- Linux-stable-mirror - lists.linaro.org

[PATCH] wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan

by Mingyen Hsieh

From: Michael Lo <michael.lo(a)mediatek.com> Update the destination index to use 'n_ssids', which is incremented only when a valid SSID is present. Previously, both mt76_connac_mcu_hw_scan() and mt7925_mcu_hw_scan() used the loop index 'i' for the destination array, potentially leaving gaps if any source SSIDs had zero length. Cc: stable(a)vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Michael Lo <michael.lo(a)mediatek.com> Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++-- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c index db85a9d984c5..660c8df89910 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c @@ -1740,8 +1740,8 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, if (!sreq->ssids[i].ssid_len) continue; - req->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); - memcpy(req->ssids[i].ssid, sreq->ssids[i].ssid, + req->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); + memcpy(req->ssids[n_ssids].ssid, sreq->ssids[i].ssid, sreq->ssids[i].ssid_len); n_ssids++; } diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index 2bd506a4208c..66bac3047b2b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -3178,8 +3178,8 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, if (i > MT7925_RNR_SCAN_MAX_BSSIDS) break; - ssid->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); - memcpy(ssid->ssids[i].ssid, sreq->ssids[i].ssid, + ssid->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); + memcpy(ssid->ssids[n_ssids].ssid, sreq->ssids[i].ssid, sreq->ssids[i].ssid_len); n_ssids++; } -- 2.34.1

3 weeks, 4 days

1
0
0 0

[PATCH] wifi: mt76: mt7925: fix the wrong config for tx interrupt

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> MT_INT_TX_DONE_MCU_WM may cause tx interrupt to be mishandled during a reset failure, leading to the reset process failing. By using MT_INT_TX_DONE_MCU instead of MT_INT_TX_DONE_MCU_WM, the handling of tx interrupt is improved. Cc: stable(a)vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h index 547489092c29..341987e47f67 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h +++ b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h @@ -58,7 +58,7 @@ #define MT_INT_TX_DONE_MCU (MT_INT_TX_DONE_MCU_WM | \ MT_INT_TX_DONE_FWDL) -#define MT_INT_TX_DONE_ALL (MT_INT_TX_DONE_MCU_WM | \ +#define MT_INT_TX_DONE_ALL (MT_INT_TX_DONE_MCU | \ MT_INT_TX_DONE_BAND0 | \ GENMASK(18, 4)) -- 2.34.1

3 weeks, 4 days

1
0
0 0

[merged mm-hotfixes-stable] drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite has been removed from the -mm tree. Its filename was drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite Date: Sat Jun 7 05:43:18 PM PDT 2025 In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace. Reported-by: maher azz <maherazz04(a)gmail.com> Cc: Matt Porter <mporter(a)kernel.crashing.org> Cc: Alexandre Bounine <alex.bou9(a)gmail.com> Cc: Linus Torvalds <torvalds(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/rapidio/rio_cm.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/rapidio/rio_cm.c~drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized +++ a/drivers/rapidio/rio_cm.c @@ -783,6 +783,9 @@ static int riocm_ch_send(u16 ch_id, void if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) return -EINVAL; + if (len < sizeof(struct rio_ch_chan_hdr)) + return -EINVAL; /* insufficient data from user */ + ch = riocm_get_channel(ch_id); if (!ch) { riocm_error("%s(%d) ch_%d not found", current->comm, _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems-fix.patch

3 weeks, 4 days

1
0
0 0

[merged mm-hotfixes-stable] mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: close theoretical race where stale TLB entries could linger has been removed from the -mm tree. Its filename was mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryan Roberts <ryan.roberts(a)arm.com> Subject: mm: close theoretical race where stale TLB entries could linger Date: Fri, 6 Jun 2025 10:28:07 +0100 Commit 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") described a theoretical race as such: """ Nadav Amit identified a theoretical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows: CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE and also exists for operations that can leave an old TLB entry behind such as munmap, mremap and madvise. """ The solution was to introduce flush_tlb_batched_pending() and call it under the PTL from mprotect/madvise/munmap/mremap to complete any pending tlb flushes. However, while madvise_free_pte_range() and madvise_cold_or_pageout_pte_range() were both retro-fitted to call flush_tlb_batched_pending() immediately after initially acquiring the PTL, they both temporarily release the PTL to split a large folio if they stumble upon one. In this case, where re-acquiring the PTL flush_tlb_batched_pending() must be called again, but it previously was not. Let's fix that. There are 2 Fixes: tags here: the first is the commit that fixed madvise_free_pte_range(). The second is the commit that added madvise_cold_or_pageout_pte_range(), which looks like it copy/pasted the faulty pattern from madvise_free_pte_range(). This is a theoretical bug discovered during code review. Link: https://lkml.kernel.org/r/20250606092809.4194056-1-ryan.roberts@arm.com Fixes: 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") Fixes: 9c276cc65a58 ("mm: introduce MADV_COLD") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Jann Horn <jannh(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mel Gorman <mgorman <mgorman(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/madvise.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/madvise.c~mm-close-theoretical-race-where-stale-tlb-entries-could-linger +++ a/mm/madvise.c @@ -508,6 +508,7 @@ restart: pte_offset_map_lock(mm, pmd, addr, &ptl); if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; @@ -741,6 +742,7 @@ static int madvise_free_pte_range(pmd_t start_pte = pte; if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; _ Patches currently in -mm which might be from ryan.roberts(a)arm.com are mm-readahead-honour-new_order-in-page_cache_ra_order.patch mm-readahead-terminate-async-readahead-on-natural-boundary.patch mm-readahead-make-space-in-struct-file_ra_state.patch mm-readahead-store-folio-order-in-struct-file_ra_state.patch mm-filemap-allow-arch-to-request-folio-size-for-exec-memory.patch mm-remove-arch_flush_tlb_batched_pending-arch-helper.patch

3 weeks, 4 days

1
0
0 0

[merged mm-hotfixes-stable] mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure has been removed from the -mm tree. Its filename was mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure Date: Fri, 6 Jun 2025 13:50:32 +0100 While an OOM failure in commit_merge() isn't really feasible due to the allocation which might fail (a maple tree pre-allocation) being 'too small to fail', we do need to handle this case correctly regardless. In vma_merge_existing_range(), we can theoretically encounter failures which result in an OOM error in two ways - firstly dup_anon_vma() might fail with an OOM error, and secondly commit_merge() failing, ultimately, to pre-allocate a maple tree node. The abort logic for dup_anon_vma() resets the VMA iterator to the initial range, ensuring that any logic looping on this iterator will correctly proceed to the next VMA. However the commit_merge() abort logic does not do the same thing. This resulted in a syzbot report occurring because mlockall() iterates through VMAs, is tolerant of errors, but ended up with an incorrect previous VMA being specified due to incorrect iterator state. While making this change, it became apparent we are duplicating logic - the logic introduced in commit 41e6ddcaa0f1 ("mm/vma: add give_up_on_oom option on modify/merge, use in uffd release") duplicates the vmg->give_up_on_oom check in both abort branches. Additionally, we observe that we can perform the anon_dup check safely on dup_anon_vma() failure, as this will not be modified should this call fail. Finally, we need to reset the iterator in both cases, so now we can simply use the exact same code to abort for both. We remove the VM_WARN_ON(err != -ENOMEM) as it would be silly for this to be otherwise and it allows us to implement the abort check more neatly. Link: https://lkml.kernel.org/r/20250606125032.164249-1-lorenzo.stoakes@oracle.com Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: syzbot+d16409ea9ecc16ed261a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/6842cc67.a00a0220.29ac89.003b.GAE@google.c… Reviewed-by: Pedro Falcato <pfalcato(a)suse.de> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) --- a/mm/vma.c~mm-vma-reset-vma-iterator-on-commit_merge-oom-failure +++ a/mm/vma.c @@ -967,26 +967,9 @@ static __must_check struct vm_area_struc err = dup_anon_vma(next, middle, &anon_dup); } - if (err) + if (err || commit_merge(vmg)) goto abort; - err = commit_merge(vmg); - if (err) { - VM_WARN_ON(err != -ENOMEM); - - if (anon_dup) - unlink_anon_vmas(anon_dup); - - /* - * We've cleaned up any cloned anon_vma's, no VMAs have been - * modified, no harm no foul if the user requests that we not - * report this and just give up, leaving the VMAs unmerged. - */ - if (!vmg->give_up_on_oom) - vmg->state = VMA_MERGE_ERROR_NOMEM; - return NULL; - } - khugepaged_enter_vma(vmg->target, vmg->flags); vmg->state = VMA_MERGE_SUCCESS; return vmg->target; @@ -995,6 +978,9 @@ abort: vma_iter_set(vmg->vmi, start); vma_iter_load(vmg->vmi); + if (anon_dup) + unlink_anon_vmas(anon_dup); + /* * This means we have failed to clone anon_vma's correctly, but no * actual changes to VMAs have occurred, so no harm no foul - if the _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems.patch mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems-fix-2.patch docs-mm-expand-vma-doc-to-highlight-pte-freeing-non-vma-traversal.patch mm-ksm-have-ksm-vma-checks-not-require-a-vma-pointer.patch mm-ksm-refer-to-special-vmas-via-vm_special-in-ksm_compatible.patch mm-prevent-ksm-from-breaking-vma-merging-for-new-vmas.patch tools-testing-selftests-add-vma-merge-tests-for-ksm-merge.patch mm-pagewalk-split-walk_page_range_novma-into-kernel-user-parts.patch mm-mremap-introduce-more-mergeable-mremap-via-mremap_relocate_anon.patch mm-mremap-add-mremap_must_relocate_anon.patch mm-mremap-add-mremap_relocate_anon-support-for-large-folios.patch tools-uapi-update-copy-of-linux-mmanh-from-the-kernel-sources.patch tools-testing-selftests-add-sys_mremap-helper-to-vm_utilh.patch tools-testing-selftests-add-mremap-cases-that-merge-normally.patch tools-testing-selftests-add-mremap_relocate_anon-merge-test-cases.patch tools-testing-selftests-expand-mremap-tests-for-mremap_relocate_anon.patch tools-testing-selftests-have-cow-self-test-use-mremap_relocate_anon.patch tools-testing-selftests-test-relocate-anon-in-split-huge-page-test.patch tools-testing-selftests-add-mremap_relocate_anon-fork-tests.patch

3 weeks, 4 days

1
0
0 0

[PATCH v6] clk: qcom: dispcc-sm8750: Fix setting rate byte and pixel clocks

by Krzysztof Kozlowski

On SM8750 the setting rate of pixel and byte clocks, while the parent DSI PHY PLL, fails with: disp_cc_mdss_byte0_clk_src: rcg didn't update its configuration. DSI PHY PLL has to be unprepared and its "PLL Power Down" bits in CMN_CTRL_0 asserted. Mark these clocks with CLK_OPS_PARENT_ENABLE to ensure the parent is enabled during rate changes. Cc: <stable(a)vger.kernel.org> Fixes: f1080d8dab0f ("clk: qcom: dispcc-sm8750: Add SM8750 Display clock controller") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Changes in v6: 1. Add CLK_OPS_PARENT_ENABLE also to pclk1, pclk2 and byte1. 2. Add Fixes tag and cc-stable Previously part of v5 (thus b4 diff might not work nice here): https://lore.kernel.org/r/20250430-b4-sm8750-display-v5-6-8cab30c3e4df@lina… Changes in v5: 1. New patch in above patchset. Cc: Abhinav Kumar <quic_abhinavk(a)quicinc.com> Cc: Dmitry Baryshkov <lumag(a)kernel.org> --- drivers/clk/qcom/dispcc-sm8750.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/clk/qcom/dispcc-sm8750.c b/drivers/clk/qcom/dispcc-sm8750.c index 877b40d50e6f..ca09da111a50 100644 --- a/drivers/clk/qcom/dispcc-sm8750.c +++ b/drivers/clk/qcom/dispcc-sm8750.c @@ -393,7 +393,7 @@ static struct clk_rcg2 disp_cc_mdss_byte0_clk_src = { .name = "disp_cc_mdss_byte0_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_byte2_ops, }, }; @@ -408,7 +408,7 @@ static struct clk_rcg2 disp_cc_mdss_byte1_clk_src = { .name = "disp_cc_mdss_byte1_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_byte2_ops, }, }; @@ -712,7 +712,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk0_clk_src = { .name = "disp_cc_mdss_pclk0_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_pixel_ops, }, }; @@ -727,7 +727,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk1_clk_src = { .name = "disp_cc_mdss_pclk1_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_pixel_ops, }, }; @@ -742,7 +742,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk2_clk_src = { .name = "disp_cc_mdss_pclk2_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_pixel_ops, }, }; -- 2.45.2

3 weeks, 4 days

4
3
0 0

[PATCH] clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src

by Christian Marangi

With the conversion done by commit e88f03230dc0 ("clk: qcom: gcc-ipq8074: rework nss_port5/6 clock to multiple conf") a Copy-Paste error was made for the nss_port6_tx_clk_src frequency table. This was caused by the wrong setting of the parent in ftbl_nss_port6_tx_clk_src that was wrongly set to P_UNIPHY1_RX instead of P_UNIPHY2_TX. This cause the UNIPHY2 port to malfunction when it needs to be scaled to higher clock. The malfunction was observed with the example scenario with an Aquantia 10G PHY connected and a speed higher than 1G (example 2.5G) Fix the broken frequency table to restore original functionality. Cc: stable(a)vger.kernel.org Fixes: e88f03230dc0 ("clk: qcom: gcc-ipq8074: rework nss_port5/6 clock to multiple conf") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/clk/qcom/gcc-ipq8074.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c index 7258ba5c0900..1329ea28d703 100644 --- a/drivers/clk/qcom/gcc-ipq8074.c +++ b/drivers/clk/qcom/gcc-ipq8074.c @@ -1895,10 +1895,10 @@ static const struct freq_conf ftbl_nss_port6_tx_clk_src_125[] = { static const struct freq_multi_tbl ftbl_nss_port6_tx_clk_src[] = { FMS(19200000, P_XO, 1, 0, 0), FM(25000000, ftbl_nss_port6_tx_clk_src_25), - FMS(78125000, P_UNIPHY1_RX, 4, 0, 0), + FMS(78125000, P_UNIPHY2_TX, 4, 0, 0), FM(125000000, ftbl_nss_port6_tx_clk_src_125), - FMS(156250000, P_UNIPHY1_RX, 2, 0, 0), - FMS(312500000, P_UNIPHY1_RX, 1, 0, 0), + FMS(156250000, P_UNIPHY2_TX, 2, 0, 0), + FMS(312500000, P_UNIPHY2_TX, 1, 0, 0), { } }; -- 2.48.1

3 weeks, 4 days

3
2
0 0

[PATCH RESEND 5.10.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v5.10.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

3 weeks, 4 days

2
8
0 0

[PATCH 6.1.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v6.1.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

3 weeks, 4 days

2
8
0 0

[PATCH 5.15.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v5.15.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

3 weeks, 4 days

2
8
0 0

[PATCH 5.4.y] NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes

by Larry Bassel

From: Chuck Lever <chuck.lever(a)oracle.com> [ Upstream commit a648fdeb7c0e17177a2280344d015dba3fbe3314 ] iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE procedure to return NFS3ERR_FBIG. We believe that NFSv3 reference implementations also return NFS3ERR_FBIG when ia_size is too large. Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> (cherry picked from commit a648fdeb7c0e17177a2280344d015dba3fbe3314) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9cde9360d18d NFSD: Update the SETATTR3args decoder to use struct xdr_stream] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- fs/nfsd/nfs3xdr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c index 03e8c45a52f3..25b6b4db0af2 100644 --- a/fs/nfsd/nfs3xdr.c +++ b/fs/nfsd/nfs3xdr.c @@ -122,7 +122,7 @@ decode_sattr3(__be32 *p, struct iattr *iap, struct user_namespace *userns) iap->ia_valid |= ATTR_SIZE; p = xdr_decode_hyper(p, &newsize); - iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX); + iap->ia_size = newsize; } if ((tmp = ntohl(*p++)) == 1) { /* set to server time */ iap->ia_valid |= ATTR_ATIME; -- 2.46.0

3 weeks, 4 days

2
1
0 0

[PATCH 6.6.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v6.6.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

3 weeks, 4 days

2
8
0 0

[PATCH 5.4.y] NFSD: Fix ia_size underflow

by Larry Bassel

From: Chuck Lever <chuck.lever(a)oracle.com> [ Upstream commit e6faac3f58c7c4176b66f63def17a34232a17b0e ] iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr(). Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> (cherry picked from commit e6faac3f58c7c4176b66f63def17a34232a17b0e) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 2f221d6f7b88 attr: handle idmapped mounts] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- fs/nfsd/vfs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 6aa968bee0ce..bee4fdf6e239 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -448,6 +448,10 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, .ia_size = iap->ia_size, }; + host_err = -EFBIG; + if (iap->ia_size < 0) + goto out_unlock; + host_err = notify_change(dentry, &size_attr, NULL); if (host_err) goto out_unlock; -- 2.46.0

3 weeks, 4 days

2
1
0 0

[PATCH v3 4/5] scsi: fnic: Turn off FDMI ACTIVE flags on link down

by Karan Tilak Kumar

When the link goes down and comes up, FDMI requests are not sent out anymore. Fix bug by turning off FNIC_FDMI_ACTIVE when the link goes down. Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI") Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Reviewed-by: Arun Easi <aeasi(a)cisco.com> Tested-by: Karan Tilak Kumar <kartilak(a)cisco.com> Cc: <stable(a)vger.kernel.org> # 6.14.x Please see patch description Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- drivers/scsi/fnic/fdls_disc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/fnic/fdls_disc.c b/drivers/scsi/fnic/fdls_disc.c index 9e9939d41fa8..14691db4d5f9 100644 --- a/drivers/scsi/fnic/fdls_disc.c +++ b/drivers/scsi/fnic/fdls_disc.c @@ -5078,9 +5078,12 @@ void fnic_fdls_link_down(struct fnic_iport_s *iport) fdls_delete_tport(iport, tport); } - if ((fnic_fdmi_support == 1) && (iport->fabric.fdmi_pending > 0)) { - timer_delete_sync(&iport->fabric.fdmi_timer); - iport->fabric.fdmi_pending = 0; + if (fnic_fdmi_support == 1) { + if (iport->fabric.fdmi_pending > 0) { + timer_delete_sync(&iport->fabric.fdmi_timer); + iport->fabric.fdmi_pending = 0; + } + iport->flags &= ~FNIC_FDMI_ACTIVE; } FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, -- 2.47.1

3 weeks, 4 days

1
0
0 0

[PATCH net v3 1/2] net: clear the dst when changing skb protocol

by Jakub Kicinski

A not-so-careful NAT46 BPF program can crash the kernel if it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000 ip6_rcv_core (net/ipv6/ip6_input.c:190:20) ipv6_rcv (net/ipv6/ip6_input.c:306:8) process_backlog (net/core/dev.c:6186:4) napi_poll (net/core/dev.c:6906:9) net_rx_action (net/core/dev.c:7028:13) do_softirq (kernel/softirq.c:462:3) netif_rx (net/core/dev.c:5326:3) dev_loopback_xmit (net/core/dev.c:4015:2) ip_mc_finish_output (net/ipv4/ip_output.c:363:8) NF_HOOK (./include/linux/netfilter.h:314:9) ip_mc_output (net/ipv4/ip_output.c:400:5) dst_output (./include/net/dst.h:459:9) ip_local_out (net/ipv4/ip_output.c:130:9) ip_send_skb (net/ipv4/ip_output.c:1496:8) udp_send_skb (net/ipv4/udp.c:1040:8) udp_sendmsg (net/ipv4/udp.c:1328:10) The output interface has a 4->6 program attached at ingress. We try to loop the multicast skb back to the sending socket. Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr and changes skb->protocol to v6. We enter ip6_rcv_core which tries to use skb_dst(). But the dst is still an IPv4 one left after IPv4 mcast output. Clear the dst in all BPF helpers which change the protocol. Try to preserve metadata dsts, those may carry non-routing metadata. Cc: stable(a)vger.kernel.org Reviewed-by: Maciej Żenczykowski <maze(a)google.com> Acked-by: Daniel Borkmann <daniel(a)iogearbox.net> Fixes: d219df60a70e ("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()") Fixes: 1b00e0dfe7d0 ("bpf: update skb->protocol in bpf_skb_net_grow") Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> --- v3: - go back to v1, the encap / decap which don't change proto will be added in -next - split out the test v2: https://lore.kernel.org/20250607204734.1588964-1-kuba@kernel.org - drop on encap/decap - fix typo (protcol) - add the test to the Makefile v1: https://lore.kernel.org/20250604210604.257036-1-kuba@kernel.org I wonder if we should not skip ingress (tc_skip_classify?) for looped back packets in the first place. But that doesn't seem robust enough vs multiple redirections to solve the crash. Ignoring LOOPBACK packets (like the NAT46 prog should) doesn't work either, since BPF can change pkt_type arbitrarily. CC: martin.lau(a)linux.dev CC: daniel(a)iogearbox.net CC: john.fastabend(a)gmail.com CC: eddyz87(a)gmail.com CC: sdf(a)fomichev.me CC: haoluo(a)google.com CC: willemb(a)google.com CC: william.xuanziyang(a)huawei.com CC: alan.maguire(a)oracle.com CC: bpf(a)vger.kernel.org CC: edumazet(a)google.com CC: maze(a)google.com CC: shuah(a)kernel.org CC: linux-kselftest(a)vger.kernel.org CC: yonghong.song(a)linux.dev --- net/core/filter.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 327ca73f9cd7..7a72f766aacf 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -3233,6 +3233,13 @@ static const struct bpf_func_proto bpf_skb_vlan_pop_proto = { .arg1_type = ARG_PTR_TO_CTX, }; +static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto) +{ + skb->protocol = htons(proto); + if (skb_valid_dst(skb)) + skb_dst_drop(skb); +} + static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len) { /* Caller already did skb_cow() with len as headroom, @@ -3329,7 +3336,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb) } } - skb->protocol = htons(ETH_P_IPV6); + bpf_skb_change_protocol(skb, ETH_P_IPV6); skb_clear_hash(skb); return 0; @@ -3359,7 +3366,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb) } } - skb->protocol = htons(ETH_P_IP); + bpf_skb_change_protocol(skb, ETH_P_IP); skb_clear_hash(skb); return 0; @@ -3550,10 +3557,10 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 off, u32 len_diff, /* Match skb->protocol to new outer l3 protocol */ if (skb->protocol == htons(ETH_P_IP) && flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6) - skb->protocol = htons(ETH_P_IPV6); + bpf_skb_change_protocol(skb, ETH_P_IPV6); else if (skb->protocol == htons(ETH_P_IPV6) && flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV4) - skb->protocol = htons(ETH_P_IP); + bpf_skb_change_protocol(skb, ETH_P_IP); } if (skb_is_gso(skb)) { @@ -3606,10 +3613,10 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 off, u32 len_diff, /* Match skb->protocol to new outer l3 protocol */ if (skb->protocol == htons(ETH_P_IP) && flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV6) - skb->protocol = htons(ETH_P_IPV6); + bpf_skb_change_protocol(skb, ETH_P_IPV6); else if (skb->protocol == htons(ETH_P_IPV6) && flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV4) - skb->protocol = htons(ETH_P_IP); + bpf_skb_change_protocol(skb, ETH_P_IP); if (skb_is_gso(skb)) { struct skb_shared_info *shinfo = skb_shinfo(skb); -- 2.49.0

3 weeks, 4 days

3
2
0 0

[PATCH v2 1/5] scsi: fnic: Set appropriate logging level for log message

by Karan Tilak Kumar

Replace KERN_INFO with KERN_DEBUG for a log message. Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Reviewed-by: Arun Easi <aeasi(a)cisco.com> Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- drivers/scsi/fnic/fnic_scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c index 7133b254cbe4..75b29a018d1f 100644 --- a/drivers/scsi/fnic/fnic_scsi.c +++ b/drivers/scsi/fnic/fnic_scsi.c @@ -1046,7 +1046,7 @@ static void fnic_fcpio_icmnd_cmpl_handler(struct fnic *fnic, unsigned int cq_ind if (icmnd_cmpl->scsi_status == SAM_STAT_TASK_SET_FULL) atomic64_inc(&fnic_stats->misc_stats.queue_fulls); - FNIC_SCSI_DBG(KERN_INFO, fnic->host, fnic->fnic_num, + FNIC_SCSI_DBG(KERN_DEBUG, fnic->host, fnic->fnic_num, "xfer_len: %llu", xfer_len); break; -- 2.47.1

3 weeks, 5 days

2
5
0 0

[PATCH v4] mm: userfaultfd: fix race of userfaultfd_move and swap cache

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> On seeing a swap entry PTE, userfaultfd_move does a lockless swap cache lookup, and tries to move the found folio to the faulting vma. Currently, it relies on checking the PTE value to ensure that the moved folio still belongs to the src swap entry and that no new folio has been added to the swap cache, which turns out to be unreliable. While working and reviewing the swap table series with Barry, following existing races are observed and reproduced [1]: In the example below, move_pages_pte is moving src_pte to dst_pte, where src_pte is a swap entry PTE holding swap entry S1, and S1 is not in the swap cache: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1 ... < interrupted> ... <swapin src_pte, alloc and use folio A> // folio A is a new allocated folio // and get installed into src_pte <frees swap entry S1> // src_pte now points to folio A, S1 // has swap count == 0, it can be freed // by folio_swap_swap or swap // allocator's reclaim. <try to swap out another folio B> // folio B is a folio in another VMA. <put folio B to swap cache using S1 > // S1 is freed, folio B can use it // for swap out with no problem. ... folio = filemap_get_folio(S1) // Got folio B here !!! ... < interrupted again> ... <swapin folio B and free S1> // Now S1 is free to be used again. <swapout src_pte & folio A using S1> // Now src_pte is a swap entry PTE // holding S1 again. folio_trylock(folio) move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // Moved invalid folio B here !!! The race window is very short and requires multiple collisions of multiple rare events, so it's very unlikely to happen, but with a deliberately constructed reproducer and increased time window, it can be reproduced easily. This can be fixed by checking if the folio returned by filemap is the valid swap cache folio after acquiring the folio lock. Another similar race is possible: filemap_get_folio may return NULL, but folio (A) could be swapped in and then swapped out again using the same swap entry after the lookup. In such a case, folio (A) may remain in the swap cache, so it must be moved too: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1, and S1 is not in swap cache folio = filemap_get_folio(S1) // Got NULL ... < interrupted again> ... <swapin folio A and free S1> <swapout folio A re-using S1> move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // folio A is ignored !!! Fix this by checking the swap cache again after acquiring the src_pte lock. And to avoid the filemap overhead, we check swap_map directly [2]. The SWP_SYNCHRONOUS_IO path does make the problem more complex, but so far we don't need to worry about that, since folios can only be exposed to the swap cache in the swap out path, and this is covered in this patch by checking the swap cache again after acquiring the src_pte lock. Testing with a simple C program that allocates and moves several GB of memory did not show any observable performance change. Cc: <stable(a)vger.kernel.org> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Closes: https://lore.kernel.org/linux-mm/CAMgjq7B1K=6OOrK2OUZ0-tqCzi+EJt+2_K97TPGoS… [1] Link: https://lore.kernel.org/all/CAGsJ_4yJhJBo16XhiC-nUzSheyX-V3-nFE+tAi=8Y560K8… [2] Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Lokesh Gidra <lokeshgidra(a)google.com> --- V1: https://lore.kernel.org/linux-mm/20250530201710.81365-1-ryncsn@gmail.com/ Changes: - Check swap_map instead of doing a filemap lookup after acquiring the PTE lock to minimize critical section overhead [ Barry Song, Lokesh Gidra ] V2: https://lore.kernel.org/linux-mm/20250601200108.23186-1-ryncsn@gmail.com/ Changes: - Move the folio and swap check inside move_swap_pte to avoid skipping the check and potential overhead [ Lokesh Gidra ] - Add a READ_ONCE for the swap_map read to ensure it reads a up to dated value. V3: https://lore.kernel.org/all/20250602181419.20478-1-ryncsn@gmail.com/ Changes: - Add more comments and more context in commit message. mm/userfaultfd.c | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index bc473ad21202..8253978ee0fb 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1084,8 +1084,18 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, pte_t orig_dst_pte, pte_t orig_src_pte, pmd_t *dst_pmd, pmd_t dst_pmdval, spinlock_t *dst_ptl, spinlock_t *src_ptl, - struct folio *src_folio) + struct folio *src_folio, + struct swap_info_struct *si, swp_entry_t entry) { + /* + * Check if the folio still belongs to the target swap entry after + * acquiring the lock. Folio can be freed in the swap cache while + * not locked. + */ + if (src_folio && unlikely(!folio_test_swapcache(src_folio) || + entry.val != src_folio->swap.val)) + return -EAGAIN; + double_pt_lock(dst_ptl, src_ptl); if (!is_pte_pages_stable(dst_pte, src_pte, orig_dst_pte, orig_src_pte, @@ -1102,6 +1112,25 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, if (src_folio) { folio_move_anon_rmap(src_folio, dst_vma); src_folio->index = linear_page_index(dst_vma, dst_addr); + } else { + /* + * Check if the swap entry is cached after acquiring the src_pte + * lock. Otherwise, we might miss a newly loaded swap cache folio. + * + * Check swap_map directly to minimize overhead, READ_ONCE is sufficient. + * We are trying to catch newly added swap cache, the only possible case is + * when a folio is swapped in and out again staying in swap cache, using the + * same entry before the PTE check above. The PTL is acquired and released + * twice, each time after updating the swap_map's flag. So holding + * the PTL here ensures we see the updated value. False positive is possible, + * e.g. SWP_SYNCHRONOUS_IO swapin may set the flag without touching the + * cache, or during the tiny synchronization window between swap cache and + * swap_map, but it will be gone very quickly, worst result is retry jitters. + */ + if (READ_ONCE(si->swap_map[swp_offset(entry)]) & SWAP_HAS_CACHE) { + double_pt_unlock(dst_ptl, src_ptl); + return -EAGAIN; + } } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); @@ -1412,7 +1441,7 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, } err = move_swap_pte(mm, dst_vma, dst_addr, src_addr, dst_pte, src_pte, orig_dst_pte, orig_src_pte, dst_pmd, dst_pmdval, - dst_ptl, src_ptl, src_folio); + dst_ptl, src_ptl, src_folio, si, entry); } out: -- 2.49.0

3 weeks, 5 days

6
6
0 0

+ mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() has been added to the -mm mm-new branch. Its filename is mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() Date: Wed, 11 Jun 2025 14:06:52 +0200 Patch series "mm/huge_memory: vmf_insert_folio_*() and vmf_insert_pfn_pud() fixes", v2. While working on improving vm_normal_page() and friends, I stumbled over this issues: refcounted "normal" pages must not be marked using pmd_special() / pud_special(). Fortunately, so far there doesn't seem to be serious damage. This patch (of 3): We setup the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. Identified by code inspection. Link: https://lkml.kernel.org/r/20250611120654.545963-1-david@redhat.com Link: https://lkml.kernel.org/r/20250611120654.545963-2-david@redhat.com Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud +++ a/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_ pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct v add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; _ Patches currently in -mm which might be from david(a)redhat.com are mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch mm-gup-remove-vm_bug_ons.patch mm-gup-remove-vm_bug_ons-fix.patch mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch mm-huge_memory-dont-mark-refcounted-folios-special-in-vmf_insert_folio_pmd.patch mm-huge_memory-dont-mark-refcounted-folios-special-in-vmf_insert_folio_pud.patch

3 weeks, 5 days

1
0
0 0

[PATCH wireless v2] Revert "wifi: mwifiex: Fix HT40 bandwidth issue."

by Francesco Dolcini

From: Francesco Dolcini <francesco.dolcini(a)toradex.com> This reverts commit 4fcfcbe457349267fe048524078e8970807c1a5b. That commit introduces a regression, when HT40 mode is enabled, received packets are lost, this was experience with W8997 with both SDIO-UART and SDIO-SDIO variants. From an initial investigation the issue solves on its own after some time, but it's not clear what is the reason. Given that this was just a performance optimization, let's revert it till we have a better understanding of the issue and a proper fix. Cc: Jeff Chen <jeff.chen_1(a)nxp.com> Cc: stable(a)vger.kernel.org Fixes: 4fcfcbe45734 ("wifi: mwifiex: Fix HT40 bandwidth issue.") Closes: https://lore.kernel.org/all/20250603203337.GA109929@francesco-nb/ Signed-off-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> --- v2: fix reverted commit sha v1: https://lore.kernel.org/all/20250605100313.34014-1-francesco@dolcini.it/ --- drivers/net/wireless/marvell/mwifiex/11n.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c index 738bafc3749b..66f0f5377ac1 100644 --- a/drivers/net/wireless/marvell/mwifiex/11n.c +++ b/drivers/net/wireless/marvell/mwifiex/11n.c @@ -403,14 +403,12 @@ mwifiex_cmd_append_11n_tlv(struct mwifiex_private *priv, if (sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 && bss_desc->bcn_ht_oper->ht_param & - IEEE80211_HT_PARAM_CHAN_WIDTH_ANY) { - chan_list->chan_scan_param[0].radio_type |= - CHAN_BW_40MHZ << 2; + IEEE80211_HT_PARAM_CHAN_WIDTH_ANY) SET_SECONDARYCHAN(chan_list->chan_scan_param[0]. radio_type, (bss_desc->bcn_ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET)); - } + *buffer += struct_size(chan_list, chan_scan_param, 1); ret_len += struct_size(chan_list, chan_scan_param, 1); } -- 2.39.5

3 weeks, 5 days

2
1
0 0

+ mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" Date: Wed, 11 Jun 2025 15:13:14 +0200 After commit 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked") we are able to longterm pin folios that are not supposed to get longterm pinned, simply because they temporarily have the LRU flag cleared (esp. temporarily isolated). For example, two __get_longterm_locked() callers can race, or __get_longterm_locked() can race with anything else that temporarily isolates folios. The introducing commit mentions the use case of a driver that uses vm_ops->fault to insert pages allocated through cma_alloc() into the page tables, assuming they can later get longterm pinned. These pages/ folios would never have the LRU flag set and consequently cannot get isolated. There is no known in-tree user making use of that so far, fortunately. To handle that in the future -- and avoid retrying forever to isolate/migrate them -- we will need a different mechanism for the CMA area *owner* to indicate that it actually already allocated the page and is fine with longterm pinning it. The LRU flag is not suitable for that. Probably we can lookup the relevant CMA area and query the bitmap; we only have have to care about some races, probably. If already allocated, we could just allow longterm pinning) Anyhow, let's fix the "must not be longterm pinned" problem first by reverting the original commit. Link: https://lkml.kernel.org/r/20250611131314.594529-1-david@redhat.com Fixes: 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked") Signed-off-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/all/20250522092755.GA3277597@tiffany/ Reported-by: Hyesoo Yu <hyesoo.yu(a)samsung.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Peter Xu <peterx(a)redhat.com> Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Cc: Aijun Sun <aijun.sun(a)unisoc.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- a/mm/gup.c~mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked +++ a/mm/gup.c @@ -2303,13 +2303,13 @@ static void pofs_unpin(struct pages_or_f /* * Returns the number of collected folios. Return value is always >= 0. */ -static void collect_longterm_unpinnable_folios( +static unsigned long collect_longterm_unpinnable_folios( struct list_head *movable_folio_list, struct pages_or_folios *pofs) { + unsigned long i, collected = 0; struct folio *prev_folio = NULL; bool drain_allow = true; - unsigned long i; for (i = 0; i < pofs->nr_entries; i++) { struct folio *folio = pofs_get_folio(pofs, i); @@ -2321,6 +2321,8 @@ static void collect_longterm_unpinnable_ if (folio_is_longterm_pinnable(folio)) continue; + collected++; + if (folio_is_device_coherent(folio)) continue; @@ -2342,6 +2344,8 @@ static void collect_longterm_unpinnable_ NR_ISOLATED_ANON + folio_is_file_lru(folio), folio_nr_pages(folio)); } + + return collected; } /* @@ -2418,9 +2422,11 @@ static long check_and_migrate_movable_pages_or_folios(struct pages_or_folios *pofs) { LIST_HEAD(movable_folio_list); + unsigned long collected; - collect_longterm_unpinnable_folios(&movable_folio_list, pofs); - if (list_empty(&movable_folio_list)) + collected = collect_longterm_unpinnable_folios(&movable_folio_list, + pofs); + if (!collected) return 0; return migrate_longterm_unpinnable_folios(&movable_folio_list, pofs); _ Patches currently in -mm which might be from david(a)redhat.com are mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch mm-gup-remove-vm_bug_ons.patch mm-gup-remove-vm_bug_ons-fix.patch

3 weeks, 5 days

1
0
0 0

[PATCH 0/5] Fixes for ITS mitigation and execmem

by Mike Rapoport

From: "Mike Rapoport (Microsoft)" <rppt(a)kernel.org> Hi, Jürgen Groß reported some bugs in interaction of ITS mitigation with execmem [1] when running on a Xen PV guest. These patches fix the issue by moving all the permissions management of ITS memory allocated from execmem into ITS code. I didn't test on a real Xen PV guest, but I emulated !PSE variant by force-disabling the ROX cache in x86::execmem_arch_setup(). Peter, I took liberty to put your SoB in the patch that actually implements the execmem permissions management in ITS, please let me know if I need to update something about the authorship. The patches are against v6.15. They are also available in git: https://web.git.kernel.org/pub/scm/linux/kernel/git/rppt/linux.git/log/?h=i… [1] https://lore.kernel.org/all/20250528123557.12847-2-jgross@suse.com/ Juergen Gross (1): x86/mm/pat: don't collapse pages without PSE set Mike Rapoport (Microsoft) (3): x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set x86/its: move its_pages array to struct mod_arch_specific Revert "mm/execmem: Unify early execmem_cache behaviour" Peter Zijlstra (Intel) (1): x86/its: explicitly manage permissions for ITS pages arch/x86/Kconfig | 2 +- arch/x86/include/asm/module.h | 8 ++++ arch/x86/kernel/alternative.c | 89 ++++++++++++++++++++++++++--------- arch/x86/mm/init_32.c | 3 -- arch/x86/mm/init_64.c | 3 -- arch/x86/mm/pat/set_memory.c | 3 ++ include/linux/execmem.h | 8 +--- include/linux/module.h | 5 -- mm/execmem.c | 40 ++-------------- 9 files changed, 82 insertions(+), 79 deletions(-) base-commit: 0ff41df1cb268fc69e703a08a57ee14ae967d0ca -- 2.47.2

3 weeks, 5 days

8
16
0 0

[PATCH] s390/pkey: prevent overflow in size calculation for memdup_user()

by Fedor Pchelkin

Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Return an error if an overflow is detected. Note that it is different from when nr_apqns is zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org). Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- drivers/s390/crypto/pkey_api.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index cef60770f68b..a731fc9c62a7 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -83,10 +83,15 @@ static void *_copy_key_from_user(void __user *ukey, size_t keylen) static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns) { + size_t size; + if (!uapqns || nr_apqns == 0) return NULL; - return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn)); + if (check_mul_overflow(nr_apqns, sizeof(struct pkey_apqn), &size)) + return ERR_PTR(-EINVAL); + + return memdup_user(uapqns, size); } static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs) -- 2.49.0

3 weeks, 5 days

2
1
0 0

[PATCH 05/10] drm/amd/display: Check dce_hwseq before dereferencing it

by Aurabindo Pillai

From: Alex Hung <alex.hung(a)amd.com> [WHAT] hws was checked for null earlier in dce110_blank_stream, indicating hws can be null, and should be checked whenever it is used. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> --- drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c index c717cc1eca6d..542468224789 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c @@ -1227,7 +1227,7 @@ void dce110_blank_stream(struct pipe_ctx *pipe_ctx) return; if (link->local_sink && link->local_sink->sink_signal == SIGNAL_TYPE_EDP) { - if (!link->skip_implict_edp_power_control) + if (!link->skip_implict_edp_power_control && hws) hws->funcs.edp_backlight_control(link, false); link->dc->hwss.set_abm_immediate_disable(pipe_ctx); } -- 2.49.0

3 weeks, 5 days

1
0
0 0

Re: [PATCH 5.10.y 2/3] rtc: Make rtc_time64_to_tm() support dates before 1970

by Alexandre Belloni

Hello Cassio, On 10/06/2025 21:31:48+0100, Cassio Neri wrote: > Hi all, > > Although untested, I'm pretty sure that with very small changes, the > previous revision (1d1bb12) can handle dates prior to 1970-01-01 with no > need to add extra branches or arithmetic operations. Indeed, 1d1bb12 > contains: > > <code> > /* time must be positive */ > days = div_s64_rem(time, 86400, &secs); > > /* day of the week, 1970-01-01 was a Thursday */ > tm->tm_wday = (days + 4) % 7; > > /* long comments */ > > udays = ((u32) days) + 719468; > </code> > > This could have been changed to: > > <code> > /* time must be >= -719468 * 86400 which corresponds to 0000-03-01 */ > udays = div_u64_rem(time + 719468 * 86400, 86400, &secs); > > /* day of the week, 0000-03-01 was a Wednesday (in the proleptic Gregorian > calendar) */ > tm->tm_wday = (days + 3) % 7; > > /* long comments */ > </code> > > Indeed, the addition of 719468 * 86400 to `time` makes `days` to be 719468 > more than it should be. Therefore, in the calculation of `udays`, the > addition of 719468 becomes unnecessary and thus, `udays == days`. Moreover, > this means that `days` can be removed altogether and replaced by `udays`. > (Not the other way around because in the remaining code `udays` must be > u32.) > > Now, 719468 % 7 = 1 and thus tm->wday is 1 day after what it should be and > we correct that by adding 3 instead of 4. > > Therefore, I suggest these changes on top of 1d1bb12 instead of those made > in 7df4cfe. Since you're working on this, can I please kindly suggest two > other changes? > > 1) Change the reference provided in the long comment. It should say, "The > following algorithm is, basically, Figure 12 of Neri and Schneider [1]" and > [1] should refer to the published article: > > Neri C, Schneider L. Euclidean affine functions and their application to > calendar algorithms. Softw Pract Exper. 2023;53(4):937-970. doi: > 10.1002/spe.3172 > https://doi.org/10.1002/spe.3172 > > The article is much better written and clearer than the pre-print currently > referred to. > Thanks for your input, I wanted to look again at your paper and make those optimizations which is why I took so long to review the original patch. Unfortunately, I didn't have the time before the merge window. I would also gladly take patches for this if you are up for the task. > 2) Function rtc_time64_to_tm_test_date_range in drivers/rtc/lib_test.c, is > a kunit test that checks the result for everyday in a 160000 years range > starting at 1970-01-01. It'd be nice if this test is adapted to the new > code and starts at 1900-01-01 (technically, it could start at 0000-03-01 > but since tm->year counts from 1900, it would be weird to see tm->year == > -1900 to mean that the calendar year is 0.) Also 160000 is definitely an > overkill (my bad!) and a couple of thousands of years, say 3000, should be > more than safe for anyone. :-) This is also something on my radar as some have been complaining about the time it takes to run those tests. > > Many thanks, > Cassio. > > > > On Tue, 10 Jun 2025 at 08:35, Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> > wrote: > > > From: Alexandre Mergnat <amergnat(a)baylibre.com> > > > > commit 7df4cfef8b351fec3156160bedfc7d6d29de4cce upstream. > > > > Conversion of dates before 1970 is still relevant today because these > > dates are reused on some hardwares to store dates bigger than the > > maximal date that is representable in the device's native format. > > This prominently and very soon affects the hardware covered by the > > rtc-mt6397 driver that can only natively store dates in the interval > > 1900-01-01 up to 2027-12-31. So to store the date 2028-01-01 00:00:00 > > to such a device, rtc_time64_to_tm() must do the right thing for > > time=-2208988800. > > > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > > Reviewed-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> > > Link: > > https://lore.kernel.org/r/20250428-enable-rtc-v4-1-2b2f7e3f9349@baylibre.com > > Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> > > Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> > > --- > > drivers/rtc/lib.c | 24 +++++++++++++++++++----- > > 1 file changed, 19 insertions(+), 5 deletions(-) > > > > diff --git a/drivers/rtc/lib.c b/drivers/rtc/lib.c > > index fe361652727a..13b5b1f20465 100644 > > --- a/drivers/rtc/lib.c > > +++ b/drivers/rtc/lib.c > > @@ -46,24 +46,38 @@ EXPORT_SYMBOL(rtc_year_days); > > * rtc_time64_to_tm - converts time64_t to rtc_time. > > * > > * @time: The number of seconds since 01-01-1970 00:00:00. > > - * (Must be positive.) > > + * Works for values since at least 1900 > > * @tm: Pointer to the struct rtc_time. > > */ > > void rtc_time64_to_tm(time64_t time, struct rtc_time *tm) > > { > > - unsigned int secs; > > - int days; > > + int days, secs; > > > > u64 u64tmp; > > u32 u32tmp, udays, century, day_of_century, year_of_century, year, > > day_of_year, month, day; > > bool is_Jan_or_Feb, is_leap_year; > > > > - /* time must be positive */ > > + /* > > + * Get days and seconds while preserving the sign to > > + * handle negative time values (dates before 1970-01-01) > > + */ > > days = div_s64_rem(time, 86400, &secs); > > > > + /* > > + * We need 0 <= secs < 86400 which isn't given for negative > > + * values of time. Fixup accordingly. > > + */ > > + if (secs < 0) { > > + days -= 1; > > + secs += 86400; > > + } > > + > > /* day of the week, 1970-01-01 was a Thursday */ > > tm->tm_wday = (days + 4) % 7; > > + /* Ensure tm_wday is always positive */ > > + if (tm->tm_wday < 0) > > + tm->tm_wday += 7; > > > > /* > > * The following algorithm is, basically, Proposition 6.3 of Neri > > @@ -93,7 +107,7 @@ void rtc_time64_to_tm(time64_t time, struct rtc_time > > *tm) > > * thus, is slightly different from [1]. > > */ > > > > - udays = ((u32) days) + 719468; > > + udays = days + 719468; > > > > u32tmp = 4 * udays + 3; > > century = u32tmp / 146097; > > -- > > 2.49.0 > > > >

3 weeks, 5 days

2
1
0 0

[PATCH] Revert "block: don't reorder requests in blk_add_rq_to_plug"

by Hazem Mohamed Abuelfotoh

This reverts commit e70c301faece15b618e54b613b1fd6ece3dd05b4. Commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug") reversed how requests are stored in the blk_plug list, this had significant impact on bio merging with requests exist on the plug list. This impact has been reported in [1] and could easily be reproducible using 4k randwrite fio benchmark on an NVME based SSD without having any filesystem on the disk. My benchmark is: fio --time_based --name=benchmark --size=50G --rw=randwrite \ --runtime=60 --filename="/dev/nvme1n1" --ioengine=psync \ --randrepeat=0 --iodepth=1 --fsync=64 --invalidate=1 \ --verify=0 --verify_fatal=0 --blocksize=4k --numjobs=4 \ --group_reporting On 1.9TiB SSD(180K Max IOPS) attached to i3.16xlarge AWS EC2 instance. Kernel | fio (B.W MiB/sec) | I/O size (iostat) --------------+---------------------+-------------------- 6.15.1 | 362 | 2KiB 6.15.1+revert | 660 (+82%) | 4KiB --------------+---------------------+-------------------- I have run iostat while the fio benchmark was running and was able to see that the I/O size seen on the disk is shown as 2KB without this revert while it's 4KB with the revert. In the bad case the write bandwidth is capped at around 362MiB/sec which almost 2KiB * 180K IOPS so we are hitting the SSD Disk IOPS limit which is 180K. After the revert the I/O size has been doubled to 4KiB hence the bandwidth has been almost doubled as we no longer hit the Disk IOPS limit. I have done some tracing using bpftrace & bcc and was able to conclude that the reason behind the I/O size discrepancy with the revert is that this fio benchmark is subimitting each 4k I/O as 2 contiguous 2KB bios. In the good case each 2 bios are merged in a 4KB request that's then been submitted to the disk while in the bad case 2K bios are submitted to the disk without merging because blk_attempt_plug_merge() failed to merge them as seen below. **Without the revert** [12:12:28] r::blk_attempt_plug_merge():int:$retval COUNT EVENT 5618 $retval = 1 176578 $retval = 0 **With the revert** [12:11:43] r::blk_attempt_plug_merge():int:$retval COUNT EVENT 146684 $retval = 0 146686 $retval = 1 In blk_attempt_plug_merge() we are iterating ithrought the plug list from head to tail looking for a request with which we can merge the most recently submitted bio. With commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug") the most recent request will be at the tail so blk_attempt_plug_merge() will fail because it tries to merge bio with the plug list head. In blk_attempt_plug_merge() we don't iterate across the whole plug list because as we exit the loop once we fail merging in blk_attempt_bio_merge(). In commit <bc490f81731> ("block: change plugging to use a singly linked list") the plug list has been changed to single linked list so there's no way to iterate the list from tail to head which is the only way to mitigate the impact on bio merging if we want to keep commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug"). Given that moving plug list to a single linked list was mainly for performance reason then let's revert commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug") for now to mitigate the reported performance regression. [1] https://lore.kernel.org/lkml/202412122112.ca47bcec-lkp@intel.com/ Cc: stable(a)vger.kernel.org # 6.12 Reported-by: kernel test robot <oliver.sang(a)intel.com> Reported-by: Hagar Hemdan <hagarhem(a)amazon.com> Reported-and-bisected-by: Shaoying Xu <shaoyi(a)amazon.com> Signed-off-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com> --- block/blk-mq.c | 4 ++-- drivers/block/virtio_blk.c | 2 +- drivers/nvme/host/pci.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index c2697db59109..28965cac19fb 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -1394,7 +1394,7 @@ static void blk_add_rq_to_plug(struct blk_plug *plug, struct request *rq) */ if (!plug->has_elevator && (rq->rq_flags & RQF_SCHED_TAGS)) plug->has_elevator = true; - rq_list_add_tail(&plug->mq_list, rq); + rq_list_add_head(&plug->mq_list, rq); plug->rq_count++; } @@ -2846,7 +2846,7 @@ static void blk_mq_dispatch_plug_list(struct blk_plug *plug, bool from_sched) rq_list_add_tail(&requeue_list, rq); continue; } - list_add_tail(&rq->queuelist, &list); + list_add(&rq->queuelist, &list); depth++; } while (!rq_list_empty(&plug->mq_list)); diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 7cffea01d868..7992a171f905 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -513,7 +513,7 @@ static void virtio_queue_rqs(struct rq_list *rqlist) vq = this_vq; if (virtblk_prep_rq_batch(req)) - rq_list_add_tail(&submit_list, req); + rq_list_add_head(&submit_list, req); /* reverse order */ else rq_list_add_tail(&requeue_list, req); } diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index f1dd804151b1..5f7da42f9dac 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -1026,7 +1026,7 @@ static void nvme_queue_rqs(struct rq_list *rqlist) nvmeq = req->mq_hctx->driver_data; if (nvme_prep_rq_batch(nvmeq, req)) - rq_list_add_tail(&submit_list, req); + rq_list_add_head(&submit_list, req); /* reverse order */ else rq_list_add_tail(&requeue_list, req); } -- 2.47.1

3 weeks, 5 days

5
6
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror