- Linux-stable-mirror - lists.linaro.org

[PATCH] jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

by Fedor Pchelkin

Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handle that. The code is ready for propagating the error upwards. KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 Call Trace: jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 call_write_iter include/linux/fs.h:2039 [inline] do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 do_iter_write+0x18c/0x710 fs/read_write.c:866 vfs_writev+0x1db/0x6a0 fs/read_write.c:939 do_pwritev fs/read_write.c:1036 [inline] __do_sys_pwritev fs/read_write.c:1083 [inline] __se_sys_pwritev fs/read_write.c:1078 [inline] __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Similar to https://lore.kernel.org/linux-mtd/20250307163409.13491-2-a.sadovnikov@ispra… but touches two remaining places. fs/jffs2/erase.c | 4 +++- fs/jffs2/scan.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index ef3a1e1b6cb0..fda9f4d6093f 100644 --- a/fs/jffs2/erase.c +++ b/fs/jffs2/erase.c @@ -425,7 +425,9 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb .totlen = cpu_to_je32(c->cleanmarker_size) }; - jffs2_prealloc_raw_node_refs(c, jeb, 1); + ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); + if (ret) + goto filebad; marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4)); diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c index 29671e33a171..62879c218d4b 100644 --- a/fs/jffs2/scan.c +++ b/fs/jffs2/scan.c @@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_info *c) jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n", __func__, skip); - jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); + if (ret) + goto out; jffs2_scan_dirty_space(c, c->nextblock, skip); } #endif -- 2.49.0

1 month

2
1
0 0

[PATCH stable 5.4 v2 0/2] openvswitch port output fixes

by Florian Fainelli

This patch series contains some missing openvswitch port output fixes for the stable 5.4 kernel. Changes in v2: - use BUILD_BUG_ON_INVALID rather than DEBUG_NET_WARN_ON_ONCE which does not exist in Linux 5.4 Felix Huettner (1): net: openvswitch: fix race on port output Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier net/core/dev.c | 1 + net/openvswitch/actions.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.34.1

1 month

2
4
0 0

[PATCH 6.1 6.6 6.12 6.13] scripts/sorttable: fix ELF64 mcount_loc address parsing when compiling on 32-bit

by Sahil Gupta

The ftrace __mcount_loc buildtime sort does not work properly when the host is 32-bit and the target is 64-bit. sorttable parses the start and stop addresses by calling strtoul on the buffer holding the hexadecimal string. Since the target is 64-bit but unsigned long on 32-bit machines is 32 bits, strtoul, and by extension the start and stop addresses, can max out to 2^32 - 1. This patch adds a new macro, parse_addr, that corresponds to a strtoul or strtoull call based on whether you are operating on a 32-bit ELF or a 64-bit ELF. This way, the correct width is guaranteed whether or not the host is 32-bit. This should cleanly apply on all of the 6.x stable kernels. Manually verified that the __mcount_loc section is sorted by parsing the ELF and verified tests corresponding to CONFIG_FTRACE_SORT_STARTUP_TEST for kernels built on a 32-bit and a 64-bit host. Signed-off-by: Sahil Gupta <s.gupta(a)arista.com> --- scripts/sorttable.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/sorttable.h b/scripts/sorttable.h index 7bd0184380d3..9ed7acca9f30 100644 --- a/scripts/sorttable.h +++ b/scripts/sorttable.h @@ -40,6 +40,7 @@ #undef uint_t #undef _r #undef _w +#undef parse_addr #ifdef SORTTABLE_64 # define extable_ent_size 16 @@ -65,6 +66,7 @@ # define uint_t uint64_t # define _r r8 # define _w w8 +# define parse_addr(buf) strtoull(buf, NULL, 16) #else # define extable_ent_size 8 # define compare_extable compare_extable_32 @@ -89,6 +91,7 @@ # define uint_t uint32_t # define _r r # define _w w +# define parse_addr(buf) strtoul(buf, NULL, 16) #endif #if defined(SORTTABLE_64) && defined(UNWINDER_ORC_ENABLED) @@ -246,13 +249,13 @@ static void get_mcount_loc(uint_t *_start, uint_t *_stop) len = strlen(start_buff); start_buff[len - 1] = '\0'; } - *_start = strtoul(start_buff, NULL, 16); + *_start = parse_addr(start_buff); while (fgets(stop_buff, sizeof(stop_buff), file_stop) != NULL) { len = strlen(stop_buff); stop_buff[len - 1] = '\0'; } - *_stop = strtoul(stop_buff, NULL, 16); + *_stop = parse_addr(stop_buff); pclose(file_start); pclose(file_stop); -- 2.47.0

1 month

4
7
0 0

[PATCH stable 5.10 v2 0/2] openvswitch port output fixes

by Florian Fainelli

This patch series contains some missing openvswitch port output fixes for the stable 5.10 kernel. Changes in v2: - use BUILD_BUG_ON_INVALID rather than DEBUG_NET_WARN_ON_ONCE which does not exist in Linux 5.10 Felix Huettner (1): net: openvswitch: fix race on port output Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier net/core/dev.c | 1 + net/openvswitch/actions.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.34.1

1 month

2
4
0 0

[PATCH 5.4.y] virtio-net: Add validation for used length

by Larry Bassel

From: Xie Yongji <xieyongji(a)bytedance.com> commit ad993a95c508 ("virtio-net: Add validation for used length") This adds validation for used length (might come from an untrusted device) to avoid data corruption or loss. Signed-off-by: Xie Yongji <xieyongji(a)bytedance.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> (cherry picked from commit ad993a95c508417acdeb15244109e009e50d8758) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9ce6146ec7b50 virtio_net: Add XDP frame size in two code paths] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- drivers/net/virtio_net.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 182b67270044..215c546bf50a 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -717,6 +717,12 @@ static struct sk_buff *receive_small(struct net_device *dev, len -= vi->hdr_len; stats->bytes += len; + if (unlikely(len > GOOD_PACKET_LEN)) { + pr_debug("%s: rx error: len %u exceeds max size %d\n", + dev->name, len, GOOD_PACKET_LEN); + dev->stats.rx_length_errors++; + goto err_len; + } rcu_read_lock(); xdp_prog = rcu_dereference(rq->xdp_prog); if (xdp_prog) { @@ -819,6 +825,7 @@ static struct sk_buff *receive_small(struct net_device *dev, err_xdp: rcu_read_unlock(); stats->xdp_drops++; +err_len: stats->drops++; put_page(page); xdp_xmit: @@ -871,6 +878,13 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, head_skb = NULL; stats->bytes += len - vi->hdr_len; + truesize = mergeable_ctx_to_truesize(ctx); + if (unlikely(len > truesize)) { + pr_debug("%s: rx error: len %u exceeds truesize %lu\n", + dev->name, len, (unsigned long)ctx); + dev->stats.rx_length_errors++; + goto err_skb; + } rcu_read_lock(); xdp_prog = rcu_dereference(rq->xdp_prog); if (xdp_prog) { @@ -990,14 +1004,6 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, } rcu_read_unlock(); - truesize = mergeable_ctx_to_truesize(ctx); - if (unlikely(len > truesize)) { - pr_debug("%s: rx error: len %u exceeds truesize %lu\n", - dev->name, len, (unsigned long)ctx); - dev->stats.rx_length_errors++; - goto err_skb; - } - head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog, metasize); curr_skb = head_skb; -- 2.46.0

1 month

4
6
0 0

Exclusive Proposal

by Gen Johan Bruntink

Hello I am keen to exchange thoughts on financial opportunities with you. If it aligns with your preferences, I would appreciate your WhatsApp contact details for a more fluid dialogue. Should that not suit, please let me know a convenient time for us to correspond directly. Thank you for your kind consideration. I eagerly anticipate your reply. Warm regards, General Johanne

1 month

1
0
0 0

[PATCH] binder: fix offset calculation in debug log

by Carlos Llamas

The vma start address should be substracted from the buffer's user data address and not the other way around. Cc: Tiffany Y. Yang <ynaffit(a)google.com> Cc: stable(a)vger.kernel.org Fixes: 162c79731448 ("binder: avoid user addresses in debug logs") Signed-off-by: Carlos Llamas <cmllamas(a)google.com> --- drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 76052006bd87..5fc2c8ee61b1 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -6373,7 +6373,7 @@ static void print_binder_transaction_ilocked(struct seq_file *m, seq_printf(m, " node %d", buffer->target_node->debug_id); seq_printf(m, " size %zd:%zd offset %lx\n", buffer->data_size, buffer->offsets_size, - proc->alloc.vm_start - buffer->user_data); + buffer->user_data - proc->alloc.vm_start); } static void print_binder_work_ilocked(struct seq_file *m, -- 2.49.0.395.g12beb8f557-goog

1 month

2
1
0 0

[PATCH 6.12 000/116] 6.12.21-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.21 release. There are 116 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 27 Mar 2025 12:21:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.21-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.21-rc1 Arthur Mongodin <amongodin(a)randorisec.fr> mptcp: Fix data stream corruption in the address announcement Zi Yan <ziy(a)nvidia.com> mm/huge_memory: drop beyond-EOF folios with the right number of refs Justin Klaassen <justin(a)tidylabs.net> arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Eder Zulian <ezulian(a)redhat.com> libsubcmd: Silence compiler warning Dietmar Eggemann <dietmar.eggemann(a)arm.com> Revert "sched/core: Reduce cost of sched_move_task when config autogroup" Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Eagerly switch ZCR_EL{1,2} Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Mark some header functions as inline Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Refactor exit handlers Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove host FPSIMD saving for non-protected KVM Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Fuad Tabba <tabba(a)google.com> KVM: arm64: Calculate cptr_el2 traps on activating traps Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix sendzc double notif flush Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix incorrect validation for num_aces field of smb_acl Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix user queue validation on Gfx7/8 David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix JPEG video caps max size for navi1x and raven David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size David Rosca <david.rosca(a)amd.com> drm/amdgpu: Remove JPEG from vega and carrizo video caps Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/pm: wire up hwmon fan speed for smu 14.0.2 Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> drm/amdgpu/pm: Handle SCLK offset correctly in overdrive for smu 14.0.2 David Belanger <david.belanger(a)amd.com> drm/amdgpu: Restore uncached behaviour on GFX12 Harish Kasiviswanathan <Harish.Kasiviswanathan(a)amd.com> drm/amd/pm: add unique_id for gfx12 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Yilin Chen <Yilin.Chen(a)amd.com> drm/amd/display: Fix message for support_edp0_on_dp1 Wentao Liang <vulab(a)iscas.ac.cn> drm/amdgpu/gfx12: correct cleanup of 'me' field with gfx_v12_0_me_fini() qianyi liu <liuqianyi125(a)gmail.com> drm/sched: Fix fence reference count leak Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Xianwei Zhao <xianwei.zhao(a)amlogic.com> pmdomain: amlogic: fix T7 ISP secpower Saranya R <quic_sarar(a)quicinc.com> soc: qcom: pdr: Fix the potential deadlock Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore own maximum aggregation size during RX Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> xsk: fix an integer overflow in xp_create_and_assign_umem() David Howells <dhowells(a)redhat.com> keys: Fix UAF in key_put() Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Avoid physical address 0x0 when doing random allocation Johan Hovold <johan+linaro(a)kernel.org> firmware: qcom: uefisecapp: fix efivars registration race Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: shmobile: smp: Enforce shmobile_smp_* alignment Stefan Eichenberger <stefan.eichenberger(a)toradex.com> ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Ye Bin <yebin10(a)huawei.com> proc: fix UAF in proc_get_inode() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm/page_alloc: fix memory accept before watermarks gets initialized Zi Yan <ziy(a)nvidia.com> mm/migrate: fix shmem xarray update during migration Raphael S. Carvalho <raphaelsc(a)scylladb.com> mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT Rafael Aquini <raquini(a)redhat.com> selftests/mm: run_vmtests.sh: fix half_ufd_size_MB calculation Gu Bowen <gubowen5(a)huawei.com> mmc: atmel-mci: Add missing clk_disable_unprepare() Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card Dan Carpenter <dan.carpenter(a)linaro.org> accel/qaic: Fix integer overflow in qaic_validate_req() Christian Eggers <ceggers(a)arri.de> regulator: check that dummy regulator has been probed before using it Christian Eggers <ceggers(a)arri.de> regulator: dummy: force synchronous probing Max Kellermann <max.kellermann(a)ionos.com> netfs: Call `invalidate_cache` only if implemented E Shattow <e(a)freeshell.de> riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions Jens Axboe <axboe(a)kernel.dk> io_uring/net: don't clear REQ_F_NEED_CLEANUP unconditionally Maíra Canal <mcanal(a)igalia.com> drm/v3d: Don't run jobs that have errors flagged in its fence Tomasz Rusinowicz <tomasz.rusinowicz(a)intel.com> drm/xe: Fix exporting xe buffers multiple times Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: disable transceiver during system PM Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: only change CAN state when link up in system PM Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> can: ucan: fix out of bound read in strscpy() source Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix page entries in the AFL list Biju Das <biju.das.jz(a)bp.renesas.com> dt-bindings: can: renesas,rcar-canfd: Fix typo in pattern properties for R-Car V4M Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Support holes in device list reply msg Andreas Kemnade <andreas(a)kemnade.info> i2c: omap: fix IRQ storms Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: tprobe-events: Fix leakage of module refcount Guillaume Nault <gnault(a)redhat.com> Revert "gre: Fix IPv6 link-local address generation." Lin Ma <linma(a)zju.edu.cn> net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Yongjian Sun <sunyongjian1(a)huawei.com> libfs: Fix duplicate directory entry in offset_dir_lookup Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: ioam6: fix lwtunnel_output() loop Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: fix recursion loops MD Danish Anwar <danishanwar(a)ti.com> net: ti: icssg-prueth: Add lock to stats Dan Carpenter <dan.carpenter(a)linaro.org> net: atm: fix use after free in lec_send() Jason Gunthorpe <jgg(a)ziepe.ca> gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> phy: fix xa_alloc_cyclic() error handling Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> dpll: fix xa_alloc_cyclic() error handling Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> devlink: fix xa_alloc_cyclic() error handling Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix TCP GSO segmentation with NAT Vignesh Raghavendra <vigneshr(a)ti.com> net: ethernet: ti: am65-cpsw: Fix NAPI registration sequence Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Add ATA_QUIRK_NO_LPM_ON_ATI for certain Samsung SSDs Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: tprobe-events: Fix to clean up tprobe correctly when module unload David Lechner <dlechner(a)baylibre.com> ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX Jeffrey Hugo <quic_jhugo(a)quicinc.com> accel/qaic: Fix possible data corruption in BOs > 2G Arkadiusz Bokowy <arkadiusz.bokowy(a)gmail.com> Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: Fix error code in chan_alloc_skb_cb() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong value of max_sge_rd Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix missing xa_destroy() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix invalid sq params not being blocked Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix soft lockup during bt pages loop Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Baochen Qiang <quic_bqiang(a)quicinc.com> dma-mapping: fix missing clear bdr in check_ram_in_range_map() Chester A. Unal <chester.a.unal(a)arinc9.com> ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC3200 Chester A. Unal <chester.a.unal(a)arinc9.com> ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC5300 Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: Don't mark timer regs unconfigured Arnd Bergmann <arnd(a)arndb.de> ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Qasim Ijaz <qasdev00(a)gmail.com> RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests Yao Zi <ziyao(a)disroot.org> arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1 Phil Elwell <phil(a)raspberrypi.com> arm64: dts: bcm2712: PL011 UARTs are actually r1p5 Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Stefan Wahren <wahrenst(a)gmx.net> ARM: dts: bcm2711: Fix xHCI power-domain Peng Fan <peng.fan(a)nxp.com> soc: imx8m: Unregister cpufreq and soc dev in cleanup path Marek Vasut <marex(a)denx.de> soc: imx8m: Use devm_* to simplify probe failure handling Marek Vasut <marex(a)denx.de> soc: imx8m: Remove global soc_uid Cosmin Ratiu <cratiu(a)nvidia.com> xfrm_output: Force software GSO only in tunnel mode Alexandre Cassen <acassen(a)corp.free.fr> xfrm: fix tunnel mode TX datapath in packet offload mode Heiko Stuebner <heiko.stuebner(a)cherry.de> arm64: dts: rockchip: remove supports-cqe from rk3588 tiger Heiko Stuebner <heiko.stuebner(a)cherry.de> arm64: dts: rockchip: remove supports-cqe from rk3588 jaguar Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> firmware: imx-scu: fix OF node leak in .probe() Dan Carpenter <dan.carpenter(a)linaro.org> firmware: qcom: scm: Fix error code in probe() ------------- Diffstat: .../bindings/net/can/renesas,rcar-canfd.yaml | 2 +- Makefile | 4 +- arch/arm/boot/dts/broadcom/bcm2711-rpi.dtsi | 5 - arch/arm/boot/dts/broadcom/bcm2711.dtsi | 12 +- .../boot/dts/broadcom/bcm4709-asus-rt-ac3200.dts | 12 +- .../boot/dts/broadcom/bcm47094-asus-rt-ac5300.dts | 8 +- arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 +- arch/arm/mach-davinci/Kconfig | 1 + arch/arm/mach-omap1/Kconfig | 1 + arch/arm/mach-shmobile/headsmp.S | 1 + arch/arm64/boot/dts/broadcom/bcm2712.dtsi | 2 +- .../boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 +-- .../boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 +- .../boot/dts/rockchip/px30-ringneck-haikou.dts | 12 ++ arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 + arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 - arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts | 1 - arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 1 - arch/arm64/include/asm/kvm_host.h | 23 +--- arch/arm64/kernel/fpsimd.c | 25 ---- arch/arm64/kvm/arm.c | 9 -- arch/arm64/kvm/fpsimd.c | 100 ++------------ arch/arm64/kvm/hyp/entry.S | 5 + arch/arm64/kvm/hyp/include/hyp/switch.h | 133 +++++++++++++----- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 11 +- arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 ---- arch/arm64/kvm/hyp/nvhe/switch.c | 140 ++++++++++--------- arch/arm64/kvm/hyp/vhe/switch.c | 21 ++- arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 +- drivers/accel/qaic/qaic_data.c | 9 +- drivers/ata/libata-core.c | 14 +- drivers/dpll/dpll_core.c | 2 +- drivers/firmware/efi/libstub/randomalloc.c | 4 + drivers/firmware/imx/imx-scu.c | 1 + drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 18 +-- drivers/firmware/qcom/qcom_scm.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 22 +-- drivers/gpu/drm/amd/amdgpu/nv.c | 20 +-- drivers/gpu/drm/amd/amdgpu/soc15.c | 21 ++- drivers/gpu/drm/amd/amdgpu/vi.c | 43 +++--- drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 8 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 11 ++ drivers/gpu/drm/amd/pm/amdgpu_pm.c | 2 + .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 96 +++++++------ drivers/gpu/drm/radeon/radeon_vce.c | 2 +- drivers/gpu/drm/scheduler/sched_entity.c | 11 +- drivers/gpu/drm/v3d/v3d_sched.c | 9 +- drivers/gpu/drm/xe/xe_bo.h | 2 - drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- drivers/gpu/host1x/dev.c | 6 + drivers/i2c/busses/i2c-omap.c | 26 +--- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +- drivers/infiniband/hw/hns/hns_roce_alloc.c | 4 +- drivers/infiniband/hw/hns/hns_roce_cq.c | 1 + drivers/infiniband/hw/hns/hns_roce_hem.c | 16 ++- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 20 +-- drivers/infiniband/hw/mlx5/ah.c | 14 +- drivers/infiniband/sw/rxe/rxe.c | 25 +--- drivers/mmc/host/atmel-mci.c | 4 +- drivers/mmc/host/sdhci-brcmstb.c | 10 ++ drivers/net/can/flexcan/flexcan-core.c | 18 ++- drivers/net/can/rcar/rcar_canfd.c | 28 ++-- drivers/net/can/usb/ucan.c | 43 +++--- drivers/net/ethernet/microsoft/mana/gdma_main.c | 14 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 32 +++-- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 1 + drivers/net/ethernet/ti/icssg/icssg_prueth.h | 2 + drivers/net/ethernet/ti/icssg/icssg_stats.c | 4 + drivers/net/phy/phy_link_topology.c | 2 +- drivers/pmdomain/amlogic/meson-secure-pwrc.c | 2 +- drivers/regulator/core.c | 12 +- drivers/regulator/dummy.c | 2 +- drivers/soc/imx/soc-imx8m.c | 151 ++++++++++----------- drivers/soc/qcom/pdr_interface.c | 8 +- fs/libfs.c | 2 +- fs/netfs/write_collect.c | 3 +- fs/proc/generic.c | 10 +- fs/proc/inode.c | 6 +- fs/proc/internal.h | 14 ++ fs/smb/server/smbacl.c | 5 +- include/linux/key.h | 1 + include/linux/libata.h | 2 + include/linux/proc_fs.h | 7 +- include/net/bluetooth/hci.h | 2 +- include/net/mana/gdma.h | 11 +- io_uring/net.c | 5 +- kernel/dma/direct.c | 28 ++-- kernel/sched/core.c | 21 +-- kernel/trace/trace_fprobe.c | 30 ++-- mm/filemap.c | 13 +- mm/huge_memory.c | 2 +- mm/memcontrol.c | 9 ++ mm/migrate.c | 10 +- mm/page_alloc.c | 14 +- net/atm/lec.c | 3 +- net/batman-adv/bat_iv_ogm.c | 3 +- net/batman-adv/bat_v_ogm.c | 3 +- net/bluetooth/6lowpan.c | 7 +- net/core/lwtunnel.c | 65 +++++++-- net/core/neighbour.c | 1 + net/devlink/core.c | 2 +- net/ipv6/addrconf.c | 15 +- net/ipv6/ioam6_iptunnel.c | 8 +- net/ipv6/route.c | 5 +- net/ipv6/tcpv6_offload.c | 21 ++- net/mptcp/options.c | 6 +- net/xdp/xsk_buff_pool.c | 2 +- net/xfrm/xfrm_output.c | 43 +++++- security/keys/gc.c | 4 +- security/keys/key.c | 2 + tools/lib/subcmd/parse-options.c | 2 +- tools/testing/selftests/mm/run_vmtests.sh | 4 +- 119 files changed, 944 insertions(+), 819 deletions(-)

1 month

5
120
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) expanded from macro '__pcpu_size_call_return' in arch/x86/events/a...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- expanded from macro '__pcpu_size_call_return' in arch/x86/events/amd/core.o (arch/x86/events/amd/core.c) [logspec:kbuild,kbuild.compiler.note] --- - dashboard: https://d.kernelci.org/i/maestro:bcd59a7f893e94db607d602a4745b60a688799ff - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 135d26f7f8b786c6469b8a12bd7f77eb5d96584b Log excerpt: ===================================================== ./include/linux/percpu-defs.h:323:23In file included from arch/x86/events/amd/core.c:12: note: expanded from macro '__pcpu_size_call_return' 323 | case 4: pscr_ret__ = stem##4(variable); break; \ | ^ <scratch space>:87:1: note: expanded from here 87 | raw_cpu_read_4 | ^ ./arch/x86/include/asm/percpu.h:396:30: note: expanded from macro 'raw_cpu_read_4' 396 | #define raw_cpu_read_4(pcp) percpu_from_op(, "mov", pcp) | ^ ./arch/x86/include/asm/percpu.h:189:15: note: expanded from macro 'percpu_from_op' 189 | : "=q" (pfo: _rarch/x86/events/amd/../perf_event.he:t838_:_21): error: invalid output size for constraint '=q'\ | ^ ./include/linux/percpu-defs.h:446:2: note: expanded from macro '__this_cpu_read' 446 | raw_cpu_read(pcp); \ | ^ ./include/linux/percpu-defs.h:420:28: note: expanded from macro 'raw_cpu_read' 420 | #define raw_cpu_read(pcp) __pcpu_size_call_return(raw_cpu_read_, pcp) | ^ ./include/linux/percpu-defs.h:322:23: note: expanded from macro '__pcpu_size_call_return' 322 | case 2: pscr_ret__ = stem##2(variable); break; \ | ^ <scratch space>:46:1: note: expanded from here 46 | raw_cpu_read_2 | ^ ./arch/x86/include/asm/percpu.h:395:30: note: expanded from macro 'raw_cpu_read_2' 395 | #define raw_cpu_read_2(pcp) percpu_from_op(, "mov", pcp) | ^ ./arch/x86/include/asm/percpu.h:189:15: note: expanded from macro 'percpu_from_op' 189 | : "=q" (pfo_ret__) \ | ^ In file included from arch/x86/events/amd/core.c:12: arch/x86/events/amd/../perf_event.h:838:21: error: invalid output size for constraint '=q' ./include/linux/percpu-defs.h:446:2: note: expanded from macro '__this_cpu_read' 446 | raw_cpu_read(pcp); \ | ^ ./include/linux/percpu-defs.h:420:28: note: expanded from macro 'raw_cpu_read' 420 | #define raw_cpu_read(pcp) __pcpu_size_call_return(raw_cpu_read_, pcp) | ^ ./include/linux/percpu-defs.h:323:23: note: expanded from macro '__pcpu_size_call_return' 323 | case 4: pscr_ret__ = stem##4(variable); break; \ | ^ <scratch space>:55:1: note: expanded from here 55 | raw_cpu_read_4 | ^ ./arch/x86/include/asm/percpu.h:396:30: note: expanded from macro 'raw_cpu_read_4' 396 | #define raw_cpu_read_4(pcp) percpu_from_op(, "mov", pcp) | ^ ./arch/x86/include/asm/percpu.h:189:15: note: expanded from macro 'percpu_from_op' 189 | : "=q" (pfo_ret__) \ | ^ In file included from arch/x86/events/amd/core.c:12: arch/x86/events/amd/../perf_event.h:855:21: error: invalid output size for constraint '=q' 855 | u64 disable_mask = __this_cpu_read(cpu_hw_events.perf_ctr_virt_mask); | ^ ./include/linux/percpu-defs.h:446:2: note: expanded from macro '__this_cpu_read' 446 | raw_cpu_rea HDRTEST usr/include/sound/asound.h d(pcp); \ | ^ ./include/linux/percpu-defs.h:420:28: note: expanded from macro 'raw_cpu_read' 420 | #define raw_cpu_read(pcp) __pcpu_size_call_return(raw_cpu_read_, pcp) | ^ ./include/linux/percpu-defs.h:321:23: note: expanded from macro '__pcpu_size_call_return' 321 | case 1: pscr_ret__ = stem##1(variable); break; \ | ^ <scratch space>:67:1: note: expanded from here 67 | raw_cpu_read_1 | ^ ./arch/x86/include/asm/percpu.h:394:30: note: expanded from macro 'raw_cpu_read_1' 394 | #define raw_cpu_read_1(pcp) percpu_from_op(, "mov", pcp) | ^ ./arch/x86/include/asm/percpu.h:189:15: note: expanded from macro 'percpu_from_op' 189 | : "=q" (pfo_ret__) \ | ^ In file included from arch/x86/events/amd/core.c:12: arch/x86/events/amd/../perf_event.h:855:21: error: invalid output size for constraint '=q' ./include/linux/percpu-defs.h:446:2: note: expanded from macro '__this_cpu_read' 446 | raw_cpu_read(pcp); \ | ^ ./include/linux/percpu-defs.h:420:28: note: expanded from macro 'raw_cpu_read' 420 | #define raw_cpu_read(pcp) __pcpu_size_call_return(raw_cpu_read_, pcp) | ^ ./include/linux/percpu-defs.h:322:23: note: expanded from macro '__pcpu_size_call_return' 322 | case 2: pscr_ret__ = stem##2(variable); break; \ | ^ <scratch space>:76:1: note: expanded from here 76 | raw_cpu_read_2 | ^ ./arch/x86/include/asm/percpu.h:395:30: note: expanded from macro 'raw_cpu_read_2' 395 | #define raw_cpu_read_2(pcp) percpu_from_op(, "mov", pcp) | ^ ./arch/x86/include/asm/percpu.h:189:15: note: expanded from macro 'percpu_from_op' 189 | : "=q" (pfo_ret__) \ | ^ In file included from arch/x86/events/amd/core.c:12: arch/x86/events/amd/../perf_event.h:855:21: error: invalid output size for constraint '=q' ./include/linux/percpu-defs.h:446:2: note: expanded from macro '__this_cpu_read' 446 | raw_cpu_read(pcp); \ | ^ ./include/linux/percpu-defs.h:420:28: note: expanded from macro 'raw_cpu_read' 420 | #define raw_cpu_read(pcp) __pcpu_size_call_return(raw_cpu_read_, pcp) | ^ ./include/linux/percpu-defs.h:323:23: note: expanded from macro '__pcpu_size_call_return' 323 | case 4: pscr_ret__ = stem##4(variable); break; \ | ^ <scratch space>:85:1: note: expanded from here 85 | raw_cpu_read_4 | ^ ./arch/x86/include/asm/percpu.h:396:30: note: expanded from macro 'raw_cpu_read_4' 396 | #define raw_cpu_read_4(pcp) percpu_from_op(, "mov", pcp) | ^ ./arch/x86/include/asm/percpu.h:189:15: note: expanded from macro 'percpu_from_op' 189 | : "=q" (pfo_ret__) \ | ^ AS arch/x86/realmode/rm/header.o 6 errors generated. ===================================================== # Builds where the incident occurred: ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:67e2a3df67593f2aa03189b7 #kernelci issue maestro:bcd59a7f893e94db607d602a4745b60a688799ff Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month

1
0
0 0

[PATCH AUTOSEL 5.4 1/2] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index bc06016a4fe90..d2fd12da30c60 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx_ni(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -647,8 +647,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -669,8 +669,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index a5fc63c78370e..ea442ddd4fd9d 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -123,6 +123,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -132,35 +139,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -173,9 +178,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -217,9 +222,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
1
0 0

[PATCH AUTOSEL 5.10 1/2] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index de47c16b134bf..3e77a52709aaa 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx_ni(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -649,8 +649,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -671,8 +671,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index b15760b5c1cce..2be4a239f31e4 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -122,6 +122,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -131,35 +138,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -172,9 +177,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -216,9 +221,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
1
0 0

[PATCH AUTOSEL 5.15 1/2] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index 4e728b3da40b3..edf01b73d2878 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx_ni(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -649,8 +649,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -671,8 +671,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index b3099f0a3cb82..0533a3c4ff0e1 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
1
0 0

[PATCH AUTOSEL 6.1 1/3] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index 7d8543e877b44..bbd8e959137d9 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -287,8 +287,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -648,8 +648,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -670,8 +670,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index bbce97825f13f..25fdf060e30d0 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
2
0 0

[PATCH AUTOSEL 6.6 1/3] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index c469fc187f0c7..cdad0be43e8ff 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -287,8 +287,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -647,8 +647,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -669,8 +669,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index bbce97825f13f..25fdf060e30d0 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
2
0 0

[PATCH AUTOSEL 6.12 1/5] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index 01f3fbb3b67dc..65230e81fa08c 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -287,8 +287,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -647,8 +647,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -669,8 +669,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index bbce97825f13f..25fdf060e30d0 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
4
0 0

[PATCH AUTOSEL 6.13 1/7] can: statistics: use atomic access in hot path

by Sasha Levin

From: Oliver Hartkopp <socketcan(a)hartkopp.net> [ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] In can_send() and can_receive() CAN messages and CAN filter matches are counted to be visible in the CAN procfs files. KCSAN detected a data race within can_send() when two CAN frames have been generated by a timer event writing to the same CAN netdevice at the same time. Use atomic operations to access the statistics in the hot path to fix the KCSAN complaint. Reported-by: syzbot+78ce4489b812515d5e4d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com Signed-off-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/can/af_can.c | 12 ++++++------ net/can/af_can.h | 12 ++++++------ net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index 01f3fbb3b67dc..65230e81fa08c 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -287,8 +287,8 @@ int can_send(struct sk_buff *skb, int loop) netif_rx(newskb); /* update statistics */ - pkg_stats->tx_frames++; - pkg_stats->tx_frames_delta++; + atomic_long_inc(&pkg_stats->tx_frames); + atomic_long_inc(&pkg_stats->tx_frames_delta); return 0; @@ -647,8 +647,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) int matches; /* update statistics */ - pkg_stats->rx_frames++; - pkg_stats->rx_frames_delta++; + atomic_long_inc(&pkg_stats->rx_frames); + atomic_long_inc(&pkg_stats->rx_frames_delta); /* create non-zero unique skb identifier together with *skb */ while (!(can_skb_prv(skb)->skbcnt)) @@ -669,8 +669,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) consume_skb(skb); if (matches > 0) { - pkg_stats->matches++; - pkg_stats->matches_delta++; + atomic_long_inc(&pkg_stats->matches); + atomic_long_inc(&pkg_stats->matches_delta); } } diff --git a/net/can/af_can.h b/net/can/af_can.h index 7c2d9161e2245..22f3352c77fec 100644 --- a/net/can/af_can.h +++ b/net/can/af_can.h @@ -66,9 +66,9 @@ struct receiver { struct can_pkg_stats { unsigned long jiffies_init; - unsigned long rx_frames; - unsigned long tx_frames; - unsigned long matches; + atomic_long_t rx_frames; + atomic_long_t tx_frames; + atomic_long_t matches; unsigned long total_rx_rate; unsigned long total_tx_rate; @@ -82,9 +82,9 @@ struct can_pkg_stats { unsigned long max_tx_rate; unsigned long max_rx_match_ratio; - unsigned long rx_frames_delta; - unsigned long tx_frames_delta; - unsigned long matches_delta; + atomic_long_t rx_frames_delta; + atomic_long_t tx_frames_delta; + atomic_long_t matches_delta; }; /* persistent statistics */ diff --git a/net/can/proc.c b/net/can/proc.c index bbce97825f13f..25fdf060e30d0 100644 --- a/net/can/proc.c +++ b/net/can/proc.c @@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) struct can_pkg_stats *pkg_stats = net->can.pkg_stats; unsigned long j = jiffies; /* snapshot */ + long rx_frames = atomic_long_read(&pkg_stats->rx_frames); + long tx_frames = atomic_long_read(&pkg_stats->tx_frames); + long matches = atomic_long_read(&pkg_stats->matches); + long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); + long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); + long matches_delta = atomic_long_read(&pkg_stats->matches_delta); + /* restart counting in timer context on user request */ if (user_reset) can_init_stats(net); @@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) + if (rx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* prevent overflow in calc_rate() */ - if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) + if (tx_frames > (LONG_MAX / HZ)) can_init_stats(net); /* matches overflow - very improbable */ - if (pkg_stats->matches > (ULONG_MAX / 100)) + if (matches > (LONG_MAX / 100)) can_init_stats(net); /* calc total values */ - if (pkg_stats->rx_frames) - pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / - pkg_stats->rx_frames; + if (rx_frames) + pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->tx_frames); + tx_frames); pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, - pkg_stats->rx_frames); + rx_frames); /* calc current values */ - if (pkg_stats->rx_frames_delta) + if (rx_frames_delta) pkg_stats->current_rx_match_ratio = - (pkg_stats->matches_delta * 100) / - pkg_stats->rx_frames_delta; + (matches_delta * 100) / rx_frames_delta; - pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); - pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); + pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); + pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); /* check / update maximum values */ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) @@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; /* clear values for 'current rate' calculation */ - pkg_stats->tx_frames_delta = 0; - pkg_stats->rx_frames_delta = 0; - pkg_stats->matches_delta = 0; + atomic_long_set(&pkg_stats->tx_frames_delta, 0); + atomic_long_set(&pkg_stats->rx_frames_delta, 0); + atomic_long_set(&pkg_stats->matches_delta, 0); /* restart timer (one second) */ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); @@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; seq_putc(m, '\n'); - seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); - seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); - seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); + seq_printf(m, " %8ld transmitted frames (TXF)\n", + atomic_long_read(&pkg_stats->tx_frames)); + seq_printf(m, " %8ld received frames (RXF)\n", + atomic_long_read(&pkg_stats->rx_frames)); + seq_printf(m, " %8ld matched frames (RXMF)\n", + atomic_long_read(&pkg_stats->matches)); seq_putc(m, '\n'); -- 2.39.5

1 month

1
6
0 0

RE: Manufacturers and Engineers Accurate Contacts

by Debbie McCoy

Hello, I hope you are having a great day! I am writing this email to follow up on my previous email. I haven't received a response from you yet and I just wanted to make sure that you have received my email. When you have a moment, could you please let me know if you have received it or not? Please acknowledge the receipt of this email. Regards, Debbie ________________________________________________________________________________________ *Subject:* Manufacturers and Engineers Accurate Contacts Hello, Outdated or inaccurate contact data wastes valuable time. We provide highly accurate, *verified contact lists of Engineers, Manufacturers and Purchasing Managers Contacts*, ensuring you connect with the right people. Would you like to see a sample? If so, please let me know your *target geography* I’ll be happy to share details. Just a note that we can customize the lists to meet any specific requirements based on your criteria. Wishing you a wonderful day! Debbie McCoy Manager, Demand Generation If you ever feel like opting out, simply reply with "remove me" in the subject line

1 month

1
0
0 0

[PATCH 1/4] drm/cirrus-qemu: Fix pitch programming

by Thomas Zimmermann

Do not set CR1B[6] when programming the pitch. The bit effects VGA text mode and is not interpreted by qemu. [1] It has no affect on the scanline pitch. The scanline bit that is set into CR1B[6] belongs into CR13[7], which the driver sets up correctly. This bug goes back to the driver's initial commit. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://gitlab.com/qemu-project/qemu/-/blob/stable-9.2/hw/display/cirrus_vg… # 1 Fixes: f9aa76a85248 ("drm/kms: driver for virtual cirrus under qemu") Cc: Adam Jackson <ajax(a)redhat.com> Cc: Dave Airlie <airlied(a)redhat.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: <stable(a)vger.kernel.org> # v3.5+ --- drivers/gpu/drm/tiny/cirrus-qemu.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/gpu/drm/tiny/cirrus-qemu.c b/drivers/gpu/drm/tiny/cirrus-qemu.c index 52ec1e4ea9e5..a00d3b7ded6c 100644 --- a/drivers/gpu/drm/tiny/cirrus-qemu.c +++ b/drivers/gpu/drm/tiny/cirrus-qemu.c @@ -318,7 +318,6 @@ static void cirrus_pitch_set(struct cirrus_device *cirrus, unsigned int pitch) /* Enable extended blanking and pitch bits, and enable full memory */ cr1b = 0x22; cr1b |= (pitch >> 7) & 0x10; - cr1b |= (pitch >> 6) & 0x40; wreg_crt(cirrus, 0x1b, cr1b); cirrus_set_start_address(cirrus, 0); -- 2.48.1

1 month

1
0
0 0

[PATCH iwl-net] igc: Fix XSK queue NAPI ID mapping

by Joe Damato

In commit b65969856d4f ("igc: Link queues to NAPI instances"), the XSK queues were incorrectly unmapped from their NAPI instances. After discussion on the mailing list and the introduction of a test to codify the expected behavior, we can see that the unmapping causes the check_xsk test to fail: NETIF=enp86s0 ./tools/testing/selftests/drivers/net/queues.py [...] # Check| ksft_eq(q.get('xsk', None), {}, # Check failed None != {} xsk attr on queue we configured not ok 4 queues.check_xsk After this commit, the test passes: ok 4 queues.check_xsk Note that the test itself is only in net-next, so I tested this change by applying it to my local net-next tree, booting, and running the test. Cc: stable(a)vger.kernel.org Fixes: b65969856d4f ("igc: Link queues to NAPI instances") Signed-off-by: Joe Damato <jdamato(a)fastly.com> --- drivers/net/ethernet/intel/igc/igc_xdp.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/net/ethernet/intel/igc/igc_xdp.c b/drivers/net/ethernet/intel/igc/igc_xdp.c index 13bbd3346e01..869815f48ac1 100644 --- a/drivers/net/ethernet/intel/igc/igc_xdp.c +++ b/drivers/net/ethernet/intel/igc/igc_xdp.c @@ -86,7 +86,6 @@ static int igc_xdp_enable_pool(struct igc_adapter *adapter, napi_disable(napi); } - igc_set_queue_napi(adapter, queue_id, NULL); set_bit(IGC_RING_FLAG_AF_XDP_ZC, &rx_ring->flags); set_bit(IGC_RING_FLAG_AF_XDP_ZC, &tx_ring->flags); @@ -136,7 +135,6 @@ static int igc_xdp_disable_pool(struct igc_adapter *adapter, u16 queue_id) xsk_pool_dma_unmap(pool, IGC_RX_DMA_ATTR); clear_bit(IGC_RING_FLAG_AF_XDP_ZC, &rx_ring->flags); clear_bit(IGC_RING_FLAG_AF_XDP_ZC, &tx_ring->flags); - igc_set_queue_napi(adapter, queue_id, napi); if (needs_reset) { napi_enable(napi); base-commit: 3c9231ea6497dfc50ac0ef69fff484da27d0df66 -- 2.34.1

1 month

5
6
0 0

[PATCH net] net: mana: Switch to page pool for jumbo frames

by Haiyang Zhang

Since commit 8218f62c9c9b ("mm: page_frag: use initial zero offset for page_frag_alloc_align()"), the netdev_alloc_frag() no longer works for fragsz > PAGE_SIZE. And, this behavior is by design. So, switch to page pool for jumbo frames instead of using page frag allocators. This driver is using page pool for smaller MTUs already. Cc: stable(a)vger.kernel.org Fixes: 80f6215b450e ("net: mana: Add support for jumbo frame") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- drivers/net/ethernet/microsoft/mana/mana_en.c | 46 ++++--------------- 1 file changed, 9 insertions(+), 37 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c index 9a8171f099b6..4d41f4cca3d8 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -661,30 +661,16 @@ int mana_pre_alloc_rxbufs(struct mana_port_context *mpc, int new_mtu, int num_qu mpc->rxbpre_total = 0; for (i = 0; i < num_rxb; i++) { - if (mpc->rxbpre_alloc_size > PAGE_SIZE) { - va = netdev_alloc_frag(mpc->rxbpre_alloc_size); - if (!va) - goto error; - - page = virt_to_head_page(va); - /* Check if the frag falls back to single page */ - if (compound_order(page) < - get_order(mpc->rxbpre_alloc_size)) { - put_page(page); - goto error; - } - } else { - page = dev_alloc_page(); - if (!page) - goto error; + page = dev_alloc_pages(get_order(mpc->rxbpre_alloc_size)); + if (!page) + goto error; - va = page_to_virt(page); - } + va = page_to_virt(page); da = dma_map_single(dev, va + mpc->rxbpre_headroom, mpc->rxbpre_datasize, DMA_FROM_DEVICE); if (dma_mapping_error(dev, da)) { - put_page(virt_to_head_page(va)); + put_page(page); goto error; } @@ -1672,7 +1658,7 @@ static void mana_rx_skb(void *buf_va, bool from_pool, } static void *mana_get_rxfrag(struct mana_rxq *rxq, struct device *dev, - dma_addr_t *da, bool *from_pool, bool is_napi) + dma_addr_t *da, bool *from_pool) { struct page *page; void *va; @@ -1683,21 +1669,6 @@ static void *mana_get_rxfrag(struct mana_rxq *rxq, struct device *dev, if (rxq->xdp_save_va) { va = rxq->xdp_save_va; rxq->xdp_save_va = NULL; - } else if (rxq->alloc_size > PAGE_SIZE) { - if (is_napi) - va = napi_alloc_frag(rxq->alloc_size); - else - va = netdev_alloc_frag(rxq->alloc_size); - - if (!va) - return NULL; - - page = virt_to_head_page(va); - /* Check if the frag falls back to single page */ - if (compound_order(page) < get_order(rxq->alloc_size)) { - put_page(page); - return NULL; - } } else { page = page_pool_dev_alloc_pages(rxq->page_pool); if (!page) @@ -1730,7 +1701,7 @@ static void mana_refill_rx_oob(struct device *dev, struct mana_rxq *rxq, dma_addr_t da; void *va; - va = mana_get_rxfrag(rxq, dev, &da, &from_pool, true); + va = mana_get_rxfrag(rxq, dev, &da, &from_pool); if (!va) return; @@ -2172,7 +2143,7 @@ static int mana_fill_rx_oob(struct mana_recv_buf_oob *rx_oob, u32 mem_key, if (mpc->rxbufs_pre) va = mana_get_rxbuf_pre(rxq, &da); else - va = mana_get_rxfrag(rxq, dev, &da, &from_pool, false); + va = mana_get_rxfrag(rxq, dev, &da, &from_pool); if (!va) return -ENOMEM; @@ -2258,6 +2229,7 @@ static int mana_create_page_pool(struct mana_rxq *rxq, struct gdma_context *gc) pprm.nid = gc->numa_node; pprm.napi = &rxq->rx_cq.napi; pprm.netdev = rxq->ndev; + pprm.order = get_order(rxq->alloc_size); rxq->page_pool = page_pool_create(&pprm); -- 2.34.1

1 month

2
2
0 0

[PATCH 0/2] string.c: Add wcslen()

by Nathan Chancellor

Hi all, A recent LLVM change [1] introduces a call to wcslen() in fs/smb/client/smb2pdu.c through UniStrcat() via alloc_path_with_tree_prefix(). Similar to the bcmp() and stpcpy() additions that happened in 5f074f3e192f and 1e1b6d63d634, add wcslen() to fix the linkage failure. The second change is RFC because it makes the first change a little more convoluted for the sake of making it externally available, which may or may not be desirable. See the commit message for more details. [1]: https://github.com/llvm/llvm-project/commit/9694844d7e36fd5e01011ab56b64f27… --- Nathan Chancellor (2): lib/string.c: Add wcslen() [RFC] wcslen() prototype in string.h drivers/firmware/efi/libstub/printk.c | 4 ++-- include/linux/string.h | 2 ++ lib/string.c | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) --- base-commit: 78ab93c78fb31c5dfe207318aa2b7bd4e41f8dba change-id: 20250324-string-add-wcslen-for-llvm-opt-705791db92c0 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 month

1
1
0 0

[PATCH v2 1/5] ovl: don't allow datadir only

by Miklos Szeredi

In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops. Fix by disallowing datadir without lowerdir. Reported-by: Giuseppe Scrivano <gscrivan(a)redhat.com> Fixes: 24e16e385f22 ("ovl: add support for appending lowerdirs one by one") Cc: <stable(a)vger.kernel.org> # v6.7 Reviewed-by: Amir Goldstein <amir73il(a)gmail.com> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> --- fs/overlayfs/super.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index 86ae6f6da36b..b11094acdd8f 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -1137,6 +1137,11 @@ static struct ovl_entry *ovl_get_lowerstack(struct super_block *sb, return ERR_PTR(-EINVAL); } + if (ctx->nr == ctx->nr_data) { + pr_err("at least one non-data lowerdir is required\n"); + return ERR_PTR(-EINVAL); + } + err = -EINVAL; for (i = 0; i < ctx->nr; i++) { l = &ctx->lower[i]; -- 2.49.0

1 month

3
2
0 0

[PATCH] hfsplus: Return null terminated string from hfsplus_uni2asc()

by Aaro Mäkinen

In case hfsplus_uni2asc() is called with reused buffer there is a possibility that the buffer contains remains of the last string and the null character is only after that. This can and has caused problems in functions that call hfsplus_uni2asc(). Also correct the error handling for call to copy_name() where the above problem caused error to be not passed in hfsplus_listxattr(). Fixes: 7dcbf17e3f91 ("hfsplus: refactor copy_name to not use strncpy") Signed-off-by: Aaro Mäkinen <aaro(a)tuxera.com> Reviewed-by: Anton Altaparmakov <anton(a)tuxera.com> --- fs/hfsplus/unicode.c | 1 + fs/hfsplus/xattr.c | 13 ++++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c index 73342c925a4b..1f122e3c9583 100644 --- a/fs/hfsplus/unicode.c +++ b/fs/hfsplus/unicode.c @@ -246,6 +246,7 @@ int hfsplus_uni2asc(struct super_block *sb, res = 0; out: *len_p = (char *)op - astr; + *op = '\0'; return res; } diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c index 9a1a93e3888b..f20487ad4e8a 100644 --- a/fs/hfsplus/xattr.c +++ b/fs/hfsplus/xattr.c @@ -746,9 +746,16 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size) if (size < (res + name_len(strbuf, xattr_name_len))) { res = -ERANGE; goto end_listxattr; - } else - res += copy_name(buffer + res, - strbuf, xattr_name_len); + } else { + err = copy_name(buffer + res, + strbuf, xattr_name_len); + if (err < 0) { + res = err; + goto end_listxattr; + } + else + res += err; + } } if (hfs_brec_goto(&fd, 1)) -- 2.43.0

1 month

2
1
0 0

[PATCH 1/4] net: fix uninitialised access in mii_nway_restart()

by Qasim Ijaz

In mii_nway_restart() during the line: bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR); The code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer, which is initialised with control_read(): unsigned char buff[2]; However buff is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then buff remains uninitialised. Once this happens the uninitialised buff is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of buff. To fix this we should check the return value of control_read() and return early on error. Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9 Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/net/mii.c | 2 ++ drivers/net/usb/ch9200.c | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/mii.c b/drivers/net/mii.c index 37bc3131d31a..e305bf0f1d04 100644 --- a/drivers/net/mii.c +++ b/drivers/net/mii.c @@ -464,6 +464,8 @@ int mii_nway_restart (struct mii_if_info *mii) /* if autoneg is off, it's an error */ bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR); + if (bmcr < 0) + return bmcr; if (bmcr & BMCR_ANENABLE) { bmcr |= BMCR_ANRESTART; diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c index f69d9b902da0..a206ffa76f1b 100644 --- a/drivers/net/usb/ch9200.c +++ b/drivers/net/usb/ch9200.c @@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) { struct usbnet *dev = netdev_priv(netdev); unsigned char buff[2]; + int ret; netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n", __func__, phy_id, loc); @@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) if (phy_id != 0) return -ENODEV; - control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, - CONTROL_TIMEOUT_MS); + ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, + CONTROL_TIMEOUT_MS); + if (ret < 0) + return ret; return (buff[0] | buff[1] << 8); } -- 2.39.5

1 month

3
2
0 0

[PATCH v2 08/13] PCI: apple: Set only available ports up

by Marc Zyngier

From: Janne Grunau <j(a)jannau.net> Iterating over disabled ports results in of_irq_parse_raw() parsing the wrong "interrupt-map" entries, as it takes the status of the node into account. Switching from for_each_child_of_node() to for_each_available_child_of_node() solves this issue. This became apparent after disabling unused PCIe ports in the Apple Silicon device trees instead of deleting them. Link: https://lore.kernel.org/asahi/20230214-apple_dts_pcie_disable_unused-v1-0-5… Link: https://lore.kernel.org/asahi/1ea2107a-bb86-8c22-0bbc-82c453ab08ce@linaro.o… Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up") Cc: stable(a)vger.kernel.org Signed-off-by: Janne Grunau <j(a)jannau.net> Signed-off-by: Alyssa Rosenzweig <alyssa(a)rosenzweig.io> Signed-off-by: Marc Zyngier <maz(a)kernel.org> --- drivers/pci/controller/pcie-apple.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c index 6271533f1b042..23d9f62bd2ad4 100644 --- a/drivers/pci/controller/pcie-apple.c +++ b/drivers/pci/controller/pcie-apple.c @@ -747,7 +747,7 @@ static int apple_pcie_init(struct pci_config_window *cfg) struct device_node *of_port; int ret; - for_each_child_of_node(dev->of_node, of_port) { + for_each_available_child_of_node(dev->of_node, of_port) { ret = apple_pcie_setup_port(pcie, of_port); if (ret) { dev_err(dev, "Port %pOF setup fail: %d\n", of_port, ret); -- 2.39.2

1 month

2
1
0 0

[PATCH 5.15.y] bpf, sockmap: Fix race between element replace and close()

by bin.lan.cn＠windriver.com

From: Michal Luczaj <mhal(a)rbox.co> [ Upstream commit ed1fc5d76b81a4d681211333c026202cad4d5649 ] Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_delete_from_link // replace map[0] with s1 map_update_elem(map, 0, s1) sock_map_update_elem (s1!) lock_sock(sk) sock_map_update_common psock = sk_psock(sk) spin_lock(&stab->lock) osk = stab->sks[idx] sock_map_add_link(..., &stab->sks[idx]) sock_map_unref(osk, &stab->sks[idx]) psock = sk_psock(osk) sk_psock_put(sk, psock) if (refcount_dec_and_test(&psock)) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) unlock_sock(sk) __sock_map_delete spin_lock(&stab->lock) sk = *psk // s1 replaced s0; sk == s1 if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch sk = xchg(psk, NULL) if (sk) sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle psock = sk_psock(sk) sk_psock_put(sk, psock) if (refcount_dec_and_test()) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) release_sock(sk) Then close(map) enqueues bpf_map_free_deferred, which finally calls sock_map_free(). This results in some refcount_t warnings along with a KASAN splat [1]. Fix __sock_map_delete(), do not allow sock_map_unref() on elements that may have been replaced. [1]: BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330 Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred Call Trace: <TASK> dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 kasan_check_range+0x10f/0x1e0 sock_map_free+0x10e/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1202: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 unix_create1+0x88/0x8a0 unix_create+0xc5/0x180 __sock_create+0x241/0x650 __sys_socketpair+0x1ce/0x420 __x64_sys_socketpair+0x92/0x100 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 46: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 sk_psock_destroy+0x73e/0xa50 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff88811f5b9080 which belongs to the cache UNIX-STREAM of size 1984 The buggy address is located 128 bytes inside of freed 1984-byte region [ffff88811f5b9080, ffff88811f5b9840) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff888127d49401 flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 head: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000003 ffffea00047d6e01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88811f5b9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88811f5b9080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88811f5b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88811f5b9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Disabling lock debugging due to kernel taint refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B 6.12.0+ #125 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xce/0x150 Code: 34 73 eb 03 01 e8 82 53 ad fe 0f 0b eb b1 80 3d 27 73 eb 03 00 75 a8 48 c7 c7 80 bd 95 84 c6 05 17 73 eb 03 01 e8 62 53 ad fe <0f> 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xce/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xce/0x150 sock_map_free+0x2e5/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 10741 hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 refcount_t: underflow; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B W 6.12.0+ #125 Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xee/0x150 Code: 17 73 eb 03 01 e8 62 53 ad fe 0f 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 f6 72 eb 03 01 e8 42 53 ad fe <0f> 0b e9 6e ff ff ff 80 3d e6 72 eb 03 00 0f 85 61 ff ff ff 48 c7 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xee/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xee/0x150 sock_map_free+0x2d3/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 10741 hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Michal Luczaj <mhal(a)rbox.co> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Reviewed-by: John Fastabend <john.fastabend(a)gmail.com> Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox… Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- net/core/sock_map.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index f591ec106cd6..487a571c28c1 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -411,15 +411,14 @@ static void *sock_map_lookup_sys(struct bpf_map *map, void *key) static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test, struct sock **psk) { - struct sock *sk; + struct sock *sk = NULL; int err = 0; if (irqs_disabled()) return -EOPNOTSUPP; /* locks here are hardirq-unsafe */ raw_spin_lock_bh(&stab->lock); - sk = *psk; - if (!sk_test || sk_test == sk) + if (!sk_test || sk_test == *psk) sk = xchg(psk, NULL); if (likely(sk)) -- 2.34.1

1 month

2
1
0 0

[PATCH 5.10.y] bpf, sockmap: Fix race between element replace and close()

by bin.lan.cn＠windriver.com

From: Michal Luczaj <mhal(a)rbox.co> [ Upstream commit ed1fc5d76b81a4d681211333c026202cad4d5649 ] Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_delete_from_link // replace map[0] with s1 map_update_elem(map, 0, s1) sock_map_update_elem (s1!) lock_sock(sk) sock_map_update_common psock = sk_psock(sk) spin_lock(&stab->lock) osk = stab->sks[idx] sock_map_add_link(..., &stab->sks[idx]) sock_map_unref(osk, &stab->sks[idx]) psock = sk_psock(osk) sk_psock_put(sk, psock) if (refcount_dec_and_test(&psock)) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) unlock_sock(sk) __sock_map_delete spin_lock(&stab->lock) sk = *psk // s1 replaced s0; sk == s1 if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch sk = xchg(psk, NULL) if (sk) sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle psock = sk_psock(sk) sk_psock_put(sk, psock) if (refcount_dec_and_test()) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) release_sock(sk) Then close(map) enqueues bpf_map_free_deferred, which finally calls sock_map_free(). This results in some refcount_t warnings along with a KASAN splat [1]. Fix __sock_map_delete(), do not allow sock_map_unref() on elements that may have been replaced. [1]: BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330 Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred Call Trace: <TASK> dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 kasan_check_range+0x10f/0x1e0 sock_map_free+0x10e/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1202: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 unix_create1+0x88/0x8a0 unix_create+0xc5/0x180 __sock_create+0x241/0x650 __sys_socketpair+0x1ce/0x420 __x64_sys_socketpair+0x92/0x100 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 46: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 sk_psock_destroy+0x73e/0xa50 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff88811f5b9080 which belongs to the cache UNIX-STREAM of size 1984 The buggy address is located 128 bytes inside of freed 1984-byte region [ffff88811f5b9080, ffff88811f5b9840) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff888127d49401 flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000 head: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401 head: 0017ffffc0000003 ffffea00047d6e01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88811f5b9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88811f5b9080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88811f5b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88811f5b9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Disabling lock debugging due to kernel taint refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B 6.12.0+ #125 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xce/0x150 Code: 34 73 eb 03 01 e8 82 53 ad fe 0f 0b eb b1 80 3d 27 73 eb 03 00 75 a8 48 c7 c7 80 bd 95 84 c6 05 17 73 eb 03 01 e8 62 53 ad fe <0f> 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xce/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xce/0x150 sock_map_free+0x2e5/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 10741 hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 refcount_t: underflow; use-after-free. WARNING: CPU: 14 PID: 1063 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B W 6.12.0+ #125 Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0xee/0x150 Code: 17 73 eb 03 01 e8 62 53 ad fe 0f 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 f6 72 eb 03 01 e8 42 53 ad fe <0f> 0b e9 6e ff ff ff 80 3d e6 72 eb 03 00 0f 85 61 ff ff ff 48 c7 RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed10bcde6349 R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000 R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024 FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> ? __warn.cold+0x5f/0x1ff ? refcount_warn_saturate+0xee/0x150 ? report_bug+0x1ec/0x390 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xee/0x150 sock_map_free+0x2d3/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 10741 hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770 softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Michal Luczaj <mhal(a)rbox.co> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Reviewed-by: John Fastabend <john.fastabend(a)gmail.com> Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox… Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- net/core/sock_map.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index fd4c16391552..d334a2ccd523 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -420,15 +420,14 @@ static void *sock_map_lookup_sys(struct bpf_map *map, void *key) static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test, struct sock **psk) { - struct sock *sk; + struct sock *sk = NULL; int err = 0; if (irqs_disabled()) return -EOPNOTSUPP; /* locks here are hardirq-unsafe */ raw_spin_lock_bh(&stab->lock); - sk = *psk; - if (!sk_test || sk_test == sk) + if (!sk_test || sk_test == *psk) sk = xchg(psk, NULL); if (likely(sk)) -- 2.34.1

1 month

2
1
0 0

[PATCH 5.15.y] ipvs: properly dereference pe in ip_vs_add_service

by Cliff Liu

From: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> [ Upstream commit cbd070a4ae62f119058973f6d2c984e325bce6e7 ] Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression Fixes: 39b972231536 ("ipvs: handle connections started by real-servers") Signed-off-by: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> Acked-by: Julian Anastasov <ja(a)ssi.bg> Acked-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index d0b64c36471d..0f1531e0ce4e 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1384,20 +1384,20 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, sched = NULL; } - /* Bind the ct retriever */ - RCU_INIT_POINTER(svc->pe, pe); - pe = NULL; - /* Update the virtual service counters */ if (svc->port == FTPPORT) atomic_inc(&ipvs->ftpsvc_counter); else if (svc->port == 0) atomic_inc(&ipvs->nullsvc_counter); - if (svc->pe && svc->pe->conn_out) + if (pe && pe->conn_out) atomic_inc(&ipvs->conn_out_counter); ip_vs_start_estimator(ipvs, &svc->stats); + /* Bind the ct retriever */ + RCU_INIT_POINTER(svc->pe, pe); + pe = NULL; + /* Count only IPv4 services for old get/setsockopt interface */ if (svc->af == AF_INET) ipvs->num_services++; -- 2.43.0

1 month

2
1
0 0

[PATCH 5.10.y] ipvs: properly dereference pe in ip_vs_add_service

by Cliff Liu

From: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> [ Upstream commit cbd070a4ae62f119058973f6d2c984e325bce6e7 ] Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression Fixes: 39b972231536 ("ipvs: handle connections started by real-servers") Signed-off-by: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> Acked-by: Julian Anastasov <ja(a)ssi.bg> Acked-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index d0b64c36471d..0f1531e0ce4e 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1384,20 +1384,20 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, sched = NULL; } - /* Bind the ct retriever */ - RCU_INIT_POINTER(svc->pe, pe); - pe = NULL; - /* Update the virtual service counters */ if (svc->port == FTPPORT) atomic_inc(&ipvs->ftpsvc_counter); else if (svc->port == 0) atomic_inc(&ipvs->nullsvc_counter); - if (svc->pe && svc->pe->conn_out) + if (pe && pe->conn_out) atomic_inc(&ipvs->conn_out_counter); ip_vs_start_estimator(ipvs, &svc->stats); + /* Bind the ct retriever */ + RCU_INIT_POINTER(svc->pe, pe); + pe = NULL; + /* Count only IPv4 services for old get/setsockopt interface */ if (svc->af == AF_INET) ipvs->num_services++; -- 2.43.0

1 month

2
1
0 0

FAILED: patch "[PATCH] mm/migrate: fix shmem xarray update during migration" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 60cf233b585cdf1f3c5e52d1225606b86acd08b0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032403-craziness-tactics-91af@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60cf233b585cdf1f3c5e52d1225606b86acd08b0 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Wed, 5 Mar 2025 15:04:03 -0500 Subject: [PATCH] mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here. Link: https://lkml.kernel.org/r/20250305200403.2822855-1-ziy@nvidia.com Fixes: fc346d0a70a1 ("mm: migrate high-order folios in swap cache correctly") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: Liu Shixin <liushixin2(a)huawei.com> Closes: https://lore.kernel.org/all/28546fb4-5210-bf75-16d6-43e1f8646080@huawei.com/ Suggested-by: Hugh Dickins <hughd(a)google.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Charan Teja Kalla <quic_charante(a)quicinc.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Lance Yang <ioworker0(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate.c b/mm/migrate.c index fb19a18892c8..97f0edf0c032 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -518,15 +518,13 @@ static int __folio_migrate_mapping(struct address_space *mapping, if (folio_test_anon(folio) && folio_test_large(folio)) mod_mthp_stat(folio_order(folio), MTHP_STAT_NR_ANON, 1); folio_ref_add(newfolio, nr); /* add cache reference */ - if (folio_test_swapbacked(folio)) { + if (folio_test_swapbacked(folio)) __folio_set_swapbacked(newfolio); - if (folio_test_swapcache(folio)) { - folio_set_swapcache(newfolio); - newfolio->private = folio_get_private(folio); - } + if (folio_test_swapcache(folio)) { + folio_set_swapcache(newfolio); + newfolio->private = folio_get_private(folio); entries = nr; } else { - VM_BUG_ON_FOLIO(folio_test_swapcache(folio), folio); entries = 1; }

1 month

4
4
0 0

[PATCH 6.1 00/29] patches for 6.1.y from 6.8

by Leah Rumancik

Hello, (This series has already been ack'd on the xfs-stable mailing list.) Here is the 6.1.y series corresponding to the 6.6.y series for 6.8 (https://lore.kernel.org/all/20240325220724.42216-1-catherine.hoang@oracle.c…). Descrepancies between the patch series are as follows... The following were added as dependencies (9 patches): 0b11553ec54a6d88907e60d0595dbcef98539747 xfs: pass refcount intent directly through the log intent code (v6.3-rc1~142^2~5) 72ba455599ad13d08c29dafa22a32360e07b1961 xfs: pass xfs_extent_free_item directly through the log intent code (v6.3-rc1~142^2~9) 578c714b215d474c52949e65a914dae67924f0fe xfs: fix confusing xfs_extent_item variable names (v6.3-rc1~142^2~8) ddccb81b26ec021ae1f3366aa996cc4c68dd75ce xfs: pass the xfs_bmbt_irec directly through the log intent code (v6.3-rc1~142^2~11) b2ccab3199aa7cea9154d80ea2585312c5f6eba0 xfs: pass per-ag references to xfs_free_extent (v6.4-rc1~80^2~22^2~3) 7dfee17b13e5024c5c0ab1911859ded4182de3e5 xfs: validate block number being freed before adding to xefi (v6.4-rc6~19^2~1) fix of 7dfee17b13e: 2bed0d82c2f78b91a0a9a5a73da57ee883a0c070 xfs: fix bounds check in xfs_defer_agfl_block() (v6.5-rc1~44^2~10) b742d7b4f0e03df25c2a772adcded35044b625ca xfs: use deferred frees for btree block freeing (v6.5-rc1~44^2~16) 3c919b0910906cc69d76dea214776f0eac73358b xfs: reserve less log space when recovering log intent items (v6.6-rc3~13^2~5^2) And the following were skipped for 6.1.y (4 patches): fb6e584e74710a1b7caee9dac59b494a37e07a62 (scrub) xfs: make xchk_iget safer in the presence of corrupt inode btrees c0e37f07d2bd3c1ee3fb5a650da7d8673557ed16 (scrub) xfs: fix an off-by-one error in xreap_agextent_binval b9358db0a811ff698b0a743bcfb80dfc44b88ebd (scrub) xfs: add missing nrext64 inode flag check to scrub 84712492e6dab803bf595fb8494d11098b74a652 (already in 6.1.y) xfs: short circuit xfs_growfs_data_private() if delta is zero The auto group was run 1x on each of these configs: xfs/4k xfs/1k xfs/logdev xfs/realtime xfs/quota xfs/v4 xfs/dax xfs/adv xfs/dirblock_8k and no regressions were seen. Let me know if you see any issues. Thanks, Leah Andrey Albershteyn (1): xfs: reset XFS_ATTR_INCOMPLETE filter on node removal Christoph Hellwig (1): xfs: consider minlen sized extents in xfs_rtallocate_extent_block Darrick J. Wong (19): xfs: pass refcount intent directly through the log intent code xfs: pass xfs_extent_free_item directly through the log intent code xfs: fix confusing xfs_extent_item variable names xfs: pass the xfs_bmbt_irec directly through the log intent code xfs: pass per-ag references to xfs_free_extent xfs: reserve less log space when recovering log intent items xfs: move the xfs_rtbitmap.c declarations to xfs_rtbitmap.h xfs: convert rt bitmap extent lengths to xfs_rtbxlen_t xfs: don't leak recovered attri intent items xfs: use xfs_defer_pending objects to recover intent items xfs: pass the xfs_defer_pending object to iop_recover xfs: transfer recovered intent item ownership in ->iop_recover xfs: make rextslog computation consistent with mkfs xfs: fix 32-bit truncation in xfs_compute_rextslog xfs: don't allow overly small or large realtime volumes xfs: remove unused fields from struct xbtree_ifakeroot xfs: recompute growfsrtfree transaction reservation while growing rt volume xfs: force all buffers to be written during btree bulk load xfs: remove conditional building of rt geometry validator functions Dave Chinner (4): xfs: validate block number being freed before adding to xefi xfs: fix bounds check in xfs_defer_agfl_block() xfs: use deferred frees for btree block freeing xfs: initialise di_crc in xfs_log_dinode Jiachen Zhang (1): xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real Long Li (2): xfs: add lock protection when remove perag from radix tree xfs: fix perag leak when growfs fails Zhang Tianci (1): xfs: update dir3 leaf block metadata after swap fs/xfs/libxfs/xfs_ag.c | 45 ++++++++--- fs/xfs/libxfs/xfs_ag.h | 3 + fs/xfs/libxfs/xfs_alloc.c | 70 ++++++++++------- fs/xfs/libxfs/xfs_alloc.h | 20 +++-- fs/xfs/libxfs/xfs_attr.c | 6 +- fs/xfs/libxfs/xfs_bmap.c | 121 ++++++++++++++-------------- fs/xfs/libxfs/xfs_bmap.h | 5 +- fs/xfs/libxfs/xfs_bmap_btree.c | 8 +- fs/xfs/libxfs/xfs_btree_staging.c | 4 +- fs/xfs/libxfs/xfs_btree_staging.h | 6 -- fs/xfs/libxfs/xfs_da_btree.c | 7 ++ fs/xfs/libxfs/xfs_defer.c | 103 +++++++++++++++++------- fs/xfs/libxfs/xfs_defer.h | 5 ++ fs/xfs/libxfs/xfs_format.h | 2 +- fs/xfs/libxfs/xfs_ialloc.c | 24 ++++-- fs/xfs/libxfs/xfs_ialloc_btree.c | 6 +- fs/xfs/libxfs/xfs_log_recover.h | 27 +++++++ fs/xfs/libxfs/xfs_refcount.c | 116 +++++++++++++-------------- fs/xfs/libxfs/xfs_refcount.h | 4 +- fs/xfs/libxfs/xfs_refcount_btree.c | 9 +-- fs/xfs/libxfs/xfs_rtbitmap.c | 2 + fs/xfs/libxfs/xfs_rtbitmap.h | 83 ++++++++++++++++++++ fs/xfs/libxfs/xfs_sb.c | 20 ++++- fs/xfs/libxfs/xfs_sb.h | 2 + fs/xfs/libxfs/xfs_types.h | 13 +++ fs/xfs/scrub/repair.c | 3 +- fs/xfs/scrub/rtbitmap.c | 3 +- fs/xfs/xfs_attr_item.c | 30 +++---- fs/xfs/xfs_bmap_item.c | 99 ++++++++++------------- fs/xfs/xfs_buf.c | 44 ++++++++++- fs/xfs/xfs_buf.h | 1 + fs/xfs/xfs_extfree_item.c | 122 ++++++++++++++++------------- fs/xfs/xfs_fsmap.c | 2 +- fs/xfs/xfs_fsops.c | 5 +- fs/xfs/xfs_inode_item.c | 3 + fs/xfs/xfs_log.c | 1 + fs/xfs/xfs_log_priv.h | 1 + fs/xfs/xfs_log_recover.c | 118 +++++++++++++++------------- fs/xfs/xfs_refcount_item.c | 81 +++++++++---------- fs/xfs/xfs_reflink.c | 7 +- fs/xfs/xfs_rmap_item.c | 20 ++--- fs/xfs/xfs_rtalloc.c | 14 +++- fs/xfs/xfs_rtalloc.h | 73 ----------------- fs/xfs/xfs_trace.h | 15 +--- fs/xfs/xfs_trans.h | 4 +- 45 files changed, 782 insertions(+), 575 deletions(-) create mode 100644 fs/xfs/libxfs/xfs_rtbitmap.h -- 2.49.0.rc1.451.g8f38331e32-goog

1 month

4
44
0 0

[PATCH 6.12] Revert "sched/core: Reduce cost of sched_move_task when config autogroup"

by Hagar Hemdan

From: Dietmar Eggemann <dietmar.eggemann(a)arm.com> commit 76f970ce51c80f625eb6ddbb24e9cb51b977b598 upstream. This reverts commit eff6c8ce8d4d7faef75f66614dd20bb50595d261. Hazem reported a 30% drop in UnixBench spawn test with commit eff6c8ce8d4d ("sched/core: Reduce cost of sched_move_task when config autogroup") on a m6g.xlarge AWS EC2 instance with 4 vCPUs and 16 GiB RAM (aarch64) (single level MC sched domain): https://lkml.kernel.org/r/20250205151026.13061-1-hagarhem@amazon.com There is an early bail from sched_move_task() if p->sched_task_group is equal to p's 'cpu cgroup' (sched_get_task_group()). E.g. both are pointing to taskgroup '/user.slice/user-1000.slice/session-1.scope' (Ubuntu '22.04.5 LTS'). So in: do_exit() sched_autogroup_exit_task() sched_move_task() if sched_get_task_group(p) == p->sched_task_group return /* p is enqueued */ dequeue_task() \ sched_change_group() | task_change_group_fair() | detach_task_cfs_rq() | (1) set_task_rq() | attach_task_cfs_rq() | enqueue_task() / (1) isn't called for p anymore. Turns out that the regression is related to sgs->group_util in group_is_overloaded() and group_has_capacity(). If (1) isn't called for all the 'spawn' tasks then sgs->group_util is ~900 and sgs->group_capacity = 1024 (single CPU sched domain) and this leads to group_is_overloaded() returning true (2) and group_has_capacity() false (3) much more often compared to the case when (1) is called. I.e. there are much more cases of 'group_is_overloaded' and 'group_fully_busy' in WF_FORK wakeup sched_balance_find_dst_cpu() which then returns much more often a CPU != smp_processor_id() (5). This isn't good for these extremely short running tasks (FORK + EXIT) and also involves calling sched_balance_find_dst_group_cpu() unnecessary (single CPU sched domain). Instead if (1) is called for 'p->flags & PF_EXITING' then the path (4),(6) is taken much more often. select_task_rq_fair(..., wake_flags = WF_FORK) cpu = smp_processor_id() new_cpu = sched_balance_find_dst_cpu(..., cpu, ...) group = sched_balance_find_dst_group(..., cpu) do { update_sg_wakeup_stats() sgs->group_type = group_classify() if group_is_overloaded() (2) return group_overloaded if !group_has_capacity() (3) return group_fully_busy return group_has_spare (4) } while group if local_sgs.group_type > idlest_sgs.group_type return idlest (5) case group_has_spare: if local_sgs.idle_cpus >= idlest_sgs.idle_cpus return NULL (6) Unixbench Tests './Run -c 4 spawn' on: (a) VM AWS instance (m7gd.16xlarge) with v6.13 ('maxcpus=4 nr_cpus=4') and Ubuntu 22.04.5 LTS (aarch64). Shell & test run in '/user.slice/user-1000.slice/session-1.scope'. w/o patch w/ patch 21005 27120 (b) i7-13700K with tip/sched/core ('nosmt maxcpus=8 nr_cpus=8') and Ubuntu 22.04.5 LTS (x86_64). Shell & test run in '/A'. w/o patch w/ patch 67675 88806 CONFIG_SCHED_AUTOGROUP=y & /sys/proc/kernel/sched_autogroup_enabled equal 0 or 1. Reported-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com> Signed-off-by: Dietmar Eggemann <dietmar.eggemann(a)arm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Vincent Guittot <vincent.guittot(a)linaro.org> Tested-by: Hagar Hemdan <hagarhem(a)amazon.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/r/20250314151345.275739-1-dietmar.eggemann@arm.com Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- kernel/sched/core.c | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 1f817d0c5d2d..e9bb1b4c5842 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -8919,7 +8919,7 @@ void sched_release_group(struct task_group *tg) spin_unlock_irqrestore(&task_group_lock, flags); } -static struct task_group *sched_get_task_group(struct task_struct *tsk) +static void sched_change_group(struct task_struct *tsk) { struct task_group *tg; @@ -8931,13 +8931,7 @@ static struct task_group *sched_get_task_group(struct task_struct *tsk) tg = container_of(task_css_check(tsk, cpu_cgrp_id, true), struct task_group, css); tg = autogroup_task_group(tsk, tg); - - return tg; -} - -static void sched_change_group(struct task_struct *tsk, struct task_group *group) -{ - tsk->sched_task_group = group; + tsk->sched_task_group = tg; #ifdef CONFIG_FAIR_GROUP_SCHED if (tsk->sched_class->task_change_group) @@ -8958,20 +8952,11 @@ void sched_move_task(struct task_struct *tsk, bool for_autogroup) { int queued, running, queue_flags = DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK; - struct task_group *group; struct rq *rq; CLASS(task_rq_lock, rq_guard)(tsk); rq = rq_guard.rq; - /* - * Esp. with SCHED_AUTOGROUP enabled it is possible to get superfluous - * group changes. - */ - group = sched_get_task_group(tsk); - if (group == tsk->sched_task_group) - return; - update_rq_clock(rq); running = task_current(rq, tsk); @@ -8982,7 +8967,7 @@ void sched_move_task(struct task_struct *tsk, bool for_autogroup) if (running) put_prev_task(rq, tsk); - sched_change_group(tsk, group); + sched_change_group(tsk); if (!for_autogroup) scx_cgroup_move_task(tsk); -- 2.47.1

1 month

3
2
0 0

[PATCH 5.15.y] smb: client: fix potential UAF in cifs_dump_full_key()

by jianqi.ren.cn＠windriver.com

From: Paulo Alcantara <pc(a)manguebit.com> commit 58acd1f497162e7d282077f816faa519487be045 upstream. Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [This patch removes lock/unlock operation in routine cifs_dump_full_key() for ses_lock is not present in v5.15 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.15.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/cifs/ioctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c index 71883ba9e567..e846c18b71d2 100644 --- a/fs/cifs/ioctl.c +++ b/fs/cifs/ioctl.c @@ -232,7 +232,8 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) { list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) { - if (ses_it->Suid == out.session_id) { + if (ses_it->status != CifsExiting && + ses_it->Suid == out.session_id) { ses = ses_it; /* * since we are using the session outside the crit -- 2.25.1

1 month

2
1
0 0

FAILED: patch "[PATCH] mm/huge_memory: drop beyond-EOF folios with the right number" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 14efb4793519d73fb2902bb0ece319b886e4b4b9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032430-granny-hunter-c6a5@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 14efb4793519d73fb2902bb0ece319b886e4b4b9 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Mon, 10 Mar 2025 11:57:27 -0400 Subject: [PATCH] mm/huge_memory: drop beyond-EOF folios with the right number of refs When an after-split folio is large and needs to be dropped due to EOF, folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all page cache refs. Otherwise, the folio will not be freed, causing memory leak. This leak would happen on a filesystem with blocksize > page_size and a truncate is performed, where the blocksize makes folios split to >0 order ones, causing truncated folios not being freed. Link: https://lkml.kernel.org/r/20250310155727.472846-1-ziy@nvidia.com Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: Hugh Dickins <hughd(a)google.com> Closes: https://lore.kernel.org/all/fcbadb7f-dd3e-21df-f9a7-2853b53183c4@google.com/ Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Kirill A. Shuemov <kirill.shutemov(a)linux.intel.com> Cc: Luis Chamberalin <mcgrof(a)kernel.org> Cc: Matthew Wilcow (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Pankaj Raghav <p.raghav(a)samsung.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Yang Shi <yang(a)os.amperecomputing.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 3d3ebdc002d5..373781b21e5c 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3304,7 +3304,7 @@ static void __split_huge_page(struct page *page, struct list_head *list, folio_account_cleaned(tail, inode_to_wb(folio->mapping->host)); __filemap_remove_folio(tail, NULL); - folio_put(tail); + folio_put_refs(tail, folio_nr_pages(tail)); } else if (!folio_test_anon(folio)) { __xa_store(&folio->mapping->i_pages, tail->index, tail, 0);

1 month

3
2
0 0

[PATCH 6.12.y] libsubcmd: Silence compiler warning

by bin.lan.cn＠windriver.com

From: Eder Zulian <ezulian(a)redhat.com> [ Upstream commit 7a4ffec9fd54ea27395e24dff726dbf58e2fe06b ] Initialize the pointer 'o' in options__order to NULL to prevent a compiler warning/error which is observed when compiling with the '-Og' option, but is not emitted by the compiler with the current default compilation options. For example, when compiling libsubcmd with $ make "EXTRA_CFLAGS=-Og" -C tools/lib/subcmd/ clean all Clang version 17.0.6 and GCC 13.3.1 fail to compile parse-options.c due to following error: parse-options.c: In function ‘options__order’: parse-options.c:832:9: error: ‘o’ may be used uninitialized [-Werror=maybe-uninitialized] 832 | memcpy(&ordered[nr_opts], o, sizeof(*o)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ parse-options.c:810:30: note: ‘o’ was declared here 810 | const struct option *o, *p = opts; | ^ cc1: all warnings being treated as errors Signed-off-by: Eder Zulian <ezulian(a)redhat.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Acked-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lore.kernel.org/bpf/20241022172329.3871958-4-ezulian@redhat.com Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- tools/lib/subcmd/parse-options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/lib/subcmd/parse-options.c b/tools/lib/subcmd/parse-options.c index eb896d30545b..555d617c1f50 100644 --- a/tools/lib/subcmd/parse-options.c +++ b/tools/lib/subcmd/parse-options.c @@ -807,7 +807,7 @@ static int option__cmp(const void *va, const void *vb) static struct option *options__order(const struct option *opts) { int nr_opts = 0, nr_group = 0, nr_parent = 0, len; - const struct option *o, *p = opts; + const struct option *o = NULL, *p = opts; struct option *opt, *ordered = NULL, *group; /* flatten the options that have parents */ -- 2.34.1

1 month

2
1
0 0

[PATCH 6.6.y] btrfs: make sure that WRITTEN is set on all metadata blocks

by jianqi.ren.cn＠windriver.com

From: Josef Bacik <josef(a)toxicpanda.com> [ Upstream commit e03418abde871314e1a3a550f4c8afb7b89cb273 ] We previously would call btrfs_check_leaf() if we had the check integrity code enabled, which meant that we could only run the extended leaf checks if we had WRITTEN set on the header flags. This leaves a gap in our checking, because we could end up with corruption on disk where WRITTEN isn't set on the leaf, and then the extended leaf checks don't get run which we rely on to validate all of the item pointers to make sure we don't access memory outside of the extent buffer. However, since 732fab95abe2 ("btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only ever call it on blocks that are being written out, and thus have WRITTEN set, or that are being read in, which should have WRITTEN set. Add checks to make sure we have WRITTEN set appropriately, and then make sure __btrfs_check_leaf() always does the item checking. This will protect us from file systems that have been corrupted and no longer have WRITTEN set on some of the blocks. This was hit on a crafted image tweaking the WRITTEN bit and reported by KASAN as out-of-bound access in the eb accessors. The example is a dir item at the end of an eb. [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2 [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f] [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1 [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0 [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206 [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0 [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748 [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9 [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8 [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0 [2.621] Call Trace: [2.621] <TASK> [2.621] ? show_regs+0x74/0x80 [2.621] ? die_addr+0x46/0xc0 [2.621] ? exc_general_protection+0x161/0x2a0 [2.621] ? asm_exc_general_protection+0x26/0x30 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? btrfs_get_16+0x34b/0x6d0 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? __pfx_btrfs_get_16+0x10/0x10 [2.621] ? __pfx_mutex_unlock+0x10/0x10 [2.621] btrfs_match_dir_item_name+0x101/0x1a0 [2.621] btrfs_lookup_dir_item+0x1f3/0x280 [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10 [2.621] btrfs_get_tree+0xd25/0x1910 Reported-by: lei lu <llfamsec(a)gmail.com> CC: stable(a)vger.kernel.org # 6.7+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: David Sterba <dsterba(a)suse.com> [ copy more details from report ] Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/btrfs/tree-checker.c | 30 +++++++++++++++--------------- fs/btrfs/tree-checker.h | 1 + 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 53c74010140e..6d16506bbdc0 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -1889,6 +1889,11 @@ enum btrfs_tree_block_status __btrfs_check_leaf(struct extent_buffer *leaf) return BTRFS_TREE_BLOCK_INVALID_LEVEL; } + if (unlikely(!btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_WRITTEN))) { + generic_err(leaf, 0, "invalid flag for leaf, WRITTEN not set"); + return BTRFS_TREE_BLOCK_WRITTEN_NOT_SET; + } + /* * Extent buffers from a relocation tree have a owner field that * corresponds to the subvolume tree they are based on. So just from an @@ -1950,6 +1955,7 @@ enum btrfs_tree_block_status __btrfs_check_leaf(struct extent_buffer *leaf) for (slot = 0; slot < nritems; slot++) { u32 item_end_expected; u64 item_data_end; + enum btrfs_tree_block_status ret; btrfs_item_key_to_cpu(leaf, &key, slot); @@ -2005,21 +2011,10 @@ enum btrfs_tree_block_status __btrfs_check_leaf(struct extent_buffer *leaf) return BTRFS_TREE_BLOCK_INVALID_OFFSETS; } - /* - * We only want to do this if WRITTEN is set, otherwise the leaf - * may be in some intermediate state and won't appear valid. - */ - if (btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_WRITTEN)) { - enum btrfs_tree_block_status ret; - - /* - * Check if the item size and content meet other - * criteria - */ - ret = check_leaf_item(leaf, &key, slot, &prev_key); - if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN)) - return ret; - } + /* Check if the item size and content meet other criteria. */ + ret = check_leaf_item(leaf, &key, slot, &prev_key); + if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN)) + return ret; prev_key.objectid = key.objectid; prev_key.type = key.type; @@ -2049,6 +2044,11 @@ enum btrfs_tree_block_status __btrfs_check_node(struct extent_buffer *node) int level = btrfs_header_level(node); u64 bytenr; + if (unlikely(!btrfs_header_flag(node, BTRFS_HEADER_FLAG_WRITTEN))) { + generic_err(node, 0, "invalid flag for node, WRITTEN not set"); + return BTRFS_TREE_BLOCK_WRITTEN_NOT_SET; + } + if (unlikely(level <= 0 || level >= BTRFS_MAX_LEVEL)) { generic_err(node, 0, "invalid level for node, have %d expect [1, %d]", diff --git a/fs/btrfs/tree-checker.h b/fs/btrfs/tree-checker.h index 3c2a02a72f64..43f2ceb78f34 100644 --- a/fs/btrfs/tree-checker.h +++ b/fs/btrfs/tree-checker.h @@ -51,6 +51,7 @@ enum btrfs_tree_block_status { BTRFS_TREE_BLOCK_INVALID_BLOCKPTR, BTRFS_TREE_BLOCK_INVALID_ITEM, BTRFS_TREE_BLOCK_INVALID_OWNER, + BTRFS_TREE_BLOCK_WRITTEN_NOT_SET, }; /* -- 2.25.1

1 month

2
1
0 0

[PATCH 6.1.y] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com> [WHY] DMUB locking is important to make sure that registers aren't accessed while in PSR. Previously it was enabled but caused a deadlock in situations with multiple eDP panels. [HOW] Detect if multiple eDP panels are in use to decide whether to use lock. Refactor the function so that the first check is for PSR-SU and then replay is in use to prevent having to look up number of eDP panels for those configurations. Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965 Reviewed-by: ChiaHsuan Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org (cherry picked from commit acbf16a6ae775b4db86f537448cc466288aa307e) [superm1: Adjust for missing replay support bfeefe6ea5f1, Adjust for dc_get_edp_links not being renamed from get_edp_links()] Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c index 3f32e9c3fbaf..13995b6fb865 100644 --- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c @@ -67,5 +67,17 @@ bool should_use_dmub_lock(struct dc_link *link) { if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) return true; + + /* only use HW lock for PSR1 on single eDP */ + if (link->psr_settings.psr_version == DC_PSR_VERSION_1) { + struct dc_link *edp_links[MAX_NUM_EDP]; + int edp_num; + + get_edp_links(link->dc, edp_links, &edp_num); + + if (edp_num == 1) + return true; + } + return false; } -- 2.43.0

1 month

2
1
0 0

[PATCH 6.6.y] wifi: iwlwifi: mvm: ensure offloading TID queue exists

by jianqi.ren.cn＠windriver.com

From: Benjamin Berg <benjamin.berg(a)intel.com> [ Upstream commit 78f65fbf421a61894c14a1b91fe2fb4437b3fe5f ] The resume code path assumes that the TX queue for the offloading TID has been configured. At resume time it then tries to sync the write pointer as it may have been updated by the firmware. In the unusual event that no packets have been send on TID 0, the queue will not have been allocated and this causes a crash. Fix this by ensuring the queue exist at suspend time. Signed-off-by: Benjamin Berg <benjamin.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://msgid.link/20240218194912.6632e6dc7b35.Ie6e6a7488c9c7d4529f13d48f75… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 ++++++- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++++++++++++++++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 ++- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c index 592b9157d50c..a82cdd897173 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c @@ -1293,7 +1293,9 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw, mvm->net_detect = true; } else { - struct iwl_wowlan_config_cmd wowlan_config_cmd = {}; + struct iwl_wowlan_config_cmd wowlan_config_cmd = { + .offloading_tid = 0, + }; wowlan_config_cmd.sta_id = mvmvif->deflink.ap_sta_id; @@ -1305,6 +1307,11 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw, goto out_noreset; } + ret = iwl_mvm_sta_ensure_queue( + mvm, ap_sta->txq[wowlan_config_cmd.offloading_tid]); + if (ret) + goto out_noreset; + ret = iwl_mvm_get_wowlan_config(mvm, wowlan, &wowlan_config_cmd, vif, mvmvif, ap_sta); if (ret) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c index 84f4a9576cbd..662efded3125 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c @@ -1501,6 +1501,34 @@ static int iwl_mvm_sta_alloc_queue(struct iwl_mvm *mvm, return ret; } +int iwl_mvm_sta_ensure_queue(struct iwl_mvm *mvm, + struct ieee80211_txq *txq) +{ + struct iwl_mvm_txq *mvmtxq = iwl_mvm_txq_from_mac80211(txq); + int ret = -EINVAL; + + lockdep_assert_held(&mvm->mutex); + + if (likely(test_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state)) || + !txq->sta) { + return 0; + } + + if (!iwl_mvm_sta_alloc_queue(mvm, txq->sta, txq->ac, txq->tid)) { + set_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state); + ret = 0; + } + + local_bh_disable(); + spin_lock(&mvm->add_stream_lock); + if (!list_empty(&mvmtxq->list)) + list_del_init(&mvmtxq->list); + spin_unlock(&mvm->add_stream_lock); + local_bh_enable(); + + return ret; +} + void iwl_mvm_add_new_dqa_stream_wk(struct work_struct *wk) { struct iwl_mvm *mvm = container_of(wk, struct iwl_mvm, diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h index 95ef60daa62f..799ea7675e01 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */ /* - * Copyright (C) 2012-2014, 2018-2022 Intel Corporation + * Copyright (C) 2012-2014, 2018-2024 Intel Corporation * Copyright (C) 2013-2014 Intel Mobile Communications GmbH * Copyright (C) 2015-2016 Intel Deutschland GmbH */ @@ -577,6 +577,7 @@ void iwl_mvm_modify_all_sta_disable_tx(struct iwl_mvm *mvm, bool disable); void iwl_mvm_csa_client_absent(struct iwl_mvm *mvm, struct ieee80211_vif *vif); +int iwl_mvm_sta_ensure_queue(struct iwl_mvm *mvm, struct ieee80211_txq *txq); void iwl_mvm_add_new_dqa_stream_wk(struct work_struct *wk); int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, struct iwl_mvm_int_sta *sta, u8 *addr, u32 cipher, -- 2.25.1

1 month

2
1
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 38f4aa34a5f737ea8588dac320d884cc2e762c03 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032421-charging-glucose-8b79@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 38f4aa34a5f737ea8588dac320d884cc2e762c03 Mon Sep 17 00:00:00 2001 From: Justin Klaassen <justin(a)tidylabs.net> Date: Tue, 25 Feb 2025 17:03:58 +0000 Subject: [PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S The u2phy1_host should always have the same status as usb_host1_ehci and usb_host1_ohci, otherwise the EHCI and OHCI drivers may be initialized for a disabled usb port. Per the NanoPi R4S schematic, the phy-supply for u2phy1_host is set to the vdd_5v regulator. Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S") Cc: stable(a)vger.kernel.org Signed-off-by: Justin Klaassen <justin(a)tidylabs.net> Reviewed-by: Dragan Simic <dsimic(a)manjaro.org> Link: https://lore.kernel.org/r/20250225170420.3898-1-justin@tidylabs.net Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi index b1c9bd0e63ef..8d94d9f91a5c 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi @@ -115,7 +115,7 @@ &u2phy0_host { }; &u2phy1_host { - status = "disabled"; + phy-supply = <&vdd_5v>; }; &uart0 {

1 month

3
2
0 0

[PATCH 6.6] Revert "sched/core: Reduce cost of sched_move_task when config autogroup"

by Hagar Hemdan

commit 76f970ce51c80f625eb6ddbb24e9cb51b977b598 upstream. This reverts commit eff6c8ce8d4d7faef75f66614dd20bb50595d261. Hazem reported a 30% drop in UnixBench spawn test with commit eff6c8ce8d4d ("sched/core: Reduce cost of sched_move_task when config autogroup") on a m6g.xlarge AWS EC2 instance with 4 vCPUs and 16 GiB RAM (aarch64) (single level MC sched domain): https://lkml.kernel.org/r/20250205151026.13061-1-hagarhem@amazon.com There is an early bail from sched_move_task() if p->sched_task_group is equal to p's 'cpu cgroup' (sched_get_task_group()). E.g. both are pointing to taskgroup '/user.slice/user-1000.slice/session-1.scope' (Ubuntu '22.04.5 LTS'). So in: do_exit() sched_autogroup_exit_task() sched_move_task() if sched_get_task_group(p) == p->sched_task_group return /* p is enqueued */ dequeue_task() \ sched_change_group() | task_change_group_fair() | detach_task_cfs_rq() | (1) set_task_rq() | attach_task_cfs_rq() | enqueue_task() / (1) isn't called for p anymore. Turns out that the regression is related to sgs->group_util in group_is_overloaded() and group_has_capacity(). If (1) isn't called for all the 'spawn' tasks then sgs->group_util is ~900 and sgs->group_capacity = 1024 (single CPU sched domain) and this leads to group_is_overloaded() returning true (2) and group_has_capacity() false (3) much more often compared to the case when (1) is called. I.e. there are much more cases of 'group_is_overloaded' and 'group_fully_busy' in WF_FORK wakeup sched_balance_find_dst_cpu() which then returns much more often a CPU != smp_processor_id() (5). This isn't good for these extremely short running tasks (FORK + EXIT) and also involves calling sched_balance_find_dst_group_cpu() unnecessary (single CPU sched domain). Instead if (1) is called for 'p->flags & PF_EXITING' then the path (4),(6) is taken much more often. select_task_rq_fair(..., wake_flags = WF_FORK) cpu = smp_processor_id() new_cpu = sched_balance_find_dst_cpu(..., cpu, ...) group = sched_balance_find_dst_group(..., cpu) do { update_sg_wakeup_stats() sgs->group_type = group_classify() if group_is_overloaded() (2) return group_overloaded if !group_has_capacity() (3) return group_fully_busy return group_has_spare (4) } while group if local_sgs.group_type > idlest_sgs.group_type return idlest (5) case group_has_spare: if local_sgs.idle_cpus >= idlest_sgs.idle_cpus return NULL (6) Unixbench Tests './Run -c 4 spawn' on: (a) VM AWS instance (m7gd.16xlarge) with v6.13 ('maxcpus=4 nr_cpus=4') and Ubuntu 22.04.5 LTS (aarch64). Shell & test run in '/user.slice/user-1000.slice/session-1.scope'. w/o patch w/ patch 21005 27120 (b) i7-13700K with tip/sched/core ('nosmt maxcpus=8 nr_cpus=8') and Ubuntu 22.04.5 LTS (x86_64). Shell & test run in '/A'. w/o patch w/ patch 67675 88806 CONFIG_SCHED_AUTOGROUP=y & /sys/proc/kernel/sched_autogroup_enabled equal 0 or 1. Reported-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com> Signed-off-by: Dietmar Eggemann <dietmar.eggemann(a)arm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Vincent Guittot <vincent.guittot(a)linaro.org> Tested-by: Hagar Hemdan <hagarhem(a)amazon.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/r/20250314151345.275739-1-dietmar.eggemann@arm.com [Hagar: clean revert of eff6c8ce8dd7 to make it work on 6.6] Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- kernel/sched/core.c | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 942734bf7347..8c5f75af07db 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -10494,7 +10494,7 @@ void sched_release_group(struct task_group *tg) spin_unlock_irqrestore(&task_group_lock, flags); } -static struct task_group *sched_get_task_group(struct task_struct *tsk) +static void sched_change_group(struct task_struct *tsk) { struct task_group *tg; @@ -10506,13 +10506,7 @@ static struct task_group *sched_get_task_group(struct task_struct *tsk) tg = container_of(task_css_check(tsk, cpu_cgrp_id, true), struct task_group, css); tg = autogroup_task_group(tsk, tg); - - return tg; -} - -static void sched_change_group(struct task_struct *tsk, struct task_group *group) -{ - tsk->sched_task_group = group; + tsk->sched_task_group = tg; #ifdef CONFIG_FAIR_GROUP_SCHED if (tsk->sched_class->task_change_group) @@ -10533,19 +10527,10 @@ void sched_move_task(struct task_struct *tsk) { int queued, running, queue_flags = DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK; - struct task_group *group; struct rq_flags rf; struct rq *rq; rq = task_rq_lock(tsk, &rf); - /* - * Esp. with SCHED_AUTOGROUP enabled it is possible to get superfluous - * group changes. - */ - group = sched_get_task_group(tsk); - if (group == tsk->sched_task_group) - goto unlock; - update_rq_clock(rq); running = task_current(rq, tsk); @@ -10556,7 +10541,7 @@ void sched_move_task(struct task_struct *tsk) if (running) put_prev_task(rq, tsk); - sched_change_group(tsk, group); + sched_change_group(tsk); if (queued) enqueue_task(rq, tsk, queue_flags); @@ -10570,7 +10555,6 @@ void sched_move_task(struct task_struct *tsk) resched_curr(rq); } -unlock: task_rq_unlock(rq, tsk, &rf); } -- 2.47.1

1 month

2
1
0 0

[PATCH 6.1.y] drm/amdgpu: fix use-after-free bug

by bin.lan.cn＠windriver.com

From: Vitaly Prosyak <vitaly.prosyak(a)amd.com> [ Upstream commit 22207fd5c80177b860279653d017474b2812af5e ] The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl to the AMDGPU DRM driver on any ASICs with an invalid address and size. The bug was reported by Joonkyo Jung <joonkyoj(a)yonsei.ac.kr>. For example the following code: static void Syzkaller1(int fd) { struct drm_amdgpu_gem_userptr arg; int ret; arg.addr = 0xffffffffffff0000; arg.size = 0x80000000; /*2 Gb*/ arg.flags = 0x7; ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg); } Due to the address and size are not valid there is a failure in amdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert-> check_shl_overflow, but we even the amdgpu_hmm_register failure we still call amdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address. The following stack is below when the issue is reproduced when Kazan is enabled: [ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340 [ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80 [ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246 [ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b [ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260 [ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25 [ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00 [ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260 [ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000 [ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0 [ +0.000010] Call Trace: [ +0.000006] <TASK> [ +0.000007] ? show_regs+0x6a/0x80 [ +0.000018] ? __warn+0xa5/0x1b0 [ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340 [ +0.000018] ? report_bug+0x24a/0x290 [ +0.000022] ? handle_bug+0x46/0x90 [ +0.000015] ? exc_invalid_op+0x19/0x50 [ +0.000016] ? asm_exc_invalid_op+0x1b/0x20 [ +0.000017] ? kasan_save_stack+0x26/0x50 [ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340 [ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340 [ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340 [ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10 [ +0.000017] ? kasan_save_alloc_info+0x1e/0x30 [ +0.000018] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __kasan_kmalloc+0xb1/0xc0 [ +0.000018] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_read+0x11/0x20 [ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu] [ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu] [ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu] [ +0.004291] ? do_syscall_64+0x5f/0xe0 [ +0.000023] ? srso_return_thunk+0x5/0x5f [ +0.000017] drm_gem_object_free+0x3b/0x50 [drm] [ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu] [ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004270] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __this_cpu_preempt_check+0x13/0x20 [ +0.000015] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm] [ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm] [ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm] [ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm] [ +0.000489] ? srso_return_thunk+0x5/0x5f [ +0.000011] ? __kasan_check_write+0x14/0x20 [ +0.000016] drm_ioctl+0x3da/0x730 [drm] [ +0.000475] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [ +0.004293] ? __pfx_drm_ioctl+0x10/0x10 [drm] [ +0.000506] ? __pfx_rpm_resume+0x10/0x10 [ +0.000016] ? srso_return_thunk+0x5/0x5f [ +0.000011] ? __kasan_check_write+0x14/0x20 [ +0.000010] ? srso_return_thunk+0x5/0x5f [ +0.000011] ? _raw_spin_lock_irqsave+0x99/0x100 [ +0.000015] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000014] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000011] ? srso_return_thunk+0x5/0x5f [ +0.000011] ? preempt_count_sub+0x18/0xc0 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000010] ? _raw_spin_unlock_irqrestore+0x27/0x50 [ +0.000019] amdgpu_drm_ioctl+0x7e/0xe0 [amdgpu] [ +0.004272] __x64_sys_ioctl+0xcd/0x110 [ +0.000020] do_syscall_64+0x5f/0xe0 [ +0.000021] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ +0.000015] RIP: 0033:0x7ff9ed31a94f [ +0.000012] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [ +0.000013] RSP: 002b:00007fff25f66790 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ +0.000016] RAX: ffffffffffffffda RBX: 000055b3f7e133e0 RCX: 00007ff9ed31a94f [ +0.000012] RDX: 000055b3f7e133e0 RSI: 00000000c1186451 RDI: 0000000000000003 [ +0.000010] RBP: 00000000c1186451 R08: 0000000000000000 R09: 0000000000000000 [ +0.000009] R10: 0000000000000008 R11: 0000000000000246 R12: 00007fff25f66ca8 [ +0.000009] R13: 0000000000000003 R14: 000055b3f7021ba8 R15: 00007ff9ed7af040 [ +0.000024] </TASK> [ +0.000007] ---[ end trace 0000000000000000 ]--- v2: Consolidate any error handling into amdgpu_hmm_register which applied to kfd_bo also. (Christian) v3: Improve syntax and comment (Christian) Cc: Christian Koenig <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Felix Kuehling <felix.kuehling(a)amd.com> Cc: Joonkyo Jung <joonkyoj(a)yonsei.ac.kr> Cc: Dokyung Song <dokyungs(a)yonsei.ac.kr> Cc: <jisoo.jang(a)yonsei.ac.kr> Cc: <yw9865(a)yonsei.ac.kr> Signed-off-by: Vitaly Prosyak <vitaly.prosyak(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c is renamed from drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c since d9483ecd327b ("drm/amdgpu: rename the files for HMM handling"). The path is changed accordingly to apply the patch on 6.1.y. ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c index b86c0b8252a5..031b6d974f26 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c @@ -132,13 +132,25 @@ static const struct mmu_interval_notifier_ops amdgpu_mn_hsa_ops = { */ int amdgpu_mn_register(struct amdgpu_bo *bo, unsigned long addr) { + int r; + if (bo->kfd_bo) - return mmu_interval_notifier_insert(&bo->notifier, current->mm, + r = mmu_interval_notifier_insert(&bo->notifier, current->mm, addr, amdgpu_bo_size(bo), &amdgpu_mn_hsa_ops); - return mmu_interval_notifier_insert(&bo->notifier, current->mm, addr, - amdgpu_bo_size(bo), - &amdgpu_mn_gfx_ops); + else + r = mmu_interval_notifier_insert(&bo->notifier, current->mm, addr, + amdgpu_bo_size(bo), + &amdgpu_mn_gfx_ops); + if (r) + /* + * Make sure amdgpu_hmm_unregister() doesn't call + * mmu_interval_notifier_remove() when the notifier isn't properly + * initialized. + */ + bo->notifier.mm = NULL; + + return r; } /** -- 2.34.1

1 month

2
1
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 38f4aa34a5f737ea8588dac320d884cc2e762c03 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032420-nag-conclude-f944@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 38f4aa34a5f737ea8588dac320d884cc2e762c03 Mon Sep 17 00:00:00 2001 From: Justin Klaassen <justin(a)tidylabs.net> Date: Tue, 25 Feb 2025 17:03:58 +0000 Subject: [PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S The u2phy1_host should always have the same status as usb_host1_ehci and usb_host1_ohci, otherwise the EHCI and OHCI drivers may be initialized for a disabled usb port. Per the NanoPi R4S schematic, the phy-supply for u2phy1_host is set to the vdd_5v regulator. Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S") Cc: stable(a)vger.kernel.org Signed-off-by: Justin Klaassen <justin(a)tidylabs.net> Reviewed-by: Dragan Simic <dsimic(a)manjaro.org> Link: https://lore.kernel.org/r/20250225170420.3898-1-justin@tidylabs.net Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi index b1c9bd0e63ef..8d94d9f91a5c 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi @@ -115,7 +115,7 @@ &u2phy0_host { }; &u2phy1_host { - status = "disabled"; + phy-supply = <&vdd_5v>; }; &uart0 {

1 month

3
2
0 0

[PATCH 5.10.y] smb: client: fix potential UAF in cifs_debug_files_proc_show()

by jianqi.ren.cn＠windriver.com

From: Paulo Alcantara <pc(a)manguebit.com> [ Upstream commit ca545b7f0823f19db0f1148d59bc5e1a56634502 ] Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [This patch removes lock/unlock operation in routine cifs_ses_exiting() for ses_lock is not present in v5.10 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.10.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/cifs/cifs_debug.c | 2 ++ fs/cifs/cifsglob.h | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index 53588d7517b4..8b88b0705481 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -183,6 +183,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v) tcp_ses_list); list_for_each(tmp, &server->smb_ses_list) { ses = list_entry(tmp, struct cifs_ses, smb_ses_list); + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp1, &ses->tcon_list) { tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); spin_lock(&tcon->open_file_lock); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 92a7628560cc..b4aa7cd3a914 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -2115,4 +2115,12 @@ static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg, return sg; } +static inline bool cifs_ses_exiting(struct cifs_ses *ses) +{ + bool ret; + + ret = ses->status == CifsExiting; + return ret; +} + #endif /* _CIFS_GLOB_H */ -- 2.25.1

1 month

2
1
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 38f4aa34a5f737ea8588dac320d884cc2e762c03 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032419-glaucoma-ascertain-be6e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 38f4aa34a5f737ea8588dac320d884cc2e762c03 Mon Sep 17 00:00:00 2001 From: Justin Klaassen <justin(a)tidylabs.net> Date: Tue, 25 Feb 2025 17:03:58 +0000 Subject: [PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S The u2phy1_host should always have the same status as usb_host1_ehci and usb_host1_ohci, otherwise the EHCI and OHCI drivers may be initialized for a disabled usb port. Per the NanoPi R4S schematic, the phy-supply for u2phy1_host is set to the vdd_5v regulator. Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S") Cc: stable(a)vger.kernel.org Signed-off-by: Justin Klaassen <justin(a)tidylabs.net> Reviewed-by: Dragan Simic <dsimic(a)manjaro.org> Link: https://lore.kernel.org/r/20250225170420.3898-1-justin@tidylabs.net Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi index b1c9bd0e63ef..8d94d9f91a5c 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi @@ -115,7 +115,7 @@ &u2phy0_host { }; &u2phy1_host { - status = "disabled"; + phy-supply = <&vdd_5v>; }; &uart0 {

1 month

3
2
0 0

[PATCH 5.10.y] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

by bin.lan.cn＠windriver.com

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Upstream commit b25e11f978b63cb7857890edb3a698599cddb10e ] This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4 ("Bluetooth: Always request for user confirmation for Just Works") always request user confirmation with confirm_hint set since the likes of bluetoothd have dedicated policy around JUST_WORKS method (e.g. main.conf:JustWorksRepairing). CVE: CVE-2024-8805 Cc: stable(a)vger.kernel.org Fixes: ba15a58b179e ("Bluetooth: Fix SSP acceptor just-works confirmation without MITM") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Tested-by: Kiran K <kiran.k(a)intel.com> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- net/bluetooth/hci_event.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 58c029958759..546795425119 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4751,19 +4751,16 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev, goto unlock; } - /* If no side requires MITM protection; auto-accept */ + /* If no side requires MITM protection; use JUST_CFM method */ if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { - /* If we're not the initiators request authorization to - * proceed from user space (mgmt_user_confirm with - * confirm_hint set to 1). The exception is if neither - * side had MITM or if the local IO capability is - * NoInputNoOutput, in which case we do auto-accept + /* If we're not the initiator of request authorization and the + * local IO capability is not NoInputNoOutput, use JUST_WORKS + * method (mgmt_user_confirm with confirm_hint set to 1). */ if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && - conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && - (loc_mitm || rem_mitm)) { + conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) { BT_DBG("Confirming auto-accept as acceptor"); confirm_hint = 1; goto confirm; -- 2.34.1

1 month

2
1
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 38f4aa34a5f737ea8588dac320d884cc2e762c03 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032419-amplifier-sympathy-47c6@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 38f4aa34a5f737ea8588dac320d884cc2e762c03 Mon Sep 17 00:00:00 2001 From: Justin Klaassen <justin(a)tidylabs.net> Date: Tue, 25 Feb 2025 17:03:58 +0000 Subject: [PATCH] arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S The u2phy1_host should always have the same status as usb_host1_ehci and usb_host1_ohci, otherwise the EHCI and OHCI drivers may be initialized for a disabled usb port. Per the NanoPi R4S schematic, the phy-supply for u2phy1_host is set to the vdd_5v regulator. Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S") Cc: stable(a)vger.kernel.org Signed-off-by: Justin Klaassen <justin(a)tidylabs.net> Reviewed-by: Dragan Simic <dsimic(a)manjaro.org> Link: https://lore.kernel.org/r/20250225170420.3898-1-justin@tidylabs.net Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi index b1c9bd0e63ef..8d94d9f91a5c 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dtsi @@ -115,7 +115,7 @@ &u2phy0_host { }; &u2phy1_host { - status = "disabled"; + phy-supply = <&vdd_5v>; }; &uart0 {

1 month

3
2
0 0

[PATCH 5.15.y] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

by bin.lan.cn＠windriver.com

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Upstream commit b25e11f978b63cb7857890edb3a698599cddb10e ] This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4 ("Bluetooth: Always request for user confirmation for Just Works") always request user confirmation with confirm_hint set since the likes of bluetoothd have dedicated policy around JUST_WORKS method (e.g. main.conf:JustWorksRepairing). CVE: CVE-2024-8805 Cc: stable(a)vger.kernel.org Fixes: ba15a58b179e ("Bluetooth: Fix SSP acceptor just-works confirmation without MITM") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Tested-by: Kiran K <kiran.k(a)intel.com> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- net/bluetooth/hci_event.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 50e21f67a73d..83af50c3838a 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4859,19 +4859,16 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev, goto unlock; } - /* If no side requires MITM protection; auto-accept */ + /* If no side requires MITM protection; use JUST_CFM method */ if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { - /* If we're not the initiators request authorization to - * proceed from user space (mgmt_user_confirm with - * confirm_hint set to 1). The exception is if neither - * side had MITM or if the local IO capability is - * NoInputNoOutput, in which case we do auto-accept + /* If we're not the initiator of request authorization and the + * local IO capability is not NoInputNoOutput, use JUST_WORKS + * method (mgmt_user_confirm with confirm_hint set to 1). */ if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && - conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && - (loc_mitm || rem_mitm)) { + conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) { BT_DBG("Confirming auto-accept as acceptor"); confirm_hint = 1; goto confirm; -- 2.34.1

1 month

2
1
0 0

[PATCH 5.10.y 0/1] Try to backport patch to fix CVE-2021-47247 on 5.10

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Try to backport commit fb1a3132ee1a ("net/mlx5e: Fix use-after-free of encap entry in neigh update handler") to linux 5.10.y branch to fix CVE-2021-47247. This commit modified the orginal commit due to kernel 5.10 doesn't have the commit 0d9f96471493 ("net/mlx5e: Extract tc tunnel encap/decap code to dedicated file") which moved encap/decap from en_tc.c to tc_tun_encap.c, so backport and move the additional functions to en_tc.c instead of tc_tun_encap.c Vlad Buslov (1): net/mlx5e: Fix use-after-free of encap entry in neigh update handler .../mellanox/mlx5/core/en/rep/neigh.c | 15 ++++----- .../ethernet/mellanox/mlx5/core/en/rep/tc.c | 6 +--- .../net/ethernet/mellanox/mlx5/core/en_tc.c | 33 +++++++++++++++++-- .../net/ethernet/mellanox/mlx5/core/en_tc.h | 3 ++ 4 files changed, 40 insertions(+), 17 deletions(-) -- 2.25.1

1 month

2
2
0 0

FAILED: patch "[PATCH] drm/amd/display: should support dmub hw lock on Replay" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bfeefe6ea5f18cabb8fda55364079573804623f9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032457-occultist-maximum-38b6@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bfeefe6ea5f18cabb8fda55364079573804623f9 Mon Sep 17 00:00:00 2001 From: Martin Tsai <martin.tsai(a)amd.com> Date: Fri, 2 Feb 2024 14:39:29 +0800 Subject: [PATCH] drm/amd/display: should support dmub hw lock on Replay [Why] Without acquiring DMCUB hw lock, a race condition is caused with Panel Replay feature, which will trigger a hang. Indicate that a lock is necessary to prevent this when replay feature is enabled. [How] To allow dmub hw lock on Replay. Reviewed-by: Robin Chen <robin.chen(a)amd.com> Acked-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Martin Tsai <martin.tsai(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c index ba1fec3016d5..bf636b28e3e1 100644 --- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c @@ -65,5 +65,9 @@ bool should_use_dmub_lock(struct dc_link *link) { if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) return true; + + if (link->replay_settings.replay_feature_enabled) + return true; + return false; }

1 month

5
4
0 0

[PATCH 6.1.y] wifi: iwlwifi: mvm: ensure offloading TID queue exists

by jianqi.ren.cn＠windriver.com

From: Benjamin Berg <benjamin.berg(a)intel.com> [ Upstream commit 78f65fbf421a61894c14a1b91fe2fb4437b3fe5f ] The resume code path assumes that the TX queue for the offloading TID has been configured. At resume time it then tries to sync the write pointer as it may have been updated by the firmware. In the unusual event that no packets have been send on TID 0, the queue will not have been allocated and this causes a crash. Fix this by ensuring the queue exist at suspend time. Signed-off-by: Benjamin Berg <benjamin.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://msgid.link/20240218194912.6632e6dc7b35.Ie6e6a7488c9c7d4529f13d48f75… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 ++++++- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++++++++++++++++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 ++- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c index 53302c29c229..f8af851474e5 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c @@ -1286,7 +1286,9 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw, mvm->net_detect = true; } else { - struct iwl_wowlan_config_cmd wowlan_config_cmd = {}; + struct iwl_wowlan_config_cmd wowlan_config_cmd = { + .offloading_tid = 0, + }; wowlan_config_cmd.sta_id = mvmvif->ap_sta_id; @@ -1298,6 +1300,11 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw, goto out_noreset; } + ret = iwl_mvm_sta_ensure_queue( + mvm, ap_sta->txq[wowlan_config_cmd.offloading_tid]); + if (ret) + goto out_noreset; + ret = iwl_mvm_get_wowlan_config(mvm, wowlan, &wowlan_config_cmd, vif, mvmvif, ap_sta); if (ret) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c index 6b52afcf0272..46bf158eb4b3 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c @@ -1419,6 +1419,34 @@ static int iwl_mvm_sta_alloc_queue(struct iwl_mvm *mvm, return ret; } +int iwl_mvm_sta_ensure_queue(struct iwl_mvm *mvm, + struct ieee80211_txq *txq) +{ + struct iwl_mvm_txq *mvmtxq = iwl_mvm_txq_from_mac80211(txq); + int ret = -EINVAL; + + lockdep_assert_held(&mvm->mutex); + + if (likely(test_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state)) || + !txq->sta) { + return 0; + } + + if (!iwl_mvm_sta_alloc_queue(mvm, txq->sta, txq->ac, txq->tid)) { + set_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state); + ret = 0; + } + + local_bh_disable(); + spin_lock(&mvm->add_stream_lock); + if (!list_empty(&mvmtxq->list)) + list_del_init(&mvmtxq->list); + spin_unlock(&mvm->add_stream_lock); + local_bh_enable(); + + return ret; +} + void iwl_mvm_add_new_dqa_stream_wk(struct work_struct *wk) { struct iwl_mvm *mvm = container_of(wk, struct iwl_mvm, diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h index f1a4fc3e4038..5f7e9311e7e5 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */ /* - * Copyright (C) 2012-2014, 2018-2021 Intel Corporation + * Copyright (C) 2012-2014, 2018-2024 Intel Corporation * Copyright (C) 2013-2014 Intel Mobile Communications GmbH * Copyright (C) 2015-2016 Intel Deutschland GmbH */ @@ -544,6 +544,7 @@ void iwl_mvm_modify_all_sta_disable_tx(struct iwl_mvm *mvm, struct iwl_mvm_vif *mvmvif, bool disable); void iwl_mvm_csa_client_absent(struct iwl_mvm *mvm, struct ieee80211_vif *vif); +int iwl_mvm_sta_ensure_queue(struct iwl_mvm *mvm, struct ieee80211_txq *txq); void iwl_mvm_add_new_dqa_stream_wk(struct work_struct *wk); int iwl_mvm_add_pasn_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif, struct iwl_mvm_int_sta *sta, u8 *addr, u32 cipher, -- 2.25.1

1 month

2
1
0 0

[PATCH 6.1.y 6.6.y 0/3] mm/filemap: fix page cache corruption with large folios

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> This series fixes the page cache corruption issue reported by Christian Theune [1]. The issue was reported affects kernels back to 5.19. Current maintained effected branches includes 6.1 and 6.6 and the fix was included in 6.10 already. This series can be applied for both 6.1 and 6.6. Patch 3/3 is the fixing patch. It was initially submitted and merge as an optimization but found to have fixed the corruption by handling race correctly. Patch 1/3 and 2/3 is required for 3/3. Patch 3/3 included some unit test code, making the LOC of the backport a bit higher, but should be OK to be kept, since they are just test code. Note there seems still some unresolved problem in Link [1] but that should be a different issue, and the commits being backported have been well tested, they fix the corruption issue just fine. Link: https://lore.kernel.org/linux-mm/A5A976CB-DB57-4513-A700-656580488AB6@flyin… [1] Kairui Song (3): mm/filemap: return early if failed to allocate memory for split lib/xarray: introduce a new helper xas_get_order mm/filemap: optimize filemap folio adding include/linux/xarray.h | 6 +++ lib/test_xarray.c | 93 ++++++++++++++++++++++++++++++++++++++++++ lib/xarray.c | 49 ++++++++++++++-------- mm/filemap.c | 50 ++++++++++++++++++----- 4 files changed, 169 insertions(+), 29 deletions(-) -- 2.46.1

1 month

6
14
0 0

[PATCH 6.6.y] bnxt_en: Fix receive ring space parameters when XDP is active

by jianqi.ren.cn＠windriver.com

From: Shravya KN <shravya.k-n(a)broadcom.com> [ Upstream commit 3051a77a09dfe3022aa012071346937fdf059033 ] The MTU setting at the time an XDP multi-buffer is attached determines whether the aggregation ring will be used and the rx_skb_func handler. This is done in bnxt_set_rx_skb_mode(). If the MTU is later changed, the aggregation ring setting may need to be changed and it may become out-of-sync with the settings initially done in bnxt_set_rx_skb_mode(). This may result in random memory corruption and crashes as the HW may DMA data larger than the allocated buffer size, such as: BUG: kernel NULL pointer dereference, address: 00000000000003c0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1 Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021 RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en] Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202 RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380 RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980 R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990 FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en] To address the issue, we now call bnxt_set_rx_skb_mode() within bnxt_change_mtu() to properly set the AGG rings configuration and update rx_skb_func based on the new MTU value. Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on the current MTU. Fixes: 08450ea98ae9 ("bnxt_en: Fix max_mtu setting for multi-buf XDP") Co-developed-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Shravya KN <shravya.k-n(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index c440f4d8d43a..1dd873338ec0 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -3986,7 +3986,7 @@ int bnxt_set_rx_skb_mode(struct bnxt *bp, bool page_mode) struct net_device *dev = bp->dev; if (page_mode) { - bp->flags &= ~BNXT_FLAG_AGG_RINGS; + bp->flags &= ~(BNXT_FLAG_AGG_RINGS | BNXT_FLAG_NO_AGG_RINGS); bp->flags |= BNXT_FLAG_RX_PAGE_MODE; if (bp->xdp_prog->aux->xdp_has_frags) @@ -12795,6 +12795,14 @@ static int bnxt_change_mtu(struct net_device *dev, int new_mtu) bnxt_close_nic(bp, true, false); dev->mtu = new_mtu; + + /* MTU change may change the AGG ring settings if an XDP multi-buffer + * program is attached. We need to set the AGG rings settings and + * rx_skb_func accordingly. + */ + if (READ_ONCE(bp->xdp_prog)) + bnxt_set_rx_skb_mode(bp, true); + bnxt_set_ring_params(bp); if (netif_running(dev)) -- 2.25.1

1 month

2
1
0 0

[PATCH] asus-laptop: Fix an uninitialized variable

by Denis Arefev

The value returned by the acpi_evaluate_integer() function is not checked, but the result is not always successful, so an uninitialized 'val' variable may be used in calculations. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b23910c2194e ("asus-laptop: Pegatron Lucid accelerometer") Cc: stable(a)vger.kernel.org Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/platform/x86/asus-laptop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/asus-laptop.c b/drivers/platform/x86/asus-laptop.c index d460dd194f19..b74b7d0eb6c2 100644 --- a/drivers/platform/x86/asus-laptop.c +++ b/drivers/platform/x86/asus-laptop.c @@ -427,7 +427,7 @@ static int asus_pega_lucid_set(struct asus_laptop *asus, int unit, bool enable) static int pega_acc_axis(struct asus_laptop *asus, int curr, char *method) { int i, delta; - unsigned long long val; + unsigned long long val = PEGA_ACC_CLAMP; for (i = 0; i < PEGA_ACC_RETRIES; i++) { acpi_evaluate_integer(asus->handle, method, NULL, &val); -- 2.43.0

1 month

2
1
0 0

[PATCH 6.1] block, bfq: fix re-introduced UAF in bic_set_bfqq()

by Acs, Jakub

Commit eca0025faa96ac ("block, bfq: split sync bfq_queues on a per-actuator basis"), which is a backport of 9778369a2d6c5e ("block, bfq: split sync bfq_queues on a per-actuator basis") re-introduces UAF bug originally fixed by b600de2d7d3a16 ("block, bfq: fix uaf for bfqq in bic_set_bfqq()") and backported to 6.1 in cb1876fc33af26 ("block, bfq: fix uaf for bfqq in bic_set_bfqq()"). bfq_release_process_ref() may release the sync_bfqq variable, which points to the same bfqq as bic->bfqq member for call context from __bfq_bic_change_cgroup(). bic_set_bfqq() then accesses bic->bfqq member which leads to the UAF condition. Fix this by bringing the incriminated function calls back in correct order. Fixes: eca0025faa96ac ("block, bfq: split sync bfq_queues on a per-actuator basis") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Hagar Hemdan <hagarhem(a)amazon.com> Cc: stable(a)vger.kernel.org --- block/bfq-cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c index 5d202b775beb..c202e2527d05 100644 --- a/block/bfq-cgroup.c +++ b/block/bfq-cgroup.c @@ -739,8 +739,8 @@ static void bfq_sync_bfqq_move(struct bfq_data *bfqd, * old cgroup. */ bfq_put_cooperator(sync_bfqq); - bfq_release_process_ref(bfqd, sync_bfqq); bic_set_bfqq(bic, NULL, true, act_idx); + bfq_release_process_ref(bfqd, sync_bfqq); } } -- 2.47.1

1 month

1
0
0 0

[PATCH 1/3] drm/ast: Fix comment on modeset lock

by Thomas Zimmermann

The ast driver protects the commit tail against concurrent reads of the display modes by acquiring a lock. The comment is misleading as the lock is not released in atomic_flush, but at the end of the commit-tail helper. Rewrite the comment. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 1fe182154984 ("drm/ast: Acquire I/O-register lock in atomic_commit_tail function") Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Jocelyn Falempe <jfalempe(a)redhat.com> Cc: Dave Airlie <airlied(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.2+ --- drivers/gpu/drm/ast/ast_mode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c index 4cac5c7f4547..20fbea11b710 100644 --- a/drivers/gpu/drm/ast/ast_mode.c +++ b/drivers/gpu/drm/ast/ast_mode.c @@ -939,9 +939,9 @@ static void ast_mode_config_helper_atomic_commit_tail(struct drm_atomic_state *s /* * Concurrent operations could possibly trigger a call to - * drm_connector_helper_funcs.get_modes by trying to read the - * display modes. Protect access to I/O registers by acquiring - * the I/O-register lock. Released in atomic_flush(). + * drm_connector_helper_funcs.get_modes by reading the display + * modes. Protect access to registers by acquiring the modeset + * lock. */ mutex_lock(&ast->modeset_lock); drm_atomic_helper_commit_tail(state); -- 2.48.1

1 month

2
1
0 0

[PATCH v4] svc-i3c-master: Fix read from unreadable memory at svc_i3c_master_ibi_work()

by Manjunatha Venkatesh

As part of I3C driver probing sequence for particular device instance, While adding to queue it is trying to access ibi variable of dev which is not yet initialized causing "Unable to handle kernel read from unreadable memory" resulting in kernel panic. Below is the sequence where this issue happened. 1. During boot up sequence IBI is received at host from the slave device before requesting for IBI, Usually will request IBI by calling i3c_device_request_ibi() during probe of slave driver. 2. Since master code trying to access IBI Variable for the particular device instance before actually it initialized by slave driver, due to this randomly accessing the address and causing kernel panic. 3. i3c_device_request_ibi() function invoked by the slave driver where dev->ibi = ibi; assigned as part of function call i3c_dev_request_ibi_locked(). 4. But when IBI request sent by slave device, master code trying to access this variable before its initialized due to this race condition situation kernel panic happened. Fixes: dd3c52846d595 ("i3c: master: svc: Add Silvaco I3C master driver") Cc: stable(a)vger.kernel.org Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> --- Changes since v3: - Description updated typo "Fixes:" drivers/i3c/master/svc-i3c-master.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c index d6057d8c7dec..98c4d2e5cd8d 100644 --- a/drivers/i3c/master/svc-i3c-master.c +++ b/drivers/i3c/master/svc-i3c-master.c @@ -534,8 +534,11 @@ static void svc_i3c_master_ibi_work(struct work_struct *work) switch (ibitype) { case SVC_I3C_MSTATUS_IBITYPE_IBI: if (dev) { - i3c_master_queue_ibi(dev, master->ibi.tbq_slot); - master->ibi.tbq_slot = NULL; + data = i3c_dev_get_master_data(dev); + if (master->ibi.slots[data->ibi]) { + i3c_master_queue_ibi(dev, master->ibi.tbq_slot); + master->ibi.tbq_slot = NULL; + } } svc_i3c_master_emit_stop(master); break; -- 2.46.1

1 month

3
6
0 0

[PATCH v3] clocksource: stm32-lptimer: use wakeup capable instead of init wakeup

by Fabrice Gasnier

From: Alexandre Torgue <alexandre.torgue(a)foss.st.com> "wakeup-source" property describes a device which has wakeup capability but should not force this device as a wakeup source. Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver") Cc: stable(a)vger.kernel.org Signed-off-by: Alexandre Torgue <alexandre.torgue(a)foss.st.com> Signed-off-by: Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> --- drivers/clocksource/timer-stm32-lp.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/clocksource/timer-stm32-lp.c b/drivers/clocksource/timer-stm32-lp.c index a4c95161cb22..193e4f643358 100644 --- a/drivers/clocksource/timer-stm32-lp.c +++ b/drivers/clocksource/timer-stm32-lp.c @@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struct platform_device *pdev) } if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) { - ret = device_init_wakeup(&pdev->dev, true); - if (ret) - goto out_clk_disable; + device_set_wakeup_capable(&pdev->dev, true); ret = dev_pm_set_wake_irq(&pdev->dev, irq); if (ret) -- 2.25.1

1 month

3
2
0 0

[PATCH v3] remoteproc: Add device awake calls in rproc boot and shutdown path

by Souradeep Chowdhury

Add device awake calls in case of rproc boot and rproc shutdown path. Currently, device awake call is only present in the recovery path of remoteproc. If a user stops and starts rproc by using the sysfs interface, then on pm suspension the firmware loading fails. Keep the device awake in such a case just like it is done for the recovery path. Fixes: a781e5aa59110 ("remoteproc: core: Prevent system suspend during remoteproc recovery") Signed-off-by: Souradeep Chowdhury <quic_schowdhu(a)quicinc.com> Cc: stable(a)vger.kernel.org --- Changes in v3 *Add the stability mailing list in commit message drivers/remoteproc/remoteproc_core.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c index c2cf0d277729..908a7b8f6c7e 100644 --- a/drivers/remoteproc/remoteproc_core.c +++ b/drivers/remoteproc/remoteproc_core.c @@ -1916,7 +1916,8 @@ int rproc_boot(struct rproc *rproc) pr_err("invalid rproc handle\n"); return -EINVAL; } - + + pm_stay_awake(rproc->dev.parent); dev = &rproc->dev; ret = mutex_lock_interruptible(&rproc->lock); @@ -1961,6 +1962,7 @@ int rproc_boot(struct rproc *rproc) atomic_dec(&rproc->power); unlock_mutex: mutex_unlock(&rproc->lock); + pm_relax(rproc->dev.parent); return ret; } EXPORT_SYMBOL(rproc_boot); @@ -1991,6 +1993,7 @@ int rproc_shutdown(struct rproc *rproc) struct device *dev = &rproc->dev; int ret = 0; + pm_stay_awake(rproc->dev.parent); ret = mutex_lock_interruptible(&rproc->lock); if (ret) { dev_err(dev, "can't lock rproc %s: %d\n", rproc->name, ret); @@ -2027,6 +2030,7 @@ int rproc_shutdown(struct rproc *rproc) rproc->table_ptr = NULL; out: mutex_unlock(&rproc->lock); + pm_relax(rproc->dev.parent); return ret; } EXPORT_SYMBOL(rproc_shutdown); -- 2.34.1

1 month

2
2
0 0

[PATCH 5.15] net: defer final 'struct net' free in netns dismantle

by Vasiliy Kovalev

From: Eric Dumazet <edumazet(a)google.com> commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream. Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) </IRQ> <TASK> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) </TASK> Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3313) __x64_sys_unshare (kernel/fork.c:3382) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Dec 03 05:46:18 kernel: Freed by task 11: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) kasan_save_free_info (mm/kasan/generic.c:582) __kasan_slab_free (mm/kasan/common.c:271) kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681) cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) kthread (kernel/kthread.c:389) ret_from_fork (arch/x86/kernel/process.c:147) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Dec 03 05:46:18 kernel: Last potentially related work creation: kasan_save_stack (mm/kasan/common.c:48) __kasan_record_aux_stack (mm/kasan/generic.c:541) insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) __queue_work (kernel/workqueue.c:2340) queue_work_on (kernel/workqueue.c:2391) xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610) xfrm_add_policy (net/xfrm/xfrm_user.c:2116) xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) netlink_rcv_skb (net/netlink/af_netlink.c:2536) xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) netlink_sendmsg (net/netlink/af_netlink.c:1886) sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) vfs_write (fs/read_write.c:590 fs/read_write.c:683) ksys_write (fs/read_write.c:736) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Dec 03 05:46:18 kernel: Second to last potentially related work creation: kasan_save_stack (mm/kasan/common.c:48) __kasan_record_aux_stack (mm/kasan/generic.c:541) insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) __queue_work (kernel/workqueue.c:2340) queue_work_on (kernel/workqueue.c:2391) __xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513) xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940) xfrm_add_sa (net/xfrm/xfrm_user.c:912) xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) netlink_rcv_skb (net/netlink/af_netlink.c:2536) xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) netlink_sendmsg (net/netlink/af_netlink.c:1886) sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) vfs_write (fs/read_write.c:590 fs/read_write.c:683) ksys_write (fs/read_write.c:736) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops") Reported-by: Ilya Maximets <i.maximets(a)ovn.org> Closes: https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY… Signed-off-by: Eric Dumazet <edumazet(a)google.com> Acked-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-56658 Link: https://www.cve.org/CVERecord/?id=CVE-2024-56658 --- include/net/net_namespace.h | 1 + net/core/net_namespace.c | 21 ++++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index c47baa623ba586..a5d6e04c8e8b55 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -80,6 +80,7 @@ struct net { * or to unregister pernet ops * (pernet_ops_rwsem write locked). */ + struct llist_node defer_free_list; struct llist_node cleanup_list; /* namespaces on death row */ #ifdef CONFIG_KEYS diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index 3addbce20f8ed0..0217dd2635cdb4 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c @@ -430,11 +430,28 @@ static struct net *net_alloc(void) goto out; } +static LLIST_HEAD(defer_free_list); + +static void net_complete_free(void) +{ + struct llist_node *kill_list; + struct net *net, *next; + + /* Get the list of namespaces to free from last round. */ + kill_list = llist_del_all(&defer_free_list); + + llist_for_each_entry_safe(net, next, kill_list, defer_free_list) + kmem_cache_free(net_cachep, net); + +} + static void net_free(struct net *net) { if (refcount_dec_and_test(&net->passive)) { kfree(rcu_access_pointer(net->gen)); - kmem_cache_free(net_cachep, net); + + /* Wait for an extra rcu_barrier() before final free. */ + llist_add(&net->defer_free_list, &defer_free_list); } } @@ -609,6 +626,8 @@ static void cleanup_net(struct work_struct *work) */ rcu_barrier(); + net_complete_free(); + /* Finally it is safe to free my network namespace structure */ list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { list_del_init(&net->exit_list); -- 2.33.8

1 month

4
3
0 0

[PATCH v3 1/2] string: Add load_unaligned_zeropad() code path to sized_strscpy()

by Peter Collingbourne

The call to read_word_at_a_time() in sized_strscpy() is problematic with MTE because it may trigger a tag check fault when reading across a tag granule (16 bytes) boundary. To make this code MTE compatible, let's start using load_unaligned_zeropad() on architectures where it is available (i.e. architectures that define CONFIG_DCACHE_WORD_ACCESS). Because load_unaligned_zeropad() takes care of page boundaries as well as tag granule boundaries, also disable the code preventing crossing page boundaries when using load_unaligned_zeropad(). Signed-off-by: Peter Collingbourne <pcc(a)google.com> Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fd… Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS") Cc: stable(a)vger.kernel.org --- v2: - new approach lib/string.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/string.c b/lib/string.c index eb4486ed40d25..b632c71df1a50 100644 --- a/lib/string.c +++ b/lib/string.c @@ -119,6 +119,7 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) return -E2BIG; +#ifndef CONFIG_DCACHE_WORD_ACCESS #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS /* * If src is unaligned, don't cross a page boundary, @@ -133,12 +134,14 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) /* If src or dest is unaligned, don't do word-at-a-time. */ if (((long) dest | (long) src) & (sizeof(long) - 1)) max = 0; +#endif #endif /* - * read_word_at_a_time() below may read uninitialized bytes after the - * trailing zero and use them in comparisons. Disable this optimization - * under KMSAN to prevent false positive reports. + * load_unaligned_zeropad() or read_word_at_a_time() below may read + * uninitialized bytes after the trailing zero and use them in + * comparisons. Disable this optimization under KMSAN to prevent + * false positive reports. */ if (IS_ENABLED(CONFIG_KMSAN)) max = 0; @@ -146,7 +149,11 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) while (max >= sizeof(unsigned long)) { unsigned long c, data; +#ifdef CONFIG_DCACHE_WORD_ACCESS + c = load_unaligned_zeropad(src+res); +#else c = read_word_at_a_time(src+res); +#endif if (has_zero(c, &data, &constants)) { data = prep_zero_mask(c, data, &constants); data = create_zero_mask(data); -- 2.49.0.395.g12beb8f557-goog

1 month

1
0
0 0

[for-next][PATCH 2/3] tracing: Fix use-after-free in print_graph_function_flags during tracer switching

by Steven Rostedt

From: Tengda Wu <wutengda(a)huaweicloud.com> Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/ Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Zheng Yejian <zhengyejian1(a)huawei.com> Link: https://lore.kernel.org/20250320122137.23635-1-wutengda@huaweicloud.com Fixes: eecb91b9f98d ("tracing: Fix memleak due to race between current_tracer and trace") Closes: https://lore.kernel.org/all/CAMgjq7BW79KDSCyp+tZHjShSzHsScSiJxn5ffskp-QzVM0… Reported-by: Kairui Song <kasong(a)tencent.com> Signed-off-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_functions_graph.c | 1 + kernel/trace/trace_irqsoff.c | 2 -- kernel/trace/trace_sched_wakeup.c | 2 -- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c index ed61ff719aa4..2f077d4158e5 100644 --- a/kernel/trace/trace_functions_graph.c +++ b/kernel/trace/trace_functions_graph.c @@ -1611,6 +1611,7 @@ void graph_trace_close(struct trace_iterator *iter) if (data) { free_percpu(data->cpu_data); kfree(data); + iter->private = NULL; } } diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c index c8bfa7310a91..40c39e946940 100644 --- a/kernel/trace/trace_irqsoff.c +++ b/kernel/trace/trace_irqsoff.c @@ -250,8 +250,6 @@ static void irqsoff_trace_open(struct trace_iterator *iter) { if (is_graph(iter->tr)) graph_trace_open(iter); - else - iter->private = NULL; } static void irqsoff_trace_close(struct trace_iterator *iter) diff --git a/kernel/trace/trace_sched_wakeup.c b/kernel/trace/trace_sched_wakeup.c index c9ba4259e03e..a0db3404f7f7 100644 --- a/kernel/trace/trace_sched_wakeup.c +++ b/kernel/trace/trace_sched_wakeup.c @@ -188,8 +188,6 @@ static void wakeup_trace_open(struct trace_iterator *iter) { if (is_graph(iter->tr)) graph_trace_open(iter); - else - iter->private = NULL; } static void wakeup_trace_close(struct trace_iterator *iter) -- 2.47.2

1 month

1
0
0 0

[PATCH v2] mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

by Yosry Ahmed

Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock (through crypto_exit_scomp_ops_async()). On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through crypto_scomp_init_tfm()), and then allocates memory. If the allocation results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex. The above dependencies can cause an ABBA deadlock. For example in the following scenario: (1) Task A running on CPU #1: crypto_alloc_acomp_node() Holds scomp_lock Enters reclaim Reads per_cpu_ptr(pool->acomp_ctx, 1) (2) Task A is descheduled (3) CPU #1 goes offline zswap_cpu_comp_dead(CPU #1) Holds per_cpu_ptr(pool->acomp_ctx, 1)) Calls crypto_free_acomp() Waits for scomp_lock (4) Task A running on CPU #2: Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1 DEADLOCK Since there is no requirement to call crypto_free_acomp() with the per-CPU acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is unlocked. Also move the acomp_request_free() and kfree() calls for consistency and to avoid any potential sublte locking dependencies in the future. With this, only setting acomp_ctx fields to NULL occurs with the mutex held. This is similar to how zswap_cpu_comp_prepare() only initializes acomp_ctx fields with the mutex held, after performing all allocations before holding the mutex. Opportunistically, move the NULL check on acomp_ctx so that it takes place before the mutex dereference. Fixes: 12dcb0ef5406 ("mm: zswap: properly synchronize freeing resources during CPU hotunplug") Reported-by: syzbot+1a517ccfcbc6a7ab0f82(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67bcea51.050a0220.bbfd1.0096.GAE@google.com/ Cc: <stable(a)vger.kernel.org> Co-developed-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> Acked-by: Herbert Xu <herbert(a)gondor.apana.org.au> --- v1 -> v2: - Explained the problem more clearly in the commit message. - Moved all freeing calls outside the lock critical section. v1: https://lore.kernel.org/all/Z72FJnbA39zWh4zS@gondor.apana.org.au/ --- mm/zswap.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index ac9d299e7d0c1..adf745c66aa1d 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -881,18 +881,32 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) { struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node); struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu); + struct acomp_req *req; + struct crypto_acomp *acomp; + u8 *buffer; + + if (IS_ERR_OR_NULL(acomp_ctx)) + return 0; mutex_lock(&acomp_ctx->mutex); - if (!IS_ERR_OR_NULL(acomp_ctx)) { - if (!IS_ERR_OR_NULL(acomp_ctx->req)) - acomp_request_free(acomp_ctx->req); - acomp_ctx->req = NULL; - if (!IS_ERR_OR_NULL(acomp_ctx->acomp)) - crypto_free_acomp(acomp_ctx->acomp); - kfree(acomp_ctx->buffer); - } + req = acomp_ctx->req; + acomp = acomp_ctx->acomp; + buffer = acomp_ctx->buffer; + acomp_ctx->req = NULL; + acomp_ctx->acomp = NULL; + acomp_ctx->buffer = NULL; mutex_unlock(&acomp_ctx->mutex); + /* + * Do the actual freeing after releasing the mutex to avoid subtle + * locking dependencies causing deadlocks. + */ + if (!IS_ERR_OR_NULL(req)) + acomp_request_free(req); + if (!IS_ERR_OR_NULL(acomp)) + crypto_free_acomp(acomp); + kfree(buffer); + return 0; } -- 2.48.1.658.g4767266eb4-goog

1 month

4
10
0 0

FAILED: patch "[PATCH] Revert "sched/core: Reduce cost of sched_move_task when" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 76f970ce51c80f625eb6ddbb24e9cb51b977b598 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032422-giblet-smelting-2a62@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76f970ce51c80f625eb6ddbb24e9cb51b977b598 Mon Sep 17 00:00:00 2001 From: Dietmar Eggemann <dietmar.eggemann(a)arm.com> Date: Fri, 14 Mar 2025 16:13:45 +0100 Subject: [PATCH] Revert "sched/core: Reduce cost of sched_move_task when config autogroup" This reverts commit eff6c8ce8d4d7faef75f66614dd20bb50595d261. Hazem reported a 30% drop in UnixBench spawn test with commit eff6c8ce8d4d ("sched/core: Reduce cost of sched_move_task when config autogroup") on a m6g.xlarge AWS EC2 instance with 4 vCPUs and 16 GiB RAM (aarch64) (single level MC sched domain): https://lkml.kernel.org/r/20250205151026.13061-1-hagarhem@amazon.com There is an early bail from sched_move_task() if p->sched_task_group is equal to p's 'cpu cgroup' (sched_get_task_group()). E.g. both are pointing to taskgroup '/user.slice/user-1000.slice/session-1.scope' (Ubuntu '22.04.5 LTS'). So in: do_exit() sched_autogroup_exit_task() sched_move_task() if sched_get_task_group(p) == p->sched_task_group return /* p is enqueued */ dequeue_task() \ sched_change_group() | task_change_group_fair() | detach_task_cfs_rq() | (1) set_task_rq() | attach_task_cfs_rq() | enqueue_task() / (1) isn't called for p anymore. Turns out that the regression is related to sgs->group_util in group_is_overloaded() and group_has_capacity(). If (1) isn't called for all the 'spawn' tasks then sgs->group_util is ~900 and sgs->group_capacity = 1024 (single CPU sched domain) and this leads to group_is_overloaded() returning true (2) and group_has_capacity() false (3) much more often compared to the case when (1) is called. I.e. there are much more cases of 'group_is_overloaded' and 'group_fully_busy' in WF_FORK wakeup sched_balance_find_dst_cpu() which then returns much more often a CPU != smp_processor_id() (5). This isn't good for these extremely short running tasks (FORK + EXIT) and also involves calling sched_balance_find_dst_group_cpu() unnecessary (single CPU sched domain). Instead if (1) is called for 'p->flags & PF_EXITING' then the path (4),(6) is taken much more often. select_task_rq_fair(..., wake_flags = WF_FORK) cpu = smp_processor_id() new_cpu = sched_balance_find_dst_cpu(..., cpu, ...) group = sched_balance_find_dst_group(..., cpu) do { update_sg_wakeup_stats() sgs->group_type = group_classify() if group_is_overloaded() (2) return group_overloaded if !group_has_capacity() (3) return group_fully_busy return group_has_spare (4) } while group if local_sgs.group_type > idlest_sgs.group_type return idlest (5) case group_has_spare: if local_sgs.idle_cpus >= idlest_sgs.idle_cpus return NULL (6) Unixbench Tests './Run -c 4 spawn' on: (a) VM AWS instance (m7gd.16xlarge) with v6.13 ('maxcpus=4 nr_cpus=4') and Ubuntu 22.04.5 LTS (aarch64). Shell & test run in '/user.slice/user-1000.slice/session-1.scope'. w/o patch w/ patch 21005 27120 (b) i7-13700K with tip/sched/core ('nosmt maxcpus=8 nr_cpus=8') and Ubuntu 22.04.5 LTS (x86_64). Shell & test run in '/A'. w/o patch w/ patch 67675 88806 CONFIG_SCHED_AUTOGROUP=y & /sys/proc/kernel/sched_autogroup_enabled equal 0 or 1. Reported-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com> Signed-off-by: Dietmar Eggemann <dietmar.eggemann(a)arm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Vincent Guittot <vincent.guittot(a)linaro.org> Tested-by: Hagar Hemdan <hagarhem(a)amazon.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/r/20250314151345.275739-1-dietmar.eggemann@arm.com diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 67189907214d..042351c7afce 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -9016,7 +9016,7 @@ void sched_release_group(struct task_group *tg) spin_unlock_irqrestore(&task_group_lock, flags); } -static struct task_group *sched_get_task_group(struct task_struct *tsk) +static void sched_change_group(struct task_struct *tsk) { struct task_group *tg; @@ -9028,13 +9028,7 @@ static struct task_group *sched_get_task_group(struct task_struct *tsk) tg = container_of(task_css_check(tsk, cpu_cgrp_id, true), struct task_group, css); tg = autogroup_task_group(tsk, tg); - - return tg; -} - -static void sched_change_group(struct task_struct *tsk, struct task_group *group) -{ - tsk->sched_task_group = group; + tsk->sched_task_group = tg; #ifdef CONFIG_FAIR_GROUP_SCHED if (tsk->sched_class->task_change_group) @@ -9055,20 +9049,11 @@ void sched_move_task(struct task_struct *tsk, bool for_autogroup) { int queued, running, queue_flags = DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK; - struct task_group *group; struct rq *rq; CLASS(task_rq_lock, rq_guard)(tsk); rq = rq_guard.rq; - /* - * Esp. with SCHED_AUTOGROUP enabled it is possible to get superfluous - * group changes. - */ - group = sched_get_task_group(tsk); - if (group == tsk->sched_task_group) - return; - update_rq_clock(rq); running = task_current_donor(rq, tsk); @@ -9079,7 +9064,7 @@ void sched_move_task(struct task_struct *tsk, bool for_autogroup) if (running) put_prev_task(rq, tsk); - sched_change_group(tsk, group); + sched_change_group(tsk); if (!for_autogroup) scx_cgroup_move_task(tsk);

1 month

1
0
0 0

[PATCH net] gve: unlink old napi only if page pool exists

by Harshitha Ramamurthy

Commit de70981f295e ("gve: unlink old napi when stopping a queue using queue API") unlinks the old napi when stopping a queue. But this breaks QPL mode of the driver which does not use page pool. Fix this by checking that there's a page pool associated with the ring. Cc: stable(a)vger.kernel.org Fixes: de70981f295e ("gve: unlink old napi when stopping a queue using queue API") Reviewed-by: Joshua Washington <joshwash(a)google.com> Signed-off-by: Harshitha Ramamurthy <hramamurthy(a)google.com> --- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c index 2c03c39..0fcf4c9 100644 --- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c +++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c @@ -114,7 +114,8 @@ void gve_rx_stop_ring_dqo(struct gve_priv *priv, int idx) if (!gve_rx_was_added_to_block(priv, idx)) return; - page_pool_disable_direct_recycling(rx->dqo.page_pool); + if (rx->dqo.page_pool) + page_pool_disable_direct_recycling(rx->dqo.page_pool); gve_remove_napi(priv, ntfy_idx); gve_rx_remove_from_block(priv, idx); gve_rx_reset_ring_dqo(priv, idx); -- 2.49.0.rc1.451.g8f38331e32-goog

1 month

3
2
0 0

FAILED: patch "[PATCH] proc: fix UAF in proc_get_inode()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 654b33ada4ab5e926cd9c570196fefa7bec7c1df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032409-unnamable-entertain-9026@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 654b33ada4ab5e926cd9c570196fefa7bec7c1df Mon Sep 17 00:00:00 2001 From: Ye Bin <yebin10(a)huawei.com> Date: Sat, 1 Mar 2025 15:06:24 +0300 Subject: [PATCH] proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan(a)gmail.com: don't do 2 atomic ops on the common path] Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183 Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression") Signed-off-by: Ye Bin <yebin10(a)huawei.com> Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: David S. Miller <davem(a)davemloft.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 8ec90826a49e..a3e22803cddf 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -559,10 +559,16 @@ struct proc_dir_entry *proc_create_reg(const char *name, umode_t mode, return p; } -static inline void pde_set_flags(struct proc_dir_entry *pde) +static void pde_set_flags(struct proc_dir_entry *pde) { if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) pde->flags |= PROC_ENTRY_PERMANENT; + if (pde->proc_ops->proc_read_iter) + pde->flags |= PROC_ENTRY_proc_read_iter; +#ifdef CONFIG_COMPAT + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; +#endif } struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, @@ -626,6 +632,7 @@ struct proc_dir_entry *proc_create_seq_private(const char *name, umode_t mode, p->proc_ops = &proc_seq_ops; p->seq_ops = ops; p->state_size = state_size; + pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_seq_private); @@ -656,6 +663,7 @@ struct proc_dir_entry *proc_create_single_data(const char *name, umode_t mode, return NULL; p->proc_ops = &proc_single_ops; p->single_show = show; + pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_single_data); diff --git a/fs/proc/inode.c b/fs/proc/inode.c index 626ad7bd94f2..a3eb3b740f76 100644 --- a/fs/proc/inode.c +++ b/fs/proc/inode.c @@ -656,13 +656,13 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) if (S_ISREG(inode->i_mode)) { inode->i_op = de->proc_iops; - if (de->proc_ops->proc_read_iter) + if (pde_has_proc_read_iter(de)) inode->i_fop = &proc_iter_file_ops; else inode->i_fop = &proc_reg_file_ops; #ifdef CONFIG_COMPAT - if (de->proc_ops->proc_compat_ioctl) { - if (de->proc_ops->proc_read_iter) + if (pde_has_proc_compat_ioctl(de)) { + if (pde_has_proc_read_iter(de)) inode->i_fop = &proc_iter_file_ops_compat; else inode->i_fop = &proc_reg_file_ops_compat; diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 1695509370b8..77a517f91821 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -85,6 +85,20 @@ static inline void pde_make_permanent(struct proc_dir_entry *pde) pde->flags |= PROC_ENTRY_PERMANENT; } +static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde) +{ + return pde->flags & PROC_ENTRY_proc_read_iter; +} + +static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde) +{ +#ifdef CONFIG_COMPAT + return pde->flags & PROC_ENTRY_proc_compat_ioctl; +#else + return false; +#endif +} + extern struct kmem_cache *proc_dir_entry_cache; void pde_free(struct proc_dir_entry *pde); diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 0b2a89854440..ea62201c74c4 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h @@ -20,10 +20,13 @@ enum { * If in doubt, ignore this flag. */ #ifdef MODULE - PROC_ENTRY_PERMANENT = 0U, + PROC_ENTRY_PERMANENT = 0U, #else - PROC_ENTRY_PERMANENT = 1U << 0, + PROC_ENTRY_PERMANENT = 1U << 0, #endif + + PROC_ENTRY_proc_read_iter = 1U << 1, + PROC_ENTRY_proc_compat_ioctl = 1U << 2, }; struct proc_ops {

1 month

2
1
0 0

[PATCH net v2] net: stmmac: Fix accessing freed irq affinity_hint

by Qingfang Deng

The cpumask should not be a local variable, since its pointer is saved to irq_desc and may be accessed from procfs. To fix it, use the persistent mask cpumask_of(cpu#). Cc: stable(a)vger.kernel.org Fixes: 8deec94c6040 ("net: stmmac: set IRQ affinity hint for multi MSI vectors") Signed-off-by: Qingfang Deng <dqfext(a)gmail.com> --- v2: use cpumask_of() drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index b22417167cac..ec63452187d0 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -3667,7 +3667,6 @@ static int stmmac_request_irq_multi_msi(struct net_device *dev) { struct stmmac_priv *priv = netdev_priv(dev); enum request_irq_err irq_err; - cpumask_t cpu_mask; int irq_idx = 0; char *int_name; int ret; @@ -3796,9 +3795,8 @@ static int stmmac_request_irq_multi_msi(struct net_device *dev) irq_idx = i; goto irq_error; } - cpumask_clear(&cpu_mask); - cpumask_set_cpu(i % num_online_cpus(), &cpu_mask); - irq_set_affinity_hint(priv->rx_irq[i], &cpu_mask); + irq_set_affinity_hint(priv->rx_irq[i], + cpumask_of(i % num_online_cpus())); } /* Request Tx MSI irq */ @@ -3821,9 +3819,8 @@ static int stmmac_request_irq_multi_msi(struct net_device *dev) irq_idx = i; goto irq_error; } - cpumask_clear(&cpu_mask); - cpumask_set_cpu(i % num_online_cpus(), &cpu_mask); - irq_set_affinity_hint(priv->tx_irq[i], &cpu_mask); + irq_set_affinity_hint(priv->tx_irq[i], + cpumask_of(i % num_online_cpus())); } return 0; -- 2.43.0

1 month

4
3
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x bd1c959f37f384b477f51572331b0dc828bd009a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032432-catsup-glory-c916@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd1c959f37f384b477f51572331b0dc828bd009a Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:03 +0100 Subject: [PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Add missing "avdd-0v9-supply" and "avdd-1v8-supply" properties to the "hdmi" node in the Pine64 RockPro64 board dtsi file. To achieve this, also add the associated "vcca_0v9" regulator that produces the 0.9 V supply, [1][2] which hasn't been defined previously in the board dtsi file. This also eliminates the following warnings from the kernel log: dwhdmi-rockchip ff940000.hdmi: supply avdd-0v9 not found, using dummy regulator dwhdmi-rockchip ff940000.hdmi: supply avdd-1v8 not found, using dummy regulator There are no functional changes to the way board works with these additions, because the "vcc1v8_dvp" and "vcca_0v9" regulators are always enabled, [1][2] but these additions improve the accuracy of hardware description. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf Fixes: e4f3fb490967 ("arm64: dts: rockchip: add initial dts support for Rockpro64") Cc: stable(a)vger.kernel.org Suggested-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/df3d7e8fe74ed5e727e085b18c395260537bb5ac.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 69a9d6170649..47dc198706c8 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -227,6 +227,16 @@ vcc5v0_usb: regulator-vcc5v0-usb { vin-supply = <&vcc12v_dcin>; }; + vcca_0v9: regulator-vcca-0v9 { + compatible = "regulator-fixed"; + regulator-name = "vcca_0v9"; + regulator-always-on; + regulator-boot-on; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; + vin-supply = <&vcc3v3_sys>; + }; + vdd_log: regulator-vdd-log { compatible = "pwm-regulator"; pwms = <&pwm2 0 25000 1>; @@ -312,6 +322,8 @@ &gmac { }; &hdmi { + avdd-0v9-supply = <&vcca_0v9>; + avdd-1v8-supply = <&vcc1v8_dvp>; ddc-i2c-bus = <&i2c3>; pinctrl-names = "default"; pinctrl-0 = <&hdmi_cec>;

1 month

2
1
0 0

FAILED: patch "[PATCH] can: rcar_canfd: Fix page entries in the AFL list" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1dba0a37644ed3022558165bbb5cb9bda540eaf7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032438-fanatic-tubular-1dae@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1dba0a37644ed3022558165bbb5cb9bda540eaf7 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Fri, 7 Mar 2025 17:03:27 +0000 Subject: [PATCH] can: rcar_canfd: Fix page entries in the AFL list There are a total of 96 AFL pages and each page has 16 entries with registers CFDGAFLIDr, CFDGAFLMr, CFDGAFLP0r, CFDGAFLP1r holding the rule entries (r = 0..15). Currently, RCANFD_GAFL* macros use a start variable to find AFL entries, which is incorrect as the testing on RZ/G3E shows ch1 and ch4 gets a start value of 0 and the register contents are overwritten. Fix this issue by using rule_entry corresponding to the channel to find the page entries in the AFL list. Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Tested-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Link: https://patch.msgid.link/20250307170330.173425-3-biju.das.jz@bp.renesas.com Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c index df1a5d0b37b2..aa3df0d05b85 100644 --- a/drivers/net/can/rcar/rcar_canfd.c +++ b/drivers/net/can/rcar/rcar_canfd.c @@ -787,22 +787,14 @@ static void rcar_canfd_configure_controller(struct rcar_canfd_global *gpriv) } static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, - u32 ch) + u32 ch, u32 rule_entry) { - u32 cfg; - int offset, start, page, num_rules = RCANFD_CHANNEL_NUMRULES; + int offset, page, num_rules = RCANFD_CHANNEL_NUMRULES; + u32 rule_entry_index = rule_entry % 16; u32 ridx = ch + RCANFD_RFFIFO_IDX; - if (ch == 0) { - start = 0; /* Channel 0 always starts from 0th rule */ - } else { - /* Get number of Channel 0 rules and adjust */ - cfg = rcar_canfd_read(gpriv->base, RCANFD_GAFLCFG(ch)); - start = RCANFD_GAFLCFG_GETRNC(gpriv, 0, cfg); - } - /* Enable write access to entry */ - page = RCANFD_GAFL_PAGENUM(start); + page = RCANFD_GAFL_PAGENUM(rule_entry); rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLECTR, (RCANFD_GAFLECTR_AFLPN(gpriv, page) | RCANFD_GAFLECTR_AFLDAE)); @@ -818,13 +810,13 @@ static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, offset = RCANFD_C_GAFL_OFFSET; /* Accept all IDs */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, rule_entry_index), 0); /* IDE or RTR is not considered for matching */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, rule_entry_index), 0); /* Any data length accepted */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, rule_entry_index), 0); /* Place the msg in corresponding Rx FIFO entry */ - rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, start), + rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, rule_entry_index), RCANFD_GAFLP1_GAFLFDP(ridx)); /* Disable write access to page */ @@ -1851,6 +1843,7 @@ static int rcar_canfd_probe(struct platform_device *pdev) unsigned long channels_mask = 0; int err, ch_irq, g_irq; int g_err_irq, g_recc_irq; + u32 rule_entry = 0; bool fdmode = true; /* CAN FD only mode - default */ char name[9] = "channelX"; int i; @@ -2023,7 +2016,8 @@ static int rcar_canfd_probe(struct platform_device *pdev) rcar_canfd_configure_tx(gpriv, ch); /* Configure receive rules */ - rcar_canfd_configure_afl_rules(gpriv, ch); + rcar_canfd_configure_afl_rules(gpriv, ch, rule_entry); + rule_entry += RCANFD_CHANNEL_NUMRULES; } /* Configure common interrupts */

1 month

2
1
0 0

FAILED: patch "[PATCH] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x acbf16a6ae775b4db86f537448cc466288aa307e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032441-constrain-eastbound-09d8@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acbf16a6ae775b4db86f537448cc466288aa307e Mon Sep 17 00:00:00 2001 From: Mario Limonciello <mario.limonciello(a)amd.com> Date: Fri, 7 Mar 2025 15:55:20 -0600 Subject: [PATCH] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP [WHY] DMUB locking is important to make sure that registers aren't accessed while in PSR. Previously it was enabled but caused a deadlock in situations with multiple eDP panels. [HOW] Detect if multiple eDP panels are in use to decide whether to use lock. Refactor the function so that the first check is for PSR-SU and then replay is in use to prevent having to look up number of eDP panels for those configurations. Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965 Reviewed-by: ChiaHsuan Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ed569e1279a3045d6b974226c814e071fa0193a6) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c index bf636b28e3e1..6e2fce329d73 100644 --- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c @@ -69,5 +69,16 @@ bool should_use_dmub_lock(struct dc_link *link) if (link->replay_settings.replay_feature_enabled) return true; + /* only use HW lock for PSR1 on single eDP */ + if (link->psr_settings.psr_version == DC_PSR_VERSION_1) { + struct dc_link *edp_links[MAX_NUM_EDP]; + int edp_num; + + dc_get_edp_links(link->dc, edp_links, &edp_num); + + if (edp_num == 1) + return true; + } + return false; }

1 month

3
4
0 0

FAILED: patch "[PATCH] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x acbf16a6ae775b4db86f537448cc466288aa307e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032429-chirpy-penholder-af16@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acbf16a6ae775b4db86f537448cc466288aa307e Mon Sep 17 00:00:00 2001 From: Mario Limonciello <mario.limonciello(a)amd.com> Date: Fri, 7 Mar 2025 15:55:20 -0600 Subject: [PATCH] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP [WHY] DMUB locking is important to make sure that registers aren't accessed while in PSR. Previously it was enabled but caused a deadlock in situations with multiple eDP panels. [HOW] Detect if multiple eDP panels are in use to decide whether to use lock. Refactor the function so that the first check is for PSR-SU and then replay is in use to prevent having to look up number of eDP panels for those configurations. Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965 Reviewed-by: ChiaHsuan Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ed569e1279a3045d6b974226c814e071fa0193a6) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c index bf636b28e3e1..6e2fce329d73 100644 --- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c @@ -69,5 +69,16 @@ bool should_use_dmub_lock(struct dc_link *link) if (link->replay_settings.replay_feature_enabled) return true; + /* only use HW lock for PSR1 on single eDP */ + if (link->psr_settings.psr_version == DC_PSR_VERSION_1) { + struct dc_link *edp_links[MAX_NUM_EDP]; + int edp_num; + + dc_get_edp_links(link->dc, edp_links, &edp_num); + + if (edp_num == 1) + return true; + } + return false; }

1 month

1
0
0 0

FAILED: patch "[PATCH] drm/amdkfd: Fix instruction hazard in gfx12 trap handler" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 424648c3838133f93a34fdfe4f9d5597551e7b3b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032442-serpent-preoccupy-3a2f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 424648c3838133f93a34fdfe4f9d5597551e7b3b Mon Sep 17 00:00:00 2001 From: Jay Cornwall <jay.cornwall(a)amd.com> Date: Fri, 7 Feb 2025 16:40:34 -0500 Subject: [PATCH] drm/amdkfd: Fix instruction hazard in gfx12 trap handler VALU instructions with SGPR source need wait states to avoid hazard with SALU using different SGPR. v2: Eliminate some hazards to reduce code explosion Signed-off-by: Jay Cornwall <jay.cornwall(a)amd.com> Reviewed-by: Lancelot Six <lancelot.six(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 7e0459d453b911435673edd7a86eadc600c63238) Cc: stable(a)vger.kernel.org # 6.12.x diff --git a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h index 651660958e5b..0320163b6e74 100644 --- a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h +++ b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h @@ -3644,7 +3644,7 @@ static const uint32_t cwsr_trap_gfx9_4_3_hex[] = { }; static const uint32_t cwsr_trap_gfx12_hex[] = { - 0xbfa00001, 0xbfa0024b, + 0xbfa00001, 0xbfa002a2, 0xb0804009, 0xb8f8f804, 0x9178ff78, 0x00008c00, 0xb8fbf811, 0x8b6eff78, @@ -3718,7 +3718,15 @@ static const uint32_t cwsr_trap_gfx12_hex[] = { 0x00011677, 0xd7610000, 0x00011a79, 0xd7610000, 0x00011c7e, 0xd7610000, - 0x00011e7f, 0xbefe00ff, + 0x00011e7f, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xbefe00ff, 0x00003fff, 0xbeff0080, 0xee0a407a, 0x000c0000, 0x00004000, 0xd760007a, @@ -3755,38 +3763,46 @@ static const uint32_t cwsr_trap_gfx12_hex[] = { 0x00000200, 0xbef600ff, 0x01000000, 0x7e000280, 0x7e020280, 0x7e040280, - 0xbefd0080, 0xbe804ec2, - 0xbf94fffe, 0xb8faf804, - 0x8b7a847a, 0x91788478, - 0x8c787a78, 0xd7610002, - 0x0000fa71, 0x807d817d, - 0xd7610002, 0x0000fa6c, - 0x807d817d, 0x917aff6d, - 0x80000000, 0xd7610002, - 0x0000fa7a, 0x807d817d, - 0xd7610002, 0x0000fa6e, - 0x807d817d, 0xd7610002, - 0x0000fa6f, 0x807d817d, - 0xd7610002, 0x0000fa78, - 0x807d817d, 0xb8faf811, - 0xd7610002, 0x0000fa7a, - 0x807d817d, 0xd7610002, - 0x0000fa7b, 0x807d817d, - 0xb8f1f801, 0xd7610002, - 0x0000fa71, 0x807d817d, - 0xb8f1f814, 0xd7610002, - 0x0000fa71, 0x807d817d, - 0xb8f1f815, 0xd7610002, - 0x0000fa71, 0x807d817d, - 0xb8f1f812, 0xd7610002, - 0x0000fa71, 0x807d817d, - 0xb8f1f813, 0xd7610002, - 0x0000fa71, 0x807d817d, + 0xbe804ec2, 0xbf94fffe, + 0xb8faf804, 0x8b7a847a, + 0x91788478, 0x8c787a78, + 0x917aff6d, 0x80000000, + 0xd7610002, 0x00010071, + 0xd7610002, 0x0001026c, + 0xd7610002, 0x0001047a, + 0xd7610002, 0x0001066e, + 0xd7610002, 0x0001086f, + 0xd7610002, 0x00010a78, + 0xd7610002, 0x00010e7b, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xd8500000, 0x00000000, + 0xb8faf811, 0xd7610002, + 0x00010c7a, 0xb8faf801, + 0xd7610002, 0x0001107a, + 0xb8faf814, 0xd7610002, + 0x0001127a, 0xb8faf815, + 0xd7610002, 0x0001147a, + 0xb8faf812, 0xd7610002, + 0x0001167a, 0xb8faf813, + 0xd7610002, 0x0001187a, 0xb8faf802, 0xd7610002, - 0x0000fa7a, 0x807d817d, - 0xbefa50c1, 0xbfc70000, - 0xd7610002, 0x0000fa7a, - 0x807d817d, 0xbefe00ff, + 0x00011a7a, 0xbefa50c1, + 0xbfc70000, 0xd7610002, + 0x00011c7a, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xbefe00ff, 0x0000ffff, 0xbeff0080, 0xc4068070, 0x008ce802, 0x00000000, 0xbefe00c1, @@ -3801,331 +3817,358 @@ static const uint32_t cwsr_trap_gfx12_hex[] = { 0xbe824102, 0xbe844104, 0xbe864106, 0xbe884108, 0xbe8a410a, 0xbe8c410c, - 0xbe8e410e, 0xd7610002, - 0x0000f200, 0x80798179, - 0xd7610002, 0x0000f201, - 0x80798179, 0xd7610002, - 0x0000f202, 0x80798179, - 0xd7610002, 0x0000f203, - 0x80798179, 0xd7610002, - 0x0000f204, 0x80798179, - 0xd7610002, 0x0000f205, - 0x80798179, 0xd7610002, - 0x0000f206, 0x80798179, - 0xd7610002, 0x0000f207, - 0x80798179, 0xd7610002, - 0x0000f208, 0x80798179, - 0xd7610002, 0x0000f209, - 0x80798179, 0xd7610002, - 0x0000f20a, 0x80798179, - 0xd7610002, 0x0000f20b, - 0x80798179, 0xd7610002, - 0x0000f20c, 0x80798179, - 0xd7610002, 0x0000f20d, - 0x80798179, 0xd7610002, - 0x0000f20e, 0x80798179, - 0xd7610002, 0x0000f20f, - 0x80798179, 0xbf06a079, - 0xbfa10007, 0xc4068070, - 0x008ce802, 0x00000000, - 0x8070ff70, 0x00000080, - 0xbef90080, 0x7e040280, - 0x807d907d, 0xbf0aff7d, - 0x00000060, 0xbfa2ffbb, - 0xbe804100, 0xbe824102, - 0xbe844104, 0xbe864106, - 0xbe884108, 0xbe8a410a, - 0xd7610002, 0x0000f200, - 0x80798179, 0xd7610002, - 0x0000f201, 0x80798179, - 0xd7610002, 0x0000f202, - 0x80798179, 0xd7610002, - 0x0000f203, 0x80798179, - 0xd7610002, 0x0000f204, - 0x80798179, 0xd7610002, - 0x0000f205, 0x80798179, - 0xd7610002, 0x0000f206, - 0x80798179, 0xd7610002, - 0x0000f207, 0x80798179, - 0xd7610002, 0x0000f208, - 0x80798179, 0xd7610002, - 0x0000f209, 0x80798179, - 0xd7610002, 0x0000f20a, - 0x80798179, 0xd7610002, - 0x0000f20b, 0x80798179, + 0xbe8e410e, 0xbf068079, + 0xbfa10032, 0xd7610002, + 0x00010000, 0xd7610002, + 0x00010201, 0xd7610002, + 0x00010402, 0xd7610002, + 0x00010603, 0xd7610002, + 0x00010804, 0xd7610002, + 0x00010a05, 0xd7610002, + 0x00010c06, 0xd7610002, + 0x00010e07, 0xd7610002, + 0x00011008, 0xd7610002, + 0x00011209, 0xd7610002, + 0x0001140a, 0xd7610002, + 0x0001160b, 0xd7610002, + 0x0001180c, 0xd7610002, + 0x00011a0d, 0xd7610002, + 0x00011c0e, 0xd7610002, + 0x00011e0f, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0x80799079, + 0xbfa00038, 0xd7610002, + 0x00012000, 0xd7610002, + 0x00012201, 0xd7610002, + 0x00012402, 0xd7610002, + 0x00012603, 0xd7610002, + 0x00012804, 0xd7610002, + 0x00012a05, 0xd7610002, + 0x00012c06, 0xd7610002, + 0x00012e07, 0xd7610002, + 0x00013008, 0xd7610002, + 0x00013209, 0xd7610002, + 0x0001340a, 0xd7610002, + 0x0001360b, 0xd7610002, + 0x0001380c, 0xd7610002, + 0x00013a0d, 0xd7610002, + 0x00013c0e, 0xd7610002, + 0x00013e0f, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0x80799079, 0xc4068070, 0x008ce802, - 0x00000000, 0xbefe00c1, - 0x857d9973, 0x8b7d817d, - 0xbf06817d, 0xbfa20002, - 0xbeff0080, 0xbfa00001, - 0xbeff00c1, 0xb8fb4306, - 0x8b7bc17b, 0xbfa10044, - 0x8b7aff6d, 0x80000000, - 0xbfa10041, 0x847b897b, - 0xbef6007b, 0xb8f03b05, - 0x80708170, 0xbf0d9973, - 0xbfa20002, 0x84708970, - 0xbfa00001, 0x84708a70, - 0xb8fa1e06, 0x847a8a7a, - 0x80707a70, 0x8070ff70, - 0x00000200, 0x8070ff70, - 0x00000080, 0xbef600ff, - 0x01000000, 0xd71f0000, - 0x000100c1, 0xd7200000, - 0x000200c1, 0x16000084, - 0x857d9973, 0x8b7d817d, - 0xbf06817d, 0xbefd0080, - 0xbfa20013, 0xbe8300ff, - 0x00000080, 0xbf800000, - 0xbf800000, 0xbf800000, - 0xd8d80000, 0x01000000, - 0xbf8a0000, 0xc4068070, - 0x008ce801, 0x00000000, - 0x807d037d, 0x80700370, - 0xd5250000, 0x0001ff00, - 0x00000080, 0xbf0a7b7d, - 0xbfa2fff3, 0xbfa00012, - 0xbe8300ff, 0x00000100, + 0x00000000, 0x8070ff70, + 0x00000080, 0xbef90080, + 0x7e040280, 0x807d907d, + 0xbf0aff7d, 0x00000060, + 0xbfa2ff88, 0xbe804100, + 0xbe824102, 0xbe844104, + 0xbe864106, 0xbe884108, + 0xbe8a410a, 0xd7610002, + 0x00010000, 0xd7610002, + 0x00010201, 0xd7610002, + 0x00010402, 0xd7610002, + 0x00010603, 0xd7610002, + 0x00010804, 0xd7610002, + 0x00010a05, 0xd7610002, + 0x00010c06, 0xd7610002, + 0x00010e07, 0xd7610002, + 0x00011008, 0xd7610002, + 0x00011209, 0xd7610002, + 0x0001140a, 0xd7610002, + 0x0001160b, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xd8500000, + 0x00000000, 0xc4068070, + 0x008ce802, 0x00000000, + 0xbefe00c1, 0x857d9973, + 0x8b7d817d, 0xbf06817d, + 0xbfa20002, 0xbeff0080, + 0xbfa00001, 0xbeff00c1, + 0xb8fb4306, 0x8b7bc17b, + 0xbfa10044, 0x8b7aff6d, + 0x80000000, 0xbfa10041, + 0x847b897b, 0xbef6007b, + 0xb8f03b05, 0x80708170, + 0xbf0d9973, 0xbfa20002, + 0x84708970, 0xbfa00001, + 0x84708a70, 0xb8fa1e06, + 0x847a8a7a, 0x80707a70, + 0x8070ff70, 0x00000200, + 0x8070ff70, 0x00000080, + 0xbef600ff, 0x01000000, + 0xd71f0000, 0x000100c1, + 0xd7200000, 0x000200c1, + 0x16000084, 0x857d9973, + 0x8b7d817d, 0xbf06817d, + 0xbefd0080, 0xbfa20013, + 0xbe8300ff, 0x00000080, 0xbf800000, 0xbf800000, 0xbf800000, 0xd8d80000, 0x01000000, 0xbf8a0000, 0xc4068070, 0x008ce801, 0x00000000, 0x807d037d, 0x80700370, 0xd5250000, - 0x0001ff00, 0x00000100, + 0x0001ff00, 0x00000080, 0xbf0a7b7d, 0xbfa2fff3, - 0xbefe00c1, 0x857d9973, - 0x8b7d817d, 0xbf06817d, - 0xbfa20004, 0xbef000ff, - 0x00000200, 0xbeff0080, - 0xbfa00003, 0xbef000ff, - 0x00000400, 0xbeff00c1, - 0xb8fb3b05, 0x807b817b, - 0x847b827b, 0x857d9973, - 0x8b7d817d, 0xbf06817d, - 0xbfa2001b, 0xbef600ff, - 0x01000000, 0xbefd0084, - 0xbf0a7b7d, 0xbfa10040, - 0x7e008700, 0x7e028701, - 0x7e048702, 0x7e068703, - 0xc4068070, 0x008ce800, - 0x00000000, 0xc4068070, - 0x008ce801, 0x00008000, - 0xc4068070, 0x008ce802, - 0x00010000, 0xc4068070, - 0x008ce803, 0x00018000, - 0x807d847d, 0x8070ff70, - 0x00000200, 0xbf0a7b7d, - 0xbfa2ffeb, 0xbfa0002a, + 0xbfa00012, 0xbe8300ff, + 0x00000100, 0xbf800000, + 0xbf800000, 0xbf800000, + 0xd8d80000, 0x01000000, + 0xbf8a0000, 0xc4068070, + 0x008ce801, 0x00000000, + 0x807d037d, 0x80700370, + 0xd5250000, 0x0001ff00, + 0x00000100, 0xbf0a7b7d, + 0xbfa2fff3, 0xbefe00c1, + 0x857d9973, 0x8b7d817d, + 0xbf06817d, 0xbfa20004, + 0xbef000ff, 0x00000200, + 0xbeff0080, 0xbfa00003, + 0xbef000ff, 0x00000400, + 0xbeff00c1, 0xb8fb3b05, + 0x807b817b, 0x847b827b, + 0x857d9973, 0x8b7d817d, + 0xbf06817d, 0xbfa2001b, 0xbef600ff, 0x01000000, 0xbefd0084, 0xbf0a7b7d, - 0xbfa10015, 0x7e008700, + 0xbfa10040, 0x7e008700, 0x7e028701, 0x7e048702, 0x7e068703, 0xc4068070, 0x008ce800, 0x00000000, 0xc4068070, 0x008ce801, - 0x00010000, 0xc4068070, - 0x008ce802, 0x00020000, + 0x00008000, 0xc4068070, + 0x008ce802, 0x00010000, 0xc4068070, 0x008ce803, - 0x00030000, 0x807d847d, - 0x8070ff70, 0x00000400, + 0x00018000, 0x807d847d, + 0x8070ff70, 0x00000200, 0xbf0a7b7d, 0xbfa2ffeb, - 0xb8fb1e06, 0x8b7bc17b, - 0xbfa1000d, 0x847b837b, - 0x807b7d7b, 0xbefe00c1, - 0xbeff0080, 0x7e008700, + 0xbfa0002a, 0xbef600ff, + 0x01000000, 0xbefd0084, + 0xbf0a7b7d, 0xbfa10015, + 0x7e008700, 0x7e028701, + 0x7e048702, 0x7e068703, 0xc4068070, 0x008ce800, - 0x00000000, 0x807d817d, - 0x8070ff70, 0x00000080, - 0xbf0a7b7d, 0xbfa2fff7, - 0xbfa0016e, 0xbef4007e, - 0x8b75ff7f, 0x0000ffff, - 0x8c75ff75, 0x00040000, - 0xbef60080, 0xbef700ff, - 0x10807fac, 0xbef1007f, - 0xb8f20742, 0x84729972, - 0x8b6eff7f, 0x04000000, - 0xbfa1003b, 0xbefe00c1, - 0x857d9972, 0x8b7d817d, - 0xbf06817d, 0xbfa20002, - 0xbeff0080, 0xbfa00001, - 0xbeff00c1, 0xb8ef4306, - 0x8b6fc16f, 0xbfa10030, - 0x846f896f, 0xbef6006f, + 0x00000000, 0xc4068070, + 0x008ce801, 0x00010000, + 0xc4068070, 0x008ce802, + 0x00020000, 0xc4068070, + 0x008ce803, 0x00030000, + 0x807d847d, 0x8070ff70, + 0x00000400, 0xbf0a7b7d, + 0xbfa2ffeb, 0xb8fb1e06, + 0x8b7bc17b, 0xbfa1000d, + 0x847b837b, 0x807b7d7b, + 0xbefe00c1, 0xbeff0080, + 0x7e008700, 0xc4068070, + 0x008ce800, 0x00000000, + 0x807d817d, 0x8070ff70, + 0x00000080, 0xbf0a7b7d, + 0xbfa2fff7, 0xbfa0016e, + 0xbef4007e, 0x8b75ff7f, + 0x0000ffff, 0x8c75ff75, + 0x00040000, 0xbef60080, + 0xbef700ff, 0x10807fac, + 0xbef1007f, 0xb8f20742, + 0x84729972, 0x8b6eff7f, + 0x04000000, 0xbfa1003b, + 0xbefe00c1, 0x857d9972, + 0x8b7d817d, 0xbf06817d, + 0xbfa20002, 0xbeff0080, + 0xbfa00001, 0xbeff00c1, + 0xb8ef4306, 0x8b6fc16f, + 0xbfa10030, 0x846f896f, + 0xbef6006f, 0xb8f83b05, + 0x80788178, 0xbf0d9972, + 0xbfa20002, 0x84788978, + 0xbfa00001, 0x84788a78, + 0xb8ee1e06, 0x846e8a6e, + 0x80786e78, 0x8078ff78, + 0x00000200, 0x8078ff78, + 0x00000080, 0xbef600ff, + 0x01000000, 0x857d9972, + 0x8b7d817d, 0xbf06817d, + 0xbefd0080, 0xbfa2000d, + 0xc4050078, 0x0080e800, + 0x00000000, 0xbf8a0000, + 0xdac00000, 0x00000000, + 0x807dff7d, 0x00000080, + 0x8078ff78, 0x00000080, + 0xbf0a6f7d, 0xbfa2fff4, + 0xbfa0000c, 0xc4050078, + 0x0080e800, 0x00000000, + 0xbf8a0000, 0xdac00000, + 0x00000000, 0x807dff7d, + 0x00000100, 0x8078ff78, + 0x00000100, 0xbf0a6f7d, + 0xbfa2fff4, 0xbef80080, + 0xbefe00c1, 0x857d9972, + 0x8b7d817d, 0xbf06817d, + 0xbfa20002, 0xbeff0080, + 0xbfa00001, 0xbeff00c1, + 0xb8ef3b05, 0x806f816f, + 0x846f826f, 0x857d9972, + 0x8b7d817d, 0xbf06817d, + 0xbfa2002c, 0xbef600ff, + 0x01000000, 0xbeee0078, + 0x8078ff78, 0x00000200, + 0xbefd0084, 0xbf0a6f7d, + 0xbfa10061, 0xc4050078, + 0x008ce800, 0x00000000, + 0xc4050078, 0x008ce801, + 0x00008000, 0xc4050078, + 0x008ce802, 0x00010000, + 0xc4050078, 0x008ce803, + 0x00018000, 0xbf8a0000, + 0x7e008500, 0x7e028501, + 0x7e048502, 0x7e068503, + 0x807d847d, 0x8078ff78, + 0x00000200, 0xbf0a6f7d, + 0xbfa2ffea, 0xc405006e, + 0x008ce800, 0x00000000, + 0xc405006e, 0x008ce801, + 0x00008000, 0xc405006e, + 0x008ce802, 0x00010000, + 0xc405006e, 0x008ce803, + 0x00018000, 0xbf8a0000, + 0xbfa0003d, 0xbef600ff, + 0x01000000, 0xbeee0078, + 0x8078ff78, 0x00000400, + 0xbefd0084, 0xbf0a6f7d, + 0xbfa10016, 0xc4050078, + 0x008ce800, 0x00000000, + 0xc4050078, 0x008ce801, + 0x00010000, 0xc4050078, + 0x008ce802, 0x00020000, + 0xc4050078, 0x008ce803, + 0x00030000, 0xbf8a0000, + 0x7e008500, 0x7e028501, + 0x7e048502, 0x7e068503, + 0x807d847d, 0x8078ff78, + 0x00000400, 0xbf0a6f7d, + 0xbfa2ffea, 0xb8ef1e06, + 0x8b6fc16f, 0xbfa1000f, + 0x846f836f, 0x806f7d6f, + 0xbefe00c1, 0xbeff0080, + 0xc4050078, 0x008ce800, + 0x00000000, 0xbf8a0000, + 0x7e008500, 0x807d817d, + 0x8078ff78, 0x00000080, + 0xbf0a6f7d, 0xbfa2fff6, + 0xbeff00c1, 0xc405006e, + 0x008ce800, 0x00000000, + 0xc405006e, 0x008ce801, + 0x00010000, 0xc405006e, + 0x008ce802, 0x00020000, + 0xc405006e, 0x008ce803, + 0x00030000, 0xbf8a0000, 0xb8f83b05, 0x80788178, 0xbf0d9972, 0xbfa20002, 0x84788978, 0xbfa00001, 0x84788a78, 0xb8ee1e06, 0x846e8a6e, 0x80786e78, 0x8078ff78, 0x00000200, - 0x8078ff78, 0x00000080, + 0x80f8ff78, 0x00000050, 0xbef600ff, 0x01000000, - 0x857d9972, 0x8b7d817d, - 0xbf06817d, 0xbefd0080, - 0xbfa2000d, 0xc4050078, - 0x0080e800, 0x00000000, - 0xbf8a0000, 0xdac00000, - 0x00000000, 0x807dff7d, - 0x00000080, 0x8078ff78, - 0x00000080, 0xbf0a6f7d, - 0xbfa2fff4, 0xbfa0000c, - 0xc4050078, 0x0080e800, - 0x00000000, 0xbf8a0000, - 0xdac00000, 0x00000000, - 0x807dff7d, 0x00000100, - 0x8078ff78, 0x00000100, - 0xbf0a6f7d, 0xbfa2fff4, - 0xbef80080, 0xbefe00c1, - 0x857d9972, 0x8b7d817d, - 0xbf06817d, 0xbfa20002, - 0xbeff0080, 0xbfa00001, - 0xbeff00c1, 0xb8ef3b05, - 0x806f816f, 0x846f826f, - 0x857d9972, 0x8b7d817d, - 0xbf06817d, 0xbfa2002c, - 0xbef600ff, 0x01000000, - 0xbeee0078, 0x8078ff78, - 0x00000200, 0xbefd0084, - 0xbf0a6f7d, 0xbfa10061, - 0xc4050078, 0x008ce800, - 0x00000000, 0xc4050078, - 0x008ce801, 0x00008000, - 0xc4050078, 0x008ce802, - 0x00010000, 0xc4050078, - 0x008ce803, 0x00018000, - 0xbf8a0000, 0x7e008500, - 0x7e028501, 0x7e048502, - 0x7e068503, 0x807d847d, - 0x8078ff78, 0x00000200, - 0xbf0a6f7d, 0xbfa2ffea, - 0xc405006e, 0x008ce800, - 0x00000000, 0xc405006e, - 0x008ce801, 0x00008000, - 0xc405006e, 0x008ce802, - 0x00010000, 0xc405006e, - 0x008ce803, 0x00018000, - 0xbf8a0000, 0xbfa0003d, - 0xbef600ff, 0x01000000, - 0xbeee0078, 0x8078ff78, - 0x00000400, 0xbefd0084, - 0xbf0a6f7d, 0xbfa10016, - 0xc4050078, 0x008ce800, - 0x00000000, 0xc4050078, - 0x008ce801, 0x00010000, - 0xc4050078, 0x008ce802, - 0x00020000, 0xc4050078, - 0x008ce803, 0x00030000, - 0xbf8a0000, 0x7e008500, - 0x7e028501, 0x7e048502, - 0x7e068503, 0x807d847d, - 0x8078ff78, 0x00000400, - 0xbf0a6f7d, 0xbfa2ffea, - 0xb8ef1e06, 0x8b6fc16f, - 0xbfa1000f, 0x846f836f, - 0x806f7d6f, 0xbefe00c1, - 0xbeff0080, 0xc4050078, - 0x008ce800, 0x00000000, - 0xbf8a0000, 0x7e008500, - 0x807d817d, 0x8078ff78, - 0x00000080, 0xbf0a6f7d, - 0xbfa2fff6, 0xbeff00c1, - 0xc405006e, 0x008ce800, - 0x00000000, 0xc405006e, - 0x008ce801, 0x00010000, - 0xc405006e, 0x008ce802, - 0x00020000, 0xc405006e, - 0x008ce803, 0x00030000, - 0xbf8a0000, 0xb8f83b05, - 0x80788178, 0xbf0d9972, - 0xbfa20002, 0x84788978, - 0xbfa00001, 0x84788a78, - 0xb8ee1e06, 0x846e8a6e, - 0x80786e78, 0x8078ff78, - 0x00000200, 0x80f8ff78, - 0x00000050, 0xbef600ff, - 0x01000000, 0xbefd00ff, - 0x0000006c, 0x80f89078, - 0xf462403a, 0xf0000000, - 0xbf8a0000, 0x80fd847d, - 0xbf800000, 0xbe804300, - 0xbe824302, 0x80f8a078, - 0xf462603a, 0xf0000000, - 0xbf8a0000, 0x80fd887d, - 0xbf800000, 0xbe804300, - 0xbe824302, 0xbe844304, - 0xbe864306, 0x80f8c078, - 0xf462803a, 0xf0000000, - 0xbf8a0000, 0x80fd907d, - 0xbf800000, 0xbe804300, - 0xbe824302, 0xbe844304, - 0xbe864306, 0xbe884308, - 0xbe8a430a, 0xbe8c430c, - 0xbe8e430e, 0xbf06807d, - 0xbfa1fff0, 0xb980f801, - 0x00000000, 0xb8f83b05, - 0x80788178, 0xbf0d9972, - 0xbfa20002, 0x84788978, - 0xbfa00001, 0x84788a78, - 0xb8ee1e06, 0x846e8a6e, - 0x80786e78, 0x8078ff78, - 0x00000200, 0xbef600ff, - 0x01000000, 0xbeff0071, - 0xf4621bfa, 0xf0000000, - 0x80788478, 0xf4621b3a, - 0xf0000000, 0x80788478, - 0xf4621b7a, 0xf0000000, - 0x80788478, 0xf4621c3a, - 0xf0000000, 0x80788478, - 0xf4621c7a, 0xf0000000, - 0x80788478, 0xf4621eba, - 0xf0000000, 0x80788478, - 0xf4621efa, 0xf0000000, - 0x80788478, 0xf4621e7a, - 0xf0000000, 0x80788478, - 0xf4621cfa, 0xf0000000, - 0x80788478, 0xf4621bba, - 0xf0000000, 0x80788478, - 0xbf8a0000, 0xb96ef814, - 0xf4621bba, 0xf0000000, - 0x80788478, 0xbf8a0000, - 0xb96ef815, 0xf4621bba, - 0xf0000000, 0x80788478, - 0xbf8a0000, 0xb96ef812, - 0xf4621bba, 0xf0000000, - 0x80788478, 0xbf8a0000, - 0xb96ef813, 0x8b6eff7f, - 0x04000000, 0xbfa1000d, - 0x80788478, 0xf4621bba, - 0xf0000000, 0x80788478, - 0xbf8a0000, 0xbf0d806e, - 0xbfa10006, 0x856e906e, - 0x8b6e6e6e, 0xbfa10003, - 0xbe804ec1, 0x816ec16e, - 0xbfa0fffb, 0xbefd006f, - 0xbefe0070, 0xbeff0071, - 0xb97b2011, 0x857b867b, - 0xb97b0191, 0x857b827b, - 0xb97bba11, 0xb973f801, - 0xb8ee3b05, 0x806e816e, + 0xbefd00ff, 0x0000006c, + 0x80f89078, 0xf462403a, + 0xf0000000, 0xbf8a0000, + 0x80fd847d, 0xbf800000, + 0xbe804300, 0xbe824302, + 0x80f8a078, 0xf462603a, + 0xf0000000, 0xbf8a0000, + 0x80fd887d, 0xbf800000, + 0xbe804300, 0xbe824302, + 0xbe844304, 0xbe864306, + 0x80f8c078, 0xf462803a, + 0xf0000000, 0xbf8a0000, + 0x80fd907d, 0xbf800000, + 0xbe804300, 0xbe824302, + 0xbe844304, 0xbe864306, + 0xbe884308, 0xbe8a430a, + 0xbe8c430c, 0xbe8e430e, + 0xbf06807d, 0xbfa1fff0, + 0xb980f801, 0x00000000, + 0xb8f83b05, 0x80788178, 0xbf0d9972, 0xbfa20002, - 0x846e896e, 0xbfa00001, - 0x846e8a6e, 0xb8ef1e06, - 0x846f8a6f, 0x806e6f6e, - 0x806eff6e, 0x00000200, - 0x806e746e, 0x826f8075, - 0x8b6fff6f, 0x0000ffff, - 0xf4605c37, 0xf8000050, - 0xf4605d37, 0xf8000060, - 0xf4601e77, 0xf8000074, - 0xbf8a0000, 0x8b6dff6d, - 0x0000ffff, 0x8bfe7e7e, - 0x8bea6a6a, 0xb97af804, + 0x84788978, 0xbfa00001, + 0x84788a78, 0xb8ee1e06, + 0x846e8a6e, 0x80786e78, + 0x8078ff78, 0x00000200, + 0xbef600ff, 0x01000000, + 0xbeff0071, 0xf4621bfa, + 0xf0000000, 0x80788478, + 0xf4621b3a, 0xf0000000, + 0x80788478, 0xf4621b7a, + 0xf0000000, 0x80788478, + 0xf4621c3a, 0xf0000000, + 0x80788478, 0xf4621c7a, + 0xf0000000, 0x80788478, + 0xf4621eba, 0xf0000000, + 0x80788478, 0xf4621efa, + 0xf0000000, 0x80788478, + 0xf4621e7a, 0xf0000000, + 0x80788478, 0xf4621cfa, + 0xf0000000, 0x80788478, + 0xf4621bba, 0xf0000000, + 0x80788478, 0xbf8a0000, + 0xb96ef814, 0xf4621bba, + 0xf0000000, 0x80788478, + 0xbf8a0000, 0xb96ef815, + 0xf4621bba, 0xf0000000, + 0x80788478, 0xbf8a0000, + 0xb96ef812, 0xf4621bba, + 0xf0000000, 0x80788478, + 0xbf8a0000, 0xb96ef813, + 0x8b6eff7f, 0x04000000, + 0xbfa1000d, 0x80788478, + 0xf4621bba, 0xf0000000, + 0x80788478, 0xbf8a0000, + 0xbf0d806e, 0xbfa10006, + 0x856e906e, 0x8b6e6e6e, + 0xbfa10003, 0xbe804ec1, + 0x816ec16e, 0xbfa0fffb, + 0xbefd006f, 0xbefe0070, + 0xbeff0071, 0xb97b2011, + 0x857b867b, 0xb97b0191, + 0x857b827b, 0xb97bba11, + 0xb973f801, 0xb8ee3b05, + 0x806e816e, 0xbf0d9972, + 0xbfa20002, 0x846e896e, + 0xbfa00001, 0x846e8a6e, + 0xb8ef1e06, 0x846f8a6f, + 0x806e6f6e, 0x806eff6e, + 0x00000200, 0x806e746e, + 0x826f8075, 0x8b6fff6f, + 0x0000ffff, 0xf4605c37, + 0xf8000050, 0xf4605d37, + 0xf8000060, 0xf4601e77, + 0xf8000074, 0xbf8a0000, + 0x8b6dff6d, 0x0000ffff, + 0x8bfe7e7e, 0x8bea6a6a, + 0xb97af804, 0xbe804ec2, + 0xbf94fffe, 0xbe804a6c, 0xbe804ec2, 0xbf94fffe, - 0xbe804a6c, 0xbe804ec2, - 0xbf94fffe, 0xbfb10000, + 0xbfb10000, 0xbf9f0000, 0xbf9f0000, 0xbf9f0000, 0xbf9f0000, 0xbf9f0000, - 0xbf9f0000, 0x00000000, }; static const uint32_t cwsr_trap_gfx9_5_0_hex[] = { diff --git a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm index 7b9d36e5fa43..5a1a1b1f897f 100644 --- a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm +++ b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm @@ -30,6 +30,7 @@ #define CHIP_GFX12 37 #define SINGLE_STEP_MISSED_WORKAROUND 1 //workaround for lost TRAP_AFTER_INST exception when SAVECTX raised +#define HAVE_VALU_SGPR_HAZARD (ASIC_FAMILY == CHIP_GFX12) var SQ_WAVE_STATE_PRIV_BARRIER_COMPLETE_MASK = 0x4 var SQ_WAVE_STATE_PRIV_SCC_SHIFT = 9 @@ -351,6 +352,7 @@ L_HAVE_VGPRS: v_writelane_b32 v0, ttmp13, 0xD v_writelane_b32 v0, exec_lo, 0xE v_writelane_b32 v0, exec_hi, 0xF + valu_sgpr_hazard() s_mov_b32 exec_lo, 0x3FFF s_mov_b32 exec_hi, 0x0 @@ -417,7 +419,6 @@ L_SAVE_HWREG: v_mov_b32 v0, 0x0 //Offset[31:0] from buffer resource v_mov_b32 v1, 0x0 //Offset[63:32] from buffer resource v_mov_b32 v2, 0x0 //Set of SGPRs for TCP store - s_mov_b32 m0, 0x0 //Next lane of v2 to write to // Ensure no further changes to barrier or LDS state. // STATE_PRIV.BARRIER_COMPLETE may change up to this point. @@ -430,40 +431,41 @@ L_SAVE_HWREG: s_andn2_b32 s_save_state_priv, s_save_state_priv, SQ_WAVE_STATE_PRIV_BARRIER_COMPLETE_MASK s_or_b32 s_save_state_priv, s_save_state_priv, s_save_tmp - write_hwreg_to_v2(s_save_m0) - write_hwreg_to_v2(s_save_pc_lo) s_andn2_b32 s_save_tmp, s_save_pc_hi, S_SAVE_PC_HI_FIRST_WAVE_MASK - write_hwreg_to_v2(s_save_tmp) - write_hwreg_to_v2(s_save_exec_lo) - write_hwreg_to_v2(s_save_exec_hi) - write_hwreg_to_v2(s_save_state_priv) + v_writelane_b32 v2, s_save_m0, 0x0 + v_writelane_b32 v2, s_save_pc_lo, 0x1 + v_writelane_b32 v2, s_save_tmp, 0x2 + v_writelane_b32 v2, s_save_exec_lo, 0x3 + v_writelane_b32 v2, s_save_exec_hi, 0x4 + v_writelane_b32 v2, s_save_state_priv, 0x5 + v_writelane_b32 v2, s_save_xnack_mask, 0x7 + valu_sgpr_hazard() s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_EXCP_FLAG_PRIV) - write_hwreg_to_v2(s_save_tmp) + v_writelane_b32 v2, s_save_tmp, 0x6 - write_hwreg_to_v2(s_save_xnack_mask) + s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_MODE) + v_writelane_b32 v2, s_save_tmp, 0x8 - s_getreg_b32 s_save_m0, hwreg(HW_REG_WAVE_MODE) - write_hwreg_to_v2(s_save_m0) + s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_SCRATCH_BASE_LO) + v_writelane_b32 v2, s_save_tmp, 0x9 - s_getreg_b32 s_save_m0, hwreg(HW_REG_WAVE_SCRATCH_BASE_LO) - write_hwreg_to_v2(s_save_m0) + s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_SCRATCH_BASE_HI) + v_writelane_b32 v2, s_save_tmp, 0xA - s_getreg_b32 s_save_m0, hwreg(HW_REG_WAVE_SCRATCH_BASE_HI) - write_hwreg_to_v2(s_save_m0) + s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_EXCP_FLAG_USER) + v_writelane_b32 v2, s_save_tmp, 0xB - s_getreg_b32 s_save_m0, hwreg(HW_REG_WAVE_EXCP_FLAG_USER) - write_hwreg_to_v2(s_save_m0) - - s_getreg_b32 s_save_m0, hwreg(HW_REG_WAVE_TRAP_CTRL) - write_hwreg_to_v2(s_save_m0) + s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_TRAP_CTRL) + v_writelane_b32 v2, s_save_tmp, 0xC s_getreg_b32 s_save_tmp, hwreg(HW_REG_WAVE_STATUS) - write_hwreg_to_v2(s_save_tmp) + v_writelane_b32 v2, s_save_tmp, 0xD s_get_barrier_state s_save_tmp, -1 s_wait_kmcnt (0) - write_hwreg_to_v2(s_save_tmp) + v_writelane_b32 v2, s_save_tmp, 0xE + valu_sgpr_hazard() // Write HWREGs with 16 VGPR lanes. TTMPs occupy space after this. s_mov_b32 exec_lo, 0xFFFF @@ -497,10 +499,12 @@ L_SAVE_SGPR_LOOP: s_movrels_b64 s12, s12 //s12 = s[12+m0], s13 = s[13+m0] s_movrels_b64 s14, s14 //s14 = s[14+m0], s15 = s[15+m0] - write_16sgpr_to_v2(s0) - - s_cmp_eq_u32 ttmp13, 0x20 //have 32 VGPR lanes filled? - s_cbranch_scc0 L_SAVE_SGPR_SKIP_TCP_STORE + s_cmp_eq_u32 ttmp13, 0x0 + s_cbranch_scc0 L_WRITE_V2_SECOND_HALF + write_16sgpr_to_v2(s0, 0x0) + s_branch L_SAVE_SGPR_SKIP_TCP_STORE +L_WRITE_V2_SECOND_HALF: + write_16sgpr_to_v2(s0, 0x10) buffer_store_dword v2, v0, s_save_buf_rsrc0, s_save_mem_offset scope:SCOPE_SYS s_add_u32 s_save_mem_offset, s_save_mem_offset, 0x80 @@ -1056,27 +1060,21 @@ L_END_PGM: s_endpgm_saved end -function write_hwreg_to_v2(s) - // Copy into VGPR for later TCP store. - v_writelane_b32 v2, s, m0 - s_add_u32 m0, m0, 0x1 -end - - -function write_16sgpr_to_v2(s) +function write_16sgpr_to_v2(s, lane_offset) // Copy into VGPR for later TCP store. for var sgpr_idx = 0; sgpr_idx < 16; sgpr_idx ++ - v_writelane_b32 v2, s[sgpr_idx], ttmp13 - s_add_u32 ttmp13, ttmp13, 0x1 + v_writelane_b32 v2, s[sgpr_idx], sgpr_idx + lane_offset end + valu_sgpr_hazard() + s_add_u32 ttmp13, ttmp13, 0x10 end function write_12sgpr_to_v2(s) // Copy into VGPR for later TCP store. for var sgpr_idx = 0; sgpr_idx < 12; sgpr_idx ++ - v_writelane_b32 v2, s[sgpr_idx], ttmp13 - s_add_u32 ttmp13, ttmp13, 0x1 + v_writelane_b32 v2, s[sgpr_idx], sgpr_idx end + valu_sgpr_hazard() end function read_hwreg_from_mem(s, s_rsrc, s_mem_offset) @@ -1128,3 +1126,11 @@ function get_wave_size2(s_reg) s_getreg_b32 s_reg, hwreg(HW_REG_WAVE_STATUS,SQ_WAVE_STATUS_WAVE64_SHIFT,SQ_WAVE_STATUS_WAVE64_SIZE) s_lshl_b32 s_reg, s_reg, S_WAVE_SIZE end + +function valu_sgpr_hazard +#if HAVE_VALU_SGPR_HAZARD + for var rep = 0; rep < 8; rep ++ + ds_nop + end +#endif +end

1 month

1
0
0 0

FAILED: patch "[PATCH] memcg: drain obj stock on cpu hotplug teardown" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032421-cost-prodigy-8d3a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb Mon Sep 17 00:00:00 2001 From: Shakeel Butt <shakeel.butt(a)linux.dev> Date: Mon, 10 Mar 2025 16:09:34 -0700 Subject: [PATCH] memcg: drain obj stock on cpu hotplug teardown Currently on cpu hotplug teardown, only memcg stock is drained but we need to drain the obj stock as well otherwise we will miss the stats accumulated on the target cpu as well as the nr_bytes cached. The stats include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In addition we are leaking reference to struct obj_cgroup object. Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") Signed-off-by: Shakeel Butt <shakeel.butt(a)linux.dev> Reviewed-by: Roman Gushchin <roman.gushchin(a)linux.dev> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 8f9b35f80e24..a037ec92881d 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -1921,9 +1921,18 @@ void drain_all_stock(struct mem_cgroup *root_memcg) static int memcg_hotplug_cpu_dead(unsigned int cpu) { struct memcg_stock_pcp *stock; + struct obj_cgroup *old; + unsigned long flags; stock = &per_cpu(memcg_stock, cpu); + + /* drain_obj_stock requires stock_lock */ + local_lock_irqsave(&memcg_stock.stock_lock, flags); + old = drain_obj_stock(stock); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); + drain_stock(stock); + obj_cgroup_put(old); return 0; }

1 month

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x acbf16a6ae775b4db86f537448cc466288aa307e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032440-purifier-stand-0619@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acbf16a6ae775b4db86f537448cc466288aa307e Mon Sep 17 00:00:00 2001 From: Mario Limonciello <mario.limonciello(a)amd.com> Date: Fri, 7 Mar 2025 15:55:20 -0600 Subject: [PATCH] drm/amd/display: Use HW lock mgr for PSR1 when only one eDP [WHY] DMUB locking is important to make sure that registers aren't accessed while in PSR. Previously it was enabled but caused a deadlock in situations with multiple eDP panels. [HOW] Detect if multiple eDP panels are in use to decide whether to use lock. Refactor the function so that the first check is for PSR-SU and then replay is in use to prevent having to look up number of eDP panels for those configurations. Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965 Reviewed-by: ChiaHsuan Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ed569e1279a3045d6b974226c814e071fa0193a6) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c index bf636b28e3e1..6e2fce329d73 100644 --- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c @@ -69,5 +69,16 @@ bool should_use_dmub_lock(struct dc_link *link) if (link->replay_settings.replay_feature_enabled) return true; + /* only use HW lock for PSR1 on single eDP */ + if (link->psr_settings.psr_version == DC_PSR_VERSION_1) { + struct dc_link *edp_links[MAX_NUM_EDP]; + int edp_num; + + dc_get_edp_links(link->dc, edp_links, &edp_num); + + if (edp_num == 1) + return true; + } + return false; }

1 month

1
0
0 0

FAILED: patch "[PATCH] memcg: drain obj stock on cpu hotplug teardown" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032437-boring-siren-6478@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb Mon Sep 17 00:00:00 2001 From: Shakeel Butt <shakeel.butt(a)linux.dev> Date: Mon, 10 Mar 2025 16:09:34 -0700 Subject: [PATCH] memcg: drain obj stock on cpu hotplug teardown Currently on cpu hotplug teardown, only memcg stock is drained but we need to drain the obj stock as well otherwise we will miss the stats accumulated on the target cpu as well as the nr_bytes cached. The stats include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In addition we are leaking reference to struct obj_cgroup object. Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") Signed-off-by: Shakeel Butt <shakeel.butt(a)linux.dev> Reviewed-by: Roman Gushchin <roman.gushchin(a)linux.dev> Acked-by: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 8f9b35f80e24..a037ec92881d 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -1921,9 +1921,18 @@ void drain_all_stock(struct mem_cgroup *root_memcg) static int memcg_hotplug_cpu_dead(unsigned int cpu) { struct memcg_stock_pcp *stock; + struct obj_cgroup *old; + unsigned long flags; stock = &per_cpu(memcg_stock, cpu); + + /* drain_obj_stock requires stock_lock */ + local_lock_irqsave(&memcg_stock.stock_lock, flags); + old = drain_obj_stock(stock); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); + drain_stock(stock); + obj_cgroup_put(old); return 0; }

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add missing PCIe supplies to RockPro64" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ffcef3df680c437ca33ff434be18ec24d72907c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032449-spookily-prevalent-78aa@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ffcef3df680c437ca33ff434be18ec24d72907c2 Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:04 +0100 Subject: [PATCH] arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi Add missing "vpcie0v9-supply" and "vpcie1v8-supply" properties to the "pcie0" node in the Pine64 RockPro64 board dtsi file. This eliminates the following warnings from the kernel log: rockchip-pcie f8000000.pcie: supply vpcie1v8 not found, using dummy regulator rockchip-pcie f8000000.pcie: supply vpcie0v9 not found, using dummy regulator These additions improve the accuracy of hardware description of the RockPro64 and, in theory, they should result in no functional changes to the way board works after the changes, because the "vcca_0v9" and "vcca_1v8" regulators are always enabled. [1][2] However, extended reliability testing, performed by Chris, [3] has proven that the age-old issues with some PCI Express cards, when used with a Pine64 RockPro64, are also resolved. Those issues were already mentioned in the commit 43853e843aa6 (arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts, 2024-04-01), together with a brief description of the out-of-tree enumeration delay patch that reportedly resolves those issues. In a nutshell, booting a RockPro64 with some PCI Express cards attached to it caused a kernel oops. [4] Symptomatically enough, to the commit author's best knowledge, only the Pine64 RockPro64, out of all RK3399-based boards and devices supported upstream, has been reported to suffer from those PCI Express issues, and only the RockPro64 had some of the PCI Express supplies missing in its DT. Thus, perhaps some weird timing issues exist that caused the "vcca_1v8" always-on regulator, which is part of the RK808 PMIC, to actually not be enabled before the PCI Express is initialized and enumerated on the RockPro64, causing oopses with some PCIe cards, and the aforementioned enumeration delay patch [4] probably acted as just a workaround for the underlying timing issue. Admittedly, the Pine64 RockPro64 is a bit specific board by having a standard PCI Express slot, allowing use of various standard cards, but pretty much standard PCI Express cards have been attached to other RK3399 boards as well, and the commit author is unaware ot such issues reported for them. It's quite hard to be sure that the PCI Express issues are fully resolved by these additions to the DT, without some really extensive and time-consuming testing. However, these additions to the DT can result in good things and improvements anyway, making them perfectly safe from the standpoint of being unable to do any harm or cause some unforeseen regressions. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf [3] https://z9.de/hedgedoc/s/nF4d5G7rg#reboot-tests-for-PCIe-improvements [4] https://lore.kernel.org/lkml/20230509153912.515218-1-vincenzopalazzodev@gma… Fixes: bba821f5479e ("arm64: dts: rockchip: add PCIe nodes on rk3399-rockpro64") Cc: stable(a)vger.kernel.org Cc: Vincenzo Palazzo <vincenzopalazzodev(a)gmail.com> Cc: Peter Geis <pgwipeout(a)gmail.com> Cc: Bjorn Helgaas <helgaas(a)kernel.org> Reported-by: Diederik de Haas <didi.debian(a)cknow.org> Tested-by: Chris Vogel <chris(a)z9.de> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/b39cfd7490d8194f053bf3971f13a43472d1769e.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 47dc198706c8..51c6aa26d828 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -673,6 +673,8 @@ &pcie0 { num-lanes = <4>; pinctrl-names = "default"; pinctrl-0 = <&pcie_perst>; + vpcie0v9-supply = <&vcca_0v9>; + vpcie1v8-supply = <&vcca_1v8>; vpcie12v-supply = <&vcc12v_dcin>; vpcie3v3-supply = <&vcc3v3_pcie>; status = "okay";

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x bd1c959f37f384b477f51572331b0dc828bd009a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032436-maggot-overture-45f1@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd1c959f37f384b477f51572331b0dc828bd009a Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:03 +0100 Subject: [PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Add missing "avdd-0v9-supply" and "avdd-1v8-supply" properties to the "hdmi" node in the Pine64 RockPro64 board dtsi file. To achieve this, also add the associated "vcca_0v9" regulator that produces the 0.9 V supply, [1][2] which hasn't been defined previously in the board dtsi file. This also eliminates the following warnings from the kernel log: dwhdmi-rockchip ff940000.hdmi: supply avdd-0v9 not found, using dummy regulator dwhdmi-rockchip ff940000.hdmi: supply avdd-1v8 not found, using dummy regulator There are no functional changes to the way board works with these additions, because the "vcc1v8_dvp" and "vcca_0v9" regulators are always enabled, [1][2] but these additions improve the accuracy of hardware description. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf Fixes: e4f3fb490967 ("arm64: dts: rockchip: add initial dts support for Rockpro64") Cc: stable(a)vger.kernel.org Suggested-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/df3d7e8fe74ed5e727e085b18c395260537bb5ac.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 69a9d6170649..47dc198706c8 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -227,6 +227,16 @@ vcc5v0_usb: regulator-vcc5v0-usb { vin-supply = <&vcc12v_dcin>; }; + vcca_0v9: regulator-vcca-0v9 { + compatible = "regulator-fixed"; + regulator-name = "vcca_0v9"; + regulator-always-on; + regulator-boot-on; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; + vin-supply = <&vcc3v3_sys>; + }; + vdd_log: regulator-vdd-log { compatible = "pwm-regulator"; pwms = <&pwm2 0 25000 1>; @@ -312,6 +322,8 @@ &gmac { }; &hdmi { + avdd-0v9-supply = <&vcca_0v9>; + avdd-1v8-supply = <&vcc1v8_dvp>; ddc-i2c-bus = <&i2c3>; pinctrl-names = "default"; pinctrl-0 = <&hdmi_cec>;

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x bd1c959f37f384b477f51572331b0dc828bd009a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032435-egotistic-entangled-60cd@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd1c959f37f384b477f51572331b0dc828bd009a Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:03 +0100 Subject: [PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Add missing "avdd-0v9-supply" and "avdd-1v8-supply" properties to the "hdmi" node in the Pine64 RockPro64 board dtsi file. To achieve this, also add the associated "vcca_0v9" regulator that produces the 0.9 V supply, [1][2] which hasn't been defined previously in the board dtsi file. This also eliminates the following warnings from the kernel log: dwhdmi-rockchip ff940000.hdmi: supply avdd-0v9 not found, using dummy regulator dwhdmi-rockchip ff940000.hdmi: supply avdd-1v8 not found, using dummy regulator There are no functional changes to the way board works with these additions, because the "vcc1v8_dvp" and "vcca_0v9" regulators are always enabled, [1][2] but these additions improve the accuracy of hardware description. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf Fixes: e4f3fb490967 ("arm64: dts: rockchip: add initial dts support for Rockpro64") Cc: stable(a)vger.kernel.org Suggested-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/df3d7e8fe74ed5e727e085b18c395260537bb5ac.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 69a9d6170649..47dc198706c8 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -227,6 +227,16 @@ vcc5v0_usb: regulator-vcc5v0-usb { vin-supply = <&vcc12v_dcin>; }; + vcca_0v9: regulator-vcca-0v9 { + compatible = "regulator-fixed"; + regulator-name = "vcca_0v9"; + regulator-always-on; + regulator-boot-on; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; + vin-supply = <&vcc3v3_sys>; + }; + vdd_log: regulator-vdd-log { compatible = "pwm-regulator"; pwms = <&pwm2 0 25000 1>; @@ -312,6 +322,8 @@ &gmac { }; &hdmi { + avdd-0v9-supply = <&vcca_0v9>; + avdd-1v8-supply = <&vcc1v8_dvp>; ddc-i2c-bus = <&i2c3>; pinctrl-names = "default"; pinctrl-0 = <&hdmi_cec>;

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x bd1c959f37f384b477f51572331b0dc828bd009a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032434-pumice-glacier-39f9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd1c959f37f384b477f51572331b0dc828bd009a Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:03 +0100 Subject: [PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Add missing "avdd-0v9-supply" and "avdd-1v8-supply" properties to the "hdmi" node in the Pine64 RockPro64 board dtsi file. To achieve this, also add the associated "vcca_0v9" regulator that produces the 0.9 V supply, [1][2] which hasn't been defined previously in the board dtsi file. This also eliminates the following warnings from the kernel log: dwhdmi-rockchip ff940000.hdmi: supply avdd-0v9 not found, using dummy regulator dwhdmi-rockchip ff940000.hdmi: supply avdd-1v8 not found, using dummy regulator There are no functional changes to the way board works with these additions, because the "vcc1v8_dvp" and "vcca_0v9" regulators are always enabled, [1][2] but these additions improve the accuracy of hardware description. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf Fixes: e4f3fb490967 ("arm64: dts: rockchip: add initial dts support for Rockpro64") Cc: stable(a)vger.kernel.org Suggested-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/df3d7e8fe74ed5e727e085b18c395260537bb5ac.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 69a9d6170649..47dc198706c8 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -227,6 +227,16 @@ vcc5v0_usb: regulator-vcc5v0-usb { vin-supply = <&vcc12v_dcin>; }; + vcca_0v9: regulator-vcca-0v9 { + compatible = "regulator-fixed"; + regulator-name = "vcca_0v9"; + regulator-always-on; + regulator-boot-on; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; + vin-supply = <&vcc3v3_sys>; + }; + vdd_log: regulator-vdd-log { compatible = "pwm-regulator"; pwms = <&pwm2 0 25000 1>; @@ -312,6 +322,8 @@ &gmac { }; &hdmi { + avdd-0v9-supply = <&vcca_0v9>; + avdd-1v8-supply = <&vcc1v8_dvp>; ddc-i2c-bus = <&i2c3>; pinctrl-names = "default"; pinctrl-0 = <&hdmi_cec>;

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bd1c959f37f384b477f51572331b0dc828bd009a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032434-shortage-antidote-9321@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd1c959f37f384b477f51572331b0dc828bd009a Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:03 +0100 Subject: [PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Add missing "avdd-0v9-supply" and "avdd-1v8-supply" properties to the "hdmi" node in the Pine64 RockPro64 board dtsi file. To achieve this, also add the associated "vcca_0v9" regulator that produces the 0.9 V supply, [1][2] which hasn't been defined previously in the board dtsi file. This also eliminates the following warnings from the kernel log: dwhdmi-rockchip ff940000.hdmi: supply avdd-0v9 not found, using dummy regulator dwhdmi-rockchip ff940000.hdmi: supply avdd-1v8 not found, using dummy regulator There are no functional changes to the way board works with these additions, because the "vcc1v8_dvp" and "vcca_0v9" regulators are always enabled, [1][2] but these additions improve the accuracy of hardware description. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf Fixes: e4f3fb490967 ("arm64: dts: rockchip: add initial dts support for Rockpro64") Cc: stable(a)vger.kernel.org Suggested-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/df3d7e8fe74ed5e727e085b18c395260537bb5ac.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 69a9d6170649..47dc198706c8 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -227,6 +227,16 @@ vcc5v0_usb: regulator-vcc5v0-usb { vin-supply = <&vcc12v_dcin>; }; + vcca_0v9: regulator-vcca-0v9 { + compatible = "regulator-fixed"; + regulator-name = "vcca_0v9"; + regulator-always-on; + regulator-boot-on; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; + vin-supply = <&vcc3v3_sys>; + }; + vdd_log: regulator-vdd-log { compatible = "pwm-regulator"; pwms = <&pwm2 0 25000 1>; @@ -312,6 +322,8 @@ &gmac { }; &hdmi { + avdd-0v9-supply = <&vcca_0v9>; + avdd-1v8-supply = <&vcc1v8_dvp>; ddc-i2c-bus = <&i2c3>; pinctrl-names = "default"; pinctrl-0 = <&hdmi_cec>;

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bd1c959f37f384b477f51572331b0dc828bd009a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032433-easter-landside-3585@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bd1c959f37f384b477f51572331b0dc828bd009a Mon Sep 17 00:00:00 2001 From: Dragan Simic <dsimic(a)manjaro.org> Date: Sun, 2 Mar 2025 19:48:03 +0100 Subject: [PATCH] arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi Add missing "avdd-0v9-supply" and "avdd-1v8-supply" properties to the "hdmi" node in the Pine64 RockPro64 board dtsi file. To achieve this, also add the associated "vcca_0v9" regulator that produces the 0.9 V supply, [1][2] which hasn't been defined previously in the board dtsi file. This also eliminates the following warnings from the kernel log: dwhdmi-rockchip ff940000.hdmi: supply avdd-0v9 not found, using dummy regulator dwhdmi-rockchip ff940000.hdmi: supply avdd-1v8 not found, using dummy regulator There are no functional changes to the way board works with these additions, because the "vcc1v8_dvp" and "vcca_0v9" regulators are always enabled, [1][2] but these additions improve the accuracy of hardware description. These changes apply to the both supported hardware revisions of the Pine64 RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] [1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf Fixes: e4f3fb490967 ("arm64: dts: rockchip: add initial dts support for Rockpro64") Cc: stable(a)vger.kernel.org Suggested-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> Tested-by: Diederik de Haas <didi.debian(a)cknow.org> Link: https://lore.kernel.org/r/df3d7e8fe74ed5e727e085b18c395260537bb5ac.17409410… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi index 69a9d6170649..47dc198706c8 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi @@ -227,6 +227,16 @@ vcc5v0_usb: regulator-vcc5v0-usb { vin-supply = <&vcc12v_dcin>; }; + vcca_0v9: regulator-vcca-0v9 { + compatible = "regulator-fixed"; + regulator-name = "vcca_0v9"; + regulator-always-on; + regulator-boot-on; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; + vin-supply = <&vcc3v3_sys>; + }; + vdd_log: regulator-vdd-log { compatible = "pwm-regulator"; pwms = <&pwm2 0 25000 1>; @@ -312,6 +322,8 @@ &gmac { }; &hdmi { + avdd-0v9-supply = <&vcca_0v9>; + avdd-1v8-supply = <&vcc1v8_dvp>; ddc-i2c-bus = <&i2c3>; pinctrl-names = "default"; pinctrl-0 = <&hdmi_cec>;

1 month

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 55de171bba1b8c0e3dd18b800955ac4b46a63d4b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032402-unfilled-snooze-0c70@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55de171bba1b8c0e3dd18b800955ac4b46a63d4b Mon Sep 17 00:00:00 2001 From: Quentin Schulz <quentin.schulz(a)cherry.de> Date: Tue, 25 Feb 2025 12:53:30 +0100 Subject: [PATCH] arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou UART5 uses GPIO0_B5 as UART RTS but muxed in its GPIO function, therefore UART5 must request this pin to be muxed in that function, so let's do that. Fixes: 5963d97aa780 ("arm64: dts: rockchip: add rs485 support on uart5 of px30-ringneck-haikou") Cc: stable(a)vger.kernel.org Signed-off-by: Quentin Schulz <quentin.schulz(a)cherry.de> Link: https://lore.kernel.org/r/20250225-ringneck-dtbos-v3-2-853a9a6dd597@cherry.… Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> diff --git a/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts b/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts index 6d45a19413ce..1a59e8b1dc46 100644 --- a/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts +++ b/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts @@ -194,6 +194,13 @@ sd_card_led_pin: sd-card-led-pin { <3 RK_PB3 RK_FUNC_GPIO &pcfg_pull_none>; }; }; + + uart { + uart5_rts_pin: uart5-rts-pin { + rockchip,pins = + <0 RK_PB5 RK_FUNC_GPIO &pcfg_pull_none>; + }; + }; }; &pwm0 { @@ -228,6 +235,9 @@ &uart0 { }; &uart5 { + /* Add pinmux for rts-gpios (uart5_rts_pin) */ + pinctrl-names = "default"; + pinctrl-0 = <&uart5_xfer &uart5_rts_pin>; rts-gpios = <&gpio0 RK_PB5 GPIO_ACTIVE_HIGH>; status = "okay"; };

1 month

1
0
0 0

FAILED: patch "[PATCH] can: flexcan: disable transceiver during system PM" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 5a19143124be42900b3fbc9ada3c919632eb45eb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032421-underhand-jujitsu-4b1e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5a19143124be42900b3fbc9ada3c919632eb45eb Mon Sep 17 00:00:00 2001 From: Haibo Chen <haibo.chen(a)nxp.com> Date: Fri, 14 Mar 2025 19:01:45 +0800 Subject: [PATCH] can: flexcan: disable transceiver during system PM During system PM, if no wakeup requirement, disable transceiver to save power. Fixes: 4de349e786a3 ("can: flexcan: fix resume function") Cc: stable(a)vger.kernel.org Reviewed-by: Frank Li <frank.li(a)nxp.com> Signed-off-by: Haibo Chen <haibo.chen(a)nxp.com> Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com [mkl: add newlines] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c index 3a71fd235722..b080740bcb10 100644 --- a/drivers/net/can/flexcan/flexcan-core.c +++ b/drivers/net/can/flexcan/flexcan-core.c @@ -2260,6 +2260,10 @@ static int __maybe_unused flexcan_suspend(struct device *device) flexcan_chip_interrupts_disable(dev); + err = flexcan_transceiver_disable(priv); + if (err) + return err; + err = pinctrl_pm_select_sleep_state(device); if (err) return err; @@ -2292,10 +2296,16 @@ static int __maybe_unused flexcan_resume(struct device *device) if (err) return err; - err = flexcan_chip_start(dev); + err = flexcan_transceiver_enable(priv); if (err) return err; + err = flexcan_chip_start(dev); + if (err) { + flexcan_transceiver_disable(priv); + return err; + } + flexcan_chip_interrupts_enable(dev); }

1 month

1
0
0 0

FAILED: patch "[PATCH] can: flexcan: disable transceiver during system PM" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 5a19143124be42900b3fbc9ada3c919632eb45eb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032420-overstuff-legged-67d6@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5a19143124be42900b3fbc9ada3c919632eb45eb Mon Sep 17 00:00:00 2001 From: Haibo Chen <haibo.chen(a)nxp.com> Date: Fri, 14 Mar 2025 19:01:45 +0800 Subject: [PATCH] can: flexcan: disable transceiver during system PM During system PM, if no wakeup requirement, disable transceiver to save power. Fixes: 4de349e786a3 ("can: flexcan: fix resume function") Cc: stable(a)vger.kernel.org Reviewed-by: Frank Li <frank.li(a)nxp.com> Signed-off-by: Haibo Chen <haibo.chen(a)nxp.com> Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com [mkl: add newlines] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c index 3a71fd235722..b080740bcb10 100644 --- a/drivers/net/can/flexcan/flexcan-core.c +++ b/drivers/net/can/flexcan/flexcan-core.c @@ -2260,6 +2260,10 @@ static int __maybe_unused flexcan_suspend(struct device *device) flexcan_chip_interrupts_disable(dev); + err = flexcan_transceiver_disable(priv); + if (err) + return err; + err = pinctrl_pm_select_sleep_state(device); if (err) return err; @@ -2292,10 +2296,16 @@ static int __maybe_unused flexcan_resume(struct device *device) if (err) return err; - err = flexcan_chip_start(dev); + err = flexcan_transceiver_enable(priv); if (err) return err; + err = flexcan_chip_start(dev); + if (err) { + flexcan_transceiver_disable(priv); + return err; + } + flexcan_chip_interrupts_enable(dev); }

1 month

1
0
0 0

FAILED: patch "[PATCH] can: flexcan: disable transceiver during system PM" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5a19143124be42900b3fbc9ada3c919632eb45eb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032419-immersion-dislike-cf63@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5a19143124be42900b3fbc9ada3c919632eb45eb Mon Sep 17 00:00:00 2001 From: Haibo Chen <haibo.chen(a)nxp.com> Date: Fri, 14 Mar 2025 19:01:45 +0800 Subject: [PATCH] can: flexcan: disable transceiver during system PM During system PM, if no wakeup requirement, disable transceiver to save power. Fixes: 4de349e786a3 ("can: flexcan: fix resume function") Cc: stable(a)vger.kernel.org Reviewed-by: Frank Li <frank.li(a)nxp.com> Signed-off-by: Haibo Chen <haibo.chen(a)nxp.com> Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com [mkl: add newlines] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c index 3a71fd235722..b080740bcb10 100644 --- a/drivers/net/can/flexcan/flexcan-core.c +++ b/drivers/net/can/flexcan/flexcan-core.c @@ -2260,6 +2260,10 @@ static int __maybe_unused flexcan_suspend(struct device *device) flexcan_chip_interrupts_disable(dev); + err = flexcan_transceiver_disable(priv); + if (err) + return err; + err = pinctrl_pm_select_sleep_state(device); if (err) return err; @@ -2292,10 +2296,16 @@ static int __maybe_unused flexcan_resume(struct device *device) if (err) return err; - err = flexcan_chip_start(dev); + err = flexcan_transceiver_enable(priv); if (err) return err; + err = flexcan_chip_start(dev); + if (err) { + flexcan_transceiver_disable(priv); + return err; + } + flexcan_chip_interrupts_enable(dev); }

1 month

1
0
0 0

FAILED: patch "[PATCH] can: flexcan: only change CAN state when link up in system PM" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x fd99d6ed20234b83d65b9c5417794343577cf3e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032408-modular-regally-492c@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fd99d6ed20234b83d65b9c5417794343577cf3e5 Mon Sep 17 00:00:00 2001 From: Haibo Chen <haibo.chen(a)nxp.com> Date: Fri, 14 Mar 2025 19:01:44 +0800 Subject: [PATCH] can: flexcan: only change CAN state when link up in system PM After a suspend/resume cycle on a down interface, it will come up as ERROR-ACTIVE. $ ip -details -s -s a s dev flexcan0 3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000 $ sudo systemctl suspend $ ip -details -s -s a s dev flexcan0 3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000 And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did. Fixes: 4de349e786a3 ("can: flexcan: fix resume function") Cc: stable(a)vger.kernel.org Signed-off-by: Haibo Chen <haibo.chen(a)nxp.com> Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com Reported-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@peng… [mkl: add newlines] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c index ac1a860986df..3a71fd235722 100644 --- a/drivers/net/can/flexcan/flexcan-core.c +++ b/drivers/net/can/flexcan/flexcan-core.c @@ -2266,8 +2266,9 @@ static int __maybe_unused flexcan_suspend(struct device *device) } netif_stop_queue(dev); netif_device_detach(dev); + + priv->can.state = CAN_STATE_SLEEPING; } - priv->can.state = CAN_STATE_SLEEPING; return 0; } @@ -2278,7 +2279,6 @@ static int __maybe_unused flexcan_resume(struct device *device) struct flexcan_priv *priv = netdev_priv(dev); int err; - priv->can.state = CAN_STATE_ERROR_ACTIVE; if (netif_running(dev)) { netif_device_attach(dev); netif_start_queue(dev); @@ -2298,6 +2298,8 @@ static int __maybe_unused flexcan_resume(struct device *device) flexcan_chip_interrupts_enable(dev); } + + priv->can.state = CAN_STATE_ERROR_ACTIVE; } return 0;

1 month

1
0
0 0

FAILED: patch "[PATCH] can: flexcan: only change CAN state when link up in system PM" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x fd99d6ed20234b83d65b9c5417794343577cf3e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032407-prelaw-yearly-6b54@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fd99d6ed20234b83d65b9c5417794343577cf3e5 Mon Sep 17 00:00:00 2001 From: Haibo Chen <haibo.chen(a)nxp.com> Date: Fri, 14 Mar 2025 19:01:44 +0800 Subject: [PATCH] can: flexcan: only change CAN state when link up in system PM After a suspend/resume cycle on a down interface, it will come up as ERROR-ACTIVE. $ ip -details -s -s a s dev flexcan0 3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000 $ sudo systemctl suspend $ ip -details -s -s a s dev flexcan0 3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000 And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did. Fixes: 4de349e786a3 ("can: flexcan: fix resume function") Cc: stable(a)vger.kernel.org Signed-off-by: Haibo Chen <haibo.chen(a)nxp.com> Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com Reported-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@peng… [mkl: add newlines] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c index ac1a860986df..3a71fd235722 100644 --- a/drivers/net/can/flexcan/flexcan-core.c +++ b/drivers/net/can/flexcan/flexcan-core.c @@ -2266,8 +2266,9 @@ static int __maybe_unused flexcan_suspend(struct device *device) } netif_stop_queue(dev); netif_device_detach(dev); + + priv->can.state = CAN_STATE_SLEEPING; } - priv->can.state = CAN_STATE_SLEEPING; return 0; } @@ -2278,7 +2279,6 @@ static int __maybe_unused flexcan_resume(struct device *device) struct flexcan_priv *priv = netdev_priv(dev); int err; - priv->can.state = CAN_STATE_ERROR_ACTIVE; if (netif_running(dev)) { netif_device_attach(dev); netif_start_queue(dev); @@ -2298,6 +2298,8 @@ static int __maybe_unused flexcan_resume(struct device *device) flexcan_chip_interrupts_enable(dev); } + + priv->can.state = CAN_STATE_ERROR_ACTIVE; } return 0;

1 month

1
0
0 0

FAILED: patch "[PATCH] can: flexcan: only change CAN state when link up in system PM" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x fd99d6ed20234b83d65b9c5417794343577cf3e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032406-deplored-habitat-e672@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fd99d6ed20234b83d65b9c5417794343577cf3e5 Mon Sep 17 00:00:00 2001 From: Haibo Chen <haibo.chen(a)nxp.com> Date: Fri, 14 Mar 2025 19:01:44 +0800 Subject: [PATCH] can: flexcan: only change CAN state when link up in system PM After a suspend/resume cycle on a down interface, it will come up as ERROR-ACTIVE. $ ip -details -s -s a s dev flexcan0 3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000 $ sudo systemctl suspend $ ip -details -s -s a s dev flexcan0 3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000 And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did. Fixes: 4de349e786a3 ("can: flexcan: fix resume function") Cc: stable(a)vger.kernel.org Signed-off-by: Haibo Chen <haibo.chen(a)nxp.com> Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com Reported-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@peng… [mkl: add newlines] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c index ac1a860986df..3a71fd235722 100644 --- a/drivers/net/can/flexcan/flexcan-core.c +++ b/drivers/net/can/flexcan/flexcan-core.c @@ -2266,8 +2266,9 @@ static int __maybe_unused flexcan_suspend(struct device *device) } netif_stop_queue(dev); netif_device_detach(dev); + + priv->can.state = CAN_STATE_SLEEPING; } - priv->can.state = CAN_STATE_SLEEPING; return 0; } @@ -2278,7 +2279,6 @@ static int __maybe_unused flexcan_resume(struct device *device) struct flexcan_priv *priv = netdev_priv(dev); int err; - priv->can.state = CAN_STATE_ERROR_ACTIVE; if (netif_running(dev)) { netif_device_attach(dev); netif_start_queue(dev); @@ -2298,6 +2298,8 @@ static int __maybe_unused flexcan_resume(struct device *device) flexcan_chip_interrupts_enable(dev); } + + priv->can.state = CAN_STATE_ERROR_ACTIVE; } return 0;

1 month

1
0
0 0

FAILED: patch "[PATCH] can: rcar_canfd: Fix page entries in the AFL list" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1dba0a37644ed3022558165bbb5cb9bda540eaf7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032440-process-busload-c8bf@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1dba0a37644ed3022558165bbb5cb9bda540eaf7 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Fri, 7 Mar 2025 17:03:27 +0000 Subject: [PATCH] can: rcar_canfd: Fix page entries in the AFL list There are a total of 96 AFL pages and each page has 16 entries with registers CFDGAFLIDr, CFDGAFLMr, CFDGAFLP0r, CFDGAFLP1r holding the rule entries (r = 0..15). Currently, RCANFD_GAFL* macros use a start variable to find AFL entries, which is incorrect as the testing on RZ/G3E shows ch1 and ch4 gets a start value of 0 and the register contents are overwritten. Fix this issue by using rule_entry corresponding to the channel to find the page entries in the AFL list. Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Tested-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Link: https://patch.msgid.link/20250307170330.173425-3-biju.das.jz@bp.renesas.com Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c index df1a5d0b37b2..aa3df0d05b85 100644 --- a/drivers/net/can/rcar/rcar_canfd.c +++ b/drivers/net/can/rcar/rcar_canfd.c @@ -787,22 +787,14 @@ static void rcar_canfd_configure_controller(struct rcar_canfd_global *gpriv) } static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, - u32 ch) + u32 ch, u32 rule_entry) { - u32 cfg; - int offset, start, page, num_rules = RCANFD_CHANNEL_NUMRULES; + int offset, page, num_rules = RCANFD_CHANNEL_NUMRULES; + u32 rule_entry_index = rule_entry % 16; u32 ridx = ch + RCANFD_RFFIFO_IDX; - if (ch == 0) { - start = 0; /* Channel 0 always starts from 0th rule */ - } else { - /* Get number of Channel 0 rules and adjust */ - cfg = rcar_canfd_read(gpriv->base, RCANFD_GAFLCFG(ch)); - start = RCANFD_GAFLCFG_GETRNC(gpriv, 0, cfg); - } - /* Enable write access to entry */ - page = RCANFD_GAFL_PAGENUM(start); + page = RCANFD_GAFL_PAGENUM(rule_entry); rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLECTR, (RCANFD_GAFLECTR_AFLPN(gpriv, page) | RCANFD_GAFLECTR_AFLDAE)); @@ -818,13 +810,13 @@ static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, offset = RCANFD_C_GAFL_OFFSET; /* Accept all IDs */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, rule_entry_index), 0); /* IDE or RTR is not considered for matching */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, rule_entry_index), 0); /* Any data length accepted */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, rule_entry_index), 0); /* Place the msg in corresponding Rx FIFO entry */ - rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, start), + rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, rule_entry_index), RCANFD_GAFLP1_GAFLFDP(ridx)); /* Disable write access to page */ @@ -1851,6 +1843,7 @@ static int rcar_canfd_probe(struct platform_device *pdev) unsigned long channels_mask = 0; int err, ch_irq, g_irq; int g_err_irq, g_recc_irq; + u32 rule_entry = 0; bool fdmode = true; /* CAN FD only mode - default */ char name[9] = "channelX"; int i; @@ -2023,7 +2016,8 @@ static int rcar_canfd_probe(struct platform_device *pdev) rcar_canfd_configure_tx(gpriv, ch); /* Configure receive rules */ - rcar_canfd_configure_afl_rules(gpriv, ch); + rcar_canfd_configure_afl_rules(gpriv, ch, rule_entry); + rule_entry += RCANFD_CHANNEL_NUMRULES; } /* Configure common interrupts */

1 month

1
0
0 0

FAILED: patch "[PATCH] can: rcar_canfd: Fix page entries in the AFL list" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1dba0a37644ed3022558165bbb5cb9bda540eaf7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032439-lumpiness-enchilada-083b@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1dba0a37644ed3022558165bbb5cb9bda540eaf7 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Fri, 7 Mar 2025 17:03:27 +0000 Subject: [PATCH] can: rcar_canfd: Fix page entries in the AFL list There are a total of 96 AFL pages and each page has 16 entries with registers CFDGAFLIDr, CFDGAFLMr, CFDGAFLP0r, CFDGAFLP1r holding the rule entries (r = 0..15). Currently, RCANFD_GAFL* macros use a start variable to find AFL entries, which is incorrect as the testing on RZ/G3E shows ch1 and ch4 gets a start value of 0 and the register contents are overwritten. Fix this issue by using rule_entry corresponding to the channel to find the page entries in the AFL list. Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Tested-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Link: https://patch.msgid.link/20250307170330.173425-3-biju.das.jz@bp.renesas.com Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c index df1a5d0b37b2..aa3df0d05b85 100644 --- a/drivers/net/can/rcar/rcar_canfd.c +++ b/drivers/net/can/rcar/rcar_canfd.c @@ -787,22 +787,14 @@ static void rcar_canfd_configure_controller(struct rcar_canfd_global *gpriv) } static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, - u32 ch) + u32 ch, u32 rule_entry) { - u32 cfg; - int offset, start, page, num_rules = RCANFD_CHANNEL_NUMRULES; + int offset, page, num_rules = RCANFD_CHANNEL_NUMRULES; + u32 rule_entry_index = rule_entry % 16; u32 ridx = ch + RCANFD_RFFIFO_IDX; - if (ch == 0) { - start = 0; /* Channel 0 always starts from 0th rule */ - } else { - /* Get number of Channel 0 rules and adjust */ - cfg = rcar_canfd_read(gpriv->base, RCANFD_GAFLCFG(ch)); - start = RCANFD_GAFLCFG_GETRNC(gpriv, 0, cfg); - } - /* Enable write access to entry */ - page = RCANFD_GAFL_PAGENUM(start); + page = RCANFD_GAFL_PAGENUM(rule_entry); rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLECTR, (RCANFD_GAFLECTR_AFLPN(gpriv, page) | RCANFD_GAFLECTR_AFLDAE)); @@ -818,13 +810,13 @@ static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, offset = RCANFD_C_GAFL_OFFSET; /* Accept all IDs */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, rule_entry_index), 0); /* IDE or RTR is not considered for matching */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, rule_entry_index), 0); /* Any data length accepted */ - rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, start), 0); + rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, rule_entry_index), 0); /* Place the msg in corresponding Rx FIFO entry */ - rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, start), + rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, rule_entry_index), RCANFD_GAFLP1_GAFLFDP(ridx)); /* Disable write access to page */ @@ -1851,6 +1843,7 @@ static int rcar_canfd_probe(struct platform_device *pdev) unsigned long channels_mask = 0; int err, ch_irq, g_irq; int g_err_irq, g_recc_irq; + u32 rule_entry = 0; bool fdmode = true; /* CAN FD only mode - default */ char name[9] = "channelX"; int i; @@ -2023,7 +2016,8 @@ static int rcar_canfd_probe(struct platform_device *pdev) rcar_canfd_configure_tx(gpriv, ch); /* Configure receive rules */ - rcar_canfd_configure_afl_rules(gpriv, ch); + rcar_canfd_configure_afl_rules(gpriv, ch, rule_entry); + rule_entry += RCANFD_CHANNEL_NUMRULES; } /* Configure common interrupts */

1 month

1
0
0 0

FAILED: patch "[PATCH] net: mana: Support holes in device list reply msg" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2fc8a346625eb1abfe202062c7e6a13d76cde5ea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032413-glory-module-21c4@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2fc8a346625eb1abfe202062c7e6a13d76cde5ea Mon Sep 17 00:00:00 2001 From: Haiyang Zhang <haiyangz(a)microsoft.com> Date: Tue, 11 Mar 2025 13:12:54 -0700 Subject: [PATCH] net: mana: Support holes in device list reply msg According to GDMA protocol, holes (zeros) are allowed at the beginning or middle of the gdma_list_devices_resp message. The existing code cannot properly handle this, and may miss some devices in the list. To fix, scan the entire list until the num_of_devs are found, or until the end of the list. Cc: stable(a)vger.kernel.org Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> Reviewed-by: Long Li <longli(a)microsoft.com> Reviewed-by: Shradha Gupta <shradhagupta(a)microsoft.com> Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Link: https://patch.msgid.link/1741723974-1534-1-git-send-email-haiyangz@microsof… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c index 11457b6296cc..638ef64d639f 100644 --- a/drivers/net/ethernet/microsoft/mana/gdma_main.c +++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c @@ -134,9 +134,10 @@ static int mana_gd_detect_devices(struct pci_dev *pdev) struct gdma_list_devices_resp resp = {}; struct gdma_general_req req = {}; struct gdma_dev_id dev; - u32 i, max_num_devs; + int found_dev = 0; u16 dev_type; int err; + u32 i; mana_gd_init_req_hdr(&req.hdr, GDMA_LIST_DEVICES, sizeof(req), sizeof(resp)); @@ -148,12 +149,17 @@ static int mana_gd_detect_devices(struct pci_dev *pdev) return err ? err : -EPROTO; } - max_num_devs = min_t(u32, MAX_NUM_GDMA_DEVICES, resp.num_of_devs); - - for (i = 0; i < max_num_devs; i++) { + for (i = 0; i < GDMA_DEV_LIST_SIZE && + found_dev < resp.num_of_devs; i++) { dev = resp.devs[i]; dev_type = dev.type; + /* Skip empty devices */ + if (dev.as_uint32 == 0) + continue; + + found_dev++; + /* HWC is already detected in mana_hwc_create_channel(). */ if (dev_type == GDMA_DEVICE_HWC) continue; diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h index 90f56656b572..62e9d7673862 100644 --- a/include/net/mana/gdma.h +++ b/include/net/mana/gdma.h @@ -408,8 +408,6 @@ struct gdma_context { struct gdma_dev mana_ib; }; -#define MAX_NUM_GDMA_DEVICES 4 - static inline bool mana_gd_is_mana(struct gdma_dev *gd) { return gd->dev_id.type == GDMA_DEVICE_MANA; @@ -556,11 +554,15 @@ enum { #define GDMA_DRV_CAP_FLAG_1_HWC_TIMEOUT_RECONFIG BIT(3) #define GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT BIT(5) +/* Driver can handle holes (zeros) in the device list */ +#define GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP BIT(11) + #define GDMA_DRV_CAP_FLAGS1 \ (GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \ GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX | \ GDMA_DRV_CAP_FLAG_1_HWC_TIMEOUT_RECONFIG | \ - GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT) + GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT | \ + GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP) #define GDMA_DRV_CAP_FLAGS2 0 @@ -621,11 +623,12 @@ struct gdma_query_max_resources_resp { }; /* HW DATA */ /* GDMA_LIST_DEVICES */ +#define GDMA_DEV_LIST_SIZE 64 struct gdma_list_devices_resp { struct gdma_resp_hdr hdr; u32 num_of_devs; u32 reserved; - struct gdma_dev_id devs[64]; + struct gdma_dev_id devs[GDMA_DEV_LIST_SIZE]; }; /* HW DATA */ /* GDMA_REGISTER_DEVICE */

1 month

1
0
0 0

FAILED: patch "[PATCH] net: mana: Support holes in device list reply msg" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2fc8a346625eb1abfe202062c7e6a13d76cde5ea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032412-snide-glade-6a21@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2fc8a346625eb1abfe202062c7e6a13d76cde5ea Mon Sep 17 00:00:00 2001 From: Haiyang Zhang <haiyangz(a)microsoft.com> Date: Tue, 11 Mar 2025 13:12:54 -0700 Subject: [PATCH] net: mana: Support holes in device list reply msg According to GDMA protocol, holes (zeros) are allowed at the beginning or middle of the gdma_list_devices_resp message. The existing code cannot properly handle this, and may miss some devices in the list. To fix, scan the entire list until the num_of_devs are found, or until the end of the list. Cc: stable(a)vger.kernel.org Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> Reviewed-by: Long Li <longli(a)microsoft.com> Reviewed-by: Shradha Gupta <shradhagupta(a)microsoft.com> Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Link: https://patch.msgid.link/1741723974-1534-1-git-send-email-haiyangz@microsof… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c index 11457b6296cc..638ef64d639f 100644 --- a/drivers/net/ethernet/microsoft/mana/gdma_main.c +++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c @@ -134,9 +134,10 @@ static int mana_gd_detect_devices(struct pci_dev *pdev) struct gdma_list_devices_resp resp = {}; struct gdma_general_req req = {}; struct gdma_dev_id dev; - u32 i, max_num_devs; + int found_dev = 0; u16 dev_type; int err; + u32 i; mana_gd_init_req_hdr(&req.hdr, GDMA_LIST_DEVICES, sizeof(req), sizeof(resp)); @@ -148,12 +149,17 @@ static int mana_gd_detect_devices(struct pci_dev *pdev) return err ? err : -EPROTO; } - max_num_devs = min_t(u32, MAX_NUM_GDMA_DEVICES, resp.num_of_devs); - - for (i = 0; i < max_num_devs; i++) { + for (i = 0; i < GDMA_DEV_LIST_SIZE && + found_dev < resp.num_of_devs; i++) { dev = resp.devs[i]; dev_type = dev.type; + /* Skip empty devices */ + if (dev.as_uint32 == 0) + continue; + + found_dev++; + /* HWC is already detected in mana_hwc_create_channel(). */ if (dev_type == GDMA_DEVICE_HWC) continue; diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h index 90f56656b572..62e9d7673862 100644 --- a/include/net/mana/gdma.h +++ b/include/net/mana/gdma.h @@ -408,8 +408,6 @@ struct gdma_context { struct gdma_dev mana_ib; }; -#define MAX_NUM_GDMA_DEVICES 4 - static inline bool mana_gd_is_mana(struct gdma_dev *gd) { return gd->dev_id.type == GDMA_DEVICE_MANA; @@ -556,11 +554,15 @@ enum { #define GDMA_DRV_CAP_FLAG_1_HWC_TIMEOUT_RECONFIG BIT(3) #define GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT BIT(5) +/* Driver can handle holes (zeros) in the device list */ +#define GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP BIT(11) + #define GDMA_DRV_CAP_FLAGS1 \ (GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \ GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX | \ GDMA_DRV_CAP_FLAG_1_HWC_TIMEOUT_RECONFIG | \ - GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT) + GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT | \ + GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP) #define GDMA_DRV_CAP_FLAGS2 0 @@ -621,11 +623,12 @@ struct gdma_query_max_resources_resp { }; /* HW DATA */ /* GDMA_LIST_DEVICES */ +#define GDMA_DEV_LIST_SIZE 64 struct gdma_list_devices_resp { struct gdma_resp_hdr hdr; u32 num_of_devs; u32 reserved; - struct gdma_dev_id devs[64]; + struct gdma_dev_id devs[GDMA_DEV_LIST_SIZE]; }; /* HW DATA */ /* GDMA_REGISTER_DEVICE */

1 month

1
0
0 0

FAILED: patch "[PATCH] net: mana: Support holes in device list reply msg" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2fc8a346625eb1abfe202062c7e6a13d76cde5ea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032412-consonant-junkman-ebff@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2fc8a346625eb1abfe202062c7e6a13d76cde5ea Mon Sep 17 00:00:00 2001 From: Haiyang Zhang <haiyangz(a)microsoft.com> Date: Tue, 11 Mar 2025 13:12:54 -0700 Subject: [PATCH] net: mana: Support holes in device list reply msg According to GDMA protocol, holes (zeros) are allowed at the beginning or middle of the gdma_list_devices_resp message. The existing code cannot properly handle this, and may miss some devices in the list. To fix, scan the entire list until the num_of_devs are found, or until the end of the list. Cc: stable(a)vger.kernel.org Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> Reviewed-by: Long Li <longli(a)microsoft.com> Reviewed-by: Shradha Gupta <shradhagupta(a)microsoft.com> Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Link: https://patch.msgid.link/1741723974-1534-1-git-send-email-haiyangz@microsof… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c index 11457b6296cc..638ef64d639f 100644 --- a/drivers/net/ethernet/microsoft/mana/gdma_main.c +++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c @@ -134,9 +134,10 @@ static int mana_gd_detect_devices(struct pci_dev *pdev) struct gdma_list_devices_resp resp = {}; struct gdma_general_req req = {}; struct gdma_dev_id dev; - u32 i, max_num_devs; + int found_dev = 0; u16 dev_type; int err; + u32 i; mana_gd_init_req_hdr(&req.hdr, GDMA_LIST_DEVICES, sizeof(req), sizeof(resp)); @@ -148,12 +149,17 @@ static int mana_gd_detect_devices(struct pci_dev *pdev) return err ? err : -EPROTO; } - max_num_devs = min_t(u32, MAX_NUM_GDMA_DEVICES, resp.num_of_devs); - - for (i = 0; i < max_num_devs; i++) { + for (i = 0; i < GDMA_DEV_LIST_SIZE && + found_dev < resp.num_of_devs; i++) { dev = resp.devs[i]; dev_type = dev.type; + /* Skip empty devices */ + if (dev.as_uint32 == 0) + continue; + + found_dev++; + /* HWC is already detected in mana_hwc_create_channel(). */ if (dev_type == GDMA_DEVICE_HWC) continue; diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h index 90f56656b572..62e9d7673862 100644 --- a/include/net/mana/gdma.h +++ b/include/net/mana/gdma.h @@ -408,8 +408,6 @@ struct gdma_context { struct gdma_dev mana_ib; }; -#define MAX_NUM_GDMA_DEVICES 4 - static inline bool mana_gd_is_mana(struct gdma_dev *gd) { return gd->dev_id.type == GDMA_DEVICE_MANA; @@ -556,11 +554,15 @@ enum { #define GDMA_DRV_CAP_FLAG_1_HWC_TIMEOUT_RECONFIG BIT(3) #define GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT BIT(5) +/* Driver can handle holes (zeros) in the device list */ +#define GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP BIT(11) + #define GDMA_DRV_CAP_FLAGS1 \ (GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \ GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX | \ GDMA_DRV_CAP_FLAG_1_HWC_TIMEOUT_RECONFIG | \ - GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT) + GDMA_DRV_CAP_FLAG_1_VARIABLE_INDIRECTION_TABLE_SUPPORT | \ + GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP) #define GDMA_DRV_CAP_FLAGS2 0 @@ -621,11 +623,12 @@ struct gdma_query_max_resources_resp { }; /* HW DATA */ /* GDMA_LIST_DEVICES */ +#define GDMA_DEV_LIST_SIZE 64 struct gdma_list_devices_resp { struct gdma_resp_hdr hdr; u32 num_of_devs; u32 reserved; - struct gdma_dev_id devs[64]; + struct gdma_dev_id devs[GDMA_DEV_LIST_SIZE]; }; /* HW DATA */ /* GDMA_REGISTER_DEVICE */

1 month

1
0
0 0

FAILED: patch "[PATCH] tracing: Correct the refcount if the hist/hist_debug file" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032436-smite-outspoken-5c4c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 Mon Sep 17 00:00:00 2001 From: Tengda Wu <wutengda(a)huaweicloud.com> Date: Fri, 14 Mar 2025 06:53:35 +0000 Subject: [PATCH] tracing: Correct the refcount if the hist/hist_debug file fails to open The function event_{hist,hist_debug}_open() maintains the refcount of 'file->tr' and 'file' through tracing_open_file_tr(). However, it does not roll back these counts on subsequent failure paths, resulting in a refcount leak. A very obvious case is that if the hist/hist_debug file belongs to a specific instance, the refcount leak will prevent the deletion of that instance, as it relies on the condition 'tr->ref == 1' within __remove_instance(). Fix this by calling tracing_release_file_tr() on all failure paths in event_{hist,hist_debug}_open() to correct the refcount. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Zheng Yejian <zhengyejian1(a)huawei.com> Link: https://lore.kernel.org/20250314065335.1202817-1-wutengda@huaweicloud.com Fixes: 1cc111b9cddc ("tracing: Fix uaf issue when open the hist or hist_debug file") Signed-off-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index ad7419e24055..53dc6719181e 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5689,12 +5689,16 @@ static int event_hist_open(struct inode *inode, struct file *file) guard(mutex)(&event_mutex); event_file = event_file_data(file); - if (!event_file) - return -ENODEV; + if (!event_file) { + ret = -ENODEV; + goto err; + } hist_file = kzalloc(sizeof(*hist_file), GFP_KERNEL); - if (!hist_file) - return -ENOMEM; + if (!hist_file) { + ret = -ENOMEM; + goto err; + } hist_file->file = file; hist_file->last_act = get_hist_hit_count(event_file); @@ -5702,9 +5706,14 @@ static int event_hist_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; ret = single_open(file, hist_show, hist_file); - if (ret) + if (ret) { kfree(hist_file); + goto err; + } + return 0; +err: + tracing_release_file_tr(inode, file); return ret; } @@ -5979,7 +5988,10 @@ static int event_hist_debug_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; - return single_open(file, hist_debug_show, file); + ret = single_open(file, hist_debug_show, file); + if (ret) + tracing_release_file_tr(inode, file); + return ret; } const struct file_operations event_hist_debug_fops = {

1 month

1
0
0 0

FAILED: patch "[PATCH] tracing: Correct the refcount if the hist/hist_debug file" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032436-navy-cornfield-5bd2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 Mon Sep 17 00:00:00 2001 From: Tengda Wu <wutengda(a)huaweicloud.com> Date: Fri, 14 Mar 2025 06:53:35 +0000 Subject: [PATCH] tracing: Correct the refcount if the hist/hist_debug file fails to open The function event_{hist,hist_debug}_open() maintains the refcount of 'file->tr' and 'file' through tracing_open_file_tr(). However, it does not roll back these counts on subsequent failure paths, resulting in a refcount leak. A very obvious case is that if the hist/hist_debug file belongs to a specific instance, the refcount leak will prevent the deletion of that instance, as it relies on the condition 'tr->ref == 1' within __remove_instance(). Fix this by calling tracing_release_file_tr() on all failure paths in event_{hist,hist_debug}_open() to correct the refcount. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Zheng Yejian <zhengyejian1(a)huawei.com> Link: https://lore.kernel.org/20250314065335.1202817-1-wutengda@huaweicloud.com Fixes: 1cc111b9cddc ("tracing: Fix uaf issue when open the hist or hist_debug file") Signed-off-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index ad7419e24055..53dc6719181e 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5689,12 +5689,16 @@ static int event_hist_open(struct inode *inode, struct file *file) guard(mutex)(&event_mutex); event_file = event_file_data(file); - if (!event_file) - return -ENODEV; + if (!event_file) { + ret = -ENODEV; + goto err; + } hist_file = kzalloc(sizeof(*hist_file), GFP_KERNEL); - if (!hist_file) - return -ENOMEM; + if (!hist_file) { + ret = -ENOMEM; + goto err; + } hist_file->file = file; hist_file->last_act = get_hist_hit_count(event_file); @@ -5702,9 +5706,14 @@ static int event_hist_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; ret = single_open(file, hist_show, hist_file); - if (ret) + if (ret) { kfree(hist_file); + goto err; + } + return 0; +err: + tracing_release_file_tr(inode, file); return ret; } @@ -5979,7 +5988,10 @@ static int event_hist_debug_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; - return single_open(file, hist_debug_show, file); + ret = single_open(file, hist_debug_show, file); + if (ret) + tracing_release_file_tr(inode, file); + return ret; } const struct file_operations event_hist_debug_fops = {

1 month

1
0
0 0

FAILED: patch "[PATCH] tracing: Correct the refcount if the hist/hist_debug file" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032435-exes-bloomers-fcd8@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 Mon Sep 17 00:00:00 2001 From: Tengda Wu <wutengda(a)huaweicloud.com> Date: Fri, 14 Mar 2025 06:53:35 +0000 Subject: [PATCH] tracing: Correct the refcount if the hist/hist_debug file fails to open The function event_{hist,hist_debug}_open() maintains the refcount of 'file->tr' and 'file' through tracing_open_file_tr(). However, it does not roll back these counts on subsequent failure paths, resulting in a refcount leak. A very obvious case is that if the hist/hist_debug file belongs to a specific instance, the refcount leak will prevent the deletion of that instance, as it relies on the condition 'tr->ref == 1' within __remove_instance(). Fix this by calling tracing_release_file_tr() on all failure paths in event_{hist,hist_debug}_open() to correct the refcount. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Zheng Yejian <zhengyejian1(a)huawei.com> Link: https://lore.kernel.org/20250314065335.1202817-1-wutengda@huaweicloud.com Fixes: 1cc111b9cddc ("tracing: Fix uaf issue when open the hist or hist_debug file") Signed-off-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index ad7419e24055..53dc6719181e 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5689,12 +5689,16 @@ static int event_hist_open(struct inode *inode, struct file *file) guard(mutex)(&event_mutex); event_file = event_file_data(file); - if (!event_file) - return -ENODEV; + if (!event_file) { + ret = -ENODEV; + goto err; + } hist_file = kzalloc(sizeof(*hist_file), GFP_KERNEL); - if (!hist_file) - return -ENOMEM; + if (!hist_file) { + ret = -ENOMEM; + goto err; + } hist_file->file = file; hist_file->last_act = get_hist_hit_count(event_file); @@ -5702,9 +5706,14 @@ static int event_hist_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; ret = single_open(file, hist_show, hist_file); - if (ret) + if (ret) { kfree(hist_file); + goto err; + } + return 0; +err: + tracing_release_file_tr(inode, file); return ret; } @@ -5979,7 +5988,10 @@ static int event_hist_debug_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; - return single_open(file, hist_debug_show, file); + ret = single_open(file, hist_debug_show, file); + if (ret) + tracing_release_file_tr(inode, file); + return ret; } const struct file_operations event_hist_debug_fops = {

1 month

1
0
0 0

FAILED: patch "[PATCH] tracing: Correct the refcount if the hist/hist_debug file" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032434-briskness-unpainted-89ab@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 Mon Sep 17 00:00:00 2001 From: Tengda Wu <wutengda(a)huaweicloud.com> Date: Fri, 14 Mar 2025 06:53:35 +0000 Subject: [PATCH] tracing: Correct the refcount if the hist/hist_debug file fails to open The function event_{hist,hist_debug}_open() maintains the refcount of 'file->tr' and 'file' through tracing_open_file_tr(). However, it does not roll back these counts on subsequent failure paths, resulting in a refcount leak. A very obvious case is that if the hist/hist_debug file belongs to a specific instance, the refcount leak will prevent the deletion of that instance, as it relies on the condition 'tr->ref == 1' within __remove_instance(). Fix this by calling tracing_release_file_tr() on all failure paths in event_{hist,hist_debug}_open() to correct the refcount. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Zheng Yejian <zhengyejian1(a)huawei.com> Link: https://lore.kernel.org/20250314065335.1202817-1-wutengda@huaweicloud.com Fixes: 1cc111b9cddc ("tracing: Fix uaf issue when open the hist or hist_debug file") Signed-off-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index ad7419e24055..53dc6719181e 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5689,12 +5689,16 @@ static int event_hist_open(struct inode *inode, struct file *file) guard(mutex)(&event_mutex); event_file = event_file_data(file); - if (!event_file) - return -ENODEV; + if (!event_file) { + ret = -ENODEV; + goto err; + } hist_file = kzalloc(sizeof(*hist_file), GFP_KERNEL); - if (!hist_file) - return -ENOMEM; + if (!hist_file) { + ret = -ENOMEM; + goto err; + } hist_file->file = file; hist_file->last_act = get_hist_hit_count(event_file); @@ -5702,9 +5706,14 @@ static int event_hist_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; ret = single_open(file, hist_show, hist_file); - if (ret) + if (ret) { kfree(hist_file); + goto err; + } + return 0; +err: + tracing_release_file_tr(inode, file); return ret; } @@ -5979,7 +5988,10 @@ static int event_hist_debug_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; - return single_open(file, hist_debug_show, file); + ret = single_open(file, hist_debug_show, file); + if (ret) + tracing_release_file_tr(inode, file); + return ret; } const struct file_operations event_hist_debug_fops = {

1 month

1
0
0 0

FAILED: patch "[PATCH] tracing: Correct the refcount if the hist/hist_debug file" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032433-fancied-equate-04ec@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04 Mon Sep 17 00:00:00 2001 From: Tengda Wu <wutengda(a)huaweicloud.com> Date: Fri, 14 Mar 2025 06:53:35 +0000 Subject: [PATCH] tracing: Correct the refcount if the hist/hist_debug file fails to open The function event_{hist,hist_debug}_open() maintains the refcount of 'file->tr' and 'file' through tracing_open_file_tr(). However, it does not roll back these counts on subsequent failure paths, resulting in a refcount leak. A very obvious case is that if the hist/hist_debug file belongs to a specific instance, the refcount leak will prevent the deletion of that instance, as it relies on the condition 'tr->ref == 1' within __remove_instance(). Fix this by calling tracing_release_file_tr() on all failure paths in event_{hist,hist_debug}_open() to correct the refcount. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Zheng Yejian <zhengyejian1(a)huawei.com> Link: https://lore.kernel.org/20250314065335.1202817-1-wutengda@huaweicloud.com Fixes: 1cc111b9cddc ("tracing: Fix uaf issue when open the hist or hist_debug file") Signed-off-by: Tengda Wu <wutengda(a)huaweicloud.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index ad7419e24055..53dc6719181e 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5689,12 +5689,16 @@ static int event_hist_open(struct inode *inode, struct file *file) guard(mutex)(&event_mutex); event_file = event_file_data(file); - if (!event_file) - return -ENODEV; + if (!event_file) { + ret = -ENODEV; + goto err; + } hist_file = kzalloc(sizeof(*hist_file), GFP_KERNEL); - if (!hist_file) - return -ENOMEM; + if (!hist_file) { + ret = -ENOMEM; + goto err; + } hist_file->file = file; hist_file->last_act = get_hist_hit_count(event_file); @@ -5702,9 +5706,14 @@ static int event_hist_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; ret = single_open(file, hist_show, hist_file); - if (ret) + if (ret) { kfree(hist_file); + goto err; + } + return 0; +err: + tracing_release_file_tr(inode, file); return ret; } @@ -5979,7 +5988,10 @@ static int event_hist_debug_open(struct inode *inode, struct file *file) /* Clear private_data to avoid warning in single_open() */ file->private_data = NULL; - return single_open(file, hist_debug_show, file); + ret = single_open(file, hist_debug_show, file); + if (ret) + tracing_release_file_tr(inode, file); + return ret; } const struct file_operations event_hist_debug_fops = {

1 month

1
0
0 0

[PATCH] wifi: ath11k: fix rx completion meta data corruption

by Johan Hovold

Add the missing memory barrier to make sure that the REO dest ring descriptor is read after the head pointer to avoid using stale data on weakly ordered architectures like aarch64. This may fix the ring-buffer corruption worked around by commit f9fff67d2d7c ("wifi: ath11k: Fix SKB corruption in REO destination ring") by silently discarding data, and may possibly also address user reported errors like: ath11k_pci 0006:01:00.0: msdu_done bit in attention is not set Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org # 5.6 Link: https://bugzilla.kernel.org/show_bug.cgi?id=218005 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- As I reported here: https://lore.kernel.org/lkml/Z9G5zEOcTdGKm7Ei@hovoldconsulting.com/ the ath11k and ath12k appear to be missing a number of memory barriers that are required on weakly ordered architectures like aarch64 to avoid memory corruption issues. Here's a fix for one more such case which people already seem to be hitting. Note that I've seen one "msdu_done" bit not set warning also with this patch so whether it helps with that at all remains to be seen. I'm CCing Jens and Steev that see these warnings frequently and that may be able to help out with testing. Johan drivers/net/wireless/ath/ath11k/dp_rx.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 029ecf51c9ef..0a57b337e4c6 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2646,7 +2646,7 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, struct ath11k *ar; struct hal_reo_dest_ring *desc; enum hal_reo_dest_ring_push_reason push_reason; - u32 cookie; + u32 cookie, info0, rx_msdu_info0, rx_mpdu_info0; int i; for (i = 0; i < MAX_RADIOS; i++) @@ -2659,11 +2659,14 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, try_again: ath11k_hal_srng_access_begin(ab, srng); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while (likely(desc = (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab, srng))) { cookie = FIELD_GET(BUFFER_ADDR_INFO1_SW_COOKIE, - desc->buf_addr_info.info1); + READ_ONCE(desc->buf_addr_info.info1)); buf_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_BUF_ID, cookie); mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie); @@ -2692,8 +2695,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, num_buffs_reaped[mac_id]++; + info0 = READ_ONCE(desc->info0); push_reason = FIELD_GET(HAL_REO_DEST_RING_INFO0_PUSH_REASON, - desc->info0); + info0); if (unlikely(push_reason != HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) { dev_kfree_skb_any(msdu); @@ -2701,18 +2705,21 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, continue; } - rxcb->is_first_msdu = !!(desc->rx_msdu_info.info0 & + rx_msdu_info0 = READ_ONCE(desc->rx_msdu_info.info0); + rx_mpdu_info0 = READ_ONCE(desc->rx_mpdu_info.info0); + + rxcb->is_first_msdu = !!(rx_msdu_info0 & RX_MSDU_DESC_INFO0_FIRST_MSDU_IN_MPDU); - rxcb->is_last_msdu = !!(desc->rx_msdu_info.info0 & + rxcb->is_last_msdu = !!(rx_msdu_info0 & RX_MSDU_DESC_INFO0_LAST_MSDU_IN_MPDU); - rxcb->is_continuation = !!(desc->rx_msdu_info.info0 & + rxcb->is_continuation = !!(rx_msdu_info0 & RX_MSDU_DESC_INFO0_MSDU_CONTINUATION); rxcb->peer_id = FIELD_GET(RX_MPDU_DESC_META_DATA_PEER_ID, - desc->rx_mpdu_info.meta_data); + READ_ONCE(desc->rx_mpdu_info.meta_data)); rxcb->seq_no = FIELD_GET(RX_MPDU_DESC_INFO0_SEQ_NUM, - desc->rx_mpdu_info.info0); + rx_mpdu_info0); rxcb->tid = FIELD_GET(HAL_REO_DEST_RING_INFO0_RX_QUEUE_NUM, - desc->info0); + info0); rxcb->mac_id = mac_id; __skb_queue_tail(&msdu_list[mac_id], msdu); -- 2.48.1

1 month

5
6
0 0

[PATCH 2/3] [RFC] drm/i915/gvt: Fix opregion_header->signature size

by Nicolas Chauvet

Enlarge the signature field to accept the string termination. Cc: stable(a)vger.kernel.org Fixes: 93615d59912 ("Revert drm/i915/gvt: Fix out-of-bounds buffer write into opregion->signature[]") Signed-off-by: Nicolas Chauvet <kwizart(a)gmail.com> --- drivers/gpu/drm/i915/gvt/opregion.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gvt/opregion.c b/drivers/gpu/drm/i915/gvt/opregion.c index 9a8ead6039e2..0f11cd6ba383 100644 --- a/drivers/gpu/drm/i915/gvt/opregion.c +++ b/drivers/gpu/drm/i915/gvt/opregion.c @@ -43,7 +43,7 @@ #define DEVICE_TYPE_EFP4 0x10 struct opregion_header { - u8 signature[16]; + u8 signature[32]; u32 size; u32 opregion_ver; u8 bios_ver[32]; -- 2.49.0

1 month

2
4
0 0

[PATCH v2] platform/x86: thinkpad_acpi: disable ACPI fan access for T495* and E560

by Seyediman Seyedarab

From: Eduard Christian Dumitrescu <eduard.c.dumitrescu(a)gmail.com> The bug was introduced in commit 57d0557dfa49 ("platform/x86: thinkpad_acpi: Add Thinkpad Edge E531 fan support") which adds a new fan control method via the FANG and FANW ACPI methods. T945, T495s, and E560 laptops have the FANG+FANW ACPI methods (therefore fang_handle and fanw_handle are not NULL) but they do not actually work, which results in the dreaded "No such device or address" error. Fan access and control is restored after forcing the legacy non-ACPI fan control method by setting both fang_handle and fanw_handle to NULL. The DSDT table code for the FANG+FANW methods doesn't seem to do anything special regarding the fan being secondary. This patch adds a quirk for T495, T495s, and E560 to make them avoid the FANG/FANW methods. Cc: stable(a)vger.kernel.org Fixes: 57d0557dfa49 ("platform/x86: thinkpad_acpi: Add Thinkpad Edge E531 fan support") Reported-by: Vlastimil Holer <vlastimil.holer(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219643 Tested-by: crok <crok.bic(a)gmail.com> Tested-by: Alireza Elikahi <scr0lll0ck1s4b0v3h0m3k3y(a)gmail.com> Signed-off-by: Eduard Christian Dumitrescu <eduard.c.dumitrescu(a)gmail.com> Co-developed-by: Seyediman Seyedarab <ImanDevel(a)gmail.com> Signed-off-by: Seyediman Seyedarab <ImanDevel(a)gmail.com> --- Changes in v2: - Added the From: tag for the original author - Replaced the Co-authored-by tag with Co-developed-by - Cc'd stable(a)vger.kernel.org - Removed the extra space inside the comment - Dropped nullification of sfan/gfan_handle, as it's unrelated to the current fix Kindest Regards, Seyediman drivers/platform/x86/thinkpad_acpi.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c index d8df1405edfa..27fd67a2f2d1 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -8793,6 +8793,7 @@ static const struct attribute_group fan_driver_attr_group = { #define TPACPI_FAN_NS 0x0010 /* For EC with non-Standard register addresses */ #define TPACPI_FAN_DECRPM 0x0020 /* For ECFW's with RPM in register as decimal */ #define TPACPI_FAN_TPR 0x0040 /* Fan speed is in Ticks Per Revolution */ +#define TPACPI_FAN_NOACPI 0x0080 /* Don't use ACPI methods even if detected */ static const struct tpacpi_quirk fan_quirk_table[] __initconst = { TPACPI_QEC_IBM('1', 'Y', TPACPI_FAN_Q1), @@ -8823,6 +8824,9 @@ static const struct tpacpi_quirk fan_quirk_table[] __initconst = { TPACPI_Q_LNV3('N', '1', 'O', TPACPI_FAN_NOFAN), /* X1 Tablet (2nd gen) */ TPACPI_Q_LNV3('R', '0', 'Q', TPACPI_FAN_DECRPM),/* L480 */ TPACPI_Q_LNV('8', 'F', TPACPI_FAN_TPR), /* ThinkPad x120e */ + TPACPI_Q_LNV3('R', '0', '0', TPACPI_FAN_NOACPI),/* E560 */ + TPACPI_Q_LNV3('R', '1', '2', TPACPI_FAN_NOACPI),/* T495 */ + TPACPI_Q_LNV3('R', '1', '3', TPACPI_FAN_NOACPI),/* T495s */ }; static int __init fan_init(struct ibm_init_struct *iibm) @@ -8874,6 +8878,13 @@ static int __init fan_init(struct ibm_init_struct *iibm) tp_features.fan_ctrl_status_undef = 1; } + if (quirks & TPACPI_FAN_NOACPI) { + /* E560, T495, T495s */ + pr_info("Ignoring buggy ACPI fan access method\n"); + fang_handle = NULL; + fanw_handle = NULL; + } + if (gfan_handle) { /* 570, 600e/x, 770e, 770x */ fan_status_access_mode = TPACPI_FAN_RD_ACPI_GFAN; -- 2.48.1

1 month

3
3
0 0

[PATCH RESEND] fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()

by Qasim Ijaz

fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference. Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL(). Reviewed-by: Marco Pagani <marco.pagani(a)linux.dev> Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/fpga/tests/fpga-mgr-test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c index 9cb37aefbac4..1902ebf5a298 100644 --- a/drivers/fpga/tests/fpga-mgr-test.c +++ b/drivers/fpga/tests/fpga-mgr-test.c @@ -263,6 +263,7 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test) img_buf = init_test_buffer(test, IMAGE_SIZE); sgt = kunit_kzalloc(test, sizeof(*sgt), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sgt); ret = sg_alloc_table(sgt, 1, GFP_KERNEL); KUNIT_ASSERT_EQ(test, ret, 0); sg_init_one(sgt->sgl, img_buf, IMAGE_SIZE); -- 2.39.5

1 month, 1 week

1
0
0 0

[PATCH] arm64: dts: rockchip: Remove overdrive-mode OPPs from RK3588J SoC dtsi

by Dragan Simic

The differences in the vendor-approved CPU and GPU OPPs for the standard Rockchip RK3588 variant [1] and the industrial Rockchip RK3588J variant [2] come from the latter, presumably, supporting an extended temperature range that's usually associated with industrial applications, despite the two SoC variant datasheets specifying the same upper limit for the allowed ambient temperature for both variants. However, the lower temperature limit is specified much lower for the RK3588J variant. [1][2] To be on the safe side and to ensure maximum longevity of the RK3588J SoCs, only the CPU and GPU OPPs that are declared by the vendor to be always safe for this SoC variant may be provided. As explained by the vendor [3] and according to its datasheet, [2] the RK3588J variant can actually run safely at higher CPU and GPU OPPs as well, but only when not enjoying the assumed extended temperature range that the RK3588J, as an SoC variant targeted specifically at industrial applications, is made (or binned) for. Thus, only the CPU and GPU OPPs that are specified by the vendor to be safe throughout the entire RK3588J's extended temperature range may be provided, while anyone who actually can ensure that their RK3588J-based board is never going to run within the extended temperature range, may probably safely apply a DT overlay that adds the higher CPU and GPU OPPs. As we obviously can't know what will be the runtime temperature conditions for a particular board, we may provide only the always-safe OPPs. With all this and the downstream RK3588(J) DT definitions [4][5] in mind, let's delete the RK3588J CPU and GPU OPPs that are not considered belonging to the normal operation mode for this SoC variant. To quote the RK3588J datasheet [2], "normal mode means the chipset works under safety voltage and frequency; for the industrial environment, highly recommend to keep in normal mode, the lifetime is reasonably guaranteed", while "overdrive mode brings higher frequency, and the voltage will increase accordingly; under the overdrive mode for a long time, the chipset may shorten the lifetime, especially in high temperature condition". To sum up the RK3588J datasheet [2] and the vendor-provided DTs, [4][5] the maximum allowed CPU core and GPU frequencies are as follows: IP core | Normal mode | Overdrive mode ------------+-------------+---------------- Cortex-A55 | 1,296 MHz | 1,704 MHz Cortex-A76 | 1,608 MHz | 2,016 MHz GPU | 700 MHz | 850 MHz Unfortunately, when it comes to the actual voltages for the RK3588J CPU and GPU OPPs, there's a discrepancy between the RK3588J datasheet [2] and the downstream kernel code. [4][5] The RK3588J datasheet states that "the max. working voltage of CPU/GPU/NPU is 0.75 V under the normal mode", while the downstream kernel code actually allows voltage ranges that go up to 0.95 V, which is still within the voltage range allowed by the datasheet. However, the RK3588J datasheet also tells us to "strictly refer to the software configuration of SDK and the hardware reference design", so let's embrace the voltage ranges provided by the downstream kernel code, which also prevents the undesirable theoretical outcome of ending up with no usable OPPs on a particular board, as a result of the board's voltage regulator(s) being unable to deliver the exact voltages, for whatever reason. The above-described voltage ranges for the RK3588J CPU OPPs remain taken from the downstream kernel code [4][5] by picking the highest, worst-bin values, which ensure that all RK3588J bins will work reliably. Yes, with some power inevitably wasted as unnecessarily generated heat, but the reliability is paramount, together with the longevity. This deficiency may be revisited separately at some point in the future. The provided RK3588J CPU OPPs follow the slightly debatable "provide only the highest-frequency OPP from the same-voltage group" approach that's been established earlier, [6] as a result of the "same-voltage, lower-frequency" OPPs being considered inefficient from the IPA governor's standpoint, which may also be revisited separately at some point in the future. [1] https://wiki.friendlyelec.com/wiki/images/e/ee/Rockchip_RK3588_Datasheet_V1… [2] https://wmsc.lcsc.com/wmsc/upload/file/pdf/v2/lcsc/2403201054_Rockchip-RK35… [3] https://lore.kernel.org/linux-rockchip/e55125ed-64fb-455e-b1e4-cebe2cf006e4… [4] https://raw.githubusercontent.com/rockchip-linux/kernel/604cec4004abe5a96c7… [5] https://raw.githubusercontent.com/rockchip-linux/kernel/604cec4004abe5a96c7… [6] https://lore.kernel.org/all/20240229-rk-dts-additions-v3-5-6afe8473a631@gma… Fixes: 667885a68658 ("arm64: dts: rockchip: Add OPP data for CPU cores on RK3588j") Fixes: a7b2070505a2 ("arm64: dts: rockchip: Split GPU OPPs of RK3588 and RK3588j") Cc: stable(a)vger.kernel.org Cc: Heiko Stuebner <heiko(a)sntech.de> Cc: Alexey Charkov <alchark(a)gmail.com> Helped-by: Quentin Schulz <quentin.schulz(a)cherry.de> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> --- arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 53 ++++++++--------------- 1 file changed, 17 insertions(+), 36 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3588j.dtsi b/arch/arm64/boot/dts/rockchip/rk3588j.dtsi index bce72bac4503..3045cb3bd68c 100644 --- a/arch/arm64/boot/dts/rockchip/rk3588j.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3588j.dtsi @@ -11,74 +11,59 @@ cluster0_opp_table: opp-table-cluster0 { compatible = "operating-points-v2"; opp-shared; - opp-1416000000 { - opp-hz = /bits/ 64 <1416000000>; + opp-1200000000 { + opp-hz = /bits/ 64 <1200000000>; opp-microvolt = <750000 750000 950000>; clock-latency-ns = <40000>; opp-suspend; }; - opp-1608000000 { - opp-hz = /bits/ 64 <1608000000>; - opp-microvolt = <887500 887500 950000>; - clock-latency-ns = <40000>; - }; - opp-1704000000 { - opp-hz = /bits/ 64 <1704000000>; - opp-microvolt = <937500 937500 950000>; + opp-1296000000 { + opp-hz = /bits/ 64 <1296000000>; + opp-microvolt = <775000 775000 950000>; clock-latency-ns = <40000>; }; }; cluster1_opp_table: opp-table-cluster1 { compatible = "operating-points-v2"; opp-shared; + opp-1200000000{ + opp-hz = /bits/ 64 <1200000000>; + opp-microvolt = <750000 750000 950000>; + clock-latency-ns = <40000>; + }; opp-1416000000 { opp-hz = /bits/ 64 <1416000000>; - opp-microvolt = <750000 750000 950000>; + opp-microvolt = <762500 762500 950000>; clock-latency-ns = <40000>; }; opp-1608000000 { opp-hz = /bits/ 64 <1608000000>; opp-microvolt = <787500 787500 950000>; clock-latency-ns = <40000>; }; - opp-1800000000 { - opp-hz = /bits/ 64 <1800000000>; - opp-microvolt = <875000 875000 950000>; - clock-latency-ns = <40000>; - }; - opp-2016000000 { - opp-hz = /bits/ 64 <2016000000>; - opp-microvolt = <950000 950000 950000>; - clock-latency-ns = <40000>; - }; }; cluster2_opp_table: opp-table-cluster2 { compatible = "operating-points-v2"; opp-shared; + opp-1200000000{ + opp-hz = /bits/ 64 <1200000000>; + opp-microvolt = <750000 750000 950000>; + clock-latency-ns = <40000>; + }; opp-1416000000 { opp-hz = /bits/ 64 <1416000000>; - opp-microvolt = <750000 750000 950000>; + opp-microvolt = <762500 762500 950000>; clock-latency-ns = <40000>; }; opp-1608000000 { opp-hz = /bits/ 64 <1608000000>; opp-microvolt = <787500 787500 950000>; clock-latency-ns = <40000>; }; - opp-1800000000 { - opp-hz = /bits/ 64 <1800000000>; - opp-microvolt = <875000 875000 950000>; - clock-latency-ns = <40000>; - }; - opp-2016000000 { - opp-hz = /bits/ 64 <2016000000>; - opp-microvolt = <950000 950000 950000>; - clock-latency-ns = <40000>; - }; }; gpu_opp_table: opp-table { @@ -104,10 +89,6 @@ opp-700000000 { opp-hz = /bits/ 64 <700000000>; opp-microvolt = <750000 750000 850000>; }; - opp-850000000 { - opp-hz = /bits/ 64 <800000000>; - opp-microvolt = <787500 787500 850000>; - }; }; };

1 month, 1 week

2
7
0 0

[PATCH 2/2] usb: typec: class: Invalidate USB device pointers on partner unregistration

by Andrei Kuchynski

To avoid using invalid USB device pointers after a Type-C partner disconnects, this patch clears the pointers upon partner unregistration. This ensures a clean state for future connections. Cc: stable(a)vger.kernel.org Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner") Signed-off-by: Andrei Kuchynski <akuchynski(a)chromium.org> --- drivers/usb/typec/class.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c index eadb150223f8..3df3e3736916 100644 --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c @@ -1086,10 +1086,14 @@ void typec_unregister_partner(struct typec_partner *partner) port = to_typec_port(partner->dev.parent); mutex_lock(&port->partner_link_lock); - if (port->usb2_dev) + if (port->usb2_dev) { typec_partner_unlink_device(partner, port->usb2_dev); - if (port->usb3_dev) + port->usb2_dev = NULL; + } + if (port->usb3_dev) { typec_partner_unlink_device(partner, port->usb3_dev); + port->usb3_dev = NULL; + } device_unregister(&partner->dev); mutex_unlock(&port->partner_link_lock); -- 2.49.0.395.g12beb8f557-goog

1 month, 1 week

3
2
0 0

[PATCH 1/2] usb: typec: class: Fix NULL pointer access

by Andrei Kuchynski

Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer dereference. This patch adds a mutex to protect USB device pointers and prevent this issue. The same mutex protects both the device pointers and the partner device registration. Cc: stable(a)vger.kernel.org Fixes: 59de2a56d127 ("usb: typec: Link enumerated USB devices with Type-C partner") Signed-off-by: Andrei Kuchynski <akuchynski(a)chromium.org> --- drivers/usb/typec/class.c | 15 +++++++++++++-- drivers/usb/typec/class.h | 1 + 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c index 9c76c3d0c6cf..eadb150223f8 100644 --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c @@ -1052,6 +1052,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, partner->usb_mode = USB_MODE_USB3; } + mutex_lock(&port->partner_link_lock); ret = device_register(&partner->dev); if (ret) { dev_err(&port->dev, "failed to register partner (%d)\n", ret); @@ -1063,6 +1064,7 @@ struct typec_partner *typec_register_partner(struct typec_port *port, typec_partner_link_device(partner, port->usb2_dev); if (port->usb3_dev) typec_partner_link_device(partner, port->usb3_dev); + mutex_unlock(&port->partner_link_lock); return partner; } @@ -1083,12 +1085,14 @@ void typec_unregister_partner(struct typec_partner *partner) port = to_typec_port(partner->dev.parent); + mutex_lock(&port->partner_link_lock); if (port->usb2_dev) typec_partner_unlink_device(partner, port->usb2_dev); if (port->usb3_dev) typec_partner_unlink_device(partner, port->usb3_dev); device_unregister(&partner->dev); + mutex_unlock(&port->partner_link_lock); } EXPORT_SYMBOL_GPL(typec_unregister_partner); @@ -2041,10 +2045,11 @@ static struct typec_partner *typec_get_partner(struct typec_port *port) static void typec_partner_attach(struct typec_connector *con, struct device *dev) { struct typec_port *port = container_of(con, struct typec_port, con); - struct typec_partner *partner = typec_get_partner(port); + struct typec_partner *partner; struct usb_device *udev = to_usb_device(dev); enum usb_mode usb_mode; + mutex_lock(&port->partner_link_lock); if (udev->speed < USB_SPEED_SUPER) { usb_mode = USB_MODE_USB2; port->usb2_dev = dev; @@ -2053,18 +2058,22 @@ static void typec_partner_attach(struct typec_connector *con, struct device *dev port->usb3_dev = dev; } + partner = typec_get_partner(port); if (partner) { typec_partner_set_usb_mode(partner, usb_mode); typec_partner_link_device(partner, dev); put_device(&partner->dev); } + mutex_unlock(&port->partner_link_lock); } static void typec_partner_deattach(struct typec_connector *con, struct device *dev) { struct typec_port *port = container_of(con, struct typec_port, con); - struct typec_partner *partner = typec_get_partner(port); + struct typec_partner *partner; + mutex_lock(&port->partner_link_lock); + partner = typec_get_partner(port); if (partner) { typec_partner_unlink_device(partner, dev); put_device(&partner->dev); @@ -2074,6 +2083,7 @@ static void typec_partner_deattach(struct typec_connector *con, struct device *d port->usb2_dev = NULL; else if (port->usb3_dev == dev) port->usb3_dev = NULL; + mutex_unlock(&port->partner_link_lock); } /** @@ -2614,6 +2624,7 @@ struct typec_port *typec_register_port(struct device *parent, ida_init(&port->mode_ids); mutex_init(&port->port_type_lock); + mutex_init(&port->partner_link_lock); port->id = id; port->ops = cap->ops; diff --git a/drivers/usb/typec/class.h b/drivers/usb/typec/class.h index b3076a24ad2e..db2fe96c48ff 100644 --- a/drivers/usb/typec/class.h +++ b/drivers/usb/typec/class.h @@ -59,6 +59,7 @@ struct typec_port { enum typec_port_type port_type; enum usb_mode usb_mode; struct mutex port_type_lock; + struct mutex partner_link_lock; enum typec_orientation orientation; struct typec_switch *sw; -- 2.49.0.395.g12beb8f557-goog

1 month, 1 week

3
2
0 0

[PATCH 1/3] Revert "drm/i915/gvt: Fix out-of-bounds buffer write into opregion->signature[]"

by Nicolas Chauvet

This reverts commit ea26c96d59b27e878fe61e8ef0fed840d2281a2f. This fix truncates the OPREGION_SIGNATURE to fit into 16 chars instead of enlarging the target field, hence only moving the size missmatch to later. As shown with gcc-15: drivers/gpu/drm/i915/gvt/opregion.c: In function intel_vgpu_init_opregion: drivers/gpu/drm/i915/gvt/opregion.c:35:28: error: initializer-string for array of char is too long [-Werror=unterminated-string-initialization] 35 | #define OPREGION_SIGNATURE "IntelGraphicsMem" | ^~~~~~~~~~~~~~~~~~ drivers/gpu/drm/i915/gvt/opregion.c:225:45: note: in expansion of macro OPREGION_SIGNATURE 225 | const char opregion_signature[16] = OPREGION_SIGNATURE; | ^~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Cc: stable(a)vger.kernel.org Reported-by: Nicolas Chauvet <kwizart(a)gmail.com> Fixes: ea26c96d59 ("drm/i915/gvt: Fix out-of-bounds buffer write into opregion->signature[]") Signed-off-by: Nicolas Chauvet <kwizart(a)gmail.com> --- drivers/gpu/drm/i915/gvt/opregion.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/gvt/opregion.c b/drivers/gpu/drm/i915/gvt/opregion.c index 509f9ccae3a9..9a8ead6039e2 100644 --- a/drivers/gpu/drm/i915/gvt/opregion.c +++ b/drivers/gpu/drm/i915/gvt/opregion.c @@ -222,7 +222,6 @@ int intel_vgpu_init_opregion(struct intel_vgpu *vgpu) u8 *buf; struct opregion_header *header; struct vbt v; - const char opregion_signature[16] = OPREGION_SIGNATURE; gvt_dbg_core("init vgpu%d opregion\n", vgpu->id); vgpu_opregion(vgpu)->va = (void *)__get_free_pages(GFP_KERNEL | @@ -236,8 +235,8 @@ int intel_vgpu_init_opregion(struct intel_vgpu *vgpu) /* emulated opregion with VBT mailbox only */ buf = (u8 *)vgpu_opregion(vgpu)->va; header = (struct opregion_header *)buf; - memcpy(header->signature, opregion_signature, - sizeof(opregion_signature)); + memcpy(header->signature, OPREGION_SIGNATURE, + sizeof(OPREGION_SIGNATURE)); header->size = 0x8; header->opregion_ver = 0x02000000; header->mboxes = MBOX_VBT; -- 2.49.0

1 month, 1 week

2
1
0 0

[PATCH 3/3] [RFC] drm/i915/gvt: change OPREGION_SIGNATURE name

by Nicolas Chauvet

Change the OPREGION_SIGNATURE name so it fit into the opregion_header->signature size. Cc: stable(a)vger.kernel.org Fixes: 93615d59912 ("Revert drm/i915/gvt: Fix out-of-bounds buffer write into opregion->signature[]") Signed-off-by: Nicolas Chauvet <kwizart(a)gmail.com> --- drivers/gpu/drm/i915/gvt/opregion.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gvt/opregion.c b/drivers/gpu/drm/i915/gvt/opregion.c index 0f11cd6ba383..0bd02dfaceb1 100644 --- a/drivers/gpu/drm/i915/gvt/opregion.c +++ b/drivers/gpu/drm/i915/gvt/opregion.c @@ -32,7 +32,7 @@ #define _INTEL_BIOS_PRIVATE #include "display/intel_vbt_defs.h" -#define OPREGION_SIGNATURE "IntelGraphicsMem" +#define OPREGION_SIGNATURE "IntelGFXMem" #define MBOX_VBT (1<<3) /* device handle */ -- 2.49.0

1 month, 1 week

2
1
0 0

[RFC PATCH 6.1.y] net/sched: act_mirred: don't override retval if we already lost the skb

by jianqi.ren.cn＠windriver.com

From: Jakub Kicinski <kuba(a)kernel.org> [ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ] If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF. Move the retval override to the error path which actually need it. Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Acked-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- net/sched/act_mirred.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index 36395e5db3b4..24c70ba6eebc 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -259,13 +259,13 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, dev = rcu_dereference_bh(m->tcfm_dev); if (unlikely(!dev)) { pr_notice_once("tc mirred: target device is gone\n"); - goto out; + goto err_cant_do; } if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { net_notice_ratelimited("tc mirred to Houston: device %s is down\n", dev->name); - goto out; + goto err_cant_do; } /* we could easily avoid the clone only if called by ingress and clsact; @@ -279,7 +279,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (!use_reinsert) { skb2 = skb_clone(skb, GFP_ATOMIC); if (!skb2) - goto out; + goto err_cant_do; } want_ingress = tcf_mirred_act_wants_ingress(m_eaction); @@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, } err = tcf_mirred_forward(want_ingress, skb2); - if (err) { -out: + if (err) tcf_action_inc_overlimit_qstats(&m->common); - if (tcf_mirred_is_act_redirect(m_eaction)) - retval = TC_ACT_SHOT; - } + __this_cpu_dec(mirred_nest_level); + + return retval; + +err_cant_do: + if (tcf_mirred_is_act_redirect(m_eaction)) + retval = TC_ACT_SHOT; + tcf_action_inc_overlimit_qstats(&m->common); __this_cpu_dec(mirred_nest_level); return retval; -- 2.25.1

1 month, 1 week

3
2
0 0

[PATCH] usb: dwc3: Abort suspend on soft disconnect failure

by Kuen-Han Tsai

When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. CC: stable(a)vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> --- Kernel panic - not syncing: Asynchronous SError Interrupt Workqueue: events vbus_event_work Call trace: dump_backtrace+0xf4/0x118 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c panic+0x16c/0x390 nmi_panic+0xa4/0xa8 arm64_serror_panic+0x6c/0x94 do_serror+0xc4/0xd0 el1h_64_error_handler+0x34/0x48 el1h_64_error+0x68/0x6c readl+0x4c/0x8c __dwc3_gadget_ep_disable+0x48/0x230 dwc3_gadget_ep_disable+0x50/0xc0 usb_ep_disable+0x44/0xe4 ffs_func_eps_disable+0x64/0xc8 ffs_func_set_alt+0x74/0x368 ffs_func_disable+0x18/0x28 composite_disconnect+0x90/0xec configfs_composite_disconnect+0x64/0x88 usb_gadget_disconnect_locked+0xc0/0x168 vbus_event_work+0x3c/0x58 process_one_work+0x1e4/0x43c worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 --- drivers/usb/dwc3/core.c | 10 +++++++--- drivers/usb/dwc3/gadget.c | 22 +++++++++------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 66a08b527165..d64d17677bdb 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2387,7 +2387,7 @@ static int dwc3_core_init_for_resume(struct dwc3 *dwc) static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; - int i; + int i, ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2406,7 +2406,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2441,7 +2443,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89a4dc8ebf94..316c1589618e 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4776,26 +4776,22 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; - - spin_lock_irqsave(&dwc->lock, flags); - if (dwc->gadget_driver) - dwc3_disconnect_gadget(dwc); - spin_unlock_irqrestore(&dwc->lock, flags); - - return 0; - -err: /* * Attempt to reset the controller's state. Likely no * communication can be established until the host * performs a port reset. */ - if (dwc->softconnect) + if (ret && dwc->softconnect) { dwc3_gadget_soft_connect(dwc); + return ret; + } - return ret; + spin_lock_irqsave(&dwc->lock, flags); + if (dwc->gadget_driver) + dwc3_disconnect_gadget(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; } int dwc3_gadget_resume(struct dwc3 *dwc) -- 2.49.0.395.g12beb8f557-goog

1 month, 1 week

2
2
0 0

[for-next][PATCH 09/10] tracing: Ensure module defining synth event cannot be unloaded while tracing

by Steven Rostedt

From: Douglas Raillard <douglas.raillard(a)arm.com> Currently, using synth_event_delete() will fail if the event is being used (tracing in progress), but that is normally done in the module exit function. At that stage, failing is problematic as returning a non-zero status means the module will become locked (impossible to unload or reload again). Instead, ensure the module exit function does not get called in the first place by increasing the module refcnt when the event is enabled. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Fixes: 35ca5207c2d11 ("tracing: Add synthetic event command generation functions") Link: https://lore.kernel.org/20250318180906.226841-1-douglas.raillard@arm.com Signed-off-by: Douglas Raillard <douglas.raillard(a)arm.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_synth.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c index 07ff8be8267e..463b0073629a 100644 --- a/kernel/trace/trace_events_synth.c +++ b/kernel/trace/trace_events_synth.c @@ -852,6 +852,34 @@ static struct trace_event_fields synth_event_fields_array[] = { {} }; +static int synth_event_reg(struct trace_event_call *call, + enum trace_reg type, void *data) +{ + struct synth_event *event = container_of(call, struct synth_event, call); + + switch (type) { + case TRACE_REG_REGISTER: + case TRACE_REG_PERF_REGISTER: + if (!try_module_get(event->mod)) + return -EBUSY; + break; + default: + break; + } + + int ret = trace_event_reg(call, type, data); + + switch (type) { + case TRACE_REG_UNREGISTER: + case TRACE_REG_PERF_UNREGISTER: + module_put(event->mod); + break; + default: + break; + } + return ret; +} + static int register_synth_event(struct synth_event *event) { struct trace_event_call *call = &event->call; @@ -881,7 +909,7 @@ static int register_synth_event(struct synth_event *event) goto out; } call->flags = TRACE_EVENT_FL_TRACEPOINT; - call->class->reg = trace_event_reg; + call->class->reg = synth_event_reg; call->class->probe = trace_event_raw_event_synth; call->data = event; call->tp = event->tp; -- 2.47.2

1 month, 1 week

1
0
0 0

[for-next][PATCH 07/10] tracing/osnoise: Fix possible recursive locking for cpus_read_lock()

by Steven Rostedt

From: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Lockdep reports this deadlock log: osnoise: could not start sampling thread ============================================ WARNING: possible recursive locking detected -------------------------------------------- CPU0 ---- lock(cpu_hotplug_lock); lock(cpu_hotplug_lock); Call Trace: <TASK> print_deadlock_bug+0x282/0x3c0 __lock_acquire+0x1610/0x29a0 lock_acquire+0xcb/0x2d0 cpus_read_lock+0x49/0x120 stop_per_cpu_kthreads+0x7/0x60 start_kthread+0x103/0x120 osnoise_hotplug_workfn+0x5e/0x90 process_one_work+0x44f/0xb30 worker_thread+0x33e/0x5e0 kthread+0x206/0x3b0 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x11/0x20 </TASK> This is the deadlock scenario: osnoise_hotplug_workfn() guard(cpus_read_lock)(); // first lock call start_kthread(cpu) if (IS_ERR(kthread)) { stop_per_cpu_kthreads(); { cpus_read_lock(); // second lock call. Cause the AA deadlock } } It is not necessary to call stop_per_cpu_kthreads() which stops osnoise kthread for every other CPUs in the system if a failure occurs during hotplug of a certain CPU. For start_per_cpu_kthreads(), if the start_kthread() call fails, this function calls stop_per_cpu_kthreads() to handle the error. Therefore, similarly, there is no need to call stop_per_cpu_kthreads() again within start_kthread(). So just remove stop_per_cpu_kthreads() from start_kthread to solve this issue. Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250321095249.2739397-1-ranxiaokai627@163.com Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations") Signed-off-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_osnoise.c | 1 - 1 file changed, 1 deletion(-) diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c index f3a2722ee4c0..c83a51218ee5 100644 --- a/kernel/trace/trace_osnoise.c +++ b/kernel/trace/trace_osnoise.c @@ -2032,7 +2032,6 @@ static int start_kthread(unsigned int cpu) if (IS_ERR(kthread)) { pr_err(BANNER "could not start sampling thread\n"); - stop_per_cpu_kthreads(); return -ENOMEM; } -- 2.47.2

1 month, 1 week

1
0
0 0

Reply Request-Integrated Systems Europe 2025-with Discount!

by Grace Green

Hi, I wanted to follow up on my previous email regarding the visitor list. Please let me know your thoughts—I’d be happy to provide more details. Plus, we’re currently offering an exclusive discount, making this the perfect time to secure the list at the best price! Looking forward to your response. Best regards, Grace Subject: Integrated Systems Europe 2025-with Discount! Hi, Would you like to get the latest list of exhibitors and attendees for Integrated Systems Europe 2025? This comprehensive list includes last-minute registrants as well. Event Details: Location: Fira Barcelona Gran Via, Barcelona, Spain Exhibitors: 1,460 Attendees: 73,891 Available Data Fields: Individual Email Address, Phone Number, Contact Name, Job Title, Company Name, Website, Physical Address, and more. Let me know if you're interested in the attendees list, exhibitors list, or both! I’d be happy to share pricing and additional details. Looking forward to your response! Best regards, Grace Green Sr. Demand Generation P.S. If you’d prefer not to receive updates, simply reply with “NO.”

1 month, 1 week

1
0
0 0

[PATCH 5.15.y] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function

by alvalan9＠foxmail.com

From: Miaoqian Lin <linmq006(a)gmail.com> [ Upstream commit 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f ] callers of tegra_xusb_find_port_node() function only do NULL checking for the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep consistent. Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/phy/tegra/xusb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c index bf7706bf101a..be31b1e25b38 100644 --- a/drivers/phy/tegra/xusb.c +++ b/drivers/phy/tegra/xusb.c @@ -455,7 +455,7 @@ tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type, name = kasprintf(GFP_KERNEL, "%s-%u", type, index); if (!name) { of_node_put(ports); - return ERR_PTR(-ENOMEM); + return NULL; } np = of_get_child_by_name(ports, name); kfree(name); -- 2.34.1

1 month, 1 week

2
1
0 0

[PATCH 5.10.y] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function

by alvalan9＠foxmail.com

From: Miaoqian Lin <linmq006(a)gmail.com> [ Upstream commit 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f ] callers of tegra_xusb_find_port_node() function only do NULL checking for the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep consistent. Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/phy/tegra/xusb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c index 856397def89a..8bd8d1f8eba2 100644 --- a/drivers/phy/tegra/xusb.c +++ b/drivers/phy/tegra/xusb.c @@ -449,7 +449,7 @@ tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type, name = kasprintf(GFP_KERNEL, "%s-%u", type, index); if (!name) { of_node_put(ports); - return ERR_PTR(-ENOMEM); + return NULL; } np = of_get_child_by_name(ports, name); kfree(name); -- 2.34.1

1 month, 1 week

2
1
0 0

[PATCH] mips: Add '-std=gnu11' to vdso CFLAGS

by Khem Raj

GCC 15 changed the default C standard dialect from gnu17 to gnu23, which should not have impacted the kernel because it explicitly requests the gnu11 standard in the main Makefile. However, mips/vdso code uses its own CFLAGS without a '-std=' value, which break with this dialect change because of the kernel's own definitions of bool, false, and true conflicting with the C23 reserved keywords. include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant 11 | false = 0, | ^~~~~ include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef' 35 | typedef _Bool bool; | ^~~~ include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards Add '-std=gnu11' to the decompressor and purgatory CFLAGS to eliminate these errors and make the C standard version of these areas match the rest of the kernel. Signed-off-by: Khem Raj <raj.khem(a)gmail.com> Cc: stable(a)vger.kernel.org --- arch/mips/vdso/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile index b289b2c1b294..15521004c563 100644 --- a/arch/mips/vdso/Makefile +++ b/arch/mips/vdso/Makefile @@ -30,7 +30,7 @@ cflags-vdso := $(ccflags-vdso) \ -O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \ -mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \ -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \ - $(call cc-option, -fno-asynchronous-unwind-tables) + $(call cc-option, -fno-asynchronous-unwind-tables) -std=gnu11 aflags-vdso := $(ccflags-vdso) \ -D__ASSEMBLY__ -Wa,-gdwarf-2

1 month, 1 week

2
1
0 0

[PATCH] wifi: ath11k: fix ring-buffer corruption

by Johan Hovold

Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes breaks and the log fills up with errors like: ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492 ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484 which based on a quick look at the driver seemed to indicate some kind of ring-buffer corruption. Miaoqing Pan tracked it down to the host seeing the updated destination ring head pointer before the updated descriptor, and the error handling for that in turn leaves the ring buffer in an inconsistent state. Add the missing memory barrier to make sure that the descriptor is read after the head pointer to address the root cause of the corruption while fixing up the error handling in case there are ever any (ordering) bugs on the device side. Note that the READ_ONCE() are only needed to avoid compiler mischief in case the ring-buffer helpers are ever inlined. Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623 Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com Cc: Miaoqing Pan <quic_miaoqing(a)quicinc.com> Cc: stable(a)vger.kernel.org # 5.6 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/net/wireless/ath/ath11k/ce.c | 11 +++++------ drivers/net/wireless/ath/ath11k/hal.c | 4 ++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c index e66e86bdec20..9d8efec46508 100644 --- a/drivers/net/wireless/ath/ath11k/ce.c +++ b/drivers/net/wireless/ath/ath11k/ce.c @@ -393,11 +393,10 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe, goto err; } + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + *nbytes = ath11k_hal_ce_dst_status_get_length(desc); - if (*nbytes == 0) { - ret = -EIO; - goto err; - } *skb = pipe->dest_ring->skb[sw_index]; pipe->dest_ring->skb[sw_index] = NULL; @@ -430,8 +429,8 @@ static void ath11k_ce_recv_process_cb(struct ath11k_ce_pipe *pipe) dma_unmap_single(ab->dev, ATH11K_SKB_RXCB(skb)->paddr, max_nbytes, DMA_FROM_DEVICE); - if (unlikely(max_nbytes < nbytes)) { - ath11k_warn(ab, "rxed more than expected (nbytes %d, max %d)", + if (unlikely(max_nbytes < nbytes || nbytes == 0)) { + ath11k_warn(ab, "unexpected rx length (nbytes %d, max %d)", nbytes, max_nbytes); dev_kfree_skb_any(skb); continue; diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index 61f4b6dd5380..8cb1505a5a0c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -599,7 +599,7 @@ u32 ath11k_hal_ce_dst_status_get_length(void *buf) struct hal_ce_srng_dst_status_desc *desc = buf; u32 len; - len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, desc->flags); + len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, READ_ONCE(desc->flags)); desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN; return len; @@ -829,7 +829,7 @@ void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng) srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; } else { - srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr; + srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); /* Try to prefetch the next descriptor in the ring */ if (srng->flags & HAL_SRNG_FLAGS_CACHED) -- 2.48.1

1 month, 1 week

4
3
0 0

Linux 6.13.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.13.8 kernel. All users of the 6.13 kernel series must upgrade. The updated 6.13.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.13.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/rust/quick-start.rst | 2 Makefile | 2 arch/alpha/include/asm/elf.h | 6 arch/alpha/include/asm/pgtable.h | 2 arch/alpha/include/asm/processor.h | 8 arch/alpha/kernel/osf_sys.c | 11 arch/arm64/include/asm/tlbflush.h | 22 - arch/arm64/kernel/topology.c | 22 - arch/arm64/mm/mmu.c | 5 arch/loongarch/kvm/switch.S | 2 arch/loongarch/mm/pageattr.c | 3 arch/x86/events/intel/core.c | 85 ++++ arch/x86/events/rapl.c | 1 arch/x86/include/asm/sev.h | 6 arch/x86/kernel/cpu/microcode/amd.c | 2 arch/x86/kernel/cpu/vmware.c | 4 arch/x86/kernel/devicetree.c | 3 arch/x86/kernel/irq.c | 2 arch/x86/kvm/mmu/mmu.c | 2 block/bio.c | 2 drivers/acpi/resource.c | 6 drivers/block/null_blk/main.c | 4 drivers/block/virtio_blk.c | 5 drivers/clk/samsung/clk-gs101.c | 8 drivers/clk/samsung/clk-pll.c | 7 drivers/firmware/iscsi_ibft.c | 5 drivers/gpio/gpiolib-cdev.c | 15 drivers/gpio/gpiolib.c | 8 drivers/gpio/gpiolib.h | 5 drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 5 drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 ++- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 7 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 drivers/gpu/drm/amd/display/dc/dce60/dce60_timing_generator.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c | 4 drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 6 drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +- drivers/gpu/drm/drm_atomic_uapi.c | 4 drivers/gpu/drm/drm_connector.c | 4 drivers/gpu/drm/drm_panic_qr.rs | 16 drivers/gpu/drm/gma500/mid_bios.c | 5 drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 drivers/gpu/drm/i915/display/intel_display.c | 5 drivers/gpu/drm/i915/gem/i915_gem_mman.c | 5 drivers/gpu/drm/nouveau/nouveau_connector.c | 1 drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 193 ++++------ drivers/gpu/drm/vkms/vkms_composer.c | 2 drivers/gpu/drm/xe/xe_guc_ct.c | 6 drivers/gpu/drm/xe/xe_guc_log.c | 3 drivers/gpu/drm/xe/xe_guc_submit.c | 4 drivers/gpu/drm/xe/xe_hmm.c | 6 drivers/gpu/drm/xe/xe_pm.c | 13 drivers/hid/Kconfig | 3 drivers/hid/hid-apple.c | 13 drivers/hid/hid-ids.h | 3 drivers/hid/hid-quirks.c | 1 drivers/hid/hid-steam.c | 6 drivers/hid/hid-topre.c | 7 drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 drivers/hid/intel-ish-hid/ipc/ipc.c | 15 drivers/hid/intel-ish-hid/ipc/pci-ish.c | 7 drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 drivers/hv/vmbus_drv.c | 13 drivers/i2c/busses/i2c-ali1535.c | 12 drivers/i2c/busses/i2c-ali15x3.c | 12 drivers/i2c/busses/i2c-sis630.c | 12 drivers/input/joystick/xpad.c | 39 +- drivers/input/misc/iqs7222.c | 50 +- drivers/input/serio/i8042-acpipnpio.h | 111 ++--- drivers/input/touchscreen/ads7846.c | 2 drivers/input/touchscreen/goodix_berlin_core.c | 24 - drivers/irqchip/irq-riscv-imsic-early.c | 2 drivers/irqchip/irq-thead-c900-aclint-sswi.c | 2 drivers/md/dm-flakey.c | 2 drivers/net/bonding/bond_options.c | 55 ++ drivers/net/dsa/mv88e6xxx/chip.c | 59 ++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 13 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 drivers/net/ethernet/intel/ice/ice_arfs.c | 2 drivers/net/ethernet/intel/ice/ice_eswitch.c | 6 drivers/net/ethernet/intel/ice/ice_lag.c | 27 + drivers/net/ethernet/intel/ice/ice_lib.c | 18 drivers/net/ethernet/intel/ice/ice_lib.h | 4 drivers/net/ethernet/intel/ice/ice_txrx.c | 4 drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 drivers/net/ethernet/mellanox/mlx5/core/eq.c | 2 drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c | 2 drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 drivers/net/ethernet/mellanox/mlx5/core/mlx5_irq.h | 4 drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 13 drivers/net/ethernet/mellanox/mlx5/core/pci_irq.h | 2 drivers/net/ethernet/mellanox/mlx5/core/steering/hws/bwc.h | 2 drivers/net/ethernet/microsoft/mana/gdma_main.c | 11 drivers/net/ethernet/microsoft/mana/mana_en.c | 10 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 drivers/net/ethernet/realtek/rtase/rtase_main.c | 10 drivers/net/mctp/mctp-i2c.c | 5 drivers/net/mctp/mctp-i3c.c | 5 drivers/net/phy/nxp-c45-tja11xx.c | 68 +++ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 6 drivers/net/wwan/mhi_wwan_mbim.c | 2 drivers/nvme/host/apple.c | 5 drivers/nvme/host/core.c | 14 drivers/nvme/host/fc.c | 59 --- drivers/nvme/host/pci.c | 7 drivers/nvme/target/rdma.c | 33 + drivers/phy/ti/phy-gmii-sel.c | 15 drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c | 3 drivers/platform/x86/intel/int3472/discrete.c | 85 +++- drivers/platform/x86/intel/pmc/core.c | 4 drivers/platform/x86/thinkpad_acpi.c | 50 +- drivers/powercap/powercap_sys.c | 3 drivers/s390/cio/chp.c | 3 drivers/scsi/qla1280.c | 2 drivers/scsi/scsi_scan.c | 2 drivers/spi/spi-microchip-core.c | 41 -- drivers/thermal/cpufreq_cooling.c | 2 drivers/ufs/core/ufshcd.c | 7 drivers/usb/phy/phy-generic.c | 2 drivers/usb/serial/ftdi_sio.c | 14 drivers/usb/serial/ftdi_sio_ids.h | 13 drivers/usb/serial/option.c | 48 +- drivers/usb/typec/tcpm/tcpm.c | 8 drivers/vhost/vhost.c | 2 drivers/video/fbdev/hyperv_fb.c | 52 +- drivers/virt/coco/sev-guest/sev-guest.c | 63 ++- drivers/xen/swiotlb-xen.c | 2 fs/btrfs/extent_io.c | 11 fs/btrfs/qgroup.c | 6 fs/fuse/dir.c | 2 fs/namei.c | 24 - fs/netfs/read_collect.c | 2 fs/smb/client/asn1.c | 2 fs/smb/client/cifs_spnego.c | 4 fs/smb/client/cifsglob.h | 4 fs/smb/client/connect.c | 16 fs/smb/client/fs_context.c | 18 fs/smb/client/inode.c | 13 fs/smb/client/reparse.c | 5 fs/smb/client/sess.c | 3 fs/smb/client/smb2pdu.c | 4 fs/smb/common/smbfsctl.h | 3 fs/smb/server/connection.c | 20 + fs/smb/server/connection.h | 2 fs/smb/server/ksmbd_work.c | 3 fs/smb/server/ksmbd_work.h | 1 fs/smb/server/oplock.c | 43 +- fs/smb/server/oplock.h | 1 fs/smb/server/server.c | 14 fs/vboxsf/super.c | 3 include/asm-generic/vmlinux.lds.h | 1 include/linux/blk-mq.h | 16 include/linux/fs.h | 2 include/linux/hugetlb.h | 5 include/linux/module.h | 5 include/linux/pci_ids.h | 1 include/net/bluetooth/hci_core.h | 108 +---- include/net/bluetooth/l2cap.h | 3 include/net/netfilter/nf_tables.h | 4 include/sound/soc.h | 5 init/Kconfig | 2 io_uring/futex.c | 2 io_uring/io-wq.c | 23 - kernel/futex/core.c | 5 kernel/futex/futex.h | 11 kernel/futex/pi.c | 2 kernel/futex/waitwake.c | 4 kernel/rcu/tree.c | 14 kernel/sched/core.c | 5 kernel/sched/debug.c | 2 kernel/sched/ext.c | 3 kernel/time/hrtimer.c | 22 - kernel/vhost_task.c | 4 mm/hugetlb.c | 8 mm/page_isolation.c | 10 mm/userfaultfd.c | 91 +++- net/bluetooth/hci_core.c | 10 net/bluetooth/hci_event.c | 37 + net/bluetooth/iso.c | 6 net/bluetooth/l2cap_core.c | 181 ++++----- net/bluetooth/l2cap_sock.c | 15 net/bluetooth/rfcomm/core.c | 6 net/bluetooth/sco.c | 25 - net/core/dev.c | 5 net/core/netpoll.c | 9 net/ipv6/addrconf.c | 15 net/mac80211/eht.c | 9 net/mac80211/util.c | 8 net/mctp/route.c | 10 net/mctp/test/route-test.c | 109 +++++ net/mptcp/protocol.h | 2 net/netfilter/ipvs/ip_vs_ctl.c | 8 net/netfilter/nf_conncount.c | 6 net/netfilter/nf_tables_api.c | 24 - net/netfilter/nft_compat.c | 8 net/netfilter/nft_ct.c | 6 net/netfilter/nft_exthdr.c | 10 net/openvswitch/conntrack.c | 30 - net/openvswitch/datapath.h | 3 net/openvswitch/flow_netlink.c | 15 net/sched/sch_api.c | 6 net/sched/sch_gred.c | 3 net/sctp/stream.c | 2 net/switchdev/switchdev.c | 25 - net/wireless/core.c | 7 rust/kernel/alloc/allocator_test.rs | 18 rust/kernel/error.rs | 2 rust/kernel/init.rs | 23 - rust/kernel/init/macros.rs | 6 rust/kernel/lib.rs | 2 rust/kernel/sync.rs | 16 scripts/generate_rust_analyzer.py | 73 ++- scripts/mod/modpost.c | 35 + scripts/mod/modpost.h | 6 scripts/module.lds.S | 1 scripts/rustdoc_test_gen.rs | 4 sound/hda/intel-dsp-config.c | 5 sound/pci/hda/hda_intel.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/arizona.c | 14 sound/soc/codecs/cs42l43.c | 2 sound/soc/codecs/madera.c | 10 sound/soc/codecs/rt722-sdca-sdw.c | 4 sound/soc/codecs/tas2764.c | 10 sound/soc/codecs/tas2764.h | 8 sound/soc/codecs/tas2770.c | 2 sound/soc/codecs/wm0010.c | 13 sound/soc/codecs/wm5110.c | 8 sound/soc/generic/simple-card-utils.c | 1 sound/soc/intel/boards/sof_sdw.c | 43 +- sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 2 sound/soc/renesas/rcar/core.c | 14 sound/soc/renesas/rcar/rsnd.h | 1 sound/soc/renesas/rcar/src.c | 116 ++++-- sound/soc/renesas/rcar/ssi.c | 3 sound/soc/soc-ops.c | 15 sound/soc/sof/amd/acp-ipc.c | 23 - sound/soc/sof/amd/acp.c | 1 sound/soc/sof/amd/acp.h | 1 sound/soc/sof/amd/vangogh.c | 18 sound/soc/sof/intel/hda-codec.c | 1 sound/soc/sof/intel/hda.c | 18 sound/soc/sof/intel/pci-ptl.c | 1 sound/soc/tegra/tegra210_adx.c | 4 tools/objtool/check.c | 9 tools/sched_ext/include/scx/common.bpf.h | 11 tools/sound/dapm-graph | 2 tools/testing/selftests/bpf/prog_tests/sockmap_basic.c | 6 tools/testing/selftests/bpf/prog_tests/xdp_cpumap_attach.c | 4 tools/testing/selftests/bpf/prog_tests/xdp_devmap_attach.c | 8 tools/testing/selftests/cgroup/test_cpuset_v1_hp.sh | 2 tools/testing/selftests/drivers/net/bonding/bond_options.sh | 4 tools/testing/selftests/filesystems/statmount/statmount_test.c | 22 + tools/testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 266 files changed, 2455 insertions(+), 1273 deletions(-) Aaron Ma (1): perf/x86/rapl: Add support for Intel Arrow Lake U Ajay Kaher (1): x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware hypervisors Alban Kurti (2): rust: error: add missing newline to pr_warn! calls rust: init: add missing newline to pr_info! calls Alex Deucher (1): drm/amdgpu/vce2: fix ip block reference Alex Henrie (2): HID: apple: fix up the F6 key on the Omoton KB066 keyboard HID: apple: disable Fn key handling on the Omoton KB066 Alex Hung (2): drm/amd/display: Fix out-of-bound accesses drm/amd/display: Assign normalized_pix_clk when color depth = 14 Alexander Stein (1): usb: phy: generic: Use proper helper for property detection Alexey Kardashevskiy (1): virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex Alexey Kashavkin (1): netfilter: nft_exthdr: fix offset with ipv4_find_option() Aliaksei Urbanski (1): drm/amd/display: fix missing .is_two_pixels_per_container Amit Cohen (1): net: switchdev: Convert blocking notification chain to a raw one Amit Sunil Dhamne (1): usb: typec: tcpm: fix state transition for SNK_WAIT_CAPABILITIES state in run_state_machine() Andrea Righi (3): sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl() sched_ext: selftests/dsp_local_on: Fix selftest on UP systems tools/sched_ext: Add helper to check task migration state Andrei Botila (2): net: phy: nxp-c45-tja11xx: add TJA112X PHY configuration errata net: phy: nxp-c45-tja11xx: add TJA112XB SGMII PCS restart errata Andrew Davis (1): phy: ti: gmii-sel: Do not use syscon helper to build regmap Andy Shevchenko (1): hrtimers: Mark is_migration_base() with __always_inline Antheas Kapenekakis (3): Input: xpad - add support for ZOTAC Gaming Zone Input: xpad - add support for TECNO Pocket Go Input: xpad - rename QH controller to Legion Go S Arnd Bergmann (1): x86/irq: Define trace events conditionally Artur Weber (1): pinctrl: bcm281xx: Fix incorrect regmap max_registers value Bard Liao (3): ASoC: Intel: soc-acpi-intel-mtl-match: declare adr as ull ASoC: SOF: Intel: don't check number of sdw links when set dmic_fixup ASoC: rt722-sdca: add missing readable registers Barry Song (1): mm: fix kernel BUG when userfaultfd_move encounters swapcache Bartosz Golaszewski (1): gpio: cdev: use raw notifier for line state events Beata Michalska (1): arm64: amu: Delay allocating cpumask for AMU FIE support Benjamin Berg (1): wifi: mac80211: fix MPDU length parsing for EHT 5/6 GHz Benno Lossin (1): rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Bharadwaj Raju (1): selftests/cgroup: use bash in test_cpuset_v1_hp.sh Bibo Mao (1): LoongArch: KVM: Set host with kernel mode when switch to VM mode Boon Khai Ng (1): USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Brahmajit Das (1): vboxsf: fix building with GCC 15 Breno Leitao (1): netpoll: hold rcu read lock in __netpoll_send_skb() Carolina Jubran (1): net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Charles Han (1): pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw Charles Keepax (2): ASoC: ops: Consistently treat platform_max as control value ASoC: cs42l43: Fix maximum ADC Volume Chengen Du (1): iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Chia-Lin Kao (AceLan) (1): HID: ignore non-functional sensor in HP 5MP Camera Christian Loehle (1): sched/debug: Provide slice length for fair tasks Christophe JAILLET (4): ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() i2c: ali1535: Fix an error handling path in ali1535_probe() i2c: ali15x3: Fix an error handling path in ali15x3_probe() i2c: sis630: Fix an error handling path in sis630_probe() Christopher Lentocha (1): nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Cong Wang (1): net_sched: Prevent creation of classes with TC_H_ROOT Conor Dooley (1): spi: microchip-core: prevent RX overflows when transmit size > FIFO size Cristian Ciocaltea (2): ASoC: SOF: amd: Add post_fw_run_delay ACP quirk ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Dan Carpenter (1): ipvs: prevent integer overflow in do_ip_vs_get_ctl() Daniel Brackenbury (1): HID: topre: Fix n-key rollover on Realforce R3S TKL boards Daniel Lezcano (1): thermal/cpufreq_cooling: Remove structure member documentation Daniel Wagner (4): nvme-fc: go straight to connecting state when initializing nvme-fc: do not ignore connectivity loss during connecting nvme: only allow entering LIVE from CONNECTING state nvme-fc: rely on state transitions to handle connectivity loss David Rosca (1): drm/amdgpu/display: Allow DCC for video formats on GFX12 Dmitry Kandybka (1): platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Dmytro Maluka (1): x86/of: Don't use DTB for SMP setup if ACPI is enabled Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Emmanuel Grumbach (1): wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms Eric W. Biederman (1): alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE990B compositions USB: serial: option: fix Telit Cinterion FE990A name Filipe Manana (1): btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop Florent Revest (1): x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Florian Westphal (1): netfilter: nf_tables: make destruction work queue pernet Frederic Weisbecker (1): net: Handle napi_schedule() calls from non-interrupt Gannon Kolding (1): ACPI: resource: IRQ override for Eluktronics MECH-17 Ge Yang (1): mm/hugetlb: wait for hugetlb folios to be freed Greg Kroah-Hartman (1): Linux 6.13.8 Grzegorz Nitka (1): ice: fix memory leak in aRFS after reset Guillaume Nault (1): gre: Fix IPv6 link-local address generation. H. Nikolaus Schaller (1): Input: ads7846 - fix gpiod allocation Hangbin Liu (2): bonding: fix incorrect MAC address setting to receive NS messages selftests: bonding: fix incorrect mac address Haoxiang Li (1): qlcnic: fix memory leak issues in qlcnic_sriov_common.c Harry Wentland (1): drm/vkms: Round fixp2int conversion in lerp_u16 Hector Martin (4): apple-nvme: Release power domains when probe fails ASoC: tas2770: Fix volume scale ASoC: tas2764: Fix power control mask ASoC: tas2764: Set the SDOUT polarity correctly Henrique Carvalho (1): smb: client: Fix match_session bug preventing session reuse Huacai Chen (1): LoongArch: Fix kernel_page_present() for KPRANGE/XKPRANGE Ievgen Vovk (1): HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Ilya Maximets (1): net: openvswitch: remove misbehaving actions length check Imre Deak (1): drm/dp_mst: Fix locking when skipping CSN before topology probing Ivan Abramov (1): drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Jan Beulich (1): Xen/swiotlb: mark xen_swiotlb_fixup() __init Jann Horn (1): sched: Clarify wake_up_q()'s write to task->wake_q.next Jeff LaBundy (1): Input: iqs7222 - preserve system status register Jens Axboe (1): futex: Pass in task to futex_queue() Jianbo Liu (1): net/mlx5: Bridge, fix the crash caused by LAG state check Jiayuan Chen (1): selftests/bpf: Fix invalid flag of recv() Jiri Pirko (1): net/mlx5: Fill out devlink dev info only for PFs Joe Hattori (1): powercap: call put_device() on an error path in powercap_register_control_type() Johan Hovold (1): USB: serial: option: match on interface class for Telit FN990B Joseph Huang (1): net: dsa: mv88e6xxx: Verify after ATU Load ops Josh Poimboeuf (1): objtool: Ignore dangling jump table entries José Roberto de Souza (2): drm/xe: Make GUC binaries dump consistent with other binaries in devcoredump drm/i915: Increase I915_PARAM_MMAP_GTT_VERSION version to indicate support for partial mmaps Jun Yang (1): sched: address a potential NULL pointer dereference in the GRED scheduler. Justin Lai (1): rtase: Fix improper release of ring list entries in rtase_sw_reset Kan Liang (1): perf/x86/intel: Use better start period for frequency mode Keith Busch (1): vhost: return task creation error instead of NULL Kent Overstreet (1): dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Kohei Enju (1): netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Kuninori Morimoto (4): ASoC: simple-card-utils.c: add missing dlc->of_node ASoC: rsnd: indicate unsupported clock rate ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() ASoC: rsnd: adjust convert rate limitation Larysa Zaremba (1): ice: do not configure destination override for switchdev Leo Li (1): drm/amd/display: Disable unneeded hpd interrupts during dm_init Luca Weiss (1): Input: goodix-berlin - fix vddio regulator references Lucas De Marchi (1): drm/xe/guc: Fix size_t print format Luiz Augusto von Dentz (4): Bluetooth: hci_event: Fix enabling passive scanning Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Magnus Lindholm (1): scsi: qla1280: Fix kernel oops when debug level > 2 Marcin Szycik (1): ice: Fix switchdev slow-path in LAG Mario Limonciello (3): drm/amd/display: fix default brightness drm/amd/display: Restore correct backlight brightness after a GPU reset drm/amd/display: Fix slab-use-after-free on hdcp_work Mark Pearson (1): platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Masahiro Yamada (1): kbuild: keep symbols for symbol_get() even with CONFIG_TRIM_UNUSED_KSYMS Matt Johnston (3): net: mctp i3c: Copy headers if cloned net: mctp i2c: Copy headers if cloned net: mctp: unshare packets when reassembling Matthew Maurer (1): rust: Disallow BTF generation with Rust + LTO Matthew Wilcox (Oracle) (1): btrfs: fix two misuses of folio_shift() Matthieu Baerts (NGI0) (1): mptcp: safety check before fallback Max Kellermann (1): fs/netfs/read_collect: add to next->prev_donated Maxime Ripard (3): drm/tests: hdmi: Remove redundant assignments drm/tests: hdmi: Reorder DRM entities variables assignment drm/tests: hdmi: Fix recursive locking Michael Kelley (4): fbdev: hyperv_fb: iounmap() the correct memory when removing a device drm/hyperv: Fix address space leak when Hyper-V DRM device is removed fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Miguel Ojeda (3): rust: remove leftover mentions of the `alloc` crate drm/panic: use `div_ceil` to clean Clippy warning drm/panic: fix overindented list items in documentation Miklos Szeredi (2): selftests: always check mask returned by statmount(2) fuse: don't truncate cached, mutated symlink Mina Almasry (1): netmem: prevent TX of unreadable skbs Ming Lei (1): block: fix 'kmem_cache of name 'bio-108' already exists' Miri Korenblit (2): wifi: mac80211: don't queue sdata::work for a non-running sdata wifi: cfg80211: cancel wiphy_work before freeing wiphy Mitchell Levy (1): rust: lockdep: Remove support for dynamically allocated LockClassKeys Murad Masimov (4): cifs: Fix integer overflow while processing acregmax mount option cifs: Fix integer overflow while processing acdirmax mount option cifs: Fix integer overflow while processing actimeo mount option cifs: Fix integer overflow while processing closetimeo mount option Namjae Jeon (2): ksmbd: fix use-after-free in ksmbd_free_work_struct ksmbd: prevent connection release during oplock break notification Natalie Vock (1): drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags Nicklas Bo Jensen (1): netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Nicolas Frattaroli (1): ASoC: dapm-graph: set fill colour of turned on nodes Nilton Perim Neto (1): Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Pali Rohár (2): cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes Pauli Virtanen (1): Bluetooth: SCO: fix sco_conn refcounting on sco_conn_ready Paulo Alcantara (2): smb: client: fix noisy when tree connecting to DFS interlink targets smb: client: fix regression with guest option Pavel Rojtberg (1): Input: xpad - add multiple supported devices Peter Griffin (1): clk: samsung: gs101: fix synchronous external abort in samsung_clk_save() Peter Oberparleiter (1): s390/cio: Fix CHPID "configure" attribute caching Peter Ujfalusi (2): ASoC: SOF: Intel: pci-ptl: Add support for PTL-H ASoC: Intel: sof_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() Pierre-Louis Bossart (3): PCI: pci_ids: add INTEL_HDA_PTL_H ALSA: hda: intel-dsp-config: Add PTL-H support ALSA: hda: hda-intel: add Panther Lake-H support Piotr Jaroszynski (1): Fix mmu notifiers for range-based invalidates Richard Fitzgerald (2): ASoC: Intel: sof_sdw: Add lookup of quirk using PCI subsystem ID ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S14 Rik van Riel (1): scsi: core: Use GFP_NOIO to avoid circular locking dependency Rodrigo Vivi (1): drm/xe/pm: Temporarily disable D3Cold on BMG Ruozhu Li (1): nvmet-rdma: recheck queue state is LIVE in state lock in recv done Sakari Ailus (2): platform/x86: int3472: Use correct type for "polarity", call it gpio_flags platform/x86: int3472: Call "reset" GPIO "enable" for INT347E Saurabh Sengar (2): fbdev: hyperv_fb: Simplify hvfb_putmem fbdev: hyperv_fb: Allow graceful removal of framebuffer Sebastian Andrzej Siewior (1): netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Seunghui Lee (1): scsi: ufs: core: Fix error return with query response Shay Drory (2): net/mlx5: Fix incorrect IRQ pool usage when releasing IRQs net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Shigeru Yoshida (1): selftests/bpf: Adjust data size to have ETH_HLEN Shin'ichiro Kawasaki (2): nvme: move error logging from nvme_end_req() to __nvme_end_req() block: change blk_mq_add_to_batch() third argument type to bool Shradha Gupta (1): net: mana: cleanup mana struct after debugfs_remove() Stephan Gerhold (1): net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Steve French (1): smb3: add support for IAKerb Suren Baghdasaryan (1): userfaultfd: fix PTE unmapping stack-allocated PTE copies Sybil Isabel Dorsett (1): platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Taehee Yoo (6): eth: bnxt: fix truesize for mb-xdp-pass case eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc() eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic eth: bnxt: do not update checksum in bnxt_xdp_build_skb() eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} eth: bnxt: fix memory leak in queue reset Tamir Duberstein (4): rust: alloc: satisfy POSIX alignment requirement scripts: generate_rust_analyzer: add missing macros deps scripts: generate_rust_analyzer: add missing include_dirs scripts: generate_rust_analyzer: add uapi crate Tejas Upadhyay (2): drm/xe: cancel pending job timer before freeing scheduler drm/xe: Release guc ids before cancelling work Tejun Heo (1): sched_ext: selftests/dsp_local_on: Fix sporadic failures Terry Cheong (1): ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Thomas Hellström (1): drm/xe/userptr: Fix an incorrect assert Thomas Mizrahi (1): ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Thomas Zimmermann (1): drm/nouveau: Do not override forced connector status Thorsten Blum (1): ASoC: tegra: Fix ADX S24_LE audio format Uday M Bhat (1): ASoC: Intel: sof_sdw: Add support for Fatcat board with BT offload enabled in PTL platform Uday Shankar (1): io-wq: backoff when retrying worker creation Uladzislau Rezki (Sony) (1): mm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq Varada Pavani (1): clk: samsung: update PLL locktime for PLL142XX used on FSD platform Vicki Pfau (1): HID: hid-steam: Fix issues with disabling both gamepad mode and lizard mode Ville Syrjälä (2): drm/i915/cdclk: Do cdclk post plane programming later drm/atomic: Filter out redundant DPMS calls Vitaly Rodionov (1): ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Vlad Dogaru (1): net/mlx5: HWS, Rightsize bwc matcher priority Wentao Liang (1): net/mlx5: handle errors in mlx5_chains_create_table() Werner Sembach (4): Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Input: i8042 - add required quirks for missing old boardnames Input: i8042 - swap old quirk combination with new quirk for several devices Input: i8042 - swap old quirk combination with new quirk for more devices Xin Long (1): Revert "openvswitch: switch to per-action label counting in conntrack" Xu Lu (1): irqchip/riscv: Ensure ordering of memory writes and IPI writes Yifan Zha (1): drm/amd/amdkfd: Evict all queues even HWS remove queue failed Yu-Chun Lin (1): sctp: Fix undefined behavior in left shift operation Zhang Lixu (3): HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell HID: intel-ish-hid: Send clock sync message immediately after reset HID: intel-ish-hid: ipc: Add Panther Lake PCI device IDs Zhenhua Huang (1): arm64: mm: Populate vmemmap at the page level if not section aligned

1 month, 1 week

1
1
0 0

Linux 6.12.20

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.20 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/rust/quick-start.rst | 2 Makefile | 2 arch/alpha/include/asm/elf.h | 6 arch/alpha/include/asm/pgtable.h | 2 arch/alpha/include/asm/processor.h | 8 arch/alpha/kernel/osf_sys.c | 11 arch/arm64/include/asm/tlbflush.h | 22 arch/arm64/kernel/topology.c | 22 arch/arm64/mm/mmu.c | 5 arch/loongarch/kvm/switch.S | 2 arch/loongarch/mm/pageattr.c | 3 arch/x86/events/intel/core.c | 85 ++ arch/x86/events/rapl.c | 1 arch/x86/kernel/cpu/microcode/amd.c | 2 arch/x86/kernel/cpu/vmware.c | 4 arch/x86/kernel/devicetree.c | 3 arch/x86/kernel/irq.c | 2 arch/x86/kvm/mmu/mmu.c | 2 block/bio.c | 2 drivers/acpi/resource.c | 6 drivers/block/null_blk/main.c | 4 drivers/block/virtio_blk.c | 5 drivers/clk/samsung/clk-gs101.c | 8 drivers/clk/samsung/clk-pll.c | 7 drivers/firmware/iscsi_ibft.c | 5 drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 7 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 drivers/gpu/drm/amd/display/dc/dce60/dce60_timing_generator.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c | 4 drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 6 drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 - drivers/gpu/drm/drm_atomic_uapi.c | 4 drivers/gpu/drm/drm_connector.c | 4 drivers/gpu/drm/drm_panic_qr.rs | 16 drivers/gpu/drm/gma500/mid_bios.c | 5 drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 drivers/gpu/drm/i915/display/intel_display.c | 5 drivers/gpu/drm/i915/gem/i915_gem_mman.c | 5 drivers/gpu/drm/nouveau/nouveau_connector.c | 1 drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 193 +++--- drivers/gpu/drm/vkms/vkms_composer.c | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 4 drivers/gpu/drm/xe/xe_hmm.c | 6 drivers/gpu/drm/xe/xe_pm.c | 13 drivers/hid/Kconfig | 3 drivers/hid/hid-apple.c | 13 drivers/hid/hid-ids.h | 3 drivers/hid/hid-quirks.c | 1 drivers/hid/hid-steam.c | 6 drivers/hid/hid-topre.c | 7 drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 drivers/hid/intel-ish-hid/ipc/ipc.c | 15 drivers/hid/intel-ish-hid/ipc/pci-ish.c | 7 drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 drivers/hv/vmbus_drv.c | 13 drivers/i2c/busses/i2c-ali1535.c | 12 drivers/i2c/busses/i2c-ali15x3.c | 12 drivers/i2c/busses/i2c-sis630.c | 12 drivers/input/joystick/xpad.c | 39 + drivers/input/misc/iqs7222.c | 50 - drivers/input/serio/i8042-acpipnpio.h | 111 +-- drivers/input/touchscreen/ads7846.c | 2 drivers/input/touchscreen/goodix_berlin_core.c | 24 drivers/md/dm-flakey.c | 2 drivers/net/bonding/bond_options.c | 55 + drivers/net/dsa/mv88e6xxx/chip.c | 59 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 286 ++++++---- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 13 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 drivers/net/ethernet/intel/ice/ice_arfs.c | 2 drivers/net/ethernet/intel/ice/ice_eswitch.c | 6 drivers/net/ethernet/intel/ice/ice_lag.c | 27 drivers/net/ethernet/intel/ice/ice_lib.c | 18 drivers/net/ethernet/intel/ice/ice_lib.h | 4 drivers/net/ethernet/intel/ice/ice_txrx.c | 4 drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 drivers/net/ethernet/mellanox/mlx5/core/eq.c | 2 drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c | 2 drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 drivers/net/ethernet/mellanox/mlx5/core/mlx5_irq.h | 4 drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 13 drivers/net/ethernet/mellanox/mlx5/core/pci_irq.h | 2 drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_bwc.h | 2 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 drivers/net/ethernet/realtek/rtase/rtase_main.c | 10 drivers/net/mctp/mctp-i2c.c | 5 drivers/net/mctp/mctp-i3c.c | 5 drivers/net/phy/nxp-c45-tja11xx.c | 68 ++ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 6 drivers/net/wwan/mhi_wwan_mbim.c | 2 drivers/nvme/host/apple.c | 5 drivers/nvme/host/core.c | 14 drivers/nvme/host/fc.c | 59 -- drivers/nvme/host/pci.c | 7 drivers/nvme/target/rdma.c | 33 - drivers/phy/ti/phy-gmii-sel.c | 15 drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c | 3 drivers/platform/x86/intel/int3472/discrete.c | 85 ++ drivers/platform/x86/intel/pmc/core.c | 4 drivers/platform/x86/thinkpad_acpi.c | 50 + drivers/powercap/powercap_sys.c | 3 drivers/s390/cio/chp.c | 3 drivers/scsi/qla1280.c | 2 drivers/scsi/scsi_scan.c | 2 drivers/spi/spi-microchip-core.c | 41 - drivers/thermal/cpufreq_cooling.c | 2 drivers/ufs/core/ufshcd.c | 7 drivers/usb/phy/phy-generic.c | 2 drivers/usb/serial/ftdi_sio.c | 14 drivers/usb/serial/ftdi_sio_ids.h | 13 drivers/usb/serial/option.c | 48 + drivers/vhost/vhost.c | 2 drivers/video/fbdev/hyperv_fb.c | 52 + drivers/xen/swiotlb-xen.c | 2 fs/btrfs/extent_io.c | 11 fs/btrfs/qgroup.c | 6 fs/fuse/dir.c | 2 fs/namei.c | 24 fs/netfs/read_collect.c | 2 fs/smb/client/asn1.c | 2 fs/smb/client/cifs_spnego.c | 4 fs/smb/client/cifsglob.h | 4 fs/smb/client/connect.c | 16 fs/smb/client/fs_context.c | 18 fs/smb/client/inode.c | 13 fs/smb/client/reparse.c | 10 fs/smb/client/sess.c | 3 fs/smb/client/smb2pdu.c | 4 fs/smb/common/smbfsctl.h | 3 fs/smb/server/connection.c | 20 fs/smb/server/connection.h | 2 fs/smb/server/ksmbd_work.c | 3 fs/smb/server/ksmbd_work.h | 1 fs/smb/server/oplock.c | 43 - fs/smb/server/oplock.h | 1 fs/smb/server/server.c | 14 fs/vboxsf/super.c | 3 include/linux/blk-mq.h | 16 include/linux/fs.h | 2 include/linux/hugetlb.h | 5 include/linux/pci_ids.h | 1 include/net/bluetooth/hci_core.h | 108 +-- include/net/bluetooth/l2cap.h | 3 include/net/netfilter/nf_tables.h | 4 include/sound/soc.h | 5 init/Kconfig | 2 io_uring/futex.c | 2 io_uring/io-wq.c | 23 kernel/futex/core.c | 5 kernel/futex/futex.h | 11 kernel/futex/pi.c | 2 kernel/futex/waitwake.c | 4 kernel/rcu/tree.c | 14 kernel/sched/core.c | 5 kernel/sched/debug.c | 2 kernel/sched/ext.c | 3 kernel/time/hrtimer.c | 22 kernel/vhost_task.c | 4 mm/hugetlb.c | 8 mm/page_isolation.c | 10 mm/userfaultfd.c | 91 ++- net/bluetooth/hci_core.c | 10 net/bluetooth/hci_event.c | 37 - net/bluetooth/iso.c | 6 net/bluetooth/l2cap_core.c | 181 ++---- net/bluetooth/l2cap_sock.c | 15 net/bluetooth/rfcomm/core.c | 6 net/bluetooth/sco.c | 12 net/core/dev.c | 5 net/core/netpoll.c | 9 net/ipv6/addrconf.c | 15 net/mac80211/util.c | 8 net/mctp/route.c | 10 net/mctp/test/route-test.c | 109 +++ net/mptcp/protocol.h | 2 net/netfilter/ipvs/ip_vs_ctl.c | 8 net/netfilter/nf_conncount.c | 6 net/netfilter/nf_tables_api.c | 24 net/netfilter/nft_compat.c | 8 net/netfilter/nft_ct.c | 6 net/netfilter/nft_exthdr.c | 10 net/openvswitch/conntrack.c | 30 - net/openvswitch/datapath.h | 3 net/openvswitch/flow_netlink.c | 15 net/sched/sch_api.c | 6 net/sched/sch_gred.c | 3 net/sctp/stream.c | 2 net/switchdev/switchdev.c | 25 net/wireless/core.c | 7 rust/kernel/alloc/allocator_test.rs | 18 rust/kernel/error.rs | 2 rust/kernel/init.rs | 23 rust/kernel/init/macros.rs | 6 rust/kernel/lib.rs | 2 rust/kernel/sync.rs | 16 scripts/generate_rust_analyzer.py | 73 +- scripts/rustdoc_test_gen.rs | 4 sound/hda/intel-dsp-config.c | 5 sound/pci/hda/hda_intel.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/arizona.c | 14 sound/soc/codecs/cs42l43.c | 2 sound/soc/codecs/madera.c | 10 sound/soc/codecs/rt722-sdca-sdw.c | 4 sound/soc/codecs/tas2764.c | 10 sound/soc/codecs/tas2764.h | 8 sound/soc/codecs/tas2770.c | 2 sound/soc/codecs/wm0010.c | 13 sound/soc/codecs/wm5110.c | 8 sound/soc/generic/simple-card-utils.c | 1 sound/soc/intel/boards/sof_sdw.c | 33 - sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 2 sound/soc/sh/rcar/core.c | 14 sound/soc/sh/rcar/rsnd.h | 1 sound/soc/sh/rcar/src.c | 116 +++- sound/soc/sh/rcar/ssi.c | 3 sound/soc/soc-ops.c | 15 sound/soc/sof/amd/acp-ipc.c | 23 sound/soc/sof/amd/acp.c | 1 sound/soc/sof/amd/acp.h | 1 sound/soc/sof/amd/vangogh.c | 18 sound/soc/sof/intel/hda-codec.c | 1 sound/soc/sof/intel/hda.c | 18 sound/soc/sof/intel/pci-ptl.c | 1 tools/objtool/check.c | 9 tools/sched_ext/include/scx/common.bpf.h | 11 tools/sound/dapm-graph | 2 tools/testing/selftests/bpf/prog_tests/sockmap_basic.c | 6 tools/testing/selftests/cgroup/test_cpuset_v1_hp.sh | 2 tools/testing/selftests/drivers/net/bonding/bond_options.sh | 4 tools/testing/selftests/filesystems/statmount/statmount_test.c | 22 tools/testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 245 files changed, 2447 insertions(+), 1311 deletions(-) Aaron Ma (1): perf/x86/rapl: Add support for Intel Arrow Lake U Ajay Kaher (1): x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware hypervisors Alban Kurti (2): rust: error: add missing newline to pr_warn! calls rust: init: add missing newline to pr_info! calls Alex Henrie (2): HID: apple: fix up the F6 key on the Omoton KB066 keyboard HID: apple: disable Fn key handling on the Omoton KB066 Alex Hung (2): drm/amd/display: Fix out-of-bound accesses drm/amd/display: Assign normalized_pix_clk when color depth = 14 Alexander Stein (1): usb: phy: generic: Use proper helper for property detection Alexey Kashavkin (1): netfilter: nft_exthdr: fix offset with ipv4_find_option() Aliaksei Urbanski (1): drm/amd/display: fix missing .is_two_pixels_per_container Amit Cohen (1): net: switchdev: Convert blocking notification chain to a raw one Andrea Righi (3): sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl() sched_ext: selftests/dsp_local_on: Fix selftest on UP systems tools/sched_ext: Add helper to check task migration state Andrei Botila (2): net: phy: nxp-c45-tja11xx: add TJA112X PHY configuration errata net: phy: nxp-c45-tja11xx: add TJA112XB SGMII PCS restart errata Andrew Davis (1): phy: ti: gmii-sel: Do not use syscon helper to build regmap Andy Shevchenko (1): hrtimers: Mark is_migration_base() with __always_inline Antheas Kapenekakis (3): Input: xpad - add support for ZOTAC Gaming Zone Input: xpad - add support for TECNO Pocket Go Input: xpad - rename QH controller to Legion Go S Arnd Bergmann (1): x86/irq: Define trace events conditionally Artur Weber (1): pinctrl: bcm281xx: Fix incorrect regmap max_registers value Bard Liao (3): ASoC: Intel: soc-acpi-intel-mtl-match: declare adr as ull ASoC: SOF: Intel: don't check number of sdw links when set dmic_fixup ASoC: rt722-sdca: add missing readable registers Barry Song (1): mm: fix kernel BUG when userfaultfd_move encounters swapcache Beata Michalska (1): arm64: amu: Delay allocating cpumask for AMU FIE support Benno Lossin (1): rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Bharadwaj Raju (1): selftests/cgroup: use bash in test_cpuset_v1_hp.sh Bibo Mao (1): LoongArch: KVM: Set host with kernel mode when switch to VM mode Boon Khai Ng (1): USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Brahmajit Das (1): vboxsf: fix building with GCC 15 Breno Leitao (1): netpoll: hold rcu read lock in __netpoll_send_skb() Carolina Jubran (1): net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Charles Han (1): pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw Charles Keepax (2): ASoC: ops: Consistently treat platform_max as control value ASoC: cs42l43: Fix maximum ADC Volume Chengen Du (1): iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Chia-Lin Kao (AceLan) (1): HID: ignore non-functional sensor in HP 5MP Camera Christian Loehle (1): sched/debug: Provide slice length for fair tasks Christophe JAILLET (4): ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() i2c: ali1535: Fix an error handling path in ali1535_probe() i2c: ali15x3: Fix an error handling path in ali15x3_probe() i2c: sis630: Fix an error handling path in sis630_probe() Christopher Lentocha (1): nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Cong Wang (1): net_sched: Prevent creation of classes with TC_H_ROOT Conor Dooley (1): spi: microchip-core: prevent RX overflows when transmit size > FIFO size Cristian Ciocaltea (2): ASoC: SOF: amd: Add post_fw_run_delay ACP quirk ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Dan Carpenter (1): ipvs: prevent integer overflow in do_ip_vs_get_ctl() Daniel Brackenbury (1): HID: topre: Fix n-key rollover on Realforce R3S TKL boards Daniel Lezcano (1): thermal/cpufreq_cooling: Remove structure member documentation Daniel Wagner (4): nvme-fc: go straight to connecting state when initializing nvme-fc: do not ignore connectivity loss during connecting nvme: only allow entering LIVE from CONNECTING state nvme-fc: rely on state transitions to handle connectivity loss David Rosca (1): drm/amdgpu/display: Allow DCC for video formats on GFX12 David Wei (2): bnxt_en: refactor tpa_info alloc/free into helpers bnxt_en: handle tpa_info in queue API implementation Dmitry Kandybka (1): platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Dmytro Maluka (1): x86/of: Don't use DTB for SMP setup if ACPI is enabled Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Emmanuel Grumbach (1): wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms Eric W. Biederman (1): alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE990B compositions USB: serial: option: fix Telit Cinterion FE990A name Filipe Manana (1): btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop Florent Revest (1): x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Florian Westphal (1): netfilter: nf_tables: make destruction work queue pernet Frederic Weisbecker (1): net: Handle napi_schedule() calls from non-interrupt Gannon Kolding (1): ACPI: resource: IRQ override for Eluktronics MECH-17 Ge Yang (1): mm/hugetlb: wait for hugetlb folios to be freed Greg Kroah-Hartman (1): Linux 6.12.20 Grzegorz Nitka (1): ice: fix memory leak in aRFS after reset Guillaume Nault (1): gre: Fix IPv6 link-local address generation. H. Nikolaus Schaller (1): Input: ads7846 - fix gpiod allocation Hangbin Liu (2): bonding: fix incorrect MAC address setting to receive NS messages selftests: bonding: fix incorrect mac address Haoxiang Li (1): qlcnic: fix memory leak issues in qlcnic_sriov_common.c Harry Wentland (1): drm/vkms: Round fixp2int conversion in lerp_u16 Hector Martin (4): apple-nvme: Release power domains when probe fails ASoC: tas2770: Fix volume scale ASoC: tas2764: Fix power control mask ASoC: tas2764: Set the SDOUT polarity correctly Henrique Carvalho (1): smb: client: Fix match_session bug preventing session reuse Huacai Chen (1): LoongArch: Fix kernel_page_present() for KPRANGE/XKPRANGE Ievgen Vovk (1): HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Ilya Maximets (1): net: openvswitch: remove misbehaving actions length check Imre Deak (1): drm/dp_mst: Fix locking when skipping CSN before topology probing Ivan Abramov (1): drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Jakub Kicinski (1): eth: bnxt: use page pool for head frags Jan Beulich (1): Xen/swiotlb: mark xen_swiotlb_fixup() __init Jann Horn (1): sched: Clarify wake_up_q()'s write to task->wake_q.next Jeff LaBundy (1): Input: iqs7222 - preserve system status register Jens Axboe (1): futex: Pass in task to futex_queue() Jianbo Liu (1): net/mlx5: Bridge, fix the crash caused by LAG state check Jiayuan Chen (1): selftests/bpf: Fix invalid flag of recv() Jiri Pirko (1): net/mlx5: Fill out devlink dev info only for PFs Joe Hattori (1): powercap: call put_device() on an error path in powercap_register_control_type() Johan Hovold (1): USB: serial: option: match on interface class for Telit FN990B Joseph Huang (1): net: dsa: mv88e6xxx: Verify after ATU Load ops Josh Poimboeuf (1): objtool: Ignore dangling jump table entries José Roberto de Souza (1): drm/i915: Increase I915_PARAM_MMAP_GTT_VERSION version to indicate support for partial mmaps Jun Yang (1): sched: address a potential NULL pointer dereference in the GRED scheduler. Justin Lai (1): rtase: Fix improper release of ring list entries in rtase_sw_reset Kan Liang (1): perf/x86/intel: Use better start period for frequency mode Keith Busch (1): vhost: return task creation error instead of NULL Kent Overstreet (1): dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Kohei Enju (1): netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Kuninori Morimoto (4): ASoC: simple-card-utils.c: add missing dlc->of_node ASoC: rsnd: indicate unsupported clock rate ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() ASoC: rsnd: adjust convert rate limitation Larysa Zaremba (1): ice: do not configure destination override for switchdev Leo Li (1): drm/amd/display: Disable unneeded hpd interrupts during dm_init Luca Weiss (1): Input: goodix-berlin - fix vddio regulator references Luiz Augusto von Dentz (4): Bluetooth: hci_event: Fix enabling passive scanning Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Magnus Lindholm (1): scsi: qla1280: Fix kernel oops when debug level > 2 Marcin Szycik (1): ice: Fix switchdev slow-path in LAG Mario Limonciello (3): drm/amd/display: fix default brightness drm/amd/display: Restore correct backlight brightness after a GPU reset drm/amd/display: Fix slab-use-after-free on hdcp_work Mark Pearson (1): platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Matt Johnston (3): net: mctp i3c: Copy headers if cloned net: mctp i2c: Copy headers if cloned net: mctp: unshare packets when reassembling Matthew Maurer (1): rust: Disallow BTF generation with Rust + LTO Matthew Wilcox (Oracle) (1): btrfs: fix two misuses of folio_shift() Matthieu Baerts (NGI0) (1): mptcp: safety check before fallback Max Kellermann (1): fs/netfs/read_collect: add to next->prev_donated Maxime Ripard (3): drm/tests: hdmi: Remove redundant assignments drm/tests: hdmi: Reorder DRM entities variables assignment drm/tests: hdmi: Fix recursive locking Michael Kelley (4): fbdev: hyperv_fb: iounmap() the correct memory when removing a device drm/hyperv: Fix address space leak when Hyper-V DRM device is removed fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Miguel Ojeda (3): rust: remove leftover mentions of the `alloc` crate drm/panic: use `div_ceil` to clean Clippy warning drm/panic: fix overindented list items in documentation Miklos Szeredi (2): selftests: always check mask returned by statmount(2) fuse: don't truncate cached, mutated symlink Mina Almasry (1): netmem: prevent TX of unreadable skbs Ming Lei (1): block: fix 'kmem_cache of name 'bio-108' already exists' Miri Korenblit (2): wifi: mac80211: don't queue sdata::work for a non-running sdata wifi: cfg80211: cancel wiphy_work before freeing wiphy Mitchell Levy (1): rust: lockdep: Remove support for dynamically allocated LockClassKeys Murad Masimov (4): cifs: Fix integer overflow while processing acregmax mount option cifs: Fix integer overflow while processing acdirmax mount option cifs: Fix integer overflow while processing actimeo mount option cifs: Fix integer overflow while processing closetimeo mount option Namjae Jeon (2): ksmbd: fix use-after-free in ksmbd_free_work_struct ksmbd: prevent connection release during oplock break notification Natalie Vock (1): drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags Nicklas Bo Jensen (1): netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Nicolas Frattaroli (1): ASoC: dapm-graph: set fill colour of turned on nodes Nilton Perim Neto (1): Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Pali Rohár (3): cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes cifs: Validate content of WSL reparse point buffers cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() Paulo Alcantara (2): smb: client: fix noisy when tree connecting to DFS interlink targets smb: client: fix regression with guest option Pavel Rojtberg (1): Input: xpad - add multiple supported devices Peter Griffin (1): clk: samsung: gs101: fix synchronous external abort in samsung_clk_save() Peter Oberparleiter (1): s390/cio: Fix CHPID "configure" attribute caching Peter Ujfalusi (2): ASoC: SOF: Intel: pci-ptl: Add support for PTL-H ASoC: Intel: sof_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() Pierre-Louis Bossart (3): PCI: pci_ids: add INTEL_HDA_PTL_H ALSA: hda: intel-dsp-config: Add PTL-H support ALSA: hda: hda-intel: add Panther Lake-H support Piotr Jaroszynski (1): Fix mmu notifiers for range-based invalidates Richard Fitzgerald (2): ASoC: Intel: sof_sdw: Add lookup of quirk using PCI subsystem ID ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S14 Rik van Riel (1): scsi: core: Use GFP_NOIO to avoid circular locking dependency Rodrigo Vivi (1): drm/xe/pm: Temporarily disable D3Cold on BMG Ruozhu Li (1): nvmet-rdma: recheck queue state is LIVE in state lock in recv done Sakari Ailus (2): platform/x86: int3472: Use correct type for "polarity", call it gpio_flags platform/x86: int3472: Call "reset" GPIO "enable" for INT347E Saurabh Sengar (2): fbdev: hyperv_fb: Simplify hvfb_putmem fbdev: hyperv_fb: Allow graceful removal of framebuffer Sebastian Andrzej Siewior (1): netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Seunghui Lee (1): scsi: ufs: core: Fix error return with query response Shay Drory (2): net/mlx5: Fix incorrect IRQ pool usage when releasing IRQs net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Shin'ichiro Kawasaki (2): nvme: move error logging from nvme_end_req() to __nvme_end_req() block: change blk_mq_add_to_batch() third argument type to bool Stephan Gerhold (1): net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Steve French (1): smb3: add support for IAKerb Suren Baghdasaryan (1): userfaultfd: fix PTE unmapping stack-allocated PTE copies Sybil Isabel Dorsett (1): platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Taehee Yoo (6): eth: bnxt: fix truesize for mb-xdp-pass case eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc() eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic eth: bnxt: do not update checksum in bnxt_xdp_build_skb() eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} eth: bnxt: fix memory leak in queue reset Tamir Duberstein (4): rust: alloc: satisfy POSIX alignment requirement scripts: generate_rust_analyzer: add missing macros deps scripts: generate_rust_analyzer: add missing include_dirs scripts: generate_rust_analyzer: add uapi crate Tejas Upadhyay (2): drm/xe: cancel pending job timer before freeing scheduler drm/xe: Release guc ids before cancelling work Tejun Heo (1): sched_ext: selftests/dsp_local_on: Fix sporadic failures Terry Cheong (1): ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Thomas Hellström (1): drm/xe/userptr: Fix an incorrect assert Thomas Mizrahi (1): ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Thomas Zimmermann (1): drm/nouveau: Do not override forced connector status Uday Shankar (1): io-wq: backoff when retrying worker creation Uladzislau Rezki (Sony) (1): mm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq Varada Pavani (1): clk: samsung: update PLL locktime for PLL142XX used on FSD platform Vicki Pfau (1): HID: hid-steam: Fix issues with disabling both gamepad mode and lizard mode Ville Syrjälä (2): drm/i915/cdclk: Do cdclk post plane programming later drm/atomic: Filter out redundant DPMS calls Vitaly Rodionov (1): ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Vlad Dogaru (1): net/mlx5: HWS, Rightsize bwc matcher priority Wentao Liang (1): net/mlx5: handle errors in mlx5_chains_create_table() Werner Sembach (4): Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Input: i8042 - add required quirks for missing old boardnames Input: i8042 - swap old quirk combination with new quirk for several devices Input: i8042 - swap old quirk combination with new quirk for more devices Xin Long (1): Revert "openvswitch: switch to per-action label counting in conntrack" Yifan Zha (1): drm/amd/amdkfd: Evict all queues even HWS remove queue failed Yu-Chun Lin (1): sctp: Fix undefined behavior in left shift operation Zhang Lixu (3): HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell HID: intel-ish-hid: Send clock sync message immediately after reset HID: intel-ish-hid: ipc: Add Panther Lake PCI device IDs Zhenhua Huang (1): arm64: mm: Populate vmemmap at the page level if not section aligned

1 month, 1 week

1
1
0 0

Linux 6.6.84

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.84 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/timers/no_hz.rst | 7 Makefile | 2 arch/alpha/include/asm/elf.h | 6 arch/alpha/include/asm/pgtable.h | 2 arch/alpha/include/asm/processor.h | 8 arch/alpha/kernel/osf_sys.c | 11 arch/arm64/mm/mmu.c | 5 arch/x86/events/intel/core.c | 85 +++++ arch/x86/kernel/cpu/microcode/amd.c | 2 arch/x86/kernel/cpu/mshyperv.c | 11 arch/x86/kernel/irq.c | 2 block/bio.c | 2 drivers/acpi/resource.c | 6 drivers/block/zram/zram_drv.c | 4 drivers/clk/samsung/clk-pll.c | 7 drivers/clocksource/i8253.c | 36 +- drivers/firmware/iscsi_ibft.c | 5 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 ++- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +- drivers/gpu/drm/drm_atomic_uapi.c | 4 drivers/gpu/drm/drm_connector.c | 4 drivers/gpu/drm/gma500/mid_bios.c | 5 drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 drivers/gpu/drm/i915/display/intel_display.c | 5 drivers/gpu/drm/nouveau/nouveau_connector.c | 1 drivers/gpu/drm/vkms/vkms_composer.c | 2 drivers/hid/Kconfig | 3 drivers/hid/hid-apple.c | 13 drivers/hid/hid-ids.h | 3 drivers/hid/hid-quirks.c | 1 drivers/hid/hid-topre.c | 7 drivers/hid/intel-ish-hid/ipc/ipc.c | 15 drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 drivers/hv/vmbus_drv.c | 13 drivers/i2c/busses/i2c-ali1535.c | 12 drivers/i2c/busses/i2c-ali15x3.c | 12 drivers/i2c/busses/i2c-sis630.c | 12 drivers/input/joystick/xpad.c | 39 +- drivers/input/misc/iqs7222.c | 50 +-- drivers/input/serio/i8042-acpipnpio.h | 111 +++--- drivers/input/touchscreen/ads7846.c | 2 drivers/md/dm-flakey.c | 2 drivers/net/bonding/bond_options.c | 55 ++- drivers/net/dsa/mv88e6xxx/chip.c | 59 ++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 drivers/net/ethernet/intel/ice/ice_arfs.c | 2 drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 drivers/net/mctp/mctp-i2c.c | 5 drivers/net/wwan/mhi_wwan_mbim.c | 2 drivers/nvme/host/apple.c | 2 drivers/nvme/host/core.c | 2 drivers/nvme/host/fc.c | 59 --- drivers/nvme/host/pci.c | 2 drivers/nvme/host/tcp.c | 43 ++ drivers/nvme/target/rdma.c | 33 + drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 drivers/platform/x86/intel/pmc/core.c | 4 drivers/platform/x86/thinkpad_acpi.c | 50 ++- drivers/powercap/powercap_sys.c | 3 drivers/s390/cio/chp.c | 3 drivers/scsi/qla1280.c | 2 drivers/scsi/scsi_scan.c | 2 drivers/thermal/cpufreq_cooling.c | 2 drivers/ufs/core/ufshcd.c | 7 drivers/usb/phy/phy-generic.c | 2 drivers/usb/serial/ftdi_sio.c | 14 drivers/usb/serial/ftdi_sio_ids.h | 13 drivers/usb/serial/option.c | 48 +- drivers/video/fbdev/hyperv_fb.c | 2 drivers/xen/swiotlb-xen.c | 2 fs/fuse/dir.c | 2 fs/namei.c | 24 + fs/proc/base.c | 9 fs/select.c | 11 fs/smb/client/asn1.c | 2 fs/smb/client/cifs_spnego.c | 4 fs/smb/client/cifsglob.h | 4 fs/smb/client/connect.c | 16 fs/smb/client/fs_context.c | 18 - fs/smb/client/inode.c | 13 fs/smb/client/reparse.c | 10 fs/smb/client/sess.c | 3 fs/smb/client/smb2pdu.c | 4 fs/smb/common/smbfsctl.h | 3 fs/smb/server/connection.c | 20 + fs/smb/server/connection.h | 2 fs/smb/server/ksmbd_work.c | 3 fs/smb/server/ksmbd_work.h | 1 fs/smb/server/oplock.c | 43 +- fs/smb/server/oplock.h | 1 fs/smb/server/server.c | 14 fs/vboxsf/super.c | 3 include/linux/fs.h | 2 include/linux/i8253.h | 1 include/linux/io_uring_types.h | 3 include/linux/nvme-tcp.h | 2 include/net/bluetooth/hci_core.h | 108 ++---- include/net/bluetooth/l2cap.h | 3 include/net/netfilter/nf_tables.h | 20 - include/sound/soc.h | 5 init/Kconfig | 2 io_uring/io-wq.c | 23 + io_uring/io_uring.c | 250 ++++++++++----- io_uring/io_uring.h | 8 io_uring/kbuf.c | 173 ++-------- io_uring/kbuf.h | 3 io_uring/rsrc.c | 39 -- kernel/bpf/ringbuf.c | 12 kernel/sched/core.c | 13 kernel/sched/debug.c | 2 kernel/sys.c | 2 kernel/time/hrtimer.c | 40 -- lib/buildid.c | 5 mm/mmap.c | 69 +++- mm/nommu.c | 7 net/bluetooth/hci_core.c | 10 net/bluetooth/hci_event.c | 37 +- net/bluetooth/iso.c | 6 net/bluetooth/l2cap_core.c | 181 +++++----- net/bluetooth/l2cap_sock.c | 15 net/bluetooth/rfcomm/core.c | 6 net/bluetooth/sco.c | 12 net/core/dev.c | 2 net/core/netpoll.c | 9 net/ipv4/tcp.c | 20 - net/ipv6/addrconf.c | 15 net/mptcp/protocol.h | 2 net/netfilter/ipvs/ip_vs_ctl.c | 8 net/netfilter/nf_conncount.c | 6 net/netfilter/nf_tables_api.c | 25 - net/netfilter/nft_connlimit.c | 4 net/netfilter/nft_counter.c | 4 net/netfilter/nft_ct.c | 6 net/netfilter/nft_dynset.c | 2 net/netfilter/nft_exthdr.c | 10 net/netfilter/nft_last.c | 4 net/netfilter/nft_limit.c | 14 net/netfilter/nft_quota.c | 4 net/netfilter/nft_set_hash.c | 8 net/netfilter/nft_set_pipapo.c | 18 - net/netfilter/nft_set_rbtree.c | 11 net/openvswitch/flow_netlink.c | 15 net/sched/sch_api.c | 6 net/sched/sch_gred.c | 3 net/sctp/stream.c | 2 net/switchdev/switchdev.c | 25 + net/wireless/core.c | 7 rust/kernel/error.rs | 2 rust/kernel/init.rs | 23 - rust/kernel/init/macros.rs | 6 rust/kernel/sync.rs | 10 scripts/generate_rust_analyzer.py | 30 + sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/arizona.c | 14 sound/soc/codecs/cs42l43.c | 2 sound/soc/codecs/madera.c | 10 sound/soc/codecs/rt722-sdca-sdw.c | 4 sound/soc/codecs/tas2764.c | 10 sound/soc/codecs/tas2764.h | 8 sound/soc/codecs/tas2770.c | 2 sound/soc/codecs/wm0010.c | 13 sound/soc/codecs/wm5110.c | 8 sound/soc/generic/simple-card-utils.c | 1 sound/soc/sh/rcar/core.c | 14 sound/soc/sh/rcar/rsnd.h | 1 sound/soc/sh/rcar/src.c | 116 +++++- sound/soc/sh/rcar/ssi.c | 3 sound/soc/soc-ops.c | 15 sound/soc/sof/amd/acp-ipc.c | 23 - sound/soc/sof/intel/hda-codec.c | 1 tools/objtool/check.c | 9 tools/testing/selftests/bpf/prog_tests/sockmap_basic.c | 6 186 files changed, 1802 insertions(+), 1165 deletions(-) Alban Kurti (2): rust: error: add missing newline to pr_warn! calls rust: init: add missing newline to pr_info! calls Alex Henrie (2): HID: apple: fix up the F6 key on the Omoton KB066 keyboard HID: apple: disable Fn key handling on the Omoton KB066 Alex Hung (1): drm/amd/display: Assign normalized_pix_clk when color depth = 14 Alexander Stein (1): usb: phy: generic: Use proper helper for property detection Alexey Kashavkin (1): netfilter: nft_exthdr: fix offset with ipv4_find_option() Amit Cohen (1): net: switchdev: Convert blocking notification chain to a raw one Andrii Nakryiko (1): lib/buildid: Handle memfd_secret() files in build_id_parse() Andy Shevchenko (1): hrtimers: Mark is_migration_base() with __always_inline Antheas Kapenekakis (3): Input: xpad - add support for ZOTAC Gaming Zone Input: xpad - add support for TECNO Pocket Go Input: xpad - rename QH controller to Legion Go S Arnd Bergmann (1): x86/irq: Define trace events conditionally Artur Weber (1): pinctrl: bcm281xx: Fix incorrect regmap max_registers value Bard Liao (1): ASoC: rt722-sdca: add missing readable registers Benno Lossin (1): rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Boon Khai Ng (1): USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Brahmajit Das (1): vboxsf: fix building with GCC 15 Breno Leitao (1): netpoll: hold rcu read lock in __netpoll_send_skb() Carolina Jubran (1): net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Charles Keepax (2): ASoC: ops: Consistently treat platform_max as control value ASoC: cs42l43: Fix maximum ADC Volume Chengen Du (1): iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Chia-Lin Kao (AceLan) (1): HID: ignore non-functional sensor in HP 5MP Camera Christian Loehle (1): sched/debug: Provide slice length for fair tasks Christophe JAILLET (4): ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() i2c: ali1535: Fix an error handling path in ali1535_probe() i2c: ali15x3: Fix an error handling path in ali15x3_probe() i2c: sis630: Fix an error handling path in sis630_probe() Christopher Lentocha (1): nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Cong Wang (1): net_sched: Prevent creation of classes with TC_H_ROOT Cristian Ciocaltea (1): ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Dan Carpenter (1): ipvs: prevent integer overflow in do_ip_vs_get_ctl() Daniel Brackenbury (1): HID: topre: Fix n-key rollover on Realforce R3S TKL boards Daniel Lezcano (1): thermal/cpufreq_cooling: Remove structure member documentation Daniel Wagner (4): nvme-fc: go straight to connecting state when initializing nvme-fc: do not ignore connectivity loss during connecting nvme: only allow entering LIVE from CONNECTING state nvme-fc: rely on state transitions to handle connectivity loss David Woodhouse (1): clockevents/drivers/i8253: Fix stop sequence for timer 0 Dmitry Kandybka (1): platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Edson Juliano Drosdeck (1): ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Eric Dumazet (1): tcp: fix races in tcp_abort() Eric W. Biederman (1): alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE990B compositions USB: serial: option: fix Telit Cinterion FE990A name Felix Moessbauer (1): hrtimer: Use and report correct timerslack values for realtime tasks Florent Revest (1): x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Florian Westphal (1): netfilter: nf_tables: allow clone callbacks to sleep Frederic Weisbecker (1): net: Handle napi_schedule() calls from non-interrupt Gannon Kolding (1): ACPI: resource: IRQ override for Eluktronics MECH-17 Greg Kroah-Hartman (1): Linux 6.6.84 Grzegorz Nitka (1): ice: fix memory leak in aRFS after reset Guillaume Nault (1): gre: Fix IPv6 link-local address generation. H. Nikolaus Schaller (1): Input: ads7846 - fix gpiod allocation Hangbin Liu (1): bonding: fix incorrect MAC address setting to receive NS messages Haoxiang Li (1): qlcnic: fix memory leak issues in qlcnic_sriov_common.c Harry Wentland (1): drm/vkms: Round fixp2int conversion in lerp_u16 Hector Martin (4): apple-nvme: Release power domains when probe fails ASoC: tas2770: Fix volume scale ASoC: tas2764: Fix power control mask ASoC: tas2764: Set the SDOUT polarity correctly Henrique Carvalho (1): smb: client: Fix match_session bug preventing session reuse Ievgen Vovk (1): HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Ilya Maximets (1): net: openvswitch: remove misbehaving actions length check Imre Deak (1): drm/dp_mst: Fix locking when skipping CSN before topology probing Ivan Abramov (1): drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Jan Beulich (1): Xen/swiotlb: mark xen_swiotlb_fixup() __init Jann Horn (1): sched: Clarify wake_up_q()'s write to task->wake_q.next Jeff LaBundy (1): Input: iqs7222 - preserve system status register Jens Axboe (8): mm: add nommu variant of vm_insert_pages() io_uring: get rid of remap_pfn_range() for mapping rings/sqes io_uring: don't attempt to mmap larger than what the user asks for io_uring: use vmap() for ring mapping io_uring: unify io_pin_pages() io_uring/kbuf: vmap pinned buffer ring io_uring/kbuf: use vm_insert_pages() for mmap'ed pbuf ring io_uring: use unpin_user_pages() where appropriate Jianbo Liu (1): net/mlx5: Bridge, fix the crash caused by LAG state check Jiayuan Chen (1): selftests/bpf: Fix invalid flag of recv() Jiri Pirko (1): net/mlx5: Fill out devlink dev info only for PFs Joe Hattori (1): powercap: call put_device() on an error path in powercap_register_control_type() Johan Hovold (1): USB: serial: option: match on interface class for Telit FN990B Joseph Huang (1): net: dsa: mv88e6xxx: Verify after ATU Load ops Josh Poimboeuf (1): objtool: Ignore dangling jump table entries Jun Yang (1): sched: address a potential NULL pointer dereference in the GRED scheduler. Kan Liang (1): perf/x86/intel: Use better start period for frequency mode Kent Overstreet (1): dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Kirill A. Shutemov (1): mm: split critical region in remap_file_pages() and invoke LSMs in between Kohei Enju (1): netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Kuninori Morimoto (4): ASoC: simple-card-utils.c: add missing dlc->of_node ASoC: rsnd: indicate unsupported clock rate ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() ASoC: rsnd: adjust convert rate limitation Leo Li (1): drm/amd/display: Disable unneeded hpd interrupts during dm_init Liu Shixin (1): zram: fix NULL pointer in comp_algorithm_show() Luiz Augusto von Dentz (4): Bluetooth: hci_event: Fix enabling passive scanning Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Magnus Lindholm (1): scsi: qla1280: Fix kernel oops when debug level > 2 Mario Limonciello (2): drm/amd/display: Restore correct backlight brightness after a GPU reset drm/amd/display: Fix slab-use-after-free on hdcp_work Mark Pearson (1): platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Matt Johnston (1): net: mctp i2c: Copy headers if cloned Matthew Maurer (1): rust: Disallow BTF generation with Rust + LTO Matthieu Baerts (NGI0) (1): mptcp: safety check before fallback Maurizio Lombardi (2): nvme-tcp: add basic support for the C2HTermReq PDU nvme-tcp: Fix a C2HTermReq error message Michael Kelley (3): fbdev: hyperv_fb: iounmap() the correct memory when removing a device drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Miklos Szeredi (1): fuse: don't truncate cached, mutated symlink Ming Lei (1): block: fix 'kmem_cache of name 'bio-108' already exists' Miri Korenblit (1): wifi: cfg80211: cancel wiphy_work before freeing wiphy Mitchell Levy (1): rust: lockdep: Remove support for dynamically allocated LockClassKeys Murad Masimov (4): cifs: Fix integer overflow while processing acregmax mount option cifs: Fix integer overflow while processing acdirmax mount option cifs: Fix integer overflow while processing actimeo mount option cifs: Fix integer overflow while processing closetimeo mount option Namjae Jeon (2): ksmbd: fix use-after-free in ksmbd_free_work_struct ksmbd: prevent connection release during oplock break notification Nicklas Bo Jensen (1): netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Nilton Perim Neto (1): Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Oleg Nesterov (1): sched/isolation: Prevent boot crash when the boot CPU is nohz_full Pablo Neira Ayuso (2): netfilter: nf_tables: use timestamp to check for set element timeout netfilter: nf_tables: bail out if stateful expression provides no .clone Pali Rohár (3): cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes cifs: Validate content of WSL reparse point buffers cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() Paulo Alcantara (2): smb: client: fix noisy when tree connecting to DFS interlink targets smb: client: fix regression with guest option Pavel Begunkov (2): io_uring: fix corner case forgetting to vunmap io_uring: fix error pbuf checking Pavel Rojtberg (1): Input: xpad - add multiple supported devices Peter Oberparleiter (1): s390/cio: Fix CHPID "configure" attribute caching Philipp Stanner (1): stmmac: loongson: Pass correct arg to PCI function Rik van Riel (1): scsi: core: Use GFP_NOIO to avoid circular locking dependency Ruozhu Li (1): nvmet-rdma: recheck queue state is LIVE in state lock in recv done Sebastian Andrzej Siewior (1): netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Seunghui Lee (1): scsi: ufs: core: Fix error return with query response Shay Drory (1): net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Stephan Gerhold (1): net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Steve French (1): smb3: add support for IAKerb Sybil Isabel Dorsett (1): platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Taehee Yoo (1): eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Tamir Duberstein (1): scripts: generate_rust_analyzer: add missing macros deps Terry Cheong (1): ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Thomas Mizrahi (1): ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Thomas Zimmermann (1): drm/nouveau: Do not override forced connector status Uday Shankar (1): io-wq: backoff when retrying worker creation Varada Pavani (1): clk: samsung: update PLL locktime for PLL142XX used on FSD platform Ville Syrjälä (2): drm/i915/cdclk: Do cdclk post plane programming later drm/atomic: Filter out redundant DPMS calls Vitaly Rodionov (1): ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Wander Lairson Costa (1): bpf: Use raw_spinlock_t in ringbuf Wentao Liang (1): net/mlx5: handle errors in mlx5_chains_create_table() Werner Sembach (4): Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Input: i8042 - add required quirks for missing old boardnames Input: i8042 - swap old quirk combination with new quirk for several devices Input: i8042 - swap old quirk combination with new quirk for more devices Xueming Feng (1): tcp: fix forever orphan socket caused by tcp_abort Yu-Chun Lin (1): sctp: Fix undefined behavior in left shift operation Zhang Lixu (2): HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell HID: intel-ish-hid: Send clock sync message immediately after reset Zhenhua Huang (1): arm64: mm: Populate vmemmap at the page level if not section aligned

1 month, 1 week

1
1
0 0

Re: Regression from 7627a0edef54 ("ata: ahci: Drop low power policy board type") on reboot (but not cold boot)

by Niklas Cassel

On Mon, Mar 03, 2025 at 03:58:30PM +0100, Eric wrote: > Hi Niklas > > Le 03/03/2025 à 07:25, Niklas Cassel a écrit : > > So far, this just sounds like a bug where UEFI cannot detect your SSD. > Bit it is detected during cold boot, though. > > UEFI problems should be reported to your BIOS vendor. > I'll try to see what can be done, however I am not sure how responsive they > will be for this board... > > > > It would be interesting to see if _Linux_ can detect your SSD, after a > > reboot, without UEFI involvement. > > > > If you kexec into the same kernel as you are currently running: > > https://manpages.debian.org/testing/kexec-tools/kexec.8.en.html > > > > Do you see your SSD in the kexec'd kernel? > > Sorry, I've tried that using several methods (systemctl kexec / kexec --load > + kexec -e / kexec --load + shutdown --reboot now) and it failed each time. > I *don't* think it is related to this bug, however, because each time the > process got stuck just after displaying "kexec_core: Starting new kernel". I just tired (as root): # kexec -l /boot/vmlinuz-6.13.5-200.fc41.x86_64 --initrd=/boot/initramfs-6.13.5-200.fc41.x86_64.img --reuse-cmd # kexec -e and FWIW, kexec worked fine. Did you specify an initrd ? did you specify --reuse-cmd ? If not, please try it. It would be interesting to see if Linux can detect your SATA drive after a kexec. If it can't, then we need to report the issue to your drive vendor (Samsung). Kind regards, Niklas

1 month, 1 week

4
24
0 0

[PATCH v2] kbuild: deb-pkg: don't set KBUILD_BUILD_VERSION unconditionally

by Alexandru Gagniuc

In ThinPro, we use the convention <upstream_ver>+hp<patchlevel> for the kernel package. This does not have a dash in the name or version. This is built by editing ".version" before a build, and setting EXTRAVERSION="+hp" and KDEB_PKGVERSION make variables: echo 68 > .version make -j<n> EXTRAVERSION="+hp" bindeb-pkg KDEB_PKGVERSION=6.12.2+hp69 .deb name: linux-image-6.12.2+hp_6.12.2+hp69_amd64.deb Since commit 7d4f07d5cb71 ("kbuild: deb-pkg: squash scripts/package/deb-build-option to debian/rules"), this no longer works. The deb build logic changed, even though, the commit message implies that the logic should be unmodified. Before, KBUILD_BUILD_VERSION was not set if the KDEB_PKGVERSION did not contain a dash. After the change KBUILD_BUILD_VERSION is always set to KDEB_PKGVERSION. Since this determines UTS_VERSION,the uname output to look off: (now) uname -a: version 6.12.2+hp ... #6.12.2+hp69 (expected) uname -a: version 6.12.2+hp ... #69 Update the debian/rules logic to restore the original behavior. Cc: <stable(a)vger.kernel.org> Fixes: 7d4f07d5cb71 ("kbuild: deb-pkg: squash scripts/package/deb-build-option to debian/rules") Signed-off-by: Alexandru Gagniuc <alexandru.gagniuc(a)hp.com> Reviewed-by: Nicolas Schier <nicolas(a)fjasle.eu> --- Changes since v1: * Rework logic so that dpkg-parsechangelog is invoked just once * Adjust commit message to reflect review feedback scripts/package/debian/rules | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/package/debian/rules b/scripts/package/debian/rules index ca07243bd5cd..d1f400685682 100755 --- a/scripts/package/debian/rules +++ b/scripts/package/debian/rules @@ -21,9 +21,11 @@ ifeq ($(origin KBUILD_VERBOSE),undefined) endif endif -revision = $(lastword $(subst -, ,$(shell dpkg-parsechangelog -S Version))) +revision = $(shell dpkg-parsechangelog -S Version | sed -n 's/.*-//p') CROSS_COMPILE ?= $(filter-out $(DEB_BUILD_GNU_TYPE)-, $(DEB_HOST_GNU_TYPE)-) -make-opts = ARCH=$(ARCH) KERNELRELEASE=$(KERNELRELEASE) KBUILD_BUILD_VERSION=$(revision) $(addprefix CROSS_COMPILE=,$(CROSS_COMPILE)) +make-opts = ARCH=$(ARCH) KERNELRELEASE=$(KERNELRELEASE) $(addprefix \ + KBUILD_BUILD_VERSION=,$(revision)) $(addprefix \ + CROSS_COMPILE=,$(CROSS_COMPILE)) binary-targets := $(addprefix binary-, image image-dbg headers libc-dev) -- 2.48.1

1 month, 1 week

2
1
0 0

[PATCH 6.6 0/4] fix kernel crash for xfs/235 test

by Fedor Pchelkin

Incomplete backport of series "xfs: log intent item recovery should reconstruct defer work state" [1] leads to a kernel crash during the xfs/235 test execution on top of 6.6.y stable. Tested (briefly) with my local xfstests setup. Additional testing would be much appreciated. [1]: https://lore.kernel.org/linux-xfs/170191741007.1195961.10092536809136830257… XFS (loop1): Corruption of in-memory data (0x8) detected at xfs_trans_cancel+0x4d9/0x610 (fs/xfs/xfs_trans.c:1097). Shutting down filesystem. XFS (loop1): Please unmount the filesystem and rectify the problem(s) general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067] CPU: 1 PID: 2011 Comm: mount Not tainted 6.6.84-rc2+ #12 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:xlog_recover_cancel_intents+0xad/0x1b0 Call Trace: <TASK> xlog_recover_finish+0x7f6/0x9a0 xfs_log_mount_finish+0x386/0x650 xfs_mountfs+0x1405/0x1fb0 xfs_fs_fill_super+0x11d6/0x1ca0 get_tree_bdev+0x3b4/0x650 vfs_get_tree+0x92/0x370 path_mount+0x13b9/0x1f10 __x64_sys_mount+0x286/0x310 do_syscall_64+0x39/0x90 entry_SYSCALL_64_after_hwframe+0x78/0xe2 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:xlog_recover_cancel_intents+0xad/0x1b0 Link to the original bug report [2]. [2]: https://lore.kernel.org/stable/6pxyzwujo52p4bp2otliyssjcvsfydd6ju32eusdlyhz… Found by Linux Verification Center (linuxtesting.org). Darrick J. Wong (4): xfs: recreate work items when recovering intent items xfs: dump the recovered xattri log item if corruption happens xfs: use xfs_defer_finish_one to finish recovered work items xfs: move ->iop_recover to xfs_defer_op_type fs/xfs/libxfs/xfs_defer.c | 22 ++++- fs/xfs/libxfs/xfs_defer.h | 14 +++ fs/xfs/libxfs/xfs_log_recover.h | 4 +- fs/xfs/xfs_attr_item.c | 115 ++++++++++++------------ fs/xfs/xfs_bmap_item.c | 92 ++++++++++--------- fs/xfs/xfs_extfree_item.c | 117 +++++++++++-------------- fs/xfs/xfs_log_recover.c | 37 ++++---- fs/xfs/xfs_refcount_item.c | 127 +++++++++------------------ fs/xfs/xfs_rmap_item.c | 151 ++++++++++++++++---------------- fs/xfs/xfs_trans.h | 4 - 10 files changed, 326 insertions(+), 357 deletions(-) -- 2.49.0

1 month, 1 week

1
4
0 0

[PATCH v2] ext4: fix OOB read when checking dotdot dir

by Acs, Jakub

Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] <TASK> [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: ac27a0ec112a0 ("[PATCH] ext4: initial copy of files from ext3") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: "Theodore Ts'o" <tytso(a)mit.edu> Cc: Andreas Dilger <adilger.kernel(a)dilger.ca> Cc: linux-ext4(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Mahmoud Adam <mngyadam(a)amazon.com> Cc: stable(a)vger.kernel.org Cc: security(a)kernel.org --- v1: https://lore.kernel.org/all/20250319110134.10071-1-acsjakub@amazon.com/ v1->v2: - optimize condition as per suggestions - remove questions - move this section to correct place I ran 'kvm-xfstests smoke' and '-c ext4/4k -g quick' as suggested in reply to v1. Some were skipped, none failed. fs/ext4/dir.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c index 02d47a64e8d1..253992fcf57c 100644 --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -104,6 +104,9 @@ int __ext4_check_dir_entry(const char *function, unsigned int line, else if (unlikely(le32_to_cpu(de->inode) > le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) error_msg = "inode out of bounds"; + else if (unlikely(next_offset == size && de->name_len == 1 && + de->name[0] == '.')) + error_msg = "'.' directory cannot be the last in data block"; else return 0; -- 2.47.1

1 month, 1 week

2
1
0 0

+ mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yosry Ahmed <yosry.ahmed(a)linux.dev> Subject: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() Date: Wed, 26 Feb 2025 18:56:25 +0000 Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock (through crypto_exit_scomp_ops_async()). On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through crypto_scomp_init_tfm()), and then allocates memory. If the allocation results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex. The above dependencies can cause an ABBA deadlock. For example in the following scenario: (1) Task A running on CPU #1: crypto_alloc_acomp_node() Holds scomp_lock Enters reclaim Reads per_cpu_ptr(pool->acomp_ctx, 1) (2) Task A is descheduled (3) CPU #1 goes offline zswap_cpu_comp_dead(CPU #1) Holds per_cpu_ptr(pool->acomp_ctx, 1)) Calls crypto_free_acomp() Waits for scomp_lock (4) Task A running on CPU #2: Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1 DEADLOCK Since there is no requirement to call crypto_free_acomp() with the per-CPU acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is unlocked. Also move the acomp_request_free() and kfree() calls for consistency and to avoid any potential sublte locking dependencies in the future. With this, only setting acomp_ctx fields to NULL occurs with the mutex held. This is similar to how zswap_cpu_comp_prepare() only initializes acomp_ctx fields with the mutex held, after performing all allocations before holding the mutex. Opportunistically, move the NULL check on acomp_ctx so that it takes place before the mutex dereference. Link: https://lkml.kernel.org/r/20250226185625.2672936-1-yosry.ahmed@linux.dev Fixes: 12dcb0ef5406 ("mm: zswap: properly synchronize freeing resources during CPU hotunplug") Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Co-developed-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> Reported-by: syzbot+1a517ccfcbc6a7ab0f82(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67bcea51.050a0220.bbfd1.0096.GAE@google.com/ Acked-by: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: David S. Miller <davem(a)davemloft.net> Cc: Eric Biggers <ebiggers(a)kernel.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) --- a/mm/zswap.c~mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead +++ a/mm/zswap.c @@ -881,18 +881,32 @@ static int zswap_cpu_comp_dead(unsigned { struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node); struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu); + struct acomp_req *req; + struct crypto_acomp *acomp; + u8 *buffer; + + if (IS_ERR_OR_NULL(acomp_ctx)) + return 0; mutex_lock(&acomp_ctx->mutex); - if (!IS_ERR_OR_NULL(acomp_ctx)) { - if (!IS_ERR_OR_NULL(acomp_ctx->req)) - acomp_request_free(acomp_ctx->req); - acomp_ctx->req = NULL; - if (!IS_ERR_OR_NULL(acomp_ctx->acomp)) - crypto_free_acomp(acomp_ctx->acomp); - kfree(acomp_ctx->buffer); - } + req = acomp_ctx->req; + acomp = acomp_ctx->acomp; + buffer = acomp_ctx->buffer; + acomp_ctx->req = NULL; + acomp_ctx->acomp = NULL; + acomp_ctx->buffer = NULL; mutex_unlock(&acomp_ctx->mutex); + /* + * Do the actual freeing after releasing the mutex to avoid subtle + * locking dependencies causing deadlocks. + */ + if (!IS_ERR_OR_NULL(req)) + acomp_request_free(req); + if (!IS_ERR_OR_NULL(acomp)) + crypto_free_acomp(acomp); + kfree(buffer); + return 0; } _ Patches currently in -mm which might be from yosry.ahmed(a)linux.dev are mm-zswap-fix-crypto_free_acomp-deadlock-in-zswap_cpu_comp_dead.patch

1 month, 1 week

1
0
0 0

[PATCH 6.6 000/166] 6.6.84-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.84 release. There are 166 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 22 Mar 2025 16:56:28 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.84-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.84-rc2 Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: allow clone callbacks to sleep Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: bail out if stateful expression provides no .clone Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: use timestamp to check for set element timeout Mitchell Levy <levymitchell0(a)gmail.com> rust: lockdep: Remove support for dynamically allocated LockClassKeys Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: Fix a C2HTermReq error message Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Daniel Wagner <wagi(a)kernel.org> nvme-fc: rely on state transitions to handle connectivity loss Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Philipp Stanner <phasta(a)kernel.org> stmmac: loongson: Pass correct arg to PCI function Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Pali Rohár <pali(a)kernel.org> cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() Pali Rohár <pali(a)kernel.org> cifs: Validate content of WSL reparse point buffers Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: rt722-sdca: add missing readable registers Alban Kurti <kurti(a)invicto.ai> rust: init: add missing newline to pr_info! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Fix maximum ADC Volume Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Alban Kurti <kurti(a)invicto.ai> rust: error: add missing newline to pr_warn! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: split critical region in remap_file_pages() and invoke LSMs in between Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: Handle memfd_secret() files in build_id_parse() Benno Lossin <benno.lossin(a)proton.me> rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Paulo Alcantara <pc(a)manguebit.com> smb: client: fix regression with guest option Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Kent Overstreet <kent.overstreet(a)linux.dev> dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent connection release during oplock break notification Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_free_work_struct Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Disable unneeded hpd interrupts during dm_init Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/cdclk: Do cdclk post plane programming later Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - rename QH controller to Legion Go S Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for TECNO Pocket Go Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for ZOTAC Gaming Zone Pavel Rojtberg <rojtberg(a)gmail.com> Input: xpad - add multiple supported devices Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - preserve system status register H. Nikolaus Schaller <hns(a)goldelico.com> Input: ads7846 - fix gpiod allocation Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix error pbuf checking Jens Axboe <axboe(a)kernel.dk> io_uring: use unpin_user_pages() where appropriate Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: use vm_insert_pages() for mmap'ed pbuf ring Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: vmap pinned buffer ring Jens Axboe <axboe(a)kernel.dk> io_uring: unify io_pin_pages() Jens Axboe <axboe(a)kernel.dk> io_uring: use vmap() for ring mapping Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix corner case forgetting to vunmap Jens Axboe <axboe(a)kernel.dk> io_uring: don't attempt to mmap larger than what the user asks for Jens Axboe <axboe(a)kernel.dk> io_uring: get rid of remap_pfn_range() for mapping rings/sqes Jens Axboe <axboe(a)kernel.dk> mm: add nommu variant of vm_insert_pages() Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Frederic Weisbecker <frederic(a)kernel.org> net: Handle napi_schedule() calls from non-interrupt Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Harry Wentland <harry.wentland(a)amd.com> drm/vkms: Round fixp2int conversion in lerp_u16 Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Pali Rohár <pali(a)kernel.org> cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes Hector Martin <marcan(a)marcan.st> apple-nvme: Release power domains when probe fails Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: add basic support for the C2HTermReq PDU Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Uday Shankar <ushankar(a)purestorage.com> io-wq: backoff when retrying worker creation Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: indicate unsupported clock rate Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: simple-card-utils.c: add missing dlc->of_node Jiayuan Chen <mrpre(a)163.com> selftests/bpf: Fix invalid flag of recv() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Ignore dangling jump table entries Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Daniel Brackenbury <daniel.brackenbury(a)gmail.com> HID: topre: Fix n-key rollover on Realforce R3S TKL boards Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: phy: generic: Use proper helper for property detection Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Fix error return with query response Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Dmitry Kandybka <d.kandybka(a)gmail.com> platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Christian Loehle <christian.loehle(a)arm.com> sched/debug: Provide slice length for fair tasks Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: do not ignore connectivity loss during connecting Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Shay Drory <shayd(a)nvidia.com> net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Fill out devlink dev info only for PFs Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Xueming Feng <kuro(a)kuroa.me> tcp: fix forever orphan socket caused by tcp_abort Eric Dumazet <edumazet(a)google.com> tcp: fix races in tcp_abort() Wander Lairson Costa <wander.lairson(a)gmail.com> bpf: Use raw_spinlock_t in ringbuf Felix Moessbauer <felix.moessbauer(a)siemens.com> hrtimer: Use and report correct timerslack values for realtime tasks Liu Shixin <liushixin2(a)huawei.com> zram: fix NULL pointer in comp_algorithm_show() Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Prevent boot crash when the boot CPU is nohz_full David Woodhouse <dwmw(a)amazon.co.uk> clockevents/drivers/i8253: Fix stop sequence for timer 0 ------------- Diffstat: Documentation/timers/no_hz.rst | 7 +- Makefile | 4 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm64/mm/mmu.c | 5 +- arch/x86/events/intel/core.c | 85 +++++++ arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/mshyperv.c | 11 - arch/x86/kernel/irq.c | 2 + block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/block/zram/zram_drv.c | 4 +- drivers/clk/samsung/clk-pll.c | 7 +- drivers/clocksource/i8253.c | 36 ++- drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 ++++-- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 ++-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/i915/display/intel_display.c | 5 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/vkms/vkms_composer.c | 2 +- drivers/hid/Kconfig | 3 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 3 + drivers/hid/hid-quirks.c | 1 + drivers/hid/hid-topre.c | 7 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 ++ drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/input/joystick/xpad.c | 39 +++- drivers/input/misc/iqs7222.c | 50 ++-- drivers/input/serio/i8042-acpipnpio.h | 111 +++++---- drivers/input/touchscreen/ads7846.c | 2 +- drivers/md/dm-flakey.c | 2 +- drivers/net/bonding/bond_options.c | 55 ++++- drivers/net/dsa/mv88e6xxx/chip.c | 59 ++++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 + .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 + .../net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 +- drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/apple.c | 2 + drivers/nvme/host/core.c | 2 - drivers/nvme/host/fc.c | 59 +---- drivers/nvme/host/pci.c | 2 + drivers/nvme/host/tcp.c | 43 ++++ drivers/nvme/target/rdma.c | 33 ++- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/platform/x86/intel/pmc/core.c | 4 +- drivers/platform/x86/thinkpad_acpi.c | 50 ++-- drivers/powercap/powercap_sys.c | 3 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/thermal/cpufreq_cooling.c | 2 - drivers/ufs/core/ufshcd.c | 7 +- drivers/usb/phy/phy-generic.c | 2 +- drivers/usb/serial/ftdi_sio.c | 14 ++ drivers/usb/serial/ftdi_sio_ids.h | 13 ++ drivers/usb/serial/option.c | 48 ++-- drivers/video/fbdev/hyperv_fb.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 +- fs/proc/base.c | 9 +- fs/select.c | 11 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 18 +- fs/smb/client/inode.c | 13 ++ fs/smb/client/reparse.c | 10 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/common/smbfsctl.h | 3 + fs/smb/server/connection.c | 20 ++ fs/smb/server/connection.h | 2 + fs/smb/server/ksmbd_work.c | 3 - fs/smb/server/ksmbd_work.h | 1 - fs/smb/server/oplock.c | 43 ++-- fs/smb/server/oplock.h | 1 - fs/smb/server/server.c | 14 +- fs/vboxsf/super.c | 3 +- include/linux/fs.h | 2 + include/linux/i8253.h | 1 - include/linux/io_uring_types.h | 3 - include/linux/nvme-tcp.h | 2 + include/net/bluetooth/hci_core.h | 108 ++++----- include/net/bluetooth/l2cap.h | 3 +- include/net/netfilter/nf_tables.h | 20 +- include/sound/soc.h | 5 +- init/Kconfig | 2 +- io_uring/io-wq.c | 23 +- io_uring/io_uring.c | 252 +++++++++++++++------ io_uring/io_uring.h | 8 +- io_uring/kbuf.c | 173 ++++---------- io_uring/kbuf.h | 3 +- io_uring/rsrc.c | 39 ---- kernel/bpf/ringbuf.c | 12 +- kernel/sched/core.c | 13 +- kernel/sched/debug.c | 2 + kernel/sys.c | 2 + kernel/time/hrtimer.c | 40 ++-- lib/buildid.c | 5 + mm/mmap.c | 69 ++++-- mm/nommu.c | 7 + net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 +-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 181 +++++++-------- net/bluetooth/l2cap_sock.c | 15 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 12 +- net/core/dev.c | 2 +- net/core/netpoll.c | 9 +- net/ipv4/tcp.c | 20 +- net/ipv6/addrconf.c | 15 +- net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nf_tables_api.c | 25 +- net/netfilter/nft_connlimit.c | 4 +- net/netfilter/nft_counter.c | 4 +- net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_dynset.c | 2 +- net/netfilter/nft_exthdr.c | 10 +- net/netfilter/nft_last.c | 4 +- net/netfilter/nft_limit.c | 14 +- net/netfilter/nft_quota.c | 4 +- net/netfilter/nft_set_hash.c | 8 +- net/netfilter/nft_set_pipapo.c | 18 +- net/netfilter/nft_set_rbtree.c | 11 +- net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 +- net/wireless/core.c | 7 + rust/kernel/error.rs | 2 +- rust/kernel/init.rs | 23 +- rust/kernel/init/macros.rs | 6 +- rust/kernel/sync.rs | 10 +- scripts/generate_rust_analyzer.py | 30 ++- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/cs42l43.c | 2 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/rt722-sdca-sdw.c | 4 + sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/generic/simple-card-utils.c | 1 + sound/soc/sh/rcar/core.c | 14 -- sound/soc/sh/rcar/rsnd.h | 1 - sound/soc/sh/rcar/src.c | 116 ++++++++-- sound/soc/sh/rcar/ssi.c | 3 +- sound/soc/soc-ops.c | 15 +- sound/soc/sof/amd/acp-ipc.c | 23 +- sound/soc/sof/intel/hda-codec.c | 1 + tools/objtool/check.c | 9 + .../selftests/bpf/prog_tests/sockmap_basic.c | 6 +- 186 files changed, 1804 insertions(+), 1167 deletions(-)

1 month, 1 week

7
6
0 0

Re: [PATCH net 0/3] mptcp: fix data stream corruption and missing sockopts

by patchwork-bot+netdevbpf＠kernel.org

Hello: This series was applied to netdev/net-next.git (main) by Paolo Abeni <pabeni(a)redhat.com>: On Fri, 14 Mar 2025 21:11:30 +0100 you wrote: > Here are 3 unrelated fixes for the net tree. > > - Patch 1: fix data stream corruption when ending up not sending an > ADD_ADDR. > > - Patch 2: fix missing getsockopt(IPV6_V6ONLY) support -- the set part > is supported. > > [...] Here is the summary with links: - [net,1/3] mptcp: Fix data stream corruption in the address announcement (no matching commit) - [net,2/3] mptcp: sockopt: fix getting IPV6_V6ONLY https://git.kernel.org/netdev/net-next/c/8c3963375988 - [net,3/3] mptcp: sockopt: fix getting freebind & transparent https://git.kernel.org/netdev/net-next/c/e2f4ac7bab22 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html

1 month, 1 week

1
0
0 0

[PATCH 6.13 v2 0/8] KVM: arm64: Backport of SVE fixes to v6.13

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v6.13. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Changes in v2: - Remove an erronious kern_hyp_va(). - Move standard cherry pick to stable format in patch 8. - Link to v1: https://lore.kernel.org/r/20250312-stable-sve-6-13-v1-0-c7ba07a6f4f7@kernel… --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/kvm_host.h | 25 ++---- arch/arm64/kernel/fpsimd.c | 25 ------ arch/arm64/kvm/arm.c | 9 --- arch/arm64/kvm/fpsimd.c | 100 ++---------------------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 133 ++++++++++++++++++++++--------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 11 +-- arch/arm64/kvm/hyp/nvhe/pkvm.c | 30 ------- arch/arm64/kvm/hyp/nvhe/switch.c | 134 ++++++++++++++++++-------------- arch/arm64/kvm/hyp/vhe/switch.c | 21 ++--- 10 files changed, 201 insertions(+), 292 deletions(-) --- base-commit: 648e04a805652f513af04b47035cde896addf9b0 change-id: 20250227-stable-sve-6-13-5ceaf408b5f7 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 month, 1 week

2
16
0 0

[PATCH 6.12 v2 0/8] KVM: arm64: Backport of SVE fixes to v6.12

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v6.12. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Changes in v2: - Remove an erronious kern_hyp_va(). - Link to v1: https://lore.kernel.org/r/20250314-stable-sve-6-12-v1-0-ddc16609d9ba@kernel… --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/kvm_host.h | 25 ++---- arch/arm64/kernel/fpsimd.c | 25 ------ arch/arm64/kvm/arm.c | 9 --- arch/arm64/kvm/fpsimd.c | 100 ++---------------------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 133 ++++++++++++++++++++++--------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 11 +-- arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 ------- arch/arm64/kvm/hyp/nvhe/switch.c | 134 ++++++++++++++++++-------------- arch/arm64/kvm/hyp/vhe/switch.c | 21 ++--- 10 files changed, 201 insertions(+), 291 deletions(-) --- base-commit: e9cc806c0152fa9993f817cebf42989a3e2530bb change-id: 20250227-stable-sve-6-12-777778ad28fb Best regards, -- Mark Brown <broonie(a)kernel.org>

1 month, 1 week

3
18
0 0

[PATCH 6.6 0/8] KVM: arm64: Backport of SVE fixes to v6.6

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v6.6. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/kvm_host.h | 7 +-- arch/arm64/include/asm/kvm_hyp.h | 1 + arch/arm64/kernel/fpsimd.c | 25 -------- arch/arm64/kvm/arm.c | 1 - arch/arm64/kvm/fpsimd.c | 89 +++++---------------------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 106 +++++++++++++++++++++----------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 15 +---- arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 +-------- arch/arm64/kvm/hyp/nvhe/switch.c | 106 ++++++++++++++++++++++---------- arch/arm64/kvm/hyp/vhe/switch.c | 13 ++-- arch/arm64/kvm/reset.c | 3 + 12 files changed, 182 insertions(+), 218 deletions(-) --- base-commit: 594a1dd5138a6bbaa1697e5648cce23d2520eba9 change-id: 20250227-stable-sve-6-6-e795d85262b9 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 month, 1 week

2
16
0 0

[PATCH 0/2] spi: fsl-qspi: Fix kernel panic when unbinding the SPI host

by Kevin Hao

Hi, I observed a kernel panic on my imx8mq-evk board. It can be easily reproduced with the following steps: while true; do cat /dev/mtd0 >/dev/null; done & echo 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind The following is the kernel log: Unable to handle kernel paging request at virtual address ffffffc082a6015c Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000041dc3000 [ffffffc082a6015c] pgd=1000000042779003, p4d=1000000042779003, pud=1000000042779003, pmd=1000000044631403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: 8021q ath10k_pci ath10k_core etnaviv snd_soc_fsl_asoc_card ath snd_soc_imx_audmux gpu_sched snd_soc_fsl_sai snd_soc_fsl_spdif imx_sdma imx_pcm_dma snd_soc_fsl_utils snd_soc_wm8524 sch_fq_codel openvswitch nsh nf_conncount nf_nat fuse configfs nfnetlink Hardware name: NXP i.MX8MQ EVK (DT) pc : fsl_qspi_exec_op+0xa8/0x7c0 lr : fsl_qspi_exec_op+0x88/0x7c0 sp : ffffffc08433b650 x8 : ffffffc08433b748 x7 : 0000000000000000 x6 : 0000000000000004 x5 : 0000000000000001 x4 : 0000000000000000 x3 : 0000000000004174 x2 : 0032724c809254be x1 : 000000000000c2a2 x0 : 000000173a720be8 Call trace: fsl_qspi_exec_op+0xa8/0x7c0 (P) spi_mem_exec_op+0x410/0x4a0 spi_mem_no_dirmap_read+0xb0/0xd0 spi_mem_dirmap_read+0xdc/0x150 spi_nor_read_data+0x128/0x1a0 spi_nor_read+0xf4/0x2c8 mtd_read_oob_std+0x80/0x98 mtd_read_oob+0x9c/0x168 mtd_read+0x70/0xe0 mtdchar_read+0x224/0x2a8 vfs_read+0xcc/0x310 ksys_read+0x78/0x118 __arm64_sys_read+0x24/0x38 invoke_syscall+0x5c/0x130 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x30/0xd0 el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x1a0 CPU: 1 UID: 0 PID: 527 Comm: cat Not tainted 6.14.0-rc7-next-20250321-yocto-standard+ #11 PREEMPT pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) x29: ffffffc08433b670 x28: 0000007f8019f000 x27: 000000000000000e x26: ffffff8004781140 x25: 000000173a814e28 x24: 0000000000000006 x23: ffffffc082a6015c x22: ffffff80046a3d80 x21: ffffff80046a3d98 x20: ffffffc082a60000 x19: ffffffc08433b9b8 x18: 0000000000000000 x17: 0000000000000000 x16: 003135312e373631 x15: 2e3432322e383231 x14: 0000000000000000 x13: ffffff80bf74d940 x12: 0000000000000000 x11: 0000000000000160 x10: 00000000000009b0 x9 : ffffffc08010ea78 Code: d2800141 d2800060 941ecb48 d503203f (b94002e1) --- Kevin Hao (2): spi: fsl-qsi: Optimize fsl_qspi struct spi: fsl-qspi: Explicitly unregister SPI host in remove() drivers/spi/spi-fsl-qspi.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- base-commit: 9388ec571cb1adba59d1cded2300eeb11827679c change-id: 20250321-spi-8d7999765767 Best regards, -- Kevin Hao <haokexin(a)gmail.com>

1 month, 1 week

3
3
0 0

x86 kexec problem in stable 6.1.129 and later due to change related to PGD allocation

by Elias Rudberg

Hello, The following change seems to cause kexec to sometimes fail (not every time but about 50% chance) for the stable 6.1 kernels, 6.1.129 and later: 6821918f4519 ("x86/kexec: Allocate PGD for x86_64 transition page tables separately") The commit message for that commit states that it is dependent on another change "x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables" but that change does not seem to have been done in the 6.1 kernel series, which could explain why the 6821918f4519 change causes problems for 6.1. This appears to be a problem only for 6.1, for the 6.6 and later stable kernels there is no problem. I think the reason this problem is seen only for 6.1 and not for 6.6 and later is that the change "x86/kexec: Allocate PGD for x86_64 transition page tables separately" relies on things that are not available in 6.1. In the tests I have done, kexec is called via u-root. More details are available here: https://git.glasklar.is/system-transparency/core/stboot/-/issues/227 Cheers, Elias

1 month, 1 week

1
0
0 0

[PATCH 5.10] btrfs: have proper error handling in btrfs_init_reloc_root

by Ilia Gavrilov

From: Josef Bacik <josef(a)toxicpanda.com> commit 00bb36a0e76ab7e94bdd70d561baf25f9bc1415d upstream. create_reloc_root will return errors in the future, and __add_reloc_root can return ENOMEM or EEXIST, so handle these errors properly. Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> --- fs/btrfs/relocation.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index 5b921e6ed94e..b0d34879e267 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -878,9 +878,15 @@ int btrfs_init_reloc_root(struct btrfs_trans_handle *trans, reloc_root = create_reloc_root(trans, root, root->root_key.objectid); if (clear_rsv) trans->block_rsv = rsv; + if (IS_ERR(reloc_root)) + return PTR_ERR(reloc_root); ret = __add_reloc_root(reloc_root); - BUG_ON(ret < 0); + if (ret) { + /* Pairs with create_reloc_root */ + btrfs_put_root(reloc_root); + return ret; + } root->reloc_root = btrfs_grab_root(reloc_root); return 0; } -- 2.39.5

1 month, 1 week

1
0
0 0

Manufacturers and Engineers Accurate Contacts

by Debbie McCoy

Hello, Outdated or inaccurate contact data wastes valuable time. We provide highly accurate, *verified contact lists of Engineers, Manufacturers and Purchasing Managers Contacts*, ensuring you connect with the right people. Would you like to see a sample? If so, please let me know your *target geography* I’ll be happy to share details. Just a note that we can customize the lists to meet any specific requirements based on your criteria. Wishing you a wonderful day! Debbie McCoy Manager, Demand Generation If you ever feel like opting out, simply reply with "remove me" in the subject line

1 month, 1 week

1
0
0 0

[PATCH 6.13 000/241] 6.13.8-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.13.8 release. There are 241 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 21 Mar 2025 14:29:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.13.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.13.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.13.8-rc1 Max Kellermann <max.kellermann(a)ionos.com> fs/netfs/read_collect: add to next->prev_donated Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Daniel Wagner <wagi(a)kernel.org> nvme-fc: rely on state transitions to handle connectivity loss Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe/guc: Fix size_t print format Andrea Righi <arighi(a)nvidia.com> tools/sched_ext: Add helper to check task migration state Andrea Righi <arighi(a)nvidia.com> sched_ext: selftests/dsp_local_on: Fix selftest on UP systems Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Ge Yang <yangge1116(a)126.com> mm/hugetlb: wait for hugetlb folios to be freed Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Ajay Kaher <ajay.kaher(a)broadcom.com> x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware hypervisors Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: cdev: use raw notifier for line state events Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> block: change blk_mq_add_to_batch() third argument type to bool Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add uapi crate Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing include_dirs Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps José Roberto de Souza <jose.souza(a)intel.com> drm/i915: Increase I915_PARAM_MMAP_GTT_VERSION version to indicate support for partial mmaps Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> nvme: move error logging from nvme_end_req() to __nvme_end_req() Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe/pm: Temporarily disable D3Cold on BMG Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/userptr: Fix an incorrect assert Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Release guc ids before cancelling work Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: cancel pending job timer before freeing scheduler Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: rt722-sdca: add missing readable registers Alban Kurti <kurti(a)invicto.ai> rust: init: add missing newline to pr_info! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Fix maximum ADC Volume Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Alban Kurti <kurti(a)invicto.ai> rust: error: add missing newline to pr_warn! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value Andrea Righi <arighi(a)nvidia.com> sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl() Andrei Botila <andrei.botila(a)oss.nxp.com> net: phy: nxp-c45-tja11xx: add TJA112XB SGMII PCS restart errata Andrei Botila <andrei.botila(a)oss.nxp.com> net: phy: nxp-c45-tja11xx: add TJA112X PHY configuration errata Shradha Gupta <shradhagupta(a)linux.microsoft.com> net: mana: cleanup mana struct after debugfs_remove() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix regression with guest option Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Piotr Jaroszynski <pjaroszynski(a)nvidia.com> Fix mmu notifiers for range-based invalidates Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Kent Overstreet <kent.overstreet(a)linux.dev> dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Mina Almasry <almasrymina(a)google.com> netmem: prevent TX of unreadable skbs Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() Thorsten Blum <thorsten.blum(a)linux.dev> ASoC: tegra: Fix ADX S24_LE audio format Peter Griffin <peter.griffin(a)linaro.org> clk: samsung: gs101: fix synchronous external abort in samsung_clk_save() Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent connection release during oplock break notification Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_free_work_struct Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Aliaksei Urbanski <aliaksei.urbanski(a)gmail.com> drm/amd/display: fix missing .is_two_pixels_per_container Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: fix default brightness Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Disable unneeded hpd interrupts during dm_init David Rosca <david.rosca(a)amd.com> drm/amdgpu/display: Allow DCC for video formats on GFX12 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/vce2: fix ip block reference Yifan Zha <Yifan.Zha(a)amd.com> drm/amd/amdkfd: Evict all queues even HWS remove queue failed Natalie Vock <natalie.vock(a)gmx.de> drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Miguel Ojeda <ojeda(a)kernel.org> drm/panic: fix overindented list items in documentation Miguel Ojeda <ojeda(a)kernel.org> drm/panic: use `div_ceil` to clean Clippy warning Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/cdclk: Do cdclk post plane programming later Conor Dooley <conor.dooley(a)microchip.com> spi: microchip-core: prevent RX overflows when transmit size > FIFO size Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Benno Lossin <benno.lossin(a)proton.me> rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Tamir Duberstein <tamird(a)gmail.com> rust: alloc: satisfy POSIX alignment requirement Miguel Ojeda <ojeda(a)kernel.org> rust: remove leftover mentions of the `alloc` crate Mitchell Levy <levymitchell0(a)gmail.com> rust: lockdep: Remove support for dynamically allocated LockClassKeys Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm: fix state transition for SNK_WAIT_CAPABILITIES state in run_state_machine() Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - rename QH controller to Legion Go S Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for TECNO Pocket Go Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for ZOTAC Gaming Zone Pavel Rojtberg <rojtberg(a)gmail.com> Input: xpad - add multiple supported devices Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - preserve system status register H. Nikolaus Schaller <hns(a)goldelico.com> Input: ads7846 - fix gpiod allocation Luca Weiss <luca.weiss(a)fairphone.com> Input: goodix-berlin - fix vddio regulator references Keith Busch <kbusch(a)kernel.org> vhost: return task creation error instead of NULL Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Frederic Weisbecker <frederic(a)kernel.org> net: Handle napi_schedule() calls from non-interrupt Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Aaron Ma <aaron.ma(a)canonical.com> perf/x86/rapl: Add support for Intel Arrow Lake U Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Dmytro Maluka <dmaluka(a)chromium.org> x86/of: Don't use DTB for SMP setup if ACPI is enabled Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Harry Wentland <harry.wentland(a)amd.com> drm/vkms: Round fixp2int conversion in lerp_u16 Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: SOF: Intel: don't check number of sdw links when set dmic_fixup Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> ASoC: dapm-graph: set fill colour of turned on nodes Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Andrew Davis <afd(a)ti.com> phy: ti: gmii-sel: Do not use syscon helper to build regmap Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Pali Rohár <pali(a)kernel.org> cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes Pali Rohár <pali(a)kernel.org> cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() José Roberto de Souza <jose.souza(a)intel.com> drm/xe: Make GUC binaries dump consistent with other binaries in devcoredump Hector Martin <marcan(a)marcan.st> apple-nvme: Release power domains when probe fails Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Uday Shankar <ushankar(a)purestorage.com> io-wq: backoff when retrying worker creation Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: SOF: amd: Add post_fw_run_delay ACP quirk Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> ALSA: hda: hda-intel: add Panther Lake-H support Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: Intel: pci-ptl: Add support for PTL-H Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> ALSA: hda: intel-dsp-config: Add PTL-H support Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> PCI: pci_ids: add INTEL_HDA_PTL_H Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: indicate unsupported clock rate Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: simple-card-utils.c: add missing dlc->of_node Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-mtl-match: declare adr as ull Uday M Bhat <uday.m.bhat(a)intel.com> ASoC: Intel: sof_sdw: Add support for Fatcat board with BT offload enabled in PTL platform Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S14 Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: Intel: sof_sdw: Add lookup of quirk using PCI subsystem ID Jiayuan Chen <mrpre(a)163.com> selftests/bpf: Fix invalid flag of recv() Shigeru Yoshida <syoshida(a)redhat.com> selftests/bpf: Adjust data size to have ETH_HLEN Maxime Ripard <mripard(a)kernel.org> drm/tests: hdmi: Fix recursive locking Maxime Ripard <mripard(a)kernel.org> drm/tests: hdmi: Reorder DRM entities variables assignment Maxime Ripard <mripard(a)kernel.org> drm/tests: hdmi: Remove redundant assignments Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Beata Michalska <beata.michalska(a)arm.com> arm64: amu: Delay allocating cpumask for AMU FIE support Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Set host with kernel mode when switch to VM mode Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix kernel_page_present() for KPRANGE/XKPRANGE Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Sakari Ailus <sakari.ailus(a)linux.intel.com> platform/x86: int3472: Call "reset" GPIO "enable" for INT347E Sakari Ailus <sakari.ailus(a)linux.intel.com> platform/x86: int3472: Use correct type for "polarity", call it gpio_flags Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Ignore dangling jump table entries Matthew Wilcox (Oracle) <willy(a)infradead.org> btrfs: fix two misuses of folio_shift() Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Bharadwaj Raju <bharadwaj.raju777(a)gmail.com> selftests/cgroup: use bash in test_cpuset_v1_hp.sh Daniel Brackenbury <daniel.brackenbury(a)gmail.com> HID: topre: Fix n-key rollover on Realforce R3S TKL boards Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: ipc: Add Panther Lake PCI device IDs Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: phy: generic: Use proper helper for property detection Vicki Pfau <vi(a)endrift.com> HID: hid-steam: Fix issues with disabling both gamepad mode and lizard mode Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Tejun Heo <tj(a)kernel.org> sched_ext: selftests/dsp_local_on: Fix sporadic failures Miklos Szeredi <mszeredi(a)redhat.com> selftests: always check mask returned by statmount(2) Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Masahiro Yamada <masahiroy(a)kernel.org> kbuild: keep symbols for symbol_get() even with CONFIG_TRIM_UNUSED_KSYMS Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Fix error return with query response Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix out-of-bound accesses Dmitry Kandybka <d.kandybka(a)gmail.com> platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Christian Loehle <christian.loehle(a)arm.com> sched/debug: Provide slice length for fair tasks Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Xu Lu <luxu.kernel(a)bytedance.com> irqchip/riscv: Ensure ordering of memory writes and IPI writes Jens Axboe <axboe(a)kernel.dk> futex: Pass in task to futex_queue() Filipe Manana <fdmanana(a)suse.com> btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: do not ignore connectivity loss during connecting Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Shay Drory <shayd(a)nvidia.com> net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix incorrect IRQ pool usage when releasing IRQs Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5: HWS, Rightsize bwc matcher priority Xin Long <lucien.xin(a)gmail.com> Revert "openvswitch: switch to per-action label counting in conntrack" Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: fix MPDU length parsing for EHT 5/6 GHz Justin Lai <justinlai0215(a)realtek.com> rtase: Fix improper release of ring list entries in rtase_sw_reset Hangbin Liu <liuhangbin(a)gmail.com> selftests: bonding: fix incorrect mac address Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: unshare packets when reassembling Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix memory leak in queue reset Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc() Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix truesize for mb-xdp-pass case Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Saurabh Sengar <ssengar(a)linux.microsoft.com> fbdev: hyperv_fb: Allow graceful removal of framebuffer Saurabh Sengar <ssengar(a)linux.microsoft.com> fbdev: hyperv_fb: Simplify hvfb_putmem Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i3c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Fill out devlink dev info only for PFs Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Pauli Virtanen <pav(a)iki.fi> Bluetooth: SCO: fix sco_conn refcounting on sco_conn_ready Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: don't queue sdata::work for a non-running sdata Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: make destruction work queue pernet Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Marcin Szycik <marcin.szycik(a)linux.intel.com> ice: Fix switchdev slow-path in LAG Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Larysa Zaremba <larysa.zaremba(a)intel.com> ice: do not configure destination override for switchdev Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Charles Han <hanchunchao(a)inspur.com> pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Alexey Kardashevskiy <aik(a)amd.com> virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex Uladzislau Rezki (Sony) <urezki(a)gmail.com> mm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq Suren Baghdasaryan <surenb(a)google.com> userfaultfd: fix PTE unmapping stack-allocated PTE copies Barry Song <baohua(a)kernel.org> mm: fix kernel BUG when userfaultfd_move encounters swapcache ------------- Diffstat: Documentation/rust/quick-start.rst | 2 +- Makefile | 4 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm64/include/asm/tlbflush.h | 22 +-- arch/arm64/kernel/topology.c | 22 ++- arch/arm64/mm/mmu.c | 5 +- arch/loongarch/kvm/switch.S | 2 +- arch/loongarch/mm/pageattr.c | 3 +- arch/x86/events/intel/core.c | 85 +++++++++ arch/x86/events/rapl.c | 1 + arch/x86/include/asm/sev.h | 6 +- arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/vmware.c | 4 + arch/x86/kernel/devicetree.c | 3 +- arch/x86/kernel/irq.c | 2 + arch/x86/kvm/mmu/mmu.c | 2 +- block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/block/null_blk/main.c | 4 +- drivers/block/virtio_blk.c | 5 +- drivers/clk/samsung/clk-gs101.c | 8 - drivers/clk/samsung/clk-pll.c | 7 +- drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpio/gpiolib-cdev.c | 15 +- drivers/gpio/gpiolib.c | 8 +- drivers/gpio/gpiolib.h | 5 +- drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 5 +- drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 2 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 +++++-- .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 7 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- .../amd/display/dc/dce60/dce60_timing_generator.c | 1 + .../dc/dml2/dml21/dml21_translation_helper.c | 4 +- .../amd/display/dc/dml2/dml2_translation_helper.c | 6 +- drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +++-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/drm_panic_qr.rs | 16 +- drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/i915/display/intel_display.c | 5 +- drivers/gpu/drm/i915/gem/i915_gem_mman.c | 5 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 193 ++++++++++----------- drivers/gpu/drm/vkms/vkms_composer.c | 2 +- drivers/gpu/drm/xe/xe_guc_ct.c | 6 +- drivers/gpu/drm/xe/xe_guc_log.c | 3 +- drivers/gpu/drm/xe/xe_guc_submit.c | 4 +- drivers/gpu/drm/xe/xe_hmm.c | 6 +- drivers/gpu/drm/xe/xe_pm.c | 13 +- drivers/hid/Kconfig | 3 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 3 + drivers/hid/hid-quirks.c | 1 + drivers/hid/hid-steam.c | 6 +- drivers/hid/hid-topre.c | 7 + drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ipc/pci-ish.c | 7 + drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 ++ drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/input/joystick/xpad.c | 39 ++++- drivers/input/misc/iqs7222.c | 50 +++--- drivers/input/serio/i8042-acpipnpio.h | 111 ++++++------ drivers/input/touchscreen/ads7846.c | 2 +- drivers/input/touchscreen/goodix_berlin_core.c | 24 +-- drivers/irqchip/irq-riscv-imsic-early.c | 2 +- drivers/irqchip/irq-thead-c900-aclint-sswi.c | 2 +- drivers/md/dm-flakey.c | 2 +- drivers/net/bonding/bond_options.c | 55 +++++- drivers/net/dsa/mv88e6xxx/chip.c | 59 +++++-- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 ++- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 13 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- drivers/net/ethernet/intel/ice/ice_eswitch.c | 6 - drivers/net/ethernet/intel/ice/ice_lag.c | 27 +++ drivers/net/ethernet/intel/ice/ice_lib.c | 18 -- drivers/net/ethernet/intel/ice/ice_lib.h | 4 - drivers/net/ethernet/intel/ice/ice_txrx.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 + .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 2 +- .../net/ethernet/mellanox/mlx5/core/irq_affinity.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 + .../net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + drivers/net/ethernet/mellanox/mlx5/core/mlx5_irq.h | 4 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 13 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.h | 2 +- .../ethernet/mellanox/mlx5/core/steering/hws/bwc.h | 2 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 11 +- drivers/net/ethernet/microsoft/mana/mana_en.c | 10 +- .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- drivers/net/ethernet/realtek/rtase/rtase_main.c | 10 ++ drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/mctp/mctp-i3c.c | 5 + drivers/net/phy/nxp-c45-tja11xx.c | 68 ++++++++ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 6 +- drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/apple.c | 5 +- drivers/nvme/host/core.c | 14 +- drivers/nvme/host/fc.c | 59 +------ drivers/nvme/host/pci.c | 7 +- drivers/nvme/target/rdma.c | 33 ++-- drivers/phy/ti/phy-gmii-sel.c | 15 +- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c | 3 + drivers/platform/x86/intel/int3472/discrete.c | 85 ++++++--- drivers/platform/x86/intel/pmc/core.c | 4 +- drivers/platform/x86/thinkpad_acpi.c | 50 ++++-- drivers/powercap/powercap_sys.c | 3 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/spi/spi-microchip-core.c | 41 ++--- drivers/thermal/cpufreq_cooling.c | 2 - drivers/ufs/core/ufshcd.c | 7 +- drivers/usb/phy/phy-generic.c | 2 +- drivers/usb/serial/ftdi_sio.c | 14 ++ drivers/usb/serial/ftdi_sio_ids.h | 13 ++ drivers/usb/serial/option.c | 48 +++-- drivers/usb/typec/tcpm/tcpm.c | 8 +- drivers/vhost/vhost.c | 2 +- drivers/video/fbdev/hyperv_fb.c | 52 ++++-- drivers/virt/coco/sev-guest/sev-guest.c | 63 ++++--- drivers/xen/swiotlb-xen.c | 2 +- fs/btrfs/extent_io.c | 11 +- fs/btrfs/qgroup.c | 6 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 ++- fs/netfs/read_collect.c | 2 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 18 +- fs/smb/client/inode.c | 13 ++ fs/smb/client/reparse.c | 5 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/common/smbfsctl.h | 3 + fs/smb/server/connection.c | 20 +++ fs/smb/server/connection.h | 2 + fs/smb/server/ksmbd_work.c | 3 - fs/smb/server/ksmbd_work.h | 1 - fs/smb/server/oplock.c | 43 +++-- fs/smb/server/oplock.h | 1 - fs/smb/server/server.c | 14 +- fs/vboxsf/super.c | 3 +- include/asm-generic/vmlinux.lds.h | 1 + include/linux/blk-mq.h | 16 +- include/linux/fs.h | 2 + include/linux/hugetlb.h | 5 + include/linux/module.h | 5 +- include/linux/pci_ids.h | 1 + include/net/bluetooth/hci_core.h | 108 ++++-------- include/net/bluetooth/l2cap.h | 3 +- include/net/netfilter/nf_tables.h | 4 +- include/sound/soc.h | 5 +- init/Kconfig | 2 +- io_uring/futex.c | 2 +- io_uring/io-wq.c | 23 ++- kernel/futex/core.c | 5 +- kernel/futex/futex.h | 11 +- kernel/futex/pi.c | 2 +- kernel/futex/waitwake.c | 4 +- kernel/rcu/tree.c | 14 +- kernel/sched/core.c | 5 +- kernel/sched/debug.c | 2 + kernel/sched/ext.c | 3 + kernel/time/hrtimer.c | 22 +-- kernel/vhost_task.c | 4 +- mm/hugetlb.c | 8 + mm/page_isolation.c | 10 ++ mm/userfaultfd.c | 91 ++++++++-- net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 ++-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 181 +++++++++---------- net/bluetooth/l2cap_sock.c | 15 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 25 ++- net/core/dev.c | 5 +- net/core/netpoll.c | 9 +- net/ipv6/addrconf.c | 15 +- net/mac80211/eht.c | 9 +- net/mac80211/util.c | 8 +- net/mctp/route.c | 10 +- net/mctp/test/route-test.c | 109 ++++++++++++ net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nf_tables_api.c | 24 +-- net/netfilter/nft_compat.c | 8 +- net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_exthdr.c | 10 +- net/openvswitch/conntrack.c | 30 ++-- net/openvswitch/datapath.h | 3 + net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 ++- net/wireless/core.c | 7 + rust/kernel/alloc/allocator_test.rs | 18 ++ rust/kernel/error.rs | 2 +- rust/kernel/init.rs | 23 ++- rust/kernel/init/macros.rs | 6 +- rust/kernel/lib.rs | 2 +- rust/kernel/sync.rs | 16 +- scripts/generate_rust_analyzer.py | 71 ++++---- scripts/mod/modpost.c | 35 ++++ scripts/mod/modpost.h | 6 + scripts/module.lds.S | 1 + scripts/rustdoc_test_gen.rs | 4 +- sound/hda/intel-dsp-config.c | 5 + sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/cs42l43.c | 2 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/rt722-sdca-sdw.c | 4 + sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/generic/simple-card-utils.c | 1 + sound/soc/intel/boards/sof_sdw.c | 43 ++++- sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 2 +- sound/soc/renesas/rcar/core.c | 14 -- sound/soc/renesas/rcar/rsnd.h | 1 - sound/soc/renesas/rcar/src.c | 116 ++++++++++--- sound/soc/renesas/rcar/ssi.c | 3 +- sound/soc/soc-ops.c | 15 +- sound/soc/sof/amd/acp-ipc.c | 23 ++- sound/soc/sof/amd/acp.c | 1 + sound/soc/sof/amd/acp.h | 1 + sound/soc/sof/amd/vangogh.c | 18 ++ sound/soc/sof/intel/hda-codec.c | 1 + sound/soc/sof/intel/hda.c | 18 +- sound/soc/sof/intel/pci-ptl.c | 1 + sound/soc/tegra/tegra210_adx.c | 4 +- tools/objtool/check.c | 9 + tools/sched_ext/include/scx/common.bpf.h | 11 ++ tools/sound/dapm-graph | 2 +- .../selftests/bpf/prog_tests/sockmap_basic.c | 6 +- .../selftests/bpf/prog_tests/xdp_cpumap_attach.c | 4 +- .../selftests/bpf/prog_tests/xdp_devmap_attach.c | 8 +- .../testing/selftests/cgroup/test_cpuset_v1_hp.sh | 2 +- .../selftests/drivers/net/bonding/bond_options.sh | 4 +- .../filesystems/statmount/statmount_test.c | 22 ++- .../testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 +- 266 files changed, 2455 insertions(+), 1273 deletions(-)

1 month, 1 week

15
255
0 0

BUG in LTS 5.15.x cpusets with tasks launched by newer systemd

by James Thomas

Hello all, I encountered an issue with the CPU affinity of tasks launched by systemd in a slice, after updating from systemd 254 to by systemd >= 256, on the LTS 5.15.x branch (tested on v5.15.179). Despite the slice file stipulating AllowedCPUS=2 (and confirming this was set in /sys/fs/cgroup/test.slice/cpuset.cpus) tasks launched in the slice would have the CPU affinity of the system.slice (i.e all by default) rather than 2. To reproduce: * Check kernel version and systemd version (I used a debian testing image for testing) ``` # uname -r 5.15.179 # systemctl --version systemd 257 (257.4-3) ... ``` * Create a test.slice with AllowedCPUS=2 ``` # cat <<EOF > /usr/lib/systemd/system/test.slice [Unit] Description=Test slice Before=slices.target [Slice] AllowedCPUs=2 [Install] WantedBy=slices.target EOF # systemctl daemon-reload && systemctl start test.slice ``` * Confirm cpuset ``` # cat /sys/fs/cgroup/test.slice/cpuset.cpus 2 ``` * Launch task in slice ``` # systemd-run --slice test.slice yes Running as unit: run-r9187b97c6958498aad5bba213289ac56.service; invocation ID: f470f74047ac43b7a60861d03a7ef6f9 # cat /sys/fs/cgroup/test.slice/run-r9187b97c6958498aad5bba213289ac56.service/cgroup.procs 317 ``` # Check affinity ``` # taskset -pc 317 pid 317's current affinity list: 0-7 ``` This issue is fixed by applying upstream commits: 18f9a4d47527772515ad6cbdac796422566e6440 cgroup/cpuset: Skip spread flags update on v2 and 42a11bf5c5436e91b040aeb04063be1710bb9f9c cgroup/cpuset: Make cpuset_fork() handle CLONE_INTO_CGROUP properly With these applied: ``` # systemd-run --slice test.slice yes Running as unit: run-r442c444559ff49f48c6c2b8325b3b500.service; invocation ID: 5211167267154e9292cb6b854585cb91 # cat /sys/fs/cgroup/test.slice/run-r442c444559ff49f48c6c2b8325b3b500.service/cgroup.procs 291 # taskset -pc 291 pid 291's current affinity list: 2 ``` Perhaps these are a good candidate for backport onto the 5.15 LTS branch? Thanks James

1 month, 1 week

1
0
0 0

[PATCH v2] exfat: fix random stack corruption after get_block

by Sungjong Seo

When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. <CPU 0> <CPU 1> mpage_read_folio <<bh on stack>> do_mpage_readpage exfat_get_block bh_read __bh_read get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <<keep going>> ... ... ... ... <<bh is not valid out of mpage_read_folio>> . . another_function <<variable A on stack>> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head. Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") Cc: stable(a)vger.kernel.org Tested-by: Yeongjin Gil <youngjin.gil(a)samsung.com> Signed-off-by: Sungjong Seo <sj1557.seo(a)samsung.com> --- v2: - clear_buffer_mapped if there is any errors. - remove unnecessary BUG_ON() --- fs/exfat/inode.c | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c index 96952d4acb50..f3fdba9f4d21 100644 --- a/fs/exfat/inode.c +++ b/fs/exfat/inode.c @@ -344,7 +344,8 @@ static int exfat_get_block(struct inode *inode, sector_t iblock, * The block has been partially written, * zero the unwritten part and map the block. */ - loff_t size, off, pos; + loff_t size, pos; + void *addr; max_blocks = 1; @@ -355,17 +356,41 @@ static int exfat_get_block(struct inode *inode, sector_t iblock, if (!bh_result->b_folio) goto done; + /* + * No buffer_head is allocated. + * (1) bmap: It's enough to fill bh_result without I/O. + * (2) read: The unwritten part should be filled with 0 + * If a folio does not have any buffers, + * let's returns -EAGAIN to fallback to + * per-bh IO like block_read_full_folio(). + */ + if (!folio_buffers(bh_result->b_folio)) { + err = -EAGAIN; + goto done; + } + pos = EXFAT_BLK_TO_B(iblock, sb); size = ei->valid_size - pos; - off = pos & (PAGE_SIZE - 1); + addr = folio_address(bh_result->b_folio) + + offset_in_folio(bh_result->b_folio, pos); + + /* Check if bh->b_data points to proper addr in folio */ + if (bh_result->b_data != addr) { + exfat_fs_error_ratelimit(sb, + "b_data(%p) != folio_addr(%p)", + bh_result->b_data, addr); + err = -EINVAL; + goto done; + } - folio_set_bh(bh_result, bh_result->b_folio, off); + /* Read a block */ err = bh_read(bh_result, 0); if (err < 0) - goto unlock_ret; + goto done; - folio_zero_segment(bh_result->b_folio, off + size, - off + sb->s_blocksize); + /* Zero unwritten part of a block */ + memset(bh_result->b_data + size, 0, + bh_result->b_size - size); } else { /* * The range has not been written, clear the mapped flag @@ -376,6 +401,8 @@ static int exfat_get_block(struct inode *inode, sector_t iblock, } done: bh_result->b_size = EXFAT_BLK_TO_B(max_blocks, sb); + if (err < 0) + clear_buffer_mapped(bh_result); unlock_ret: mutex_unlock(&sbi->s_lock); return err; -- 2.25.1

1 month, 1 week

3
2
0 0

6.1.132-rc1 build regression on ia64 (and possibly other architectures)

by Frank Scheiner

Hi again, also for 6.1.132-rc1 the review hasn't started yet, but as it was already available on [1], our CI has also tried to built it for ia64 in the morning. Unfortunately that failed, too - I assume due to the following **missing** upstream commit: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm… [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.… Build failure (see [2]): ``` [...] In file included from ./include/linux/string.h:5, from ./include/linux/uuid.h:12, from ./fs/xfs/xfs_linux.h:10, from ./fs/xfs/xfs.h:22, from fs/xfs/libxfs/xfs_alloc.c:6: fs/xfs/libxfs/xfs_alloc.c: In function '__xfs_free_extent_later': fs/xfs/libxfs/xfs_alloc.c:2551:51: error: 'mp' undeclared (first use in this function); did you mean 'tp'? 2551 | if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len))) | ^~ ./include/linux/compiler.h:78:45: note: in definition of macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ fs/xfs/libxfs/xfs_alloc.c:2551:13: note: in expansion of macro 'XFS_IS_CORRUPT' 2551 | if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len))) | ^~~~~~~~~~~~~~ fs/xfs/libxfs/xfs_alloc.c:2551:51: note: each undeclared identifier is reported only once for each function it appears in 2551 | if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len))) | ^~ ./include/linux/compiler.h:78:45: note: in definition of macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ fs/xfs/libxfs/xfs_alloc.c:2551:13: note: in expansion of macro 'XFS_IS_CORRUPT' 2551 | if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len))) | ^~~~~~~~~~~~~~ ./fs/xfs/xfs_linux.h:225:63: warning: left-hand operand of comma expression has no effect [-Wunused-value] 225 | __this_address), \ | ^ fs/xfs/libxfs/xfs_alloc.c:2551:13: note: in expansion of macro 'XFS_IS_CORRUPT' 2551 | if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len))) | ^~~~~~~~~~~~~~ make[5]: *** [scripts/Makefile.build:250: fs/xfs/libxfs/xfs_alloc.o] Error 1 [...] ``` [2]: https://github.com/linux-ia64/linux-stable-rc/actions/runs/13914712427/job/… [3] (7dfee17b13e5024c5c0ab1911859ded4182de3e5 upstream) introduced the XFS_IS_CORRUPT macro call now in `fs/xfs/libxfs/xfs_alloc.c:2551`, but the struct "mp" is only there when DEBUG is defined in 6.1.132-rc1. The above upstream commit (f6b3846) moves "mp" out of that guard and hence should fix that specific build regression IIUC. Again not build-tested yet, though. [3]: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.… Cheers, Frank

1 month, 1 week

4
4
0 0

[PATCH V2] tracing/osnoise: Fix possible recursive locking for cpus_read_lock()

by Ran Xiaokai

From: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Lockdep reports this deadlock log: osnoise: could not start sampling thread ============================================ WARNING: possible recursive locking detected -------------------------------------------- CPU0 ---- lock(cpu_hotplug_lock); lock(cpu_hotplug_lock); Call Trace: <TASK> print_deadlock_bug+0x282/0x3c0 __lock_acquire+0x1610/0x29a0 lock_acquire+0xcb/0x2d0 cpus_read_lock+0x49/0x120 stop_per_cpu_kthreads+0x7/0x60 start_kthread+0x103/0x120 osnoise_hotplug_workfn+0x5e/0x90 process_one_work+0x44f/0xb30 worker_thread+0x33e/0x5e0 kthread+0x206/0x3b0 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x11/0x20 </TASK> This is the deadlock scenario: osnoise_hotplug_workfn() guard(cpus_read_lock)(); // first lock call start_kthread(cpu) if (IS_ERR(kthread)) { stop_per_cpu_kthreads(); { cpus_read_lock(); // second lock call. Cause the AA deadlock } } It is not necessary to call stop_per_cpu_kthreads() which stops osnoise kthread for every other CPUs in the system if a failure occurs during hotplug of a certain CPU. For start_per_cpu_kthreads(), if the start_kthread() call fails, this function calls stop_per_cpu_kthreads() to handle the error. Therefore, similarly, there is no need to call stop_per_cpu_kthreads() again within start_kthread(). So just remove stop_per_cpu_kthreads() from start_kthread to solve this issue. Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations") Signed-off-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> --- kernel/trace/trace_osnoise.c | 1 - 1 file changed, 1 deletion(-) diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c index 647516a73fa2..e732c9e37e14 100644 --- a/kernel/trace/trace_osnoise.c +++ b/kernel/trace/trace_osnoise.c @@ -2006,7 +2006,6 @@ static int start_kthread(unsigned int cpu) if (IS_ERR(kthread)) { pr_err(BANNER "could not start sampling thread\n"); - stop_per_cpu_kthreads(); return -ENOMEM; } -- 2.17.1

1 month, 1 week

2
1
0 0

[PATCH] wifi: ath12k: fix ring-buffer corruption

by Johan Hovold

Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes breaks and the log fills up with errors like: ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492 ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484 which based on a quick look at the ath11k driver seemed to indicate some kind of ring-buffer corruption. Miaoqing Pan tracked it down to the host seeing the updated destination ring head pointer before the updated descriptor, and the error handling for that in turn leaves the ring buffer in an inconsistent state. While this has not yet been observed with ath12k, the ring-buffer implementation is very similar to the ath11k one and it suffers from the same bugs. Add the missing memory barrier to make sure that the descriptor is read after the head pointer to address the root cause of the corruption while fixing up the error handling in case there are ever any (ordering) bugs on the device side. Note that the READ_ONCE() are only needed to avoid compiler mischief in case the ring-buffer helpers are ever inlined. Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Cc: stable(a)vger.kernel.org # 6.3 Link: https://bugzilla.kernel.org/show_bug.cgi?id=218623 Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com Cc: Miaoqing Pan <quic_miaoqing(a)quicinc.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/net/wireless/ath/ath12k/ce.c | 11 +++++------ drivers/net/wireless/ath/ath12k/hal.c | 4 ++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/ce.c b/drivers/net/wireless/ath/ath12k/ce.c index be0d669d31fc..740586fe49d1 100644 --- a/drivers/net/wireless/ath/ath12k/ce.c +++ b/drivers/net/wireless/ath/ath12k/ce.c @@ -343,11 +343,10 @@ static int ath12k_ce_completed_recv_next(struct ath12k_ce_pipe *pipe, goto err; } + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + *nbytes = ath12k_hal_ce_dst_status_get_length(desc); - if (*nbytes == 0) { - ret = -EIO; - goto err; - } *skb = pipe->dest_ring->skb[sw_index]; pipe->dest_ring->skb[sw_index] = NULL; @@ -380,8 +379,8 @@ static void ath12k_ce_recv_process_cb(struct ath12k_ce_pipe *pipe) dma_unmap_single(ab->dev, ATH12K_SKB_RXCB(skb)->paddr, max_nbytes, DMA_FROM_DEVICE); - if (unlikely(max_nbytes < nbytes)) { - ath12k_warn(ab, "rxed more than expected (nbytes %d, max %d)", + if (unlikely(max_nbytes < nbytes || nbytes == 0)) { + ath12k_warn(ab, "unexpected rx length (nbytes %d, max %d)", nbytes, max_nbytes); dev_kfree_skb_any(skb); continue; diff --git a/drivers/net/wireless/ath/ath12k/hal.c b/drivers/net/wireless/ath/ath12k/hal.c index cd59ff8e6c7b..91d5126ca149 100644 --- a/drivers/net/wireless/ath/ath12k/hal.c +++ b/drivers/net/wireless/ath/ath12k/hal.c @@ -1962,7 +1962,7 @@ u32 ath12k_hal_ce_dst_status_get_length(struct hal_ce_srng_dst_status_desc *desc { u32 len; - len = le32_get_bits(desc->flags, HAL_CE_DST_STATUS_DESC_FLAGS_LEN); + len = le32_get_bits(READ_ONCE(desc->flags), HAL_CE_DST_STATUS_DESC_FLAGS_LEN); desc->flags &= ~cpu_to_le32(HAL_CE_DST_STATUS_DESC_FLAGS_LEN); return len; @@ -2132,7 +2132,7 @@ void ath12k_hal_srng_access_begin(struct ath12k_base *ab, struct hal_srng *srng) srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; else - srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr; + srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); } /* Update cached ring head/tail pointers to HW. ath12k_hal_srng_access_begin() -- 2.48.1

1 month, 1 week

1
0
0 0

[PATCH 6.12 000/231] 6.12.20-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.20 release. There are 231 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 21 Mar 2025 14:29:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.20-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.20-rc1 Max Kellermann <max.kellermann(a)ionos.com> fs/netfs/read_collect: add to next->prev_donated Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Daniel Wagner <wagi(a)kernel.org> nvme-fc: rely on state transitions to handle connectivity loss Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Andrea Righi <arighi(a)nvidia.com> tools/sched_ext: Add helper to check task migration state Andrea Righi <arighi(a)nvidia.com> sched_ext: selftests/dsp_local_on: Fix selftest on UP systems Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Ge Yang <yangge1116(a)126.com> mm/hugetlb: wait for hugetlb folios to be freed Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Ajay Kaher <ajay.kaher(a)broadcom.com> x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware hypervisors Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> block: change blk_mq_add_to_batch() third argument type to bool Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add uapi crate Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing include_dirs Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps José Roberto de Souza <jose.souza(a)intel.com> drm/i915: Increase I915_PARAM_MMAP_GTT_VERSION version to indicate support for partial mmaps Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> nvme: move error logging from nvme_end_req() to __nvme_end_req() Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe/pm: Temporarily disable D3Cold on BMG Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/userptr: Fix an incorrect assert Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Release guc ids before cancelling work Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: cancel pending job timer before freeing scheduler Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: rt722-sdca: add missing readable registers Alban Kurti <kurti(a)invicto.ai> rust: init: add missing newline to pr_info! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Fix maximum ADC Volume Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Alban Kurti <kurti(a)invicto.ai> rust: error: add missing newline to pr_warn! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value Andrea Righi <arighi(a)nvidia.com> sched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl() Andrei Botila <andrei.botila(a)oss.nxp.com> net: phy: nxp-c45-tja11xx: add TJA112XB SGMII PCS restart errata Andrei Botila <andrei.botila(a)oss.nxp.com> net: phy: nxp-c45-tja11xx: add TJA112X PHY configuration errata Paulo Alcantara <pc(a)manguebit.com> smb: client: fix regression with guest option Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Piotr Jaroszynski <pjaroszynski(a)nvidia.com> Fix mmu notifiers for range-based invalidates Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Kent Overstreet <kent.overstreet(a)linux.dev> dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Mina Almasry <almasrymina(a)google.com> netmem: prevent TX of unreadable skbs Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() Peter Griffin <peter.griffin(a)linaro.org> clk: samsung: gs101: fix synchronous external abort in samsung_clk_save() Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent connection release during oplock break notification Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_free_work_struct Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Aliaksei Urbanski <aliaksei.urbanski(a)gmail.com> drm/amd/display: fix missing .is_two_pixels_per_container Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: fix default brightness Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Disable unneeded hpd interrupts during dm_init David Rosca <david.rosca(a)amd.com> drm/amdgpu/display: Allow DCC for video formats on GFX12 Yifan Zha <Yifan.Zha(a)amd.com> drm/amd/amdkfd: Evict all queues even HWS remove queue failed Natalie Vock <natalie.vock(a)gmx.de> drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Miguel Ojeda <ojeda(a)kernel.org> drm/panic: fix overindented list items in documentation Miguel Ojeda <ojeda(a)kernel.org> drm/panic: use `div_ceil` to clean Clippy warning Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/cdclk: Do cdclk post plane programming later Conor Dooley <conor.dooley(a)microchip.com> spi: microchip-core: prevent RX overflows when transmit size > FIFO size Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Benno Lossin <benno.lossin(a)proton.me> rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Tamir Duberstein <tamird(a)gmail.com> rust: alloc: satisfy POSIX alignment requirement Miguel Ojeda <ojeda(a)kernel.org> rust: remove leftover mentions of the `alloc` crate Mitchell Levy <levymitchell0(a)gmail.com> rust: lockdep: Remove support for dynamically allocated LockClassKeys Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - rename QH controller to Legion Go S Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for TECNO Pocket Go Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for ZOTAC Gaming Zone Pavel Rojtberg <rojtberg(a)gmail.com> Input: xpad - add multiple supported devices Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - preserve system status register H. Nikolaus Schaller <hns(a)goldelico.com> Input: ads7846 - fix gpiod allocation Luca Weiss <luca.weiss(a)fairphone.com> Input: goodix-berlin - fix vddio regulator references Pali Rohár <pali(a)kernel.org> cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() Pali Rohár <pali(a)kernel.org> cifs: Validate content of WSL reparse point buffers Keith Busch <kbusch(a)kernel.org> vhost: return task creation error instead of NULL Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Frederic Weisbecker <frederic(a)kernel.org> net: Handle napi_schedule() calls from non-interrupt Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Aaron Ma <aaron.ma(a)canonical.com> perf/x86/rapl: Add support for Intel Arrow Lake U Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Dmytro Maluka <dmaluka(a)chromium.org> x86/of: Don't use DTB for SMP setup if ACPI is enabled Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Harry Wentland <harry.wentland(a)amd.com> drm/vkms: Round fixp2int conversion in lerp_u16 Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: SOF: Intel: don't check number of sdw links when set dmic_fixup Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> ASoC: dapm-graph: set fill colour of turned on nodes Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Andrew Davis <afd(a)ti.com> phy: ti: gmii-sel: Do not use syscon helper to build regmap Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Pali Rohár <pali(a)kernel.org> cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes Hector Martin <marcan(a)marcan.st> apple-nvme: Release power domains when probe fails Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Uday Shankar <ushankar(a)purestorage.com> io-wq: backoff when retrying worker creation Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: SOF: amd: Add post_fw_run_delay ACP quirk Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> ALSA: hda: hda-intel: add Panther Lake-H support Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: Intel: pci-ptl: Add support for PTL-H Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> ALSA: hda: intel-dsp-config: Add PTL-H support Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> PCI: pci_ids: add INTEL_HDA_PTL_H Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: indicate unsupported clock rate Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: simple-card-utils.c: add missing dlc->of_node Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-mtl-match: declare adr as ull Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S14 Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: Intel: sof_sdw: Add lookup of quirk using PCI subsystem ID Jiayuan Chen <mrpre(a)163.com> selftests/bpf: Fix invalid flag of recv() Maxime Ripard <mripard(a)kernel.org> drm/tests: hdmi: Fix recursive locking Maxime Ripard <mripard(a)kernel.org> drm/tests: hdmi: Reorder DRM entities variables assignment Maxime Ripard <mripard(a)kernel.org> drm/tests: hdmi: Remove redundant assignments Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Beata Michalska <beata.michalska(a)arm.com> arm64: amu: Delay allocating cpumask for AMU FIE support Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Set host with kernel mode when switch to VM mode Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix kernel_page_present() for KPRANGE/XKPRANGE Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Sakari Ailus <sakari.ailus(a)linux.intel.com> platform/x86: int3472: Call "reset" GPIO "enable" for INT347E Sakari Ailus <sakari.ailus(a)linux.intel.com> platform/x86: int3472: Use correct type for "polarity", call it gpio_flags Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Ignore dangling jump table entries Matthew Wilcox (Oracle) <willy(a)infradead.org> btrfs: fix two misuses of folio_shift() Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Bharadwaj Raju <bharadwaj.raju777(a)gmail.com> selftests/cgroup: use bash in test_cpuset_v1_hp.sh Daniel Brackenbury <daniel.brackenbury(a)gmail.com> HID: topre: Fix n-key rollover on Realforce R3S TKL boards Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: ipc: Add Panther Lake PCI device IDs Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: phy: generic: Use proper helper for property detection Vicki Pfau <vi(a)endrift.com> HID: hid-steam: Fix issues with disabling both gamepad mode and lizard mode Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Tejun Heo <tj(a)kernel.org> sched_ext: selftests/dsp_local_on: Fix sporadic failures Miklos Szeredi <mszeredi(a)redhat.com> selftests: always check mask returned by statmount(2) Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Fix error return with query response Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix out-of-bound accesses Dmitry Kandybka <d.kandybka(a)gmail.com> platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Christian Loehle <christian.loehle(a)arm.com> sched/debug: Provide slice length for fair tasks Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Jens Axboe <axboe(a)kernel.dk> futex: Pass in task to futex_queue() Filipe Manana <fdmanana(a)suse.com> btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: do not ignore connectivity loss during connecting Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Shay Drory <shayd(a)nvidia.com> net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix incorrect IRQ pool usage when releasing IRQs Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5: HWS, Rightsize bwc matcher priority Xin Long <lucien.xin(a)gmail.com> Revert "openvswitch: switch to per-action label counting in conntrack" Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Justin Lai <justinlai0215(a)realtek.com> rtase: Fix improper release of ring list entries in rtase_sw_reset Hangbin Liu <liuhangbin(a)gmail.com> selftests: bonding: fix incorrect mac address Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: unshare packets when reassembling Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix memory leak in queue reset David Wei <dw(a)davidwei.uk> bnxt_en: handle tpa_info in queue API implementation David Wei <dw(a)davidwei.uk> bnxt_en: refactor tpa_info alloc/free into helpers Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: use page pool for head frags Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc() Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: fix truesize for mb-xdp-pass case Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Saurabh Sengar <ssengar(a)linux.microsoft.com> fbdev: hyperv_fb: Allow graceful removal of framebuffer Saurabh Sengar <ssengar(a)linux.microsoft.com> fbdev: hyperv_fb: Simplify hvfb_putmem Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i3c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Fill out devlink dev info only for PFs Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: don't queue sdata::work for a non-running sdata Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: make destruction work queue pernet Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Marcin Szycik <marcin.szycik(a)linux.intel.com> ice: Fix switchdev slow-path in LAG Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Larysa Zaremba <larysa.zaremba(a)intel.com> ice: do not configure destination override for switchdev Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Charles Han <hanchunchao(a)inspur.com> pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Suren Baghdasaryan <surenb(a)google.com> userfaultfd: fix PTE unmapping stack-allocated PTE copies Barry Song <baohua(a)kernel.org> mm: fix kernel BUG when userfaultfd_move encounters swapcache Uladzislau Rezki (Sony) <urezki(a)gmail.com> mm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq ------------- Diffstat: Documentation/rust/quick-start.rst | 2 +- Makefile | 4 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm64/include/asm/tlbflush.h | 22 +- arch/arm64/kernel/topology.c | 22 +- arch/arm64/mm/mmu.c | 5 +- arch/loongarch/kvm/switch.S | 2 +- arch/loongarch/mm/pageattr.c | 3 +- arch/x86/events/intel/core.c | 85 ++++++ arch/x86/events/rapl.c | 1 + arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/vmware.c | 4 + arch/x86/kernel/devicetree.c | 3 +- arch/x86/kernel/irq.c | 2 + arch/x86/kvm/mmu/mmu.c | 2 +- block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/block/null_blk/main.c | 4 +- drivers/block/virtio_blk.c | 5 +- drivers/clk/samsung/clk-gs101.c | 8 - drivers/clk/samsung/clk-pll.c | 7 +- drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 5 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 +++-- .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 7 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- .../amd/display/dc/dce60/dce60_timing_generator.c | 1 + .../dc/dml2/dml21/dml21_translation_helper.c | 4 +- .../amd/display/dc/dml2/dml2_translation_helper.c | 6 +- drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/drm_panic_qr.rs | 16 +- drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/i915/display/intel_display.c | 5 +- drivers/gpu/drm/i915/gem/i915_gem_mman.c | 5 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 193 +++++++------- drivers/gpu/drm/vkms/vkms_composer.c | 2 +- drivers/gpu/drm/xe/xe_guc_submit.c | 4 +- drivers/gpu/drm/xe/xe_hmm.c | 6 +- drivers/gpu/drm/xe/xe_pm.c | 13 +- drivers/hid/Kconfig | 3 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 3 + drivers/hid/hid-quirks.c | 1 + drivers/hid/hid-steam.c | 6 +- drivers/hid/hid-topre.c | 7 + drivers/hid/intel-ish-hid/ipc/hw-ish.h | 2 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ipc/pci-ish.c | 7 + drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 + drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/input/joystick/xpad.c | 39 ++- drivers/input/misc/iqs7222.c | 50 ++-- drivers/input/serio/i8042-acpipnpio.h | 111 ++++---- drivers/input/touchscreen/ads7846.c | 2 +- drivers/input/touchscreen/goodix_berlin_core.c | 24 +- drivers/md/dm-flakey.c | 2 +- drivers/net/bonding/bond_options.c | 55 +++- drivers/net/dsa/mv88e6xxx/chip.c | 59 ++++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 286 +++++++++++++-------- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 13 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- drivers/net/ethernet/intel/ice/ice_eswitch.c | 6 - drivers/net/ethernet/intel/ice/ice_lag.c | 27 ++ drivers/net/ethernet/intel/ice/ice_lib.c | 18 -- drivers/net/ethernet/intel/ice/ice_lib.h | 4 - drivers/net/ethernet/intel/ice/ice_txrx.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 + .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 2 +- .../net/ethernet/mellanox/mlx5/core/irq_affinity.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 + .../net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + drivers/net/ethernet/mellanox/mlx5/core/mlx5_irq.h | 4 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 13 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.h | 2 +- .../mellanox/mlx5/core/steering/hws/mlx5hws_bwc.h | 2 +- .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- drivers/net/ethernet/realtek/rtase/rtase_main.c | 10 + drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/mctp/mctp-i3c.c | 5 + drivers/net/phy/nxp-c45-tja11xx.c | 68 +++++ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 6 +- drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/apple.c | 5 +- drivers/nvme/host/core.c | 14 +- drivers/nvme/host/fc.c | 59 +---- drivers/nvme/host/pci.c | 7 +- drivers/nvme/target/rdma.c | 33 ++- drivers/phy/ti/phy-gmii-sel.c | 15 +- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c | 3 + drivers/platform/x86/intel/int3472/discrete.c | 85 ++++-- drivers/platform/x86/intel/pmc/core.c | 4 +- drivers/platform/x86/thinkpad_acpi.c | 50 +++- drivers/powercap/powercap_sys.c | 3 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/spi/spi-microchip-core.c | 41 ++- drivers/thermal/cpufreq_cooling.c | 2 - drivers/ufs/core/ufshcd.c | 7 +- drivers/usb/phy/phy-generic.c | 2 +- drivers/usb/serial/ftdi_sio.c | 14 + drivers/usb/serial/ftdi_sio_ids.h | 13 + drivers/usb/serial/option.c | 48 ++-- drivers/vhost/vhost.c | 2 +- drivers/video/fbdev/hyperv_fb.c | 52 ++-- drivers/xen/swiotlb-xen.c | 2 +- fs/btrfs/extent_io.c | 11 +- fs/btrfs/qgroup.c | 6 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 +- fs/netfs/read_collect.c | 2 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 18 +- fs/smb/client/inode.c | 13 + fs/smb/client/reparse.c | 10 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/common/smbfsctl.h | 3 + fs/smb/server/connection.c | 20 ++ fs/smb/server/connection.h | 2 + fs/smb/server/ksmbd_work.c | 3 - fs/smb/server/ksmbd_work.h | 1 - fs/smb/server/oplock.c | 43 ++-- fs/smb/server/oplock.h | 1 - fs/smb/server/server.c | 14 +- fs/vboxsf/super.c | 3 +- include/linux/blk-mq.h | 16 +- include/linux/fs.h | 2 + include/linux/hugetlb.h | 5 + include/linux/pci_ids.h | 1 + include/net/bluetooth/hci_core.h | 108 +++----- include/net/bluetooth/l2cap.h | 3 +- include/net/netfilter/nf_tables.h | 4 +- include/sound/soc.h | 5 +- init/Kconfig | 2 +- io_uring/futex.c | 2 +- io_uring/io-wq.c | 23 +- kernel/futex/core.c | 5 +- kernel/futex/futex.h | 11 +- kernel/futex/pi.c | 2 +- kernel/futex/waitwake.c | 4 +- kernel/rcu/tree.c | 14 +- kernel/sched/core.c | 5 +- kernel/sched/debug.c | 2 + kernel/sched/ext.c | 3 + kernel/time/hrtimer.c | 22 +- kernel/vhost_task.c | 4 +- mm/hugetlb.c | 8 + mm/page_isolation.c | 10 + mm/userfaultfd.c | 91 +++++-- net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 +-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 181 ++++++------- net/bluetooth/l2cap_sock.c | 15 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 12 +- net/core/dev.c | 5 +- net/core/netpoll.c | 9 +- net/ipv6/addrconf.c | 15 +- net/mac80211/util.c | 8 +- net/mctp/route.c | 10 +- net/mctp/test/route-test.c | 109 ++++++++ net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nf_tables_api.c | 24 +- net/netfilter/nft_compat.c | 8 +- net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_exthdr.c | 10 +- net/openvswitch/conntrack.c | 30 ++- net/openvswitch/datapath.h | 3 + net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 +- net/wireless/core.c | 7 + rust/kernel/alloc/allocator_test.rs | 18 ++ rust/kernel/error.rs | 2 +- rust/kernel/init.rs | 23 +- rust/kernel/init/macros.rs | 6 +- rust/kernel/lib.rs | 2 +- rust/kernel/sync.rs | 16 +- scripts/generate_rust_analyzer.py | 71 ++--- scripts/rustdoc_test_gen.rs | 4 +- sound/hda/intel-dsp-config.c | 5 + sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/cs42l43.c | 2 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/rt722-sdca-sdw.c | 4 + sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/generic/simple-card-utils.c | 1 + sound/soc/intel/boards/sof_sdw.c | 33 ++- sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 2 +- sound/soc/sh/rcar/core.c | 14 - sound/soc/sh/rcar/rsnd.h | 1 - sound/soc/sh/rcar/src.c | 116 +++++++-- sound/soc/sh/rcar/ssi.c | 3 +- sound/soc/soc-ops.c | 15 +- sound/soc/sof/amd/acp-ipc.c | 23 +- sound/soc/sof/amd/acp.c | 1 + sound/soc/sof/amd/acp.h | 1 + sound/soc/sof/amd/vangogh.c | 18 ++ sound/soc/sof/intel/hda-codec.c | 1 + sound/soc/sof/intel/hda.c | 18 +- sound/soc/sof/intel/pci-ptl.c | 1 + tools/objtool/check.c | 9 + tools/sched_ext/include/scx/common.bpf.h | 11 + tools/sound/dapm-graph | 2 +- .../selftests/bpf/prog_tests/sockmap_basic.c | 6 +- .../testing/selftests/cgroup/test_cpuset_v1_hp.sh | 2 +- .../selftests/drivers/net/bonding/bond_options.sh | 4 +- .../filesystems/statmount/statmount_test.c | 22 +- .../testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 +- 245 files changed, 2447 insertions(+), 1311 deletions(-)

1 month, 1 week

12
242
0 0

[PATCH] exfat: fix random stack corruption after get_block

by Sungjong Seo

When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. <CPU 0> <CPU 1> mpage_read_folio <<bh on stack>> do_mpage_readpage exfat_get_block bh_read __bh_read get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <<keep going>> ... ... ... ... <<bh is not valid out of mpage_read_folio>> . . another_function <<variable A on stack>> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head. Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") Cc: stable(a)vger.kernel.org Tested-by: Yeongjin Gil <youngjin.gil(a)samsung.com> Signed-off-by: Sungjong Seo <sj1557.seo(a)samsung.com> --- fs/exfat/inode.c | 37 ++++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c index 96952d4acb50..b8ea910586e4 100644 --- a/fs/exfat/inode.c +++ b/fs/exfat/inode.c @@ -344,7 +344,8 @@ static int exfat_get_block(struct inode *inode, sector_t iblock, * The block has been partially written, * zero the unwritten part and map the block. */ - loff_t size, off, pos; + loff_t size, pos; + void *addr; max_blocks = 1; @@ -355,17 +356,43 @@ static int exfat_get_block(struct inode *inode, sector_t iblock, if (!bh_result->b_folio) goto done; + /* + * No buffer_head is allocated. + * (1) bmap: It's enough to fill bh_result without I/O. + * (2) read: The unwritten part should be filled with 0 + * If a folio does not have any buffers, + * let's returns -EAGAIN to fallback to + * per-bh IO like block_read_full_folio(). + */ + if (!folio_buffers(bh_result->b_folio)) { + err = -EAGAIN; + goto done; + } + pos = EXFAT_BLK_TO_B(iblock, sb); size = ei->valid_size - pos; - off = pos & (PAGE_SIZE - 1); + addr = folio_address(bh_result->b_folio) + + offset_in_folio(bh_result->b_folio, pos); + + BUG_ON(size > sb->s_blocksize); + + /* Check if bh->b_data points to proper addr in folio */ + if (bh_result->b_data != addr) { + exfat_fs_error_ratelimit(sb, + "b_data(%p) != folio_addr(%p)", + bh_result->b_data, addr); + err = -EINVAL; + goto done; + } - folio_set_bh(bh_result, bh_result->b_folio, off); + /* Read a block */ err = bh_read(bh_result, 0); if (err < 0) goto unlock_ret; - folio_zero_segment(bh_result->b_folio, off + size, - off + sb->s_blocksize); + /* Zero unwritten part of a block */ + memset(bh_result->b_data + size, 0, + bh_result->b_size - size); } else { /* * The range has not been written, clear the mapped flag -- 2.25.1

1 month, 1 week

2
2
0 0

[PATCH RESEND] ext4: Fix potential NULL pointer dereferences in test_mb_mark_used() and test_mb_free_blocks()

by Qasim Ijaz

test_mb_mark_used() and test_mb_free_blocks() call kunit_kzalloc() to allocate memory, however both fail to ensure that the allocations succeeded. If kunit_kzalloc() returns NULL, then dereferencing the corresponding pointer without checking for NULL will lead to a NULL pointer dereference. To fix this call KUNIT_ASSERT_NOT_ERR_OR_NULL() to ensure the allocation succeeded. Fixes: ac96b56a2fbd ("ext4: Add unit test for mb_mark_used") Fixes: b7098e1fa7bc ("ext4: Add unit test for mb_free_blocks") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- fs/ext4/mballoc-test.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ext4/mballoc-test.c b/fs/ext4/mballoc-test.c index bb2a223b207c..d634c12f1984 100644 --- a/fs/ext4/mballoc-test.c +++ b/fs/ext4/mballoc-test.c @@ -796,6 +796,7 @@ static void test_mb_mark_used(struct kunit *test) KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buddy); grp = kunit_kzalloc(test, offsetof(struct ext4_group_info, bb_counters[MB_NUM_ORDERS(sb)]), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, grp); ret = ext4_mb_load_buddy(sb, TEST_GOAL_GROUP, &e4b); KUNIT_ASSERT_EQ(test, ret, 0); @@ -860,6 +861,7 @@ static void test_mb_free_blocks(struct kunit *test) KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buddy); grp = kunit_kzalloc(test, offsetof(struct ext4_group_info, bb_counters[MB_NUM_ORDERS(sb)]), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, grp); ret = ext4_mb_load_buddy(sb, TEST_GOAL_GROUP, &e4b); KUNIT_ASSERT_EQ(test, ret, 0); -- 2.39.5

1 month, 1 week

4
3
0 0

[PATCH 6.6 000/166] 6.6.84-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.84 release. There are 166 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 21 Mar 2025 14:29:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.84-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.84-rc1 Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: allow clone callbacks to sleep Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: bail out if stateful expression provides no .clone Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: use timestamp to check for set element timeout Mitchell Levy <levymitchell0(a)gmail.com> rust: lockdep: Remove support for dynamically allocated LockClassKeys Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: Fix a C2HTermReq error message Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Daniel Wagner <wagi(a)kernel.org> nvme-fc: rely on state transitions to handle connectivity loss Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix corrupted list in hci_chan_del Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Philipp Stanner <phasta(a)kernel.org> stmmac: loongson: Pass correct arg to PCI function Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Pali Rohár <pali(a)kernel.org> cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point() Pali Rohár <pali(a)kernel.org> cifs: Validate content of WSL reparse point buffers Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: rt722-sdca: add missing readable registers Alban Kurti <kurti(a)invicto.ai> rust: init: add missing newline to pr_info! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Fix maximum ADC Volume Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Alban Kurti <kurti(a)invicto.ai> rust: error: add missing newline to pr_warn! calls Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: split critical region in remap_file_pages() and invoke LSMs in between Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: Handle memfd_secret() files in build_id_parse() Benno Lossin <benno.lossin(a)proton.me> rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and `Option<KBox<T>>` Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Paulo Alcantara <pc(a)manguebit.com> smb: client: fix regression with guest option Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Kent Overstreet <kent.overstreet(a)linux.dev> dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent connection release during oplock break notification Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_free_work_struct Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Disable unneeded hpd interrupts during dm_init Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/cdclk: Do cdclk post plane programming later Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - rename QH controller to Legion Go S Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for TECNO Pocket Go Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for ZOTAC Gaming Zone Pavel Rojtberg <rojtberg(a)gmail.com> Input: xpad - add multiple supported devices Nilton Perim Neto <niltonperimneto(a)gmail.com> Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - preserve system status register H. Nikolaus Schaller <hns(a)goldelico.com> Input: ads7846 - fix gpiod allocation Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix error pbuf checking Jens Axboe <axboe(a)kernel.dk> io_uring: use unpin_user_pages() where appropriate Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: use vm_insert_pages() for mmap'ed pbuf ring Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: vmap pinned buffer ring Jens Axboe <axboe(a)kernel.dk> io_uring: unify io_pin_pages() Jens Axboe <axboe(a)kernel.dk> io_uring: use vmap() for ring mapping Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix corner case forgetting to vunmap Jens Axboe <axboe(a)kernel.dk> io_uring: don't attempt to mmap larger than what the user asks for Jens Axboe <axboe(a)kernel.dk> io_uring: get rid of remap_pfn_range() for mapping rings/sqes Jens Axboe <axboe(a)kernel.dk> mm: add nommu variant of vm_insert_pages() Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Frederic Weisbecker <frederic(a)kernel.org> net: Handle napi_schedule() calls from non-interrupt Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Harry Wentland <harry.wentland(a)amd.com> drm/vkms: Round fixp2int conversion in lerp_u16 Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Pali Rohár <pali(a)kernel.org> cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes Hector Martin <marcan(a)marcan.st> apple-nvme: Release power domains when probe fails Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: add basic support for the C2HTermReq PDU Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Uday Shankar <ushankar(a)purestorage.com> io-wq: backoff when retrying worker creation Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: indicate unsupported clock rate Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: simple-card-utils.c: add missing dlc->of_node Jiayuan Chen <mrpre(a)163.com> selftests/bpf: Fix invalid flag of recv() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Ignore dangling jump table entries Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Daniel Brackenbury <daniel.brackenbury(a)gmail.com> HID: topre: Fix n-key rollover on Realforce R3S TKL boards Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: phy: generic: Use proper helper for property detection Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Fix error return with query response Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Dmitry Kandybka <d.kandybka(a)gmail.com> platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Christian Loehle <christian.loehle(a)arm.com> sched/debug: Provide slice length for fair tasks Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: do not ignore connectivity loss during connecting Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Shay Drory <shayd(a)nvidia.com> net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Fill out devlink dev info only for PFs Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Xueming Feng <kuro(a)kuroa.me> tcp: fix forever orphan socket caused by tcp_abort Eric Dumazet <edumazet(a)google.com> tcp: fix races in tcp_abort() Wander Lairson Costa <wander.lairson(a)gmail.com> bpf: Use raw_spinlock_t in ringbuf Felix Moessbauer <felix.moessbauer(a)siemens.com> hrtimer: Use and report correct timerslack values for realtime tasks Liu Shixin <liushixin2(a)huawei.com> zram: fix NULL pointer in comp_algorithm_show() Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Prevent boot crash when the boot CPU is nohz_full David Woodhouse <dwmw(a)amazon.co.uk> clockevents/drivers/i8253: Fix stop sequence for timer 0 ------------- Diffstat: Documentation/timers/no_hz.rst | 7 +- Makefile | 4 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm64/mm/mmu.c | 5 +- arch/x86/events/intel/core.c | 85 +++++++ arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/mshyperv.c | 11 - arch/x86/kernel/irq.c | 2 + block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/block/zram/zram_drv.c | 4 +- drivers/clk/samsung/clk-pll.c | 7 +- drivers/clocksource/i8253.c | 36 ++- drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 64 ++++-- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 ++-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/i915/display/intel_display.c | 5 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/vkms/vkms_composer.c | 2 +- drivers/hid/Kconfig | 3 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 3 + drivers/hid/hid-quirks.c | 1 + drivers/hid/hid-topre.c | 7 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 ++ drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/input/joystick/xpad.c | 39 +++- drivers/input/misc/iqs7222.c | 50 ++-- drivers/input/serio/i8042-acpipnpio.h | 111 +++++---- drivers/input/touchscreen/ads7846.c | 2 +- drivers/md/dm-flakey.c | 2 +- drivers/net/bonding/bond_options.c | 55 ++++- drivers/net/dsa/mv88e6xxx/chip.c | 59 ++++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 3 + .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h | 1 + .../net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 3 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 +- drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/apple.c | 2 + drivers/nvme/host/core.c | 2 - drivers/nvme/host/fc.c | 59 +---- drivers/nvme/host/pci.c | 2 + drivers/nvme/host/tcp.c | 43 ++++ drivers/nvme/target/rdma.c | 33 ++- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/platform/x86/intel/pmc/core.c | 4 +- drivers/platform/x86/thinkpad_acpi.c | 50 ++-- drivers/powercap/powercap_sys.c | 3 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/thermal/cpufreq_cooling.c | 2 - drivers/ufs/core/ufshcd.c | 7 +- drivers/usb/phy/phy-generic.c | 2 +- drivers/usb/serial/ftdi_sio.c | 14 ++ drivers/usb/serial/ftdi_sio_ids.h | 13 ++ drivers/usb/serial/option.c | 48 ++-- drivers/video/fbdev/hyperv_fb.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 +- fs/proc/base.c | 9 +- fs/select.c | 11 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 18 +- fs/smb/client/inode.c | 13 ++ fs/smb/client/reparse.c | 10 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/common/smbfsctl.h | 3 + fs/smb/server/connection.c | 20 ++ fs/smb/server/connection.h | 2 + fs/smb/server/ksmbd_work.c | 3 - fs/smb/server/ksmbd_work.h | 1 - fs/smb/server/oplock.c | 43 ++-- fs/smb/server/oplock.h | 1 - fs/smb/server/server.c | 14 +- fs/vboxsf/super.c | 3 +- include/linux/fs.h | 2 + include/linux/i8253.h | 1 - include/linux/io_uring_types.h | 3 - include/linux/nvme-tcp.h | 2 + include/net/bluetooth/hci_core.h | 108 ++++----- include/net/bluetooth/l2cap.h | 3 +- include/net/netfilter/nf_tables.h | 20 +- include/sound/soc.h | 5 +- init/Kconfig | 2 +- io_uring/io-wq.c | 23 +- io_uring/io_uring.c | 251 +++++++++++++++------ io_uring/io_uring.h | 8 +- io_uring/kbuf.c | 173 ++++---------- io_uring/kbuf.h | 3 +- io_uring/rsrc.c | 39 ---- kernel/bpf/ringbuf.c | 12 +- kernel/sched/core.c | 13 +- kernel/sched/debug.c | 2 + kernel/sys.c | 2 + kernel/time/hrtimer.c | 40 ++-- lib/buildid.c | 5 + mm/mmap.c | 69 ++++-- mm/nommu.c | 7 + net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 +-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 181 +++++++-------- net/bluetooth/l2cap_sock.c | 15 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 12 +- net/core/dev.c | 2 +- net/core/netpoll.c | 9 +- net/ipv4/tcp.c | 20 +- net/ipv6/addrconf.c | 15 +- net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nf_tables_api.c | 25 +- net/netfilter/nft_connlimit.c | 4 +- net/netfilter/nft_counter.c | 4 +- net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_dynset.c | 2 +- net/netfilter/nft_exthdr.c | 10 +- net/netfilter/nft_last.c | 4 +- net/netfilter/nft_limit.c | 14 +- net/netfilter/nft_quota.c | 4 +- net/netfilter/nft_set_hash.c | 8 +- net/netfilter/nft_set_pipapo.c | 18 +- net/netfilter/nft_set_rbtree.c | 11 +- net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 +- net/wireless/core.c | 7 + rust/kernel/error.rs | 2 +- rust/kernel/init.rs | 23 +- rust/kernel/init/macros.rs | 6 +- rust/kernel/sync.rs | 10 +- scripts/generate_rust_analyzer.py | 30 ++- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/cs42l43.c | 2 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/rt722-sdca-sdw.c | 4 + sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/generic/simple-card-utils.c | 1 + sound/soc/sh/rcar/core.c | 14 -- sound/soc/sh/rcar/rsnd.h | 1 - sound/soc/sh/rcar/src.c | 116 ++++++++-- sound/soc/sh/rcar/ssi.c | 3 +- sound/soc/soc-ops.c | 15 +- sound/soc/sof/amd/acp-ipc.c | 23 +- sound/soc/sof/intel/hda-codec.c | 1 + tools/objtool/check.c | 9 + .../selftests/bpf/prog_tests/sockmap_basic.c | 6 +- 186 files changed, 1803 insertions(+), 1167 deletions(-)

1 month, 1 week

10
180
0 0

[PATCH 6.13 000/207] 6.13.7-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.13.7 release. There are 207 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 12 Mar 2025 17:04:00 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.13.7-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.13.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.13.7-rc1 Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: Fix a C2HTermReq error message Arnd Bergmann <arnd(a)arndb.de> ALSA: hda: realtek: fix incorrect IS_REACHABLE() usage Steven Rostedt <rostedt(a)goodmis.org> fprobe: Fix accounting of when to unregister from function graph Steven Rostedt <rostedt(a)goodmis.org> fprobe: Always unregister fgraph function from ops Lukas Bulwahn <lukas.bulwahn(a)redhat.com> arm64: Kconfig: Remove selecting replaced HAVE_FUNCTION_GRAPH_RETVAL Arnd Bergmann <arnd(a)arndb.de> kbuild: hdrcheck: fix cross build with clang Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix wrong scale available Angelo Dureghello <adureghello(a)baylibre.com> dt-bindings: iio: dac: adi-axi-adc: fix ad7606 pwm-names Ricardo Ribalda <ribalda(a)chromium.org> iio: hid-sensor-prox: Split difference from multiple channels Ryan Roberts <ryan.roberts(a)arm.com> arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes Ryan Roberts <ryan.roberts(a)arm.com> mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear() Nayab Sayed <nayabbasha.sayed(a)microchip.com> iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value Markus Burri <markus.burri(a)mt.com> iio: adc: ad7192: fix channel select Angelo Dureghello <adureghello(a)baylibre.com> iio: dac: ad3552r: clear reset status flag Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: apds9306: fix max_scale_nano values Sam Winchenbach <swinchenbach(a)arka.org> iio: filter: admv8818: Force initialization of SDO Haoyu Li <lihaoyu499(a)gmail.com> drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Make GPIO lookup table match the device Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock Visweswara Tanuku <quic_vtanuku(a)quicinc.com> slimbus: messaging: Free transaction ID in delayed interrupt scenario Luca Ceresoli <luca.ceresoli(a)bootlin.com> drivers: core: fix device leak in __fw_devlink_relax_cycles() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> char: misc: deallocate static minor in error path Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Panther Lake-P/U support Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Panther Lake-H support Pawel Chmielewski <pawel.chmielewski(a)intel.com> intel_th: pci: Add Arrow Lake support Hans de Goede <hdegoede(a)redhat.com> mei: vsc: Use "wakeuphostint" when getting the host wakeup GPIO Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake P DID Qiu-ji Chen <chenqiuji666(a)gmail.com> cdx: Fix possible UAF error in driver_override_show() Xiaoyao Li <xiaoyao.li(a)intel.com> KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM Sean Christopherson <seanjc(a)google.com> KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs Sean Christopherson <seanjc(a)google.com> KVM: SVM: Manually context switch DEBUGCTL if LBR virtualization is disabled Sean Christopherson <seanjc(a)google.com> KVM: x86: Snapshot the host's DEBUGCTL in common x86 Sean Christopherson <seanjc(a)google.com> KVM: SVM: Suppress DEBUGCTL.BTF on AMD Sean Christopherson <seanjc(a)google.com> KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value Sean Christopherson <seanjc(a)google.com> KVM: SVM: Save host DR masks on CPUs with DebugSwap Sean Christopherson <seanjc(a)google.com> KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow Christian A. Ehrhardt <lk(a)c--e.de> acpi: typec: ucsi: Introduce a ->poll_cci method Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: use correct lld when linking through clang Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Check bmAttributes only if configuration is valid Marek Szyprowski <m.szyprowski(a)samsung.com> usb: gadget: Fix setting self-powered state on suspend Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Set self-powered based on MaxPower and bmAttributes AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality Fedor Pchelkin <boddah8794(a)gmail.com> usb: typec: ucsi: increase timeout for PPM reset operations Badhri Jagan Sridharan <badhri(a)google.com> usb: dwc3: gadget: Prevent irq storm when TH re-executes Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: dwc3: Set SUSPENDENABLE soon after phy init Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> usb: atm: cxacru: fix a flaw in existing endpoint checks Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Enable the TRB overfetch quirk on VIA VL805 Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Flush the notify_hotplug_work Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: Fix NULL pointer access Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix host controllers "dying" after suspend and resume Miao Li <limiao(a)kylinos.cn> usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader Pawel Laszczak <pawell(a)cadence.com> usb: hub: lack of clearing xHC resources Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Use devm_usb_get_phy() Marc Zyngier <maz(a)kernel.org> xhci: Restrict USB4 tunnel detection for USB3 devices to Intel hosts Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Call clk_put() Christian Heusel <christian(a)heusel.eu> Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection" Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> gpio: rcar: Fix missing of_node_put() call Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix missing dst ref drop in ila lwtunnel Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: fix dst ref loop in ila lwtunnel Matt Johnston <matt(a)codeconstruct.com.au> mctp i3c: handle NULL header address Takashi Iwai <tiwai(a)suse.de> drm/bochs: Fix DPMS regression Lorenzo Bianconi <lorenzo(a)kernel.org> net: dsa: mt7530: Fix traffic flooding for MMIO devices Dan Carpenter <dan.carpenter(a)linaro.org> nvme-tcp: fix signedness bug in nvme_tcp_init_connection() Zecheng Li <zecheng(a)google.com> sched/fair: Fix potential memory corruption in child_cfs_rq_on_list Uday Shankar <ushankar(a)purestorage.com> ublk: set_params: properly check if parameters can be applied Jason Xing <kerneljasonxing(a)gmail.com> net-timestamp: support TCP GSO case for a few missing flags Eric Sandeen <sandeen(a)redhat.com> exfat: short-circuit zero-byte writes in exfat_file_write_iter Namjae Jeon <linkinjeon(a)kernel.org> exfat: fix soft lockup in exfat_clear_bitmap Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix just enough dentries but allocate a new cluster to dir Jarkko Sakkinen <jarkko(a)kernel.org> x86/sgx: Fix size overflows in sgx_encl_create() Oscar Maes <oscmaes92(a)gmail.com> vlan: enforce underlying device type Maxime Chevallier <maxime.chevallier(a)bootlin.com> net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device Jakub Kicinski <kuba(a)kernel.org> net: ethtool: plumb PHY stats to PHY drivers Oleksij Rempel <o.rempel(a)pengutronix.de> ethtool: linkstate: migrate linkstate functions to support multi-PHY setups Jiayuan Chen <jiayuan.chen(a)linux.dev> ppp: Fix KMSAN uninit-value warning with bpf Luca Weiss <luca.weiss(a)fairphone.com> net: ipa: Enable checksum for IPA_ENDPOINT_AP_MODEM_{RX,TX} for v4.7 Luca Weiss <luca.weiss(a)fairphone.com> net: ipa: Fix QSB data for v4.7 Luca Weiss <luca.weiss(a)fairphone.com> net: ipa: Fix v4.7 resource group names Vicki Pfau <vi(a)endrift.com> HID: hid-steam: Fix use-after-free when detaching device Maarten Lankhorst <dev(a)lankhorst.se> drm/xe: Remove double pageflip Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error Nikolay Aleksandrov <razor(a)blackwall.org> be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink Philipp Stanner <phasta(a)kernel.org> drm/sched: Fix preprocessor guard Xinghuo Chen <xinghuo.chen(a)foxmail.com> hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe() Eric Dumazet <edumazet(a)google.com> llc: do not use skb_get() before dev_queue_xmit() Murad Masimov <m.masimov(a)mt-integration.ru> ALSA: usx2y: validate nrpacks module parameter on probe Alessio Belle <alessio.belle(a)imgtec.com> drm/imagination: Fix timestamps in firmware traces Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probe-events: Remove unused MAX_ARG_BUF_LEN macro Erik Schumacher <erik.schumacher(a)iris-sensing.com> hwmon: (ad7314) Validate leading zero bits and return error Maud Spierings <maudspierings(a)gocontroll.com> hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table Titus Rwantare <titusr(a)google.com> hwmon: (pmbus) Initialise page count in pmbus_identify() Herbert Xu <herbert(a)gondor.apana.org.au> cred: Fix RCU warnings in override/revert_creds Christian Brauner <brauner(a)kernel.org> cred: return old creds from revert_creds_light() Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix pmus_lock vs. pmus_srcu ordering Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> caif_virtio: fix wrong pointer check in cfv_probe() Antoine Tenart <atenart(a)kernel.org> net: gso: fix ownership in __udp_gso_segment Antheas Kapenekakis <lkml(a)antheas.dev> ALSA: hda/realtek: Remove (revert) duplicate Ally X config Meir Elisha <meir.elisha(a)volumez.com> nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: add basic support for the C2HTermReq PDU Maurizio Lombardi <mlombard(a)redhat.com> nvmet: remove old function prototype Salah Triki <salah.triki(a)gmail.com> bluetooth: btusb: Initialize .owner field of force_poll_sync_fops Dave Airlie <airlied(a)redhat.com> drm/nouveau: select FW caching Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe-events: Log error for exceeding the number of entry args Masami Hiramatsu (Google) <mhiramat(a)kernel.org> fprobe: Rewrite fprobe on function-graph tracer Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: Add ftrace_fill_perf_regs() for perf event Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: Add ftrace_partial_regs() for converting ftrace_regs to pt_regs Masami Hiramatsu (Google) <mhiramat(a)kernel.org> fprobe: Use ftrace_regs in fprobe exit handler Masami Hiramatsu (Google) <mhiramat(a)kernel.org> fprobe: Use ftrace_regs in fprobe entry handler Masami Hiramatsu (Google) <mhiramat(a)kernel.org> fgraph: Replace fgraph_ret_regs with ftrace_regs Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix vendor-specific inheritance Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix MLE non-inheritance parsing Ilan Peer <ilan.peer(a)intel.com> wifi: mac80211: Support parsing EPCS ML element Keith Busch <kbusch(a)kernel.org> nvme-ioctl: fix leaked requests on mapping error Kees Cook <kees(a)kernel.org> coredump: Only sort VMAs when core_sort_vma sysctl is set Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() Yu-Chun Lin <eleanor15x(a)gmail.com> HID: google: fix unused variable warning under !CONFIG_ACPI Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: Fix A-MSDU TSO preparation Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: Free pages allocated when failing to build A-MSDU Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: limit printed string from FW file Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't try to talk to a dead firmware Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't dump the firmware state upon RFKILL while suspend Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: log error for failures after D3 Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: clean up ROC on failure Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: fw: avoid using an uninitialized variable Ma Wupeng <mawupeng1(a)huawei.com> mm: memory-hotplug: check folio ref count first in do_migrate_range Ma Wupeng <mawupeng1(a)huawei.com> hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio Brian Geffon <bgeffon(a)google.com> mm: fix finish_fault() handling for large folios Ryan Roberts <ryan.roberts(a)arm.com> mm: don't skip arch_sync_kernel_mappings() in error paths Ma Wupeng <mawupeng1(a)huawei.com> mm: memory-failure: update ttu flag inside unmap_poisoned_folio Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: abort vma_modify() on merge out of memory failure Hao Zhang <zhanghao1(a)kylinos.cn> mm/page_alloc: fix uninitialized variable Olivier Gayot <olivier.gayot(a)canonical.com> block: fix conversion of GPT partition name to 7-bit Qi Zheng <zhengqi.arch(a)bytedance.com> arm: pgtable: fix NULL pointer dereference issue Suren Baghdasaryan <surenb(a)google.com> userfaultfd: do not block on locking a large folio with raised refcount Mike Snitzer <snitzer(a)kernel.org> NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback Heiko Carstens <hca(a)linux.ibm.com> s390/traps: Fix test_monitor_call() inline assembly Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> dma: kmsan: export kmsan_handle_dma() for modules Haoxiang Li <haoxiang_li2024(a)163.com> rapidio: fix an API misues when rio_add_net() fails Haoxiang Li <haoxiang_li2024(a)163.com> rapidio: add check for rio_add_net() in rio_scan_alloc_net() SeongJae Park <sj(a)kernel.org> selftests/damon/damon_nr_regions: sort collected regiosn before checking with min/max boundaries SeongJae Park <sj(a)kernel.org> selftests/damon/damon_nr_regions: set ops update for merge results check to 100ms SeongJae Park <sj(a)kernel.org> selftests/damon/damos_quota: make real expectation of quota exceeds SeongJae Park <sj(a)kernel.org> selftests/damon/damos_quota_goal: handle minimum quota that cannot be further reduced Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> wifi: nl80211: reject cooked mode if it is set along with other flags Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: cfg80211: regulatory: improve invalid hints checking Haoxiang Li <haoxiang_li2024(a)163.com> Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Haoxiang Li <haoxiang_li2024(a)163.com> Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/userptr: Unmap userptrs in the mmu notifier Matthew Auld <matthew.auld(a)intel.com> drm/xe/userptr: properly setup pfn_flags_mask Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Fix fault mode invalidation with unbind Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/xe: Fix GT "for each engine" workarounds Krister Johansen <kjlx(a)templeofstupid.com> mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/vm: Validate userptr during gpu vma prefetching Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/vm: Fix a misplaced #endif Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/hmm: Don't dereference struct page pointers without notifier lock Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe/hmm: Style- and include fixes Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add staging tree for VM binds Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63 Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Validate CPUID leaf 0x2 EDX output Ahmed S. Darwish <darwi(a)linutronix.de> x86/cacheinfo: Validate CPUID leaf 0x2 EDX output Ard Biesheuvel <ardb(a)kernel.org> x86/boot: Sanitize boot params before parsing command line Mingcong Bai <jeffbai(a)aosc.io> platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e John Hubbard <jhubbard(a)nvidia.com> Revert "selftests/mm: remove local __NR_* definitions" Gabriel Krisman Bertazi <krisman(a)suse.de> Revert "mm/page_alloc.c: don't show protection in zone's ->lowmem_reserve[] for empty zone" Richard Thier <u9vata(a)gmail.com> drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M Brendan King <Brendan.King(a)imgtec.com> drm/imagination: only init job done fences once Brendan King <Brendan.King(a)imgtec.com> drm/imagination: Hold drm_gem_gpuva lock for unmap Brendan King <Brendan.King(a)imgtec.com> drm/imagination: avoid deadlock on fence release Kenneth Feng <kenneth.feng(a)amd.com> drm/amd/pm: always allow ih interrupt from fw Andrew Martin <Andrew.Martin(a)amd.com> drm/amdkfd: Fix NULL Pointer Dereference in KFD queue Ma Ke <make24(a)iscas.ac.cn> drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Paul Fertser <fercerpav(a)gmail.com> hwmon: (peci/dimmtemp) Do not provide fake thresholds data Nikunj A Dadhania <nikunj(a)amd.com> virt: sev-guest: Allocate request data dynamically Haoxiang Li <haoxiang_li2024(a)163.com> btrfs: fix a leaked chunk map issue in read_one_chunk() Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix extent range end unlock in cow_file_range() Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: update ALC222 depop optimize Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform Hoku Ishibe <me(a)hokuishi.be> ALSA: hda: intel: Add Dell ALC3271 to power_save denylist Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Avoid module auto-load handling at event delivery Koichiro Den <koichiro.den(a)canonical.com> gpio: aggregator: protect driver attr handlers against module unload Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> gpio: rcar: Use raw_spinlock to protect register access Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix bug on trap in smb2_lock Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in smb2_lock Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix out-of-bounds in parse_sec_desc() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix type confusion via race condition when using ipc_msg_send_request Stuart Hayhurst <stuart.a.hayhurst(a)gmail.com> HID: corsair-void: Update power supply values with a unified work handler Daniil Dulov <d.dulov(a)aladdin.ru> HID: appleir: Fix potential NULL dereference at raw event handle Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix GPA size issue about VM Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Reload guest CSR registers after sleep Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Add interrupt checking for AVEC Bibo Mao <maobibo(a)loongson.cn> LoongArch: Set max_pfn with the PFN of the last page Bibo Mao <maobibo(a)loongson.cn> LoongArch: Set hugetlb mmap base address aligned with pmd size Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use polling play_dead() when resuming from hibernation Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Convert unreachable() to BUG() Philipp Stanner <phasta(a)kernel.org> stmmac: loongson: Pass correct arg to PCI function Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: tprobe-events: Reject invalid tracepoint name Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: tprobe-events: Fix a memory leak when tprobe with $retval Rob Herring (Arm) <robh(a)kernel.org> Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'" Peter Zijlstra <peterz(a)infradead.org> loongarch: Use ASM_REACHABLE Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Add some forgotten models to the SHA check Steve French <stfrench(a)microsoft.com> smb311: failure to open files of length 1040 when mounting with SMB3.1.1 POSIX extensions Pali Rohár <pali(a)kernel.org> cifs: Remove symlink member from cifs_open_info_data union Yutaro Ohno <yutaro.ono.418(a)gmail.com> rust: block: fix formatting in GenDisk doc Andrew Cooper <andrew.cooper3(a)citrix.com> x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() ------------- Diffstat: Documentation/admin-guide/sysctl/kernel.rst | 11 + .../devicetree/bindings/iio/adc/adi,ad7606.yaml | 1 + Makefile | 9 +- arch/arm/mm/fault-armv.c | 37 +- arch/arm64/Kconfig | 2 +- arch/arm64/include/asm/ftrace.h | 49 +- arch/arm64/include/asm/hugetlb.h | 4 +- arch/arm64/kernel/asm-offsets.c | 12 - arch/arm64/kernel/entry-ftrace.S | 32 +- arch/arm64/mm/hugetlbpage.c | 59 +- arch/loongarch/Kconfig | 3 +- arch/loongarch/include/asm/bug.h | 13 +- arch/loongarch/include/asm/ftrace.h | 32 +- arch/loongarch/include/asm/hugetlb.h | 6 +- arch/loongarch/kernel/asm-offsets.c | 12 - arch/loongarch/kernel/machine_kexec.c | 4 +- arch/loongarch/kernel/mcount.S | 17 +- arch/loongarch/kernel/mcount_dyn.S | 14 +- arch/loongarch/kernel/setup.c | 3 + arch/loongarch/kernel/smp.c | 47 +- arch/loongarch/kvm/exit.c | 6 + arch/loongarch/kvm/main.c | 7 + arch/loongarch/kvm/vcpu.c | 2 +- arch/loongarch/kvm/vm.c | 6 +- arch/loongarch/mm/mmap.c | 6 +- arch/mips/include/asm/hugetlb.h | 6 +- arch/parisc/include/asm/hugetlb.h | 2 +- arch/parisc/mm/hugetlbpage.c | 2 +- arch/powerpc/include/asm/ftrace.h | 13 + arch/powerpc/include/asm/hugetlb.h | 6 +- arch/riscv/Kconfig | 2 +- arch/riscv/include/asm/ftrace.h | 45 +- arch/riscv/include/asm/hugetlb.h | 3 +- arch/riscv/kernel/mcount.S | 24 +- arch/riscv/mm/hugetlbpage.c | 2 +- arch/s390/Kconfig | 3 +- arch/s390/include/asm/ftrace.h | 36 +- arch/s390/include/asm/hugetlb.h | 18 +- arch/s390/kernel/asm-offsets.c | 6 - arch/s390/kernel/mcount.S | 12 +- arch/s390/kernel/traps.c | 6 +- arch/s390/mm/hugetlbpage.c | 4 +- arch/sparc/include/asm/hugetlb.h | 2 +- arch/sparc/mm/hugetlbpage.c | 2 +- arch/x86/Kconfig | 3 +- arch/x86/boot/compressed/pgtable_64.c | 2 + arch/x86/include/asm/ftrace.h | 33 +- arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kernel/amd_nb.c | 9 +- arch/x86/kernel/cpu/cacheinfo.c | 2 +- arch/x86/kernel/cpu/intel.c | 52 +- arch/x86/kernel/cpu/microcode/amd.c | 6 + arch/x86/kernel/cpu/sgx/ioctl.c | 7 + arch/x86/kernel/ftrace_32.S | 13 +- arch/x86/kernel/ftrace_64.S | 17 +- arch/x86/kvm/cpuid.c | 2 +- arch/x86/kvm/svm/sev.c | 13 +- arch/x86/kvm/svm/svm.c | 49 ++ arch/x86/kvm/svm/svm.h | 2 +- arch/x86/kvm/svm/vmenter.S | 10 +- arch/x86/kvm/vmx/vmx.c | 8 +- arch/x86/kvm/vmx/vmx.h | 2 - arch/x86/kvm/x86.c | 2 + block/partitions/efi.c | 2 +- drivers/base/core.c | 1 + drivers/block/ublk_drv.c | 7 +- drivers/bluetooth/btusb.c | 1 + drivers/bus/mhi/host/pci_generic.c | 5 +- drivers/cdx/cdx.c | 6 +- drivers/char/misc.c | 2 +- drivers/gpio/gpio-aggregator.c | 20 +- drivers/gpio/gpio-rcar.c | 31 +- drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 4 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +- drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c | 12 +- drivers/gpu/drm/imagination/pvr_fw_meta.c | 6 +- drivers/gpu/drm/imagination/pvr_fw_trace.c | 4 +- drivers/gpu/drm/imagination/pvr_queue.c | 18 +- drivers/gpu/drm/imagination/pvr_queue.h | 4 + drivers/gpu/drm/imagination/pvr_vm.c | 134 ++++- drivers/gpu/drm/imagination/pvr_vm.h | 3 + drivers/gpu/drm/nouveau/Kconfig | 1 + drivers/gpu/drm/radeon/r300.c | 3 +- drivers/gpu/drm/radeon/radeon_asic.h | 1 + drivers/gpu/drm/radeon/rs400.c | 18 +- drivers/gpu/drm/scheduler/gpu_scheduler_trace.h | 4 +- drivers/gpu/drm/tiny/bochs.c | 5 +- drivers/gpu/drm/xe/display/xe_plane_initial.c | 10 - drivers/gpu/drm/xe/xe_gt.c | 4 +- drivers/gpu/drm/xe/xe_hmm.c | 194 ++++-- drivers/gpu/drm/xe/xe_hmm.h | 7 + drivers/gpu/drm/xe/xe_pt.c | 96 +-- drivers/gpu/drm/xe/xe_pt_walk.c | 3 +- drivers/gpu/drm/xe/xe_pt_walk.h | 4 + drivers/gpu/drm/xe/xe_vm.c | 100 +++- drivers/gpu/drm/xe/xe_vm.h | 10 +- drivers/gpu/drm/xe/xe_vm_types.h | 8 +- drivers/hid/hid-appleir.c | 2 +- drivers/hid/hid-corsair-void.c | 83 +-- drivers/hid/hid-google-hammer.c | 2 + drivers/hid/hid-steam.c | 2 +- drivers/hid/intel-ish-hid/ishtp-hid-client.c | 2 +- drivers/hid/intel-ish-hid/ishtp-hid.c | 4 +- drivers/hwmon/ad7314.c | 10 + drivers/hwmon/ntc_thermistor.c | 66 +-- drivers/hwmon/peci/dimmtemp.c | 10 +- drivers/hwmon/pmbus/pmbus.c | 2 + drivers/hwmon/xgene-hwmon.c | 2 +- drivers/hwtracing/intel_th/pci.c | 15 + drivers/iio/adc/ad7192.c | 2 +- drivers/iio/adc/ad7606.c | 2 +- drivers/iio/adc/at91-sama5d2_adc.c | 68 ++- drivers/iio/dac/ad3552r.c | 6 + drivers/iio/filter/admv8818.c | 14 +- drivers/iio/light/apds9306.c | 4 +- drivers/iio/light/hid-sensor-prox.c | 7 +- drivers/misc/cardreader/rtsx_usb.c | 15 - drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/misc/mei/hw-me-regs.h | 2 + drivers/misc/mei/pci-me.c | 2 + drivers/misc/mei/vsc-tp.c | 2 +- drivers/net/caif/caif_virtio.c | 2 +- drivers/net/dsa/mt7530.c | 8 +- drivers/net/ethernet/emulex/benet/be.h | 2 +- drivers/net/ethernet/emulex/benet/be_cmds.c | 197 ++++--- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 2 +- .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 6 +- drivers/net/ipa/data/ipa_data-v4.7.c | 18 +- drivers/net/mctp/mctp-i3c.c | 3 + drivers/net/phy/phy.c | 43 ++ drivers/net/phy/phy_device.c | 2 + drivers/net/ppp/ppp_generic.c | 28 +- drivers/net/wireless/intel/iwlwifi/fw/dump.c | 3 + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 77 ++- drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 7 + .../net/wireless/intel/iwlwifi/mvm/time-event.c | 2 + drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 5 +- drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 6 +- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 20 +- drivers/nvme/host/ioctl.c | 12 +- drivers/nvme/host/tcp.c | 81 ++- drivers/nvme/target/nvmet.h | 1 - drivers/nvme/target/tcp.c | 15 +- drivers/of/of_reserved_mem.c | 4 +- drivers/platform/x86/thinkpad_acpi.c | 1 + drivers/rapidio/devices/rio_mport_cdev.c | 3 +- drivers/rapidio/rio-scan.c | 5 +- drivers/slimbus/messaging.c | 5 +- drivers/usb/atm/cxacru.c | 13 +- drivers/usb/core/hub.c | 33 ++ drivers/usb/core/quirks.c | 4 + drivers/usb/dwc3/core.c | 85 +-- drivers/usb/dwc3/core.h | 2 +- drivers/usb/dwc3/drd.c | 4 +- drivers/usb/dwc3/gadget.c | 10 +- drivers/usb/gadget/composite.c | 17 +- drivers/usb/gadget/function/u_ether.c | 4 +- drivers/usb/host/xhci-hub.c | 8 + drivers/usb/host/xhci-mem.c | 3 +- drivers/usb/host/xhci-pci.c | 10 +- drivers/usb/host/xhci.c | 6 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/renesas_usbhs/common.c | 6 +- drivers/usb/renesas_usbhs/mod_gadget.c | 2 +- drivers/usb/typec/tcpm/tcpci_rt1711h.c | 11 + drivers/usb/typec/ucsi/ucsi.c | 25 +- drivers/usb/typec/ucsi/ucsi.h | 2 + drivers/usb/typec/ucsi/ucsi_acpi.c | 21 +- drivers/usb/typec/ucsi/ucsi_ccg.c | 1 + drivers/usb/typec/ucsi/ucsi_glink.c | 1 + drivers/usb/typec/ucsi/ucsi_stm32g0.c | 1 + drivers/usb/typec/ucsi/ucsi_yoga_c630.c | 1 + drivers/virt/acrn/hsm.c | 6 +- drivers/virt/coco/sev-guest/sev-guest.c | 24 +- fs/btrfs/inode.c | 9 +- fs/btrfs/volumes.c | 1 + fs/coredump.c | 15 +- fs/exfat/balloc.c | 10 +- fs/exfat/exfat_fs.h | 2 +- fs/exfat/fatent.c | 11 +- fs/exfat/file.c | 2 +- fs/exfat/namei.c | 2 +- fs/nfs/file.c | 3 +- fs/smb/client/cifsglob.h | 6 +- fs/smb/client/inode.c | 2 +- fs/smb/client/reparse.h | 28 +- fs/smb/client/smb1ops.c | 4 +- fs/smb/client/smb2inode.c | 4 + fs/smb/client/smb2ops.c | 3 +- fs/smb/server/smb2pdu.c | 8 +- fs/smb/server/smbacl.c | 16 + fs/smb/server/transport_ipc.c | 1 + include/asm-generic/hugetlb.h | 2 +- include/linux/compaction.h | 5 + include/linux/cred.h | 9 +- include/linux/ethtool.h | 23 + include/linux/fprobe.h | 62 +- include/linux/ftrace.h | 66 ++- include/linux/ftrace_regs.h | 2 + include/linux/hugetlb.h | 4 +- include/linux/nvme-tcp.h | 2 + include/linux/phy.h | 36 ++ include/linux/phylib_stubs.h | 42 ++ include/linux/sched.h | 2 +- kernel/events/core.c | 4 +- kernel/sched/fair.c | 6 +- kernel/trace/Kconfig | 18 +- kernel/trace/bpf_trace.c | 16 +- kernel/trace/fgraph.c | 21 +- kernel/trace/fprobe.c | 653 +++++++++++++++------ kernel/trace/trace_fprobe.c | 37 +- kernel/trace/trace_probe.h | 5 +- lib/test_fprobe.c | 51 +- mm/compaction.c | 3 + mm/hugetlb.c | 4 +- mm/internal.h | 5 +- mm/kmsan/hooks.c | 1 + mm/memory-failure.c | 63 +- mm/memory.c | 21 +- mm/memory_hotplug.c | 28 +- mm/page_alloc.c | 4 +- mm/userfaultfd.c | 17 +- mm/vma.c | 12 +- mm/vmalloc.c | 4 +- net/8021q/vlan.c | 3 +- net/bluetooth/mgmt.c | 5 + net/ethtool/cabletest.c | 8 +- net/ethtool/linkstate.c | 26 +- net/ethtool/netlink.c | 6 +- net/ethtool/netlink.h | 5 +- net/ethtool/phy.c | 2 +- net/ethtool/plca.c | 6 +- net/ethtool/pse-pd.c | 4 +- net/ethtool/stats.c | 18 + net/ethtool/strset.c | 2 +- net/ipv4/tcp_offload.c | 11 +- net/ipv4/udp_offload.c | 8 +- net/ipv6/ila/ila_lwt.c | 4 +- net/llc/llc_s_ac.c | 49 +- net/mac80211/ieee80211_i.h | 2 + net/mac80211/mlme.c | 1 + net/mac80211/parse.c | 164 ++++-- net/mptcp/pm_netlink.c | 18 +- net/wireless/nl80211.c | 5 + net/wireless/reg.c | 3 +- rust/kernel/block/mq/gen_disk.rs | 6 +- samples/fprobe/fprobe_example.c | 4 +- sound/core/seq/seq_clientmgr.c | 46 +- sound/pci/hda/Kconfig | 1 + sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 107 +++- sound/usb/usx2y/usbusx2y.c | 11 + sound/usb/usx2y/usbusx2y.h | 26 + sound/usb/usx2y/usbusx2yaudio.c | 27 - tools/testing/selftests/damon/damon_nr_regions.py | 2 + tools/testing/selftests/damon/damos_quota.py | 9 +- tools/testing/selftests/damon/damos_quota_goal.py | 3 + tools/testing/selftests/mm/hugepage-mremap.c | 2 +- tools/testing/selftests/mm/ksm_functional_tests.c | 8 +- tools/testing/selftests/mm/memfd_secret.c | 14 +- tools/testing/selftests/mm/mkdirty.c | 8 +- tools/testing/selftests/mm/mlock2.h | 1 - tools/testing/selftests/mm/protection_keys.c | 2 +- tools/testing/selftests/mm/uffd-common.c | 4 + tools/testing/selftests/mm/uffd-stress.c | 15 +- tools/testing/selftests/mm/uffd-unit-tests.c | 14 +- usr/include/Makefile | 2 +- 269 files changed, 3214 insertions(+), 1547 deletions(-)

1 month, 1 week

17
229
0 0

[PATCH] x86/pkeys: Disable PKU when XFEATURE_PKRU is missing

by Akihiro Suda

Even when X86_FEATURE_PKU and X86_FEATURE_OSPKE are available, XFEATURE_PKRU can be missing. In such a case, pkeys has to be disabled to avoid hanging up. WARNING: CPU: 0 PID: 1 at arch/x86/kernel/fpu/xstate.c:1003 get_xsave_addr_user+0x28/0x40 (...) Call Trace: <TASK> ? get_xsave_addr_user+0x28/0x40 ? __warn.cold+0x8e/0xea ? get_xsave_addr_user+0x28/0x40 ? report_bug+0xff/0x140 ? handle_bug+0x3b/0x70 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? get_xsave_addr_user+0x28/0x40 copy_fpstate_to_sigframe+0x1be/0x380 ? __put_user_8+0x11/0x20 get_sigframe+0xf1/0x280 x64_setup_rt_frame+0x67/0x2c0 arch_do_signal_or_restart+0x1b3/0x240 syscall_exit_to_user_mode+0xb0/0x130 do_syscall_64+0xab/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f This fix is known to be needed on Apple Virtualization. Tested with macOS 13.5.2 running on MacBook Pro 2020 with Intel(R) Core(TM) i7-1068NG7 CPU @ 2.30GHz. Fixes: 70044df250d0 ("x86/pkeys: Update PKRU to enable all pkeys before XSAVE") Link: https://lore.kernel.org/regressions/CAG8fp8QvH71Wi_y7b7tgFp7knK38rfrF7rRHh-… Link: https://github.com/lima-vm/lima/issues/3334 Signed-off-by: Akihiro Suda <akihiro.suda.cz(a)hco.ntt.co.jp> --- arch/x86/kernel/cpu/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index e9464fe411ac..4c2c268af214 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -517,7 +517,8 @@ static bool pku_disabled; static __always_inline void setup_pku(struct cpuinfo_x86 *c) { if (c == &boot_cpu_data) { - if (pku_disabled || !cpu_feature_enabled(X86_FEATURE_PKU)) + if (pku_disabled || !cpu_feature_enabled(X86_FEATURE_PKU) || + !cpu_has_xfeatures(XFEATURE_PKRU, NULL)) return; /* * Setting CR4.PKE will cause the X86_FEATURE_OSPKE cpuid -- 2.45.2

1 month, 1 week

5
5
0 0

Re: BUG in LTS 5.15.x cpusets with tasks launched by newer systemd

by Waiman Long

On 3/20/25 6:07 AM, James Thomas wrote: > Hello all, > > I encountered an issue with the CPU affinity of tasks launched by systemd in a > slice, after updating from systemd 254 to by systemd >= 256, on the LTS 5.15.x > branch (tested on v5.15.179). > > Despite the slice file stipulating AllowedCPUS=2 (and confirming this was set in > /sys/fs/cgroup/test.slice/cpuset.cpus) tasks launched in the slice would have > the CPU affinity of the system.slice (i.e all by default) rather than 2. > > To reproduce: > > * Check kernel version and systemd version (I used a debian testing image for > testing) > > ``` > # uname -r > 5.15.179 > # systemctl --version > systemd 257 (257.4-3) > ... > ``` > > * Create a test.slice with AllowedCPUS=2 > > ``` > # cat <<EOF > /usr/lib/systemd/system/test.slice > [Unit] > Description=Test slice > Before=slices.target > [Slice] > AllowedCPUs=2 > [Install] > WantedBy=slices.target > EOF > # systemctl daemon-reload && systemctl start test.slice > ``` > > * Confirm cpuset > > ``` > # cat /sys/fs/cgroup/test.slice/cpuset.cpus > 2 > ``` > > * Launch task in slice > > ``` > # systemd-run --slice test.slice yes > Running as unit: run-r9187b97c6958498aad5bba213289ac56.service; invocation ID: > f470f74047ac43b7a60861d03a7ef6f9 > # cat > /sys/fs/cgroup/test.slice/run-r9187b97c6958498aad5bba213289ac56.service/cgroup.procs > > 317 > ``` > > # Check affinity > > ``` > # taskset -pc 317 > pid 317's current affinity list: 0-7 > ``` > > This issue is fixed by applying upstream commits: > > 18f9a4d47527772515ad6cbdac796422566e6440 > cgroup/cpuset: Skip spread flags update on v2 > and > 42a11bf5c5436e91b040aeb04063be1710bb9f9c > cgroup/cpuset: Make cpuset_fork() handle CLONE_INTO_CGROUP properly > > With these applied: > > ``` > # systemd-run --slice test.slice yes > Running as unit: run-r442c444559ff49f48c6c2b8325b3b500.service; invocation ID: > 5211167267154e9292cb6b854585cb91 > # cat /sys/fs/cgroup/test.slice/run-r442c444559ff49f48c6c2b8325b3b500.service > 291 > # taskset -pc 291 > pid 291's current affinity list: 2 > ``` > > Perhaps these are a good candidate for backport onto the 5.15 LTS branch? > > Thanks > James > You should also send this email to stable(a)vger.kernel.org for consideration into the 5.15 LTS branch. Cheers, Longman

1 month, 1 week

1
0
0 0

[PATCH v2] keys: Fix UAF in key_put()

by David Howells

Once a key's reference count has been reduced to 0, the garbage collector thread may destroy it at any time and so key_put() is not allowed to touch the key after that point. The most key_put() is normally allowed to do is to touch key_gc_work as that's a static global variable. However, in an effort to speed up the reclamation of quota, this is now done in key_put() once the key's usage is reduced to 0 - but now the code is looking at the key after the deadline, which is forbidden. Fix this by using a flag to indicate that a key can be gc'd now rather than looking at the key's refcount in the garbage collector. Fixes: 9578e327b2b4 ("keys: update key quotas in key_put()") Reported-by: syzbot+6105ffc1ded71d194d6d(a)syzkaller.appspotmail.com Signed-off-by: David Howells <dhowells(a)redhat.com> Tested-by: syzbot+6105ffc1ded71d194d6d(a)syzkaller.appspotmail.com cc: Jarkko Sakkinen <jarkko(a)kernel.org> cc: Oleg Nesterov <oleg(a)redhat.com> cc: Kees Cook <kees(a)kernel.org> cc: Hillf Danton <hdanton(a)sina.com>, cc: keyrings(a)vger.kernel.org Cc: stable(a)vger.kernel.org # v6.10+ --- include/linux/key.h | 1 + security/keys/gc.c | 4 +++- security/keys/key.c | 2 ++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/include/linux/key.h b/include/linux/key.h index 074dca3222b9..ba05de8579ec 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -236,6 +236,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_FINAL_PUT 10 /* set if final put has happened on key */ /* the key type and key description string * - the desc is used to match a key against search criteria diff --git a/security/keys/gc.c b/security/keys/gc.c index 7d687b0962b1..f27223ea4578 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -218,8 +218,10 @@ static void key_garbage_collector(struct work_struct *work) key = rb_entry(cursor, struct key, serial_node); cursor = rb_next(cursor); - if (refcount_read(&key->usage) == 0) + if (test_bit(KEY_FLAG_FINAL_PUT, &key->flags)) { + smp_mb(); /* Clobber key->user after FINAL_PUT seen. */ goto found_unreferenced_key; + } if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) { if (key->type == key_gc_dead_keytype) { diff --git a/security/keys/key.c b/security/keys/key.c index 3d7d185019d3..7198cd2ac3a3 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -658,6 +658,8 @@ void key_put(struct key *key) key->user->qnbytes -= key->quotalen; spin_unlock_irqrestore(&key->user->lock, flags); } + smp_mb(); /* key->user before FINAL_PUT set. */ + set_bit(KEY_FLAG_FINAL_PUT, &key->flags); schedule_work(&key_gc_work); } }

1 month, 1 week

4
8
0 0

[PATCH 6.1.y] fs/ntfs3: Change new sparse cluster processing

by Miguel García

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> commit c380b52f6c5702cc4bdda5e6d456d6c19a201a0b upstream. This patch is a backport. Remove ntfs_sparse_cluster. Zero clusters in attr_allocate_clusters. Fixes xfstest generic/263 The fix has been verified by executing the syzkaller reproducer test case. Bug: https://syzkaller.appspot.com/bug?extid=f3e5d0948a1837ed1bb0 Reported-by: syzbot+f3e5d0948a1837ed1bb0(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Miguel Garcia Roman <miguelgarciaroman8(a)gmail.com> (cherry picked from commit c380b52f6c5702cc4bdda5e6d456d6c19a201a0b) --- fs/ntfs3/attrib.c | 176 +++++++++++++++++++++++++++++++-------------- fs/ntfs3/file.c | 151 +++++++++----------------------------- fs/ntfs3/frecord.c | 2 +- fs/ntfs3/index.c | 4 +- fs/ntfs3/inode.c | 12 ++-- fs/ntfs3/ntfs_fs.h | 7 +- 6 files changed, 166 insertions(+), 186 deletions(-) diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c index 0388e6b42100..3e402b597e0f 100644 --- a/fs/ntfs3/attrib.c +++ b/fs/ntfs3/attrib.c @@ -176,7 +176,7 @@ static int run_deallocate_ex(struct ntfs_sb_info *sbi, struct runs_tree *run, int attr_allocate_clusters(struct ntfs_sb_info *sbi, struct runs_tree *run, CLST vcn, CLST lcn, CLST len, CLST *pre_alloc, enum ALLOCATE_OPT opt, CLST *alen, const size_t fr, - CLST *new_lcn) + CLST *new_lcn, CLST *new_len) { int err; CLST flen, vcn0 = vcn, pre = pre_alloc ? *pre_alloc : 0; @@ -196,20 +196,36 @@ int attr_allocate_clusters(struct ntfs_sb_info *sbi, struct runs_tree *run, if (err) goto out; - if (new_lcn && vcn == vcn0) - *new_lcn = lcn; + if (vcn == vcn0) { + /* Return the first fragment. */ + if (new_lcn) + *new_lcn = lcn; + if (new_len) + *new_len = flen; + } /* Add new fragment into run storage. */ - if (!run_add_entry(run, vcn, lcn, flen, opt == ALLOCATE_MFT)) { + if (!run_add_entry(run, vcn, lcn, flen, opt & ALLOCATE_MFT)) { /* Undo last 'ntfs_look_for_free_space' */ mark_as_free_ex(sbi, lcn, len, false); err = -ENOMEM; goto out; } + if (opt & ALLOCATE_ZERO) { + u8 shift = sbi->cluster_bits - SECTOR_SHIFT; + + err = blkdev_issue_zeroout(sbi->sb->s_bdev, + (sector_t)lcn << shift, + (sector_t)flen << shift, + GFP_NOFS, 0); + if (err) + goto out; + } + vcn += flen; - if (flen >= len || opt == ALLOCATE_MFT || + if (flen >= len || (opt & ALLOCATE_MFT) || (fr && run->count - cnt >= fr)) { *alen = vcn - vcn0; return 0; @@ -287,7 +303,8 @@ int attr_make_nonresident(struct ntfs_inode *ni, struct ATTRIB *attr, const char *data = resident_data(attr); err = attr_allocate_clusters(sbi, run, 0, 0, len, NULL, - ALLOCATE_DEF, &alen, 0, NULL); + ALLOCATE_DEF, &alen, 0, NULL, + NULL); if (err) goto out1; @@ -582,13 +599,13 @@ int attr_set_size(struct ntfs_inode *ni, enum ATTR_TYPE type, /* ~3 bytes per fragment. */ err = attr_allocate_clusters( sbi, run, vcn, lcn, to_allocate, &pre_alloc, - is_mft ? ALLOCATE_MFT : 0, &alen, + is_mft ? ALLOCATE_MFT : ALLOCATE_DEF, &alen, is_mft ? 0 : (sbi->record_size - le32_to_cpu(rec->used) + 8) / 3 + 1, - NULL); + NULL, NULL); if (err) goto out; } @@ -886,8 +903,19 @@ int attr_set_size(struct ntfs_inode *ni, enum ATTR_TYPE type, return err; } +/* + * attr_data_get_block - Returns 'lcn' and 'len' for given 'vcn'. + * + * @new == NULL means just to get current mapping for 'vcn' + * @new != NULL means allocate real cluster if 'vcn' maps to hole + * @zero - zeroout new allocated clusters + * + * NOTE: + * - @new != NULL is called only for sparsed or compressed attributes. + * - new allocated clusters are zeroed via blkdev_issue_zeroout. + */ int attr_data_get_block(struct ntfs_inode *ni, CLST vcn, CLST clen, CLST *lcn, - CLST *len, bool *new) + CLST *len, bool *new, bool zero) { int err = 0; struct runs_tree *run = &ni->file.run; @@ -896,29 +924,27 @@ int attr_data_get_block(struct ntfs_inode *ni, CLST vcn, CLST clen, CLST *lcn, struct ATTRIB *attr = NULL, *attr_b; struct ATTR_LIST_ENTRY *le, *le_b; struct mft_inode *mi, *mi_b; - CLST hint, svcn, to_alloc, evcn1, next_svcn, asize, end; + CLST hint, svcn, to_alloc, evcn1, next_svcn, asize, end, vcn0, alen; + unsigned int fr; u64 total_size; - u32 clst_per_frame; - bool ok; if (new) *new = false; + /* Try to find in cache. */ down_read(&ni->file.run_lock); - ok = run_lookup_entry(run, vcn, lcn, len, NULL); + if (!run_lookup_entry(run, vcn, lcn, len, NULL)) + *len = 0; up_read(&ni->file.run_lock); - if (ok && (*lcn != SPARSE_LCN || !new)) { - /* Normal way. */ - return 0; + if (*len) { + if (*lcn != SPARSE_LCN || !new) + return 0; /* Fast normal way without allocation. */ + else if (clen > *len) + clen = *len; } - if (!clen) - clen = 1; - - if (ok && clen > *len) - clen = *len; - + /* No cluster in cache or we need to allocate cluster in hole. */ sbi = ni->mi.sbi; cluster_bits = sbi->cluster_bits; @@ -944,12 +970,6 @@ int attr_data_get_block(struct ntfs_inode *ni, CLST vcn, CLST clen, CLST *lcn, goto out; } - clst_per_frame = 1u << attr_b->nres.c_unit; - to_alloc = (clen + clst_per_frame - 1) & ~(clst_per_frame - 1); - - if (vcn + to_alloc > asize) - to_alloc = asize - vcn; - svcn = le64_to_cpu(attr_b->nres.svcn); evcn1 = le64_to_cpu(attr_b->nres.evcn) + 1; @@ -968,36 +988,68 @@ int attr_data_get_block(struct ntfs_inode *ni, CLST vcn, CLST clen, CLST *lcn, evcn1 = le64_to_cpu(attr->nres.evcn) + 1; } + /* Load in cache actual information. */ err = attr_load_runs(attr, ni, run, NULL); if (err) goto out; - if (!ok) { - ok = run_lookup_entry(run, vcn, lcn, len, NULL); - if (ok && (*lcn != SPARSE_LCN || !new)) { - /* Normal way. */ - err = 0; - goto ok; - } + if (!*len) { + if (run_lookup_entry(run, vcn, lcn, len, NULL)) { + if (*lcn != SPARSE_LCN || !new) + goto ok; /* Slow normal way without allocation. */ - if (!ok && !new) { - *len = 0; - err = 0; + if (clen > *len) + clen = *len; + } else if (!new) { + /* Here we may return -ENOENT. + * In any case caller gets zero length. */ goto ok; } - - if (ok && clen > *len) { - clen = *len; - to_alloc = (clen + clst_per_frame - 1) & - ~(clst_per_frame - 1); - } } if (!is_attr_ext(attr_b)) { + /* The code below only for sparsed or compressed attributes. */ err = -EINVAL; goto out; } + vcn0 = vcn; + to_alloc = clen; + fr = (sbi->record_size - le32_to_cpu(mi->mrec->used) + 8) / 3 + 1; + /* Allocate frame aligned clusters. + * ntfs.sys usually uses 16 clusters per frame for sparsed or compressed. + * ntfs3 uses 1 cluster per frame for new created sparsed files. */ + if (attr_b->nres.c_unit) { + CLST clst_per_frame = 1u << attr_b->nres.c_unit; + CLST cmask = ~(clst_per_frame - 1); + + /* Get frame aligned vcn and to_alloc. */ + vcn = vcn0 & cmask; + to_alloc = ((vcn0 + clen + clst_per_frame - 1) & cmask) - vcn; + if (fr < clst_per_frame) + fr = clst_per_frame; + zero = true; + + /* Check if 'vcn' and 'vcn0' in different attribute segments. */ + if (vcn < svcn || evcn1 <= vcn) { + /* Load attribute for truncated vcn. */ + attr = ni_find_attr(ni, attr_b, &le, ATTR_DATA, NULL, 0, + &vcn, &mi); + if (!attr) { + err = -EINVAL; + goto out; + } + svcn = le64_to_cpu(attr->nres.svcn); + evcn1 = le64_to_cpu(attr->nres.evcn) + 1; + err = attr_load_runs(attr, ni, run, NULL); + if (err) + goto out; + } + } + + if (vcn + to_alloc > asize) + to_alloc = asize - vcn; + /* Get the last LCN to allocate from. */ hint = 0; @@ -1011,18 +1063,33 @@ int attr_data_get_block(struct ntfs_inode *ni, CLST vcn, CLST clen, CLST *lcn, hint = -1; } - err = attr_allocate_clusters( - sbi, run, vcn, hint + 1, to_alloc, NULL, 0, len, - (sbi->record_size - le32_to_cpu(mi->mrec->used) + 8) / 3 + 1, - lcn); + /* Allocate and zeroout new clusters. */ + err = attr_allocate_clusters(sbi, run, vcn, hint + 1, to_alloc, NULL, + zero ? ALLOCATE_ZERO : ALLOCATE_DEF, &alen, + fr, lcn, len); if (err) goto out; *new = true; - end = vcn + *len; - + end = vcn + alen; total_size = le64_to_cpu(attr_b->nres.total_size) + - ((u64)*len << cluster_bits); + ((u64)alen << cluster_bits); + + if (vcn != vcn0) { + if (!run_lookup_entry(run, vcn0, lcn, len, NULL)) { + err = -EINVAL; + goto out; + } + if (*lcn == SPARSE_LCN) { + /* Internal error. Should not happened. */ + WARN_ON(1); + err = -EINVAL; + goto out; + } + /* Check case when vcn0 + len overlaps new allocated clusters. */ + if (vcn0 + *len > end) + *len = end - vcn0; + } repack: err = mi_pack_runs(mi, attr, run, max(end, evcn1) - svcn); @@ -1547,7 +1614,7 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size, struct ATTRIB *attr = NULL, *attr_b; struct ATTR_LIST_ENTRY *le, *le_b; struct mft_inode *mi, *mi_b; - CLST svcn, evcn1, next_svcn, lcn, len; + CLST svcn, evcn1, next_svcn, len; CLST vcn, end, clst_data; u64 total_size, valid_size, data_size; @@ -1623,8 +1690,9 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size, } err = attr_allocate_clusters(sbi, run, vcn + clst_data, - hint + 1, len - clst_data, NULL, 0, - &alen, 0, &lcn); + hint + 1, len - clst_data, NULL, + ALLOCATE_DEF, &alen, 0, NULL, + NULL); if (err) goto out; diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index 70b38465aee3..72e25842f5dc 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -122,8 +122,8 @@ static int ntfs_extend_initialized_size(struct file *file, bits = sbi->cluster_bits; vcn = pos >> bits; - err = attr_data_get_block(ni, vcn, 0, &lcn, &clen, - NULL); + err = attr_data_get_block(ni, vcn, 1, &lcn, &clen, NULL, + false); if (err) goto out; @@ -196,18 +196,18 @@ static int ntfs_zero_range(struct inode *inode, u64 vbo, u64 vbo_to) struct address_space *mapping = inode->i_mapping; u32 blocksize = 1 << inode->i_blkbits; pgoff_t idx = vbo >> PAGE_SHIFT; - u32 z_start = vbo & (PAGE_SIZE - 1); + u32 from = vbo & (PAGE_SIZE - 1); pgoff_t idx_end = (vbo_to + PAGE_SIZE - 1) >> PAGE_SHIFT; loff_t page_off; struct buffer_head *head, *bh; - u32 bh_next, bh_off, z_end; + u32 bh_next, bh_off, to; sector_t iblock; struct page *page; - for (; idx < idx_end; idx += 1, z_start = 0) { + for (; idx < idx_end; idx += 1, from = 0) { page_off = (loff_t)idx << PAGE_SHIFT; - z_end = (page_off + PAGE_SIZE) > vbo_to ? (vbo_to - page_off) - : PAGE_SIZE; + to = (page_off + PAGE_SIZE) > vbo_to ? (vbo_to - page_off) + : PAGE_SIZE; iblock = page_off >> inode->i_blkbits; page = find_or_create_page(mapping, idx, @@ -224,7 +224,7 @@ static int ntfs_zero_range(struct inode *inode, u64 vbo, u64 vbo_to) do { bh_next = bh_off + blocksize; - if (bh_next <= z_start || bh_off >= z_end) + if (bh_next <= from || bh_off >= to) continue; if (!buffer_mapped(bh)) { @@ -258,7 +258,7 @@ static int ntfs_zero_range(struct inode *inode, u64 vbo, u64 vbo_to) } while (bh_off = bh_next, iblock += 1, head != (bh = bh->b_this_page)); - zero_user_segment(page, z_start, z_end); + zero_user_segment(page, from, to); unlock_page(page); put_page(page); @@ -269,81 +269,6 @@ static int ntfs_zero_range(struct inode *inode, u64 vbo, u64 vbo_to) return err; } -/* - * ntfs_sparse_cluster - Helper function to zero a new allocated clusters. - * - * NOTE: 512 <= cluster size <= 2M - */ -void ntfs_sparse_cluster(struct inode *inode, struct page *page0, CLST vcn, - CLST len) -{ - struct address_space *mapping = inode->i_mapping; - struct ntfs_sb_info *sbi = inode->i_sb->s_fs_info; - u64 vbo = (u64)vcn << sbi->cluster_bits; - u64 bytes = (u64)len << sbi->cluster_bits; - u32 blocksize = 1 << inode->i_blkbits; - pgoff_t idx0 = page0 ? page0->index : -1; - loff_t vbo_clst = vbo & sbi->cluster_mask_inv; - loff_t end = ntfs_up_cluster(sbi, vbo + bytes); - pgoff_t idx = vbo_clst >> PAGE_SHIFT; - u32 from = vbo_clst & (PAGE_SIZE - 1); - pgoff_t idx_end = (end + PAGE_SIZE - 1) >> PAGE_SHIFT; - loff_t page_off; - u32 to; - bool partial; - struct page *page; - - for (; idx < idx_end; idx += 1, from = 0) { - page = idx == idx0 ? page0 : grab_cache_page(mapping, idx); - - if (!page) - continue; - - page_off = (loff_t)idx << PAGE_SHIFT; - to = (page_off + PAGE_SIZE) > end ? (end - page_off) - : PAGE_SIZE; - partial = false; - - if ((from || PAGE_SIZE != to) && - likely(!page_has_buffers(page))) { - create_empty_buffers(page, blocksize, 0); - } - - if (page_has_buffers(page)) { - struct buffer_head *head, *bh; - u32 bh_off = 0; - - bh = head = page_buffers(page); - do { - u32 bh_next = bh_off + blocksize; - - if (from <= bh_off && bh_next <= to) { - set_buffer_uptodate(bh); - mark_buffer_dirty(bh); - } else if (!buffer_uptodate(bh)) { - partial = true; - } - bh_off = bh_next; - } while (head != (bh = bh->b_this_page)); - } - - zero_user_segment(page, from, to); - - if (!partial) { - if (!PageUptodate(page)) - SetPageUptodate(page); - set_page_dirty(page); - } - - if (idx != idx0) { - unlock_page(page); - put_page(page); - } - cond_resched(); - } - mark_inode_dirty(inode); -} - /* * ntfs_file_mmap - file_operations::mmap */ @@ -385,13 +310,9 @@ static int ntfs_file_mmap(struct file *file, struct vm_area_struct *vma) for (; vcn < end; vcn += len) { err = attr_data_get_block(ni, vcn, 1, &lcn, - &len, &new); + &len, &new, true); if (err) goto out; - - if (!new) - continue; - ntfs_sparse_cluster(inode, NULL, vcn, 1); } } @@ -532,7 +453,8 @@ static long ntfs_fallocate(struct file *file, int mode, loff_t vbo, loff_t len) struct ntfs_sb_info *sbi = sb->s_fs_info; struct ntfs_inode *ni = ntfs_i(inode); loff_t end = vbo + len; - loff_t vbo_down = round_down(vbo, PAGE_SIZE); + loff_t vbo_down = round_down(vbo, max_t(unsigned long, + sbi->cluster_size, PAGE_SIZE)); bool is_supported_holes = is_sparsed(ni) || is_compressed(ni); loff_t i_size, new_size; bool map_locked; @@ -585,11 +507,8 @@ static long ntfs_fallocate(struct file *file, int mode, loff_t vbo, loff_t len) u32 frame_size; loff_t mask, vbo_a, end_a, tmp; - err = filemap_write_and_wait_range(mapping, vbo, end - 1); - if (err) - goto out; - - err = filemap_write_and_wait_range(mapping, end, LLONG_MAX); + err = filemap_write_and_wait_range(mapping, vbo_down, + LLONG_MAX); if (err) goto out; @@ -692,39 +611,35 @@ static long ntfs_fallocate(struct file *file, int mode, loff_t vbo, loff_t len) goto out; if (is_supported_holes) { - CLST vcn_v = ni->i_valid >> sbi->cluster_bits; CLST vcn = vbo >> sbi->cluster_bits; CLST cend = bytes_to_cluster(sbi, end); + CLST cend_v = bytes_to_cluster(sbi, ni->i_valid); CLST lcn, clen; bool new; + if (cend_v > cend) + cend_v = cend; + /* - * Allocate but do not zero new clusters. (see below comments) - * This breaks security: One can read unused on-disk areas. + * Allocate and zero new clusters. * Zeroing these clusters may be too long. - * Maybe we should check here for root rights? + */ + for (; vcn < cend_v; vcn += clen) { + err = attr_data_get_block(ni, vcn, cend_v - vcn, + &lcn, &clen, &new, + true); + if (err) + goto out; + } + /* + * Allocate but not zero new clusters. */ for (; vcn < cend; vcn += clen) { err = attr_data_get_block(ni, vcn, cend - vcn, - &lcn, &clen, &new); + &lcn, &clen, &new, + false); if (err) goto out; - if (!new || vcn >= vcn_v) - continue; - - /* - * Unwritten area. - * NTFS is not able to store several unwritten areas. - * Activate 'ntfs_sparse_cluster' to zero new allocated clusters. - * - * Dangerous in case: - * 1G of sparsed clusters + 1 cluster of data => - * valid_size == 1G + 1 cluster - * fallocate(1G) will zero 1G and this can be very long - * xfstest 016/086 will fail without 'ntfs_sparse_cluster'. - */ - ntfs_sparse_cluster(inode, NULL, vcn, - min(vcn_v - vcn, clen)); } } @@ -945,8 +860,8 @@ static ssize_t ntfs_compress_write(struct kiocb *iocb, struct iov_iter *from) frame_vbo = valid & ~(frame_size - 1); off = valid & (frame_size - 1); - err = attr_data_get_block(ni, frame << NTFS_LZNT_CUNIT, 0, &lcn, - &clen, NULL); + err = attr_data_get_block(ni, frame << NTFS_LZNT_CUNIT, 1, &lcn, + &clen, NULL, false); if (err) goto out; diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c index d41ddc06f207..fb572688f919 100644 --- a/fs/ntfs3/frecord.c +++ b/fs/ntfs3/frecord.c @@ -2297,7 +2297,7 @@ int ni_decompress_file(struct ntfs_inode *ni) for (vcn = vbo >> sbi->cluster_bits; vcn < end; vcn += clen) { err = attr_data_get_block(ni, vcn, cend - vcn, &lcn, - &clen, &new); + &clen, &new, false); if (err) goto out; } diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c index 2589f6d1215f..2dfe74a3de75 100644 --- a/fs/ntfs3/index.c +++ b/fs/ntfs3/index.c @@ -1442,8 +1442,8 @@ static int indx_create_allocate(struct ntfs_index *indx, struct ntfs_inode *ni, run_init(&run); - err = attr_allocate_clusters(sbi, &run, 0, 0, len, NULL, 0, &alen, 0, - NULL); + err = attr_allocate_clusters(sbi, &run, 0, 0, len, NULL, ALLOCATE_DEF, + &alen, 0, NULL, NULL); if (err) goto out; diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c index 057aa3cec902..5baf6a2b3d48 100644 --- a/fs/ntfs3/inode.c +++ b/fs/ntfs3/inode.c @@ -592,7 +592,8 @@ static noinline int ntfs_get_block_vbo(struct inode *inode, u64 vbo, off = vbo & sbi->cluster_mask; new = false; - err = attr_data_get_block(ni, vcn, 1, &lcn, &len, create ? &new : NULL); + err = attr_data_get_block(ni, vcn, 1, &lcn, &len, create ? &new : NULL, + create && sbi->cluster_size > PAGE_SIZE); if (err) goto out; @@ -610,11 +611,8 @@ static noinline int ntfs_get_block_vbo(struct inode *inode, u64 vbo, WARN_ON(1); } - if (new) { + if (new) set_buffer_new(bh); - if ((len << cluster_bits) > block_size) - ntfs_sparse_cluster(inode, page, vcn, len); - } lbo = ((u64)lcn << cluster_bits) + off; @@ -1533,8 +1531,8 @@ struct inode *ntfs_create_inode(struct user_namespace *mnt_userns, cpu_to_le64(ntfs_up_cluster(sbi, nsize)); err = attr_allocate_clusters(sbi, &ni->file.run, 0, 0, - clst, NULL, 0, &alen, 0, - NULL); + clst, NULL, ALLOCATE_DEF, + &alen, 0, NULL, NULL); if (err) goto out5; diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h index 26dbe1b46fdd..05d9abd66b37 100644 --- a/fs/ntfs3/ntfs_fs.h +++ b/fs/ntfs3/ntfs_fs.h @@ -126,6 +126,7 @@ struct ntfs_buffers { enum ALLOCATE_OPT { ALLOCATE_DEF = 0, // Allocate all clusters. ALLOCATE_MFT = 1, // Allocate for MFT. + ALLOCATE_ZERO = 2, // Zeroout new allocated clusters }; enum bitmap_mutex_classes { @@ -416,7 +417,7 @@ enum REPARSE_SIGN { int attr_allocate_clusters(struct ntfs_sb_info *sbi, struct runs_tree *run, CLST vcn, CLST lcn, CLST len, CLST *pre_alloc, enum ALLOCATE_OPT opt, CLST *alen, const size_t fr, - CLST *new_lcn); + CLST *new_lcn, CLST *new_len); int attr_make_nonresident(struct ntfs_inode *ni, struct ATTRIB *attr, struct ATTR_LIST_ENTRY *le, struct mft_inode *mi, u64 new_size, struct runs_tree *run, @@ -426,7 +427,7 @@ int attr_set_size(struct ntfs_inode *ni, enum ATTR_TYPE type, u64 new_size, const u64 *new_valid, bool keep_prealloc, struct ATTRIB **ret); int attr_data_get_block(struct ntfs_inode *ni, CLST vcn, CLST clen, CLST *lcn, - CLST *len, bool *new); + CLST *len, bool *new, bool zero); int attr_data_read_resident(struct ntfs_inode *ni, struct page *page); int attr_data_write_resident(struct ntfs_inode *ni, struct page *page); int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type, @@ -491,8 +492,6 @@ extern const struct file_operations ntfs_dir_operations; /* Globals from file.c */ int ntfs_getattr(struct user_namespace *mnt_userns, const struct path *path, struct kstat *stat, u32 request_mask, u32 flags); -void ntfs_sparse_cluster(struct inode *inode, struct page *page0, CLST vcn, - CLST len); int ntfs3_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, struct iattr *attr); int ntfs_file_open(struct inode *inode, struct file *file); -- 2.34.1

1 month, 1 week

2
2
0 0

[PATCH 6.1.y 6.6.y 1/1] netfilter: nft_counter: Use u64_stats_t for statistic.

by Felix Moessbauer

From: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> commit 4a1d3acd6ea86075e77fcc1188c3fc372833ba73 upstream. The nft_counter uses two s64 counters for statistics. Those two are protected by a seqcount to ensure that the 64bit variable is always properly seen during updates even on 32bit architectures where the store is performed by two writes. A side effect is that the two counter (bytes and packet) are written and read together in the same window. This can be replaced with u64_stats_t. write_seqcount_begin()/ end() is replaced with u64_stats_update_begin()/ end() and behaves the same way as with seqcount_t on 32bit architectures. Additionally there is a preempt_disable on PREEMPT_RT to ensure that a reader does not preempt a writer. On 64bit architectures the macros are removed and the reads happen without any retries. This also means that the reader can observe one counter (bytes) from before the update and the other counter (packets) but that is okay since there is no requirement to have both counter from the same update window. Convert the statistic to u64_stats_t. There is one optimisation: nft_counter_do_init() and nft_counter_clone() allocate a new per-CPU counter and assign a value to it. During this assignment preemption is disabled which is not needed because the counter is not yet exposed to the system so there can not be another writer or reader. Therefore disabling preemption is omitted and raw_cpu_ptr() is used to obtain a pointer to a counter for the assignment. Cc: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Felix Moessbauer <felix.moessbauer(a)siemens.com> --- I propose the backport, as this is a performance improvement. Note, that this is a bugfix on RT kernels. net/netfilter/nft_counter.c | 90 +++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 44 deletions(-) diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c index 781d3a26f5df..8d19bd001277 100644 --- a/net/netfilter/nft_counter.c +++ b/net/netfilter/nft_counter.c @@ -8,7 +8,7 @@ #include <linux/kernel.h> #include <linux/init.h> #include <linux/module.h> -#include <linux/seqlock.h> +#include <linux/u64_stats_sync.h> #include <linux/netlink.h> #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> @@ -17,6 +17,11 @@ #include <net/netfilter/nf_tables_offload.h> struct nft_counter { + u64_stats_t bytes; + u64_stats_t packets; +}; + +struct nft_counter_tot { s64 bytes; s64 packets; }; @@ -25,25 +30,24 @@ struct nft_counter_percpu_priv { struct nft_counter __percpu *counter; }; -static DEFINE_PER_CPU(seqcount_t, nft_counter_seq); +static DEFINE_PER_CPU(struct u64_stats_sync, nft_counter_sync); static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv, struct nft_regs *regs, const struct nft_pktinfo *pkt) { + struct u64_stats_sync *nft_sync; struct nft_counter *this_cpu; - seqcount_t *myseq; local_bh_disable(); this_cpu = this_cpu_ptr(priv->counter); - myseq = this_cpu_ptr(&nft_counter_seq); - - write_seqcount_begin(myseq); + nft_sync = this_cpu_ptr(&nft_counter_sync); - this_cpu->bytes += pkt->skb->len; - this_cpu->packets++; + u64_stats_update_begin(nft_sync); + u64_stats_add(&this_cpu->bytes, pkt->skb->len); + u64_stats_inc(&this_cpu->packets); + u64_stats_update_end(nft_sync); - write_seqcount_end(myseq); local_bh_enable(); } @@ -66,17 +70,16 @@ static int nft_counter_do_init(const struct nlattr * const tb[], if (cpu_stats == NULL) return -ENOMEM; - preempt_disable(); - this_cpu = this_cpu_ptr(cpu_stats); + this_cpu = raw_cpu_ptr(cpu_stats); if (tb[NFTA_COUNTER_PACKETS]) { - this_cpu->packets = - be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); + u64_stats_set(&this_cpu->packets, + be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]))); } if (tb[NFTA_COUNTER_BYTES]) { - this_cpu->bytes = - be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); + u64_stats_set(&this_cpu->bytes, + be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]))); } - preempt_enable(); + priv->counter = cpu_stats; return 0; } @@ -104,40 +107,41 @@ static void nft_counter_obj_destroy(const struct nft_ctx *ctx, } static void nft_counter_reset(struct nft_counter_percpu_priv *priv, - struct nft_counter *total) + struct nft_counter_tot *total) { + struct u64_stats_sync *nft_sync; struct nft_counter *this_cpu; - seqcount_t *myseq; local_bh_disable(); this_cpu = this_cpu_ptr(priv->counter); - myseq = this_cpu_ptr(&nft_counter_seq); + nft_sync = this_cpu_ptr(&nft_counter_sync); + + u64_stats_update_begin(nft_sync); + u64_stats_add(&this_cpu->packets, -total->packets); + u64_stats_add(&this_cpu->bytes, -total->bytes); + u64_stats_update_end(nft_sync); - write_seqcount_begin(myseq); - this_cpu->packets -= total->packets; - this_cpu->bytes -= total->bytes; - write_seqcount_end(myseq); local_bh_enable(); } static void nft_counter_fetch(struct nft_counter_percpu_priv *priv, - struct nft_counter *total) + struct nft_counter_tot *total) { struct nft_counter *this_cpu; - const seqcount_t *myseq; u64 bytes, packets; unsigned int seq; int cpu; memset(total, 0, sizeof(*total)); for_each_possible_cpu(cpu) { - myseq = per_cpu_ptr(&nft_counter_seq, cpu); + struct u64_stats_sync *nft_sync = per_cpu_ptr(&nft_counter_sync, cpu); + this_cpu = per_cpu_ptr(priv->counter, cpu); do { - seq = read_seqcount_begin(myseq); - bytes = this_cpu->bytes; - packets = this_cpu->packets; - } while (read_seqcount_retry(myseq, seq)); + seq = u64_stats_fetch_begin(nft_sync); + bytes = u64_stats_read(&this_cpu->bytes); + packets = u64_stats_read(&this_cpu->packets); + } while (u64_stats_fetch_retry(nft_sync, seq)); total->bytes += bytes; total->packets += packets; @@ -148,7 +152,7 @@ static int nft_counter_do_dump(struct sk_buff *skb, struct nft_counter_percpu_priv *priv, bool reset) { - struct nft_counter total; + struct nft_counter_tot total; nft_counter_fetch(priv, &total); @@ -236,7 +240,7 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src, g struct nft_counter_percpu_priv *priv_clone = nft_expr_priv(dst); struct nft_counter __percpu *cpu_stats; struct nft_counter *this_cpu; - struct nft_counter total; + struct nft_counter_tot total; nft_counter_fetch(priv, &total); @@ -244,11 +248,9 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src, g if (cpu_stats == NULL) return -ENOMEM; - preempt_disable(); - this_cpu = this_cpu_ptr(cpu_stats); - this_cpu->packets = total.packets; - this_cpu->bytes = total.bytes; - preempt_enable(); + this_cpu = raw_cpu_ptr(cpu_stats); + u64_stats_set(&this_cpu->packets, total.packets); + u64_stats_set(&this_cpu->bytes, total.bytes); priv_clone->counter = cpu_stats; return 0; @@ -266,17 +268,17 @@ static void nft_counter_offload_stats(struct nft_expr *expr, const struct flow_stats *stats) { struct nft_counter_percpu_priv *priv = nft_expr_priv(expr); + struct u64_stats_sync *nft_sync; struct nft_counter *this_cpu; - seqcount_t *myseq; local_bh_disable(); this_cpu = this_cpu_ptr(priv->counter); - myseq = this_cpu_ptr(&nft_counter_seq); + nft_sync = this_cpu_ptr(&nft_counter_sync); - write_seqcount_begin(myseq); - this_cpu->packets += stats->pkts; - this_cpu->bytes += stats->bytes; - write_seqcount_end(myseq); + u64_stats_update_begin(nft_sync); + u64_stats_add(&this_cpu->packets, stats->pkts); + u64_stats_add(&this_cpu->bytes, stats->bytes); + u64_stats_update_end(nft_sync); local_bh_enable(); } @@ -285,7 +287,7 @@ void nft_counter_init_seqcount(void) int cpu; for_each_possible_cpu(cpu) - seqcount_init(per_cpu_ptr(&nft_counter_seq, cpu)); + u64_stats_init(per_cpu_ptr(&nft_counter_sync, cpu)); } struct nft_expr_type nft_counter_type; -- 2.49.0

1 month, 1 week

2
1
0 0

[PATCH 6.6] wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version 8

by Emmanuel Grumbach

From: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> commit b1e8102a4048003097c7054cbc00bbda91a5ced7 upstream Commit 6b3e87cc0ca5 ("iwlwifi: Add support for LARI_CONFIG_CHANGE_CMD cmd v9") added a few bits to iwl_lari_config_change_cmd::oem_unii4_allow_bitmap if the FW has LARI version >= 9. But we also need to send those bits for version 8 if the FW is capable of this feature (indicated with capability bits) Add the FW capability bit, and set the additional bits in the cmd when the version is 8 and the FW capability bit is set. Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Reviewed-by: Johannes Berg <johannes.berg(a)intel.com> Link: https://patch.msgid.link/20241226174257.dc5836f84514.I1e38f94465a36731034c9… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> --- drivers/net/wireless/intel/iwlwifi/fw/file.h | 4 ++- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 37 ++++++++++++++++++-- 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/fw/file.h b/drivers/net/wireless/intel/iwlwifi/fw/file.h index b36e9613a52c..b1687e6d3ad2 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/file.h +++ b/drivers/net/wireless/intel/iwlwifi/fw/file.h @@ -372,6 +372,8 @@ typedef unsigned int __bitwise iwl_ucode_tlv_capa_t; * channels even when these are not enabled. * @IWL_UCODE_TLV_CAPA_DUMP_COMPLETE_SUPPORT: Support for indicating dump collection * complete to FW. + * @IWL_UCODE_TLV_CAPA_BIOS_OVERRIDE_5G9_FOR_CA: supports (de)activating 5G9 + * for CA from BIOS. * * @NUM_IWL_UCODE_TLV_CAPA: number of bits used */ @@ -468,7 +470,7 @@ enum iwl_ucode_tlv_capa { IWL_UCODE_TLV_CAPA_OFFLOAD_BTM_SUPPORT = (__force iwl_ucode_tlv_capa_t)113, IWL_UCODE_TLV_CAPA_STA_EXP_MFP_SUPPORT = (__force iwl_ucode_tlv_capa_t)114, IWL_UCODE_TLV_CAPA_SNIFF_VALIDATE_SUPPORT = (__force iwl_ucode_tlv_capa_t)116, - + IWL_UCODE_TLV_CAPA_BIOS_OVERRIDE_5G9_FOR_CA = (__force iwl_ucode_tlv_capa_t)123, #ifdef __CHECKER__ /* sparse says it cannot increment the previous enum member */ #define NUM_IWL_UCODE_TLV_CAPA 128 diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c index 80b5c20d3a48..c597492668fa 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c @@ -1195,11 +1195,30 @@ static u8 iwl_mvm_eval_dsm_rfi(struct iwl_mvm *mvm) return DSM_VALUE_RFI_DISABLE; } +enum iwl_dsm_unii4_bitmap { + DSM_VALUE_UNII4_US_OVERRIDE_MSK = BIT(0), + DSM_VALUE_UNII4_US_EN_MSK = BIT(1), + DSM_VALUE_UNII4_ETSI_OVERRIDE_MSK = BIT(2), + DSM_VALUE_UNII4_ETSI_EN_MSK = BIT(3), + DSM_VALUE_UNII4_CANADA_OVERRIDE_MSK = BIT(4), + DSM_VALUE_UNII4_CANADA_EN_MSK = BIT(5), +}; + +#define DSM_UNII4_ALLOW_BITMAP (DSM_VALUE_UNII4_US_OVERRIDE_MSK |\ + DSM_VALUE_UNII4_US_EN_MSK |\ + DSM_VALUE_UNII4_ETSI_OVERRIDE_MSK |\ + DSM_VALUE_UNII4_ETSI_EN_MSK |\ + DSM_VALUE_UNII4_CANADA_OVERRIDE_MSK |\ + DSM_VALUE_UNII4_CANADA_EN_MSK) + static void iwl_mvm_lari_cfg(struct iwl_mvm *mvm) { int ret; u32 value; struct iwl_lari_config_change_cmd_v6 cmd = {}; + u8 cmd_ver = iwl_fw_lookup_cmd_ver(mvm->fw, + WIDE_ID(REGULATORY_AND_NVM_GROUP, + LARI_CONFIG_CHANGE), 1); cmd.config_bitmap = iwl_acpi_get_lari_config_bitmap(&mvm->fwrt); @@ -1211,8 +1230,22 @@ static void iwl_mvm_lari_cfg(struct iwl_mvm *mvm) ret = iwl_acpi_get_dsm_u32(mvm->fwrt.dev, 0, DSM_FUNC_ENABLE_UNII4_CHAN, &iwl_guid, &value); - if (!ret) - cmd.oem_unii4_allow_bitmap = cpu_to_le32(value); + if (!ret) { + u32 _value = cpu_to_le32(value); + + _value &= DSM_UNII4_ALLOW_BITMAP; + + /* Since version 9, bits 4 and 5 are supported + * regardless of this capability. + */ + if (cmd_ver < 9 && + !fw_has_capa(&mvm->fw->ucode_capa, + IWL_UCODE_TLV_CAPA_BIOS_OVERRIDE_5G9_FOR_CA)) + _value &= ~(DSM_VALUE_UNII4_CANADA_OVERRIDE_MSK | + DSM_VALUE_UNII4_CANADA_EN_MSK); + + cmd.oem_unii4_allow_bitmap = cpu_to_le32(_value); + } ret = iwl_acpi_get_dsm_u32(mvm->fwrt.dev, 0, DSM_FUNC_ACTIVATE_CHANNEL, -- 2.48.1

1 month, 1 week

3
2
0 0

[PATCH 5.10.y] wifi: ath10k: avoid NULL pointer error during sdio remove

by alvalan9＠foxmail.com

From: Kang Yang <quic_kangyang(a)quicinc.com> [ Upstream commit 95c38953cb1ecf40399a676a1f85dfe2b5780a9a ] When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON. After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace: ath10k_sdio_remove ->ath10k_core_unregister …… ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free …… ->wiphy_dev_release ->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. Based on the call_stack above, the reason is: Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work on sdio workqueue. Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down(). ath10k_sdio_irq_disable() only be called in ath10k_hif_stop(). ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189 Signed-off-by: Kang Yang <quic_kangyang(a)quicinc.com> Tested-by: David Ruth <druth(a)chromium.org> Reviewed-by: David Ruth <druth(a)chromium.org> Link: https://patch.msgid.link/20241008022246.1010-1-quic_kangyang@quicinc.com Signed-off-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/net/wireless/ath/ath10k/sdio.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c index 9d1b0890f310..418e40560f59 100644 --- a/drivers/net/wireless/ath/ath10k/sdio.c +++ b/drivers/net/wireless/ath/ath10k/sdio.c @@ -3,6 +3,7 @@ * Copyright (c) 2004-2011 Atheros Communications Inc. * Copyright (c) 2011-2012,2017 Qualcomm Atheros, Inc. * Copyright (c) 2016-2017 Erik Stromdahl <erik.stromdahl(a)gmail.com> + * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include <linux/module.h> @@ -2649,9 +2650,9 @@ static void ath10k_sdio_remove(struct sdio_func *func) netif_napi_del(&ar->napi); - ath10k_core_destroy(ar); - destroy_workqueue(ar_sdio->workqueue); + + ath10k_core_destroy(ar); } static const struct sdio_device_id ath10k_sdio_devices[] = { -- 2.34.1

1 month, 1 week

2
1
0 0

pm80xx driver crashes in a daisy-chained multipath JBOD configuration

by Jarl Gullberg

I'm having issues on kernel 6.12.12 and 6.13.7 with the pm80xx0 driver using a PMC/Sierra 8001 card pulled from a SUN/Oracle ZFS Storage Appliance. Specifically, the card does not appear to handle daisy-chained multipath configurations correctly, and either locks up at boot, crashes during runtime, or doesn't enumerate the disks in the JBODs correctly. My topology looks like the following: ┌─────────────┐ │ PM8001 │ │ ▒A ▒ │B └─║─────────║─┘ ║ ╚═════╗ ┌─║───────────┐ ║ │ ║ JBOD 1 │ ║ │ ║ │ ║ │ ▒ A ▒ │B ║ └─║─────────║─┘ ║ ┌─║─────────║─┐ ║ │ ║ JBOD 2 ║ │ ║ │ ║ ║ │ ║ │ ▒ A ▒ │B ║ └─║─────────║─┘ ║ ┌─║─────────║─┐ ║ │ ║ JBOD 3 ║ │ ║ │ ║ ║ │ ║ │ ▒ A ▒ │B ║ └───────────║─┘ ║ ║ ║ ╚═════╝ Each JBOD has two dual-ported controllers on it, allowing for multiple shelves to be chained together and the controlling server to be attached at each end. The same topology works with an LSI/Broadcom card. The problem can be divided into three separate instances: 1 - failure to boot The driver crashes outright on boot when enumerating disks. Kernel logs from 6.13.7: https://gist.github.com/Nihlus/8b390a56ce743a85ff7aaf7b38cb501a [ 15.261604] kernel BUG at drivers/scsi/libsas/sas_scsi_host.c:378! [ 15.335390] Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 15.402050] CPU: 0 UID: 0 PID: 374 Comm: kworker/0:2 Tainted: G W 6.13-amd64 #1 Debian 6.13.7-1~exp1 [ 15.528840] Tainted: [W]=WARN [ 15.564215] Hardware name: SUN MICROSYSTEMS SUN FIRE X4170 M2 SERVER /ASSY,MOTHERBOARD,X4170, BIOS 08060108 12/27/2010 [ 15.698278] Workqueue: pm80xx pm8001_work_fn [pm80xx] [ 15.758607] RIP: 0010:sas_get_local_phy+0x57/0x60 [libsas] [ 15.824126] Code: 9f 2f 86 e0 48 8b 5b 38 49 89 c4 48 89 df e8 e0 29 4c e0 4c 89 e6 48 89 ef e8 45 30 86 e0 48 89 d8 5b 5d 41 5c c3 cc cc cc cc <0f> 0b 90 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 16.048618] RSP: 0018:ffffaa888e017db0 EFLAGS: 00010246 [ 16.111024] RAX: ffff8fe450766408 RBX: ffff8fe4515e3c00 RCX: 0000000000000002 [ 16.196288] RDX: 0000000000000000 RSI: 0000000000400000 RDI: ffff8fe4515e3c00 [ 16.281552] RBP: ffff8ff5ca075c00 R08: ffff8ff5ca0758c0 R09: 0000000000000014 [ 16.366815] R10: 0000000000000004 R11: 0000000000000000 R12: ffff8ff577835200 [ 16.452077] R13: ffff8fe450760000 R14: ffff8fe450780e40 R15: 0000000000000000 [ 16.537342] FS: 0000000000000000(0000) GS:ffff8ff577800000(0000) knlGS:0000000000000000 [ 16.634063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.702706] CR2: 00007fa7f2f58273 CR3: 000000035c022003 CR4: 00000000000206f0 [ 16.787969] Call Trace: [ 16.817136] <TASK> [ 16.842151] ? __die_body.cold+0x19/0x27 [ 16.888981] ? die+0x2e/0x50 [ 16.923345] ? do_trap+0xca/0x110 [ 16.962909] ? do_error_trap+0x6a/0x90 [ 17.007658] ? sas_get_local_phy+0x57/0x60 [libsas] [ 17.065922] ? exc_invalid_op+0x50/0x70 [ 17.111710] ? sas_get_local_phy+0x57/0x60 [libsas] [ 17.169970] ? asm_exc_invalid_op+0x1a/0x20 [ 17.219921] ? sas_get_local_phy+0x57/0x60 [libsas] [ 17.278184] pm8001_I_T_nexus_event_handler+0x69/0x1a0 [pm80xx] [ 17.348911] ? psi_task_switch+0xb7/0x200 [ 17.396779] ? finish_task_switch.isra.0+0x97/0x2c0 [ 17.455033] pm8001_work_fn+0x6b/0x4e0 [pm80xx] [ 17.509144] ? __schedule+0x50d/0xbf0 [ 17.552856] process_one_work+0x177/0x330 [ 17.600721] worker_thread+0x251/0x390 [ 17.645468] ? __pfx_worker_thread+0x10/0x10 [ 17.696455] kthread+0xd2/0x100 [ 17.733933] ? __pfx_kthread+0x10/0x10 [ 17.778683] ret_from_fork+0x34/0x50 [ 17.821360] ? __pfx_kthread+0x10/0x10 [ 17.866107] ret_from_fork_asm+0x1a/0x30 [ 17.912942] </TASK> [ 17.938987] Modules linked in: usbhid mii hid usb_storage pm80xx ahci libsas libahci scsi_transport_sas ixgbe uhci_hcd ehci_pci libata ehci_hcd xfrm_algo igb mdio_devres usbcore scsi_mod crc32_pclmul libphy e1000e crc32c_intel i2c_i801 i2c_algo_bit i2c_smbus usb_common lpc_ich dca scsi_common mdio [ 18.253949] clocksource: Long readout interval, skipping watchdog check: cs_nsec: 1981286504 wd_nsec: 1981285958 [ 18.375615] ---[ end trace 0000000000000000 ]--- 2 - runtime crash This happens if the cables are reseated or the JBODs restarted after the device has successfully booted, usually by leaving the cables unplugged. The disk enumeration fails to complete, leading to a call trace in the kernel logs and typically causes the JBOD controllers to get stuck in an unhealthy state (see case 3). Full kernel logs for 6.12.12 are available at https://gist.github.com/Nihlus/cbbabe685de551afa2cc8cdfbc6be6b2 with the relevant part being [ 415.245390] port-0:2:32: trying to add phy phy-0:2:32 fails: it's already part of another port [ 415.245473] ------------[ cut here ]------------ [ 415.245475] kernel BUG at drivers/scsi/scsi_transport_sas.c:1111! [ 415.245483] Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 415.245487] CPU: 0 UID: 0 PID: 11 Comm: kworker/u96:0 Tainted: G W 6.12.12+bpo-amd64 #1 Debian 6.12.12-1~bpo12+1 [ 415.245492] Tainted: [W]=WARN [ 415.245493] Hardware name: SUN MICROSYSTEMS SUN FIRE X4170 M2 SERVER /ASSY,MOTHERBOARD,X4170, BIOS 08060108 12/27/2010 [ 415.245495] Workqueue: 0000:19:00.0_disco_q sas_revalidate_domain [libsas] [ 415.245522] RIP: 0010:sas_port_add_phy+0x143/0x150 [scsi_transport_sas] [ 415.245539] Code: d5 75 e8 48 39 c3 74 8e 48 8b 4b 50 48 85 c9 75 03 48 8b 0b 48 c7 c2 80 c5 46 c0 48 89 ee 48 c7 c7 ae c6 46 c0 e8 5d 32 ce c9 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 [ 415.245542] RSP: 0018:ffffb595400d3c80 EFLAGS: 00010246 [ 415.245544] RAX: 0000000000000000 RBX: ffff905c9651d800 RCX: 0000000000000027 [ 415.245546] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff906db7821780 [ 415.245547] RBP: ffff905c96eb4400 R08: 0000000000000000 R09: 0000000000000003 [ 415.245549] R10: ffffb595400d3978 R11: ffff907ffff7ab28 R12: ffff905c9651db38 [ 415.245550] R13: ffff905c96eb4720 R14: ffff905c96eb4700 R15: ffff905c8809a800 [ 415.245552] FS: 0000000000000000(0000) GS:ffff906db7800000(0000) knlGS:0000000000000000 [ 415.245554] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 415.245556] CR2: 0000557484600000 CR3: 00000002f2622002 CR4: 00000000000226f0 [ 415.245558] Call Trace: [ 415.245562] <TASK> [ 415.245565] ? die+0x36/0x90 [ 415.245572] ? do_trap+0xdd/0x100 [ 415.245576] ? sas_port_add_phy+0x143/0x150 [scsi_transport_sas] [ 415.245583] ? do_error_trap+0x6a/0x90 [ 415.245585] ? sas_port_add_phy+0x143/0x150 [scsi_transport_sas] [ 415.245592] ? exc_invalid_op+0x50/0x70 [ 415.245597] ? sas_port_add_phy+0x143/0x150 [scsi_transport_sas] [ 415.245603] ? asm_exc_invalid_op+0x1a/0x20 [ 415.245613] ? sas_port_add_phy+0x143/0x150 [scsi_transport_sas] [ 415.245620] sas_ex_get_linkrate+0x9b/0xd0 [libsas] [ 415.245631] sas_ex_discover_devices+0x38f/0xc20 [libsas] [ 415.245644] sas_discover_new+0x71/0x110 [libsas] [ 415.245655] sas_ex_revalidate_domain+0x337/0x430 [libsas] [ 415.245667] sas_revalidate_domain+0x189/0x1a0 [libsas] [ 415.245678] process_one_work+0x17c/0x390 [ 415.245685] worker_thread+0x251/0x360 [ 415.245689] ? __pfx_worker_thread+0x10/0x10 [ 415.245692] kthread+0xd2/0x100 [ 415.245695] ? __pfx_kthread+0x10/0x10 [ 415.245698] ret_from_fork+0x34/0x50 [ 415.245702] ? __pfx_kthread+0x10/0x10 [ 415.245704] ret_from_fork_asm+0x1a/0x30 [ 415.245711] </TASK> [ 415.245712] Modules linked in: binfmt_misc intel_powerclamp coretemp kvm_intel kvm joydev evdev crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 aesni_intel gf128mul crypto_simd cryptd intel_cstate ipmi_ssif ast drm_shmem_helper drm_kms_helper iTCO_wdt intel_pmc_bxt intel_uncore iTCO_vendor_support acpi_ipmi watchdog pcspkr sg i5500_temp ioatdma acpi_cpufreq i7core_edac ipmi_si ipmi_devintf ipmi_msghandler button dm_multipath drm loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid0 dm_mod raid1 md_mod ses enclosure sd_mod hid_generic cdc_ether usbnet uas usbhid mii hid usb_storage pm80xx libsas ahci libahci scsi_transport_sas ixgbe libata uhci_hcd ehci_pci ehci_hcd xfrm_algo usbcore mdio_devres igb scsi_mod e1000e libphy crc32_pclmul crc32c_intel i2c_i801 lpc_ich i2c_smbus i2c_algo_bit usb_common scsi_common mdio dca [ 415.245777] ---[ end trace 0000000000000000 ]--- [ 415.245778] RIP: 0010:sas_port_add_phy+0x143/0x150 [scsi_transport_sas] [ 415.245785] Code: d5 75 e8 48 39 c3 74 8e 48 8b 4b 50 48 85 c9 75 03 48 8b 0b 48 c7 c2 80 c5 46 c0 48 89 ee 48 c7 c7 ae c6 46 c0 e8 5d 32 ce c9 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 [ 415.245788] RSP: 0018:ffffb595400d3c80 EFLAGS: 00010246 [ 415.245790] RAX: 0000000000000000 RBX: ffff905c9651d800 RCX: 0000000000000027 [ 415.245791] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff906db7821780 [ 415.245793] RBP: ffff905c96eb4400 R08: 0000000000000000 R09: 0000000000000003 [ 415.245794] R10: ffffb595400d3978 R11: ffff907ffff7ab28 R12: ffff905c9651db38 [ 415.245796] R13: ffff905c96eb4720 R14: ffff905c96eb4700 R15: ffff905c8809a800 [ 415.245797] FS: 0000000000000000(0000) GS:ffff906db7800000(0000) knlGS:0000000000000000 [ 415.245800] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 415.245801] CR2: 0000557484600000 CR3: 00000002f2622002 CR4: 00000000000226f0 [ 415.388491] pm80xx0:: mpi_ssp_completion 1752: status:0x3, tag:0x29b, task:0x00000000bc0fdffa 3 - incorrect enumeration In this case, only disks from JBOD 1 and 2 are enumerated. The device boots correctly, but the controllers on the JBODs are in an unhealty state and are not forwarding traffic as expected (link LED on A1 to A2 is dark, link LED on B2 to B3 is dark). System information: Linux san1 6.12.12+bpo-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.12-1~bpo12+1 (2025-02-23) x86_64 GNU/Linux Kernel config for 6.12.12: https://gist.github.com/Nihlus/33ab520b37270ab2d92d2ec26ddfa730 Kernel config for 6.13.7: https://gist.github.com/Nihlus/8d1af8204b0e4c456aeb30d079659712

1 month, 1 week

2
1
0 0

Clarifying stable kernel rule on selftest backporting

by Shung-Hsi Yu

Hi, Do we have any rule regarding whether a patch that adds a new test case in tools/testing/selftests/ can be considered for backport? For example, consider commit 0a5d2efa3827 ("selftests/bpf: Add test case for the freeing of bpf_timer"), it adds a test case for the issue addressed in the same series -- commit 58f038e6d209 ("bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT"). The latter has been backported to 6.12.y. Would commit 0a5d2efa3827 be a worthwhile add to 6.12.y as well? IMO having such test case added would be helpful to check whether the backported fix really works (assuming someone is willing to do the extra work of finding, testing, and sending such tests); yet it does not seem to fit into the current stable kernel rule set of: - It or an equivalent fix must already exist in Linux mainline (upstream). - It must be obviously correct and tested. - It cannot be bigger than 100 lines, with context. - It must follow the Documentation/process/submitting-patches.rst rules. - It must either fix a real bug that bothers people or just add a device ID Appreciate any clarification and/or feedback on this matter. Thanks, Shung-Hsi Yu

1 month, 1 week

2
1
0 0

[PATCH net 1/1] batman-adv: Ignore own maximum aggregation size during RX

by Simon Wunderlich

From: Sven Eckelmann <sven(a)narfation.org> An OGMv1 and OGMv2 packet receive processing were not only limited by the number of bytes in the received packet but also by the nodes maximum aggregation packet size limit. But this limit is relevant for TX and not for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid loss of information in case of a different limit for sender and receiver. This has a minor side effect for B.A.T.M.A.N. IV because the batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX. But since the aggregation code itself will not allow more than BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in this context) prior of removing it. Cc: stable(a)vger.kernel.org Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> --- net/batman-adv/bat_iv_ogm.c | 3 +-- net/batman-adv/bat_v_ogm.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index 07ae5dd1f150..b12645949ae5 100644 --- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c @@ -325,8 +325,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len, /* check if there is enough space for the optional TVLV */ next_buff_pos += ntohs(ogm_packet->tvlv_len); - return (next_buff_pos <= packet_len) && - (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); + return next_buff_pos <= packet_len; } /* send a batman ogm to a given interface */ diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c index e503ee0d896b..8f89ffe6020c 100644 --- a/net/batman-adv/bat_v_ogm.c +++ b/net/batman-adv/bat_v_ogm.c @@ -839,8 +839,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, /* check if there is enough space for the optional TVLV */ next_buff_pos += ntohs(ogm2_packet->tvlv_len); - return (next_buff_pos <= packet_len) && - (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); + return next_buff_pos <= packet_len; } /** -- 2.39.5

1 month, 1 week

2
1
0 0

Re: [PATCH net 0/3] mptcp: fix data stream corruption and missing sockopts

by patchwork-bot+netdevbpf＠kernel.org

Hello: This series was applied to netdev/net.git (main) by Paolo Abeni <pabeni(a)redhat.com>: On Fri, 14 Mar 2025 21:11:30 +0100 you wrote: > Here are 3 unrelated fixes for the net tree. > > - Patch 1: fix data stream corruption when ending up not sending an > ADD_ADDR. > > - Patch 2: fix missing getsockopt(IPV6_V6ONLY) support -- the set part > is supported. > > [...] Here is the summary with links: - [net,1/3] mptcp: Fix data stream corruption in the address announcement https://git.kernel.org/netdev/net/c/2c1f97a52cb8 - [net,2/3] mptcp: sockopt: fix getting IPV6_V6ONLY (no matching commit) - [net,3/3] mptcp: sockopt: fix getting freebind & transparent (no matching commit) You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html

1 month, 1 week

1
0
0 0

[PATCH 5.10.y] tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

by bin.lan.cn＠windriver.com

From: Kuniyuki Iwashima <kuniyu(a)amazon.com> [ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ] Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") Reported-by: Martin KaFai Lau <martin.lau(a)kernel.org> Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.d… Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.d… [1] Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Martin KaFai Lau <martin.lau(a)kernel.org> Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- net/ipv4/inet_connection_sock.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index 6ebe43b4d28f..723aab818b52 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -722,21 +722,31 @@ static bool reqsk_queue_unlink(struct request_sock *req) found = __sk_nulls_del_node_init_rcu(req_to_sk(req)); spin_unlock(lock); } - if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) - reqsk_put(req); + return found; } -bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) +static bool __inet_csk_reqsk_queue_drop(struct sock *sk, + struct request_sock *req, + bool from_timer) { bool unlinked = reqsk_queue_unlink(req); + if (!from_timer && timer_delete_sync(&req->rsk_timer)) + reqsk_put(req); + if (unlinked) { reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req); reqsk_put(req); } + return unlinked; } + +bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req) +{ + return __inet_csk_reqsk_queue_drop(sk, req, false); +} EXPORT_SYMBOL(inet_csk_reqsk_queue_drop); void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req) @@ -804,7 +814,8 @@ static void reqsk_timer_handler(struct timer_list *t) return; } drop: - inet_csk_reqsk_queue_drop_and_put(sk_listener, req); + __inet_csk_reqsk_queue_drop(sk_listener, req, true); + reqsk_put(req); } static void reqsk_queue_hash_req(struct request_sock *req, -- 2.34.1

1 month, 1 week

2
1
0 0

Re: [PATCH] block: cleanup and fix batch completion adding conditions

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Summary of potential issues: ⚠️ Found matching upstream commit but patch is missing proper reference to it ⚠️ Found follow-up fixes in mainline Found matching upstream commit: 1f47ed294a2bd577d5ae43e6e28e1c9a3be4a833 Found fixes commits: 9bce6b5f8987 block: change blk_mq_add_to_batch() third argument type to bool e5c2bcc0cd47 nvme: move error logging from nvme_end_req() to __nvme_end_req() Note: The patch differs from the upstream commit: --- 1: 1f47ed294a2bd < -: ------------- block: cleanup and fix batch completion adding conditions -: ------------- > 1: 648e04a805652 Linux 6.13.7 --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.13.y | Success | Success | | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Success | Success | | stable/linux-6.1.y | Success | Success | | stable/linux-5.15.y | Success | Success | | stable/linux-5.10.y | Success | Success | | stable/linux-5.4.y | Success | Success |

1 month, 1 week

1
0
0 0

6.1 io_uring mmap backport

by Jens Axboe

Hi, I prepared this series about 6 months ago, but never got around to sending it in. In mainline, we got rid of remap_pfn_range() on the io_uring side, and this just backports it to 6.1-stable as well. This eliminates issues with fragmented memory, and hence it'd be nice to have it in 6.1 stable as well. -- Jens Axboe

1 month, 1 week

2
4
0 0

[PATCH net 2/3] mptcp: sockopt: fix getting IPV6_V6ONLY

by Matthieu Baerts (NGI0)

When adding a socket option support in MPTCP, both the get and set parts are supposed to be implemented. IPV6_V6ONLY support for the setsockopt part has been added a while ago, but it looks like the get part got forgotten. It should have been present as a way to verify a setting has been set as expected, and not to act differently from TCP or any other socket types. Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want to check the default value, before doing extra actions. On Linux, the default value is 0, but this can be changed with the net.ipv6.bindv6only sysctl knob. On Windows, it is set to 1 by default. So supporting the get part, like for all other socket options, is important. Everything was in place to expose it, just the last step was missing. Only new code is added to cover this specific getsockopt(), that seems safe. Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt") Cc: stable(a)vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550 Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/sockopt.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c index 505445a9598fafa1cde6d8f4a1a8635c3e778051..4b99eb796855e4578d14df90f9d1cc3f1cd5b8c7 100644 --- a/net/mptcp/sockopt.c +++ b/net/mptcp/sockopt.c @@ -1430,6 +1430,20 @@ static int mptcp_getsockopt_v4(struct mptcp_sock *msk, int optname, return -EOPNOTSUPP; } +static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname, + char __user *optval, int __user *optlen) +{ + struct sock *sk = (void *)msk; + + switch (optname) { + case IPV6_V6ONLY: + return mptcp_put_int_option(msk, optval, optlen, + sk->sk_ipv6only); + } + + return -EOPNOTSUPP; +} + static int mptcp_getsockopt_sol_mptcp(struct mptcp_sock *msk, int optname, char __user *optval, int __user *optlen) { @@ -1469,6 +1483,8 @@ int mptcp_getsockopt(struct sock *sk, int level, int optname, if (level == SOL_IP) return mptcp_getsockopt_v4(msk, optname, optval, option); + if (level == SOL_IPV6) + return mptcp_getsockopt_v6(msk, optname, optval, option); if (level == SOL_TCP) return mptcp_getsockopt_sol_tcp(msk, optname, optval, option); if (level == SOL_MPTCP) -- 2.48.1

1 month, 1 week

4
4
0 0

[PATCH 1/3] drm/i915: Fix scanline_offset for LNL+ and BMG+

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Turns out LNL+ and BMG+ no longer have the weird extra scanline offset for HDMI outputs. Fix intel_crtc_scanline_offset() accordingly so that scanline evasion/etc. works correctly on HDMI outputs on these new platforms. Cc: stable(a)vger.kernel.org Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_vblank.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_vblank.c b/drivers/gpu/drm/i915/display/intel_vblank.c index 4efd4f7d497a..7b240ce681a0 100644 --- a/drivers/gpu/drm/i915/display/intel_vblank.c +++ b/drivers/gpu/drm/i915/display/intel_vblank.c @@ -222,7 +222,9 @@ int intel_crtc_scanline_offset(const struct intel_crtc_state *crtc_state) * However if queried just before the start of vblank we'll get an * answer that's slightly in the future. */ - if (DISPLAY_VER(display) == 2) + if (DISPLAY_VER(display) >= 20 || display->platform.battlemage) + return 1; + else if (DISPLAY_VER(display) == 2) return -1; else if (HAS_DDI(display) && intel_crtc_has_type(crtc_state, INTEL_OUTPUT_HDMI)) return 2; -- 2.45.3

1 month, 1 week

3
2
0 0

[PATCH v2 0/3] m68k: Bug fix and cleanup for framebuffer debug console

by Finn Thain

This series has a bug fix for the early bootconsole as well as some related efficiency improvements and cleanup. The relevant code is subject to CONSOLE_DEBUG, which is only used on Macs at present. --- Changed since v1: - Solved problem with line wrap while scrolling. - Added two additional patches. Finn Thain (3): m68k: Fix lost column on framebuffer debug console m68k: Avoid pointless recursion in debug console rendering m68k: Remove unused "cursor home" code from debug console arch/m68k/kernel/head.S | 73 +++++++++++++++++++++-------------------- 1 file changed, 37 insertions(+), 36 deletions(-) -- 2.45.3

1 month, 1 week

2
3
0 0

[PATCH] drm/amd/display: Add dp_decide_lane_settings() to ensure compatibility

by Wentao Liang

The dp_perform_128b_132b_channel_eq_done_sequence() calls dp_get_lane_status_and_lane_adjust() but lacks dp_decide_lane_settings(). The dp_get_lane_status_and_lane_adjust() and dp_decide_lane_settings() functions are essential for DisplayPort link training in the Linux kernel, with the former retrieving lane status and adjustment needs, and the latter determining optimal lane configurations. This omission risks compatibility issues, particularly with lower-quality cables or displays, as the system cannot dynamically adjust to hardware limitations, potentially leading to failed connections. Add dp_decide_lane_settings() to enable adaptive lane configuration. Fixes: 630168a97314 ("drm/amd/display: move dp link training logic to link_dp_training") Cc: stable(a)vger.kernel.org # 6.3+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- .../amd/display/dc/link/protocols/link_dp_training_128b_132b.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_128b_132b.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_128b_132b.c index db87cfe37b5c..99aae3e43106 100644 --- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_128b_132b.c +++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_128b_132b.c @@ -176,6 +176,8 @@ static enum link_training_result dp_perform_128b_132b_cds_done_sequence( wait_time += lt_settings->cds_pattern_time; status = dp_get_lane_status_and_lane_adjust(link, lt_settings, dpcd_lane_status, &dpcd_lane_status_updated, dpcd_lane_adjust, DPRX); + dp_decide_lane_settings(lt_settings, dpcd_lane_adjust, + lt_settings->hw_lane_settings, lt_settings->dpcd_lane_settings); if (status != DC_OK) { result = LINK_TRAINING_ABORT; } else if (dp_is_symbol_locked(lt_settings->link_settings.lane_count, dpcd_lane_status) && -- 2.42.0.windows.2

1 month, 1 week

1
0
0 0

[PATCH 6.1.y] smb: prevent use-after-free due to open_cached_dir error paths

by Cliff Liu

From: Paul Aurich <paul(a)darkrain42.org> If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs(). Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()): ================================================================== BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0 Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65 CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Workqueue: cifsiod smb2_cached_lease_break Call Trace: <TASK> dump_stack_lvl+0x77/0xb0 print_report+0xce/0x660 kasan_report+0xd3/0x110 smb2_cached_lease_break+0x27/0xb0 process_one_work+0x50a/0xc50 worker_thread+0x2ba/0x530 kthread+0x17c/0x1c0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 open_cached_dir+0xa7d/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x51/0x70 kfree+0x174/0x520 open_cached_dir+0x97f/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x33/0x60 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x32/0x100 __queue_work+0x5c9/0x870 queue_work_on+0x82/0x90 open_cached_dir+0x1369/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff88811cc24c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000) Cc: stable(a)vger.kernel.org Signed-off-by: Paul Aurich <paul(a)darkrain42.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ Do not apply the change for cfids_laundromat_worker() since there is no this function and related feature on 6.1.y. Update open_cached_dir() according to method of upstream patch. ] Signed-off-by: Cliff Liu <donghua.liu(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- fs/smb/client/cached_dir.c | 39 ++++++++++++++++---------------------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/fs/smb/client/cached_dir.c b/fs/smb/client/cached_dir.c index d09226c1ac90..d65d5fe5b8fe 100644 --- a/fs/smb/client/cached_dir.c +++ b/fs/smb/client/cached_dir.c @@ -320,17 +320,13 @@ int open_cached_dir(unsigned int xid, struct cifs_tcon *tcon, /* * We are guaranteed to have two references at this point. * One for the caller and one for a potential lease. - * Release the Lease-ref so that the directory will be closed - * when the caller closes the cached handle. + * Release one here, and the second below. */ kref_put(&cfid->refcount, smb2_close_cached_fid); } if (rc) { - if (cfid->is_open) - SMB2_close(0, cfid->tcon, cfid->fid.persistent_fid, - cfid->fid.volatile_fid); - free_cached_dir(cfid); - cfid = NULL; + cfid->has_lease = false; + kref_put(&cfid->refcount, smb2_close_cached_fid); } if (rc == 0) { @@ -462,25 +458,24 @@ void invalidate_all_cached_dirs(struct cifs_tcon *tcon) cfids->num_entries--; cfid->is_open = false; cfid->on_list = false; - /* To prevent race with smb2_cached_lease_break() */ - kref_get(&cfid->refcount); + if (cfid->has_lease) { + /* + * The lease was never cancelled from the server, + * so steal that reference. + */ + cfid->has_lease = false; + } else + kref_get(&cfid->refcount); } spin_unlock(&cfids->cfid_list_lock); list_for_each_entry_safe(cfid, q, &entry, entry) { list_del(&cfid->entry); cancel_work_sync(&cfid->lease_break); - if (cfid->has_lease) { - /* - * We lease was never cancelled from the server so we - * need to drop the reference. - */ - spin_lock(&cfids->cfid_list_lock); - cfid->has_lease = false; - spin_unlock(&cfids->cfid_list_lock); - kref_put(&cfid->refcount, smb2_close_cached_fid); - } - /* Drop the extra reference opened above*/ + /* + * Drop the ref-count from above, either the lease-ref (if there + * was one) or the extra one acquired. + */ kref_put(&cfid->refcount, smb2_close_cached_fid); } } @@ -491,9 +486,6 @@ smb2_cached_lease_break(struct work_struct *work) struct cached_fid *cfid = container_of(work, struct cached_fid, lease_break); - spin_lock(&cfid->cfids->cfid_list_lock); - cfid->has_lease = false; - spin_unlock(&cfid->cfids->cfid_list_lock); kref_put(&cfid->refcount, smb2_close_cached_fid); } @@ -511,6 +503,7 @@ int cached_dir_lease_break(struct cifs_tcon *tcon, __u8 lease_key[16]) !memcmp(lease_key, cfid->fid.lease_key, SMB2_LEASE_KEY_SIZE)) { + cfid->has_lease = false; cfid->time = 0; /* * We found a lease remove it from the list -- 2.43.0

1 month, 1 week

4
4
0 0

[PATCH net] xsk: fix an integer overflow in xp_create_and_assign_umem()

by Gavrilov Ilia

Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 94033cd8e73b ("xsk: Optimize for aligned case") Cc: stable(a)vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> --- net/xdp/xsk_buff_pool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c index 1f7975b49657..d158cb6dd391 100644 --- a/net/xdp/xsk_buff_pool.c +++ b/net/xdp/xsk_buff_pool.c @@ -105,7 +105,7 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs, if (pool->unaligned) pool->free_heads[i] = xskb; else - xp_init_xskb_addr(xskb, pool, i * pool->chunk_size); + xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size); } return pool; -- 2.39.5

1 month, 1 week

2
1
0 0

Re: [PATCH] block: cleanup and fix batch completion adding conditions

by Milan Broz

On 3/11/25 4:00 PM, Jens Axboe wrote: > On 3/11/25 8:59 AM, Milan Broz wrote: >> On 3/11/25 4:03 AM, Shinichiro Kawasaki wrote: >>> >>> I created fix candidate patches to address the blktests nvme/039 failure [1]. >>> This may work for the failures Ondrej and Milan observe too, hopefully. >> >> Hi, >> >> I quickly tried to run the test with todays' mainline git and mentioned two patches: >> https://lkml.kernel.org/linux-block/20250311024144.1762333-2-shinichiro.kaw… >> https://lkml.kernel.org/linux-block/20250311024144.1762333-3-shinichiro.kaw… >> and it looks like our SED Opal tests are fixed, no errors or warnings, thanks! >> >>> Jens, Alan, could you take a look in the patches and see if they make sense? >> >> Please, fix it before the 6.14 final, this could cause serious data corruption, at least >> on systems using SED Opal drives. > > Fix is already queued up. Hi Jens, it seems the bug was "successfully" backported to stable 6.13.4+ and I do not see any fix in the stable queue yet. We were hit by it today, as all locked ranges for Opal devices now returning empty data instead of failing read. Please could you check what need to be backported to 6.13 stable? IMO these patches should be backported: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm… https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm… Thanks, Milan

1 month, 1 week

1
0
0 0

[PATCH v2] Revert "mmc: sdhci_am654: Add sdhci_am654_start_signal_voltage_switch"

by Josua Mayer

This reverts commit 941a7abd4666912b84ab209396fdb54b0dae685d. This commit uses presence of device-tree properties vmmc-supply and vqmmc-supply for deciding whether to enable a quirk affecting timing of clock and data. The intention was to address issues observed with eMMC and SD on AM62 platforms. This new quirk is however also enabled for AM64 breaking microSD access on the SolidRun HimmingBoard-T which is supported in-tree since v6.11, causing a regression. During boot microSD initialization now fails with the error below: [ 2.008520] mmc1: SDHCI controller on fa00000.mmc [fa00000.mmc] using ADMA 64-bit [ 2.115348] mmc1: error -110 whilst initialising SD card The heuristics for enabling the quirk are clearly not correct as they break at least one but potentially many existing boards. Revert the change and restore original behaviour until a more appropriate method of selecting the quirk is derived. Fixes: 941a7abd4666 ("mmc: sdhci_am654: Add sdhci_am654_start_signal_voltage_switch") Closes: https://lore.kernel.org/linux-mmc/a70fc9fc-186f-4165-a652-3de50733763a@soli… Cc: stable(a)vger.kernel.org Signed-off-by: Josua Mayer <josua(a)solid-run.com> Acked-by: Adrian Hunter <adrian.hunter(a)intel.com> --- Changes in v2: - Fixed "Fixes:" tag invalid commit description copied from history (Reported-by: Adrian Hunter <adrian.hunter(a)intel.com>) (Reported-by: Greg KH <gregkh(a)linuxfoundation.org>) - Link to v1: https://lore.kernel.org/r/20250127-am654-mmc-regression-v1-1-d831f9a13ae9@s… --- drivers/mmc/host/sdhci_am654.c | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/drivers/mmc/host/sdhci_am654.c b/drivers/mmc/host/sdhci_am654.c index b73f673db92bbc042392995e715815e15ace6005..f75c31815ab00d17b5757063521f56ba5643babe 100644 --- a/drivers/mmc/host/sdhci_am654.c +++ b/drivers/mmc/host/sdhci_am654.c @@ -155,7 +155,6 @@ struct sdhci_am654_data { u32 tuning_loop; #define SDHCI_AM654_QUIRK_FORCE_CDTEST BIT(0) -#define SDHCI_AM654_QUIRK_SUPPRESS_V1P8_ENA BIT(1) }; struct window { @@ -357,29 +356,6 @@ static void sdhci_j721e_4bit_set_clock(struct sdhci_host *host, sdhci_set_clock(host, clock); } -static int sdhci_am654_start_signal_voltage_switch(struct mmc_host *mmc, struct mmc_ios *ios) -{ - struct sdhci_host *host = mmc_priv(mmc); - struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); - struct sdhci_am654_data *sdhci_am654 = sdhci_pltfm_priv(pltfm_host); - int ret; - - if ((sdhci_am654->quirks & SDHCI_AM654_QUIRK_SUPPRESS_V1P8_ENA) && - ios->signal_voltage == MMC_SIGNAL_VOLTAGE_180) { - if (!IS_ERR(mmc->supply.vqmmc)) { - ret = mmc_regulator_set_vqmmc(mmc, ios); - if (ret < 0) { - pr_err("%s: Switching to 1.8V signalling voltage failed,\n", - mmc_hostname(mmc)); - return -EIO; - } - } - return 0; - } - - return sdhci_start_signal_voltage_switch(mmc, ios); -} - static u8 sdhci_am654_write_power_on(struct sdhci_host *host, u8 val, int reg) { writeb(val, host->ioaddr + reg); @@ -868,11 +844,6 @@ static int sdhci_am654_get_of_property(struct platform_device *pdev, if (device_property_read_bool(dev, "ti,fails-without-test-cd")) sdhci_am654->quirks |= SDHCI_AM654_QUIRK_FORCE_CDTEST; - /* Suppress v1p8 ena for eMMC and SD with vqmmc supply */ - if (!!of_parse_phandle(dev->of_node, "vmmc-supply", 0) == - !!of_parse_phandle(dev->of_node, "vqmmc-supply", 0)) - sdhci_am654->quirks |= SDHCI_AM654_QUIRK_SUPPRESS_V1P8_ENA; - sdhci_get_of_property(pdev); return 0; @@ -969,7 +940,6 @@ static int sdhci_am654_probe(struct platform_device *pdev) goto err_pltfm_free; } - host->mmc_host_ops.start_signal_voltage_switch = sdhci_am654_start_signal_voltage_switch; host->mmc_host_ops.execute_tuning = sdhci_am654_execute_tuning; pm_runtime_get_noresume(dev); --- base-commit: ffd294d346d185b70e28b1a28abe367bbfe53c04 change-id: 20250127-am654-mmc-regression-ed289f8967c2 Best regards, -- Josua Mayer <josua(a)solid-run.com>

1 month, 1 week

4
7
0 0

[PATCH] ext4: fix OOB read when checking dotdot dir

by Jakub Acs

Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] <TASK> [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: ac27a0ec112a0 ("[PATCH] ext4: initial copy of files from ext3") Signed-off-by: Jakub Acs <acsjakub(a)amazon.com> Cc: "Theodore Ts'o" <tytso(a)mit.edu> Cc: Andreas Dilger <adilger.kernel(a)dilger.ca> Cc: linux-ext4(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Mahmoud Adam <mngyadam(a)amazon.com> Cc: stable(a)vger.kernel.org Cc: security(a)kernel.org --- If not fixed, this potentially leaks information from kernel data structures allocated after the data block. I based the check on the assumption that every ext4 directory has '.' followed by at least one entry ('..') in the first data block. (the code in ext4_empty_dir seems to operate on this assumption) ..and it is also supported by claim in https://www.kernel.org/doc/html/latest/filesystems/ext4/directory.html: "By ext2 custom, the '.' and '..' entries must appear at the beginning of this first block" Please confirm that this is correct and there are no valid ext4 directories that have '.' as the last directory entry. If this assumption is wrong, I would fix the caller rather than the callee. Testing: I booted the kernel in AL2023 EC2 Instance and ran ext4 tests from git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git: <setup with loop devices> ./check ext4/* [..] ext4/002 [not run] This test requires a valid $SCRATCH_LOGDEV ext4/004 [not run] dump utility required, skipped this test ext4/006 [not run] Couldn't find e2fuzz ext4/029 [not run] This test requires a valid $SCRATCH_LOGDEV ext4/030 [not run] mount /dev/loop1 with dax failed ext4/031 [not run] mount /dev/loop1 with dax failed ext4/047 [not run] mount /dev/loop1 with dax=always failed ext4/055 [not run] fsgqa user not defined. ext4/057 [not run] UUID ioctls are not supported by kernel. Not run: ext4/002 ext4/004 ext4/006 ext4/029 ext4/030 ext4/031 ext4/047 ext4/055 ext4/057 Passed all 69 tests (please let me know if any of the skipped tests need to be run) Thanks, Jakub --- fs/ext4/dir.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c index 02d47a64e8d1..d157a6c0eff6 100644 --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -104,6 +104,9 @@ int __ext4_check_dir_entry(const char *function, unsigned int line, else if (unlikely(le32_to_cpu(de->inode) > le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) error_msg = "inode out of bounds"; + else if (unlikely(de->name_len > 0 && strcmp(".", de->name) == 0 && + next_offset == size)) + error_msg = "'.' directory cannot be the last in data block"; else return 0; -- 2.47.1

1 month, 1 week

3
3
0 0

[PATCH net 1/3] mptcp: Fix data stream corruption in the address announcement

by Matthieu Baerts (NGI0)

From: Arthur Mongodin <amongodin(a)randorisec.fr> Because of the size restriction in the TCP options space, the MPTCP ADD_ADDR option is exclusive and cannot be sent with other MPTCP ones. For this reason, in the linked mptcp_out_options structure, group of fields linked to different options are part of the same union. There is a case where the mptcp_pm_add_addr_signal() function can modify opts->addr, but not ended up sending an ADD_ADDR. Later on, back in mptcp_established_options, other options will be sent, but with unexpected data written in other fields due to the union, e.g. in opts->ext_copy. This could lead to a data stream corruption in the next packet. Using an intermediate variable, prevents from corrupting previously established DSS option. The assignment of the ADD_ADDR option parameters is now done once we are sure this ADD_ADDR option can be set in the packet, e.g. after having dropped other suboptions. Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") Cc: stable(a)vger.kernel.org Suggested-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Arthur Mongodin <amongodin(a)randorisec.fr> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> [ Matt: the commit message has been updated: long lines splits and some clarifications. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/options.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/mptcp/options.c b/net/mptcp/options.c index fd2de185bc939f8730e87a63ac02a015e610e99c..23949ae2a3a8db19d05c5c8373f45c885c3523ad 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -651,6 +651,7 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * struct mptcp_sock *msk = mptcp_sk(subflow->conn); bool drop_other_suboptions = false; unsigned int opt_size = *size; + struct mptcp_addr_info addr; bool echo; int len; @@ -659,7 +660,7 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * */ if (!mptcp_pm_should_add_signal(msk) || (opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) || - !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &opts->addr, + !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &addr, &echo, &drop_other_suboptions)) return false; @@ -672,7 +673,7 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * else if (opts->suboptions & OPTION_MPTCP_DSS) return false; - len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port); + len = mptcp_add_addr_len(addr.family, echo, !!addr.port); if (remaining < len) return false; @@ -689,6 +690,7 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * opts->ahmac = 0; *size -= opt_size; } + opts->addr = addr; opts->suboptions |= OPTION_MPTCP_ADD_ADDR; if (!echo) { MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_ADDADDRTX); -- 2.48.1

1 month, 1 week

2
2
0 0

[PATCH net 3/3] mptcp: sockopt: fix getting freebind & transparent

by Matthieu Baerts (NGI0)

When adding a socket option support in MPTCP, both the get and set parts are supposed to be implemented. IP(V6)_FREEBIND and IP(V6)_TRANSPARENT support for the setsockopt part has been added a while ago, but it looks like the get part got forgotten. It should have been present as a way to verify a setting has been set as expected, and not to act differently from TCP or any other socket types. Everything was in place to expose it, just the last step was missing. Only new code is added to cover these specific getsockopt(), that seems safe. Fixes: c9406a23c116 ("mptcp: sockopt: add SOL_IP freebind & transparent options") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/sockopt.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c index 4b99eb796855e4578d14df90f9d1cc3f1cd5b8c7..3caa0a9d3b3885ce6399570f2d98a2e8f103638d 100644 --- a/net/mptcp/sockopt.c +++ b/net/mptcp/sockopt.c @@ -1419,6 +1419,12 @@ static int mptcp_getsockopt_v4(struct mptcp_sock *msk, int optname, switch (optname) { case IP_TOS: return mptcp_put_int_option(msk, optval, optlen, READ_ONCE(inet_sk(sk)->tos)); + case IP_FREEBIND: + return mptcp_put_int_option(msk, optval, optlen, + inet_test_bit(FREEBIND, sk)); + case IP_TRANSPARENT: + return mptcp_put_int_option(msk, optval, optlen, + inet_test_bit(TRANSPARENT, sk)); case IP_BIND_ADDRESS_NO_PORT: return mptcp_put_int_option(msk, optval, optlen, inet_test_bit(BIND_ADDRESS_NO_PORT, sk)); @@ -1439,6 +1445,12 @@ static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname, case IPV6_V6ONLY: return mptcp_put_int_option(msk, optval, optlen, sk->sk_ipv6only); + case IPV6_TRANSPARENT: + return mptcp_put_int_option(msk, optval, optlen, + inet_test_bit(TRANSPARENT, sk)); + case IPV6_FREEBIND: + return mptcp_put_int_option(msk, optval, optlen, + inet_test_bit(FREEBIND, sk)); } return -EOPNOTSUPP; -- 2.48.1

1 month, 1 week

2
1
0 0

[PATCH 01/15] proc: fix UAF in proc_get_inode()

by Ayaan Mirza Baig

From: Ye Bin <yebin10(a)huawei.com> Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan(a)gmail.com: don't do 2 atomic ops on the common path] Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183 Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression") Signed-off-by: Ye Bin <yebin10(a)huawei.com> Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: David S. Miller <davem(a)davemloft.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Ayaan Mirza Baig <ayaanmirzabaig85(a)gmail.com> --- fs/proc/generic.c | 10 +++++++++- fs/proc/inode.c | 6 +++--- fs/proc/internal.h | 14 ++++++++++++++ include/linux/proc_fs.h | 7 +++++-- 4 files changed, 31 insertions(+), 6 deletions(-) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 8ec90826a49e..a3e22803cddf 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -559,10 +559,16 @@ struct proc_dir_entry *proc_create_reg(const char *name, umode_t mode, return p; } -static inline void pde_set_flags(struct proc_dir_entry *pde) +static void pde_set_flags(struct proc_dir_entry *pde) { if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) pde->flags |= PROC_ENTRY_PERMANENT; + if (pde->proc_ops->proc_read_iter) + pde->flags |= PROC_ENTRY_proc_read_iter; +#ifdef CONFIG_COMPAT + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; +#endif } struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, @@ -626,6 +632,7 @@ struct proc_dir_entry *proc_create_seq_private(const char *name, umode_t mode, p->proc_ops = &proc_seq_ops; p->seq_ops = ops; p->state_size = state_size; + pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_seq_private); @@ -656,6 +663,7 @@ struct proc_dir_entry *proc_create_single_data(const char *name, umode_t mode, return NULL; p->proc_ops = &proc_single_ops; p->single_show = show; + pde_set_flags(p); return proc_register(parent, p); } EXPORT_SYMBOL(proc_create_single_data); diff --git a/fs/proc/inode.c b/fs/proc/inode.c index 626ad7bd94f2..a3eb3b740f76 100644 --- a/fs/proc/inode.c +++ b/fs/proc/inode.c @@ -656,13 +656,13 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) if (S_ISREG(inode->i_mode)) { inode->i_op = de->proc_iops; - if (de->proc_ops->proc_read_iter) + if (pde_has_proc_read_iter(de)) inode->i_fop = &proc_iter_file_ops; else inode->i_fop = &proc_reg_file_ops; #ifdef CONFIG_COMPAT - if (de->proc_ops->proc_compat_ioctl) { - if (de->proc_ops->proc_read_iter) + if (pde_has_proc_compat_ioctl(de)) { + if (pde_has_proc_read_iter(de)) inode->i_fop = &proc_iter_file_ops_compat; else inode->i_fop = &proc_reg_file_ops_compat; diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 1695509370b8..77a517f91821 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -85,6 +85,20 @@ static inline void pde_make_permanent(struct proc_dir_entry *pde) pde->flags |= PROC_ENTRY_PERMANENT; } +static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde) +{ + return pde->flags & PROC_ENTRY_proc_read_iter; +} + +static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde) +{ +#ifdef CONFIG_COMPAT + return pde->flags & PROC_ENTRY_proc_compat_ioctl; +#else + return false; +#endif +} + extern struct kmem_cache *proc_dir_entry_cache; void pde_free(struct proc_dir_entry *pde); diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 0b2a89854440..ea62201c74c4 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h @@ -20,10 +20,13 @@ enum { * If in doubt, ignore this flag. */ #ifdef MODULE - PROC_ENTRY_PERMANENT = 0U, + PROC_ENTRY_PERMANENT = 0U, #else - PROC_ENTRY_PERMANENT = 1U << 0, + PROC_ENTRY_PERMANENT = 1U << 0, #endif + + PROC_ENTRY_proc_read_iter = 1U << 1, + PROC_ENTRY_proc_compat_ioctl = 1U << 2, }; struct proc_ops { -- 2.48.1

1 month, 1 week

1
0
0 0

[PATCH RESEND] fs/netfs/read_collect: add to next->prev_donated

by Max Kellermann

If multiple subrequests donate data to the same "next" request (depending on the subrequest completion order), each of them would overwrite the `prev_donated` field, causing data corruption and a BUG() crash ("Can't donate prior to front"). Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Closes: https://lore.kernel.org/netfs/CAKPOu+_4mUwYgQtRTbXCmi+-k3PGvLysnPadkmHOyB7G… Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Signed-off-by: David Howells <dhowells(a)redhat.com> --- fs/netfs/read_collect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c index 8878b46589ff..cafadfe8e858 100644 --- a/fs/netfs/read_collect.c +++ b/fs/netfs/read_collect.c @@ -284,7 +284,7 @@ static bool netfs_consume_read_data(struct netfs_io_subrequest *subreq, bool was netfs_trace_donate_to_deferred_next); } else { next = list_next_entry(subreq, rreq_link); - WRITE_ONCE(next->prev_donated, excess); + WRITE_ONCE(next->prev_donated, next->prev_donated + excess); trace_netfs_donate(rreq, subreq, next, excess, netfs_trace_donate_to_next); } -- 2.47.2

1 month, 1 week

4
3
0 0

6.6.84-rc1 build regression on ia64 (and possibly other architectures)

by Frank Scheiner

Dear Greg, I see that the review for 6.6.84-rc1 hasn't started yet, but as it was already available on [1], our CI has already tried to built it for ia64 in the morning. Unfortunately that failed - I assume due to the following **missing** upstream commit: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm… [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.… Build failure (see [2]): ``` [...] CC drivers/video/fbdev/core/fbcon.o drivers/video/fbdev/core/fbcon.c: In function 'fb_console_setup': drivers/video/fbdev/core/fbcon.c:478:33: error: 'fb_center_logo' undeclared (first use in this function); did you mean 'fb_prepare_logo'? 478 | fb_center_logo = true; | ^~~~~~~~~~~~~~ | fb_prepare_logo drivers/video/fbdev/core/fbcon.c:478:33: note: each undeclared identifier is reported only once for each function it appears in drivers/video/fbdev/core/fbcon.c:485:33: error: 'fb_logo_count' undeclared (first use in this function); did you mean 'file_count'? 485 | fb_logo_count = simple_strtol(options, &options, 0); | ^~~~~~~~~~~~~ | file_count make[8]: *** [scripts/Makefile.build:243: drivers/video/fbdev/core/fbcon.o] Error 1 [...] ``` [2]: https://github.com/linux-ia64/linux-stable-rc/actions/runs/13914712427/job/… [3] (fa671e4f1556e2c18e5443f777a75ae041290068 upstream) includes definitions for these variables, but they are guarded by CONFIG_LOGO. But in `drivers/video/fbdev/core/fbcon.c` those variables are used unguarded with 6.6.84-rc1. The above upstream commit (8887086) fixes that IIUC. Not build-tested yet, though. [3]: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.… Cheers, Frank

1 month, 1 week

2
1
0 0

RE: Transform your business

by kristina williams

Hi again, I would appreciate your feedback on the proposal I sent earlier. Looking forward to your response. Best regards, Kristina ________________________________ From: Kristina Williams Sent: 17 March 2025 12:29 To: linux-stable-mirror(a)lists.linaro.org<mailto:linux-stable-mirror@lists.linaro.org> Subject: Transform your business Hi there, Would you like an updated contact list of Real Estate CRM Software users and customers? We can also provide contact lists for users and customers of the following companies: * AppFolio * RealPage * Buildium * CoreLogic * Yardi Voyager * Kissflow CRM * Pipedrive * HubSpot CRM Service and more... Please specify the target technology users and geographical areas of interest, so we can provide relevant information accordingly. Kind regards, Kristina Williams Lead Specialist To unsubscribe from future emails, simply reply with Stop.

1 month, 1 week

1
0
0 0

Re: Patch "nvme-fc: do not ignore connectivity loss during connecting" has been added to the 6.13-stable tree

by Daniel Wagner

Hi Sasha, On Sat, Mar 15, 2025 at 09:34:40AM -0400, Sasha Levin wrote: > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. This fix is unfortunately buggy (schedule in atomic context). There is a fixup patch which would be necessary alongside this patch: f13409bb3f91 ("nvme-fc: rely on state transitions to handle connectivity loss") Thanks, Daniel > commit e0cdcd023334a757ae78a43d2fa8909dcc72ec56 > Author: Daniel Wagner <wagi(a)kernel.org> > Date: Thu Jan 9 14:30:49 2025 +0100 > > nvme-fc: do not ignore connectivity loss during connecting

1 month, 1 week

2
1
0 0

Re: Patch "mm: shmem: skip swapcache for swapin of synchronous swap device" has been added to the 6.13-stable tree

by Hugh Dickins

On Tue, 18 Mar 2025, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > mm: shmem: skip swapcache for swapin of synchronous swap device > > to the 6.13-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > mm-shmem-skip-swapcache-for-swapin-of-synchronous-sw.patch > and it can be found in the queue-6.13 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 91c40c9fb0e939508d814e1ac302011d8e8213eb > Author: Baolin Wang <baolin.wang(a)linux.alibaba.com> > Date: Wed Jan 8 10:16:49 2025 +0800 > > mm: shmem: skip swapcache for swapin of synchronous swap device > > [ Upstream commit 1dd44c0af4fa1e80a4e82faa10cbf5d22da40362 ] > > With fast swap devices (such as zram), swapin latency is crucial to > applications. For shmem swapin, similar to anonymous memory swapin, we > can skip the swapcache operation to improve swapin latency. Testing 1G > shmem sequential swapin without THP enabled, I observed approximately a 6% > performance improvement: (Note: I repeated 5 times and took the mean data > for each test) > > w/o patch w/ patch changes > 534.8ms 501ms +6.3% > > In addition, currently, we always split the large swap entry stored in the > shmem mapping during shmem large folio swapin, which is not perfect, > especially with a fast swap device. We should swap in the whole large > folio instead of splitting the precious large folios to take advantage of > the large folios and improve the swapin latency if the swap device is > synchronous device, which is similar to anonymous memory mTHP swapin. > Testing 1G shmem sequential swapin with 64K mTHP and 2M mTHP, I observed > obvious performance improvement: > > mTHP=64K > w/o patch w/ patch changes > 550.4ms 169.6ms +69% > > mTHP=2M > w/o patch w/ patch changes > 542.8ms 126.8ms +77% > > Note that skipping swapcache requires attention to concurrent swapin > scenarios. Fortunately the swapcache_prepare() and > shmem_add_to_page_cache() can help identify concurrent swapin and large > swap entry split scenarios, and return -EEXIST for retry. > > [akpm(a)linux-foundation.org: use IS_ENABLED(), tweak comment grammar] > Link: https://lkml.kernel.org/r/3d9f3bd3bc6ec953054baff5134f66feeaae7c1e.17363017… > Signed-off-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> > Cc: David Hildenbrand <david(a)redhat.com> > Cc: "Huang, Ying" <ying.huang(a)linux.alibaba.com> > Cc: Hugh Dickins <hughd(a)google.com> > Cc: Kairui Song <kasong(a)tencent.com> > Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> > Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> > Cc: Ryan Roberts <ryan.roberts(a)arm.com> > Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> > Stable-dep-of: 058313515d5a ("mm: shmem: fix potential data corruption during shmem swapin") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> No, NAK to this one going to stable. Hugh > > diff --git a/mm/shmem.c b/mm/shmem.c > index e10d6e0924620..6d30139d3967d 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -1903,6 +1903,65 @@ static struct folio *shmem_alloc_and_add_folio(struct vm_fault *vmf, > return ERR_PTR(error); > } > > +static struct folio *shmem_swap_alloc_folio(struct inode *inode, > + struct vm_area_struct *vma, pgoff_t index, > + swp_entry_t entry, int order, gfp_t gfp) > +{ > + struct shmem_inode_info *info = SHMEM_I(inode); > + struct folio *new; > + void *shadow; > + int nr_pages; > + > + /* > + * We have arrived here because our zones are constrained, so don't > + * limit chance of success with further cpuset and node constraints. > + */ > + gfp &= ~GFP_CONSTRAINT_MASK; > + if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) && order > 0) { > + gfp_t huge_gfp = vma_thp_gfp_mask(vma); > + > + gfp = limit_gfp_mask(huge_gfp, gfp); > + } > + > + new = shmem_alloc_folio(gfp, order, info, index); > + if (!new) > + return ERR_PTR(-ENOMEM); > + > + nr_pages = folio_nr_pages(new); > + if (mem_cgroup_swapin_charge_folio(new, vma ? vma->vm_mm : NULL, > + gfp, entry)) { > + folio_put(new); > + return ERR_PTR(-ENOMEM); > + } > + > + /* > + * Prevent parallel swapin from proceeding with the swap cache flag. > + * > + * Of course there is another possible concurrent scenario as well, > + * that is to say, the swap cache flag of a large folio has already > + * been set by swapcache_prepare(), while another thread may have > + * already split the large swap entry stored in the shmem mapping. > + * In this case, shmem_add_to_page_cache() will help identify the > + * concurrent swapin and return -EEXIST. > + */ > + if (swapcache_prepare(entry, nr_pages)) { > + folio_put(new); > + return ERR_PTR(-EEXIST); > + } > + > + __folio_set_locked(new); > + __folio_set_swapbacked(new); > + new->swap = entry; > + > + mem_cgroup_swapin_uncharge_swap(entry, nr_pages); > + shadow = get_shadow_from_swap_cache(entry); > + if (shadow) > + workingset_refault(new, shadow); > + folio_add_lru(new); > + swap_read_folio(new, NULL); > + return new; > +} > + > /* > * When a page is moved from swapcache to shmem filecache (either by the > * usual swapin of shmem_get_folio_gfp(), or by the less common swapoff of > @@ -2006,7 +2065,8 @@ static int shmem_replace_folio(struct folio **foliop, gfp_t gfp, > } > > static void shmem_set_folio_swapin_error(struct inode *inode, pgoff_t index, > - struct folio *folio, swp_entry_t swap) > + struct folio *folio, swp_entry_t swap, > + bool skip_swapcache) > { > struct address_space *mapping = inode->i_mapping; > swp_entry_t swapin_error; > @@ -2022,7 +2082,8 @@ static void shmem_set_folio_swapin_error(struct inode *inode, pgoff_t index, > > nr_pages = folio_nr_pages(folio); > folio_wait_writeback(folio); > - delete_from_swap_cache(folio); > + if (!skip_swapcache) > + delete_from_swap_cache(folio); > /* > * Don't treat swapin error folio as alloced. Otherwise inode->i_blocks > * won't be 0 when inode is released and thus trigger WARN_ON(i_blocks) > @@ -2126,6 +2187,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > struct shmem_inode_info *info = SHMEM_I(inode); > struct swap_info_struct *si; > struct folio *folio = NULL; > + bool skip_swapcache = false; > swp_entry_t swap; > int error, nr_pages; > > @@ -2147,6 +2209,8 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > /* Look it up and read it in.. */ > folio = swap_cache_get_folio(swap, NULL, 0); > if (!folio) { > + int order = xa_get_order(&mapping->i_pages, index); > + bool fallback_order0 = false; > int split_order; > > /* Or update major stats only when swapin succeeds?? */ > @@ -2156,6 +2220,33 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > count_memcg_event_mm(fault_mm, PGMAJFAULT); > } > > + /* > + * If uffd is active for the vma, we need per-page fault > + * fidelity to maintain the uffd semantics, then fallback > + * to swapin order-0 folio, as well as for zswap case. > + */ > + if (order > 0 && ((vma && unlikely(userfaultfd_armed(vma))) || > + !zswap_never_enabled())) > + fallback_order0 = true; > + > + /* Skip swapcache for synchronous device. */ > + if (!fallback_order0 && data_race(si->flags & SWP_SYNCHRONOUS_IO)) { > + folio = shmem_swap_alloc_folio(inode, vma, index, swap, order, gfp); > + if (!IS_ERR(folio)) { > + skip_swapcache = true; > + goto alloced; > + } > + > + /* > + * Fallback to swapin order-0 folio unless the swap entry > + * already exists. > + */ > + error = PTR_ERR(folio); > + folio = NULL; > + if (error == -EEXIST) > + goto failed; > + } > + > /* > * Now swap device can only swap in order 0 folio, then we > * should split the large swap entry stored in the pagecache > @@ -2186,9 +2277,10 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > } > } > > +alloced: > /* We have to do this with folio locked to prevent races */ > folio_lock(folio); > - if (!folio_test_swapcache(folio) || > + if ((!skip_swapcache && !folio_test_swapcache(folio)) || > folio->swap.val != swap.val || > !shmem_confirm_swap(mapping, index, swap)) { > error = -EEXIST; > @@ -2224,7 +2316,12 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > if (sgp == SGP_WRITE) > folio_mark_accessed(folio); > > - delete_from_swap_cache(folio); > + if (skip_swapcache) { > + folio->swap.val = 0; > + swapcache_clear(si, swap, nr_pages); > + } else { > + delete_from_swap_cache(folio); > + } > folio_mark_dirty(folio); > swap_free_nr(swap, nr_pages); > put_swap_device(si); > @@ -2235,8 +2332,11 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > if (!shmem_confirm_swap(mapping, index, swap)) > error = -EEXIST; > if (error == -EIO) > - shmem_set_folio_swapin_error(inode, index, folio, swap); > + shmem_set_folio_swapin_error(inode, index, folio, swap, > + skip_swapcache); > unlock: > + if (skip_swapcache) > + swapcache_clear(si, swap, folio_nr_pages(folio)); > if (folio) { > folio_unlock(folio); > folio_put(folio); >

1 month, 1 week

3
2
0 0

[PATCH 6.12 0/8] KVM: arm64: Backport of SVE fixes to v6.12

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v6.12. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/kvm_host.h | 25 ++---- arch/arm64/kernel/fpsimd.c | 25 ------ arch/arm64/kvm/arm.c | 9 --- arch/arm64/kvm/fpsimd.c | 100 ++---------------------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 133 ++++++++++++++++++++++--------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 15 ++-- arch/arm64/kvm/hyp/nvhe/pkvm.c | 29 ------- arch/arm64/kvm/hyp/nvhe/switch.c | 134 ++++++++++++++++++-------------- arch/arm64/kvm/hyp/vhe/switch.c | 21 ++--- 10 files changed, 204 insertions(+), 292 deletions(-) --- base-commit: e9cc806c0152fa9993f817cebf42989a3e2530bb change-id: 20250227-stable-sve-6-12-777778ad28fb Best regards, -- Mark Brown <broonie(a)kernel.org>

1 month, 1 week

9
25
0 0

[PATCH v2 2/2] sched/topology: Fix EAS freq-invariance print

by Christian Loehle

Add the missing newline on frequency invariance check to ensure the EAS abort reason doesn't go missing. Fixes: fa50e2b452c6 ("sched/topology: Condition EAS enablement on FIE support") Cc: stable(a)vger.kernel.org Signed-off-by: Christian Loehle <christian.loehle(a)arm.com> Reviewed-by: Vincent Guittot <vincent.guittot(a)linaro.org> --- kernel/sched/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index 27f14a775004..18e804b416f5 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -245,7 +245,7 @@ static bool sched_is_eas_possible(const struct cpumask *cpu_mask) if (!arch_scale_freq_invariant()) { if (sched_debug()) { - pr_info("rd %*pbl: Checking EAS: frequency-invariant load tracking not yet supported", + pr_info("rd %*pbl: Checking EAS: frequency-invariant load tracking not yet supported\n", cpumask_pr_args(cpu_mask)); } return false; -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH v2 1/2] sched/topology: Fix EAS cpufreq check print

by Christian Loehle

Add the missing newline on cpufreq check to ensure the EAS abort reason doesn't go missing. Fixes: 8f833c82cdab ("sched/topology: Change behaviour of the 'sched_energy_aware' sysctl, based on the platform") Cc: stable(a)vger.kernel.org Signed-off-by: Christian Loehle <christian.loehle(a)arm.com> Reviewed-by: Vincent Guittot <vincent.guittot(a)linaro.org> --- kernel/sched/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index c49aea8c1025..27f14a775004 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -256,7 +256,7 @@ static bool sched_is_eas_possible(const struct cpumask *cpu_mask) policy = cpufreq_cpu_get(i); if (!policy) { if (sched_debug()) { - pr_info("rd %*pbl: Checking EAS, cpufreq policy not set for CPU: %d", + pr_info("rd %*pbl: Checking EAS, cpufreq policy not set for CPU: %d\n", cpumask_pr_args(cpu_mask), i); } return false; -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH] mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD

by Ulf Hansson

We have received reports about cards can become corrupt related to the aggressive PM support. Let's make a partial revert of the change that enabled the feature. Reported-by: David Owens <daowens01(a)gmail.com> Reported-by: Romain Naour <romain.naour(a)smile.fr> Reported-by: Robert Nelson <robertcnelson(a)gmail.com> Tested-by: Robert Nelson <robertcnelson(a)gmail.com> Fixes: 3edf588e7fe0 ("mmc: sdhci-omap: Allow SDIO card power off and enable aggressive PM") Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> --- drivers/mmc/host/sdhci-omap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c index 54d795205fb4..26a9a8b5682a 100644 --- a/drivers/mmc/host/sdhci-omap.c +++ b/drivers/mmc/host/sdhci-omap.c @@ -1339,8 +1339,8 @@ static int sdhci_omap_probe(struct platform_device *pdev) /* R1B responses is required to properly manage HW busy detection. */ mmc->caps |= MMC_CAP_NEED_RSP_BUSY; - /* Allow card power off and runtime PM for eMMC/SD card devices */ - mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_AGGRESSIVE_PM; + /* Enable SDIO card power off. */ + mmc->caps |= MMC_CAP_POWER_OFF_CARD; ret = sdhci_setup_host(host); if (ret) -- 2.43.0

1 month, 1 week

4
5
0 0

[PATCH 6.1] ubi: Add a check for ubi_num

by Denis Arefev

From: Denis Arefev <arefev(a)swemel.ru> commit 97bbf9e312c3fbaf0baa56120238825d2eb23b8a upstream. Added a check for ubi_num for negative numbers If the variable ubi_num takes negative values then we get: qemu-system-arm ... -append "ubi.mtd=0,0,0,-22222345" ... [ 0.745065] ubi_attach_mtd_dev from ubi_init+0x178/0x218 [ 0.745230] ubi_init from do_one_initcall+0x70/0x1ac [ 0.745344] do_one_initcall from kernel_init_freeable+0x198/0x224 [ 0.745474] kernel_init_freeable from kernel_init+0x18/0x134 [ 0.745600] kernel_init from ret_from_fork+0x14/0x28 [ 0.745727] Exception stack(0x90015fb0 to 0x90015ff8) Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 83ff59a06663 ("UBI: support ubi_num on mtd.ubi command line") Signed-off-by: Denis Arefev <arefev(a)swemel.ru> Reviewed-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Richard Weinberger <richard(a)nod.at> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/mtd/ubi/build.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index 6fbd77dc1d18..6a7577e57617 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -1460,9 +1460,9 @@ static int ubi_mtd_param_parse(const char *val, const struct kernel_param *kp) if (token) { int err = kstrtoint(token, 10, &p->ubi_num); - if (err) { - pr_err("UBI error: bad value for ubi_num parameter: %s", - token); + if (err || p->ubi_num < UBI_DEV_NUM_AUTO) { + pr_err("UBI error: bad value for ubi_num parameter: %s\n", + token); return -EINVAL; } } else -- 2.43.0

1 month, 1 week

1
0
0 0

[PATCH 1/4] net: fix uninitialised access in mii_nway_restart()

by Qasim Ijaz

In mii_nway_restart() during the line: bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR); The code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer, which is initialised with control_read(): unsigned char buff[2]; However buff is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then buff remains uninitialised. Once this happens the uninitialised buff is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of buff. To fix this we should check the return value of control_read() and return early on error. Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9 Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/net/mii.c | 2 ++ drivers/net/usb/ch9200.c | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/mii.c b/drivers/net/mii.c index 37bc3131d31a..e305bf0f1d04 100644 --- a/drivers/net/mii.c +++ b/drivers/net/mii.c @@ -464,6 +464,8 @@ int mii_nway_restart (struct mii_if_info *mii) /* if autoneg is off, it's an error */ bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR); + if (bmcr < 0) + return bmcr; if (bmcr & BMCR_ANENABLE) { bmcr |= BMCR_ANRESTART; diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c index f69d9b902da0..a206ffa76f1b 100644 --- a/drivers/net/usb/ch9200.c +++ b/drivers/net/usb/ch9200.c @@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) { struct usbnet *dev = netdev_priv(netdev); unsigned char buff[2]; + int ret; netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n", __func__, phy_id, loc); @@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) if (phy_id != 0) return -ENODEV; - control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, - CONTROL_TIMEOUT_MS); + ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, + CONTROL_TIMEOUT_MS); + if (ret < 0) + return ret; return (buff[0] | buff[1] << 8); } -- 2.39.5

1 month, 1 week

1
0
0 0

[PATCH 6.1.y] smb: client: fix potential UAF in cifs_dump_full_key()

by jianqi.ren.cn＠windriver.com

From: Paulo Alcantara <pc(a)manguebit.com> [ Upstream commit 58acd1f497162e7d282077f816faa519487be045 ] Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/smb/client/ioctl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/smb/client/ioctl.c b/fs/smb/client/ioctl.c index ae9905e2b9d4..7402070b7a06 100644 --- a/fs/smb/client/ioctl.c +++ b/fs/smb/client/ioctl.c @@ -246,7 +246,9 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug spin_lock(&cifs_tcp_ses_lock); list_for_each_entry(server_it, &cifs_tcp_ses_list, tcp_ses_list) { list_for_each_entry(ses_it, &server_it->smb_ses_list, smb_ses_list) { - if (ses_it->Suid == out.session_id) { + spin_lock(&ses_it->ses_lock); + if (ses_it->ses_status != SES_EXITING && + ses_it->Suid == out.session_id) { ses = ses_it; /* * since we are using the session outside the crit @@ -254,9 +256,11 @@ static int cifs_dump_full_key(struct cifs_tcon *tcon, struct smb3_full_key_debug * so increment its refcount */ ses->ses_count++; + spin_unlock(&ses_it->ses_lock); found = true; goto search_end; } + spin_unlock(&ses_it->ses_lock); } } search_end: -- 2.25.1

1 month, 1 week

2
1
0 0

[PATCH -stable,6.6 v2 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

v2: fix incorrect patch submission. -o- Hi Greg, Sasha, This batch contains a backport fix for 6.6-stable. The following list shows the backported patches, I am using original commit IDs for reference: 1) 82cfd785c7b3 ("netfilter: nf_tables: bail out if stateful expression provides no .clone") This is a stable dependency for the next patch. 2) 56fac3c36c8f ("netfilter: nf_tables: allow clone callbacks to sleep") Without this series, ENOMEM is reported when loading a set with 100k elements with counters. Please, apply, Thanks Florian Westphal (1): netfilter: nf_tables: allow clone callbacks to sleep Pablo Neira Ayuso (1): netfilter: nf_tables: bail out if stateful expression provides no .clone include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nf_tables_api.c | 21 ++++++++++----------- net/netfilter/nft_connlimit.c | 4 ++-- net/netfilter/nft_counter.c | 4 ++-- net/netfilter/nft_dynset.c | 2 +- net/netfilter/nft_last.c | 4 ++-- net/netfilter/nft_limit.c | 14 ++++++++------ net/netfilter/nft_quota.c | 4 ++-- 8 files changed, 29 insertions(+), 28 deletions(-) -- 2.30.2

1 month, 1 week

2
4
0 0

[PATCH 5.15.y] smb: client: fix potential UAF in cifs_debug_files_proc_show()

by jianqi.ren.cn＠windriver.com

From: Paulo Alcantara <pc(a)manguebit.com> [ Upstream commit ca545b7f0823f19db0f1148d59bc5e1a56634502 ] Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [This patch removes lock/unlock operation in routine cifs_ses_exiting() for ses_lock is not present in v5.15 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.15.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/cifs/cifs_debug.c | 2 ++ fs/cifs/cifsglob.h | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index e7501533c2ec..8eb91bd18439 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -183,6 +183,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v) list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { list_for_each(tmp, &server->smb_ses_list) { ses = list_entry(tmp, struct cifs_ses, smb_ses_list); + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp1, &ses->tcon_list) { tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); spin_lock(&tcon->open_file_lock); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 2ee67a27020d..7b57cc5d7022 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -2041,4 +2041,12 @@ static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg, return sg; } +static inline bool cifs_ses_exiting(struct cifs_ses *ses) +{ + bool ret; + + ret = ses->status == CifsExiting; + return ret; +} + #endif /* _CIFS_GLOB_H */ -- 2.25.1

1 month, 1 week

2
1
0 0

[PATCH -stable,6.6 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport fix for 6.6-stable. The following list shows the backported patches, I am using original commit IDs for reference: 1) 82cfd785c7b3 ("netfilter: nf_tables: bail out if stateful expression provides no .clone") This is a stable dependency for the next patch. 2) 56fac3c36c8f ("netfilter: nf_tables: allow clone callbacks to sleep") Please, apply, Thanks without this fix, the default set expression is silently ignored when used from dynamic sets. Florian Westphal (1): netfilter: nf_tables: allow clone callbacks to sleep Pablo Neira Ayuso (1): netfilter: nf_tables: use timestamp to check for set element timeout include/net/netfilter/nf_tables.h | 20 ++++++++++++++++---- net/netfilter/nf_tables_api.c | 12 +++++++----- net/netfilter/nft_connlimit.c | 4 ++-- net/netfilter/nft_counter.c | 4 ++-- net/netfilter/nft_dynset.c | 2 +- net/netfilter/nft_last.c | 4 ++-- net/netfilter/nft_limit.c | 14 ++++++++------ net/netfilter/nft_quota.c | 4 ++-- net/netfilter/nft_set_hash.c | 8 +++++++- net/netfilter/nft_set_pipapo.c | 18 +++++++++++------- net/netfilter/nft_set_rbtree.c | 11 +++++++---- 11 files changed, 65 insertions(+), 36 deletions(-) -- 2.30.2

1 month, 1 week

2
5
0 0

[PATCH 6.1.y] media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning

by bin.lan.cn＠windriver.com

From: Yunfei Dong <yunfei.dong(a)mediatek.com> [ Upstream commit b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44 ] Fix a smatch static checker warning on vdec_vp8_req_if.c. Which leads to a kernel crash when fb is NULL. Fixes: 7a7ae26fd458 ("media: mediatek: vcodec: support stateless VP8 decoding") Signed-off-by: Yunfei Dong <yunfei.dong(a)mediatek.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Sebastian Fricke <sebastian.fricke(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- .../platform/mediatek/vcodec/vdec/vdec_vp8_req_if.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp8_req_if.c b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp8_req_if.c index e1fe2603e92e..22d8f178b04d 100644 --- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp8_req_if.c +++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp8_req_if.c @@ -336,14 +336,18 @@ static int vdec_vp8_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs, src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer); fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx); - dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer); + if (!fb) { + mtk_vcodec_err(inst, "fb buffer is NULL"); + return -ENOMEM; + } - y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0; + dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer); + y_fb_dma = fb->base_y.dma_addr; if (inst->ctx->q_data[MTK_Q_DATA_DST].fmt->num_planes == 1) c_fb_dma = y_fb_dma + inst->ctx->picinfo.buf_w * inst->ctx->picinfo.buf_h; else - c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0; + c_fb_dma = fb->base_c.dma_addr; inst->vsi->dec.bs_dma = (u64)bs->dma_addr; inst->vsi->dec.bs_sz = bs->size; -- 2.34.1

1 month, 1 week

2
1
0 0

[PATCH 1/4] net: fix uninitialised access in mii_nway_restart()

by Qasim Ijaz

In mii_nway_restart() during the line: bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR); The code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer, which is initialised with control_read(): unsigned char buff[2]; However buff is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then buff remains uninitialised. Once this happens the uninitialised buff is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of buff. To fix this we should check the return value of control_read() and return early on error. Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9 Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/net/mii.c | 2 ++ drivers/net/usb/ch9200.c | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/mii.c b/drivers/net/mii.c index 37bc3131d31a..e305bf0f1d04 100644 --- a/drivers/net/mii.c +++ b/drivers/net/mii.c @@ -464,6 +464,8 @@ int mii_nway_restart (struct mii_if_info *mii) /* if autoneg is off, it's an error */ bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR); + if (bmcr < 0) + return bmcr; if (bmcr & BMCR_ANENABLE) { bmcr |= BMCR_ANRESTART; diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c index f69d9b902da0..a206ffa76f1b 100644 --- a/drivers/net/usb/ch9200.c +++ b/drivers/net/usb/ch9200.c @@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) { struct usbnet *dev = netdev_priv(netdev); unsigned char buff[2]; + int ret; netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n", __func__, phy_id, loc); @@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) if (phy_id != 0) return -ENODEV; - control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, - CONTROL_TIMEOUT_MS); + ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, + CONTROL_TIMEOUT_MS); + if (ret < 0) + return ret; return (buff[0] | buff[1] << 8); } -- 2.39.5

1 month, 1 week

1
0
0 0

[PATCH 6.13 0/8] KVM: arm64: Backport of SVE fixes to v6.13

by Mark Brown

This series backports some recent fixes for SVE/KVM interactions from Mark Rutland to v6.13. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Rutland (7): KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} arch/arm64/include/asm/kvm_host.h | 25 ++---- arch/arm64/kernel/fpsimd.c | 25 ------ arch/arm64/kvm/arm.c | 9 --- arch/arm64/kvm/fpsimd.c | 100 ++---------------------- arch/arm64/kvm/hyp/entry.S | 5 ++ arch/arm64/kvm/hyp/include/hyp/switch.h | 133 ++++++++++++++++++++++--------- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 15 ++-- arch/arm64/kvm/hyp/nvhe/pkvm.c | 30 ------- arch/arm64/kvm/hyp/nvhe/switch.c | 134 ++++++++++++++++++-------------- arch/arm64/kvm/hyp/vhe/switch.c | 21 ++--- 10 files changed, 204 insertions(+), 293 deletions(-) --- base-commit: 251aeb0f2f570db5290d0dc2f8ebf87247b00b85 change-id: 20250227-stable-sve-6-13-5ceaf408b5f7 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 month, 1 week

3
17
0 0

[Patch v2 2/3] mm/memblock: repeat setting reserved region nid if array is doubled

by Wei Yang

Commit 61167ad5fecd ("mm: pass nid to reserve_bootmem_region()") introduce a way to set nid to all reserved region. But there is a corner case it will leave some region with invalid nid. When memblock_set_node() doubles the array of memblock.reserved, it may lead to a new reserved region before current position. The new region will be left with an invalid node id. Repeat the process when detecting it. Fixes: 61167ad5fecd ("mm: pass nid to reserve_bootmem_region()") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> CC: Mike Rapoport <rppt(a)kernel.org> CC: Yajun Deng <yajun.deng(a)linux.dev> CC: <stable(a)vger.kernel.org> --- v2: move check out side of the loop --- mm/memblock.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/mm/memblock.c b/mm/memblock.c index 85442f1b7f14..0bae7547d2db 100644 --- a/mm/memblock.c +++ b/mm/memblock.c @@ -2179,11 +2179,14 @@ static void __init memmap_init_reserved_pages(void) struct memblock_region *region; phys_addr_t start, end; int nid; + unsigned long max_reserved; /* * set nid on all reserved pages and also treat struct * pages for the NOMAP regions as PageReserved */ +repeat: + max_reserved = memblock.reserved.max; for_each_mem_region(region) { nid = memblock_get_region_node(region); start = region->base; @@ -2194,6 +2197,13 @@ static void __init memmap_init_reserved_pages(void) memblock_set_node(start, region->size, &memblock.reserved, nid); } + /* + * 'max' is changed means memblock.reserved has been doubled its + * array, which may result a new reserved region before current + * 'start'. Now we should repeat the procedure to set its node id. + */ + if (max_reserved != memblock.reserved.max) + goto repeat; /* * initialize struct pages for reserved regions that don't have -- 2.34.1

1 month, 1 week

2
2
0 0

+ mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: move hugetlb_sysctl_init() to the __init section has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marc Herbert <Marc.Herbert(a)linux.intel.com> Subject: mm/hugetlb: move hugetlb_sysctl_init() to the __init section Date: Wed, 19 Mar 2025 06:00:30 +0000 hugetlb_sysctl_init() is only invoked once by an __init function and is merely a wrapper around another __init function so there is not reason to keep it. Fixes the following warning when toning down some GCC inline options: WARNING: modpost: vmlinux: section mismatch in reference: hugetlb_sysctl_init+0x1b (section: .text) -> __register_sysctl_init (section: .init.text) Link: https://lkml.kernel.org/r/20250319060041.2737320-1-marc.herbert@linux.intel… Signed-off-by: Marc Herbert <Marc.Herbert(a)linux.intel.com> Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/hugetlb.c~mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section +++ a/mm/hugetlb.c @@ -4912,7 +4912,7 @@ static const struct ctl_table hugetlb_ta }, }; -static void hugetlb_sysctl_init(void) +static void __init hugetlb_sysctl_init(void) { register_sysctl_init("vm", hugetlb_table); } _ Patches currently in -mm which might be from Marc.Herbert(a)linux.intel.com are mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch

1 month, 1 week

1
0
0 0

Error building Kernel 5.4.291 due new code in xen/mmu_pv.c, running Lubuntu 18.04 i686, gcc 14.2

by ofbarea

[1.] One line summary of the problem: Kernel 5.4.291 fails to build on i686 linux target due to problematic new code in x86/xen/mmu_pv.c [2.] Full description of the problem/report: when building Kernel 5.4.291 under Lubuntu 18.6.6 LTS, with GCC 14.2, i686 target, build fails due to changes introduced in "arch/x86/xen/mmu_pv.c" Note - I did not determined what of the following changes caused the issue: Juergen Gross (1): x86/xen: allow larger contiguous memory regions in PV guests Petr Tesarik (1): xen: remove a confusing comment on auto-translated guest I/O *The error:* En el fichero incluido desde ./include/linux/export.h:42, desde ./include/linux/linkage.h:7, desde ./include/linux/kernel.h:8, desde ./include/linux/sched/mm.h:5, desde arch/x86/xen/mmu_pv.c:43:arch/x86/xen/mmu_pv.c: En la función ‘alloc_discontig_frames’:./include/linux/compiler.h:419:45: error: call to ‘__compiletime_assert_120’ declared with attribute error: BUILD_BUG_ON failed: sizeof(discontig_frames_early) != PAGE_SIZE [3.] Keywords (i.e., modules, networking, kernel): x86/xen file: arch/x86/xen/mmu_pv.c [4.] Kernel information [4.1.] Kernel version (from /proc/version): Linux version 6.1.131-i686-custom (ofbarea@vm1) (gcc (GCC) 14.2.0, GNU ld (GNU Binutils for Ubuntu) 2.30) #1 SMP PREEMPT_DYNAMIC Sun Mar 16 11:13:28 CST 2025 [4.2.] Kernel .config file: See attachment => config-5.4.291-custom.txt [5.] Most recent kernel version which did not have the bug: Kernel 5.4.290 did not have the bug [6.] Output of Oops.. message (if applicable) with symbolic information resolved (see Documentation/admin-guide/bug-hunting.rst) En el fichero incluido desde ./include/linux/export.h:42, desde ./include/linux/linkage.h:7, desde ./include/linux/kernel.h:8, desde ./include/linux/sched/mm.h:5, desde arch/x86/xen/mmu_pv.c:43:arch/x86/xen/mmu_pv.c: En la función ‘alloc_discontig_frames’:./include/linux/compiler.h:419:45: error: call to ‘__compiletime_assert_120’ declared with attribute error: BUILD_BUG_ON failed: sizeof(discontig_frames_early) != PAGE_SIZE 419 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^./include/linux/compiler.h:400:25: nota: en definición de macro ‘__compiletime_assert’ 400 | prefix ## suffix(); \ | ^~~~~~./include/linux/compiler.h:419:9: nota: en expansión de macro ‘_compiletime_assert’ 419 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^~~~~~~~~~~~~~~~~~~./include/linux/build_bug.h:39:37: nota: en expansión de macro ‘compiletime_assert’ 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) | ^~~~~~~~~~~~~~~~~~./include/linux/build_bug.h:50:9: nota: en expansión de macro ‘BUILD_BUG_ON_MSG’ 50 | BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition) | ^~~~~~~~~~~~~~~~arch/x86/xen/mmu_pv.c:123:9: nota: en expansión de macro ‘BUILD_BUG_ON’ 123 | BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE); | ^~~~~~~~~~~~make[5]: *** [scripts/Makefile.build:262: arch/x86/xen/mmu_pv.o] Error 1make[4]: *** [scripts/Makefile.build:497: arch/x86/xen] Error 2make[3]: *** [Makefile:1755: arch/x86] Error 2make[3]: *** Se espera a que terminen otras tareas.... CC drivers/char/agp/backend.omake[2]: *** [debian/rules:6: build] Error 2dpkg-buildpackage: fallo: debian/rules build subprocess returned exit status 2make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2make: *** [Makefile:1490: bindeb-pkg] Error 2 [7.] A small shell script or example program which triggers the problem (if possible) The problem only happens when building the kernel. I'm using this line for the build: make bindeb-pkg LOCALVERSION=-i686-custom KDEB_PKGVERSION=$(make kernelversion)-1 -j8 [8.] Environment [8.1.] Software (add the output of the ver_linux script here) $ awk -f scripts/ver_linux If some fields are empty or look unusual you may have an old version. Compare to the current minimal requirements in Documentation/Changes. Linux vm1 6.1.131-i686-custom #1 SMP PREEMPT_DYNAMIC Sun Mar 16 11:13:28 CST 2025 i686 i686 i686 GNU/Linux GNU C 14.2.0 GNU Make 4.2.1 Binutils 2.30 Util-linux 2.31.1 Mount 2.31.1 Module-init-tools 24 E2fsprogs 1.44.1 Pcmciautils 018 PPP 2.4.7 Linux C Library 2.27 Dynamic linker (ldd) 2.27 Linux C++ Library 6.0.32 Procps 3.3.12 Kbd 2.0.4 Console-tools 2.0.4 Sh-utils 8.28 Udev 237 Wireless-tools 30 Modules Loaded ac97_bus aesni_intel at24 autofs4 binfmt_misc blake2b_generic bpfilter btrfs cpuid crc32_pclmul cryptd crypto_simd drm drm_kms_helper drm_ttm_helper ee1004 failover fb_sys_fops hfs hfsplus hid hid_generic i2c_piix4 input_leds ip6table_filter ip6_tables ip6t_REJECT ip6t_rt iptable_filter ip_tables ipt_REJECT irqbypass jfs joydev kvm kvm_intel libcrc32c lp mac_hid minix mptbase mptscsih mptspi msdos net_failover nf_conntrack nf_conntrack_broadcast nf_conntrack_ftp nf_conntrack_netbios_ns nf_defrag_ipv4 nf_defrag_ipv6 nf_log_syslog nf_nat nf_nat_ftp nf_reject_ipv4 nf_reject_ipv6 ntfs parport parport_pc ppdev psmouse qnx4 raid6_pq rapl sch_fq_codel scsi_transport_spi serio_raw snd snd_ac97_codec snd_intel8x0 snd_pcm snd_timer soundcore syscopyarea sysfillrect sysimgblt ttm ufs usbhid vboxguest video virtio_net vmwgfx wmi xfs xor x_tables xt_addrtype xt_conntrack xt_hl xt_limit xt_LOG xt_tcpudp zstd_compress [8.2.] Processor information (from /proc/cpuinfo): Running underVirtualBox 7.0.24 $ cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 0 cpu cores : 8 apicid : 0 initial apicid : 0 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 1 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 1 cpu cores : 8 apicid : 1 initial apicid : 1 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 2 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 2 cpu cores : 8 apicid : 2 initial apicid : 2 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 3 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 3 cpu cores : 8 apicid : 3 initial apicid : 3 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 4 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 4 cpu cores : 8 apicid : 4 initial apicid : 4 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 5 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 5 cpu cores : 8 apicid : 5 initial apicid : 5 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 6 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 6 cpu cores : 8 apicid : 6 initial apicid : 6 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: processor : 7 vendor_id : GenuineIntel cpu family : 6 model : 170 model name : Intel(R) Core(TM) Ultra 7 155H stepping : 4 microcode : 0x20 cpu MHz : 2995.198 cache size : 24576 KB physical id : 0 siblings : 8 core id : 7 cpu cores : 8 apicid : 7 initial apicid : 7 fdiv_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 22 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht nx rdtscp constant_tsc xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq vmx ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch pti tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities vmx flags : vnmi invvpid ept_x_only flexpriority tsc_offset vtpr vapic ept vpid unrestricted_guest ple bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown bhi bogomips : 5990.39 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management: [8.3.] Module information (from /proc/modules): $ cat /proc/modules btrfs 1503232 0 - Live 0x00000000 blake2b_generic 36864 0 - Live 0x00000000 xor 28672 1 btrfs, Live 0x00000000 raid6_pq 110592 1 btrfs, Live 0x00000000 zstd_compress 262144 1 btrfs, Live 0x00000000 ufs 77824 0 - Live 0x00000000 qnx4 16384 0 - Live 0x00000000 hfsplus 102400 0 - Live 0x00000000 hfs 57344 0 - Live 0x00000000 minix 36864 0 - Live 0x00000000 ntfs 102400 0 - Live 0x00000000 msdos 20480 0 - Live 0x00000000 jfs 184320 0 - Live 0x00000000 xfs 1495040 0 - Live 0x00000000 cpuid 16384 0 - Live 0x00000000 at24 24576 0 - Live 0x00000000 ee1004 20480 0 - Live 0x00000000 ip6t_REJECT 16384 1 - Live 0x00000000 nf_reject_ipv6 20480 1 ip6t_REJECT, Live 0x00000000 xt_hl 16384 22 - Live 0x00000000 vmwgfx 266240 2 - Live 0x00000000 drm_ttm_helper 16384 1 vmwgfx, Live 0x00000000 kvm_intel 352256 0 - Live 0x00000000 ttm 69632 2 vmwgfx,drm_ttm_helper, Live 0x00000000 ip6t_rt 20480 3 - Live 0x00000000 binfmt_misc 24576 1 - Live 0x00000000 kvm 856064 1 kvm_intel, Live 0x00000000 drm_kms_helper 167936 3 vmwgfx, Live 0x00000000 ipt_REJECT 16384 1 - Live 0x00000000 irqbypass 16384 1 kvm, Live 0x00000000 joydev 24576 0 - Live 0x00000000 nf_reject_ipv4 16384 1 ipt_REJECT, Live 0x00000000 snd_intel8x0 40960 2 - Live 0x00000000 drm 479232 7 vmwgfx,drm_ttm_helper,ttm,drm_kms_helper, Live 0x00000000 xt_LOG 20480 10 - Live 0x00000000 snd_ac97_codec 131072 1 snd_intel8x0, Live 0x00000000 crc32_pclmul 16384 0 - Live 0x00000000 nf_log_syslog 24576 10 - Live 0x00000000 ac97_bus 16384 1 snd_ac97_codec, Live 0x00000000 input_leds 16384 0 - Live 0x00000000 aesni_intel 20480 0 - Live 0x00000000 fb_sys_fops 16384 1 drm_kms_helper, Live 0x00000000 crypto_simd 16384 1 aesni_intel, Live 0x00000000 syscopyarea 16384 1 drm_kms_helper, Live 0x00000000 snd_pcm 122880 2 snd_intel8x0,snd_ac97_codec, Live 0x00000000 sysfillrect 16384 1 drm_kms_helper, Live 0x00000000 cryptd 24576 1 crypto_simd, Live 0x00000000 xt_limit 16384 13 - Live 0x00000000 snd_timer 36864 1 snd_pcm, Live 0x00000000 sysimgblt 16384 1 drm_kms_helper, Live 0x00000000 rapl 20480 0 - Live 0x00000000 xt_tcpudp 20480 26 - Live 0x00000000 vboxguest 372736 6 - Live 0x00000000 (OE) snd 90112 8 snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer, Live 0x00000000 serio_raw 20480 0 - Live 0x00000000 soundcore 16384 1 snd, Live 0x00000000 mac_hid 16384 0 - Live 0x00000000 xt_addrtype 16384 4 - Live 0x00000000 xt_conntrack 16384 16 - Live 0x00000000 ip6table_filter 16384 1 - Live 0x00000000 ip6_tables 28672 53 ip6table_filter, Live 0x00000000 nf_conntrack_netbios_ns 16384 0 - Live 0x00000000 nf_conntrack_broadcast 16384 1 nf_conntrack_netbios_ns, Live 0x00000000 nf_nat_ftp 20480 0 - Live 0x00000000 nf_nat 49152 1 nf_nat_ftp, Live 0x00000000 sch_fq_codel 20480 2 - Live 0x00000000 nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x00000000 nf_conntrack 143360 6 xt_conntrack,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_nat_ftp,nf_nat,nf_conntrack_ftp, Live 0x00000000 nf_defrag_ipv6 24576 1 nf_conntrack, Live 0x00000000 nf_defrag_ipv4 16384 1 nf_conntrack, Live 0x00000000 libcrc32c 16384 4 btrfs,xfs,nf_nat,nf_conntrack, Live 0x00000000 parport_pc 40960 0 - Live 0x00000000 ppdev 24576 0 - Live 0x00000000 iptable_filter 16384 1 - Live 0x00000000 bpfilter 16384 0 - Live 0x00000000 lp 20480 0 - Live 0x00000000 parport 57344 3 parport_pc,ppdev,lp, Live 0x00000000 ip_tables 28672 9 iptable_filter, Live 0x00000000 x_tables 36864 13 ip6t_REJECT,xt_hl,ip6t_rt,ipt_REJECT,xt_LOG,xt_limit,xt_tcpudp,xt_addrtype,xt_conntrack,ip6table_filter,ip6_tables,iptable_filter,ip_tables, Live 0x00000000 autofs4 45056 2 - Live 0x00000000 hid_generic 16384 0 - Live 0x00000000 usbhid 53248 0 - Live 0x00000000 hid 131072 2 hid_generic,usbhid, Live 0x00000000 mptspi 24576 2 - Live 0x00000000 virtio_net 61440 0 - Live 0x00000000 mptscsih 45056 1 mptspi, Live 0x00000000 mptbase 98304 2 mptspi,mptscsih, Live 0x00000000 net_failover 20480 1 virtio_net, Live 0x00000000 psmouse 147456 0 - Live 0x00000000 video 61440 0 - Live 0x00000000 scsi_transport_spi 28672 1 mptspi, Live 0x00000000 failover 16384 1 net_failover, Live 0x00000000 i2c_piix4 28672 0 - Live 0x00000000 wmi 28672 1 video, Live 0x00000000 [8.4.] Loaded driver and hardware information (/proc/ioports, /proc/iomem) $ cat /proc/ioports 0000-0000 : PCI Bus 0000:00 0000-0000 : dma1 0000-0000 : pic1 0000-0000 : timer0 0000-0000 : timer1 0000-0000 : keyboard 0000-0000 : keyboard 0000-0000 : rtc_cmos 0000-0000 : rtc0 0000-0000 : dma page reg 0000-0000 : pic2 0000-0000 : dma2 0000-0000 : fpu 0000-0000 : vga+ 0000-0000 : PCI conf1 0000-0000 : PCI Bus 0000:00 0000-0000 : 0000:00:07.0 0000-0000 : ACPI PM1a_EVT_BLK 0000-0000 : ACPI PM1a_CNT_BLK 0000-0000 : ACPI PM_TMR 0000-0000 : ACPI GPE0_BLK 0000-0000 : 0000:00:07.0 0000-0000 : piix4_smbus 0000-0000 : 0000:00:02.0 0000-0000 : vmwgfx probe 0000-0000 : 0000:00:03.0 0000-0000 : 0000:00:04.0 0000-0000 : 0000:00:05.0 0000-0000 : Intel 82801AA-ICH 0000-0000 : 0000:00:05.0 0000-0000 : Intel 82801AA-ICH 0000-0000 : 0000:00:14.0 $ cat /proc/iomem 00000000-00000000 : Reserved 00000000-00000000 : System RAM 00000000-00000000 : Reserved 00000000-00000000 : PCI Bus 0000:00 00000000-00000000 : Video RAM area 00000000-00000000 : Video ROM 00000000-00000000 : Adapter ROM 00000000-00000000 : Reserved 00000000-00000000 : System ROM 00000000-00000000 : System RAM 00000000-00000000 : Kernel code 00000000-00000000 : Kernel rodata 00000000-00000000 : Kernel data 00000000-00000000 : Kernel bss 00000000-00000000 : ACPI Tables 00000000-00000000 : PCI Bus 0000:00 00000000-00000000 : 0000:00:02.0 00000000-00000000 : vmwgfx probe 00000000-00000000 : 0000:00:02.0 00000000-00000000 : vmwgfx probe 00000000-00000000 : 0000:00:03.0 00000000-00000000 : virtio-pci-modern 00000000-00000000 : 0000:00:04.0 00000000-00000000 : vboxguest 00000000-00000000 : 0000:00:04.0 00000000-00000000 : 0000:00:06.0 00000000-00000000 : ohci_hcd 00000000-00000000 : 0000:00:0b.0 00000000-00000000 : ehci_hcd 00000000-00000000 : 0000:00:14.0 00000000-00000000 : mpt 00000000-00000000 : 0000:00:14.0 00000000-00000000 : mpt 00000000-00000000 : Reserved 00000000-00000000 : IOAPIC 0 00000000-00000000 : Local APIC 00000000-00000000 : Reserved 00000000-00000000 : Reserved 00000000-00000000 : System RAM [8.5.] PCI information ('lspci -vvv' as root) $ sudo lspci -vvv [sudo] contraseña para ofbarea: 00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02) Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- 00:01.0 ISA bridge: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 0 00:02.0 VGA compatible controller: VMware SVGA II Adapter (prog-if 00 [VGA controller]) Subsystem: VMware SVGA II Adapter Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 64 Interrupt: pin A routed to IRQ 18 Region 0: I/O ports at d000 [size=16] Region 1: Memory at e0000000 (32-bit, prefetchable) [size=128M] Region 2: Memory at f0000000 (32-bit, non-prefetchable) [size=2M] [virtual] Expansion ROM at 000c0000 [disabled] [size=128K] Kernel driver in use: vmwgfx Kernel modules: vmwgfx 00:03.0 Ethernet controller: Red Hat, Inc. Virtio network device Subsystem: Red Hat, Inc. Virtio network device Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 64 Interrupt: pin A routed to IRQ 19 Region 0: I/O ports at d020 [size=32] Region 2: Memory at f0200000 (32-bit, non-prefetchable) [size=8K] Capabilities: [40] Vendor Specific Information: VirtIO: CommonCfg BAR=2 offset=00000000 size=00000038 Capabilities: [50] Vendor Specific Information: VirtIO: Notify BAR=2 offset=00000038 size=00000032 multiplier=00000002 Capabilities: [64] Vendor Specific Information: VirtIO: ISR BAR=2 offset=0000006c size=00000001 Capabilities: [74] Vendor Specific Information: VirtIO: <unknown> BAR=2 offset=00000000 size=00000004 Capabilities: [88] Vendor Specific Information: VirtIO: DeviceCfg BAR=2 offset=00000070 size=0000000a Kernel driver in use: virtio-pci 00:04.0 System peripheral: InnoTek Systemberatung GmbH VirtualBox Guest Service Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Interrupt: pin A routed to IRQ 20 Region 0: I/O ports at d040 [size=32] Region 1: Memory at f0400000 (32-bit, non-prefetchable) [size=4M] Region 2: Memory at f0800000 (32-bit, prefetchable) [size=16K] Kernel driver in use: vboxguest Kernel modules: vboxguest 00:05.0 Multimedia audio controller: Intel Corporation 82801AA AC'97 Audio Controller (rev 01) Subsystem: Dell 82801AA AC'97 Audio Controller Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 64 Interrupt: pin A routed to IRQ 21 Region 0: I/O ports at d100 [size=256] Region 1: I/O ports at d200 [size=64] Kernel driver in use: snd_intel8x0 Kernel modules: snd_intel8x0 00:06.0 USB controller: Apple Inc. KeyLargo/Intrepid USB (prog-if 10 [OHCI]) Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 64 Interrupt: pin A routed to IRQ 22 Region 0: Memory at f0804000 (32-bit, non-prefetchable) [size=4K] Kernel driver in use: ohci-pci 00:07.0 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08) Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Interrupt: pin A routed to IRQ 9 Kernel driver in use: piix4_smbus Kernel modules: i2c_piix4 00:0b.0 USB controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (prog-if 20 [EHCI]) Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 64, Cache Line Size: 64 bytes Interrupt: pin A routed to IRQ 19 Region 0: Memory at f0805000 (32-bit, non-prefetchable) [size=4K] Kernel driver in use: ehci-pci 00:14.0 SCSI storage controller: LSI Logic / Symbios Logic 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI Subsystem: LSI Logic / Symbios Logic 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 64 Interrupt: pin A routed to IRQ 20 Region 0: I/O ports at d300 [size=256] Region 1: Memory at f0820000 (32-bit, non-prefetchable) [size=128K] Region 2: Memory at f0840000 (32-bit, non-prefetchable) [size=128K] Kernel driver in use: mptspi Kernel modules: mptspi [8.6.] SCSI information (from /proc/scsi/scsi) $ cat /proc/scsi/scsi Attached devices: Host: scsi0 Channel: 00 Id: 00 Lun: 00 Vendor: VBOX Model: HARDDISK Rev: 1.0 Type: Direct-Access ANSI SCSI revision: 05 Host: scsi0 Channel: 00 Id: 01 Lun: 00 Vendor: VBOX Model: HARDDISK Rev: 1.0 Type: Direct-Access ANSI SCSI revision: 05 Host: scsi0 Channel: 00 Id: 06 Lun: 00 Vendor: VBOX Model: CD-ROM Rev: 1.0 Type: CD-ROM ANSI SCSI revision: 05 [8.7.] Other information that might be relevant to the problem (please look in /proc and include all information that you think to be relevant): [X.] Other notes, patches, fixes, workarounds: I validated the changes from linux 5.4.29 vs 5.4.291 and saw that the changes were pretty much contained in mmu_pv.c. meld ./linux-5.4.290/arch/x86/xen/mmu_pv.c ./linux-5.4.291/arch/x86/xen/mmu_pv.c So in order to build the kernel 5.4.291, I just copied over mmu_pv.c file from 5.4.290 sources into 5.4.291 and I attempted to rebuild. My 5.4.291 kernel was built successfully. Best regards, Otto Barea

1 month, 1 week

2
1
0 0

[PATCH v2] usb: cdns3: Fix deadlock when using NCM gadget

by Ralph Siemsen

The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using "iperf --bidir" over NCM ethernet link. The deadlock occurs because the threaded interrupt handler gets preempted by a softirq, but both are protected by the same spinlock. Prevent deadlock by disabling softirq during threaded irq handler. cc: stable(a)vger.kernel.org Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Signed-off-by: Ralph Siemsen <ralph.siemsen(a)linaro.org> --- v2 changes: - move the fix up the call stack, as per discussion at https://lore.kernel.org/linux-rt-devel/20250226082931.-XRIDa6D@linutronix.d… --- drivers/usb/cdns3/cdns3-gadget.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index fd1beb10bba72..19101ff1cf1bd 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -1963,6 +1963,7 @@ static irqreturn_t cdns3_device_thread_irq_handler(int irq, void *data) unsigned int bit; unsigned long reg; + local_bh_disable(); spin_lock_irqsave(&priv_dev->lock, flags); reg = readl(&priv_dev->regs->usb_ists); @@ -2004,6 +2005,7 @@ static irqreturn_t cdns3_device_thread_irq_handler(int irq, void *data) irqend: writel(~0, &priv_dev->regs->ep_ien); spin_unlock_irqrestore(&priv_dev->lock, flags); + local_bh_enable(); return ret; } --- base-commit: 4701f33a10702d5fc577c32434eb62adde0a1ae1 change-id: 20250312-rfs-cdns3-deadlock-697df5cad3ce Best regards, -- Ralph Siemsen <ralph.siemsen(a)linaro.org>

1 month, 1 week

3
2
0 0

[PATCH 6.1&6.6 V2 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0

by Huacai Chen

Backport this series to 6.1&6.6 because we get build errors with GCC14 and OpenSSL3 (or later): certs/extract-cert.c: In function 'main': certs/extract-cert.c:124:17: error: implicit declaration of function 'ENGINE_load_builtin_engines' [-Wimplicit-function-declaration] 124 | ENGINE_load_builtin_engines(); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ certs/extract-cert.c:126:21: error: implicit declaration of function 'ENGINE_by_id' [-Wimplicit-function-declaration] 126 | e = ENGINE_by_id("pkcs11"); | ^~~~~~~~~~~~ certs/extract-cert.c:126:19: error: assignment to 'ENGINE *' {aka 'struct engine_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion] 126 | e = ENGINE_by_id("pkcs11"); | ^ certs/extract-cert.c:128:21: error: implicit declaration of function 'ENGINE_init' [-Wimplicit-function-declaration] 128 | if (ENGINE_init(e)) | ^~~~~~~~~~~ certs/extract-cert.c:133:30: error: implicit declaration of function 'ENGINE_ctrl_cmd_string' [-Wimplicit-function-declaration] 133 | ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); | ^~~~~~~~~~~~~~~~~~~~~~ certs/extract-cert.c:64:32: note: in definition of macro 'ERR' 64 | bool __cond = (cond); \ | ^~~~ certs/extract-cert.c:134:17: error: implicit declaration of function 'ENGINE_ctrl_cmd' [-Wimplicit-function-declaration] 134 | ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); | ^~~~~~~~~~~~~~~ In theory 5.4&5.10&5.15 also need this, but they need more efforts because file paths are different. The ENGINE interface has its limitations and it has been superseded by the PROVIDER API, it is deprecated in OpenSSL version 3.0. Some distros have started removing it from header files. Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= 3. Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM and PKCS11 and comparing that the result is identical. V1 -> V2: Add upstream commit id. Jan Stancek (3): sign-file,extract-cert: move common SSL helper functions to a header sign-file,extract-cert: avoid using deprecated ERR_get_error_line() sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Signed-off-by: Jan Stancek <jstancek(a)redhat.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- MAINTAINERS | 1 + certs/Makefile | 2 +- certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- scripts/ssl-common.h | 32 ++++++++++ 5 files changed, 178 insertions(+), 129 deletions(-) create mode 100644 scripts/ssl-common.h --- 2.27.0

1 month, 1 week

4
10
0 0

[PATCH v2 1/2] string: Add load_unaligned_zeropad() code path to sized_strscpy()

by Peter Collingbourne

The call to read_word_at_a_time() in sized_strscpy() is problematic with MTE because it may trigger a tag check fault when reading across a tag granule (16 bytes) boundary. To make this code MTE compatible, let's start using load_unaligned_zeropad() on architectures where it is available (i.e. architectures that define CONFIG_DCACHE_WORD_ACCESS). Because load_unaligned_zeropad() takes care of page boundaries as well as tag granule boundaries, also disable the code preventing crossing page boundaries when using load_unaligned_zeropad(). Signed-off-by: Peter Collingbourne <pcc(a)google.com> Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fd… Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS") Cc: stable(a)vger.kernel.org --- v2: - new approach lib/string.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/string.c b/lib/string.c index eb4486ed40d25..b632c71df1a50 100644 --- a/lib/string.c +++ b/lib/string.c @@ -119,6 +119,7 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) return -E2BIG; +#ifndef CONFIG_DCACHE_WORD_ACCESS #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS /* * If src is unaligned, don't cross a page boundary, @@ -133,12 +134,14 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) /* If src or dest is unaligned, don't do word-at-a-time. */ if (((long) dest | (long) src) & (sizeof(long) - 1)) max = 0; +#endif #endif /* - * read_word_at_a_time() below may read uninitialized bytes after the - * trailing zero and use them in comparisons. Disable this optimization - * under KMSAN to prevent false positive reports. + * load_unaligned_zeropad() or read_word_at_a_time() below may read + * uninitialized bytes after the trailing zero and use them in + * comparisons. Disable this optimization under KMSAN to prevent + * false positive reports. */ if (IS_ENABLED(CONFIG_KMSAN)) max = 0; @@ -146,7 +149,11 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) while (max >= sizeof(unsigned long)) { unsigned long c, data; +#ifdef CONFIG_DCACHE_WORD_ACCESS + c = load_unaligned_zeropad(src+res); +#else c = read_word_at_a_time(src+res); +#endif if (has_zero(c, &data, &constants)) { data = prep_zero_mask(c, data, &constants); data = create_zero_mask(data); -- 2.49.0.395.g12beb8f557-goog

1 month, 1 week

2
2
0 0

[PATCH 1/1] iommu/vt-d: Fix possible circular locking dependency

by Lu Baolu

We have recently seen report of lockdep circular lock dependency warnings on platforms like skykale and kabylake: ====================================================== WARNING: possible circular locking dependency detected 6.14.0-rc6-CI_DRM_16276-gca2c04fe76e8+ #1 Not tainted ------------------------------------------------------ swapper/0/1 is trying to acquire lock: ffffffff8360ee48 (iommu_probe_device_lock){+.+.}-{3:3}, at: iommu_probe_device+0x1d/0x70 but task is already holding lock: ffff888102c7efa8 (&device->physical_node_lock){+.+.}-{3:3}, at: intel_iommu_init+0xe75/0x11f0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #6 (&device->physical_node_lock){+.+.}-{3:3}: __mutex_lock+0xb4/0xe40 mutex_lock_nested+0x1b/0x30 intel_iommu_init+0xe75/0x11f0 pci_iommu_init+0x13/0x70 do_one_initcall+0x62/0x3f0 kernel_init_freeable+0x3da/0x6a0 kernel_init+0x1b/0x200 ret_from_fork+0x44/0x70 ret_from_fork_asm+0x1a/0x30 -> #5 (dmar_global_lock){++++}-{3:3}: down_read+0x43/0x1d0 enable_drhd_fault_handling+0x21/0x110 cpuhp_invoke_callback+0x4c6/0x870 cpuhp_issue_call+0xbf/0x1f0 __cpuhp_setup_state_cpuslocked+0x111/0x320 __cpuhp_setup_state+0xb0/0x220 irq_remap_enable_fault_handling+0x3f/0xa0 apic_intr_mode_init+0x5c/0x110 x86_late_time_init+0x24/0x40 start_kernel+0x895/0xbd0 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0xbf/0x110 common_startup_64+0x13e/0x141 -> #4 (cpuhp_state_mutex){+.+.}-{3:3}: __mutex_lock+0xb4/0xe40 mutex_lock_nested+0x1b/0x30 __cpuhp_setup_state_cpuslocked+0x67/0x320 __cpuhp_setup_state+0xb0/0x220 page_alloc_init_cpuhp+0x2d/0x60 mm_core_init+0x18/0x2c0 start_kernel+0x576/0xbd0 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0xbf/0x110 common_startup_64+0x13e/0x141 -> #3 (cpu_hotplug_lock){++++}-{0:0}: __cpuhp_state_add_instance+0x4f/0x220 iova_domain_init_rcaches+0x214/0x280 iommu_setup_dma_ops+0x1a4/0x710 iommu_device_register+0x17d/0x260 intel_iommu_init+0xda4/0x11f0 pci_iommu_init+0x13/0x70 do_one_initcall+0x62/0x3f0 kernel_init_freeable+0x3da/0x6a0 kernel_init+0x1b/0x200 ret_from_fork+0x44/0x70 ret_from_fork_asm+0x1a/0x30 -> #2 (&domain->iova_cookie->mutex){+.+.}-{3:3}: __mutex_lock+0xb4/0xe40 mutex_lock_nested+0x1b/0x30 iommu_setup_dma_ops+0x16b/0x710 iommu_device_register+0x17d/0x260 intel_iommu_init+0xda4/0x11f0 pci_iommu_init+0x13/0x70 do_one_initcall+0x62/0x3f0 kernel_init_freeable+0x3da/0x6a0 kernel_init+0x1b/0x200 ret_from_fork+0x44/0x70 ret_from_fork_asm+0x1a/0x30 -> #1 (&group->mutex){+.+.}-{3:3}: __mutex_lock+0xb4/0xe40 mutex_lock_nested+0x1b/0x30 __iommu_probe_device+0x24c/0x4e0 probe_iommu_group+0x2b/0x50 bus_for_each_dev+0x7d/0xe0 iommu_device_register+0xe1/0x260 intel_iommu_init+0xda4/0x11f0 pci_iommu_init+0x13/0x70 do_one_initcall+0x62/0x3f0 kernel_init_freeable+0x3da/0x6a0 kernel_init+0x1b/0x200 ret_from_fork+0x44/0x70 ret_from_fork_asm+0x1a/0x30 -> #0 (iommu_probe_device_lock){+.+.}-{3:3}: __lock_acquire+0x1637/0x2810 lock_acquire+0xc9/0x300 __mutex_lock+0xb4/0xe40 mutex_lock_nested+0x1b/0x30 iommu_probe_device+0x1d/0x70 intel_iommu_init+0xe90/0x11f0 pci_iommu_init+0x13/0x70 do_one_initcall+0x62/0x3f0 kernel_init_freeable+0x3da/0x6a0 kernel_init+0x1b/0x200 ret_from_fork+0x44/0x70 ret_from_fork_asm+0x1a/0x30 other info that might help us debug this: Chain exists of: iommu_probe_device_lock --> dmar_global_lock --> &device->physical_node_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&device->physical_node_lock); lock(dmar_global_lock); lock(&device->physical_node_lock); lock(iommu_probe_device_lock); *** DEADLOCK *** This driver uses a global lock to protect the list of enumerated DMA remapping units. It is necessary due to the driver's support for dynamic addition and removal of remapping units at runtime. Two distinct code paths require iteration over this remapping unit list: - Device registration and probing: the driver iterates the list to register each remapping unit with the upper layer IOMMU framework and subsequently probe the devices managed by that unit. - Global configuration: Upper layer components may also iterate the list to apply configuration changes. The lock acquisition order between these two code paths was reversed. This caused lockdep warnings, indicating a risk of deadlock. Fix this warning by releasing the global lock before invoking upper layer interfaces for device registration. Fixes: b150654f74bf ("iommu/vt-d: Fix suspicious RCU usage") Closes: https://lore.kernel.org/linux-iommu/SJ1PR11MB612953431F94F18C954C4A9CB9D32@… Cc: stable(a)vger.kernel.org Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/intel/iommu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 85aa66ef4d61..ec2f385ae25b 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -3049,6 +3049,7 @@ static int __init probe_acpi_namespace_devices(void) if (dev->bus != &acpi_bus_type) continue; + up_read(&dmar_global_lock); adev = to_acpi_device(dev); mutex_lock(&adev->physical_node_lock); list_for_each_entry(pn, @@ -3058,6 +3059,7 @@ static int __init probe_acpi_namespace_devices(void) break; } mutex_unlock(&adev->physical_node_lock); + down_read(&dmar_global_lock); if (ret) return ret; -- 2.43.0

1 month, 1 week

3
2
0 0

[BUG REPORT] cifs: Deadlock due to network reconnection during file writing

by Wang Zhaolong

In the code of the LTS branch that is being maintained (from linux-5.4 to linux-6.6), a deadlock occurs in the network reconnection scenario When multiple processes or threads write to the same file concurrently. Take the code of linux-5.10 as an example. The simplified deadlock process is as follows: ``` Process 1 Process 2 lock_page() - [1] wait_on_page_writeback() - [2] Waiting for writeback, blocked by [4] lock_page() - [3] Blocked by [1] end_page_writeback() - [4] Won't execute ``` Based on my research, I'm going to use two detailed scenarios to illustrate the issue. Scenarios 1: ``` P1 (dd) P2 (cifsd) P3 (cifsiod) cifs_writepages wdata_prepare_pages lock_page - [1] wait_on_page_writeback - [2] Waiting for writeback, blocked by [4] wait_on_page_bit cifs_demultiplex_thread cifs_read_from_socket cifs_readv_from_socket - If another process triggers reconnect at this point cifs_reconnect - mid->mid_state updated to MID_RETRY_NEEDED smb2_writev_callback mid_entry->callback() - mid_state leads to wdata->result = -EAGAIN wdata->result = -EAGAIN queue_work(cifsiod_wq, &wdata->work); cifs_writev_complete - worker function - wdata->result == -EAGAIN Condition satisfied cifs_writev_requeue lock_page - [3] Blocked by [1] end_page_writeback - [4] Won't execute unlock_page ``` Mainline refactoring commit d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") unlock folio while waiting for the writeback to complete. This patch is introduced in v6.3-rc1. Therefore, scenario 1 only affects LTS versions from linux-5.4 to linux-6.1. Call stack trace: ``` cat /proc/34/stack [<0>] __lock_page+0x147/0x3a0 [<0>] cifs_writev_requeue.cold+0x185/0x28e [<0>] process_one_work+0x1df/0x3b0 [<0>] worker_thread+0x4a/0x3c0 [<0>] kthread+0x125/0x160 [<0>] ret_from_fork+0x22/0x30 # cat /proc/465/stack [<0>] wait_on_page_bit+0x106/0x2e0 [<0>] wait_on_page_writeback+0x25/0xd0 [<0>] cifs_writepages+0x5ee/0xf60 [<0>] do_writepages+0x43/0xe0 [<0>] __filemap_fdatawrite_range+0xcd/0x110 [<0>] file_write_and_wait_range+0x40/0x90 [<0>] cifs_strict_fsync+0x35/0x470 [<0>] do_fsync+0x38/0x70 [<0>] __x64_sys_fsync+0x10/0x20 [<0>] do_syscall_64+0x33/0x40 [<0>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ 369.826215] INFO: task kworker/1:1:34 blocked for more than 122 seconds. [ 369.828964] Not tainted 5.10.0+ #164 [ 369.830623] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 369.835104] task:kworker/1:1 state:D stack:13472 pid: 34 ppid: 2 flags:0x00004000 [ 369.838448] Workqueue: cifsiod cifs_writev_complete [ 369.840242] Call Trace: [ 369.841219] __schedule+0x401/0x8e0 [ 369.842568] schedule+0x49/0x130 [ 369.843785] io_schedule+0x12/0x40 [ 369.845079] __lock_page+0x147/0x3a0 [ 369.846444] ? add_to_page_cache_lru+0x180/0x180 [ 369.847963] cifs_writev_requeue.cold+0x185/0x28e [ 369.849193] process_one_work+0x1df/0x3b0 [ 369.850248] worker_thread+0x4a/0x3c0 [ 369.851216] ? process_one_work+0x3b0/0x3b0 [ 369.852308] kthread+0x125/0x160 [ 369.853167] ? kthread_park+0x90/0x90 [ 369.854142] ret_from_fork+0x22/0x30 [ 369.855054] INFO: task kworker/u8:3:96 blocked for more than 122 seconds. [ 369.856781] Not tainted 5.10.0+ #164 [ 369.857851] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 369.859419] task:kworker/u8:3 state:D stack:12744 pid: 96 ppid: 2 flags:0x00004000 [ 369.861041] Workqueue: writeback wb_workfn (flush-cifs-2) [ 369.862095] Call Trace: [ 369.862583] __schedule+0x401/0x8e0 [ 369.863280] schedule+0x49/0x130 [ 369.863912] io_schedule+0x12/0x40 [ 369.864604] __lock_page+0x147/0x3a0 [ 369.865322] ? add_to_page_cache_lru+0x180/0x180 [ 369.866246] cifs_writepages+0x620/0xf60 [ 369.867005] do_writepages+0x43/0xe0 [ 369.867737] ? __blk_mq_try_issue_directly+0x121/0x1c0 [ 369.868750] __writeback_single_inode+0x3d/0x320 [ 369.869589] writeback_sb_inodes+0x20d/0x480 [ 369.870367] __writeback_inodes_wb+0x4c/0xe0 [ 369.871148] wb_writeback+0x201/0x2f0 [ 369.871797] wb_workfn+0x38a/0x4e0 [ 369.872427] ? check_preempt_curr+0x47/0x70 [ 369.873191] ? ttwu_do_wakeup.isra.0+0x17/0x170 [ 369.873999] process_one_work+0x1df/0x3b0 [ 369.874741] worker_thread+0x4a/0x3c0 [ 369.875421] ? process_one_work+0x3b0/0x3b0 [ 369.876180] kthread+0x125/0x160 [ 369.876761] ? kthread_park+0x90/0x90 [ 369.877431] ret_from_fork+0x22/0x30 [ 369.878106] INFO: task a.out:465 blocked for more than 122 seconds. [ 369.879225] Not tainted 5.10.0+ #164 [ 369.879945] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 369.881316] task:a.out state:D stack:12752 pid: 465 ppid: 386 flags:0x00000002 [ 369.882791] Call Trace: [ 369.883263] __schedule+0x401/0x8e0 [ 369.883884] schedule+0x49/0x130 [ 369.884447] io_schedule+0x12/0x40 [ 369.885054] wait_on_page_bit+0x106/0x2e0 [ 369.885795] ? add_to_page_cache_lru+0x180/0x180 [ 369.886631] wait_on_page_writeback+0x25/0xd0 [ 369.887427] cifs_writepages+0x5ee/0xf60 [ 369.888151] do_writepages+0x43/0xe0 [ 369.888789] ? __generic_file_write_iter+0xfd/0x1d0 [ 369.889663] __filemap_fdatawrite_range+0xcd/0x110 [ 369.890523] file_write_and_wait_range+0x40/0x90 [ 369.891360] cifs_strict_fsync+0x35/0x470 [ 369.892094] do_fsync+0x38/0x70 [ 369.892657] __x64_sys_fsync+0x10/0x20 [ 369.893336] do_syscall_64+0x33/0x40 [ 369.893978] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ 369.894883] RIP: 0033:0x7f660e208950 [ 369.895538] RSP: 002b:00007fff52b27b78 EFLAGS: 00000202 ORIG_RAX: 000000000000004a [ 369.896882] RAX: ffffffffffffffda RBX: 00007fff52b28cb8 RCX: 00007f660e208950 [ 369.898139] RDX: 0000000000001000 RSI: 00007fff52b27b80 RDI: 0000000000000003 [ 369.899395] RBP: 00007fff52b28ba0 R08: 0000000000000410 R09: 0000000000000001 [ 369.900661] R10: 00007f660e11c400 R11: 0000000000000202 R12: 0000000000000000 [ 369.901925] R13: 00007fff52b28cc8 R14: 00007f660e328000 R15: 000055b5aeb6fdd8 [ 369.903202] INFO: task sync:468 blocked for more than 122 seconds. [ 369.904311] Not tainted 5.10.0+ #164 [ 369.905034] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 369.906457] task:sync state:D stack:13632 pid: 468 ppid: 386 flags:0x00004002 [ 369.907930] Call Trace: [ 369.908369] __schedule+0x401/0x8e0 [ 369.908984] schedule+0x49/0x130 [ 369.909582] io_schedule+0x12/0x40 [ 369.910208] wait_on_page_bit+0x106/0x2e0 [ 369.910918] ? add_to_page_cache_lru+0x180/0x180 [ 369.911758] wait_on_page_writeback+0x25/0xd0 [ 369.912560] __filemap_fdatawait_range+0x83/0x110 [ 369.913408] ? __add_pages+0x6f/0x1b0 [ 369.914089] filemap_fdatawait_keep_errors+0x1a/0x50 [ 369.914957] sync_inodes_sb+0x208/0x2a0 [ 369.915666] ? __x64_sys_tee+0xd0/0xd0 [ 369.916344] iterate_supers+0x90/0xe0 [ 369.916983] ksys_sync+0x40/0xb0 [ 369.917590] __do_sys_sync+0xa/0x20 [ 369.918240] do_syscall_64+0x33/0x40 [ 369.918884] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ 369.919800] RIP: 0033:0x7f746d820987 [ 369.920451] RSP: 002b:00007ffce853fd78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a2 [ 369.921798] RAX: ffffffffffffffda RBX: 00007ffce853fed8 RCX: 00007f746d820987 [ 369.923063] RDX: 00007f746d8f4801 RSI: 00007ffce8541f71 RDI: 00007f746d8b05ad [ 369.924339] RBP: 0000000000000001 R08: 000000000000ffff R09: 0000000000000000 [ 369.925605] R10: 00007f746d7308a0 R11: 0000000000000206 R12: 000055b8487470fb [ 369.926866] R13: 0000000000000000 R14: 0000000000000000 R15: 000055b848749ce0 [ 369.928138] Kernel panic - not syncing: hung_task: blocked tasks [ 369.929191] CPU: 3 PID: 35 Comm: khungtaskd Not tainted 5.10.0+ #164 [ 369.952450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 [ 369.956984] Call Trace: [ 369.957973] dump_stack+0x57/0x6e [ 369.959273] panic+0x115/0x2f1 [ 369.960476] watchdog.cold+0xb5/0xb5 [ 369.961884] ? hungtask_pm_notify+0x40/0x40 [ 369.963310] kthread+0x125/0x160 [ 369.964354] ? kthread_park+0x90/0x90 [ 369.965551] ret_from_fork+0x22/0x30 [ 369.967673] Kernel Offset: 0xd600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 369.971025] ---[ end Kernel panic - not syncing: hung_task: blocked tasks ]--- ``` Scenarios 2: Scenario 2 occurs in strict cache mode ``` P1 (dd) P2 (cifsd) P3 (cifsiod) cifs_strict_writev cifs_zap_mapping - If something breaks the oplock cifs_revalidate_mapping cifs_invalidate_mapping invalidate_inode_pages2 invalidate_inode_pages2_range lock_page - [1] wait_on_page_writeback - [2] Waiting for writeback, blocked by [4] wait_on_page_bit cifs_demultiplex_thread cifs_read_from_socket cifs_readv_from_socket - If another process triggers reconnect at this point cifs_reconnect - mid->mid_state updated to MID_RETRY_NEEDED smb2_writev_callback mid_entry->callback() - mid_state leads to wdata->result = -EAGAIN wdata->result = -EAGAIN queue_work(cifsiod_wq, &wdata->work); cifs_writev_complete - worker function - wdata->result == -EAGAIN Condition satisfied cifs_writev_requeue lock_page - [3] Blocked by [1] end_page_writeback - [4] Won't execute unlock_page ``` Mainline refactoring commit 3ee1a1fc3981 ("cifs: Cut over to using netfslib") directly terminates the file write instead of resending data when smb2_writev_callback() detects a write failure, thus avoiding this problem. This patch is introduced in v6.10-rc1. Therefore, scenario 2 affects LTS versions from linux-5.4 to linux-6.6. ``` cat /proc/522/stack [<0>] wait_on_page_bit+0x106/0x150 [<0>] invalidate_inode_pages2_range+0x2cc/0x580 [<0>] cifs_invalidate_mapping+0x2c/0x50 [cifs] [<0>] cifs_revalidate_mapping+0x4c/0x90 [cifs] [<0>] cifs_strict_writev+0x17a/0x250 [cifs] [<0>] __vfs_write+0x14f/0x1b0 [<0>] vfs_write+0xb6/0x1a0 [<0>] ksys_write+0x57/0xd0 [<0>] do_syscall_64+0x63/0x250 [<0>] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [<0>] 0xffffffffffffffff cat /proc/33/stack [<0>] __lock_page+0x10c/0x160 [<0>] cifs_writev_requeue.cold+0x17e/0x239 [cifs] [<0>] process_one_work+0x1a9/0x3f0 [<0>] worker_thread+0x50/0x3c0 [<0>] kthread+0x117/0x130 [<0>] ret_from_fork+0x35/0x40 [<0>] 0xffffffffffffffff ``` The root cause of the deadlock problem is that the page/folio is locked again in cifs_writev_requeue(). In order to safely fix it on the LTS branches, I would like to clarify the following questions:, 1. Whether resending is necessary. If retransmission is not required, simply terminating the write would avoids this problem. Is this an acceptable solution? 2. Is it necessary to lock the page/folio in cifs_writev_requeue()? Based on my code screening (possibly missing), there seems to be no process that modifies a page when it is marked as PG_writeback.Therefore, the page does not need to be locked during wait_on_page_writeback().

1 month, 1 week

4
7
0 0

[PATCH 6.6.y] netfilter: nf_tables: use timestamp to check for set element timeout

by jianqi.ren.cn＠windriver.com

From: Pablo Neira Ayuso <pablo(a)netfilter.org> [ Upstream commit 7395dfacfff65e9938ac0889dafa1ab01e987d15 ] Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Fixes: c3e1b005ed1c ("netfilter: nf_tables: add set element timeout support") Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- include/net/netfilter/nf_tables.h | 16 ++++++++++++++-- net/netfilter/nf_tables_api.c | 4 +++- net/netfilter/nft_set_hash.c | 8 +++++++- net/netfilter/nft_set_pipapo.c | 18 +++++++++++------- net/netfilter/nft_set_rbtree.c | 11 +++++++---- 5 files changed, 42 insertions(+), 15 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index dcbf3f299548..fb1952d0fbef 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -826,10 +826,16 @@ static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ex return nft_set_ext(ext, NFT_SET_EXT_EXPRESSIONS); } -static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) +static inline bool __nft_set_elem_expired(const struct nft_set_ext *ext, + u64 tstamp) { return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && - time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext)); + time_after_eq64(tstamp, *nft_set_ext_expiration(ext)); +} + +static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) +{ + return __nft_set_elem_expired(ext, get_jiffies_64()); } static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, @@ -1791,6 +1797,7 @@ struct nftables_pernet { struct list_head notify_list; struct mutex commit_mutex; u64 table_handle; + u64 tstamp; unsigned int base_seq; unsigned int gc_seq; u8 validate_state; @@ -1803,6 +1810,11 @@ static inline struct nftables_pernet *nft_pernet(const struct net *net) return net_generic(net, nf_tables_net_id); } +static inline u64 nft_net_tstamp(const struct net *net) +{ + return nft_pernet(net)->tstamp; +} + #define __NFT_REDUCE_READONLY 1UL #define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index bf24c63aff7b..5536e703230b 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9963,6 +9963,7 @@ struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc, struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) { struct nft_set_elem_catchall *catchall, *next; + u64 tstamp = nft_net_tstamp(gc->net); const struct nft_set *set = gc->set; struct nft_set_elem elem; struct nft_set_ext *ext; @@ -9972,7 +9973,7 @@ struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); - if (!nft_set_elem_expired(ext)) + if (!__nft_set_elem_expired(ext, tstamp)) continue; gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); @@ -10777,6 +10778,7 @@ static bool nf_tables_valid_genid(struct net *net, u32 genid) bool genid_ok; mutex_lock(&nft_net->commit_mutex); + nft_net->tstamp = get_jiffies_64(); genid_ok = genid == 0 || nft_net->base_seq == genid; if (!genid_ok) diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index cc1ae18485fa..0370f69dce86 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -37,6 +37,7 @@ struct nft_rhash_cmp_arg { const struct nft_set *set; const u32 *key; u8 genmask; + u64 tstamp; }; static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed) @@ -63,7 +64,7 @@ static inline int nft_rhash_cmp(struct rhashtable_compare_arg *arg, return 1; if (nft_set_elem_is_dead(&he->ext)) return 1; - if (nft_set_elem_expired(&he->ext)) + if (__nft_set_elem_expired(&he->ext, x->tstamp)) return 1; if (!nft_set_elem_active(&he->ext, x->genmask)) return 1; @@ -88,6 +89,7 @@ bool nft_rhash_lookup(const struct net *net, const struct nft_set *set, .genmask = nft_genmask_cur(net), .set = set, .key = key, + .tstamp = get_jiffies_64(), }; he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); @@ -106,6 +108,7 @@ static void *nft_rhash_get(const struct net *net, const struct nft_set *set, .genmask = nft_genmask_cur(net), .set = set, .key = elem->key.val.data, + .tstamp = get_jiffies_64(), }; he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); @@ -129,6 +132,7 @@ static bool nft_rhash_update(struct nft_set *set, const u32 *key, .genmask = NFT_GENMASK_ANY, .set = set, .key = key, + .tstamp = get_jiffies_64(), }; he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); @@ -172,6 +176,7 @@ static int nft_rhash_insert(const struct net *net, const struct nft_set *set, .genmask = nft_genmask_next(net), .set = set, .key = elem->key.val.data, + .tstamp = nft_net_tstamp(net), }; struct nft_rhash_elem *prev; @@ -214,6 +219,7 @@ static void *nft_rhash_deactivate(const struct net *net, .genmask = nft_genmask_next(net), .set = set, .key = elem->key.val.data, + .tstamp = nft_net_tstamp(net), }; rcu_read_lock(); diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index 5dab9905ebbe..4274831b6e67 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -504,6 +504,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, * @set: nftables API set representation * @data: Key data to be matched against existing elements * @genmask: If set, check that element is active in given genmask + * @tstamp: timestamp to check for expired elements * * This is essentially the same as the lookup function, except that it matches * key data against the uncommitted copy and doesn't use preallocated maps for @@ -513,7 +514,8 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, */ static struct nft_pipapo_elem *pipapo_get(const struct net *net, const struct nft_set *set, - const u8 *data, u8 genmask) + const u8 *data, u8 genmask, + u64 tstamp) { struct nft_pipapo_elem *ret = ERR_PTR(-ENOENT); struct nft_pipapo *priv = nft_set_priv(set); @@ -568,7 +570,7 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net, goto out; if (last) { - if (nft_set_elem_expired(&f->mt[b].e->ext)) + if (__nft_set_elem_expired(&f->mt[b].e->ext, tstamp)) goto next_match; if ((genmask && !nft_set_elem_active(&f->mt[b].e->ext, genmask))) @@ -605,7 +607,7 @@ static void *nft_pipapo_get(const struct net *net, const struct nft_set *set, const struct nft_set_elem *elem, unsigned int flags) { return pipapo_get(net, set, (const u8 *)elem->key.val.data, - nft_genmask_cur(net)); + nft_genmask_cur(net), get_jiffies_64()); } /** @@ -1199,6 +1201,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, struct nft_pipapo *priv = nft_set_priv(set); struct nft_pipapo_match *m = priv->clone; u8 genmask = nft_genmask_next(net); + u64 tstamp = nft_net_tstamp(net); struct nft_pipapo_field *f; const u8 *start_p, *end_p; int i, bsize_max, err = 0; @@ -1208,7 +1211,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, else end = start; - dup = pipapo_get(net, set, start, genmask); + dup = pipapo_get(net, set, start, genmask, tstamp); if (!IS_ERR(dup)) { /* Check if we already have the same exact entry */ const struct nft_data *dup_key, *dup_end; @@ -1230,7 +1233,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, if (PTR_ERR(dup) == -ENOENT) { /* Look for partially overlapping entries */ - dup = pipapo_get(net, set, end, nft_genmask_next(net)); + dup = pipapo_get(net, set, end, nft_genmask_next(net), tstamp); } if (PTR_ERR(dup) != -ENOENT) { @@ -1581,6 +1584,7 @@ static void pipapo_gc(struct nft_set *set, struct nft_pipapo_match *m) { struct nft_pipapo *priv = nft_set_priv(set); struct net *net = read_pnet(&set->net); + u64 tstamp = nft_net_tstamp(net); int rules_f0, first_rule = 0; struct nft_pipapo_elem *e; struct nft_trans_gc *gc; @@ -1615,7 +1619,7 @@ static void pipapo_gc(struct nft_set *set, struct nft_pipapo_match *m) /* synchronous gc never fails, there is no need to set on * NFT_SET_ELEM_DEAD_BIT. */ - if (nft_set_elem_expired(&e->ext)) { + if (__nft_set_elem_expired(&e->ext, tstamp)) { priv->dirty = true; gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC); @@ -1786,7 +1790,7 @@ static void *pipapo_deactivate(const struct net *net, const struct nft_set *set, { struct nft_pipapo_elem *e; - e = pipapo_get(net, set, data, nft_genmask_next(net)); + e = pipapo_get(net, set, data, nft_genmask_next(net), nft_net_tstamp(net)); if (IS_ERR(e)) return NULL; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 8ad1e008d12b..04672238e17d 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -314,6 +314,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, struct nft_rbtree *priv = nft_set_priv(set); u8 cur_genmask = nft_genmask_cur(net); u8 genmask = nft_genmask_next(net); + u64 tstamp = nft_net_tstamp(net); int d; /* Descend the tree to search for an existing element greater than the @@ -361,7 +362,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, /* perform garbage collection to avoid bogus overlap reports * but skip new elements in this transaction. */ - if (nft_set_elem_expired(&rbe->ext) && + if (__nft_set_elem_expired(&rbe->ext, tstamp) && nft_set_elem_active(&rbe->ext, cur_genmask)) { const struct nft_rbtree_elem *removed_end; @@ -553,6 +554,7 @@ static void *nft_rbtree_deactivate(const struct net *net, const struct rb_node *parent = priv->root.rb_node; struct nft_rbtree_elem *rbe, *this = elem->priv; u8 genmask = nft_genmask_next(net); + u64 tstamp = nft_net_tstamp(net); int d; while (parent != NULL) { @@ -573,7 +575,7 @@ static void *nft_rbtree_deactivate(const struct net *net, nft_rbtree_interval_end(this)) { parent = parent->rb_right; continue; - } else if (nft_set_elem_expired(&rbe->ext)) { + } else if (__nft_set_elem_expired(&rbe->ext, tstamp)) { break; } else if (!nft_set_elem_active(&rbe->ext, genmask)) { parent = parent->rb_left; @@ -632,9 +634,10 @@ static void nft_rbtree_gc(struct nft_set *set) struct nft_rbtree *priv = nft_set_priv(set); struct nft_rbtree_elem *rbe, *rbe_end = NULL; struct nftables_pernet *nft_net; + struct net *net = read_pnet(&set->net); + u64 tstamp = nft_net_tstamp(net); struct rb_node *node, *next; struct nft_trans_gc *gc; - struct net *net; set = nft_set_container_of(priv); net = read_pnet(&set->net); @@ -657,7 +660,7 @@ static void nft_rbtree_gc(struct nft_set *set) rbe_end = rbe; continue; } - if (!nft_set_elem_expired(&rbe->ext)) + if (!__nft_set_elem_expired(&rbe->ext, tstamp)) continue; gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); -- 2.25.1

1 month, 1 week

3
2
0 0

[PATCH] string: Disable read_word_at_a_time() optimizations if kernel MTE is enabled

by Peter Collingbourne

The optimized strscpy() and dentry_string_cmp() routines will read 8 unaligned bytes at a time via the function read_word_at_a_time(), but this is incompatible with MTE which will fault on a partially invalid read. The attributes on read_word_at_a_time() that disable KASAN are invisible to the CPU so they have no effect on MTE. Let's fix the bug for now by disabling the optimizations if the kernel is built with HW tag-based KASAN and consider improvements for followup changes. Signed-off-by: Peter Collingbourne <pcc(a)google.com> Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fd… Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS") Cc: stable(a)vger.kernel.org --- fs/dcache.c | 2 +- lib/string.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index e3634916ffb93..71f0830ac5e69 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -223,7 +223,7 @@ fs_initcall(init_fs_dcache_sysctls); * Compare 2 name strings, return 0 if they match, otherwise non-zero. * The strings are both count bytes long, and count is non-zero. */ -#ifdef CONFIG_DCACHE_WORD_ACCESS +#if defined(CONFIG_DCACHE_WORD_ACCESS) && !defined(CONFIG_KASAN_HW_TAGS) #include <asm/word-at-a-time.h> /* diff --git a/lib/string.c b/lib/string.c index eb4486ed40d25..9a43a3824d0d7 100644 --- a/lib/string.c +++ b/lib/string.c @@ -119,7 +119,8 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count) if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) return -E2BIG; -#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS +#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && \ + !defined(CONFIG_KASAN_HW_TAGS) /* * If src is unaligned, don't cross a page boundary, * since we don't know if the next page is mapped. -- 2.49.0.rc0.332.g42c0ae87b1-goog

1 month, 1 week

4
10
0 0

FAILED: patch "[PATCH] smb: client: Fix match_session bug preventing session reuse" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x 605b249ea96770ac4fac4b8510a99e0f8442be5e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025031652-spider-flying-c68b@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 605b249ea96770ac4fac4b8510a99e0f8442be5e Mon Sep 17 00:00:00 2001 From: Henrique Carvalho <henrique.carvalho(a)suse.com> Date: Tue, 11 Mar 2025 15:23:59 -0300 Subject: [PATCH] smb: client: Fix match_session bug preventing session reuse Fix a bug in match_session() that can causes the session to not be reused in some cases. Reproduction steps: mount.cifs //server/share /mnt/a -o credentials=creds mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp cat /proc/fs/cifs/DebugData | grep SessionId | wc -l mount.cifs //server/share /mnt/b -o credentials=creds,sec=ntlmssp mount.cifs //server/share /mnt/a -o credentials=creds cat /proc/fs/cifs/DebugData | grep SessionId | wc -l Cc: stable(a)vger.kernel.org Reviewed-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Henrique Carvalho <henrique.carvalho(a)suse.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index f917de020dd5..73f93a35eedd 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -1825,9 +1825,8 @@ static int match_session(struct cifs_ses *ses, struct smb3_fs_context *ctx, bool match_super) { - if (ctx->sectype != Unspecified && - ctx->sectype != ses->sectype) - return 0; + struct TCP_Server_Info *server = ses->server; + enum securityEnum ctx_sec, ses_sec; if (!match_super && ctx->dfs_root_ses != ses->dfs_root_ses) return 0; @@ -1839,11 +1838,20 @@ static int match_session(struct cifs_ses *ses, if (ses->chan_max < ctx->max_channels) return 0; - switch (ses->sectype) { + ctx_sec = server->ops->select_sectype(server, ctx->sectype); + ses_sec = server->ops->select_sectype(server, ses->sectype); + + if (ctx_sec != ses_sec) + return 0; + + switch (ctx_sec) { + case IAKerb: case Kerberos: if (!uid_eq(ctx->cred_uid, ses->cred_uid)) return 0; break; + case NTLMv2: + case RawNTLMSSP: default: /* NULL username means anonymous session */ if (ses->user_name == NULL) {

1 month, 1 week

4
7
0 0

FAILED: patch "[PATCH] rust: lockdep: Remove support for dynamically allocated" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 966944f3711665db13e214fef6d02982c49bb972 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025031632-divorcee-duly-868e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 966944f3711665db13e214fef6d02982c49bb972 Mon Sep 17 00:00:00 2001 From: Mitchell Levy <levymitchell0(a)gmail.com> Date: Fri, 7 Mar 2025 15:27:00 -0800 Subject: [PATCH] rust: lockdep: Remove support for dynamically allocated LockClassKeys Currently, dynamically allocated LockCLassKeys can be used from the Rust side without having them registered. This is a soundness issue, so remove them. Fixes: 6ea5aa08857a ("rust: sync: introduce `LockClassKey`") Suggested-by: Alice Ryhl <aliceryhl(a)google.com> Signed-off-by: Mitchell Levy <levymitchell0(a)gmail.com> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Benno Lossin <benno.lossin(a)proton.me> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250307232717.1759087-11-boqun.feng@gmail.com diff --git a/rust/kernel/sync.rs b/rust/kernel/sync.rs index 3498fb344dc9..16eab9138b2b 100644 --- a/rust/kernel/sync.rs +++ b/rust/kernel/sync.rs @@ -30,28 +30,20 @@ unsafe impl Sync for LockClassKey {} impl LockClassKey { - /// Creates a new lock class key. - pub const fn new() -> Self { - Self(Opaque::uninit()) - } - pub(crate) fn as_ptr(&self) -> *mut bindings::lock_class_key { self.0.get() } } -impl Default for LockClassKey { - fn default() -> Self { - Self::new() - } -} - /// Defines a new static lock class and returns a pointer to it. #[doc(hidden)] #[macro_export] macro_rules! static_lock_class { () => {{ - static CLASS: $crate::sync::LockClassKey = $crate::sync::LockClassKey::new(); + static CLASS: $crate::sync::LockClassKey = + // SAFETY: lockdep expects uninitialized memory when it's handed a statically allocated + // lock_class_key + unsafe { ::core::mem::MaybeUninit::uninit().assume_init() }; &CLASS }}; }

1 month, 1 week

4
4
0 0

[PATCH v5 0/5] samsung: pinctrl: Add support for eint_fltcon_offset and filter selection on gs101

by Peter Griffin

Hi folks, This series fixes support for correctly saving and restoring fltcon0 and fltcon1 registers on gs101 for non-alive banks where the fltcon register offset is not at a fixed offset (unlike previous SoCs). This is done by adding a eint_fltcon_offset and providing GS101 specific pin macros that take an additional parameter (similar to how exynosautov920 handles it's eint_con_offset). Additionally the SoC specific suspend and resume callbacks are re-factored so that each SoC variant has it's own callback containing the peculiarities for that SoC. Finally support for filter selection on alive banks is added, this is currently only enabled for gs101. The code path can be excercised using `echo mem > /sys/power/state` regards, Peter To: Krzysztof Kozlowski <krzk(a)kernel.org> To: Sylwester Nawrocki <s.nawrocki(a)samsung.com> To: Alim Akhtar <alim.akhtar(a)samsung.com> To: Linus Walleij <linus.walleij(a)linaro.org> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-samsung-soc(a)vger.kernel.org Cc: linux-gpio(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: andre.draszik(a)linaro.org Cc: tudor.ambarus(a)linaro.org Cc: willmcvicker(a)google.com Cc: semen.protsenko(a)linaro.org Cc: kernel-team(a)android.com Cc: jaewon02.kim(a)samsung.com Signed-off-by: Peter Griffin <peter.griffin(a)linaro.org> --- Changes in v5: - Split drvdata suspend & resume callbacks into a dedicated patch (Krzysztof) - Add comment about stable dependency (Krzysztof) - Add back in {} braces (Krzysztof) - Link to v4: https://lore.kernel.org/r/20250307-pinctrl-fltcon-suspend-v4-0-2d775e486036… Changes in v4: - save->eint_fltcon1 is an argument to pr_debug(), not readl() change alignment accordingly (Andre) - Link to v3: https://lore.kernel.org/r/20250306-pinctrl-fltcon-suspend-v3-0-f9ab4ff6a24e… Changes in v3: - Ensure EXYNOS_FLTCON_DIGITAL bit is cleared (Andre) - Make it obvious that exynos_eint_set_filter() is conditional on bank type (Andre) - Make it obvious exynos_set_wakeup() is conditional on bank type (Andre) - Align style where the '+' is placed first (Andre) - Remove unnecessary braces (Andre) - Link to v2: https://lore.kernel.org/r/20250301-pinctrl-fltcon-suspend-v2-0-a7eef9bb443b… Changes in v2: - Remove eint_flt_selectable bool as it can be deduced from EINT_TYPE_WKUP (Peter) - Move filter config register comment to header file (Andre) - Rename EXYNOS_FLTCON_DELAY to EXYNOS_FLTCON_ANALOG (Andre) - Remove misleading old comment (Andre) - Refactor exynos_eint_update_flt_reg() into a loop (Andre) - Split refactor of suspend/resume callbacks & gs101 parts into separate patches (Andre) - Link to v1: https://lore.kernel.org/r/20250120-pinctrl-fltcon-suspend-v1-0-e77900b2a854… --- Peter Griffin (5): pinctrl: samsung: add support for eint_fltcon_offset pinctrl: samsung: refactor drvdata suspend & resume callbacks pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks pinctrl: samsung: add gs101 specific eint suspend/resume callbacks pinctrl: samsung: Add filter selection support for alive bank on gs101 drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 150 ++++++------- drivers/pinctrl/samsung/pinctrl-exynos.c | 294 +++++++++++++++---------- drivers/pinctrl/samsung/pinctrl-exynos.h | 50 ++++- drivers/pinctrl/samsung/pinctrl-samsung.c | 12 +- drivers/pinctrl/samsung/pinctrl-samsung.h | 12 +- 5 files changed, 319 insertions(+), 199 deletions(-) --- base-commit: 0761652a3b3b607787aebc386d412b1d0ae8008c change-id: 20250120-pinctrl-fltcon-suspend-2333a137c4d4 Best regards, -- Peter Griffin <peter.griffin(a)linaro.org>

1 month, 1 week

2
3
0 0