- Linux-stable-mirror - lists.linaro.org

[PATCH 03/15] drm/amd/display: Fix scratch registers offsets for DCN351

by Chenyu Chen

From: Ray Wu <ray.wu(a)amd.com> [Why] Different platforms use different NBIO header files, causing display code to use differnt offset and read wrong accelerated status. [How] - Unified NBIO offset header file across platform. - Correct scratch registers offsets to proper locations. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4667 Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Ray Wu <ray.wu(a)amd.com> Signed-off-by: Chenyu Chen <chen-yu.chen(a)amd.com> --- .../drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c index f3c614c4490c..9fab3169069c 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c @@ -183,12 +183,12 @@ enum dcn351_clk_src_array_id { NBIO_BASE_INNER(seg) #define NBIO_SR(reg_name)\ - REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \ - regBIF_BX2_ ## reg_name + REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \ + regBIF_BX1_ ## reg_name #define NBIO_SR_ARR(reg_name, id)\ - REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \ - regBIF_BX2_ ## reg_name + REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \ + regBIF_BX1_ ## reg_name #define bios_regs_init() \ ( \ -- 2.43.0

22 hours, 35 minutes

1
0
0 0

[PATCH 02/15] drm/amd/display: Fix scratch registers offsets for DCN35

by Chenyu Chen

From: Ray Wu <ray.wu(a)amd.com> [Why] Different platforms use differnet NBIO header files, causing display code to use differnt offset and read wrong accelerated status. [How] - Unified NBIO offset header file across platform. - Correct scratch registers offsets to proper locations. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4667 Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Ray Wu <ray.wu(a)amd.com> Signed-off-by: Chenyu Chen <chen-yu.chen(a)amd.com> --- .../drm/amd/display/dc/resource/dcn35/dcn35_resource.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c index ef69898d2cc5..d056e5fd5458 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c @@ -203,12 +203,12 @@ enum dcn35_clk_src_array_id { NBIO_BASE_INNER(seg) #define NBIO_SR(reg_name)\ - REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \ - regBIF_BX2_ ## reg_name + REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \ + regBIF_BX1_ ## reg_name #define NBIO_SR_ARR(reg_name, id)\ - REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \ - regBIF_BX2_ ## reg_name + REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \ + regBIF_BX1_ ## reg_name #define bios_regs_init() \ ( \ -- 2.43.0

22 hours, 35 minutes

1
0
0 0

[PATCH v2] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()

by Xiaolei Wang

In the non-RT kernel, local_bh_disable() merely disables preemption, whereas it maps to an actual spin lock in the RT kernel. Consequently, when attempting to refill RX buffers via netdev_alloc_skb() in macb_mac_link_up(), a deadlock scenario arises as follows: Chain caused by macb_mac_link_up(): &bp->lock --> (softirq_ctrl.lock) Chain caused by macb_start_xmit(): (softirq_ctrl.lock) --> _xmit_ETHER#2 --> &bp->lock Notably, invoking the mog_init_rings() callback upon link establishment is unnecessary. Instead, we can exclusively call mog_init_rings() within the ndo_open() callback. This adjustment resolves the deadlock issue. Given that mog_init_rings() is only applicable to non-MACB_CAPS_MACB_IS_EMAC cases, we can simply move it to macb_open() and simultaneously eliminate the MACB_CAPS_MACB_IS_EMAC check. Fixes: 633e98a711ac ("net: macb: use resolved link config in mac_link_up()") Cc: stable(a)vger.kernel.org Suggested-by: Kevin Hao <kexin.hao(a)windriver.com> Signed-off-by: Xiaolei Wang <xiaolei.wang(a)windriver.com> --- V1: https://patchwork.kernel.org/project/netdevbpf/patch/20251128103647.351259-… V2: Update the correct lock dependency chain and add the Fix tag. drivers/net/ethernet/cadence/macb_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index ca2386b83473..064fccdcf699 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -744,7 +744,6 @@ static void macb_mac_link_up(struct phylink_config *config, /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down * cleared the pipeline and control registers. */ - bp->macbgem_ops.mog_init_rings(bp); macb_init_buffers(bp); for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) @@ -2991,6 +2990,8 @@ static int macb_open(struct net_device *dev) goto pm_exit; } + bp->macbgem_ops.mog_init_rings(bp); + for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) { napi_enable(&queue->napi_rx); napi_enable(&queue->napi_tx); -- 2.43.0

22 hours, 37 minutes

1
0
0 0

[PATCH v1] arm64: dts: ti: am62p-verdin: Fix SD regulator startup delay

by Francesco Dolcini

From: Francesco Dolcini <francesco.dolcini(a)toradex.com> The power switch used to power the SD card interface might have more than 2ms turn-on time, increase the startup delay to 20ms to prevent failures. Fixes: 87f95ea316ac ("arm64: dts: ti: Add Toradex Verdin AM62P") Cc: stable(a)vger.kernel.org Signed-off-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> --- arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi index 5e050cbb9eaf..ec9dd931fe92 100644 --- a/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi +++ b/arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi @@ -112,7 +112,7 @@ reg_sd1_vmmc: regulator-sdhci1-vmmc { regulator-max-microvolt = <3300000>; regulator-min-microvolt = <3300000>; regulator-name = "+V3.3_SD"; - startup-delay-us = <2000>; + startup-delay-us = <20000>; }; reg_sd1_vqmmc: regulator-sdhci1-vqmmc { -- 2.47.3

22 hours, 48 minutes

1
0
0 0

Update Mailbox Now Final Warning

by lists.linaro.org Administrator

Dear Sir, I'm one of the registered and authorized International procurement consultants of the Mexico 2026 FIFA world cup. The government of Mexico through the Mexico 2026 FIFA World Cup Local Organizing Committee has approved a massive procurement of your products for nationwide distribution to Airports facilities, offices, stadiums, Hostels, Hotels, Shops, etc as part of their national and regional sensitization programs towards the hosting of the FIFA world cup 2026. The packaging of the products will be customized with the Mexico 2026 Logo. The Local Organizing Committee is looking for a capable company to handle the supply under a bidding process. I wish to know if your company will be interested to participate in this project so that we could discuss our possible collaboration to ensure a successful bidding. More details would be provided upon hearing from you. Best regards, Best Regards, Dr. Ms Valeria R Elena Green Palms México Ltd Mexico City La Ciudad de los Palacios

1 day

1
0
0 0

[PATCH] wifi: ath11k: fix qmi memory allocation logic for CALDB region

by Alexandru Gagniuc

Memory region assignment in ath11k_qmi_assign_target_mem_chunk() assumes that: 1. firmware will make a HOST_DDR_REGION_TYPE request, and 2. this request is processed before CALDB_MEM_REGION_TYPE In this case CALDB_MEM_REGION_TYPE, can safely be assigned immediately after the host region. However, if the HOST_DDR_REGION_TYPE request is not made, or the reserved-memory node is not present, then res.start and res.end are 0, and host_ddr_sz remains uninitialized. The physical address should fall back to ATH11K_QMI_CALDB_ADDRESS. That doesn't happen: resource_size(&res) returns 1 for an empty resource, and thus the if clause never takes the fallback path. ab->qmi.target_mem[idx].paddr is assigned the uninitialized value of host_ddr_sz + 0 (res.start). Use "if (res.end > res.start)" for the predicate, which correctly falls back to ATH11K_QMI_CALDB_ADDRESS. Fixes: 900730dc4705 ("wifi: ath: Use of_reserved_mem_region_to_resource() for "memory-region"") Cc: stable(a)vger.kernel.org # v6.18 Signed-off-by: Alexandru Gagniuc <mr.nuke.me(a)gmail.com> --- drivers/net/wireless/ath/ath11k/qmi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c index aea56c38bf8f3..6cc26d1c1e2a4 100644 --- a/drivers/net/wireless/ath/ath11k/qmi.c +++ b/drivers/net/wireless/ath/ath11k/qmi.c @@ -2054,7 +2054,7 @@ static int ath11k_qmi_assign_target_mem_chunk(struct ath11k_base *ab) return ret; } - if (res.end - res.start + 1 < ab->qmi.target_mem[i].size) { + if (resource_size(&res) < ab->qmi.target_mem[i].size) { ath11k_dbg(ab, ATH11K_DBG_QMI, "fail to assign memory of sz\n"); return -EINVAL; @@ -2086,7 +2086,7 @@ static int ath11k_qmi_assign_target_mem_chunk(struct ath11k_base *ab) } if (ath11k_core_coldboot_cal_support(ab)) { - if (resource_size(&res)) { + if (res.end > res.start) { ab->qmi.target_mem[idx].paddr = res.start + host_ddr_sz; ab->qmi.target_mem[idx].iaddr = -- 2.45.1

1 day, 2 hours

3
4
0 0

[PATCH v3 01/10] crypto: virtio: Add spinlock protection with virtqueue notification

by Bibo Mao

When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 openssl processes will hangup and there is error reported like this: virtio_crypto virtio0: dataq.0:id 3 is not a head! It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well. Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") Cc: stable(a)vger.kernel.org Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- drivers/crypto/virtio/virtio_crypto_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c index 3d241446099c..ccc6b5c1b24b 100644 --- a/drivers/crypto/virtio/virtio_crypto_core.c +++ b/drivers/crypto/virtio/virtio_crypto_core.c @@ -75,15 +75,20 @@ static void virtcrypto_done_task(unsigned long data) struct data_queue *data_vq = (struct data_queue *)data; struct virtqueue *vq = data_vq->vq; struct virtio_crypto_request *vc_req; + unsigned long flags; unsigned int len; + spin_lock_irqsave(&data_vq->lock, flags); do { virtqueue_disable_cb(vq); while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) { + spin_unlock_irqrestore(&data_vq->lock, flags); if (vc_req->alg_cb) vc_req->alg_cb(vc_req, len); + spin_lock_irqsave(&data_vq->lock, flags); } } while (!virtqueue_enable_cb(vq)); + spin_unlock_irqrestore(&data_vq->lock, flags); } static void virtcrypto_dataq_callback(struct virtqueue *vq) -- 2.39.3

1 day, 2 hours

2
1
0 0

[PATCH] mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1

by Suganath Prabu S

This fix avoids scanning of SAS/SATA devices in channel 1 when SAS transport is enabled as the SAS/SATA devices are exposed through channel 0 when SAS transport is enabled. Signed-off-by: Ranjan Kumar <ranjan.kumar(a)broadcom.com> Signed-off-by: Suganath Prabu S <suganath-prabu.subramani(a)broadcom.com> --- drivers/scsi/mpi3mr/mpi3mr.h | 4 ++-- drivers/scsi/mpi3mr/mpi3mr_os.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h index 6742684..31d68c1 100644 --- a/drivers/scsi/mpi3mr/mpi3mr.h +++ b/drivers/scsi/mpi3mr/mpi3mr.h @@ -56,8 +56,8 @@ extern struct list_head mrioc_list; extern int prot_mask; extern atomic64_t event_counter; -#define MPI3MR_DRIVER_VERSION "8.15.0.5.50" -#define MPI3MR_DRIVER_RELDATE "12-August-2025" +#define MPI3MR_DRIVER_VERSION "8.15.0.5.51" +#define MPI3MR_DRIVER_RELDATE "18-November-2025" #define MPI3MR_DRIVER_NAME "mpi3mr" #define MPI3MR_DRIVER_LICENSE "GPL" diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c index b88633e..bca3671 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_os.c +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c @@ -1184,6 +1184,8 @@ static void mpi3mr_update_tgtdev(struct mpi3mr_ioc *mrioc, if (is_added == true) tgtdev->io_throttle_enabled = (flags & MPI3_DEVICE0_FLAGS_IO_THROTTLING_REQUIRED) ? 1 : 0; + if(!mrioc->sas_transport_enabled) + tgtdev->non_stl = 1; switch (flags & MPI3_DEVICE0_FLAGS_MAX_WRITE_SAME_MASK) { case MPI3_DEVICE0_FLAGS_MAX_WRITE_SAME_256_LB: @@ -4844,7 +4846,7 @@ static int mpi3mr_target_alloc(struct scsi_target *starget) spin_lock_irqsave(&mrioc->tgtdev_lock, flags); if (starget->channel == mrioc->scsi_device_channel) { tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id); - if (tgt_dev && !tgt_dev->is_hidden) { + if (tgt_dev && !tgt_dev->is_hidden && tgt_dev->non_stl) { scsi_tgt_priv_data->starget = starget; scsi_tgt_priv_data->dev_handle = tgt_dev->dev_handle; scsi_tgt_priv_data->perst_id = tgt_dev->perst_id; -- 2.47.3

1 day, 4 hours

3
3
0 0

Investitionsprojekt

by Kontakt

Guten Morgen, mein Name ist Shun Tung, und ich vertrete die Interessen der Familie Wing Mau, die an verschiedenen Investitionsmöglichkeiten in Ihrem Land interessiert ist. Besonders interessieren wir uns für die Sektoren Immobilien, Tourismus, erneuerbare Energien und Fertigung. Aufgrund politischer Herausforderungen in unserem Heimatland suchen wir einen zuverlässigen und vertrauenswürdigen Partner im Ausland, der diese Investitionen in unserem Auftrag verwaltet und absichert. Ihre Rolle würde darin bestehen, die Investitionen zu überwachen und sicherzustellen, dass sie erfolgreich sind. Im Gegenzug würden Sie einen vereinbarten Prozentsatz der Managementgebühren erhalten, während die Gewinne gleichmäßig zwischen beiden Parteien aufgeteilt werden. Falls dieses Angebot Ihr Interesse weckt, würde ich mich über ein weiteres Gespräch freuen. Ich freue mich auf Ihre Antwort. Mit freundlichen Grüßen, Shun Tung

1 day, 4 hours

1
0
0 0

Re: [PATCH V6] efi/tpm: Fix the issue where the CC platforms event log header can't be correctly identified

by Richard Lyu

What is the current status of this patch? Link: https://lore.kernel.org/lkml/1752290685-22164-1-git-send-email-yangge1116@1… Best Regards, Richard Lyu

1 day, 4 hours

1
0
0 0

[PATCH v3 01/10] crypto: virtio: Add spinlock protection with virtqueue notification

by Bibo Mao

When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 openssl processes will hangup and there is error reported like this: virtio_crypto virtio0: dataq.0:id 3 is not a head! It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well. Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") Cc: stable(a)vger.kernel.org Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- drivers/crypto/virtio/virtio_crypto_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c index 3d241446099c..ccc6b5c1b24b 100644 --- a/drivers/crypto/virtio/virtio_crypto_core.c +++ b/drivers/crypto/virtio/virtio_crypto_core.c @@ -75,15 +75,20 @@ static void virtcrypto_done_task(unsigned long data) struct data_queue *data_vq = (struct data_queue *)data; struct virtqueue *vq = data_vq->vq; struct virtio_crypto_request *vc_req; + unsigned long flags; unsigned int len; + spin_lock_irqsave(&data_vq->lock, flags); do { virtqueue_disable_cb(vq); while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) { + spin_unlock_irqrestore(&data_vq->lock, flags); if (vc_req->alg_cb) vc_req->alg_cb(vc_req, len); + spin_lock_irqsave(&data_vq->lock, flags); } } while (!virtqueue_enable_cb(vq)); + spin_unlock_irqrestore(&data_vq->lock, flags); } static void virtcrypto_dataq_callback(struct virtqueue *vq) -- 2.39.3

1 day, 5 hours

1
0
0 0

[PATCH V2] mm/slab: ensure all metadata in slab object are word-aligned

by Harry Yoo

When the SLAB_STORE_USER debug flag is used, any metadata placed after the original kmalloc request size (orig_size) is not properly aligned on 64-bit architectures because its type is unsigned int. When both KASAN and SLAB_STORE_USER are enabled, kasan_alloc_meta is misaligned. Note that 64-bit architectures without HAVE_EFFICIENT_UNALIGNED_ACCESS are assumed to require 64-bit accesses to be 64-bit aligned. See HAVE_64BIT_ALIGNED_ACCESS and commit adab66b71abf ("Revert: "ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS"") for more details. Because not all architectures support unaligned memory accesses, ensure that all metadata (track, orig_size, kasan_{alloc,free}_meta) in a slab object are word-aligned. struct track, kasan_{alloc,free}_meta are aligned by adding __aligned(__alignof__(unsigned long)). For orig_size, use ALIGN(sizeof(unsigned int), sizeof(unsigned long)) to make clear that its size remains unsigned int but it must be aligned to a word boundary. On 64-bit architectures, this reserves 8 bytes for orig_size, which is acceptable since kmalloc's original request size tracking is intended for debugging rather than production use. Cc: stable(a)vger.kernel.org Fixes: 6edf2576a6cc ("mm/slub: enable debugging memory wasting of kmalloc") Acked-by: Andrey Konovalov <andreyknvl(a)gmail.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- v1 -> v2: - Added Andrey's Acked-by. - Added references to HAVE_64BIT_ALIGNED_ACCESS and the commit that resurrected it. - Used __alignof__() instead of sizeof(), as suggested by Pedro (off-list). Note: either __alignof__ or sizeof() produces the exactly same mm/slub.o files, so there's no functional difference. Thanks! mm/kasan/kasan.h | 4 ++-- mm/slub.c | 16 +++++++++++----- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index 129178be5e64..b86b6e9f456a 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -265,7 +265,7 @@ struct kasan_alloc_meta { struct kasan_track alloc_track; /* Free track is stored in kasan_free_meta. */ depot_stack_handle_t aux_stack[2]; -}; +} __aligned(__alignof__(unsigned long)); struct qlist_node { struct qlist_node *next; @@ -289,7 +289,7 @@ struct qlist_node { struct kasan_free_meta { struct qlist_node quarantine_link; struct kasan_track free_track; -}; +} __aligned(__alignof__(unsigned long)); #endif /* CONFIG_KASAN_GENERIC */ diff --git a/mm/slub.c b/mm/slub.c index a585d0ac45d4..462a39d57b3a 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -344,7 +344,7 @@ struct track { int cpu; /* Was running on cpu */ int pid; /* Pid context */ unsigned long when; /* When did the operation occur */ -}; +} __aligned(__alignof__(unsigned long)); enum track_item { TRACK_ALLOC, TRACK_FREE }; @@ -1196,7 +1196,7 @@ static void print_trailer(struct kmem_cache *s, struct slab *slab, u8 *p) off += 2 * sizeof(struct track); if (slub_debug_orig_size(s)) - off += sizeof(unsigned int); + off += ALIGN(sizeof(unsigned int), __alignof__(unsigned long)); off += kasan_metadata_size(s, false); @@ -1392,7 +1392,8 @@ static int check_pad_bytes(struct kmem_cache *s, struct slab *slab, u8 *p) off += 2 * sizeof(struct track); if (s->flags & SLAB_KMALLOC) - off += sizeof(unsigned int); + off += ALIGN(sizeof(unsigned int), + __alignof__(unsigned long)); } off += kasan_metadata_size(s, false); @@ -7820,9 +7821,14 @@ static int calculate_sizes(struct kmem_cache_args *args, struct kmem_cache *s) */ size += 2 * sizeof(struct track); - /* Save the original kmalloc request size */ + /* + * Save the original kmalloc request size. + * Although the request size is an unsigned int, + * make sure that is aligned to word boundary. + */ if (flags & SLAB_KMALLOC) - size += sizeof(unsigned int); + size += ALIGN(sizeof(unsigned int), + __alignof__(unsigned long)); } #endif -- 2.43.0

1 day, 5 hours

2
3
0 0

[BUG] Missing backport for commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x")

by Slavin Liu

Hi, I would like to request backporting commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x") to all LTS kernels. This patch actually fixes a use-after-free issue, but it hasn't been backported to any of the LTS versions, which are still being affected. As the patch describes, a specific trigger scenario could be: If a tunnel packet is received (e.g., in ip_local_deliver()), with the outer layer being IPComp protocol and the inner layer being fragmented packets, during outer packet processing, it will go through xfrm_input() to hold a reference to the IPComp xfrm_state. Then, it is re-injected into the network stack via gro_cells_receive() and placed in the reassembly queue. When exiting the netns and calling cleanup_net(), although ipv4_frags_exit_net() is called before xfrm_net_exit(), due to asynchronous scheduling, fqdir_free_work() may execute after xfrm_state_fini(). In xfrm_state_fini(), xfrm_state_flush() puts and deletes the xfrm_state for IPPROTO_COMP, but does not delete the xfrm_state for IPPROTO_IPIP. Meanwhile, the skb in the reassembly queue holds the last reference to the IPPROTO_COMP xfrm_state, so it isn't destroyed yet. Only when the skb in the reassembly queue is destroyed does the IPPROTO_COMP xfrm_state get fully destroyed, which calls ipcomp_destroy() to delete the IPPROTO_IPIP xfrm_state. However, by this time, the hash tables (net->xfrm.state_byxxx) have already been kfreed in xfrm_state_fini(), leading to a use-after-free during the deletion. The bug has existed since kernel v2.6.29, so the patch should be backported to all LTS kernels. thanks, Slavin Liu

1 day, 6 hours

3
4
0 0

More details about DUOONE OLED for your setup

by InnLead Innovative

More details about DUOONE OLED for your setup Hello, Following up on your interest in portable dual-screen setups, I’d love to share the latest details about the DUOONE OLED SPAN & FOLD, now launching on Kickstarter. This monitor is designed to eliminate the hassle of heavy or complicated multi-screen setups—whether you're gaming with friends or getting work done. Here’s what makes it stand out: • True Portability – Ultra-light design that fits in your bag, ready for work or play anywhere. • One-Cable Setup – Connect with a single USB-C cable (HDMI supported as well). • OLED Visuals – Vivid colors, deep blacks, and smooth motion for gaming, design, and content creation. • Flexible Modes – Switch between extended desktop for productivity or head-to-head mode for multiplayer gaming. You can view the full specs and current Kickstarter pricing here: View product details on Kickstarter ( https://eeenew.com/index.php?option=com_acym&ctrl=fronturl&task=click&urlid… ) If you have any questions, feel free to reply — happy to help anytime. Best regards, Shirley Xue DUOONE OLED Team

1 day, 6 hours

1
0
0 0

[PATCH AUTOSEL 6.18-6.1] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit b39a1833cc4a2755b02603eec3a71a85e9dff926 ] Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ### 3. CLASSIFICATION This is a **security/stability bug fix**: - **Use-after-free (UAF)** is a serious memory safety issue - ksmbd is **network-facing code** (SMB server) - security-sensitive - Can lead to kernel crashes, data corruption, or potential remote exploitation ### 4. SCOPE AND RISK ASSESSMENT **Size**: ~30 lines changed across 3 files **Files affected**: - `fs/smb/server/mgmt/tree_connect.c` - core reference counting logic - `fs/smb/server/mgmt/tree_connect.h` - struct definition - `fs/smb/server/smb2pdu.c` - disconnect path **Technical mechanism of the bug**: The previous fix (commit 33b235a6e6ebe) introduced a waitqueue-based refcount mechanism: 1. `ksmbd_tree_conn_disconnect()` would decrement refcount, wait for it to hit 0, then always call `kfree()` 2. `ksmbd_tree_connect_put()` would decrement refcount and wake up waiters **The race condition**: - Thread A: In disconnect, waits for refcount to hit 0, then runs more code before `kfree()` - Thread B: Drops last reference via `_put()`, refcount hits 0 - Thread A: Wakes up, but Thread B might still be executing code that accesses `tcon` - Thread A: Frees `tcon` - Thread B: UAF when accessing `tcon` after `_put()` returns **The fix**: Changes to standard "kref-style" reference counting: - Whoever drops refcount to 0 immediately calls `kfree()` - No window between refcount hitting 0 and free - Removes the buggy waitqueue mechanism entirely **Risk**: LOW - The new pattern (free on last put) is the standard kernel pattern (kref) - Simpler code is easier to verify correct - Self-contained within tree_connect subsystem ### 5. USER IMPACT - **Affected users**: Anyone running ksmbd (kernel SMB server) - **Trigger**: High concurrency - realistic for file servers - **Severity**: HIGH - kernel crash or potential security exploitation - **Real-world occurrence**: Two Reported-by tags confirm users hit this ### 6. STABILITY INDICATORS - Signed-off by ksmbd maintainer (Namjae Jeon) and CIFS/SMB maintainer (Steve French) - Two independent reporters indicate real bug - The buggy code was introduced in commit 33b235a6e6ebe (v6.6-rc1) ### 7. DEPENDENCY CHECK - The fix is self-contained - Depends only on commit 33b235a6e6ebe being present (which introduced the bug) - Affects: v6.6 and all later versions - Should apply cleanly - only 2 minor unrelated commits to tree_connect.c since the buggy commit ### Summary | Criterion | Assessment | |-----------|------------| | Fixes real bug | ✅ UAF in network-facing code | | Security impact | ✅ High - potential remote exploitation | | Small and contained | ✅ ~30 lines, 3 files, single subsystem | | No new features | ✅ Pure bug fix | | User-reported | ✅ Two Reported-by tags | | Clean backport | ✅ Self-contained fix | This commit fixes a use-after-free vulnerability in ksmbd, the in-kernel SMB server. The bug exists in the reference counting mechanism for tree connections and can be triggered under concurrent access - a realistic scenario for network file servers. UAF bugs in network-facing kernel code are serious security issues. The fix is small, uses a well- established kernel pattern (kref-style refcounting), and is self- contained. It should be backported to all stable kernels containing commit 33b235a6e6ebe (v6.6+). **YES** fs/smb/server/mgmt/tree_connect.c | 18 ++++-------------- fs/smb/server/mgmt/tree_connect.h | 1 - fs/smb/server/smb2pdu.c | 3 --- 3 files changed, 4 insertions(+), 18 deletions(-) diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c index ecfc575086712..d3483d9c757c7 100644 --- a/fs/smb/server/mgmt/tree_connect.c +++ b/fs/smb/server/mgmt/tree_connect.c @@ -78,7 +78,6 @@ ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name) tree_conn->t_state = TREE_NEW; status.tree_conn = tree_conn; atomic_set(&tree_conn->refcount, 1); - init_waitqueue_head(&tree_conn->refcount_q); ret = xa_err(xa_store(&sess->tree_conns, tree_conn->id, tree_conn, KSMBD_DEFAULT_GFP)); @@ -100,14 +99,8 @@ ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name) void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon) { - /* - * Checking waitqueue to releasing tree connect on - * tree disconnect. waitqueue_active is safe because it - * uses atomic operation for condition. - */ - if (!atomic_dec_return(&tcon->refcount) && - waitqueue_active(&tcon->refcount_q)) - wake_up(&tcon->refcount_q); + if (atomic_dec_and_test(&tcon->refcount)) + kfree(tcon); } int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess, @@ -119,14 +112,11 @@ int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess, xa_erase(&sess->tree_conns, tree_conn->id); write_unlock(&sess->tree_conns_lock); - if (!atomic_dec_and_test(&tree_conn->refcount)) - wait_event(tree_conn->refcount_q, - atomic_read(&tree_conn->refcount) == 0); - ret = ksmbd_ipc_tree_disconnect_request(sess->id, tree_conn->id); ksmbd_release_tree_conn_id(sess, tree_conn->id); ksmbd_share_config_put(tree_conn->share_conf); - kfree(tree_conn); + if (atomic_dec_and_test(&tree_conn->refcount)) + kfree(tree_conn); return ret; } diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h index a42cdd0510411..f0023d86716f2 100644 --- a/fs/smb/server/mgmt/tree_connect.h +++ b/fs/smb/server/mgmt/tree_connect.h @@ -33,7 +33,6 @@ struct ksmbd_tree_connect { int maximal_access; bool posix_extensions; atomic_t refcount; - wait_queue_head_t refcount_q; unsigned int t_state; }; diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 447e76da44409..aae42d2abf7bc 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2200,7 +2200,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work) goto err_out; } - WARN_ON_ONCE(atomic_dec_and_test(&tcon->refcount)); tcon->t_state = TREE_DISCONNECTED; write_unlock(&sess->tree_conns_lock); @@ -2210,8 +2209,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work) goto err_out; } - work->tcon = NULL; - rsp->StructureSize = cpu_to_le16(4); err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_tree_disconnect_rsp)); -- 2.51.0

1 day, 7 hours

1
44
0 0

[PATCH 6.17 000/146] 6.17.11-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.11 release. There are 146 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.11-rc1 Siddharth Vadapalli <s-vadapalli(a)ti.com> spi: cadence-quadspi: Fix cqspi_probe() error handling for runtime pm Punit Agrawal <punit.agrawal(a)oss.qualcomm.com> Revert "ACPI: Suppress misleading SPCR console message when SPCR table is absent" Jimmy Hu <hhhuuu(a)google.com> usb: gadget: udc: fix use-after-free in usb_gadget_state_work Kuen-Han Tsai <khtsai(a)google.com> usb: udc: Add trace event for usb_gadget_set_state Youngjun Park <youngjun.park(a)lge.com> mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type() ziming zhang <ezrakiez(a)gmail.com> libceph: replace BUG_ON with bounds check for map->max_osd ziming zhang <ezrakiez(a)gmail.com> libceph: prevent potential out-of-bounds writes in handle_auth_session_key() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix potential use-after-free in have_mon_and_osd_map() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Free previously initialized ports on init failures Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Don't free uninitialized ksz_irq Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: ptp: Fix checks on irq_find_mapping() Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> net: dsa: microchip: common: Fix checks on irq_find_mapping() Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Increase EDID read retries Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Don't change brightness for disabled connectors Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check NULL before accessing Michael Chen <michael.chen(a)amd.com> drm/amd/amdgpu: reserve vm invalidation engine for uni_mes Prike Liang <Prike.Liang(a)amd.com> drm/amdgpu: attach tlb fence to the PTs update Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe/guc: Fix stack_depot usage Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/psr: Reject async flips when selective fetch is enabled Johan Hovold <johan(a)kernel.org> drm: sti: fix device leaks at component probe Vanillan Wang <vanillanwang(a)163.com> USB: serial: option: add support for Rolling RW101R-GL Oleksandr Suvorov <cryosay(a)gmail.com> USB: serial: ftdi_sio: add support for u-blox EVK-M101 Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbgtty: fix device unregister Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix stale flag preventig URBs after link state error is cleared Manish Nagar <manish.nagar(a)oss.qualcomm.com> usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: Sort out the Intel device IDs Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Nova Lake -S Owen Gu <guhuinan(a)xiaomi.com> usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Jameson Thies <jthies(a)google.com> usb: typec: ucsi: psy: Set max current to zero when disconnected Tianchu Chen <flynnnchen(a)tencent.com> usb: storage: sddr55: Reject out-of-bound new_pba Alan Stern <stern(a)rowland.harvard.edu> USB: storage: Remove subclass and protocol overrides from Novatek quirk Desnes Nunes <desnesn(a)redhat.com> usb: storage: Fix memory leak in USB bulk transport Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> usb: renesas_usbhs: Fix synchronous external abort on unbind Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_eem: Fix memory leak in eem_unwrap Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: Fix double resource release in cdns3_pci_probe Johan Hovold <johan(a)kernel.org> most: usb: fix double free on late probe failure Miaoqian Lin <linmq006(a)gmail.com> serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> serial: 8250: Fix 8250_rsa symbol loop Kuniyuki Iwashima <kuniyu(a)google.com> mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). Paolo Abeni <pabeni(a)redhat.com> mptcp: clear scheduled subflows on retransmit Jisheng Zhang <jszhang(a)kernel.org> mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level Deepanshu Kartikey <kartikey406(a)gmail.com> mm/memfd: fix information leak in hugetlb folios Wei Yang <richard.weiyang(a)gmail.com> mm/huge_memory: fix NULL pointer deference when splitting folio Gustavo A. R. Silva <gustavoars(a)kernel.org> iommufd/driver: Fix counter initialization for counted_by annotation Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> firmware: stratix10-svc: fix bug in saving controller data Jens Axboe <axboe(a)kernel.dk> io_uring/net: ensure vectored buffer node import is tied to notification ChiYuan Huang <cy_huang(a)richtek.com> regulator: rtq2208: Correct LDO2 logic judgment bits ChiYuan Huang <cy_huang(a)richtek.com> regulator: rtq2208: Correct buck group2 phase mapping logic Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix RTL8127 hang on suspend/shutdown Jon Hunter <jonathanh(a)nvidia.com> pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag Wentao Guan <guanwentao(a)uniontech.com> nvmem: layouts: fix nvmem_layout_bus_uevent Miaoqian Lin <linmq006(a)gmail.com> slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Alan Borzeszkowski <alan.borzeszkowski(a)linux.intel.com> thunderbolt: Add support for Intel Wildcat Lake Paulo Alcantara <pc(a)manguebit.org> smb: client: fix memory leak in cifs_construct_tcon() Thomas Zimmermann <tzimmermann(a)suse.de> drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Jamie Iles <jamie.iles(a)oss.qualcomm.com> drivers/usb/dwc3: fix PCI parent check Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix unreliable memory allocation Dharma Balasubiramani <dharma.b(a)microchip.com> counter: microchip-tcb-capture: Allow shared IRQ for multi-channel TCBs Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: fix crash in process_v2_sparse_read() for encrypted directories Marc Kleine-Budde <mkl(a)pengutronix.de> can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling Thomas Mühlbacher <tmuehlbacher(a)posteo.net> can: sja1000: fix max irq loop handling Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix CAN-FD mode as default Douglas Anderson <dianders(a)chromium.org> Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref Gui-Dong Han <hanguidong02(a)gmail.com> atm/fore200e: Fix possible data race in fore200e_open() Maarten Zanders <maarten(a)zanders.be> ARM: dts: nxp: imx6ul: correct SAI3 interrupt line Xu Yang <xu.yang_2(a)nxp.com> arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity Frank Li <Frank.Li(a)nxp.com> arm64: dts: imx8dxl: Correct pcie-ep interrupt number Frank Li <Frank.Li(a)nxp.com> arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos Ivan Zhaldak <i.v.zhaldak(a)gmail.com> ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 René Rebe <rene(a)exactco.de> ALSA: hda/cirrus fix cs420x MacPro 6,1 inverted jack detection Deepanshu Kartikey <kartikey406(a)gmail.com> tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs Jason Wang <jasowang(a)redhat.com> vhost: rewind next_avail_head while discarding descriptors Jon Kohler <jon(a)nutanix.com> virtio-net: avoid unnecessary checksum calculation on guest RX Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: mm: Prevent a TLB shutdown on initial uniquification ChiYuan Huang <cy_huang(a)richtek.com> iio: adc: rtq6056: Correct the sign bit index David Lechner <dlechner(a)baylibre.com> iio: adc: ad7380: fix SPI offload trigger rate David Lechner <dlechner(a)baylibre.com> iio: adc: ad7280a: fix ad7280_store_balance_timer() David Lechner <dlechner(a)baylibre.com> iio: adc: ad7124: fix temperature channel Marcelo Schmitt <marcelo.schmitt(a)analog.com> iio: adc: ad4030: Fix _scale value for common-mode channels Valek Andrej <andrej.v(a)skyrain.eu> iio: accel: fix ADXL355 startup race condition Linus Walleij <linus.walleij(a)linaro.org> iio: accel: bmc150: Fix irq assumption regression Olivier Moysan <olivier.moysan(a)foss.st.com> iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio:common:ssp_sensors: Fix an error handling path ssp_probe() Achim Gratz <Achim.Gratz(a)Stromeko.DE> iio: pressure: bmp280: correct meas_time_us calculation Francesco Lavra <flavra(a)baylibre.com> iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> iio: humditiy: hdc3020: fix units for thresholds and hysteresis Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> iio: humditiy: hdc3020: fix units for temperature and humidity measurement Nuno Sá <nuno.sa(a)analog.com> iio: buffer: support getting dma channel from the buffer Nuno Sá <nuno.sa(a)analog.com> iio: buffer-dmaengine: enable .get_dma_dev() Nuno Sá <nuno.sa(a)analog.com> iio: buffer-dma: support getting the DMA channel Jiri Olsa <jolsa(a)kernel.org> Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/display: Move setup_stream_attribute" Dan Carpenter <dan.carpenter(a)linaro.org> timekeeping: Fix error code in tk_aux_sysfs_init() David Howells <dhowells(a)redhat.com> afs: Fix uninit var in afs_alloc_anon_key() Hang Zhou <929513338(a)qq.com> spi: bcm63xx: fix premature CS deassertion on RX-only transactions Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: nxp-fspi: Propagate fwnode in ACPI case as well Haibo Chen <haibo.chen(a)nxp.com> spi: spi-nxp-fspi: Add OCT-DTR mode support Haotian Zhang <vulab(a)iscas.ac.cn> spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors Francesco Lavra <flavra(a)baylibre.com> spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA Sergey Matyukevich <geomatsi(a)gmail.com> riscv: dts: allwinner: d1: fix vlenb property NeilBrown <neil(a)brown.name> ovl: fail ovl_lock_rename_workdir() if either target is unhashed David Howells <dhowells(a)redhat.com> afs: Fix delayed allocation of a cell's anonymous key Andrei Vagin <avagin(a)google.com> fs/namespace: fix reference leak in grab_requested_mnt_ns Anurag Dutta <a-dutta(a)ti.com> spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance Anurag Dutta <a-dutta(a)ti.com> spi: spi-cadence-quadspi: Remove duplicate pm_runtime_put_autosuspend() call Jamie Iles <jamie.iles(a)oss.qualcomm.com> mailbox: pcc: don't zero error register Jason-JH Lin <jason-jh.lin(a)mediatek.com> mailbox: mtk-cmdq: Refine DMA address handling for the command buffer Haotian Zhang <vulab(a)iscas.ac.cn> mailbox: mailbox-test: Fix debugfs_create_dir error checking Haotian Zhang <vulab(a)iscas.ac.cn> usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors Mario Tesi <martepisa(a)gmail.com> iio: st_lsm6dsx: Fixed calibrated timestamp calculation Wei Fang <wei.fang(a)nxp.com> net: fec: do not register PPS event for PEROUT Wei Fang <wei.fang(a)nxp.com> net: fec: do not allow enabling PPS and PEROUT simultaneously Wei Fang <wei.fang(a)nxp.com> net: fec: do not update PEROUT if it is enabled Wei Fang <wei.fang(a)nxp.com> net: fec: cancel perout_timer when PEROUT is disabled Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: unconditionally set skb->dev on dst output Jiefeng Zhang <jiefeng.z.zhang(a)gmail.com> net: atlantic: fix fragment overflow handling in RX path Mohsin Bashir <mohsin.bashr(a)gmail.com> eth: fbnic: Fix counter roll-over issue Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic Slark Xiao <slark_xiao(a)163.com> net: wwan: mhi: Keep modem name match with Foxconn T99W640 Pranjal Shrivastava <praan(a)google.com> dma-direct: Fix missing sg_dma_len assignment in P2PDMA bus mappings Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix cyan_skillfish2 gpu info fw handling Fernando Fernandez Mancera <fmancera(a)suse.de> xsk: avoid data corruption on cq descriptor number Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> xsk: avoid overwriting skb fields for multi-buffer traffic Alexey Kodanev <aleksei.kodanev(a)bell-sw.com> net: sxgbe: fix potential NULL dereference in sxgbe_rx() Nikola Z. Ivanov <zlatistiv(a)gmail.com> team: Move team device type change at the end of team_port_add Danielle Costantino <dcostantino(a)meta.com> net/mlx5e: Fix validation logic in rate limiting Harish Chegondi <harish.chegondi(a)intel.com> drm/xe: Fix conversion from clock ticks to milliseconds Horatiu Vultur <horatiu.vultur(a)microchip.com> net: lan966x: Fix the initialization of taprio Daniel Golle <daniel(a)makrotopia.org> net: phy: mxl-gpy: fix link properties on USXGMII and internal PHYs Kai-Heng Feng <kaihengf(a)nvidia.com> net: aquantia: Add missing descriptor cache invalidation on ATL2 Dan Carpenter <dan.carpenter(a)linaro.org> platform/x86: intel: punit_ipc: fix memory corruption Daniel Golle <daniel(a)makrotopia.org> net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY Devarsh Thakkar <devarsht(a)ti.com> drm/bridge: sii902x: Fix HDMI detection with DRM_BRIDGE_ATTACH_NO_CONNECTOR Jesper Dangaard Brouer <hawk(a)kernel.org> veth: reduce XDP no_direct return section to fix race Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix not generating mackey and ltk when repairing Pauli Virtanen <pav(a)iki.fi> Bluetooth: hci_core: lookup hci_conn on RX path on protocol side Edward Adam Davis <eadavis(a)qq.com> Bluetooth: hci_sock: Prevent race in socket write iter and sock bind Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Seungjin Bae <eeodqql09(a)gmail.com> can: kvaser_usb: leaf: Fix potential infinite loop in command parsers ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/nxp/imx/imx6ul.dtsi | 2 +- arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi | 4 +- arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi | 5 + arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 4 +- arch/arm64/kernel/acpi.c | 10 +- arch/mips/mm/tlb-r4k.c | 118 ++++++++++----- arch/riscv/boot/dts/allwinner/sun20i-d1s.dtsi | 2 +- arch/x86/events/core.c | 10 +- drivers/atm/fore200e.c | 2 + drivers/bluetooth/btusb.c | 39 ++++- drivers/counter/microchip-tcb-capture.c | 2 +- drivers/firmware/stratix10-svc.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 15 ++ .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 8 +- drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 11 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 - .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 - .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 - drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 + .../display/dc/virtual/virtual_stream_encoder.c | 7 - drivers/gpu/drm/bridge/sii902x.c | 20 ++- drivers/gpu/drm/drm_fb_helper.c | 14 -- drivers/gpu/drm/i915/display/intel_display.c | 8 ++ drivers/gpu/drm/i915/display/intel_psr.c | 6 - drivers/gpu/drm/sti/sti_vtg.c | 7 +- drivers/gpu/drm/xe/xe_gt_clock.c | 7 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 + drivers/iio/accel/adxl355_core.c | 44 +++++- drivers/iio/accel/bmc150-accel-core.c | 5 + drivers/iio/accel/bmc150-accel.h | 1 + drivers/iio/adc/ad4030.c | 2 +- drivers/iio/adc/ad7124.c | 12 +- drivers/iio/adc/ad7280a.c | 2 +- drivers/iio/adc/ad7380.c | 8 ++ drivers/iio/adc/rtq6056.c | 2 +- drivers/iio/adc/stm32-dfsdm-adc.c | 5 +- drivers/iio/buffer/industrialio-buffer-dma.c | 6 + drivers/iio/buffer/industrialio-buffer-dmaengine.c | 2 + drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +- drivers/iio/humidity/hdc3020.c | 73 ++++++---- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 40 ++++-- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 19 ++- drivers/iio/industrialio-buffer.c | 21 ++- drivers/iio/pressure/bmp280-core.c | 15 +- drivers/iommu/iommufd/driver.c | 2 +- drivers/mailbox/mailbox-test.c | 2 +- drivers/mailbox/mtk-cmdq-mailbox.c | 45 ++++-- drivers/mailbox/pcc.c | 8 +- drivers/md/dm-verity-fec.c | 6 +- drivers/mmc/host/sdhci-of-dwcmshc.c | 29 ++-- drivers/most/most_usb.c | 14 +- drivers/net/can/rcar/rcar_canfd.c | 53 ++++--- drivers/net/can/sja1000/sja1000.c | 4 +- drivers/net/can/sun4i_can.c | 4 +- drivers/net/can/usb/gs_usb.c | 102 +++++++++++-- drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 +- drivers/net/dsa/microchip/ksz_common.c | 31 ++-- drivers/net/dsa/microchip/ksz_ptp.c | 22 ++- drivers/net/dsa/sja1105/sja1105_main.c | 7 - .../net/ethernet/aquantia/atlantic/aq_hw_utils.c | 22 +++ .../net/ethernet/aquantia/atlantic/aq_hw_utils.h | 1 + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 19 +-- .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c | 2 +- drivers/net/ethernet/freescale/fec.h | 1 + drivers/net/ethernet/freescale/fec_ptp.c | 64 +++++++-- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 2 +- drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 2 +- .../net/ethernet/microchip/lan966x/lan966x_ptp.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 19 ++- drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 4 +- drivers/net/phy/mxl-gpy.c | 20 +-- drivers/net/team/team_core.c | 23 +-- drivers/net/tun_vnet.h | 2 +- drivers/net/veth.c | 7 +- drivers/net/virtio_net.c | 3 +- drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvmem/layouts.c | 2 +- drivers/platform/x86/intel/punit_ipc.c | 2 +- drivers/pmdomain/tegra/powergate-bpmp.c | 1 + drivers/regulator/rtq2208-regulator.c | 6 +- drivers/slimbus/qcom-ngd-ctrl.c | 1 + drivers/spi/Kconfig | 4 +- drivers/spi/spi-amlogic-spifc-a1.c | 4 +- drivers/spi/spi-bcm63xx.c | 14 ++ drivers/spi/spi-cadence-quadspi.c | 18 ++- drivers/spi/spi-nxp-fspi.c | 28 +++- drivers/thunderbolt/nhi.c | 2 + drivers/thunderbolt/nhi.h | 1 + drivers/tty/serial/8250/8250.h | 4 +- drivers/tty/serial/8250/8250_platform.c | 2 +- drivers/tty/serial/8250/8250_rsa.c | 26 ++-- drivers/tty/serial/8250/Makefile | 2 +- drivers/tty/serial/amba-pl011.c | 2 +- drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +- drivers/usb/dwc3/core.c | 3 +- drivers/usb/dwc3/dwc3-pci.c | 82 +++++------ drivers/usb/dwc3/ep0.c | 1 + drivers/usb/dwc3/gadget.c | 7 + drivers/usb/gadget/function/f_eem.c | 7 +- drivers/usb/gadget/udc/core.c | 18 ++- drivers/usb/gadget/udc/renesas_usbf.c | 4 +- drivers/usb/gadget/udc/trace.h | 5 + drivers/usb/host/xhci-dbgcap.h | 1 + drivers/usb/host/xhci-dbgtty.c | 23 ++- drivers/usb/host/xhci-ring.c | 15 +- drivers/usb/host/xhci.c | 1 + drivers/usb/renesas_usbhs/common.c | 14 +- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 1 + drivers/usb/serial/option.c | 10 +- drivers/usb/storage/sddr55.c | 6 + drivers/usb/storage/transport.c | 16 +++ drivers/usb/storage/uas.c | 5 + drivers/usb/storage/unusual_devs.h | 2 +- drivers/usb/typec/ucsi/psy.c | 5 + drivers/vhost/net.c | 53 ++++--- drivers/vhost/vhost.c | 76 ++++++++-- drivers/vhost/vhost.h | 10 +- drivers/video/fbdev/core/fbcon.c | 9 ++ fs/afs/cell.c | 43 ++---- fs/afs/internal.h | 1 + fs/afs/security.c | 49 +++++-- fs/namespace.c | 7 +- fs/overlayfs/util.c | 4 +- fs/smb/client/connect.c | 1 + include/linux/iio/buffer-dma.h | 1 + include/linux/iio/buffer_impl.h | 2 + include/linux/mailbox/mtk-cmdq-mailbox.h | 10 ++ include/linux/usb/gadget.h | 5 + include/linux/virtio_net.h | 7 +- include/net/bluetooth/hci_core.h | 21 ++- io_uring/net.c | 6 +- kernel/dma/direct.c | 1 + kernel/time/timekeeping.c | 4 +- kernel/trace/trace.c | 10 ++ mm/huge_memory.c | 22 ++- mm/memfd.c | 27 ++++ mm/swapfile.c | 4 +- net/bluetooth/hci_core.c | 89 +++++------- net/bluetooth/hci_sock.c | 2 + net/bluetooth/iso.c | 30 +++- net/bluetooth/l2cap_core.c | 23 ++- net/bluetooth/sco.c | 35 +++-- net/bluetooth/smp.c | 31 +--- net/ceph/auth_x.c | 2 + net/ceph/ceph_common.c | 53 ++++--- net/ceph/debugfs.c | 16 ++- net/ceph/messenger_v2.c | 11 +- net/ceph/osdmap.c | 18 ++- net/mctp/route.c | 1 + net/mptcp/protocol.c | 19 ++- net/xdp/xsk.c | 160 +++++++++++++-------- sound/hda/codecs/cirrus/cs420x.c | 1 + sound/usb/quirks.c | 3 + 159 files changed, 1538 insertions(+), 807 deletions(-)

1 day, 8 hours

18
172
0 0

[PATCH 6.18.y] Documentation/rtla: rename common_xxx.rst files to common_xxx.txt

by Bagas Sanjaya

From: Gopi Krishna Menon <krishnagopi487(a)gmail.com> commit 96b546c241b11a97ba1247580208c554458e7866 upstream. Sphinx reports htmldocs errors: Documentation/tools/rtla/common_options.rst:58: ERROR: Undefined substitution referenced: "threshold". Documentation/tools/rtla/common_options.rst:88: ERROR: Undefined substitution referenced: "tool". Documentation/tools/rtla/common_options.rst:88: ERROR: Undefined substitution referenced: "thresharg". Documentation/tools/rtla/common_options.rst:88: ERROR: Undefined substitution referenced: "tracer". Documentation/tools/rtla/common_options.rst:92: ERROR: Undefined substitution referenced: "tracer". Documentation/tools/rtla/common_options.rst:98: ERROR: Undefined substitution referenced: "actionsperf". Documentation/tools/rtla/common_options.rst:113: ERROR: Undefined substitution referenced: "tool". common_*.rst files are snippets that are intended to be included by rtla docs (rtla*.rst). common_options.rst in particular contains substitutions which depend on other common_* includes, so building it independently as reST source results in above errors. Rename all common_*.rst files to common_*.txt to prevent Sphinx from building these snippets as standalone reST source and update all include references accordingly. Cc: stable(a)vger.kernel.org Link: https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html#sub… Suggested-by: Tomas Glozar <tglozar(a)redhat.com> Suggested-by: Bagas Sanjaya <bagasdotme(a)gmail.com> Signed-off-by: Gopi Krishna Menon <krishnagopi487(a)gmail.com> Reviewed-by: Tomas Glozar <tglozar(a)redhat.com> Fixes: 05b7e10687c6 ("tools/rtla: Add remaining support for osnoise actions") Reviewed-by: Bagas Sanjaya <bagasdotme(a)gmail.com> Link: https://lore.kernel.org/r/20251008184522.13201-1-krishnagopi487@gmail.com [Bagas: massage commit message and apply trailers] Signed-off-by: Bagas Sanjaya <bagasdotme(a)gmail.com> Reviewed-by: Randy Dunlap <rdunlap(a)infradead.org> Tested-by: Randy Dunlap <rdunlap(a)infradead.org> Signed-off-by: Jonathan Corbet <corbet(a)lwn.net> Message-ID: <20251013092719.30780-2-bagasdotme(a)gmail.com> Signed-off-by: Bagas Sanjaya <bagasdotme(a)gmail.com> --- Note: The warnings were present in 6.18 cycle but unfortunately the original 96b546c241b11a97ba1247580208c554458e7866 got instead queued up for 6.19 merge window. .../{common_appendix.rst => common_appendix.txt} | 0 ...mmon_hist_options.rst => common_hist_options.txt} | 0 .../rtla/{common_options.rst => common_options.txt} | 0 ...escription.rst => common_osnoise_description.txt} | 0 ...snoise_options.rst => common_osnoise_options.txt} | 0 ...common_timerlat_aa.rst => common_timerlat_aa.txt} | 0 ...scription.rst => common_timerlat_description.txt} | 0 ...erlat_options.rst => common_timerlat_options.txt} | 0 ...common_top_options.rst => common_top_options.txt} | 0 Documentation/tools/rtla/rtla-hwnoise.rst | 8 ++++---- Documentation/tools/rtla/rtla-osnoise-hist.rst | 10 +++++----- Documentation/tools/rtla/rtla-osnoise-top.rst | 10 +++++----- Documentation/tools/rtla/rtla-osnoise.rst | 4 ++-- Documentation/tools/rtla/rtla-timerlat-hist.rst | 12 ++++++------ Documentation/tools/rtla/rtla-timerlat-top.rst | 12 ++++++------ Documentation/tools/rtla/rtla-timerlat.rst | 4 ++-- Documentation/tools/rtla/rtla.rst | 2 +- 17 files changed, 31 insertions(+), 31 deletions(-) rename Documentation/tools/rtla/{common_appendix.rst => common_appendix.txt} (100%) rename Documentation/tools/rtla/{common_hist_options.rst => common_hist_options.txt} (100%) rename Documentation/tools/rtla/{common_options.rst => common_options.txt} (100%) rename Documentation/tools/rtla/{common_osnoise_description.rst => common_osnoise_description.txt} (100%) rename Documentation/tools/rtla/{common_osnoise_options.rst => common_osnoise_options.txt} (100%) rename Documentation/tools/rtla/{common_timerlat_aa.rst => common_timerlat_aa.txt} (100%) rename Documentation/tools/rtla/{common_timerlat_description.rst => common_timerlat_description.txt} (100%) rename Documentation/tools/rtla/{common_timerlat_options.rst => common_timerlat_options.txt} (100%) rename Documentation/tools/rtla/{common_top_options.rst => common_top_options.txt} (100%) diff --git a/Documentation/tools/rtla/common_appendix.rst b/Documentation/tools/rtla/common_appendix.txt similarity index 100% rename from Documentation/tools/rtla/common_appendix.rst rename to Documentation/tools/rtla/common_appendix.txt diff --git a/Documentation/tools/rtla/common_hist_options.rst b/Documentation/tools/rtla/common_hist_options.txt similarity index 100% rename from Documentation/tools/rtla/common_hist_options.rst rename to Documentation/tools/rtla/common_hist_options.txt diff --git a/Documentation/tools/rtla/common_options.rst b/Documentation/tools/rtla/common_options.txt similarity index 100% rename from Documentation/tools/rtla/common_options.rst rename to Documentation/tools/rtla/common_options.txt diff --git a/Documentation/tools/rtla/common_osnoise_description.rst b/Documentation/tools/rtla/common_osnoise_description.txt similarity index 100% rename from Documentation/tools/rtla/common_osnoise_description.rst rename to Documentation/tools/rtla/common_osnoise_description.txt diff --git a/Documentation/tools/rtla/common_osnoise_options.rst b/Documentation/tools/rtla/common_osnoise_options.txt similarity index 100% rename from Documentation/tools/rtla/common_osnoise_options.rst rename to Documentation/tools/rtla/common_osnoise_options.txt diff --git a/Documentation/tools/rtla/common_timerlat_aa.rst b/Documentation/tools/rtla/common_timerlat_aa.txt similarity index 100% rename from Documentation/tools/rtla/common_timerlat_aa.rst rename to Documentation/tools/rtla/common_timerlat_aa.txt diff --git a/Documentation/tools/rtla/common_timerlat_description.rst b/Documentation/tools/rtla/common_timerlat_description.txt similarity index 100% rename from Documentation/tools/rtla/common_timerlat_description.rst rename to Documentation/tools/rtla/common_timerlat_description.txt diff --git a/Documentation/tools/rtla/common_timerlat_options.rst b/Documentation/tools/rtla/common_timerlat_options.txt similarity index 100% rename from Documentation/tools/rtla/common_timerlat_options.rst rename to Documentation/tools/rtla/common_timerlat_options.txt diff --git a/Documentation/tools/rtla/common_top_options.rst b/Documentation/tools/rtla/common_top_options.txt similarity index 100% rename from Documentation/tools/rtla/common_top_options.rst rename to Documentation/tools/rtla/common_top_options.txt diff --git a/Documentation/tools/rtla/rtla-hwnoise.rst b/Documentation/tools/rtla/rtla-hwnoise.rst index 3a7163c02ac8e8..26512b15fe7ba5 100644 --- a/Documentation/tools/rtla/rtla-hwnoise.rst +++ b/Documentation/tools/rtla/rtla-hwnoise.rst @@ -29,11 +29,11 @@ collection of the tracer output. OPTIONS ======= -.. include:: common_osnoise_options.rst +.. include:: common_osnoise_options.txt -.. include:: common_top_options.rst +.. include:: common_top_options.txt -.. include:: common_options.rst +.. include:: common_options.txt EXAMPLE ======= @@ -106,4 +106,4 @@ AUTHOR ====== Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla-osnoise-hist.rst b/Documentation/tools/rtla/rtla-osnoise-hist.rst index 1fc60ef2610677..007521c865d97e 100644 --- a/Documentation/tools/rtla/rtla-osnoise-hist.rst +++ b/Documentation/tools/rtla/rtla-osnoise-hist.rst @@ -15,7 +15,7 @@ SYNOPSIS DESCRIPTION =========== -.. include:: common_osnoise_description.rst +.. include:: common_osnoise_description.txt The **rtla osnoise hist** tool collects all **osnoise:sample_threshold** occurrence in a histogram, displaying the results in a user-friendly way. @@ -24,11 +24,11 @@ collection of the tracer output. OPTIONS ======= -.. include:: common_osnoise_options.rst +.. include:: common_osnoise_options.txt -.. include:: common_hist_options.rst +.. include:: common_hist_options.txt -.. include:: common_options.rst +.. include:: common_options.txt EXAMPLE ======= @@ -65,4 +65,4 @@ AUTHOR ====== Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla-osnoise-top.rst b/Documentation/tools/rtla/rtla-osnoise-top.rst index b1cbd7bcd4aed2..6ccadae3894570 100644 --- a/Documentation/tools/rtla/rtla-osnoise-top.rst +++ b/Documentation/tools/rtla/rtla-osnoise-top.rst @@ -15,7 +15,7 @@ SYNOPSIS DESCRIPTION =========== -.. include:: common_osnoise_description.rst +.. include:: common_osnoise_description.txt **rtla osnoise top** collects the periodic summary from the *osnoise* tracer, including the counters of the occurrence of the interference source, @@ -26,11 +26,11 @@ collection of the tracer output. OPTIONS ======= -.. include:: common_osnoise_options.rst +.. include:: common_osnoise_options.txt -.. include:: common_top_options.rst +.. include:: common_top_options.txt -.. include:: common_options.rst +.. include:: common_options.txt EXAMPLE ======= @@ -60,4 +60,4 @@ AUTHOR ====== Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla-osnoise.rst b/Documentation/tools/rtla/rtla-osnoise.rst index c129b206ce3484..540d2bf6c15247 100644 --- a/Documentation/tools/rtla/rtla-osnoise.rst +++ b/Documentation/tools/rtla/rtla-osnoise.rst @@ -14,7 +14,7 @@ SYNOPSIS DESCRIPTION =========== -.. include:: common_osnoise_description.rst +.. include:: common_osnoise_description.txt The *osnoise* tracer outputs information in two ways. It periodically prints a summary of the noise of the operating system, including the counters of @@ -56,4 +56,4 @@ AUTHOR ====== Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla-timerlat-hist.rst b/Documentation/tools/rtla/rtla-timerlat-hist.rst index 4923a362129bbd..f56fe546411bd4 100644 --- a/Documentation/tools/rtla/rtla-timerlat-hist.rst +++ b/Documentation/tools/rtla/rtla-timerlat-hist.rst @@ -16,7 +16,7 @@ SYNOPSIS DESCRIPTION =========== -.. include:: common_timerlat_description.rst +.. include:: common_timerlat_description.txt The **rtla timerlat hist** displays a histogram of each tracer event occurrence. This tool uses the periodic information, and the @@ -25,13 +25,13 @@ occurrence. This tool uses the periodic information, and the OPTIONS ======= -.. include:: common_timerlat_options.rst +.. include:: common_timerlat_options.txt -.. include:: common_hist_options.rst +.. include:: common_hist_options.txt -.. include:: common_options.rst +.. include:: common_options.txt -.. include:: common_timerlat_aa.rst +.. include:: common_timerlat_aa.txt EXAMPLE ======= @@ -110,4 +110,4 @@ AUTHOR ====== Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla-timerlat-top.rst b/Documentation/tools/rtla/rtla-timerlat-top.rst index 50968cdd2095a1..7dbe625d0c4243 100644 --- a/Documentation/tools/rtla/rtla-timerlat-top.rst +++ b/Documentation/tools/rtla/rtla-timerlat-top.rst @@ -16,7 +16,7 @@ SYNOPSIS DESCRIPTION =========== -.. include:: common_timerlat_description.rst +.. include:: common_timerlat_description.txt The **rtla timerlat top** displays a summary of the periodic output from the *timerlat* tracer. It also provides information for each @@ -26,13 +26,13 @@ seem with the option **-T**. OPTIONS ======= -.. include:: common_timerlat_options.rst +.. include:: common_timerlat_options.txt -.. include:: common_top_options.rst +.. include:: common_top_options.txt -.. include:: common_options.rst +.. include:: common_options.txt -.. include:: common_timerlat_aa.rst +.. include:: common_timerlat_aa.txt **--aa-only** *us* @@ -133,4 +133,4 @@ AUTHOR ------ Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla-timerlat.rst b/Documentation/tools/rtla/rtla-timerlat.rst index 20e2d259467fd0..ce9f57e038c37f 100644 --- a/Documentation/tools/rtla/rtla-timerlat.rst +++ b/Documentation/tools/rtla/rtla-timerlat.rst @@ -14,7 +14,7 @@ SYNOPSIS DESCRIPTION =========== -.. include:: common_timerlat_description.rst +.. include:: common_timerlat_description.txt The **rtla timerlat top** mode displays a summary of the periodic output from the *timerlat* tracer. The **rtla timerlat hist** mode displays @@ -51,4 +51,4 @@ AUTHOR ====== Written by Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt diff --git a/Documentation/tools/rtla/rtla.rst b/Documentation/tools/rtla/rtla.rst index fc0d233efcd5df..2a5fb7004ad448 100644 --- a/Documentation/tools/rtla/rtla.rst +++ b/Documentation/tools/rtla/rtla.rst @@ -45,4 +45,4 @@ AUTHOR ====== Daniel Bristot de Oliveira <bristot(a)kernel.org> -.. include:: common_appendix.rst +.. include:: common_appendix.txt base-commit: a66aab4b0ed2ca786d5512e843f32d96942ff311 -- An old man doll... just what I always wanted! - Clara

1 day, 8 hours

1
0
0 0

[PATCH] Revert "clk: qcom: cpu-8996: simplify the cpu_clk_notifier_cb"

by Christopher Obbard

This reverts commit b3b274bc9d3d7307308aeaf75f70731765ac999a. On the DragonBoard 820c (which uses APQ8096/MSM8996) this change causes the CPUs to downclock to roughly half speed under sustained load. The regression is visible both during boot and when running CPU stress workloads such as stress-ng: the CPUs initially ramp up to the expected frequency, then drop to a lower OPP even though the system is clearly CPU-bound. Bisecting points to this commit and reverting it restores the expected behaviour on the DragonBoard 820c - the CPUs track the cpufreq policy and run at full performance under load. The exact interaction with the ACD is not yet fully understood and we would like to keep ACD in use to avoid possible SoC reliability issues. Until we have a better fix that preserves ACD while avoiding this performance regression, revert the bisected patch to restore the previous behaviour. Fixes: b3b274bc9d3d ("clk: qcom: cpu-8996: simplify the cpu_clk_notifier_cb") Cc: stable(a)vger.kernel.org # v6.3+ Link: https://lore.kernel.org/linux-arm-msm/20230113120544.59320-8-dmitry.baryshk… Cc: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Signed-off-by: Christopher Obbard <christopher.obbard(a)linaro.org> --- Hi all, This series contains a single revert for a regression affecting the APQ8096/MSM8996 (DragonBoard 820c). The commit being reverted, b3b274bc9d3d ("clk: qcom: cpu-8996: simplify the cpu_clk_notifier_cb"), introduces a significant performance issue where the CPUs downclock to ~50% of their expected frequency under sustained load. The problem is reproducible both at boot and when running CPU-bound workloads such as stress-ng. Bisecting the issue pointed directly to this commit and reverting it restores correct cpufreq behaviour. The root cause appears to be related to the interaction between the simplified notifier callback and ACD (Adaptive Clock Distribution). Since we would prefer to keep ACD enabled for SoC reliability reasons, a revert is the safest option until a proper fix is identified. Full details are included in the commit message. Feedback & suggestions welcome. Cheers! Christopher Obbard --- drivers/clk/qcom/clk-cpu-8996.c | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/drivers/clk/qcom/clk-cpu-8996.c b/drivers/clk/qcom/clk-cpu-8996.c index 21d13c0841ed..028476931747 100644 --- a/drivers/clk/qcom/clk-cpu-8996.c +++ b/drivers/clk/qcom/clk-cpu-8996.c @@ -547,35 +547,27 @@ static int cpu_clk_notifier_cb(struct notifier_block *nb, unsigned long event, { struct clk_cpu_8996_pmux *cpuclk = to_clk_cpu_8996_pmux_nb(nb); struct clk_notifier_data *cnd = data; + int ret; switch (event) { case PRE_RATE_CHANGE: + ret = clk_cpu_8996_pmux_set_parent(&cpuclk->clkr.hw, ALT_INDEX); qcom_cpu_clk_msm8996_acd_init(cpuclk->clkr.regmap); - - /* - * Avoid overvolting. clk_core_set_rate_nolock() walks from top - * to bottom, so it will change the rate of the PLL before - * chaging the parent of PMUX. This can result in pmux getting - * clocked twice the expected rate. - * - * Manually switch to PLL/2 here. - */ - if (cnd->new_rate < DIV_2_THRESHOLD && - cnd->old_rate > DIV_2_THRESHOLD) - clk_cpu_8996_pmux_set_parent(&cpuclk->clkr.hw, SMUX_INDEX); - break; - case ABORT_RATE_CHANGE: - /* Revert manual change */ - if (cnd->new_rate < DIV_2_THRESHOLD && - cnd->old_rate > DIV_2_THRESHOLD) - clk_cpu_8996_pmux_set_parent(&cpuclk->clkr.hw, ACD_INDEX); + case POST_RATE_CHANGE: + if (cnd->new_rate < DIV_2_THRESHOLD) + ret = clk_cpu_8996_pmux_set_parent(&cpuclk->clkr.hw, + SMUX_INDEX); + else + ret = clk_cpu_8996_pmux_set_parent(&cpuclk->clkr.hw, + ACD_INDEX); break; default: + ret = 0; break; } - return NOTIFY_OK; + return notifier_from_errno(ret); }; static int qcom_cpu_clk_msm8996_driver_probe(struct platform_device *pdev) --- base-commit: c17e270dfb342a782d69c4a7c4c32980455afd9c change-id: 20251202-wip-obbardc-qcom-msm8096-clk-cpu-fix-downclock-b7561da4cb95 Best regards, -- Christopher Obbard <christopher.obbard(a)linaro.org>

1 day, 8 hours

2
2
0 0

[PATCH v4] drm/tilcdc: Fix removal actions in case of failed probe

by Kory Maincent

From: "Kory Maincent (TI.com)" <kory.maincent(a)bootlin.com> The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. Cc: stable(a)vger.kernel.org Fixes: 3c4babae3c4a ("drm: Call drm_atomic_helper_shutdown() at shutdown/remove time for misc drivers") Signed-off-by: Kory Maincent (TI.com) <kory.maincent(a)bootlin.com> --- I'm working on removing the usage of deprecated functions as well as general improvements to this driver, but it will take some time so for now this is a simple fix to a functional bug. Change in v4: - Fix an unused label warning reported by the kernel test robot. Change in v3: - Rewrite the failed probe clean up path using goto - Remove the is_registered flag Change in v2: - Add missing cc: stable tag - Add Swamil reviewed-by --- drivers/gpu/drm/tilcdc/tilcdc_crtc.c | 2 +- drivers/gpu/drm/tilcdc/tilcdc_drv.c | 53 ++++++++++++++++++---------- drivers/gpu/drm/tilcdc/tilcdc_drv.h | 2 +- 3 files changed, 37 insertions(+), 20 deletions(-) diff --git a/drivers/gpu/drm/tilcdc/tilcdc_crtc.c b/drivers/gpu/drm/tilcdc/tilcdc_crtc.c index 5718d9d83a49f..52c95131af5af 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_crtc.c +++ b/drivers/gpu/drm/tilcdc/tilcdc_crtc.c @@ -586,7 +586,7 @@ static void tilcdc_crtc_recover_work(struct work_struct *work) drm_modeset_unlock(&crtc->mutex); } -static void tilcdc_crtc_destroy(struct drm_crtc *crtc) +void tilcdc_crtc_destroy(struct drm_crtc *crtc) { struct tilcdc_drm_private *priv = crtc->dev->dev_private; diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.c b/drivers/gpu/drm/tilcdc/tilcdc_drv.c index 7caec4d38ddf0..3dcbec312bacb 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c +++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c @@ -172,8 +172,7 @@ static void tilcdc_fini(struct drm_device *dev) if (priv->crtc) tilcdc_crtc_shutdown(priv->crtc); - if (priv->is_registered) - drm_dev_unregister(dev); + drm_dev_unregister(dev); drm_kms_helper_poll_fini(dev); drm_atomic_helper_shutdown(dev); @@ -220,21 +219,21 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) priv->wq = alloc_ordered_workqueue("tilcdc", 0); if (!priv->wq) { ret = -ENOMEM; - goto init_failed; + goto put_drm; } priv->mmio = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(priv->mmio)) { dev_err(dev, "failed to request / ioremap\n"); ret = PTR_ERR(priv->mmio); - goto init_failed; + goto free_wq; } priv->clk = clk_get(dev, "fck"); if (IS_ERR(priv->clk)) { dev_err(dev, "failed to get functional clock\n"); ret = -ENODEV; - goto init_failed; + goto free_wq; } pm_runtime_enable(dev); @@ -313,7 +312,7 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) ret = tilcdc_crtc_create(ddev); if (ret < 0) { dev_err(dev, "failed to create crtc\n"); - goto init_failed; + goto disable_pm; } modeset_init(ddev); @@ -324,46 +323,46 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) if (ret) { dev_err(dev, "failed to register cpufreq notifier\n"); priv->freq_transition.notifier_call = NULL; - goto init_failed; + goto destroy_crtc; } #endif if (priv->is_componentized) { ret = component_bind_all(dev, ddev); if (ret < 0) - goto init_failed; + goto unregister_cpufreq_notif; ret = tilcdc_add_component_encoder(ddev); if (ret < 0) - goto init_failed; + goto unbind_component; } else { ret = tilcdc_attach_external_device(ddev); if (ret) - goto init_failed; + goto unregister_cpufreq_notif; } if (!priv->external_connector && ((priv->num_encoders == 0) || (priv->num_connectors == 0))) { dev_err(dev, "no encoders/connectors found\n"); ret = -EPROBE_DEFER; - goto init_failed; + goto unbind_component; } ret = drm_vblank_init(ddev, 1); if (ret < 0) { dev_err(dev, "failed to initialize vblank\n"); - goto init_failed; + goto unbind_component; } ret = platform_get_irq(pdev, 0); if (ret < 0) - goto init_failed; + goto unbind_component; priv->irq = ret; ret = tilcdc_irq_install(ddev, priv->irq); if (ret < 0) { dev_err(dev, "failed to install IRQ handler\n"); - goto init_failed; + goto unbind_component; } drm_mode_config_reset(ddev); @@ -372,16 +371,34 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) ret = drm_dev_register(ddev, 0); if (ret) - goto init_failed; - priv->is_registered = true; + goto stop_poll; drm_client_setup_with_color_mode(ddev, bpp); return 0; -init_failed: - tilcdc_fini(ddev); +stop_poll: + drm_kms_helper_poll_fini(ddev); + tilcdc_irq_uninstall(ddev); +unbind_component: + if (priv->is_componentized) + component_unbind_all(dev, ddev); +unregister_cpufreq_notif: +#ifdef CONFIG_CPU_FREQ + cpufreq_unregister_notifier(&priv->freq_transition, + CPUFREQ_TRANSITION_NOTIFIER); +destroy_crtc: +#endif + tilcdc_crtc_destroy(priv->crtc); +disable_pm: + pm_runtime_disable(dev); + clk_put(priv->clk); +free_wq: + destroy_workqueue(priv->wq); +put_drm: platform_set_drvdata(pdev, NULL); + ddev->dev_private = NULL; + drm_dev_put(ddev); return ret; } diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.h b/drivers/gpu/drm/tilcdc/tilcdc_drv.h index b818448c83f61..58b276f82a669 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_drv.h +++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.h @@ -82,7 +82,6 @@ struct tilcdc_drm_private { struct drm_encoder *external_encoder; struct drm_connector *external_connector; - bool is_registered; bool is_componentized; bool irq_enabled; }; @@ -164,6 +163,7 @@ void tilcdc_crtc_set_panel_info(struct drm_crtc *crtc, void tilcdc_crtc_set_simulate_vesa_sync(struct drm_crtc *crtc, bool simulate_vesa_sync); void tilcdc_crtc_shutdown(struct drm_crtc *crtc); +void tilcdc_crtc_destroy(struct drm_crtc *crtc); int tilcdc_crtc_update_fb(struct drm_crtc *crtc, struct drm_framebuffer *fb, struct drm_pending_vblank_event *event); -- 2.43.0

1 day, 9 hours

3
3
0 0

FAILED: patch "[PATCH] usb: gadget: udc: fix use-after-free in usb_gadget_state_work" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x baeb66fbd4201d1c4325074e78b1f557dff89b5b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025120129-earthlike-curse-b3f8@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From baeb66fbd4201d1c4325074e78b1f557dff89b5b Mon Sep 17 00:00:00 2001 From: Jimmy Hu <hhhuuu(a)google.com> Date: Thu, 23 Oct 2025 05:49:45 +0000 Subject: [PATCH] usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget(). Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free. This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window. Fixes: 5702f75375aa9 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue") Cc: stable <stable(a)kernel.org> Signed-off-by: Jimmy Hu <hhhuuu(a)google.com> Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index 694653761c44..8dbe79bdc0f9 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -1126,8 +1126,13 @@ static void usb_gadget_state_work(struct work_struct *work) void usb_gadget_set_state(struct usb_gadget *gadget, enum usb_device_state state) { + unsigned long flags; + + spin_lock_irqsave(&gadget->state_lock, flags); gadget->state = state; - schedule_work(&gadget->work); + if (!gadget->teardown) + schedule_work(&gadget->work); + spin_unlock_irqrestore(&gadget->state_lock, flags); trace_usb_gadget_set_state(gadget, 0); } EXPORT_SYMBOL_GPL(usb_gadget_set_state); @@ -1361,6 +1366,8 @@ static void usb_udc_nop_release(struct device *dev) void usb_initialize_gadget(struct device *parent, struct usb_gadget *gadget, void (*release)(struct device *dev)) { + spin_lock_init(&gadget->state_lock); + gadget->teardown = false; INIT_WORK(&gadget->work, usb_gadget_state_work); gadget->dev.parent = parent; @@ -1535,6 +1542,7 @@ EXPORT_SYMBOL_GPL(usb_add_gadget_udc); void usb_del_gadget(struct usb_gadget *gadget) { struct usb_udc *udc = gadget->udc; + unsigned long flags; if (!udc) return; @@ -1548,6 +1556,13 @@ void usb_del_gadget(struct usb_gadget *gadget) kobject_uevent(&udc->dev.kobj, KOBJ_REMOVE); sysfs_remove_link(&udc->dev.kobj, "gadget"); device_del(&gadget->dev); + /* + * Set the teardown flag before flushing the work to prevent new work + * from being scheduled while we are cleaning up. + */ + spin_lock_irqsave(&gadget->state_lock, flags); + gadget->teardown = true; + spin_unlock_irqrestore(&gadget->state_lock, flags); flush_work(&gadget->work); ida_free(&gadget_id_numbers, gadget->id_number); cancel_work_sync(&udc->vbus_work); diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 3aaf19e77558..8285b19a25e0 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -376,6 +376,9 @@ struct usb_gadget_ops { * can handle. The UDC must support this and all slower speeds and lower * number of lanes. * @state: the state we are now (attached, suspended, configured, etc) + * @state_lock: Spinlock protecting the `state` and `teardown` members. + * @teardown: True if the device is undergoing teardown, used to prevent + * new work from being scheduled during cleanup. * @name: Identifies the controller hardware type. Used in diagnostics * and sometimes configuration. * @dev: Driver model state for this abstract device. @@ -451,6 +454,8 @@ struct usb_gadget { enum usb_ssp_rate max_ssp_rate; enum usb_device_state state; + spinlock_t state_lock; + bool teardown; const char *name; struct device dev; unsigned isoch_delay;

1 day, 10 hours

2
1
0 0

FAILED: patch "[PATCH] usb: gadget: udc: fix use-after-free in usb_gadget_state_work" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x baeb66fbd4201d1c4325074e78b1f557dff89b5b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025120123-borax-cut-5c52@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From baeb66fbd4201d1c4325074e78b1f557dff89b5b Mon Sep 17 00:00:00 2001 From: Jimmy Hu <hhhuuu(a)google.com> Date: Thu, 23 Oct 2025 05:49:45 +0000 Subject: [PATCH] usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget(). Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free. This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window. Fixes: 5702f75375aa9 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue") Cc: stable <stable(a)kernel.org> Signed-off-by: Jimmy Hu <hhhuuu(a)google.com> Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index 694653761c44..8dbe79bdc0f9 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -1126,8 +1126,13 @@ static void usb_gadget_state_work(struct work_struct *work) void usb_gadget_set_state(struct usb_gadget *gadget, enum usb_device_state state) { + unsigned long flags; + + spin_lock_irqsave(&gadget->state_lock, flags); gadget->state = state; - schedule_work(&gadget->work); + if (!gadget->teardown) + schedule_work(&gadget->work); + spin_unlock_irqrestore(&gadget->state_lock, flags); trace_usb_gadget_set_state(gadget, 0); } EXPORT_SYMBOL_GPL(usb_gadget_set_state); @@ -1361,6 +1366,8 @@ static void usb_udc_nop_release(struct device *dev) void usb_initialize_gadget(struct device *parent, struct usb_gadget *gadget, void (*release)(struct device *dev)) { + spin_lock_init(&gadget->state_lock); + gadget->teardown = false; INIT_WORK(&gadget->work, usb_gadget_state_work); gadget->dev.parent = parent; @@ -1535,6 +1542,7 @@ EXPORT_SYMBOL_GPL(usb_add_gadget_udc); void usb_del_gadget(struct usb_gadget *gadget) { struct usb_udc *udc = gadget->udc; + unsigned long flags; if (!udc) return; @@ -1548,6 +1556,13 @@ void usb_del_gadget(struct usb_gadget *gadget) kobject_uevent(&udc->dev.kobj, KOBJ_REMOVE); sysfs_remove_link(&udc->dev.kobj, "gadget"); device_del(&gadget->dev); + /* + * Set the teardown flag before flushing the work to prevent new work + * from being scheduled while we are cleaning up. + */ + spin_lock_irqsave(&gadget->state_lock, flags); + gadget->teardown = true; + spin_unlock_irqrestore(&gadget->state_lock, flags); flush_work(&gadget->work); ida_free(&gadget_id_numbers, gadget->id_number); cancel_work_sync(&udc->vbus_work); diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 3aaf19e77558..8285b19a25e0 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -376,6 +376,9 @@ struct usb_gadget_ops { * can handle. The UDC must support this and all slower speeds and lower * number of lanes. * @state: the state we are now (attached, suspended, configured, etc) + * @state_lock: Spinlock protecting the `state` and `teardown` members. + * @teardown: True if the device is undergoing teardown, used to prevent + * new work from being scheduled during cleanup. * @name: Identifies the controller hardware type. Used in diagnostics * and sometimes configuration. * @dev: Driver model state for this abstract device. @@ -451,6 +454,8 @@ struct usb_gadget { enum usb_ssp_rate max_ssp_rate; enum usb_device_state state; + spinlock_t state_lock; + bool teardown; const char *name; struct device dev; unsigned isoch_delay;

1 day, 10 hours

2
1
0 0

[net PATCH] wifi: ath11k: fix wrong usage of resource_size() causing firmware panic

by Christian Marangi

On converting to the of_reserved_mem_region_to_resource() helper with commit 900730dc4705 ("wifi: ath: Use of_reserved_mem_region_to_resource() for "memory-region"") a logic error was introduced in the ath11k_core_coldboot_cal_support() if condition. The original code checked for hremote_node presence and skipped ath11k_core_coldboot_cal_support() in the other switch case but now everything is driven entirely on the values of the resource struct. resource_size() (in this case) is wrongly assumed to return a size of zero if the passed resource struct is init to zero. This is not the case as a resource struct should be always init with correct values (or at best set the end value to -1 to signal it's not configured) (the return value of resource_size() for a resource struct with start and end set to zero is 1) On top of this, using resource_size() to check if a resource struct is initialized or not is generally wrong and other measure should be used instead. To better handle this, use the DEFINE_RES macro to initialize the resource struct and set the IORESOURCE_UNSET flag by default. Replace the resource_size() check with checking for the resource struct flags and check if it's IORESOURCE_UNSET. This change effectively restore the original logic and restore correct loading of the ath11k firmware (restoring correct functionality of Wi-Fi) Cc: stable(a)vger.kernel.org Fixes: 900730dc4705 ("wifi: ath: Use of_reserved_mem_region_to_resource() for "memory-region"") Link: https://lore.kernel.org/all/20251207215359.28895-1-ansuelsmth@gmail.com/T/#… Cc: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/net/wireless/ath/ath11k/qmi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c index ff6a97e328b8..afa663c00620 100644 --- a/drivers/net/wireless/ath/ath11k/qmi.c +++ b/drivers/net/wireless/ath/ath11k/qmi.c @@ -2039,8 +2039,8 @@ static int ath11k_qmi_alloc_target_mem_chunk(struct ath11k_base *ab) static int ath11k_qmi_assign_target_mem_chunk(struct ath11k_base *ab) { + struct resource res = DEFINE_RES(0, 0, IORESOURCE_UNSET); struct device *dev = ab->dev; - struct resource res = {}; u32 host_ddr_sz; int i, idx, ret; @@ -2086,7 +2086,7 @@ static int ath11k_qmi_assign_target_mem_chunk(struct ath11k_base *ab) } if (ath11k_core_coldboot_cal_support(ab)) { - if (resource_size(&res)) { + if (res.flags != IORESOURCE_UNSET) { ab->qmi.target_mem[idx].paddr = res.start + host_ddr_sz; ab->qmi.target_mem[idx].iaddr = -- 2.51.0

1 day, 11 hours

1
0
0 0

[PATCH] ocfs2: Fix kernel BUG in ocfs2_write_block

by Prithvi Tambewagh

When the filesystem is being mounted, the kernel panics while the data regarding slot map allocation to the local node, is being written to the disk. This occurs because the value of slot map buffer head block number, which should have been greater than or equal to `OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2) is less than it, indicative of disk metadata corruption. This triggers BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(), causing the kernel to panic. This is fixed by introducing an if condition block in ocfs2_update_disk_slot(), right before calling ocfs2_write_block(), which checks if `bh->b_blocknr` is lesser than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then ocfs2_error is called, which prints the error log, for debugging purposes, and the return value of ocfs2_error() is returned back to caller of ocfs2_update_disk_slot() i.e. ocfs2_find_slot(). If the return value is zero. then error code EIO is returned. Reported-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0 Tested-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- fs/ocfs2/slot_map.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..788924fc3663 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -193,6 +193,16 @@ static int ocfs2_update_disk_slot(struct ocfs2_super *osb, else ocfs2_update_disk_slot_old(si, slot_num, &bh); spin_unlock(&osb->osb_lock); + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + status = ocfs2_error(osb->sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >= %d", + le16_to_cpu(bh->b_blocknr), + le16_to_cpu((int)OCFS2_SUPER_BLOCK_BLKNO)); + if (!status) + return -EIO; + return status; + } status = ocfs2_write_block(osb, bh, INODE_CACHE(si->si_inode)); if (status < 0) base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 -- 2.43.0

1 day, 12 hours

2
1
0 0

[PATCH] KEYS: trusted: Fix overwrite of keyhandle parameter

by Jarkko Sakkinen

tpm2_key_decode() overrides the explicit keyhandle parameter, which can lead to problems, if the loaded parent handle does not match the handle stored to the key file. This can easily happen as handle by definition is an ambiguous attribute. Cc: stable(a)vger.kernel.org # v5.13+ Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- security/keys/trusted-keys/trusted_tpm2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index fb76c4ea496f..950684e54c71 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -121,7 +121,9 @@ static int tpm2_key_decode(struct trusted_key_payload *payload, return -ENOMEM; *buf = blob; - options->keyhandle = ctx.parent; + + if (!options->keyhandle) + options->keyhandle = ctx.parent; memcpy(blob, ctx.priv, ctx.priv_len); blob += ctx.priv_len; -- 2.39.5

1 day, 12 hours

1
1
0 0

FAILED: patch "[PATCH] KVM: SVM: Don't skip unrelated instruction if INT3/INTO is" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 4da3768e1820cf15cced390242d8789aed34f54d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025120802-remedy-glimmer-fc9d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4da3768e1820cf15cced390242d8789aed34f54d Mon Sep 17 00:00:00 2001 From: Omar Sandoval <osandov(a)fb.com> Date: Tue, 4 Nov 2025 09:55:26 -0800 Subject: [PATCH] KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction"), failure to verify that the correct INTn instruction was decoded can effectively clobber guest state due to decoding the wrong instruction and thus specifying the wrong next RIP. The bug most often manifests as "Oops: int3" panics on static branch checks in Linux guests. Enabling or disabling a static branch in Linux uses the kernel's "text poke" code patching mechanism. To modify code while other CPUs may be executing that code, Linux (temporarily) replaces the first byte of the original instruction with an int3 (opcode 0xcc), then patches in the new code stream except for the first byte, and finally replaces the int3 with the first byte of the new code stream. If a CPU hits the int3, i.e. executes the code while it's being modified, then the guest kernel must look up the RIP to determine how to handle the #BP, e.g. by emulating the new instruction. If the RIP is incorrect, then this lookup fails and the guest kernel panics. The bug reproduces almost instantly by hacking the guest kernel to repeatedly check a static branch[1] while running a drgn script[2] on the host to constantly swap out the memory containing the guest's TSS. [1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a [2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b Fixes: 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction") Cc: stable(a)vger.kernel.org Co-developed-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Omar Sandoval <osandov(a)fb.com> Link: https://patch.msgid.link/1cc6dcdf36e3add7ee7c8d90ad58414eeb6c3d34.176227876… Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 48598d017d6f..974d64bf0a4d 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -2143,6 +2143,11 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu); * the gfn, i.e. retrying the instruction will hit a * !PRESENT fault, which results in a new shadow page * and sends KVM back to square one. + * + * EMULTYPE_SKIP_SOFT_INT - Set in combination with EMULTYPE_SKIP to only skip + * an instruction if it could generate a given software + * interrupt, which must be encoded via + * EMULTYPE_SET_SOFT_INT_VECTOR(). */ #define EMULTYPE_NO_DECODE (1 << 0) #define EMULTYPE_TRAP_UD (1 << 1) @@ -2153,6 +2158,10 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu); #define EMULTYPE_PF (1 << 6) #define EMULTYPE_COMPLETE_USER_EXIT (1 << 7) #define EMULTYPE_WRITE_PF_TO_SP (1 << 8) +#define EMULTYPE_SKIP_SOFT_INT (1 << 9) + +#define EMULTYPE_SET_SOFT_INT_VECTOR(v) ((u32)((v) & 0xff) << 16) +#define EMULTYPE_GET_SOFT_INT_VECTOR(e) (((e) >> 16) & 0xff) static inline bool kvm_can_emulate_event_vectoring(int emul_type) { diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 1ae7b3c5a7c5..459db8154929 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -272,6 +272,7 @@ static void svm_set_interrupt_shadow(struct kvm_vcpu *vcpu, int mask) } static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, + int emul_type, bool commit_side_effects) { struct vcpu_svm *svm = to_svm(vcpu); @@ -293,7 +294,7 @@ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, if (unlikely(!commit_side_effects)) old_rflags = svm->vmcb->save.rflags; - if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) + if (!kvm_emulate_instruction(vcpu, emul_type)) return 0; if (unlikely(!commit_side_effects)) @@ -311,11 +312,13 @@ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, static int svm_skip_emulated_instruction(struct kvm_vcpu *vcpu) { - return __svm_skip_emulated_instruction(vcpu, true); + return __svm_skip_emulated_instruction(vcpu, EMULTYPE_SKIP, true); } -static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu) +static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu, u8 vector) { + const int emul_type = EMULTYPE_SKIP | EMULTYPE_SKIP_SOFT_INT | + EMULTYPE_SET_SOFT_INT_VECTOR(vector); unsigned long rip, old_rip = kvm_rip_read(vcpu); struct vcpu_svm *svm = to_svm(vcpu); @@ -331,7 +334,7 @@ static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu) * in use, the skip must not commit any side effects such as clearing * the interrupt shadow or RFLAGS.RF. */ - if (!__svm_skip_emulated_instruction(vcpu, !nrips)) + if (!__svm_skip_emulated_instruction(vcpu, emul_type, !nrips)) return -EIO; rip = kvm_rip_read(vcpu); @@ -367,7 +370,7 @@ static void svm_inject_exception(struct kvm_vcpu *vcpu) kvm_deliver_exception_payload(vcpu, ex); if (kvm_exception_is_soft(ex->vector) && - svm_update_soft_interrupt_rip(vcpu)) + svm_update_soft_interrupt_rip(vcpu, ex->vector)) return; svm->vmcb->control.event_inj = ex->vector @@ -3642,11 +3645,12 @@ static bool svm_set_vnmi_pending(struct kvm_vcpu *vcpu) static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected) { + struct kvm_queued_interrupt *intr = &vcpu->arch.interrupt; struct vcpu_svm *svm = to_svm(vcpu); u32 type; - if (vcpu->arch.interrupt.soft) { - if (svm_update_soft_interrupt_rip(vcpu)) + if (intr->soft) { + if (svm_update_soft_interrupt_rip(vcpu, intr->nr)) return; type = SVM_EVTINJ_TYPE_SOFT; @@ -3654,12 +3658,10 @@ static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected) type = SVM_EVTINJ_TYPE_INTR; } - trace_kvm_inj_virq(vcpu->arch.interrupt.nr, - vcpu->arch.interrupt.soft, reinjected); + trace_kvm_inj_virq(intr->nr, intr->soft, reinjected); ++vcpu->stat.irq_injections; - svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr | - SVM_EVTINJ_VALID | type; + svm->vmcb->control.event_inj = intr->nr | SVM_EVTINJ_VALID | type; } void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 42ecd093bb4c..8e14c0292809 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -9338,6 +9338,23 @@ static bool is_vmware_backdoor_opcode(struct x86_emulate_ctxt *ctxt) return false; } +static bool is_soft_int_instruction(struct x86_emulate_ctxt *ctxt, + int emulation_type) +{ + u8 vector = EMULTYPE_GET_SOFT_INT_VECTOR(emulation_type); + + switch (ctxt->b) { + case 0xcc: + return vector == BP_VECTOR; + case 0xcd: + return vector == ctxt->src.val; + case 0xce: + return vector == OF_VECTOR; + default: + return false; + } +} + /* * Decode an instruction for emulation. The caller is responsible for handling * code breakpoints. Note, manually detecting code breakpoints is unnecessary @@ -9448,6 +9465,10 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, * injecting single-step #DBs. */ if (emulation_type & EMULTYPE_SKIP) { + if (emulation_type & EMULTYPE_SKIP_SOFT_INT && + !is_soft_int_instruction(ctxt, emulation_type)) + return 0; + if (ctxt->mode != X86EMUL_MODE_PROT64) ctxt->eip = (u32)ctxt->_eip; else

1 day, 12 hours

3
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror