- Linux-stable-mirror - lists.linaro.org

Re: Patch "media: ov02c10: Fix default vertical flip" has been added to the 6.18-stable tree

by Hans de Goede

Hi Sasha, On 13-Dec-25 10:35, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > media: ov02c10: Fix default vertical flip This fix is incomplete, leading to wrong colors and it causes the image to be upside down on some Dell XPS models where it currently is the right way up. There is a series of fixes which applies on top of this to fix both issues: https://lore.kernel.org/linux-media/20251210112436.167212-1-johannes.goede@… For now (without the fixes on top) we are better of not adding this patch to the stable series. Can you drop this patch please? Same for 6.17 and other stable series. Regards, Hans > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > media-ov02c10-fix-default-vertical-flip.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 14cc4474799a595caeccdb8fdf2ca4b867cef972 > Author: Sebastian Reichel <sre(a)kernel.org> > Date: Wed Aug 20 02:13:19 2025 +0200 > > media: ov02c10: Fix default vertical flip > > [ Upstream commit d5ebe3f7d13d4cee3ff7e718de23564915aaf163 ] > > The driver right now defaults to setting the vertical flip bit. This > conflicts with proper handling of the rotation property defined in > ACPI or device tree, so drop the VFLIP bit. It should be handled via > V4L2_CID_VFLIP instead. > > Reported-by: Frederic Stuyk <fstuyk(a)runbox.com> > Closes: https://lore.kernel.org/all/b6df9ae7-ea9f-4e5a-8065-5b130f534f37@runbox.com/ > Fixes: 44f89010dae0 ("media: i2c: Add Omnivision OV02C10 sensor driver") > Signed-off-by: Sebastian Reichel <sre(a)kernel.org> > Reviewed-by: Bryan O'Donoghue <bod(a)kernel.org> > Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> > Signed-off-by: Hans Verkuil <hverkuil+cisco(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c > index 8c4d85dc7922e..8e22ff446b0c4 100644 > --- a/drivers/media/i2c/ov02c10.c > +++ b/drivers/media/i2c/ov02c10.c > @@ -174,7 +174,7 @@ static const struct reg_sequence sensor_1928x1092_30fps_setting[] = { > {0x3816, 0x01}, > {0x3817, 0x01}, > > - {0x3820, 0xb0}, > + {0x3820, 0xa0}, > {0x3821, 0x00}, > {0x3822, 0x80}, > {0x3823, 0x08},

4 hours, 20 minutes

1
0
0 0

Re: Patch "RAS: Report all ARM processor CPER information to userspace" has been added to the 6.18-stable tree

by Mauro Carvalho Chehab

Hi Sacha, Em Sat, 13 Dec 2025 04:49:42 -0500 Sasha Levin <sashal(a)kernel.org> escreveu: > This is a note to let you know that I've just added the patch titled > > RAS: Report all ARM processor CPER information to userspace > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > ras-report-all-arm-processor-cper-information-to-use.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. You should also backport this patch(*): 96b010536ee0 efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs It fixes a bug at the UEFI parser for the ARM Processor Error record: basically, the specs were not clear about how the error type should be reported. The Kernel implementation were assuming that this was an enum, but UEFI errata 2.9A make it clear that the value is a bitmap. So, basically, all kernels up to 6.18 are not parsing the field the expected way: only "Cache error" was properly reported. The other 3 types were wrong. (*) You could need to backport those patches as well: a976d790f494 efi/cper: Add a new helper function to print bitmasks 8ad2c72e21ef efi/cper: Adjust infopfx size to accept an extra space Regards, Mauro Thanks, Mauro

5 hours, 58 minutes

1
0
0 0

[PATCH net v2] erspan: Initialize options_len before referencing options.

by Frode Nordahl

The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Cc: stable(a)vger.kernel.org Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… Reported-at: https://launchpad.net/bugs/2129580 Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info") Signed-off-by: Frode Nordahl <fnordahl(a)ubuntu.com> --- v2: - target correct netdev tree and properly cc stable in commit message. - replace repeated long in-line comments and link with a single line. - document search for any similar offenses in the code base in commit message. v1: https://lore.kernel.org/all/20251212073202.13153-1-fnordahl@ubuntu.com/ net/ipv4/ip_gre.c | 6 ++++-- net/ipv6/ip6_gre.c | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 761a53c6a89a..8178c44a3cdd 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -330,6 +330,10 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!tun_dst) return PACKET_REJECT; + /* MUST set options_len before referencing options */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -344,10 +348,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); - info = &tun_dst->u.tun_info; __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); } skb_reset_mac_header(skb); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c82a75510c0e..4603554d4c7f 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -535,6 +535,10 @@ static int ip6erspan_rcv(struct sk_buff *skb, if (!tun_dst) return PACKET_REJECT; + /* MUST set options_len before referencing options */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -543,7 +547,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, skb_network_header_len(skb); pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + sizeof(*ershdr)); - info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; md2 = &md->u.md2; @@ -551,7 +554,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, ERSPAN_V2_MDSIZE); __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); ip6_tnl_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error); -- 2.51.0

5 hours, 59 minutes

1
0
0 0

[PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation

by Huacai Chen

Commit 863a320dc6fd7c855f47da4b ("LoongArch: Mask all interrupts during kexec/kdump") is backported to LTS branches, but they lack a generic machine_kexec_mask_interrupts() implementation, so add an arch-specific one. Signed-off-by: Tianyang Zhang <zhangtianyang(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- 6.6LTS also need it if commit 863a320dc6fd7c855f47da4b is backported. arch/loongarch/kernel/machine_kexec.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/arch/loongarch/kernel/machine_kexec.c b/arch/loongarch/kernel/machine_kexec.c index 8ef4e4595d61..19bd763263d3 100644 --- a/arch/loongarch/kernel/machine_kexec.c +++ b/arch/loongarch/kernel/machine_kexec.c @@ -136,6 +136,28 @@ void kexec_reboot(void) BUG(); } +static void machine_kexec_mask_interrupts(void) +{ + unsigned int i; + struct irq_desc *desc; + + for_each_irq_desc(i, desc) { + struct irq_chip *chip; + + chip = irq_desc_get_chip(desc); + if (!chip) + continue; + + if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data)) + chip->irq_eoi(&desc->irq_data); + + if (chip->irq_mask) + chip->irq_mask(&desc->irq_data); + + if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data)) + chip->irq_disable(&desc->irq_data); + } +} #ifdef CONFIG_SMP static void kexec_shutdown_secondary(void *regs) -- 2.47.3

6 hours, 21 minutes

2
1
0 0

[PATCH v2] ocfs2: fix kernel BUG in ocfs2_write_block

by Prithvi Tambewagh

When the filesystem is being mounted, the kernel panics while the data regarding slot map allocation to the local node, is being written to the disk. This occurs because the value of slot map buffer head block number, which should have been greater than or equal to `OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2) is less than it, indicative of disk metadata corruption. This triggers BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(), causing the kernel to panic. This is fixed by introducing an if condition block in ocfs2_update_disk_slot(), right before calling ocfs2_write_block(), which checks if `bh->b_blocknr` is lesser than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then ocfs2_error is called, which prints the error log, for debugging purposes, and the return value of ocfs2_error() is returned back to caller of ocfs2_update_disk_slot() i.e. ocfs2_find_slot(). If the return value is zero. then error code EIO is returned. Reported-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0 Tested-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- v1->v2: - Remove usage of le16_to_cpu() from ocfs2_error() - Cast bh->b_blocknr to unsigned long long - Remove type casting for OCFS2_SUPER_BLOCK_BLKNO - Fix Sparse warnings reported in v1 by kernel test robot - Update title from 'ocfs2: Fix kernel BUG in ocfs2_write_block' to 'ocfs2: fix kernel BUG in ocfs2_write_block' v1 link: https://lore.kernel.org/all/20251206154819.175479-1-activprithvi@gmail.com/… fs/ocfs2/slot_map.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..e916a2e8f92d 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -193,6 +193,16 @@ static int ocfs2_update_disk_slot(struct ocfs2_super *osb, else ocfs2_update_disk_slot_old(si, slot_num, &bh); spin_unlock(&osb->osb_lock); + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + status = ocfs2_error(osb->sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >= %d", + (unsigned long long)bh->b_blocknr, + OCFS2_SUPER_BLOCK_BLKNO); + if (!status) + return -EIO; + return status; + } status = ocfs2_write_block(osb, bh, INODE_CACHE(si->si_inode)); if (status < 0) base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 -- 2.43.0

7 hours, 17 minutes

3
2
0 0

[PATCH] scsi: be2iscsi: fix a memory leak in beiscsi_boot_get_sinfo()

by Haoxiang Li

If nonemb_cmd->va fails to be allocated, call free_mcc_wrb() to restore the impact caused by alloc_mcc_wrb(). Fixes: 50a4b824be9e ("scsi: be2iscsi: Fix to make boot discovery non-blocking") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/scsi/be2iscsi/be_mgmt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index 4e899ec1477d..b1cba986f0fb 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c @@ -1025,6 +1025,7 @@ unsigned int beiscsi_boot_get_sinfo(struct beiscsi_hba *phba) &nonemb_cmd->dma, GFP_KERNEL); if (!nonemb_cmd->va) { + free_mcc_wrb(ctrl, tag); mutex_unlock(&ctrl->mbox_lock); return 0; } -- 2.25.1

7 hours, 36 minutes

1
0
0 0

[PATCH] drm/amd/display: Apply e4479aecf658 to dml

by Nathan Chancellor

After an innocuous optimization change in clang-22, allmodconfig (which enables CONFIG_KASAN and CONFIG_WERROR) breaks with: drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) | ^ With clang-21, this function was already pretty close to the existing limit of 3072 bytes. drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) | ^ A similar situation occurred in dml2, which was resolved by commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger than limit when compile testing with clang") by increasing the limit for clang when compile testing with certain sanitizer enabled, so that allmodconfig (an easy testing target) continues to work. Apply that same change to the dml folder to clear up the warning for allmodconfig, unbreaking the build. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2135 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/gpu/drm/amd/display/dc/dml/Makefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/Makefile b/drivers/gpu/drm/amd/display/dc/dml/Makefile index b357683b4255..268b5fbdb48b 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/Makefile +++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile @@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU) ifneq ($(CONFIG_FRAME_WARN),0) ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) - frame_warn_limit := 3072 + ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) + frame_warn_limit := 4096 + else + frame_warn_limit := 3072 + endif else frame_warn_limit := 2048 endif --- base-commit: f24e96d69f5b9eb0f3b9c49e53c385c50729edfd change-id: 20251213-dml-bump-frame-warn-clang-sanitizers-0a34fc916aec Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

9 hours, 56 minutes

1
0
0 0

[PATCH] input: synaptics_i2c - cancel delayed work before freeing device

by Minseong Kim

synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). The delayed work performs I2C transactions and may still be running (or get queued) when the device is removed. synaptics_i2c_remove() currently frees 'touch' without canceling touch->dwork. If removal happens while the work is pending/running, the work handler may dereference freed memory, leading to a potential use-after-free. Cancel the delayed work synchronously before unregistering/freeing the device. Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad Reported-by: Minseong Kim <ii4gsp(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Minseong Kim <ii4gsp(a)gmail.com> --- drivers/input/mouse/synaptics_i2c.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c index a0d707e47d93..fe30bf9aea3a 100644 --- a/drivers/input/mouse/synaptics_i2c.c +++ b/drivers/input/mouse/synaptics_i2c.c @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) if (!polling_req) free_irq(client->irq, touch); + cancel_delayed_work_sync(&touch->dwork); + input_unregister_device(touch->input); kfree(touch); } -- 2.39.5

11 hours, 34 minutes

3
4
0 0

[PATCH 1/2] scsi: sd: fix write_same(16/10) to enable sector size > PAGE_SIZE

by sw.prabhu6＠gmail.com

From: Swarna Prabhu <sw.prabhu6(a)gmail.com> The WRITE SAME(16) and WRITE SAME(10) scsi commands uses a page from a dedicated mempool('sd_page_pool') for its payload. This pool was initialized to allocate single pages, which was sufficient as long as the device sector size did not exceed the PAGE_SIZE. Given that block layer now supports block size upto 64K ie beyond PAGE_SIZE, adapt sd_set_special_bvec() to accommodate that. With the above fix, enable sector sizes > PAGE_SIZE in scsi sd driver. Cc: stable(a)vger.kernel.org Signed-off-by: Swarna Prabhu <s.prabhu(a)samsung.com> Co-developed-by: Pankaj Raghav <p.raghav(a)samsung.com> Signed-off-by: Pankaj Raghav <p.raghav(a)samsung.com> --- Note: We are allocating pages of order aligned to BLK_MAX_BLOCK_SIZE for the mempool page allocator 'sd_page_pool' all the time. This is because we only know that a bigger sector size device is attached at sd_probe and it might be too late to reallocate mempool with order >0. drivers/scsi/sd.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed1..17b5c1589eb2 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -892,14 +892,24 @@ static void sd_config_discard(struct scsi_disk *sdkp, struct queue_limits *lim, (logical_block_size >> SECTOR_SHIFT); } -static void *sd_set_special_bvec(struct request *rq, unsigned int data_len) +static void *sd_set_special_bvec(struct scsi_cmnd *cmd, unsigned int data_len) { struct page *page; + struct request *rq = scsi_cmd_to_rq(cmd); + struct scsi_device *sdp = cmd->device; + unsigned sector_size = sdp->sector_size; + unsigned int nr_pages = DIV_ROUND_UP(sector_size, PAGE_SIZE); + int n = 0; page = mempool_alloc(sd_page_pool, GFP_ATOMIC); if (!page) return NULL; - clear_highpage(page); + + do { + clear_highpage(page + n); + n++; + } while (n < nr_pages); + bvec_set_page(&rq->special_vec, page, data_len, 0); rq->rq_flags |= RQF_SPECIAL_PAYLOAD; return bvec_virt(&rq->special_vec); @@ -915,7 +925,7 @@ static blk_status_t sd_setup_unmap_cmnd(struct scsi_cmnd *cmd) unsigned int data_len = 24; char *buf; - buf = sd_set_special_bvec(rq, data_len); + buf = sd_set_special_bvec(cmd, data_len); if (!buf) return BLK_STS_RESOURCE; @@ -1004,7 +1014,7 @@ static blk_status_t sd_setup_write_same16_cmnd(struct scsi_cmnd *cmd, u32 nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); u32 data_len = sdp->sector_size; - if (!sd_set_special_bvec(rq, data_len)) + if (!sd_set_special_bvec(cmd, data_len)) return BLK_STS_RESOURCE; cmd->cmd_len = 16; @@ -1031,7 +1041,7 @@ static blk_status_t sd_setup_write_same10_cmnd(struct scsi_cmnd *cmd, u32 nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); u32 data_len = sdp->sector_size; - if (!sd_set_special_bvec(rq, data_len)) + if (!sd_set_special_bvec(cmd, data_len)) return BLK_STS_RESOURCE; cmd->cmd_len = 10; @@ -2880,10 +2890,7 @@ sd_read_capacity(struct scsi_disk *sdkp, struct queue_limits *lim, "assuming 512.\n"); } - if (sector_size != 512 && - sector_size != 1024 && - sector_size != 2048 && - sector_size != 4096) { + if (blk_validate_block_size(sector_size)) { sd_printk(KERN_NOTICE, sdkp, "Unsupported sector size %d.\n", sector_size); /* @@ -4368,7 +4375,7 @@ static int __init init_sd(void) if (err) goto err_out; - sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, 0); + sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, get_order(BLK_MAX_BLOCK_SIZE)); if (!sd_page_pool) { printk(KERN_ERR "sd: can't init discard page pool\n"); err = -ENOMEM; -- 2.51.0

12 hours, 47 minutes

3
3
0 0

[PATCH] virtiofs: fix NULL dereference in virtio_fs_add_queues_sysfs()

by Qianchang Zhao

virtio_fs_add_queues_sysfs() creates per-queue sysfs kobjects via kobject_create_and_add(). The current code checks the wrong variable after the allocation: - kobject_create_and_add() may return NULL on failure. - The code incorrectly checks fs->mqs_kobj (the parent kobject), which is expected to be non-NULL at this point. - If kobject_create_and_add() fails, fsvq->kobj is NULL but the code can still call sysfs_create_group(fsvq->kobj, ...), leading to a NULL pointer dereference and kernel panic (DoS). Fix by validating fsvq->kobj immediately after kobject_create_and_add() and aborting on failure, so sysfs_create_group() is never called with a NULL kobject. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/fuse/virtio_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c index 6bc7c97b0..b2f6486fe 100644 --- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -373,7 +373,7 @@ static int virtio_fs_add_queues_sysfs(struct virtio_fs *fs) sprintf(buff, "%d", i); fsvq->kobj = kobject_create_and_add(buff, fs->mqs_kobj); - if (!fs->mqs_kobj) { + if (!fsvq->kobj) { ret = -ENOMEM; goto out_del; } -- 2.34.1

14 hours, 44 minutes

1
0
0 0

[PATCH v2 04/13] KVM: nSVM: Fix consistency checks for NP_ENABLE

by Yosry Ahmed

KVM currenty fails a nested VMRUN and injects VMEXIT_INVALID (aka SVM_EXIT_ERR) if L1 sets NP_ENABLE and the host does not support NPTs. On first glance, it seems like the check should actually be for guest_cpu_cap_has(X86_FEATURE_NPT) instead, as it is possible for the host to support NPTs but the guest CPUID to not advertise it. However, the consistency check is not architectural to begin with. The APM does not mention VMEXIT_INVALID if NP_ENABLE is set on a processor that does not have X86_FEATURE_NPT. Hence, NP_ENABLE should be ignored if X86_FEATURE_NPT is not available for L1. Apart from the consistency check, this is currently the case because NP_ENABLE is actually copied from VMCB01 to VMCB02, not from VMCB12. On the other hand, the APM does mention two other consistency checks for NP_ENABLE, both of which are missing (paraphrased): In Volume #2, 15.25.3 (24593—Rev. 3.42—March 2024): If VMRUN is executed with hCR0.PG cleared to zero and NP_ENABLE set to 1, VMRUN terminates with #VMEXIT(VMEXIT_INVALID) In Volume #2, 15.25.4 (24593—Rev. 3.42—March 2024): When VMRUN is executed with nested paging enabled (NP_ENABLE = 1), the following conditions are considered illegal state combinations, in addition to those mentioned in “Canonicalization and Consistency Checks”: • Any MBZ bit of nCR3 is set. • Any G_PAT.PA field has an unsupported type encoding or any reserved field in G_PAT has a nonzero value. Replace the existing consistency check with consistency checks on hCR0.PG and nCR3. Only perform the consistency checks if L1 has X86_FEATURE_NPT and NP_ENABLE is set in VMCB12. The G_PAT consistency check will be addressed separately. As it is now possible for an L1 to run L2 with NP_ENABLE set but ignored, also check that L1 has X86_FEATURE_NPT in nested_npt_enabled(). Pass L1's CR0 to __nested_vmcb_check_controls(). In nested_vmcb_check_controls(), L1's CR0 is available through kvm_read_cr0(), as vcpu->arch.cr0 is not updated to L2's CR0 until later through nested_vmcb02_prepare_save() -> svm_set_cr0(). In svm_set_nested_state(), L1's CR0 is available in the captured save area, as svm_get_nested_state() captures L1's save area when running L2, and L1's CR0 is stashed in VMCB01 on nested VMRUN (in nested_svm_vmrun()). Fixes: 4b16184c1cca ("KVM: SVM: Initialize Nested Nested MMU context on VMRUN") Cc: stable(a)vger.kernel.org Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> --- arch/x86/kvm/svm/nested.c | 21 ++++++++++++++++----- arch/x86/kvm/svm/svm.h | 3 ++- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 74211c5c68026..87bcc5eff96e8 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -325,7 +325,8 @@ static bool nested_svm_check_bitmap_pa(struct kvm_vcpu *vcpu, u64 pa, u32 size) } static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu, - struct vmcb_ctrl_area_cached *control) + struct vmcb_ctrl_area_cached *control, + unsigned long l1_cr0) { if (CC(!vmcb12_is_intercept(control, INTERCEPT_VMRUN))) return false; @@ -333,8 +334,12 @@ static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu, if (CC(control->asid == 0)) return false; - if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && !npt_enabled)) - return false; + if (nested_npt_enabled(to_svm(vcpu))) { + if (CC(!kvm_vcpu_is_legal_gpa(vcpu, control->nested_cr3))) + return false; + if (CC(!(l1_cr0 & X86_CR0_PG))) + return false; + } if (CC(!nested_svm_check_bitmap_pa(vcpu, control->msrpm_base_pa, MSRPM_SIZE))) @@ -400,7 +405,12 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu) struct vcpu_svm *svm = to_svm(vcpu); struct vmcb_ctrl_area_cached *ctl = &svm->nested.ctl; - return __nested_vmcb_check_controls(vcpu, ctl); + /* + * Make sure we did not enter guest mode yet, in which case + * kvm_read_cr0() could return L2's CR0. + */ + WARN_ON_ONCE(is_guest_mode(vcpu)); + return __nested_vmcb_check_controls(vcpu, ctl, kvm_read_cr0(vcpu)); } static @@ -1831,7 +1841,8 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu, ret = -EINVAL; __nested_copy_vmcb_control_to_cache(vcpu, &ctl_cached, ctl); - if (!__nested_vmcb_check_controls(vcpu, &ctl_cached)) + /* 'save' contains L1 state saved from before VMRUN */ + if (!__nested_vmcb_check_controls(vcpu, &ctl_cached, save->cr0)) goto out_free; /* diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index f6fb70ddf7272..3e805a43ffcdb 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -552,7 +552,8 @@ static inline bool gif_set(struct vcpu_svm *svm) static inline bool nested_npt_enabled(struct vcpu_svm *svm) { - return svm->nested.ctl.nested_ctl & SVM_NESTED_CTL_NP_ENABLE; + return guest_cpu_cap_has(&svm->vcpu, X86_FEATURE_NPT) && + svm->nested.ctl.nested_ctl & SVM_NESTED_CTL_NP_ENABLE; } static inline bool nested_vnmi_enabled(struct vcpu_svm *svm) -- 2.51.2.1041.gc1ab5b90ca-goog

15 hours, 5 minutes

2
9
0 0

[PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in

by Ilya Krutskih

'card_idx' can be overflowed when fealnx_init_one() will be called more than INT_MAX times. Check before incremention is required. Fixes: 15c037d6423e ("fealnx: Move the Myson driver") Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Ilya Krutskih <devsec(a)tpz.ru> --- drivers/net/ethernet/fealnx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c index 6ac8547ef9b8..7eb6e42b4551 100644 --- a/drivers/net/ethernet/fealnx.c +++ b/drivers/net/ethernet/fealnx.c @@ -489,7 +489,10 @@ static int fealnx_init_one(struct pci_dev *pdev, int bar = 1; #endif - card_idx++; + if (card_idx == INT_MAX) + return -EINVAL; + else + card_idx++; sprintf(boardname, "fealnx%d", card_idx); option = card_idx < MAX_UNITS ? options[card_idx] : 0; -- 2.43.0

15 hours, 51 minutes

5
5
0 0

[PATCH] erspan: Initialize options_len before referencing options.

by Frode Nordahl

The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. In the normal case the ip_tunnel_info_opts_set() helper is used which would initialize options_len properly, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… Reported-at: https://launchpad.net/bugs/2129580 Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info") Signed-off-by: Frode Nordahl <fnordahl(a)ubuntu.com> --- net/ipv4/ip_gre.c | 18 ++++++++++++++++-- net/ipv6/ip6_gre.c | 18 ++++++++++++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 761a53c6a89a..285a656c9e41 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -330,6 +330,22 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!tun_dst) return PACKET_REJECT; + /* The struct ip_tunnel_info has a flexible array member named + * options that is protected by a counted_by(options_len) + * attribute. + * + * The compiler will use this information to enforce runtime bounds + * checking deployed by FORTIFY_SOURCE string helpers. + * + * As laid out in the GCC documentation, the counter must be + * initialized before the first reference to the flexible array + * member. + * + * Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… + */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -344,10 +360,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); - info = &tun_dst->u.tun_info; __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); } skb_reset_mac_header(skb); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c82a75510c0e..eb840a11b93b 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -535,6 +535,22 @@ static int ip6erspan_rcv(struct sk_buff *skb, if (!tun_dst) return PACKET_REJECT; + /* The struct ip_tunnel_info has a flexible array member named + * options that is protected by a counted_by(options_len) + * attribute. + * + * The compiler will use this information to enforce runtime bounds + * checking deployed by FORTIFY_SOURCE string helpers. + * + * As laid out in the GCC documentation, the counter must be + * initialized before the first reference to the flexible array + * member. + * + * Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… + */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -543,7 +559,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, skb_network_header_len(skb); pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + sizeof(*ershdr)); - info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; md2 = &md->u.md2; @@ -551,7 +566,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, ERSPAN_V2_MDSIZE); __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); ip6_tnl_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error); -- 2.43.0

21 hours, 48 minutes

4
5
0 0

[PATCH] vfs: fix EBUSY on FSCONFIG_CMD_CREATE retry

by Chen Linxuan via B4 Relay

From: Chen Linxuan <me(a)black-desk.cn> When using fsconfig(..., FSCONFIG_CMD_CREATE, ...), the filesystem context is retrieved from the file descriptor. Since the file structure persists across syscall restarts, the context state is preserved: // fs/fsopen.c SYSCALL_DEFINE5(fsconfig, ...) { ... fc = fd_file(f)->private_data; ... ret = vfs_fsconfig_locked(fc, cmd, &param); ... } In vfs_cmd_create(), the context phase is transitioned to FS_CONTEXT_CREATING before calling vfs_get_tree(): // fs/fsopen.c static int vfs_cmd_create(struct fs_context *fc, bool exclusive) { ... fc->phase = FS_CONTEXT_CREATING; ... ret = vfs_get_tree(fc); ... } However, vfs_get_tree() may return -ERESTARTNOINTR if the filesystem implementation needs to restart the syscall. For example, cgroup v1 does this when it encounters a race condition where the root is dying: // kernel/cgroup/cgroup-v1.c int cgroup1_get_tree(struct fs_context *fc) { ... if (unlikely(ret > 0)) { msleep(10); return restart_syscall(); } return ret; } If the syscall is restarted, fsconfig() is called again and retrieves the *same* fs_context. However, vfs_cmd_create() rejects the call because the phase was left as FS_CONTEXT_CREATING during the first attempt: if (fc->phase != FS_CONTEXT_CREATE_PARAMS) return -EBUSY; Fix this by resetting fc->phase back to FS_CONTEXT_CREATE_PARAMS if vfs_get_tree() returns -ERESTARTNOINTR. Cc: stable(a)vger.kernel.org Signed-off-by: Chen Linxuan <me(a)black-desk.cn> --- fs/fsopen.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/fsopen.c b/fs/fsopen.c index f645c99204eb..8a7cb031af50 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -229,6 +229,10 @@ static int vfs_cmd_create(struct fs_context *fc, bool exclusive) fc->exclusive = exclusive; ret = vfs_get_tree(fc); + if (ret == -ERESTARTNOINTR) { + fc->phase = FS_CONTEXT_CREATE_PARAMS; + return ret; + } if (ret) { fc->phase = FS_CONTEXT_FAILED; return ret; --- base-commit: 187d0801404f415f22c0b31531982c7ea97fa341 change-id: 20251213-mount-ebusy-8ee3888a7e4f Best regards, -- Chen Linxuan <me(a)black-desk.cn>

22 hours, 8 minutes

1
0
0 0

Linux 6.18.1

by Greg Kroah-Hartman

I'm announcing the release of the 6.18.1 kernel. All users of the 6.18 kernel series must upgrade. The updated 6.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.18.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/renesas,rsci.yaml | 2 Documentation/process/2.Process.rst | 6 Documentation/tools/rtla/common_appendix.rst | 24 -- Documentation/tools/rtla/common_appendix.txt | 24 ++ Documentation/tools/rtla/common_hist_options.rst | 23 -- Documentation/tools/rtla/common_hist_options.txt | 23 ++ Documentation/tools/rtla/common_options.rst | 119 ------------- Documentation/tools/rtla/common_options.txt | 119 +++++++++++++ Documentation/tools/rtla/common_osnoise_description.rst | 8 Documentation/tools/rtla/common_osnoise_description.txt | 8 Documentation/tools/rtla/common_osnoise_options.rst | 39 ---- Documentation/tools/rtla/common_osnoise_options.txt | 39 ++++ Documentation/tools/rtla/common_timerlat_aa.rst | 7 Documentation/tools/rtla/common_timerlat_aa.txt | 7 Documentation/tools/rtla/common_timerlat_description.rst | 18 - Documentation/tools/rtla/common_timerlat_description.txt | 18 + Documentation/tools/rtla/common_timerlat_options.rst | 67 ------- Documentation/tools/rtla/common_timerlat_options.txt | 67 +++++++ Documentation/tools/rtla/common_top_options.rst | 3 Documentation/tools/rtla/common_top_options.txt | 3 Documentation/tools/rtla/rtla-hwnoise.rst | 8 Documentation/tools/rtla/rtla-osnoise-hist.rst | 10 - Documentation/tools/rtla/rtla-osnoise-top.rst | 10 - Documentation/tools/rtla/rtla-osnoise.rst | 4 Documentation/tools/rtla/rtla-timerlat-hist.rst | 12 - Documentation/tools/rtla/rtla-timerlat-top.rst | 12 - Documentation/tools/rtla/rtla-timerlat.rst | 4 Documentation/tools/rtla/rtla.rst | 2 Makefile | 2 arch/x86/include/asm/kvm_host.h | 9 arch/x86/kvm/svm/svm.c | 24 +- arch/x86/kvm/x86.c | 21 ++ crypto/zstd.c | 7 drivers/android/binder/node.rs | 6 drivers/comedi/comedi_fops.c | 42 +++- drivers/comedi/drivers/c6xdigio.c | 46 +++-- drivers/comedi/drivers/multiq3.c | 9 drivers/comedi/drivers/pcl818.c | 5 drivers/iio/adc/ad4080.c | 9 drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 - drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 - drivers/tty/serial/8250/8250_pci.c | 37 ++++ drivers/tty/serial/sh-sci.c | 12 + drivers/usb/serial/belkin_sa.c | 28 +-- drivers/usb/serial/ftdi_sio.c | 72 ++----- drivers/usb/serial/kobil_sct.c | 18 - drivers/usb/serial/option.c | 22 ++ fs/ext4/inline.c | 14 + fs/jbd2/transaction.c | 19 +- fs/smb/server/transport_ipc.c | 7 kernel/locking/spinlock_debug.c | 4 53 files changed, 650 insertions(+), 481 deletions(-) Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alice Ryhl (1): rust_binder: fix race condition on death_list Antoniu Miclaus (1): iio: adc: ad4080: fix chip identification Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Biju Das (2): dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Giovanni Cabiddu (1): crypto: zstd - fix double-free in per-CPU stream cleanup Gopi Krishna Menon (1): Documentation/rtla: rename common_xxx.rst files to common_xxx.txt Greg Kroah-Hartman (1): Linux 6.18.1 Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Magne Bruno (1): serial: add support of CPCI cards Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1

22 hours, 21 minutes

1
1
0 0

Linux 6.17.12

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.12 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/renesas,rsci.yaml | 2 Documentation/process/2.Process.rst | 6 Makefile | 2 arch/arm64/include/asm/alternative.h | 7 arch/arm64/kernel/alternative.c | 19 +- arch/arm64/kernel/module.c | 9 - arch/loongarch/kernel/machine_kexec.c | 2 arch/x86/include/asm/kvm_host.h | 9 + arch/x86/kvm/svm/svm.c | 24 +-- arch/x86/kvm/x86.c | 21 ++ crypto/zstd.c | 7 drivers/acpi/acpi_mrrm.c | 43 ++++- drivers/bluetooth/btrtl.c | 24 +-- drivers/comedi/comedi_fops.c | 42 +++++ drivers/comedi/drivers/c6xdigio.c | 46 ++++-- drivers/comedi/drivers/multiq3.c | 9 + drivers/comedi/drivers/pcl818.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 - drivers/hid/hid-apple.c | 1 drivers/hid/hid-elecom.c | 6 drivers/hid/hid-ids.h | 4 drivers/hid/hid-input.c | 5 drivers/hid/hid-lenovo.c | 17 ++ drivers/hid/hid-quirks.c | 3 drivers/iio/adc/ad4080.c | 9 - drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/nvme/host/core.c | 3 drivers/pinctrl/qcom/pinctrl-msm.c | 2 drivers/platform/x86/acer-wmi.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 +++ drivers/platform/x86/amd/pmc/pmc.c | 3 drivers/platform/x86/amd/pmc/pmc.h | 1 drivers/platform/x86/hp/hp-wmi.c | 6 drivers/platform/x86/huawei-wmi.c | 4 drivers/platform/x86/intel/hid.c | 1 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 4 drivers/spi/spi-imx.c | 15 +- drivers/spi/spi-xilinx.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 + drivers/tty/serial/8250/8250_pci.c | 37 +++++ drivers/tty/serial/sh-sci.c | 12 + drivers/usb/serial/belkin_sa.c | 28 ++- drivers/usb/serial/ftdi_sio.c | 72 +++------- drivers/usb/serial/kobil_sct.c | 18 +- drivers/usb/serial/option.c | 22 ++- fs/bfs/inode.c | 19 ++ fs/ext4/inline.c | 14 + fs/jbd2/transaction.c | 19 +- fs/smb/client/fs_context.c | 2 fs/smb/server/transport_ipc.c | 7 kernel/locking/spinlock_debug.c | 4 kernel/sched/ext.c | 4 kernel/trace/ftrace.c | 40 ++++- samples/vfs/test-statx.c | 6 samples/watch_queue/watch_test.c | 6 sound/hda/codecs/realtek/alc269.c | 9 + sound/soc/sdca/sdca_functions.c | 3 sound/usb/quirks.c | 6 61 files changed, 559 insertions(+), 207 deletions(-) Adrian Barnaś (1): arm64: Reject modules with internal alternative callbacks Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alvaro Gamez Machado (1): spi: xilinx: increase number of retries before declaring stall Antheas Kapenekakis (3): platform/x86/amd/pmc: Add support for Van Gogh SoC platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Antoniu Miclaus (1): iio: adc: ad4080: fix chip identification April Grimoire (1): HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf (1): platform/x86: acer-wmi: Ignore backlight event Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Baojun Xu (1): ALSA: hda/tas2781: Add new quirk for HP new projects Biju Das (2): dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Edip Hazuri (1): platform/x86: hp-wmi: mark Victus 16-r0 and 16-s0 for victus_s fan and thermal profile support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Giovanni Cabiddu (1): crypto: zstd - fix double-free in per-CPU stream cleanup Greg Kroah-Hartman (1): Linux 6.17.12 Harish Kasiviswanathan (1): drm/amdkfd: Fix GPU mappings for APU after prefetch Huacai Chen (1): LoongArch: Mask all interrupts during kexec/kdump Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Ian Forbes (1): drm/vmwgfx: Use kref in vmw_bo_dirty Jia Ston (1): platform/x86: huawei-wmi: add keys for HONOR models Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Kaushlendra Kumar (1): ACPI: MRRM: Fix memory leaks and improve error handling Keith Busch (1): nvme: fix admin request_queue lifetime Krishna Chomal (1): platform/x86: hp-wmi: Add Omen 16-wf1xxx fan support Kuppuswamy Sathyanarayanan (1): platform/x86: intel-uncore-freq: Add additional client processors Lauri Tirkkonen (1): HID: lenovo: fixup Lenovo Yoga Slim 7x Keyboard rdesc Linus Torvalds (1): samples: work around glibc redefining some of our defines wrong Lushih Hsieh (1): ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Magne Bruno (1): serial: add support of CPCI cards Marcos Vega (1): platform/x86: hp-wmi: Add Omen MAX 16-ah0xx fan support and thermal profile Mario Limonciello (AMD) (1): HID: hid-input: Extend Elan ignore battery quirk to USB Max Chou (1): Bluetooth: btrtl: Avoid loading the config file on security chips Naoki Ueki (1): HID: elecom: Add support for ELECOM M-XT3URBK (018F) Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Niranjan H Y (1): ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Praveen Talari (1): pinctrl: qcom: msm: Fix deadlock in pinmux configuration Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Robin Gong (1): spi: imx: keep dma request disabled before dma transfer setup Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Song Liu (1): ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Srinivas Pandruvada (1): platform/x86/intel/hid: Add Nova Lake support Tetsuo Handa (1): bfs: Reconstruct file type when loading from disk Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Yiqi Sun (1): smb: fix invalid username check in smb3_fs_context_parse_param() Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Zqiang (2): sched_ext: Fix possible deadlock in the deferred_irq_workfn() sched_ext: Use IRQ_WORK_INIT_HARD() to initialize rq->scx.kick_cpus_irq_work

22 hours, 22 minutes

1
1
0 0

Linux 6.12.62

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.62 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/process/2.Process.rst | 6 +- Makefile | 2 arch/loongarch/kernel/machine_kexec.c | 2 arch/x86/include/asm/kvm_host.h | 9 +++ arch/x86/kvm/svm/svm.c | 24 ++++---- arch/x86/kvm/x86.c | 21 +++++++ drivers/bluetooth/btrtl.c | 24 ++++---- drivers/bus/mhi/host/pci_generic.c | 52 ++++++++++++++++++ drivers/comedi/comedi_fops.c | 42 ++++++++++++-- drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++--- drivers/comedi/drivers/multiq3.c | 9 +++ drivers/comedi/drivers/pcl818.c | 5 - drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 +--- drivers/hid/hid-apple.c | 1 drivers/hid/hid-elecom.c | 6 +- drivers/hid/hid-ids.h | 3 - drivers/hid/hid-input.c | 5 + drivers/hid/hid-quirks.c | 3 - drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 + drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/nvme/host/core.c | 3 - drivers/pinctrl/qcom/pinctrl-msm.c | 2 drivers/platform/x86/acer-wmi.c | 4 + drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 ++++++++ drivers/platform/x86/huawei-wmi.c | 4 + drivers/spi/spi-imx.c | 15 +++-- drivers/spi/spi-xilinx.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++-- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +++- drivers/tty/serial/8250/8250_pci.c | 37 ++++++++++++ drivers/usb/serial/belkin_sa.c | 28 +++++---- drivers/usb/serial/ftdi_sio.c | 72 ++++++++----------------- drivers/usb/serial/kobil_sct.c | 18 +++--- drivers/usb/serial/option.c | 22 ++++++- fs/bfs/inode.c | 19 ++++++ fs/ext4/inline.c | 14 ++++ fs/jbd2/transaction.c | 19 ++++-- fs/smb/client/fs_context.c | 2 fs/smb/server/transport_ipc.c | 7 +- include/net/xfrm.h | 13 +--- kernel/locking/spinlock_debug.c | 4 - kernel/trace/ftrace.c | 40 ++++++++++--- net/ipv4/ipcomp.c | 2 net/ipv6/ipcomp6.c | 2 net/ipv6/xfrm6_tunnel.c | 2 net/key/af_key.c | 2 net/xfrm/xfrm_ipcomp.c | 1 net/xfrm/xfrm_state.c | 41 +++++--------- net/xfrm/xfrm_user.c | 2 samples/vfs/test-statx.c | 6 ++ samples/watch_queue/watch_test.c | 6 ++ sound/usb/quirks.c | 6 ++ 53 files changed, 520 insertions(+), 206 deletions(-) Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alvaro Gamez Machado (1): spi: xilinx: increase number of retries before declaring stall Antheas Kapenekakis (2): platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally April Grimoire (1): HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf (1): platform/x86: acer-wmi: Ignore backlight event Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Daniele Palmas (2): bus: mhi: host: pci_generic: Add Telit FN920C04 modem support bus: mhi: host: pci_generic: Add Telit FN990B40 modem support Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman (1): Linux 6.12.62 Harish Kasiviswanathan (1): drm/amdkfd: Fix GPU mappings for APU after prefetch Huacai Chen (1): LoongArch: Mask all interrupts during kexec/kdump Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Ian Forbes (1): drm/vmwgfx: Use kref in vmw_bo_dirty Jia Ston (1): platform/x86: huawei-wmi: add keys for HONOR models Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Keith Busch (1): nvme: fix admin request_queue lifetime Linus Torvalds (1): samples: work around glibc redefining some of our defines wrong Lushih Hsieh (1): ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Magne Bruno (1): serial: add support of CPCI cards Mario Limonciello (AMD) (1): HID: hid-input: Extend Elan ignore battery quirk to USB Max Chou (1): Bluetooth: btrtl: Avoid loading the config file on security chips Naoki Ueki (1): HID: elecom: Add support for ELECOM M-XT3URBK (018F) Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Praveen Talari (1): pinctrl: qcom: msm: Fix deadlock in pinmux configuration Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Robin Gong (1): spi: imx: keep dma request disabled before dma transfer setup Sabrina Dubroca (4): xfrm: delete x->tunnel as we delete x Revert "xfrm: destroy xfrm_state synchronously on net exit path" xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added xfrm: flush all states in xfrm_state_fini Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Song Liu (1): ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Tetsuo Handa (1): bfs: Reconstruct file type when loading from disk Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Yiqi Sun (1): smb: fix invalid username check in smb3_fs_context_parse_param() Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1

22 hours, 22 minutes

1
1
0 0

[PATCH 5.15.y] mmc: core: use sysfs_emit() instead of sprintf()

by Chen Yu

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> [ Upstream commit f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11 ] sprintf() (still used in the MMC core for the sysfs output) is vulnerable to the buffer overflow. Use the new-fangled sysfs_emit() instead. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@omp.ru Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Chen Yu <xnguchen(a)sina.cn> --- drivers/mmc/core/bus.c | 9 +++++---- drivers/mmc/core/bus.h | 3 ++- drivers/mmc/core/mmc.c | 16 ++++++++-------- drivers/mmc/core/sd.c | 25 ++++++++++++------------- drivers/mmc/core/sdio.c | 5 +++-- drivers/mmc/core/sdio_bus.c | 7 ++++--- 6 files changed, 34 insertions(+), 31 deletions(-) diff --git a/drivers/mmc/core/bus.c b/drivers/mmc/core/bus.c index c25c58473a91..c80d61780ea9 100644 --- a/drivers/mmc/core/bus.c +++ b/drivers/mmc/core/bus.c @@ -15,6 +15,7 @@ #include <linux/stat.h> #include <linux/of.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/card.h> #include <linux/mmc/host.h> @@ -34,13 +35,13 @@ static ssize_t type_show(struct device *dev, switch (card->type) { case MMC_TYPE_MMC: - return sprintf(buf, "MMC\n"); + return sysfs_emit(buf, "MMC\n"); case MMC_TYPE_SD: - return sprintf(buf, "SD\n"); + return sysfs_emit(buf, "SD\n"); case MMC_TYPE_SDIO: - return sprintf(buf, "SDIO\n"); + return sysfs_emit(buf, "SDIO\n"); case MMC_TYPE_SD_COMBO: - return sprintf(buf, "SDcombo\n"); + return sysfs_emit(buf, "SDcombo\n"); default: return -EFAULT; } diff --git a/drivers/mmc/core/bus.h b/drivers/mmc/core/bus.h index 8105852c4b62..3996b191b68d 100644 --- a/drivers/mmc/core/bus.h +++ b/drivers/mmc/core/bus.h @@ -9,6 +9,7 @@ #define _MMC_CORE_BUS_H #include <linux/device.h> +#include <linux/sysfs.h> struct mmc_host; struct mmc_card; @@ -17,7 +18,7 @@ struct mmc_card; static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf) \ { \ struct mmc_card *card = mmc_dev_to_card(dev); \ - return sprintf(buf, fmt, args); \ + return sysfs_emit(buf, fmt, args); \ } \ static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL) diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c index a56906633ddf..958bd901a136 100644 --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -12,6 +12,7 @@ #include <linux/slab.h> #include <linux/stat.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/host.h> #include <linux/mmc/card.h> @@ -812,12 +813,11 @@ static ssize_t mmc_fwrev_show(struct device *dev, { struct mmc_card *card = mmc_dev_to_card(dev); - if (card->ext_csd.rev < 7) { - return sprintf(buf, "0x%x\n", card->cid.fwrev); - } else { - return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN, - card->ext_csd.fwrev); - } + if (card->ext_csd.rev < 7) + return sysfs_emit(buf, "0x%x\n", card->cid.fwrev); + else + return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN, + card->ext_csd.fwrev); } static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL); @@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct device *dev, struct mmc_host *host = card->host; if (card->csd.dsr_imp && host->dsr_req) - return sprintf(buf, "0x%x\n", host->dsr); + return sysfs_emit(buf, "0x%x\n", host->dsr); else /* return default DSR value */ - return sprintf(buf, "0x%x\n", 0x404); + return sysfs_emit(buf, "0x%x\n", 0x404); } static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL); diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c index 592166e53dce..46ca73c17c4c 100644 --- a/drivers/mmc/core/sd.c +++ b/drivers/mmc/core/sd.c @@ -12,6 +12,7 @@ #include <linux/slab.h> #include <linux/stat.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/host.h> #include <linux/mmc/card.h> @@ -707,18 +708,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr); MMC_DEV_ATTR(rca, "0x%04x\n", card->rca); -static ssize_t mmc_dsr_show(struct device *dev, - struct device_attribute *attr, - char *buf) +static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr, + char *buf) { - struct mmc_card *card = mmc_dev_to_card(dev); - struct mmc_host *host = card->host; - - if (card->csd.dsr_imp && host->dsr_req) - return sprintf(buf, "0x%x\n", host->dsr); - else - /* return default DSR value */ - return sprintf(buf, "0x%x\n", 0x404); + struct mmc_card *card = mmc_dev_to_card(dev); + struct mmc_host *host = card->host; + + if (card->csd.dsr_imp && host->dsr_req) + return sysfs_emit(buf, "0x%x\n", host->dsr); + /* return default DSR value */ + return sysfs_emit(buf, "0x%x\n", 0x404); } static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL); @@ -734,9 +733,9 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att \ if (num > card->num_info) \ return -ENODATA; \ - if (!card->info[num-1][0]) \ + if (!card->info[num - 1][0]) \ return 0; \ - return sprintf(buf, "%s\n", card->info[num-1]); \ + return sysfs_emit(buf, "%s\n", card->info[num - 1]); \ } \ static DEVICE_ATTR_RO(info##num) diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c index cbc9ca0dd56e..53c8f71af966 100644 --- a/drivers/mmc/core/sdio.c +++ b/drivers/mmc/core/sdio.c @@ -7,6 +7,7 @@ #include <linux/err.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/host.h> #include <linux/mmc/card.h> @@ -40,9 +41,9 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att \ if (num > card->num_info) \ return -ENODATA; \ - if (!card->info[num-1][0]) \ + if (!card->info[num - 1][0]) \ return 0; \ - return sprintf(buf, "%s\n", card->info[num-1]); \ + return sysfs_emit(buf, "%s\n", card->info[num - 1]); \ } \ static DEVICE_ATTR_RO(info##num) diff --git a/drivers/mmc/core/sdio_bus.c b/drivers/mmc/core/sdio_bus.c index f6cdec00e97e..f191a2a76f3b 100644 --- a/drivers/mmc/core/sdio_bus.c +++ b/drivers/mmc/core/sdio_bus.c @@ -14,6 +14,7 @@ #include <linux/pm_runtime.h> #include <linux/pm_domain.h> #include <linux/acpi.h> +#include <linux/sysfs.h> #include <linux/mmc/card.h> #include <linux/mmc/host.h> @@ -35,7 +36,7 @@ field##_show(struct device *dev, struct device_attribute *attr, char *buf) \ struct sdio_func *func; \ \ func = dev_to_sdio_func (dev); \ - return sprintf(buf, format_string, args); \ + return sysfs_emit(buf, format_string, args); \ } \ static DEVICE_ATTR_RO(field) @@ -52,9 +53,9 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att \ if (num > func->num_info) \ return -ENODATA; \ - if (!func->info[num-1][0]) \ + if (!func->info[num - 1][0]) \ return 0; \ - return sprintf(buf, "%s\n", func->info[num-1]); \ + return sysfs_emit(buf, "%s\n", func->info[num - 1]); \ } \ static DEVICE_ATTR_RO(info##num) -- 2.17.1

23 hours, 21 minutes

2
1
0 0

[PATCHSET v2 sched_ext/for-6.19-fixes] sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq()

by Tejun Heo

Hello, move_local_task_to_local_dsq() was missing post-enqueue handling which matters now that scx_bpf_dsq_move() can be called while the CPU is busy. v2: Updated commit messages and added Cc stable. v1: http://lkml.kernel.org/r/20251211224809.3383633-1-tj@kernel.org 0001-sched_ext-Factor-out-local_dsq_post_enq-from-dispatc.patch 0002-sched_ext-Fix-missing-post-enqueue-handling-in-move_.patch Based on sched_ext/for-6.19-fixes (9f769637a93f). diffstat: kernel/sched/ext.c | 44 +++++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 15 deletions(-) -- tejun

23 hours, 44 minutes

2
5
0 0

Follow-Up: LDI 2025 Attendee List + 20% Discount

by Juanita Garcia

Hi, Just checking in to see if you had a moment to review my earlier message. As you have been an exhibitor at Live Design International 2025 We have the final updated attendee list of verified contacts 16,537 of people including last-minute registers and walk-ins to the show, and all are confirmed Opt-in and Verified contacts Special :20% reduction on our compliant contact data. If you’d like more details, just let me know or reply “Send me pricing.” Best regards, Juanita Garcia Sr. Marketing Manager If you prefer not to receive updates, reply “Not Interested.”

1 day

1
0
0 0

[PATCH 5/5] drm/tests: shmem: Hold reservation lock around purge

by Thomas Zimmermann

Acquire and release the GEM object's reservation lock around calls to the object's purge operation. The tests use drm_gem_shmem_purge_locked(), which led to errors such as show below. [ 58.709128] WARNING: CPU: 1 PID: 1354 at drivers/gpu/drm/drm_gem_shmem_helper.c:515 drm_gem_shmem_purge_locked+0x51c/0x740 Only export the new helper drm_gem_shmem_purge() for Kunit tests. This is not an interface for regular drivers. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 954907f7147d ("drm/shmem-helper: Refactor locked/unlocked functions") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.16+ --- drivers/gpu/drm/drm_gem_shmem_helper.c | 15 +++++++++++++++ drivers/gpu/drm/tests/drm_gem_shmem_test.c | 4 +++- include/drm/drm_gem_shmem_helper.h | 1 + 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 4ffcf6ed46f5..dfc24392cb61 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -939,6 +939,21 @@ int drm_gem_shmem_madvise(struct drm_gem_shmem_object *shmem, int madv) return ret; } EXPORT_SYMBOL_IF_KUNIT(drm_gem_shmem_madvise); + +int drm_gem_shmem_purge(struct drm_gem_shmem_object *shmem) +{ + struct drm_gem_object *obj = &shmem->base; + int ret; + + ret = dma_resv_lock_interruptible(obj->resv, NULL); + if (ret) + return ret; + drm_gem_shmem_purge_locked(shmem); + dma_resv_unlock(obj->resv); + + return 0; +} +EXPORT_SYMBOL_IF_KUNIT(drm_gem_shmem_purge); #endif MODULE_DESCRIPTION("DRM SHMEM memory-management helpers"); diff --git a/drivers/gpu/drm/tests/drm_gem_shmem_test.c b/drivers/gpu/drm/tests/drm_gem_shmem_test.c index d639848e3c8e..4b459f21acfd 100644 --- a/drivers/gpu/drm/tests/drm_gem_shmem_test.c +++ b/drivers/gpu/drm/tests/drm_gem_shmem_test.c @@ -340,7 +340,9 @@ static void drm_gem_shmem_test_purge(struct kunit *test) ret = drm_gem_shmem_is_purgeable(shmem); KUNIT_EXPECT_TRUE(test, ret); - drm_gem_shmem_purge_locked(shmem); + ret = drm_gem_shmem_purge(shmem); + KUNIT_ASSERT_EQ(test, ret, 0); + KUNIT_EXPECT_NULL(test, shmem->pages); KUNIT_EXPECT_NULL(test, shmem->sgt); KUNIT_EXPECT_EQ(test, shmem->madv, -1); diff --git a/include/drm/drm_gem_shmem_helper.h b/include/drm/drm_gem_shmem_helper.h index 3dd93e2df709..8d56970d7eed 100644 --- a/include/drm/drm_gem_shmem_helper.h +++ b/include/drm/drm_gem_shmem_helper.h @@ -311,6 +311,7 @@ struct drm_gem_object *drm_gem_shmem_prime_import_no_map(struct drm_device *dev, int drm_gem_shmem_vmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map); void drm_gem_shmem_vunmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map); int drm_gem_shmem_madvise(struct drm_gem_shmem_object *shmem, int madv); +int drm_gem_shmem_purge(struct drm_gem_shmem_object *shmem); #endif #endif /* __DRM_GEM_SHMEM_HELPER_H__ */ -- 2.52.0

1 day

1
0
0 0

[PATCH 4/5] drm/tests: shmem: Hold reservation lock around madvise

by Thomas Zimmermann

Acquire and release the GEM object's reservation lock around calls to the object's madvide operation. The tests use drm_gem_shmem_madvise_locked(), which led to errors such as show below. [ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140 Only export the new helper drm_gem_shmem_madvise() for Kunit tests. This is not an interface for regular drivers. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 954907f7147d ("drm/shmem-helper: Refactor locked/unlocked functions") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.16+ --- drivers/gpu/drm/drm_gem_shmem_helper.c | 15 +++++++++++++++ drivers/gpu/drm/tests/drm_gem_shmem_test.c | 8 ++++---- include/drm/drm_gem_shmem_helper.h | 1 + 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 06ef4e5adb7d..4ffcf6ed46f5 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -924,6 +924,21 @@ void drm_gem_shmem_vunmap(struct drm_gem_shmem_object *shmem, struct iosys_map * dma_resv_unlock(obj->resv); } EXPORT_SYMBOL_IF_KUNIT(drm_gem_shmem_vunmap); + +int drm_gem_shmem_madvise(struct drm_gem_shmem_object *shmem, int madv) +{ + struct drm_gem_object *obj = &shmem->base; + int ret; + + ret = dma_resv_lock_interruptible(obj->resv, NULL); + if (ret) + return ret; + ret = drm_gem_shmem_madvise_locked(shmem, madv); + dma_resv_unlock(obj->resv); + + return ret; +} +EXPORT_SYMBOL_IF_KUNIT(drm_gem_shmem_madvise); #endif MODULE_DESCRIPTION("DRM SHMEM memory-management helpers"); diff --git a/drivers/gpu/drm/tests/drm_gem_shmem_test.c b/drivers/gpu/drm/tests/drm_gem_shmem_test.c index 3e7c6f20fbcc..d639848e3c8e 100644 --- a/drivers/gpu/drm/tests/drm_gem_shmem_test.c +++ b/drivers/gpu/drm/tests/drm_gem_shmem_test.c @@ -292,17 +292,17 @@ static void drm_gem_shmem_test_madvise(struct kunit *test) ret = kunit_add_action_or_reset(test, drm_gem_shmem_free_wrapper, shmem); KUNIT_ASSERT_EQ(test, ret, 0); - ret = drm_gem_shmem_madvise_locked(shmem, 1); + ret = drm_gem_shmem_madvise(shmem, 1); KUNIT_EXPECT_TRUE(test, ret); KUNIT_ASSERT_EQ(test, shmem->madv, 1); /* Set madv to a negative value */ - ret = drm_gem_shmem_madvise_locked(shmem, -1); + ret = drm_gem_shmem_madvise(shmem, -1); KUNIT_EXPECT_FALSE(test, ret); KUNIT_ASSERT_EQ(test, shmem->madv, -1); /* Check that madv cannot be set back to a positive value */ - ret = drm_gem_shmem_madvise_locked(shmem, 0); + ret = drm_gem_shmem_madvise(shmem, 0); KUNIT_EXPECT_FALSE(test, ret); KUNIT_ASSERT_EQ(test, shmem->madv, -1); } @@ -330,7 +330,7 @@ static void drm_gem_shmem_test_purge(struct kunit *test) ret = drm_gem_shmem_is_purgeable(shmem); KUNIT_EXPECT_FALSE(test, ret); - ret = drm_gem_shmem_madvise_locked(shmem, 1); + ret = drm_gem_shmem_madvise(shmem, 1); KUNIT_EXPECT_TRUE(test, ret); /* The scatter/gather table will be freed by drm_gem_shmem_free */ diff --git a/include/drm/drm_gem_shmem_helper.h b/include/drm/drm_gem_shmem_helper.h index 6924ee226655..3dd93e2df709 100644 --- a/include/drm/drm_gem_shmem_helper.h +++ b/include/drm/drm_gem_shmem_helper.h @@ -310,6 +310,7 @@ struct drm_gem_object *drm_gem_shmem_prime_import_no_map(struct drm_device *dev, #if IS_ENABLED(CONFIG_KUNIT) int drm_gem_shmem_vmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map); void drm_gem_shmem_vunmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map); +int drm_gem_shmem_madvise(struct drm_gem_shmem_object *shmem, int madv); #endif #endif /* __DRM_GEM_SHMEM_HELPER_H__ */ -- 2.52.0

1 day

1
0
0 0

[PATCH 3/5] drm/tests: shmem: Hold reservation lock around vmap/vunmap

by Thomas Zimmermann

Acquire and release the GEM object's reservation lock around vmap and vunmap operations. The tests use vmap_locked, which led to errors such as show below. [ 122.292030] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:390 drm_gem_shmem_vmap_locked+0x3a3/0x6f0 [ 122.468066] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:293 drm_gem_shmem_pin_locked+0x1fe/0x350 [ 122.563504] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:234 drm_gem_shmem_get_pages_locked+0x23c/0x370 [ 122.662248] WARNING: CPU: 2 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:452 drm_gem_shmem_vunmap_locked+0x101/0x330 Only export the new vmap/vunmap helpers for Kunit tests. These are not interfaces for regular drivers. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 954907f7147d ("drm/shmem-helper: Refactor locked/unlocked functions") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.16+ --- drivers/gpu/drm/drm_gem_shmem_helper.c | 33 ++++++++++++++++++++++ drivers/gpu/drm/tests/drm_gem_shmem_test.c | 6 ++-- include/drm/drm_gem_shmem_helper.h | 9 ++++++ 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index dc94a27710e5..06ef4e5adb7d 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -15,6 +15,8 @@ #include <asm/set_memory.h> #endif +#include <kunit/visibility.h> + #include <drm/drm.h> #include <drm/drm_device.h> #include <drm/drm_drv.h> @@ -893,6 +895,37 @@ struct drm_gem_object *drm_gem_shmem_prime_import_no_map(struct drm_device *dev, } EXPORT_SYMBOL_GPL(drm_gem_shmem_prime_import_no_map); +/* + * Kunit helpers + */ + +#if IS_ENABLED(CONFIG_KUNIT) +int drm_gem_shmem_vmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map) +{ + struct drm_gem_object *obj = &shmem->base; + int ret; + + ret = dma_resv_lock_interruptible(obj->resv, NULL); + if (ret) + return ret; + ret = drm_gem_shmem_vmap_locked(shmem, map); + dma_resv_unlock(obj->resv); + + return ret; +} +EXPORT_SYMBOL_IF_KUNIT(drm_gem_shmem_vmap); + +void drm_gem_shmem_vunmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map) +{ + struct drm_gem_object *obj = &shmem->base; + + dma_resv_lock_interruptible(obj->resv, NULL); + drm_gem_shmem_vunmap_locked(shmem, map); + dma_resv_unlock(obj->resv); +} +EXPORT_SYMBOL_IF_KUNIT(drm_gem_shmem_vunmap); +#endif + MODULE_DESCRIPTION("DRM SHMEM memory-management helpers"); MODULE_IMPORT_NS("DMA_BUF"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/gpu/drm/tests/drm_gem_shmem_test.c b/drivers/gpu/drm/tests/drm_gem_shmem_test.c index 1d50bab51ef3..3e7c6f20fbcc 100644 --- a/drivers/gpu/drm/tests/drm_gem_shmem_test.c +++ b/drivers/gpu/drm/tests/drm_gem_shmem_test.c @@ -19,6 +19,8 @@ #include <drm/drm_gem_shmem_helper.h> #include <drm/drm_kunit_helpers.h> +MODULE_IMPORT_NS("EXPORTED_FOR_KUNIT_TESTING"); + #define TEST_SIZE SZ_1M #define TEST_BYTE 0xae @@ -176,7 +178,7 @@ static void drm_gem_shmem_test_vmap(struct kunit *test) ret = kunit_add_action_or_reset(test, drm_gem_shmem_free_wrapper, shmem); KUNIT_ASSERT_EQ(test, ret, 0); - ret = drm_gem_shmem_vmap_locked(shmem, &map); + ret = drm_gem_shmem_vmap(shmem, &map); KUNIT_ASSERT_EQ(test, ret, 0); KUNIT_ASSERT_NOT_NULL(test, shmem->vaddr); KUNIT_ASSERT_FALSE(test, iosys_map_is_null(&map)); @@ -186,7 +188,7 @@ static void drm_gem_shmem_test_vmap(struct kunit *test) for (i = 0; i < TEST_SIZE; i++) KUNIT_EXPECT_EQ(test, iosys_map_rd(&map, i, u8), TEST_BYTE); - drm_gem_shmem_vunmap_locked(shmem, &map); + drm_gem_shmem_vunmap(shmem, &map); KUNIT_EXPECT_NULL(test, shmem->vaddr); KUNIT_EXPECT_EQ(test, refcount_read(&shmem->vmap_use_count), 0); } diff --git a/include/drm/drm_gem_shmem_helper.h b/include/drm/drm_gem_shmem_helper.h index 589f7bfe7506..6924ee226655 100644 --- a/include/drm/drm_gem_shmem_helper.h +++ b/include/drm/drm_gem_shmem_helper.h @@ -303,4 +303,13 @@ struct drm_gem_object *drm_gem_shmem_prime_import_no_map(struct drm_device *dev, .gem_prime_import = drm_gem_shmem_prime_import_no_map, \ .dumb_create = drm_gem_shmem_dumb_create +/* + * Kunit helpers + */ + +#if IS_ENABLED(CONFIG_KUNIT) +int drm_gem_shmem_vmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map); +void drm_gem_shmem_vunmap(struct drm_gem_shmem_object *shmem, struct iosys_map *map); +#endif + #endif /* __DRM_GEM_SHMEM_HELPER_H__ */ -- 2.52.0

1 day

1
0
0 0

[PATCH 2/5] drm/tests: shmem: Add clean-up action to unpin pages

by Thomas Zimmermann

Automatically unpin pages on cleanup. The test currently fails with the error [ 58.246263] drm-kunit-mock-device drm_gem_shmem_test_get_sg_table.drm-kunit-mock-device: [drm] drm_WARN_ON(refcount_read(&shmem->pages_pin_count)) while cleaning up the GEM object. The pin count has to be zero at this point. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: d586b535f144 ("drm/shmem-helper: Add and use pages_pin_count") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.16+ --- drivers/gpu/drm/tests/drm_gem_shmem_test.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/tests/drm_gem_shmem_test.c b/drivers/gpu/drm/tests/drm_gem_shmem_test.c index 872881ec9c30..1d50bab51ef3 100644 --- a/drivers/gpu/drm/tests/drm_gem_shmem_test.c +++ b/drivers/gpu/drm/tests/drm_gem_shmem_test.c @@ -34,6 +34,9 @@ KUNIT_DEFINE_ACTION_WRAPPER(sg_free_table_wrapper, sg_free_table, KUNIT_DEFINE_ACTION_WRAPPER(drm_gem_shmem_free_wrapper, drm_gem_shmem_free, struct drm_gem_shmem_object *); +KUNIT_DEFINE_ACTION_WRAPPER(drm_gem_shmem_unpin_wrapper, drm_gem_shmem_unpin, + struct drm_gem_shmem_object *); + /* * Test creating a shmem GEM object backed by shmem buffer. The test * case succeeds if the GEM object is successfully allocated with the @@ -212,6 +215,9 @@ static void drm_gem_shmem_test_get_sg_table(struct kunit *test) ret = drm_gem_shmem_pin(shmem); KUNIT_ASSERT_EQ(test, ret, 0); + ret = kunit_add_action_or_reset(test, drm_gem_shmem_unpin_wrapper, shmem); + KUNIT_ASSERT_EQ(test, ret, 0); + sgt = drm_gem_shmem_get_sg_table(shmem); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sgt); KUNIT_EXPECT_NULL(test, shmem->sgt); -- 2.52.0

1 day

1
0
0 0

[PATCH 1/5] drm/tests: shmem: Swap names of export tests

by Thomas Zimmermann

GEM SHMEM has 2 helpers for exporting S/G tables. Swap the names of the rsp. tests, so that each matches the helper it tests. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 93032ae634d4 ("drm/test: add a test suite for GEM objects backed by shmem") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/tests/drm_gem_shmem_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/tests/drm_gem_shmem_test.c b/drivers/gpu/drm/tests/drm_gem_shmem_test.c index 68f2c3162354..872881ec9c30 100644 --- a/drivers/gpu/drm/tests/drm_gem_shmem_test.c +++ b/drivers/gpu/drm/tests/drm_gem_shmem_test.c @@ -194,7 +194,7 @@ static void drm_gem_shmem_test_vmap(struct kunit *test) * scatter/gather table large enough to accommodate the backing memory * is successfully exported. */ -static void drm_gem_shmem_test_get_pages_sgt(struct kunit *test) +static void drm_gem_shmem_test_get_sg_table(struct kunit *test) { struct drm_device *drm_dev = test->priv; struct drm_gem_shmem_object *shmem; @@ -236,7 +236,7 @@ static void drm_gem_shmem_test_get_pages_sgt(struct kunit *test) * backing pages are pinned and a scatter/gather table large enough to * accommodate the backing memory is successfully exported. */ -static void drm_gem_shmem_test_get_sg_table(struct kunit *test) +static void drm_gem_shmem_test_get_pages_sgt(struct kunit *test) { struct drm_device *drm_dev = test->priv; struct drm_gem_shmem_object *shmem; @@ -366,8 +366,8 @@ static struct kunit_case drm_gem_shmem_test_cases[] = { KUNIT_CASE(drm_gem_shmem_test_obj_create_private), KUNIT_CASE(drm_gem_shmem_test_pin_pages), KUNIT_CASE(drm_gem_shmem_test_vmap), - KUNIT_CASE(drm_gem_shmem_test_get_pages_sgt), KUNIT_CASE(drm_gem_shmem_test_get_sg_table), + KUNIT_CASE(drm_gem_shmem_test_get_pages_sgt), KUNIT_CASE(drm_gem_shmem_test_madvise), KUNIT_CASE(drm_gem_shmem_test_purge), {} -- 2.52.0

1 day

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror