- Linux-stable-mirror - lists.linaro.org

+ idr-fix-idr_alloc-returning-an-id-out-of-range.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: idr: fix idr_alloc() returning an ID out of range has been added to the -mm mm-hotfixes-unstable branch. Its filename is idr-fix-idr_alloc-returning-an-id-out-of-range.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Subject: idr: fix idr_alloc() returning an ID out of range Date: Fri, 28 Nov 2025 16:18:32 +0000 If you use an IDR with a non-zero base, and specify a range that lies entirely below the base, 'max - base' becomes very large and idr_get_free() can return an ID that lies outside of the requested range. Link: https://lkml.kernel.org/r/20251128161853.3200058-1-willy@infradead.org Fixes: 6ce711f27500 (idr: Make 1-based IDRs more efficient) Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Reported-by: Jan Sokolowski <jan.sokolowski(a)intel.com> Reported-by: Koen Koning koen.koning(a)intel.com Reported-by: Peter Senna Tschudin peter.senna(a)linux.intel.com Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449 Reviewed-by: Christian K��nig <christian.koenig(a)amd.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/idr.c | 2 ++ tools/testing/radix-tree/idr-test.c | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) --- a/lib/idr.c~idr-fix-idr_alloc-returning-an-id-out-of-range +++ a/lib/idr.c @@ -40,6 +40,8 @@ int idr_alloc_u32(struct idr *idr, void if (WARN_ON_ONCE(!(idr->idr_rt.xa_flags & ROOT_IS_IDR))) idr->idr_rt.xa_flags |= IDR_RT_MARKER; + if (max < base) + return -ENOSPC; id = (id < base) ? 0 : id - base; radix_tree_iter_init(&iter, id); --- a/tools/testing/radix-tree/idr-test.c~idr-fix-idr_alloc-returning-an-id-out-of-range +++ a/tools/testing/radix-tree/idr-test.c @@ -57,6 +57,26 @@ void idr_alloc_test(void) idr_destroy(&idr); } +void idr_alloc2_test(void) +{ + int id; + struct idr idr = IDR_INIT_BASE(idr, 1); + + id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL); + assert(id == -ENOSPC); + + id = idr_alloc(&idr, idr_alloc2_test, 1, 2, GFP_KERNEL); + assert(id == 1); + + id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL); + assert(id == -ENOSPC); + + id = idr_alloc(&idr, idr_alloc2_test, 0, 2, GFP_KERNEL); + assert(id == -ENOSPC); + + idr_destroy(&idr); +} + void idr_replace_test(void) { DEFINE_IDR(idr); @@ -409,6 +429,7 @@ void idr_checks(void) idr_replace_test(); idr_alloc_test(); + idr_alloc2_test(); idr_null_test(); idr_nowait_test(); idr_get_next_test(0); _ Patches currently in -mm which might be from willy(a)infradead.org are idr-fix-idr_alloc-returning-an-id-out-of-range.patch mm-fix-vma_start_write_killable-signal-handling.patch

1 day, 12 hours

1
0
0 0

+ mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Subject: mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN Date: Fri, 28 Nov 2025 19:15:14 +0800 Syzkaller reported a memory out-of-bounds bug [1]. This patch fixes two issues: 1. In vrealloc, we were missing the KASAN_VMALLOC_VM_ALLOC flag when unpoisoning the extended region. This flag is required to correctly associate the allocation with KASAN's vmalloc tracking. Note: In contrast, vzalloc (via __vmalloc_node_range_noprof) explicitly sets KASAN_VMALLOC_VM_ALLOC and calls kasan_unpoison_vmalloc() with it. vrealloc must behave consistently �� especially when reusing existing vmalloc regions �� to ensure KASAN can track allocations correctly. 2. When vrealloc reuses an existing vmalloc region (without allocating new pages), KASAN previously generated a new tag, which broke tag-based memory access tracking. We now add a 'reuse_tag' parameter to __kasan_unpoison_vmalloc() to preserve the original tag in such cases. A new helper kasan_unpoison_vralloc() is introduced to handle this reuse scenario, ensuring consistent tag behavior during reallocation. Link: https://lkml.kernel.org/r/20251128111516.244497-1-jiayuan.chen@linux.dev Link: https://syzkaller.appspot.com/bug?extid=997752115a851cb0cf36 [1] Fixes: a0309faf1cb0 ("mm: vmalloc: support more granular vrealloc() sizing") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Reported-by: syzbot+997752115a851cb0cf36(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e243a2.050a0220.1696c6.007d.GAE@google.com/T/ Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/kasan.h | 21 +++++++++++++++++++-- mm/kasan/hw_tags.c | 4 ++-- mm/kasan/shadow.c | 6 ++++-- mm/vmalloc.c | 4 ++-- 4 files changed, 27 insertions(+), 8 deletions(-) --- a/include/linux/kasan.h~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/include/linux/kasan.h @@ -596,13 +596,23 @@ static inline void kasan_release_vmalloc #endif /* CONFIG_KASAN_GENERIC || CONFIG_KASAN_SW_TAGS */ void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, - kasan_vmalloc_flags_t flags); + kasan_vmalloc_flags_t flags, bool reuse_tag); + +static __always_inline void *kasan_unpoison_vrealloc(const void *start, + unsigned long size, + kasan_vmalloc_flags_t flags) +{ + if (kasan_enabled()) + return __kasan_unpoison_vmalloc(start, size, flags, true); + return (void *)start; +} + static __always_inline void *kasan_unpoison_vmalloc(const void *start, unsigned long size, kasan_vmalloc_flags_t flags) { if (kasan_enabled()) - return __kasan_unpoison_vmalloc(start, size, flags); + return __kasan_unpoison_vmalloc(start, size, flags, false); return (void *)start; } @@ -629,6 +639,13 @@ static inline void kasan_release_vmalloc unsigned long free_region_end, unsigned long flags) { } +static inline void *kasan_unpoison_vrealloc(const void *start, + unsigned long size, + kasan_vmalloc_flags_t flags) +{ + return (void *)start; +} + static inline void *kasan_unpoison_vmalloc(const void *start, unsigned long size, kasan_vmalloc_flags_t flags) --- a/mm/kasan/hw_tags.c~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/mm/kasan/hw_tags.c @@ -317,7 +317,7 @@ static void init_vmalloc_pages(const voi } void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, - kasan_vmalloc_flags_t flags) + kasan_vmalloc_flags_t flags, bool reuse_tag) { u8 tag; unsigned long redzone_start, redzone_size; @@ -361,7 +361,7 @@ void *__kasan_unpoison_vmalloc(const voi return (void *)start; } - tag = kasan_random_tag(); + tag = reuse_tag ? get_tag(start) : kasan_random_tag(); start = set_tag(start, tag); /* Unpoison and initialize memory up to size. */ --- a/mm/kasan/shadow.c~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/mm/kasan/shadow.c @@ -625,7 +625,7 @@ void kasan_release_vmalloc(unsigned long } void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, - kasan_vmalloc_flags_t flags) + kasan_vmalloc_flags_t flags, bool reuse_tag) { /* * Software KASAN modes unpoison both VM_ALLOC and non-VM_ALLOC @@ -648,7 +648,9 @@ void *__kasan_unpoison_vmalloc(const voi !(flags & KASAN_VMALLOC_PROT_NORMAL)) return (void *)start; - start = set_tag(start, kasan_random_tag()); + if (!reuse_tag) + start = set_tag(start, kasan_random_tag()); + kasan_unpoison(start, size, false); return (void *)start; } --- a/mm/vmalloc.c~mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan +++ a/mm/vmalloc.c @@ -4175,8 +4175,8 @@ void *vrealloc_node_align_noprof(const v * We already have the bytes available in the allocation; use them. */ if (size <= alloced_size) { - kasan_unpoison_vmalloc(p + old_size, size - old_size, - KASAN_VMALLOC_PROT_NORMAL); + kasan_unpoison_vrealloc(p, size, + KASAN_VMALLOC_PROT_NORMAL | KASAN_VMALLOC_VM_ALLOC); /* * No need to zero memory here, as unused memory will have * already been zeroed at initial allocation time or during _ Patches currently in -mm which might be from jiayuan.chen(a)linux.dev are mm-kasan-fix-incorrect-unpoisoning-in-vrealloc-for-kasan.patch mm-vmscan-skip-increasing-kswapd_failures-when-reclaim-was-boosted.patch

1 day, 13 hours

1
0
0 0

[obsolete] arm64-kernel-initialize-missing-kexec_buf-random-field.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: arm64: kernel: initialize missing kexec_buf->random field has been removed from the -mm tree. Its filename was arm64-kernel-initialize-missing-kexec_buf-random-field.patch This patch was dropped because it is obsolete ------------------------------------------------------ From: Yeoreum Yun <yeoreum.yun(a)arm.com> Subject: arm64: kernel: initialize missing kexec_buf->random field Date: Thu, 27 Nov 2025 18:26:44 +0000 Commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly") introduced the kexec_buf->random field to enable random placement of kexec_buf. However, this field was never properly initialized for kexec images that do not need to be placed randomly, leading to the following UBSAN warning: [ +0.364528] ------------[ cut here ]------------ [ +0.000019] UBSAN: invalid-load in ./include/linux/kexec.h:210:12 [ +0.000131] load of value 2 is not a valid value for type 'bool' (aka '_Bool') [ +0.000003] CPU: 4 UID: 0 PID: 927 Comm: kexec Not tainted 6.18.0-rc7+ #3 PREEMPT(full) [ +0.000002] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 [ +0.000000] Call trace: [ +0.000001] show_stack+0x24/0x40 (C) [ +0.000006] __dump_stack+0x28/0x48 [ +0.000002] dump_stack_lvl+0x7c/0xb0 [ +0.000002] dump_stack+0x18/0x34 [ +0.000001] ubsan_epilogue+0x10/0x50 [ +0.000002] __ubsan_handle_load_invalid_value+0xc8/0xd0 [ +0.000003] locate_mem_hole_callback+0x28c/0x2a0 [ +0.000003] kexec_locate_mem_hole+0xf4/0x2f0 [ +0.000001] kexec_add_buffer+0xa8/0x178 [ +0.000002] image_load+0xf0/0x258 [ +0.000001] __arm64_sys_kexec_file_load+0x510/0x718 [ +0.000002] invoke_syscall+0x68/0xe8 [ +0.000001] el0_svc_common+0xb0/0xf8 [ +0.000002] do_el0_svc+0x28/0x48 [ +0.000001] el0_svc+0x40/0xe8 [ +0.000002] el0t_64_sync_handler+0x84/0x140 [ +0.000002] el0t_64_sync+0x1bc/0x1c0 To address this, initialise kexec_buf->random field properly. Link: https://lkml.kernel.org/r/20251127182644.1577592-1-yeoreum.yun@arm.com Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") Signed-off-by: Yeoreum Yun <yeoreum.yun(a)arm.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Breno Leitao <leitao(a)debian.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: levi.yun <yeoreum.yun(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Jan Pazdziora <jpazdziora(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/arm64/kernel/kexec_image.c | 3 +++ arch/arm64/kernel/machine_kexec_file.c | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) --- a/arch/arm64/kernel/kexec_image.c~arm64-kernel-initialize-missing-kexec_buf-random-field +++ a/arch/arm64/kernel/kexec_image.c @@ -76,6 +76,9 @@ static void *image_load(struct kimage *i kbuf.buf_min = 0; kbuf.buf_max = ULONG_MAX; kbuf.top_down = false; +#ifdef CONFIG_CRASH_DUMP + kbuf.random = false; +#endif kbuf.buffer = kernel; kbuf.bufsz = kernel_len; --- a/arch/arm64/kernel/machine_kexec_file.c~arm64-kernel-initialize-missing-kexec_buf-random-field +++ a/arch/arm64/kernel/machine_kexec_file.c @@ -94,7 +94,11 @@ int load_other_segments(struct kimage *i char *initrd, unsigned long initrd_len, char *cmdline) { - struct kexec_buf kbuf = {}; + struct kexec_buf kbuf = { +#ifdef CONFIG_CRASH_DUMP + .random = false, +#endif + }; void *dtb = NULL; unsigned long initrd_load_addr = 0, dtb_len, orig_segments = image->nr_segments; _ Patches currently in -mm which might be from yeoreum.yun(a)arm.com are

1 day, 13 hours

1
0
0 0

[PATCH] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly

by Jason Gunthorpe

The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 Cc: stable(a)vger.kernel.org Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") Reported-by: syzbot+938fcd548c303fe33c1a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/68dc3dac.a00a0220.102ee.004f.GAE@google.com Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> --- drivers/infiniband/core/addr.c | 33 ++++++++++----------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c index 61596cda2b65f3..35ba852a172aad 100644 --- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c @@ -80,37 +80,25 @@ static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = { .min = sizeof(struct rdma_nla_ls_gid)}, }; -static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh) +static void ib_nl_process_ip_rsep(const struct nlmsghdr *nlh) { struct nlattr *tb[LS_NLA_TYPE_MAX] = {}; + union ib_gid gid; + struct addr_req *req; + int found = 0; int ret; if (nlh->nlmsg_flags & RDMA_NL_LS_F_ERR) - return false; + return; ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh), nlmsg_len(nlh), ib_nl_addr_policy, NULL); if (ret) - return false; + return; - return true; -} - -static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh) -{ - const struct nlattr *head, *curr; - union ib_gid gid; - struct addr_req *req; - int len, rem; - int found = 0; - - head = (const struct nlattr *)nlmsg_data(nlh); - len = nlmsg_len(nlh); - - nla_for_each_attr(curr, head, len, rem) { - if (curr->nla_type == LS_NLA_TYPE_DGID) - memcpy(&gid, nla_data(curr), nla_len(curr)); - } + if (!tb[LS_NLA_TYPE_DGID]) + return; + memcpy(&gid, nla_data(tb[LS_NLA_TYPE_DGID]), sizeof(gid)); spin_lock_bh(&lock); list_for_each_entry(req, &req_list, list) { @@ -137,8 +125,7 @@ int ib_nl_handle_ip_res_resp(struct sk_buff *skb, !(NETLINK_CB(skb).sk)) return -EPERM; - if (ib_nl_is_good_ip_resp(nlh)) - ib_nl_process_good_ip_rsep(nlh); + ib_nl_process_ip_rsep(nlh); return 0; } base-commit: 80a85a771deb113cfe2e295fb9e84467a43ebfe4 -- 2.43.0

1 day, 14 hours

1
0
0 0

[PATCH] hwmon: (max16065) Use local variable to avoid TOCTOU

by Gui-Dong Han

In max16065_current_show, data->curr_sense is read twice: once for the error check and again for the calculation. Since i2c_smbus_read_byte_data returns negative error codes on failure, if the data changes to an error code between the check and the use, ADC_TO_CURR results in an incorrect calculation. Read data->curr_sense into a local variable to ensure consistency. Note that data->curr_gain is constant and safe to access directly. This aligns max16065_current_show with max16065_input_show, which already uses a local variable for the same reason. Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z… Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- Based on the discussion in the link, I will submit a series of patches to address TOCTOU issues in the hwmon subsystem by converting macros to functions or adjusting locking where appropriate. --- drivers/hwmon/max16065.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c index 0ccb5eb596fc..4c9e7892a73c 100644 --- a/drivers/hwmon/max16065.c +++ b/drivers/hwmon/max16065.c @@ -216,12 +216,13 @@ static ssize_t max16065_current_show(struct device *dev, struct device_attribute *da, char *buf) { struct max16065_data *data = max16065_update_device(dev); + int curr_sense = data->curr_sense; - if (unlikely(data->curr_sense < 0)) - return data->curr_sense; + if (unlikely(curr_sense < 0)) + return curr_sense; return sysfs_emit(buf, "%d\n", - ADC_TO_CURR(data->curr_sense, data->curr_gain)); + ADC_TO_CURR(curr_sense, data->curr_gain)); } static ssize_t max16065_limit_store(struct device *dev, -- 2.43.0

1 day, 15 hours

2
1
0 0

[PATCH] idr: Fix idr_alloc() returning an ID out of range

by Matthew Wilcox (Oracle)

If you use an IDR with a non-zero base, and specify a range that lies entirely below the base, 'max - base' becomes very large and idr_get_free() can return an ID that lies outside of the requested range. Reported-by: Jan Sokolowski <jan.sokolowski(a)intel.com> Reported-by: Koen Koning koen.koning(a)intel.com Reported-by: Peter Senna Tschudin peter.senna(a)linux.intel.com Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449 Fixes: 6ce711f27500 (idr: Make 1-based IDRs more efficient) Cc: stable(a)vger.kernel.org Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Reviewed-by: Christian König <christian.koenig(a)amd.com> --- lib/idr.c | 2 ++ tools/testing/radix-tree/idr-test.c | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/lib/idr.c b/lib/idr.c index e2adc457abb4..457430cff8c5 100644 --- a/lib/idr.c +++ b/lib/idr.c @@ -40,6 +40,8 @@ int idr_alloc_u32(struct idr *idr, void *ptr, u32 *nextid, if (WARN_ON_ONCE(!(idr->idr_rt.xa_flags & ROOT_IS_IDR))) idr->idr_rt.xa_flags |= IDR_RT_MARKER; + if (max < base) + return -ENOSPC; id = (id < base) ? 0 : id - base; radix_tree_iter_init(&iter, id); diff --git a/tools/testing/radix-tree/idr-test.c b/tools/testing/radix-tree/idr-test.c index 2f830ff8396c..945144e98507 100644 --- a/tools/testing/radix-tree/idr-test.c +++ b/tools/testing/radix-tree/idr-test.c @@ -57,6 +57,26 @@ void idr_alloc_test(void) idr_destroy(&idr); } +void idr_alloc2_test(void) +{ + int id; + struct idr idr = IDR_INIT_BASE(idr, 1); + + id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL); + assert(id == -ENOSPC); + + id = idr_alloc(&idr, idr_alloc2_test, 1, 2, GFP_KERNEL); + assert(id == 1); + + id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL); + assert(id == -ENOSPC); + + id = idr_alloc(&idr, idr_alloc2_test, 0, 2, GFP_KERNEL); + assert(id == -ENOSPC); + + idr_destroy(&idr); +} + void idr_replace_test(void) { DEFINE_IDR(idr); @@ -409,6 +429,7 @@ void idr_checks(void) idr_replace_test(); idr_alloc_test(); + idr_alloc2_test(); idr_null_test(); idr_nowait_test(); idr_get_next_test(0); -- 2.47.2

1 day, 15 hours

1
0
0 0

[PATCH 5.15.y 00/14] timers: Provide timer_shutdown[_sync]()

by Jeongjun Park

The "timers: Provide timer_shutdown[_sync]()" patch series implemented a useful feature that addresses various bugs caused by attempts to rearm shutdown timers. https://lore.kernel.org/all/20221123201306.823305113@linutronix.de/ However, this patch series was not fully backported to versions prior to 6.2, requiring separate patches for older kernels if these bugs were encountered. The biggest problem with this is that even if these bugs were discovered and patched in the upstream kernel, if the maintainer or author didn't create a separate backport patch for versions prior to 6.2, the bugs would remain untouched in older kernels. Therefore, to reduce the hassle of having to write a separate patch, we should backport the remaining unbackported commits from the "timers: Provide timer_shutdown[_sync]()" patch series to versions prior to 6.2. --- Documentation/RCU/Design/Requirements/Requirements.rst | 2 +- Documentation/core-api/local_ops.rst | 2 +- Documentation/kernel-hacking/locking.rst | 17 +++++++----- Documentation/timers/hrtimers.rst | 2 +- Documentation/translations/it_IT/kernel-hacking/locking.rst | 14 +++++----- Documentation/translations/zh_CN/core-api/local_ops.rst | 2 +- arch/arm/mach-spear/time.c | 8 +++--- drivers/bluetooth/hci_qca.c | 10 +++++-- drivers/char/tpm/tpm-dev-common.c | 4 +-- drivers/clocksource/arm_arch_timer.c | 12 ++++----- drivers/clocksource/timer-sp804.c | 6 ++--- drivers/staging/wlan-ng/hfa384x_usb.c | 4 +-- drivers/staging/wlan-ng/prism2usb.c | 6 ++--- include/linux/timer.h | 17 ++++++++++-- kernel/time/timer.c | 315 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------- net/sunrpc/xprt.c | 2 +- 16 files changed, 322 insertions(+), 101 deletions(-)

1 day, 15 hours

1
14
0 0

[PATCH 5.10/5.15/6.1] scsi: pm80xx: Set phy->enable_completion only when we

by Nazar Kalashnikov

From: Igor Pylypiv <ipylypiv(a)google.com> [ Upstream commit e4f949ef1516c0d74745ee54a0f4882c1f6c7aea ] pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash. Signed-off-by: Igor Pylypiv <ipylypiv(a)google.com> Signed-off-by: Terrence Adams <tadamsjr(a)google.com> Link: https://lore.kernel.org/r/20240627155924.2361370-2-tadamsjr@google.com Acked-by: Jack Wang <jinpu.wang(a)ionos.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- Backport fix for CVE-2024-47666 drivers/scsi/pm8001/pm8001_sas.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c index 765c5be6c84c..85c27f2f990f 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c @@ -163,7 +163,6 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, unsigned long flags; pm8001_ha = sas_phy->ha->lldd_ha; phy = &pm8001_ha->phy[phy_id]; - pm8001_ha->phy[phy_id].enable_completion = &completion; switch (func) { case PHY_FUNC_SET_LINK_RATE: rates = funcdata; @@ -176,6 +175,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, rates->maximum_linkrate; } if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -184,6 +184,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, break; case PHY_FUNC_HARD_RESET: if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -192,6 +193,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, break; case PHY_FUNC_LINK_RESET: if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } -- 2.43.0

1 day, 17 hours

1
0
0 0

[PATCH 5.10] netfilter: nf_set_pipapo: fix initial map fill

by Nazar Kalashnikov

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 791a615b7ad2258c560f91852be54b0480837c93 ] The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough. Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") Reported-by: Yi Chen <yiche(a)redhat.com> Cc: Stefano Brivio <sbrivio(a)redhat.com> Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Stefano Brivio <sbrivio(a)redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- Backport fix for CVE-2024-57947 net/netfilter/nft_set_pipapo.c | 4 ++-- net/netfilter/nft_set_pipapo.h | 21 +++++++++++++++++++++ net/netfilter/nft_set_pipapo_avx2.c | 10 ++++++---- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index ce617f6a215f..6813ff660b72 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -432,7 +432,7 @@ bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, res_map = scratch->map + (map_index ? m->bsize_max : 0); fill_map = scratch->map + (map_index ? 0 : m->bsize_max); - memset(res_map, 0xff, m->bsize_max * sizeof(*res_map)); + pipapo_resmap_init(m, res_map); nft_pipapo_for_each_field(f, i, m) { bool last = i == m->field_count - 1; @@ -536,7 +536,7 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net, goto out; } - memset(res_map, 0xff, m->bsize_max * sizeof(*res_map)); + pipapo_resmap_init(m, res_map); nft_pipapo_for_each_field(f, i, m) { bool last = i == m->field_count - 1; diff --git a/net/netfilter/nft_set_pipapo.h b/net/netfilter/nft_set_pipapo.h index 2e709ae01924..8f8f58af4e34 100644 --- a/net/netfilter/nft_set_pipapo.h +++ b/net/netfilter/nft_set_pipapo.h @@ -287,4 +287,25 @@ static u64 pipapo_estimate_size(const struct nft_set_desc *desc) return size; } +/** + * pipapo_resmap_init() - Initialise result map before first use + * @m: Matching data, including mapping table + * @res_map: Result map + * + * Initialize all bits covered by the first field to one, so that after + * the first step, only the matching bits of the first bit group remain. + * + * If other fields have a large bitmap, set remainder of res_map to 0. + */ +static inline void pipapo_resmap_init(const struct nft_pipapo_match *m, unsigned long *res_map) +{ + const struct nft_pipapo_field *f = m->f; + int i; + + for (i = 0; i < f->bsize; i++) + res_map[i] = ULONG_MAX; + + for (i = f->bsize; i < m->bsize_max; i++) + res_map[i] = 0ul; +} #endif /* _NFT_SET_PIPAPO_H */ diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c index 0a23d297084d..81e6d12ab4cd 100644 --- a/net/netfilter/nft_set_pipapo_avx2.c +++ b/net/netfilter/nft_set_pipapo_avx2.c @@ -1028,6 +1028,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, /** * nft_pipapo_avx2_lookup_slow() - Fallback function for uncommon field sizes + * @mdata: Matching data, including mapping table * @map: Previous match result, used as initial bitmap * @fill: Destination bitmap to be filled with current match result * @f: Field, containing lookup and mapping tables @@ -1043,7 +1044,8 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, * Return: -1 on no match, rule index of match if @last, otherwise first long * word index to be checked next (i.e. first filled word). */ -static int nft_pipapo_avx2_lookup_slow(unsigned long *map, unsigned long *fill, +static int nft_pipapo_avx2_lookup_slow(const struct nft_pipapo_match *mdata, + unsigned long *map, unsigned long *fill, struct nft_pipapo_field *f, int offset, const u8 *pkt, bool first, bool last) { @@ -1053,7 +1055,7 @@ static int nft_pipapo_avx2_lookup_slow(unsigned long *map, unsigned long *fill, lt += offset * NFT_PIPAPO_LONGS_PER_M256; if (first) - memset(map, 0xff, bsize * sizeof(*map)); + pipapo_resmap_init(mdata, map); for (i = offset; i < bsize; i++) { if (f->bb == 8) @@ -1181,7 +1183,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, } else if (f->groups == 16) { NFT_SET_PIPAPO_AVX2_LOOKUP(8, 16); } else { - ret = nft_pipapo_avx2_lookup_slow(res, fill, f, + ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f, ret, rp, first, last); } @@ -1197,7 +1199,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, } else if (f->groups == 32) { NFT_SET_PIPAPO_AVX2_LOOKUP(4, 32); } else { - ret = nft_pipapo_avx2_lookup_slow(res, fill, f, + ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f, ret, rp, first, last); } -- 2.43.0

1 day, 17 hours

1
0
0 0

[PATCH 5.10/5.15] Bluetooth: Add more enc key size check

by Nazar Kalashnikov

From: Alex Lu <alex_lu(a)realsil.com.cn> [ Upstream commit 04a342cc49a8522e99c9b3346371c329d841dcd2 ] When we are slave role and receives l2cap conn req when encryption has started, we should check the enc key size to avoid KNOB attack or BLUFFS attack. From SIG recommendation, implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below 7 octets. A simple and clear way to achieve this is to place the enc key size check in hci_cc_read_enc_key_size() The btmon log below shows the case that lacks enc key size check. > HCI Event: Connect Request (0x04) plen 10 Address: BB:22:33:44:55:99 (OUI BB-22-33) Class: 0x480104 Major class: Computer (desktop, notebook, PDA, organizers) Minor class: Desktop workstation Capturing (Scanner, Microphone) Telephony (Cordless telephony, Modem, Headset) Link type: ACL (0x01) < HCI Command: Accept Connection Request (0x01|0x0009) plen 7 Address: BB:22:33:44:55:99 (OUI BB-22-33) Role: Peripheral (0x01) > HCI Event: Command Status (0x0f) plen 4 Accept Connection Request (0x01|0x0009) ncmd 2 Status: Success (0x00) > HCI Event: Connect Complete (0x03) plen 11 Status: Success (0x00) Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) Link type: ACL (0x01) Encryption: Disabled (0x00) ... > HCI Event: Encryption Change (0x08) plen 4 Status: Success (0x00) Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) Encryption: Enabled with E0 (0x01) < HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2 Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) > HCI Event: Command Complete (0x0e) plen 7 Read Encryption Key Size (0x05|0x0008) ncmd 2 Status: Success (0x00) Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) Key size: 6 // We should check the enc key size ... > ACL Data RX: Handle 1 flags 0x02 dlen 12 L2CAP: Connection Request (0x02) ident 3 len 4 PSM: 25 (0x0019) Source CID: 64 < ACL Data TX: Handle 1 flags 0x00 dlen 16 L2CAP: Connection Response (0x03) ident 3 len 8 Destination CID: 64 Source CID: 64 Result: Connection pending (0x0001) Status: Authorization pending (0x0002) > HCI Event: Number of Completed Packets (0x13) plen 5 Num handles: 1 Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) Count: 1 #35: len 16 (25 Kb/s) Latency: 5 msec (2-7 msec ~4 msec) < ACL Data TX: Handle 1 flags 0x00 dlen 16 L2CAP: Connection Response (0x03) ident 3 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000) Cc: stable(a)vger.kernel.org Signed-off-by: Alex Lu <alex_lu(a)realsil.com.cn> Signed-off-by: Max Chou <max.chou(a)realtek.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Nazar Kalashnikov: change status to rp_status due to function parameter conflict ] Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- Backport fix for CVE-2023-24023 net/bluetooth/hci_event.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index c6dbb4aebfbc..6310f4f9890e 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3043,6 +3043,7 @@ static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, const struct hci_rp_read_enc_key_size *rp; struct hci_conn *conn; u16 handle; + u8 rp_status; BT_DBG("%s status 0x%02x", hdev->name, status); @@ -3052,6 +3053,7 @@ static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, } rp = (void *)skb->data; + rp_status = rp->status; handle = le16_to_cpu(rp->handle); hci_dev_lock(hdev); @@ -3064,15 +3066,30 @@ static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, * secure approach is to then assume the key size is 0 to force a * disconnection. */ - if (rp->status) { + if (rp_status) { bt_dev_err(hdev, "failed to read key size for handle %u", handle); conn->enc_key_size = 0; } else { conn->enc_key_size = rp->key_size; + rp_status = 0; + + if (conn->enc_key_size < hdev->min_enc_key_size) { + /* As slave role, the conn->state has been set to + * BT_CONNECTED and l2cap conn req might not be received + * yet, at this moment the l2cap layer almost does + * nothing with the non-zero status. + * So we also clear encrypt related bits, and then the + * handler of l2cap conn req will get the right secure + * state at a later time. + */ + rp_status = HCI_ERROR_AUTH_FAILURE; + clear_bit(HCI_CONN_ENCRYPT, &conn->flags); + clear_bit(HCI_CONN_AES_CCM, &conn->flags); + } } - hci_encrypt_cfm(conn, 0); + hci_encrypt_cfm(conn, rp_status); unlock: hci_dev_unlock(hdev); -- 2.43.0

1 day, 17 hours

1
0
0 0

[PATCH 5.10] fs: writeback: fix use-after-free in __mark_inode_dirty()

by Nazar Kalashnikov

From: Jiufei Xue <jiufei.xue(a)samsung.com> [ Upstream commit d02d2c98d25793902f65803ab853b592c7a96b29 ] An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198 Root cause is: systemd-random-seed kworker ---------------------------------------------------------------------- ___mark_inode_dirty inode_switch_wbs_work_fn spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished. Signed-off-by: Jiufei Xue <jiufei.xue(a)samsung.com> Link: https://lore.kernel.org/20250728100715.3863241-1-jiufei.xue@samsung.com Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- Backport fix for CVE-2025-39866 fs/fs-writeback.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index 045a3bd520ca..ba70508b405d 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -2326,9 +2326,6 @@ void __mark_inode_dirty(struct inode *inode, int flags) wakeup_bdi = inode_io_list_move_locked(inode, wb, dirty_list); - spin_unlock(&wb->list_lock); - trace_writeback_dirty_inode_enqueue(inode); - /* * If this is the first dirty inode for this bdi, * we have to wake-up the corresponding bdi thread @@ -2338,6 +2335,10 @@ void __mark_inode_dirty(struct inode *inode, int flags) if (wakeup_bdi && (wb->bdi->capabilities & BDI_CAP_WRITEBACK)) wb_wakeup_delayed(wb); + + spin_unlock(&wb->list_lock); + trace_writeback_dirty_inode_enqueue(inode); + return; } } -- 2.43.0

1 day, 17 hours

1
0
0 0

[PATCH 5.10 1/2] bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change

by Alexey Panov

From: Nikolay Aleksandrov <razor(a)blackwall.org> [ Upstream commit 9ec7eb60dcbcb6c41076defbc5df7bbd95ceaba5 ] Add bond_ether_setup helper which is used to fix ether_setup() calls in the bonding driver. It takes care of both IFF_MASTER and IFF_SLAVE flags, the former is always restored and the latter only if it was set. If the bond enslaves non-ARPHRD_ETHER device (changes its type), then releases it and enslaves ARPHRD_ETHER device (changes back) then we use ether_setup() to restore the bond device type but it also resets its flags and removes IFF_MASTER and IFF_SLAVE[1]. Use the bond_ether_setup helper to restore both after such transition. [1] reproduce (nlmon is non-ARPHRD_ETHER): $ ip l add nlmon0 type nlmon $ ip l add bond2 type bond mode active-backup $ ip l set nlmon0 master bond2 $ ip l set nlmon0 nomaster $ ip l add bond1 type bond (we use bond1 as ARPHRD_ETHER device to restore bond2's mode) $ ip l set bond1 master bond2 $ ip l sh dev bond2 37: bond2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether be:d7:c5:40:5b:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500 (notice bond2's IFF_MASTER is missing) Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type") Signed-off-by: Nikolay Aleksandrov <razor(a)blackwall.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Alexey Panov <apanov(a)astralinux.ru> --- Backport fix for CVE-2023-53103 Tested with the syzkaller reproducer for https://syzkaller.appspot.com/bug?extid=9dfc3f3348729cc82277: the issue triggers on vanilla v5.10.y and no longer reproduces with these patches applied. drivers/net/bonding/bond_main.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 08bc930afc4c..127242101c8e 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -1691,6 +1691,19 @@ void bond_lower_state_changed(struct slave *slave) netdev_lower_state_changed(slave->dev, &info); } +/* The bonding driver uses ether_setup() to convert a master bond device + * to ARPHRD_ETHER, that resets the target netdevice's flags so we always + * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE if it was set + */ +static void bond_ether_setup(struct net_device *bond_dev) +{ + unsigned int slave_flag = bond_dev->flags & IFF_SLAVE; + + ether_setup(bond_dev); + bond_dev->flags |= IFF_MASTER | slave_flag; + bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; +} + /* enslave device <slave> to bond device <master> */ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, struct netlink_ext_ack *extack) @@ -1777,10 +1790,8 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, if (slave_dev->type != ARPHRD_ETHER) bond_setup_by_slave(bond_dev, slave_dev); - else { - ether_setup(bond_dev); - bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING; - } + else + bond_ether_setup(bond_dev); call_netdevice_notifiers(NETDEV_POST_TYPE_CHANGE, bond_dev); -- 2.30.2

1 day, 18 hours

2
3
0 0

[PATCH 5.10 v3 0/3] Backport fix for CVE-2023-53103

by Alexey Panov

Changes in v3: - Fixed patch numbering (previously sent as 2/3 instead of 3/3) Changes in v2: - Added a new patch fixing bonding regression, based on the Fixes tag in c484fcc058ba ("bonding: Fix memory leak when changing bond type to Ethernet") - Added a cover letter - No changes in patches 1 and 3 - Retested the reproducer [1] Tested with the syzkaller reproducer [1]. The issue triggers on vanilla v5.10.y and no longer reproduces with these patches applied. Additionally, c484fcc058ba ("bonding: Fix memory leak when changing bond type to Ethernet") has a Fixes tag pointing to 9ec7eb60dcbc ("bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change"), so it should be ported as well. [1]: https://syzkaller.appspot.com/bug?extid=9dfc3f3348729cc82277 Ido Schimmel (1): bonding: Fix memory leak when changing bond type to Ethernet Nikolay Aleksandrov (2): bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails drivers/net/bonding/bond_main.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) -- 2.39.5

1 day, 18 hours

1
3
0 0

[PATCH 5.10 v2 0/3] Backport fix for CVE-2023-53103

by Alexey Panov

Changes in v2: - Added a new patch fixing bonding regression, based on the Fixes tag in c484fcc058ba ("bonding: Fix memory leak when changing bond type to Ethernet") - Added a cover letter - No changes in patches 1 and 3 - Retested the reproducer [1] Tested with the syzkaller reproducer [1]. The issue triggers on vanilla v5.10.y and no longer reproduces with these patches applied. Additionally, c484fcc058ba ("bonding: Fix memory leak when changing bond type to Ethernet") has a Fixes tag pointing to 9ec7eb60dcbc ("bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change"), so it should be ported as well. [1]: https://syzkaller.appspot.com/bug?extid=9dfc3f3348729cc82277 Ido Schimmel (1): bonding: Fix memory leak when changing bond type to Ethernet Nikolay Aleksandrov (2): bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails drivers/net/bonding/bond_main.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) -- 2.39.5

1 day, 18 hours

1
3
0 0

[PATCH 6.12 000/112] 6.12.60-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.60 release. There are 112 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 29 Nov 2025 14:40:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.60-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.60-rc1 Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: Insert dccg log for easy debug Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: disable DPP RCG before DPP CLK enable Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: avoid reset DTBCLK at clock init Darrick J. Wong <djwong(a)kernel.org> xfs: fix out of bounds memory read error in symlink repair Marcelo Moreira <marcelomoreira1905(a)gmail.com> xfs: Replace strncpy with memcpy Eric Dumazet <edumazet(a)google.com> mptcp: fix a race in mptcp_pm_del_add_timer() Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Disable Panel Replay Martin Kaiser <martin(a)kaiser.cx> maple_tree: fix tracepoint string pointers Jari Ruusu <jariruusu(a)protonmail.com> tty/vt: fix up incorrect backport to stable releases Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix incomplete backport in cfids_invalidation_worker() Samuel Zhang <guoqing.zhang(a)amd.com> drm/amdgpu: fix gpu page fault after hibernation on PF passthrough Zhang Chujun <zhangchujun(a)cmss.chinamobile.com> tracing/tools: Fix incorrcet short option in usage text for --threads Nishanth Menon <nm(a)ti.com> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error René Rebe <rene(a)exactco.de> ALSA: usb-audio: fix uac2 clock source at terminal parser Heiko Carstens <hca(a)linux.ibm.com> s390/mm: Fix __ptep_rdp() inline assembly Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Prevent BIT() overflow when handling invalid prefetch region Wentao Guan <guanwentao(a)uniontech.com> Revert "RDMA/irdma: Update Kconfig" Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make all 32bit ID registers fully writable Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check Jakub Horký <jakub.git(a)horky.net> kconfig/nconf: Initialize the default locale at startup Jakub Horký <jakub.git(a)horky.net> kconfig/mconf: Initialize the default locale at startup Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Cancel RX async resync request on rcd_delta overflow Carlos Llamas <cmllamas(a)google.com> blk-crypto: use BLK_STS_INVAL for alignment errors Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Change async resync helpers argument Po-Hsu Lin <po-hsu.lin(a)canonical.com> selftests: net: use BASH for bareudp testing Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Limit Entrysign signature checking to known generations Bart Van Assche <bvanassche(a)acm.org> scsi: core: Fix a regression triggered by scsi_host_busy() Steve French <stfrench(a)microsoft.com> cifs: fix typo in enable_gcm_256 module parameter Rafał Miłecki <rafal(a)milecki.pl> bcma: don't register devices disabled in OF Michal Luczaj <mhal(a)rbox.co> vsock: Ignore signal/timeout on connect() if already established Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> cifs: fix memory leak in smb3_fs_context_parse_param error path Thomas Weißschuh <linux(a)weissschuh.net> LoongArch: Use UAPI types in ptrace UAPI header Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Cache state->msg in unix_stream_read_generic(). Pradyumn Rahar <pradyumn.rahar(a)oracle.com> net/mlx5: Clean up only new IRQ glue on request_irq() failure Shay Drory <shayd(a)nvidia.com> devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix PTP cleanup on driver removal in error path Emil Tantilov <emil.s.tantilov(a)intel.com> idpf: fix possible vport_config NULL pointer deref in remove Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Haotian Zhang <vulab(a)iscas.ac.cn> platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos Ido Schimmel <idosch(a)nvidia.com> selftests: net: lib: Do not overwrite error messages Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> s390/ctcm: Fix double-kfree Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> nvme-multipath: fix lockdep WARN due to partition scan work Chen Pei <cp0613(a)linux.alibaba.com> tools: riscv: Fixed misalignment of CSR related definitions Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove never-working support for setting nsh fields Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: mlxsw: linecards: fix missing error check in mlxsw_linecard_devlink_info_get() Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: dsa: hellcreek: fix missing error handling in LED registration Prateek Agarwal <praagarwal(a)nvidia.com> drm/tegra: Add call to put_pid() Zilin Guan <zilin(a)seu.edu.cn> mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Fix typo in WMI GUID Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Only load on MSI devices Haotian Zhang <vulab(a)iscas.ac.cn> pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() Jianbo Liu <jianbol(a)nvidia.com> xfrm: Prevent locally generated packets from direct output in tunnel mode Jianbo Liu <jianbol(a)nvidia.com> xfrm: Determine inner GSO type from packet inner protocol Yu-Chun Lin <eleanor.lin(a)realtek.com> pinctrl: realtek: Select REGMAP_MMIO for RTD driver Sabrina Dubroca <sd(a)queasysnail.net> xfrm: set err and extack on failure to create pcpu SA Sabrina Dubroca <sd(a)queasysnail.net> xfrm: drop SA reference in xfrm_state_update if dir doesn't match Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix pbn to kbps Conversion Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Move sleep into each retry for retrieve_link_cap() Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Increase DPCD read retries Yifan Zha <Yifan.Zha(a)amd.com> drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Skip power ungate during suspend for VPE Robert McClinton <rbmccav(a)gmail.com> drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Ma Ke <make24(a)iscas.ac.cn> drm/tegra: dc: Fix reference leak in tegra_dc_couple() Paolo Abeni <pabeni(a)redhat.com> mptcp: do not fallback when OoO is present Paolo Abeni <pabeni(a)redhat.com> mptcp: decouple mptcp fastclose from tcp close Paolo Abeni <pabeni(a)redhat.com> mptcp: avoid unneeded subflow-level drops Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer timeout Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer timeout Paolo Abeni <pabeni(a)redhat.com> mptcp: fix premature close in case of fallback Paolo Abeni <pabeni(a)redhat.com> mptcp: fix duplicate reset on fastclose Paolo Abeni <pabeni(a)redhat.com> mptcp: fix ack generation for fallback msk Eric Dumazet <edumazet(a)google.com> mptcp: fix race condition in mptcp_schedule_work() Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Don't panic if no valid cache info for PCI Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Malta: Fix !EVA SOC-it PCI MMIO Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Bart Van Assche <bvanassche(a)acm.org> scsi: sg: Do not sleep in atomic context Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() Nam Cao <namcao(a)linutronix.de> nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot Vlastimil Babka <vbabka(a)suse.cz> mm/mempool: fix poisoning order>0 pages with HIGHMEM Seungjin Bae <eeodqql09(a)gmail.com> Input: pegasus-notetaker - fix potential out-of-bounds access Dan Carpenter <dan.carpenter(a)linaro.org> Input: imx_sc_key - fix memory corruption on unload Hans de Goede <hdegoede(a)redhat.com> Input: goodix - add support for ACPI ID GDIX1003 Tzung-Bi Shih <tzungbi(a)kernel.org> Input: cros_ec_keyb - fix an invalid memory access Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Oleksij Rempel <o.rempel(a)pengutronix.de> net: dsa: microchip: lan937x: Fix RGMII delay tuning Andrey Vatoropin <a.vatoropin(a)crpt.ru> be2net: pass wrb_params in case of OS2BMC Yihang Li <liyihang9(a)h-partners.com> ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: introduce close_cached_dir_locked() Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification Niklas Cassel <cassel(a)kernel.org> ata: libata-scsi: Fix system suspend for a security locked drive Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Fix proto fallback detection with BPF Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Disallow MPTCP subflows from sockmap Yongpeng Yang <yangyongpeng(a)xiaomi.com> exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Mike Yuan <me(a)yhndnzj.com> shmem: fix tmpfs reconfiguration (remount) when noswap is set Yongpeng Yang <yangyongpeng(a)xiaomi.com> isofs: check the return value of sb_min_blocksize() in isofs_fill_super Dan Carpenter <dan.carpenter(a)linaro.org> mtdchar: fix integer overflow in read/write ioctls Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> mtd: rawnand: cadence: fix DMA device NULL pointer dereference Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable HS400 on RK3588 Tiger Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 Mykola Kvach <xakep.amatop(a)gmail.com> arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 Diederik de Haas <diederik(a)cknow-tech.com> arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 Zhang Heng <zhangheng(a)kylinos.cn> HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Mario Limonciello (AMD) <superm1(a)kernel.org> HID: amd_sfh: Stop sensor before starting Yipeng Zou <zouyipeng(a)huawei.com> timers: Fix NULL function pointer race in timer_shutdown_sync() Sebastian Ene <sebastianene(a)google.com> KVM: arm64: Check the untrusted offset in FF-A memory share ------------- Diffstat: .../bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++--- Documentation/wmi/driver-development-guide.rst | 1 + Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +- .../arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 +- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +- arch/arm64/kvm/sys_regs.c | 63 +++++++------ arch/loongarch/include/uapi/asm/ptrace.h | 40 ++++---- arch/loongarch/pci/pci.c | 8 +- arch/mips/mm/tlb-r4k.c | 102 +++++++++++++-------- arch/mips/mti-malta/malta-init.c | 20 ++-- arch/s390/include/asm/pgtable.h | 12 +-- arch/s390/mm/pgtable.c | 4 +- arch/x86/kernel/cpu/microcode/amd.c | 20 +++- block/blk-crypto.c | 2 +- drivers/ata/libata-scsi.c | 11 ++- drivers/bcma/main.c | 6 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +- drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 3 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 4 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 +++++------- .../amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 20 ++-- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 60 ++++++++---- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 ++ .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 21 +++-- .../display/dc/link/protocols/link_dp_capability.c | 11 ++- drivers/gpu/drm/i915/display/intel_psr.c | 4 + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 + drivers/gpu/drm/radeon/radeon_fence.c | 7 -- drivers/gpu/drm/tegra/dc.c | 1 + drivers/gpu/drm/tegra/dsi.c | 9 -- drivers/gpu/drm/tegra/uapi.c | 7 +- drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 + drivers/hid/hid-ids.h | 4 +- drivers/hid/hid-quirks.c | 13 ++- drivers/infiniband/hw/irdma/Kconfig | 7 +- drivers/input/keyboard/cros_ec_keyb.c | 6 ++ drivers/input/keyboard/imx_sc_key.c | 2 +- drivers/input/tablet/pegasus_notetaker.c | 9 ++ drivers/input/touchscreen/goodix.c | 1 + drivers/mtd/mtdchar.c | 6 +- drivers/mtd/nand/raw/cadence-nand-controller.c | 3 +- drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++- drivers/net/dsa/microchip/lan937x_main.c | 1 + drivers/net/ethernet/emulex/benet/be_main.c | 7 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 22 ++++- drivers/net/ethernet/intel/idpf/idpf_main.c | 2 + .../ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 9 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 +- .../net/ethernet/mellanox/mlxsw/core_linecards.c | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +- drivers/net/ethernet/ti/netcp_core.c | 10 +- drivers/nvme/host/fc.c | 15 +-- drivers/nvme/host/multipath.c | 2 +- drivers/perf/riscv_pmu_sbi.c | 2 +- drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 21 ++++- drivers/pinctrl/nxp/pinctrl-s32cc.c | 3 +- drivers/pinctrl/realtek/Kconfig | 1 + drivers/platform/x86/Kconfig | 1 + .../x86/intel/speed_select_if/isst_if_mmio.c | 4 +- drivers/platform/x86/msi-wmi-platform.c | 43 ++++++++- drivers/s390/net/ctcm_mpc.c | 1 - drivers/scsi/hosts.c | 5 +- drivers/scsi/sg.c | 10 +- drivers/soc/ti/knav_dma.c | 14 +-- drivers/target/loopback/tcm_loop.c | 3 + drivers/tty/vt/vt_ioctl.c | 4 +- fs/exfat/super.c | 5 +- fs/isofs/inode.c | 5 + fs/smb/client/cached_dir.c | 43 ++++++++- fs/smb/client/cifsfs.c | 2 +- fs/smb/client/fs_context.c | 4 + fs/xfs/scrub/symlink_repair.c | 4 +- include/linux/ata.h | 1 + include/net/tls.h | 25 ++--- include/net/xfrm.h | 3 +- kernel/time/timer.c | 7 +- lib/maple_tree.c | 30 +++--- mm/mempool.c | 32 +++++-- mm/shmem.c | 15 ++- net/devlink/rate.c | 4 +- net/ipv4/esp4_offload.c | 6 +- net/ipv6/esp6_offload.c | 6 +- net/mptcp/options.c | 54 ++++++++++- net/mptcp/pm_netlink.c | 20 ++-- net/mptcp/protocol.c | 84 +++++++++++------ net/mptcp/protocol.h | 3 +- net/mptcp/subflow.c | 8 ++ net/openvswitch/actions.c | 68 +------------- net/openvswitch/flow_netlink.c | 64 ++----------- net/openvswitch/flow_netlink.h | 2 - net/tls/tls_device.c | 4 +- net/unix/af_unix.c | 36 ++++---- net/vmw_vsock/af_vsock.c | 40 ++++++-- net/xfrm/xfrm_output.c | 6 +- net/xfrm/xfrm_state.c | 8 +- net/xfrm/xfrm_user.c | 5 +- scripts/kconfig/mconf.c | 3 + scripts/kconfig/nconf.c | 3 + sound/usb/endpoint.c | 3 +- sound/usb/mixer.c | 2 +- tools/arch/riscv/include/asm/csr.h | 5 +- tools/testing/selftests/net/bareudp.sh | 2 +- .../selftests/net/forwarding/lib_sh_test.sh | 7 ++ tools/testing/selftests/net/lib.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 ++-- tools/tracing/latency/latency-collector.c | 2 +- 112 files changed, 914 insertions(+), 560 deletions(-)

1 day, 19 hours

3
114
0 0

[PATCH] gpio: loongson: Switch 2K2000/3000 GPIO to BYTE_CTRL_MODE

by Xi Ruoyao

The manuals of 2K2000 says both BIT_CTRL_MODE and BYTE_CTRL_MODE are supported but the latter is recommended. Also on 2K3000, per the ACPI DSDT the GPIO controller is compatible with 2K2000, but it fails to operate GPIOs 62 and 63 (and maybe others) using BIT_CTRL_MODE. Using BYTE_CTRL_MODE also makes those 2K3000 GPIOs work. Fixes: 3feb70a61740 ("gpio: loongson: add more gpio chip support") Cc: stable(a)vger.kernel.org Signed-off-by: Xi Ruoyao <xry111(a)xry111.site> --- drivers/gpio/gpio-loongson-64bit.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/gpio/gpio-loongson-64bit.c b/drivers/gpio/gpio-loongson-64bit.c index 02f181cb219e..82d4c3aa4d2f 100644 --- a/drivers/gpio/gpio-loongson-64bit.c +++ b/drivers/gpio/gpio-loongson-64bit.c @@ -407,11 +407,11 @@ static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data0 = { static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data1 = { .label = "ls2k2000_gpio", - .mode = BIT_CTRL_MODE, - .conf_offset = 0x0, - .in_offset = 0x20, - .out_offset = 0x10, - .inten_offset = 0x30, + .mode = BYTE_CTRL_MODE, + .conf_offset = 0x800, + .in_offset = 0xa00, + .out_offset = 0x900, + .inten_offset = 0xb00, }; static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data2 = { -- 2.52.0

1 day, 19 hours

3
2
0 0

[PATCH 2/4] PCI: Rewrite bridge window head alignment function

by Ilpo Järvinen

The calculation of bridge window head alignment is done by calculate_mem_align() [*]. With the default bridge window alignment, it is used for both head and tail alignment. The selected head alignment does not always result in tight-fitting resources (gap at d4f00000-d4ffffff): d4800000-dbffffff : PCI Bus 0000:06 d4800000-d48fffff : PCI Bus 0000:07 d4800000-d4803fff : 0000:07:00.0 d4800000-d4803fff : nvme d4900000-d49fffff : PCI Bus 0000:0a d4900000-d490ffff : 0000:0a:00.0 d4900000-d490ffff : r8169 d4910000-d4913fff : 0000:0a:00.0 d4a00000-d4cfffff : PCI Bus 0000:0b d4a00000-d4bfffff : 0000:0b:00.0 d4a00000-d4bfffff : 0000:0b:00.0 d4c00000-d4c07fff : 0000:0b:00.0 d4d00000-d4dfffff : PCI Bus 0000:15 d4d00000-d4d07fff : 0000:15:00.0 d4d00000-d4d07fff : xhci-hcd d4e00000-d4efffff : PCI Bus 0000:16 d4e00000-d4e7ffff : 0000:16:00.0 d4e80000-d4e803ff : 0000:16:00.0 d4e80000-d4e803ff : ahci d5000000-dbffffff : PCI Bus 0000:0c This has not been caused problems (for years) with the default bridge window tail alignment that grossly over-estimates the required tail alignment leaving more tail room than necessary. With the introduction of relaxed tail alignment that leaves no extra tail room whatsoever, any gaps will immediately turn into assignment failures. Introduce head alignment calculation that ensures no gaps are left and apply the new approach when using relaxed alignment. ([*] I don't understand the algorithm in calculate_mem_align().) Fixes: 5d0a8965aea9 ("[PATCH] 2.5.14: New PCI allocation code (alpha, arm, parisc) [2/2]") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220775 Reported-by: Malte Schröder <malte+lkml(a)tnxip.de> Tested-by: Malte Schröder <malte+lkml(a)tnxip.de> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- Little annoyingly, there's difference in what aligns array contains between the legacy alignment approach (which I dare not to touch as I really don't understand what the algorithm tries to do) and this new head aligment algorithm, both consuming stack space. After making the new approach the only available approach in the follow-up patch, only one array remains (however, that follow-up change is also somewhat riskier when it comes to regressions). That being said, the new head alignment could work with the same aligns array as the legacy approach, it just won't necessarily produce an optimal (the smallest possible) head alignment when if (r_size <= align) condition is used. Just let me know if that approach is preferred (to save some stack space). --- drivers/pci/setup-bus.c | 53 ++++++++++++++++++++++++++++++++++------- 1 file changed, 44 insertions(+), 9 deletions(-) diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c index 70d021ffb486..93f6b0750174 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c @@ -1224,6 +1224,45 @@ static inline resource_size_t calculate_mem_align(resource_size_t *aligns, return min_align; } +/* + * Calculate bridge window head alignment that leaves no gaps in between + * resources. + */ +static resource_size_t calculate_head_align(resource_size_t *aligns, + int max_order) +{ + resource_size_t head_align = 1; + resource_size_t remainder = 0; + int order; + + /* Take the largest alignment as the starting point. */ + head_align <<= max_order + __ffs(SZ_1M); + + for (order = max_order - 1; order >= 0; order--) { + resource_size_t align1 = 1; + + align1 <<= order + __ffs(SZ_1M); + + /* + * Account smaller resources with alignment < max_order that + * could be used to fill head room if alignment less than + * max_order is used. + */ + remainder += aligns[order]; + + /* + * Test if head fill is enough to satisfy the alignment of + * the larger resources after reducing the alignment. + */ + while ((head_align > align1) && (remainder >= head_align / 2)) { + head_align /= 2; + remainder -= head_align; + } + } + + return head_align; +} + /** * pbus_upstream_space_available - Check no upstream resource limits allocation * @bus: The bus @@ -1311,13 +1350,13 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type, { struct pci_dev *dev; resource_size_t min_align, win_align, align, size, size0, size1 = 0; - resource_size_t aligns[28]; /* Alignments from 1MB to 128TB */ + resource_size_t aligns[28] = {}; /* Alignments from 1MB to 128TB */ + resource_size_t aligns2[28] = {};/* Alignments from 1MB to 128TB */ int order, max_order; struct resource *b_res = pbus_select_window_for_type(bus, type); resource_size_t children_add_size = 0; resource_size_t children_add_align = 0; resource_size_t add_align = 0; - resource_size_t relaxed_align; resource_size_t old_size; if (!b_res) @@ -1327,7 +1366,6 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type, if (b_res->parent) return; - memset(aligns, 0, sizeof(aligns)); max_order = 0; size = 0; @@ -1378,6 +1416,7 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type, */ if (r_size <= align) aligns[order] += align; + aligns2[order] += align; if (order > max_order) max_order = order; @@ -1402,9 +1441,7 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type, if (bus->self && size0 && !pbus_upstream_space_available(bus, b_res, size0, min_align)) { - relaxed_align = 1ULL << (max_order + __ffs(SZ_1M)); - relaxed_align = max(relaxed_align, win_align); - min_align = min(min_align, relaxed_align); + min_align = calculate_head_align(aligns2, max_order); size0 = calculate_memsize(size, min_size, 0, 0, old_size, win_align); resource_set_range(b_res, min_align, size0); pci_info(bus->self, "bridge window %pR to %pR requires relaxed alignment rules\n", @@ -1418,9 +1455,7 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type, if (bus->self && size1 && !pbus_upstream_space_available(bus, b_res, size1, add_align)) { - relaxed_align = 1ULL << (max_order + __ffs(SZ_1M)); - relaxed_align = max(relaxed_align, win_align); - min_align = min(min_align, relaxed_align); + min_align = calculate_head_align(aligns2, max_order); size1 = calculate_memsize(size, min_size, add_size, children_add_size, old_size, win_align); pci_info(bus->self, -- 2.39.5

1 day, 20 hours

1
0
0 0

[PATCH 1/4] PCI: Fix bridge window alignment with optional resources

by Ilpo Järvinen

pbus_size_mem() has two alignments, one for required resources in min_align and another in add_align that takes account optional resources. The add_align is applied to the bridge window through the realloc_head list. It can happen, however, that add_align is larger than min_align but calculated size1 and size0 are equal due to extra tailroom (e.g., hotplug reservation, tail alignment), and therefore no entry is created to the realloc_head list. Without the bridge appearing in the realloc head, add_align is lost when pbus_size_mem() returns. The problem is visible in this log for 0000:05:00.0 which lacks add_size ... add_align ... line that would indicate it was added into the realloc_head list: pci 0000:05:00.0: PCI bridge to [bus 06-16] ... pci 0000:06:00.0: bridge window [mem 0x00100000-0x001fffff] to [bus 07] requires relaxed alignment rules pci 0000:06:06.0: bridge window [mem 0x00100000-0x001fffff] to [bus 0a] requires relaxed alignment rules pci 0000:06:07.0: bridge window [mem 0x00100000-0x003fffff] to [bus 0b] requires relaxed alignment rules pci 0000:06:08.0: bridge window [mem 0x00800000-0x00ffffff 64bit pref] to [bus 0c-14] requires relaxed alignment rules pci 0000:06:08.0: bridge window [mem 0x01000000-0x057fffff] to [bus 0c-14] requires relaxed alignment rules pci 0000:06:08.0: bridge window [mem 0x01000000-0x057fffff] to [bus 0c-14] requires relaxed alignment rules pci 0000:06:08.0: bridge window [mem 0x01000000-0x057fffff] to [bus 0c-14] add_size 100000 add_align 1000000 pci 0000:06:0c.0: bridge window [mem 0x00100000-0x001fffff] to [bus 15] requires relaxed alignment rules pci 0000:06:0d.0: bridge window [mem 0x00100000-0x001fffff] to [bus 16] requires relaxed alignment rules pci 0000:06:0d.0: bridge window [mem 0x00100000-0x001fffff] to [bus 16] requires relaxed alignment rules pci 0000:05:00.0: bridge window [mem 0xd4800000-0xd97fffff]: assigned pci 0000:05:00.0: bridge window [mem 0x1060000000-0x10607fffff 64bit pref]: assigned pci 0000:06:08.0: bridge window [mem size 0x04900000]: can't assign; no space pci 0000:06:08.0: bridge window [mem size 0x04900000]: failed to assign While this bug itself seems old, it has likely become more visible after the relaxed tail alignment that does not grossly overestimate the size needed for the bridge window. Make sure add_align > min_align too results in adding an entry into the realloc head list. In addition, add handling to the cases where add_size is zero while only alignment differs. Fixes: d74b9027a4da ("PCI: Consider additional PF's IOV BAR alignment in sizing and assigning") Reported-by: Malte Schröder <malte+lkml(a)tnxip.de> Tested-by: Malte Schröder <malte+lkml(a)tnxip.de> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- drivers/pci/setup-bus.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c index 4a8735b275e4..70d021ffb486 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c @@ -14,6 +14,7 @@ * tighter packing. Prefetchable range support. */ +#include <linux/align.h> #include <linux/bitops.h> #include <linux/init.h> #include <linux/kernel.h> @@ -452,7 +453,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head, "%s %pR: ignoring failure in optional allocation\n", res_name, res); } - } else if (add_size > 0) { + } else if (add_size > 0 || !IS_ALIGNED(res->start, align)) { res->flags |= add_res->flags & (IORESOURCE_STARTALIGN|IORESOURCE_SIZEALIGN); if (pci_reassign_resource(dev, idx, add_size, align)) @@ -1438,12 +1439,13 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type, resource_set_range(b_res, min_align, size0); b_res->flags |= IORESOURCE_STARTALIGN; - if (bus->self && size1 > size0 && realloc_head) { + if (bus->self && realloc_head && (size1 > size0 || add_align > min_align)) { b_res->flags &= ~IORESOURCE_DISABLED; - add_to_list(realloc_head, bus->self, b_res, size1-size0, add_align); + add_size = size1 > size0 ? size1 - size0 : 0; + add_to_list(realloc_head, bus->self, b_res, add_size, add_align); pci_info(bus->self, "bridge window %pR to %pR add_size %llx add_align %llx\n", b_res, &bus->busn_res, - (unsigned long long) (size1 - size0), + (unsigned long long) add_size, (unsigned long long) add_align); } } -- 2.39.5

1 day, 20 hours

1
0
0 0

[PATCH v4] platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak

by yongxin.liu＠windriver.com

From: Yongxin Liu <yongxin.liu(a)windriver.com> The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory for the ACPI evaluation result but never frees it, causing a 192-byte memory leak on each call. This leak is triggered during network interface initialization when the stmmac driver calls intel_mac_finish() -> intel_pmc_ipc(). unreferenced object 0xffff96a848d6ea80 (size 192): comm "dhcpcd", pid 541, jiffies 4294684345 hex dump (first 32 bytes): 04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff ...........H.... 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ backtrace (crc b1564374): kmemleak_alloc+0x2d/0x40 __kmalloc_noprof+0x2fa/0x730 acpi_ut_initialize_buffer+0x83/0xc0 acpi_evaluate_object+0x29a/0x2f0 intel_pmc_ipc+0xfd/0x170 intel_mac_finish+0x168/0x230 stmmac_mac_finish+0x3d/0x50 phylink_major_config+0x22b/0x5b0 phylink_mac_initial_config.constprop.0+0xf1/0x1b0 phylink_start+0x8e/0x210 __stmmac_open+0x12c/0x2b0 stmmac_open+0x23c/0x380 __dev_open+0x11d/0x2c0 __dev_change_flags+0x1d2/0x250 netif_change_flags+0x2b/0x70 dev_change_flags+0x40/0xb0 Add __free(kfree) for ACPI object to properly release the allocated buffer. Cc: stable(a)vger.kernel.org Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC register access") Signed-off-by: Yongxin Liu <yongxin.liu(a)windriver.com> --- V3->V4: Move declaration of *obj to where it gets assigned. V2->V3: Use __free(kfree) instead of goto and kfree(); V1->V2: Cover all potential paths for kfree(); --- include/linux/platform_data/x86/intel_pmc_ipc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/platform_data/x86/intel_pmc_ipc.h b/include/linux/platform_data/x86/intel_pmc_ipc.h index 1d34435b7001..85ea381e4a27 100644 --- a/include/linux/platform_data/x86/intel_pmc_ipc.h +++ b/include/linux/platform_data/x86/intel_pmc_ipc.h @@ -9,6 +9,7 @@ #ifndef INTEL_PMC_IPC_H #define INTEL_PMC_IPC_H #include <linux/acpi.h> +#include <linux/cleanup.h> #define IPC_SOC_REGISTER_ACCESS 0xAA #define IPC_SOC_SUB_CMD_READ 0x00 @@ -48,7 +49,6 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf {.type = ACPI_TYPE_INTEGER,}, }; struct acpi_object_list arg_list = { PMC_IPCS_PARAM_COUNT, params }; - union acpi_object *obj; int status; if (!ipc_cmd || !rbuf) @@ -72,7 +72,7 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf if (ACPI_FAILURE(status)) return -ENODEV; - obj = buffer.pointer; + union acpi_object *obj __free(kfree) = buffer.pointer; if (obj && obj->type == ACPI_TYPE_PACKAGE && obj->package.count == VALID_IPC_RESPONSE) { -- 2.46.2

1 day, 21 hours

1
0
0 0

[PATCH v1 2/2] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages

by David Hildenbrand

Let's properly adjust BALLOON_MIGRATE like the other drivers. Note that the INFLATE/DEFLATE events are triggered from the core when enqueueing/dequeueing pages. Not completely sure whether really is stable material, but the fix is trivial so let's just CC stable. This was found by code inspection. Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction") Cc: <stable(a)vger.kernel.org> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- arch/powerpc/platforms/pseries/cmm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/platforms/pseries/cmm.c b/arch/powerpc/platforms/pseries/cmm.c index 688f5fa1c7245..310dab4bc8679 100644 --- a/arch/powerpc/platforms/pseries/cmm.c +++ b/arch/powerpc/platforms/pseries/cmm.c @@ -532,6 +532,7 @@ static int cmm_migratepage(struct balloon_dev_info *b_dev_info, spin_lock_irqsave(&b_dev_info->pages_lock, flags); balloon_page_insert(b_dev_info, newpage); + __count_vm_event(BALLOON_MIGRATE); b_dev_info->isolated_pages--; spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); -- 2.51.0

1 day, 21 hours

2
1
0 0

[PATCH 6.6 0/2] Backport 2 commits to 6.12.y to fix bond issue

by Rajani Kantha

Backport commit: 094ee6017ea0 ("bonding: check xdp prog when set bond mode") to 6.6.y to fix a bond issue. It depends on commit: 22ccb684c1ca ("bonding: return detailed error when loading native XDP fails) In order to make a clean backport on stable kernel, backport 2 commits. Hangbin Liu (1): bonding: return detailed error when loading native XDP fails Wang Liang (1): bonding: check xdp prog when set bond mode drivers/net/bonding/bond_main.c | 11 +++++++---- drivers/net/bonding/bond_options.c | 3 +++ include/net/bonding.h | 1 + 3 files changed, 11 insertions(+), 4 deletions(-) -- 2.17.1

1 day, 22 hours

1
2
0 0

[PATCH v1 1/2] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION

by David Hildenbrand

We always have to initialize the balloon_dev_info, even when compaction is not configured in: otherwise the containing list and the lock are left uninitialized. Likely not many such configs exist in practice, but let's CC stable to be sure. This was found by code inspection. Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction") Cc: <stable(a)vger.kernel.org> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- arch/powerpc/platforms/pseries/cmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/pseries/cmm.c b/arch/powerpc/platforms/pseries/cmm.c index 0823fa2da1516..688f5fa1c7245 100644 --- a/arch/powerpc/platforms/pseries/cmm.c +++ b/arch/powerpc/platforms/pseries/cmm.c @@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloon_dev_info *b_dev_info, static void cmm_balloon_compaction_init(void) { - balloon_devinfo_init(&b_dev_info); b_dev_info.migratepage = cmm_migratepage; } #else /* CONFIG_BALLOON_COMPACTION */ @@ -572,6 +571,7 @@ static int cmm_init(void) if (!firmware_has_feature(FW_FEATURE_CMO) && !simulate) return -EOPNOTSUPP; + balloon_devinfo_init(&b_dev_info); cmm_balloon_compaction_init(); rc = register_oom_notifier(&cmm_oom_nb); -- 2.51.0

1 day, 22 hours

2
1
0 0

[PATCH 6.6.y] net: macb: fix unregister_netdev call order in macb_remove()

by alvalan9＠foxmail.com

From: luoguangfei <15388634752(a)163.com> [ Upstream commit 01b9128c5db1b470575d07b05b67ffa3cb02ebf1 ] When removing a macb device, the driver calls phy_exit() before unregister_netdev(). This leads to a WARN from kernfs: ------------[ cut here ]------------ kernfs: can not remove 'attached_dev', no directory WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683 Call trace: kernfs_remove_by_name_ns+0xd8/0xf0 sysfs_remove_link+0x24/0x58 phy_detach+0x5c/0x168 phy_disconnect+0x4c/0x70 phylink_disconnect_phy+0x6c/0xc0 [phylink] macb_close+0x6c/0x170 [macb] ... macb_remove+0x60/0x168 [macb] platform_remove+0x5c/0x80 ... The warning happens because the PHY is being exited while the netdev is still registered. The correct order is to unregister the netdev before shutting down the PHY and cleaning up the MDIO bus. Fix this by moving unregister_netdev() ahead of phy_exit() in macb_remove(). Fixes: 8b73fa3ae02b ("net: macb: Added ZynqMP-specific initialization") Signed-off-by: luoguangfei <15388634752(a)163.com> Link: https://patch.msgid.link/20250818232527.1316-1-15388634752@163.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Minor context change fixed. ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/net/ethernet/cadence/macb_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index 7593255e6e53..bf7b5d1d5616 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -5182,11 +5182,11 @@ static int macb_remove(struct platform_device *pdev) if (dev) { bp = netdev_priv(dev); + unregister_netdev(dev); phy_exit(bp->sgmii_phy); mdiobus_unregister(bp->mii_bus); mdiobus_free(bp->mii_bus); - unregister_netdev(dev); tasklet_kill(&bp->hresp_err_tasklet); pm_runtime_disable(&pdev->dev); pm_runtime_dont_use_autosuspend(&pdev->dev); -- 2.43.0

1 day, 23 hours

1
0
0 0

[PATCH 6.17 000/175] 6.17.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.10 release. There are 175 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 29 Nov 2025 14:40:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.10-rc1 Emil Tsalapatis <etsal(a)meta.com> sched_ext: fix flag check for deferred callbacks Andrea Righi <arighi(a)nvidia.com> sched_ext: Fix scx_kick_pseqs corruption on concurrent scheduler loads Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/dp: Add device specific quirk to limit eDP rate to HBR2 Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> Revert "drm/i915/dp: Reject HBR3 when sink doesn't support TPS4" Jari Ruusu <jariruusu(a)protonmail.com> tty/vt: fix up incorrect backport to stable releases Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: Insert dccg log for easy debug Gang Yan <yangang(a)kylinos.cn> mptcp: fix address removal logic in mptcp_pm_nl_rm_addr Darrick J. Wong <djwong(a)kernel.org> xfs: fix out of bounds memory read error in symlink repair Marcelo Moreira <marcelomoreira1905(a)gmail.com> xfs: Replace strncpy with memcpy Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Add parse_cs for JPEG5_0_1 Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Move parse_cs to amdgpu_jpeg.c Imre Deak <imre.deak(a)intel.com> drm/i915/dp_mst: Disable Panel Replay Jouni Högander <jouni.hogander(a)intel.com> drm/i915/psr: Check drm_dp_dpcd_read return value on PSR dpcd init Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix incomplete backport in cfids_invalidation_worker() Samuel Zhang <guoqing.zhang(a)amd.com> drm/amdgpu: fix gpu page fault after hibernation on PF passthrough Filipe Manana <fdmanana(a)suse.com> btrfs: set inode flag BTRFS_INODE_COPY_EVERYTHING when logging new name Zhang Chujun <zhangchujun(a)cmss.chinamobile.com> tracing/tools: Fix incorrcet short option in usage text for --threads Nishanth Menon <nm(a)ti.com> net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Nitin Rawat <nitin.rawat(a)oss.qualcomm.com> scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) René Rebe <rene(a)exactco.de> ALSA: usb-audio: fix uac2 clock source at terminal parser Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Prevent BIT() overflow when handling invalid prefetch region Jakub Horký <jakub.git(a)horky.net> kconfig/nconf: Initialize the default locale at startup Jakub Horký <jakub.git(a)horky.net> kconfig/mconf: Initialize the default locale at startup Borislav Petkov (AMD) <bp(a)alien8.de> x86/CPU/AMD: Extend Zen6 model range Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Cancel RX async resync request on rcd_delta overflow Carlos Llamas <cmllamas(a)google.com> blk-crypto: use BLK_STS_INVAL for alignment errors Shahar Shitrit <shshitrit(a)nvidia.com> net: tls: Change async resync helpers argument Po-Hsu Lin <po-hsu.lin(a)canonical.com> selftests: net: use BASH for bareudp testing Paulo Alcantara <pc(a)manguebit.org> smb: client: handle lack of IPC in dfs_cache_refresh() Sidharth Seela <sidharthseela(a)gmail.com> selftests: cachestat: Fix warning on declaration under label Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Limit Entrysign signature checking to known generations dongsheng <dongsheng.x.zhang(a)intel.com> perf/x86/intel/uncore: Add uncore PMU support for Wildcat Lake Eren Demir <eren.demir2479090(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Victus 15-fa1xxx (MB 8C2D) Bart Van Assche <bvanassche(a)acm.org> scsi: core: Fix a regression triggered by scsi_host_busy() Steve French <stfrench(a)microsoft.com> cifs: fix typo in enable_gcm_256 module parameter Shuming Fan <shumingf(a)realtek.com> ASoC: rt721: fix prepare clock stop failed Rob Clark <robin.clark(a)oss.qualcomm.com> drm/msm: Fix pgtable prealloc error path Emil Tsalapatis <etsal(a)meta.com> sched_ext: defer queue_balance_callback() until after ops.dispatch Rafał Miłecki <rafal(a)milecki.pl> bcma: don't register devices disabled in OF Tejun Heo <tj(a)kernel.org> sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc() J-Donald Tournier <jdtournier(a)gmail.com> ALSA: hda/realtek: Add quirk for Lenovo Yoga 7 2-in-1 14AKP10 Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: kernel: Fix random segmentation faults Malaya Kumar Rout <mrout(a)redhat.com> timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths Michal Luczaj <mhal(a)rbox.co> vsock: Ignore signal/timeout on connect() if already established Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf: Fix 0 count issue of cpu-clock Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> cifs: fix memory leak in smb3_fs_context_parse_param error path Thomas Weißschuh <linux(a)weissschuh.net> LoongArch: Use UAPI types in ptrace UAPI header Wen Yang <wen.yang(a)linux.dev> tick/sched: Fix bogus condition in report_idle_softirq() Wei Fang <wei.fang(a)nxp.com> net: phylink: add missing supported link modes for the fixed-link Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: cdev: make sure the cdev fd is still active before emitting events Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic(). Pradyumn Rahar <pradyumn.rahar(a)oracle.com> net/mlx5: Clean up only new IRQ glue on request_irq() failure Shay Drory <shayd(a)nvidia.com> devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() Jared Kangas <jkangas(a)redhat.com> pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix PTP cleanup on driver removal in error path Emil Tantilov <emil.s.tantilov(a)intel.com> idpf: fix possible vport_config NULL pointer deref in remove Venkata Ramana Nayana <venkata.ramana.nayana(a)intel.com> drm/xe/irq: Handle msix vector0 interrupt Matt Roper <matthew.d.roper(a)intel.com> drm/xe/kunit: Fix forcewake assertion in mocs test Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/i915/xe3: Restrict PTL intel_encoder_is_c10phy() to only PHY A Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/i915/display: Add definition for wcl as subplatform Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/pcids: Split PTL pciids group to make wcl subplatform Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() Randy Dunlap <rdunlap(a)infradead.org> platform/x86: intel-uncore-freq: fix all header kernel-doc warnings Haotian Zhang <vulab(a)iscas.ac.cn> platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos Lorenzo Bianconi <lorenzo(a)kernel.org> net: airoha: Do not loopback traffic to GDM2 if it is available on the device Lorenzo Bianconi <lorenzo(a)kernel.org> net: airoha: Add wlan flowtable TX offload Ido Schimmel <idosch(a)nvidia.com> selftests: net: lib: Do not overwrite error messages Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> s390/ctcm: Fix double-kfree Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> drm/i915/xe3lpd: Load DMC for Xe3_LPD version 30.02 Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> nvme-multipath: fix lockdep WARN due to partition scan work Alistair Francis <alistair.francis(a)wdc.com> nvmet-auth: update sc_c in target host hash calculation Chen Pei <cp0613(a)linux.alibaba.com> tools: riscv: Fixed misalignment of CSR related definitions Jesper Dangaard Brouer <hawk(a)kernel.org> veth: more robust handing of race to avoid txq getting stuck Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove never-working support for setting nsh fields Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: mlxsw: linecards: fix missing error check in mlxsw_linecard_devlink_info_get() Pavel Zhigulin <Pavel.Zhigulin(a)kaspersky.com> net: dsa: hellcreek: fix missing error handling in LED registration Prateek Agarwal <praagarwal(a)nvidia.com> drm/tegra: Add call to put_pid() Zilin Guan <zilin(a)seu.edu.cn> mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() Jiaming Zhang <r772577952(a)gmail.com> net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: dts: econet: fix EN751221 core type Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Fix typo in WMI GUID Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Only load on MSI devices Haotian Zhang <vulab(a)iscas.ac.cn> pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() Jianbo Liu <jianbol(a)nvidia.com> xfrm: Prevent locally generated packets from direct output in tunnel mode Jianbo Liu <jianbol(a)nvidia.com> xfrm: Determine inner GSO type from packet inner protocol Jianbo Liu <jianbol(a)nvidia.com> xfrm: Check inner packet family directly from skb_dst Yu-Chun Lin <eleanor.lin(a)realtek.com> pinctrl: realtek: Select REGMAP_MMIO for RTD driver Chen-Yu Tsai <wens(a)kernel.org> clk: sunxi-ng: sun55i-a523-ccu: Lower audio0 pll minimum rate Chen-Yu Tsai <wens(a)kernel.org> clk: sunxi-ng: sun55i-a523-r-ccu: Mark bus-r-dma as critical Jernej Skrabec <jernej.skrabec(a)gmail.com> clk: sunxi-ng: Mark A523 bus-r-cpucfg clock as critical Sabrina Dubroca <sd(a)queasysnail.net> xfrm: set err and extack on failure to create pcpu SA Sabrina Dubroca <sd(a)queasysnail.net> xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add the state Sabrina Dubroca <sd(a)queasysnail.net> xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Sabrina Dubroca <sd(a)queasysnail.net> xfrm: drop SA reference in xfrm_state_update if dir doesn't match Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> pinctrl: mediatek: mt8189: align register base names to dt-bindings ones Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> pinctrl: mediatek: mt8196: align register base names to dt-bindings ones Kiryl Shutsemau <kas(a)kernel.org> mm/truncate: unmap large folio on split failure Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix pbn to kbps Conversion Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Move sleep into each retry for retrieve_link_cap() Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Increase DPCD read retries Yifan Zha <Yifan.Zha(a)amd.com> drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Skip power ungate during suspend for VPE Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/plane: Fix create_in_format_blob() return value Robert McClinton <rbmccav(a)gmail.com> drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Ma Ke <make24(a)iscas.ac.cn> drm/tegra: dc: Fix reference leak in tegra_dc_couple() Paolo Abeni <pabeni(a)redhat.com> mptcp: do not fallback when OoO is present Paolo Abeni <pabeni(a)redhat.com> mptcp: decouple mptcp fastclose from tcp close Paolo Abeni <pabeni(a)redhat.com> mptcp: avoid unneeded subflow-level drops Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer timeout Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer timeout Paolo Abeni <pabeni(a)redhat.com> mptcp: fix premature close in case of fallback Paolo Abeni <pabeni(a)redhat.com> mptcp: fix duplicate reset on fastclose Paolo Abeni <pabeni(a)redhat.com> mptcp: fix ack generation for fallback msk Eric Dumazet <edumazet(a)google.com> mptcp: fix a race in mptcp_pm_del_add_timer() Eric Dumazet <edumazet(a)google.com> mptcp: fix race condition in mptcp_schedule_work() Anthony Wong <anthony.wong(a)ubuntu.com> platform/x86: alienware-wmi-wmax: Add AWCC support to Alienware 16 Aurora Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for the whole "G" family Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for the whole "X" family Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add support for the whole "M" family Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Fix "Alienware m16 R1 AMD" quirk order Bibo Mao <maobibo(a)loongson.cn> LoongArch: Fix NUMA node parsing with numa_memblks Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Don't panic if no valid cache info for PCI Vincent Li <vincent.mc.li(a)gmail.com> LoongArch: BPF: Disable trampoline for kernel module function trace Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Malta: Fix !EVA SOC-it PCI MMIO Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() Bart Van Assche <bvanassche(a)acm.org> scsi: sg: Do not sleep in atomic context Saket Kumar Bhaskar <skb99(a)linux.ibm.com> sched_ext: Fix scx_enable() crash on helper kthread creation failure Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: core: Fix runtime PM enabling in device_resume_early() Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() Ewan D. Milne <emilne(a)redhat.com> nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() Nam Cao <namcao(a)linutronix.de> nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot Vlastimil Babka <vbabka(a)suse.cz> mm/mempool: fix poisoning order>0 pages with HIGHMEM Seungjin Bae <eeodqql09(a)gmail.com> Input: pegasus-notetaker - fix potential out-of-bounds access Dan Carpenter <dan.carpenter(a)linaro.org> Input: imx_sc_key - fix memory corruption on unload Hans de Goede <hansg(a)kernel.org> Input: goodix - add support for ACPI ID GDIX1003 Tzung-Bi Shih <tzungbi(a)kernel.org> Input: cros_ec_keyb - fix an invalid memory access Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Oleksij Rempel <o.rempel(a)pengutronix.de> net: dsa: microchip: lan937x: Fix RGMII delay tuning Jens Axboe <axboe(a)kernel.dk> io_uring/cmd_net: fix wrong argument types for skb_queue_splice() Andrey Vatoropin <a.vatoropin(a)crpt.ru> be2net: pass wrb_params in case of OS2BMC Yihang Li <liyihang9(a)h-partners.com> ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw89: hw_scan: Don't let the operating channel be last Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: introduce close_cached_dir_locked() Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: move avdcache to per-task security struct Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: rename task_security_struct to cred_security_struct Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification Niklas Cassel <cassel(a)kernel.org> ata: libata-scsi: Fix system suspend for a security locked drive Tony Luck <tony.luck(a)intel.com> ACPI: APEI: EINJ: Fix EINJV2 initialization and injection Pasha Tatashin <pasha.tatashin(a)soleen.com> lib/test_kho: check if KHO is enabled Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Fix proto fallback detection with BPF Heiko Carstens <hca(a)linux.ibm.com> s390/mm: Fix __ptep_rdp() inline assembly Jiayuan Chen <jiayuan.chen(a)linux.dev> mptcp: Disallow MPTCP subflows from sockmap Yongpeng Yang <yangyongpeng(a)xiaomi.com> exfat: check return value of sb_min_blocksize in exfat_read_boot_sector Mike Yuan <me(a)yhndnzj.com> shmem: fix tmpfs reconfiguration (remount) when noswap is set Yongpeng Yang <yangyongpeng(a)xiaomi.com> isofs: check the return value of sb_min_blocksize() in isofs_fill_super Yongpeng Yang <yangyongpeng(a)xiaomi.com> xfs: check the return value of sb_min_blocksize() in xfs_fs_fill_super Dan Carpenter <dan.carpenter(a)linaro.org> mtdchar: fix integer overflow in read/write ioctls Zhen Ni <zhen.ni(a)easystack.cn> fs: Fix uninitialized 'offp' in statmount_string() Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> mtd: rawnand: cadence: fix DMA device NULL pointer dereference Yongpeng Yang <yangyongpeng(a)xiaomi.com> vfat: fix missing sb_min_blocksize() return value checks Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Fix redundant updates of LBR MSR intercepts Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable HS400 on RK3588 Tiger Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 Laurentiu Mihalcea <laurentiu.mihalcea(a)nxp.com> reset: imx8mp-audiomix: Fix bad mask values Mykola Kvach <xakep.amatop(a)gmail.com> arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 Diederik de Haas <diederik(a)cknow-tech.com> arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 Zhang Heng <zhangheng(a)kylinos.cn> HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 Mario Limonciello (AMD) <superm1(a)kernel.org> HID: amd_sfh: Stop sensor before starting Alexey Charkov <alchark(a)gmail.com> arm64: dts: rockchip: Remove non-functioning CPU OPPs from RK3576 Yipeng Zou <zouyipeng(a)huawei.com> timers: Fix NULL function pointer race in timer_shutdown_sync() Sebastian Ene <sebastianene(a)google.com> KVM: arm64: Check the untrusted offset in FF-A memory share ------------- Diffstat: .../bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++-- Documentation/wmi/driver-development-guide.rst | 1 + Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3576.dtsi | 12 -- arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +- .../arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 +- arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +- arch/loongarch/include/uapi/asm/ptrace.h | 40 +++---- arch/loongarch/kernel/numa.c | 60 +++------- arch/loongarch/net/bpf_jit.c | 3 + arch/loongarch/pci/pci.c | 8 +- arch/mips/boot/dts/econet/en751221.dtsi | 2 +- arch/mips/kernel/process.c | 2 +- arch/mips/mm/tlb-r4k.c | 102 ++++++++++------- arch/mips/mti-malta/malta-init.c | 20 ++-- arch/s390/include/asm/pgtable.h | 12 +- arch/s390/mm/pgtable.c | 4 +- arch/x86/events/intel/uncore.c | 1 + arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/microcode/amd.c | 20 +++- arch/x86/kvm/svm/svm.c | 9 +- arch/x86/kvm/svm/svm.h | 1 + block/blk-crypto.c | 2 +- drivers/acpi/apei/einj-core.c | 64 +++++++---- drivers/ata/libata-scsi.c | 11 +- drivers/base/power/main.c | 25 +++-- drivers/bcma/main.c | 6 + drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 4 +- drivers/clk/sunxi-ng/ccu-sun55i-a523.c | 2 +- drivers/gpio/gpiolib-cdev.c | 9 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 65 +++++++++++ drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.h | 10 ++ drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 3 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 4 +- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 58 +--------- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 - drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 4 +- drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 1 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 ++++------ .../amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 4 +- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 26 ++++- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 ++ .../display/dc/link/protocols/link_dp_capability.c | 11 +- drivers/gpu/drm/drm_plane.c | 4 +- drivers/gpu/drm/i915/display/intel_cx0_phy.c | 14 +-- .../gpu/drm/i915/display/intel_display_device.c | 13 +++ .../gpu/drm/i915/display/intel_display_device.h | 4 +- drivers/gpu/drm/i915/display/intel_dmc.c | 10 +- drivers/gpu/drm/i915/display/intel_dp.c | 30 ++--- drivers/gpu/drm/i915/display/intel_psr.c | 36 ++++-- drivers/gpu/drm/i915/display/intel_quirks.c | 9 ++ drivers/gpu/drm/i915/display/intel_quirks.h | 1 + drivers/gpu/drm/msm/msm_iommu.c | 5 + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 + drivers/gpu/drm/radeon/radeon_fence.c | 7 -- drivers/gpu/drm/tegra/dc.c | 1 + drivers/gpu/drm/tegra/dsi.c | 9 -- drivers/gpu/drm/tegra/uapi.c | 7 +- drivers/gpu/drm/xe/tests/xe_mocs.c | 2 +- drivers/gpu/drm/xe/xe_irq.c | 18 +-- drivers/gpu/drm/xe/xe_pci.c | 1 + drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 + drivers/hid/hid-ids.h | 4 +- drivers/hid/hid-quirks.c | 13 ++- drivers/input/keyboard/cros_ec_keyb.c | 6 + drivers/input/keyboard/imx_sc_key.c | 2 +- drivers/input/tablet/pegasus_notetaker.c | 9 ++ drivers/input/touchscreen/goodix.c | 1 + drivers/mtd/mtdchar.c | 6 +- drivers/mtd/nand/raw/cadence-nand-controller.c | 3 +- drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++- drivers/net/dsa/microchip/lan937x_main.c | 1 + drivers/net/ethernet/airoha/airoha_eth.h | 11 ++ drivers/net/ethernet/airoha/airoha_ppe.c | 95 +++++++++++----- drivers/net/ethernet/emulex/benet/be_main.c | 7 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 22 +++- drivers/net/ethernet/intel/idpf/idpf_main.c | 2 + .../ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 9 +- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 +- .../net/ethernet/mellanox/mlxsw/core_linecards.c | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +- drivers/net/ethernet/ti/netcp_core.c | 10 +- drivers/net/phy/phylink.c | 3 + drivers/net/veth.c | 38 ++++--- drivers/net/wireless/realtek/rtw89/fw.c | 7 ++ drivers/nvme/host/fc.c | 15 +-- drivers/nvme/host/multipath.c | 2 +- drivers/nvme/target/auth.c | 4 +- drivers/nvme/target/fabrics-cmd-auth.c | 1 + drivers/nvme/target/nvmet.h | 1 + drivers/perf/riscv_pmu_sbi.c | 2 +- drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 21 +++- drivers/pinctrl/mediatek/pinctrl-mt8189.c | 4 +- drivers/pinctrl/mediatek/pinctrl-mt8196.c | 6 +- drivers/pinctrl/nxp/pinctrl-s32cc.c | 3 +- drivers/pinctrl/realtek/Kconfig | 1 + drivers/platform/x86/Kconfig | 1 + drivers/platform/x86/dell/alienware-wmi-wmax.c | 104 +++++------------- .../x86/intel/speed_select_if/isst_if_mmio.c | 4 +- .../uncore-frequency/uncore-frequency-common.h | 9 +- drivers/platform/x86/msi-wmi-platform.c | 43 +++++++- drivers/reset/reset-imx8mp-audiomix.c | 4 +- drivers/s390/net/ctcm_mpc.c | 1 - drivers/scsi/hosts.c | 5 +- drivers/scsi/sg.c | 10 +- drivers/soc/ti/knav_dma.c | 14 +-- drivers/target/loopback/tcm_loop.c | 3 + drivers/tty/vt/vt_ioctl.c | 4 +- drivers/ufs/host/ufs-qcom.c | 15 ++- fs/btrfs/inode.c | 1 - fs/btrfs/tree-log.c | 3 + fs/exfat/super.c | 5 +- fs/fat/inode.c | 6 +- fs/isofs/inode.c | 5 + fs/namespace.c | 4 +- fs/smb/client/cached_dir.c | 43 +++++++- fs/smb/client/cifsfs.c | 2 +- fs/smb/client/cifsproto.h | 2 + fs/smb/client/connect.c | 38 +++---- fs/smb/client/dfs_cache.c | 55 ++++++++-- fs/smb/client/fs_context.c | 4 + fs/xfs/scrub/symlink_repair.c | 4 +- fs/xfs/xfs_super.c | 5 +- include/drm/intel/pciids.h | 5 +- include/linux/ata.h | 1 + include/net/tls.h | 25 +++-- include/net/xfrm.h | 3 +- io_uring/cmd_net.c | 2 +- kernel/events/core.c | 2 +- kernel/sched/ext.c | 121 +++++++++++++++++++-- kernel/sched/sched.h | 1 + kernel/time/tick-sched.c | 11 +- kernel/time/timekeeping.c | 21 ++-- kernel/time/timer.c | 7 +- lib/test_kho.c | 3 + mm/mempool.c | 32 +++++- mm/shmem.c | 15 ++- mm/truncate.c | 35 +++++- net/core/dev_ioctl.c | 3 + net/devlink/rate.c | 4 +- net/ipv4/esp4_offload.c | 6 +- net/ipv6/esp6_offload.c | 6 +- net/mptcp/options.c | 54 ++++++++- net/mptcp/pm.c | 20 ++-- net/mptcp/pm_kernel.c | 2 +- net/mptcp/protocol.c | 84 +++++++++----- net/mptcp/protocol.h | 3 +- net/mptcp/subflow.c | 8 ++ net/openvswitch/actions.c | 68 +----------- net/openvswitch/flow_netlink.c | 64 ++--------- net/openvswitch/flow_netlink.h | 2 - net/tls/tls_device.c | 4 +- net/unix/af_unix.c | 3 +- net/vmw_vsock/af_vsock.c | 40 +++++-- net/xfrm/xfrm_device.c | 2 +- net/xfrm/xfrm_output.c | 8 +- net/xfrm/xfrm_state.c | 16 ++- net/xfrm/xfrm_user.c | 5 +- scripts/kconfig/mconf.c | 3 + scripts/kconfig/nconf.c | 3 + security/selinux/hooks.c | 79 +++++++------- security/selinux/include/objsec.h | 20 +++- sound/hda/codecs/realtek/alc269.c | 2 + sound/soc/codecs/rt721-sdca.c | 4 + sound/soc/codecs/rt721-sdca.h | 1 + sound/usb/mixer.c | 2 +- tools/arch/riscv/include/asm/csr.h | 5 +- tools/testing/selftests/cachestat/test_cachestat.c | 4 +- tools/testing/selftests/net/bareudp.sh | 2 +- .../selftests/net/forwarding/lib_sh_test.sh | 7 ++ tools/testing/selftests/net/lib.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 +-- tools/tracing/latency/latency-collector.c | 2 +- 184 files changed, 1552 insertions(+), 952 deletions(-)

2 days, 1 hour

3
178
0 0

TOTAL (RFQ_062573)

by Thomas Pierre

Good day, I am reaching out to invite your company to provide a quotation for the products detailed in the attached request. We recognise that some of these items may not align with your usual supplies, but we expect your expertise in sourcing and supplying these products. Please note that this is a one-time tender, and we require the product and its components delivered on or before the date specified in the attached document. We anticipate your prompt response to enable us to proceed to the next step. Thank you and looking forward to reviewing your proposal soonest. Thomas Pierre Procurement Manager Phone: +1-713-564-2377 fax: +1-713-969-7350 Email: totalenergiesbids(a)contractor.net Note: This message, including any attachments, is intended solely for the use of the individual or entity to whom it is addressed and may contain confidential, proprietary, or legally privileged information. Any unauthorized review, use, disclosure, distribution, reproduction, or any form of dissemination of this communication is strictly prohibited.If you are not the intended recipient, please notify the sender immediately, delete this message from your system, and do not retain, copy, or distribute it.Please note that any views or opinions expressed in this communication are those of the sender and do not necessarily reflect the official views or policies of the company. "Please consider the environment before printing this email."

2 days, 1 hour

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror