- Linux-stable-mirror - lists.linaro.org

CES 2026: Audience Breakdown & Leads

by Jessica Garcia

Hi , Trust you're in good spirits. Is the idea of buying the CES 2026 attendees' details for your marketing efforts something you'd like to explore? Expo Name: Consumer Electronics Show 2026 Total Number of records: 40,000 records List includes: Company Name, Contact Name, Job Title, Mailing Address, Phone, Emails, etc. Best chance to connect with participants Feel free to contact me if you are interested in acquiring this list so that I can share pricing information with you Hoping for your prompt feedback. Regards Jessica Marketing Manager Campaign Data Leads., Please reply with REMOVE if you don't wish to receive further emails

2 days, 17 hours

1
0
0 0

[PATCH v2] spi: fsl-cpm: Check length parity before switching to 16 bit mode

by Christophe Leroy

Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") Cc: stable(a)vger.kernel.org Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/ Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Reviewed-by: Sverdlin Alexander <alexander.sverdlin(a)siemens.com> --- v2: Updated with comments from Alexander --- drivers/spi/spi-fsl-spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c index 2f2082652a1a..481a7b28aacd 100644 --- a/drivers/spi/spi-fsl-spi.c +++ b/drivers/spi/spi-fsl-spi.c @@ -335,7 +335,7 @@ static int fsl_spi_prepare_message(struct spi_controller *ctlr, if (t->bits_per_word == 16 || t->bits_per_word == 32) t->bits_per_word = 8; /* pretend its 8 bits */ if (t->bits_per_word == 8 && t->len >= 256 && - (mpc8xxx_spi->flags & SPI_CPM1)) + !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1)) t->bits_per_word = 16; } } -- 2.49.0

2 days, 17 hours

2
1
0 0

[PATCH 6.6.y] ext4: fix error message when rejecting the default hash

by Ankan Biswas

From: Gabriel Krisman Bertazi <krisman(a)suse.de> [ Upstream commit a2187431c395cdfbf144e3536f25468c64fc7cfa ] Commit 985b67cd8639 ("ext4: filesystems without casefold feature cannot be mounted with siphash") properly rejects volumes where s_def_hash_version is set to DX_HASH_SIPHASH, but the check and the error message should not look into casefold setup - a filesystem should never have DX_HASH_SIPHASH as the default hash. Fix it and, since we are there, move the check to ext4_hash_info_init. Fixes:985b67cd8639 ("ext4: filesystems without casefold feature cannot be mounted with siphash") Signed-off-by: Gabriel Krisman Bertazi <krisman(a)suse.de> Link: https://patch.msgid.link/87jzg1en6j.fsf_-_@mailhost.krisman.be Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> [ The commit a2187431c395 intended to remove the if-block which was used for an old SIPHASH rejection check. ] Signed-off-by: Ankan Biswas <spyjetfayed(a)gmail.com> --- fs/ext4/ext4.h | 1 + fs/ext4/super.c | 20 +++++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 7afce7b744c0..85ba12a48f26 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -2459,6 +2459,7 @@ static inline __le16 ext4_rec_len_to_disk(unsigned len, unsigned blocksize) #define DX_HASH_HALF_MD4_UNSIGNED 4 #define DX_HASH_TEA_UNSIGNED 5 #define DX_HASH_SIPHASH 6 +#define DX_HASH_LAST DX_HASH_SIPHASH static inline u32 ext4_chksum(struct ext4_sb_info *sbi, u32 crc, const void *address, unsigned int length) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 16a6c249580e..613f2bac439d 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -5138,16 +5138,27 @@ static int ext4_load_super(struct super_block *sb, ext4_fsblk_t *lsb, return ret; } -static void ext4_hash_info_init(struct super_block *sb) +static int ext4_hash_info_init(struct super_block *sb) { struct ext4_sb_info *sbi = EXT4_SB(sb); struct ext4_super_block *es = sbi->s_es; unsigned int i; + sbi->s_def_hash_version = es->s_def_hash_version; + + if (sbi->s_def_hash_version > DX_HASH_LAST) { + ext4_msg(sb, KERN_ERR, + "Invalid default hash set in the superblock"); + return -EINVAL; + } else if (sbi->s_def_hash_version == DX_HASH_SIPHASH) { + ext4_msg(sb, KERN_ERR, + "SIPHASH is not a valid default hash value"); + return -EINVAL; + } + for (i = 0; i < 4; i++) sbi->s_hash_seed[i] = le32_to_cpu(es->s_hash_seed[i]); - sbi->s_def_hash_version = es->s_def_hash_version; if (ext4_has_feature_dir_index(sb)) { i = le32_to_cpu(es->s_flags); if (i & EXT2_FLAGS_UNSIGNED_HASH) @@ -5165,6 +5176,7 @@ static void ext4_hash_info_init(struct super_block *sb) #endif } } + return 0; } static int ext4_block_group_meta_init(struct super_block *sb, int silent) @@ -5309,7 +5321,9 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) if (err) goto failed_mount; - ext4_hash_info_init(sb); + err = ext4_hash_info_init(sb); + if (err) + goto failed_mount; err = ext4_handle_clustersize(sb); if (err) -- 2.52.0

2 days, 17 hours

1
0
0 0

[PATCH] media: stm32: dcmipp: avoid naming clock if only one is needed

by Alain Volmat

When DCMIPP requires only a single clock (kclk), avoid relying on its name to obtain it. The introduction of MP25 support added the mclk, which necessitated naming the first clock kclk. However, this breaks backward compatibility with existing MP13 device trees that do not specify clock names. Fixes: 686f27f7ea37 ("media: stm32: dcmipp: add core support for the stm32mp25") Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> Cc: Stable(a)vger.kernel.org # 6.14.x: 7f487562af49 media: stm32: dcmipp: correct ret type in dcmipp_graph_notify_bound Cc: Stable(a)vger.kernel.org # 6.14.x: c715dd62da30 media: stm32: dcmipp: add has_csi2 & needs_mclk in match data Cc: Stable(a)vger.kernel.org # 6.14.x: --- drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c index 1b7bae3266c8..49398d077764 100644 --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c @@ -526,7 +526,12 @@ static int dcmipp_probe(struct platform_device *pdev) return ret; } - kclk = devm_clk_get(&pdev->dev, "kclk"); + /* + * In case of the DCMIPP has only 1 clock (such as on MP13), the + * clock might not be named. + */ + kclk = devm_clk_get(&pdev->dev, + dcmipp->pipe_cfg->needs_mclk ? "kclk" : NULL); if (IS_ERR(kclk)) return dev_err_probe(&pdev->dev, PTR_ERR(kclk), "Unable to get kclk\n"); --- base-commit: f7231cff1f3ff8259bef02dc4999bc132abf29cf change-id: 20251215-stm32-dcmipp-mp13-kclk-fix-b36b1bf22be1 Best regards, -- Alain Volmat <alain.volmat(a)foss.st.com>

2 days, 19 hours

1
0
0 0

[PATCH] NFC: Fix error handling in nfc_genl_dump_targets

by Ma Ke

nfc_genl_dump_targets() increments the device reference count via nfc_get_device() but fails to decrement it properly. nfc_get_device() calls class_find_device() which internally calls get_device() to increment the reference count. No corresponding put_device() is made to decrement the reference count. Add proper reference count decrementing using nfc_put_device() when the dump operation completes or encounters an error, ensuring balanced reference counting. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- net/nfc/netlink.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index a18e2c503da6..9ae138ee91dd 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb, cb->args[0] = i; + if (rc < 0 || i >= dev->n_targets) { + nfc_put_device(dev); + cb->args[1] = 0; + } + return skb->len; } -- 2.17.1

2 days, 20 hours

4
3
0 0

[PATCH] virtio: console: fix lost wakeup when device is written and polled

by Lorenz Bauer

A process issuing blocking writes to a virtio console may get stuck indefinitely if another thread polls the device. Here is how to trigger the bug: - Thread A writes to the port until the virtqueue is full. - Thread A calls wait_port_writable() and goes to sleep, waiting on port->waitqueue. - The host processes some of the write, marks buffers as used and raises an interrupt. - Before the interrupt is serviced, thread B executes port_fops_poll(). This calls reclaim_consumed_buffers() via will_write_block() and consumes all used buffers. - The interrupt is serviced. vring_interrupt() finds no used buffers via more_used() and returns without waking port->waitqueue. - Thread A is still in wait_event(port->waitqueue), waiting for a wakeup that never arrives. The crux is that invoking reclaim_consumed_buffers() may cause vring_interrupt() to omit wakeups. Fix this by making reclaim_consumed_buffers() issue an additional wake up if it consumed any buffers. Signed-off-by: Lorenz Bauer <lmb(a)isovalent.com> --- As far as I can tell all currently maintained stable series kernels need this commit. I've tested that it applies cleanly to 5.10.247, however wasn't able to build the kernel due to an unrelated link error. Instead I applied it to 5.15.197, which compiled and verified to be fixed. --- drivers/char/virtio_console.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index 088182e54debd6029ea2c2a5542d7a28500e67b8..7cd3ad9da9b53a7a570410f12501acc7fd7e3b9b 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -581,6 +581,7 @@ static ssize_t send_control_msg(struct port *port, unsigned int event, static void reclaim_consumed_buffers(struct port *port) { struct port_buffer *buf; + bool freed = false; unsigned int len; if (!port->portdev) { @@ -589,7 +590,15 @@ static void reclaim_consumed_buffers(struct port *port) } while ((buf = virtqueue_get_buf(port->out_vq, &len))) { free_buf(buf, false); + freed = true; + } + if (freed) { + /* We freed all used buffers. Issue a wake up so that other pending + * tasks do not get stuck. This is necessary because vring_interrupt() + * will drop wakeups from the host if there are no used buffers. + */ port->outvq_full = false; + wake_up_interruptible(&port->waitqueue); } } --- base-commit: d358e5254674b70f34c847715ca509e46eb81e6f change-id: 20251215-virtio-console-lost-wakeup-0f566c5cd35f Best regards, -- Lorenz Bauer <lmb(a)isovalent.com>

2 days, 20 hours

3
3
0 0

[char-misc] mei: me: add nova lake point S DID

by Alexander Usyskin

Add Nova Lake S device id. Cc: stable(a)vger.kernel.org Co-developed-by: Tomas Winkler <tomasw(a)gmail.com> Signed-off-by: Tomas Winkler <tomasw(a)gmail.com> Signed-off-by: Alexander Usyskin <alexander.usyskin(a)intel.com> --- drivers/misc/mei/hw-me-regs.h | 2 ++ drivers/misc/mei/pci-me.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/misc/mei/hw-me-regs.h b/drivers/misc/mei/hw-me-regs.h index a4f75dc36929..fa30899a5fa2 100644 --- a/drivers/misc/mei/hw-me-regs.h +++ b/drivers/misc/mei/hw-me-regs.h @@ -122,6 +122,8 @@ #define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */ +#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */ + /* * MEI HW Section */ diff --git a/drivers/misc/mei/pci-me.c b/drivers/misc/mei/pci-me.c index 73cad914be9f..2a6e569558b9 100644 --- a/drivers/misc/mei/pci-me.c +++ b/drivers/misc/mei/pci-me.c @@ -129,6 +129,8 @@ static const struct pci_device_id mei_me_pci_tbl[] = { {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)}, + /* required last entry */ {0, } }; -- 2.43.0

2 days, 20 hours

1
0
0 0

[PATCH v2 RESEND] coresight: etm-perf: Fix reference count leak in etm_setup_aux

by Ma Ke

In etm_setup_aux(), when a user sink is obtained via coresight_get_sink_by_id(), it increments the reference count of the sink device. However, if the sink is used in path building, the path holds a reference, but the initial reference from coresight_get_sink_by_id() is not released, causing a reference count leak. We should release the initial reference after the path is built. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch as suggestions. --- drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c index 17afa0f4cdee..56d012ab6d3a 100644 --- a/drivers/hwtracing/coresight/coresight-etm-perf.c +++ b/drivers/hwtracing/coresight/coresight-etm-perf.c @@ -454,6 +454,11 @@ static void *etm_setup_aux(struct perf_event *event, void **pages, goto err; out: + if (user_sink) { + put_device(&user_sink->dev); + user_sink = NULL; + } + return event_data; err: -- 2.17.1

2 days, 21 hours

4
3
0 0

[PATCH] tcpm: allow looking for role_sw device in the main node

by Arnaud Ferraris

When ports are defined in the tcpc main node, fwnode_usb_role_switch_get returns an error, meaning usb_role_switch_get (which would succeed) never gets a chance to run as port->role_sw isn't NULL, causing a regression on devices where this is the case. Fix this by turning the NULL check into IS_ERR_OR_NULL, so usb_role_switch_get can actually run and the device get properly probed. Fixes: 2d8713f807a4 ("tcpm: switch check for role_sw device with fw_node") Cc: stable(a)vger.kernel.org Signed-off-by: Arnaud Ferraris <arnaud.ferraris(a)collabora.com> --- drivers/usb/typec/tcpm/tcpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index cc78770509dbc..37698204d48d2 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -7877,7 +7877,7 @@ struct tcpm_port *tcpm_register_port(struct device *dev, struct tcpc_dev *tcpc) port->partner_desc.identity = &port->partner_ident; port->role_sw = fwnode_usb_role_switch_get(tcpc->fwnode); - if (!port->role_sw) + if (IS_ERR_OR_NULL(port->role_sw)) port->role_sw = usb_role_switch_get(port->dev); if (IS_ERR(port->role_sw)) { err = PTR_ERR(port->role_sw); --- base-commit: 765e56e41a5af2d456ddda6cbd617b9d3295ab4e change-id: 20251127-fix-ppp-power-6d47f3a746f8 Best regards, -- Arnaud Ferraris <arnaud.ferraris(a)collabora.com>

2 days, 21 hours

2
1
0 0

[PATCH] drm/amdgpu: don't attach the tlb fence for SI

by Hans de Goede

From: Alex Deucher <alexander.deucher(a)amd.com> commit eb296c09805ee37dd4ea520a7fb3ec157c31090f upstream. SI hardware doesn't support pasids, user mode queues, or KIQ/MES so there is no need for this. Doing so results in a segfault as these callbacks are non-existent for SI. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4744 Fixes: f3854e04b708 ("drm/amdgpu: attach tlb fence to the PTs update") Reviewed-by: Timur Kristóf <timur.kristof(a)gmail.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Hans de Goede <johannes.goede(a)oss.qualcomm.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c index 676e24fb8864..cdcafde3c71a 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c @@ -1066,7 +1066,9 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_update_params *params, } /* Prepare a TLB flush fence to be attached to PTs */ - if (!params->unlocked) { + if (!params->unlocked && + /* SI doesn't support pasid or KIQ/MES */ + params->adev->family > AMDGPU_FAMILY_SI) { amdgpu_vm_tlb_fence_create(params->adev, vm, fence); /* Makes sure no PD/PT is freed before the flush */ -- 2.52.0

2 days, 21 hours

2
4
0 0

[PATCH AUTOSEL 6.18] scsi: mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1

by Sasha Levin

From: Suganath Prabu S <suganath-prabu.subramani(a)broadcom.com> [ Upstream commit 4588e65cfd66fc8bbd9969ea730db39b60a36a30 ] Avoid scanning SAS/SATA devices in channel 1 when SAS transport is enabled, as the SAS/SATA devices are exposed through channel 0. Signed-off-by: Suganath Prabu S <suganath-prabu.subramani(a)broadcom.com> Signed-off-by: Ranjan Kumar <ranjan.kumar(a)broadcom.com> Link: https://lore.kernel.org/stable/20251120071955.463475-1-suganath-prabu.subra… Link: https://patch.msgid.link/20251120071955.463475-1-suganath-prabu.subramani@b… Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ### DEPENDENCY VERIFICATION The `non_stl` field and `sas_transport_enabled` were both introduced in commit c4723e68a0d81 ("scsi: mpi3mr: Enable STL on HBAs where multipath is disabled") from August 2022 (Linux 6.0 cycle). This means the patch is only applicable to stable kernels 6.1.y and later (not 5.15.y). ### SUMMARY **Bug being fixed**: Duplicate SAS/SATA device entries appearing in both channel 0 (SAS transport) and channel 1 (generic SCSI) when SAS transport is enabled, causing user confusion and management issues. **Stable kernel criteria assessment**: - ✅ **Obviously correct**: Simple conditional checks with clear logic - ✅ **Fixes a real bug**: Duplicate device enumeration is a real user- visible issue - ✅ **Small and contained**: Only 4 lines of actual code change - ✅ **No new features**: Just corrects existing device enumeration logic - ✅ **Tested**: Merged through maintainer tree with proper sign-offs - ✅ **Intentional stable submission**: Link to stable mailing list present **Risk vs Benefit**: - **Risk**: Very low - simple conditional check, worst case is device visibility issue - **Benefit**: Fixes confusing duplicate device entries for MPI3MR users with SAS transport **Concerns**: 1. Requires commit c4723e68a0d81 to be present (6.1.y and later only) 2. Version bump in header should be stripped for stable backport The explicit submission to the stable mailing list, the small surgical nature of the fix, and the clear bug it addresses make this a valid stable backport candidate for kernels 6.1.y and newer. **YES** drivers/scsi/mpi3mr/mpi3mr.h | 4 ++-- drivers/scsi/mpi3mr/mpi3mr_os.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h index 6742684e2990a..31d68c151b207 100644 --- a/drivers/scsi/mpi3mr/mpi3mr.h +++ b/drivers/scsi/mpi3mr/mpi3mr.h @@ -56,8 +56,8 @@ extern struct list_head mrioc_list; extern int prot_mask; extern atomic64_t event_counter; -#define MPI3MR_DRIVER_VERSION "8.15.0.5.50" -#define MPI3MR_DRIVER_RELDATE "12-August-2025" +#define MPI3MR_DRIVER_VERSION "8.15.0.5.51" +#define MPI3MR_DRIVER_RELDATE "18-November-2025" #define MPI3MR_DRIVER_NAME "mpi3mr" #define MPI3MR_DRIVER_LICENSE "GPL" diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c index b88633e1efe27..d4ca878d08869 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_os.c +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c @@ -1184,6 +1184,8 @@ static void mpi3mr_update_tgtdev(struct mpi3mr_ioc *mrioc, if (is_added == true) tgtdev->io_throttle_enabled = (flags & MPI3_DEVICE0_FLAGS_IO_THROTTLING_REQUIRED) ? 1 : 0; + if (!mrioc->sas_transport_enabled) + tgtdev->non_stl = 1; switch (flags & MPI3_DEVICE0_FLAGS_MAX_WRITE_SAME_MASK) { case MPI3_DEVICE0_FLAGS_MAX_WRITE_SAME_256_LB: @@ -4844,7 +4846,7 @@ static int mpi3mr_target_alloc(struct scsi_target *starget) spin_lock_irqsave(&mrioc->tgtdev_lock, flags); if (starget->channel == mrioc->scsi_device_channel) { tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id); - if (tgt_dev && !tgt_dev->is_hidden) { + if (tgt_dev && !tgt_dev->is_hidden && tgt_dev->non_stl) { scsi_tgt_priv_data->starget = starget; scsi_tgt_priv_data->dev_handle = tgt_dev->dev_handle; scsi_tgt_priv_data->perst_id = tgt_dev->perst_id; -- 2.51.0

2 days, 22 hours

1
3
0 0

[PATCH 6.6.y 0/2] Backport for CVE-2025-22121

by David Nyström

Signed-off-by: David Nyström <david.nystrom(a)est.tech> --- Ye Bin (2): ext4: introduce ITAIL helper ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() fs/ext4/inode.c | 5 +++++ fs/ext4/xattr.c | 32 ++++---------------------------- fs/ext4/xattr.h | 10 ++++++++++ 3 files changed, 19 insertions(+), 28 deletions(-) --- base-commit: 4791134e4aebe300af2b409dc550610ef69fae3e change-id: 20251212-cve-2025-22121-c30057f1bbcb Best regards, -- David Nyström <david.nystrom(a)est.tech>

2 days, 22 hours

1
2
0 0

[PATCH] cpufreq: pmac64-cpufreq: Fix refcount leak on error paths

by Miaoqian Lin

of_cpu_device_node_get obtain a reference to the device node which must be released with of_node_put(). Add missing of_node_put() on error paths to fix. Found via static analysis and code review. Fixes: 760287ab90a3 ("cpufreq: pmac64-cpufreq: remove device tree parsing for cpu nodes") Fixes: 4350147a816b ("[PATCH] ppc64: SMU based macs cpufreq support") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/cpufreq/pmac64-cpufreq.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/cpufreq/pmac64-cpufreq.c b/drivers/cpufreq/pmac64-cpufreq.c index 80897ec8f00e..0e0205b888ba 100644 --- a/drivers/cpufreq/pmac64-cpufreq.c +++ b/drivers/cpufreq/pmac64-cpufreq.c @@ -356,8 +356,10 @@ static int __init g5_neo2_cpufreq_init(struct device_node *cpunode) use_volts_smu = 1; else if (of_machine_is_compatible("PowerMac11,2")) use_volts_vdnap = 1; - else - return -ENODEV; + else { + rc = -ENODEV; + goto bail_noprops; + } /* Check 970FX for now */ valp = of_get_property(cpunode, "cpu-version", NULL); @@ -430,8 +432,11 @@ static int __init g5_neo2_cpufreq_init(struct device_node *cpunode) * supporting anything else. */ valp = of_get_property(cpunode, "clock-frequency", NULL); - if (!valp) - return -ENODEV; + if (!valp) { + rc = -ENODEV; + goto bail_noprops; + } + max_freq = (*valp)/1000; g5_cpu_freqs[0].frequency = max_freq; g5_cpu_freqs[1].frequency = max_freq/2; -- 2.25.1

3 days, 2 hours

2
1
0 0

[PATCH v2 RESEND] coresight: etm-perf: Fix reference count leak in etm_setup_aux

by Ma Ke

In etm_setup_aux(), when a user sink is obtained via coresight_get_sink_by_id(), it increments the reference count of the sink device. However, if the sink is used in path building, the path holds a reference, but the initial reference from coresight_get_sink_by_id() is not released, causing a reference count leak. We should release the initial reference after the path is built. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0e6c20517596 ("coresight: etm-perf: Allow an event to use different sinks") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch as suggestions. --- drivers/hwtracing/coresight/coresight-etm-perf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c index 17afa0f4cdee..56d012ab6d3a 100644 --- a/drivers/hwtracing/coresight/coresight-etm-perf.c +++ b/drivers/hwtracing/coresight/coresight-etm-perf.c @@ -454,6 +454,11 @@ static void *etm_setup_aux(struct perf_event *event, void **pages, goto err; out: + if (user_sink) { + put_device(&user_sink->dev); + user_sink = NULL; + } + return event_data; err: -- 2.17.1

3 days, 4 hours

1
0
0 0

[PATCH v2] USB: Fix error handling in gadget driver

by Ma Ke

lpc32xx_udc_probe() acquires an i2c_client reference through isp1301_get_client() but fails to release it in both error handling paths and the normal removal path. This could result in a reference count leak for the I2C device, preventing proper cleanup and potentially leading to resource exhaustion. Add put_device() to release the reference in the probe failure path and in the remove function. Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() -> i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode() says, 'The user must call put_device(&client->dev) once done with the i2c client.' Found by code review. Cc: stable(a)vger.kernel.org Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - simplified the patch as suggestions. --- drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c index 1a7d3c4f652f..73c0f28a8585 100644 --- a/drivers/usb/gadget/udc/lpc32xx_udc.c +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c @@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) pdev->dev.dma_mask = &lpc32xx_usbd_dmamask; retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); if (retval) - return retval; + goto i2c_fail; udc->board = &lpc32xx_usbddata; @@ -3038,28 +3038,32 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) /* Get IRQs */ for (i = 0; i < 4; i++) { udc->udp_irq[i] = platform_get_irq(pdev, i); - if (udc->udp_irq[i] < 0) - return udc->udp_irq[i]; + if (udc->udp_irq[i] < 0) { + retval = udc->udp_irq[i]; + goto i2c_fail; + } } udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(udc->udp_baseaddr)) { dev_err(udc->dev, "IO map failure\n"); - return PTR_ERR(udc->udp_baseaddr); + retval = PTR_ERR(udc->udp_baseaddr); + goto i2c_fail; } /* Get USB device clock */ udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL); if (IS_ERR(udc->usb_slv_clk)) { dev_err(udc->dev, "failed to acquire USB device clock\n"); - return PTR_ERR(udc->usb_slv_clk); + retval = PTR_ERR(udc->usb_slv_clk); + goto i2c_fail; } /* Enable USB device clock */ retval = clk_prepare_enable(udc->usb_slv_clk); if (retval < 0) { dev_err(udc->dev, "failed to start USB device clock\n"); - return retval; + goto i2c_fail; } /* Setup deferred workqueue data */ @@ -3161,6 +3165,8 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, udc->udca_v_base, udc->udca_p_base); i2c_fail: + if (udc->isp1301_i2c_client) + put_device(&udc->isp1301_i2c_client->dev); clk_disable_unprepare(udc->usb_slv_clk); dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval); @@ -3189,6 +3195,9 @@ static void lpc32xx_udc_remove(struct platform_device *pdev) dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, udc->udca_v_base, udc->udca_p_base); + if (udc->isp1301_i2c_client) + put_device(&udc->isp1301_i2c_client->dev); + clk_disable_unprepare(udc->usb_slv_clk); } -- 2.17.1

3 days, 5 hours

1
0
0 0

[PATCH] rpmsg: core: fix race in driver_override_show() and use core helper

by Gui-Dong Han

The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code. Fixes: 39e47767ec9b ("rpmsg: Add driver_override device attribute for rpmsg_device") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- I verified this with a stress test that continuously writes/reads the attribute. It triggered KASAN and leaked bytes like a0 f4 81 9f a3 ff ff (likely kernel pointers). Since driver_override is world-readable (0644), this allows unprivileged users to leak kernel pointers and bypass KASLR. Similar races were fixed in other buses (e.g., commits 9561475db680 and 91d44c1afc61). Currently, 9 of 11 buses handle this correctly; this patch fixes one of the remaining two. --- drivers/rpmsg/rpmsg_core.c | 66 ++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 39 deletions(-) diff --git a/drivers/rpmsg/rpmsg_core.c b/drivers/rpmsg/rpmsg_core.c index 5d661681a9b6..96964745065b 100644 --- a/drivers/rpmsg/rpmsg_core.c +++ b/drivers/rpmsg/rpmsg_core.c @@ -352,50 +352,38 @@ field##_show(struct device *dev, \ } \ static DEVICE_ATTR_RO(field); -#define rpmsg_string_attr(field, member) \ -static ssize_t \ -field##_store(struct device *dev, struct device_attribute *attr, \ - const char *buf, size_t sz) \ -{ \ - struct rpmsg_device *rpdev = to_rpmsg_device(dev); \ - const char *old; \ - char *new; \ - \ - new = kstrndup(buf, sz, GFP_KERNEL); \ - if (!new) \ - return -ENOMEM; \ - new[strcspn(new, "\n")] = '\0'; \ - \ - device_lock(dev); \ - old = rpdev->member; \ - if (strlen(new)) { \ - rpdev->member = new; \ - } else { \ - kfree(new); \ - rpdev->member = NULL; \ - } \ - device_unlock(dev); \ - \ - kfree(old); \ - \ - return sz; \ -} \ -static ssize_t \ -field##_show(struct device *dev, \ - struct device_attribute *attr, char *buf) \ -{ \ - struct rpmsg_device *rpdev = to_rpmsg_device(dev); \ - \ - return sprintf(buf, "%s\n", rpdev->member); \ -} \ -static DEVICE_ATTR_RW(field) - /* for more info, see Documentation/ABI/testing/sysfs-bus-rpmsg */ rpmsg_show_attr(name, id.name, "%s\n"); rpmsg_show_attr(src, src, "0x%x\n"); rpmsg_show_attr(dst, dst, "0x%x\n"); rpmsg_show_attr(announce, announce ? "true" : "false", "%s\n"); -rpmsg_string_attr(driver_override, driver_override); + +static ssize_t driver_override_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) +{ + struct rpmsg_device *rpdev = to_rpmsg_device(dev); + int ret; + + ret = driver_set_override(dev, &rpdev->driver_override, buf, count); + if (ret) + return ret; + + return count; +} + +static ssize_t driver_override_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + struct rpmsg_device *rpdev = to_rpmsg_device(dev); + ssize_t len; + + device_lock(dev); + len = sysfs_emit(buf, "%s\n", rpdev->driver_override); + device_unlock(dev); + return len; +} +static DEVICE_ATTR_RW(driver_override); static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, char *buf) -- 2.43.0

3 days, 5 hours

3
2
0 0

Re: Patch "RAS: Report all ARM processor CPER information to userspace" has been added to the 6.18-stable tree

by Mauro Carvalho Chehab

Hi Sacha, Em Sat, 13 Dec 2025 04:49:42 -0500 Sasha Levin <sashal(a)kernel.org> escreveu: > This is a note to let you know that I've just added the patch titled > > RAS: Report all ARM processor CPER information to userspace > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > ras-report-all-arm-processor-cper-information-to-use.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. You should also backport this patch(*): 96b010536ee0 efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs It fixes a bug at the UEFI parser for the ARM Processor Error record: basically, the specs were not clear about how the error type should be reported. The Kernel implementation were assuming that this was an enum, but UEFI errata 2.9A make it clear that the value is a bitmap. So, basically, all kernels up to 6.18 are not parsing the field the expected way: only "Cache error" was properly reported. The other 3 types were wrong. (*) You could need to backport those patches as well: a976d790f494 efi/cper: Add a new helper function to print bitmasks 8ad2c72e21ef efi/cper: Adjust infopfx size to accept an extra space Regards, Mauro Thanks, Mauro

3 days, 5 hours

2
1
0 0

Re: Patch "block: fix cached zone reports on devices with native zone append" has been added to the 6.18-stable tree

by Damien Le Moal

On 12/15/25 09:37, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > block: fix cached zone reports on devices with native zone append > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > block-fix-cached-zone-reports-on-devices-with-native.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Sasha, This is a fix for a new feature that was queued for and is now added to 6.19. So backporting this to stable and LTS kernels is not advisable. -- Damien Le Moal Western Digital Research

3 days, 5 hours

2
2
0 0

Re: Patch "block: mq-deadline: Remove support for zone write locking" has been added to the 6.6-stable tree

by Damien Le Moal

On 12/13/25 20:09, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > block: mq-deadline: Remove support for zone write locking > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > block-mq-deadline-remove-support-for-zone-write-lock.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Sasha, Zone write locking in the mq-deadline scheduler was replaced with the generic zone write plugging in the block layer in 6.10. That was not backported as that is a new feature. So removing zone write locking in 6.6 will break support for SMR drives and other zoned block devices. Removing it from 6.6 is thus not OK. Please undo this. > commit bf2022eaa2291ad1243b0711d5bd03ba4105ffbb > Author: Damien Le Moal <dlemoal(a)kernel.org> > Date: Mon Apr 8 10:41:21 2024 +0900 > > block: mq-deadline: Remove support for zone write locking > > [ Upstream commit fde02699c242e88a71286677d27cc890a959b67f ] > > With the block layer generic plugging of write operations for zoned > block devices, mq-deadline, or any other scheduler, can only ever > see at most one write operation per zone at any time. There is thus no > sequentiality requirements for these writes and thus no need to tightly > control the dispatching of write requests using zone write locking. > > Remove all the code that implement this control in the mq-deadline > scheduler and remove advertizing support for the > ELEVATOR_F_ZBD_SEQ_WRITE elevator feature. > > Signed-off-by: Damien Le Moal <dlemoal(a)kernel.org> > Reviewed-by: Hannes Reinecke <hare(a)suse.de> > Reviewed-by: Christoph Hellwig <hch(a)lst.de> > Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> > Tested-by: Hans Holmberg <hans.holmberg(a)wdc.com> > Tested-by: Dennis Maisenbacher <dennis.maisenbacher(a)wdc.com> > Reviewed-by: Martin K. Petersen <martin.petersen(a)oracle.com> > Link: https://lore.kernel.org/r/20240408014128.205141-22-dlemoal@kernel.org > Signed-off-by: Jens Axboe <axboe(a)kernel.dk> > Stable-dep-of: d60055cf5270 ("block/mq-deadline: Switch back to a single dispatch list") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/block/mq-deadline.c b/block/mq-deadline.c > index 78a8aa204c156..23638b03d7b3d 100644 > --- a/block/mq-deadline.c > +++ b/block/mq-deadline.c > @@ -102,7 +102,6 @@ struct deadline_data { > int prio_aging_expire; > > spinlock_t lock; > - spinlock_t zone_lock; > }; > > /* Maps an I/O priority class to a deadline scheduler priority. */ > @@ -157,8 +156,7 @@ deadline_latter_request(struct request *rq) > } > > /* > - * Return the first request for which blk_rq_pos() >= @pos. For zoned devices, > - * return the first request after the start of the zone containing @pos. > + * Return the first request for which blk_rq_pos() >= @pos. > */ > static inline struct request *deadline_from_pos(struct dd_per_prio *per_prio, > enum dd_data_dir data_dir, sector_t pos) > @@ -170,14 +168,6 @@ static inline struct request *deadline_from_pos(struct dd_per_prio *per_prio, > return NULL; > > rq = rb_entry_rq(node); > - /* > - * A zoned write may have been requeued with a starting position that > - * is below that of the most recently dispatched request. Hence, for > - * zoned writes, start searching from the start of a zone. > - */ > - if (blk_rq_is_seq_zoned_write(rq)) > - pos = round_down(pos, rq->q->limits.chunk_sectors); > - > while (node) { > rq = rb_entry_rq(node); > if (blk_rq_pos(rq) >= pos) { > @@ -308,36 +298,6 @@ static inline bool deadline_check_fifo(struct dd_per_prio *per_prio, > return time_is_before_eq_jiffies((unsigned long)rq->fifo_time); > } > > -/* > - * Check if rq has a sequential request preceding it. > - */ > -static bool deadline_is_seq_write(struct deadline_data *dd, struct request *rq) > -{ > - struct request *prev = deadline_earlier_request(rq); > - > - if (!prev) > - return false; > - > - return blk_rq_pos(prev) + blk_rq_sectors(prev) == blk_rq_pos(rq); > -} > - > -/* > - * Skip all write requests that are sequential from @rq, even if we cross > - * a zone boundary. > - */ > -static struct request *deadline_skip_seq_writes(struct deadline_data *dd, > - struct request *rq) > -{ > - sector_t pos = blk_rq_pos(rq); > - > - do { > - pos += blk_rq_sectors(rq); > - rq = deadline_latter_request(rq); > - } while (rq && blk_rq_pos(rq) == pos); > - > - return rq; > -} > - > /* > * For the specified data direction, return the next request to > * dispatch using arrival ordered lists. > @@ -346,40 +306,10 @@ static struct request * > deadline_fifo_request(struct deadline_data *dd, struct dd_per_prio *per_prio, > enum dd_data_dir data_dir) > { > - struct request *rq, *rb_rq, *next; > - unsigned long flags; > - > if (list_empty(&per_prio->fifo_list[data_dir])) > return NULL; > > - rq = rq_entry_fifo(per_prio->fifo_list[data_dir].next); > - if (data_dir == DD_READ || !blk_queue_is_zoned(rq->q)) > - return rq; > - > - /* > - * Look for a write request that can be dispatched, that is one with > - * an unlocked target zone. For some HDDs, breaking a sequential > - * write stream can lead to lower throughput, so make sure to preserve > - * sequential write streams, even if that stream crosses into the next > - * zones and these zones are unlocked. > - */ > - spin_lock_irqsave(&dd->zone_lock, flags); > - list_for_each_entry_safe(rq, next, &per_prio->fifo_list[DD_WRITE], > - queuelist) { > - /* Check whether a prior request exists for the same zone. */ > - rb_rq = deadline_from_pos(per_prio, data_dir, blk_rq_pos(rq)); > - if (rb_rq && blk_rq_pos(rb_rq) < blk_rq_pos(rq)) > - rq = rb_rq; > - if (blk_req_can_dispatch_to_zone(rq) && > - (blk_queue_nonrot(rq->q) || > - !deadline_is_seq_write(dd, rq))) > - goto out; > - } > - rq = NULL; > -out: > - spin_unlock_irqrestore(&dd->zone_lock, flags); > - > - return rq; > + return rq_entry_fifo(per_prio->fifo_list[data_dir].next); > } > > /* > @@ -390,36 +320,8 @@ static struct request * > deadline_next_request(struct deadline_data *dd, struct dd_per_prio *per_prio, > enum dd_data_dir data_dir) > { > - struct request *rq; > - unsigned long flags; > - > - rq = deadline_from_pos(per_prio, data_dir, > - per_prio->latest_pos[data_dir]); > - if (!rq) > - return NULL; > - > - if (data_dir == DD_READ || !blk_queue_is_zoned(rq->q)) > - return rq; > - > - /* > - * Look for a write request that can be dispatched, that is one with > - * an unlocked target zone. For some HDDs, breaking a sequential > - * write stream can lead to lower throughput, so make sure to preserve > - * sequential write streams, even if that stream crosses into the next > - * zones and these zones are unlocked. > - */ > - spin_lock_irqsave(&dd->zone_lock, flags); > - while (rq) { > - if (blk_req_can_dispatch_to_zone(rq)) > - break; > - if (blk_queue_nonrot(rq->q)) > - rq = deadline_latter_request(rq); > - else > - rq = deadline_skip_seq_writes(dd, rq); > - } > - spin_unlock_irqrestore(&dd->zone_lock, flags); > - > - return rq; > + return deadline_from_pos(per_prio, data_dir, > + per_prio->latest_pos[data_dir]); > } > > /* > @@ -525,10 +427,6 @@ static struct request *__dd_dispatch_request(struct deadline_data *dd, > rq = next_rq; > } > > - /* > - * For a zoned block device, if we only have writes queued and none of > - * them can be dispatched, rq will be NULL. > - */ > if (!rq) > return NULL; > > @@ -549,10 +447,6 @@ static struct request *__dd_dispatch_request(struct deadline_data *dd, > prio = ioprio_class_to_prio[ioprio_class]; > dd->per_prio[prio].latest_pos[data_dir] = blk_rq_pos(rq); > dd->per_prio[prio].stats.dispatched++; > - /* > - * If the request needs its target zone locked, do it. > - */ > - blk_req_zone_write_lock(rq); > rq->rq_flags |= RQF_STARTED; > return rq; > } > @@ -736,7 +630,6 @@ static int dd_init_sched(struct request_queue *q, struct elevator_type *e) > dd->fifo_batch = fifo_batch; > dd->prio_aging_expire = prio_aging_expire; > spin_lock_init(&dd->lock); > - spin_lock_init(&dd->zone_lock); > > /* We dispatch from request queue wide instead of hw queue */ > blk_queue_flag_set(QUEUE_FLAG_SQ_SCHED, q); > @@ -818,12 +711,6 @@ static void dd_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq, > > lockdep_assert_held(&dd->lock); > > - /* > - * This may be a requeue of a write request that has locked its > - * target zone. If it is the case, this releases the zone lock. > - */ > - blk_req_zone_write_unlock(rq); > - > prio = ioprio_class_to_prio[ioprio_class]; > per_prio = &dd->per_prio[prio]; > if (!rq->elv.priv[0]) { > @@ -855,18 +742,6 @@ static void dd_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq, > */ > rq->fifo_time = jiffies + dd->fifo_expire[data_dir]; > insert_before = &per_prio->fifo_list[data_dir]; > -#ifdef CONFIG_BLK_DEV_ZONED > - /* > - * Insert zoned writes such that requests are sorted by > - * position per zone. > - */ > - if (blk_rq_is_seq_zoned_write(rq)) { > - struct request *rq2 = deadline_latter_request(rq); > - > - if (rq2 && blk_rq_zone_no(rq2) == blk_rq_zone_no(rq)) > - insert_before = &rq2->queuelist; > - } > -#endif > list_add_tail(&rq->queuelist, insert_before); > } > } > @@ -901,33 +776,8 @@ static void dd_prepare_request(struct request *rq) > rq->elv.priv[0] = NULL; > } > > -static bool dd_has_write_work(struct blk_mq_hw_ctx *hctx) > -{ > - struct deadline_data *dd = hctx->queue->elevator->elevator_data; > - enum dd_prio p; > - > - for (p = 0; p <= DD_PRIO_MAX; p++) > - if (!list_empty_careful(&dd->per_prio[p].fifo_list[DD_WRITE])) > - return true; > - > - return false; > -} > - > /* > * Callback from inside blk_mq_free_request(). > - * > - * For zoned block devices, write unlock the target zone of > - * completed write requests. Do this while holding the zone lock > - * spinlock so that the zone is never unlocked while deadline_fifo_request() > - * or deadline_next_request() are executing. This function is called for > - * all requests, whether or not these requests complete successfully. > - * > - * For a zoned block device, __dd_dispatch_request() may have stopped > - * dispatching requests if all the queued requests are write requests directed > - * at zones that are already locked due to on-going write requests. To ensure > - * write request dispatch progress in this case, mark the queue as needing a > - * restart to ensure that the queue is run again after completion of the > - * request and zones being unlocked. > */ > static void dd_finish_request(struct request *rq) > { > @@ -942,21 +792,8 @@ static void dd_finish_request(struct request *rq) > * called dd_insert_requests(). Skip requests that bypassed I/O > * scheduling. See also blk_mq_request_bypass_insert(). > */ > - if (!rq->elv.priv[0]) > - return; > - > - atomic_inc(&per_prio->stats.completed); > - > - if (blk_queue_is_zoned(q)) { > - unsigned long flags; > - > - spin_lock_irqsave(&dd->zone_lock, flags); > - blk_req_zone_write_unlock(rq); > - spin_unlock_irqrestore(&dd->zone_lock, flags); > - > - if (dd_has_write_work(rq->mq_hctx)) > - blk_mq_sched_mark_restart_hctx(rq->mq_hctx); > - } > + if (rq->elv.priv[0]) > + atomic_inc(&per_prio->stats.completed); > } > > static bool dd_has_work_for_prio(struct dd_per_prio *per_prio) > @@ -1280,7 +1117,6 @@ static struct elevator_type mq_deadline = { > .elevator_attrs = deadline_attrs, > .elevator_name = "mq-deadline", > .elevator_alias = "deadline", > - .elevator_features = ELEVATOR_F_ZBD_SEQ_WRITE, > .elevator_owner = THIS_MODULE, > }; > MODULE_ALIAS("mq-deadline-iosched"); -- Damien Le Moal Western Digital Research

3 days, 6 hours

1
0
0 0

PROBLEM: hwclock busted w/ M48T59 RTC (regression)

by Nick Bowler

Hi, After a stable kernel update, the hwclock command seems no longer functional on my SPARC system with an ST M48T59Y-70PC1 RTC: # hwclock [...long delay...] hwclock: select() to /dev/rtc0 to wait for clock tick timed out On prior kernels, there is no problem: # hwclock 2025-10-22 22:21:04.806992-04:00 I reproduced the same failure on 6.18-rc2 and bisected to this commit: commit 795cda8338eab036013314dbc0b04aae728880ab Author: Esben Haabendal <esben(a)geanix.com> Date: Fri May 16 09:23:35 2025 +0200 rtc: interface: Fix long-standing race when setting alarm This commit was backported to all current 6.x stable branches, as well as 5.15.x, so they all have the same regression. Reverting this commit on top of 6.18-rc2 corrects the problem. Let me know if you need any more info! Thanks, Nick

3 days, 9 hours

4
8
0 0

Live Design International 2025 Visitor List

by Sofia Nora

Hi, With Live Design International 2025 (LDI) concluded, I wanted to personally offer you exclusive access to our Visitor Contact List, featuring 16,956 fully verified leads, along with all on-site walk-ins. Each entry includes Name, Job Title, Company, Website, Address, Phone, Official Email and more. If you’d like more details, simply reply, “Send me pricing.” Kind Regards, Rose Sr. Demand Generation P.S. Not the right fit? Reply “Unfollow” to opt out.

3 days, 12 hours

1
0
0 0

[PATCH v2] net: dsa: Fix error handling in dsa_port_parse_of

by Ma Ke

When of_find_net_device_by_node() successfully acquires a reference to a network device but the subsequent call to dsa_port_parse_cpu() fails, dsa_port_parse_of() returns without releasing the reference count on the network device. of_find_net_device_by_node() increments the reference count of the returned structure, which should be balanced with a corresponding put_device() when the reference is no longer needed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: deff710703d8 ("net: dsa: Allow default tag protocol to be overridden from DT") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - simplified the patch as suggestions; - modified the Fixes tag as suggestions. --- net/dsa/dsa.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c index a20efabe778f..31b409a47491 100644 --- a/net/dsa/dsa.c +++ b/net/dsa/dsa.c @@ -1247,6 +1247,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) struct device_node *ethernet = of_parse_phandle(dn, "ethernet", 0); const char *name = of_get_property(dn, "label", NULL); bool link = of_property_read_bool(dn, "link"); + int err = 0; dp->dn = dn; @@ -1260,7 +1261,11 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) return -EPROBE_DEFER; user_protocol = of_get_property(dn, "dsa-tag-protocol", NULL); - return dsa_port_parse_cpu(dp, conduit, user_protocol); + err = dsa_port_parse_cpu(dp, conduit, user_protocol); + if (err) + put_device(conduit); + + return err; } if (link) -- 2.17.1

3 days, 13 hours

3
4
0 0

[PATCH v2] ocfs2: fix kernel BUG in ocfs2_write_block

by Prithvi Tambewagh

When the filesystem is being mounted, the kernel panics while the data regarding slot map allocation to the local node, is being written to the disk. This occurs because the value of slot map buffer head block number, which should have been greater than or equal to `OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2) is less than it, indicative of disk metadata corruption. This triggers BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(), causing the kernel to panic. This is fixed by introducing an if condition block in ocfs2_update_disk_slot(), right before calling ocfs2_write_block(), which checks if `bh->b_blocknr` is lesser than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then ocfs2_error is called, which prints the error log, for debugging purposes, and the return value of ocfs2_error() is returned back to caller of ocfs2_update_disk_slot() i.e. ocfs2_find_slot(). If the return value is zero. then error code EIO is returned. Reported-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0 Tested-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- v1->v2: - Remove usage of le16_to_cpu() from ocfs2_error() - Cast bh->b_blocknr to unsigned long long - Remove type casting for OCFS2_SUPER_BLOCK_BLKNO - Fix Sparse warnings reported in v1 by kernel test robot - Update title from 'ocfs2: Fix kernel BUG in ocfs2_write_block' to 'ocfs2: fix kernel BUG in ocfs2_write_block' v1 link: https://lore.kernel.org/all/20251206154819.175479-1-activprithvi@gmail.com/… fs/ocfs2/slot_map.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..e916a2e8f92d 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -193,6 +193,16 @@ static int ocfs2_update_disk_slot(struct ocfs2_super *osb, else ocfs2_update_disk_slot_old(si, slot_num, &bh); spin_unlock(&osb->osb_lock); + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + status = ocfs2_error(osb->sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >= %d", + (unsigned long long)bh->b_blocknr, + OCFS2_SUPER_BLOCK_BLKNO); + if (!status) + return -EIO; + return status; + } status = ocfs2_write_block(osb, bh, INODE_CACHE(si->si_inode)); if (status < 0) base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 -- 2.43.0

3 days, 13 hours

4
4
0 0

LDI Show 2025 Buyer Contacts

by Megan Castillo

Hi Exhibitor, Hope you had a successful experience at LDI Show 2025 (Dec 3–9, Las Vegas). We have access to a verified list of 13,594 attendees across the live events, lighting, audio, staging, and production-technology sectors. This includes lighting designers, audio engineers, production managers, AV integrators, stage/rigging technicians, venue operations heads, broadcast specialists, and other key live-event decision-makers. Don’t miss the opportunity to connect with high-quality prospects after the event. If interested, kindly reply “Send Pricing” to receive the details. Best regards, Megan Castillo Senior Market Analyst To opt-out, reply “Not Interested”.

3 days, 14 hours

1
0
0 0

[PATCH RESEND] drm/kmb: Fix error handling in kmb_probe

by Ma Ke

kmb_probe() obtain a reference to a platform device by of_find_device_by_node(). This call increases the reference count of the returned device, which should be dropped by calling put_device() when the device is no longer needed. However, the code fails to call put_device() in several error handling paths and the normal device removal path. This could result in reference count leaks that prevent the proper cleanup of the platform device when the driver is unloaded or during error recovery. Add put_device() in all code paths where dsi_pdev is no longer needed, including error paths and the normal removal path. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 7f7b96a8a0a1 ("drm/kmb: Add support for KeemBay Display") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/kmb/kmb_drv.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c index 7c2eb1152fc2..9733337abe92 100644 --- a/drivers/gpu/drm/kmb/kmb_drv.c +++ b/drivers/gpu/drm/kmb/kmb_drv.c @@ -474,6 +474,8 @@ static void kmb_remove(struct platform_device *pdev) /* Unregister DSI host */ kmb_dsi_host_unregister(kmb->kmb_dsi); + if (kmb->kmb_dsi && kmb->kmb_dsi->pdev) + put_device(&kmb->kmb_dsi->pdev->dev); drm_atomic_helper_shutdown(drm); } @@ -518,17 +520,20 @@ static int kmb_probe(struct platform_device *pdev) ret = kmb_dsi_host_bridge_init(get_device(&dsi_pdev->dev)); if (ret == -EPROBE_DEFER) { - return -EPROBE_DEFER; + ret = -EPROBE_DEFER; + goto err_free2; } else if (ret) { DRM_ERROR("probe failed to initialize DSI host bridge\n"); - return ret; + goto err_free2; } /* Create DRM device */ kmb = devm_drm_dev_alloc(dev, &kmb_driver, struct kmb_drm_private, drm); - if (IS_ERR(kmb)) - return PTR_ERR(kmb); + if (IS_ERR(kmb)) { + ret = PTR_ERR(kmb); + goto err_free2; + } dev_set_drvdata(dev, &kmb->drm); @@ -577,7 +582,8 @@ static int kmb_probe(struct platform_device *pdev) err_free1: dev_set_drvdata(dev, NULL); kmb_dsi_host_unregister(kmb->kmb_dsi); - +err_free2: + put_device(&dsi_pdev->dev); return ret; } -- 2.17.1

3 days, 18 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror