 2 drivers/firmware/arm_scmi/scmi_power_control.c | 22 +- drivers/firmware/tegra/Kconfig | 5 drivers/gpio/gpio-mlxbf2.c | 2 drivers/gpio/gpio-mlxbf3.c | 54 +---- drivers/gpio/gpio-tps65912.c | 7 drivers/gpio/gpio-virtio.c | 9 drivers/gpio/gpio-wcd934x.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 6 drivers/gpu/drm/amd/display/dc/core/dc.c | 6 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 11 - drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c | 2 drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 1 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c | 16 - drivers/gpu/drm/amd/pm/amdgpu_pm.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 +-- drivers/gpu/drm/imagination/pvr_power.c | 59 +++++ drivers/gpu/drm/msm/msm_drv.c | 9 drivers/gpu/drm/msm/msm_gem.c | 3 drivers/gpu/drm/msm/msm_gem.h | 6 drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c | 3 drivers/gpu/drm/ttm/ttm_pool.c | 8 drivers/gpu/drm/ttm/ttm_resource.c | 3 drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 7 drivers/gpu/drm/xe/xe_hw_fence.c | 3 drivers/gpu/drm/xe/xe_query.c | 27 +- drivers/hid/hid-apple.c | 17 + drivers/hid/hid-magicmouse.c | 56 +++-- drivers/hwmon/emc2305.c | 10 drivers/i2c/i2c-core-acpi.c | 1 drivers/i3c/internals.h | 1 drivers/i3c/master.c | 4 drivers/idle/intel_idle.c | 2 drivers/iio/adc/ad7768-1.c | 23 +- drivers/iio/adc/ad_sigma_delta.c | 2 drivers/infiniband/core/nldev.c | 22 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 drivers/infiniband/hw/hfi1/affinity.c | 44 ++-- drivers/infiniband/sw/siw/siw_qp_tx.c | 5 drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 drivers/iommu/intel/iommu.c | 19 + drivers/iommu/intel/iommu.h | 3 drivers/iommu/iommufd/io_pagetable.c | 48 ++-- drivers/leds/flash/leds-qcom-flash.c | 15 + drivers/leds/leds-lp50xx.c | 11 - drivers/leds/trigger/ledtrig-netdev.c | 16 - drivers/md/dm-ps-historical-service-time.c | 4 drivers/md/dm-ps-queue-length.c | 4 drivers/md/dm-ps-round-robin.c | 4 drivers/md/dm-ps-service-time.c | 4 drivers/md/dm-stripe.c | 1 drivers/md/dm-table.c | 10 drivers/md/dm-zoned-target.c | 2 drivers/md/dm.c | 37 ++- drivers/md/raid10.c | 1 drivers/media/dvb-frontends/dib7000p.c | 8 drivers/media/i2c/hi556.c | 7 drivers/media/i2c/tc358743.c | 86 ++++---- drivers/media/pci/intel/ipu-bridge.c | 2 drivers/media/platform/qcom/venus/hfi_msgs.c | 83 +++++-- drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 drivers/media/usb/uvc/uvc_driver.c | 12 + drivers/media/usb/uvc/uvc_video.c | 21 + drivers/media/v4l2-core/v4l2-common.c | 14 - drivers/mfd/axp20x.c | 3 drivers/mfd/cros_ec_dev.c | 10 drivers/misc/cardreader/rtsx_usb.c | 16 - drivers/misc/mei/bus.c | 6 drivers/mmc/host/rtsx_usb_sdmmc.c | 4 drivers/mmc/host/sdhci-msm.c | 14 + drivers/net/can/ti_hecc.c | 2 drivers/net/dsa/b53/b53_common.c | 78 +++++-- drivers/net/dsa/b53/b53_regs.h | 7 drivers/net/ethernet/agere/et131x.c | 36 +++ drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 2 drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++ drivers/net/ethernet/atheros/ag71xx.c | 9 drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 drivers/net/ethernet/emulex/benet/be_main.c | 8 drivers/net/ethernet/faraday/ftgmac100.c | 7 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 + drivers/net/ethernet/freescale/fec_main.c | 34 +-- drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 drivers/net/ethernet/google/gve/gve_adminq.c | 1 drivers/net/ethernet/intel/idpf/idpf.h | 19 + drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 36 ++- drivers/net/ethernet/intel/idpf/idpf_lib.c | 18 + drivers/net/ethernet/intel/idpf/idpf_main.c | 1 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 13 - drivers/net/ethernet/mediatek/mtk_wed.c | 1 drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 drivers/net/ethernet/ti/icssg/icss_iep.c | 26 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 6 drivers/net/hyperv/hyperv_net.h | 3 drivers/net/hyperv/netvsc_drv.c | 29 ++ drivers/net/pcs/pcs-xpcs-plat.c | 4 drivers/net/phy/broadcom.c | 25 +- drivers/net/phy/micrel.c | 12 + drivers/net/phy/smsc.c | 1 drivers/net/thunderbolt/main.c | 21 - drivers/net/usb/asix_devices.c | 1 drivers/net/usb/cdc_ncm.c | 20 + drivers/net/wireless/ath/ath10k/core.c | 48 ++++ drivers/net/wireless/ath/ath10k/core.h | 11 - drivers/net/wireless/ath/ath10k/mac.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 6 drivers/net/wireless/ath/ath12k/dp.c | 3 drivers/net/wireless/ath/ath12k/hw.c | 2 drivers/net/wireless/ath/ath12k/mac.c | 1 drivers/net/wireless/ath/ath12k/wmi.c | 5 drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 5 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 25 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 23 +- drivers/net/wireless/realtek/rtw89/chan.c | 6 drivers/net/wireless/realtek/rtw89/fw.c | 9 drivers/net/wireless/realtek/rtw89/fw.h | 2 drivers/net/wireless/realtek/rtw89/mac.c | 19 + drivers/net/wireless/realtek/rtw89/reg.h | 1 drivers/net/wireless/realtek/rtw89/wow.c | 5 drivers/net/xen-netfront.c | 5 drivers/nvme/host/pci.c | 24 ++ drivers/nvme/host/tcp.c | 11 - drivers/pci/pci-acpi.c | 4 drivers/pci/pci.c | 76 +++++-- drivers/pci/pci.h | 1 drivers/pci/probe.c | 5 drivers/perf/arm-cmn.c | 1 drivers/perf/arm-ni.c | 1 drivers/perf/cxl_pmu.c | 2 drivers/phy/rockchip/phy-rockchip-pcie.c | 3 drivers/pinctrl/stm32/pinctrl-stm32.c | 1 drivers/platform/chrome/cros_ec_sensorhub.c | 23 +- drivers/platform/chrome/cros_ec_typec.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 drivers/platform/x86/thinkpad_acpi.c | 4 drivers/pmdomain/imx/imx8m-blk-ctrl.c | 10 drivers/pmdomain/ti/Kconfig | 2 drivers/power/supply/qcom_battmgr.c | 2 drivers/pps/clients/pps-gpio.c | 5 drivers/ptp/ptp_clock.c | 2 drivers/ptp/ptp_private.h | 5 drivers/ptp/ptp_vclock.c | 7 drivers/remoteproc/imx_rproc.c | 4 drivers/reset/Kconfig | 10 drivers/rtc/rtc-ds1307.c | 15 + drivers/scsi/aacraid/comminit.c | 3 drivers/scsi/bfa/bfad_im.c | 1 drivers/scsi/libiscsi.c | 3 drivers/scsi/lpfc/lpfc_debugfs.c | 1 drivers/scsi/lpfc/lpfc_hbadisc.c | 3 drivers/scsi/lpfc/lpfc_scsi.c | 4 drivers/scsi/mpi3mr/mpi3mr_os.c | 20 + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 + drivers/scsi/scsi_scan.c | 2 drivers/scsi/scsi_transport_sas.c | 60 ++++- drivers/soc/qcom/mdt_loader.c | 10 drivers/soc/qcom/rpmh-rsc.c | 2 drivers/soundwire/amd_manager.c | 7 drivers/soundwire/bus.c | 6 drivers/target/target_core_fabric_lib.c | 63 ++++- drivers/target/target_core_internal.h | 4 drivers/target/target_core_pr.c | 18 - drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 +++- drivers/thermal/thermal_sysfs.c | 9 drivers/thunderbolt/domain.c | 2 drivers/tty/serial/serial_core.c | 44 ++-- drivers/usb/class/cdc-acm.c | 11 - drivers/usb/core/config.c | 10 drivers/usb/core/urb.c | 2 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci-ring.c | 10 drivers/usb/host/xhci.c | 6 drivers/usb/typec/mux/intel_pmc_mux.c | 2 drivers/usb/typec/tcpm/tcpci_maxim_core.c | 46 ++-- drivers/usb/typec/ucsi/psy.c | 2 drivers/usb/typec/ucsi/ucsi.c | 1 drivers/usb/typec/ucsi/ucsi.h | 7 drivers/vfio/pci/mlx5/cmd.c | 4 drivers/vfio/vfio_iommu_type1.c | 7 drivers/vhost/vhost.c | 3 drivers/video/fbdev/core/fbcon.c | 9 drivers/video/fbdev/core/fbmem.c | 3 drivers/virt/coco/efi_secret/efi_secret.c | 10 drivers/watchdog/dw_wdt.c | 2 drivers/watchdog/iTCO_wdt.c | 6 drivers/watchdog/sbsa_gwdt.c | 50 ++++ fs/btrfs/block-group.c | 27 ++ fs/btrfs/ctree.c | 1 fs/btrfs/extent-tree.c | 33 +-- fs/btrfs/qgroup.c | 13 - fs/btrfs/relocation.c | 19 + fs/btrfs/transaction.c | 6 fs/btrfs/tree-log.c | 107 ++++++---- fs/btrfs/zoned.c | 5 fs/crypto/fscrypt_private.h | 17 + fs/crypto/hkdf.c | 2 fs/crypto/keysetup.c | 3 fs/crypto/keysetup_v1.c | 3 fs/eventpoll.c | 60 ++++- fs/exfat/dir.c | 12 + fs/exfat/fatent.c | 10 fs/exfat/namei.c | 5 fs/exfat/super.c | 32 +- fs/ext2/inode.c | 12 + fs/ext4/inline.c | 19 + fs/ext4/mballoc-test.c | 9 fs/ext4/mballoc.c | 67 ++---- fs/f2fs/file.c | 24 +- fs/file.c | 15 + fs/gfs2/dir.c | 6 fs/gfs2/glops.c | 6 fs/gfs2/meta_io.c | 2 fs/hfs/bfind.c | 3 fs/hfs/bnode.c | 93 ++++++++ fs/hfs/btree.c | 57 ++++- fs/hfs/extent.c | 2 fs/hfs/hfs_fs.h | 1 fs/hfsplus/bnode.c | 92 ++++++++ fs/hfsplus/unicode.c | 7 fs/hfsplus/xattr.c | 6 fs/jfs/file.c | 3 fs/jfs/inode.c | 2 fs/jfs/jfs_dmap.c | 6 fs/libfs.c | 4 fs/nfs/blocklayout/blocklayout.c | 4 fs/nfs/blocklayout/dev.c | 5 fs/nfs/blocklayout/extent_tree.c | 20 + fs/nfs/client.c | 44 +++- fs/nfs/internal.h | 2 fs/nfs/nfs4client.c | 20 - fs/nfs/nfs4proc.c | 2 fs/nfs/pnfs.c | 11 - fs/nfsd/nfs4state.c | 34 ++- fs/ntfs3/dir.c | 3 fs/ntfs3/inode.c | 31 +- fs/orangefs/orangefs-debugfs.c | 2 fs/pidfs.c | 2 fs/proc/task_mmu.c | 6 fs/smb/client/cifssmb.c | 10 fs/smb/client/compress.c | 71 +----- fs/smb/client/connect.c | 10 fs/smb/client/sess.c | 9 fs/smb/client/smb2ops.c | 11 - fs/smb/client/smbdirect.c | 25 +- fs/smb/server/smb2pdu.c | 16 - fs/tracefs/inode.c | 11 + fs/udf/super.c | 13 + fs/xfs/scrub/trace.h | 2 include/linux/acpi.h | 2 include/linux/blk_types.h | 6 include/linux/blkdev.h | 55 +++++ include/linux/hypervisor.h | 3 include/linux/if_vlan.h | 21 + include/linux/libata.h | 1 include/linux/memory-tiers.h | 2 include/linux/packing.h | 6 include/linux/pci.h | 16 + include/linux/sbitmap.h | 6 include/linux/skbuff.h | 8 include/linux/usb/cdc_ncm.h | 1 include/linux/virtio_vsock.h | 7 include/net/cfg80211.h | 2 include/net/kcm.h | 1 include/net/mac80211.h | 4 include/net/neighbour.h | 1 include/net/net_namespace.h | 16 + include/net/sock.h | 1 include/trace/events/thp.h | 2 include/uapi/linux/in6.h | 4 include/uapi/linux/io_uring.h | 2 include/uapi/linux/pci_regs.h | 1 io_uring/rw.c | 2 kernel/bpf/verifier.c | 7 kernel/module/main.c | 10 kernel/power/console.c | 7 kernel/printk/nbcon.c | 63 +++-- kernel/rcu/tree.c | 2 kernel/rcu/tree.h | 14 + kernel/rcu/tree_nocb.h | 5 kernel/rcu/tree_plugin.h | 44 +++- kernel/sched/deadline.c | 4 kernel/sched/fair.c | 19 + kernel/sched/rt.c | 6 lib/sbitmap.c | 56 ++--- mm/damon/core.c | 1 mm/kmemleak.c | 10 mm/ptdump.c | 2 mm/slub.c | 7 mm/userfaultfd.c | 17 - net/bluetooth/hci_sock.c | 2 net/core/ieee8021q_helpers.c | 44 +--- net/core/neighbour.c | 12 - net/core/net_namespace.c | 8 net/core/sock.c | 27 ++ net/ipv4/route.c | 1 net/ipv4/udp_offload.c | 2 net/ipv6/addrconf.c | 7 net/ipv6/mcast.c | 11 - net/kcm/kcmsock.c | 10 net/mac80211/cfg.c | 12 - net/mac80211/chan.c | 1 net/mac80211/link.c | 9 net/mac80211/mlme.c | 12 - net/mac80211/rx.c | 12 - net/mctp/af_mctp.c | 26 ++ net/mptcp/subflow.c | 5 net/ncsi/internal.h | 2 net/ncsi/ncsi-rsp.c | 1 net/netfilter/nf_conntrack_netlink.c | 24 +- net/netfilter/nft_set_pipapo.c | 9 net/netlink/af_netlink.c | 12 - net/rds/tcp.c | 8 net/sched/sch_ets.c | 11 - net/sctp/input.c | 2 net/smc/af_smc.c | 5 net/sunrpc/svcsock.c | 5 net/sunrpc/xprtsock.c | 8 net/tls/tls.h | 2 net/tls/tls_strp.c | 11 - net/tls/tls_sw.c | 3 net/vmw_vsock/virtio_transport.c | 2 net/wireless/mlme.c | 3 net/xfrm/xfrm_state.c | 72 ++++-- rust/Makefile | 13 + scripts/kconfig/gconf.c | 8 scripts/kconfig/lxdialog/inputbox.c | 6 scripts/kconfig/lxdialog/menubox.c | 2 scripts/kconfig/nconf.c | 2 scripts/kconfig/nconf.gui.c | 1 security/apparmor/domain.c | 52 ++-- security/apparmor/file.c | 6 security/apparmor/include/lib.h | 6 security/inode.c | 2 sound/core/pcm_native.c | 19 + sound/pci/hda/hda_codec.c | 42 +-- sound/pci/hda/patch_ca0132.c | 2 sound/pci/hda/patch_realtek.c | 3 sound/pci/intel8x0.c | 2 sound/soc/codecs/hdac_hdmi.c | 10 sound/soc/codecs/rt5640.c | 5 sound/soc/fsl/fsl_sai.c | 20 - sound/soc/intel/avs/core.c | 3 sound/soc/qcom/lpass-platform.c | 27 +- sound/soc/soc-core.c | 3 sound/soc/soc-dapm.c | 4 sound/soc/sof/topology.c | 15 + sound/usb/mixer_quirks.c | 14 - sound/usb/stream.c | 25 ++ sound/usb/validate.c | 12 + tools/bpf/bpftool/main.c | 6 tools/hv/hv_fcopy_uio_daemon.c | 91 +++++++- tools/include/nolibc/std.h | 4 tools/include/nolibc/types.h | 4 tools/lib/bpf/libbpf.c | 5 tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 tools/power/x86/turbostat/turbostat.c | 14 + tools/scripts/Makefile.include | 4 tools/testing/ktest/ktest.pl | 5 tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 tools/testing/selftests/bpf/prog_tests/ringbuf.c | 4 tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 10 tools/testing/selftests/bpf/progs/test_ringbuf_write.c | 4 tools/testing/selftests/bpf/progs/verifier_unpriv.c | 2 tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 tools/testing/selftests/futex/include/futextest.h | 11 + tools/testing/selftests/net/netfilter/config | 2 tools/testing/selftests/vDSO/vdso_test_getrandom.c | 6 466 files changed, 4133 insertions(+), 1787 deletions(-) Aakash Kumar S (1): xfrm: Duplicate SPI Handling Aaron Kling (1): ARM: tegra: Use I/O memcpy to write to IRAM Aaron Plattner (1): watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Abel Vesa (1): power: supply: qcom_battmgr: Add lithium-polymer entry Aditya Garg (2): HID: magicmouse: avoid setting up battery timer when not needed HID: apple: avoid setting up battery timer for devices without battery Ahmed Zaki (1): idpf: preserve coalescing settings across resets Al Viro (4): habanalabs: fix UAF in export_dmabuf() better lockdep annotations for simple_recursive_removal() fix locking in efi_secret_unlink() securityfs: don't pin dentries twice, once is enough... Alessio Belle (1): drm/imagination: Clear runtime PM errors while resetting the GPU Alex Guo (2): media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Alex Hung (1): drm/amd/display: Initialize mode_select to 0 Alexander Kochetkov (1): ARM: rockchip: fix kernel hang during smp initialization Alexey Klimov (1): iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Alok Tiwari (6): net: ti: icss-iep: Fix incorrect type for return value in extts_enable() ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 be2net: Use correct byte order and format string for TCP seq and ack_seq net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() perf/cxlpmu: Remove unintended newline from IRQ name format string gve: Return error for unknown admin queue command Amelie Delaunay (1): dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Amir Mohammad Jahangirzad (1): fs/orangefs: use snprintf() instead of sprintf() Andrew Price (2): gfs2: Validate i_depth for exhash directories gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Andrey Albershteyn (1): xfs: fix scrub trace with null pointer in quotacheck André Draszik (4): clk: samsung: exynos850: fix a comment clk: samsung: gs101: fix CLK_DOUT_CMU_G3D_BUSD clk: samsung: gs101: fix alternate mout_hsi0_usb20_ref parent clock usb: typec: tcpm/tcpci_maxim: fix irq wake usage Andy Shevchenko (1): Documentation: ACPI: Fix parent device references Anshuman Khandual (1): mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Anthoine Bourgeois (1): xen/netfront: Fix TX response spurious interrupts Arnaud Lecomte (1): jfs: upper bound check of tree index in dbAllocAG Arnd Bergmann (2): RDMA/core: reduce stack using in nldev_stat_get_doit() firmware: arm_scmi: Convert to SYSTEM_SLEEP_PM_OPS Artem Sadovnikov (1): vfio/mlx5: fix possible overflow in tracking max message size Avraham Stern (2): wifi: iwlwifi: mvm: avoid outdated reorder buffer head_sn wifi: iwlwifi: mvm: fix scan request validation Baokun Li (2): ext4: fix zombie groups in average fragment size lists ext4: fix largest free orders lists corruption on mb_optimize_scan switch Bartosz Golaszewski (2): gpio: wcd934x: check the return value of regmap_update_bits() gpio: tps65912: check the return value of regmap_update_bits() Benjamin Marzinski (1): dm-table: fix checking for rq stackable devices Benson Leung (1): usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Bharat Bhushan (1): crypto: octeontx2 - add timeout for load_fvc completion poll Bijan Tabatabai (1): mm/damon/core: commit damos->target_nid Biju Das (1): net: phy: micrel: Add ksz9131_resume() Bitterblue Smith (2): wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB wifi: rtw89: Fix rtw89_mac_power_switch() for USB Bjorn Andersson (1): soc: qcom: mdt_loader: Actually use the e_phoff Boris Burkov (2): btrfs: fix ssd_spread overallocation btrfs: fix iteration bug in __qgroup_excl_accounting() Breno Leitao (5): ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path arm64: Mark kernel as tainted on SAE and SError panic ptp: Use ratelimite for freerun error message ipmi: Use dev_warn_ratelimited() for incorrect message warnings mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Buday Csaba (1): net: phy: smsc: add proper reset flags for LAN8710A Calvin Owens (2): tools/power turbostat: Fix build with musl tools/power turbostat: Handle cap_get_proc() ENOSYS Cezary Rojewski (1): ASoC: Intel: avs: Fix uninitialized pointer error in probe() Charlene Liu (1): drm/amd/display: limit clear_update_flags to dcn32 and above Charles Keepax (1): soundwire: Move handle_nested_irq outside of sdw_dev_lock Cheick Traore (1): pinctrl: stm32: Manage irq affinity settings Chen-Yu Tsai (1): mfd: axp20x: Set explicit ID for AXP313 regulator Chih-Kang Chang (1): wifi: rtw89: scan abort when assign/unassign_vif Chin-Yen Lee (1): wifi: rtw89: wow: Add Basic Rate IE to probe request in scheduled scan mode Chris Mason (1): sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Christian Brauner (1): pidfs: raise SB_I_NODEV and SB_I_NOEXEC Christian Marangi (1): clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src Christophe Leroy (1): ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Christopher Eby (1): ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Claudiu Beznea (1): clk: renesas: rzg2l: Postpone updating priv->clks[] Corey Minyard (1): ipmi: Fix strcpy source and destination the same Cristian Ciocaltea (1): ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Cynthia Huang (1): selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Dai Ngo (1): NFSD: detect mismatch of file handle and delegation stateid in OPEN op Damien Le Moal (9): block: Make REQ_OP_ZONE_FINISH a write operation ata: ahci: Disallow LPM policy control if not supported ata: ahci: Disable DIPM if host lacks support ata: libata-sata: Disallow changing LPM state if not supported scsi: mpt3sas: Correctly handle ATA device errors scsi: mpi3mr: Correctly handle ATA device errors block: Introduce bio_needs_zone_write_plugging() dm: Always split write BIOs to zoned device limits ata: libata-sata: Add link_power_management_supported sysfs attribute Daniel Golle (1): Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" Daniel Scally (1): media: ipu-bridge: Add _HID for OV5670 Dave Stevenson (3): media: tc358743: Check I2C succeeded during probe media: tc358743: Return an appropriate colorspace from tc358743_set_fmt media: tc358743: Increase FIFO trigger level to 374 David Bauer (1): wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch David Collins (1): thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required David Howells (1): cifs: Fix collect_sample() to handle any iterator type David Lechner (1): iio: adc: ad_sigma_delta: don't overallocate scan buffer David Thompson (3): gpio: mlxbf2: use platform_get_irq_optional() Revert "gpio: mlxbf3: only get IRQ for device instance 0" gpio: mlxbf3: use platform_get_irq_optional() Davide Caratti (1): net/sched: ets: use old 'nbands' while purging unused classes Eduard Zingerman (1): libbpf: Verify that arena map exists when adding arena relocations Edward Adam Davis (1): jfs: Regular file corruption check Eliav Farber (1): pps: clients: gpio: fix interrupt handling order in remove path Emily Deng (1): drm/ttm: Should to return the evict error En-Wei Wu (1): Bluetooth: btusb: Add new VID/PID 0489/e14e for MT7925 Eric Biggers (2): fscrypt: Don't use problematic non-inline crypto engines thunderbolt: Fix copy+paste error in match_service_id() Eric Dumazet (1): net: better track kernel sockets lifetime Eric Work (1): net: atlantic: add set_power to fw_ops for atl2 to fix wol Fedor Pchelkin (1): netlink: avoid infinite retry looping in netlink_unicast() Filipe Manana (8): btrfs: abort transaction during log replay if walk_log_tree() failed btrfs: qgroup: set quota enabled bit if quota disable fails flushing reservations btrfs: don't ignore inode missing when replaying log tree btrfs: qgroup: fix qgroup create ioctl returning success after quotas disabled btrfs: don't skip remaining extrefs if dir not found during log replay btrfs: clear dirty status from extent buffer on error at insert_new_root() btrfs: fix log tree replay failure due to file with 0 links and extents btrfs: error on missing block group when unaccounting log tree extent buffers Florian Larysch (1): net: phy: micrel: fix KSZ8081/KSZ8091 cable test Florian Westphal (2): netfilter: ctnetlink: fix refcount leak on table dump netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps Florin Leotescu (1): hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Frederic Weisbecker (1): rcu: Fix racy re-initialization of irq_work causing hangs Gabriel Totev (1): apparmor: shift ouid when mediating hard links in userns Gal Pressman (2): net: vlan: Make is_vlan_dev() a stub when VLAN is not configured net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Gautham R. Shenoy (1): pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() George Moussalem (1): clk: qcom: ipq5018: keep XO clock always on Geraldo Nascimento (1): phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal Greg Kroah-Hartman (1): Linux 6.12.43 Guillaume La Roque (1): pmdomain: ti: Select PM_GENERIC_DOMAINS Gwendal Grignou (1): platform/chrome: cros_ec_sensorhub: Retries when a sensor is not ready Haiyang Zhang (1): hv_netvsc: Fix panic during namespace deletion with VF Hans de Goede (2): mei: bus: Check for still connected devices in mei_cl_bus_dev_release() media: hi556: Fix reset GPIO timings Haoran Jiang (1): LoongArch: BPF: Fix jump offset calculation in tailcall Harald Mommer (1): gpio: virtio: Fix config space reading. Hari Chandrakanthan (2): wifi: mac80211: fix rx link assignment for non-MLO stations wifi: ath12k: Fix station association with MBSSID Non-TX BSS Hari Kalavakunta (1): net: ncsi: Fix buffer overflow in fetching version id Heiko Carstens (1): s390/early: Copy last breaking event address to pt_regs Heiner Kallweit (2): net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect dpaa_eth: don't use fixed_phy_change_carrier Hiago De Franco (1): remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Hrushikesh Salunke (1): arm64: dts: ti: k3-j722s-evm: Fix USB2.0_MUX_SEL to select Type-C Hsin-Te Yuan (1): thermal: sysfs: Return ENODATA instead of EAGAIN for reads Huacai Chen (2): PCI: Extend isolated function probing to LoongArch LoongArch: Make relocate_new_kernel_size be a .quad value Ian Abbott (1): comedi: fix race between polling and detaching Ihor Solodrai (1): bpf: Make reg_not_null() true for CONST_PTR_TO_MAP Ilan Peer (1): wifi: cfg80211: Fix interface type validation Ilpo Järvinen (1): PCI: Store all PCIe Supported Link Speeds Ilya Bakoulin (1): drm/amd/display: Separate set_gsl from set_gsl_source_select Ivan Lipski (1): drm/amd/display: Allow DCN301 to clear update flags Jack Ping CHNG (1): net: pcs: xpcs: mask readl() return value to 16 bits Jack Xiao (1): drm/amdgpu: fix incorrect vm flags to map bo Jaegeuk Kim (1): f2fs: check the generic conditions first Jakub Kicinski (2): tls: handle data disappearing from under the TLS ULP uapi: in6: restore visibility of most IPv6 socket options Jan Kara (2): loop: Avoid updating block size under exclusive owner udf: Verify partition map count Jann Horn (1): eventpoll: Fix semi-unbounded recursion Jason Gunthorpe (1): iommufd: Prevent ALIGN() overflow Jason Wang (1): vhost: fail early when __vhost_add_used() fails Jay Chen (1): usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Jeff Layton (1): nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Jens Axboe (1): io_uring/rw: cast rw->flags assignment to rwf_t Jeongjun Park (1): ptp: prevent possible ABBA deadlock in ptp_clock_freerun() Jiasheng Jiang (1): scsi: lpfc: Remove redundant assignment to avoid memory leak Jiayi Li (1): ACPI: processor: perflib: Fix initial _PPC limit application Jinjiang Tu (1): mm/smaps: fix race between smaps_hugetlb_range and migration Joel Fernandes (1): rcu: Fix rcu_read_unlock() deadloop due to IRQ work Johan Adolfsson (1): leds: leds-lp50xx: Handle reg to get correct multi_index Johan Hovold (5): net: gianfar: fix device leak when querying time stamp info net: enetc: fix device and OF node leak at probe net: mtk_eth_soc: fix device leak at probe net: ti: icss-iep: fix device and OF node leaks at probe net: dpaa: fix device leak when querying time stamp info Johannes Berg (3): wifi: cfg80211: reject HTC bit for management frames wifi: mac80211: don't unreserve never reserved chanctx wifi: mac80211: don't complete management TX on SAE commit Johannes Thumshirn (1): btrfs: zoned: use filesystem size not disk size for reclaim decision John Garry (4): dm-stripe: limit chunk_sectors to the stripe size md/raid10: set chunk_sectors limit scsi: aacraid: Stop using PCI_IRQ_AFFINITY block: avoid possible overflow for chunk_sectors check in blk_stack_limits() John Johansen (1): apparmor: fix x_table_lookup when stacking is not the first entry John Ogness (1): printk: nbcon: Allow reacquire during panic Jonas Rebmann (1): net: fec: allow disable coalescing Jonathan Santos (1): iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Jorge Marques (1): i3c: master: Initialize ret in i3c_i2c_notifier_call() Joseph Tilahun (1): tty: serial: fix print format specifiers Juri Lelli (1): sched/deadline: Fix accounting after global limits change Justin Tee (2): scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Kalesh AP (1): RDMA/bnxt_re: Fix size of uverbs_copy_to() in BNXT_RE_METHOD_GET_TOGGLE_MEM Kamil Horák - 2N (1): net: phy: bcm54811: PHY initialization Kang Yang (1): wifi: ath10k: shutdown driver when hardware is unreliable Karthikeyan Kathirvel (1): wifi: ath12k: Decrement TID on RX peer frag setup error handling Kees Cook (2): arm64: Handle KCOV __init vs inline mismatches platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Keith Busch (2): nvme-pci: try function level reset on init failure vfio/type1: conditional rescheduling while pinning Krzysztof Hałasa (1): imx8m-blk-ctrl: set ISI panic write hurry level Krzysztof Kozlowski (1): leds: flash: leds-qcom-flash: Fix registry access after re-bind Kuninori Morimoto (1): ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Kuniyuki Iwashima (2): ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc(). net: Add net_passive_inc() and net_passive_dec(). Lad Prabhakar (1): drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range Len Brown (2): intel_idle: Allow loading ACPI tables for any family tools/power turbostat: Handle non-root legacy-uncore sysfs permissions Leon Romanovsky (1): net/mlx5e: Properly access RCU protected qdisc_sleeping variable Li Chen (2): ACPI: Suppress misleading SPCR console message when SPCR table is absent ACPI: Return -ENODEV from acpi_parse_spcr() when SPCR support is disabled Li RongQing (1): cpufreq: intel_pstate: Add Granite Rapids support in no-HWP mode Li Zhijian (1): mm/memory-tier: fix abstract distance calculation overflow Lifeng Zheng (2): cpufreq: Exit governor when failed to start old governor PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Lizhi Xu (2): fs/ntfs3: Add sanity check for file name jfs: truncate good inode pages when hard link is 0 Lu Baolu (1): iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes Lucy Thrun (1): ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Lukas Wunner (2): PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports PCI: Honor Max Link Speed when determining supported speeds MD Danish Anwar (1): net: ti: icssg-prueth: Fix emac link speed handling Ma Ke (1): sunvdc: Balance device refcount in vdc_port_mpgroup_check Manivannan Sadhasivam (1): PCI: Allow PCI bridges to go to D3Hot on all non-x86 Marek Szyprowski (1): media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() Mario Limonciello (7): platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list usb: xhci: Avoid showing warnings for dying controller usb: xhci: Avoid showing errors during surprise removal drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual drm/amd/display: Only finalize atomic_obj if it was initialized drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported crypto: ccp - Add missing bootloader info reg for pspv6 Mark Brown (2): ASoC: hdac_hdmi: Rate limit logging on connection and disconnection kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace Mark Rutland (1): arm64: stacktrace: Check kretprobe_find_ret_addr() return value Markus Theil (1): crypto: jitter - fix intermediary handling Masahiro Yamada (2): kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() kconfig: gconf: fix potential memory leak in renderer_edited() Masami Hiramatsu (Google) (1): selftests: tracing: Use mutex_unlock for testing glob filter Mateusz Guzik (1): apparmor: use the condition in AA_BUG_FMT even with debug disabled Matt Johnston (1): net: mctp: Prevent duplicate binds Matt Roper (1): drm/xe/xe_query: Use separate iterator while filling GT list Maulik Shah (1): soc: qcom: rpmh-rsc: Add RSC version 4 support Maurizio Lombardi (2): nvme-tcp: log TLS handshake failures at error level scsi: target: core: Generate correct identifiers for PR OUT transport IDs Maxim Levitsky (3): KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Meagan Lloyd (2): rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Michal Wilczynski (1): clk: thead: Mark essential bus clocks as CLK_IGNORE_UNUSED Miguel Ojeda (2): rust: kbuild: clean output before running `rustdoc` rust: workaround `rustdoc` target modifiers bug Mikhail Lobanov (1): wifi: mac80211: check basic rates validity in sta_link_apply_parameters Mikulas Patocka (1): dm-mpath: don't print the "loaded" message if registering fails Mina Almasry (1): netmem: fix skb_frag_address_safe with unreadable skbs Miri Korenblit (2): wifi: iwlwifi: mvm: set gtk id also in older FWs wifi: mac80211: avoid weird state in error path Myrrh Periwinkle (1): usb: typec: ucsi: Update power_supply on power role change Naman Jain (1): tools/hv: fcopy: Fix irregularities with size of ring buffer Naohiro Aota (2): btrfs: zoned: do not remove unwritten non-data block group btrfs: zoned: do not select metadata BG as finish target Nathan Lynch (1): lib: packing: Include necessary headers NeilBrown (1): smb/server: avoid deadlock when linking with ReplaceIfExists Nicholas Kazlauskas (1): drm/amd/display: Update DMCUB loading sequence for DCN3.5 Nicolas Escande (1): neighbour: add support for NUD_PERMANENT proxy entries Nicolin Chen (1): iommufd: Report unmapped bytes in the error path of iopt_unmap_iova_range Niklas Söderlund (1): media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Oliver Neukum (3): usb: core: usb_submit_urb: downgrade type check net: usb: cdc-ncm: check for filtering capability cdc-acm: fix race between initial clearing halt and open Oscar Maes (1): net: ipv4: fix incorrect MTU in broadcast routes Pagadala Yesu Anjaneyulu (1): wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Pali Rohár (1): cifs: Fix calling CIFSFindFirst() for root path without msearch Paul Chaignon (1): bpf: Forget ranges when refining tnum after JSET Paul E. McKenney (1): rcu: Protect ->defer_qs_iw_pending from data race Pavel Begunkov (1): io_uring: don't use int for ABI Pawan Gupta (1): x86/bugs: Avoid warning when overriding return thunk Pedro Falcato (1): RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Pei Xiao (1): clk: tegra: periph: Fix error handling and resolve unsigned compare warning Peng Fan (1): firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set early during resume Peter Robinson (1): reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Peter Ujfalusi (2): ASoC: SOF: topology: Parse the dapm_widget_tokens in case of DSPless mode ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Petr Pavlu (1): module: Prevent silent truncation of module name in delete_module(2) Prashant Malani (1): cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Purva Yeshi (1): md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Qu Wenruo (2): btrfs: populate otime when logging an inode item btrfs: do not allow relocation of partially dropped subvolumes Rafael J. Wysocki (3): ACPI: processor: perflib: Move problematic pr->performance check cpuidle: governors: menu: Avoid using invalid recent intervals data PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Raj Kumar Bhagat (1): wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 Ramya Gnanasekar (1): wifi: mac80211: update radar_required in channel context after channel switch Rand Deeb (1): wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Randy Dunlap (1): parisc: Makefile: fix a typo in palo.conf Ranjan Kumar (1): scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Ricardo Ribalda (2): media: uvcvideo: Add quirk for HP Webcam HD 2300 media: uvcvideo: Do not mark valid metadata as invalid Ricky Wu (1): misc: rtsx: usb: Ensure mmc child device is active when card is present Rob Clark (1): drm/msm: use trylock for debugfs Robin Murphy (1): perf/arm: Add missing .suppress_bind_attrs Roman Li (1): drm/amd/display: Disable dsc_power_gate for dcn314 by default Rong Zhang (1): fs/ntfs3: correctly create symlink for relative path RubenKelevra (1): net: ieee8021q: fix insufficient table-size assertion Sabrina Dubroca (1): udp: also consider secpath when evaluating ipsec use for checksumming Sarah Newman (1): drbd: add missing kref_get in handle_write_conflicts Sarika Sharma (2): wifi: ath12k: Correct tid cleanup when tid setup fails wifi: ath12k: Add memset and update default rate value in wmi tx completion Sarthak Garg (1): mmc: sdhci-msm: Ensure SD card power isn't ON when card removed Sasha Levin (1): fs: Prevent file descriptor table allocations exceeding INT_MAX Sean Christopherson (4): KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported KVM: VMX: Extract checking of guest's DEBUGCTL into helper Sebastian Andrzej Siewior (1): selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG Sebastian Ott (1): ACPI: processor: fix acpi_object initialization Sebastian Reichel (1): watchdog: dw_wdt: Fix default timeout Sergey Bashirov (4): pNFS: Fix stripe mapping in block/scsi layout pNFS: Fix disk addr range check in block/scsi layout pNFS: Handle RPC size limit for layoutcommits pNFS: Fix uninited ptr deref in block/scsi layout Shankari Anand (1): kconfig: nconf: Ensure null termination where strncpy is used Shannon Nelson (1): ionic: clean dbpage in de-init Shengjiu Wang (1): ASoC: fsl_sai: replace regmap_write with regmap_update_bits Shiji Yang (2): MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} MIPS: lantiq: falcon: sysctrl: fix request memory check logic Shin'ichiro Kawasaki (1): dm: split write BIOs on zone boundaries when zone append is not emulated Showrya M N (1): scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Shuai Xue (1): ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered Shubhrajyoti Datta (1): EDAC/synopsys: Clear the ECC counters on init Shyam Prasad N (1): cifs: reset iface weights when we cannot find a candidate Siddharth Vadapalli (1): arm64: dts: ti: k3-j722s-evm: Fix USB gpio-hog level for Type-C Sravan Kumar Gundu (1): fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Srinivas Kandagatla (1): ASoC: qcom: use drvdata instead of component to keep id Stanislaw Gruszka (1): wifi: iwlegacy: Check rate_idx range after addition Stefan Metzmacher (3): smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() smb: client: don't wait for info->send_pending == 0 on error smb: client: don't call init_waitqueue_head(&info->conn_wait) twice in _smbd_get_connection Steve French (1): smb3: fix for slab out of bounds on mount to ksmbd Steven Rostedt (3): tracefs: Add d_delete to remove negative dentries powerpc/thp: tracing: Hide hugepage events under CONFIG_PPC_BOOK3S_64 ktest.pl: Prevent recursion of default variable options Su Hui (1): usb: xhci: print xhci->xhc_state when queue_command failed Suchit Karunakaran (1): kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Suren Baghdasaryan (1): userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry Sven Schnelle (2): s390/time: Use monotonic clock in get_cycles() s390/stp: Remove udelay from stp_sync_clock() Sven Stegemann (1): net: kcm: Fix race condition in kcm_unattach() Takashi Iwai (4): ALSA: usb-audio: Validate UAC3 power domain descriptors, too ALSA: usb-audio: Validate UAC3 cluster segment descriptors ALSA: hda: Handle the jack polling always via a work ALSA: hda: Disable jack polling at shutdown Tetsuo Handa (1): hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() Theodore Ts'o (1): ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Thierry Reding (1): firmware: tegra: Fix IVC dependency problems Thomas Croft (1): ALSA: hda/realtek: add LG gram 16Z90R-A to alc269 fixup table Thomas Fourier (6): et131x: Add missing check after DMA map net: ag71xx: Add missing check after DMA map (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`. powerpc: floppy: Add missing checks after DMA map wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Thomas Weißschuh (7): LoongArch: Don't use %pK through printk() in unwinder tools/nolibc: define time_t in terms of __kernel_old_time_t tools/build: Fix s390(x) cross-compilation with clang selftests: vDSO: vdso_test_getrandom: Always print TAP header um: Re-evaluate thread flags repeatedly MIPS: Don't crash in stack_top() for tasks without ABI or vDSO mfd: cros_ec: Separate charge-control probing from USB-PD Tomasz Michalec (2): usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present platform/chrome: cros_ec_typec: Defer probe on missing EC parent Trond Myklebust (1): NFS: Fix the setting of capabilities when automounting a new filesystem Tvrtko Ursulin (2): drm/xe: Make dma-fences compliant with the safe access rules drm/ttm: Respect the shrinker core free target Ulf Hansson (1): mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Umio Yasuno (1): drm/amd/pm: fix null pointer access Vasiliy Kovalev (1): ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Vedang Nagar (1): media: venus: Fix OOB read due to missing payload bound check Viacheslav Dubeyko (5): hfs: fix general protection fault in hfs_find_init() hfs: fix slab-out-of-bounds in hfs_bnode_read() hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() hfs: fix not erasing deleted b-tree node issue Vijendar Mukunda (2): soundwire: amd: serialize amd manager resume sequence during pm_prepare soundwire: amd: cancel pending slave status handling workqueue during remove sequence Vincent Mailhol (1): can: ti_hecc: fix -Woverflow compiler warning Vlastimil Babka (1): mm, slab: restore NUMA policy support for large kmalloc Waiman Long (1): mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Wang Zhaolong (2): smb: client: remove redundant lstrp update in negotiate protocol smb: client: fix netns refcount leak after net_passive changes Wayne Lin (1): drm/amd/display: Avoid trying AUX transactions on disconnected ports Wei Gao (1): ext2: Handle fiemap on empty files to prevent EINVAL Wen Chen (1): drm/amd/display: Fix 'failed to blank crtc!' Will Deacon (1): vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Willy Tarreau (1): tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Wolfram Sang (3): media: usb: hdpvr: disable zero-length read messages i3c: add missing include to internal header i3c: don't fail if GETHDRCAP is unsupported Xin Long (1): sctp: linearize cloned gso packets in sctp_rcv Xinxin Wan (1): ASoC: codecs: rt5640: Retry DEVICE_ID verification Xinyu Liu (1): usb: core: config: Prevent OOB read in SS endpoint companion parsing Xu Yang (1): net: usb: asix_devices: add phy_mask for ax88772 mdio bus Yann E. MORIN (1): kconfig: lxdialog: fix 'space' to (de)select options Yao Zi (1): LoongArch: Avoid in-place string operation on FDT content Yeoreum Yun (1): firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall YiPeng Chai (1): drm/amdgpu: fix vram reservation issue Yonghong Song (2): selftests/bpf: Fix ringbuf/ringbuf_write test failure with arm64 64KB page size selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Yongzhen Zhang (1): fbdev: fix potential buffer overflow in do_register_framebuffer() Youngjun Lee (1): media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Yu Kuai (1): lib/sbitmap: convert shallow_depth from one word to the whole sbitmap Yuan Chen (2): drm/msm: Add error handling for krealloc in metadata setup bpftool: Fix JSON writer resource leak in version command Yuezhang Mo (1): exfat: add cluster chain loop check for dir Yury Norov [NVIDIA] (1): RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Zhang Yi (1): ext4: initialize superblock fields in the kballoc-test.c kunit tests Zhiqi Song (1): crypto: hisilicon/hpre - fix dma unmap sequence Zhu Qiyu (1): ACPI: PRM: Reduce unnecessary printing to avoid user confusion Zijun Hu (2): char: misc: Fix improper and inaccurate error code returned by misc_init() Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() Ziyan Fu (1): watchdog: iTCO_wdt: Report error if timeout configuration fails Zqiang (1): rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access chenchangcheng (1): media: uvcvideo: Fix bandwidth issue for Alcor camera fangzhong.zhou (1): i2c: Force DLL0945 touchpad i2c freq to 100khz jackysliu (1): scsi: bfa: Double-free fix tuhaowen (1): PM: sleep: console: Fix the black screen issue zhangjianrong (2): net: thunderbolt: Enable end-to-end flow control also in transmit net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Álvaro Fernández Rojas (6): net: dsa: b53: ensure BCM5325 PHYs are enabled net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 net: dsa: b53: prevent DIS_LEARNING access on BCM5325 net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325

4 weeks

1
1
0 0

[PATCH] x86: XOP prefix instructions decoder support

by Masami Hiramatsu (Google)

From: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Support decoding AMD's XOP prefix encoded instructions. These instructions are introduced for Bulldozer micro architecture, and not supported on Intel's processors. But when compiling kernel with CONFIG_X86_NATIVE_CPU on some AMD processor (e.g. -march=bdver2), these instructions can be used. Reported-by: Alan J. Wylie <alan(a)wylie.me.uk> Closes: https://lore.kernel.org/all/871pq06728.fsf@wylie.me.uk/ Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> --- arch/x86/include/asm/inat.h | 15 +++ arch/x86/include/asm/insn.h | 51 +++++++++ arch/x86/lib/inat.c | 13 ++ arch/x86/lib/insn.c | 35 +++++- arch/x86/lib/x86-opcode-map.txt | 111 ++++++++++++++++++++ arch/x86/tools/gen-insn-attr-x86.awk | 44 ++++++++ tools/arch/x86/include/asm/inat.h | 15 +++ tools/arch/x86/include/asm/insn.h | 51 +++++++++ tools/arch/x86/lib/inat.c | 13 ++ tools/arch/x86/lib/insn.c | 35 +++++- tools/arch/x86/lib/x86-opcode-map.txt | 111 ++++++++++++++++++++ tools/arch/x86/tools/gen-insn-attr-x86.awk | 44 ++++++++ .../util/intel-pt-decoder/intel-pt-insn-decoder.c | 2 13 files changed, 513 insertions(+), 27 deletions(-) diff --git a/arch/x86/include/asm/inat.h b/arch/x86/include/asm/inat.h index 97f341777db5..1b3060a3425c 100644 --- a/arch/x86/include/asm/inat.h +++ b/arch/x86/include/asm/inat.h @@ -37,6 +37,8 @@ #define INAT_PFX_EVEX 15 /* EVEX prefix */ /* x86-64 REX2 prefix */ #define INAT_PFX_REX2 16 /* 0xD5 */ +/* AMD XOP prefix */ +#define INAT_PFX_XOP 17 /* 0x8F */ #define INAT_LSTPFX_MAX 3 #define INAT_LGCPFX_MAX 11 @@ -77,6 +79,7 @@ #define INAT_MOFFSET (1 << (INAT_FLAG_OFFS + 3)) #define INAT_VARIANT (1 << (INAT_FLAG_OFFS + 4)) #define INAT_VEXOK (1 << (INAT_FLAG_OFFS + 5)) +#define INAT_XOPOK INAT_VEXOK #define INAT_VEXONLY (1 << (INAT_FLAG_OFFS + 6)) #define INAT_EVEXONLY (1 << (INAT_FLAG_OFFS + 7)) #define INAT_NO_REX2 (1 << (INAT_FLAG_OFFS + 8)) @@ -111,6 +114,8 @@ extern insn_attr_t inat_get_group_attribute(insn_byte_t modrm, extern insn_attr_t inat_get_avx_attribute(insn_byte_t opcode, insn_byte_t vex_m, insn_byte_t vex_pp); +extern insn_attr_t inat_get_xop_attribute(insn_byte_t opcode, + insn_byte_t map_select); /* Attribute checking functions */ static inline int inat_is_legacy_prefix(insn_attr_t attr) @@ -164,6 +169,11 @@ static inline int inat_is_vex3_prefix(insn_attr_t attr) return (attr & INAT_PFX_MASK) == INAT_PFX_VEX3; } +static inline int inat_is_xop_prefix(insn_attr_t attr) +{ + return (attr & INAT_PFX_MASK) == INAT_PFX_XOP; +} + static inline int inat_is_escape(insn_attr_t attr) { return attr & INAT_ESC_MASK; @@ -229,6 +239,11 @@ static inline int inat_accept_vex(insn_attr_t attr) return attr & INAT_VEXOK; } +static inline int inat_accept_xop(insn_attr_t attr) +{ + return attr & INAT_XOPOK; +} + static inline int inat_must_vex(insn_attr_t attr) { return attr & (INAT_VEXONLY | INAT_EVEXONLY); diff --git a/arch/x86/include/asm/insn.h b/arch/x86/include/asm/insn.h index 7152ea809e6a..091f88c8254d 100644 --- a/arch/x86/include/asm/insn.h +++ b/arch/x86/include/asm/insn.h @@ -71,7 +71,10 @@ struct insn { * prefixes.bytes[3]: last prefix */ struct insn_field rex_prefix; /* REX prefix */ - struct insn_field vex_prefix; /* VEX prefix */ + union { + struct insn_field vex_prefix; /* VEX prefix */ + struct insn_field xop_prefix; /* XOP prefix */ + }; struct insn_field opcode; /* * opcode.bytes[0]: opcode1 * opcode.bytes[1]: opcode2 @@ -135,6 +138,17 @@ struct insn { #define X86_VEX_V(vex) (((vex) & 0x78) >> 3) /* VEX3 Byte2, VEX2 Byte1 */ #define X86_VEX_P(vex) ((vex) & 0x03) /* VEX3 Byte2, VEX2 Byte1 */ #define X86_VEX_M_MAX 0x1f /* VEX3.M Maximum value */ +/* XOP bit fields */ +#define X86_XOP_R(xop) ((xop) & 0x80) /* XOP Byte2 */ +#define X86_XOP_X(xop) ((xop) & 0x40) /* XOP Byte2 */ +#define X86_XOP_B(xop) ((xop) & 0x20) /* XOP Byte2 */ +#define X86_XOP_M(xop) ((xop) & 0x1f) /* XOP Byte2 */ +#define X86_XOP_W(xop) ((xop) & 0x80) /* XOP Byte3 */ +#define X86_XOP_V(xop) ((xop) & 0x78) /* XOP Byte3 */ +#define X86_XOP_L(xop) ((xop) & 0x04) /* XOP Byte3 */ +#define X86_XOP_P(xop) ((xop) & 0x03) /* XOP Byte3 */ +#define X86_XOP_M_MIN 0x08 /* Min of XOP.M */ +#define X86_XOP_M_MAX 0x1f /* Max of XOP.M */ extern void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64); extern int insn_get_prefixes(struct insn *insn); @@ -178,7 +192,7 @@ static inline insn_byte_t insn_rex2_m_bit(struct insn *insn) return X86_REX2_M(insn->rex_prefix.bytes[1]); } -static inline int insn_is_avx(struct insn *insn) +static inline int insn_is_avx_or_xop(struct insn *insn) { if (!insn->prefixes.got) insn_get_prefixes(insn); @@ -192,6 +206,22 @@ static inline int insn_is_evex(struct insn *insn) return (insn->vex_prefix.nbytes == 4); } +/* If we already know this is AVX/XOP encoded */ +static inline int avx_insn_is_xop(struct insn *insn) +{ + insn_attr_t attr = inat_get_opcode_attribute(insn->vex_prefix.bytes[0]); + + return inat_is_xop_prefix(attr); +} + +static inline int insn_is_xop(struct insn *insn) +{ + if (!insn_is_avx_or_xop(insn)) + return 0; + + return avx_insn_is_xop(insn); +} + static inline int insn_has_emulate_prefix(struct insn *insn) { return !!insn->emulate_prefix_size; @@ -222,11 +252,26 @@ static inline insn_byte_t insn_vex_w_bit(struct insn *insn) return X86_VEX_W(insn->vex_prefix.bytes[2]); } +static inline insn_byte_t insn_xop_map_bits(struct insn *insn) +{ + if (insn->xop_prefix.nbytes < 3) /* XOP is 3 bytes */ + return 0; + return X86_XOP_M(insn->xop_prefix.bytes[1]); +} + +static inline insn_byte_t insn_xop_p_bits(struct insn *insn) +{ + return X86_XOP_P(insn->vex_prefix.bytes[2]); +} + /* Get the last prefix id from last prefix or VEX prefix */ static inline int insn_last_prefix_id(struct insn *insn) { - if (insn_is_avx(insn)) + if (insn_is_avx_or_xop(insn)) { + if (avx_insn_is_xop(insn)) + return insn_xop_p_bits(insn); return insn_vex_p_bits(insn); /* VEX_p is a SIMD prefix id */ + } if (insn->prefixes.bytes[3]) return inat_get_last_prefix_id(insn->prefixes.bytes[3]); diff --git a/arch/x86/lib/inat.c b/arch/x86/lib/inat.c index b0f3b2a62ae2..a5cafd402cfd 100644 --- a/arch/x86/lib/inat.c +++ b/arch/x86/lib/inat.c @@ -81,3 +81,16 @@ insn_attr_t inat_get_avx_attribute(insn_byte_t opcode, insn_byte_t vex_m, return table[opcode]; } +insn_attr_t inat_get_xop_attribute(insn_byte_t opcode, insn_byte_t map_select) +{ + const insn_attr_t *table; + + if (map_select < X86_XOP_M_MIN || map_select > X86_XOP_M_MAX) + return 0; + map_select -= X86_XOP_M_MIN; + /* At first, this checks the master table */ + table = inat_xop_tables[map_select]; + if (!table) + return 0; + return table[opcode]; +} diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c index 149a57e334ab..225af1399c9d 100644 --- a/arch/x86/lib/insn.c +++ b/arch/x86/lib/insn.c @@ -200,12 +200,15 @@ int insn_get_prefixes(struct insn *insn) } insn->rex_prefix.got = 1; - /* Decode VEX prefix */ + /* Decode VEX/XOP prefix */ b = peek_next(insn_byte_t, insn); - attr = inat_get_opcode_attribute(b); - if (inat_is_vex_prefix(attr)) { + if (inat_is_vex_prefix(attr) || inat_is_xop_prefix(attr)) { insn_byte_t b2 = peek_nbyte_next(insn_byte_t, insn, 1); - if (!insn->x86_64) { + + if (inat_is_xop_prefix(attr) && X86_MODRM_REG(b2) == 0) { + /* Grp1A.0 is always POP Ev */ + goto vex_end; + } else if (!insn->x86_64) { /* * In 32-bits mode, if the [7:6] bits (mod bits of * ModRM) on the second byte are not 11b, it is @@ -226,13 +229,13 @@ int insn_get_prefixes(struct insn *insn) if (insn->x86_64 && X86_VEX_W(b2)) /* VEX.W overrides opnd_size */ insn->opnd_bytes = 8; - } else if (inat_is_vex3_prefix(attr)) { + } else if (inat_is_vex3_prefix(attr) || inat_is_xop_prefix(attr)) { b2 = peek_nbyte_next(insn_byte_t, insn, 2); insn_set_byte(&insn->vex_prefix, 2, b2); insn->vex_prefix.nbytes = 3; insn->next_byte += 3; if (insn->x86_64 && X86_VEX_W(b2)) - /* VEX.W overrides opnd_size */ + /* VEX.W/XOP.W overrides opnd_size */ insn->opnd_bytes = 8; } else { /* @@ -288,9 +291,22 @@ int insn_get_opcode(struct insn *insn) insn_set_byte(opcode, 0, op); opcode->nbytes = 1; - /* Check if there is VEX prefix or not */ - if (insn_is_avx(insn)) { + /* Check if there is VEX/XOP prefix or not */ + if (insn_is_avx_or_xop(insn)) { insn_byte_t m, p; + + /* XOP prefix has different encoding */ + if (unlikely(avx_insn_is_xop(insn))) { + m = insn_xop_map_bits(insn); + insn->attr = inat_get_xop_attribute(op, m); + if (!inat_accept_xop(insn->attr)) { + insn->attr = 0; + return -EINVAL; + } + /* XOP has only 1 byte for opcode */ + goto end; + } + m = insn_vex_m_bits(insn); p = insn_vex_p_bits(insn); insn->attr = inat_get_avx_attribute(op, m, p); @@ -383,7 +399,8 @@ int insn_get_modrm(struct insn *insn) pfx_id = insn_last_prefix_id(insn); insn->attr = inat_get_group_attribute(mod, pfx_id, insn->attr); - if (insn_is_avx(insn) && !inat_accept_vex(insn->attr)) { + if (insn_is_avx_or_xop(insn) && !inat_accept_vex(insn->attr) && + !inat_accept_xop(insn->attr)) { /* Bad insn */ insn->attr = 0; return -EINVAL; diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt index 262f7ca1fb95..2a4e69ecc2de 100644 --- a/arch/x86/lib/x86-opcode-map.txt +++ b/arch/x86/lib/x86-opcode-map.txt @@ -27,6 +27,11 @@ # (evo): this opcode is changed by EVEX prefix (EVEX opcode) # (v): this opcode requires VEX prefix. # (v1): this opcode only supports 128bit VEX. +# (xop): this opcode accepts XOP prefix. +# +# XOP Superscripts +# (W=0): this opcode requires XOP.W == 0 +# (W=1): this opcode requires XOP.W == 1 # # Last Prefix Superscripts # - (66): the last prefix is 0x66 @@ -194,7 +199,7 @@ AVXcode: 8c: MOV Ev,Sw 8d: LEA Gv,M 8e: MOV Sw,Ew -8f: Grp1A (1A) | POP Ev (d64) +8f: Grp1A (1A) | POP Ev (d64) | XOP (Prefix) # 0x90 - 0x9f 90: NOP | PAUSE (F3) | XCHG r8,rAX 91: XCHG rCX/r9,rAX @@ -1106,6 +1111,84 @@ AVXcode: 7 f8: URDMSR Rq,Id (F2),(v1),(11B) | UWRMSR Id,Rq (F3),(v1),(11B) EndTable +# From AMD64 Architecture Programmer's Manual Vol3, Appendix A.1.5 +Table: XOP map 8h +Referrer: +XOPcode: 0 +85: VPMACSSWW Vo,Ho,Wo,Lo +86: VPMACSSWD Vo,Ho,Wo,Lo +87: VPMACSSDQL Vo,Ho,Wo,Lo +8e: VPMACSSDD Vo,Ho,Wo,Lo +8f: VPMACSSDQH Vo,Ho,Wo,Lo +95: VPMACSWW Vo,Ho,Wo,Lo +96: VPMACSWD Vo,Ho,Wo,Lo +97: VPMACSDQL Vo,Ho,Wo,Lo +9e: VPMACSDD Vo,Ho,Wo,Lo +9f: VPMACSDQH Vo,Ho,Wo,Lo +a2: VPCMOV Vx,Hx,Wx,Lx (W=0) | VPCMOV Vx,Hx,Lx,Wx (W=1) +a3: VPPERM Vo,Ho,Wo,Lo (W=0) | VPPERM Vo,Ho,Lo,Wo (W=1) +a6: VPMADCSSWD Vo,Ho,Wo,Lo +b6: VPMADCSWD Vo,Ho,Wo,Lo +c0: VPROTB Vo,Wo,Ib +c1: VPROTW Vo,Wo,Ib +c2: VPROTD Vo,Wo,Ib +c3: VPROTQ Vo,Wo,Ib +cc: VPCOMccB Vo,Ho,Wo,Ib +cd: VPCOMccW Vo,Ho,Wo,Ib +ce: VPCOMccD Vo,Ho,Wo,Ib +cf: VPCOMccQ Vo,Ho,Wo,Ib +ec: VPCOMccUB Vo,Ho,Wo,Ib +ed: VPCOMccUW Vo,Ho,Wo,Ib +ee: VPCOMccUD Vo,Ho,Wo,Ib +ef: VPCOMccUQ Vo,Ho,Wo,Ib +EndTable + +Table: XOP map 9h +Referrer: +XOPcode: 1 +01: GrpXOP1 +02: GrpXOP2 +12: GrpXOP3 +80: VFRCZPS Vx,Wx +81: VFRCZPD Vx,Wx +82: VFRCZSS Vq,Wss +83: VFRCZSD Vq,Wsd +90: VPROTB Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +91: VPROTW Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +92: VPROTD Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +93: VPROTQ Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +94: VPSHLB Vo,Wo,Ho (W=0) | VPSHLB Vo,Ho,Wo (W=1) +95: VPSHLW Vo,Wo,Ho (W=0) | VPSHLW Vo,Ho,Wo (W=1) +96: VPSHLD Vo,Wo,Ho (W=0) | VPSHLD Vo,Ho,Wo (W=1) +97: VPSHLQ Vo,Wo,Ho (W=0) | VPSHLQ Vo,Ho,Wo (W=1) +98: VPSHAB Vo,Wo,Ho (W=0) | VPSHAB Vo,Ho,Wo (W=1) +99: VPSHAW Vo,Wo,Ho (W=0) | VPSHAW Vo,Ho,Wo (W=1) +9a: VPSHAD Vo,Wo,Ho (W=0) | VPSHAD Vo,Ho,Wo (W=1) +9b: VPSHAQ Vo,Wo,Ho (W=0) | VPSHAQ Vo,Ho,Wo (W=1) +c1: VPHADDBW Vo,Wo +c2: VPHADDBD Vo,Wo +c3: VPHADDBQ Vo,Wo +c6: VPHADDWD Vo,Wo +c7: VPHADDWQ Vo,Wo +cb: VPHADDDQ Vo,Wo +d1: VPHADDUBWD Vo,Wo +d2: VPHADDUBD Vo,Wo +d3: VPHADDUBQ Vo,Wo +d6: VPHADDUWD Vo,Wo +d7: VPHADDUWQ Vo,Wo +db: VPHADDUDQ Vo,Wo +e1: VPHSUBBW Vo,Wo +e2: VPHSUBWD Vo,Wo +e3: VPHSUBDQ Vo,Wo +EndTable + +Table: XOP map Ah +Referrer: +XOPcode: 2 +10: BEXTR Gy,Ey,Id +12: GrpXOP4 +EndTable + GrpTable: Grp1 0: ADD 1: OR @@ -1320,3 +1403,29 @@ GrpTable: GrpRNG 4: xcrypt-cfb 5: xcrypt-ofb EndTable + +# GrpXOP1-4 is shown in AMD APM Vol.3 Appendix A as XOP group #1-4 +GrpTable: GrpXOP1 +1: BLCFILL By,Ey (xop) +2: BLSFILL By,Ey (xop) +3: BLCS By,Ey (xop) +4: TZMSK By,Ey (xop) +5: BLCIC By,Ey (xop) +6: BLSIC By,Ey (xop) +7: T1MSKC By,Ey (xop) +EndTable + +GrpTable: GrpXOP2 +1: BLCMSK By,Ey (xop) +6: BLCI By,Ey (xop) +EndTable + +GrpTable: GrpXOP3 +0: LLWPCB Ry (xop) +1: SLWPCB Ry (xop) +EndTable + +GrpTable: GrpXOP4 +0: LWPINS By,Ed,Id (xop) +1: LWPVAL By,Ed,Id (xop) +EndTable diff --git a/arch/x86/tools/gen-insn-attr-x86.awk b/arch/x86/tools/gen-insn-attr-x86.awk index 2c19d7fc8a85..7ea1b75e59b7 100644 --- a/arch/x86/tools/gen-insn-attr-x86.awk +++ b/arch/x86/tools/gen-insn-attr-x86.awk @@ -21,6 +21,7 @@ function clear_vars() { eid = -1 # escape id gid = -1 # group id aid = -1 # AVX id + xopid = -1 # XOP id tname = "" } @@ -39,9 +40,11 @@ BEGIN { ggid = 1 geid = 1 gaid = 0 + gxopid = 0 delete etable delete gtable delete atable + delete xoptable opnd_expr = "^[A-Za-z/]" ext_expr = "^\$" @@ -61,6 +64,7 @@ BEGIN { imm_flag["Ob"] = "INAT_MOFFSET" imm_flag["Ov"] = "INAT_MOFFSET" imm_flag["Lx"] = "INAT_MAKE_IMM(INAT_IMM_BYTE)" + imm_flag["Lo"] = "INAT_MAKE_IMM(INAT_IMM_BYTE)" modrm_expr = "^([CDEGMNPQRSUVW/][a-z]+|NTA|T[012])" force64_expr = "\\([df]64\$" @@ -87,6 +91,8 @@ BEGIN { evexonly_expr = "\$ev\$" # (es) is the same as (ev) but also "SCALABLE" i.e. W and pp determine operand size evex_scalable_expr = "\$es\$" + # All opcodes in XOP table or with (xop) superscript accept XOP prefix + xopok_expr = "\$xop\$" prefix_expr = "\$Prefix\$" prefix_num["Operand-Size"] = "INAT_PFX_OPNDSZ" @@ -106,6 +112,7 @@ BEGIN { prefix_num["VEX+2byte"] = "INAT_PFX_VEX3" prefix_num["EVEX"] = "INAT_PFX_EVEX" prefix_num["REX2"] = "INAT_PFX_REX2" + prefix_num["XOP"] = "INAT_PFX_XOP" clear_vars() } @@ -147,6 +154,7 @@ function array_size(arr, i,c) { if (NF != 1) { # AVX/escape opcode table aid = $2 + xopid = -1 if (gaid <= aid) gaid = aid + 1 if (tname == "") # AVX only opcode table @@ -156,6 +164,20 @@ function array_size(arr, i,c) { tname = "inat_primary_table" } +/^XOPcode:/ { + if (NF != 1) { + # XOP opcode table + xopid = $2 + aid = -1 + if (gxopid <= xopid) + gxopid = xopid + 1 + if (tname == "") # XOP only opcode table + tname = sprintf("inat_xop_table_%d", $2) + } + if (xopid == -1 && eid == -1) # primary opcode table + tname = "inat_primary_table" +} + /^GrpTable:/ { print "/* " $0 " */" if (!($2 in group)) @@ -206,6 +228,8 @@ function print_table(tbl,name,fmt,n) etable[eid,0] = tname if (aid >= 0) atable[aid,0] = tname + else if (xopid >= 0) + xoptable[xopid] = tname } if (array_size(lptable1) != 0) { print_table(lptable1,tname "_1[INAT_OPCODE_TABLE_SIZE]", @@ -347,6 +371,8 @@ function convert_operands(count,opnd, i,j,imm,mod) flags = add_flags(flags, "INAT_VEXOK | INAT_VEXONLY") else if (match(ext, vexok_expr) || match(opcode, vexok_opcode_expr)) flags = add_flags(flags, "INAT_VEXOK") + else if (match(ext, xopok_expr) || xopid >= 0) + flags = add_flags(flags, "INAT_XOPOK") # check prefixes if (match(ext, prefix_expr)) { @@ -413,6 +439,14 @@ END { print " ["i"]["j"] = "atable[i,j]"," print "};\n" + print "/* XOP opcode map array */" + print "const insn_attr_t * const inat_xop_tables[X86_XOP_M_MAX - X86_XOP_M_MIN + 1]" \ + " = {" + for (i = 0; i < gxopid; i++) + if (xoptable[i]) + print " ["i"] = "xoptable[i]"," + print "};" + print "#else /* !__BOOT_COMPRESSED */\n" print "/* Escape opcode map array */" @@ -430,6 +464,10 @@ END { "[INAT_LSTPFX_MAX + 1];" print "" + print "/* XOP opcode map array */" + print "static const insn_attr_t *inat_xop_tables[X86_XOP_M_MAX - X86_XOP_M_MIN + 1];" + print "" + print "static void inat_init_tables(void)" print "{" @@ -455,6 +493,12 @@ END { if (atable[i,j]) print "\tinat_avx_tables["i"]["j"] = "atable[i,j]";" + print "" + print "\t/* Print XOP opcode map array */" + for (i = 0; i < gxopid; i++) + if (xoptable[i]) + print "\tinat_xop_tables["i"] = "xoptable[i]";" + print "}" print "#endif" } diff --git a/tools/arch/x86/include/asm/inat.h b/tools/arch/x86/include/asm/inat.h index 183aa662b165..099e926595bd 100644 --- a/tools/arch/x86/include/asm/inat.h +++ b/tools/arch/x86/include/asm/inat.h @@ -37,6 +37,8 @@ #define INAT_PFX_EVEX 15 /* EVEX prefix */ /* x86-64 REX2 prefix */ #define INAT_PFX_REX2 16 /* 0xD5 */ +/* AMD XOP prefix */ +#define INAT_PFX_XOP 17 /* 0x8F */ #define INAT_LSTPFX_MAX 3 #define INAT_LGCPFX_MAX 11 @@ -77,6 +79,7 @@ #define INAT_MOFFSET (1 << (INAT_FLAG_OFFS + 3)) #define INAT_VARIANT (1 << (INAT_FLAG_OFFS + 4)) #define INAT_VEXOK (1 << (INAT_FLAG_OFFS + 5)) +#define INAT_XOPOK INAT_VEXOK #define INAT_VEXONLY (1 << (INAT_FLAG_OFFS + 6)) #define INAT_EVEXONLY (1 << (INAT_FLAG_OFFS + 7)) #define INAT_NO_REX2 (1 << (INAT_FLAG_OFFS + 8)) @@ -111,6 +114,8 @@ extern insn_attr_t inat_get_group_attribute(insn_byte_t modrm, extern insn_attr_t inat_get_avx_attribute(insn_byte_t opcode, insn_byte_t vex_m, insn_byte_t vex_pp); +extern insn_attr_t inat_get_xop_attribute(insn_byte_t opcode, + insn_byte_t map_select); /* Attribute checking functions */ static inline int inat_is_legacy_prefix(insn_attr_t attr) @@ -164,6 +169,11 @@ static inline int inat_is_vex3_prefix(insn_attr_t attr) return (attr & INAT_PFX_MASK) == INAT_PFX_VEX3; } +static inline int inat_is_xop_prefix(insn_attr_t attr) +{ + return (attr & INAT_PFX_MASK) == INAT_PFX_XOP; +} + static inline int inat_is_escape(insn_attr_t attr) { return attr & INAT_ESC_MASK; @@ -229,6 +239,11 @@ static inline int inat_accept_vex(insn_attr_t attr) return attr & INAT_VEXOK; } +static inline int inat_accept_xop(insn_attr_t attr) +{ + return attr & INAT_XOPOK; +} + static inline int inat_must_vex(insn_attr_t attr) { return attr & (INAT_VEXONLY | INAT_EVEXONLY); diff --git a/tools/arch/x86/include/asm/insn.h b/tools/arch/x86/include/asm/insn.h index 0e5abd896ad4..c683d609934b 100644 --- a/tools/arch/x86/include/asm/insn.h +++ b/tools/arch/x86/include/asm/insn.h @@ -71,7 +71,10 @@ struct insn { * prefixes.bytes[3]: last prefix */ struct insn_field rex_prefix; /* REX prefix */ - struct insn_field vex_prefix; /* VEX prefix */ + union { + struct insn_field vex_prefix; /* VEX prefix */ + struct insn_field xop_prefix; /* XOP prefix */ + }; struct insn_field opcode; /* * opcode.bytes[0]: opcode1 * opcode.bytes[1]: opcode2 @@ -135,6 +138,17 @@ struct insn { #define X86_VEX_V(vex) (((vex) & 0x78) >> 3) /* VEX3 Byte2, VEX2 Byte1 */ #define X86_VEX_P(vex) ((vex) & 0x03) /* VEX3 Byte2, VEX2 Byte1 */ #define X86_VEX_M_MAX 0x1f /* VEX3.M Maximum value */ +/* XOP bit fields */ +#define X86_XOP_R(xop) ((xop) & 0x80) /* XOP Byte2 */ +#define X86_XOP_X(xop) ((xop) & 0x40) /* XOP Byte2 */ +#define X86_XOP_B(xop) ((xop) & 0x20) /* XOP Byte2 */ +#define X86_XOP_M(xop) ((xop) & 0x1f) /* XOP Byte2 */ +#define X86_XOP_W(xop) ((xop) & 0x80) /* XOP Byte3 */ +#define X86_XOP_V(xop) ((xop) & 0x78) /* XOP Byte3 */ +#define X86_XOP_L(xop) ((xop) & 0x04) /* XOP Byte3 */ +#define X86_XOP_P(xop) ((xop) & 0x03) /* XOP Byte3 */ +#define X86_XOP_M_MIN 0x08 /* Min of XOP.M */ +#define X86_XOP_M_MAX 0x1f /* Max of XOP.M */ extern void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64); extern int insn_get_prefixes(struct insn *insn); @@ -178,7 +192,7 @@ static inline insn_byte_t insn_rex2_m_bit(struct insn *insn) return X86_REX2_M(insn->rex_prefix.bytes[1]); } -static inline int insn_is_avx(struct insn *insn) +static inline int insn_is_avx_or_xop(struct insn *insn) { if (!insn->prefixes.got) insn_get_prefixes(insn); @@ -192,6 +206,22 @@ static inline int insn_is_evex(struct insn *insn) return (insn->vex_prefix.nbytes == 4); } +/* If we already know this is AVX/XOP encoded */ +static inline int avx_insn_is_xop(struct insn *insn) +{ + insn_attr_t attr = inat_get_opcode_attribute(insn->vex_prefix.bytes[0]); + + return inat_is_xop_prefix(attr); +} + +static inline int insn_is_xop(struct insn *insn) +{ + if (!insn_is_avx_or_xop(insn)) + return 0; + + return avx_insn_is_xop(insn); +} + static inline int insn_has_emulate_prefix(struct insn *insn) { return !!insn->emulate_prefix_size; @@ -222,11 +252,26 @@ static inline insn_byte_t insn_vex_w_bit(struct insn *insn) return X86_VEX_W(insn->vex_prefix.bytes[2]); } +static inline insn_byte_t insn_xop_map_bits(struct insn *insn) +{ + if (insn->xop_prefix.nbytes < 3) /* XOP is 3 bytes */ + return 0; + return X86_XOP_M(insn->xop_prefix.bytes[1]); +} + +static inline insn_byte_t insn_xop_p_bits(struct insn *insn) +{ + return X86_XOP_P(insn->vex_prefix.bytes[2]); +} + /* Get the last prefix id from last prefix or VEX prefix */ static inline int insn_last_prefix_id(struct insn *insn) { - if (insn_is_avx(insn)) + if (insn_is_avx_or_xop(insn)) { + if (avx_insn_is_xop(insn)) + return insn_xop_p_bits(insn); return insn_vex_p_bits(insn); /* VEX_p is a SIMD prefix id */ + } if (insn->prefixes.bytes[3]) return inat_get_last_prefix_id(insn->prefixes.bytes[3]); diff --git a/tools/arch/x86/lib/inat.c b/tools/arch/x86/lib/inat.c index dfbcc6405941..ffcb0e27453b 100644 --- a/tools/arch/x86/lib/inat.c +++ b/tools/arch/x86/lib/inat.c @@ -81,3 +81,16 @@ insn_attr_t inat_get_avx_attribute(insn_byte_t opcode, insn_byte_t vex_m, return table[opcode]; } +insn_attr_t inat_get_xop_attribute(insn_byte_t opcode, insn_byte_t map_select) +{ + const insn_attr_t *table; + + if (map_select < X86_XOP_M_MIN || map_select > X86_XOP_M_MAX) + return 0; + map_select -= X86_XOP_M_MIN; + /* At first, this checks the master table */ + table = inat_xop_tables[map_select]; + if (!table) + return 0; + return table[opcode]; +} diff --git a/tools/arch/x86/lib/insn.c b/tools/arch/x86/lib/insn.c index bce69c6bfa69..1d1c57c74d1f 100644 --- a/tools/arch/x86/lib/insn.c +++ b/tools/arch/x86/lib/insn.c @@ -200,12 +200,15 @@ int insn_get_prefixes(struct insn *insn) } insn->rex_prefix.got = 1; - /* Decode VEX prefix */ + /* Decode VEX/XOP prefix */ b = peek_next(insn_byte_t, insn); - attr = inat_get_opcode_attribute(b); - if (inat_is_vex_prefix(attr)) { + if (inat_is_vex_prefix(attr) || inat_is_xop_prefix(attr)) { insn_byte_t b2 = peek_nbyte_next(insn_byte_t, insn, 1); - if (!insn->x86_64) { + + if (inat_is_xop_prefix(attr) && X86_MODRM_REG(b2) == 0) { + /* Grp1A.0 is always POP Ev */ + goto vex_end; + } else if (!insn->x86_64) { /* * In 32-bits mode, if the [7:6] bits (mod bits of * ModRM) on the second byte are not 11b, it is @@ -226,13 +229,13 @@ int insn_get_prefixes(struct insn *insn) if (insn->x86_64 && X86_VEX_W(b2)) /* VEX.W overrides opnd_size */ insn->opnd_bytes = 8; - } else if (inat_is_vex3_prefix(attr)) { + } else if (inat_is_vex3_prefix(attr) || inat_is_xop_prefix(attr)) { b2 = peek_nbyte_next(insn_byte_t, insn, 2); insn_set_byte(&insn->vex_prefix, 2, b2); insn->vex_prefix.nbytes = 3; insn->next_byte += 3; if (insn->x86_64 && X86_VEX_W(b2)) - /* VEX.W overrides opnd_size */ + /* VEX.W/XOP.W overrides opnd_size */ insn->opnd_bytes = 8; } else { /* @@ -288,9 +291,22 @@ int insn_get_opcode(struct insn *insn) insn_set_byte(opcode, 0, op); opcode->nbytes = 1; - /* Check if there is VEX prefix or not */ - if (insn_is_avx(insn)) { + /* Check if there is VEX/XOP prefix or not */ + if (insn_is_avx_or_xop(insn)) { insn_byte_t m, p; + + /* XOP prefix has different encoding */ + if (unlikely(avx_insn_is_xop(insn))) { + m = insn_xop_map_bits(insn); + insn->attr = inat_get_xop_attribute(op, m); + if (!inat_accept_xop(insn->attr)) { + insn->attr = 0; + return -EINVAL; + } + /* XOP has only 1 byte for opcode */ + goto end; + } + m = insn_vex_m_bits(insn); p = insn_vex_p_bits(insn); insn->attr = inat_get_avx_attribute(op, m, p); @@ -383,7 +399,8 @@ int insn_get_modrm(struct insn *insn) pfx_id = insn_last_prefix_id(insn); insn->attr = inat_get_group_attribute(mod, pfx_id, insn->attr); - if (insn_is_avx(insn) && !inat_accept_vex(insn->attr)) { + if (insn_is_avx_or_xop(insn) && !inat_accept_vex(insn->attr) && + !inat_accept_xop(insn->attr)) { /* Bad insn */ insn->attr = 0; return -EINVAL; diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt index 262f7ca1fb95..2a4e69ecc2de 100644 --- a/tools/arch/x86/lib/x86-opcode-map.txt +++ b/tools/arch/x86/lib/x86-opcode-map.txt @@ -27,6 +27,11 @@ # (evo): this opcode is changed by EVEX prefix (EVEX opcode) # (v): this opcode requires VEX prefix. # (v1): this opcode only supports 128bit VEX. +# (xop): this opcode accepts XOP prefix. +# +# XOP Superscripts +# (W=0): this opcode requires XOP.W == 0 +# (W=1): this opcode requires XOP.W == 1 # # Last Prefix Superscripts # - (66): the last prefix is 0x66 @@ -194,7 +199,7 @@ AVXcode: 8c: MOV Ev,Sw 8d: LEA Gv,M 8e: MOV Sw,Ew -8f: Grp1A (1A) | POP Ev (d64) +8f: Grp1A (1A) | POP Ev (d64) | XOP (Prefix) # 0x90 - 0x9f 90: NOP | PAUSE (F3) | XCHG r8,rAX 91: XCHG rCX/r9,rAX @@ -1106,6 +1111,84 @@ AVXcode: 7 f8: URDMSR Rq,Id (F2),(v1),(11B) | UWRMSR Id,Rq (F3),(v1),(11B) EndTable +# From AMD64 Architecture Programmer's Manual Vol3, Appendix A.1.5 +Table: XOP map 8h +Referrer: +XOPcode: 0 +85: VPMACSSWW Vo,Ho,Wo,Lo +86: VPMACSSWD Vo,Ho,Wo,Lo +87: VPMACSSDQL Vo,Ho,Wo,Lo +8e: VPMACSSDD Vo,Ho,Wo,Lo +8f: VPMACSSDQH Vo,Ho,Wo,Lo +95: VPMACSWW Vo,Ho,Wo,Lo +96: VPMACSWD Vo,Ho,Wo,Lo +97: VPMACSDQL Vo,Ho,Wo,Lo +9e: VPMACSDD Vo,Ho,Wo,Lo +9f: VPMACSDQH Vo,Ho,Wo,Lo +a2: VPCMOV Vx,Hx,Wx,Lx (W=0) | VPCMOV Vx,Hx,Lx,Wx (W=1) +a3: VPPERM Vo,Ho,Wo,Lo (W=0) | VPPERM Vo,Ho,Lo,Wo (W=1) +a6: VPMADCSSWD Vo,Ho,Wo,Lo +b6: VPMADCSWD Vo,Ho,Wo,Lo +c0: VPROTB Vo,Wo,Ib +c1: VPROTW Vo,Wo,Ib +c2: VPROTD Vo,Wo,Ib +c3: VPROTQ Vo,Wo,Ib +cc: VPCOMccB Vo,Ho,Wo,Ib +cd: VPCOMccW Vo,Ho,Wo,Ib +ce: VPCOMccD Vo,Ho,Wo,Ib +cf: VPCOMccQ Vo,Ho,Wo,Ib +ec: VPCOMccUB Vo,Ho,Wo,Ib +ed: VPCOMccUW Vo,Ho,Wo,Ib +ee: VPCOMccUD Vo,Ho,Wo,Ib +ef: VPCOMccUQ Vo,Ho,Wo,Ib +EndTable + +Table: XOP map 9h +Referrer: +XOPcode: 1 +01: GrpXOP1 +02: GrpXOP2 +12: GrpXOP3 +80: VFRCZPS Vx,Wx +81: VFRCZPD Vx,Wx +82: VFRCZSS Vq,Wss +83: VFRCZSD Vq,Wsd +90: VPROTB Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +91: VPROTW Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +92: VPROTD Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +93: VPROTQ Vo,Wo,Ho (W=0) | VPROTB Vo,Ho,Wo (W=1) +94: VPSHLB Vo,Wo,Ho (W=0) | VPSHLB Vo,Ho,Wo (W=1) +95: VPSHLW Vo,Wo,Ho (W=0) | VPSHLW Vo,Ho,Wo (W=1) +96: VPSHLD Vo,Wo,Ho (W=0) | VPSHLD Vo,Ho,Wo (W=1) +97: VPSHLQ Vo,Wo,Ho (W=0) | VPSHLQ Vo,Ho,Wo (W=1) +98: VPSHAB Vo,Wo,Ho (W=0) | VPSHAB Vo,Ho,Wo (W=1) +99: VPSHAW Vo,Wo,Ho (W=0) | VPSHAW Vo,Ho,Wo (W=1) +9a: VPSHAD Vo,Wo,Ho (W=0) | VPSHAD Vo,Ho,Wo (W=1) +9b: VPSHAQ Vo,Wo,Ho (W=0) | VPSHAQ Vo,Ho,Wo (W=1) +c1: VPHADDBW Vo,Wo +c2: VPHADDBD Vo,Wo +c3: VPHADDBQ Vo,Wo +c6: VPHADDWD Vo,Wo +c7: VPHADDWQ Vo,Wo +cb: VPHADDDQ Vo,Wo +d1: VPHADDUBWD Vo,Wo +d2: VPHADDUBD Vo,Wo +d3: VPHADDUBQ Vo,Wo +d6: VPHADDUWD Vo,Wo +d7: VPHADDUWQ Vo,Wo +db: VPHADDUDQ Vo,Wo +e1: VPHSUBBW Vo,Wo +e2: VPHSUBWD Vo,Wo +e3: VPHSUBDQ Vo,Wo +EndTable + +Table: XOP map Ah +Referrer: +XOPcode: 2 +10: BEXTR Gy,Ey,Id +12: GrpXOP4 +EndTable + GrpTable: Grp1 0: ADD 1: OR @@ -1320,3 +1403,29 @@ GrpTable: GrpRNG 4: xcrypt-cfb 5: xcrypt-ofb EndTable + +# GrpXOP1-4 is shown in AMD APM Vol.3 Appendix A as XOP group #1-4 +GrpTable: GrpXOP1 +1: BLCFILL By,Ey (xop) +2: BLSFILL By,Ey (xop) +3: BLCS By,Ey (xop) +4: TZMSK By,Ey (xop) +5: BLCIC By,Ey (xop) +6: BLSIC By,Ey (xop) +7: T1MSKC By,Ey (xop) +EndTable + +GrpTable: GrpXOP2 +1: BLCMSK By,Ey (xop) +6: BLCI By,Ey (xop) +EndTable + +GrpTable: GrpXOP3 +0: LLWPCB Ry (xop) +1: SLWPCB Ry (xop) +EndTable + +GrpTable: GrpXOP4 +0: LWPINS By,Ed,Id (xop) +1: LWPVAL By,Ed,Id (xop) +EndTable diff --git a/tools/arch/x86/tools/gen-insn-attr-x86.awk b/tools/arch/x86/tools/gen-insn-attr-x86.awk index 2c19d7fc8a85..7ea1b75e59b7 100644 --- a/tools/arch/x86/tools/gen-insn-attr-x86.awk +++ b/tools/arch/x86/tools/gen-insn-attr-x86.awk @@ -21,6 +21,7 @@ function clear_vars() { eid = -1 # escape id gid = -1 # group id aid = -1 # AVX id + xopid = -1 # XOP id tname = "" } @@ -39,9 +40,11 @@ BEGIN { ggid = 1 geid = 1 gaid = 0 + gxopid = 0 delete etable delete gtable delete atable + delete xoptable opnd_expr = "^[A-Za-z/]" ext_expr = "^\$" @@ -61,6 +64,7 @@ BEGIN { imm_flag["Ob"] = "INAT_MOFFSET" imm_flag["Ov"] = "INAT_MOFFSET" imm_flag["Lx"] = "INAT_MAKE_IMM(INAT_IMM_BYTE)" + imm_flag["Lo"] = "INAT_MAKE_IMM(INAT_IMM_BYTE)" modrm_expr = "^([CDEGMNPQRSUVW/][a-z]+|NTA|T[012])" force64_expr = "\\([df]64\$" @@ -87,6 +91,8 @@ BEGIN { evexonly_expr = "\$ev\$" # (es) is the same as (ev) but also "SCALABLE" i.e. W and pp determine operand size evex_scalable_expr = "\$es\$" + # All opcodes in XOP table or with (xop) superscript accept XOP prefix + xopok_expr = "\$xop\$" prefix_expr = "\$Prefix\$" prefix_num["Operand-Size"] = "INAT_PFX_OPNDSZ" @@ -106,6 +112,7 @@ BEGIN { prefix_num["VEX+2byte"] = "INAT_PFX_VEX3" prefix_num["EVEX"] = "INAT_PFX_EVEX" prefix_num["REX2"] = "INAT_PFX_REX2" + prefix_num["XOP"] = "INAT_PFX_XOP" clear_vars() } @@ -147,6 +154,7 @@ function array_size(arr, i,c) { if (NF != 1) { # AVX/escape opcode table aid = $2 + xopid = -1 if (gaid <= aid) gaid = aid + 1 if (tname == "") # AVX only opcode table @@ -156,6 +164,20 @@ function array_size(arr, i,c) { tname = "inat_primary_table" } +/^XOPcode:/ { + if (NF != 1) { + # XOP opcode table + xopid = $2 + aid = -1 + if (gxopid <= xopid) + gxopid = xopid + 1 + if (tname == "") # XOP only opcode table + tname = sprintf("inat_xop_table_%d", $2) + } + if (xopid == -1 && eid == -1) # primary opcode table + tname = "inat_primary_table" +} + /^GrpTable:/ { print "/* " $0 " */" if (!($2 in group)) @@ -206,6 +228,8 @@ function print_table(tbl,name,fmt,n) etable[eid,0] = tname if (aid >= 0) atable[aid,0] = tname + else if (xopid >= 0) + xoptable[xopid] = tname } if (array_size(lptable1) != 0) { print_table(lptable1,tname "_1[INAT_OPCODE_TABLE_SIZE]", @@ -347,6 +371,8 @@ function convert_operands(count,opnd, i,j,imm,mod) flags = add_flags(flags, "INAT_VEXOK | INAT_VEXONLY") else if (match(ext, vexok_expr) || match(opcode, vexok_opcode_expr)) flags = add_flags(flags, "INAT_VEXOK") + else if (match(ext, xopok_expr) || xopid >= 0) + flags = add_flags(flags, "INAT_XOPOK") # check prefixes if (match(ext, prefix_expr)) { @@ -413,6 +439,14 @@ END { print " ["i"]["j"] = "atable[i,j]"," print "};\n" + print "/* XOP opcode map array */" + print "const insn_attr_t * const inat_xop_tables[X86_XOP_M_MAX - X86_XOP_M_MIN + 1]" \ + " = {" + for (i = 0; i < gxopid; i++) + if (xoptable[i]) + print " ["i"] = "xoptable[i]"," + print "};" + print "#else /* !__BOOT_COMPRESSED */\n" print "/* Escape opcode map array */" @@ -430,6 +464,10 @@ END { "[INAT_LSTPFX_MAX + 1];" print "" + print "/* XOP opcode map array */" + print "static const insn_attr_t *inat_xop_tables[X86_XOP_M_MAX - X86_XOP_M_MIN + 1];" + print "" + print "static void inat_init_tables(void)" print "{" @@ -455,6 +493,12 @@ END { if (atable[i,j]) print "\tinat_avx_tables["i"]["j"] = "atable[i,j]";" + print "" + print "\t/* Print XOP opcode map array */" + for (i = 0; i < gxopid; i++) + if (xoptable[i]) + print "\tinat_xop_tables["i"] = "xoptable[i]";" + print "}" print "#endif" } diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-insn-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-insn-decoder.c index 8fabddc1c0da..72c7a4e15d61 100644 --- a/tools/perf/util/intel-pt-decoder/intel-pt-insn-decoder.c +++ b/tools/perf/util/intel-pt-decoder/intel-pt-insn-decoder.c @@ -32,7 +32,7 @@ static void intel_pt_insn_decoder(struct insn *insn, intel_pt_insn->rel = 0; intel_pt_insn->emulated_ptwrite = false; - if (insn_is_avx(insn)) { + if (insn_is_avx_or_xop(insn)) { intel_pt_insn->op = INTEL_PT_OP_OTHER; intel_pt_insn->branch = INTEL_PT_BR_NO_BRANCH; intel_pt_insn->length = insn->length;

4 weeks

5
7
0 0

patch "iio: light: as73211: Ensure buffer holes are zeroed" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: light: as73211: Ensure buffer holes are zeroed to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 433b99e922943efdfd62b9a8e3ad1604838181f2 Mon Sep 17 00:00:00 2001 From: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Date: Sat, 2 Aug 2025 17:44:21 +0100 Subject: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it. Fixes: 403e5586b52e ("iio: light: as73211: New driver") Reviewed-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Reviewed-by: Andy Shevchenko <andy(a)kernel.org> Link: https://patch.msgid.link/20250802164436.515988-2-jic23@kernel.org Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/light/as73211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/light/as73211.c b/drivers/iio/light/as73211.c index 68f60dc3c79d..32719f584c47 100644 --- a/drivers/iio/light/as73211.c +++ b/drivers/iio/light/as73211.c @@ -639,7 +639,7 @@ static irqreturn_t as73211_trigger_handler(int irq __always_unused, void *p) struct { __le16 chan[4]; aligned_s64 ts; - } scan; + } scan = { }; int data_result, ret; mutex_lock(&data->mutex); -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 43c0f6456f801181a80b73d95def0e0fd134e1cc Mon Sep 17 00:00:00 2001 From: Salah Triki <salah.triki(a)gmail.com> Date: Mon, 18 Aug 2025 10:27:30 +0100 Subject: iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() `devm_gpiod_get_optional()` may return non-NULL error pointer on failure. Check its return value using `IS_ERR()` and propagate the error if necessary. Fixes: df6e71256c84 ("iio: pressure: bmp280: Explicitly mark GPIO optional") Signed-off-by: Salah Triki <salah.triki(a)gmail.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250818092740.545379-2-salah.triki@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/pressure/bmp280-core.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c index 74505c9ec1a0..6cdc8ed53520 100644 --- a/drivers/iio/pressure/bmp280-core.c +++ b/drivers/iio/pressure/bmp280-core.c @@ -3213,11 +3213,12 @@ int bmp280_common_probe(struct device *dev, /* Bring chip out of reset if there is an assigned GPIO line */ gpiod = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(gpiod)) + return dev_err_probe(dev, PTR_ERR(gpiod), "failed to get reset GPIO\n"); + /* Deassert the signal */ - if (gpiod) { - dev_info(dev, "release reset\n"); - gpiod_set_value(gpiod, 0); - } + dev_info(dev, "release reset\n"); + gpiod_set_value(gpiod, 0); data->regmap = regmap; -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: adc: rzg2l: Cleanup suspend/resume path" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: rzg2l: Cleanup suspend/resume path to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From a3c6eabe3bbd6b0e7124d68b2d3bc32fed17362e Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Sun, 10 Aug 2025 15:33:27 +0300 Subject: iio: adc: rzg2l: Cleanup suspend/resume path There is no need to manually track the runtime PM status in the driver. The pm_runtime_force_suspend() and pm_runtime_force_resume() functions already call pm_runtime_status_suspended() to check the runtime PM state. Additionally, avoid calling pm_runtime_put_autosuspend() during the suspend/resume path, as this would decrease the usage counter of a potential user that had the ADC open before the suspend/resume cycle. Fixes: 563cf94f9329 ("iio: adc: rzg2l_adc: Add suspend/resume support") Reviewed-by: Ulf Hansson <ulf.hansson(a)linaro.org> Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://patch.msgid.link/20250810123328.800104-2-claudiu.beznea.uj@bp.renes… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/rzg2l_adc.c | 29 ++++++++--------------------- 1 file changed, 8 insertions(+), 21 deletions(-) diff --git a/drivers/iio/adc/rzg2l_adc.c b/drivers/iio/adc/rzg2l_adc.c index 9674d48074c9..0cb5a67fd497 100644 --- a/drivers/iio/adc/rzg2l_adc.c +++ b/drivers/iio/adc/rzg2l_adc.c @@ -89,7 +89,6 @@ struct rzg2l_adc { struct completion completion; struct mutex lock; u16 last_val[RZG2L_ADC_MAX_CHANNELS]; - bool was_rpm_active; }; /** @@ -541,14 +540,9 @@ static int rzg2l_adc_suspend(struct device *dev) }; int ret; - if (pm_runtime_suspended(dev)) { - adc->was_rpm_active = false; - } else { - ret = pm_runtime_force_suspend(dev); - if (ret) - return ret; - adc->was_rpm_active = true; - } + ret = pm_runtime_force_suspend(dev); + if (ret) + return ret; ret = reset_control_bulk_assert(ARRAY_SIZE(resets), resets); if (ret) @@ -557,9 +551,7 @@ static int rzg2l_adc_suspend(struct device *dev) return 0; rpm_restore: - if (adc->was_rpm_active) - pm_runtime_force_resume(dev); - + pm_runtime_force_resume(dev); return ret; } @@ -577,11 +569,9 @@ static int rzg2l_adc_resume(struct device *dev) if (ret) return ret; - if (adc->was_rpm_active) { - ret = pm_runtime_force_resume(dev); - if (ret) - goto resets_restore; - } + ret = pm_runtime_force_resume(dev); + if (ret) + goto resets_restore; ret = rzg2l_adc_hw_init(dev, adc); if (ret) @@ -590,10 +580,7 @@ static int rzg2l_adc_resume(struct device *dev) return 0; rpm_restore: - if (adc->was_rpm_active) { - pm_runtime_mark_last_busy(dev); - pm_runtime_put_autosuspend(dev); - } + pm_runtime_force_suspend(dev); resets_restore: reset_control_bulk_assert(ARRAY_SIZE(resets), resets); return ret; -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: adc: rzg2l_adc: Set driver data before enabling runtime PM" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: rzg2l_adc: Set driver data before enabling runtime PM to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From c69e13965f26b8058f538ea8bdbd2d7718cf1fbe Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Sun, 10 Aug 2025 15:33:28 +0300 Subject: iio: adc: rzg2l_adc: Set driver data before enabling runtime PM When stress-testing the system by repeatedly unbinding and binding the ADC device in a loop, and the ADC is a supplier for another device (e.g., a thermal hardware block that reads temperature through the ADC), it may happen that the ADC device is runtime-resumed immediately after runtime PM is enabled, triggered by its consumer. At this point, since drvdata is not yet set and the driver's runtime PM callbacks rely on it, a crash can occur. To avoid this, set drvdata just after it was allocated. Fixes: 89ee8174e8c8 ("iio: adc: rzg2l_adc: Simplify the runtime PM code") Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://patch.msgid.link/20250810123328.800104-3-claudiu.beznea.uj@bp.renes… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/rzg2l_adc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/adc/rzg2l_adc.c b/drivers/iio/adc/rzg2l_adc.c index 0cb5a67fd497..cadb0446bc29 100644 --- a/drivers/iio/adc/rzg2l_adc.c +++ b/drivers/iio/adc/rzg2l_adc.c @@ -427,6 +427,8 @@ static int rzg2l_adc_probe(struct platform_device *pdev) if (!indio_dev) return -ENOMEM; + platform_set_drvdata(pdev, indio_dev); + adc = iio_priv(indio_dev); adc->hw_params = device_get_match_data(dev); @@ -459,8 +461,6 @@ static int rzg2l_adc_probe(struct platform_device *pdev) if (ret) return ret; - platform_set_drvdata(pdev, indio_dev); - ret = rzg2l_adc_hw_init(dev, adc); if (ret) return dev_err_probe(&pdev->dev, ret, -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: adc: bd79124: Add GPIOLIB dependency" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: bd79124: Add GPIOLIB dependency to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 8a6ededaad2d2dcaac8e545bffee1073dca9db95 Mon Sep 17 00:00:00 2001 From: Matti Vaittinen <mazziesaccount(a)gmail.com> Date: Wed, 13 Aug 2025 12:16:06 +0300 Subject: iio: adc: bd79124: Add GPIOLIB dependency The bd79124 has ADC inputs which can be muxed to be GPIOs. The driver supports this by registering a GPIO-chip for channels which aren't used as ADC. The Kconfig entry does not handle the dependency to GPIOLIB, which causes errors: ERROR: modpost: "devm_gpiochip_add_data_with_key" [drivers/iio/adc/rohm-bd79124.ko] undefined! ERROR: modpost: "gpiochip_get_data" [drivers/iio/adc/rohm-bd79124.ko] undefined! at linking phase if GPIOLIB is not configured to be used. Fix this by adding dependency to the GPIOLIB. Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202508131533.5sSkq80B-lkp@intel.com/ Fixes: 3f57a3b9ab74 ("iio: adc: Support ROHM BD79124 ADC") Signed-off-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Link: https://patch.msgid.link/6837249bddf358924e67566293944506206d2d62.175507636… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index 6de2abad0197..24f2572c487e 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1300,7 +1300,7 @@ config RN5T618_ADC config ROHM_BD79124 tristate "Rohm BD79124 ADC driver" - depends on I2C + depends on I2C && GPIOLIB select REGMAP_I2C select IIO_ADC_HELPER help -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: adc: ad7124: fix channel lookup in syscalib functions" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7124: fix channel lookup in syscalib functions to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 197e299aae42ffa19028eaea92b2f30dd9fb8445 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Sat, 26 Jul 2025 11:28:48 -0500 Subject: iio: adc: ad7124: fix channel lookup in syscalib functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix possible incorrect channel lookup in the syscalib functions by using the correct channel address instead of the channel number. In the ad7124 driver, the channel field of struct iio_chan_spec is the input pin number of the positive input of the channel. This can be, but is not always the same as the index in the channels array. The correct index in the channels array is stored in the address field (and also scan_index). We use the address field to perform the correct lookup. Fixes: 47036a03a303 ("iio: adc: ad7124: Implement internal calibration at probe time") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250726-iio-adc-ad7124-fix-channel-lookup-in-sysc… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7124.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c index 9808df2e9242..4d8c6bafd1c3 100644 --- a/drivers/iio/adc/ad7124.c +++ b/drivers/iio/adc/ad7124.c @@ -849,7 +849,7 @@ enum { static int ad7124_syscalib_locked(struct ad7124_state *st, const struct iio_chan_spec *chan) { struct device *dev = &st->sd.spi->dev; - struct ad7124_channel *ch = &st->channels[chan->channel]; + struct ad7124_channel *ch = &st->channels[chan->address]; int ret; if (ch->syscalib_mode == AD7124_SYSCALIB_ZERO_SCALE) { @@ -865,8 +865,8 @@ static int ad7124_syscalib_locked(struct ad7124_state *st, const struct iio_chan if (ret < 0) return ret; - dev_dbg(dev, "offset for channel %d after zero-scale calibration: 0x%x\n", - chan->channel, ch->cfg.calibration_offset); + dev_dbg(dev, "offset for channel %lu after zero-scale calibration: 0x%x\n", + chan->address, ch->cfg.calibration_offset); } else { ch->cfg.calibration_gain = st->gain_default; @@ -880,8 +880,8 @@ static int ad7124_syscalib_locked(struct ad7124_state *st, const struct iio_chan if (ret < 0) return ret; - dev_dbg(dev, "gain for channel %d after full-scale calibration: 0x%x\n", - chan->channel, ch->cfg.calibration_gain); + dev_dbg(dev, "gain for channel %lu after full-scale calibration: 0x%x\n", + chan->address, ch->cfg.calibration_gain); } return 0; @@ -924,7 +924,7 @@ static int ad7124_set_syscalib_mode(struct iio_dev *indio_dev, { struct ad7124_state *st = iio_priv(indio_dev); - st->channels[chan->channel].syscalib_mode = mode; + st->channels[chan->address].syscalib_mode = mode; return 0; } @@ -934,7 +934,7 @@ static int ad7124_get_syscalib_mode(struct iio_dev *indio_dev, { struct ad7124_state *st = iio_priv(indio_dev); - return st->channels[chan->channel].syscalib_mode; + return st->channels[chan->address].syscalib_mode; } static const struct iio_enum ad7124_syscalib_mode_enum = { -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: temperature: maxim_thermocouple: use DMA-safe buffer for" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: temperature: maxim_thermocouple: use DMA-safe buffer for to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From ae5bc07ec9f73a41734270ef3f800c5c8a7e0ad3 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Mon, 21 Jul 2025 18:04:04 -0500 Subject: iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace using stack-allocated buffers with a DMA-safe buffer for use with spi_read(). This allows the driver to be safely used with DMA-enabled SPI controllers. The buffer array is also converted to a struct with a union to make the usage of the memory in the buffer more clear and ensure proper alignment. Fixes: 1f25ca11d84a ("iio: temperature: add support for Maxim thermocouple chips") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://patch.msgid.link/20250721-iio-use-more-iio_declare_buffer_with_ts-3… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/temperature/maxim_thermocouple.c | 26 ++++++++++++-------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/drivers/iio/temperature/maxim_thermocouple.c b/drivers/iio/temperature/maxim_thermocouple.c index cae8e84821d7..205939680fd4 100644 --- a/drivers/iio/temperature/maxim_thermocouple.c +++ b/drivers/iio/temperature/maxim_thermocouple.c @@ -11,6 +11,7 @@ #include <linux/module.h> #include <linux/err.h> #include <linux/spi/spi.h> +#include <linux/types.h> #include <linux/iio/iio.h> #include <linux/iio/sysfs.h> #include <linux/iio/trigger.h> @@ -121,8 +122,15 @@ struct maxim_thermocouple_data { struct spi_device *spi; const struct maxim_thermocouple_chip *chip; char tc_type; - - u8 buffer[16] __aligned(IIO_DMA_MINALIGN); + /* Buffer for reading up to 2 hardware channels. */ + struct { + union { + __be16 raw16; + __be32 raw32; + __be16 raw[2]; + }; + aligned_s64 timestamp; + } buffer __aligned(IIO_DMA_MINALIGN); }; static int maxim_thermocouple_read(struct maxim_thermocouple_data *data, @@ -130,18 +138,16 @@ static int maxim_thermocouple_read(struct maxim_thermocouple_data *data, { unsigned int storage_bytes = data->chip->read_size; unsigned int shift = chan->scan_type.shift + (chan->address * 8); - __be16 buf16; - __be32 buf32; int ret; switch (storage_bytes) { case 2: - ret = spi_read(data->spi, (void *)&buf16, storage_bytes); - *val = be16_to_cpu(buf16); + ret = spi_read(data->spi, &data->buffer.raw16, storage_bytes); + *val = be16_to_cpu(data->buffer.raw16); break; case 4: - ret = spi_read(data->spi, (void *)&buf32, storage_bytes); - *val = be32_to_cpu(buf32); + ret = spi_read(data->spi, &data->buffer.raw32, storage_bytes); + *val = be32_to_cpu(data->buffer.raw32); break; default: ret = -EINVAL; @@ -166,9 +172,9 @@ static irqreturn_t maxim_thermocouple_trigger_handler(int irq, void *private) struct maxim_thermocouple_data *data = iio_priv(indio_dev); int ret; - ret = spi_read(data->spi, data->buffer, data->chip->read_size); + ret = spi_read(data->spi, data->buffer.raw, data->chip->read_size); if (!ret) { - iio_push_to_buffers_with_ts(indio_dev, data->buffer, + iio_push_to_buffers_with_ts(indio_dev, &data->buffer, sizeof(data->buffer), iio_get_time_ns(indio_dev)); } -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: adc: ad7173: prevent scan if too many setups requested" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7173: prevent scan if too many setups requested to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 1cfb22c277c7274f54babaa5b416dfbc00181e16 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Tue, 22 Jul 2025 14:20:07 -0500 Subject: iio: adc: ad7173: prevent scan if too many setups requested Add a check to ad7173_update_scan_mode() to ensure that we didn't exceed the maximum number of unique channel configurations. In the AD7173 family of chips, there are some chips that have 16 CHANNELx registers but only 8 setups (combination of CONFIGx, FILTERx, GAINx and OFFSETx registers). Since commit 92c247216918 ("iio: adc: ad7173: fix num_slots"), it is possible to have more than 8 channels enabled in a scan at the same time, so it is possible to get a bad configuration when more than 8 channels are using unique configurations. This happens because the algorithm to allocate the setup slots only takes into account which slot has been least recently used and doesn't know about the maximum number of slots available. Since the algorithm to allocate the setup slots is quite complex, it is simpler to check after the fact if the current state is valid or not. So this patch adds a check in ad7173_update_scan_mode() after setting up all of the configurations to make sure that the actual setup still matches the requested setup for each enabled channel. If not, we prevent the scan from being enabled and return an error. The setup comparison in ad7173_setup_equal() is refactored to a separate function since we need to call it in two places now. Fixes: 92c247216918 ("iio: adc: ad7173: fix num_slots") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250722-iio-adc-ad7173-fix-setup-use-limits-v2-1-… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7173.c | 87 ++++++++++++++++++++++++++++++++++------ 1 file changed, 75 insertions(+), 12 deletions(-) diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c index 4413207be28f..683146e83ab2 100644 --- a/drivers/iio/adc/ad7173.c +++ b/drivers/iio/adc/ad7173.c @@ -200,7 +200,7 @@ struct ad7173_channel_config { /* * Following fields are used to compare equality. If you * make adaptations in it, you most likely also have to adapt - * ad7173_find_live_config(), too. + * ad7173_is_setup_equal(), too. */ struct_group(config_props, bool bipolar; @@ -561,12 +561,19 @@ static void ad7173_reset_usage_cnts(struct ad7173_state *st) st->config_usage_counter = 0; } -static struct ad7173_channel_config * -ad7173_find_live_config(struct ad7173_state *st, struct ad7173_channel_config *cfg) +/** + * ad7173_is_setup_equal - Compare two channel setups + * @cfg1: First channel configuration + * @cfg2: Second channel configuration + * + * Compares all configuration options that affect the registers connected to + * SETUP_SEL, namely CONFIGx, FILTERx, GAINx and OFFSETx. + * + * Returns: true if the setups are identical, false otherwise + */ +static bool ad7173_is_setup_equal(const struct ad7173_channel_config *cfg1, + const struct ad7173_channel_config *cfg2) { - struct ad7173_channel_config *cfg_aux; - int i; - /* * This is just to make sure that the comparison is adapted after * struct ad7173_channel_config was changed. @@ -579,14 +586,22 @@ ad7173_find_live_config(struct ad7173_state *st, struct ad7173_channel_config *c u8 ref_sel; })); + return cfg1->bipolar == cfg2->bipolar && + cfg1->input_buf == cfg2->input_buf && + cfg1->odr == cfg2->odr && + cfg1->ref_sel == cfg2->ref_sel; +} + +static struct ad7173_channel_config * +ad7173_find_live_config(struct ad7173_state *st, struct ad7173_channel_config *cfg) +{ + struct ad7173_channel_config *cfg_aux; + int i; + for (i = 0; i < st->num_channels; i++) { cfg_aux = &st->channels[i].cfg; - if (cfg_aux->live && - cfg->bipolar == cfg_aux->bipolar && - cfg->input_buf == cfg_aux->input_buf && - cfg->odr == cfg_aux->odr && - cfg->ref_sel == cfg_aux->ref_sel) + if (cfg_aux->live && ad7173_is_setup_equal(cfg, cfg_aux)) return cfg_aux; } return NULL; @@ -1228,7 +1243,7 @@ static int ad7173_update_scan_mode(struct iio_dev *indio_dev, const unsigned long *scan_mask) { struct ad7173_state *st = iio_priv(indio_dev); - int i, ret; + int i, j, k, ret; for (i = 0; i < indio_dev->num_channels; i++) { if (test_bit(i, scan_mask)) @@ -1239,6 +1254,54 @@ static int ad7173_update_scan_mode(struct iio_dev *indio_dev, return ret; } + /* + * On some chips, there are more channels that setups, so if there were + * more unique setups requested than the number of available slots, + * ad7173_set_channel() will have written over some of the slots. We + * can detect this by making sure each assigned cfg_slot matches the + * requested configuration. If it doesn't, we know that the slot was + * overwritten by a different channel. + */ + for_each_set_bit(i, scan_mask, indio_dev->num_channels) { + const struct ad7173_channel_config *cfg1, *cfg2; + + cfg1 = &st->channels[i].cfg; + + for_each_set_bit(j, scan_mask, indio_dev->num_channels) { + cfg2 = &st->channels[j].cfg; + + /* + * Only compare configs that are assigned to the same + * SETUP_SEL slot and don't compare channel to itself. + */ + if (i == j || cfg1->cfg_slot != cfg2->cfg_slot) + continue; + + /* + * If we find two different configs trying to use the + * same SETUP_SEL slot, then we know that the that we + * have too many unique configurations requested for + * the available slots and at least one was overwritten. + */ + if (!ad7173_is_setup_equal(cfg1, cfg2)) { + /* + * At this point, there isn't a way to tell + * which setups are actually programmed in the + * ADC anymore, so we could read them back to + * see, but it is simpler to just turn off all + * of the live flags so that everything gets + * reprogramed on the next attempt read a sample. + */ + for (k = 0; k < st->num_channels; k++) + st->channels[k].cfg.live = false; + + dev_err(&st->sd.spi->dev, + "Too many unique channel configurations requested for scan\n"); + return -EINVAL; + } + } + } + return 0; } -- 2.50.1

4 weeks, 1 day

1
0
0 0

patch "iio: proximity: isl29501: fix buffered read on big-endian systems" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: proximity: isl29501: fix buffered read on big-endian systems to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From de18e978d0cda23e4c102e18092b63a5b0b3a800 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Tue, 22 Jul 2025 15:54:21 -0500 Subject: iio: proximity: isl29501: fix buffered read on big-endian systems Fix passing a u32 value as a u16 buffer scan item. This works on little- endian systems, but not on big-endian systems. A new local variable is introduced for getting the register value and the array is changed to a struct to make the data layout more explicit rather than just changing the type and having to recalculate the proper length needed for the timestamp. Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.") Signed-off-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250722-iio-use-more-iio_declare_buffer_with_ts-7… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/proximity/isl29501.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/iio/proximity/isl29501.c b/drivers/iio/proximity/isl29501.c index d1510fe24050..f69db6f2f380 100644 --- a/drivers/iio/proximity/isl29501.c +++ b/drivers/iio/proximity/isl29501.c @@ -938,12 +938,18 @@ static irqreturn_t isl29501_trigger_handler(int irq, void *p) struct iio_dev *indio_dev = pf->indio_dev; struct isl29501_private *isl29501 = iio_priv(indio_dev); const unsigned long *active_mask = indio_dev->active_scan_mask; - u32 buffer[4] __aligned(8) = {}; /* 1x16-bit + naturally aligned ts */ + u32 value; + struct { + u16 data; + aligned_s64 ts; + } scan = { }; - if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) - isl29501_register_read(isl29501, REG_DISTANCE, buffer); + if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) { + isl29501_register_read(isl29501, REG_DISTANCE, &value); + scan.data = value; + } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp); iio_trigger_notify_done(indio_dev->trig); return IRQ_HANDLED; -- 2.50.1

4 weeks, 1 day

1
0
0 0

[PATCH v2] PCI: j721e: Fix programming sequence of "strap" settings

by Siddharth Vadapalli

The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. In the PCIe Controller's register space, the same set of registers that correspond to the Root-Port configuration space when the Controller is configured for Root-Complex mode of operation, also correspond to the Physical Function configuration space when the Controller is configured for Endpoint mode of operation. As a result, the "reset-value" of these set of registers _should_ vary depending on the selected mode of operation. This is the expected behavior according to the description of the registers and their reset values in the Technical Reference Manual for the SoCs. However, it is observed that the "reset-value" seen in practice do not match the description. To be precise, when the Controller is configured for Root-Complex mode of operation, the "reset-value" of the Root-Port configuration space reflect the "reset-value" corresponding to the Physical Function configuration space. This can be attributed to the fact that the "strap" settings play a role in "switching" the "reset-value" of the registers to match the expected values as determined by the selected mode of operation. Since the "strap" settings are sampled the moment the PCIe Controller is powered ON, the "reset-value" of the registers are setup at that point in time. As a result, if the "strap" settings are programmed at a later point in time, it _will not_ update the "reset-value" of the registers. This will cause the Physical Function configuration space to be seen when the Root-Port configuration space is accessed after programming the PCIe Controller for Root-Complex mode of operation. Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. This will ensure that the "strap" settings that have been sampled convey the intended mode of operation, thereby resulting in the "reset-value" of the registers being accurate. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit be48bcf004f9 Merge tag 'for-6.17-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux of Mainline Linux. v1 of this patch is at: https://lore.kernel.org/r/20250716102851.121742-1-s-vadapalli@ti.com/ Changes since v1: - Rebased patch on latest Mainline Linux. Regards, Siddharth. drivers/pci/controller/cadence/pci-j721e.c | 82 ++++++++++++++-------- 1 file changed, 53 insertions(+), 29 deletions(-) diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index 6c93f39d0288..d5e7cb7277dc 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -19,6 +19,7 @@ #include <linux/of.h> #include <linux/pci.h> #include <linux/platform_device.h> +#include <linux/pm_domain.h> #include <linux/pm_runtime.h> #include <linux/regmap.h> @@ -173,10 +174,9 @@ static const struct cdns_pcie_ops j721e_pcie_ops = { .link_up = j721e_pcie_link_up, }; -static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct regmap *syscon, - unsigned int offset) +static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct device *dev, + struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; u32 mask = J721E_MODE_RC; u32 mode = pcie->mode; u32 val = 0; @@ -193,9 +193,9 @@ static int j721e_pcie_set_mode(struct j721e_pcie *pcie, struct regmap *syscon, } static int j721e_pcie_set_link_speed(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *np = dev->of_node; int link_speed; u32 val = 0; @@ -214,9 +214,9 @@ static int j721e_pcie_set_link_speed(struct j721e_pcie *pcie, } static int j721e_pcie_set_lane_count(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon, unsigned int offset) { - struct device *dev = pcie->cdns_pcie->dev; u32 lanes = pcie->num_lanes; u32 mask = BIT(8); u32 val = 0; @@ -234,9 +234,9 @@ static int j721e_pcie_set_lane_count(struct j721e_pcie *pcie, } static int j721e_enable_acspcie_refclk(struct j721e_pcie *pcie, + struct device *dev, struct regmap *syscon) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *node = dev->of_node; u32 mask = ACSPCIE_PAD_DISABLE_MASK; struct of_phandle_args args; @@ -263,9 +263,8 @@ static int j721e_enable_acspcie_refclk(struct j721e_pcie *pcie, return 0; } -static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) +static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie, struct device *dev) { - struct device *dev = pcie->cdns_pcie->dev; struct device_node *node = dev->of_node; struct of_phandle_args args; unsigned int offset = 0; @@ -284,19 +283,19 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; - ret = j721e_pcie_set_mode(pcie, syscon, offset); + ret = j721e_pcie_set_mode(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); return ret; } - ret = j721e_pcie_set_link_speed(pcie, syscon, offset); + ret = j721e_pcie_set_link_speed(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set link speed\n"); return ret; } - ret = j721e_pcie_set_lane_count(pcie, syscon, offset); + ret = j721e_pcie_set_lane_count(pcie, dev, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set num-lanes\n"); return ret; @@ -308,7 +307,7 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!syscon) return 0; - return j721e_enable_acspcie_refclk(pcie, syscon); + return j721e_enable_acspcie_refclk(pcie, dev, syscon); } static int cdns_ti_pcie_config_read(struct pci_bus *bus, unsigned int devfn, @@ -469,6 +468,47 @@ static int j721e_pcie_probe(struct platform_device *pdev) if (!pcie) return -ENOMEM; + pcie->mode = mode; + + ret = of_property_read_u32(node, "num-lanes", &num_lanes); + if (ret || num_lanes > data->max_lanes) { + dev_warn(dev, "num-lanes property not provided or invalid, setting num-lanes to 1\n"); + num_lanes = 1; + } + + pcie->num_lanes = num_lanes; + pcie->max_lanes = data->max_lanes; + + /* + * The PCIe Controller's registers have different "reset-values" depending + * on the "strap" settings programmed into the Controller's Glue Layer. + * This is because the same set of registers are used for representing the + * Physical Function configuration space in Endpoint mode and for + * representing the Root-Port configuration space in Root-Complex mode. + * + * The registers latch onto a "reset-value" based on the "strap" settings + * sampled after the Controller is powered on. Therefore, for the + * "reset-value" to be accurate, it is necessary to program the "strap" + * settings when the Controller is powered off, and power on the Controller + * after the "strap" settings have been programmed. + * + * The "strap" settings are programmed by "j721e_pcie_ctrl_init()". + * Therefore, power off the Controller before invoking "j721e_pcie_ctrl_init()", + * program the "strap" settings, and then power on the Controller. This ensures + * that the reset values are accurate and reflect the "strap" settings. + */ + dev_pm_domain_detach(dev, true); + + ret = j721e_pcie_ctrl_init(pcie, dev); + if (ret < 0) + return ret; + + ret = dev_pm_domain_attach(dev, true); + if (ret < 0) { + dev_err(dev, "failed to power on device\n"); + return ret; + } + switch (mode) { case PCI_MODE_RC: if (!IS_ENABLED(CONFIG_PCI_J721E_HOST)) @@ -510,7 +550,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) return 0; } - pcie->mode = mode; pcie->linkdown_irq_regfield = data->linkdown_irq_regfield; base = devm_platform_ioremap_resource_byname(pdev, "intd_cfg"); @@ -523,15 +562,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) return PTR_ERR(base); pcie->user_cfg_base = base; - ret = of_property_read_u32(node, "num-lanes", &num_lanes); - if (ret || num_lanes > data->max_lanes) { - dev_warn(dev, "num-lanes property not provided or invalid, setting num-lanes to 1\n"); - num_lanes = 1; - } - - pcie->num_lanes = num_lanes; - pcie->max_lanes = data->max_lanes; - if (dma_set_mask_and_coherent(dev, DMA_BIT_MASK(48))) return -EINVAL; @@ -547,12 +577,6 @@ static int j721e_pcie_probe(struct platform_device *pdev) goto err_get_sync; } - ret = j721e_pcie_ctrl_init(pcie); - if (ret < 0) { - dev_err_probe(dev, ret, "pm_runtime_get_sync failed\n"); - goto err_get_sync; - } - ret = devm_request_irq(dev, irq, j721e_pcie_link_irq_handler, 0, "j721e-pcie-link-down-irq", pcie); if (ret < 0) { @@ -680,7 +704,7 @@ static int j721e_pcie_resume_noirq(struct device *dev) struct cdns_pcie *cdns_pcie = pcie->cdns_pcie; int ret; - ret = j721e_pcie_ctrl_init(pcie); + ret = j721e_pcie_ctrl_init(pcie, dev); if (ret < 0) return ret; -- 2.43.0

4 weeks, 1 day

2
2
0 0

[PATCH linux-stable 6.6] Bluetooth: hci_conn: avoid queue when deleting hci connection

by xu.xin16＠zte.com.cn

From: Chen Junlin <chen.junlin(a)zte.com.cn> Although the upstream commit 2b0f2fc9ed62 ("Bluetooth: hci_conn: Use disable_delayed_work_sync") has fixed the issue CVE-2024-56591, that patch depends on the implementaion of disable/enable_work() of workqueue [1], which are merged into 6.9/6.10 and so on. But for branch linux-6.6, there's no these feature of workqueue. To solve CVE-2024-56591 without backport too many feature patches about workqueue, we can set a new flag HCI_CONN_DELETE when hci_conn_dell() is called, and the subsequent queuing of work will be ignored. [1] https://lore.kernel.org/all/20240216180559.208276-1-tj@kernel.org/ Signed-off-by: Chen Junlin <chen.junlin(a)zte.com.cn> Signed-off-by: xu xin <xu.xin16(a)zte.com.cn> --- include/net/bluetooth/hci_core.h | 8 +++++++- net/bluetooth/hci_conn.c | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 4f067599e6e9..9a3ec55079a1 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h @@ -954,6 +954,7 @@ enum { HCI_CONN_BIG_SYNC_FAILED, HCI_CONN_PA_SYNC, HCI_CONN_PA_SYNC_FAILED, + HCI_CONN_DELETE, }; static inline bool hci_conn_ssp_enabled(struct hci_conn *conn) @@ -1575,7 +1576,12 @@ static inline void hci_conn_drop(struct hci_conn *conn) } cancel_delayed_work(&conn->disc_work); - queue_delayed_work(conn->hdev->workqueue, + /* + * When HCI_CONN_DELETE is set, the conn is goint to be freed. + * Don't queue the work to avoid noisy WARNing about refcnt < 0. + */ + if (!test_bit(HCI_CONN_DELETE, &conn->flags)) + queue_delayed_work(conn->hdev->workqueue, &conn->disc_work, timeo); } } diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 549ee9e87d63..67a6513bb01c 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1112,6 +1112,7 @@ void hci_conn_del(struct hci_conn *conn) hci_conn_unlink(conn); + set_bit(HCI_CONN_DELETE, &conn->flags); cancel_delayed_work_sync(&conn->disc_work); cancel_delayed_work_sync(&conn->auto_accept_work); cancel_delayed_work_sync(&conn->idle_work); -- 2.15.2

4 weeks, 1 day

2
2
0 0

[merged mm-hotfixes-stable] mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/mremap: fix WARN with uffd that has remap events disabled has been removed from the -mm tree. Its filename was mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/mremap: fix WARN with uffd that has remap events disabled Date: Mon, 18 Aug 2025 19:53:58 +0200 Registering userfaultd on a VMA that spans at least one PMD and then mremap()'ing that VMA can trigger a WARN when recovering from a failed page table move due to a page table allocation error. The code ends up doing the right thing (recurse, avoiding moving actual page tables), but triggering that WARN is unpleasant: WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline] WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline] WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852 Modules linked in: CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline] RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline] RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852 Code: ... RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645 RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007 RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000 FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0 Call Trace: <TASK> copy_vma_and_data+0x468/0x790 mm/mremap.c:1215 move_vma+0x548/0x1780 mm/mremap.c:1282 mremap_to+0x1b7/0x450 mm/mremap.c:1406 do_mremap+0xfad/0x1f80 mm/mremap.c:1921 __do_sys_mremap+0x119/0x170 mm/mremap.c:1977 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f00d0b8ebe9 Code: ... RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019 RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9 RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000 RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002 R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005 </TASK> The underlying issue is that we recurse during the original page table move, but not during the recovery move. Fix it by checking for both VMAs and performing the check before the pmd_none() sanity check. Add a new helper where we perform+document that check for the PMD and PUD level. Thanks to Harry for bisecting. Link: https://lkml.kernel.org/r/20250818175358.1184757-1-david@redhat.com Fixes: 0cef0bb836e3 ("mm: clear uffd-wp PTE/PMD state on mremap()") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: syzbot+4d9a13f0797c46a29e42(a)syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/689bb893.050a0220.7f033.013a.GAE@google.com Tested-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: Pedro Falcato <pfalcato(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mremap.c | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) --- a/mm/mremap.c~mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled +++ a/mm/mremap.c @@ -323,6 +323,25 @@ static inline bool arch_supports_page_ta } #endif +static inline bool uffd_supports_page_table_move(struct pagetable_move_control *pmc) +{ + /* + * If we are moving a VMA that has uffd-wp registered but with + * remap events disabled (new VMA will not be registered with uffd), we + * need to ensure that the uffd-wp state is cleared from all pgtables. + * This means recursing into lower page tables in move_page_tables(). + * + * We might get called with VMAs reversed when recovering from a + * failed page table move. In that case, the + * "old"-but-actually-"originally new" VMA during recovery will not have + * a uffd context. Recursing into lower page tables during the original + * move but not during the recovery move will cause trouble, because we + * run into already-existing page tables. So check both VMAs. + */ + return !vma_has_uffd_without_event_remap(pmc->old) && + !vma_has_uffd_without_event_remap(pmc->new); +} + #ifdef CONFIG_HAVE_MOVE_PMD static bool move_normal_pmd(struct pagetable_move_control *pmc, pmd_t *old_pmd, pmd_t *new_pmd) @@ -335,6 +354,8 @@ static bool move_normal_pmd(struct paget if (!arch_supports_page_table_move()) return false; + if (!uffd_supports_page_table_move(pmc)) + return false; /* * The destination pmd shouldn't be established, free_pgtables() * should have released it. @@ -361,15 +382,6 @@ static bool move_normal_pmd(struct paget if (WARN_ON_ONCE(!pmd_none(*new_pmd))) return false; - /* If this pmd belongs to a uffd vma with remap events disabled, we need - * to ensure that the uffd-wp state is cleared from all pgtables. This - * means recursing into lower page tables in move_page_tables(), and we - * can reuse the existing code if we simply treat the entry as "not - * moved". - */ - if (vma_has_uffd_without_event_remap(vma)) - return false; - /* * We don't have to worry about the ordering of src and dst * ptlocks because exclusive mmap_lock prevents deadlock. @@ -418,6 +430,8 @@ static bool move_normal_pud(struct paget if (!arch_supports_page_table_move()) return false; + if (!uffd_supports_page_table_move(pmc)) + return false; /* * The destination pud shouldn't be established, free_pgtables() * should have released it. @@ -425,15 +439,6 @@ static bool move_normal_pud(struct paget if (WARN_ON_ONCE(!pud_none(*new_pud))) return false; - /* If this pud belongs to a uffd vma with remap events disabled, we need - * to ensure that the uffd-wp state is cleared from all pgtables. This - * means recursing into lower page tables in move_page_tables(), and we - * can reuse the existing code if we simply treat the entry as "not - * moved". - */ - if (vma_has_uffd_without_event_remap(vma)) - return false; - /* * We don't have to worry about the ordering of src and dst * ptlocks because exclusive mmap_lock prevents deadlock. _ Patches currently in -mm which might be from david(a)redhat.com are mm-migrate-remove-migratepage_unmap.patch mm-migrate-remove-migratepage_unmap-fix.patch treewide-remove-migratepage_success.patch mm-huge_memory-move-more-common-code-into-insert_pmd.patch mm-huge_memory-move-more-common-code-into-insert_pud.patch mm-huge_memory-support-huge-zero-folio-in-vmf_insert_folio_pmd.patch fs-dax-use-vmf_insert_folio_pmd-to-insert-the-huge-zero-folio.patch mm-huge_memory-mark-pmd-mappings-of-the-huge-zero-folio-special.patch powerpc-ptdump-rename-struct-pgtable_level-to-struct-ptdump_pglevel.patch mm-rmap-convert-enum-rmap_level-to-enum-pgtable_level.patch mm-memory-convert-print_bad_pte-to-print_bad_page_map.patch mm-memory-factor-out-common-code-from-vm_normal_page_.patch mm-introduce-and-use-vm_normal_page_pud.patch mm-rename-vm_ops-find_special_page-to-vm_ops-find_normal_page.patch prctl-extend-pr_set_thp_disable-to-optionally-exclude-vm_hugepage.patch mm-huge_memory-convert-tva_flags-to-enum-tva_type.patch mm-huge_memory-respect-madv_collapse-with-pr_thp_disable_except_advised.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-damos_commit_filter-not-changing-allow.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix damos_commit_filter not changing allow has been removed from the -mm tree. Its filename was mm-damon-core-fix-damos_commit_filter-not-changing-allow.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Sang-Heon Jeon <ekffu200098(a)gmail.com> Subject: mm/damon/core: fix damos_commit_filter not changing allow Date: Sat, 16 Aug 2025 10:51:16 +0900 Current damos_commit_filter() does not persist the `allow' value of the filter. As a result, changing the `allow' value of a filter and committing doesn't change the `allow' value. Add the missing `allow' value update, so committing the filter persistently changes the `allow' value well. Link: https://lkml.kernel.org/r/20250816015116.194589-1-ekffu200098@gmail.com Fixes: fe6d7fdd6249 ("mm/damon/core: add damos_filter->allow field") Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.14.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/damon/core.c~mm-damon-core-fix-damos_commit_filter-not-changing-allow +++ a/mm/damon/core.c @@ -883,6 +883,7 @@ static void damos_commit_filter( { dst->type = src->type; dst->matching = src->matching; + dst->allow = src->allow; damos_commit_filter_arg(dst, src); } _ Patches currently in -mm which might be from ekffu200098(a)gmail.com are mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch mm-damon-update-expired-description-of-damos_action.patch docs-mm-damon-design-fix-typo-s-sz_trtied-sz_tried.patch selftests-damon-test-no-op-commit-broke-damon-status.patch selftests-damon-test-no-op-commit-broke-damon-status-fix.patch mm-damon-tests-core-kunit-add-damos_commit_filter-test.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn has been removed from the -mm tree. Its filename was mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jinjiang Tu <tujinjiang(a)huawei.com> Subject: mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Date: Fri, 15 Aug 2025 15:32:09 +0800 When memory_failure() is called for a already hwpoisoned pfn, kill_accessing_process() will be called to kill current task. However, if the vma of the accessing vaddr is VM_PFNMAP, walk_page_range() will skip the vma in walk_page_test() and return 0. Before commit aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes with recovered clean pages"), kill_accessing_process() will return EFAULT. For x86, the current task will be killed in kill_me_maybe(). However, after this commit, kill_accessing_process() simplies return 0, that means UCE is handled properly, but it doesn't actually. In such case, the user task will trigger UCE infinitely. To fix it, add .test_walk callback for hwpoison_walk_ops to scan all vmas. Link: https://lkml.kernel.org/r/20250815073209.1984582-1-tujinjiang@huawei.com Fixes: aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes with recovered clean pages") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Miaohe Lin <linmiaohe(a)huawei.com> Reviewed-by: Jane Chu <jane.chu(a)oracle.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Shuai Xue <xueshuai(a)linux.alibaba.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/memory-failure.c~mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn +++ a/mm/memory-failure.c @@ -853,9 +853,17 @@ static int hwpoison_hugetlb_range(pte_t #define hwpoison_hugetlb_range NULL #endif +static int hwpoison_test_walk(unsigned long start, unsigned long end, + struct mm_walk *walk) +{ + /* We also want to consider pages mapped into VM_PFNMAP. */ + return 0; +} + static const struct mm_walk_ops hwpoison_walk_ops = { .pmd_entry = hwpoison_pte_range, .hugetlb_entry = hwpoison_hugetlb_range, + .test_walk = hwpoison_test_walk, .walk_lock = PGWALK_RDLOCK, }; _ Patches currently in -mm which might be from tujinjiang(a)huawei.com are mm-memory_hotplug-fix-hwpoisoned-large-folio-handling-in-do_migrate_range.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size has been removed from the -mm tree. Its filename was iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Dominique Martinet <asmadeus(a)codewreck.org> Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size Date: Wed, 13 Aug 2025 15:04:55 +0900 It's apparently possible to get an iov advanced all the way up to the end of the current page we're looking at, e.g. (gdb) p *iter $24 = {iter_type = 4 '\004', nofault = false, data_source = false, iov_offset = 4096, {__ubuf_iovec = { iov_base = 0xffff88800f5bc000, iov_len = 655}, {{__iov = 0xffff88800f5bc000, kvec = 0xffff88800f5bc000, bvec = 0xffff88800f5bc000, folioq = 0xffff88800f5bc000, xarray = 0xffff88800f5bc000, ubuf = 0xffff88800f5bc000}, count = 655}}, {nr_segs = 2, folioq_slot = 2 '\002', xarray_start = 2}} Where iov_offset is 4k with 4k-sized folios This should have been fine because we're only in the 2nd slot and there's another one after this, but iterate_folioq should not try to map a folio that skips the whole size, and more importantly part here does not end up zero (because 'PAGE_SIZE - skip % PAGE_SIZE' ends up PAGE_SIZE and not zero..), so skip forward to the "advance to next folio" code Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-0-a0ffad2b665a@codewre… Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-1-a0ffad2b665a@codewre… Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios") Reported-by: Maximilian Bosch <maximilian(a)mbosch.me> Reported-by: Ryan Lahfa <ryan(a)lahfa.xyz> Reported-by: Christian Theune <ct(a)flyingcircus.io> Reported-by: Arnout Engelen <arnout(a)bzzt.net> Link: https://lkml.kernel.org/r/D4LHHUNLG79Y.12PI0X6BEHRHW@mbosch.me/ Acked-by: David Howells <dhowells(a)redhat.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> [6.12+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/iov_iter.h | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) --- a/include/linux/iov_iter.h~iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size +++ a/include/linux/iov_iter.h @@ -160,7 +160,7 @@ size_t iterate_folioq(struct iov_iter *i do { struct folio *folio = folioq_folio(folioq, slot); - size_t part, remain, consumed; + size_t part, remain = 0, consumed; size_t fsize; void *base; @@ -168,14 +168,16 @@ size_t iterate_folioq(struct iov_iter *i break; fsize = folioq_folio_size(folioq, slot); - base = kmap_local_folio(folio, skip); - part = umin(len, PAGE_SIZE - skip % PAGE_SIZE); - remain = step(base, progress, part, priv, priv2); - kunmap_local(base); - consumed = part - remain; - len -= consumed; - progress += consumed; - skip += consumed; + if (skip < fsize) { + base = kmap_local_folio(folio, skip); + part = umin(len, PAGE_SIZE - skip % PAGE_SIZE); + remain = step(base, progress, part, priv, priv2); + kunmap_local(base); + consumed = part - remain; + len -= consumed; + progress += consumed; + skip += consumed; + } if (skip >= fsize) { skip = 0; slot++; _ Patches currently in -mm which might be from asmadeus(a)codewreck.org are

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-commit_ops_filters-by-using-correct-nth-function.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix commit_ops_filters by using correct nth function has been removed from the -mm tree. Its filename was mm-damon-core-fix-commit_ops_filters-by-using-correct-nth-function.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Sang-Heon Jeon <ekffu200098(a)gmail.com> Subject: mm/damon/core: fix commit_ops_filters by using correct nth function Date: Sun, 10 Aug 2025 21:42:01 +0900 damos_commit_ops_filters() incorrectly uses damos_nth_filter() which iterates core_filters. As a result, performing a commit unintentionally corrupts ops_filters. Add damos_nth_ops_filter() which iterates ops_filters. Use this function to fix issues caused by wrong iteration. Link: https://lkml.kernel.org/r/20250810124201.15743-1-ekffu200098@gmail.com Fixes: 3607cc590f18 ("mm/damon/core: support committing ops_filters") # 6.15.x Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-fix-commit_ops_filters-by-using-correct-nth-function +++ a/mm/damon/core.c @@ -845,6 +845,18 @@ static struct damos_filter *damos_nth_fi return NULL; } +static struct damos_filter *damos_nth_ops_filter(int n, struct damos *s) +{ + struct damos_filter *filter; + int i = 0; + + damos_for_each_ops_filter(filter, s) { + if (i++ == n) + return filter; + } + return NULL; +} + static void damos_commit_filter_arg( struct damos_filter *dst, struct damos_filter *src) { @@ -908,7 +920,7 @@ static int damos_commit_ops_filters(stru int i = 0, j = 0; damos_for_each_ops_filter_safe(dst_filter, next, dst) { - src_filter = damos_nth_filter(i++, src); + src_filter = damos_nth_ops_filter(i++, src); if (src_filter) damos_commit_filter(dst_filter, src_filter); else _ Patches currently in -mm which might be from ekffu200098(a)gmail.com are mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch mm-damon-update-expired-description-of-damos_action.patch docs-mm-damon-design-fix-typo-s-sz_trtied-sz_tried.patch selftests-damon-test-no-op-commit-broke-damon-status.patch selftests-damon-test-no-op-commit-broke-damon-status-fix.patch mm-damon-tests-core-kunit-add-damos_commit_filter-test.patch

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-debug_vm_pgtable-clear-page-table-entries-at-destroy_args.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/debug_vm_pgtable: clear page table entries at destroy_args() has been removed from the -mm tree. Its filename was mm-debug_vm_pgtable-clear-page-table-entries-at-destroy_args.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Herton R. Krzesinski" <herton(a)redhat.com> Subject: mm/debug_vm_pgtable: clear page table entries at destroy_args() Date: Thu, 31 Jul 2025 18:40:51 -0300 The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also its manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those entries with the *_clear functions. The problem is that leaves stale entries. If another process allocates an mm_struct with a pgd at the same address, it may end up running into the stale entry. This is happening in practice on a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra debugging I added (it prints a warning trace if pgtables_bytes goes negative, in addition to the warning at check_mm() function): [ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000 [ 2.539366] kmem_cache info [ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508 [ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e (...) [ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0 [ 2.552816] Modules linked in: [ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY [ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries [ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90 [ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug) [ 2.552899] MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24002822 XER: 0000000a [ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0 [ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001 [ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff [ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000 [ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb [ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0 [ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000 [ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001 [ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760 [ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0 [ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0 [ 2.553199] Call Trace: [ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable) [ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0 [ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570 [ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650 [ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290 [ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0 [ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870 [ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150 [ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50 [ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0 [ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec (...) [ 2.558892] ---[ end trace 0000000000000000 ]--- [ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1 [ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144 Here the modprobe process ended up with an allocated mm_struct from the mm_struct slab that was used before by the debug_vm_pgtable test. That is not a problem, since the mm_struct is initialized again etc., however, if it ends up using the same pgd table, it bumps into the old stale entry when clearing/freeing the page table entries, so it tries to free an entry already gone (that one which was allocated by the debug_vm_pgtable test), which also explains the negative pgtables_bytes since it's accounting for not allocated entries in the current process. As far as I looked pgd_{alloc,free} etc. does not clear entries, and clearing of the entries is explicitly done in the free_pgtables-> free_pgd_range->free_p4d_range->free_pud_range->free_pmd_range-> free_pte_range path. However, the debug_vm_pgtable test does not call free_pgtables, since it allocates mm_struct and entries manually for its test and eg. not goes through page faults. So it also should clear manually the entries before exit at destroy_args(). This problem was noticed on a reboot X number of times test being done on a powerpc host, with a debug kernel with CONFIG_DEBUG_VM_PGTABLE enabled. Depends on the system, but on a 100 times reboot loop the problem could manifest once or twice, if a process ends up getting the right mm->pgd entry with the stale entries used by mm/debug_vm_pagetable. After using this patch, I couldn't reproduce/experience the problems anymore. I was able to reproduce the problem as well on latest upstream kernel (6.16). I also modified destroy_args() to use mmput() instead of mmdrop(), there is no reason to hold mm_users reference and not release the mm_struct entirely, and in the output above with my debugging prints I already had patched it to use mmput, it did not fix the problem, but helped in the debugging as well. Link: https://lkml.kernel.org/r/20250731214051.4115182-1-herton@redhat.com Fixes: 3c9b84f044a9 ("mm/debug_vm_pgtable: introduce struct pgtable_debug_args") Signed-off-by: Herton R. Krzesinski <herton(a)redhat.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: Gavin Shan <gshan(a)redhat.com> Cc: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/debug_vm_pgtable.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/mm/debug_vm_pgtable.c~mm-debug_vm_pgtable-clear-page-table-entries-at-destroy_args +++ a/mm/debug_vm_pgtable.c @@ -990,29 +990,34 @@ static void __init destroy_args(struct p /* Free page table entries */ if (args->start_ptep) { + pmd_clear(args->pmdp); pte_free(args->mm, args->start_ptep); mm_dec_nr_ptes(args->mm); } if (args->start_pmdp) { + pud_clear(args->pudp); pmd_free(args->mm, args->start_pmdp); mm_dec_nr_pmds(args->mm); } if (args->start_pudp) { + p4d_clear(args->p4dp); pud_free(args->mm, args->start_pudp); mm_dec_nr_puds(args->mm); } - if (args->start_p4dp) + if (args->start_p4dp) { + pgd_clear(args->pgdp); p4d_free(args->mm, args->start_p4dp); + } /* Free vma and mm struct */ if (args->vma) vm_area_free(args->vma); if (args->mm) - mmdrop(args->mm); + mmput(args->mm); } static struct page * __init _ Patches currently in -mm which might be from herton(a)redhat.com are

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] squashfs-fix-memory-leak-in-squashfs_fill_super.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: squashfs: fix memory leak in squashfs_fill_super has been removed from the -mm tree. Its filename was squashfs-fix-memory-leak-in-squashfs_fill_super.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Phillip Lougher <phillip(a)squashfs.org.uk> Subject: squashfs: fix memory leak in squashfs_fill_super Date: Mon, 11 Aug 2025 23:37:40 +0100 If sb_min_blocksize returns 0, squashfs_fill_super exits without freeing allocated memory (sb->s_fs_info). Fix this by moving the call to sb_min_blocksize to before memory is allocated. Link: https://lkml.kernel.org/r/20250811223740.110392-1-phillip@squashfs.org.uk Fixes: 734aa85390ea ("Squashfs: check return result of sb_min_blocksize") Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: Scott GUO <scottzhguo(a)tencent.com> Closes: https://lore.kernel.org/all/20250811061921.3807353-1-scott_gzh@163.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/squashfs/super.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) --- a/fs/squashfs/super.c~squashfs-fix-memory-leak-in-squashfs_fill_super +++ a/fs/squashfs/super.c @@ -187,10 +187,15 @@ static int squashfs_fill_super(struct su unsigned short flags; unsigned int fragments; u64 lookup_table_start, xattr_id_table_start, next_table; - int err; + int err, devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); TRACE("Entered squashfs_fill_superblock\n"); + if (!devblksize) { + errorf(fc, "squashfs: unable to set blocksize\n"); + return -EINVAL; + } + sb->s_fs_info = kzalloc(sizeof(*msblk), GFP_KERNEL); if (sb->s_fs_info == NULL) { ERROR("Failed to allocate squashfs_sb_info\n"); @@ -201,12 +206,7 @@ static int squashfs_fill_super(struct su msblk->panic_on_errors = (opts->errors == Opt_errors_panic); - msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); - if (!msblk->devblksize) { - errorf(fc, "squashfs: unable to set blocksize\n"); - return -EINVAL; - } - + msblk->devblksize = devblksize; msblk->devblksize_log2 = ffz(~msblk->devblksize); mutex_init(&msblk->meta_index_mutex); _ Patches currently in -mm which might be from phillip(a)squashfs.org.uk are

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] kho-warn-if-kho-is-disabled-due-to-an-error.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kho: warn if KHO is disabled due to an error has been removed from the -mm tree. Its filename was kho-warn-if-kho-is-disabled-due-to-an-error.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Subject: kho: warn if KHO is disabled due to an error Date: Fri, 8 Aug 2025 20:18:04 +0000 During boot scratch area is allocated based on command line parameters or auto calculated. However, scratch area may fail to allocate, and in that case KHO is disabled. Currently, no warning is printed that KHO is disabled, which makes it confusing for the end user to figure out why KHO is not available. Add the missing warning message. Link: https://lkml.kernel.org/r/20250808201804.772010-4-pasha.tatashin@soleen.com Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Acked-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Acked-by: Pratyush Yadav <pratyush(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Baoquan He <bhe(a)redhat.com> Cc: Changyuan Lyu <changyuanl(a)google.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: Dave Vasilevsky <dave(a)vasilevsky.ca> Cc: Eric Biggers <ebiggers(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/kexec_handover.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/kexec_handover.c~kho-warn-if-kho-is-disabled-due-to-an-error +++ a/kernel/kexec_handover.c @@ -564,6 +564,7 @@ err_free_scratch_areas: err_free_scratch_desc: memblock_free(kho_scratch, kho_scratch_cnt * sizeof(*kho_scratch)); err_disable_kho: + pr_warn("Failed to reserve scratch area, disabling kexec handover\n"); kho_enable = false; } _ Patches currently in -mm which might be from pasha.tatashin(a)soleen.com are

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] kho-mm-dont-allow-deferred-struct-page-with-kho.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kho: mm: don't allow deferred struct page with KHO has been removed from the -mm tree. Its filename was kho-mm-dont-allow-deferred-struct-page-with-kho.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Subject: kho: mm: don't allow deferred struct page with KHO Date: Fri, 8 Aug 2025 20:18:03 +0000 KHO uses struct pages for the preserved memory early in boot, however, with deferred struct page initialization, only a small portion of memory has properly initialized struct pages. This problem was detected where vmemmap is poisoned, and illegal flag combinations are detected. Don't allow them to be enabled together, and later we will have to teach KHO to work properly with deferred struct page init kernel feature. Link: https://lkml.kernel.org/r/20250808201804.772010-3-pasha.tatashin@soleen.com Fixes: 4e1d010e3bda ("kexec: add config option for KHO") Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Acked-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Acked-by: Pratyush Yadav <pratyush(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Baoquan He <bhe(a)redhat.com> Cc: Changyuan Lyu <changyuanl(a)google.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: Dave Vasilevsky <dave(a)vasilevsky.ca> Cc: Eric Biggers <ebiggers(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/Kconfig.kexec | 1 + 1 file changed, 1 insertion(+) --- a/kernel/Kconfig.kexec~kho-mm-dont-allow-deferred-struct-page-with-kho +++ a/kernel/Kconfig.kexec @@ -97,6 +97,7 @@ config KEXEC_JUMP config KEXEC_HANDOVER bool "kexec handover" depends on ARCH_SUPPORTS_KEXEC_HANDOVER && ARCH_SUPPORTS_KEXEC_FILE + depends on !DEFERRED_STRUCT_PAGE_INIT select MEMBLOCK_KHO_SCRATCH select KEXEC_FILE select DEBUG_FS _ Patches currently in -mm which might be from pasha.tatashin(a)soleen.com are

4 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] kho-init-new_physxa-phys_bits-to-fix-lockdep.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kho: init new_physxa->phys_bits to fix lockdep has been removed from the -mm tree. Its filename was kho-init-new_physxa-phys_bits-to-fix-lockdep.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Subject: kho: init new_physxa->phys_bits to fix lockdep Date: Fri, 8 Aug 2025 20:18:02 +0000 Patch series "Several KHO Hotfixes". Three unrelated fixes for Kexec Handover. This patch (of 3): Lockdep shows the following warning: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. [<ffffffff810133a6>] dump_stack_lvl+0x66/0xa0 [<ffffffff8136012c>] assign_lock_key+0x10c/0x120 [<ffffffff81358bb4>] register_lock_class+0xf4/0x2f0 [<ffffffff813597ff>] __lock_acquire+0x7f/0x2c40 [<ffffffff81360cb0>] ? __pfx_hlock_conflict+0x10/0x10 [<ffffffff811707be>] ? native_flush_tlb_global+0x8e/0xa0 [<ffffffff8117096e>] ? __flush_tlb_all+0x4e/0xa0 [<ffffffff81172fc2>] ? __kernel_map_pages+0x112/0x140 [<ffffffff813ec327>] ? xa_load_or_alloc+0x67/0xe0 [<ffffffff81359556>] lock_acquire+0xe6/0x280 [<ffffffff813ec327>] ? xa_load_or_alloc+0x67/0xe0 [<ffffffff8100b9e0>] _raw_spin_lock+0x30/0x40 [<ffffffff813ec327>] ? xa_load_or_alloc+0x67/0xe0 [<ffffffff813ec327>] xa_load_or_alloc+0x67/0xe0 [<ffffffff813eb4c0>] kho_preserve_folio+0x90/0x100 [<ffffffff813ebb7f>] __kho_finalize+0xcf/0x400 [<ffffffff813ebef4>] kho_finalize+0x34/0x70 This is becase xa has its own lock, that is not initialized in xa_load_or_alloc. Modifiy __kho_preserve_order(), to properly call xa_init(&new_physxa->phys_bits); Link: https://lkml.kernel.org/r/20250808201804.772010-2-pasha.tatashin@soleen.com Fixes: fc33e4b44b27 ("kexec: enable KHO support for memory preservation") Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Acked-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Baoquan He <bhe(a)redhat.com> Cc: Changyuan Lyu <changyuanl(a)google.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: Dave Vasilevsky <dave(a)vasilevsky.ca> Cc: Eric Biggers <ebiggers(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: Pratyush Yadav <pratyush(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/kexec_handover.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) --- a/kernel/kexec_handover.c~kho-init-new_physxa-phys_bits-to-fix-lockdep +++ a/kernel/kexec_handover.c @@ -144,14 +144,34 @@ static int __kho_preserve_order(struct k unsigned int order) { struct kho_mem_phys_bits *bits; - struct kho_mem_phys *physxa; + struct kho_mem_phys *physxa, *new_physxa; const unsigned long pfn_high = pfn >> order; might_sleep(); - physxa = xa_load_or_alloc(&track->orders, order, sizeof(*physxa)); - if (IS_ERR(physxa)) - return PTR_ERR(physxa); + physxa = xa_load(&track->orders, order); + if (!physxa) { + int err; + + new_physxa = kzalloc(sizeof(*physxa), GFP_KERNEL); + if (!new_physxa) + return -ENOMEM; + + xa_init(&new_physxa->phys_bits); + physxa = xa_cmpxchg(&track->orders, order, NULL, new_physxa, + GFP_KERNEL); + + err = xa_err(physxa); + if (err || physxa) { + xa_destroy(&new_physxa->phys_bits); + kfree(new_physxa); + + if (err) + return err; + } else { + physxa = new_physxa; + } + } bits = xa_load_or_alloc(&physxa->phys_bits, pfn_high / PRESERVE_BITS, sizeof(*bits)); _ Patches currently in -mm which might be from pasha.tatashin(a)soleen.com are

4 weeks, 1 day

1
0
0 0

+ x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() has been added to the -mm mm-hotfixes-unstable branch. Its filename is x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Date: Mon, 18 Aug 2025 11:02:06 +0900 Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel(). This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...] Link: https://lkml.kernel.org/r/20250818020206.4517-4-harry.yoo@oracle.com Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Closes: https://lore.kernel.org/linux-mm/20250311114420.240341-1-gwan-gyeong.mun@in… [1] Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/include/asm/pgtable_64_types.h | 3 +++ arch/x86/mm/init_64.c | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) --- a/arch/x86/include/asm/pgtable_64_types.h~x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings +++ a/arch/x86/include/asm/pgtable_64_types.h @@ -36,6 +36,9 @@ static inline bool pgtable_l5_enabled(vo #define pgtable_l5_enabled() cpu_feature_enabled(X86_FEATURE_LA57) #endif /* USE_EARLY_PGTABLE_L5 */ +#define ARCH_PAGE_TABLE_SYNC_MASK \ + (pgtable_l5_enabled() ? PGTBL_PGD_MODIFIED : PGTBL_P4D_MODIFIED) + extern unsigned int pgdir_shift; extern unsigned int ptrs_per_p4d; --- a/arch/x86/mm/init_64.c~x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings +++ a/arch/x86/mm/init_64.c @@ -224,6 +224,24 @@ static void sync_global_pgds(unsigned lo } /* + * Make kernel mappings visible in all page tables in the system. + * This is necessary except when the init task populates kernel mappings + * during the boot process. In that case, all processes originating from + * the init task copies the kernel mappings, so there is no issue. + * Otherwise, missing synchronization could lead to kernel crashes due + * to missing page table entries for certain kernel mappings. + * + * Synchronization is performed at the top level, which is the PGD in + * 5-level paging systems. But in 4-level paging systems, however, + * pgd_populate() is a no-op, so synchronization is done at the P4D level. + * sync_global_pgds() handles this difference between paging levels. + */ +void arch_sync_kernel_mappings(unsigned long start, unsigned long end) +{ + sync_global_pgds(start, end); +} + +/* * NOTE: This function is marked __ref because it calls __init function * (alloc_bootmem_pages). It's safe to do it ONLY when after_bootmem == 0. */ _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are mm-move-page-table-sync-declarations-to-linux-pgtableh.patch mm-introduce-and-use-pgdp4d_populate_kernel.patch x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch

4 weeks, 1 day

1
0
0 0

+ mm-introduce-and-use-pgdp4d_populate_kernel.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: introduce and use {pgd,p4d}_populate_kernel() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-introduce-and-use-pgdp4d_populate_kernel.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm: introduce and use {pgd,p4d}_populate_kernel() Date: Mon, 18 Aug 2025 11:02:05 +0900 Introduce and use {pgd,p4d}_populate_kernel() in core MM code when populating PGD and P4D entries for the kernel address space. These helpers ensure proper synchronization of page tables when updating the kernel portion of top-level page tables. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile for following reasons: 1) It is easy to forget to perform the necessary page table synchronization when introducing new changes. For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory savings for compound devmaps") overlooked the need to synchronize page tables for the vmemmap area. 2) It is also easy to overlook that the vmemmap and direct mapping areas must not be accessed before explicit page table synchronization. For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges")) caused crashes by accessing the vmemmap area before calling sync_global_pgds(). To address this, as suggested by Dave Hansen, introduce _kernel() variants of the page table population helpers, which invoke architecture-specific hooks to properly synchronize page tables. These are introduced in a new header file, include/linux/pgalloc.h, so they can be called from common code. They reuse existing infrastructure for vmalloc and ioremap. Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, and the actual synchronization is performed by arch_sync_kernel_mappings(). This change currently targets only x86_64, so only PGD and P4D level helpers are introduced. Currently, these helpers are no-ops since no architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. In theory, PUD and PMD level helpers can be added later if needed by other architectures. For now, 32-bit architectures (x86-32 and arm) only handle PGTBL_PMD_MODIFIED, so p*d_populate_kernel() will never affect them unless we introduce a PMD level helper. Link: https://lkml.kernel.org/r/20250818020206.4517-3-harry.yoo@oracle.com Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/pgalloc.h | 24 ++++++++++++++++++++++++ include/linux/pgtable.h | 13 +++++++------ mm/kasan/init.c | 12 ++++++------ mm/percpu.c | 6 +++--- mm/sparse-vmemmap.c | 6 +++--- 5 files changed, 43 insertions(+), 18 deletions(-) diff --git a/include/linux/pgalloc.h a/include/linux/pgalloc.h new file mode 100644 --- /dev/null +++ a/include/linux/pgalloc.h @@ -0,0 +1,24 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_PGALLOC_H +#define _LINUX_PGALLOC_H + +#include <linux/pgtable.h> +#include <asm/pgalloc.h> + +static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd, + p4d_t *p4d) +{ + pgd_populate(&init_mm, pgd, p4d); + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) + arch_sync_kernel_mappings(addr, addr); +} + +static inline void p4d_populate_kernel(unsigned long addr, p4d_t *p4d, + pud_t *pud) +{ + p4d_populate(&init_mm, p4d, pud); + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) + arch_sync_kernel_mappings(addr, addr); +} + +#endif /* _LINUX_PGALLOC_H */ --- a/include/linux/pgtable.h~mm-introduce-and-use-pgdp4d_populate_kernel +++ a/include/linux/pgtable.h @@ -1469,8 +1469,8 @@ static inline void modify_prot_commit_pt /* * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. + * and let generic vmalloc, ioremap and page table update code know when + * arch_sync_kernel_mappings() needs to be called. */ #ifndef ARCH_PAGE_TABLE_SYNC_MASK #define ARCH_PAGE_TABLE_SYNC_MASK 0 @@ -1954,10 +1954,11 @@ static inline bool arch_has_pfn_modify_c /* * Page Table Modification bits for pgtbl_mod_mask. * - * These are used by the p?d_alloc_track*() set of functions an in the generic - * vmalloc/ioremap code to track at which page-table levels entries have been - * modified. Based on that the code can better decide when vmalloc and ioremap - * mapping changes need to be synchronized to other page-tables in the system. + * These are used by the p?d_alloc_track*() and p*d_populate_kernel() + * functions in the generic vmalloc, ioremap and page table update code + * to track at which page-table levels entries have been modified. + * Based on that the code can better decide when page table changes need + * to be synchronized to other page-tables in the system. */ #define __PGTBL_PGD_MODIFIED 0 #define __PGTBL_P4D_MODIFIED 1 --- a/mm/kasan/init.c~mm-introduce-and-use-pgdp4d_populate_kernel +++ a/mm/kasan/init.c @@ -13,9 +13,9 @@ #include <linux/mm.h> #include <linux/pfn.h> #include <linux/slab.h> +#include <linux/pgalloc.h> #include <asm/page.h> -#include <asm/pgalloc.h> #include "kasan.h" @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(co * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(co if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } --- a/mm/percpu.c~mm-introduce-and-use-pgdp4d_populate_kernel +++ a/mm/percpu.c @@ -3108,7 +3108,7 @@ out_free: #endif /* BUILD_EMBED_FIRST_CHUNK */ #ifdef BUILD_PAGE_FIRST_CHUNK -#include <asm/pgalloc.h> +#include <linux/pgalloc.h> #ifndef P4D_TABLE_SIZE #define P4D_TABLE_SIZE PAGE_SIZE @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(uns if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); --- a/mm/sparse-vmemmap.c~mm-introduce-and-use-pgdp4d_populate_kernel +++ a/mm/sparse-vmemmap.c @@ -27,9 +27,9 @@ #include <linux/spinlock.h> #include <linux/vmalloc.h> #include <linux/sched.h> +#include <linux/pgalloc.h> #include <asm/dma.h> -#include <asm/pgalloc.h> #include <asm/tlbflush.h> #include "hugetlb_vmemmap.h" @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(p if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(u void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; } _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are mm-move-page-table-sync-declarations-to-linux-pgtableh.patch mm-introduce-and-use-pgdp4d_populate_kernel.patch x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch

4 weeks, 1 day

1
0
0 0

+ mm-move-page-table-sync-declarations-to-linux-pgtableh.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: move page table sync declarations to linux/pgtable.h has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-move-page-table-sync-declarations-to-linux-pgtableh.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm: move page table sync declarations to linux/pgtable.h Date: Mon, 18 Aug 2025 11:02:04 +0900 During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It turns out that the kernel panics while initializing vmemmap (struct page array) when the vmemmap region spans two PGD entries, because the new PGD entry is only installed in init_mm.pgd, but not in the page tables of other tasks. And looking at __populate_section_memmap(): if (vmemmap_can_optimize(altmap, pgmap)) // does not sync top level page tables r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap); else // sync top level page tables in x86 r = vmemmap_populate(start, end, nid, altmap); In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c synchronizes the top level page table (See commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so that all tasks in the system can see the new vmemmap area. However, when vmemmap_can_optimize() returns true, the optimized path skips synchronization of top-level page tables. This is because vmemmap_populate_compound_pages() is implemented in core MM code, which does not handle synchronization of the top-level page tables. Instead, the core MM has historically relied on each architecture to perform this synchronization manually. We're not the first party to encounter a crash caused by not-sync'd top level page tables: earlier this year, Gwan-gyeong Mun attempted to address the issue [1] [2] after hitting a kernel panic when x86 code accessed the vmemmap area before the corresponding top-level entries were synced. At that time, the issue was believed to be triggered only when struct page was enlarged for debugging purposes, and the patch did not get further updates. It turns out that current approach of relying on each arch to handle the page table sync manually is fragile because 1) it's easy to forget to sync the top level page table, and 2) it's also easy to overlook that the kernel should not access the vmemmap and direct mapping areas before the sync. # The solution: Make page table sync more code robust and harder to miss To address this, Dave Hansen suggested [3] [4] introducing {pgd,p4d}_populate_kernel() for updating kernel portion of the page tables and allow each architecture to explicitly perform synchronization when installing top-level entries. With this approach, we no longer need to worry about missing the sync step, reducing the risk of future regressions. The new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK, PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by vmalloc and ioremap to synchronize page tables. pgd_populate_kernel() looks like this: static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd, p4d_t *p4d) { pgd_populate(&init_mm, pgd, p4d); if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) arch_sync_kernel_mappings(addr, addr); } It is worth noting that vmalloc() and apply_to_range() carefully synchronizes page tables by calling p*d_alloc_track() and arch_sync_kernel_mappings(), and thus they are not affected by this patch series. This series was hugely inspired by Dave Hansen's suggestion and hence added Suggested-by: Dave Hansen. Cc stable because lack of this series opens the door to intermittent boot failures. This patch (of 3): Move ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to linux/pgtable.h so that they can be used outside of vmalloc and ioremap. Link: https://lkml.kernel.org/r/20250818020206.4517-1-harry.yoo@oracle.com Link: https://lkml.kernel.org/r/20250818020206.4517-2-harry.yoo@oracle.com Link: https://lore.kernel.org/linux-mm/20250220064105.808339-1-gwan-gyeong.mun@in… [1] Link: https://lore.kernel.org/linux-mm/20250311114420.240341-1-gwan-gyeong.mun@in… [2] Link: https://lore.kernel.org/linux-mm/d1da214c-53d3-45ac-a8b6-51821c5416e4@intel… [3] Link: https://lore.kernel.org/linux-mm/4d800744-7b88-41aa-9979-b245e8bf794b@intel… [4] Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/pgtable.h | 16 ++++++++++++++++ include/linux/vmalloc.h | 16 ---------------- 2 files changed, 16 insertions(+), 16 deletions(-) --- a/include/linux/pgtable.h~mm-move-page-table-sync-declarations-to-linux-pgtableh +++ a/include/linux/pgtable.h @@ -1467,6 +1467,22 @@ static inline void modify_prot_commit_pt } #endif +/* + * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values + * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() + * needs to be called. + */ +#ifndef ARCH_PAGE_TABLE_SYNC_MASK +#define ARCH_PAGE_TABLE_SYNC_MASK 0 +#endif + +/* + * There is no default implementation for arch_sync_kernel_mappings(). It is + * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK + * is 0. + */ +void arch_sync_kernel_mappings(unsigned long start, unsigned long end); + #endif /* CONFIG_MMU */ /* --- a/include/linux/vmalloc.h~mm-move-page-table-sync-declarations-to-linux-pgtableh +++ a/include/linux/vmalloc.h @@ -220,22 +220,6 @@ int vmap_pages_range(unsigned long addr, struct page **pages, unsigned int page_shift); /* - * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. - */ -#ifndef ARCH_PAGE_TABLE_SYNC_MASK -#define ARCH_PAGE_TABLE_SYNC_MASK 0 -#endif - -/* - * There is no default implementation for arch_sync_kernel_mappings(). It is - * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK - * is 0. - */ -void arch_sync_kernel_mappings(unsigned long start, unsigned long end); - -/* * Lowlevel-APIs (not for driver use!) */ _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are mm-move-page-table-sync-declarations-to-linux-pgtableh.patch mm-introduce-and-use-pgdp4d_populate_kernel.patch x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch

4 weeks, 1 day

1
0
0 0

+ of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: of_numa: fix uninitialized memory nodes causing kernel panic has been added to the -mm mm-hotfixes-unstable branch. Its filename is of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yin Tirui <yintirui(a)huawei.com> Subject: of_numa: fix uninitialized memory nodes causing kernel panic Date: Tue, 19 Aug 2025 15:55:10 +0800 When there are memory-only nodes (nodes without CPUs), these nodes are not properly initialized, causing kernel panic during boot. of_numa_init of_numa_parse_cpu_nodes node_set(nid, numa_nodes_parsed); of_numa_parse_memory_nodes In of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes containing CPUs. Memory-only nodes should have been updated in of_numa_parse_memory_nodes, but they weren't. Subsequently, when free_area_init() attempts to access NODE_DATA() for these uninitialized memory nodes, the kernel panics due to NULL pointer dereference. This can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes: qemu-system-aarch64 \ -cpu host -nographic \ -m 4G -smp 1 \ -machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \ -object memory-backend-ram,size=2G,id=mem0 \ -object memory-backend-ram,size=2G,id=mem1 \ -numa node,nodeid=0,memdev=mem0 \ -numa node,nodeid=1,memdev=mem1 \ -kernel $IMAGE \ -hda $DISK \ -append "console=ttyAMA0 root=/dev/vda rw earlycon" [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010] [ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025 [ 0.000000] KASLR enabled [ 0.000000] random: crng init done [ 0.000000] Machine model: linux,dummy-virt [ 0.000000] efi: UEFI not found. [ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '') [ 0.000000] printk: legacy bootconsole [pl11] enabled [ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT [ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff] [ 0.000000] node 1 must be removed before remove section 23 [ 0.000000] Zone ranges: [ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff] [ 0.000000] DMA32 empty [ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff] [ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff] [ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff] [ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x0000000096000004 [ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] FSC = 0x04: level 0 translation fault [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 0.000000] [00000000000000a0] user address but active_mm is swapper [ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT [ 0.000000] Hardware name: linux,dummy-virt (DT) [ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.000000] pc : free_area_init+0x50c/0xf9c [ 0.000000] lr : free_area_init+0x5c0/0xf9c [ 0.000000] sp : ffffa02ca0f33c00 [ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000 [ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000 [ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368 [ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002 [ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001 [ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002 [ 0.000000] x11: ffffa02ca0fd4f00 x10: ffffa02ca14bab20 x9 : ffffa02ca14bab38 [ 0.000000] x8 : 00000000000c0000 x7 : 0000000000000001 x6 : 0000000000000002 [ 0.000000] x5 : 0000000140000000 x4 : ffffa02ca0f33c90 x3 : ffffa02ca0f33ca0 [ 0.000000] x2 : ffffa02ca0f33c98 x1 : 0000000080000000 x0 : 0000000000000001 [ 0.000000] Call trace: [ 0.000000] free_area_init+0x50c/0xf9c (P) [ 0.000000] bootmem_init+0x110/0x1dc [ 0.000000] setup_arch+0x278/0x60c [ 0.000000] start_kernel+0x70/0x748 [ 0.000000] __primary_switched+0x88/0x90 [ 0.000000] Code: d503201f b98093e0 52800016 f8607a93 (f9405260) [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- Link: https://lkml.kernel.org/r/20250819075510.2079961-1-yintirui@huawei.com Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks") Signed-off-by: Yin Tirui <yintirui(a)huawei.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Chen Jun <chenjun102(a)huawei.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Joanthan Cameron <Jonathan.Cameron(a)huawei.com> Cc: Rob Herring <robh(a)kernel.org> Cc: Saravana Kannan <saravanak(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/of/of_numa.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/of/of_numa.c~of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic +++ a/drivers/of/of_numa.c @@ -59,8 +59,11 @@ static int __init of_numa_parse_memory_n r = -EINVAL; } - for (i = 0; !r && !of_address_to_resource(np, i, &rsrc); i++) + for (i = 0; !r && !of_address_to_resource(np, i, &rsrc); i++) { r = numa_add_memblk(nid, rsrc.start, rsrc.end + 1); + if (!r) + node_set(nid, numa_nodes_parsed); + } if (!i || r) { of_node_put(np); _ Patches currently in -mm which might be from yintirui(a)huawei.com are of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch

4 weeks, 1 day

1
0
0 0

[PATCH v5 0/5] i2c: rtl9300: Fix multi-byte I2C operations

by Sven Eckelmann

During the integration of the RTL8239 POE chip + its frontend MCU, it was noticed that multi-byte operations were basically broken in the current driver. Tests using SMBus Block Writes showed that the data (after the Wr maker + Ack) was mixed up on the wire. At first glance, it looked like an endianness problem. But for transfers where the number of count + data bytes was not divisible by 4, the last bytes were not looking like an endianness problem because they were in the wrong order but not for example 0 - which would be the case for an endianness problem with 32 bit registers. At the end, it turned out to be the way how i2c_write tried to add the bytes to the send registers. Each 32 bit register was used similar to a shift register - shifting the various bytes up the register while the next one is added to the least significant byte. But the I2C controller expects the first byte of the transmission in the least significant byte of the first register. And the last byte (assuming it is a 16 byte transfer) is expected in the most significant byte of the fourth register. While doing these tests, it was also observed that the count byte was missing from the SMBus Block Writes. The driver just removed them from the data->block (from the I2C subsystem). But the I2C controller DOES NOT automatically add this byte - for example by using the configured transmission length. The RTL8239 MCU is not actually an SMBus compliant device. Instead, it expects I2C Block Reads + I2C Block Writes. But according to the already identified bugs in the driver, it was clear that the I2C controller can simply be modified to not send the count byte for I2C_SMBUS_I2C_BLOCK_DATA. The receive part just needs to write the content of the receive buffer to the correct position in data->block. While the on-wire format was now correct, reads were still not possible against the MCU (for the RTL8239 POE chip). It was always timing out because the 2ms were not enough for sending the read request and then receiving the 12 byte answer. These changes were originally submitted to OpenWrt. But there are plans to migrate OpenWrt to the upstream Linux driver. As a result, the pull request was stopped and the changes were redone against this driver. For reasons of transparency: The work on I2C_SMBUS_I2C_BLOCK_DATA support for the RTL8239-MCU was done on RTL931xx. All problems were therefore detected with the patches from Jonas Jelonek [1] and not the vanilla Linux driver. But looking through the code, it seems like these are NOT regressions introduced by the RTL931x patchset. I've picked up Alex Guo's patch [2] to reduce conflicts between pending fixes. [1] https://patchwork.ozlabs.org/project/linux-i2c/cover/20250727114800.3046-1-… [2] https://lore.kernel.org/r/20250615235248.529019-1-alexguo1023@gmail.com Signed-off-by: Sven Eckelmann <sven(a)narfation.org> --- Changes in v5: - Simplify function/capability registration by using I2C_FUNC_SMBUS_I2C_BLOCK, thanks Jonas Jelonek - Link to v4: https://lore.kernel.org/r/20250809-i2c-rtl9300-multi-byte-v4-0-d71dd5eb6121… Changes in v4: - Provide only "write" examples for "i2c: rtl9300: Fix multi-byte I2C write" - drop the second initialization of vals in rtl9300_i2c_write() directly in the "Fix multi-byte I2C write" fix - indicate in target branch for each patch in PATCH prefix - minor commit message cleanups - Link to v3: https://lore.kernel.org/r/20250804-i2c-rtl9300-multi-byte-v3-0-e20607e1b28c… Changes in v3: - integrated patch https://lore.kernel.org/r/20250615235248.529019-1-alexguo1023@gmail.com to avoid conflicts in the I2C_SMBUS_BLOCK_DATA code - added Fixes and stable(a)vger.kernel.org to Alex Guo's patch - added Chris Packham's Reviewed-by/Acked-by - Link to v2: https://lore.kernel.org/r/20250803-i2c-rtl9300-multi-byte-v2-0-9b7b759fe2b6… Changes in v2: - add the missing transfer width and read length increase for the SMBus Write/Read - Link to v1: https://lore.kernel.org/r/20250802-i2c-rtl9300-multi-byte-v1-0-5f687e0098e2… --- Alex Guo (1): i2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer Harshal Gohel (2): [i2c-host-fixes] i2c: rtl9300: Fix multi-byte I2C write [i2c-host] i2c: rtl9300: Implement I2C block read and write Sven Eckelmann (2): [i2c-host-fixes] i2c: rtl9300: Increase timeout for transfer polling [i2c-host-fixes] i2c: rtl9300: Add missing count byte for SMBus Block Ops drivers/i2c/busses/i2c-rtl9300.c | 51 +++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 9 deletions(-) --- base-commit: 7e161a991ea71e6ec526abc8f40c6852ebe3d946 change-id: 20250802-i2c-rtl9300-multi-byte-edaa1fb0872c Best regards, -- Sven Eckelmann <sven(a)narfation.org>

4 weeks, 1 day

2
5
0 0

+ mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: set quota->charged_from to jiffies at first charge window has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Sang-Heon Jeon <ekffu200098(a)gmail.com> Subject: mm/damon/core: set quota->charged_from to jiffies at first charge window Date: Wed, 20 Aug 2025 00:01:23 +0900 Kernel initializes "jiffies" timer as 5 minutes below zero, as shown in include/linux/jiffies.h /* * Have the 32 bit jiffies value wrap 5 minutes after boot * so jiffies wrap bugs show up earlier. */ #define INITIAL_JIFFIES ((unsigned long)(unsigned int) (-300*HZ)) And they cast unsigned value to signed to cover wraparound #define time_after_eq(a,b) \ (typecheck(unsigned long, a) && \ typecheck(unsigned long, b) && \ ((long)((a) - (b)) >= 0)) In 64bit systems, these might not be a problem because wrapround occurs 300 million years after the boot, assuming HZ value is 1000. With same assuming, In 32bit system, wraparound occurs 5 minutues after the initial boot and every 49 days after the first wraparound. And about 25 days after first wraparound, it continues quota charging window up to next 25 days. Example 1: initial boot jiffies=0xFFFB6C20, charged_from+interval=0x000003E8 time_after_eq(jiffies, charged_from+interval)=(long)0xFFFB6838; In signed values, it is considered negative so it is false. Example 2: after about 25 days first wraparound jiffies=0x800004E8, charged_from+interval=0x000003E8 time_after_eq(jiffies, charged_from+interval)=(long)0x80000100; In signed values, it is considered negative so it is false So, change quota->charged_from to jiffies at damos_adjust_quota() when it is consider first charge window. In theory; but almost impossible; quota->total_charged_sz and qutoa->charged_from should be both zero even if it is not in first charge window. But It will only delay one reset_interval, So it is not big problem. Link: https://lkml.kernel.org/r/20250819150123.1532458-1-ekffu200098@gmail.com Fixes: 2b8a248d5873 ("mm/damon/schemes: implement size quota for schemes application speed control") [5.16] Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/damon/core.c~mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window +++ a/mm/damon/core.c @@ -2111,6 +2111,10 @@ static void damos_adjust_quota(struct da if (!quota->ms && !quota->sz && list_empty(&quota->goals)) return; + /* First charge window */ + if (!quota->total_charged_sz && !quota->charged_from) + quota->charged_from = jiffies; + /* New charge window starts */ if (time_after_eq(jiffies, quota->charged_from + msecs_to_jiffies(quota->reset_interval))) { _ Patches currently in -mm which might be from ekffu200098(a)gmail.com are mm-damon-core-fix-commit_ops_filters-by-using-correct-nth-function.patch selftests-damon-fix-selftests-by-installing-drgn-related-script.patch mm-damon-core-fix-damos_commit_filter-not-changing-allow.patch mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch mm-damon-update-expired-description-of-damos_action.patch docs-mm-damon-design-fix-typo-s-sz_trtied-sz_tried.patch selftests-damon-test-no-op-commit-broke-damon-status.patch selftests-damon-test-no-op-commit-broke-damon-status-fix.patch mm-damon-tests-core-kunit-add-damos_commit_filter-test.patch

4 weeks, 1 day

1
0
0 0

[PATCH AUTOSEL 6.16] io_uring/io-wq: add check free worker before create new worker

by Sasha Levin

From: Fengnan Chang <changfengnan(a)bytedance.com> [ Upstream commit 9d83e1f05c98bab5de350bef89177e2be8b34db0 ] After commit 0b2b066f8a85 ("io_uring/io-wq: only create a new worker if it can make progress"), in our produce environment, we still observe that part of io_worker threads keeps creating and destroying. After analysis, it was confirmed that this was due to a more complex scenario involving a large number of fsync operations, which can be abstracted as frequent write + fsync operations on multiple files in a single uring instance. Since write is a hash operation while fsync is not, and fsync is likely to be suspended during execution, the action of checking the hash value in io_wqe_dec_running cannot handle such scenarios. Similarly, if hash-based work and non-hash-based work are sent at the same time, similar issues are likely to occur. Returning to the starting point of the issue, when a new work arrives, io_wq_enqueue may wake up free worker A, while io_wq_dec_running may create worker B. Ultimately, only one of A and B can obtain and process the task, leaving the other in an idle state. In the end, the issue is caused by inconsistent logic in the checks performed by io_wq_enqueue and io_wq_dec_running. Therefore, the problem can be resolved by checking for available workers in io_wq_dec_running. Signed-off-by: Fengnan Chang <changfengnan(a)bytedance.com> Reviewed-by: Diangang Li <lidiangang(a)bytedance.com> Link: https://lore.kernel.org/r/20250813120214.18729-1-changfengnan@bytedance.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Now let me analyze the nature of the fix to determine if it's appropriate for stable: **Backport Status: YES** This commit should be backported to stable kernel trees for the following reasons: ## Bug Fix Nature The commit fixes a **real performance bug** that occurs in production environments. The issue causes unnecessary creation and destruction of io_worker threads, leading to: 1. CPU overhead from constant thread creation/destruction 2. Resource wastage from redundant workers 3. Performance degradation in production workloads with mixed hash/non- hash operations ## Root Cause Analysis The patch addresses a **race condition** between `io_wq_enqueue()` and `io_wq_dec_running()`: - When new work arrives, `io_wq_enqueue()` may wake up a free worker A - Simultaneously, `io_wq_dec_running()` may create a new worker B - Only one worker can actually process the task, leaving the other idle - This creates a worker "churn" pattern that wastes resources ## Small and Contained Fix The fix is minimal and surgical: 1. Adds a check in `create_worker_cb()` to verify if a free worker is available before creating a new one 2. Uses the existing `io_acct_activate_free_worker()` function (lines 361-365) 3. Only adds 8 lines of code with proper RCU locking 4. Introduces a single goto label for clean error handling ## Production Impact The commit message explicitly states this was observed in **production environments** with real workloads involving: - Frequent write + fsync operations - Mixed hash and non-hash operations - Multiple files in a single io_uring instance ## Regression Potential The fix has **low regression risk** because: 1. It reuses existing, well-tested infrastructure (`io_acct_activate_free_worker()`) 2. The logic is consistent with what `io_wq_enqueue()` already does 3. It adds a defensive check rather than changing core logic 4. The RCU locking is properly scoped and follows existing patterns ## Stable Kernel Rules Compliance The patch follows stable kernel criteria: - ✓ Fixes a real bug affecting users (worker thread churn in production) - ✓ Small change (8 lines added) - ✓ Obviously correct (aligns logic between enqueue and dec_running paths) - ✓ Already tested in production (reported by ByteDance engineers) - ✓ Not a new feature or optimization ## Affected Versions This should be backported to kernels containing commit 0b2b066f8a85 ("io_uring/io-wq: only create a new worker if it can make progress") which introduced incomplete handling of the worker creation logic. The issue affects mixed workload scenarios that are common in production environments. The fact that this was discovered and reported by engineers from a major cloud provider (ByteDance) running production workloads further validates its importance for stable backporting. io_uring/io-wq.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c index be91edf34f01..17dfaa0395c4 100644 --- a/io_uring/io-wq.c +++ b/io_uring/io-wq.c @@ -357,6 +357,13 @@ static void create_worker_cb(struct callback_head *cb) worker = container_of(cb, struct io_worker, create_work); wq = worker->wq; acct = worker->acct; + + rcu_read_lock(); + do_create = !io_acct_activate_free_worker(acct); + rcu_read_unlock(); + if (!do_create) + goto no_need_create; + raw_spin_lock(&acct->workers_lock); if (acct->nr_workers < acct->max_workers) { @@ -367,6 +374,7 @@ static void create_worker_cb(struct callback_head *cb) if (do_create) { create_io_worker(wq, acct); } else { +no_need_create: atomic_dec(&acct->nr_running); io_worker_ref_put(wq); } -- 2.50.1

4 weeks, 1 day

1
8
0 0

[PATCH] drm/amd/display: fix leak of probed modes

by Fedor Pchelkin

amdgpu_dm_connector_ddc_get_modes() reinitializes a connector's probed modes list without cleaning it up. First time it is called during the driver's initialization phase, then via drm_mode_getconnector() ioctl. The leaks observed with Kmemleak are as following: unreferenced object 0xffff88812f91b200 (size 128): comm "(udev-worker)", pid 388, jiffies 4294695475 hex dump (first 32 bytes): ac dd 07 00 80 02 70 0b 90 0b e0 0b 00 00 e0 01 ......p......... 0b 07 10 07 5c 07 00 00 0a 00 00 00 00 00 00 00 ....\........... backtrace (crc 89db554f): __kmalloc_cache_noprof+0x3a3/0x490 drm_mode_duplicate+0x8e/0x2b0 amdgpu_dm_create_common_mode+0x40/0x150 [amdgpu] amdgpu_dm_connector_add_common_modes+0x336/0x488 [amdgpu] amdgpu_dm_connector_get_modes+0x428/0x8a0 [amdgpu] amdgpu_dm_initialize_drm_device+0x1389/0x17b4 [amdgpu] amdgpu_dm_init.cold+0x157b/0x1a1e [amdgpu] dm_hw_init+0x3f/0x110 [amdgpu] amdgpu_device_ip_init+0xcf4/0x1180 [amdgpu] amdgpu_device_init.cold+0xb84/0x1863 [amdgpu] amdgpu_driver_load_kms+0x15/0x90 [amdgpu] amdgpu_pci_probe+0x391/0xce0 [amdgpu] local_pci_probe+0xd9/0x190 pci_call_probe+0x183/0x540 pci_device_probe+0x171/0x2c0 really_probe+0x1e1/0x890 Found by Linux Verification Center (linuxtesting.org). Fixes: acc96ae0d127 ("drm/amd/display: set panel orientation before drm_dev_register") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- I can't reproduce the issue before the commit in Fixes which placed that extra amdgpu_dm_connector_get_modes() call. Though the reinitializing part /* empty probed_modes */ INIT_LIST_HEAD(&connector->probed_modes); was added years before and it looks OK since drm_connector_list_update() should shake the list in between drm_mode_getconnector() ioctl calls. For what the patch does there exists a drm_mode_remove() helper but it's static at drivers/gpu/drm/drm_connector.c and requires to be exported first. This probably looks like a subject for an independent for-next patch, if needed. drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index cd0e2976e268..4b84f944f066 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -8227,9 +8227,14 @@ static void amdgpu_dm_connector_ddc_get_modes(struct drm_connector *connector, { struct amdgpu_dm_connector *amdgpu_dm_connector = to_amdgpu_dm_connector(connector); + struct drm_display_mode *mode, *t; if (drm_edid) { /* empty probed_modes */ + list_for_each_entry_safe(mode, t, &connector->probed_modes, head) { + list_del(&mode->head); + drm_mode_destroy(connector->dev, mode); + } INIT_LIST_HEAD(&connector->probed_modes); amdgpu_dm_connector->num_modes = drm_edid_connector_add_modes(connector); -- 2.50.1

4 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] mm/kmemleak: avoid deadlock by moving pr_warn() outside" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081848-proximity-feline-dfea@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Thu, 31 Jul 2025 02:57:18 -0700 Subject: [PATCH] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may trigger netpoll, which eventually leads to __alloc_skb() and back into kmemleak code, attempting to reacquire kmemleak_lock. This is the path for the deadlock. mem_pool_alloc() -> raw_spin_lock_irqsave(&kmemleak_lock, flags); -> pr_warn_once() -> netconsole subsystem -> netpoll -> __alloc_skb -> __create_object -> raw_spin_lock_irqsave(&kmemleak_lock, flags); Fix this by setting a flag and issuing the pr_warn_once() after kmemleak_lock is released. Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.o… Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reported-by: Jakub Kicinski <kuba(a)kernel.org> Acked-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kmemleak.c b/mm/kmemleak.c index 8d588e685311..e0333455c738 100644 --- a/mm/kmemleak.c +++ b/mm/kmemleak.c @@ -470,6 +470,7 @@ static struct kmemleak_object *mem_pool_alloc(gfp_t gfp) { unsigned long flags; struct kmemleak_object *object; + bool warn = false; /* try the slab allocator first */ if (object_cache) { @@ -488,8 +489,10 @@ static struct kmemleak_object *mem_pool_alloc(gfp_t gfp) else if (mem_pool_free_count) object = &mem_pool[--mem_pool_free_count]; else - pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); + warn = true; raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + if (warn) + pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); return object; }

4 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] media: venus: Fix OOB read due to missing payload bound check" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081854-pauper-opacity-6318@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001 From: Vedang Nagar <quic_vnagar(a)quicinc.com> Date: Mon, 19 May 2025 12:42:22 +0530 Subject: [PATCH] media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior. Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Cc: stable(a)vger.kernel.org Signed-off-by: Vedang Nagar <quic_vnagar(a)quicinc.com> Reviewed-by: Vikash Garodia <quic_vgarodia(a)quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Co-developed-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Bryan O'Donoghue <bod(a)kernel.org> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 0a041b4db9ef..cf0d97cbc463 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -33,8 +33,9 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, struct hfi_buffer_requirements *bufreq; struct hfi_extradata_input_crop *crop; struct hfi_dpb_counts *dpb_count; + u32 ptype, rem_bytes; + u32 size_read = 0; u8 *data_ptr; - u32 ptype; inst->error = HFI_ERR_NONE; @@ -44,86 +45,118 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, break; default: inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; - goto done; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; } event.event_type = pkt->event_data1; num_properties_changed = pkt->event_data2; - if (!num_properties_changed) { - inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; - goto done; - } + if (!num_properties_changed) + goto error; data_ptr = (u8 *)&pkt->ext_event_data[0]; + rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); + do { + if (rem_bytes < sizeof(u32)) + goto error; ptype = *((u32 *)data_ptr); + + data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + switch (ptype) { case HFI_PROPERTY_PARAM_FRAME_SIZE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_framesize)) + goto error; + frame_sz = (struct hfi_framesize *)data_ptr; event.width = frame_sz->width; event.height = frame_sz->height; - data_ptr += sizeof(*frame_sz); + size_read = sizeof(struct hfi_framesize); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_profile_level)) + goto error; + profile_level = (struct hfi_profile_level *)data_ptr; event.profile = profile_level->profile; event.level = profile_level->level; - data_ptr += sizeof(*profile_level); + size_read = sizeof(struct hfi_profile_level); break; case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_bit_depth)) + goto error; + pixel_depth = (struct hfi_bit_depth *)data_ptr; event.bit_depth = pixel_depth->bit_depth; - data_ptr += sizeof(*pixel_depth); + size_read = sizeof(struct hfi_bit_depth); break; case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_pic_struct)) + goto error; + pic_struct = (struct hfi_pic_struct *)data_ptr; event.pic_struct = pic_struct->progressive_only; - data_ptr += sizeof(*pic_struct); + size_read = sizeof(struct hfi_pic_struct); break; case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_colour_space)) + goto error; + colour_info = (struct hfi_colour_space *)data_ptr; event.colour_space = colour_info->colour_space; - data_ptr += sizeof(*colour_info); + size_read = sizeof(struct hfi_colour_space); break; case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(u32)) + goto error; + event.entropy_mode = *(u32 *)data_ptr; - data_ptr += sizeof(u32); + size_read = sizeof(u32); break; case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_buffer_requirements)) + goto error; + bufreq = (struct hfi_buffer_requirements *)data_ptr; event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); - data_ptr += sizeof(*bufreq); + size_read = sizeof(struct hfi_buffer_requirements); break; case HFI_INDEX_EXTRADATA_INPUT_CROP: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) + goto error; + crop = (struct hfi_extradata_input_crop *)data_ptr; event.input_crop.left = crop->left; event.input_crop.top = crop->top; event.input_crop.width = crop->width; event.input_crop.height = crop->height; - data_ptr += sizeof(*crop); + size_read = sizeof(struct hfi_extradata_input_crop); break; case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_dpb_counts)) + goto error; + dpb_count = (struct hfi_dpb_counts *)data_ptr; event.buf_count = dpb_count->fw_min_cnt; - data_ptr += sizeof(*dpb_count); + size_read = sizeof(struct hfi_dpb_counts); break; default: + size_read = 0; break; } + data_ptr += size_read; + rem_bytes -= size_read; num_properties_changed--; } while (num_properties_changed > 0); -done: + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; + +error: + inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); }

4 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] mm/ptdump: take the memory hotplug lock inside" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 59305202c67fea50378dcad0cc199dbc13a0e99a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081801-undertake-nuzzle-c4b1@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 From: Anshuman Khandual <anshuman.khandual(a)arm.com> Date: Fri, 20 Jun 2025 10:54:27 +0530 Subject: [PATCH] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths. Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dev Jain <dev.jain(a)arm.com> Acked-by: Alexander Gordeev <agordeev(a)linux.ibm.com> [s390] Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Cc: Heiko Carstens <hca(a)linux.ibm.com> Cc: Vasily Gorbik <gor(a)linux.ibm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/arch/arm64/mm/ptdump_debugfs.c b/arch/arm64/mm/ptdump_debugfs.c index 68bf1a125502..1e308328c079 100644 --- a/arch/arm64/mm/ptdump_debugfs.c +++ b/arch/arm64/mm/ptdump_debugfs.c @@ -1,6 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <asm/ptdump.h> @@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *m, void *v) { struct ptdump_info *info = m->private; - get_online_mems(); ptdump_walk(m, info); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c index 32922550a50a..3b51690cc876 100644 --- a/arch/riscv/mm/ptdump.c +++ b/arch/riscv/mm/ptdump.c @@ -6,7 +6,6 @@ #include <linux/efi.h> #include <linux/init.h> #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <linux/ptdump.h> @@ -413,9 +412,7 @@ bool ptdump_check_wx(void) static int ptdump_show(struct seq_file *m, void *v) { - get_online_mems(); ptdump_walk(m, m->private); - put_online_mems(); return 0; } diff --git a/arch/s390/mm/dump_pagetables.c b/arch/s390/mm/dump_pagetables.c index ac604b176660..9af2aae0a515 100644 --- a/arch/s390/mm/dump_pagetables.c +++ b/arch/s390/mm/dump_pagetables.c @@ -247,11 +247,9 @@ static int ptdump_show(struct seq_file *m, void *v) .marker = markers, }; - get_online_mems(); mutex_lock(&cpa_mutex); ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); mutex_unlock(&cpa_mutex); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/mm/ptdump.c b/mm/ptdump.c index 61a352aa12ed..b600c7f864b8 100644 --- a/mm/ptdump.c +++ b/mm/ptdump.c @@ -176,6 +176,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) { const struct ptdump_range *range = st->range; + get_online_mems(); mmap_write_lock(mm); while (range->start != range->end) { walk_page_range_debug(mm, range->start, range->end, @@ -183,6 +184,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) range++; } mmap_write_unlock(mm); + put_online_mems(); /* Flush out the last page */ st->note_page_flush(st);

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/ptdump: take the memory hotplug lock inside" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 59305202c67fea50378dcad0cc199dbc13a0e99a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081800-autopilot-booted-fb7f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 From: Anshuman Khandual <anshuman.khandual(a)arm.com> Date: Fri, 20 Jun 2025 10:54:27 +0530 Subject: [PATCH] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths. Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dev Jain <dev.jain(a)arm.com> Acked-by: Alexander Gordeev <agordeev(a)linux.ibm.com> [s390] Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Cc: Heiko Carstens <hca(a)linux.ibm.com> Cc: Vasily Gorbik <gor(a)linux.ibm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/arch/arm64/mm/ptdump_debugfs.c b/arch/arm64/mm/ptdump_debugfs.c index 68bf1a125502..1e308328c079 100644 --- a/arch/arm64/mm/ptdump_debugfs.c +++ b/arch/arm64/mm/ptdump_debugfs.c @@ -1,6 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <asm/ptdump.h> @@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *m, void *v) { struct ptdump_info *info = m->private; - get_online_mems(); ptdump_walk(m, info); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c index 32922550a50a..3b51690cc876 100644 --- a/arch/riscv/mm/ptdump.c +++ b/arch/riscv/mm/ptdump.c @@ -6,7 +6,6 @@ #include <linux/efi.h> #include <linux/init.h> #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <linux/ptdump.h> @@ -413,9 +412,7 @@ bool ptdump_check_wx(void) static int ptdump_show(struct seq_file *m, void *v) { - get_online_mems(); ptdump_walk(m, m->private); - put_online_mems(); return 0; } diff --git a/arch/s390/mm/dump_pagetables.c b/arch/s390/mm/dump_pagetables.c index ac604b176660..9af2aae0a515 100644 --- a/arch/s390/mm/dump_pagetables.c +++ b/arch/s390/mm/dump_pagetables.c @@ -247,11 +247,9 @@ static int ptdump_show(struct seq_file *m, void *v) .marker = markers, }; - get_online_mems(); mutex_lock(&cpa_mutex); ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); mutex_unlock(&cpa_mutex); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/mm/ptdump.c b/mm/ptdump.c index 61a352aa12ed..b600c7f864b8 100644 --- a/mm/ptdump.c +++ b/mm/ptdump.c @@ -176,6 +176,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) { const struct ptdump_range *range = st->range; + get_online_mems(); mmap_write_lock(mm); while (range->start != range->end) { walk_page_range_debug(mm, range->start, range->end, @@ -183,6 +184,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) range++; } mmap_write_unlock(mm); + put_online_mems(); /* Flush out the last page */ st->note_page_flush(st);

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] btrfs: populate otime when logging an inode item" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1ef94169db0958d6de39f9ea6e063ce887342e2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081801-shortlist-acutely-2100@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ef94169db0958d6de39f9ea6e063ce887342e2d Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 2 Jul 2025 15:08:13 +0930 Subject: [PATCH] btrfs: populate otime when logging an inode item [TEST FAILURE WITH EXPERIMENTAL FEATURES] When running test case generic/508, the test case will fail with the new btrfs shutdown support: generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 @@ -1,2 +1,6 @@ QA output created by 508 Silence is golden +Before: +After : stat.btime = Thu Jan 1 09:30:00 1970 +Before: +After : stat.btime = Wed Jul 2 14:53:22 2025 ... (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) Ran: generic/508 Failures: generic/508 Failed 1 of 1 tests Please note that the test case requires shutdown support, thus the test case will be skipped using the current upstream kernel, as it doesn't have shutdown ioctl support. [CAUSE] The direct cause the 0 time stamp in the log tree: leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG leaf 30507008 flags 0x1(WRITTEN) backref revision 1 checksum stored e522548d checksum calced e522548d fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 9 transid 9 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) atime 1751432947.492000000 (2025-07-02 14:39:07) ctime 1751432947.492000000 (2025-07-02 14:39:07) mtime 1751432947.492000000 (2025-07-02 14:39:07) otime 0.0 (1970-01-01 09:30:00) <<< But the old fs tree has all the correct time stamp: btrfs-progs v6.12 fs tree key (FS_TREE ROOT_ITEM 0) leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE leaf 30425088 flags 0x1(WRITTEN) backref revision 1 checksum stored 48f6c57e checksum calced 48f6c57e fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 3 transid 0 size 0 nbytes 16384 block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 sequence 0 flags 0x0(none) atime 1751432947.0 (2025-07-02 14:39:07) ctime 1751432947.0 (2025-07-02 14:39:07) mtime 1751432947.0 (2025-07-02 14:39:07) otime 1751432947.0 (2025-07-02 14:39:07) <<< The root cause is that fill_inode_item() in tree-log.c is only populating a/c/m time, not the otime (or btime in statx output). Part of the reason is that, the vfs inode only has a/c/m time, no native btime support yet. [FIX] Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and btrfs_inode::i_otime_nsec. So what we really need is just fill the otime time stamp in fill_inode_item() of tree-log.c There is another fill_inode_item() in inode.c, which is doing the proper otime population. Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") CC: stable(a)vger.kernel.org Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index 1e805dabfc4b..ab0815d9e7e5 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4233,6 +4233,9 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, btrfs_set_timespec_sec(leaf, &item->ctime, inode_get_ctime_sec(inode)); btrfs_set_timespec_nsec(leaf, &item->ctime, inode_get_ctime_nsec(inode)); + btrfs_set_timespec_sec(leaf, &item->otime, BTRFS_I(inode)->i_otime_sec); + btrfs_set_timespec_nsec(leaf, &item->otime, BTRFS_I(inode)->i_otime_nsec); + /* * We do not need to set the nbytes field, in fact during a fast fsync * its value may not even be correct, since a fast fsync does not wait

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/ptdump: take the memory hotplug lock inside" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 59305202c67fea50378dcad0cc199dbc13a0e99a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081859-excess-willfully-0f01@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 From: Anshuman Khandual <anshuman.khandual(a)arm.com> Date: Fri, 20 Jun 2025 10:54:27 +0530 Subject: [PATCH] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths. Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dev Jain <dev.jain(a)arm.com> Acked-by: Alexander Gordeev <agordeev(a)linux.ibm.com> [s390] Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Cc: Heiko Carstens <hca(a)linux.ibm.com> Cc: Vasily Gorbik <gor(a)linux.ibm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/arch/arm64/mm/ptdump_debugfs.c b/arch/arm64/mm/ptdump_debugfs.c index 68bf1a125502..1e308328c079 100644 --- a/arch/arm64/mm/ptdump_debugfs.c +++ b/arch/arm64/mm/ptdump_debugfs.c @@ -1,6 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <asm/ptdump.h> @@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *m, void *v) { struct ptdump_info *info = m->private; - get_online_mems(); ptdump_walk(m, info); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c index 32922550a50a..3b51690cc876 100644 --- a/arch/riscv/mm/ptdump.c +++ b/arch/riscv/mm/ptdump.c @@ -6,7 +6,6 @@ #include <linux/efi.h> #include <linux/init.h> #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <linux/ptdump.h> @@ -413,9 +412,7 @@ bool ptdump_check_wx(void) static int ptdump_show(struct seq_file *m, void *v) { - get_online_mems(); ptdump_walk(m, m->private); - put_online_mems(); return 0; } diff --git a/arch/s390/mm/dump_pagetables.c b/arch/s390/mm/dump_pagetables.c index ac604b176660..9af2aae0a515 100644 --- a/arch/s390/mm/dump_pagetables.c +++ b/arch/s390/mm/dump_pagetables.c @@ -247,11 +247,9 @@ static int ptdump_show(struct seq_file *m, void *v) .marker = markers, }; - get_online_mems(); mutex_lock(&cpa_mutex); ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); mutex_unlock(&cpa_mutex); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/mm/ptdump.c b/mm/ptdump.c index 61a352aa12ed..b600c7f864b8 100644 --- a/mm/ptdump.c +++ b/mm/ptdump.c @@ -176,6 +176,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) { const struct ptdump_range *range = st->range; + get_online_mems(); mmap_write_lock(mm); while (range->start != range->end) { walk_page_range_debug(mm, range->start, range->end, @@ -183,6 +184,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) range++; } mmap_write_unlock(mm); + put_online_mems(); /* Flush out the last page */ st->note_page_flush(st);

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/ptdump: take the memory hotplug lock inside" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 59305202c67fea50378dcad0cc199dbc13a0e99a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081858-sabbath-blunt-7735@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 From: Anshuman Khandual <anshuman.khandual(a)arm.com> Date: Fri, 20 Jun 2025 10:54:27 +0530 Subject: [PATCH] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths. Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dev Jain <dev.jain(a)arm.com> Acked-by: Alexander Gordeev <agordeev(a)linux.ibm.com> [s390] Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Cc: Heiko Carstens <hca(a)linux.ibm.com> Cc: Vasily Gorbik <gor(a)linux.ibm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/arch/arm64/mm/ptdump_debugfs.c b/arch/arm64/mm/ptdump_debugfs.c index 68bf1a125502..1e308328c079 100644 --- a/arch/arm64/mm/ptdump_debugfs.c +++ b/arch/arm64/mm/ptdump_debugfs.c @@ -1,6 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <asm/ptdump.h> @@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *m, void *v) { struct ptdump_info *info = m->private; - get_online_mems(); ptdump_walk(m, info); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c index 32922550a50a..3b51690cc876 100644 --- a/arch/riscv/mm/ptdump.c +++ b/arch/riscv/mm/ptdump.c @@ -6,7 +6,6 @@ #include <linux/efi.h> #include <linux/init.h> #include <linux/debugfs.h> -#include <linux/memory_hotplug.h> #include <linux/seq_file.h> #include <linux/ptdump.h> @@ -413,9 +412,7 @@ bool ptdump_check_wx(void) static int ptdump_show(struct seq_file *m, void *v) { - get_online_mems(); ptdump_walk(m, m->private); - put_online_mems(); return 0; } diff --git a/arch/s390/mm/dump_pagetables.c b/arch/s390/mm/dump_pagetables.c index ac604b176660..9af2aae0a515 100644 --- a/arch/s390/mm/dump_pagetables.c +++ b/arch/s390/mm/dump_pagetables.c @@ -247,11 +247,9 @@ static int ptdump_show(struct seq_file *m, void *v) .marker = markers, }; - get_online_mems(); mutex_lock(&cpa_mutex); ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); mutex_unlock(&cpa_mutex); - put_online_mems(); return 0; } DEFINE_SHOW_ATTRIBUTE(ptdump); diff --git a/mm/ptdump.c b/mm/ptdump.c index 61a352aa12ed..b600c7f864b8 100644 --- a/mm/ptdump.c +++ b/mm/ptdump.c @@ -176,6 +176,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) { const struct ptdump_range *range = st->range; + get_online_mems(); mmap_write_lock(mm); while (range->start != range->end) { walk_page_range_debug(mm, range->start, range->end, @@ -183,6 +184,7 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd) range++; } mmap_write_unlock(mm); + put_online_mems(); /* Flush out the last page */ st->note_page_flush(st);

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] btrfs: send: use fallocate for hole punching with send stream" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 005b0a0c24e1628313e951516b675109a92cacfe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081827-washed-yelp-3c3e@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 005b0a0c24e1628313e951516b675109a92cacfe Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 18 Jul 2025 13:07:29 +0100 Subject: [PATCH] btrfs: send: use fallocate for hole punching with send stream v2 Currently holes are sent as writes full of zeroes, which results in unnecessarily using disk space at the receiving end and increasing the stream size. In some cases we avoid sending writes of zeroes, like during a full send operation where we just skip writes for holes. But for some cases we fill previous holes with writes of zeroes too, like in this scenario: 1) We have a file with a hole in the range [2M, 3M), we snapshot the subvolume and do a full send. The range [2M, 3M) stays as a hole at the receiver since we skip sending write commands full of zeroes; 2) We punch a hole for the range [3M, 4M) in our file, so that now it has a 2M hole in the range [2M, 4M), and snapshot the subvolume. Now if we do an incremental send, we will send write commands full of zeroes for the range [2M, 4M), removing the hole for [2M, 3M) at the receiver. We could improve cases such as this last one by doing additional comparisons of file extent items (or their absence) between the parent and send snapshots, but that's a lot of code to add plus additional CPU and IO costs. Since the send stream v2 already has a fallocate command and btrfs-progs implements a callback to execute fallocate since the send stream v2 support was added to it, update the kernel to use fallocate for punching holes for V2+ streams. Test coverage is provided by btrfs/284 which is a version of btrfs/007 that exercises send stream v2 instead of v1, using fsstress with random operations and fssum to verify file contents. Link: https://github.com/kdave/btrfs-progs/issues/1001 CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 09822e766e41..7664025a5af4 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -4,6 +4,7 @@ */ #include <linux/bsearch.h> +#include <linux/falloc.h> #include <linux/fs.h> #include <linux/file.h> #include <linux/sort.h> @@ -5405,6 +5406,30 @@ static int send_update_extent(struct send_ctx *sctx, return ret; } +static int send_fallocate(struct send_ctx *sctx, u32 mode, u64 offset, u64 len) +{ + struct fs_path *path; + int ret; + + path = get_cur_inode_path(sctx); + if (IS_ERR(path)) + return PTR_ERR(path); + + ret = begin_cmd(sctx, BTRFS_SEND_C_FALLOCATE); + if (ret < 0) + return ret; + + TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path); + TLV_PUT_U32(sctx, BTRFS_SEND_A_FALLOCATE_MODE, mode); + TLV_PUT_U64(sctx, BTRFS_SEND_A_FILE_OFFSET, offset); + TLV_PUT_U64(sctx, BTRFS_SEND_A_SIZE, len); + + ret = send_cmd(sctx); + +tlv_put_failure: + return ret; +} + static int send_hole(struct send_ctx *sctx, u64 end) { struct fs_path *p = NULL; @@ -5412,6 +5437,14 @@ static int send_hole(struct send_ctx *sctx, u64 end) u64 offset = sctx->cur_inode_last_extent; int ret = 0; + /* + * Starting with send stream v2 we have fallocate and can use it to + * punch holes instead of sending writes full of zeroes. + */ + if (proto_cmd_ok(sctx, BTRFS_SEND_C_FALLOCATE)) + return send_fallocate(sctx, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, + offset, end - offset); + /* * A hole that starts at EOF or beyond it. Since we do not yet support * fallocate (for extent preallocation and hole punching), sending a

4 weeks, 1 day

3
9
0 0

FAILED: patch "[PATCH] btrfs: populate otime when logging an inode item" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1ef94169db0958d6de39f9ea6e063ce887342e2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081801-ended-viewless-5ac7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ef94169db0958d6de39f9ea6e063ce887342e2d Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 2 Jul 2025 15:08:13 +0930 Subject: [PATCH] btrfs: populate otime when logging an inode item [TEST FAILURE WITH EXPERIMENTAL FEATURES] When running test case generic/508, the test case will fail with the new btrfs shutdown support: generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 @@ -1,2 +1,6 @@ QA output created by 508 Silence is golden +Before: +After : stat.btime = Thu Jan 1 09:30:00 1970 +Before: +After : stat.btime = Wed Jul 2 14:53:22 2025 ... (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) Ran: generic/508 Failures: generic/508 Failed 1 of 1 tests Please note that the test case requires shutdown support, thus the test case will be skipped using the current upstream kernel, as it doesn't have shutdown ioctl support. [CAUSE] The direct cause the 0 time stamp in the log tree: leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG leaf 30507008 flags 0x1(WRITTEN) backref revision 1 checksum stored e522548d checksum calced e522548d fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 9 transid 9 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) atime 1751432947.492000000 (2025-07-02 14:39:07) ctime 1751432947.492000000 (2025-07-02 14:39:07) mtime 1751432947.492000000 (2025-07-02 14:39:07) otime 0.0 (1970-01-01 09:30:00) <<< But the old fs tree has all the correct time stamp: btrfs-progs v6.12 fs tree key (FS_TREE ROOT_ITEM 0) leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE leaf 30425088 flags 0x1(WRITTEN) backref revision 1 checksum stored 48f6c57e checksum calced 48f6c57e fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 3 transid 0 size 0 nbytes 16384 block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 sequence 0 flags 0x0(none) atime 1751432947.0 (2025-07-02 14:39:07) ctime 1751432947.0 (2025-07-02 14:39:07) mtime 1751432947.0 (2025-07-02 14:39:07) otime 1751432947.0 (2025-07-02 14:39:07) <<< The root cause is that fill_inode_item() in tree-log.c is only populating a/c/m time, not the otime (or btime in statx output). Part of the reason is that, the vfs inode only has a/c/m time, no native btime support yet. [FIX] Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and btrfs_inode::i_otime_nsec. So what we really need is just fill the otime time stamp in fill_inode_item() of tree-log.c There is another fill_inode_item() in inode.c, which is doing the proper otime population. Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") CC: stable(a)vger.kernel.org Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index 1e805dabfc4b..ab0815d9e7e5 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4233,6 +4233,9 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, btrfs_set_timespec_sec(leaf, &item->ctime, inode_get_ctime_sec(inode)); btrfs_set_timespec_nsec(leaf, &item->ctime, inode_get_ctime_nsec(inode)); + btrfs_set_timespec_sec(leaf, &item->otime, BTRFS_I(inode)->i_otime_sec); + btrfs_set_timespec_nsec(leaf, &item->otime, BTRFS_I(inode)->i_otime_nsec); + /* * We do not need to set the nbytes field, in fact during a fast fsync * its value may not even be correct, since a fast fsync does not wait

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] net/sched: ets: use old 'nbands' while purging unused classes" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 87c6efc5ce9c126ae4a781bc04504b83780e3650 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081858-blurred-unlinked-7eae@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 From: Davide Caratti <dcaratti(a)redhat.com> Date: Tue, 12 Aug 2025 18:40:29 +0200 Subject: [PATCH] net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.163… [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.c… Cc: stable(a)vger.kernel.org Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") Reported-by: Li Shuang <shuali(a)redhat.com> Closes: https://issues.redhat.com/browse/RHEL-108026 Reviewed-by: Petr Machata <petrm(a)nvidia.com> Co-developed-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.175501608… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index 037f764822b9..82635dd2cfa5 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c @@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, sch_tree_lock(sch); + for (i = nbands; i < oldbands; i++) { + if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } + WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { @@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, q->classes[i].deficit = quanta[i]; } } - for (i = q->nbands; i < oldbands; i++) { - if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) - list_del_init(&q->classes[i].alist); - qdisc_purge_queue(q->classes[i].qdisc); - } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap));

4 weeks, 1 day

2
3
0 0

FAILED: patch "[PATCH] btrfs: fix ssd_spread overallocation" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 807d9023e75fc20bfd6dd2ac0408ce4af53f1648 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081832-unearned-monopoly-13b1@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 807d9023e75fc20bfd6dd2ac0408ce4af53f1648 Mon Sep 17 00:00:00 2001 From: Boris Burkov <boris(a)bur.io> Date: Mon, 14 Jul 2025 16:44:28 -0700 Subject: [PATCH] btrfs: fix ssd_spread overallocation If the ssd_spread mount option is enabled, then we run the so called clustered allocator for data block groups. In practice, this results in creating a btrfs_free_cluster which caches a block_group and borrows its free extents for allocation. Since the introduction of allocation size classes in 6.1, there has been a bug in the interaction between that feature and ssd_spread. find_free_extent() has a number of nested loops. The loop going over the allocation stages, stored in ffe_ctl->loop and managed by find_free_extent_update_loop(), the loop over the raid levels, and the loop over all the block_groups in a space_info. The size class feature relies on the block_group loop to ensure it gets a chance to see a block_group of a given size class. However, the clustered allocator uses the cached cluster block_group and breaks that loop. Each call to do_allocation() will really just go back to the same cached block_group. Normally, this is OK, as the allocation either succeeds and we don't want to loop any more or it fails, and we clear the cluster and return its space to the block_group. But with size classes, the allocation can succeed, then later fail, outside of do_allocation() due to size class mismatch. That latter failure is not properly handled due to the highly complex multi loop logic. The result is a painful loop where we continue to allocate the same num_bytes from the cluster in a tight loop until it fails and releases the cluster and lets us try a new block_group. But by then, we have skipped great swaths of the available block_groups and are likely to fail to allocate, looping the outer loop. In pathological cases like the reproducer below, the cached block_group is often the very last one, in which case we don't perform this tight bg loop but instead rip through the ffe stages to LOOP_CHUNK_ALLOC and allocate a chunk, which is now the last one, and we enter the tight inner loop until an allocation failure. Then allocation succeeds on the final block_group and if the next allocation is a size mismatch, the exact same thing happens again. Triggering this is as easy as mounting with -o ssd_spread and then running: mount -o ssd_spread $dev $mnt dd if=/dev/zero of=$mnt/big bs=16M count=1 &>/dev/null dd if=/dev/zero of=$mnt/med bs=4M count=1 &>/dev/null sync if you do the two writes + sync in a loop, you can force btrfs to spin an excessive amount on semi-successful clustered allocations, before ultimately failing and advancing to the stage where we force a chunk allocation. This results in 2G of data allocated per iteration, despite only using ~20M of data. By using a small size classed extent, the inner loop takes longer and we can spin for longer. The simplest, shortest term fix to unbreak this is to make the clustered allocator size_class aware in the dumbest way, where it fails on size class mismatch. This may hinder the operation of the clustered allocator, but better hindered than completely broken and terribly overallocating. Further re-design improvements are also in the works. Fixes: 52bb7a2166af ("btrfs: introduce size class to block group allocator") CC: stable(a)vger.kernel.org # 6.1+ Reported-by: David Sterba <dsterba(a)suse.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Boris Burkov <boris(a)bur.io> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 85833bf216de..97d517cdf2df 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -3651,6 +3651,21 @@ btrfs_release_block_group(struct btrfs_block_group *cache, btrfs_put_block_group(cache); } +static bool find_free_extent_check_size_class(const struct find_free_extent_ctl *ffe_ctl, + const struct btrfs_block_group *bg) +{ + if (ffe_ctl->policy == BTRFS_EXTENT_ALLOC_ZONED) + return true; + if (!btrfs_block_group_should_use_size_class(bg)) + return true; + if (ffe_ctl->loop >= LOOP_WRONG_SIZE_CLASS) + return true; + if (ffe_ctl->loop >= LOOP_UNSET_SIZE_CLASS && + bg->size_class == BTRFS_BG_SZ_NONE) + return true; + return ffe_ctl->size_class == bg->size_class; +} + /* * Helper function for find_free_extent(). * @@ -3672,7 +3687,8 @@ static int find_free_extent_clustered(struct btrfs_block_group *bg, if (!cluster_bg) goto refill_cluster; if (cluster_bg != bg && (cluster_bg->ro || - !block_group_bits(cluster_bg, ffe_ctl->flags))) + !block_group_bits(cluster_bg, ffe_ctl->flags) || + !find_free_extent_check_size_class(ffe_ctl, cluster_bg))) goto release_cluster; offset = btrfs_alloc_from_cluster(cluster_bg, last_ptr, @@ -4229,21 +4245,6 @@ static int find_free_extent_update_loop(struct btrfs_fs_info *fs_info, return -ENOSPC; } -static bool find_free_extent_check_size_class(struct find_free_extent_ctl *ffe_ctl, - struct btrfs_block_group *bg) -{ - if (ffe_ctl->policy == BTRFS_EXTENT_ALLOC_ZONED) - return true; - if (!btrfs_block_group_should_use_size_class(bg)) - return true; - if (ffe_ctl->loop >= LOOP_WRONG_SIZE_CLASS) - return true; - if (ffe_ctl->loop >= LOOP_UNSET_SIZE_CLASS && - bg->size_class == BTRFS_BG_SZ_NONE) - return true; - return ffe_ctl->size_class == bg->size_class; -} - static int prepare_allocation_clustered(struct btrfs_fs_info *fs_info, struct find_free_extent_ctl *ffe_ctl, struct btrfs_space_info *space_info,

4 weeks, 1 day

3
4
0 0

[PATCH 5.4.y] ACPI: processor: idle: Check acpi_bus_get_device return value

by Yann Sionneau

From: Teddy Astie <teddy.astie(a)vates.tech> [ Upstream commit 2437513a814b3e93bd02879740a8a06e52e2cf7d ] Fix a potential NULL pointer dereferences if acpi_bus_get_device happens to fail. This is backported from commit 2437513a814b3 ("ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value") This has been tested successfully by the reporter, see https://xcp-ng.org/forum/topic/10972/xcp-ng-8.3-lts-install-on-minisforum-m… Signed-off-by: Li Zhong <floridsleeves(a)gmail.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> Signed-off-by: Yann Sionneau <yann.sionneau(a)vates.tech> Reported-by: Dillon C <dchan(a)dchan.tech> Tested-by: Dillon C <dchan(a)dchan.tech> --- drivers/acpi/processor_idle.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index 92db8b0622b2..e6bba26caf3c 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -1228,7 +1228,9 @@ static int acpi_processor_get_lpi_info(struct acpi_processor *pr) status = acpi_get_parent(handle, &pr_ahandle); while (ACPI_SUCCESS(status)) { - acpi_bus_get_device(pr_ahandle, &d); + if (acpi_bus_get_device(pr_ahandle, &d)) + break; + handle = pr_ahandle; if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID)) base-commit: 04b7726c3cdd2fb4da040c2b898bcf405ed607bd -- 2.43.0 Yann Sionneau | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 weeks, 1 day

1
0
0 0

[PATCH 5.10.y] ACPI: processor: idle: Check acpi_bus_get_device return value

by Yann Sionneau

From: Teddy Astie <teddy.astie(a)vates.tech> [ Upstream commit 2437513a814b3e93bd02879740a8a06e52e2cf7d ] Fix a potential NULL pointer dereferences if acpi_bus_get_device happens to fail. This is backported from commit 2437513a814b3 ("ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value") This has been tested successfully by the reporter, see https://xcp-ng.org/forum/topic/10972/xcp-ng-8.3-lts-install-on-minisforum-m… Signed-off-by: Li Zhong <floridsleeves(a)gmail.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> Signed-off-by: Yann Sionneau <yann.sionneau(a)vates.tech> Reported-by: Dillon C <dchan(a)dchan.tech> Tested-by: Dillon C <dchan(a)dchan.tech> --- drivers/acpi/processor_idle.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index 92db8b0622b2..e6bba26caf3c 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -1228,7 +1228,9 @@ static int acpi_processor_get_lpi_info(struct acpi_processor *pr) status = acpi_get_parent(handle, &pr_ahandle); while (ACPI_SUCCESS(status)) { - acpi_bus_get_device(pr_ahandle, &d); + if (acpi_bus_get_device(pr_ahandle, &d)) + break; + handle = pr_ahandle; if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID)) base-commit: 04b7726c3cdd2fb4da040c2b898bcf405ed607bd -- 2.43.0 Yann Sionneau | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 weeks, 1 day

1
0
0 0

[PATCH 5.15.y] ACPI: processor: idle: Check acpi_bus_get_device return value

by Yann Sionneau

From: Teddy Astie <teddy.astie(a)vates.tech> [ Upstream commit 2437513a814b3e93bd02879740a8a06e52e2cf7d ] Fix a potential NULL pointer dereferences if acpi_bus_get_device happens to fail. This is backported from commit 2437513a814b3 ("ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value") This has been tested successfully by the reporter, see https://xcp-ng.org/forum/topic/10972/xcp-ng-8.3-lts-install-on-minisforum-m… Signed-off-by: Li Zhong <floridsleeves(a)gmail.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> Signed-off-by: Yann Sionneau <yann.sionneau(a)vates.tech> Reported-by: Dillon C <dchan(a)dchan.tech> Tested-by: Dillon C <dchan(a)dchan.tech> --- drivers/acpi/processor_idle.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index 92db8b0622b2..e6bba26caf3c 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -1228,7 +1228,9 @@ static int acpi_processor_get_lpi_info(struct acpi_processor *pr) status = acpi_get_parent(handle, &pr_ahandle); while (ACPI_SUCCESS(status)) { - acpi_bus_get_device(pr_ahandle, &d); + if (acpi_bus_get_device(pr_ahandle, &d)) + break; + handle = pr_ahandle; if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID)) base-commit: 04b7726c3cdd2fb4da040c2b898bcf405ed607bd -- 2.43.0 Yann Sionneau | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 weeks, 1 day

1
0
0 0

[PATCH 2/2] usb: xhci: fix host not responding after suspend and resume

by Mathias Nyman

From: Niklas Neronin <niklas.neronin(a)linux.intel.com> Partially revert commit e1db856bd288 ("usb: xhci: remove '0' write to write-1-to-clear register") because the patch cleared the Interrupt Pending bit during interrupt enabling and disabling. The Interrupt Pending bit should only be cleared when the driver has handled the interrupt. Ideally, all interrupts should be handled before disabling the interrupt; consequently, no interrupt should be pending when enabling the interrupt. For this reason, keep the debug message informing if an interrupt is still pending when an interrupt is disabled. Because the Interrupt Pending bit is write-1-to-clear, writing '0' to it ensures that the state does not change. Link: https://lore.kernel.org/linux-usb/20250818231103.672ec7ed@foxbook Fixes: e1db856bd288 ("usb: xhci: remove '0' write to write-1-to-clear register") Closes: https://bbs.archlinux.org/viewtopic.php?id=307641 cc: stable(a)vger.kernel.org # 6.16+ Signed-off-by: Niklas Neronin <niklas.neronin(a)linux.intel.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 0e03691f03bf..742c23826e17 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -309,6 +309,7 @@ int xhci_enable_interrupter(struct xhci_interrupter *ir) return -EINVAL; iman = readl(&ir->ir_set->iman); + iman &= ~IMAN_IP; iman |= IMAN_IE; writel(iman, &ir->ir_set->iman); @@ -325,6 +326,7 @@ int xhci_disable_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir) return -EINVAL; iman = readl(&ir->ir_set->iman); + iman &= ~IMAN_IP; iman &= ~IMAN_IE; writel(iman, &ir->ir_set->iman); -- 2.43.0

4 weeks, 1 day

1
0
0 0

[PATCH 1/2] usb: xhci: Fix slot_id resource race conflict

by Mathias Nyman

From: Weitao Wang <WeitaoWang-oc(a)zhaoxin.com> xHC controller may immediately reuse a slot_id after it's disabled, giving it to a new enumerating device before the xhci driver freed all resources related to the disabled device. In such a scenario, device-A with slot_id equal to 1 is disconnecting while device-B is enumerating, device-B will fail to enumerate in the follow sequence. 1.[device-A] send disable slot command 2.[device-B] send enable slot command 3.[device-A] disable slot command completed and wakeup waiting thread 4.[device-B] enable slot command completed with slot_id equal to 1 and wakeup waiting thread 5.[device-B] driver checks that slot_id is still in use (by device-A) in xhci_alloc_virt_device, and fail to enumerate due to this conflict 6.[device-A] xhci->devs[slot_id] set to NULL in xhci_free_virt_device To fix driver's slot_id resources conflict, clear xhci->devs[slot_id] and xhci->dcbba->dev_context_ptrs[slot_id] pointers in the interrupt context when disable slot command completes successfully. Simultaneously, adjust function xhci_free_virt_device to accurately handle device release. [minor smatch warning and commit message fix -Mathias] Cc: stable(a)vger.kernel.org Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command and host runtime suspend") Signed-off-by: Weitao Wang <WeitaoWang-oc(a)zhaoxin.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-hub.c | 3 +-- drivers/usb/host/xhci-mem.c | 22 +++++++++++----------- drivers/usb/host/xhci-ring.c | 9 +++++++-- drivers/usb/host/xhci.c | 21 ++++++++++++++------- drivers/usb/host/xhci.h | 3 ++- 5 files changed, 35 insertions(+), 23 deletions(-) diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c index 92bb84f8132a..b3a59ce1b3f4 100644 --- a/drivers/usb/host/xhci-hub.c +++ b/drivers/usb/host/xhci-hub.c @@ -704,8 +704,7 @@ static int xhci_enter_test_mode(struct xhci_hcd *xhci, if (!xhci->devs[i]) continue; - retval = xhci_disable_slot(xhci, i); - xhci_free_virt_device(xhci, i); + retval = xhci_disable_and_free_slot(xhci, i); if (retval) xhci_err(xhci, "Failed to disable slot %d, %d. Enter test mode anyway\n", i, retval); diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 07289333a1e8..81eaad87a3d9 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -865,21 +865,20 @@ int xhci_alloc_tt_info(struct xhci_hcd *xhci, * will be manipulated by the configure endpoint, allocate device, or update * hub functions while this function is removing the TT entries from the list. */ -void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id) +void xhci_free_virt_device(struct xhci_hcd *xhci, struct xhci_virt_device *dev, + int slot_id) { - struct xhci_virt_device *dev; int i; int old_active_eps = 0; /* Slot ID 0 is reserved */ - if (slot_id == 0 || !xhci->devs[slot_id]) + if (slot_id == 0 || !dev) return; - dev = xhci->devs[slot_id]; - - xhci->dcbaa->dev_context_ptrs[slot_id] = 0; - if (!dev) - return; + /* If device ctx array still points to _this_ device, clear it */ + if (dev->out_ctx && + xhci->dcbaa->dev_context_ptrs[slot_id] == cpu_to_le64(dev->out_ctx->dma)) + xhci->dcbaa->dev_context_ptrs[slot_id] = 0; trace_xhci_free_virt_device(dev); @@ -920,8 +919,9 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id) dev->udev->slot_id = 0; if (dev->rhub_port && dev->rhub_port->slot_id == slot_id) dev->rhub_port->slot_id = 0; - kfree(xhci->devs[slot_id]); - xhci->devs[slot_id] = NULL; + if (xhci->devs[slot_id] == dev) + xhci->devs[slot_id] = NULL; + kfree(dev); } /* @@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_i out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); - xhci_free_virt_device(xhci, slot_id); + xhci_free_virt_device(xhci, vdev, slot_id); } int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index ecd757d482c5..4f8f5aab109d 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1592,7 +1592,8 @@ static void xhci_handle_cmd_enable_slot(int slot_id, struct xhci_command *comman command->slot_id = 0; } -static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id) +static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id, + u32 cmd_comp_code) { struct xhci_virt_device *virt_dev; struct xhci_slot_ctx *slot_ctx; @@ -1607,6 +1608,10 @@ static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id) if (xhci->quirks & XHCI_EP_LIMIT_QUIRK) /* Delete default control endpoint resources */ xhci_free_device_endpoint_resources(xhci, virt_dev, true); + if (cmd_comp_code == COMP_SUCCESS) { + xhci->dcbaa->dev_context_ptrs[slot_id] = 0; + xhci->devs[slot_id] = NULL; + } } static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id) @@ -1856,7 +1861,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, xhci_handle_cmd_enable_slot(slot_id, cmd, cmd_comp_code); break; case TRB_DISABLE_SLOT: - xhci_handle_cmd_disable_slot(xhci, slot_id); + xhci_handle_cmd_disable_slot(xhci, slot_id, cmd_comp_code); break; case TRB_CONFIG_EP: if (!cmd->completion) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 47151ca527bf..0e03691f03bf 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3932,8 +3932,7 @@ static int xhci_discover_or_reset_device(struct usb_hcd *hcd, * Obtaining a new device slot to inform the xHCI host that * the USB device has been reset. */ - ret = xhci_disable_slot(xhci, udev->slot_id); - xhci_free_virt_device(xhci, udev->slot_id); + ret = xhci_disable_and_free_slot(xhci, udev->slot_id); if (!ret) { ret = xhci_alloc_dev(hcd, udev); if (ret == 1) @@ -4090,7 +4089,7 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev) xhci_disable_slot(xhci, udev->slot_id); spin_lock_irqsave(&xhci->lock, flags); - xhci_free_virt_device(xhci, udev->slot_id); + xhci_free_virt_device(xhci, virt_dev, udev->slot_id); spin_unlock_irqrestore(&xhci->lock, flags); } @@ -4139,6 +4138,16 @@ int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id) return 0; } +int xhci_disable_and_free_slot(struct xhci_hcd *xhci, u32 slot_id) +{ + struct xhci_virt_device *vdev = xhci->devs[slot_id]; + int ret; + + ret = xhci_disable_slot(xhci, slot_id); + xhci_free_virt_device(xhci, vdev, slot_id); + return ret; +} + /* * Checks if we have enough host controller resources for the default control * endpoint. @@ -4245,8 +4254,7 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) return 1; disable_slot: - xhci_disable_slot(xhci, udev->slot_id); - xhci_free_virt_device(xhci, udev->slot_id); + xhci_disable_and_free_slot(xhci, udev->slot_id); return 0; } @@ -4382,8 +4390,7 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, dev_warn(&udev->dev, "Device not responding to setup %s.\n", act); mutex_unlock(&xhci->mutex); - ret = xhci_disable_slot(xhci, udev->slot_id); - xhci_free_virt_device(xhci, udev->slot_id); + ret = xhci_disable_and_free_slot(xhci, udev->slot_id); if (!ret) { if (xhci_alloc_dev(hcd, udev) == 1) xhci_setup_addressable_virt_dev(xhci, udev); diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index a20f4e7cd43a..85d5b964bf1e 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1791,7 +1791,7 @@ void xhci_dbg_trace(struct xhci_hcd *xhci, void (*trace)(struct va_format *), /* xHCI memory management */ void xhci_mem_cleanup(struct xhci_hcd *xhci); int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags); -void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id); +void xhci_free_virt_device(struct xhci_hcd *xhci, struct xhci_virt_device *dev, int slot_id); int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, struct usb_device *udev, gfp_t flags); int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *udev); void xhci_copy_ep0_dequeue_into_input_ctx(struct xhci_hcd *xhci, @@ -1888,6 +1888,7 @@ void xhci_reset_bandwidth(struct usb_hcd *hcd, struct usb_device *udev); int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev, struct usb_tt *tt, gfp_t mem_flags); int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id); +int xhci_disable_and_free_slot(struct xhci_hcd *xhci, u32 slot_id); int xhci_ext_cap_init(struct xhci_hcd *xhci); int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup); -- 2.43.0

4 weeks, 1 day

1
0
0 0

[PATCH] ACPI: processor: idle: Check acpi_bus_get_device return value

by Yann Sionneau

From: Teddy Astie <teddy.astie(a)vates.tech> Fix a potential NULL pointer dereferences if acpi_bus_get_device happens to fail. This is backported from commit 2437513a814b3 ("ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value") This has been tested successfully by the reporter, see https://xcp-ng.org/forum/topic/10972/xcp-ng-8.3-lts-install-on-minisforum-m… Signed-off-by: Li Zhong <floridsleeves(a)gmail.com> Signed-off-by: Teddy Astie <teddy.astie(a)vates.tech> Signed-off-by: Yann Sionneau <yann.sionneau(a)vates.tech> Reported-by: Dillon C <dchan(a)dchan.tech> Tested-by: Dillon C <dchan(a)dchan.tech> --- drivers/acpi/processor_idle.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index 92db8b0622b2..e6bba26caf3c 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -1228,7 +1228,9 @@ static int acpi_processor_get_lpi_info(struct acpi_processor *pr) status = acpi_get_parent(handle, &pr_ahandle); while (ACPI_SUCCESS(status)) { - acpi_bus_get_device(pr_ahandle, &d); + if (acpi_bus_get_device(pr_ahandle, &d)) + break; + handle = pr_ahandle; if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID)) base-commit: 04b7726c3cdd2fb4da040c2b898bcf405ed607bd -- 2.43.0 Yann Sionneau | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

4 weeks, 1 day

2
4
0 0

FAILED: patch "[PATCH] net/sched: ets: use old 'nbands' while purging unused classes" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 87c6efc5ce9c126ae4a781bc04504b83780e3650 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081857-reunite-divinely-430d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 From: Davide Caratti <dcaratti(a)redhat.com> Date: Tue, 12 Aug 2025 18:40:29 +0200 Subject: [PATCH] net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.163… [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.c… Cc: stable(a)vger.kernel.org Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") Reported-by: Li Shuang <shuali(a)redhat.com> Closes: https://issues.redhat.com/browse/RHEL-108026 Reviewed-by: Petr Machata <petrm(a)nvidia.com> Co-developed-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.175501608… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index 037f764822b9..82635dd2cfa5 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c @@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, sch_tree_lock(sch); + for (i = nbands; i < oldbands; i++) { + if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } + WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { @@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, q->classes[i].deficit = quanta[i]; } } - for (i = q->nbands; i < oldbands; i++) { - if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) - list_del_init(&q->classes[i].alist); - qdisc_purge_queue(q->classes[i].qdisc); - } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap));

4 weeks, 1 day

2
3
0 0

FAILED: patch "[PATCH] btrfs: populate otime when logging an inode item" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1ef94169db0958d6de39f9ea6e063ce887342e2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081800-anew-bullion-cdbe@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ef94169db0958d6de39f9ea6e063ce887342e2d Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 2 Jul 2025 15:08:13 +0930 Subject: [PATCH] btrfs: populate otime when logging an inode item [TEST FAILURE WITH EXPERIMENTAL FEATURES] When running test case generic/508, the test case will fail with the new btrfs shutdown support: generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 @@ -1,2 +1,6 @@ QA output created by 508 Silence is golden +Before: +After : stat.btime = Thu Jan 1 09:30:00 1970 +Before: +After : stat.btime = Wed Jul 2 14:53:22 2025 ... (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) Ran: generic/508 Failures: generic/508 Failed 1 of 1 tests Please note that the test case requires shutdown support, thus the test case will be skipped using the current upstream kernel, as it doesn't have shutdown ioctl support. [CAUSE] The direct cause the 0 time stamp in the log tree: leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG leaf 30507008 flags 0x1(WRITTEN) backref revision 1 checksum stored e522548d checksum calced e522548d fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 9 transid 9 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) atime 1751432947.492000000 (2025-07-02 14:39:07) ctime 1751432947.492000000 (2025-07-02 14:39:07) mtime 1751432947.492000000 (2025-07-02 14:39:07) otime 0.0 (1970-01-01 09:30:00) <<< But the old fs tree has all the correct time stamp: btrfs-progs v6.12 fs tree key (FS_TREE ROOT_ITEM 0) leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE leaf 30425088 flags 0x1(WRITTEN) backref revision 1 checksum stored 48f6c57e checksum calced 48f6c57e fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 3 transid 0 size 0 nbytes 16384 block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 sequence 0 flags 0x0(none) atime 1751432947.0 (2025-07-02 14:39:07) ctime 1751432947.0 (2025-07-02 14:39:07) mtime 1751432947.0 (2025-07-02 14:39:07) otime 1751432947.0 (2025-07-02 14:39:07) <<< The root cause is that fill_inode_item() in tree-log.c is only populating a/c/m time, not the otime (or btime in statx output). Part of the reason is that, the vfs inode only has a/c/m time, no native btime support yet. [FIX] Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and btrfs_inode::i_otime_nsec. So what we really need is just fill the otime time stamp in fill_inode_item() of tree-log.c There is another fill_inode_item() in inode.c, which is doing the proper otime population. Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") CC: stable(a)vger.kernel.org Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index 1e805dabfc4b..ab0815d9e7e5 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4233,6 +4233,9 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, btrfs_set_timespec_sec(leaf, &item->ctime, inode_get_ctime_sec(inode)); btrfs_set_timespec_nsec(leaf, &item->ctime, inode_get_ctime_nsec(inode)); + btrfs_set_timespec_sec(leaf, &item->otime, BTRFS_I(inode)->i_otime_sec); + btrfs_set_timespec_nsec(leaf, &item->otime, BTRFS_I(inode)->i_otime_nsec); + /* * We do not need to set the nbytes field, in fact during a fast fsync * its value may not even be correct, since a fast fsync does not wait

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] hv_netvsc: Fix panic during namespace deletion with VF" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 33caa208dba6fa639e8a92fd0c8320b652e5550c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081828-apprehend-wielder-0625@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001 From: Haiyang Zhang <haiyangz(a)microsoft.com> Date: Wed, 6 Aug 2025 13:21:51 -0700 Subject: [PATCH] hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it. Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.m… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index cb6f5482d203..7397c693f984 100644 --- a/drivers/net/hyperv/hyperv_net.h +++ b/drivers/net/hyperv/hyperv_net.h @@ -1061,6 +1061,7 @@ struct net_device_context { struct net_device __rcu *vf_netdev; struct netvsc_vf_pcpu_stats __percpu *vf_stats; struct delayed_work vf_takeover; + struct delayed_work vfns_work; /* 1: allocated, serial number is valid. 0: not allocated */ u32 vf_alloc; @@ -1075,6 +1076,8 @@ struct net_device_context { struct netvsc_device_info *saved_netvsc_dev_info; }; +void netvsc_vfns_work(struct work_struct *w); + /* Azure hosts don't support non-TCP port numbers in hashing for fragmented * packets. We can use ethtool to change UDP hash level when necessary. */ diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index f44753756358..39c892e46cb0 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2522,6 +2522,7 @@ static int netvsc_probe(struct hv_device *dev, spin_lock_init(&net_device_ctx->lock); INIT_LIST_HEAD(&net_device_ctx->reconfig_events); INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); + INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); net_device_ctx->vf_stats = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); @@ -2666,6 +2667,8 @@ static void netvsc_remove(struct hv_device *dev) cancel_delayed_work_sync(&ndev_ctx->dwork); rtnl_lock(); + cancel_delayed_work_sync(&ndev_ctx->vfns_work); + nvdev = rtnl_dereference(ndev_ctx->nvdev); if (nvdev) { cancel_work_sync(&nvdev->subchan_work); @@ -2707,6 +2710,7 @@ static int netvsc_suspend(struct hv_device *dev) cancel_delayed_work_sync(&ndev_ctx->dwork); rtnl_lock(); + cancel_delayed_work_sync(&ndev_ctx->vfns_work); nvdev = rtnl_dereference(ndev_ctx->nvdev); if (nvdev == NULL) { @@ -2800,6 +2804,27 @@ static void netvsc_event_set_vf_ns(struct net_device *ndev) } } +void netvsc_vfns_work(struct work_struct *w) +{ + struct net_device_context *ndev_ctx = + container_of(w, struct net_device_context, vfns_work.work); + struct net_device *ndev; + + if (!rtnl_trylock()) { + schedule_delayed_work(&ndev_ctx->vfns_work, 1); + return; + } + + ndev = hv_get_drvdata(ndev_ctx->device_ctx); + if (!ndev) + goto out; + + netvsc_event_set_vf_ns(ndev); + +out: + rtnl_unlock(); +} + /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2810,10 +2835,12 @@ static int netvsc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr) { struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); + struct net_device_context *ndev_ctx; int ret = 0; if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); + ndev_ctx = netdev_priv(event_dev); + schedule_delayed_work(&ndev_ctx->vfns_work, 0); return NOTIFY_DONE; }

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] btrfs: populate otime when logging an inode item" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1ef94169db0958d6de39f9ea6e063ce887342e2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081800-uncouple-vagrancy-7f2b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ef94169db0958d6de39f9ea6e063ce887342e2d Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 2 Jul 2025 15:08:13 +0930 Subject: [PATCH] btrfs: populate otime when logging an inode item [TEST FAILURE WITH EXPERIMENTAL FEATURES] When running test case generic/508, the test case will fail with the new btrfs shutdown support: generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 @@ -1,2 +1,6 @@ QA output created by 508 Silence is golden +Before: +After : stat.btime = Thu Jan 1 09:30:00 1970 +Before: +After : stat.btime = Wed Jul 2 14:53:22 2025 ... (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) Ran: generic/508 Failures: generic/508 Failed 1 of 1 tests Please note that the test case requires shutdown support, thus the test case will be skipped using the current upstream kernel, as it doesn't have shutdown ioctl support. [CAUSE] The direct cause the 0 time stamp in the log tree: leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG leaf 30507008 flags 0x1(WRITTEN) backref revision 1 checksum stored e522548d checksum calced e522548d fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 9 transid 9 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) atime 1751432947.492000000 (2025-07-02 14:39:07) ctime 1751432947.492000000 (2025-07-02 14:39:07) mtime 1751432947.492000000 (2025-07-02 14:39:07) otime 0.0 (1970-01-01 09:30:00) <<< But the old fs tree has all the correct time stamp: btrfs-progs v6.12 fs tree key (FS_TREE ROOT_ITEM 0) leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE leaf 30425088 flags 0x1(WRITTEN) backref revision 1 checksum stored 48f6c57e checksum calced 48f6c57e fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 3 transid 0 size 0 nbytes 16384 block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 sequence 0 flags 0x0(none) atime 1751432947.0 (2025-07-02 14:39:07) ctime 1751432947.0 (2025-07-02 14:39:07) mtime 1751432947.0 (2025-07-02 14:39:07) otime 1751432947.0 (2025-07-02 14:39:07) <<< The root cause is that fill_inode_item() in tree-log.c is only populating a/c/m time, not the otime (or btime in statx output). Part of the reason is that, the vfs inode only has a/c/m time, no native btime support yet. [FIX] Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and btrfs_inode::i_otime_nsec. So what we really need is just fill the otime time stamp in fill_inode_item() of tree-log.c There is another fill_inode_item() in inode.c, which is doing the proper otime population. Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") CC: stable(a)vger.kernel.org Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index 1e805dabfc4b..ab0815d9e7e5 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4233,6 +4233,9 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, btrfs_set_timespec_sec(leaf, &item->ctime, inode_get_ctime_sec(inode)); btrfs_set_timespec_nsec(leaf, &item->ctime, inode_get_ctime_nsec(inode)); + btrfs_set_timespec_sec(leaf, &item->otime, BTRFS_I(inode)->i_otime_sec); + btrfs_set_timespec_nsec(leaf, &item->otime, BTRFS_I(inode)->i_otime_nsec); + /* * We do not need to set the nbytes field, in fact during a fast fsync * its value may not even be correct, since a fast fsync does not wait

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] hv_netvsc: Fix panic during namespace deletion with VF" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 33caa208dba6fa639e8a92fd0c8320b652e5550c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081827-quicksand-exposure-0dd9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001 From: Haiyang Zhang <haiyangz(a)microsoft.com> Date: Wed, 6 Aug 2025 13:21:51 -0700 Subject: [PATCH] hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it. Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.m… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index cb6f5482d203..7397c693f984 100644 --- a/drivers/net/hyperv/hyperv_net.h +++ b/drivers/net/hyperv/hyperv_net.h @@ -1061,6 +1061,7 @@ struct net_device_context { struct net_device __rcu *vf_netdev; struct netvsc_vf_pcpu_stats __percpu *vf_stats; struct delayed_work vf_takeover; + struct delayed_work vfns_work; /* 1: allocated, serial number is valid. 0: not allocated */ u32 vf_alloc; @@ -1075,6 +1076,8 @@ struct net_device_context { struct netvsc_device_info *saved_netvsc_dev_info; }; +void netvsc_vfns_work(struct work_struct *w); + /* Azure hosts don't support non-TCP port numbers in hashing for fragmented * packets. We can use ethtool to change UDP hash level when necessary. */ diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index f44753756358..39c892e46cb0 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2522,6 +2522,7 @@ static int netvsc_probe(struct hv_device *dev, spin_lock_init(&net_device_ctx->lock); INIT_LIST_HEAD(&net_device_ctx->reconfig_events); INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); + INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); net_device_ctx->vf_stats = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); @@ -2666,6 +2667,8 @@ static void netvsc_remove(struct hv_device *dev) cancel_delayed_work_sync(&ndev_ctx->dwork); rtnl_lock(); + cancel_delayed_work_sync(&ndev_ctx->vfns_work); + nvdev = rtnl_dereference(ndev_ctx->nvdev); if (nvdev) { cancel_work_sync(&nvdev->subchan_work); @@ -2707,6 +2710,7 @@ static int netvsc_suspend(struct hv_device *dev) cancel_delayed_work_sync(&ndev_ctx->dwork); rtnl_lock(); + cancel_delayed_work_sync(&ndev_ctx->vfns_work); nvdev = rtnl_dereference(ndev_ctx->nvdev); if (nvdev == NULL) { @@ -2800,6 +2804,27 @@ static void netvsc_event_set_vf_ns(struct net_device *ndev) } } +void netvsc_vfns_work(struct work_struct *w) +{ + struct net_device_context *ndev_ctx = + container_of(w, struct net_device_context, vfns_work.work); + struct net_device *ndev; + + if (!rtnl_trylock()) { + schedule_delayed_work(&ndev_ctx->vfns_work, 1); + return; + } + + ndev = hv_get_drvdata(ndev_ctx->device_ctx); + if (!ndev) + goto out; + + netvsc_event_set_vf_ns(ndev); + +out: + rtnl_unlock(); +} + /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2810,10 +2835,12 @@ static int netvsc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr) { struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); + struct net_device_context *ndev_ctx; int ret = 0; if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); + ndev_ctx = netdev_priv(event_dev); + schedule_delayed_work(&ndev_ctx->vfns_work, 0); return NOTIFY_DONE; }

4 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] net/sched: ets: use old 'nbands' while purging unused classes" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 87c6efc5ce9c126ae4a781bc04504b83780e3650 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081855-silicon-oops-12df@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 From: Davide Caratti <dcaratti(a)redhat.com> Date: Tue, 12 Aug 2025 18:40:29 +0200 Subject: [PATCH] net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.163… [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.c… Cc: stable(a)vger.kernel.org Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") Reported-by: Li Shuang <shuali(a)redhat.com> Closes: https://issues.redhat.com/browse/RHEL-108026 Reviewed-by: Petr Machata <petrm(a)nvidia.com> Co-developed-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.175501608… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index 037f764822b9..82635dd2cfa5 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c @@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, sch_tree_lock(sch); + for (i = nbands; i < oldbands; i++) { + if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } + WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { @@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, q->classes[i].deficit = quanta[i]; } } - for (i = q->nbands; i < oldbands; i++) { - if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) - list_del_init(&q->classes[i].alist); - qdisc_purge_queue(q->classes[i].qdisc); - } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap));

4 weeks, 1 day

2
2
0 0

[PATCH v3] debugfs: fix mount options not being applied

by Charalampos Mitrodimas

Mount options (uid, gid, mode) are silently ignored when debugfs is mounted. This is a regression introduced during the conversion to the new mount API. When the mount API conversion was done, the parsed options were never applied to the superblock when it was reused. As a result, the mount options were ignored when debugfs was mounted. Fix this by following the same pattern as the tracefs fix in commit e4d32142d1de ("tracing: Fix tracefs mount options"). Call debugfs_reconfigure() in debugfs_get_tree() to apply the mount options to the superblock after it has been created or reused. As an example, with the bug the "mode" mount option is ignored: $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test $ mount | grep debugfs_test debugfs on /tmp/debugfs_test type debugfs (rw,relatime) $ ls -ld /tmp/debugfs_test drwx------ 25 root root 0 Aug 4 14:16 /tmp/debugfs_test With the fix applied, it works as expected: $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test $ mount | grep debugfs_test debugfs on /tmp/debugfs_test type debugfs (rw,relatime,mode=666) $ ls -ld /tmp/debugfs_test drw-rw-rw- 37 root root 0 Aug 2 17:28 /tmp/debugfs_test Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220406 Cc: stable(a)vger.kernel.org Reviewed-by: Eric Sandeen <sandeen(a)redhat.com> Signed-off-by: Charalampos Mitrodimas <charmitro(a)posteo.net> --- Changes in v3: - Reworded patch description to avoid confusion about OOPs - Link to v2: https://lore.kernel.org/r/20250813-debugfs-mount-opts-v2-1-0ca79720edc6@pos… Changes in v2: - Follow the same pattern as e4d32142d1de ("tracing: Fix tracefs mount options") - Add Cc: stable tag - Link to v1: https://lore.kernel.org/r/20250804-debugfs-mount-opts-v1-1-bc05947a80b5@pos… --- fs/debugfs/inode.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index a0357b0cf362d8ac47ff810e162402d6a8ae2cb9..c12d649df6a5435050f606c2828a9a7cc61922e4 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -183,6 +183,9 @@ static int debugfs_reconfigure(struct fs_context *fc) struct debugfs_fs_info *sb_opts = sb->s_fs_info; struct debugfs_fs_info *new_opts = fc->s_fs_info; + if (!new_opts) + return 0; + sync_filesystem(sb); /* structure copy of new mount options to sb */ @@ -282,10 +285,16 @@ static int debugfs_fill_super(struct super_block *sb, struct fs_context *fc) static int debugfs_get_tree(struct fs_context *fc) { + int err; + if (!(debugfs_allow & DEBUGFS_ALLOW_API)) return -EPERM; - return get_tree_single(fc, debugfs_fill_super); + err = get_tree_single(fc, debugfs_fill_super); + if (err) + return err; + + return debugfs_reconfigure(fc); } static void debugfs_free_fc(struct fs_context *fc) --- base-commit: 3c4a063b1f8ab71352df1421d9668521acb63cd9 change-id: 20250804-debugfs-mount-opts-2a68d7741f05 Best regards, -- Charalampos Mitrodimas <charmitro(a)posteo.net>

4 weeks, 1 day

3
2
0 0

[PATCH 6.1.y] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register

by Roy, Patrick

From: Nianyao Tang <tangnianyao(a)huawei.com> [ upstream commit e8cde32f111f7f5681a7bad3ec747e9e697569a9 ] Enable ECBHB bits in ID_AA64MMFR1 register as per ARM DDI 0487K.a specification. When guest OS read ID_AA64MMFR1_EL1, kvm emulate this reg using ftr_id_aa64mmfr1 and always return ID_AA64MMFR1_EL1.ECBHB=0 to guest. It results in guest syscall jump to tramp ventry, which is not needed in implementation with ID_AA64MMFR1_EL1.ECBHB=1. Let's make the guest syscall process the same as the host. This fixes performance regressions introduced by commit a53b3599d9bf ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") for guests running on neoverse v2 hardware, which supports ECBHB. Signed-off-by: Nianyao Tang <tangnianyao(a)huawei.com> Link: https://lore.kernel.org/r/20240611122049.2758600-1-tangnianyao@huawei.com Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Patrick Roy <roypat(a)amazon.co.uk> --- arch/arm64/kernel/cpufeature.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 840cc48b5147..5d2322eeee47 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -343,6 +343,7 @@ static const struct arm64_ftr_bits ftr_id_aa64mmfr0[] = { }; static const struct arm64_ftr_bits ftr_id_aa64mmfr1[] = { + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_ECBHB_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_TIDCP1_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_AFP_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR1_EL1_ETS_SHIFT, 4, 0), -- 2.50.1

4 weeks, 1 day

1
1
0 0

[PATCH v2 0/3] i2c: pxa: fix I2C communication on Armada 3700

by Gabor Juhos

There is a long standing bug which causes I2C communication not to work on the Armada 3700 based boards. This small series restores that functionality. Signed-off-by: Imre Kaloz <kaloz(a)openwrt.org> Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> --- Changes in v2: - collect offered tags - rebase and retest on tip of i2c/for-current - Link to v1: https://lore.kernel.org/r/20250511-i2c-pxa-fix-i2c-communication-v1-0-e9097… --- Gabor Juhos (3): i2c: add init_recovery() callback i2c: pxa: prevent calling of the generic recovery init code i2c: pxa: handle 'Early Bus Busy' condition on Armada 3700 drivers/i2c/busses/i2c-pxa.c | 25 +++++++++++++++++++------ drivers/i2c/i2c-core-base.c | 8 +++++++- include/linux/i2c.h | 4 ++++ 3 files changed, 30 insertions(+), 7 deletions(-) --- base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585 change-id: 20250510-i2c-pxa-fix-i2c-communication-3e6de1e3d0c6 Best regards, -- Gabor Juhos <j4g8y7(a)gmail.com>

1 month

3
24
0 0

[PATCH v4 0/2] media: pci: Fix invalid access to file *

by Jacopo Mondi

Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") All the ioctl handlers access their private data structures from file * The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access. The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file" Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Changes in v4: - Slightly adjust commit messages - Link to v3: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v3-0-5e2f08f3cadc@ideasonbo… Changes in v3: - Change helpers to accept the type they're going to operate on instead of using the open_id wrapper type as suggested by Laurent - Link to v2: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v2-0-3f53ce423663@ideasonbo… Changes in v2: - Add Cc: stable(a)vger.kernel.org per-patch --- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file * drivers/media/pci/cx18/cx18-driver.c | 9 +++------ drivers/media/pci/cx18/cx18-ioctl.c | 30 +++++++++++++++++++----------- drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 11 ++++------- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 52 insertions(+), 34 deletions(-) --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

1 month

1
2
0 0

[PATCH v3 0/2] media: pci: Fix invalid access to file *

by Jacopo Mondi

Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") All the ioctl handlers access their private data structures from file * The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access. The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file" Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Changes in v3: - Change helpers to accept the type they're going to operate on instead of using the open_id wrapper type as suggested by Laurent - Link to v2: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v2-0-3f53ce423663@ideasonbo… Changes in v2: - Add Cc: stable(a)vger.kernel.org per-patch --- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file * drivers/media/pci/cx18/cx18-driver.c | 9 +++------ drivers/media/pci/cx18/cx18-ioctl.c | 30 +++++++++++++++++++----------- drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 11 ++++------- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 52 insertions(+), 34 deletions(-) --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

1 month

2
6
0 0

Re: Patch "md: call del_gendisk in control path" has been added to the 6.6-stable tree

by Yu Kuai

Hi, 在 2025/08/17 22:18, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > md: call del_gendisk in control path > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > md-call-del_gendisk-in-control-path.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > This patch should be be backported to any stable kernel, this change will break user tools mdadm: https://lore.kernel.org/all/f654db67-a5a5-114b-09b8-00db303daab7@redhat.com/ Thanks, Kuai > > commit fa738623105e2dd4865274dc8525856feaec3ae9 > Author: Xiao Ni <xni(a)redhat.com> > Date: Wed Jun 11 15:31:06 2025 +0800 > > md: call del_gendisk in control path > > [ Upstream commit 9e59d609763f70a992a8f3808dabcce60f14eb5c ] > > Now del_gendisk and put_disk are called asynchronously in workqueue work. > The asynchronous way has a problem that the device node can still exist > after mdadm --stop command returns in a short window. So udev rule can > open this device node and create the struct mddev in kernel again. So put > del_gendisk in control path and still leave put_disk in md_kobj_release > to avoid uaf of gendisk. > > Function del_gendisk can't be called with reconfig_mutex. If it's called > with reconfig mutex, a deadlock can happen. del_gendisk waits all sysfs > files access to finish and sysfs file access waits reconfig mutex. So > put del_gendisk after releasing reconfig mutex. > > But there is still a window that sysfs can be accessed between mddev_unlock > and del_gendisk. So some actions (add disk, change level, .e.g) can happen > which lead unexpected results. MD_DELETED is used to resolve this problem. > MD_DELETED is set before releasing reconfig mutex and it should be checked > for these sysfs access which need reconfig mutex. For sysfs access which > don't need reconfig mutex, del_gendisk will wait them to finish. > > But it doesn't need to do this in function mddev_lock_nointr. There are > ten places that call it. > * Five of them are in dm raid which we don't need to care. MD_DELETED is > only used for md raid. > * stop_sync_thread, md_do_sync and md_start_sync are related sync request, > and it needs to wait sync thread to finish before stopping an array. > * md_ioctl: md_open is called before md_ioctl, so ->openers is added. It > will fail to stop the array. So it doesn't need to check MD_DELETED here > * md_set_readonly: > It needs to call mddev_set_closing_and_sync_blockdev when setting readonly > or read_auto. So it will fail to stop the array too because MD_CLOSING is > already set. > > Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> > Signed-off-by: Xiao Ni <xni(a)redhat.com> > Link: https://lore.kernel.org/linux-raid/20250611073108.25463-2-xni@redhat.com > Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/md/md.c b/drivers/md/md.c > index b086cbf24086..8e3939c0d2ed 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c > @@ -639,9 +639,6 @@ static void __mddev_put(struct mddev *mddev) > mddev->ctime || mddev->hold_active) > return; > > - /* Array is not configured at all, and not held active, so destroy it */ > - set_bit(MD_DELETED, &mddev->flags); > - > /* > * Call queue_work inside the spinlock so that flush_workqueue() after > * mddev_find will succeed in waiting for the work to be done. > @@ -837,6 +834,16 @@ void mddev_unlock(struct mddev *mddev) > kobject_del(&rdev->kobj); > export_rdev(rdev, mddev); > } > + > + /* Call del_gendisk after release reconfig_mutex to avoid > + * deadlock (e.g. call del_gendisk under the lock and an > + * access to sysfs files waits the lock) > + * And MD_DELETED is only used for md raid which is set in > + * do_md_stop. dm raid only uses md_stop to stop. So dm raid > + * doesn't need to check MD_DELETED when getting reconfig lock > + */ > + if (test_bit(MD_DELETED, &mddev->flags)) > + del_gendisk(mddev->gendisk); > } > EXPORT_SYMBOL_GPL(mddev_unlock); > > @@ -5616,19 +5623,30 @@ md_attr_store(struct kobject *kobj, struct attribute *attr, > struct md_sysfs_entry *entry = container_of(attr, struct md_sysfs_entry, attr); > struct mddev *mddev = container_of(kobj, struct mddev, kobj); > ssize_t rv; > + struct kernfs_node *kn = NULL; > > if (!entry->store) > return -EIO; > if (!capable(CAP_SYS_ADMIN)) > return -EACCES; > + > + if (entry->store == array_state_store && cmd_match(page, "clear")) > + kn = sysfs_break_active_protection(kobj, attr); > + > spin_lock(&all_mddevs_lock); > if (!mddev_get(mddev)) { > spin_unlock(&all_mddevs_lock); > + if (kn) > + sysfs_unbreak_active_protection(kn); > return -EBUSY; > } > spin_unlock(&all_mddevs_lock); > rv = entry->store(mddev, page, length); > mddev_put(mddev); > + > + if (kn) > + sysfs_unbreak_active_protection(kn); > + > return rv; > } > > @@ -5636,12 +5654,6 @@ static void md_kobj_release(struct kobject *ko) > { > struct mddev *mddev = container_of(ko, struct mddev, kobj); > > - if (mddev->sysfs_state) > - sysfs_put(mddev->sysfs_state); > - if (mddev->sysfs_level) > - sysfs_put(mddev->sysfs_level); > - > - del_gendisk(mddev->gendisk); > put_disk(mddev->gendisk); > } > > @@ -6531,8 +6543,9 @@ static int do_md_stop(struct mddev *mddev, int mode, > mddev->bitmap_info.offset = 0; > > export_array(mddev); > - > md_clean(mddev); > + set_bit(MD_DELETED, &mddev->flags); > + > if (mddev->hold_active == UNTIL_STOP) > mddev->hold_active = 0; > } > diff --git a/drivers/md/md.h b/drivers/md/md.h > index 46995558d3bd..0a7c9122db50 100644 > --- a/drivers/md/md.h > +++ b/drivers/md/md.h > @@ -589,11 +589,26 @@ static inline bool is_md_suspended(struct mddev *mddev) > > static inline int __must_check mddev_lock(struct mddev *mddev) > { > - return mutex_lock_interruptible(&mddev->reconfig_mutex); > + int ret; > + > + ret = mutex_lock_interruptible(&mddev->reconfig_mutex); > + > + /* MD_DELETED is set in do_md_stop with reconfig_mutex. > + * So check it here. > + */ > + if (!ret && test_bit(MD_DELETED, &mddev->flags)) { > + ret = -ENODEV; > + mutex_unlock(&mddev->reconfig_mutex); > + } > + > + return ret; > } > > /* Sometimes we need to take the lock in a situation where > * failure due to interrupts is not acceptable. > + * It doesn't need to check MD_DELETED here, the owner which > + * holds the lock here can't be stopped. And all paths can't > + * call this function after do_md_stop. > */ > static inline void mddev_lock_nointr(struct mddev *mddev) > { > @@ -602,7 +617,14 @@ static inline void mddev_lock_nointr(struct mddev *mddev) > > static inline int mddev_trylock(struct mddev *mddev) > { > - return mutex_trylock(&mddev->reconfig_mutex); > + int ret; > + > + ret = mutex_trylock(&mddev->reconfig_mutex); > + if (!ret && test_bit(MD_DELETED, &mddev->flags)) { > + ret = -ENODEV; > + mutex_unlock(&mddev->reconfig_mutex); > + } > + return ret; > } > extern void mddev_unlock(struct mddev *mddev); > > . >

1 month

2
7
0 0

[PATCH v4 0/6] media: ti, cdns: Multiple pixel support and misc fixes

by Jai Luthra

Hi, The first four patches in this series are miscellaneous fixes and improvements in the Cadence and TI CSI-RX drivers around probing, fwnode and link creation. The last two patches add support for transmitting multiple pixels per clock on the internal bus between Cadence CSI-RX bridge and TI CSI-RX wrapper. As this internal bus is 32-bit wide, the maximum number of pixels that can be transmitted per cycle depend upon the format's bit width. Secondly, the downstream element must support unpacking of multiple pixels. Thus we export a module function that can be used by the downstream driver to negotiate the pixels per cycle on the output pixel stream of the Cadence bridge. Signed-off-by: Jai Luthra <jai.luthra(a)ideasonboard.com> --- Changes in v4: - Rebase on top of v6.17-rc1 - Add missing include for linux/export.h in cdns-csi2rx.c - Link to v3: https://lore.kernel.org/r/20250626-probe_fixes-v3-0-83e735ae466e@ideasonboa… Changes in v3: - Move cdns-csi2rx header to include/media - Export symbol from cdns-csi2rx.c to be used only through the j721e-csi2rx.c module namespace - Other minor fixes suggested by Sakari - Add Abhilash's T-by tags - Link to v2: https://lore.kernel.org/r/20250410-probe_fixes-v2-0-801bc6eebdea@ideasonboa… Changes in v2: - Rebase on v6.15-rc1 - Fix lkp warnings in PATCH 5/6 missing header for FIELD_PREP - Add R-By tags from Devarsh and Changhuang - Link to v1: https://lore.kernel.org/r/20250324-probe_fixes-v1-0-5cd5b9e1cfac@ideasonboa… --- Jai Luthra (6): media: ti: j721e-csi2rx: Use devm_of_platform_populate media: ti: j721e-csi2rx: Use fwnode_get_named_child_node media: ti: j721e-csi2rx: Fix source subdev link creation media: cadence: csi2rx: Implement get_fwnode_pad op media: cadence: cdns-csi2rx: Support multiple pixels per clock cycle media: ti: j721e-csi2rx: Support multiple pixels per clock MAINTAINERS | 1 + drivers/media/platform/cadence/cdns-csi2rx.c | 75 ++++++++++++++++------ drivers/media/platform/ti/Kconfig | 3 +- .../media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 65 ++++++++++++++----- include/media/cadence/cdns-csi2rx.h | 19 ++++++ 5 files changed, 128 insertions(+), 35 deletions(-) --- base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585 change-id: 20250314-probe_fixes-7e0ec33c7fee Best regards, -- Jai Luthra <jai.luthra(a)ideasonboard.com>

1 month

2
3
0 0

+ proc-fix-missing-pde_set_flags-for-net-proc-files.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: proc: fix missing pde_set_flags() for net proc files has been added to the -mm mm-hotfixes-unstable branch. Its filename is proc-fix-missing-pde_set_flags-for-net-proc-files.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: wangzijie <wangzijie1(a)honor.com> Subject: proc: fix missing pde_set_flags() for net proc files Date: Mon, 18 Aug 2025 20:31:02 +0800 To avoid potential UAF issues during module removal races, we use pde_set_flags() to save proc_ops flags in PDE itself before proc_register(), and then use pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*. However, the pde_set_flags() call was missing when creating net related proc files. This omission caused incorrect behavior which FMODE_LSEEK was being cleared inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1]. Fix this by ensuring pde_set_flags() is called when register proc entry, and add NULL check for proc_ops in pde_set_flags(). [1]: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ Link: https://lkml.kernel.org/r/20250818123102.959595-1-wangzijie1@honor.com Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al) Signed-off-by: wangzijie <wangzijie1(a)honor.com> Reported-by: Lars Wendler <polynomial-c(a)gmx.de> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: "Edgecombe, Rick P" <rick.p.edgecombe(a)intel.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Kirill A. Shutemov <k.shutemov(a)gmail.com> Cc: wangzijie <wangzijie1(a)honor.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/generic.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) --- a/fs/proc/generic.c~proc-fix-missing-pde_set_flags-for-net-proc-files +++ a/fs/proc/generic.c @@ -367,6 +367,23 @@ static const struct inode_operations pro .setattr = proc_notify_change, }; +static void pde_set_flags(struct proc_dir_entry *pde) +{ + if (!pde->proc_ops) + return; + + if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) + pde->flags |= PROC_ENTRY_PERMANENT; + if (pde->proc_ops->proc_read_iter) + pde->flags |= PROC_ENTRY_proc_read_iter; +#ifdef CONFIG_COMPAT + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; +#endif + if (pde->proc_ops->proc_lseek) + pde->flags |= PROC_ENTRY_proc_lseek; +} + /* returns the registered entry, or frees dp and returns NULL on failure */ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, struct proc_dir_entry *dp) @@ -374,6 +391,8 @@ struct proc_dir_entry *proc_register(str if (proc_alloc_inum(&dp->low_ino)) goto out_free_entry; + pde_set_flags(dp); + write_lock(&proc_subdir_lock); dp->parent = dir; if (pde_subdir_insert(dir, dp) == false) { @@ -561,20 +580,6 @@ struct proc_dir_entry *proc_create_reg(c return p; } -static void pde_set_flags(struct proc_dir_entry *pde) -{ - if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) - pde->flags |= PROC_ENTRY_PERMANENT; - if (pde->proc_ops->proc_read_iter) - pde->flags |= PROC_ENTRY_proc_read_iter; -#ifdef CONFIG_COMPAT - if (pde->proc_ops->proc_compat_ioctl) - pde->flags |= PROC_ENTRY_proc_compat_ioctl; -#endif - if (pde->proc_ops->proc_lseek) - pde->flags |= PROC_ENTRY_proc_lseek; -} - struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, struct proc_dir_entry *parent, const struct proc_ops *proc_ops, void *data) @@ -585,7 +590,6 @@ struct proc_dir_entry *proc_create_data( if (!p) return NULL; p->proc_ops = proc_ops; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_data); @@ -636,7 +640,6 @@ struct proc_dir_entry *proc_create_seq_p p->proc_ops = &proc_seq_ops; p->seq_ops = ops; p->state_size = state_size; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_seq_private); @@ -667,7 +670,6 @@ struct proc_dir_entry *proc_create_singl return NULL; p->proc_ops = &proc_single_ops; p->single_show = show; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_single_data); _ Patches currently in -mm which might be from wangzijie1(a)honor.com are proc-fix-missing-pde_set_flags-for-net-proc-files.patch

1 month

1
0
0 0

FAILED: patch "[PATCH] net/sched: ets: use old 'nbands' while purging unused classes" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 87c6efc5ce9c126ae4a781bc04504b83780e3650 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081854-registry-sled-ea48@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 From: Davide Caratti <dcaratti(a)redhat.com> Date: Tue, 12 Aug 2025 18:40:29 +0200 Subject: [PATCH] net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.163… [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.c… Cc: stable(a)vger.kernel.org Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") Reported-by: Li Shuang <shuali(a)redhat.com> Closes: https://issues.redhat.com/browse/RHEL-108026 Reviewed-by: Petr Machata <petrm(a)nvidia.com> Co-developed-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.175501608… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index 037f764822b9..82635dd2cfa5 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c @@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, sch_tree_lock(sch); + for (i = nbands; i < oldbands; i++) { + if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } + WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { @@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, q->classes[i].deficit = quanta[i]; } } - for (i = q->nbands; i < oldbands; i++) { - if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) - list_del_init(&q->classes[i].alist); - qdisc_purge_queue(q->classes[i].qdisc); - } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap));

1 month

2
2
0 0

FAILED: patch "[PATCH] btrfs: send: use fallocate for hole punching with send stream" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 005b0a0c24e1628313e951516b675109a92cacfe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081848-kilobyte-skirmish-7ccd@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 005b0a0c24e1628313e951516b675109a92cacfe Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 18 Jul 2025 13:07:29 +0100 Subject: [PATCH] btrfs: send: use fallocate for hole punching with send stream v2 Currently holes are sent as writes full of zeroes, which results in unnecessarily using disk space at the receiving end and increasing the stream size. In some cases we avoid sending writes of zeroes, like during a full send operation where we just skip writes for holes. But for some cases we fill previous holes with writes of zeroes too, like in this scenario: 1) We have a file with a hole in the range [2M, 3M), we snapshot the subvolume and do a full send. The range [2M, 3M) stays as a hole at the receiver since we skip sending write commands full of zeroes; 2) We punch a hole for the range [3M, 4M) in our file, so that now it has a 2M hole in the range [2M, 4M), and snapshot the subvolume. Now if we do an incremental send, we will send write commands full of zeroes for the range [2M, 4M), removing the hole for [2M, 3M) at the receiver. We could improve cases such as this last one by doing additional comparisons of file extent items (or their absence) between the parent and send snapshots, but that's a lot of code to add plus additional CPU and IO costs. Since the send stream v2 already has a fallocate command and btrfs-progs implements a callback to execute fallocate since the send stream v2 support was added to it, update the kernel to use fallocate for punching holes for V2+ streams. Test coverage is provided by btrfs/284 which is a version of btrfs/007 that exercises send stream v2 instead of v1, using fsstress with random operations and fssum to verify file contents. Link: https://github.com/kdave/btrfs-progs/issues/1001 CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 09822e766e41..7664025a5af4 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -4,6 +4,7 @@ */ #include <linux/bsearch.h> +#include <linux/falloc.h> #include <linux/fs.h> #include <linux/file.h> #include <linux/sort.h> @@ -5405,6 +5406,30 @@ static int send_update_extent(struct send_ctx *sctx, return ret; } +static int send_fallocate(struct send_ctx *sctx, u32 mode, u64 offset, u64 len) +{ + struct fs_path *path; + int ret; + + path = get_cur_inode_path(sctx); + if (IS_ERR(path)) + return PTR_ERR(path); + + ret = begin_cmd(sctx, BTRFS_SEND_C_FALLOCATE); + if (ret < 0) + return ret; + + TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path); + TLV_PUT_U32(sctx, BTRFS_SEND_A_FALLOCATE_MODE, mode); + TLV_PUT_U64(sctx, BTRFS_SEND_A_FILE_OFFSET, offset); + TLV_PUT_U64(sctx, BTRFS_SEND_A_SIZE, len); + + ret = send_cmd(sctx); + +tlv_put_failure: + return ret; +} + static int send_hole(struct send_ctx *sctx, u64 end) { struct fs_path *p = NULL; @@ -5412,6 +5437,14 @@ static int send_hole(struct send_ctx *sctx, u64 end) u64 offset = sctx->cur_inode_last_extent; int ret = 0; + /* + * Starting with send stream v2 we have fallocate and can use it to + * punch holes instead of sending writes full of zeroes. + */ + if (proto_cmd_ok(sctx, BTRFS_SEND_C_FALLOCATE)) + return send_fallocate(sctx, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, + offset, end - offset); + /* * A hole that starts at EOF or beyond it. Since we do not yet support * fallocate (for extent preallocation and hole punching), sending a

1 month

2
1
0 0

FAILED: patch "[PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d2845519b0723c5d5a0266cbf410495f9b8fd65c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081859-matcher-handprint-c398@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d2845519b0723c5d5a0266cbf410495f9b8fd65c Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Wed, 23 Jul 2025 14:19:44 +0200 Subject: [PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags argument to xfs_inobt_walk, which expects the XFS_IWALK* flags. Currently passing the wrong flags works for non-debug builds because the only XFS_IWALK* flag has the same encoding as the corresponding XFS_IBULK* flag, but in debug builds it can trigger an assert that no incorrect flag is passed. Instead just extra the relevant flag. Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags") Cc: <stable(a)vger.kernel.org> # v5.19 Reported-by: cen zhang <zzzccc427(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c index c8c9b8d8309f..5116842420b2 100644 --- a/fs/xfs/xfs_itable.c +++ b/fs/xfs/xfs_itable.c @@ -447,17 +447,21 @@ xfs_inumbers( .breq = breq, }; struct xfs_trans *tp; + unsigned int iwalk_flags = 0; int error = 0; if (xfs_bulkstat_already_done(breq->mp, breq->startino)) return 0; + if (breq->flags & XFS_IBULK_SAME_AG) + iwalk_flags |= XFS_IWALK_SAME_AG; + /* * Grab an empty transaction so that we can use its recursive buffer * locking abilities to detect cycles in the inobt without deadlocking. */ tp = xfs_trans_alloc_empty(breq->mp); - error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags, + error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags, xfs_inumbers_walk, breq->icount, &ic); xfs_trans_cancel(tp);

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: populate otime when logging an inode item" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1ef94169db0958d6de39f9ea6e063ce887342e2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081854-eject-aloft-03ff@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ef94169db0958d6de39f9ea6e063ce887342e2d Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Wed, 2 Jul 2025 15:08:13 +0930 Subject: [PATCH] btrfs: populate otime when logging an inode item [TEST FAILURE WITH EXPERIMENTAL FEATURES] When running test case generic/508, the test case will fail with the new btrfs shutdown support: generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 @@ -1,2 +1,6 @@ QA output created by 508 Silence is golden +Before: +After : stat.btime = Thu Jan 1 09:30:00 1970 +Before: +After : stat.btime = Wed Jul 2 14:53:22 2025 ... (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) Ran: generic/508 Failures: generic/508 Failed 1 of 1 tests Please note that the test case requires shutdown support, thus the test case will be skipped using the current upstream kernel, as it doesn't have shutdown ioctl support. [CAUSE] The direct cause the 0 time stamp in the log tree: leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG leaf 30507008 flags 0x1(WRITTEN) backref revision 1 checksum stored e522548d checksum calced e522548d fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 9 transid 9 size 0 nbytes 0 block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 sequence 1 flags 0x0(none) atime 1751432947.492000000 (2025-07-02 14:39:07) ctime 1751432947.492000000 (2025-07-02 14:39:07) mtime 1751432947.492000000 (2025-07-02 14:39:07) otime 0.0 (1970-01-01 09:30:00) <<< But the old fs tree has all the correct time stamp: btrfs-progs v6.12 fs tree key (FS_TREE ROOT_ITEM 0) leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE leaf 30425088 flags 0x1(WRITTEN) backref revision 1 checksum stored 48f6c57e checksum calced 48f6c57e fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 3 transid 0 size 0 nbytes 16384 block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 sequence 0 flags 0x0(none) atime 1751432947.0 (2025-07-02 14:39:07) ctime 1751432947.0 (2025-07-02 14:39:07) mtime 1751432947.0 (2025-07-02 14:39:07) otime 1751432947.0 (2025-07-02 14:39:07) <<< The root cause is that fill_inode_item() in tree-log.c is only populating a/c/m time, not the otime (or btime in statx output). Part of the reason is that, the vfs inode only has a/c/m time, no native btime support yet. [FIX] Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and btrfs_inode::i_otime_nsec. So what we really need is just fill the otime time stamp in fill_inode_item() of tree-log.c There is another fill_inode_item() in inode.c, which is doing the proper otime population. Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") CC: stable(a)vger.kernel.org Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index 1e805dabfc4b..ab0815d9e7e5 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4233,6 +4233,9 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, btrfs_set_timespec_sec(leaf, &item->ctime, inode_get_ctime_sec(inode)); btrfs_set_timespec_nsec(leaf, &item->ctime, inode_get_ctime_nsec(inode)); + btrfs_set_timespec_sec(leaf, &item->otime, BTRFS_I(inode)->i_otime_sec); + btrfs_set_timespec_nsec(leaf, &item->otime, BTRFS_I(inode)->i_otime_nsec); + /* * We do not need to set the nbytes field, in fact during a fast fsync * its value may not even be correct, since a fast fsync does not wait

1 month

2
2
0 0

FAILED: patch "[PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d2845519b0723c5d5a0266cbf410495f9b8fd65c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081859-buckskin-outwit-e0f0@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d2845519b0723c5d5a0266cbf410495f9b8fd65c Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Wed, 23 Jul 2025 14:19:44 +0200 Subject: [PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags argument to xfs_inobt_walk, which expects the XFS_IWALK* flags. Currently passing the wrong flags works for non-debug builds because the only XFS_IWALK* flag has the same encoding as the corresponding XFS_IBULK* flag, but in debug builds it can trigger an assert that no incorrect flag is passed. Instead just extra the relevant flag. Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags") Cc: <stable(a)vger.kernel.org> # v5.19 Reported-by: cen zhang <zzzccc427(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c index c8c9b8d8309f..5116842420b2 100644 --- a/fs/xfs/xfs_itable.c +++ b/fs/xfs/xfs_itable.c @@ -447,17 +447,21 @@ xfs_inumbers( .breq = breq, }; struct xfs_trans *tp; + unsigned int iwalk_flags = 0; int error = 0; if (xfs_bulkstat_already_done(breq->mp, breq->startino)) return 0; + if (breq->flags & XFS_IBULK_SAME_AG) + iwalk_flags |= XFS_IWALK_SAME_AG; + /* * Grab an empty transaction so that we can use its recursive buffer * locking abilities to detect cycles in the inobt without deadlocking. */ tp = xfs_trans_alloc_empty(breq->mp); - error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags, + error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags, xfs_inumbers_walk, breq->icount, &ic); xfs_trans_cancel(tp);

1 month

2
1
0 0

+ mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/mremap: fix WARN with uffd that has remap events disabled has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/mremap: fix WARN with uffd that has remap events disabled Date: Mon, 18 Aug 2025 19:53:58 +0200 Registering userfaultd on a VMA that spans at least one PMD and then mremap()'ing that VMA can trigger a WARN when recovering from a failed page table move due to a page table allocation error. The code ends up doing the right thing (recurse, avoiding moving actual page tables), but triggering that WARN is unpleasant: WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline] WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline] WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852 Modules linked in: CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline] RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline] RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852 Code: ... RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645 RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007 RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000 FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0 Call Trace: <TASK> copy_vma_and_data+0x468/0x790 mm/mremap.c:1215 move_vma+0x548/0x1780 mm/mremap.c:1282 mremap_to+0x1b7/0x450 mm/mremap.c:1406 do_mremap+0xfad/0x1f80 mm/mremap.c:1921 __do_sys_mremap+0x119/0x170 mm/mremap.c:1977 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f00d0b8ebe9 Code: ... RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019 RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9 RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000 RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002 R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005 </TASK> The underlying issue is that we recurse during the original page table move, but not during the recovery move. Fix it by checking for both VMAs and performing the check before the pmd_none() sanity check. Add a new helper where we perform+document that check for the PMD and PUD level. Thanks to Harry for bisecting. Link: https://lkml.kernel.org/r/20250818175358.1184757-1-david@redhat.com Fixes: 0cef0bb836e ("mm: clear uffd-wp PTE/PMD state on mremap()") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: syzbot+4d9a13f0797c46a29e42(a)syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/689bb893.050a0220.7f033.013a.GAE@google.com Cc: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: Pedro Falcato <pfalcato(a)suse.de> Cc: Harry Yoo <harry.yoo(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mremap.c | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) --- a/mm/mremap.c~mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled +++ a/mm/mremap.c @@ -323,6 +323,25 @@ static inline bool arch_supports_page_ta } #endif +static inline bool uffd_supports_page_table_move(struct pagetable_move_control *pmc) +{ + /* + * If we are moving a VMA that has uffd-wp registered but with + * remap events disabled (new VMA will not be registered with uffd), we + * need to ensure that the uffd-wp state is cleared from all pgtables. + * This means recursing into lower page tables in move_page_tables(). + * + * We might get called with VMAs reversed when recovering from a + * failed page table move. In that case, the + * "old"-but-actually-"originally new" VMA during recovery will not have + * a uffd context. Recursing into lower page tables during the original + * move but not during the recovery move will cause trouble, because we + * run into already-existing page tables. So check both VMAs. + */ + return !vma_has_uffd_without_event_remap(pmc->old) && + !vma_has_uffd_without_event_remap(pmc->new); +} + #ifdef CONFIG_HAVE_MOVE_PMD static bool move_normal_pmd(struct pagetable_move_control *pmc, pmd_t *old_pmd, pmd_t *new_pmd) @@ -335,6 +354,8 @@ static bool move_normal_pmd(struct paget if (!arch_supports_page_table_move()) return false; + if (!uffd_supports_page_table_move(pmc)) + return false; /* * The destination pmd shouldn't be established, free_pgtables() * should have released it. @@ -361,15 +382,6 @@ static bool move_normal_pmd(struct paget if (WARN_ON_ONCE(!pmd_none(*new_pmd))) return false; - /* If this pmd belongs to a uffd vma with remap events disabled, we need - * to ensure that the uffd-wp state is cleared from all pgtables. This - * means recursing into lower page tables in move_page_tables(), and we - * can reuse the existing code if we simply treat the entry as "not - * moved". - */ - if (vma_has_uffd_without_event_remap(vma)) - return false; - /* * We don't have to worry about the ordering of src and dst * ptlocks because exclusive mmap_lock prevents deadlock. @@ -418,6 +430,8 @@ static bool move_normal_pud(struct paget if (!arch_supports_page_table_move()) return false; + if (!uffd_supports_page_table_move(pmc)) + return false; /* * The destination pud shouldn't be established, free_pgtables() * should have released it. @@ -425,15 +439,6 @@ static bool move_normal_pud(struct paget if (WARN_ON_ONCE(!pud_none(*new_pud))) return false; - /* If this pud belongs to a uffd vma with remap events disabled, we need - * to ensure that the uffd-wp state is cleared from all pgtables. This - * means recursing into lower page tables in move_page_tables(), and we - * can reuse the existing code if we simply treat the entry as "not - * moved". - */ - if (vma_has_uffd_without_event_remap(vma)) - return false; - /* * We don't have to worry about the ordering of src and dst * ptlocks because exclusive mmap_lock prevents deadlock. _ Patches currently in -mm which might be from david(a)redhat.com are mm-mremap-fix-warn-with-uffd-that-has-remap-events-disabled.patch mm-migrate-remove-migratepage_unmap.patch treewide-remove-migratepage_success.patch mm-huge_memory-move-more-common-code-into-insert_pmd.patch mm-huge_memory-move-more-common-code-into-insert_pud.patch mm-huge_memory-support-huge-zero-folio-in-vmf_insert_folio_pmd.patch fs-dax-use-vmf_insert_folio_pmd-to-insert-the-huge-zero-folio.patch mm-huge_memory-mark-pmd-mappings-of-the-huge-zero-folio-special.patch powerpc-ptdump-rename-struct-pgtable_level-to-struct-ptdump_pglevel.patch mm-rmap-convert-enum-rmap_level-to-enum-pgtable_level.patch mm-memory-convert-print_bad_pte-to-print_bad_page_map.patch mm-memory-factor-out-common-code-from-vm_normal_page_.patch mm-introduce-and-use-vm_normal_page_pud.patch mm-rename-vm_ops-find_special_page-to-vm_ops-find_normal_page.patch prctl-extend-pr_set_thp_disable-to-optionally-exclude-vm_hugepage.patch mm-huge_memory-convert-tva_flags-to-enum-tva_type.patch mm-huge_memory-respect-madv_collapse-with-pr_thp_disable_except_advised.patch

1 month

1
0
0 0

FAILED: patch "[PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x d2845519b0723c5d5a0266cbf410495f9b8fd65c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081858-issuing-conclude-4ff3@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d2845519b0723c5d5a0266cbf410495f9b8fd65c Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Wed, 23 Jul 2025 14:19:44 +0200 Subject: [PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags argument to xfs_inobt_walk, which expects the XFS_IWALK* flags. Currently passing the wrong flags works for non-debug builds because the only XFS_IWALK* flag has the same encoding as the corresponding XFS_IBULK* flag, but in debug builds it can trigger an assert that no incorrect flag is passed. Instead just extra the relevant flag. Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags") Cc: <stable(a)vger.kernel.org> # v5.19 Reported-by: cen zhang <zzzccc427(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c index c8c9b8d8309f..5116842420b2 100644 --- a/fs/xfs/xfs_itable.c +++ b/fs/xfs/xfs_itable.c @@ -447,17 +447,21 @@ xfs_inumbers( .breq = breq, }; struct xfs_trans *tp; + unsigned int iwalk_flags = 0; int error = 0; if (xfs_bulkstat_already_done(breq->mp, breq->startino)) return 0; + if (breq->flags & XFS_IBULK_SAME_AG) + iwalk_flags |= XFS_IWALK_SAME_AG; + /* * Grab an empty transaction so that we can use its recursive buffer * locking abilities to detect cycles in the inobt without deadlocking. */ tp = xfs_trans_alloc_empty(breq->mp); - error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags, + error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags, xfs_inumbers_walk, breq->icount, &ic); xfs_trans_cancel(tp);

1 month

2
2
0 0

FAILED: patch "[PATCH] btrfs: send: use fallocate for hole punching with send stream" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 005b0a0c24e1628313e951516b675109a92cacfe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081840-stomp-enhance-b456@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 005b0a0c24e1628313e951516b675109a92cacfe Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 18 Jul 2025 13:07:29 +0100 Subject: [PATCH] btrfs: send: use fallocate for hole punching with send stream v2 Currently holes are sent as writes full of zeroes, which results in unnecessarily using disk space at the receiving end and increasing the stream size. In some cases we avoid sending writes of zeroes, like during a full send operation where we just skip writes for holes. But for some cases we fill previous holes with writes of zeroes too, like in this scenario: 1) We have a file with a hole in the range [2M, 3M), we snapshot the subvolume and do a full send. The range [2M, 3M) stays as a hole at the receiver since we skip sending write commands full of zeroes; 2) We punch a hole for the range [3M, 4M) in our file, so that now it has a 2M hole in the range [2M, 4M), and snapshot the subvolume. Now if we do an incremental send, we will send write commands full of zeroes for the range [2M, 4M), removing the hole for [2M, 3M) at the receiver. We could improve cases such as this last one by doing additional comparisons of file extent items (or their absence) between the parent and send snapshots, but that's a lot of code to add plus additional CPU and IO costs. Since the send stream v2 already has a fallocate command and btrfs-progs implements a callback to execute fallocate since the send stream v2 support was added to it, update the kernel to use fallocate for punching holes for V2+ streams. Test coverage is provided by btrfs/284 which is a version of btrfs/007 that exercises send stream v2 instead of v1, using fsstress with random operations and fssum to verify file contents. Link: https://github.com/kdave/btrfs-progs/issues/1001 CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 09822e766e41..7664025a5af4 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -4,6 +4,7 @@ */ #include <linux/bsearch.h> +#include <linux/falloc.h> #include <linux/fs.h> #include <linux/file.h> #include <linux/sort.h> @@ -5405,6 +5406,30 @@ static int send_update_extent(struct send_ctx *sctx, return ret; } +static int send_fallocate(struct send_ctx *sctx, u32 mode, u64 offset, u64 len) +{ + struct fs_path *path; + int ret; + + path = get_cur_inode_path(sctx); + if (IS_ERR(path)) + return PTR_ERR(path); + + ret = begin_cmd(sctx, BTRFS_SEND_C_FALLOCATE); + if (ret < 0) + return ret; + + TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, path); + TLV_PUT_U32(sctx, BTRFS_SEND_A_FALLOCATE_MODE, mode); + TLV_PUT_U64(sctx, BTRFS_SEND_A_FILE_OFFSET, offset); + TLV_PUT_U64(sctx, BTRFS_SEND_A_SIZE, len); + + ret = send_cmd(sctx); + +tlv_put_failure: + return ret; +} + static int send_hole(struct send_ctx *sctx, u64 end) { struct fs_path *p = NULL; @@ -5412,6 +5437,14 @@ static int send_hole(struct send_ctx *sctx, u64 end) u64 offset = sctx->cur_inode_last_extent; int ret = 0; + /* + * Starting with send stream v2 we have fallocate and can use it to + * punch holes instead of sending writes full of zeroes. + */ + if (proto_cmd_ok(sctx, BTRFS_SEND_C_FALLOCATE)) + return send_fallocate(sctx, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, + offset, end - offset); + /* * A hole that starts at EOF or beyond it. Since we do not yet support * fallocate (for extent preallocation and hole punching), sending a

1 month

2
7
0 0

[PATCH AUTOSEL 6.12 01/69] usb: xhci: print xhci->xhc_state when queue_command failed

by Sasha Levin

From: Su Hui <suhui(a)nfschina.com> [ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ] When encounters some errors like these: xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment usb usb5-port6: couldn't allocate usb_device It's hard to know whether xhc_state is dying or halted. So it's better to print xhc_state's value which can help locate the resaon of the bug. Signed-off-by: Su Hui <suhui(a)nfschina.com> Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **Backport Status: YES** This commit is suitable for backporting to stable kernel trees for the following reasons: 1. **Enhanced Debugging for Real-World Issues**: The commit improves debugging of USB xHCI host controller failures by printing the actual `xhc_state` value when `queue_command` fails. The commit message shows real error messages users encounter ("xHCI dying or halted, can't queue_command"), demonstrating this is a real-world debugging problem. 2. **Minimal and Safe Change**: The change is extremely small and safe - it only modifies a debug print statement from: ```c xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n"); ``` to: ```c xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n", xhci->xhc_state); ``` 3. **No Functional Changes**: This is a pure diagnostic improvement. It doesn't change any logic, control flow, or data structures. It only adds the state value (0x%x format) to an existing debug message. 4. **Important for Troubleshooting**: The xHCI driver is critical for USB functionality, and when it fails with "dying or halted" states, knowing the exact state helps diagnose whether: - `XHCI_STATE_DYING` (0x1) - controller is dying - `XHCI_STATE_HALTED` (0x2) - controller is halted - Both states (0x3) - controller has both flags set This distinction is valuable for debugging hardware issues, driver bugs, or system problems. 5. **Zero Risk of Regression**: Adding a parameter to a debug print statement has no risk of introducing regressions. The worst case is the debug message prints the state value. 6. **Follows Stable Rules**: This meets stable kernel criteria as it: - Fixes a real debugging limitation - Is obviously correct - Has been tested (signed-off and accepted by Greg KH) - Is small (single line change) - Doesn't add new features, just improves existing diagnostics The commit helps system administrators and developers diagnose USB issues more effectively by providing the actual state value rather than just saying "dying or halted", making it a valuable debugging enhancement for stable kernels. drivers/usb/host/xhci-ring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 2ff8787f753c..19978f02bb9e 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -4378,7 +4378,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, if ((xhci->xhc_state & XHCI_STATE_DYING) || (xhci->xhc_state & XHCI_STATE_HALTED)) { - xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n"); + xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n", + xhci->xhc_state); return -ESHUTDOWN; } -- 2.39.5

1 month

2
70
0 0

FAILED: patch "[PATCH] btrfs: zoned: requeue to unused block group list if zone" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 62be7afcc13b2727bdc6a4c91aefed6b452e6ecc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081853-parrot-skeleton-78e1@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 62be7afcc13b2727bdc6a4c91aefed6b452e6ecc Mon Sep 17 00:00:00 2001 From: Naohiro Aota <naohiro.aota(a)wdc.com> Date: Sun, 29 Jun 2025 23:18:29 +0900 Subject: [PATCH] btrfs: zoned: requeue to unused block group list if zone finish failed btrfs_zone_finish() can fail for several reason. If it is -EAGAIN, we need to try it again later. So, put the block group to the retry list properly. Failing to do so will keep the removable block group intact until remount and can causes unnecessary ENOSPC. Fixes: 74e91b12b115 ("btrfs: zoned: zone finish unused block group") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index 3ddf9fe52b9d..47c6d040176c 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -1639,8 +1639,10 @@ void btrfs_delete_unused_bgs(struct btrfs_fs_info *fs_info) ret = btrfs_zone_finish(block_group); if (ret < 0) { btrfs_dec_block_group_ro(block_group); - if (ret == -EAGAIN) + if (ret == -EAGAIN) { + btrfs_link_bg_list(block_group, &retry_list); ret = 0; + } goto next; }

1 month

2
3
0 0

FAILED: patch "[PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x d2845519b0723c5d5a0266cbf410495f9b8fd65c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081857-glitter-hummus-4836@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d2845519b0723c5d5a0266cbf410495f9b8fd65c Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Wed, 23 Jul 2025 14:19:44 +0200 Subject: [PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags argument to xfs_inobt_walk, which expects the XFS_IWALK* flags. Currently passing the wrong flags works for non-debug builds because the only XFS_IWALK* flag has the same encoding as the corresponding XFS_IBULK* flag, but in debug builds it can trigger an assert that no incorrect flag is passed. Instead just extra the relevant flag. Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags") Cc: <stable(a)vger.kernel.org> # v5.19 Reported-by: cen zhang <zzzccc427(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c index c8c9b8d8309f..5116842420b2 100644 --- a/fs/xfs/xfs_itable.c +++ b/fs/xfs/xfs_itable.c @@ -447,17 +447,21 @@ xfs_inumbers( .breq = breq, }; struct xfs_trans *tp; + unsigned int iwalk_flags = 0; int error = 0; if (xfs_bulkstat_already_done(breq->mp, breq->startino)) return 0; + if (breq->flags & XFS_IBULK_SAME_AG) + iwalk_flags |= XFS_IWALK_SAME_AG; + /* * Grab an empty transaction so that we can use its recursive buffer * locking abilities to detect cycles in the inobt without deadlocking. */ tp = xfs_trans_alloc_empty(breq->mp); - error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags, + error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags, xfs_inumbers_walk, breq->icount, &ic); xfs_trans_cancel(tp);

1 month

2
5
0 0

FAILED: patch "[PATCH] btrfs: abort transaction on unexpected eb generation at" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081821-debating-askew-bf1e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 19 May 2025 11:07:29 +0100 Subject: [PATCH] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Daniel Vacek <neelx(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index ae6cd77282f5..a5ee6ce312cf 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -283,7 +283,14 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid); - WARN_ON(btrfs_header_generation(buf) > trans->transid); + if (unlikely(btrfs_header_generation(buf) > trans->transid)) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + ret = -EUCLEAN; + btrfs_abort_transaction(trans, ret); + return ret; + } + if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID) { ret = btrfs_inc_ref(trans, root, cow, 1); if (ret)

1 month

2
1
0 0

FAILED: patch "[PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x d2845519b0723c5d5a0266cbf410495f9b8fd65c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081857-swerve-preschool-2c2c@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d2845519b0723c5d5a0266cbf410495f9b8fd65c Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Wed, 23 Jul 2025 14:19:44 +0200 Subject: [PATCH] xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags argument to xfs_inobt_walk, which expects the XFS_IWALK* flags. Currently passing the wrong flags works for non-debug builds because the only XFS_IWALK* flag has the same encoding as the corresponding XFS_IBULK* flag, but in debug builds it can trigger an assert that no incorrect flag is passed. Instead just extra the relevant flag. Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags") Cc: <stable(a)vger.kernel.org> # v5.19 Reported-by: cen zhang <zzzccc427(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c index c8c9b8d8309f..5116842420b2 100644 --- a/fs/xfs/xfs_itable.c +++ b/fs/xfs/xfs_itable.c @@ -447,17 +447,21 @@ xfs_inumbers( .breq = breq, }; struct xfs_trans *tp; + unsigned int iwalk_flags = 0; int error = 0; if (xfs_bulkstat_already_done(breq->mp, breq->startino)) return 0; + if (breq->flags & XFS_IBULK_SAME_AG) + iwalk_flags |= XFS_IWALK_SAME_AG; + /* * Grab an empty transaction so that we can use its recursive buffer * locking abilities to detect cycles in the inobt without deadlocking. */ tp = xfs_trans_alloc_empty(breq->mp); - error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags, + error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags, xfs_inumbers_walk, breq->icount, &ic); xfs_trans_cancel(tp);

1 month

2
5
0 0

FAILED: patch "[PATCH] btrfs: fix subpage deadlock in" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x ad580dfa388fabb52af033e3f8cc5d04be985e54 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081814-monsoon-supermom-44bb@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ad580dfa388fabb52af033e3f8cc5d04be985e54 Mon Sep 17 00:00:00 2001 From: Leo Martins <loemra.dev(a)gmail.com> Date: Mon, 21 Jul 2025 10:49:16 -0700 Subject: [PATCH] btrfs: fix subpage deadlock in try_release_subpage_extent_buffer() There is a potential deadlock that can happen in try_release_subpage_extent_buffer() because the irq-safe xarray spin lock fs_info->buffer_tree is being acquired before the irq-unsafe eb->refs_lock. This leads to the potential race: // T1 (random eb->refs user) // T2 (release folio) spin_lock(&eb->refs_lock); // interrupt end_bbio_meta_write() btrfs_meta_folio_clear_writeback() btree_release_folio() folio_test_writeback() //false try_release_extent_buffer() try_release_subpage_extent_buffer() xa_lock_irq(&fs_info->buffer_tree) spin_lock(&eb->refs_lock); // blocked; held by T1 buffer_tree_clear_mark() xas_lock_irqsave() // blocked; held by T2 I believe that the spin lock can safely be replaced by an rcu_read_lock. The xa_for_each loop does not need the spin lock as it's already internally protected by the rcu_read_lock. The extent buffer is also protected by the rcu_read_lock so it won't be freed before we take the eb->refs_lock and check the ref count. The rcu_read_lock is taken and released every iteration, just like the spin lock, which means we're not protected against concurrent insertions into the xarray. This is fine because we rely on folio->private to detect if there are any ebs remaining in the folio. There is already some precedent for this with find_extent_buffer_nolock, which loads an extent buffer from the xarray with only rcu_read_lock. lockdep warning: ===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 6.16.0-0_fbk701_debug_rc0_123_g4c06e63b9203 #1 Tainted: G E N ----------------------------------------------------- kswapd0/66 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: ffff000011ffd600 (&eb->refs_lock){+.+.}-{3:3}, at: try_release_extent_buffer+0x18c/0x560 and this task is already holding: ffff0000c1d91b88 (&buffer_xa_class){-.-.}-{3:3}, at: try_release_extent_buffer+0x13c/0x560 which would create a new lock dependency: (&buffer_xa_class){-.-.}-{3:3} -> (&eb->refs_lock){+.+.}-{3:3} but this new dependency connects a HARDIRQ-irq-safe lock: (&buffer_xa_class){-.-.}-{3:3} ... which became HARDIRQ-irq-safe at: lock_acquire+0x178/0x358 _raw_spin_lock_irqsave+0x60/0x88 buffer_tree_clear_mark+0xc4/0x160 end_bbio_meta_write+0x238/0x398 btrfs_bio_end_io+0x1f8/0x330 btrfs_orig_write_end_io+0x1c4/0x2c0 bio_endio+0x63c/0x678 blk_update_request+0x1c4/0xa00 blk_mq_end_request+0x54/0x88 virtblk_request_done+0x124/0x1d0 blk_mq_complete_request+0x84/0xa0 virtblk_done+0x130/0x238 vring_interrupt+0x130/0x288 __handle_irq_event_percpu+0x1e8/0x708 handle_irq_event+0x98/0x1b0 handle_fasteoi_irq+0x264/0x7c0 generic_handle_domain_irq+0xa4/0x108 gic_handle_irq+0x7c/0x1a0 do_interrupt_handler+0xe4/0x148 el1_interrupt+0x30/0x50 el1h_64_irq_handler+0x14/0x20 el1h_64_irq+0x6c/0x70 _raw_spin_unlock_irq+0x38/0x70 __run_timer_base+0xdc/0x5e0 run_timer_softirq+0xa0/0x138 handle_softirqs.llvm.13542289750107964195+0x32c/0xbd0 ____do_softirq.llvm.17674514681856217165+0x18/0x28 call_on_irq_stack+0x24/0x30 __irq_exit_rcu+0x164/0x430 irq_exit_rcu+0x18/0x88 el1_interrupt+0x34/0x50 el1h_64_irq_handler+0x14/0x20 el1h_64_irq+0x6c/0x70 arch_local_irq_enable+0x4/0x8 do_idle+0x1a0/0x3b8 cpu_startup_entry+0x60/0x80 rest_init+0x204/0x228 start_kernel+0x394/0x3f0 __primary_switched+0x8c/0x8958 to a HARDIRQ-irq-unsafe lock: (&eb->refs_lock){+.+.}-{3:3} ... which became HARDIRQ-irq-unsafe at: ... lock_acquire+0x178/0x358 _raw_spin_lock+0x4c/0x68 free_extent_buffer_stale+0x2c/0x170 btrfs_read_sys_array+0x1b0/0x338 open_ctree+0xeb0/0x1df8 btrfs_get_tree+0xb60/0x1110 vfs_get_tree+0x8c/0x250 fc_mount+0x20/0x98 btrfs_get_tree+0x4a4/0x1110 vfs_get_tree+0x8c/0x250 do_new_mount+0x1e0/0x6c0 path_mount+0x4ec/0xa58 __arm64_sys_mount+0x370/0x490 invoke_syscall+0x6c/0x208 el0_svc_common+0x14c/0x1b8 do_el0_svc+0x4c/0x60 el0_svc+0x4c/0x160 el0t_64_sync_handler+0x70/0x100 el0t_64_sync+0x168/0x170 other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&eb->refs_lock); local_irq_disable(); lock(&buffer_xa_class); lock(&eb->refs_lock); <Interrupt> lock(&buffer_xa_class); *** DEADLOCK *** 2 locks held by kswapd0/66: #0: ffff800085506e40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0xe8/0xe50 #1: ffff0000c1d91b88 (&buffer_xa_class){-.-.}-{3:3}, at: try_release_extent_buffer+0x13c/0x560 Link: https://www.kernel.org/doc/Documentation/locking/lockdep-design.rst#:~:text… Fixes: 19d7f65f032f ("btrfs: convert the buffer_radix to an xarray") CC: stable(a)vger.kernel.org # 6.16+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Leo Martins <loemra.dev(a)gmail.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 835b0deef9bb..f23d75986947 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -4331,15 +4331,18 @@ static int try_release_subpage_extent_buffer(struct folio *folio) unsigned long end = index + (PAGE_SIZE >> fs_info->nodesize_bits) - 1; int ret; - xa_lock_irq(&fs_info->buffer_tree); + rcu_read_lock(); xa_for_each_range(&fs_info->buffer_tree, index, eb, start, end) { /* * The same as try_release_extent_buffer(), to ensure the eb * won't disappear out from under us. */ spin_lock(&eb->refs_lock); + rcu_read_unlock(); + if (refcount_read(&eb->refs) != 1 || extent_buffer_under_io(eb)) { spin_unlock(&eb->refs_lock); + rcu_read_lock(); continue; } @@ -4358,11 +4361,10 @@ static int try_release_subpage_extent_buffer(struct folio *folio) * check the folio private at the end. And * release_extent_buffer() will release the refs_lock. */ - xa_unlock_irq(&fs_info->buffer_tree); release_extent_buffer(eb); - xa_lock_irq(&fs_info->buffer_tree); + rcu_read_lock(); } - xa_unlock_irq(&fs_info->buffer_tree); + rcu_read_unlock(); /* * Finally to check if we have cleared folio private, as if we have @@ -4375,7 +4377,6 @@ static int try_release_subpage_extent_buffer(struct folio *folio) ret = 0; spin_unlock(&folio->mapping->i_private_lock); return ret; - } int try_release_extent_buffer(struct folio *folio)

1 month

2
4
0 0

FAILED: patch "[PATCH] btrfs: abort transaction on unexpected eb generation at" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081821-startling-skiing-ca6d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 19 May 2025 11:07:29 +0100 Subject: [PATCH] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Daniel Vacek <neelx(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index ae6cd77282f5..a5ee6ce312cf 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -283,7 +283,14 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid); - WARN_ON(btrfs_header_generation(buf) > trans->transid); + if (unlikely(btrfs_header_generation(buf) > trans->transid)) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + ret = -EUCLEAN; + btrfs_abort_transaction(trans, ret); + return ret; + } + if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID) { ret = btrfs_inc_ref(trans, root, cow, 1); if (ret)

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: abort transaction on unexpected eb generation at" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081815-strut-suspend-7a53@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 19 May 2025 11:07:29 +0100 Subject: [PATCH] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Daniel Vacek <neelx(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index ae6cd77282f5..a5ee6ce312cf 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -283,7 +283,14 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid); - WARN_ON(btrfs_header_generation(buf) > trans->transid); + if (unlikely(btrfs_header_generation(buf) > trans->transid)) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + ret = -EUCLEAN; + btrfs_abort_transaction(trans, ret); + return ret; + } + if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID) { ret = btrfs_inc_ref(trans, root, cow, 1); if (ret)

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: always abort transaction on failure to add block group" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1f06c942aa709d397cf6bed577a0d10a61509667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081810-washer-purchase-bdf5@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1f06c942aa709d397cf6bed577a0d10a61509667 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Sat, 7 Jun 2025 19:44:03 +0100 Subject: [PATCH] btrfs: always abort transaction on failure to add block group to free space tree Only one of the callers of __add_block_group_free_space() aborts the transaction if the call fails, while the others don't do it and it's either never done up the call chain or much higher in the call chain. So make sure we abort the transaction at __add_block_group_free_space() if it fails, which brings a couple benefits: 1) If some call chain never aborts the transaction, we avoid having some metadata inconsistency because BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE is cleared when we enter __add_block_group_free_space() and therefore __add_block_group_free_space() is never called again to add the block group items to the free space tree, since the function is only called when that flag is set in a block group; 2) If the call chain already aborts the transaction, then we get a better trace that points to the exact step from __add_block_group_free_space() which failed, which is better for analysis. So abort the transaction at __add_block_group_free_space() if any of its steps fails. CC: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c index 9eb9858e8e99..af005fb4b676 100644 --- a/fs/btrfs/free-space-tree.c +++ b/fs/btrfs/free-space-tree.c @@ -1431,12 +1431,17 @@ static int __add_block_group_free_space(struct btrfs_trans_handle *trans, set_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &block_group->runtime_flags); ret = add_new_free_space_info(trans, block_group, path); - if (ret) + if (ret) { + btrfs_abort_transaction(trans, ret); return ret; + } - return __add_to_free_space_tree(trans, block_group, path, - block_group->start, - block_group->length); + ret = __add_to_free_space_tree(trans, block_group, path, + block_group->start, block_group->length); + if (ret) + btrfs_abort_transaction(trans, ret); + + return 0; } int add_block_group_free_space(struct btrfs_trans_handle *trans, @@ -1461,9 +1466,6 @@ int add_block_group_free_space(struct btrfs_trans_handle *trans, } ret = __add_block_group_free_space(trans, block_group, path); - if (ret) - btrfs_abort_transaction(trans, ret); - out: btrfs_free_path(path); mutex_unlock(&block_group->free_space_lock);

1 month

2
2
0 0

FAILED: patch "[PATCH] btrfs: abort transaction on unexpected eb generation at" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081815-mothproof-embody-49e3@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 19 May 2025 11:07:29 +0100 Subject: [PATCH] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Daniel Vacek <neelx(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index ae6cd77282f5..a5ee6ce312cf 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -283,7 +283,14 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid); - WARN_ON(btrfs_header_generation(buf) > trans->transid); + if (unlikely(btrfs_header_generation(buf) > trans->transid)) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + ret = -EUCLEAN; + btrfs_abort_transaction(trans, ret); + return ret; + } + if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID) { ret = btrfs_inc_ref(trans, root, cow, 1); if (ret)

1 month

2
1
0 0

[PATCH net 0/8] mptcp: misc fixes for v6.17-rc

by Matthieu Baerts (NGI0)

Here are various fixes: - Patch 1: Better handling SKB extension allocation failures. A fix for v5.7. - Patches 2, 3: Avoid resetting MPTCP limits when flushing MPTCP endpoints. With a validation in the selftests. Fixes for v5.7. - Patches 4, 5, 6: Disallow '0' as ADD_ADDR retransmission timeout. With a preparation patch, and a validation in the selftests. Fixes for v5.11. - Patches 8, 9: Fix C23 extension warnings in the selftests, spotted by GCC. Fixes for v6.16. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Christoph Paasch (1): mptcp: drop skb if MPTCP skb extension allocation fails Geliang Tang (3): mptcp: remove duplicate sk_reset_timer call mptcp: disable add_addr retransmission when timeout is 0 selftests: mptcp: disable add_addr retrans in endpoint_tests Matthieu Baerts (NGI0) (4): mptcp: pm: kernel: flush: do not reset ADD_ADDR limit selftests: mptcp: pm: check flush doesn't reset limits selftests: mptcp: connect: fix C23 extension warning selftests: mptcp: sockopt: fix C23 extension warning Documentation/networking/mptcp-sysctl.rst | 2 ++ net/mptcp/options.c | 6 ++++-- net/mptcp/pm.c | 18 ++++++++++++------ net/mptcp/pm_kernel.c | 1 - tools/testing/selftests/net/mptcp/mptcp_connect.c | 5 +++-- tools/testing/selftests/net/mptcp/mptcp_inq.c | 5 +++-- tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 + tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 5 +++-- tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 + 9 files changed, 29 insertions(+), 15 deletions(-) --- base-commit: 065c31f2c6915b38f45b1c817b31f41f62eaa774 change-id: 20250815-net-mptcp-misc-fixes-6-17-rc2-d18b2437e8d4 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month

4
10
0 0

FAILED: patch "[PATCH] btrfs: always abort transaction on failure to add block group" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1f06c942aa709d397cf6bed577a0d10a61509667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081809-unwatched-rejoicing-21e4@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1f06c942aa709d397cf6bed577a0d10a61509667 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Sat, 7 Jun 2025 19:44:03 +0100 Subject: [PATCH] btrfs: always abort transaction on failure to add block group to free space tree Only one of the callers of __add_block_group_free_space() aborts the transaction if the call fails, while the others don't do it and it's either never done up the call chain or much higher in the call chain. So make sure we abort the transaction at __add_block_group_free_space() if it fails, which brings a couple benefits: 1) If some call chain never aborts the transaction, we avoid having some metadata inconsistency because BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE is cleared when we enter __add_block_group_free_space() and therefore __add_block_group_free_space() is never called again to add the block group items to the free space tree, since the function is only called when that flag is set in a block group; 2) If the call chain already aborts the transaction, then we get a better trace that points to the exact step from __add_block_group_free_space() which failed, which is better for analysis. So abort the transaction at __add_block_group_free_space() if any of its steps fails. CC: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c index 9eb9858e8e99..af005fb4b676 100644 --- a/fs/btrfs/free-space-tree.c +++ b/fs/btrfs/free-space-tree.c @@ -1431,12 +1431,17 @@ static int __add_block_group_free_space(struct btrfs_trans_handle *trans, set_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &block_group->runtime_flags); ret = add_new_free_space_info(trans, block_group, path); - if (ret) + if (ret) { + btrfs_abort_transaction(trans, ret); return ret; + } - return __add_to_free_space_tree(trans, block_group, path, - block_group->start, - block_group->length); + ret = __add_to_free_space_tree(trans, block_group, path, + block_group->start, block_group->length); + if (ret) + btrfs_abort_transaction(trans, ret); + + return 0; } int add_block_group_free_space(struct btrfs_trans_handle *trans, @@ -1461,9 +1466,6 @@ int add_block_group_free_space(struct btrfs_trans_handle *trans, } ret = __add_block_group_free_space(trans, block_group, path); - if (ret) - btrfs_abort_transaction(trans, ret); - out: btrfs_free_path(path); mutex_unlock(&block_group->free_space_lock);

1 month

2
2
0 0

FAILED: patch "[PATCH] btrfs: abort transaction on unexpected eb generation at" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081814-cotton-endpoint-c7b3@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 19 May 2025 11:07:29 +0100 Subject: [PATCH] btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Daniel Vacek <neelx(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index ae6cd77282f5..a5ee6ce312cf 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -283,7 +283,14 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid); - WARN_ON(btrfs_header_generation(buf) > trans->transid); + if (unlikely(btrfs_header_generation(buf) > trans->transid)) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + ret = -EUCLEAN; + btrfs_abort_transaction(trans, ret); + return ret; + } + if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID) { ret = btrfs_inc_ref(trans, root, cow, 1); if (ret)

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: always abort transaction on failure to add block group" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 1f06c942aa709d397cf6bed577a0d10a61509667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081808-companion-arson-989c@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1f06c942aa709d397cf6bed577a0d10a61509667 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Sat, 7 Jun 2025 19:44:03 +0100 Subject: [PATCH] btrfs: always abort transaction on failure to add block group to free space tree Only one of the callers of __add_block_group_free_space() aborts the transaction if the call fails, while the others don't do it and it's either never done up the call chain or much higher in the call chain. So make sure we abort the transaction at __add_block_group_free_space() if it fails, which brings a couple benefits: 1) If some call chain never aborts the transaction, we avoid having some metadata inconsistency because BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE is cleared when we enter __add_block_group_free_space() and therefore __add_block_group_free_space() is never called again to add the block group items to the free space tree, since the function is only called when that flag is set in a block group; 2) If the call chain already aborts the transaction, then we get a better trace that points to the exact step from __add_block_group_free_space() which failed, which is better for analysis. So abort the transaction at __add_block_group_free_space() if any of its steps fails. CC: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c index 9eb9858e8e99..af005fb4b676 100644 --- a/fs/btrfs/free-space-tree.c +++ b/fs/btrfs/free-space-tree.c @@ -1431,12 +1431,17 @@ static int __add_block_group_free_space(struct btrfs_trans_handle *trans, set_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &block_group->runtime_flags); ret = add_new_free_space_info(trans, block_group, path); - if (ret) + if (ret) { + btrfs_abort_transaction(trans, ret); return ret; + } - return __add_to_free_space_tree(trans, block_group, path, - block_group->start, - block_group->length); + ret = __add_to_free_space_tree(trans, block_group, path, + block_group->start, block_group->length); + if (ret) + btrfs_abort_transaction(trans, ret); + + return 0; } int add_block_group_free_space(struct btrfs_trans_handle *trans, @@ -1461,9 +1466,6 @@ int add_block_group_free_space(struct btrfs_trans_handle *trans, } ret = __add_block_group_free_space(trans, block_group, path); - if (ret) - btrfs_abort_transaction(trans, ret); - out: btrfs_free_path(path); mutex_unlock(&block_group->free_space_lock);

1 month

2
2
0 0

FAILED: patch "[PATCH] btrfs: qgroup: fix race between quota disable and quota" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e1249667750399a48cafcf5945761d39fa584edf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081832-drainable-observant-d242@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1249667750399a48cafcf5945761d39fa584edf Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 30 Jun 2025 13:19:20 +0100 Subject: [PATCH] btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A); 3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock; 4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free. Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled. Reported-by: cen zhang <zzzccc427(a)gmail.com> Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsH… CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index b83d9534adae..310ca2dd9f24 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -636,22 +636,30 @@ bool btrfs_check_quota_leak(const struct btrfs_fs_info *fs_info) /* * This is called from close_ctree() or open_ctree() or btrfs_quota_disable(), - * first two are in single-threaded paths.And for the third one, we have set - * quota_root to be null with qgroup_lock held before, so it is safe to clean - * up the in-memory structures without qgroup_lock held. + * first two are in single-threaded paths. */ void btrfs_free_qgroup_config(struct btrfs_fs_info *fs_info) { struct rb_node *n; struct btrfs_qgroup *qgroup; + /* + * btrfs_quota_disable() can be called concurrently with + * btrfs_qgroup_rescan() -> qgroup_rescan_zero_tracking(), so take the + * lock. + */ + spin_lock(&fs_info->qgroup_lock); while ((n = rb_first(&fs_info->qgroup_tree))) { qgroup = rb_entry(n, struct btrfs_qgroup, node); rb_erase(n, &fs_info->qgroup_tree); __del_qgroup_rb(qgroup); + spin_unlock(&fs_info->qgroup_lock); btrfs_sysfs_del_one_qgroup(fs_info, qgroup); kfree(qgroup); + spin_lock(&fs_info->qgroup_lock); } + spin_unlock(&fs_info->qgroup_lock); + /* * We call btrfs_free_qgroup_config() when unmounting * filesystem and disabling quota, so we set qgroup_ulist @@ -4036,12 +4044,21 @@ btrfs_qgroup_rescan(struct btrfs_fs_info *fs_info) qgroup_rescan_zero_tracking(fs_info); mutex_lock(&fs_info->qgroup_rescan_lock); - fs_info->qgroup_rescan_running = true; - btrfs_queue_work(fs_info->qgroup_rescan_workers, - &fs_info->qgroup_rescan_work); + /* + * The rescan worker is only for full accounting qgroups, check if it's + * enabled as it is pointless to queue it otherwise. A concurrent quota + * disable may also have just cleared BTRFS_FS_QUOTA_ENABLED. + */ + if (btrfs_qgroup_full_accounting(fs_info)) { + fs_info->qgroup_rescan_running = true; + btrfs_queue_work(fs_info->qgroup_rescan_workers, + &fs_info->qgroup_rescan_work); + } else { + ret = -ENOTCONN; + } mutex_unlock(&fs_info->qgroup_rescan_lock); - return 0; + return ret; } int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: always abort transaction on failure to add block group" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 1f06c942aa709d397cf6bed577a0d10a61509667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081808-unneeded-unstuffed-e294@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1f06c942aa709d397cf6bed577a0d10a61509667 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Sat, 7 Jun 2025 19:44:03 +0100 Subject: [PATCH] btrfs: always abort transaction on failure to add block group to free space tree Only one of the callers of __add_block_group_free_space() aborts the transaction if the call fails, while the others don't do it and it's either never done up the call chain or much higher in the call chain. So make sure we abort the transaction at __add_block_group_free_space() if it fails, which brings a couple benefits: 1) If some call chain never aborts the transaction, we avoid having some metadata inconsistency because BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE is cleared when we enter __add_block_group_free_space() and therefore __add_block_group_free_space() is never called again to add the block group items to the free space tree, since the function is only called when that flag is set in a block group; 2) If the call chain already aborts the transaction, then we get a better trace that points to the exact step from __add_block_group_free_space() which failed, which is better for analysis. So abort the transaction at __add_block_group_free_space() if any of its steps fails. CC: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c index 9eb9858e8e99..af005fb4b676 100644 --- a/fs/btrfs/free-space-tree.c +++ b/fs/btrfs/free-space-tree.c @@ -1431,12 +1431,17 @@ static int __add_block_group_free_space(struct btrfs_trans_handle *trans, set_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &block_group->runtime_flags); ret = add_new_free_space_info(trans, block_group, path); - if (ret) + if (ret) { + btrfs_abort_transaction(trans, ret); return ret; + } - return __add_to_free_space_tree(trans, block_group, path, - block_group->start, - block_group->length); + ret = __add_to_free_space_tree(trans, block_group, path, + block_group->start, block_group->length); + if (ret) + btrfs_abort_transaction(trans, ret); + + return 0; } int add_block_group_free_space(struct btrfs_trans_handle *trans, @@ -1461,9 +1466,6 @@ int add_block_group_free_space(struct btrfs_trans_handle *trans, } ret = __add_block_group_free_space(trans, block_group, path); - if (ret) - btrfs_abort_transaction(trans, ret); - out: btrfs_free_path(path); mutex_unlock(&block_group->free_space_lock);

1 month

2
2
0 0

FAILED: patch "[PATCH] btrfs: qgroup: fix race between quota disable and quota" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e1249667750399a48cafcf5945761d39fa584edf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081831-cancel-lunchtime-0e51@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1249667750399a48cafcf5945761d39fa584edf Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 30 Jun 2025 13:19:20 +0100 Subject: [PATCH] btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A); 3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock; 4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free. Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled. Reported-by: cen zhang <zzzccc427(a)gmail.com> Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsH… CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index b83d9534adae..310ca2dd9f24 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -636,22 +636,30 @@ bool btrfs_check_quota_leak(const struct btrfs_fs_info *fs_info) /* * This is called from close_ctree() or open_ctree() or btrfs_quota_disable(), - * first two are in single-threaded paths.And for the third one, we have set - * quota_root to be null with qgroup_lock held before, so it is safe to clean - * up the in-memory structures without qgroup_lock held. + * first two are in single-threaded paths. */ void btrfs_free_qgroup_config(struct btrfs_fs_info *fs_info) { struct rb_node *n; struct btrfs_qgroup *qgroup; + /* + * btrfs_quota_disable() can be called concurrently with + * btrfs_qgroup_rescan() -> qgroup_rescan_zero_tracking(), so take the + * lock. + */ + spin_lock(&fs_info->qgroup_lock); while ((n = rb_first(&fs_info->qgroup_tree))) { qgroup = rb_entry(n, struct btrfs_qgroup, node); rb_erase(n, &fs_info->qgroup_tree); __del_qgroup_rb(qgroup); + spin_unlock(&fs_info->qgroup_lock); btrfs_sysfs_del_one_qgroup(fs_info, qgroup); kfree(qgroup); + spin_lock(&fs_info->qgroup_lock); } + spin_unlock(&fs_info->qgroup_lock); + /* * We call btrfs_free_qgroup_config() when unmounting * filesystem and disabling quota, so we set qgroup_ulist @@ -4036,12 +4044,21 @@ btrfs_qgroup_rescan(struct btrfs_fs_info *fs_info) qgroup_rescan_zero_tracking(fs_info); mutex_lock(&fs_info->qgroup_rescan_lock); - fs_info->qgroup_rescan_running = true; - btrfs_queue_work(fs_info->qgroup_rescan_workers, - &fs_info->qgroup_rescan_work); + /* + * The rescan worker is only for full accounting qgroups, check if it's + * enabled as it is pointless to queue it otherwise. A concurrent quota + * disable may also have just cleared BTRFS_FS_QUOTA_ENABLED. + */ + if (btrfs_qgroup_full_accounting(fs_info)) { + fs_info->qgroup_rescan_running = true; + btrfs_queue_work(fs_info->qgroup_rescan_workers, + &fs_info->qgroup_rescan_work); + } else { + ret = -ENOTCONN; + } mutex_unlock(&fs_info->qgroup_rescan_lock); - return 0; + return ret; } int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: don't ignore inode missing when replaying log tree" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7ebf381a69421a88265d3c49cd0f007ba7336c9d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081805-strongly-container-0be3@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7ebf381a69421a88265d3c49cd0f007ba7336c9d Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Fri, 11 Jul 2025 20:21:28 +0100 Subject: [PATCH] btrfs: don't ignore inode missing when replaying log tree During log replay, at add_inode_ref(), we return -ENOENT if our current inode isn't found on the subvolume tree or if a parent directory isn't found. The error comes from btrfs_iget_logging() <- btrfs_iget() <- btrfs_read_locked_inode(). The single caller of add_inode_ref(), replay_one_buffer(), ignores an -ENOENT error because it expects that error to mean only that a parent directory wasn't found and that is ok. Before commit 5f61b961599a ("btrfs: fix inode lookup error handling during log replay") we were converting any error when getting a parent directory to -ENOENT and any error when getting the current inode to -EIO, so our caller would fail log replay in case we can't find the current inode. After that commit however in case the current inode is not found we return -ENOENT to the caller and therefore it ignores the critical fact that the current inode was not found in the subvolume tree. Fix this by converting -ENOENT to 0 when we don't find a parent directory, returning -ENOENT when we don't find the current inode and making the caller, replay_one_buffer(), not ignore -ENOENT anymore. Fixes: 5f61b961599a ("btrfs: fix inode lookup error handling during log replay") CC: stable(a)vger.kernel.org # 6.16 Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index ab0815d9e7e5..e3c77f3d092c 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -1416,6 +1416,8 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans, dir = btrfs_iget_logging(parent_objectid, root); if (IS_ERR(dir)) { ret = PTR_ERR(dir); + if (ret == -ENOENT) + ret = 0; dir = NULL; goto out; } @@ -1440,6 +1442,15 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans, if (IS_ERR(dir)) { ret = PTR_ERR(dir); dir = NULL; + /* + * A new parent dir may have not been + * logged and not exist in the subvolume + * tree, see the comment above before + * the loop when getting the first + * parent dir. + */ + if (ret == -ENOENT) + ret = 0; goto out; } } @@ -2551,9 +2562,8 @@ static int replay_one_buffer(struct btrfs_root *log, struct extent_buffer *eb, key.type == BTRFS_INODE_EXTREF_KEY) { ret = add_inode_ref(wc->trans, root, log, path, eb, i, &key); - if (ret && ret != -ENOENT) + if (ret) break; - ret = 0; } else if (key.type == BTRFS_EXTENT_DATA_KEY) { ret = replay_one_extent(wc->trans, root, path, eb, i, &key);

1 month

2
1
0 0

FAILED: patch "[PATCH] btrfs: qgroup: fix race between quota disable and quota" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x e1249667750399a48cafcf5945761d39fa584edf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081830-legroom-preshow-e033@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1249667750399a48cafcf5945761d39fa584edf Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 30 Jun 2025 13:19:20 +0100 Subject: [PATCH] btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A); 3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock; 4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free. Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled. Reported-by: cen zhang <zzzccc427(a)gmail.com> Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsH… CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Boris Burkov <boris(a)bur.io> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index b83d9534adae..310ca2dd9f24 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -636,22 +636,30 @@ bool btrfs_check_quota_leak(const struct btrfs_fs_info *fs_info) /* * This is called from close_ctree() or open_ctree() or btrfs_quota_disable(), - * first two are in single-threaded paths.And for the third one, we have set - * quota_root to be null with qgroup_lock held before, so it is safe to clean - * up the in-memory structures without qgroup_lock held. + * first two are in single-threaded paths. */ void btrfs_free_qgroup_config(struct btrfs_fs_info *fs_info) { struct rb_node *n; struct btrfs_qgroup *qgroup; + /* + * btrfs_quota_disable() can be called concurrently with + * btrfs_qgroup_rescan() -> qgroup_rescan_zero_tracking(), so take the + * lock. + */ + spin_lock(&fs_info->qgroup_lock); while ((n = rb_first(&fs_info->qgroup_tree))) { qgroup = rb_entry(n, struct btrfs_qgroup, node); rb_erase(n, &fs_info->qgroup_tree); __del_qgroup_rb(qgroup); + spin_unlock(&fs_info->qgroup_lock); btrfs_sysfs_del_one_qgroup(fs_info, qgroup); kfree(qgroup); + spin_lock(&fs_info->qgroup_lock); } + spin_unlock(&fs_info->qgroup_lock); + /* * We call btrfs_free_qgroup_config() when unmounting * filesystem and disabling quota, so we set qgroup_ulist @@ -4036,12 +4044,21 @@ btrfs_qgroup_rescan(struct btrfs_fs_info *fs_info) qgroup_rescan_zero_tracking(fs_info); mutex_lock(&fs_info->qgroup_rescan_lock); - fs_info->qgroup_rescan_running = true; - btrfs_queue_work(fs_info->qgroup_rescan_workers, - &fs_info->qgroup_rescan_work); + /* + * The rescan worker is only for full accounting qgroups, check if it's + * enabled as it is pointless to queue it otherwise. A concurrent quota + * disable may also have just cleared BTRFS_FS_QUOTA_ENABLED. + */ + if (btrfs_qgroup_full_accounting(fs_info)) { + fs_info->qgroup_rescan_running = true; + btrfs_queue_work(fs_info->qgroup_rescan_workers, + &fs_info->qgroup_rescan_work); + } else { + ret = -ENOTCONN; + } mutex_unlock(&fs_info->qgroup_rescan_lock); - return 0; + return ret; } int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,

1 month

2
2
0 0

FAILED: patch "[PATCH] cdc-acm: fix race between initial clearing halt and open" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 64690a90cd7c6db16d3af8616be1f4bf8d492850 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081847-user-synthesis-c726@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 64690a90cd7c6db16d3af8616be1f4bf8d492850 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Thu, 17 Jul 2025 16:12:50 +0200 Subject: [PATCH] cdc-acm: fix race between initial clearing halt and open On the devices that need their endpoints to get an initial clear_halt, this needs to be done before the devices can be opened. That means it needs to be before the devices are registered. Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers") Cc: stable <stable(a)kernel.org> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index c2ecfa3c8349..5a334e370f4d 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1520,6 +1520,12 @@ static int acm_probe(struct usb_interface *intf, goto err_remove_files; } + if (quirks & CLEAR_HALT_CONDITIONS) { + /* errors intentionally ignored */ + usb_clear_halt(usb_dev, acm->in); + usb_clear_halt(usb_dev, acm->out); + } + tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor, &control_interface->dev); if (IS_ERR(tty_dev)) { @@ -1527,11 +1533,6 @@ static int acm_probe(struct usb_interface *intf, goto err_release_data_interface; } - if (quirks & CLEAR_HALT_CONDITIONS) { - usb_clear_halt(usb_dev, acm->in); - usb_clear_halt(usb_dev, acm->out); - } - dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); return 0;

1 month

2
2
0 0

FAILED: patch "[PATCH] usb: typec: fusb302: cache PD RX state" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081835-swaddling-wound-cef8@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 Mon Sep 17 00:00:00 2001 From: Sebastian Reichel <sebastian.reichel(a)collabora.com> Date: Fri, 4 Jul 2025 19:55:06 +0200 Subject: [PATCH] usb: typec: fusb302: cache PD RX state This patch fixes a race condition communication error, which ends up in PD hard resets when losing the race. Some systems, like the Radxa ROCK 5B are powered through USB-C without any backup power source and use a FUSB302 chip to do the PD negotiation. This means it is quite important to avoid hard resets, since that effectively kills the system's power-supply. I've found the following race condition while debugging unplanned power loss during booting the board every now and then: 1. lots of TCPM/FUSB302/PD initialization stuff 2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) 3. the remote PD source does not send anything, so TCPM does a SOFT RESET 4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time (tcpm_set_pd_rx is enabled again, even though it is still on) At this point I've seen broken CRC good messages being send by the FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like messages are being lost and things generally going haywire with one of the two sides doing a hard reset once a broken CRC good message was send to the bus. I think the system is running into a race condition, that the FIFOs are being cleared and/or the automatic good CRC message generation flag is being updated while a message is already arriving. Let's avoid this by caching the PD RX enabled state, as we have already processed anything in the FIFOs and are in a good state. As a side effect that this also optimizes I2C bus usage :) As far as I can tell the problem theoretically also exists when TCPM enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less critical for the following reason: On devices like the ROCK 5B, which are powered through a TCPM backed USB-C port, the bootloader must have done some prior PD communication (initial communication must happen within 5 seconds after plugging the USB-C plug). This means the first time the kernel TCPM state machine reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages actively. On other devices a hard reset simply adds some extra delay and things should be good afterwards. Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/fusb302.c b/drivers/usb/typec/tcpm/fusb302.c index f2801279c4b5..a4ff2403ddd6 100644 --- a/drivers/usb/typec/tcpm/fusb302.c +++ b/drivers/usb/typec/tcpm/fusb302.c @@ -104,6 +104,7 @@ struct fusb302_chip { bool vconn_on; bool vbus_on; bool charge_on; + bool pd_rx_on; bool vbus_present; enum typec_cc_polarity cc_polarity; enum typec_cc_status cc1; @@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) int ret = 0; mutex_lock(&chip->lock); + if (chip->pd_rx_on == on) { + fusb302_log(chip, "pd is already %s", str_on_off(on)); + goto done; + } + ret = fusb302_pd_rx_flush(chip); if (ret < 0) { fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); @@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) str_on_off(on), ret); goto done; } + + chip->pd_rx_on = on; fusb302_log(chip, "pd := %s", str_on_off(on)); done: mutex_unlock(&chip->lock);

1 month

2
1
0 0

FAILED: patch "[PATCH] cdc-acm: fix race between initial clearing halt and open" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 64690a90cd7c6db16d3af8616be1f4bf8d492850 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081847-resident-transform-fcca@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 64690a90cd7c6db16d3af8616be1f4bf8d492850 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Thu, 17 Jul 2025 16:12:50 +0200 Subject: [PATCH] cdc-acm: fix race between initial clearing halt and open On the devices that need their endpoints to get an initial clear_halt, this needs to be done before the devices can be opened. That means it needs to be before the devices are registered. Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers") Cc: stable <stable(a)kernel.org> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index c2ecfa3c8349..5a334e370f4d 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1520,6 +1520,12 @@ static int acm_probe(struct usb_interface *intf, goto err_remove_files; } + if (quirks & CLEAR_HALT_CONDITIONS) { + /* errors intentionally ignored */ + usb_clear_halt(usb_dev, acm->in); + usb_clear_halt(usb_dev, acm->out); + } + tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor, &control_interface->dev); if (IS_ERR(tty_dev)) { @@ -1527,11 +1533,6 @@ static int acm_probe(struct usb_interface *intf, goto err_release_data_interface; } - if (quirks & CLEAR_HALT_CONDITIONS) { - usb_clear_halt(usb_dev, acm->in); - usb_clear_halt(usb_dev, acm->out); - } - dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); return 0;

1 month

2
2
0 0

FAILED: patch "[PATCH] usb: typec: fusb302: cache PD RX state" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081834-staff-ranged-09c8@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 Mon Sep 17 00:00:00 2001 From: Sebastian Reichel <sebastian.reichel(a)collabora.com> Date: Fri, 4 Jul 2025 19:55:06 +0200 Subject: [PATCH] usb: typec: fusb302: cache PD RX state This patch fixes a race condition communication error, which ends up in PD hard resets when losing the race. Some systems, like the Radxa ROCK 5B are powered through USB-C without any backup power source and use a FUSB302 chip to do the PD negotiation. This means it is quite important to avoid hard resets, since that effectively kills the system's power-supply. I've found the following race condition while debugging unplanned power loss during booting the board every now and then: 1. lots of TCPM/FUSB302/PD initialization stuff 2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) 3. the remote PD source does not send anything, so TCPM does a SOFT RESET 4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time (tcpm_set_pd_rx is enabled again, even though it is still on) At this point I've seen broken CRC good messages being send by the FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like messages are being lost and things generally going haywire with one of the two sides doing a hard reset once a broken CRC good message was send to the bus. I think the system is running into a race condition, that the FIFOs are being cleared and/or the automatic good CRC message generation flag is being updated while a message is already arriving. Let's avoid this by caching the PD RX enabled state, as we have already processed anything in the FIFOs and are in a good state. As a side effect that this also optimizes I2C bus usage :) As far as I can tell the problem theoretically also exists when TCPM enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less critical for the following reason: On devices like the ROCK 5B, which are powered through a TCPM backed USB-C port, the bootloader must have done some prior PD communication (initial communication must happen within 5 seconds after plugging the USB-C plug). This means the first time the kernel TCPM state machine reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages actively. On other devices a hard reset simply adds some extra delay and things should be good afterwards. Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/fusb302.c b/drivers/usb/typec/tcpm/fusb302.c index f2801279c4b5..a4ff2403ddd6 100644 --- a/drivers/usb/typec/tcpm/fusb302.c +++ b/drivers/usb/typec/tcpm/fusb302.c @@ -104,6 +104,7 @@ struct fusb302_chip { bool vconn_on; bool vbus_on; bool charge_on; + bool pd_rx_on; bool vbus_present; enum typec_cc_polarity cc_polarity; enum typec_cc_status cc1; @@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) int ret = 0; mutex_lock(&chip->lock); + if (chip->pd_rx_on == on) { + fusb302_log(chip, "pd is already %s", str_on_off(on)); + goto done; + } + ret = fusb302_pd_rx_flush(chip); if (ret < 0) { fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); @@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) str_on_off(on), ret); goto done; } + + chip->pd_rx_on = on; fusb302_log(chip, "pd := %s", str_on_off(on)); done: mutex_unlock(&chip->lock);

1 month

2
1
0 0

[PATCH 6.15 00/92] 6.15.9-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.9 release. There are 92 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 01 Aug 2025 09:32:07 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.9-rc1 Daniel Dadap <ddadap(a)nvidia.com> ALSA: hda: Add missing NVIDIA HDA codec IDs Mohan Kumar D <mkumard(a)nvidia.com> ALSA: hda/tegra: Add Tegra264 support Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> spi: cadence-quadspi: fix cleanup of rx_chan on failure paths RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: typec: tcpm: allow switching to mode accessory to mux properly Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: typec: tcpm: allow to use sink in accessory mode Thomas Zimmermann <tzimmermann(a)suse.de> Revert "drm/gem-shmem: Use dma_buf from GEM object instance" Dmitry Osipenko <dmitry.osipenko(a)collabora.com> drm/shmem-helper: Remove obsoleted is_iomem test Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: Fix SDMA engine reset with logical instance ID Jesse.zhang(a)amd.com <Jesse.zhang(a)amd.com> drm/amdgpu: Implement SDMA soft reset directly for v5.x Jesse.zhang(a)amd.com <Jesse.zhang(a)amd.com> drm/amdgpu: Add the new sdma function pointers for amdgpu_sdma.h Matthew Brost <matthew.brost(a)intel.com> drm/xe: Make WA BB part of LRC BO Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Add tests with stack ptr register in conditional jmp Harry Yoo <harry.yoo(a)oracle.com> mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Jinjiang Tu <tujinjiang(a)huawei.com> mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list Zi Yan <ziy(a)nvidia.com> selftests/mm: fix split_huge_page_test for folio_split() tests Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: also cover checksum Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: also cover alt modes Akinobu Mita <akinobu.mita(a)gmail.com> resource: fix false warning in __request_region() Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> PCI/pwrctrl: Create pwrctrl devices only when CONFIG_PCI_PWRCTRL is enabled Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: reject invalid file types when reading inodes Marco Elver <elver(a)google.com> kasan: use vmalloc_dump_obj() for vmalloc error reports Haoxiang Li <haoxiang_li2024(a)163.com> ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Praveen Kaligineedi <pkaligineedi(a)google.com> gve: Fix stuck TX queue for DQ queue format Jacek Kowalski <jacek(a)jacekk.info> e1000e: ignore uninitialized checksum word on tgp Jacek Kowalski <jacek(a)jacekk.info> e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Ma Ke <make24(a)iscas.ac.cn> dpaa2-switch: Fix device reference count leak in MAC endpoint handling Ma Ke <make24(a)iscas.ac.cn> dpaa2-eth: Fix device reference count leak in MAC endpoint handling Johan Hovold <johan(a)kernel.org> ASoC: mediatek: common: fix device and OF node leak Ada Couprie Diaz <ada.coupriediaz(a)arm.com> arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx Dawid Rezler <dawidrezler.patches(a)gmail.com> ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Stephen Rothwell <sfr(a)canb.auug.org.au> sprintf.h requires stdarg.h Ma Ke <make24(a)iscas.ac.cn> bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Viresh Kumar <viresh.kumar(a)linaro.org> i2c: virtio: Avoid hang by using interruptible completion wait Akhil R <akhilrajeev(a)nvidia.com> i2c: tegra: Fix reset error handling with ACPI Yang Xiwen <forbidden405(a)outlook.com> i2c: qup: jump out of the loop in case of timeout Markus Blöchl <markus(a)blochl.de> timekeeping: Zero initialize system_counterval when querying time from phc drivers Nathan Chancellor <nathan(a)kernel.org> ARM: 9450/1: Fix allowing linker DCE with binutils < 2.36 Nathan Chancellor <nathan(a)kernel.org> ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Nathan Chancellor <nathan(a)kernel.org> mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() Lin.Cao <lincao12(a)amd.com> drm/sched: Remove optimization that causes hang when killing dependent jobs Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> drm/amdgpu: Reset the clear flag in buddy during resume Thomas Zimmermann <tzimmermann(a)suse.de> Revert "drm/gem-dma: Use dma_buf from GEM object instance" Thomas Zimmermann <tzimmermann(a)suse.de> Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance" Thomas Zimmermann <tzimmermann(a)suse.de> Revert "drm/prime: Use dma_buf from GEM object instance" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots Rong Zhang <i(a)rong.moe> platform/x86: ideapad-laptop: Fix FnLock not remembered among boots Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array Jijie Shao <shaojijie(a)huawei.com> net: hns3: default enable tx bounce buffer when smmu enabled Jian Shen <shenjian15(a)huawei.com> net: hns3: fixed vf get max channels bug Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: disable interrupt when ptp init failed Jian Shen <shenjian15(a)huawei.com> net: hns3: fix concurrent setting vlan filter issue Halil Pasic <pasic(a)linux.ibm.com> s390/ism: fix concurrency management in ism_cmd() Nimrod Oren <noren(a)nvidia.com> selftests: drv-net: wait for iperf client to stop sending SHARAN KUMAR M <sharweshraajan(a)gmail.com> ALSA: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop Douglas Anderson <dianders(a)chromium.org> drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() Marc Kleine-Budde <mkl(a)pengutronix.de> can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Xiang Mei <xmei5(a)asu.edu> net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Kito Xu (veritas501) <hxzene(a)gmail.com> net: appletalk: Fix use-after-free in AARP proxy probe Jamie Bainbridge <jamie.bainbridge(a)gmail.com> i40e: When removing VF MAC filters, only check PF-set MAC Dennis Chen <dechen(a)redhat.com> i40e: report VF tx_dropped with tx_errors instead of tx_discards Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch Chiara Meiohas <cmeiohas(a)nvidia.com> net/mlx5: Fix memory leak in cmd_exec() Himanshu Mittal <h-mittal1(a)ti.com> net: ti: icssg-prueth: Fix buffer allocation for ICSSG Guoqing Jiang <guoqing.jiang(a)canonical.com> ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv Eyal Birger <eyal.birger(a)gmail.com> xfrm: interface: fix use-after-free after changing collect_md xfrm interface Fernando Fernandez Mancera <fmancera(a)suse.de> xfrm: ipcomp: adjust transport header after decompressing Tobias Brunner <tobias(a)strongswan.org> xfrm: Set transport header to fix UDP GRO handling Leon Romanovsky <leon(a)kernel.org> xfrm: always initialize offload path Sabrina Dubroca <sd(a)queasysnail.net> xfrm: state: use a consistent pcpu_id in xfrm_state_find Sabrina Dubroca <sd(a)queasysnail.net> xfrm: state: initialize state_ptrs earlier in xfrm_state_find Stefan Wahren <wahrenst(a)gmx.net> staging: vchiq_arm: Make vchiq_shutdown never fail Torsten Hilbrich <torsten.hilbrich(a)secunet.com> platform/x86: Fix initialization order for firmware_attributes_class Nuno Das Neves <nunodasneves(a)linux.microsoft.com> x86/hyperv: Fix usage of cpu_online_mask to get valid cpu Yasumasa Suenaga <yasuenag(a)gmail.com> tools/hv: fcopy: Fix incorrect file path conversion Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Use kstrtobool() to check 0/1 input Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Validate event/enable input Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Remove newline char from event name input Abdun Nihaal <abdun.nihaal(a)gmail.com> regmap: fix potential memory leak of regmap_bus David Lechner <dlechner(a)baylibre.com> iio: adc: ad7949: use spi_is_bpw_supported() Gabor Juhos <j4g8y7(a)gmail.com> interconnect: icc-clk: destroy nodes in case of memory allocation failures Xilin Wu <sophon(a)radxa.com> interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Markus Burri <markus.burri(a)mt.com> iio: fix potential out-of-bound write Maor Gottlieb <maorg(a)nvidia.com> RDMA/core: Rate limit GID cache warning messages Rahul Chandra <rahul(a)chandra.net> platform/x86: asus-nb-wmi: add DMI quirk for ASUS Zenbook Duo UX8406CA Alessandro Carminati <acarmina(a)redhat.com> regulator: core: fix NULL dereference on unbind due to stale coupling data Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Don't allow OLED to go down to fully off Laurent Vivier <lvivier(a)redhat.com> virtio_ring: Fix error reporting in virtqueue_resize Laurent Vivier <lvivier(a)redhat.com> virtio_net: Enforce minimum TX ring size for reliability Xin Li (Intel) <xin(a)zytor.com> x86/traps: Initialize DR7 by writing its architectural reset value ------------- Diffstat: Makefile | 4 +- arch/arm/Kconfig | 2 +- arch/arm/Makefile | 2 +- arch/arm64/include/asm/assembler.h | 5 + arch/arm64/kernel/entry.S | 6 + arch/x86/hyperv/irqdomain.c | 4 +- arch/x86/include/asm/debugreg.h | 19 ++- arch/x86/include/asm/kvm_host.h | 2 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/kgdb.c | 2 +- arch/x86/kernel/process_32.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kvm/x86.c | 4 +- drivers/base/regmap/regmap.c | 2 + drivers/bus/fsl-mc/fsl-mc-bus.c | 19 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.c | 44 +++++- drivers/gpu/drm/amd/amdgpu/amdgpu_sdma.h | 8 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 17 +++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 +- drivers/gpu/drm/drm_buddy.c | 43 ++++++ drivers/gpu/drm/drm_gem_dma_helper.c | 2 +- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 8 +- drivers/gpu/drm/drm_gem_shmem_helper.c | 10 +- drivers/gpu/drm/drm_prime.c | 8 +- drivers/gpu/drm/i915/display/intel_dp.c | 6 + drivers/gpu/drm/scheduler/sched_entity.c | 21 +-- drivers/gpu/drm/xe/xe_lrc.c | 37 ++--- drivers/gpu/drm/xe/xe_lrc_types.h | 3 - drivers/i2c/busses/i2c-qup.c | 4 +- drivers/i2c/busses/i2c-tegra.c | 24 +-- drivers/i2c/busses/i2c-virtio.c | 15 +- drivers/iio/adc/ad7949.c | 7 +- drivers/iio/industrialio-core.c | 5 +- drivers/infiniband/core/cache.c | 4 +- drivers/interconnect/icc-clk.c | 2 + drivers/interconnect/qcom/sc7280.c | 1 + drivers/net/can/dev/dev.c | 12 +- drivers/net/can/dev/netlink.c | 12 ++ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 +- drivers/net/ethernet/google/gve/gve_main.c | 67 +++++---- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 31 ++++ drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 36 +++-- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 9 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 +- drivers/net/ethernet/intel/e1000e/defines.h | 3 + drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 + drivers/net/ethernet/intel/e1000e/nvm.c | 6 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 +- drivers/net/ethernet/intel/ice/ice_ddp.c | 2 + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 108 +++++++------- drivers/net/ethernet/ti/icssg/icssg_config.c | 162 ++++++++++++++------- drivers/net/ethernet/ti/icssg/icssg_config.h | 78 ++++++++-- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 ++- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 2 + drivers/net/ethernet/ti/icssg/icssg_switch_map.h | 3 + drivers/net/virtio_net.c | 6 + drivers/pci/probe.c | 7 + drivers/platform/mellanox/mlxbf-pmc.c | 25 +++- drivers/platform/x86/Makefile | 3 +- drivers/platform/x86/asus-nb-wmi.c | 9 ++ drivers/platform/x86/dell/alienware-wmi-wmax.c | 1 + drivers/platform/x86/ideapad-laptop.c | 4 +- drivers/regulator/core.c | 1 + drivers/s390/net/ism_drv.c | 3 + drivers/spi/spi-cadence-quadspi.c | 5 - .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 3 +- drivers/usb/typec/tcpm/tcpm.c | 64 ++++---- drivers/virtio/virtio_ring.c | 8 +- fs/nilfs2/inode.c | 9 +- include/drm/drm_buddy.h | 2 + include/linux/ism.h | 1 + include/linux/sprintf.h | 1 + include/net/xfrm.h | 2 +- kernel/bpf/verifier.c | 7 +- kernel/resource.c | 5 +- kernel/time/timekeeping.c | 2 +- mm/kasan/report.c | 4 +- mm/ksm.c | 6 +- mm/memory-failure.c | 4 + mm/vmscan.c | 8 + mm/zsmalloc.c | 3 + net/appletalk/aarp.c | 24 ++- net/ipv4/xfrm4_input.c | 3 + net/ipv6/xfrm6_input.c | 3 + net/sched/sch_qfq.c | 7 +- net/xfrm/xfrm_device.c | 1 - net/xfrm/xfrm_interface_core.c | 7 +- net/xfrm/xfrm_ipcomp.c | 2 +- net/xfrm/xfrm_state.c | 29 ++-- net/xfrm/xfrm_user.c | 1 + sound/pci/hda/hda_tegra.c | 51 ++++++- sound/pci/hda/patch_hdmi.c | 20 +++ sound/pci/hda/patch_realtek.c | 4 +- sound/soc/mediatek/common/mtk-soundcard-driver.c | 4 + sound/soc/mediatek/mt8365/mt8365-dai-i2s.c | 3 +- tools/hv/hv_fcopy_uio_daemon.c | 37 ++--- .../selftests/bpf/progs/verifier_precision.c | 53 +++++++ tools/testing/selftests/drivers/net/lib/py/load.py | 23 ++- tools/testing/selftests/mm/split_huge_page_test.c | 3 +- tools/testing/selftests/net/mptcp/Makefile | 3 +- .../selftests/net/mptcp/mptcp_connect_checksum.sh | 5 + .../selftests/net/mptcp/mptcp_connect_mmap.sh | 5 + .../selftests/net/mptcp/mptcp_connect_sendfile.sh | 5 + 109 files changed, 998 insertions(+), 452 deletions(-)

1 month

15
107
0 0

FAILED: patch "[PATCH] usb: typec: fusb302: cache PD RX state" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081833-chatting-dragging-a84b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 Mon Sep 17 00:00:00 2001 From: Sebastian Reichel <sebastian.reichel(a)collabora.com> Date: Fri, 4 Jul 2025 19:55:06 +0200 Subject: [PATCH] usb: typec: fusb302: cache PD RX state This patch fixes a race condition communication error, which ends up in PD hard resets when losing the race. Some systems, like the Radxa ROCK 5B are powered through USB-C without any backup power source and use a FUSB302 chip to do the PD negotiation. This means it is quite important to avoid hard resets, since that effectively kills the system's power-supply. I've found the following race condition while debugging unplanned power loss during booting the board every now and then: 1. lots of TCPM/FUSB302/PD initialization stuff 2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) 3. the remote PD source does not send anything, so TCPM does a SOFT RESET 4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time (tcpm_set_pd_rx is enabled again, even though it is still on) At this point I've seen broken CRC good messages being send by the FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like messages are being lost and things generally going haywire with one of the two sides doing a hard reset once a broken CRC good message was send to the bus. I think the system is running into a race condition, that the FIFOs are being cleared and/or the automatic good CRC message generation flag is being updated while a message is already arriving. Let's avoid this by caching the PD RX enabled state, as we have already processed anything in the FIFOs and are in a good state. As a side effect that this also optimizes I2C bus usage :) As far as I can tell the problem theoretically also exists when TCPM enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less critical for the following reason: On devices like the ROCK 5B, which are powered through a TCPM backed USB-C port, the bootloader must have done some prior PD communication (initial communication must happen within 5 seconds after plugging the USB-C plug). This means the first time the kernel TCPM state machine reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages actively. On other devices a hard reset simply adds some extra delay and things should be good afterwards. Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/fusb302.c b/drivers/usb/typec/tcpm/fusb302.c index f2801279c4b5..a4ff2403ddd6 100644 --- a/drivers/usb/typec/tcpm/fusb302.c +++ b/drivers/usb/typec/tcpm/fusb302.c @@ -104,6 +104,7 @@ struct fusb302_chip { bool vconn_on; bool vbus_on; bool charge_on; + bool pd_rx_on; bool vbus_present; enum typec_cc_polarity cc_polarity; enum typec_cc_status cc1; @@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) int ret = 0; mutex_lock(&chip->lock); + if (chip->pd_rx_on == on) { + fusb302_log(chip, "pd is already %s", str_on_off(on)); + goto done; + } + ret = fusb302_pd_rx_flush(chip); if (ret < 0) { fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); @@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) str_on_off(on), ret); goto done; } + + chip->pd_rx_on = on; fusb302_log(chip, "pd := %s", str_on_off(on)); done: mutex_unlock(&chip->lock);

1 month

2
1
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081849-trio-prepay-4247@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

[PATCH net-next v3 2/5] sctp: Fix MAC comparison to be constant-time

by Eric Biggers

To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- net/sctp/sm_make_chunk.c | 3 ++- net/sctp/sm_statefuns.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 3ead591c72fd3..d099b605e44a7 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -29,10 +29,11 @@ */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include <crypto/hash.h> +#include <crypto/utils.h> #include <linux/types.h> #include <linux/kernel.h> #include <linux/ip.h> #include <linux/ipv6.h> #include <linux/net.h> @@ -1786,11 +1787,11 @@ struct sctp_association *sctp_unpack_cookie( *error = -SCTP_IERROR_NOMEM; goto fail; } } - if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) { + if (crypto_memneq(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) { *error = -SCTP_IERROR_BAD_SIG; goto fail; } no_hmac: diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index a0524ba8d7878..d4d5b14b49b3f 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -28,10 +28,11 @@ * Kevin Gao <kevin.gao(a)intel.com> */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt +#include <crypto/utils.h> #include <linux/types.h> #include <linux/kernel.h> #include <linux/ip.h> #include <linux/ipv6.h> #include <linux/net.h> @@ -4414,11 +4415,11 @@ static enum sctp_ierror sctp_sf_authenticate( sctp_auth_calculate_hmac(asoc, chunk->skb, (struct sctp_auth_chunk *)chunk->chunk_hdr, sh_key, GFP_ATOMIC); /* Discard the packet if the digests do not match */ - if (memcmp(save_digest, digest, sig_len)) { + if (crypto_memneq(save_digest, digest, sig_len)) { kfree(save_digest); return SCTP_IERROR_BAD_SIG; } kfree(save_digest); -- 2.50.1

1 month

1
0
0 0

FAILED: patch "[PATCH] usb: typec: fusb302: cache PD RX state" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081832-rental-utter-f3e1@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 Mon Sep 17 00:00:00 2001 From: Sebastian Reichel <sebastian.reichel(a)collabora.com> Date: Fri, 4 Jul 2025 19:55:06 +0200 Subject: [PATCH] usb: typec: fusb302: cache PD RX state This patch fixes a race condition communication error, which ends up in PD hard resets when losing the race. Some systems, like the Radxa ROCK 5B are powered through USB-C without any backup power source and use a FUSB302 chip to do the PD negotiation. This means it is quite important to avoid hard resets, since that effectively kills the system's power-supply. I've found the following race condition while debugging unplanned power loss during booting the board every now and then: 1. lots of TCPM/FUSB302/PD initialization stuff 2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) 3. the remote PD source does not send anything, so TCPM does a SOFT RESET 4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time (tcpm_set_pd_rx is enabled again, even though it is still on) At this point I've seen broken CRC good messages being send by the FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like messages are being lost and things generally going haywire with one of the two sides doing a hard reset once a broken CRC good message was send to the bus. I think the system is running into a race condition, that the FIFOs are being cleared and/or the automatic good CRC message generation flag is being updated while a message is already arriving. Let's avoid this by caching the PD RX enabled state, as we have already processed anything in the FIFOs and are in a good state. As a side effect that this also optimizes I2C bus usage :) As far as I can tell the problem theoretically also exists when TCPM enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less critical for the following reason: On devices like the ROCK 5B, which are powered through a TCPM backed USB-C port, the bootloader must have done some prior PD communication (initial communication must happen within 5 seconds after plugging the USB-C plug). This means the first time the kernel TCPM state machine reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages actively. On other devices a hard reset simply adds some extra delay and things should be good afterwards. Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/fusb302.c b/drivers/usb/typec/tcpm/fusb302.c index f2801279c4b5..a4ff2403ddd6 100644 --- a/drivers/usb/typec/tcpm/fusb302.c +++ b/drivers/usb/typec/tcpm/fusb302.c @@ -104,6 +104,7 @@ struct fusb302_chip { bool vconn_on; bool vbus_on; bool charge_on; + bool pd_rx_on; bool vbus_present; enum typec_cc_polarity cc_polarity; enum typec_cc_status cc1; @@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) int ret = 0; mutex_lock(&chip->lock); + if (chip->pd_rx_on == on) { + fusb302_log(chip, "pd is already %s", str_on_off(on)); + goto done; + } + ret = fusb302_pd_rx_flush(chip); if (ret < 0) { fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); @@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) str_on_off(on), ret); goto done; } + + chip->pd_rx_on = on; fusb302_log(chip, "pd := %s", str_on_off(on)); done: mutex_unlock(&chip->lock);

1 month

2
1
0 0

[PATCH net-next 1/3] ipv6: sr: Fix MAC comparison to be constant-time

by Eric Biggers

To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- net/ipv6/seg6_hmac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c index f78ecb6ad8383..5dae892bbc73b 100644 --- a/net/ipv6/seg6_hmac.c +++ b/net/ipv6/seg6_hmac.c @@ -33,10 +33,11 @@ #include <net/ip6_route.h> #include <net/addrconf.h> #include <net/xfrm.h> #include <crypto/hash.h> +#include <crypto/utils.h> #include <net/seg6.h> #include <net/genetlink.h> #include <net/seg6_hmac.h> #include <linux/random.h> @@ -278,11 +279,11 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb) return false; if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output)) return false; - if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0) + if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN)) return false; return true; } EXPORT_SYMBOL(seg6_hmac_validate_skb); -- 2.50.1

1 month

2
3
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081848-lemon-attic-be0e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] usb: typec: fusb302: cache PD RX state" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081831-untrimmed-dab-6b43@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 Mon Sep 17 00:00:00 2001 From: Sebastian Reichel <sebastian.reichel(a)collabora.com> Date: Fri, 4 Jul 2025 19:55:06 +0200 Subject: [PATCH] usb: typec: fusb302: cache PD RX state This patch fixes a race condition communication error, which ends up in PD hard resets when losing the race. Some systems, like the Radxa ROCK 5B are powered through USB-C without any backup power source and use a FUSB302 chip to do the PD negotiation. This means it is quite important to avoid hard resets, since that effectively kills the system's power-supply. I've found the following race condition while debugging unplanned power loss during booting the board every now and then: 1. lots of TCPM/FUSB302/PD initialization stuff 2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) 3. the remote PD source does not send anything, so TCPM does a SOFT RESET 4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time (tcpm_set_pd_rx is enabled again, even though it is still on) At this point I've seen broken CRC good messages being send by the FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like messages are being lost and things generally going haywire with one of the two sides doing a hard reset once a broken CRC good message was send to the bus. I think the system is running into a race condition, that the FIFOs are being cleared and/or the automatic good CRC message generation flag is being updated while a message is already arriving. Let's avoid this by caching the PD RX enabled state, as we have already processed anything in the FIFOs and are in a good state. As a side effect that this also optimizes I2C bus usage :) As far as I can tell the problem theoretically also exists when TCPM enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less critical for the following reason: On devices like the ROCK 5B, which are powered through a TCPM backed USB-C port, the bootloader must have done some prior PD communication (initial communication must happen within 5 seconds after plugging the USB-C plug). This means the first time the kernel TCPM state machine reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages actively. On other devices a hard reset simply adds some extra delay and things should be good afterwards. Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/fusb302.c b/drivers/usb/typec/tcpm/fusb302.c index f2801279c4b5..a4ff2403ddd6 100644 --- a/drivers/usb/typec/tcpm/fusb302.c +++ b/drivers/usb/typec/tcpm/fusb302.c @@ -104,6 +104,7 @@ struct fusb302_chip { bool vconn_on; bool vbus_on; bool charge_on; + bool pd_rx_on; bool vbus_present; enum typec_cc_polarity cc_polarity; enum typec_cc_status cc1; @@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) int ret = 0; mutex_lock(&chip->lock); + if (chip->pd_rx_on == on) { + fusb302_log(chip, "pd is already %s", str_on_off(on)); + goto done; + } + ret = fusb302_pd_rx_flush(chip); if (ret < 0) { fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); @@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) str_on_off(on), ret); goto done; } + + chip->pd_rx_on = on; fusb302_log(chip, "pd := %s", str_on_off(on)); done: mutex_unlock(&chip->lock);

1 month

2
1
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081848-charter-handcart-4eda@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081847-cheddar-glacier-ea0e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081846-exquisite-previous-f76e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] usb: typec: fusb302: cache PD RX state" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081830-selected-dandelion-46ec@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 Mon Sep 17 00:00:00 2001 From: Sebastian Reichel <sebastian.reichel(a)collabora.com> Date: Fri, 4 Jul 2025 19:55:06 +0200 Subject: [PATCH] usb: typec: fusb302: cache PD RX state This patch fixes a race condition communication error, which ends up in PD hard resets when losing the race. Some systems, like the Radxa ROCK 5B are powered through USB-C without any backup power source and use a FUSB302 chip to do the PD negotiation. This means it is quite important to avoid hard resets, since that effectively kills the system's power-supply. I've found the following race condition while debugging unplanned power loss during booting the board every now and then: 1. lots of TCPM/FUSB302/PD initialization stuff 2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) 3. the remote PD source does not send anything, so TCPM does a SOFT RESET 4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time (tcpm_set_pd_rx is enabled again, even though it is still on) At this point I've seen broken CRC good messages being send by the FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like messages are being lost and things generally going haywire with one of the two sides doing a hard reset once a broken CRC good message was send to the bus. I think the system is running into a race condition, that the FIFOs are being cleared and/or the automatic good CRC message generation flag is being updated while a message is already arriving. Let's avoid this by caching the PD RX enabled state, as we have already processed anything in the FIFOs and are in a good state. As a side effect that this also optimizes I2C bus usage :) As far as I can tell the problem theoretically also exists when TCPM enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less critical for the following reason: On devices like the ROCK 5B, which are powered through a TCPM backed USB-C port, the bootloader must have done some prior PD communication (initial communication must happen within 5 seconds after plugging the USB-C plug). This means the first time the kernel TCPM state machine reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages actively. On other devices a hard reset simply adds some extra delay and things should be good afterwards. Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") Cc: stable <stable(a)kernel.org> Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/typec/tcpm/fusb302.c b/drivers/usb/typec/tcpm/fusb302.c index f2801279c4b5..a4ff2403ddd6 100644 --- a/drivers/usb/typec/tcpm/fusb302.c +++ b/drivers/usb/typec/tcpm/fusb302.c @@ -104,6 +104,7 @@ struct fusb302_chip { bool vconn_on; bool vbus_on; bool charge_on; + bool pd_rx_on; bool vbus_present; enum typec_cc_polarity cc_polarity; enum typec_cc_status cc1; @@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) int ret = 0; mutex_lock(&chip->lock); + if (chip->pd_rx_on == on) { + fusb302_log(chip, "pd is already %s", str_on_off(on)); + goto done; + } + ret = fusb302_pd_rx_flush(chip); if (ret < 0) { fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); @@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_dev *dev, bool on) str_on_off(on), ret); goto done; } + + chip->pd_rx_on = on; fusb302_log(chip, "pd := %s", str_on_off(on)); done: mutex_unlock(&chip->lock);

1 month

2
2
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081846-vanquish-fastball-b7d1@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081845-enlarging-goldsmith-455a@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] serial: 8250: fix panic due to PSLVERR" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 7f8fdd4dbffc05982b96caf586f77a014b2a9353 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081844-wimp-jubilance-539e@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f8fdd4dbffc05982b96caf586f77a014b2a9353 Mon Sep 17 00:00:00 2001 From: Yunhui Cui <cuiyunhui(a)bytedance.com> Date: Wed, 23 Jul 2025 10:33:22 +0800 Subject: [PATCH] serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Reviewed-by: John Ogness <john.ogness(a)linutronix.de> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 7eddcab318b4..2da9db960d09 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2269,9 +2269,9 @@ static void serial8250_initialize(struct uart_port *port) { unsigned long flags; + uart_port_lock_irqsave(port, &flags); serial_port_out(port, UART_LCR, UART_LCR_WLEN8); - uart_port_lock_irqsave(port, &flags); serial8250_init_mctrl(port); serial8250_iir_txen_test(port); uart_port_unlock_irqrestore(port, flags);

1 month

2
1
0 0

FAILED: patch "[PATCH] cifs: reset iface weights when we cannot find a candidate" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9d5eff7821f6d70f7d1b4d8a60680fba4de868a7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081845-cork-enable-a1e8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9d5eff7821f6d70f7d1b4d8a60680fba4de868a7 Mon Sep 17 00:00:00 2001 From: Shyam Prasad N <sprasad(a)microsoft.com> Date: Thu, 17 Jul 2025 17:36:13 +0530 Subject: [PATCH] cifs: reset iface weights when we cannot find a candidate We now do a weighted selection of server interfaces when allocating new channels. The weights are decided based on the speed advertised. The fulfilled weight for an interface is a counter that is used to track the interface selection. It should be reset back to zero once all interfaces fulfilling their weight. In cifs_chan_update_iface, this reset logic was missing. As a result when the server interface list changes, the client may not be able to find a new candidate for other channels after all interfaces have been fulfilled. Fixes: a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed") Cc: <stable(a)vger.kernel.org> Signed-off-by: Shyam Prasad N <sprasad(a)microsoft.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c index 330bc3d25bad..0a8c2fcc9ded 100644 --- a/fs/smb/client/sess.c +++ b/fs/smb/client/sess.c @@ -332,6 +332,7 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) struct cifs_server_iface *old_iface = NULL; struct cifs_server_iface *last_iface = NULL; struct sockaddr_storage ss; + int retry = 0; spin_lock(&ses->chan_lock); chan_index = cifs_ses_get_chan_index(ses, server); @@ -360,6 +361,7 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) return; } +try_again: last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, iface_head); iface_min_speed = last_iface->speed; @@ -397,6 +399,13 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) } if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { + list_for_each_entry(iface, &ses->iface_list, iface_head) + iface->weight_fulfilled = 0; + + /* see if it can be satisfied in second attempt */ + if (!retry++) + goto try_again; + iface = NULL; cifs_dbg(FYI, "unable to find a suitable iface\n"); }

1 month

2
1
0 0

FAILED: patch "[PATCH] mm/damon/ops-common: ignore migration request to invalid" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7e6c3130690a01076efdf45aa02ba5d5c16849a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081833-booting-yelling-d0fa@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7e6c3130690a01076efdf45aa02ba5d5c16849a0 Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Sun, 20 Jul 2025 11:58:22 -0700 Subject: [PATCH] mm/damon/ops-common: ignore migration request to invalid nodes damon_migrate_pages() tries migration even if the target node is invalid. If users mistakenly make such invalid requests via DAMOS_MIGRATE_{HOT,COLD} action, the below kernel BUG can happen. [ 7831.883495] BUG: unable to handle page fault for address: 0000000000001f48 [ 7831.884160] #PF: supervisor read access in kernel mode [ 7831.884681] #PF: error_code(0x0000) - not-present page [ 7831.885203] PGD 0 P4D 0 [ 7831.885468] Oops: Oops: 0000 [#1] SMP PTI [ 7831.885852] CPU: 31 UID: 0 PID: 94202 Comm: kdamond.0 Not tainted 6.16.0-rc5-mm-new-damon+ #93 PREEMPT(voluntary) [ 7831.886913] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.el9 04/01/2014 [ 7831.887777] RIP: 0010:__alloc_frozen_pages_noprof (include/linux/mmzone.h:1724 include/linux/mmzone.h:1750 mm/page_alloc.c:4936 mm/page_alloc.c:5137) [...] [ 7831.895953] Call Trace: [ 7831.896195] <TASK> [ 7831.896397] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192) [ 7831.896787] migrate_pages_batch (mm/migrate.c:1189 mm/migrate.c:1851) [ 7831.897228] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.897735] migrate_pages (mm/migrate.c:2078) [ 7831.898141] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.898664] damon_migrate_folio_list (mm/damon/ops-common.c:321 mm/damon/ops-common.c:354) [ 7831.899140] damon_migrate_pages (mm/damon/ops-common.c:405) [...] Add a target node validity check in damon_migrate_pages(). The validity check is stolen from that of do_pages_move(), which is being used for the move_pages() system call. Link: https://lkml.kernel.org/r/20250720185822.1451-1-sj@kernel.org Fixes: b51820ebea65 ("mm/damon/paddr: introduce DAMOS_MIGRATE_COLD action for demotion") [6.11.x] Signed-off-by: SeongJae Park <sj(a)kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Honggyu Kim <honggyu.kim(a)sk.com> Cc: Hyeongtak Ji <hyeongtak.ji(a)sk.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/damon/ops-common.c b/mm/damon/ops-common.c index 6a9797d1d7ff..99321ff5cb92 100644 --- a/mm/damon/ops-common.c +++ b/mm/damon/ops-common.c @@ -383,6 +383,10 @@ unsigned long damon_migrate_pages(struct list_head *folio_list, int target_nid) if (list_empty(folio_list)) return nr_migrated; + if (target_nid < 0 || target_nid >= MAX_NUMNODES || + !node_state(target_nid, N_MEMORY)) + return nr_migrated; + noreclaim_flag = memalloc_noreclaim_save(); nid = folio_nid(lru_to_folio(folio_list));

1 month

2
1
0 0

FAILED: patch "[PATCH] mm/damon/ops-common: ignore migration request to invalid" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 7e6c3130690a01076efdf45aa02ba5d5c16849a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081832-splendor-carve-f25b@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7e6c3130690a01076efdf45aa02ba5d5c16849a0 Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Sun, 20 Jul 2025 11:58:22 -0700 Subject: [PATCH] mm/damon/ops-common: ignore migration request to invalid nodes damon_migrate_pages() tries migration even if the target node is invalid. If users mistakenly make such invalid requests via DAMOS_MIGRATE_{HOT,COLD} action, the below kernel BUG can happen. [ 7831.883495] BUG: unable to handle page fault for address: 0000000000001f48 [ 7831.884160] #PF: supervisor read access in kernel mode [ 7831.884681] #PF: error_code(0x0000) - not-present page [ 7831.885203] PGD 0 P4D 0 [ 7831.885468] Oops: Oops: 0000 [#1] SMP PTI [ 7831.885852] CPU: 31 UID: 0 PID: 94202 Comm: kdamond.0 Not tainted 6.16.0-rc5-mm-new-damon+ #93 PREEMPT(voluntary) [ 7831.886913] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.el9 04/01/2014 [ 7831.887777] RIP: 0010:__alloc_frozen_pages_noprof (include/linux/mmzone.h:1724 include/linux/mmzone.h:1750 mm/page_alloc.c:4936 mm/page_alloc.c:5137) [...] [ 7831.895953] Call Trace: [ 7831.896195] <TASK> [ 7831.896397] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192) [ 7831.896787] migrate_pages_batch (mm/migrate.c:1189 mm/migrate.c:1851) [ 7831.897228] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.897735] migrate_pages (mm/migrate.c:2078) [ 7831.898141] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.898664] damon_migrate_folio_list (mm/damon/ops-common.c:321 mm/damon/ops-common.c:354) [ 7831.899140] damon_migrate_pages (mm/damon/ops-common.c:405) [...] Add a target node validity check in damon_migrate_pages(). The validity check is stolen from that of do_pages_move(), which is being used for the move_pages() system call. Link: https://lkml.kernel.org/r/20250720185822.1451-1-sj@kernel.org Fixes: b51820ebea65 ("mm/damon/paddr: introduce DAMOS_MIGRATE_COLD action for demotion") [6.11.x] Signed-off-by: SeongJae Park <sj(a)kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Honggyu Kim <honggyu.kim(a)sk.com> Cc: Hyeongtak Ji <hyeongtak.ji(a)sk.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/damon/ops-common.c b/mm/damon/ops-common.c index 6a9797d1d7ff..99321ff5cb92 100644 --- a/mm/damon/ops-common.c +++ b/mm/damon/ops-common.c @@ -383,6 +383,10 @@ unsigned long damon_migrate_pages(struct list_head *folio_list, int target_nid) if (list_empty(folio_list)) return nr_migrated; + if (target_nid < 0 || target_nid >= MAX_NUMNODES || + !node_state(target_nid, N_MEMORY)) + return nr_migrated; + noreclaim_flag = memalloc_noreclaim_save(); nid = folio_nid(lru_to_folio(folio_list));

1 month

2
1
0 0

FAILED: patch "[PATCH] mm/damon/ops-common: ignore migration request to invalid" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 7e6c3130690a01076efdf45aa02ba5d5c16849a0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081831-singular-geologist-93a6@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7e6c3130690a01076efdf45aa02ba5d5c16849a0 Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Sun, 20 Jul 2025 11:58:22 -0700 Subject: [PATCH] mm/damon/ops-common: ignore migration request to invalid nodes damon_migrate_pages() tries migration even if the target node is invalid. If users mistakenly make such invalid requests via DAMOS_MIGRATE_{HOT,COLD} action, the below kernel BUG can happen. [ 7831.883495] BUG: unable to handle page fault for address: 0000000000001f48 [ 7831.884160] #PF: supervisor read access in kernel mode [ 7831.884681] #PF: error_code(0x0000) - not-present page [ 7831.885203] PGD 0 P4D 0 [ 7831.885468] Oops: Oops: 0000 [#1] SMP PTI [ 7831.885852] CPU: 31 UID: 0 PID: 94202 Comm: kdamond.0 Not tainted 6.16.0-rc5-mm-new-damon+ #93 PREEMPT(voluntary) [ 7831.886913] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.el9 04/01/2014 [ 7831.887777] RIP: 0010:__alloc_frozen_pages_noprof (include/linux/mmzone.h:1724 include/linux/mmzone.h:1750 mm/page_alloc.c:4936 mm/page_alloc.c:5137) [...] [ 7831.895953] Call Trace: [ 7831.896195] <TASK> [ 7831.896397] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192) [ 7831.896787] migrate_pages_batch (mm/migrate.c:1189 mm/migrate.c:1851) [ 7831.897228] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.897735] migrate_pages (mm/migrate.c:2078) [ 7831.898141] ? __pfx_alloc_migration_target (mm/migrate.c:2137) [ 7831.898664] damon_migrate_folio_list (mm/damon/ops-common.c:321 mm/damon/ops-common.c:354) [ 7831.899140] damon_migrate_pages (mm/damon/ops-common.c:405) [...] Add a target node validity check in damon_migrate_pages(). The validity check is stolen from that of do_pages_move(), which is being used for the move_pages() system call. Link: https://lkml.kernel.org/r/20250720185822.1451-1-sj@kernel.org Fixes: b51820ebea65 ("mm/damon/paddr: introduce DAMOS_MIGRATE_COLD action for demotion") [6.11.x] Signed-off-by: SeongJae Park <sj(a)kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Honggyu Kim <honggyu.kim(a)sk.com> Cc: Hyeongtak Ji <hyeongtak.ji(a)sk.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/damon/ops-common.c b/mm/damon/ops-common.c index 6a9797d1d7ff..99321ff5cb92 100644 --- a/mm/damon/ops-common.c +++ b/mm/damon/ops-common.c @@ -383,6 +383,10 @@ unsigned long damon_migrate_pages(struct list_head *folio_list, int target_nid) if (list_empty(folio_list)) return nr_migrated; + if (target_nid < 0 || target_nid >= MAX_NUMNODES || + !node_state(target_nid, N_MEMORY)) + return nr_migrated; + noreclaim_flag = memalloc_noreclaim_save(); nid = folio_nid(lru_to_folio(folio_list));

1 month

2
1
0 0

FAILED: patch "[PATCH] io_uring/zcrx: account area memory" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 262ab205180d2ba3ab6110899a4dbe439c51dfaa # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081527-unflawed-matrimony-2057@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 262ab205180d2ba3ab6110899a4dbe439c51dfaa Mon Sep 17 00:00:00 2001 From: Pavel Begunkov <asml.silence(a)gmail.com> Date: Wed, 16 Jul 2025 22:04:09 +0100 Subject: [PATCH] io_uring/zcrx: account area memory zcrx areas can be quite large and need to be accounted and checked against RLIMIT_MEMLOCK. In practise it shouldn't be a big issue as the inteface already requires cap_net_admin. Cc: stable(a)vger.kernel.org Fixes: cf96310c5f9a0 ("io_uring/zcrx: add io_zcrx_area") Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com> Link: https://lore.kernel.org/r/4b53f0c575bd062f63d12bec6cac98037fc66aeb.17526995… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index 7d7396ce876c..dabce3ee0e8b 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -158,6 +158,23 @@ static int io_zcrx_map_area_dmabuf(struct io_zcrx_ifq *ifq, struct io_zcrx_area area->mem.dmabuf_offset); } +static unsigned long io_count_account_pages(struct page **pages, unsigned nr_pages) +{ + struct folio *last_folio = NULL; + unsigned long res = 0; + int i; + + for (i = 0; i < nr_pages; i++) { + struct folio *folio = page_folio(pages[i]); + + if (folio == last_folio) + continue; + last_folio = folio; + res += 1UL << folio_order(folio); + } + return res; +} + static int io_import_umem(struct io_zcrx_ifq *ifq, struct io_zcrx_mem *mem, struct io_uring_zcrx_area_reg *area_reg) @@ -180,6 +197,13 @@ static int io_import_umem(struct io_zcrx_ifq *ifq, if (ret) return ret; + mem->account_pages = io_count_account_pages(pages, nr_pages); + ret = io_account_mem(ifq->ctx, mem->account_pages); + if (ret < 0) { + mem->account_pages = 0; + return ret; + } + mem->pages = pages; mem->nr_folios = nr_pages; mem->size = area_reg->len; @@ -357,6 +381,9 @@ static void io_zcrx_free_area(struct io_zcrx_area *area) io_zcrx_unmap_area(area->ifq, area); io_release_area_mem(&area->mem); + if (area->mem.account_pages) + io_unaccount_mem(area->ifq->ctx, area->mem.account_pages); + kvfree(area->freelist); kvfree(area->nia.niovs); kvfree(area->user_refs); diff --git a/io_uring/zcrx.h b/io_uring/zcrx.h index 89015b923911..109c4ca36434 100644 --- a/io_uring/zcrx.h +++ b/io_uring/zcrx.h @@ -15,6 +15,7 @@ struct io_zcrx_mem { struct page **pages; unsigned long nr_folios; struct sg_table page_sg_table; + unsigned long account_pages; struct dma_buf_attachment *attach; struct dma_buf *dmabuf;

1 month

3
2
0 0

[REGRESSION] stable-rc/linux-6.1.y: (build) call to undeclared function 'BIT_U32'; ISO C99 and later do not su...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.1.y: --- call to undeclared function 'BIT_U32'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] in drivers/net/can/ti_hecc.o (drivers/net/can/ti_hecc.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:8fd2dd605b4f4e3fdfb2bb48ed2965f305259b0d - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: de81846a25749c1fa21ba68cf4938d4309cfbcef Log excerpt: ===================================================== drivers/net/can/ti_hecc.c:387:14: error: call to undeclared function 'BIT_U32'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 387 | mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX); | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:68a32682233e484a3f9ea0aa #kernelci issue maestro:8fd2dd605b4f4e3fdfb2bb48ed2965f305259b0d Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month

1
0
0 0

FAILED: patch "[PATCH] mm, slab: restore NUMA policy support for large kmalloc" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e2d18cbf178775ad377ad88ee55e6e183c38d262 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081818-skilled-timid-4660@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e2d18cbf178775ad377ad88ee55e6e183c38d262 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Mon, 2 Jun 2025 13:02:12 +0200 Subject: [PATCH] mm, slab: restore NUMA policy support for large kmalloc The slab allocator observes the task's NUMA policy in various places such as allocating slab pages. Large kmalloc() allocations used to do that too, until an unintended change by c4cab557521a ("mm/slab_common: cleanup kmalloc_large()") resulted in ignoring mempolicy and just preferring the local node. Restore the NUMA policy support. Fixes: c4cab557521a ("mm/slab_common: cleanup kmalloc_large()") Cc: <stable(a)vger.kernel.org> Acked-by: Christoph Lameter (Ampere) <cl(a)gentwo.org> Acked-by: Roman Gushchin <roman.gushchin(a)linux.dev> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..06d64a5fb1bf 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -4269,7 +4269,12 @@ static void *___kmalloc_large_node(size_t size, gfp_t flags, int node) flags = kmalloc_fix_flags(flags); flags |= __GFP_COMP; - folio = (struct folio *)alloc_pages_node_noprof(node, flags, order); + + if (node == NUMA_NO_NODE) + folio = (struct folio *)alloc_pages_noprof(flags, order); + else + folio = (struct folio *)__alloc_pages_noprof(flags, order, node, NULL); + if (folio) { ptr = folio_address(folio); lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B,

1 month

3
2
0 0

[PATCH 6.6.y] wifi: mac80211: check basic rates validity in sta_link_apply_parameters

by Hanne-Lotta Mäenpää

From: Mikhail Lobanov <m.lobanov(a)rosa.ru> [ Upstream commit 16ee3ea8faef8ff042acc15867a6c458c573de61 ] When userspace sets supported rates for a new station via NL80211_CMD_NEW_STATION, it might send a list that's empty or contains only invalid values. Currently, we process these values in sta_link_apply_parameters() without checking the result of ieee80211_parse_bitrates(), which can lead to an empty rates bitmap. A similar issue was addressed for NL80211_CMD_SET_BSS in commit ce04abc3fcc6 ("wifi: mac80211: check basic rates validity"). This patch applies the same approach in sta_link_apply_parameters() for NL80211_CMD_NEW_STATION, ensuring there is at least one valid rate by inspecting the result of ieee80211_parse_bitrates(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. [ Summary of conflict resolutions: - The function ieee80211_parse_bitrates() takes channel width as its first parameter, and the chandef struct has been refactored in kernel version 6.9, in commit 6092077ad09ce880c61735c314060f0bd79ae4aa so that the width is contained in chanreq.oper.width. In kernel version 6.6 the width parameter is defined directly in the chandef struct. ] Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params") Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Hanne-Lotta Mäenpää <hannelotta(a)gmail.com> --- net/mac80211/cfg.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 3ff7f38394a6..1addfba4b285 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -1847,12 +1847,12 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, } if (params->supported_rates && - params->supported_rates_len) { - ieee80211_parse_bitrates(link->conf->chandef.width, - sband, params->supported_rates, - params->supported_rates_len, - &link_sta->pub->supp_rates[sband->band]); - } + params->supported_rates_len && + !ieee80211_parse_bitrates(link->conf->chandef.width, + sband, params->supported_rates, + params->supported_rates_len, + &link_sta->pub->supp_rates[sband->band])) + return -EINVAL; if (params->ht_capa) ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband, -- 2.50.0

1 month

1
0
0 0

FAILED: patch "[PATCH] io_uring/net: commit partial buffers on retry" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 41b70df5b38bc80967d2e0ed55cc3c3896bba781 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081549-shorter-borrower-941d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41b70df5b38bc80967d2e0ed55cc3c3896bba781 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Tue, 12 Aug 2025 08:30:11 -0600 Subject: [PATCH] io_uring/net: commit partial buffers on retry Ring provided buffers are potentially only valid within the single execution context in which they were acquired. io_uring deals with this and invalidates them on retry. But on the networking side, if MSG_WAITALL is set, or if the socket is of the streaming type and too little was processed, then it will hang on to the buffer rather than recycle or commit it. This is problematic for two reasons: 1) If someone unregisters the provided buffer ring before a later retry, then the req->buf_list will no longer be valid. 2) If multiple sockers are using the same buffer group, then multiple receives can consume the same memory. This can cause data corruption in the application, as either receive could land in the same userspace buffer. Fix this by disallowing partial retries from pinning a provided buffer across multiple executions, if ring provided buffers are used. Cc: stable(a)vger.kernel.org Reported-by: pt x <superman.xpt(a)gmail.com> Fixes: c56e022c0a27 ("io_uring: add support for user mapped provided buffer ring") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/net.c b/io_uring/net.c index dd96e355982f..d69f2afa4f7a 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -494,6 +494,15 @@ static int io_bundle_nbufs(struct io_async_msghdr *kmsg, int ret) return nbufs; } +static int io_net_kbuf_recyle(struct io_kiocb *req, + struct io_async_msghdr *kmsg, int len) +{ + req->flags |= REQ_F_BL_NO_RECYCLE; + if (req->flags & REQ_F_BUFFERS_COMMIT) + io_kbuf_commit(req, req->buf_list, len, io_bundle_nbufs(kmsg, len)); + return IOU_RETRY; +} + static inline bool io_send_finish(struct io_kiocb *req, int *ret, struct io_async_msghdr *kmsg, unsigned issue_flags) @@ -562,8 +571,7 @@ int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags) kmsg->msg.msg_controllen = 0; kmsg->msg.msg_control = NULL; sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -674,8 +682,7 @@ int io_send(struct io_kiocb *req, unsigned int issue_flags) sr->len -= ret; sr->buf += ret; sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1071,8 +1078,7 @@ int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags) } if (ret > 0 && io_net_retry(sock, flags)) { sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return IOU_RETRY; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1218,8 +1224,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags) sr->len -= ret; sr->buf += ret; sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1500,8 +1505,7 @@ int io_send_zc(struct io_kiocb *req, unsigned int issue_flags) zc->len -= ret; zc->buf += ret; zc->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1571,8 +1575,7 @@ int io_sendmsg_zc(struct io_kiocb *req, unsigned int issue_flags) if (ret > 0 && io_net_retry(sock, flags)) { sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR;

1 month

3
3
0 0

[REGRESSION] stable-rc/linux-6.6.y: (build) call to undeclared function 'BIT_U32'; ISO C99 and later do not su...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.6.y: --- call to undeclared function 'BIT_U32'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] in drivers/net/can/ti_hecc.o (drivers/net/can/ti_hecc.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:8ace23e7f8ec64c36de1851f3a96cbd024dbc75a - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 243d4807be1704fef446934001535d37afafd8d7 Log excerpt: ===================================================== drivers/net/can/ti_hecc.c:386:14: error: call to undeclared function 'BIT_U32'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 386 | mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX); | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:68a3271d233e484a3f9ea12f #kernelci issue maestro:8ace23e7f8ec64c36de1851f3a96cbd024dbc75a Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month

1
0
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) implicit declaration of function 'BIT_U32' [-Werror,-Wimplicit-fun...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- implicit declaration of function 'BIT_U32' [-Werror,-Wimplicit-function-declaration] in drivers/net/can/ti_hecc.o (drivers/net/can/ti_hecc.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:d43992843dddea5eb6d0e618759db726469a7b6a - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: a6319f2fe27b8fefe40757d3797cfca30d43ce3c Log excerpt: ===================================================== drivers/net/can/ti_hecc.c:396:14: error: implicit declaration of function 'BIT_U32' [-Werror,-Wimplicit-function-declaration] 396 | mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX); | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:68a325ed233e484a3f9ea033 #kernelci issue maestro:d43992843dddea5eb6d0e618759db726469a7b6a Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month

1
0
0 0

FAILED: patch "[PATCH] x86/sev: Ensure SVSM reserved fields in a page validation" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 3ee9cebd0a5e7ea47eb35cec95eaa1a866af982d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081850-culture-uncheck-1048@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3ee9cebd0a5e7ea47eb35cec95eaa1a866af982d Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Wed, 13 Aug 2025 10:26:59 -0500 Subject: [PATCH] x86/sev: Ensure SVSM reserved fields in a page validation entry are initialized to zero In order to support future versions of the SVSM_CORE_PVALIDATE call, all reserved fields within a PVALIDATE entry must be set to zero as an SVSM should be ensuring all reserved fields are zero in order to support future usage of reserved areas based on the protocol version. Fixes: fcd042e86422 ("x86/sev: Perform PVALIDATE using the SVSM when not at VMPL0") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Joerg Roedel <joerg.roedel(a)amd.com> Cc: <stable(a)kernel.org> Link: https://lore.kernel.org/7cde412f8b057ea13a646fb166b1ca023f6a5031.1755098819… diff --git a/arch/x86/boot/startup/sev-shared.c b/arch/x86/boot/startup/sev-shared.c index 7a706db87b93..4ab0dbd043c6 100644 --- a/arch/x86/boot/startup/sev-shared.c +++ b/arch/x86/boot/startup/sev-shared.c @@ -785,6 +785,7 @@ static void __head svsm_pval_4k_page(unsigned long paddr, bool validate) pc->entry[0].page_size = RMP_PG_SIZE_4K; pc->entry[0].action = validate; pc->entry[0].ignore_cf = 0; + pc->entry[0].rsvd = 0; pc->entry[0].pfn = paddr >> PAGE_SHIFT; /* Protocol 0, Call ID 1 */ diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index fc59ce78c477..43ecc6b9fb9c 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -227,6 +227,7 @@ static u64 svsm_build_ca_from_pfn_range(u64 pfn, u64 pfn_end, bool action, pe->page_size = RMP_PG_SIZE_4K; pe->action = action; pe->ignore_cf = 0; + pe->rsvd = 0; pe->pfn = pfn; pe++; @@ -257,6 +258,7 @@ static int svsm_build_ca_from_psc_desc(struct snp_psc_desc *desc, unsigned int d pe->page_size = e->pagesize ? RMP_PG_SIZE_2M : RMP_PG_SIZE_4K; pe->action = e->operation == SNP_PAGE_STATE_PRIVATE; pe->ignore_cf = 0; + pe->rsvd = 0; pe->pfn = e->gfn; pe++;

1 month

2
1
0 0

FAILED: patch "[PATCH] x86/sev: Ensure SVSM reserved fields in a page validation" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 3ee9cebd0a5e7ea47eb35cec95eaa1a866af982d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081852-debtless-penniless-395d@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3ee9cebd0a5e7ea47eb35cec95eaa1a866af982d Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Wed, 13 Aug 2025 10:26:59 -0500 Subject: [PATCH] x86/sev: Ensure SVSM reserved fields in a page validation entry are initialized to zero In order to support future versions of the SVSM_CORE_PVALIDATE call, all reserved fields within a PVALIDATE entry must be set to zero as an SVSM should be ensuring all reserved fields are zero in order to support future usage of reserved areas based on the protocol version. Fixes: fcd042e86422 ("x86/sev: Perform PVALIDATE using the SVSM when not at VMPL0") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Joerg Roedel <joerg.roedel(a)amd.com> Cc: <stable(a)kernel.org> Link: https://lore.kernel.org/7cde412f8b057ea13a646fb166b1ca023f6a5031.1755098819… diff --git a/arch/x86/boot/startup/sev-shared.c b/arch/x86/boot/startup/sev-shared.c index 7a706db87b93..4ab0dbd043c6 100644 --- a/arch/x86/boot/startup/sev-shared.c +++ b/arch/x86/boot/startup/sev-shared.c @@ -785,6 +785,7 @@ static void __head svsm_pval_4k_page(unsigned long paddr, bool validate) pc->entry[0].page_size = RMP_PG_SIZE_4K; pc->entry[0].action = validate; pc->entry[0].ignore_cf = 0; + pc->entry[0].rsvd = 0; pc->entry[0].pfn = paddr >> PAGE_SHIFT; /* Protocol 0, Call ID 1 */ diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index fc59ce78c477..43ecc6b9fb9c 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -227,6 +227,7 @@ static u64 svsm_build_ca_from_pfn_range(u64 pfn, u64 pfn_end, bool action, pe->page_size = RMP_PG_SIZE_4K; pe->action = action; pe->ignore_cf = 0; + pe->rsvd = 0; pe->pfn = pfn; pe++; @@ -257,6 +258,7 @@ static int svsm_build_ca_from_psc_desc(struct snp_psc_desc *desc, unsigned int d pe->page_size = e->pagesize ? RMP_PG_SIZE_2M : RMP_PG_SIZE_4K; pe->action = e->operation == SNP_PAGE_STATE_PRIVATE; pe->ignore_cf = 0; + pe->rsvd = 0; pe->pfn = e->gfn; pe++;

1 month

2
1
0 0

[tip: x86/urgent] x86/CPU/AMD: Ignore invalid reset reason value

by tip-bot2 for Yazen Ghannam

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: e9576e078220c50ace9e9087355423de23e25fa5 Gitweb: https://git.kernel.org/tip/e9576e078220c50ace9e9087355423de23e25fa5 Author: Yazen Ghannam <yazen.ghannam(a)amd.com> AuthorDate: Mon, 21 Jul 2025 18:11:54 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 18 Aug 2025 16:36:59 +02:00 x86/CPU/AMD: Ignore invalid reset reason value The reset reason value may be "all bits set", e.g. 0xFFFFFFFF. This is a commonly used error response from hardware. This may occur due to a real hardware issue or when running in a VM. The user will see all reset reasons reported in this case. Check for an error response value and return early to avoid decoding invalid data. Also, adjust the data variable type to match the hardware register size. Fixes: ab8131028710 ("x86/CPU/AMD: Print the reason for the last reset") Reported-by: Libing He <libhe(a)redhat.com> Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250721181155.3536023-1-yazen.ghannam@amd.com --- arch/x86/kernel/cpu/amd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index a5ece6e..a6f88ca 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -1326,8 +1326,8 @@ static const char * const s5_reset_reason_txt[] = { static __init int print_s5_reset_status_mmio(void) { - unsigned long value; void __iomem *addr; + u32 value; int i; if (!cpu_feature_enabled(X86_FEATURE_ZEN)) @@ -1340,12 +1340,16 @@ static __init int print_s5_reset_status_mmio(void) value = ioread32(addr); iounmap(addr); + /* Value with "all bits set" is an error response and should be ignored. */ + if (value == U32_MAX) + return 0; + for (i = 0; i < ARRAY_SIZE(s5_reset_reason_txt); i++) { if (!(value & BIT(i))) continue; if (s5_reset_reason_txt[i]) { - pr_info("x86/amd: Previous system reset reason [0x%08lx]: %s\n", + pr_info("x86/amd: Previous system reset reason [0x%08x]: %s\n", value, s5_reset_reason_txt[i]); } }

1 month

1
0
0 0

[bp@imp.ch: Bug#1111455: linux-image-6.12.41+deb13-amd64: kernel BUG at fs/netfs/read_collect.c:316 netfs: Can't donate prior to front]

by Salvatore Bonaccorso

Hi, A user in Debian reported the following kernel oops when running on 6.12.41 (but apparently as well on older versions, though there were several netfs related similar issues, so including Max Kellermann as well in the recipients) The report from Benoit Panizzon is as follows: > From: Benoit Panizzon <bp(a)imp.ch> > Resent-From: Benoit Panizzon <bp(a)imp.ch> > Reply-To: Benoit Panizzon <bp(a)imp.ch>, 1111455(a)bugs.debian.org > X-Mailer: reportbug 13.2.0 > Date: Mon, 18 Aug 2025 10:24:32 +0200 > To: Debian Bug Tracking System <submit(a)bugs.debian.org> > Subject: Bug#1111455: linux-image-6.12.41+deb13-amd64: kernel BUG at fs/netfs/read_collect.c:316 netfs: Can't donate > prior to front > Delivered-To: lists-debian-kernel(a)bendel.debian.org > Delivered-To: submit(a)bugs.debian.org > Message-ID: <175550547264.3745.5845128440223069497.reportbug(a)go.imp.ch> > > Package: src:linux > Version: 6.12.41-1 > Severity: grave > Justification: renders package unusable > X-Debbugs-Cc: debian-amd64(a)lists.debian.org > User: debian-amd64(a)lists.debian.org > Usertags: amd64 > > Dear Maintainer, > > Updated my workstation from Bookworm to Trixie. /home on NFS > > Applications accessing data on NFS shares become unresponsive one after the other after a couple of minutes. > > Especially affected: > * Claws-Mail > * Chromium > > Suspected cachefsd being the culpit and disabled - issue persists. > > It looks like an invalid opcode is being used. Fairly recent CPU in use: > > vendor_id : AuthenticAMD > cpu family : 25 > model : 80 > model name : AMD Ryzen 7 PRO 5750GE with Radeon Graphics > stepping : 0 > microcode : 0xa500011 > > Google found reports of others affected with similar kernel versions mostly when accessing SMB shares. > > [Mo Aug 18 10:11:19 2025] netfs: Can't donate prior to front > [Mo Aug 18 10:11:19 2025] R=00001e07[4] s=6000-7fff 0/2000/2000 > [Mo Aug 18 10:11:19 2025] folio: 4000-7fff > [Mo Aug 18 10:11:19 2025] donated: prev=0 next=0 > [Mo Aug 18 10:11:19 2025] s=6000 av=2000 part=2000 > [Mo Aug 18 10:11:19 2025] ------------[ cut here ]------------ > [Mo Aug 18 10:11:19 2025] kernel BUG at fs/netfs/read_collect.c:316! > [Mo Aug 18 10:11:19 2025] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI > [Mo Aug 18 10:11:19 2025] CPU: 5 UID: 0 PID: 115 Comm: kworker/u64:1 Not tainted 6.12.41+deb13-amd64 #1 Debian 6.12.41-1 > [Mo Aug 18 10:11:19 2025] Hardware name: LENOVO 11JN000JGE/32E4, BIOS M47KT26A 11/23/2022 > [Mo Aug 18 10:11:19 2025] Workqueue: nfsiod rpc_async_release [sunrpc] > [Mo Aug 18 10:11:19 2025] RIP: 0010:netfs_consume_read_data.isra.0+0xb79/0xb80 [netfs] > [Mo Aug 18 10:11:19 2025] Code: 48 89 ea 31 f6 48 c7 c7 96 95 6f c2 e8 d0 8d a2 e1 48 8b 4c 24 10 4c 89 fe 48 8b 54 24 20 48 c7 c7 b2 95 6f c2 e8 b7 8d a2 e1 <0f> 0b 90 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 > [Mo Aug 18 10:11:19 2025] RSP: 0018:ffffb4234057bd58 EFLAGS: 00010246 > [Mo Aug 18 10:11:19 2025] RAX: 0000000000000018 RBX: ffff9aed62651ec0 RCX: 0000000000000027 > [Mo Aug 18 10:11:19 2025] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9af04e4a1740 > [Mo Aug 18 10:11:19 2025] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb4234057bbe8 > [Mo Aug 18 10:11:19 2025] R10: ffffffffa50b43a8 R11: 0000000000000003 R12: ffff9aed6c9081e8 > [Mo Aug 18 10:11:19 2025] R13: 0000000000004000 R14: ffff9aed6c9081e8 R15: 0000000000006000 > [Mo Aug 18 10:11:19 2025] FS: 0000000000000000(0000) GS:ffff9af04e480000(0000) knlGS:0000000000000000 > [Mo Aug 18 10:11:19 2025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [Mo Aug 18 10:11:19 2025] CR2: 00003d3407849020 CR3: 00000002f1822000 CR4: 0000000000f50ef0 > [Mo Aug 18 10:11:19 2025] PKRU: 55555554 > [Mo Aug 18 10:11:19 2025] Call Trace: > [Mo Aug 18 10:11:19 2025] <TASK> > [Mo Aug 18 10:11:19 2025] netfs_read_subreq_terminated+0x2ab/0x3e0 [netfs] > [Mo Aug 18 10:11:19 2025] nfs_netfs_read_completion+0x9c/0xc0 [nfs] > [Mo Aug 18 10:11:19 2025] nfs_read_completion+0xf6/0x130 [nfs] > [Mo Aug 18 10:11:19 2025] rpc_free_task+0x39/0x60 [sunrpc] > [Mo Aug 18 10:11:19 2025] rpc_async_release+0x2f/0x40 [sunrpc] > [Mo Aug 18 10:11:19 2025] process_one_work+0x177/0x330 > [Mo Aug 18 10:11:19 2025] worker_thread+0x251/0x390 > [Mo Aug 18 10:11:19 2025] ? __pfx_worker_thread+0x10/0x10 > [Mo Aug 18 10:11:19 2025] kthread+0xd2/0x100 > [Mo Aug 18 10:11:19 2025] ? __pfx_kthread+0x10/0x10 > [Mo Aug 18 10:11:19 2025] ret_from_fork+0x34/0x50 > [Mo Aug 18 10:11:19 2025] ? __pfx_kthread+0x10/0x10 > [Mo Aug 18 10:11:19 2025] ret_from_fork_asm+0x1a/0x30 > [Mo Aug 18 10:11:19 2025] </TASK> > [Mo Aug 18 10:11:19 2025] Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs netfs nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables libcrc32c wireguard libchacha20poly1305 chacha_x86_64 poly1305_x86_64 curve25519_x86_64 libcurve25519_generic libchacha vxlan ip6_udp_tunnel udp_tunnel bridge stp llc btusb btrtl btintel btbcm btmtk bluetooth joydev qrtr nfsd auth_rpcgss binfmt_misc nfs_acl lockd grace nls_ascii nls_cp437 sunrpc vfat fat amd_atl intel_rapl_msr intel_rapl_common rtw88_8822ce rtw88_8822c edac_mce_amd rtw88_pci snd_sof_amd_rembrandt snd_sof_amd_acp rtw88_core kvm_amd snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_hda_codec_realtek mac80211 kvm snd_hda_codec_generic snd_sof_utils snd_hda_scodec_component snd_soc_core snd_hda_codec_hdmi snd_hda_intel snd_compress snd_intel_dspcfg libarc4 snd_pcm_dmaengine irqbypass snd_intel_sdw_acpi snd_pci_ps crct10dif_pclmul snd_hda_codec ghash_clmulni_intel snd_rpl_pci_acp6x cfg80211 snd_hda_core sha512_ssse3 snd_acp_pci > [Mo Aug 18 10:11:19 2025] sha256_ssse3 snd_acp_legacy_common sha1_ssse3 snd_hwdep snd_pci_acp6x aesni_intel snd_pcm gf128mul snd_pci_acp5x crypto_simd think_lmi snd_timer snd_rn_pci_acp3x cryptd firmware_attributes_class snd_acp_config wmi_bmof snd snd_soc_acpi ee1004 rapl snd_pci_acp3x pcspkr ccp k10temp rfkill soundcore evdev parport_pc ppdev lp parport configfs efi_pstore nfnetlink efivarfs ip_tables x_tables autofs4 ext4 mbcache jbd2 crc32c_generic hid_plantronics hid_generic usbhid hid amdgpu dm_mod amdxcp drm_exec gpu_sched drm_buddy i2c_algo_bit drm_suballoc_helper drm_display_helper cec rc_core drm_ttm_helper xhci_pci ttm xhci_hcd drm_kms_helper drm r8169 nvme usbcore realtek sp5100_tco nvme_core mdio_devres watchdog libphy crc32_pclmul i2c_piix4 video crc32c_intel usb_common nvme_auth i2c_smbus crc16 wmi button > [Mo Aug 18 10:11:19 2025] ---[ end trace 0000000000000000 ]--- Any ideas here? Benoit can you please es well test the current 6.16.1 ideally to verify if the problem persists there as well? Regards, Salvatore

1 month

2
3
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) ‘CPUFREQ_NEED_UPDATE_LIMITS’ undeclared here (not in a function) i...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- ‘CPUFREQ_NEED_UPDATE_LIMITS’ undeclared here (not in a function) in drivers/cpufreq/cppc_cpufreq.o (drivers/cpufreq/cppc_cpufreq.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:dc41002c36bbf28f576cb4cf62779067892fb9db - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: a6319f2fe27b8fefe40757d3797cfca30d43ce3c Log excerpt: ===================================================== drivers/cpufreq/cppc_cpufreq.c:410:40: error: ‘CPUFREQ_NEED_UPDATE_LIMITS’ undeclared here (not in a function) 410 | .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS, | ^~~~~~~~~~~~~~~~~~~~~~~~~~ ===================================================== # Builds where the incident occurred: ## defconfig+arm64-chromebook+kselftest on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:68a3251d233e484a3f9e9e33 ## defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:68a324d8233e484a3f9e9df2 ## defconfig+lab-setup+kselftest on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:68a32513233e484a3f9e9e2a #kernelci issue maestro:dc41002c36bbf28f576cb4cf62779067892fb9db Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month

1
0
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) use of undeclared identifier 'CPUFREQ_NEED_UPDATE_LIMITS' in drive...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- use of undeclared identifier 'CPUFREQ_NEED_UPDATE_LIMITS' in drivers/cpufreq/cppc_cpufreq.o (drivers/cpufreq/cppc_cpufreq.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:b9c80192e71f04dd69fa1038881cb02b2c46b045 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: a6319f2fe27b8fefe40757d3797cfca30d43ce3c Log excerpt: ===================================================== drivers/cpufreq/cppc_cpufreq.c:410:33: error: use of undeclared identifier 'CPUFREQ_NEED_UPDATE_LIMITS' 410 | .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS, | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+arm64-chromebook+kselftest on (arm64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:68a324ee233e484a3f9e9e07 #kernelci issue maestro:b9c80192e71f04dd69fa1038881cb02b2c46b045 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month

1
0
0 0

[REGRESSION] IPv6 RA default router advertisement fails after kernel 6.12.42 updates

by 喵公子

Hi, While testing Linux kernel 6.12.42 on OpenWrt, we observed a regression in IPv6 Router Advertisement (RA) handling for the default router. Affected commits The following commits appear related and may have introduced the issue: ipv6: fix possible infinite loop in fib6_info_uses_dev()： https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ipv6: prevent infinite loop in rt6_nlmsg_size()： https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ipv6: annotate data-races around rt->fib6_nsiblings： https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… Problem description： In Linux kernel 6.12.42, IPv6 FIB multipath and concurrent access handling was made stricter (READ_ONCE / WRITE_ONCE + RCU retry). The RA “Automatic” mode relies on checking whether a local default route exists. With the stricter FIB handling, this check can fail in multipath scenarios. As a result, RA does not advertise a default route, and IPv6 clients on LAN fail to receive the default gateway. Steps to reproduce Run OpenWrt with kernel 6.12.42 on a router with br-lan bridge. Configure IPv6 RA in Automatic default router mode. Observe that no default route is advertised to clients (though prefixes may still be delivered). Expected behavior Router Advertisement should continue to advertise the default route as in kernel 6.12.41 and earlier. Client IPv6 connectivity should not break. Actual behavior RA fails to advertise a default route in Automatic mode. Clients do not install a default IPv6 route → connectivity fails. Temporary workaround Change RA default router mode from Automatic → Always / Use available prefixes in OpenWrt. This bypasses the dependency on local default route check and restores correct RA behavior. Additional notes This appears to be an unintended side effect of the stricter FIB handling changes introduced in 6.12.42. Please advise if this has already been reported or if I should prepare a minimal reproducer outside OpenWrt. Thanks, [GitHub: mgz0227]

1 month

2
2
0 0

[PATCH v2 0/2] media: pci: Fix invalid access to file *

by Jacopo Mondi

Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") All the ioctl handlers access their private data structures from file * The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access. The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file" Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Changes in v2: - Add Cc: stable(a)vger.kernel.org per-patch --- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file * drivers/media/pci/cx18/cx18-driver.c | 6 +++--- drivers/media/pci/cx18/cx18-ioctl.c | 26 ++++++++++++++++++++------ drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 4 ++-- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 51 insertions(+), 21 deletions(-) --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

1 month

2
3
0 0

[PATCH 0/2] media: pci: Fix invalid access to file *

by Jacopo Mondi

Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") All the ioctl handlers access their private data structures from file * The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access. The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file" Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file * drivers/media/pci/cx18/cx18-driver.c | 6 +++--- drivers/media/pci/cx18/cx18-ioctl.c | 26 ++++++++++++++++++++------ drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 4 ++-- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 51 insertions(+), 21 deletions(-) --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

1 month

3
4
0 0

[PATCH RESEND v2] proc: fix missing pde_set_flags() for net proc files

by wangzijie

To avoid potential UAF issues during module removal races, we use pde_set_flags() to save proc_ops flags in PDE itself before proc_register(), and then use pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*. However, the pde_set_flags() call was missing when creating net related proc files. This omission caused incorrect behavior which FMODE_LSEEK was being cleared inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1]. Fix this by ensuring pde_set_flags() is called when register proc entry, and add NULL check for proc_ops in pde_set_flags(). [1]: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al) Cc: stable(a)vger.kernel.org Reported-by: Lars Wendler <polynomial-c(a)gmx.de> Signed-off-by: wangzijie <wangzijie1(a)honor.com> --- fs/proc/generic.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 76e800e38..003031839 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -367,6 +367,23 @@ static const struct inode_operations proc_dir_inode_operations = { .setattr = proc_notify_change, }; +static void pde_set_flags(struct proc_dir_entry *pde) +{ + if (!pde->proc_ops) + return; + + if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) + pde->flags |= PROC_ENTRY_PERMANENT; + if (pde->proc_ops->proc_read_iter) + pde->flags |= PROC_ENTRY_proc_read_iter; +#ifdef CONFIG_COMPAT + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; +#endif + if (pde->proc_ops->proc_lseek) + pde->flags |= PROC_ENTRY_proc_lseek; +} + /* returns the registered entry, or frees dp and returns NULL on failure */ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, struct proc_dir_entry *dp) @@ -374,6 +391,8 @@ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, if (proc_alloc_inum(&dp->low_ino)) goto out_free_entry; + pde_set_flags(dp); + write_lock(&proc_subdir_lock); dp->parent = dir; if (pde_subdir_insert(dir, dp) == false) { @@ -561,20 +580,6 @@ struct proc_dir_entry *proc_create_reg(const char *name, umode_t mode, return p; } -static void pde_set_flags(struct proc_dir_entry *pde) -{ - if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) - pde->flags |= PROC_ENTRY_PERMANENT; - if (pde->proc_ops->proc_read_iter) - pde->flags |= PROC_ENTRY_proc_read_iter; -#ifdef CONFIG_COMPAT - if (pde->proc_ops->proc_compat_ioctl) - pde->flags |= PROC_ENTRY_proc_compat_ioctl; -#endif - if (pde->proc_ops->proc_lseek) - pde->flags |= PROC_ENTRY_proc_lseek; -} - struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, struct proc_dir_entry *parent, const struct proc_ops *proc_ops, void *data) @@ -585,7 +590,6 @@ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, if (!p) return NULL; p->proc_ops = proc_ops; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_data); @@ -636,7 +640,6 @@ struct proc_dir_entry *proc_create_seq_private(const char *name, umode_t mode, p->proc_ops = &proc_seq_ops; p->seq_ops = ops; p->state_size = state_size; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_seq_private); @@ -667,7 +670,6 @@ struct proc_dir_entry *proc_create_single_data(const char *name, umode_t mode, return NULL; p->proc_ops = &proc_single_ops; p->single_show = show; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_single_data); -- 2.25.1

1 month

1
1
0 0

FAILED: patch "[PATCH] iommu/vt-d: Make iotlb_sync_map a static property of" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x cee686775f9cd4eae31f3c1f7ec24b2048082667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081823-muzzle-defiant-69ef@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cee686775f9cd4eae31f3c1f7ec24b2048082667 Mon Sep 17 00:00:00 2001 From: Lu Baolu <baolu.lu(a)linux.intel.com> Date: Mon, 21 Jul 2025 13:16:57 +0800 Subject: [PATCH] iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Commit 12724ce3fe1a ("iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes") dynamically set iotlb_sync_map. This causes synchronization issues due to lack of locking on map and attach paths, racing iommufd userspace operations. Invalidation changes must precede device attachment to ensure all flushes complete before hardware walks page tables, preventing coherence issues. Make domain->iotlb_sync_map static, set once during domain allocation. If an IOMMU requires iotlb_sync_map but the domain lacks it, attach is rejected. This won't reduce domain sharing: RWBF and shadowing page table caching are legacy uses with legacy hardware. Mixed configs (some IOMMUs in caching mode, others not) are unlikely in real-world scenarios. Fixes: 12724ce3fe1a ("iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes") Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Link: https://lore.kernel.org/r/20250721051657.1695788-1-baolu.lu@linux.intel.com Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 3e774e3bb735..d1791b50f791 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -57,6 +57,8 @@ static void __init check_tylersburg_isoch(void); static int rwbf_quirk; +#define rwbf_required(iommu) (rwbf_quirk || cap_rwbf((iommu)->cap)) + /* * set to 1 to panic kernel if can't successfully enable VT-d * (used when kernel is launched w/ TXT) @@ -1780,18 +1782,6 @@ static int domain_setup_first_level(struct intel_iommu *iommu, __pa(pgd), flags, old); } -static bool domain_need_iotlb_sync_map(struct dmar_domain *domain, - struct intel_iommu *iommu) -{ - if (cap_caching_mode(iommu->cap) && intel_domain_is_ss_paging(domain)) - return true; - - if (rwbf_quirk || cap_rwbf(iommu->cap)) - return true; - - return false; -} - static int dmar_domain_attach_device(struct dmar_domain *domain, struct device *dev) { @@ -1831,8 +1821,6 @@ static int dmar_domain_attach_device(struct dmar_domain *domain, if (ret) goto out_block_translation; - domain->iotlb_sync_map |= domain_need_iotlb_sync_map(domain, iommu); - return 0; out_block_translation: @@ -3352,6 +3340,14 @@ intel_iommu_domain_alloc_first_stage(struct device *dev, return ERR_CAST(dmar_domain); dmar_domain->domain.ops = &intel_fs_paging_domain_ops; + /* + * iotlb sync for map is only needed for legacy implementations that + * explicitly require flushing internal write buffers to ensure memory + * coherence. + */ + if (rwbf_required(iommu)) + dmar_domain->iotlb_sync_map = true; + return &dmar_domain->domain; } @@ -3386,6 +3382,14 @@ intel_iommu_domain_alloc_second_stage(struct device *dev, if (flags & IOMMU_HWPT_ALLOC_DIRTY_TRACKING) dmar_domain->domain.dirty_ops = &intel_dirty_ops; + /* + * Besides the internal write buffer flush, the caching mode used for + * legacy nested translation (which utilizes shadowing page tables) + * also requires iotlb sync on map. + */ + if (rwbf_required(iommu) || cap_caching_mode(iommu->cap)) + dmar_domain->iotlb_sync_map = true; + return &dmar_domain->domain; } @@ -3446,6 +3450,11 @@ static int paging_domain_compatible_first_stage(struct dmar_domain *dmar_domain, if (!cap_fl1gp_support(iommu->cap) && (dmar_domain->domain.pgsize_bitmap & SZ_1G)) return -EINVAL; + + /* iotlb sync on map requirement */ + if ((rwbf_required(iommu)) && !dmar_domain->iotlb_sync_map) + return -EINVAL; + return 0; } @@ -3469,6 +3478,12 @@ paging_domain_compatible_second_stage(struct dmar_domain *dmar_domain, return -EINVAL; if (!(sslps & BIT(1)) && (dmar_domain->domain.pgsize_bitmap & SZ_1G)) return -EINVAL; + + /* iotlb sync on map requirement */ + if ((rwbf_required(iommu) || cap_caching_mode(iommu->cap)) && + !dmar_domain->iotlb_sync_map) + return -EINVAL; + return 0; }

1 month

1
0
0 0

FAILED: patch "[PATCH] iommu/vt-d: Make iotlb_sync_map a static property of" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x cee686775f9cd4eae31f3c1f7ec24b2048082667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081823-waking-baritone-c887@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cee686775f9cd4eae31f3c1f7ec24b2048082667 Mon Sep 17 00:00:00 2001 From: Lu Baolu <baolu.lu(a)linux.intel.com> Date: Mon, 21 Jul 2025 13:16:57 +0800 Subject: [PATCH] iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Commit 12724ce3fe1a ("iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes") dynamically set iotlb_sync_map. This causes synchronization issues due to lack of locking on map and attach paths, racing iommufd userspace operations. Invalidation changes must precede device attachment to ensure all flushes complete before hardware walks page tables, preventing coherence issues. Make domain->iotlb_sync_map static, set once during domain allocation. If an IOMMU requires iotlb_sync_map but the domain lacks it, attach is rejected. This won't reduce domain sharing: RWBF and shadowing page table caching are legacy uses with legacy hardware. Mixed configs (some IOMMUs in caching mode, others not) are unlikely in real-world scenarios. Fixes: 12724ce3fe1a ("iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes") Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Link: https://lore.kernel.org/r/20250721051657.1695788-1-baolu.lu@linux.intel.com Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 3e774e3bb735..d1791b50f791 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -57,6 +57,8 @@ static void __init check_tylersburg_isoch(void); static int rwbf_quirk; +#define rwbf_required(iommu) (rwbf_quirk || cap_rwbf((iommu)->cap)) + /* * set to 1 to panic kernel if can't successfully enable VT-d * (used when kernel is launched w/ TXT) @@ -1780,18 +1782,6 @@ static int domain_setup_first_level(struct intel_iommu *iommu, __pa(pgd), flags, old); } -static bool domain_need_iotlb_sync_map(struct dmar_domain *domain, - struct intel_iommu *iommu) -{ - if (cap_caching_mode(iommu->cap) && intel_domain_is_ss_paging(domain)) - return true; - - if (rwbf_quirk || cap_rwbf(iommu->cap)) - return true; - - return false; -} - static int dmar_domain_attach_device(struct dmar_domain *domain, struct device *dev) { @@ -1831,8 +1821,6 @@ static int dmar_domain_attach_device(struct dmar_domain *domain, if (ret) goto out_block_translation; - domain->iotlb_sync_map |= domain_need_iotlb_sync_map(domain, iommu); - return 0; out_block_translation: @@ -3352,6 +3340,14 @@ intel_iommu_domain_alloc_first_stage(struct device *dev, return ERR_CAST(dmar_domain); dmar_domain->domain.ops = &intel_fs_paging_domain_ops; + /* + * iotlb sync for map is only needed for legacy implementations that + * explicitly require flushing internal write buffers to ensure memory + * coherence. + */ + if (rwbf_required(iommu)) + dmar_domain->iotlb_sync_map = true; + return &dmar_domain->domain; } @@ -3386,6 +3382,14 @@ intel_iommu_domain_alloc_second_stage(struct device *dev, if (flags & IOMMU_HWPT_ALLOC_DIRTY_TRACKING) dmar_domain->domain.dirty_ops = &intel_dirty_ops; + /* + * Besides the internal write buffer flush, the caching mode used for + * legacy nested translation (which utilizes shadowing page tables) + * also requires iotlb sync on map. + */ + if (rwbf_required(iommu) || cap_caching_mode(iommu->cap)) + dmar_domain->iotlb_sync_map = true; + return &dmar_domain->domain; } @@ -3446,6 +3450,11 @@ static int paging_domain_compatible_first_stage(struct dmar_domain *dmar_domain, if (!cap_fl1gp_support(iommu->cap) && (dmar_domain->domain.pgsize_bitmap & SZ_1G)) return -EINVAL; + + /* iotlb sync on map requirement */ + if ((rwbf_required(iommu)) && !dmar_domain->iotlb_sync_map) + return -EINVAL; + return 0; } @@ -3469,6 +3478,12 @@ paging_domain_compatible_second_stage(struct dmar_domain *dmar_domain, return -EINVAL; if (!(sslps & BIT(1)) && (dmar_domain->domain.pgsize_bitmap & SZ_1G)) return -EINVAL; + + /* iotlb sync on map requirement */ + if ((rwbf_required(iommu) || cap_caching_mode(iommu->cap)) && + !dmar_domain->iotlb_sync_map) + return -EINVAL; + return 0; }

1 month

1
0
0 0

FAILED: patch "[PATCH] iommu/vt-d: Make iotlb_sync_map a static property of" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x cee686775f9cd4eae31f3c1f7ec24b2048082667 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081822-quill-yeah-a207@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cee686775f9cd4eae31f3c1f7ec24b2048082667 Mon Sep 17 00:00:00 2001 From: Lu Baolu <baolu.lu(a)linux.intel.com> Date: Mon, 21 Jul 2025 13:16:57 +0800 Subject: [PATCH] iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Commit 12724ce3fe1a ("iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes") dynamically set iotlb_sync_map. This causes synchronization issues due to lack of locking on map and attach paths, racing iommufd userspace operations. Invalidation changes must precede device attachment to ensure all flushes complete before hardware walks page tables, preventing coherence issues. Make domain->iotlb_sync_map static, set once during domain allocation. If an IOMMU requires iotlb_sync_map but the domain lacks it, attach is rejected. This won't reduce domain sharing: RWBF and shadowing page table caching are legacy uses with legacy hardware. Mixed configs (some IOMMUs in caching mode, others not) are unlikely in real-world scenarios. Fixes: 12724ce3fe1a ("iommu/vt-d: Optimize iotlb_sync_map for non-caching/non-RWBF modes") Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Link: https://lore.kernel.org/r/20250721051657.1695788-1-baolu.lu@linux.intel.com Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 3e774e3bb735..d1791b50f791 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -57,6 +57,8 @@ static void __init check_tylersburg_isoch(void); static int rwbf_quirk; +#define rwbf_required(iommu) (rwbf_quirk || cap_rwbf((iommu)->cap)) + /* * set to 1 to panic kernel if can't successfully enable VT-d * (used when kernel is launched w/ TXT) @@ -1780,18 +1782,6 @@ static int domain_setup_first_level(struct intel_iommu *iommu, __pa(pgd), flags, old); } -static bool domain_need_iotlb_sync_map(struct dmar_domain *domain, - struct intel_iommu *iommu) -{ - if (cap_caching_mode(iommu->cap) && intel_domain_is_ss_paging(domain)) - return true; - - if (rwbf_quirk || cap_rwbf(iommu->cap)) - return true; - - return false; -} - static int dmar_domain_attach_device(struct dmar_domain *domain, struct device *dev) { @@ -1831,8 +1821,6 @@ static int dmar_domain_attach_device(struct dmar_domain *domain, if (ret) goto out_block_translation; - domain->iotlb_sync_map |= domain_need_iotlb_sync_map(domain, iommu); - return 0; out_block_translation: @@ -3352,6 +3340,14 @@ intel_iommu_domain_alloc_first_stage(struct device *dev, return ERR_CAST(dmar_domain); dmar_domain->domain.ops = &intel_fs_paging_domain_ops; + /* + * iotlb sync for map is only needed for legacy implementations that + * explicitly require flushing internal write buffers to ensure memory + * coherence. + */ + if (rwbf_required(iommu)) + dmar_domain->iotlb_sync_map = true; + return &dmar_domain->domain; } @@ -3386,6 +3382,14 @@ intel_iommu_domain_alloc_second_stage(struct device *dev, if (flags & IOMMU_HWPT_ALLOC_DIRTY_TRACKING) dmar_domain->domain.dirty_ops = &intel_dirty_ops; + /* + * Besides the internal write buffer flush, the caching mode used for + * legacy nested translation (which utilizes shadowing page tables) + * also requires iotlb sync on map. + */ + if (rwbf_required(iommu) || cap_caching_mode(iommu->cap)) + dmar_domain->iotlb_sync_map = true; + return &dmar_domain->domain; } @@ -3446,6 +3450,11 @@ static int paging_domain_compatible_first_stage(struct dmar_domain *dmar_domain, if (!cap_fl1gp_support(iommu->cap) && (dmar_domain->domain.pgsize_bitmap & SZ_1G)) return -EINVAL; + + /* iotlb sync on map requirement */ + if ((rwbf_required(iommu)) && !dmar_domain->iotlb_sync_map) + return -EINVAL; + return 0; } @@ -3469,6 +3478,12 @@ paging_domain_compatible_second_stage(struct dmar_domain *dmar_domain, return -EINVAL; if (!(sslps & BIT(1)) && (dmar_domain->domain.pgsize_bitmap & SZ_1G)) return -EINVAL; + + /* iotlb sync on map requirement */ + if ((rwbf_required(iommu) || cap_caching_mode(iommu->cap)) && + !dmar_domain->iotlb_sync_map) + return -EINVAL; + return 0; }

1 month

1
0
0 0

[PATCH v2] proc: fix missing pde_set_flags() for net proc files

by wangzijie

To avoid potential UAF issues during module removal races, we use pde_set_flags() to save proc_ops flags in PDE itself before proc_register(), and then use pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*. However, the pde_set_flags() call was missing when creating net related proc files. This omission caused incorrect behavior which FMODE_LSEEK was being cleared inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1]. Fix this by ensuring pde_set_flags() is called when register proc entry, and add NULL check for proc_ops in pde_set_flags(). [1]: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al) Reported-by: Lars Wendler <polynomial-c(a)gmx.de> Signed-off-by: wangzijie <wangzijie1(a)honor.com> --- v2: - followed by Jiri's suggestion to refractor code and reformat commit message --- fs/proc/generic.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 76e800e38..003031839 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -367,6 +367,23 @@ static const struct inode_operations proc_dir_inode_operations = { .setattr = proc_notify_change, }; +static void pde_set_flags(struct proc_dir_entry *pde) +{ + if (!pde->proc_ops) + return; + + if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) + pde->flags |= PROC_ENTRY_PERMANENT; + if (pde->proc_ops->proc_read_iter) + pde->flags |= PROC_ENTRY_proc_read_iter; +#ifdef CONFIG_COMPAT + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; +#endif + if (pde->proc_ops->proc_lseek) + pde->flags |= PROC_ENTRY_proc_lseek; +} + /* returns the registered entry, or frees dp and returns NULL on failure */ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, struct proc_dir_entry *dp) @@ -374,6 +391,8 @@ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, if (proc_alloc_inum(&dp->low_ino)) goto out_free_entry; + pde_set_flags(dp); + write_lock(&proc_subdir_lock); dp->parent = dir; if (pde_subdir_insert(dir, dp) == false) { @@ -561,20 +580,6 @@ struct proc_dir_entry *proc_create_reg(const char *name, umode_t mode, return p; } -static void pde_set_flags(struct proc_dir_entry *pde) -{ - if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) - pde->flags |= PROC_ENTRY_PERMANENT; - if (pde->proc_ops->proc_read_iter) - pde->flags |= PROC_ENTRY_proc_read_iter; -#ifdef CONFIG_COMPAT - if (pde->proc_ops->proc_compat_ioctl) - pde->flags |= PROC_ENTRY_proc_compat_ioctl; -#endif - if (pde->proc_ops->proc_lseek) - pde->flags |= PROC_ENTRY_proc_lseek; -} - struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, struct proc_dir_entry *parent, const struct proc_ops *proc_ops, void *data) @@ -585,7 +590,6 @@ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, if (!p) return NULL; p->proc_ops = proc_ops; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_data); @@ -636,7 +640,6 @@ struct proc_dir_entry *proc_create_seq_private(const char *name, umode_t mode, p->proc_ops = &proc_seq_ops; p->seq_ops = ops; p->state_size = state_size; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_seq_private); @@ -667,7 +670,6 @@ struct proc_dir_entry *proc_create_single_data(const char *name, umode_t mode, return NULL; p->proc_ops = &proc_single_ops; p->single_show = show; - pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_single_data); -- 2.25.1

1 month

3
2
0 0

[PATCH 6.1 v2] crypto: qat - fix ring to service map for QAT GEN4

by Giovanni Cabiddu

[ Upstream commit a238487f7965d102794ed9f8aff0b667cd2ae886 ] The 4xxx drivers hardcode the ring to service mapping. However, when additional configurations where added to the driver, the mappings were not updated. This implies that an incorrect mapping might be reported through pfvf for certain configurations. This is a backport of the upstream commit with modifications, as the original patch does not apply cleanly to kernel v6.1.x. The logic has been simplified to reflect the limited configurations of the QAT driver in this version: crypto-only and compression. Instead of dynamically computing the ring to service mappings, these are now hardcoded to simplify the backport. Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Reviewed-by: Damian Muszynski <damian.muszynski(a)intel.com> Reviewed-by: Tero Kristo <tero.kristo(a)linux.intel.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> (cherry-picked from commit a238487f7965d102794ed9f8aff0b667cd2ae886) [Giovanni: backport to 6.1.y, conflict resolved simplifying the logic in the function get_ring_to_svc_map() as the QAT driver in v6.1 supports only limited configurations (crypto only and compression). Differs from upstream as the ring to service mapping is hardcoded rather than being dynamically computed.] Reviewed-by: Ahsan Atta <ahsan.atta(a)intel.com> Tested-by: Ahsan Atta <ahsan.atta(a)intel.com> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> --- V1 -> V2: changed signed-off-by area: * added (cherry-picked from ...) after last tag from upstream commit * added a note explaining how this backport differs from the original patch * added a new Signed-off-by tag for the backport author. drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 +++++++++++++ drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 + drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 ++++++ drivers/crypto/qat/qat_common/adf_init.c | 3 +++ 4 files changed, 23 insertions(+) diff --git a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c index fda5f699ff57..65b52c692add 100644 --- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c +++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c @@ -297,6 +297,18 @@ static char *uof_get_name(struct adf_accel_dev *accel_dev, u32 obj_num) return NULL; } +static u16 get_ring_to_svc_map(struct adf_accel_dev *accel_dev) +{ + switch (get_service_enabled(accel_dev)) { + case SVC_CY: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP; + case SVC_DC: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC; + } + + return 0; +} + static u32 uof_get_ae_mask(struct adf_accel_dev *accel_dev, u32 obj_num) { switch (get_service_enabled(accel_dev)) { @@ -353,6 +365,7 @@ void adf_init_hw_data_4xxx(struct adf_hw_device_data *hw_data) hw_data->uof_get_ae_mask = uof_get_ae_mask; hw_data->set_msix_rttable = set_msix_default_rttable; hw_data->set_ssm_wdtimer = adf_gen4_set_ssm_wdtimer; + hw_data->get_ring_to_svc_map = get_ring_to_svc_map; hw_data->disable_iov = adf_disable_sriov; hw_data->ring_pair_reset = adf_gen4_ring_pair_reset; hw_data->enable_pm = adf_gen4_enable_pm; diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h index ad01d99e6e2b..7993d0f82dea 100644 --- a/drivers/crypto/qat/qat_common/adf_accel_devices.h +++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h @@ -176,6 +176,7 @@ struct adf_hw_device_data { void (*get_arb_info)(struct arb_info *arb_csrs_info); void (*get_admin_info)(struct admin_info *admin_csrs_info); enum dev_sku_info (*get_sku)(struct adf_hw_device_data *self); + u16 (*get_ring_to_svc_map)(struct adf_accel_dev *accel_dev); int (*alloc_irq)(struct adf_accel_dev *accel_dev); void (*free_irq)(struct adf_accel_dev *accel_dev); void (*enable_error_correction)(struct adf_accel_dev *accel_dev); diff --git a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h index 4fb4b3df5a18..5e653ec755e6 100644 --- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h +++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h @@ -95,6 +95,12 @@ do { \ ADF_RING_BUNDLE_SIZE * (bank) + \ ADF_RING_CSR_RING_SRV_ARB_EN, (value)) +#define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC \ + (COMP << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_1_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_2_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_3_SHIFT) + /* Default ring mapping */ #define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP \ (ASYM << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c index 2e3481270c4b..49f07584f8c9 100644 --- a/drivers/crypto/qat/qat_common/adf_init.c +++ b/drivers/crypto/qat/qat_common/adf_init.c @@ -95,6 +95,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) return -EFAULT; } + if (hw_data->get_ring_to_svc_map) + hw_data->ring_to_svc_map = hw_data->get_ring_to_svc_map(accel_dev); + if (adf_ae_init(accel_dev)) { dev_err(&GET_DEV(accel_dev), "Failed to initialise Acceleration Engine\n"); -- 2.50.0

1 month

3
4
0 0

[PATCH 6.12 000/158] 6.12.40-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.40 release. There are 158 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 24 Jul 2025 13:43:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.40-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.40-rc1 Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data Matthew Brost <matthew.brost(a)intel.com> drm/xe: Move page fault init after topology init Balasubramani Vivekanandan <balasubramani.vivekanandan(a)intel.com> drm/xe/mocs: Initialize MOCS index early Chen Ridong <chenridong(a)huawei.com> sched,freezer: Remove unnecessary warning in __thaw_task Johan Hovold <johan+linaro(a)kernel.org> i2c: omap: fix deprecated of_property_read_bool() use Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: omap: Fix an error handling path in omap_i2c_probe() Jayesh Choudhary <j-choudhary(a)ti.com> i2c: omap: Add support for setting mux Ihor Solodrai <ihor.solodrai(a)pm.me> selftests/bpf: Set test path for token/obj_priv_implicit_token_envvar Miguel Ojeda <ojeda(a)kernel.org> rust: use `#[used(compiler)]` to fix build and `modpost` with Rust >= 1.89.0 Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix multicast packets received count Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> usb: dwc3: qcom: Don't leave BCR asserted Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Don't try to recover devices lost during warm reset. Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Fix flushing of delayed work used for post resume purposes Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: hub: fix detection of high tier USB3 devices behind suspended hubs Boris Burkov <boris(a)bur.io> btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Al Viro <viro(a)zeniv.linux.org.uk> clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> sched: Change nr_uninterruptible type to unsigned long Breno Leitao <leitao(a)debian.org> efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths Andrii Nakryiko <andrii(a)kernel.org> libbpf: Fix handling of BPF arena relocations Icenowy Zheng <uwu(a)icenowy.me> drm/mediatek: only announce AFBC if really supported Jason-JH Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add wait_event_timeout when disabling plane Chen Ridong <chenridong(a)huawei.com> Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" David Howells <dhowells(a)redhat.com> rxrpc: Fix transmission of an abort in response to an abort David Howells <dhowells(a)redhat.com> rxrpc: Fix recv-recv race of completed call William Liu <will(a)willsroot.io> net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Joseph Huang <Joseph.Huang(a)garmin.com> net: bridge: Do not offload IGMP/MLD messages Dong Chenchen <dongchenchen2(a)huawei.com> net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Jakub Kicinski <kuba(a)kernel.org> tls: always refresh the queue when reading sock Zigit Zo <zuozhijie(a)bytedance.com> virtio-net: fix recursived rtnl_lock() during probe() Li Tian <litian(a)redhat.com> hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Prepare to stop SR-IOV support prior GT reset Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Move VFs reprovisioning to worker Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Sanitize VF scratch registers on FLR Florian Westphal <fw(a)strlen.de> netfilter: nf_conntrack: fix crash due to removal of uninitialised entry Felix Fietkau <nbd(a)nbd.name> net: fix segmentation after TCP/UDP fraglist GRO Yue Haibing <yuehaibing(a)huawei.com> ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Christoph Paasch <cpaasch(a)openai.com> net/mlx5: Correctly set gso_size when LRO is used Zijun Hu <zijun.hu(a)oss.qualcomm.com> Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID Christian Eggers <ceggers(a)arri.de> Bluetooth: hci_core: add missing braces when using macro parameters Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: If an unallowed command is received consider it a failure Alessandro Gasbarroni <alex.gasbarroni(a)gmail.com> Bluetooth: hci_sync: fix connectable extended advertising when using static random address Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Andreas Schwab <schwab(a)suse.de> riscv: traps_misaligned: properly sign extend value in misaligned load handler Nam Cao <namcao(a)linutronix.de> riscv: Enable interrupt during exception handling Ming Lei <ming.lei(a)redhat.com> loop: use kiocb helpers to fix lockdep warning Oliver Neukum <oneukum(a)suse.com> usb: net: sierra: check for no status endpoint Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> ice: check correct pointer in fwlog debugfs Dave Ertman <david.m.ertman(a)intel.com> ice: add NULL check in eswitch lag check Marius Zachmann <mail(a)mariuszachmann.de> hwmon: (corsair-cpro) Validate the size of the received input buffer Paolo Abeni <pabeni(a)redhat.com> selftests: net: increase inter-packet timeout in udpgro.sh Brett Werling <brett.werling(a)garmin.com> can: tcan4x5x: fix reset gpio usage during probe Sean Nyekjaer <sean(a)geanix.com> can: tcan4x5x: add option for selecting nWKRQ voltage Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: remove scan request n_channels counted_by Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: fix callback lock for TLS handshake Yu Kuai <yukuai3(a)huawei.com> nvme: fix misaccounting of nvme-mpath inflight I/O Sean Anderson <sean.anderson(a)linux.dev> net: phy: Don't register LEDs for genphy Kuniyuki Iwashima <kuniyu(a)google.com> smc: Fix various oops due to inet_sock type confusion. John Garry <john.g.garry(a)oracle.com> nvme: fix endianness of command word prints in nvme_log_err_passthru() Zheng Qixing <zhengqixing(a)huawei.com> nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() Al Viro <viro(a)zeniv.linux.org.uk> fix a leak in fcntl_dirnotify() Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix use-after-free in cifs_oplock_break Kuniyuki Iwashima <kuniyu(a)google.com> rpl: Fix use-after-free in rpl_do_srh_inline(). Xiang Mei <xmei5(a)asu.edu> net/sched: sch_qfq: Fix race condition on qfq_aggregate Ming Lei <ming.lei(a)redhat.com> block: fix kobject leak in blk_unregister_queue Alok Tiwari <alok.a.tiwari(a)oracle.com> net: emaclite: Fix missing pointer increment in aligned_read() Zizhi Wo <wozizhi(a)huawei.com> cachefiles: Fix the incorrect return value in __cachefiles_write() Andrea Righi <arighi(a)nvidia.com> selftests/sched_ext: Fix exit selftest hang on UP Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Reject %p% format string in bprintf-like helpers Richard Zhu <hongxing.zhu(a)nxp.com> arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> soundwire: amd: fix for clearing command status register Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> soundwire: amd: fix for handling slave alerts after link is down Andy Yan <andyshrk(a)163.com> arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B Andy Yan <andyshrk(a)163.com> arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5 Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix initialization of data for instructions that write to subdevice Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix use of uninitialized data in insn_rw_emulate_bits() Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix some signed shift left operations Ian Abbott <abbotti(a)mev.co.uk> comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large Ian Abbott <abbotti(a)mev.co.uk> comedi: das6402: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: das16m1: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: aio_iiro_16: Fix bit shift out of bounds Ian Abbott <abbotti(a)mev.co.uk> comedi: pcl812: Fix bit shift out of bounds Maud Spierings <maudspierings(a)gocontroll.com> iio: common: st_sensors: Fix use of uninitialize device structs Markus Burri <markus.burri(a)mt.com> iio: backend: fix out-of-bound write Chen Ni <nichen(a)iscas.ac.cn> iio: adc: stm32-adc: Fix race in installing chained IRQ handler Fabio Estevam <festevam(a)denx.de> iio: adc: max1363: Reorder mode_list[] entries Fabio Estevam <festevam(a)denx.de> iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] Chen-Yu Tsai <wens(a)csie.org> iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush Andrew Jeffery <andrew(a)codeconstruct.com.au> soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Andrew Jeffery <andrew(a)codeconstruct.com.au> soc: aspeed: lpc-snoop: Cleanup resources in stack-order Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix use-after-free in crypt_message when using async crypto Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Maulik Shah <maulik.shah(a)oss.qualcomm.com> pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: properly reset Rx ring descriptor Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix the using of Rx buffer DMA Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: remove duplicate page_pool_put_full_page() Markus Blöchl <markus(a)blochl.de> net: stmmac: intel: populate entire system_counterval_t in get_time_fn() callback Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Workaround for Errata i2312 Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Thomas Fourier <fourier.thomas(a)gmail.com> mmc: bcm2835: Fix dma_unmap_sg() nents value Nathan Chancellor <nathan(a)kernel.org> memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Jan Kara <jack(a)suse.cz> isofs: Verify inode mode when loading from disk Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: nbpfaxi: Fix memory corruption in probe() Daniel Lezcano <daniel.lezcano(a)linaro.org> cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type Yun Lu <luyun(a)kylinos.cn> af_packet: fix soft lockup issue caused by tpacket_snd() Yun Lu <luyun(a)kylinos.cn> af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de> arm64: dts: rockchip: use cs-gpios for spi1 on ringneck Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency Francesco Dolcini <francesco.dolcini(a)toradex.com> arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on Meng Li <Meng.Li(a)windriver.com> arm64: dts: add big-endian property back into watchdog node Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Nathan Chancellor <nathan(a)kernel.org> phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() Paolo Abeni <pabeni(a)redhat.com> mptcp: reset fallback status gracefully at disconnect() time Paolo Abeni <pabeni(a)redhat.com> mptcp: plug races between subflow fail and subflow creation Paolo Abeni <pabeni(a)redhat.com> mptcp: make fallback action and fallback decision atomic Pavel Begunkov <asml.silence(a)gmail.com> io_uring/poll: fix POLLERR handling Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx Clayton King <clayton.king(a)amd.com> drm/amd/display: Free memory allocation Melissa Wen <mwen(a)igalia.com> drm/amd/display: Disable CRTC degamma LUT for DCN401 Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Increase reset counter only on success Eeli Haapalainen <eeli.haapalainen(a)protonmail.com> drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.89.0 Tomas Glozar <tglozar(a)redhat.com> tracing/osnoise: Fix crash in timerlat_dump_stack() Steven Rostedt <rostedt(a)goodmis.org> tracing: Add down_write(trace_event_sem) when adding trace event Nathan Chancellor <nathan(a)kernel.org> tracing/probes: Avoid using params uninitialized in parse_btf_arg() Benjamin Tissoires <bentiss(a)kernel.org> HID: core: do not bypass hid_hw_raw_request Benjamin Tissoires <bentiss(a)kernel.org> HID: core: ensure __hid_request reserves the report ID as the first byte Benjamin Tissoires <bentiss(a)kernel.org> HID: core: ensure the allocated report buffer can contain the reserved report ID Sheng Yong <shengyong1(a)xiaomi.com> dm-bufio: fix sched in atomic context Naman Jain <namjain(a)linux.microsoft.com> tools/hv: fcopy: Fix irregularities with size of ring buffer Cheng Ming Lin <chengminglin(a)mxic.com.tw> spi: Add check for 8-bit transfer with 8 IO mode support Thomas Fourier <fourier.thomas(a)gmail.com> pch_uart: Fix dma_sync_sg_for_device() nents value Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - set correct controller type for Acer NGR200 Michael C. Pratt <mcpratt(a)pm.me> nvmem: layouts: u-boot-env: remove crc32 endianness conversion Steffen Bätz <steffen(a)innosonix.de> nvmem: imx-ocotp: fix MAC address byte length Stefan Wahren <wahrenst(a)gmx.net> Revert "staging: vchiq_arm: Create keep-alive thread during probe" Alok Tiwari <alok.a.tiwari(a)oracle.com> thunderbolt: Fix bit masking in tb_dp_port_set_hops() Mario Limonciello <mario.limonciello(a)amd.com> thunderbolt: Fix wake on connect at runtime Clément Le Goffic <clement.legoffic(a)foss.st.com> i2c: stm32f7: unmap DMA mapped buffer Clément Le Goffic <clement.legoffic(a)foss.st.com> i2c: stm32: fix the device used for the DMA map Xinyu Liu <1171169449(a)qq.com> usb: gadget: configfs: Fix OOB read on empty string write Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY Drew Hamilton <drew.hamilton(a)zetier.com> usb: musb: fix gadget state on disconnect Ryan Mann (NDI) <rmann(a)ndigital.com> USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W640 Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Haotien Hsu <haotienh(a)nvidia.com> phy: tegra: xusb: Disable periodic tracking on Tegra234 Wayne Chang <waynec(a)nvidia.com> phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode Wayne Chang <waynec(a)nvidia.com> phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 3 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 + .../boot/dts/freescale/imx8mp-venice-gw71xx.dtsi | 2 +- .../boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 2 +- .../boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 +- .../boot/dts/freescale/imx8mp-venice-gw74xx.dts | 2 +- arch/arm64/boot/dts/freescale/imx95.dtsi | 2 +- arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 23 +++++ .../arm64/boot/dts/rockchip/rk3588-coolpi-cm5.dtsi | 1 + arch/arm64/boot/dts/rockchip/rk3588s-coolpi-4b.dts | 1 + arch/riscv/kernel/traps.c | 10 +- arch/riscv/kernel/traps_misaligned.c | 2 +- arch/s390/net/bpf_jit_comp.c | 10 +- block/blk-sysfs.c | 1 + drivers/block/loop.c | 5 +- drivers/bluetooth/btintel.c | 2 +- drivers/bluetooth/btusb.c | 78 ++++++++------ drivers/comedi/comedi_fops.c | 30 +++++- drivers/comedi/drivers.c | 17 +-- drivers/comedi/drivers/aio_iiro_16.c | 3 +- drivers/comedi/drivers/das16m1.c | 3 +- drivers/comedi/drivers/das6402.c | 3 +- drivers/comedi/drivers/pcl812.c | 3 +- drivers/cpuidle/cpuidle-psci.c | 23 +++-- drivers/dma/nbpfaxi.c | 11 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 9 +- drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 1 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 11 +- .../amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 3 +- drivers/gpu/drm/mediatek/mtk_crtc.c | 36 ++++++- drivers/gpu/drm/mediatek/mtk_crtc.h | 1 + drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 1 + drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 9 ++ drivers/gpu/drm/mediatek/mtk_disp_drv.h | 1 + drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 7 ++ drivers/gpu/drm/mediatek/mtk_plane.c | 12 ++- drivers/gpu/drm/mediatek/mtk_plane.h | 3 +- drivers/gpu/drm/xe/xe_gt.c | 15 +-- drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 114 ++++++++++++++++++++- drivers/gpu/drm/xe/xe_gt_sriov_pf.h | 6 ++ drivers/gpu/drm/xe/xe_gt_sriov_pf_control.c | 3 +- drivers/gpu/drm/xe/xe_gt_sriov_pf_types.h | 10 ++ drivers/hid/hid-core.c | 21 ++-- drivers/hwmon/corsair-cpro.c | 5 + drivers/i2c/busses/Kconfig | 1 + drivers/i2c/busses/i2c-omap.c | 30 +++++- drivers/i2c/busses/i2c-stm32.c | 8 +- drivers/i2c/busses/i2c-stm32f7.c | 24 ++--- drivers/iio/accel/fxls8962af-core.c | 2 + drivers/iio/accel/st_accel_core.c | 10 +- drivers/iio/adc/axp20x_adc.c | 1 + drivers/iio/adc/max1363.c | 43 ++++---- drivers/iio/adc/stm32-adc-core.c | 7 +- drivers/iio/common/st_sensors/st_sensors_core.c | 36 +++---- drivers/iio/common/st_sensors/st_sensors_trigger.c | 20 ++-- drivers/iio/industrialio-backend.c | 5 +- drivers/input/joystick/xpad.c | 2 +- drivers/md/dm-bufio.c | 6 +- drivers/memstick/core/memstick.c | 2 +- drivers/mmc/host/bcm2835.c | 3 +- drivers/mmc/host/sdhci-pci-core.c | 3 +- drivers/mmc/host/sdhci_am654.c | 9 +- drivers/net/can/m_can/tcan4x5x-core.c | 80 +++++++++++---- drivers/net/can/m_can/tcan4x5x.h | 2 + drivers/net/ethernet/intel/ice/ice_debugfs.c | 2 +- drivers/net/ethernet/intel/ice/ice_lag.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 ++- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 8 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 9 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 20 ++-- drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 - drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- drivers/net/hyperv/netvsc_drv.c | 5 +- drivers/net/phy/phy_device.c | 6 +- drivers/net/usb/sierra_net.c | 4 + drivers/net/virtio_net.c | 2 +- drivers/nvme/host/core.c | 18 ++-- drivers/nvme/target/tcp.c | 4 +- drivers/nvmem/imx-ocotp-ele.c | 5 +- drivers/nvmem/imx-ocotp.c | 5 +- drivers/nvmem/layouts/u-boot-env.c | 6 +- drivers/phy/tegra/xusb-tegra186.c | 77 ++++++++------ drivers/phy/tegra/xusb.h | 1 + drivers/pmdomain/governor.c | 18 +++- drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 ++- drivers/soundwire/amd_manager.c | 4 +- drivers/spi/spi.c | 14 ++- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 69 +++++++------ drivers/thunderbolt/switch.c | 10 +- drivers/thunderbolt/tb.h | 2 +- drivers/thunderbolt/usb4.c | 12 +-- drivers/tty/serial/pch_uart.c | 2 +- drivers/usb/core/hub.c | 36 ++++++- drivers/usb/core/hub.h | 1 + drivers/usb/dwc2/gadget.c | 40 +++++--- drivers/usb/dwc3/dwc3-qcom.c | 8 +- drivers/usb/gadget/configfs.c | 4 + drivers/usb/musb/musb_gadget.c | 2 + drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 3 + drivers/usb/serial/option.c | 5 + fs/btrfs/block-group.c | 3 + fs/cachefiles/io.c | 2 - fs/cachefiles/ondemand.c | 4 +- fs/efivarfs/super.c | 6 ++ fs/isofs/inode.c | 9 +- fs/namespace.c | 5 + fs/notify/dnotify/dnotify.c | 8 +- fs/smb/client/file.c | 10 +- fs/smb/client/smb2ops.c | 7 +- fs/smb/client/smbdirect.c | 31 +++++- include/net/bluetooth/hci_core.h | 22 ++-- include/net/cfg80211.h | 2 +- include/net/netfilter/nf_conntrack.h | 15 ++- include/trace/events/rxrpc.h | 3 + io_uring/net.c | 12 ++- io_uring/poll.c | 2 - kernel/bpf/helpers.c | 11 +- kernel/cgroup/legacy_freezer.c | 8 +- kernel/freezer.c | 15 +-- kernel/sched/loadavg.c | 2 +- kernel/sched/sched.h | 2 +- kernel/trace/trace_events.c | 5 + kernel/trace/trace_osnoise.c | 2 +- kernel/trace/trace_probe.c | 2 +- net/8021q/vlan.c | 42 ++++++-- net/8021q/vlan.h | 1 + net/bluetooth/hci_sync.c | 4 +- net/bluetooth/l2cap_core.c | 26 ++++- net/bluetooth/l2cap_sock.c | 3 + net/bluetooth/smp.c | 21 +++- net/bluetooth/smp.h | 1 + net/bridge/br_switchdev.c | 3 + net/ipv4/tcp_offload.c | 1 + net/ipv4/udp_offload.c | 1 + net/ipv6/mcast.c | 2 +- net/ipv6/rpl_iptunnel.c | 8 +- net/mptcp/options.c | 3 +- net/mptcp/pm.c | 8 +- net/mptcp/protocol.c | 56 ++++++++-- net/mptcp/protocol.h | 29 ++++-- net/mptcp/subflow.c | 30 ++++-- net/netfilter/nf_conntrack_core.c | 26 +++-- net/packet/af_packet.c | 27 +++-- net/phonet/pep.c | 2 +- net/rxrpc/call_accept.c | 1 + net/rxrpc/output.c | 3 + net/rxrpc/recvmsg.c | 19 +++- net/sched/sch_htb.c | 4 +- net/sched/sch_qfq.c | 30 ++++-- net/smc/af_smc.c | 14 +++ net/smc/smc.h | 8 +- net/tls/tls_strp.c | 3 +- rust/Makefile | 1 + rust/kernel/lib.rs | 1 + rust/macros/module.rs | 10 +- scripts/Makefile.build | 2 +- sound/pci/hda/patch_realtek.c | 2 + tools/hv/hv_fcopy_uio_daemon.c | 91 ++++++++++++++-- tools/lib/bpf/libbpf.c | 20 ++-- tools/objtool/check.c | 1 + tools/testing/selftests/bpf/prog_tests/token.c | 19 ++-- tools/testing/selftests/net/udpgro.sh | 8 +- tools/testing/selftests/sched_ext/exit.c | 8 ++ 166 files changed, 1416 insertions(+), 554 deletions(-)

1 month

15
178
0 0

FAILED: patch "[PATCH] rust: workaround `rustdoc` target modifiers bug" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x abbf9a44944171ca99c150adad9361a2f517d3b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081813-overhand-resolute-c0f3@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From abbf9a44944171ca99c150adad9361a2f517d3b6 Mon Sep 17 00:00:00 2001 From: Miguel Ojeda <ojeda(a)kernel.org> Date: Sun, 27 Jul 2025 11:23:17 +0200 Subject: [PATCH] rust: workaround `rustdoc` target modifiers bug Starting with Rust 1.88.0 (released 2025-06-26), `rustdoc` complains about a target modifier mismatch in configurations where `-Zfixed-x18` is passed: error: mixing `-Zfixed-x18` will cause an ABI mismatch in crate `rust_out` | = help: the `-Zfixed-x18` flag modifies the ABI so Rust crates compiled with different values of this flag cannot be used together safely = note: unset `-Zfixed-x18` in this crate is incompatible with `-Zfixed-x18=` in dependency `core` = help: set `-Zfixed-x18=` in this crate or unset `-Zfixed-x18` in `core` = help: if you are sure this will not cause problems, you may use `-Cunsafe-allow-abi-mismatch=fixed-x18` to silence this error The reason is that `rustdoc` was not passing the target modifiers when configuring the session options, and thus it would report a mismatch that did not exist as soon as a target modifier is used in a dependency. We did not notice it in the kernel until now because `-Zfixed-x18` has been a target modifier only since 1.88.0 (and it is the only one we use so far). The issue has been reported upstream [1] and a fix has been submitted [2], including a test similar to the kernel case. [ This is now fixed upstream (thanks Guillaume for the quick review), so it will be fixed in Rust 1.90.0 (expected 2025-09-18). - Miguel ] Meanwhile, conditionally pass `-Cunsafe-allow-abi-mismatch=fixed-x18` to workaround the issue on our side. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Reported-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Closes: https://lore.kernel.org/rust-for-linux/36cdc798-524f-4910-8b77-d7b9fac08d77… Link: https://github.com/rust-lang/rust/issues/144521 [1] Link: https://github.com/rust-lang/rust/pull/144523 [2] Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Link: https://lore.kernel.org/r/20250727092317.2930617-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> diff --git a/rust/Makefile b/rust/Makefile index 4263462b8470..d47f82588d78 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -65,6 +65,10 @@ core-cfgs = \ core-edition := $(if $(call rustc-min-version,108700),2024,2021) +# `rustdoc` did not save the target modifiers, thus workaround for +# the time being (https://github.com/rust-lang/rust/issues/144521). +rustdoc_modifiers_workaround := $(if $(call rustc-min-version,108800),-Cunsafe-allow-abi-mismatch=fixed-x18) + # `rustc` recognizes `--remap-path-prefix` since 1.26.0, but `rustdoc` only # since Rust 1.81.0. Moreover, `rustdoc` ICEs on out-of-tree builds since Rust # 1.82.0 (https://github.com/rust-lang/rust/issues/138520). Thus workaround both @@ -77,6 +81,7 @@ quiet_cmd_rustdoc = RUSTDOC $(if $(rustdoc_host),H, ) $< -Zunstable-options --generate-link-to-definition \ --output $(rustdoc_output) \ --crate-name $(subst rustdoc-,,$@) \ + $(rustdoc_modifiers_workaround) \ $(if $(rustdoc_host),,--sysroot=/dev/null) \ @$(objtree)/include/generated/rustc_cfg $< @@ -215,6 +220,7 @@ quiet_cmd_rustdoc_test_kernel = RUSTDOC TK $< --extern bindings --extern uapi \ --no-run --crate-name kernel -Zunstable-options \ --sysroot=/dev/null \ + $(rustdoc_modifiers_workaround) \ --test-builder $(objtree)/scripts/rustdoc_test_builder \ $< $(rustdoc_test_kernel_quiet); \ $(objtree)/scripts/rustdoc_test_gen

1 month

2
1
0 0

FAILED: patch "[PATCH] rust: kbuild: clean output before running `rustdoc`" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 252fea131e15aba2cd487119d1a8f546471199e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081858-zips-enchanted-3d3e@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 252fea131e15aba2cd487119d1a8f546471199e2 Mon Sep 17 00:00:00 2001 From: Miguel Ojeda <ojeda(a)kernel.org> Date: Sat, 26 Jul 2025 15:34:35 +0200 Subject: [PATCH] rust: kbuild: clean output before running `rustdoc` `rustdoc` can get confused when generating documentation into a folder that contains generated files from other `rustdoc` versions. For instance, running something like: rustup default 1.78.0 make LLVM=1 rustdoc rustup default 1.88.0 make LLVM=1 rustdoc may generate errors like: error: couldn't generate documentation: invalid template: last line expected to start with a comment | = note: failed to create or modify "./Documentation/output/rust/rustdoc/src-files.js" Thus just always clean the output folder before generating the documentation -- we are anyway regenerating it every time the `rustdoc` target gets called, at least for the time being. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Reported-by: Daniel Almeida <daniel.almeida(a)collabora.com> Closes: https://rust-for-linux.zulipchat.com/#narrow/channel/288089/topic/x/near/52… Reviewed-by: Tamir Duberstein <tamird(a)kernel.org> Link: https://lore.kernel.org/r/20250726133435.2460085-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> diff --git a/rust/Makefile b/rust/Makefile index d47f82588d78..bfa915b0e588 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -111,14 +111,14 @@ rustdoc: rustdoc-core rustdoc-macros rustdoc-compiler_builtins \ rustdoc-macros: private rustdoc_host = yes rustdoc-macros: private rustc_target_flags = --crate-type proc-macro \ --extern proc_macro -rustdoc-macros: $(src)/macros/lib.rs FORCE +rustdoc-macros: $(src)/macros/lib.rs rustdoc-clean FORCE +$(call if_changed,rustdoc) # Starting with Rust 1.82.0, skipping `-Wrustdoc::unescaped_backticks` should # not be needed -- see https://github.com/rust-lang/rust/pull/128307. rustdoc-core: private skip_flags = --edition=2021 -Wrustdoc::unescaped_backticks rustdoc-core: private rustc_target_flags = --edition=$(core-edition) $(core-cfgs) -rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs FORCE +rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs rustdoc-clean FORCE +$(call if_changed,rustdoc) rustdoc-compiler_builtins: $(src)/compiler_builtins.rs rustdoc-core FORCE @@ -130,7 +130,8 @@ rustdoc-ffi: $(src)/ffi.rs rustdoc-core FORCE rustdoc-pin_init_internal: private rustdoc_host = yes rustdoc-pin_init_internal: private rustc_target_flags = --cfg kernel \ --extern proc_macro --crate-type proc-macro -rustdoc-pin_init_internal: $(src)/pin-init/internal/src/lib.rs FORCE +rustdoc-pin_init_internal: $(src)/pin-init/internal/src/lib.rs \ + rustdoc-clean FORCE +$(call if_changed,rustdoc) rustdoc-pin_init: private rustdoc_host = yes @@ -148,6 +149,9 @@ rustdoc-kernel: $(src)/kernel/lib.rs rustdoc-core rustdoc-ffi rustdoc-macros \ $(obj)/bindings.o FORCE +$(call if_changed,rustdoc) +rustdoc-clean: FORCE + $(Q)rm -rf $(rustdoc_output) + quiet_cmd_rustc_test_library = $(RUSTC_OR_CLIPPY_QUIET) TL $< cmd_rustc_test_library = \ OBJTREE=$(abspath $(objtree)) \

1 month

2
1
0 0

Re: Re: Re: Re: [PATCH v2] mm: slub: avoid wake up kswapd in set_track_prepare

by Harry Yoo

On Mon, Aug 18, 2025 at 10:33:51AM +0800, yangshiguang wrote: > > > > At 2025-08-18 10:22:36, "Harry Yoo" <harry.yoo(a)oracle.com> wrote: > > >On Mon, Aug 18, 2025 at 10:07:40AM +0800, yangshiguang wrote: > >> > >> > >> At 2025-08-16 18:46:12, "Harry Yoo" <harry.yoo(a)oracle.com> wrote: > >> >On Sat, Aug 16, 2025 at 06:05:15PM +0800, yangshiguang wrote: > >> >> > >> >> > >> >> At 2025-08-16 16:25:25, "Harry Yoo" <harry.yoo(a)oracle.com> wrote: > >> >> >On Thu, Aug 14, 2025 at 07:16:42PM +0800, yangshiguang1011(a)163.com wrote: > >> >> >> From: yangshiguang <yangshiguang(a)xiaomi.com> > >> >> >> > >> >> >> From: yangshiguang <yangshiguang(a)xiaomi.com> > >> >> >> > >> >> >> set_track_prepare() can incur lock recursion. > >> >> >> The issue is that it is called from hrtimer_start_range_ns > >> >> >> holding the per_cpu(hrtimer_bases)[n].lock, but when enabled > >> >> >> CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare, > >> >> >> and try to hold the per_cpu(hrtimer_bases)[n].lock. > >> >> >> > >> >> >> So avoid waking up kswapd.The oops looks something like: > >> >> > > >> >> >Hi yangshiguang, > >> >> > > >> >> >In the next revision, could you please elaborate the commit message > >> >> >to reflect how this change avoids waking up kswapd? > >> >> > > >> >> > >> >> of course. Thanks for the reminder. > >> >> > >> >> >> BUG: spinlock recursion on CPU#3, swapper/3/0 > >> >> >> lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3 > >> >> >> Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT) > >> >> >> Call trace: > >> >> >> spin_bug+0x0 > >> >> >> _raw_spin_lock_irqsave+0x80 > >> >> >> hrtimer_try_to_cancel+0x94 > >> >> >> task_contending+0x10c > >> >> >> enqueue_dl_entity+0x2a4 > >> >> >> dl_server_start+0x74 > >> >> >> enqueue_task_fair+0x568 > >> >> >> enqueue_task+0xac > >> >> >> do_activate_task+0x14c > >> >> >> ttwu_do_activate+0xcc > >> >> >> try_to_wake_up+0x6c8 > >> >> >> default_wake_function+0x20 > >> >> >> autoremove_wake_function+0x1c > >> >> >> __wake_up+0xac > >> >> >> wakeup_kswapd+0x19c > >> >> >> wake_all_kswapds+0x78 > >> >> >> __alloc_pages_slowpath+0x1ac > >> >> >> __alloc_pages_noprof+0x298 > >> >> >> stack_depot_save_flags+0x6b0 > >> >> >> stack_depot_save+0x14 > >> >> >> set_track_prepare+0x5c > >> >> >> ___slab_alloc+0xccc > >> >> >> __kmalloc_cache_noprof+0x470 > >> >> >> __set_page_owner+0x2bc > >> >> >> post_alloc_hook[jt]+0x1b8 > >> >> >> prep_new_page+0x28 > >> >> >> get_page_from_freelist+0x1edc > >> >> >> __alloc_pages_noprof+0x13c > >> >> >> alloc_slab_page+0x244 > >> >> >> allocate_slab+0x7c > >> >> >> ___slab_alloc+0x8e8 > >> >> >> kmem_cache_alloc_noprof+0x450 > >> >> >> debug_objects_fill_pool+0x22c > >> >> >> debug_object_activate+0x40 > >> >> >> enqueue_hrtimer[jt]+0xdc > >> >> >> hrtimer_start_range_ns+0x5f8 > >> >> >> ... > >> >> >> > >> >> >> Signed-off-by: yangshiguang <yangshiguang(a)xiaomi.com> > >> >> >> Fixes: 5cf909c553e9 ("mm/slub: use stackdepot to save stack trace in objects") > >> >> >> --- > >> >> >> v1 -> v2: > >> >> >> propagate gfp flags to set_track_prepare() > >> >> >> > >> >> >> [1] https://urldefense.com/v3/__https://lore.kernel.org/all/20250801065121.8767… > >> >> >> --- > >> >> >> mm/slub.c | 21 +++++++++++---------- > >> >> >> 1 file changed, 11 insertions(+), 10 deletions(-) > >> >> >> > >> >> >> diff --git a/mm/slub.c b/mm/slub.c > >> >> >> index 30003763d224..dba905bf1e03 100644 > >> >> >> --- a/mm/slub.c > >> >> >> +++ b/mm/slub.c > >> >> >> @@ -962,19 +962,20 @@ static struct track *get_track(struct kmem_cache *s, void *object, > >> >> >> } > >> >> >> > >> >> >> #ifdef CONFIG_STACKDEPOT > >> >> >> -static noinline depot_stack_handle_t set_track_prepare(void) > >> >> >> +static noinline depot_stack_handle_t set_track_prepare(gfp_t gfp_flags) > >> >> >> { > >> >> >> depot_stack_handle_t handle; > >> >> >> unsigned long entries[TRACK_ADDRS_COUNT]; > >> >> >> unsigned int nr_entries; > >> >> >> + gfp_flags &= GFP_NOWAIT; > >> >> > > >> >> >Is there any reason to downgrade it to GFP_NOWAIT when the gfp flag allows > >> >> >direct reclamation? > >> >> > > >> >> > >> >> Hi Harry, > >> >> > >> >> The original allocation is GFP_NOWAIT. > >> >> So I think it's better not to increase the allocation cost here. > >> > > >> >I don't think the allocation cost is important here, because collecting > >> >a stack trace for each alloc/free is quite slow anyway. And we don't really > >> >care about performance in debug caches (it isn't designed to be > >> >performant). > >> > > >> >I think it was GFP_NOWAIT because it was considered safe without > >> >regard to the GFP flags passed, rather than due to performance > >> >considerations. > >> > > >> Hi harry, > >> > >> Is that so? > >> gfp_flags &= (GFP_NOWAIT | __GFP_DIRECT_RECLAIM); > > > >This still clears gfp flags passed by the caller to the allocator. > >Why not use gfp_flags directly without clearing some flags? > > > > Hi Harry, > > > This introduces new problems. > > call stack： > dump_backtrace+0xfc/0x17c > show_stack+0x18/0x28 > dump_stack_lvl+0x40/0xc0 > dump_stack+0x18/0x24 > __might_resched+0x164/0x184 > __might_sleep+0x38/0x84 > prepare_alloc_pages+0xc0/0x17c > __alloc_pages_noprof+0x130/0x3f8 > stack_depot_save_flags+0x5a8/0x6bc > stack_depot_save+0x14/0x24 > set_track_prepare+0x64/0x90 > ___slab_alloc+0xc14/0xc48 > __kmalloc_cache_noprof+0x398/0x568 > __kthread_create_on_node+0x8c/0x1f0 > kthread_create_on_node+0x4c/0x74 > create_worker+0xe0/0x298 > workqueue_init+0x228/0x324 > kernel_init_freeable+0x124/0x1c8 > kernel_init+0x20/0x1ac > ret_from_fork+0x10/0x20 Ok, because preemption is disabled in ___slab_alloc(), blocking allocations are not allowed even when gfp_flags allows it. So __GFP_DIRECT_RECLAIM should be cleared. So, /* Preemption is disabled in ___slab_alloc() */ gfp_flags &= ~(__GFP_DIRECT_RECLAIM); should work? > Of course there are other problems. > > So it is best to limit gtp flags. -- Cheers, Harry / Hyeonggon

1 month

2
1
0 0

FAILED: patch "[PATCH] ocfs2: reset folio to NULL when get folio fails" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2ae826799932ff89409f56636ad3c25578fe7cf5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081825-obedience-result-270a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Jun 2025 09:31:40 +0800 Subject: [PATCH] ocfs2: reset folio to NULL when get folio fails The reproducer uses FAULT_INJECTION to make memory allocation fail, which causes __filemap_get_folio() to fail, when initializing w_folios[i] in ocfs2_grab_folios_for_write(), it only returns an error code and the value of w_folios[i] is the error code, which causes ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when releasing folios. Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com Reported-by: syzbot+c2ea94ae47cd7e3881ec(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } }

1 month

1
0
0 0

FAILED: patch "[PATCH] ocfs2: reset folio to NULL when get folio fails" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2ae826799932ff89409f56636ad3c25578fe7cf5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081824-approach-prodigal-6b35@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Jun 2025 09:31:40 +0800 Subject: [PATCH] ocfs2: reset folio to NULL when get folio fails The reproducer uses FAULT_INJECTION to make memory allocation fail, which causes __filemap_get_folio() to fail, when initializing w_folios[i] in ocfs2_grab_folios_for_write(), it only returns an error code and the value of w_folios[i] is the error code, which causes ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when releasing folios. Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com Reported-by: syzbot+c2ea94ae47cd7e3881ec(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } }

1 month

1
0
0 0

FAILED: patch "[PATCH] ocfs2: reset folio to NULL when get folio fails" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2ae826799932ff89409f56636ad3c25578fe7cf5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081824-glimpse-unmanned-9833@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Jun 2025 09:31:40 +0800 Subject: [PATCH] ocfs2: reset folio to NULL when get folio fails The reproducer uses FAULT_INJECTION to make memory allocation fail, which causes __filemap_get_folio() to fail, when initializing w_folios[i] in ocfs2_grab_folios_for_write(), it only returns an error code and the value of w_folios[i] is the error code, which causes ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when releasing folios. Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com Reported-by: syzbot+c2ea94ae47cd7e3881ec(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } }

1 month

1
0
0 0

FAILED: patch "[PATCH] ocfs2: reset folio to NULL when get folio fails" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2ae826799932ff89409f56636ad3c25578fe7cf5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081823-exuberant-trace-6385@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Jun 2025 09:31:40 +0800 Subject: [PATCH] ocfs2: reset folio to NULL when get folio fails The reproducer uses FAULT_INJECTION to make memory allocation fail, which causes __filemap_get_folio() to fail, when initializing w_folios[i] in ocfs2_grab_folios_for_write(), it only returns an error code and the value of w_folios[i] is the error code, which causes ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when releasing folios. Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com Reported-by: syzbot+c2ea94ae47cd7e3881ec(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } }

1 month

1
0
0 0

FAILED: patch "[PATCH] ocfs2: reset folio to NULL when get folio fails" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2ae826799932ff89409f56636ad3c25578fe7cf5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081822-pebble-cinch-682b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Jun 2025 09:31:40 +0800 Subject: [PATCH] ocfs2: reset folio to NULL when get folio fails The reproducer uses FAULT_INJECTION to make memory allocation fail, which causes __filemap_get_folio() to fail, when initializing w_folios[i] in ocfs2_grab_folios_for_write(), it only returns an error code and the value of w_folios[i] is the error code, which causes ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when releasing folios. Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com Reported-by: syzbot+c2ea94ae47cd7e3881ec(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } }

1 month

1
0
0 0

FAILED: patch "[PATCH] ocfs2: reset folio to NULL when get folio fails" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2ae826799932ff89409f56636ad3c25578fe7cf5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081822-hasty-vineyard-a5ea@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 From: Lizhi Xu <lizhi.xu(a)windriver.com> Date: Mon, 16 Jun 2025 09:31:40 +0800 Subject: [PATCH] ocfs2: reset folio to NULL when get folio fails The reproducer uses FAULT_INJECTION to make memory allocation fail, which causes __filemap_get_folio() to fail, when initializing w_folios[i] in ocfs2_grab_folios_for_write(), it only returns an error code and the value of w_folios[i] is the error code, which causes ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when releasing folios. Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com Reported-by: syzbot+c2ea94ae47cd7e3881ec(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 40b6bce12951..89aadc6cdd87 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(struct address_space *mapping, if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } }

1 month

1
0
0 0

FAILED: patch "[PATCH] media: venus: Fix OOB read due to missing payload bound check" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081856-cubbyhole-riot-22a2@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001 From: Vedang Nagar <quic_vnagar(a)quicinc.com> Date: Mon, 19 May 2025 12:42:22 +0530 Subject: [PATCH] media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior. Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Cc: stable(a)vger.kernel.org Signed-off-by: Vedang Nagar <quic_vnagar(a)quicinc.com> Reviewed-by: Vikash Garodia <quic_vgarodia(a)quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Co-developed-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Bryan O'Donoghue <bod(a)kernel.org> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 0a041b4db9ef..cf0d97cbc463 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -33,8 +33,9 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, struct hfi_buffer_requirements *bufreq; struct hfi_extradata_input_crop *crop; struct hfi_dpb_counts *dpb_count; + u32 ptype, rem_bytes; + u32 size_read = 0; u8 *data_ptr; - u32 ptype; inst->error = HFI_ERR_NONE; @@ -44,86 +45,118 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, break; default: inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; - goto done; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; } event.event_type = pkt->event_data1; num_properties_changed = pkt->event_data2; - if (!num_properties_changed) { - inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; - goto done; - } + if (!num_properties_changed) + goto error; data_ptr = (u8 *)&pkt->ext_event_data[0]; + rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); + do { + if (rem_bytes < sizeof(u32)) + goto error; ptype = *((u32 *)data_ptr); + + data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + switch (ptype) { case HFI_PROPERTY_PARAM_FRAME_SIZE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_framesize)) + goto error; + frame_sz = (struct hfi_framesize *)data_ptr; event.width = frame_sz->width; event.height = frame_sz->height; - data_ptr += sizeof(*frame_sz); + size_read = sizeof(struct hfi_framesize); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_profile_level)) + goto error; + profile_level = (struct hfi_profile_level *)data_ptr; event.profile = profile_level->profile; event.level = profile_level->level; - data_ptr += sizeof(*profile_level); + size_read = sizeof(struct hfi_profile_level); break; case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_bit_depth)) + goto error; + pixel_depth = (struct hfi_bit_depth *)data_ptr; event.bit_depth = pixel_depth->bit_depth; - data_ptr += sizeof(*pixel_depth); + size_read = sizeof(struct hfi_bit_depth); break; case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_pic_struct)) + goto error; + pic_struct = (struct hfi_pic_struct *)data_ptr; event.pic_struct = pic_struct->progressive_only; - data_ptr += sizeof(*pic_struct); + size_read = sizeof(struct hfi_pic_struct); break; case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_colour_space)) + goto error; + colour_info = (struct hfi_colour_space *)data_ptr; event.colour_space = colour_info->colour_space; - data_ptr += sizeof(*colour_info); + size_read = sizeof(struct hfi_colour_space); break; case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(u32)) + goto error; + event.entropy_mode = *(u32 *)data_ptr; - data_ptr += sizeof(u32); + size_read = sizeof(u32); break; case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_buffer_requirements)) + goto error; + bufreq = (struct hfi_buffer_requirements *)data_ptr; event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); - data_ptr += sizeof(*bufreq); + size_read = sizeof(struct hfi_buffer_requirements); break; case HFI_INDEX_EXTRADATA_INPUT_CROP: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) + goto error; + crop = (struct hfi_extradata_input_crop *)data_ptr; event.input_crop.left = crop->left; event.input_crop.top = crop->top; event.input_crop.width = crop->width; event.input_crop.height = crop->height; - data_ptr += sizeof(*crop); + size_read = sizeof(struct hfi_extradata_input_crop); break; case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_dpb_counts)) + goto error; + dpb_count = (struct hfi_dpb_counts *)data_ptr; event.buf_count = dpb_count->fw_min_cnt; - data_ptr += sizeof(*dpb_count); + size_read = sizeof(struct hfi_dpb_counts); break; default: + size_read = 0; break; } + data_ptr += size_read; + rem_bytes -= size_read; num_properties_changed--; } while (num_properties_changed > 0); -done: + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; + +error: + inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); }

1 month

1
0
0 0

FAILED: patch "[PATCH] media: venus: Fix OOB read due to missing payload bound check" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081856-uncover-hydrogen-b05d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001 From: Vedang Nagar <quic_vnagar(a)quicinc.com> Date: Mon, 19 May 2025 12:42:22 +0530 Subject: [PATCH] media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior. Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Cc: stable(a)vger.kernel.org Signed-off-by: Vedang Nagar <quic_vnagar(a)quicinc.com> Reviewed-by: Vikash Garodia <quic_vgarodia(a)quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Co-developed-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Bryan O'Donoghue <bod(a)kernel.org> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 0a041b4db9ef..cf0d97cbc463 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -33,8 +33,9 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, struct hfi_buffer_requirements *bufreq; struct hfi_extradata_input_crop *crop; struct hfi_dpb_counts *dpb_count; + u32 ptype, rem_bytes; + u32 size_read = 0; u8 *data_ptr; - u32 ptype; inst->error = HFI_ERR_NONE; @@ -44,86 +45,118 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, break; default: inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; - goto done; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; } event.event_type = pkt->event_data1; num_properties_changed = pkt->event_data2; - if (!num_properties_changed) { - inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; - goto done; - } + if (!num_properties_changed) + goto error; data_ptr = (u8 *)&pkt->ext_event_data[0]; + rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); + do { + if (rem_bytes < sizeof(u32)) + goto error; ptype = *((u32 *)data_ptr); + + data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + switch (ptype) { case HFI_PROPERTY_PARAM_FRAME_SIZE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_framesize)) + goto error; + frame_sz = (struct hfi_framesize *)data_ptr; event.width = frame_sz->width; event.height = frame_sz->height; - data_ptr += sizeof(*frame_sz); + size_read = sizeof(struct hfi_framesize); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_profile_level)) + goto error; + profile_level = (struct hfi_profile_level *)data_ptr; event.profile = profile_level->profile; event.level = profile_level->level; - data_ptr += sizeof(*profile_level); + size_read = sizeof(struct hfi_profile_level); break; case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_bit_depth)) + goto error; + pixel_depth = (struct hfi_bit_depth *)data_ptr; event.bit_depth = pixel_depth->bit_depth; - data_ptr += sizeof(*pixel_depth); + size_read = sizeof(struct hfi_bit_depth); break; case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_pic_struct)) + goto error; + pic_struct = (struct hfi_pic_struct *)data_ptr; event.pic_struct = pic_struct->progressive_only; - data_ptr += sizeof(*pic_struct); + size_read = sizeof(struct hfi_pic_struct); break; case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_colour_space)) + goto error; + colour_info = (struct hfi_colour_space *)data_ptr; event.colour_space = colour_info->colour_space; - data_ptr += sizeof(*colour_info); + size_read = sizeof(struct hfi_colour_space); break; case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(u32)) + goto error; + event.entropy_mode = *(u32 *)data_ptr; - data_ptr += sizeof(u32); + size_read = sizeof(u32); break; case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_buffer_requirements)) + goto error; + bufreq = (struct hfi_buffer_requirements *)data_ptr; event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); - data_ptr += sizeof(*bufreq); + size_read = sizeof(struct hfi_buffer_requirements); break; case HFI_INDEX_EXTRADATA_INPUT_CROP: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) + goto error; + crop = (struct hfi_extradata_input_crop *)data_ptr; event.input_crop.left = crop->left; event.input_crop.top = crop->top; event.input_crop.width = crop->width; event.input_crop.height = crop->height; - data_ptr += sizeof(*crop); + size_read = sizeof(struct hfi_extradata_input_crop); break; case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_dpb_counts)) + goto error; + dpb_count = (struct hfi_dpb_counts *)data_ptr; event.buf_count = dpb_count->fw_min_cnt; - data_ptr += sizeof(*dpb_count); + size_read = sizeof(struct hfi_dpb_counts); break; default: + size_read = 0; break; } + data_ptr += size_read; + rem_bytes -= size_read; num_properties_changed--; } while (num_properties_changed > 0); -done: + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; + +error: + inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); }

1 month

1
0
0 0

FAILED: patch "[PATCH] media: venus: Fix OOB read due to missing payload bound check" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081855-other-whisking-9807@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001 From: Vedang Nagar <quic_vnagar(a)quicinc.com> Date: Mon, 19 May 2025 12:42:22 +0530 Subject: [PATCH] media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior. Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Cc: stable(a)vger.kernel.org Signed-off-by: Vedang Nagar <quic_vnagar(a)quicinc.com> Reviewed-by: Vikash Garodia <quic_vgarodia(a)quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> Co-developed-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com> Signed-off-by: Bryan O'Donoghue <bod(a)kernel.org> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 0a041b4db9ef..cf0d97cbc463 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -33,8 +33,9 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, struct hfi_buffer_requirements *bufreq; struct hfi_extradata_input_crop *crop; struct hfi_dpb_counts *dpb_count; + u32 ptype, rem_bytes; + u32 size_read = 0; u8 *data_ptr; - u32 ptype; inst->error = HFI_ERR_NONE; @@ -44,86 +45,118 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, break; default: inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; - goto done; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; } event.event_type = pkt->event_data1; num_properties_changed = pkt->event_data2; - if (!num_properties_changed) { - inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; - goto done; - } + if (!num_properties_changed) + goto error; data_ptr = (u8 *)&pkt->ext_event_data[0]; + rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); + do { + if (rem_bytes < sizeof(u32)) + goto error; ptype = *((u32 *)data_ptr); + + data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + switch (ptype) { case HFI_PROPERTY_PARAM_FRAME_SIZE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_framesize)) + goto error; + frame_sz = (struct hfi_framesize *)data_ptr; event.width = frame_sz->width; event.height = frame_sz->height; - data_ptr += sizeof(*frame_sz); + size_read = sizeof(struct hfi_framesize); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_profile_level)) + goto error; + profile_level = (struct hfi_profile_level *)data_ptr; event.profile = profile_level->profile; event.level = profile_level->level; - data_ptr += sizeof(*profile_level); + size_read = sizeof(struct hfi_profile_level); break; case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_bit_depth)) + goto error; + pixel_depth = (struct hfi_bit_depth *)data_ptr; event.bit_depth = pixel_depth->bit_depth; - data_ptr += sizeof(*pixel_depth); + size_read = sizeof(struct hfi_bit_depth); break; case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_pic_struct)) + goto error; + pic_struct = (struct hfi_pic_struct *)data_ptr; event.pic_struct = pic_struct->progressive_only; - data_ptr += sizeof(*pic_struct); + size_read = sizeof(struct hfi_pic_struct); break; case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_colour_space)) + goto error; + colour_info = (struct hfi_colour_space *)data_ptr; event.colour_space = colour_info->colour_space; - data_ptr += sizeof(*colour_info); + size_read = sizeof(struct hfi_colour_space); break; case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(u32)) + goto error; + event.entropy_mode = *(u32 *)data_ptr; - data_ptr += sizeof(u32); + size_read = sizeof(u32); break; case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_buffer_requirements)) + goto error; + bufreq = (struct hfi_buffer_requirements *)data_ptr; event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); - data_ptr += sizeof(*bufreq); + size_read = sizeof(struct hfi_buffer_requirements); break; case HFI_INDEX_EXTRADATA_INPUT_CROP: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) + goto error; + crop = (struct hfi_extradata_input_crop *)data_ptr; event.input_crop.left = crop->left; event.input_crop.top = crop->top; event.input_crop.width = crop->width; event.input_crop.height = crop->height; - data_ptr += sizeof(*crop); + size_read = sizeof(struct hfi_extradata_input_crop); break; case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: - data_ptr += sizeof(u32); + if (rem_bytes < sizeof(struct hfi_dpb_counts)) + goto error; + dpb_count = (struct hfi_dpb_counts *)data_ptr; event.buf_count = dpb_count->fw_min_cnt; - data_ptr += sizeof(*dpb_count); + size_read = sizeof(struct hfi_dpb_counts); break; default: + size_read = 0; break; } + data_ptr += size_read; + rem_bytes -= size_read; num_properties_changed--; } while (num_properties_changed > 0); -done: + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; + +error: + inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); }

1 month

1
0
0 0

FAILED: patch "[PATCH] mm/shmem, swap: improve cached mTHP handling and fix" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 5c241ed8d031693dadf33dd98ed2e7cc363e9b66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081819-dawdler-letdown-9d50@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5c241ed8d031693dadf33dd98ed2e7cc363e9b66 Mon Sep 17 00:00:00 2001 From: Kairui Song <kasong(a)tencent.com> Date: Mon, 28 Jul 2025 15:52:59 +0800 Subject: [PATCH] mm/shmem, swap: improve cached mTHP handling and fix potential hang The current swap-in code assumes that, when a swap entry in shmem mapping is order 0, its cached folios (if present) must be order 0 too, which turns out not always correct. The problem is shmem_split_large_entry is called before verifying the folio will eventually be swapped in, one possible race is: CPU1 CPU2 shmem_swapin_folio /* swap in of order > 0 swap entry S1 */ folio = swap_cache_get_folio /* folio = NULL */ order = xa_get_order /* order > 0 */ folio = shmem_swap_alloc_folio /* mTHP alloc failure, folio = NULL */ <... Interrupted ...> shmem_swapin_folio /* S1 is swapped in */ shmem_writeout /* S1 is swapped out, folio cached */ shmem_split_large_entry(..., S1) /* S1 is split, but the folio covering it has order > 0 now */ Now any following swapin of S1 will hang: `xa_get_order` returns 0, and folio lookup will return a folio with order > 0. The `xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always return false causing swap-in to return -EEXIST. And this looks fragile. So fix this up by allowing seeing a larger folio in swap cache, and check the whole shmem mapping range covered by the swapin have the right swap value upon inserting the folio. And drop the redundant tree walks before the insertion. This will actually improve performance, as it avoids two redundant Xarray tree walks in the hot path, and the only side effect is that in the failure path, shmem may redundantly reallocate a few folios causing temporary slight memory pressure. And worth noting, it may seems the order and value check before inserting might help reducing the lock contention, which is not true. The swap cache layer ensures raced swapin will either see a swap cache folio or failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is bypassed), so holding the folio lock and checking the folio flag is already good enough for avoiding the lock contention. The chance that a folio passes the swap entry value check but the shmem mapping slot has changed should be very low. Link: https://lkml.kernel.org/r/20250728075306.12704-1-ryncsn@gmail.com Link: https://lkml.kernel.org/r/20250728075306.12704-2-ryncsn@gmail.com Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Tested-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index 7570a24e0ae4..1d0fd266c29b 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -891,7 +891,9 @@ static int shmem_add_to_page_cache(struct folio *folio, pgoff_t index, void *expected, gfp_t gfp) { XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio)); - long nr = folio_nr_pages(folio); + unsigned long nr = folio_nr_pages(folio); + swp_entry_t iter, swap; + void *entry; VM_BUG_ON_FOLIO(index != round_down(index, nr), folio); VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); @@ -903,14 +905,25 @@ static int shmem_add_to_page_cache(struct folio *folio, gfp &= GFP_RECLAIM_MASK; folio_throttle_swaprate(folio, gfp); + swap = radix_to_swp_entry(expected); do { + iter = swap; xas_lock_irq(&xas); - if (expected != xas_find_conflict(&xas)) { - xas_set_err(&xas, -EEXIST); - goto unlock; + xas_for_each_conflict(&xas, entry) { + /* + * The range must either be empty, or filled with + * expected swap entries. Shmem swap entries are never + * partially freed without split of both entry and + * folio, so there shouldn't be any holes. + */ + if (!expected || entry != swp_to_radix_entry(iter)) { + xas_set_err(&xas, -EEXIST); + goto unlock; + } + iter.val += 1 << xas_get_order(&xas); } - if (expected && xas_find_conflict(&xas)) { + if (expected && iter.val - nr != swap.val) { xas_set_err(&xas, -EEXIST); goto unlock; } @@ -2359,7 +2372,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, error = -ENOMEM; goto failed; } - } else if (order != folio_order(folio)) { + } else if (order > folio_order(folio)) { /* * Swap readahead may swap in order 0 folios into swapcache * asynchronously, while the shmem mapping can still stores @@ -2384,15 +2397,23 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, swap = swp_entry(swp_type(swap), swp_offset(swap) + offset); } + } else if (order < folio_order(folio)) { + swap.val = round_down(swap.val, 1 << folio_order(folio)); + index = round_down(index, 1 << folio_order(folio)); } alloced: - /* We have to do this with folio locked to prevent races */ + /* + * We have to do this with the folio locked to prevent races. + * The shmem_confirm_swap below only checks if the first swap + * entry matches the folio, that's enough to ensure the folio + * is not used outside of shmem, as shmem swap entries + * and swap cache folios are never partially freed. + */ folio_lock(folio); if ((!skip_swapcache && !folio_test_swapcache(folio)) || - folio->swap.val != swap.val || !shmem_confirm_swap(mapping, index, swap) || - xa_get_order(&mapping->i_pages, index) != folio_order(folio)) { + folio->swap.val != swap.val) { error = -EEXIST; goto unlock; }

1 month

1
0
0 0

FAILED: patch "[PATCH] mm/huge_memory: don't ignore queried cachemode in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 09fefdca80aebd1023e827cb0ee174983d829d18 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081839-covenant-lagoon-0736@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 09fefdca80aebd1023e827cb0ee174983d829d18 Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Fri, 13 Jun 2025 11:27:00 +0200 Subject: [PATCH] mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() Patch series "mm/huge_memory: vmf_insert_folio_*() and vmf_insert_pfn_pud() fixes", v3. While working on improving vm_normal_page() and friends, I stumbled over this issues: refcounted "normal" folios must not be marked using pmd_special() / pud_special(). Otherwise, we're effectively telling the system that these folios are no "normal", violating the rules we documented for vm_normal_page(). Fortunately, there are not many pmd_special()/pud_special() users yet. So far there doesn't seem to be serious damage. Tested using the ndctl tests ("ndctl:dax" suite). This patch (of 3): We set up the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. It is unclear in which configurations we would get the cachemode wrong: through vfio seems possible. Getting cachemodes wrong is usually ... bad. As the fix is easy, let's backport it to stable. Identified by code inspection. Link: https://lkml.kernel.org/r/20250613092702.1943533-1-david@redhat.com Link: https://lkml.kernel.org/r/20250613092702.1943533-2-david@redhat.com Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Tested-by: Dan Williams <dan.j.williams(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index d3e66136e41a..49b98082c540 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud, struct vm_area_struct *vma) } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_fault *vmf, pfn_t pfn, bool write) pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct vm_fault *vmf, struct folio *folio, add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE;

1 month

1
0
0 0

FAILED: patch "[PATCH] mm/huge_memory: don't ignore queried cachemode in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 09fefdca80aebd1023e827cb0ee174983d829d18 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081838-flap-rewire-69a5@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 09fefdca80aebd1023e827cb0ee174983d829d18 Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Fri, 13 Jun 2025 11:27:00 +0200 Subject: [PATCH] mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() Patch series "mm/huge_memory: vmf_insert_folio_*() and vmf_insert_pfn_pud() fixes", v3. While working on improving vm_normal_page() and friends, I stumbled over this issues: refcounted "normal" folios must not be marked using pmd_special() / pud_special(). Otherwise, we're effectively telling the system that these folios are no "normal", violating the rules we documented for vm_normal_page(). Fortunately, there are not many pmd_special()/pud_special() users yet. So far there doesn't seem to be serious damage. Tested using the ndctl tests ("ndctl:dax" suite). This patch (of 3): We set up the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. It is unclear in which configurations we would get the cachemode wrong: through vfio seems possible. Getting cachemodes wrong is usually ... bad. As the fix is easy, let's backport it to stable. Identified by code inspection. Link: https://lkml.kernel.org/r/20250613092702.1943533-1-david@redhat.com Link: https://lkml.kernel.org/r/20250613092702.1943533-2-david@redhat.com Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Tested-by: Dan Williams <dan.j.williams(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index d3e66136e41a..49b98082c540 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud, struct vm_area_struct *vma) } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_fault *vmf, pfn_t pfn, bool write) pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct vm_fault *vmf, struct folio *folio, add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE;

1 month

1
0
0 0

FAILED: patch "[PATCH] mm, slab: restore NUMA policy support for large kmalloc" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e2d18cbf178775ad377ad88ee55e6e183c38d262 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081818-fragrant-plausibly-d214@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e2d18cbf178775ad377ad88ee55e6e183c38d262 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Mon, 2 Jun 2025 13:02:12 +0200 Subject: [PATCH] mm, slab: restore NUMA policy support for large kmalloc The slab allocator observes the task's NUMA policy in various places such as allocating slab pages. Large kmalloc() allocations used to do that too, until an unintended change by c4cab557521a ("mm/slab_common: cleanup kmalloc_large()") resulted in ignoring mempolicy and just preferring the local node. Restore the NUMA policy support. Fixes: c4cab557521a ("mm/slab_common: cleanup kmalloc_large()") Cc: <stable(a)vger.kernel.org> Acked-by: Christoph Lameter (Ampere) <cl(a)gentwo.org> Acked-by: Roman Gushchin <roman.gushchin(a)linux.dev> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..06d64a5fb1bf 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -4269,7 +4269,12 @@ static void *___kmalloc_large_node(size_t size, gfp_t flags, int node) flags = kmalloc_fix_flags(flags); flags |= __GFP_COMP; - folio = (struct folio *)alloc_pages_node_noprof(node, flags, order); + + if (node == NUMA_NO_NODE) + folio = (struct folio *)alloc_pages_noprof(flags, order); + else + folio = (struct folio *)__alloc_pages_noprof(flags, order, node, NULL); + if (folio) { ptr = folio_address(folio); lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B,

1 month

1
0
0 0

FAILED: patch "[PATCH] hv_netvsc: Fix panic during namespace deletion with VF" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 33caa208dba6fa639e8a92fd0c8320b652e5550c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081829-subsidy-password-5fce@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001 From: Haiyang Zhang <haiyangz(a)microsoft.com> Date: Wed, 6 Aug 2025 13:21:51 -0700 Subject: [PATCH] hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it. Cc: stable(a)vger.kernel.org Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.m… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index cb6f5482d203..7397c693f984 100644 --- a/drivers/net/hyperv/hyperv_net.h +++ b/drivers/net/hyperv/hyperv_net.h @@ -1061,6 +1061,7 @@ struct net_device_context { struct net_device __rcu *vf_netdev; struct netvsc_vf_pcpu_stats __percpu *vf_stats; struct delayed_work vf_takeover; + struct delayed_work vfns_work; /* 1: allocated, serial number is valid. 0: not allocated */ u32 vf_alloc; @@ -1075,6 +1076,8 @@ struct net_device_context { struct netvsc_device_info *saved_netvsc_dev_info; }; +void netvsc_vfns_work(struct work_struct *w); + /* Azure hosts don't support non-TCP port numbers in hashing for fragmented * packets. We can use ethtool to change UDP hash level when necessary. */ diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index f44753756358..39c892e46cb0 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2522,6 +2522,7 @@ static int netvsc_probe(struct hv_device *dev, spin_lock_init(&net_device_ctx->lock); INIT_LIST_HEAD(&net_device_ctx->reconfig_events); INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); + INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); net_device_ctx->vf_stats = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); @@ -2666,6 +2667,8 @@ static void netvsc_remove(struct hv_device *dev) cancel_delayed_work_sync(&ndev_ctx->dwork); rtnl_lock(); + cancel_delayed_work_sync(&ndev_ctx->vfns_work); + nvdev = rtnl_dereference(ndev_ctx->nvdev); if (nvdev) { cancel_work_sync(&nvdev->subchan_work); @@ -2707,6 +2710,7 @@ static int netvsc_suspend(struct hv_device *dev) cancel_delayed_work_sync(&ndev_ctx->dwork); rtnl_lock(); + cancel_delayed_work_sync(&ndev_ctx->vfns_work); nvdev = rtnl_dereference(ndev_ctx->nvdev); if (nvdev == NULL) { @@ -2800,6 +2804,27 @@ static void netvsc_event_set_vf_ns(struct net_device *ndev) } } +void netvsc_vfns_work(struct work_struct *w) +{ + struct net_device_context *ndev_ctx = + container_of(w, struct net_device_context, vfns_work.work); + struct net_device *ndev; + + if (!rtnl_trylock()) { + schedule_delayed_work(&ndev_ctx->vfns_work, 1); + return; + } + + ndev = hv_get_drvdata(ndev_ctx->device_ctx); + if (!ndev) + goto out; + + netvsc_event_set_vf_ns(ndev); + +out: + rtnl_unlock(); +} + /* * On Hyper-V, every VF interface is matched with a corresponding * synthetic interface. The synthetic interface is presented first @@ -2810,10 +2835,12 @@ static int netvsc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr) { struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); + struct net_device_context *ndev_ctx; int ret = 0; if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { - netvsc_event_set_vf_ns(event_dev); + ndev_ctx = netdev_priv(event_dev); + schedule_delayed_work(&ndev_ctx->vfns_work, 0); return NOTIFY_DONE; }

1 month

1
0
0 0

FAILED: patch "[PATCH] net/sched: ets: use old 'nbands' while purging unused classes" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 87c6efc5ce9c126ae4a781bc04504b83780e3650 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081800-slapping-emperor-9edd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 From: Davide Caratti <dcaratti(a)redhat.com> Date: Tue, 12 Aug 2025 18:40:29 +0200 Subject: [PATCH] net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.163… [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.c… Cc: stable(a)vger.kernel.org Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") Reported-by: Li Shuang <shuali(a)redhat.com> Closes: https://issues.redhat.com/browse/RHEL-108026 Reviewed-by: Petr Machata <petrm(a)nvidia.com> Co-developed-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Ivan Vecera <ivecera(a)redhat.com> Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.175501608… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index 037f764822b9..82635dd2cfa5 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c @@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, sch_tree_lock(sch); + for (i = nbands; i < oldbands; i++) { + if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } + WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { @@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, q->classes[i].deficit = quanta[i]; } } - for (i = q->nbands; i < oldbands; i++) { - if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) - list_del_init(&q->classes[i].alist); - qdisc_purge_queue(q->classes[i].qdisc); - } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap));

1 month

1
0
0 0

FAILED: patch "[PATCH] btrfs: zoned: requeue to unused block group list if zone" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 62be7afcc13b2727bdc6a4c91aefed6b452e6ecc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081819-dean-outage-295c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 62be7afcc13b2727bdc6a4c91aefed6b452e6ecc Mon Sep 17 00:00:00 2001 From: Naohiro Aota <naohiro.aota(a)wdc.com> Date: Sun, 29 Jun 2025 23:18:29 +0900 Subject: [PATCH] btrfs: zoned: requeue to unused block group list if zone finish failed btrfs_zone_finish() can fail for several reason. If it is -EAGAIN, we need to try it again later. So, put the block group to the retry list properly. Failing to do so will keep the removable block group intact until remount and can causes unnecessary ENOSPC. Fixes: 74e91b12b115 ("btrfs: zoned: zone finish unused block group") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index 3ddf9fe52b9d..47c6d040176c 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -1639,8 +1639,10 @@ void btrfs_delete_unused_bgs(struct btrfs_fs_info *fs_info) ret = btrfs_zone_finish(block_group); if (ret < 0) { btrfs_dec_block_group_ro(block_group); - if (ret == -EAGAIN) + if (ret == -EAGAIN) { + btrfs_link_bg_list(block_group, &retry_list); ret = 0; + } goto next; }

1 month

1
0
0 0

FAILED: patch "[PATCH] btrfs: zoned: requeue to unused block group list if zone" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 62be7afcc13b2727bdc6a4c91aefed6b452e6ecc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081802-litigator-enrich-4269@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 62be7afcc13b2727bdc6a4c91aefed6b452e6ecc Mon Sep 17 00:00:00 2001 From: Naohiro Aota <naohiro.aota(a)wdc.com> Date: Sun, 29 Jun 2025 23:18:29 +0900 Subject: [PATCH] btrfs: zoned: requeue to unused block group list if zone finish failed btrfs_zone_finish() can fail for several reason. If it is -EAGAIN, we need to try it again later. So, put the block group to the retry list properly. Failing to do so will keep the removable block group intact until remount and can causes unnecessary ENOSPC. Fixes: 74e91b12b115 ("btrfs: zoned: zone finish unused block group") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota(a)wdc.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index 3ddf9fe52b9d..47c6d040176c 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -1639,8 +1639,10 @@ void btrfs_delete_unused_bgs(struct btrfs_fs_info *fs_info) ret = btrfs_zone_finish(block_group); if (ret < 0) { btrfs_dec_block_group_ro(block_group); - if (ret == -EAGAIN) + if (ret == -EAGAIN) { + btrfs_link_bg_list(block_group, &retry_list); ret = 0; + } goto next; }

1 month

1
0
0 0

[PATCH v2] memstick: Fix deadlock by moving removing flag earlier

by Jiayi Li

The existing memstick core patch: commit 62c59a8786e6 ("memstick: Skip allocating card when removing host") sets host->removing in memstick_remove_host(),but still exists a critical time window where memstick_check can run after host->eject is set but before removing is set. In the rtsx_usb_ms driver, the problematic sequence is: rtsx_usb_ms_drv_remove: memstick_check: host->eject = true cancel_work_sync(handle_req) if(!host->removing) ... memstick_alloc_card() memstick_set_rw_addr() memstick_new_req() rtsx_usb_ms_request() if(!host->eject) skip schedule_work wait_for_completion() memstick_remove_host: [blocks indefinitely] host->removing = true flush_workqueue() [block] 1. rtsx_usb_ms_drv_remove sets host->eject = true 2. cancel_work_sync(&host->handle_req) runs 3. memstick_check work may be executed here <-- danger window 4. memstick_remove_host sets removing = 1 During this window (step 3), memstick_check calls memstick_alloc_card, which may indefinitely waiting for mrq_complete completion that will never occur because rtsx_usb_ms_request sees eject=true and skips scheduling work, memstick_set_rw_addr waits forever for completion. This causes a deadlock when memstick_remove_host tries to flush_workqueue, waiting for memstick_check to complete, while memstick_check is blocked waiting for mrq_complete completion. Fix this by setting removing=true at the start of rtsx_usb_ms_drv_remove, before any work cancellation. This ensures memstick_check will see the removing flag immediately and exit early, avoiding the deadlock. Fixes: 62c59a8786e6 ("memstick: Skip allocating card when removing host") Signed-off-by: Jiayi Li <lijiayi(a)kylinos.cn> Cc: stable(a)vger.kernel.org --- v1 -> v2: Added Cc: stable(a)vger.kernel.org --- drivers/memstick/core/memstick.c | 1 - drivers/memstick/host/rtsx_usb_ms.c | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c index 043b9ec756ff..95e65f4958f2 100644 --- a/drivers/memstick/core/memstick.c +++ b/drivers/memstick/core/memstick.c @@ -555,7 +555,6 @@ EXPORT_SYMBOL(memstick_add_host); */ void memstick_remove_host(struct memstick_host *host) { - host->removing = 1; flush_workqueue(workqueue); mutex_lock(&host->lock); if (host->card) diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c index 3878136227e4..5b5e9354fb2e 100644 --- a/drivers/memstick/host/rtsx_usb_ms.c +++ b/drivers/memstick/host/rtsx_usb_ms.c @@ -812,6 +812,7 @@ static void rtsx_usb_ms_drv_remove(struct platform_device *pdev) int err; host->eject = true; + msh->removing = true; cancel_work_sync(&host->handle_req); cancel_delayed_work_sync(&host->poll_card); -- 2.47.1

1 month

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror