- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.18.3 release. There are 430 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 31 Dec 2025 16:06:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.3-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.18.3-rc1 Cheng Ding <cding(a)ddn.com> fuse: missing copy_finish in fuse-over-io-uring argument copies Joanne Koong <joannelkoong(a)gmail.com> fuse: fix readahead reclaim deadlock Joanne Koong <joannelkoong(a)gmail.com> fuse: fix io-uring list corruption for terminated non-committed requests Johan Hovold <johan(a)kernel.org> iommu/mediatek: fix use-after-free on probe deferral Damien Le Moal <dlemoal(a)kernel.org> block: freeze queue when updating zone resources Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: dts: microchip: sama7d65: fix uart fifo size to 32 Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Gui-Dong Han <hanguidong02(a)gmail.com> hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU Gui-Dong Han <hanguidong02(a)gmail.com> hwmon: (w83791d) Convert macros to functions to avoid TOCTOU Johan Hovold <johan(a)kernel.org> hwmon: (max6697) fix regmap leak on probe failure Gui-Dong Han <hanguidong02(a)gmail.com> hwmon: (max16065) Use local variable to avoid TOCTOU Joanne Koong <joannelkoong(a)gmail.com> io_uring/rsrc: fix lost entries after cloned range Raviteja Laggyshetty <quic_rlaggysh(a)quicinc.com> interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes Ma Ke <make24(a)iscas.ac.cn> i2c: amd-mp2: fix reference leak in MP2 PCI device Eric Biggers <ebiggers(a)kernel.org> lib/crypto: riscv: Depend on RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> platform/x86: intel: chtwc_int33fe: don't dereference swnode args Biju Das <biju.das.jz(a)bp.renesas.com> pwm: rzg2l-gpt: Allow checking period_tick cache value only if sibling channel is enabled Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> rpmsg: glink: fix rpmsg device leak Tomas Glozar <tglozar(a)redhat.com> rtla/timerlat_bpf: Stop tracing on user latency Johan Hovold <johan(a)kernel.org> soc: amlogic: canvas: fix device leak on lookup Johan Hovold <johan(a)kernel.org> soc: apple: mailbox: fix device leak on lookup Johan Hovold <johan(a)kernel.org> soc: qcom: ocmem: fix device leak on lookup Johan Hovold <johan(a)kernel.org> soc: qcom: pbs: fix device leak on lookup Johan Hovold <johan(a)kernel.org> soc: samsung: exynos-pmu: fix device leak on regmap lookup Steven Rostedt <rostedt(a)goodmis.org> tracing: Fix fixed array of synthetic event Raghavendra Rao Ananta <rananta(a)google.com> vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd() Miaoqian Lin <linmq006(a)gmail.com> virtio: vdpa: Fix reference count leak in octep_sriov_enable() Damien Le Moal <dlemoal(a)kernel.org> zloop: make the write pointer of full zones invalid Damien Le Moal <dlemoal(a)kernel.org> zloop: fail zone append operations that are targeting full zones Johan Hovold <johan(a)kernel.org> amba: tegra-ahb: Fix device leak on SMMU enable Eric Biggers <ebiggers(a)kernel.org> crypto: arm64/ghash - Fix incorrect output from ghash-neon Guangshuo Li <lgs201920130244(a)gmail.com> crypto: caam - Add check for kcalloc() in test_len() Shivani Agarwal <shivani.agarwal(a)broadcom.com> crypto: af_alg - zero initialize memory allocated via sock_kmalloc Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets Krzysztof Kozlowski <krzk(a)kernel.org> dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets Jani Nikula <jani.nikula(a)intel.com> drm/displayid: pass iter to drm_find_displayid_extension() Ray Wu <ray.wu(a)amd.com> drm/amd/display: Fix scratch registers offsets for DCN351 Ray Wu <ray.wu(a)amd.com> drm/amd/display: Fix scratch registers offsets for DCN35 Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Mario Limonciello <mario.limonciello(a)amd.com> Revert "drm/amd/display: Fix pbn to kbps Conversion" Xi Ruoyao <xry111(a)xry111.site> gpio: loongson: Switch 2K2000/3000 GPIO to BYTE_CTRL_MODE Askar Safin <safinaskar(a)gmail.com> gpiolib: acpi: Add quirk for Dell Precision 7780 Wentao Guan <guanwentao(a)uniontech.com> gpio: regmap: Fix memleak in error path in gpio_regmap_register() Sven Schnelle <svens(a)linux.ibm.com> s390/ipl: Clear SBP flag when bootprog is set Shakeel Butt <shakeel.butt(a)linux.dev> cgroup: rstat: use LOCK CMPXCHG in css_rstat_updated Filipe Manana <fdmanana(a)suse.com> btrfs: don't log conflicting inode if it's a dir moved in the current transaction Nysal Jan K.A. <nysal(a)linux.ibm.com> powerpc/kexec: Enable SMT before waking offline CPUs Joshua Rogers <linux(a)joshua.hu> SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Joshua Rogers <linux(a)joshua.hu> svcrdma: use rc_pageoff for memcpy byte offset Joshua Rogers <linux(a)joshua.hu> svcrdma: return 0 on success from svc_rdma_copy_inline_range Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> nfsd: Mark variable __maybe_unused to avoid W=1 build break Joshua Rogers <linux(a)joshua.hu> svcrdma: bound check rq_pages index in inline path Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-topology: Convert FLOAT to S32 during blob selection Chuck Lever <chuck.lever(a)oracle.com> NFSD: Clear TIME_DELEG in the suppattr_exclcreat bitmap Antheas Kapenekakis <lkml(a)antheas.dev> ALSA: hda/realtek: Add Asus quirk for TAS amplifiers Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-topology: Prefer 32-bit DMIC blobs for 8-bit formats as well Chuck Lever <chuck.lever(a)oracle.com> NFSD: NFSv4 file creation neglects setting ACL Chuck Lever <chuck.lever(a)oracle.com> NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap caoping <caoping(a)cmss.chinamobile.com> net/handshake: restore destructor on submit failure Amir Goldstein <amir73il(a)gmail.com> fsnotify: do not generate ACCESS/MODIFY events on child for special files Thorsten Blum <thorsten.blum(a)linux.dev> net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write René Rebe <rene(a)exactco.de> r8169: fix RTL8117 Wake-on-Lan in DASH mode Charles Mirabile <cmirabil(a)redhat.com> lib/crypto: riscv: Add poly1305-core.S to .gitignore Mark Brown <broonie(a)kernel.org> arm64/gcs: Flush the GCS locking state on exec Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: runtime: Do not clear needs_force_resume with enabled runtime PM Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not register unsupported perf events Christoph Hellwig <hch(a)lst.de> xfs: validate that zoned RT devices are zone aligned Darrick J. Wong <djwong(a)kernel.org> xfs: fix a UAF problem in xattr repair Christoph Hellwig <hch(a)lst.de> xfs: fix the zoned RT growfs check for zone alignment Darrick J. Wong <djwong(a)kernel.org> xfs: fix stupid compiler warning Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> xfs: fix a memory leak in xfs_buf_item_init() Gavin Shan <gshan(a)redhat.com> KVM: selftests: Add missing "break" in rseq_test's param parsing Sean Christopherson <seanjc(a)google.com> KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2} Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Dongli Zhang <dongli.zhang(a)oracle.com> KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Sean Christopherson <seanjc(a)google.com> KVM: TDX: Explicitly set user-return MSRs that *may* be clobbered by the TDX-Module Jim Mattson <jmattson(a)google.com> KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Wanpeng Li <wanpengli(a)tencent.com> KVM: Fix last_boosted_vcpu index assignment bug Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Sean Christopherson <seanjc(a)google.com> KVM: selftests: Forcefully override ARCH from x86_64 to x86 Jim Mattson <jmattson(a)google.com> KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE fuqiang wang <fuqiang.wng(a)gmail.com> KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer fuqiang wang <fuqiang.wng(a)gmail.com> KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Sean Christopherson <seanjc(a)google.com> KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Finn Thain <fthain(a)linux-m68k.org> powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf() Ilya Dryomov <idryomov(a)gmail.com> libceph: make decode_pool() more resilient against corrupted osdmaps Vivian Wang <wangruikang(a)iscas.ac.cn> lib/crypto: riscv/chacha: Avoid s0/fp register Dongsheng Yang <dongsheng.yang(a)linux.dev> dm-pcache: advance slot index before writing slot Helge Deller <deller(a)gmx.de> parisc: Do not reprogram affinitiy on ASP chip Zhichi Lin <zhichi.lin(a)vivo.com> scs: fix a wrong parameter in __scs_magic Wangao Wang <wangao.wang(a)oss.qualcomm.com> media: iris: Add sanity check for stop streaming Tzung-Bi Shih <tzungbi(a)kernel.org> platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Maxim Levitsky <mlevitsk(a)redhat.com> KVM: x86: Don't clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Prithvi Tambewagh <activprithvi(a)gmail.com> ocfs2: fix kernel BUG in ocfs2_find_victim_chain Jeongjun Park <aha310510(a)gmail.com> media: vidtv: initialize local pointers upon transfer of memory ownership Deepanshu Kartikey <kartikey406(a)gmail.com> mm/slub: reset KASAN tag in defer_free() before accessing freed memory Sean Christopherson <seanjc(a)google.com> KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> pinctrl: renesas: rzg2l: Fix ISEL restore on resume Alison Schofield <alison.schofield(a)intel.com> tools/testing/nvdimm: Use per-DIMM device handle Chao Yu <chao(a)kernel.org> f2fs: fix return value of f2fs_recover_fsync_data() Chao Yu <chao(a)kernel.org> f2fs: fix to not account invalid blocks in get_left_section_blocks() Chao Yu <chao(a)kernel.org> f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Xiaole He <hexiaole1994(a)126.com> f2fs: fix uninitialized one_time_gc in victim_sel_policy Xiaole He <hexiaole1994(a)126.com> f2fs: fix age extent cache insertion skip on counter overflow Chao Yu <chao(a)kernel.org> f2fs: use global inline_xattr_slab instead of per-sb slab cache Deepanshu Kartikey <kartikey406(a)gmail.com> f2fs: invalidate dentry cache on failed whiteout creation Chao Yu <chao(a)kernel.org> f2fs: fix to avoid updating zero-sized extent in extent cache Chao Yu <chao(a)kernel.org> f2fs: fix to propagate error from f2fs_enable_checkpoint() Chao Yu <chao(a)kernel.org> f2fs: fix to avoid potential deadlock Chao Yu <chao(a)kernel.org> f2fs: fix to avoid updating compression context during writeback Jan Prusakowski <jprusakowski(a)google.com> f2fs: ensure node page reads complete before f2fs_put_super() finishes Seunghwan Baek <sh8267.baek(a)samsung.com> scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow Andrey Vatoropin <a.vatoropin(a)crpt.ru> scsi: target: Reset t_task_cdb pointer in error case Dai Ngo <dai.ngo(a)oracle.com> NFSD: use correct reservation type in nfsd4_scsi_fence_client Junrui Luo <moonafterrain(a)outlook.com> scsi: aic94xx: fix use-after-free in device removal path Tony Battersby <tonyb(a)cybernetics.com> scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Miaoqian Lin <linmq006(a)gmail.com> cpufreq: nforce2: fix reference count leak in nforce2 Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: governors: teo: Drop misguided target residency check Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> serial: sh-sci: Check that the DMA cookie is valid j.turek <jakub.turek(a)elsta.tech> serial: xilinx_uartps: fix rs485 delay_rts_after_send Alexander Stein <alexander.stein(a)ew.tq-group.com> serial: core: Fix serial device initialization Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: core: Restore sysfs fwnode information Junxiao Chang <junxiao.chang(a)intel.com> mei: gsc: add dependency on Xe driver Ma Ke <make24(a)iscas.ac.cn> mei: Fix error handling in mei_register Ma Ke <make24(a)iscas.ac.cn> intel_th: Fix error handling in intel_th_output_open Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> dt-bindings: slimbus: fix warning from example Tianchu Chen <flynnnchen(a)tencent.com> char: applicom: fix NULL pointer dereference in ac_ioctl Łukasz Bartosik <ukaszb(a)chromium.org> xhci: dbgtty: fix device unregister: fixup Haoxiang Li <haoxiang_li2024(a)163.com> usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Udipto Goswami <udipto.goswami(a)oss.qualcomm.com> usb: dwc3: keep susphy enabled during exit to avoid controller faults Miaoqian Lin <linmq006(a)gmail.com> usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Johan Hovold <johan(a)kernel.org> usb: gadget: lpc32xx_udc: fix clock imbalance in error path Johan Hovold <johan(a)kernel.org> usb: phy: isp1301: fix non-OF device reference imbalance Duoming Zhou <duoming(a)zju.edu.cn> usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Ma Ke <make24(a)iscas.ac.cn> USB: lpc32xx_udc: Fix error handling in probe Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe() Arnd Bergmann <arnd(a)arndb.de> usb: typec: ucsi: huawei-gaokin: add DRM dependency Johan Hovold <johan(a)kernel.org> usb: ohci-nxp: fix device leak on probe failure Johan Hovold <johan(a)kernel.org> phy: broadcom: bcm63xx-usbh: fix section mismatches Colin Ian King <colin.i.king(a)gmail.com> media: pvrusb2: Fix incorrect variable used in trace message Jeongjun Park <aha310510(a)gmail.com> media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Chen Changcheng <chenchangcheng(a)kylinos.cn> usb: usb-storage: Maintain minimal modifications to the bcdDevice range. Paolo Abeni <pabeni(a)redhat.com> mptcp: avoid deadlock on fallback while reinjecting Paolo Abeni <pabeni(a)redhat.com> mptcp: schedule rtx timer only after pushing data Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: pm: ensure unknown flags are ignored Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: ignore unknown endpoint flags Harry Yoo <harry.yoo(a)oracle.com> mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction Hans de Goede <johannes.goede(a)oss.qualcomm.com> dma-mapping: Fix DMA_BIT_MASK() macro being broken Sourabh Jain <sourabhjain(a)linux.ibm.com> crash: let architecture decide crash memory export to iomem_resource Jarkko Sakkinen <jarkko(a)kernel.org> tpm2-sessions: Fix tpm2_read_public range checks Jarkko Sakkinen <jarkko(a)kernel.org> tpm2-sessions: Fix out of range indexing in name_size Wei Yang <richard.weiyang(a)gmail.com> mm/huge_memory: add pmd folio to ds_queue in do_huge_zero_wp_pmd() Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> media: v4l2-mem2mem: Fix outdated documentation xu xin <xu.xin16(a)zte.com.cn> mm/ksm: fix exec/fork inheritance support for prctl Bart Van Assche <bvanassche(a)acm.org> block: Remove queue freezing from several sysfs store callbacks Byungchul Park <byungchul(a)sk.com> jbd2: use a weaker annotation in journal handling Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Baokun Li <libaokun1(a)huawei.com> ext4: align max orphan file size with e2fsprogs limit Yongjian Sun <sunyongjian1(a)huawei.com> ext4: fix incorrect group number assertion in mb_check_buddy Haibo Chen <haibo.chen(a)nxp.com> ext4: clear i_state_flags when alloc inode Karina Yankevich <k.yankevich(a)omp.ru> ext4: xattr: fix null pointer deref in ext4_raw_inode() Fedor Pchelkin <pchelkin(a)ispras.ru> ext4: check if mount_opts is NUL-terminated in ext4_ioctl_set_tune_sb() Fedor Pchelkin <pchelkin(a)ispras.ru> ext4: fix string copying in parse_apply_sb_mount_options() John Ogness <john.ogness(a)linutronix.de> printk: Avoid irq_work for printk_deferred() on suspend John Ogness <john.ogness(a)linutronix.de> printk: Allow printk_trigger_flush() to flush all types Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> fs: PM: Fix reverse check in filesystems_freeze_callback() Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Cap the number of PCR banks Steven Rostedt <rostedt(a)goodmis.org> ktest.pl: Fix uninitialized var in config-bisect.pl Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: fix mount failure for sparse runs in run_unpack() Zheng Yejian <zhengyejian(a)huaweicloud.com> kallsyms: Fix wrong "big" kernel symbol type read from procfs Eric Biggers <ebiggers(a)kernel.org> crypto: scatterwalk - Fix memcpy_sglist() to always succeed Rene Rebe <rene(a)exactco.de> floppy: fix for PAGE_SIZE != 4KB Ye Bin <yebin10(a)huawei.com> jbd2: fix the inconsistency between checksum and data in memory for journal sb Li Chen <chenl311(a)chinatelecom.cn> block: rate-limit capacity change info log Alexey Velichayshiy <a.velichayshiy(a)ispras.ru> gfs2: fix freeze error handling Josef Bacik <josef(a)toxicpanda.com> btrfs: don't rewrite ret from inode_permission Sven Eckelmann (Plasma Cloud) <se(a)simonwunderlich.de> wifi: mt76: Fix DTS power-limits on little endian systems Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: Fix gendisk parent after copy pair swap Eric Biggers <ebiggers(a)kernel.org> lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Ma Ke <make24(a)iscas.ac.cn> perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister() Ard Biesheuvel <ardb(a)kernel.org> efi: Add missing static initializer for efi_mm::cpus_allowed_lock André Draszik <andre.draszik(a)linaro.org> phy: exynos5-usbdrd: fix clock prepare imbalance Alexey Minnekhanov <alexeymin(a)postmarketos.org> dt-bindings: clock: mmcc-sdm660: Add missing MDSS reset Sarthak Garg <sarthak.garg(a)oss.qualcomm.com> mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Avadhut Naik <avadhut.naik(a)amd.com> x86/mce: Do not clear bank's poll bit in mce_poll_banks on AMD SMCA systems Tejun Heo <tj(a)kernel.org> sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq() Tejun Heo <tj(a)kernel.org> sched_ext: Fix bypass depth leak on scx_enable() failure Zqiang <qiang.zhang(a)linux.dev> sched_ext: Fix the memleak for sch->helper objects Tejun Heo <tj(a)kernel.org> sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue() John Ogness <john.ogness(a)linutronix.de> printk: Avoid scheduling irq_work on suspend Prithvi Tambewagh <activprithvi(a)gmail.com> io_uring: fix filename leak in __io_openat_prep() Jens Axboe <axboe(a)kernel.dk> io_uring: fix min_wait wakeups for SQPOLL Jens Axboe <axboe(a)kernel.dk> io_uring/poll: correctly handle io_poll_add() return value on update Johan Hovold <johan(a)kernel.org> clk: keystone: syscon-clk: fix regmap leak on probe failure Jarkko Sakkinen <jarkko(a)kernel.org> KEYS: trusted: Fix a memory leak in tpm2_load_cmd Alice Ryhl <aliceryhl(a)google.com> rust: io: add typedef for phys_addr_t Alice Ryhl <aliceryhl(a)google.com> rust: io: move ResourceSize to top-level io module Alice Ryhl <aliceryhl(a)google.com> rust: io: define ResourceSize as resource_size_t Marko Turk <mt(a)markoturk.info> samples: rust: fix endianness issue in rust_driver_pci FUJITA Tomonori <fujita.tomonori(a)gmail.com> rust: dma: add helpers for architectures without CONFIG_HAS_DMA Alice Ryhl <aliceryhl(a)google.com> rust_binder: avoid mem::take on delivered_deaths Lyude Paul <lyude(a)redhat.com> rust/drm/gem: Fix missing header in `Object` rustdoc Zilin Guan <zilin(a)seu.edu.cn> cifs: Fix memory and information leak in smb3_reconfigure() Stefano Garzarella <sgarzare(a)redhat.com> vhost/vsock: improve RCU read sections around vhost_vsock_get() Dan Carpenter <dan.carpenter(a)linaro.org> block: rnbd-clt: Fix signedness bug in init_dev() Caleb Sander Mateos <csander(a)purestorage.com> ublk: clean up user copy references on ublk server exit Alok Tiwari <alok.a.tiwari(a)oracle.com> drm/msm/a6xx: move preempt_prepare_postamble after error check Neil Armstrong <neil.armstrong(a)linaro.org> drm/msm: adreno: fix deferencing ifpc_reglist when not declared John Garry <john.g.garry(a)oracle.com> scsi: scsi_debug: Fix atomic write enable module param description Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Pei Xiao <xiaopei01(a)kylinos.cn> hwmon: (emc2305) fix double put in emc2305_probe_childs_from_dt Justin Tee <justintee8345(a)gmail.com> nvme-fabrics: add ENOKEY to no retry criteria for authentication failures Pei Xiao <xiaopei01(a)kylinos.cn> hwmon: (emc2305) fix device node refcount leak in error path Daniel Wagner <wagi(a)kernel.org> nvme-fc: don't hold rport lock when putting ctrl Derek J. Clark <derekjohn.clark(a)gmail.com> platform/x86: wmi-gamezone: Add Legion Go 2 Quirks Jinhui Guo <guojinhui.liam(a)bytedance.com> i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Jens Reidel <adrian(a)mainlining.org> clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src Ian Rogers <irogers(a)google.com> libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Wenhua Lin <Wenhua.Lin(a)unisoc.com> serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Don't unchain link TRBs on quirky HCs Chen Changcheng <chenchangcheng(a)kylinos.cn> usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive. Hongyu Xie <xiehongyu1(a)kylinos.cn> usb: xhci: limit run_graceperiod for only usb 3.0 devices Pei Xiao <xiaopei01(a)kylinos.cn> iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Mark Pearson <mpearson-lenovo(a)squebb.ca> usb: typec: ucsi: Handle incorrect num_connectors capability Lizhi Xu <lizhi.xu(a)windriver.com> usbip: Fix locking bug in RT-enabled kernels Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: zero out post-EOF page cache on file extension Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix remount failure in different process environments Encrow Thorne <jyc0019(a)gmail.com> reset: fix BIT macro reference Al Viro <viro(a)zeniv.linux.org.uk> functionfs: fix the open/removal races Li Qiang <liqiang01(a)kylinos.cn> via_wdt: fix critical boot hang due to unnamed resource allocation Bernd Schubert <bschubert(a)ddn.com> fuse: Invalidate the page cache after FOPEN_DIRECT_IO write Bernd Schubert <bschubert(a)ddn.com> fuse: Always flush the page cache before FOPEN_DIRECT_IO write Tony Battersby <tonyb(a)cybernetics.com> scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Tony Battersby <tonyb(a)cybernetics.com> scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Tony Battersby <tonyb(a)cybernetics.com> scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Ben Collins <bcollins(a)kernel.org> powerpc/addnote: Fix overflow on 32-bit builds Josua Mayer <josua(a)solid-run.com> clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI David Strahan <David.Strahan(a)microchip.com> scsi: smartpqi: Add support for Hurray Data new controller PCI device Matthias Schiffer <matthias.schiffer(a)tq-group.com> ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Johannes Berg <johannes.berg(a)intel.com> um: init cpu_tasks[] earlier Peng Fan <peng.fan(a)nxp.com> firmware: imx: scu-irq: Init workqueue before request mbox channel Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix shutdown/suspend race condition Jinhui Guo <guojinhui.liam(a)bytedance.com> ipmi: Fix __scan_channels() failing to rescan channels Jinhui Guo <guojinhui.liam(a)bytedance.com> ipmi: Fix the race between __scan_channels() and deliver_response() Stefan Binding <sbinding(a)opensource.cirrus.com> ASoC: ops: fix snd_soc_get_volsw for sx controls Shuming Fan <shumingf(a)realtek.com> ASoC: SDCA: support Q7.8 volume format Shardul Bankar <shardul.b(a)mpiricsoftware.com> nfsd: fix memory leak in nfsd_create_serv error paths Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: ak4458: remove the reset operation in probe and remove Shipei Qu <qu(a)darknavy.com> ALSA: usb-mixer: us16x08: validate meter packet indices Haotian Zhang <vulab(a)iscas.ac.cn> ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path Haotian Zhang <vulab(a)iscas.ac.cn> ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Chancel Liu <chancel.liu(a)nxp.com> ASoC: fsl_sai: Constrain sample rates from audio PLLs only in master mode Tal Zussman <tz2294(a)columbia.edu> x86/mm/tlb/trace: Export the TLB_REMOTE_WRONG_CPU enum in <trace/events/tlb.h> Yongxin Liu <yongxin.liu(a)windriver.com> x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures Thomas Gleixner <tglx(a)linutronix.de> x86/msi: Make irq_retrigger() functional for posted MSI Peter Zijlstra <peterz(a)infradead.org> x86/bug: Fix old GCC compile fails Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Andrew Jeffery <andrew(a)codeconstruct.com.au> dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Sai Krishna Potthuri <sai.krishna.potthuri(a)amd.com> mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds Jared Kangas <jkangas(a)redhat.com> mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Christophe Leroy <christophe.leroy(a)csgroup.eu> spi: fsl-cpm: Check length parity before switching to 16 bit mode Pengjie Zhang <zhangpengjie2(a)huawei.com> ACPI: CPPC: Fix missing PCC check for guaranteed_perf Pengjie Zhang <zhangpengjie2(a)huawei.com> ACPI: PCC: Fix race condition by removing static qualifier Yongxin Liu <yongxin.liu(a)windriver.com> platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak Kartik Rajput <kkartik(a)nvidia.com> soc/tegra: fuse: Do not register SoC device on ACPI boot Marc Kleine-Budde <mkl(a)pengutronix.de> can: gs_usb: gs_can_open(): fix error handling Christoph Hellwig <hch(a)lst.de> xfs: don't leak a locked dquot when xfs_dquot_attach_buf fails Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Duoming Zhou <duoming(a)zju.edu.cn> Input: alps - fix use-after-free bugs caused by dev3_register_work Minseong Kim <ii4gsp(a)gmail.com> Input: lkkbd - disable pending work before freeing device Junjie Cao <junjie.cao(a)intel.com> Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Sanjay Govind <sanjay.govind9(a)gmail.com> Input: xpad - add support for CRKD Guitars Sasha Finkelstein <fnkl.kernel(a)gmail.com> Input: apple_z2 - fix reading incorrect reports after exiting sleep Ping Cheng <pinglinux(a)gmail.com> HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix buffer validation by including null terminator size in EA length Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: Fix refcount leak when invalid session is found on session lookup Qianchang Zhao <pioooooooooip(a)gmail.com> ksmbd: skip lock-range check on equal size to avoid size==0 underflow Nuno Sá <nuno.sa(a)analog.com> hwmon: (ltc4282): Fix reset_history file permissions Rob Herring (Arm) <robh(a)kernel.org> arm64: dts: mediatek: Apply mt8395-radxa DT overlay at build time Sairaj Kodilkar <sarunkod(a)amd.com> amd/iommu: Preserve domain ids inside the kdump kernel Ashutosh Dixit <ashutosh.dixit(a)intel.com> drm/xe/oa: Always set OAG_OAGLBCTXCTRL_COUNTER_RESUME Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/oa: Limit num_syncs to prevent oversized allocations Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Limit num_syncs to prevent oversized allocations Thomas Fourier <fourier.thomas(a)gmail.com> block: rnbd-clt: Fix leaked ID in init_dev() Ming Lei <ming.lei(a)redhat.com> ublk: fix deadlock when reading partition table Ming Lei <ming.lei(a)redhat.com> ublk: refactor auto buffer register in ublk_dispatch_req() Ming Lei <ming.lei(a)redhat.com> ublk: add `union ublk_io_buf` with improved naming Ming Lei <ming.lei(a)redhat.com> ublk: add parameter `struct io_uring_cmd *` to ublk_prep_auto_buf_reg() huang-jl <huang-jl(a)deepseek.com> io_uring: fix nr_segs calculation in io_import_kbuf Anurag Dutta <a-dutta(a)ti.com> spi: cadence-quadspi: Fix clock disable on probe failure path Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a job->pasid access race in gpu recovery Jianpeng Chang <jianpeng.chang.cn(a)windriver.com> arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder Juergen Gross <jgross(a)suse.com> x86/xen: Fix sparse warning in enlighten_pv.c Marijn Suijten <marijn.suijten(a)somainline.org> drm/panel: sony-td4353-jdi: Enable prepare_prev_first Haoxiang Li <haoxiang_li2024(a)163.com> MIPS: Fix a reference leak bug in ip22_check_gio() Jan Maslak <jan.maslak(a)intel.com> drm/xe: Restore engine registers before restarting schedulers after GT reset Jagmeet Randhawa <jagmeet.randhawa(a)intel.com> drm/xe: Increase TDF timeout Junxiao Chang <junxiao.chang(a)intel.com> drm/me/gsc: mei interrupt top half should be in irq disabled context Arnd Bergmann <arnd(a)arndb.de> drm/xe: fix drm_gpusvm_init() arguments Vinay Belgaumkar <vinay.belgaumkar(a)intel.com> drm/xe: Apply Wa_14020316580 in xe_gt_idle_enable_pg() Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe: Fix freq kobject leak on sysfs_create_files failure Alexey Simakov <bigalex934(a)gmail.com> hwmon: (tmp401) fix overflow caused by default conversion rate value Junrui Luo <moonafterrain(a)outlook.com> hwmon: (ibmpex) fix use-after-free in high/low store Denis Sergeev <denserg.edu(a)gmail.com> hwmon: (dell-smm) Limit fan multiplier to avoid overflow Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> spi: mpfs: Fix an error handling path in mpfs_spi_probe() Prajna Rajendra Kumar <prajna.rajendrakumar(a)microchip.com> spi: microchip: rename driver file and internal identifiers Ming Lei <ming.lei(a)redhat.com> block: fix race between wbt_enable_default and IO submission Nilay Shroff <nilay(a)linux.ibm.com> block: use {alloc|free}_sched data methods Nilay Shroff <nilay(a)linux.ibm.com> block: introduce alloc_sched_data and free_sched_data elevator methods Nilay Shroff <nilay(a)linux.ibm.com> block: move elevator tags into struct elevator_resources Nilay Shroff <nilay(a)linux.ibm.com> block: unify elevator tags and type xarrays into struct elv_change_ctx Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix overflow in ublk_queue_auto_zc_fallback() José Expósito <jose.exposito89(a)gmail.com> drm/tests: Handle EDEADLK in set_up_atomic_state() José Expósito <jose.exposito89(a)gmail.com> drm/tests: Handle EDEADLK in drm_test_check_valid_clones() José Expósito <jose.exposito89(a)gmail.com> drm/tests: hdmi: Handle drm_kunit_helper_enable_crtc_connector() returning EDEADLK Jian Shen <shenjian15(a)huawei.com> net: hns3: add VLAN id validation before using Jian Shen <shenjian15(a)huawei.com> net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Jian Shen <shenjian15(a)huawei.com> net: hns3: using the num_tqps in the vf driver to apply for resources Wei Fang <wei.fang(a)nxp.com> net: enetc: do not transmit redirected XDP frames when the link is down Scott Mayhew <smayhew(a)redhat.com> net/handshake: duplicate handshake cancellations leak socket Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Don't include PSP in the hard MTU calculations Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Trigger neighbor resolution for unresolved destinations Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init Shay Drory <shayd(a)nvidia.com> net/mlx5: Serialize firmware reset with devlink Shay Drory <shayd(a)nvidia.com> net/mlx5: fw_tracer, Handle escaped percent properly Shay Drory <shayd(a)nvidia.com> net/mlx5: fw_tracer, Validate format string parameters Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Drain firmware reset in shutdown callback Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: fw reset, clear reset requested on drain_fw_reset Gal Pressman <gal(a)nvidia.com> ethtool: Avoid overflowing userspace buffer on stats query Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: make j1939_sk_bind() fail if device is no longer registered Jason Gunthorpe <jgg(a)ziepe.ca> iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Jason Gunthorpe <jgg(a)ziepe.ca> iommufd/selftest: Make it clearer to gcc that the access is not out of bounds Florian Westphal <fw(a)strlen.de> selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: remove redundant chain validation on register store Florian Westphal <fw(a)strlen.de> netfilter: nf_nat: remove bogus direction check Dan Carpenter <dan.carpenter(a)linaro.org> nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Victor Nogueira <victor(a)mojatatu.com> net/sched: ets: Remove drr class from the active list if it changes to strict Junrui Luo <moonafterrain(a)outlook.com> caif: fix integer underflow in cffrml_receive() Florian Westphal <fw(a)strlen.de> selftests: netfilter: prefer xfail in case race wasn't triggered Slavin Liu <slavin452(a)gmail.com> ipvs: fix ipv4 null-ptr-deref in route error path Fernando Fernandez Mancera <fmancera(a)suse.de> netfilter: nf_conncount: fix leaked ct in error paths Jakub Kicinski <kuba(a)kernel.org> inet: frags: flush pending skbs in fqdir_pre_exit() Jakub Kicinski <kuba(a)kernel.org> inet: frags: add inet_frag_queue_flush() Jakub Kicinski <kuba(a)kernel.org> inet: frags: avoid theoretical race in ip_frag_reinit() Guenter Roeck <linux(a)roeck-us.net> selftests: net: tfo: Fix build warning Guenter Roeck <linux(a)roeck-us.net> selftests: net: Fix build warnings Guenter Roeck <linux(a)roeck-us.net> selftest: af_unix: Support compilers without flex-array-member-not-at-end support Alexey Simakov <bigalex934(a)gmail.com> broadcom: b44: prevent uninitialized value usage Arnd Bergmann <arnd(a)arndb.de> net: ti: icssg-prueth: add PTP_1588_CLOCK_OPTIONAL dependency Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix middle attribute validation in push_nsh() action Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix XDP_TX path Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_router: Fix neighbour use-after-free Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_router: Fix possible neighbour reference count leak Gerd Bayer <gbayer(a)linux.ibm.com> net/mlx5: Fix double unregister of HCA_PORTS component Dmitry Skorodumov <skorodumov.dmitry(a)huawei.com> ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Ivan Galkin <ivan.galkin(a)axis.com> net: phy: RTL8211FVD: Restore disabling of PHY-mode EEE Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: realtek: create rtl8211f_config_phy_eee() helper Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: realtek: eliminate priv->phycr1 variable Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: realtek: allow CLKOUT to be disabled on RTL8211F(D)(I)-VD-CG Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: realtek: eliminate has_phycr2 variable Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: realtek: eliminate priv->phycr2 variable Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Avoid unregistering PSP twice Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: make enable_mpesw idempotent Jamal Hadi Salim <jhs(a)mojatatu.com> net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Wang Liang <wangliang74(a)huawei.com> netrom: Fix memory leak in nr_sendmsg() Wei Fang <wei.fang(a)nxp.com> net: fec: ERR007885 Workaround for XDP TX path Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix use of bio_chain Max Chou <max.chou(a)realtek.com> Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT Gongwei Li <ligongwei(a)kylinos.cn> Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Shuai Zhang <quic_shuaz(a)quicinc.com> Bluetooth: btusb: add new custom firmwares Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btusb: MT7920: Add VID/PID 0489/e135 Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btusb: MT7922: Add VID/PID 0489/e170 Chingbin Li <liqb365(a)163.com> Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Qianchang Zhao <pioooooooooip(a)gmail.com> ksmbd: vfs: fix race on m_flags in vfs_cache Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_ioctl() Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad" Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: fix remote evict for read-only filesystems Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix volume corruption issue for generic/101 Qu Wenruo <wqu(a)suse.com> btrfs: scrub: always update btrfs_scrub_progress::last_physical Hans de Goede <hansg(a)kernel.org> wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Quan Zhou <quan.zhou(a)mediatek.com> wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: use cfg80211_leave() in iftype change Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: stop radar detection in cfg80211_leave() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: check for shutdown in fsync Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix volume corruption issue for generic/073 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> hfsplus: Verify inode mode when loading from disk Yang Chenzhi <yang.chenzhi(a)vivo.com> hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix volume corruption issue for generic/070 Pedro Demarchi Gomes <pedrodemargomes(a)gmail.com> ntfs: set dummy blocksize to read boot_block when mounting Mikhail Malyshev <mike.malyshev(a)gmail.com> kbuild: Use objtree for module signing key path Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Support timestamps prior to epoch Mario Limonciello (AMD) <superm1(a)kernel.org> crypto: ccp - Add support for PCI device 0x115A Song Liu <song(a)kernel.org> livepatch: Match old_sympos 0 and 1 in klp_find_func() Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> scripts: kdoc_parser.py: warn about Python version only once Yu Peng <pengyu(a)kylinos.cn> x86/microcode: Mark early_parse_cmdline() as __init Aboorva Devarajan <aboorvad(a)linux.ibm.com> cpuidle: menu: Use residency threshold in polling state override decisions Shuhao Fu <sfual(a)cse.ust.hk> cpufreq: s5pv210: fix refcount leak Armin Wolf <W_Armin(a)gmx.de> ACPI: fan: Workaround for 64-bit firmware bug Hal Feng <hal.feng(a)starfivetech.com> cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Sakari Ailus <sakari.ailus(a)linux.intel.com> ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Cryolitia PukNgae <cryolitia.pukngae(a)linux.dev> ACPICA: Avoid walking the Namespace if start_node is NULL Peter Zijlstra <peterz(a)infradead.org> x86/ptrace: Always inline trivial accessors Peter Zijlstra <peterz(a)infradead.org> sched/fair: Revert max_newidle_lb_cost bump Doug Berger <opendmb(a)gmail.com> sched/deadline: only set free_cpus for online runqueues George Kennedy <george.kennedy(a)oracle.com> perf/x86/amd: Check event before enable to avoid GPF Pankaj Raghav <p.raghav(a)samsung.com> scripts/faddr2line: Fix "Argument list too long" error Joanne Koong <joannelkoong(a)gmail.com> iomap: account for unaligned end offsets when truncating read range Joanne Koong <joannelkoong(a)gmail.com> iomap: adjust read range correctly for non-block-aligned positions Al Viro <viro(a)zeniv.linux.org.uk> shmem: fix recovery on rename failures Filipe Manana <fdmanana(a)suse.com> btrfs: fix changeset leak on mmap write after failure to reserve metadata Deepanshu Kartikey <kartikey406(a)gmail.com> btrfs: fix memory leak of fs_devices in degraded seed device path Shuran Liu <electronlsr(a)gmail.com> bpf: Fix verifier assumptions of bpf_d_path's output buffer T.J. Mercier <tjmercier(a)google.com> bpf: Fix truncated dmabuf iterator reads Ondrej Mosnacek <omosnace(a)redhat.com> bpf, arm64: Do not audit capability check in do_jit() Qu Wenruo <wqu(a)suse.com> btrfs: fix a potential path leak in print_data_reloc_error() Filipe Manana <fdmanana(a)suse.com> btrfs: do not skip logging new dentries when logging a new name ------------- Diffstat: .../devicetree/bindings/mmc/aspeed,sdhci.yaml | 2 +- .../devicetree/bindings/pci/qcom,pcie-sc7280.yaml | 5 + .../bindings/pci/qcom,pcie-sc8280xp.yaml | 3 + .../devicetree/bindings/pci/qcom,pcie-sm8150.yaml | 5 + .../devicetree/bindings/pci/qcom,pcie-sm8250.yaml | 5 + .../devicetree/bindings/pci/qcom,pcie-sm8350.yaml | 5 + .../devicetree/bindings/pci/qcom,pcie-sm8450.yaml | 5 + .../devicetree/bindings/pci/qcom,pcie-sm8550.yaml | 5 + .../devicetree/bindings/slimbus/slimbus.yaml | 16 +- Makefile | 4 +- arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +- arch/arm/boot/dts/microchip/sama7d65.dtsi | 6 +- arch/arm/boot/dts/microchip/sama7g5.dtsi | 4 +- arch/arm64/boot/dts/mediatek/Makefile | 2 + arch/arm64/crypto/ghash-ce-glue.c | 2 +- arch/arm64/kernel/process.c | 1 + arch/arm64/net/bpf_jit_comp.c | 2 +- arch/mips/kernel/ftrace.c | 25 ++- arch/mips/sgi-ip22/ip22-gio.c | 3 +- arch/powerpc/boot/addnote.c | 7 +- arch/powerpc/include/asm/crash_reserve.h | 8 + arch/powerpc/kernel/btext.c | 3 +- arch/powerpc/kexec/core_64.c | 19 ++ arch/riscv/crypto/Kconfig | 12 +- arch/s390/include/uapi/asm/ipl.h | 1 + arch/s390/kernel/ipl.c | 48 +++-- arch/um/kernel/process.c | 4 +- arch/um/kernel/um_arch.c | 2 - arch/x86/events/amd/core.c | 7 +- arch/x86/include/asm/bug.h | 2 +- arch/x86/include/asm/irq_remapping.h | 7 + arch/x86/include/asm/kvm_host.h | 1 - arch/x86/include/asm/ptrace.h | 20 +- arch/x86/kernel/cpu/mce/threshold.c | 3 +- arch/x86/kernel/cpu/microcode/core.c | 2 +- arch/x86/kernel/fpu/xstate.c | 4 +- arch/x86/kernel/irq.c | 23 +++ arch/x86/kvm/cpuid.c | 11 +- arch/x86/kvm/lapic.c | 32 +++- arch/x86/kvm/svm/nested.c | 6 +- arch/x86/kvm/svm/svm.c | 54 ++++-- arch/x86/kvm/svm/svm.h | 7 +- arch/x86/kvm/vmx/nested.c | 3 +- arch/x86/kvm/vmx/tdx.c | 56 +++--- arch/x86/kvm/vmx/tdx.h | 1 - arch/x86/kvm/x86.c | 34 ++-- arch/x86/xen/enlighten_pv.c | 2 +- block/bfq-iosched.c | 2 +- block/blk-mq-sched.c | 117 +++++++++--- block/blk-mq-sched.h | 40 +++- block/blk-mq.c | 50 ++--- block/blk-sysfs.c | 28 +-- block/blk-wbt.c | 20 +- block/blk-wbt.h | 5 + block/blk-zoned.c | 42 +++-- block/blk.h | 7 +- block/elevator.c | 84 ++++----- block/elevator.h | 27 ++- block/genhd.c | 2 +- crypto/af_alg.c | 5 +- crypto/algif_hash.c | 3 +- crypto/algif_rng.c | 3 +- crypto/scatterwalk.c | 95 ++++++++-- drivers/acpi/acpi_pcc.c | 2 +- drivers/acpi/acpica/nswalk.c | 9 +- drivers/acpi/cppc_acpi.c | 3 +- drivers/acpi/fan.h | 33 ++++ drivers/acpi/fan_hwmon.c | 10 +- drivers/acpi/property.c | 8 +- drivers/amba/tegra-ahb.c | 1 + drivers/android/binder/process.rs | 8 +- drivers/base/power/runtime.c | 22 ++- drivers/block/floppy.c | 2 +- drivers/block/rnbd/rnbd-clt.c | 13 +- drivers/block/rnbd/rnbd-clt.h | 2 +- drivers/block/ublk_drv.c | 139 +++++++++----- drivers/block/zloop.c | 12 +- drivers/bluetooth/btusb.c | 11 ++ drivers/bus/ti-sysc.c | 11 +- drivers/char/applicom.c | 5 +- drivers/char/ipmi/ipmi_msghandler.c | 20 +- drivers/char/tpm/tpm-chip.c | 1 - drivers/char/tpm/tpm1-cmd.c | 5 - drivers/char/tpm/tpm2-cmd.c | 34 +++- drivers/char/tpm/tpm2-sessions.c | 194 ++++++++++++------- drivers/clk/keystone/syscon-clk.c | 2 +- drivers/clk/mvebu/cp110-system-controller.c | 20 ++ drivers/clk/qcom/dispcc-sm7150.c | 2 +- drivers/cpufreq/cpufreq-dt-platdev.c | 1 + drivers/cpufreq/cpufreq-nforce2.c | 3 + drivers/cpufreq/s5pv210-cpufreq.c | 6 +- drivers/cpuidle/governors/menu.c | 9 +- drivers/cpuidle/governors/teo.c | 7 +- drivers/crypto/caam/caamrng.c | 4 +- drivers/crypto/ccp/sp-pci.c | 19 ++ drivers/firmware/efi/efi.c | 3 + drivers/firmware/imx/imx-scu-irq.c | 4 +- drivers/gpio/gpio-loongson-64bit.c | 10 +- drivers/gpio/gpio-regmap.c | 2 +- drivers/gpio/gpiolib-acpi-quirks.c | 22 +++ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 +++--- drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +- .../amd/display/dc/resource/dcn35/dcn35_resource.c | 8 +- .../display/dc/resource/dcn351/dcn351_resource.c | 8 +- drivers/gpu/drm/drm_displayid.c | 19 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 18 +- drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 4 +- drivers/gpu/drm/panel/panel-sony-td4353-jdi.c | 2 + drivers/gpu/drm/tests/drm_atomic_state_test.c | 40 +++- drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 143 ++++++++++++++ drivers/gpu/drm/xe/xe_device.c | 2 +- drivers/gpu/drm/xe/xe_exec.c | 3 +- drivers/gpu/drm/xe/xe_gt.c | 7 +- drivers/gpu/drm/xe/xe_gt_freq.c | 4 +- drivers/gpu/drm/xe/xe_gt_idle.c | 8 + drivers/gpu/drm/xe/xe_heci_gsc.c | 4 +- drivers/gpu/drm/xe/xe_oa.c | 10 +- drivers/gpu/drm/xe/xe_svm.h | 2 +- drivers/gpu/drm/xe/xe_vm.c | 3 + drivers/gpu/drm/xe/xe_wa.c | 8 - drivers/gpu/drm/xe/xe_wa_oob.rules | 1 + drivers/hid/hid-input.c | 18 +- drivers/hwmon/dell-smm-hwmon.c | 9 + drivers/hwmon/emc2305.c | 8 +- drivers/hwmon/ibmpex.c | 9 +- drivers/hwmon/ltc4282.c | 9 +- drivers/hwmon/max16065.c | 7 +- drivers/hwmon/max6697.c | 2 +- drivers/hwmon/tmp401.c | 2 +- drivers/hwmon/w83791d.c | 19 +- drivers/hwmon/w83l786ng.c | 26 ++- drivers/hwtracing/intel_th/core.c | 20 +- drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +- drivers/i2c/busses/i2c-designware-core.h | 1 + drivers/i2c/busses/i2c-designware-master.c | 7 + drivers/iio/adc/ti_am335x_adc.c | 2 +- drivers/input/joystick/xpad.c | 5 + drivers/input/keyboard/lkkbd.c | 5 +- drivers/input/mouse/alps.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 7 + drivers/input/touchscreen/apple_z2.c | 4 + drivers/input/touchscreen/ti_am335x_tsc.c | 2 +- drivers/interconnect/qcom/sdx75.c | 26 --- drivers/interconnect/qcom/sdx75.h | 2 - drivers/iommu/amd/init.c | 23 ++- drivers/iommu/intel/irq_remapping.c | 8 +- drivers/iommu/iommufd/selftest.c | 8 +- drivers/iommu/mtk_iommu.c | 25 ++- drivers/md/dm-pcache/cache.c | 8 +- drivers/md/dm-pcache/cache_segment.c | 8 +- drivers/media/platform/qcom/iris/iris_vb2.c | 8 +- drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 + drivers/media/usb/dvb-usb/dtv5100.c | 5 + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +- drivers/misc/mei/Kconfig | 2 +- drivers/misc/mei/main.c | 1 + drivers/mmc/host/Kconfig | 4 +- drivers/mmc/host/sdhci-msm.c | 27 +-- drivers/mmc/host/sdhci-of-arasan.c | 2 +- drivers/net/can/usb/gs_usb.c | 2 +- drivers/net/ethernet/broadcom/b44.c | 3 + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 3 +- drivers/net/ethernet/freescale/enetc/enetc.c | 3 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 5 + .../ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 97 ++++++++-- .../ethernet/mellanox/mlx5/core/diag/fw_tracer.h | 1 + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 - .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 6 + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 48 ++++- drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h | 1 + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 1 + .../net/ethernet/mellanox/mlx5/core/lag/mpesw.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 27 +-- drivers/net/ethernet/realtek/r8169_main.c | 5 +- drivers/net/ethernet/ti/Kconfig | 3 +- drivers/net/ipvlan/ipvlan_core.c | 3 + drivers/net/phy/marvell-88q2xxx.c | 2 +- drivers/net/phy/realtek/realtek_main.c | 114 ++++++----- .../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 14 ++ drivers/net/wireless/mediatek/mt76/eeprom.c | 37 ++-- drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 2 +- drivers/net/wireless/realtek/rtl8xxxu/core.c | 7 +- drivers/nfc/pn533/usb.c | 2 +- drivers/nvme/host/fabrics.c | 2 +- drivers/nvme/host/fc.c | 6 +- drivers/of/fdt.c | 2 +- drivers/parisc/gsc.c | 4 +- drivers/perf/arm_cspmu/arm_cspmu.c | 4 +- drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +- drivers/phy/samsung/phy-exynos5-usbdrd.c | 2 +- drivers/pinctrl/renesas/pinctrl-rzg2l.c | 71 ++++--- drivers/platform/chrome/cros_ec_ishtp.c | 1 + drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++- drivers/platform/x86/intel/hid.c | 12 ++ drivers/platform/x86/lenovo/wmi-gamezone.c | 17 +- drivers/pwm/pwm-rzg2l-gpt.c | 15 +- drivers/rpmsg/qcom_glink_native.c | 8 + drivers/s390/block/dasd_eckd.c | 8 + drivers/scsi/aic94xx/aic94xx_init.c | 3 + drivers/scsi/lpfc/lpfc_els.c | 36 +++- drivers/scsi/lpfc/lpfc_hbadisc.c | 4 +- drivers/scsi/mpi3mr/mpi/mpi30_ioc.h | 1 + drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 + drivers/scsi/qla2xxx/qla_def.h | 1 - drivers/scsi/qla2xxx/qla_gbl.h | 2 +- drivers/scsi/qla2xxx/qla_isr.c | 32 +--- drivers/scsi/qla2xxx/qla_mbx.c | 2 + drivers/scsi/qla2xxx/qla_mid.c | 4 +- drivers/scsi/qla2xxx/qla_os.c | 14 +- drivers/scsi/scsi_debug.c | 2 +- drivers/scsi/smartpqi/smartpqi_init.c | 4 + drivers/soc/amlogic/meson-canvas.c | 5 +- drivers/soc/apple/mailbox.c | 15 +- drivers/soc/qcom/ocmem.c | 2 +- drivers/soc/qcom/qcom-pbs.c | 2 + drivers/soc/samsung/exynos-pmu.c | 2 + drivers/soc/tegra/fuse/fuse-tegra.c | 2 - drivers/spi/Kconfig | 19 +- drivers/spi/Makefile | 2 +- drivers/spi/spi-cadence-quadspi.c | 4 +- drivers/spi/spi-fsl-spi.c | 2 +- drivers/spi/{spi-microchip-core.c => spi-mpfs.c} | 208 +++++++++++---------- drivers/target/target_core_transport.c | 1 + drivers/tty/serial/serial_base_bus.c | 11 +- drivers/tty/serial/sh-sci.c | 2 +- drivers/tty/serial/sprd_serial.c | 6 + drivers/tty/serial/xilinx_uartps.c | 14 +- drivers/ufs/core/ufshcd.c | 5 +- drivers/ufs/host/ufs-mediatek.c | 5 + drivers/usb/dwc3/dwc3-of-simple.c | 7 +- drivers/usb/dwc3/gadget.c | 2 +- drivers/usb/dwc3/host.c | 2 +- drivers/usb/gadget/function/f_fs.c | 53 +++++- drivers/usb/gadget/udc/lpc32xx_udc.c | 21 ++- drivers/usb/host/ohci-nxp.c | 2 + drivers/usb/host/xhci-dbgtty.c | 2 +- drivers/usb/host/xhci-hub.c | 2 +- drivers/usb/host/xhci-ring.c | 27 +-- drivers/usb/phy/phy-fsl-usb.c | 1 + drivers/usb/phy/phy-isp1301.c | 7 +- drivers/usb/renesas_usbhs/pipe.c | 2 + drivers/usb/storage/unusual_uas.h | 2 +- drivers/usb/typec/altmodes/displayport.c | 8 +- drivers/usb/typec/ucsi/Kconfig | 1 + drivers/usb/typec/ucsi/ucsi.c | 6 + drivers/usb/usbip/vhci_hcd.c | 6 +- drivers/vdpa/octeon_ep/octep_vdpa_main.c | 1 + drivers/vfio/device_cdev.c | 2 +- drivers/vhost/vsock.c | 15 +- drivers/watchdog/via_wdt.c | 1 + fs/btrfs/file.c | 3 +- fs/btrfs/inode.c | 1 + fs/btrfs/ioctl.c | 4 +- fs/btrfs/scrub.c | 5 + fs/btrfs/tree-log.c | 46 ++++- fs/btrfs/volumes.c | 1 + fs/exfat/file.c | 5 + fs/exfat/super.c | 19 +- fs/ext4/ialloc.c | 1 - fs/ext4/inode.c | 1 - fs/ext4/ioctl.c | 4 + fs/ext4/mballoc.c | 2 + fs/ext4/orphan.c | 4 +- fs/ext4/super.c | 6 +- fs/ext4/xattr.c | 6 +- fs/f2fs/compress.c | 5 +- fs/f2fs/data.c | 17 ++ fs/f2fs/extent_cache.c | 5 +- fs/f2fs/f2fs.h | 13 +- fs/f2fs/file.c | 12 +- fs/f2fs/gc.c | 2 +- fs/f2fs/namei.c | 6 +- fs/f2fs/recovery.c | 20 +- fs/f2fs/segment.c | 9 +- fs/f2fs/segment.h | 8 +- fs/f2fs/super.c | 116 +++++------- fs/f2fs/xattr.c | 32 ++-- fs/f2fs/xattr.h | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dev_uring.c | 6 +- fs/fuse/file.c | 37 +++- fs/fuse/fuse_dev_i.h | 1 + fs/gfs2/glops.c | 3 +- fs/gfs2/lops.c | 2 +- fs/gfs2/quota.c | 2 +- fs/gfs2/super.c | 4 +- fs/hfsplus/bnode.c | 4 +- fs/hfsplus/dir.c | 7 +- fs/hfsplus/hfsplus_fs.h | 2 + fs/hfsplus/inode.c | 41 +++- fs/hfsplus/super.c | 87 +++++---- fs/iomap/buffered-io.c | 41 +++- fs/jbd2/journal.c | 20 +- fs/jbd2/transaction.c | 2 +- fs/libfs.c | 50 +++-- fs/nfsd/blocklayout.c | 3 +- fs/nfsd/export.c | 2 +- fs/nfsd/nfs4xdr.c | 5 + fs/nfsd/nfsd.h | 8 +- fs/nfsd/nfssvc.c | 5 +- fs/nfsd/vfs.h | 3 +- fs/notify/fsnotify.c | 9 +- fs/ntfs3/file.c | 14 +- fs/ntfs3/ntfs_fs.h | 9 +- fs/ntfs3/run.c | 6 +- fs/ntfs3/super.c | 5 + fs/ocfs2/suballoc.c | 10 + fs/smb/client/fs_context.c | 2 + fs/smb/server/mgmt/tree_connect.c | 18 +- fs/smb/server/mgmt/tree_connect.h | 1 - fs/smb/server/mgmt/user_session.c | 4 +- fs/smb/server/smb2pdu.c | 16 +- fs/smb/server/vfs.c | 5 +- fs/smb/server/vfs_cache.c | 88 ++++++--- fs/super.c | 2 +- fs/xfs/libxfs/xfs_sb.c | 15 ++ fs/xfs/scrub/attr_repair.c | 2 +- fs/xfs/xfs_attr_item.c | 2 +- fs/xfs/xfs_buf_item.c | 1 + fs/xfs/xfs_qm.c | 5 +- fs/xfs/xfs_rtalloc.c | 14 +- include/crypto/scatterwalk.h | 52 +++--- include/dt-bindings/clock/qcom,mmcc-sdm660.h | 1 + include/linux/blkdev.h | 2 +- include/linux/crash_reserve.h | 6 + include/linux/dma-mapping.h | 2 +- include/linux/fs.h | 2 +- include/linux/jbd2.h | 6 + include/linux/ksm.h | 4 +- include/linux/platform_data/x86/intel_pmc_ipc.h | 4 +- include/linux/reset.h | 1 + include/linux/slab.h | 7 + include/linux/tpm.h | 21 ++- include/media/v4l2-mem2mem.h | 3 +- include/net/inet_frag.h | 18 +- include/net/ipv6_frag.h | 9 +- include/sound/soc.h | 1 + include/trace/events/tlb.h | 5 +- include/uapi/drm/xe_drm.h | 1 + include/uapi/linux/mptcp.h | 1 + io_uring/io_uring.c | 3 + io_uring/openclose.c | 2 +- io_uring/poll.c | 9 +- io_uring/rsrc.c | 13 +- kernel/bpf/dmabuf_iter.c | 56 +++++- kernel/cgroup/rstat.c | 13 +- kernel/crash_reserve.c | 3 + kernel/kallsyms.c | 5 +- kernel/livepatch/core.c | 8 +- kernel/printk/internal.h | 8 +- kernel/printk/nbcon.c | 9 +- kernel/printk/printk.c | 83 ++++++-- kernel/sched/cpudeadline.c | 34 +--- kernel/sched/cpudeadline.h | 4 +- kernel/sched/deadline.c | 8 +- kernel/sched/ext.c | 62 ++++-- kernel/sched/fair.c | 19 +- kernel/scs.c | 2 +- kernel/trace/bpf_trace.c | 2 +- kernel/trace/trace_events.c | 2 + kernel/trace/trace_events_synth.c | 1 - lib/crypto/Kconfig | 9 +- lib/crypto/riscv/.gitignore | 2 + lib/crypto/riscv/chacha-riscv64-zvkb.S | 5 +- lib/crypto/x86/blake2s-core.S | 4 +- mm/huge_memory.c | 2 +- mm/ksm.c | 20 +- mm/shmem.c | 24 ++- mm/slab.h | 1 + mm/slab_common.c | 52 ++++-- mm/slub.c | 59 +++--- net/caif/cffrml.c | 9 +- net/can/j1939/socket.c | 6 + net/ceph/osdmap.c | 116 ++++++------ net/ethtool/ioctl.c | 30 ++- net/handshake/request.c | 8 +- net/hsr/hsr_forward.c | 2 + net/ipv4/inet_fragment.c | 55 +++++- net/ipv4/ip_fragment.c | 22 +-- net/mptcp/pm_netlink.c | 3 +- net/mptcp/protocol.c | 22 ++- net/netfilter/ipvs/ip_vs_xmit.c | 3 + net/netfilter/nf_conncount.c | 25 +-- net/netfilter/nf_nat_core.c | 14 +- net/netfilter/nf_tables_api.c | 11 -- net/netrom/nr_out.c | 4 +- net/openvswitch/flow_netlink.c | 13 +- net/sched/sch_ets.c | 6 +- net/sunrpc/auth_gss/svcauth_gss.c | 3 +- net/sunrpc/xprtrdma/svc_rdma_rw.c | 7 +- net/wireless/core.c | 1 + net/wireless/core.h | 1 + net/wireless/mlme.c | 19 ++ net/wireless/util.c | 23 +-- rust/helpers/dma.c | 21 +++ rust/kernel/devres.rs | 18 +- rust/kernel/drm/gem/mod.rs | 2 +- rust/kernel/io.rs | 26 ++- rust/kernel/io/resource.rs | 13 +- samples/rust/rust_driver_pci.rs | 2 +- scripts/Makefile.modinst | 2 +- scripts/faddr2line | 13 +- scripts/lib/kdoc/kdoc_parser.py | 7 +- security/keys/trusted-keys/trusted_tpm2.c | 35 +++- sound/hda/codecs/realtek/alc269.c | 11 +- sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +- sound/pcmcia/vx/vxpocket.c | 8 +- sound/soc/codecs/ak4458.c | 4 - sound/soc/fsl/fsl_sai.c | 10 +- sound/soc/sdca/sdca_asoc.c | 34 +--- sound/soc/soc-ops.c | 84 +++++++-- sound/soc/sof/ipc4-topology.c | 24 ++- sound/usb/mixer_us16x08.c | 20 +- tools/lib/perf/cpumap.c | 10 +- tools/testing/ktest/config-bisect.pl | 4 +- tools/testing/nvdimm/test/nfit.c | 7 +- tools/testing/selftests/iommu/iommufd.c | 8 +- tools/testing/selftests/kvm/Makefile | 2 +- tools/testing/selftests/kvm/rseq_test.c | 1 + tools/testing/selftests/net/af_unix/Makefile | 7 +- tools/testing/selftests/net/lib/ksft.h | 6 +- tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 + tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 ++ .../selftests/net/netfilter/conntrack_clash.sh | 9 +- .../net/netfilter/conntrack_reverse_clash.c | 13 +- .../net/netfilter/conntrack_reverse_clash.sh | 2 + .../packetdrill/conntrack_syn_challenge_ack.pkt | 2 +- tools/testing/selftests/net/tfo.c | 3 +- tools/testing/selftests/ublk/kublk.h | 12 +- tools/tracing/rtla/src/timerlat.bpf.c | 3 + virt/kvm/kvm_main.c | 4 +- 441 files changed, 4077 insertions(+), 1949 deletions(-)

8 hours, 18 minutes

12
442
0 0

[PATCH 5.10,5.15,6.1,6.6 RESEND] leds: spi-byte: Initialize device node before access

by Tiffany Yang

Commit 7f9ab862e05c ("leds: spi-byte: Call of_node_put() on error path") was merged in 6.11 and then backported to stable trees through 5.10. It relocates the line that initializes the variable 'child' to a later point in spi_byte_probe(). Versions < 6.9 do not have commit ccc35ff2fd29 ("leds: spi-byte: Use devm_led_classdev_register_ext()"), which removes a line that reads a property from 'child' before its new initialization point. Consequently, spi_byte_probe() reads from an uninitialized device node in stable kernels 6.6-5.10. Initialize 'child' before it is first accessed. Fixes: 7f9ab862e05c ("leds: spi-byte: Call of_node_put() on error path") Signed-off-by: Tiffany Yang <ynaffit(a)google.com> --- As an alternative to moving the initialization of 'child' up, Fedor Pchelkin proposed [1] backporting the change that removes the intermediate access. [1] https://lore.kernel.org/stable/20241029204128.527033-1-pchelkin@ispras.ru/ --- drivers/leds/leds-spi-byte.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c index afe9bff7c7c1..4520df1e2341 100644 --- a/drivers/leds/leds-spi-byte.c +++ b/drivers/leds/leds-spi-byte.c @@ -96,6 +96,7 @@ static int spi_byte_probe(struct spi_device *spi) if (!led) return -ENOMEM; + child = of_get_next_available_child(dev_of_node(dev), NULL); of_property_read_string(child, "label", &name); strscpy(led->name, name, sizeof(led->name)); led->spi = spi; @@ -106,7 +107,6 @@ static int spi_byte_probe(struct spi_device *spi) led->ldev.max_brightness = led->cdef->max_value - led->cdef->off_value; led->ldev.brightness_set_blocking = spi_byte_brightness_set_blocking; - child = of_get_next_available_child(dev_of_node(dev), NULL); state = of_get_property(child, "default-state", NULL); if (state) { if (!strcmp(state, "on")) { -- 2.52.0.351.gbe84eed79e-goog

8 hours, 42 minutes

1
0
0 0

[PATCH] riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped

by Vivian Wang

Since commit 4b47a3aefb29 ("kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux") vmlinux has .rel*.dyn preserved. Therefore, use vmlinux to produce Image, not vmlinux.unstripped. Doing so fixes booting a RELOCATABLE=y Image with kexec. The problem is caused by this chain of events: - Since commit 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped"), vmlinux.unstripped gets a .modinfo section. - The .modinfo section has SHF_ALLOC, so it ends up in Image, at the end of it. - The Image header's image_size field does not expect to include .modinfo and does not account for it, since it should not be in Image. - If .modinfo is large enough, the file size of Image ends up larger than image_size, which eventually leads to it failing sanity_check_segment_list(). Using vmlinux instead of vmlinux.unstripped means that the unexpected .modinfo section is gone from Image, fixing the file size problem. Cc: stable(a)vger.kernel.org Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped") Signed-off-by: Vivian Wang <wangruikang(a)iscas.ac.cn> --- arch/riscv/boot/Makefile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/arch/riscv/boot/Makefile b/arch/riscv/boot/Makefile index bfc3d0b75b9b..5301adf5f3f5 100644 --- a/arch/riscv/boot/Makefile +++ b/arch/riscv/boot/Makefile @@ -31,11 +31,7 @@ $(obj)/xipImage: vmlinux FORCE endif -ifdef CONFIG_RELOCATABLE -$(obj)/Image: vmlinux.unstripped FORCE -else $(obj)/Image: vmlinux FORCE -endif $(call if_changed,objcopy) $(obj)/Image.gz: $(obj)/Image FORCE --- base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 change-id: 20251230-riscv-vmlinux-not-unstripped-30ec0c930fd2 Best regards, -- Vivian "dramforever" Wang

8 hours, 57 minutes

4
3
0 0

Please add 127b90315ca0 ("sched/proxy: Yield the donor task") to 6.12.y / 6.18.y

by Holger Hoffstätte

Hi - a Gentoo user recently found that 6.18.2 started to reproducuibly crash when building their go toolchain [1]. Apparently the addition of "sched/fair: Forfeit vruntime on yield" (mainline 79104becf42b) can result in the infamous NULL returned from pick_eevdf(), which is not supposed to happen. It turned out that the mentioned commit triggered a bug related to the recently added proxy execution feature, which was already fixed in mainline by "sched/proxy: Yield the donor task" (127b90315ca0), though not marked for stable. Applying this to 6.18.2/.3-rc1 (and probably 6.12 as well) has reproducibly fixed the problem. A possible reason the crash was triggered by the Go runtime could be its specific use of yield(), though that's just speculation on my part. So please add 127b90315ca0 ("sched/proxy: Yield the donor task") to 6.18.y/6.12.y. I know we're already in 6.18.3-rc1, but the crasher seems reproducible. Fernand, please correct me if I got the explanations wrong. Thanks! Holger [1] https://bugs.gentoo.org/968116 starting at #8

9 hours, 42 minutes

2
1
0 0

FAILED: patch "[PATCH] f2fs: use global inline_xattr_slab instead of per-sb slab" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025122924-placidly-rehire-4364@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 Mon Sep 17 00:00:00 2001 From: Chao Yu <chao(a)kernel.org> Date: Tue, 21 Oct 2025 11:48:56 +0800 Subject: [PATCH] f2fs: use global inline_xattr_slab instead of per-sb slab cache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace: __kmem_cache_create include/linux/slab.h:353 [inline] f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline] f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843 f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918 get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692 vfs_get_tree+0x43/0x140 fs/super.c:1815 do_new_mount+0x201/0x550 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mounnt /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since there is one more user has referenced the cache. Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, slab system will find that there is existed cache which has the same name and trigger the warning. Let's changes to use global inline_xattr_slab instead of per-sb slab cache for fixing. Fixes: a999150f4fe3 ("f2fs: use kmem_cache pool during inline xattr lookups") Cc: stable(a)kernel.org Reported-by: Hong Yun <yhong(a)link.cuhk.edu.hk> Tested-by: Hong Yun <yhong(a)link.cuhk.edu.hk> Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index e69b01c1173a..9ca2124aac84 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -1885,9 +1885,6 @@ struct f2fs_sb_info { spinlock_t error_lock; /* protect errors/stop_reason array */ bool error_dirty; /* errors of sb is dirty */ - struct kmem_cache *inline_xattr_slab; /* inline xattr entry */ - unsigned int inline_xattr_slab_size; /* default inline xattr slab size */ - /* For reclaimed segs statistics per each GC mode */ unsigned int gc_segment_mode; /* GC state for reclaimed segments */ unsigned int gc_reclaimed_segs[MAX_GC_MODE]; /* Reclaimed segs for each mode */ diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index d0b5791a1f8c..f76ba2b08be0 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -2027,7 +2027,6 @@ static void f2fs_put_super(struct super_block *sb) kfree(sbi->raw_super); f2fs_destroy_page_array_cache(sbi); - f2fs_destroy_xattr_caches(sbi); #ifdef CONFIG_QUOTA for (i = 0; i < MAXQUOTAS; i++) kfree(F2FS_OPTION(sbi).s_qf_names[i]); @@ -4975,13 +4974,9 @@ static int f2fs_fill_super(struct super_block *sb, struct fs_context *fc) if (err) goto free_iostat; - /* init per sbi slab cache */ - err = f2fs_init_xattr_caches(sbi); - if (err) - goto free_percpu; err = f2fs_init_page_array_cache(sbi); if (err) - goto free_xattr_cache; + goto free_percpu; /* get an inode for meta space */ sbi->meta_inode = f2fs_iget(sb, F2FS_META_INO(sbi)); @@ -5310,8 +5305,6 @@ static int f2fs_fill_super(struct super_block *sb, struct fs_context *fc) sbi->meta_inode = NULL; free_page_array_cache: f2fs_destroy_page_array_cache(sbi); -free_xattr_cache: - f2fs_destroy_xattr_caches(sbi); free_percpu: destroy_percpu_info(sbi); free_iostat: @@ -5514,10 +5507,15 @@ static int __init init_f2fs_fs(void) err = f2fs_create_casefold_cache(); if (err) goto free_compress_cache; - err = register_filesystem(&f2fs_fs_type); + err = f2fs_init_xattr_cache(); if (err) goto free_casefold_cache; + err = register_filesystem(&f2fs_fs_type); + if (err) + goto free_xattr_cache; return 0; +free_xattr_cache: + f2fs_destroy_xattr_cache(); free_casefold_cache: f2fs_destroy_casefold_cache(); free_compress_cache: @@ -5558,6 +5556,7 @@ static int __init init_f2fs_fs(void) static void __exit exit_f2fs_fs(void) { unregister_filesystem(&f2fs_fs_type); + f2fs_destroy_xattr_cache(); f2fs_destroy_casefold_cache(); f2fs_destroy_compress_cache(); f2fs_destroy_compress_mempool(); diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 58632a2b6613..b4e5c406632f 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -23,11 +23,12 @@ #include "xattr.h" #include "segment.h" +static struct kmem_cache *inline_xattr_slab; static void *xattr_alloc(struct f2fs_sb_info *sbi, int size, bool *is_inline) { - if (likely(size == sbi->inline_xattr_slab_size)) { + if (likely(size == DEFAULT_XATTR_SLAB_SIZE)) { *is_inline = true; - return f2fs_kmem_cache_alloc(sbi->inline_xattr_slab, + return f2fs_kmem_cache_alloc(inline_xattr_slab, GFP_F2FS_ZERO, false, sbi); } *is_inline = false; @@ -38,7 +39,7 @@ static void xattr_free(struct f2fs_sb_info *sbi, void *xattr_addr, bool is_inline) { if (is_inline) - kmem_cache_free(sbi->inline_xattr_slab, xattr_addr); + kmem_cache_free(inline_xattr_slab, xattr_addr); else kfree(xattr_addr); } @@ -830,25 +831,14 @@ int f2fs_setxattr(struct inode *inode, int index, const char *name, return err; } -int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) +int __init f2fs_init_xattr_cache(void) { - dev_t dev = sbi->sb->s_bdev->bd_dev; - char slab_name[32]; - - sprintf(slab_name, "f2fs_xattr_entry-%u:%u", MAJOR(dev), MINOR(dev)); - - sbi->inline_xattr_slab_size = F2FS_OPTION(sbi).inline_xattr_size * - sizeof(__le32) + XATTR_PADDING_SIZE; - - sbi->inline_xattr_slab = f2fs_kmem_cache_create(slab_name, - sbi->inline_xattr_slab_size); - if (!sbi->inline_xattr_slab) - return -ENOMEM; - - return 0; + inline_xattr_slab = f2fs_kmem_cache_create("f2fs_xattr_entry", + DEFAULT_XATTR_SLAB_SIZE); + return inline_xattr_slab ? 0 : -ENOMEM; } -void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) +void f2fs_destroy_xattr_cache(void) { - kmem_cache_destroy(sbi->inline_xattr_slab); -} + kmem_cache_destroy(inline_xattr_slab); +} \ No newline at end of file diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h index 4fc0b2305fbd..bce3d93e4755 100644 --- a/fs/f2fs/xattr.h +++ b/fs/f2fs/xattr.h @@ -89,6 +89,8 @@ struct f2fs_xattr_entry { F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \ DEF_INLINE_RESERVED_SIZE - \ MIN_INLINE_DENTRY_SIZE / sizeof(__le32)) +#define DEFAULT_XATTR_SLAB_SIZE (DEFAULT_INLINE_XATTR_ADDRS * \ + sizeof(__le32) + XATTR_PADDING_SIZE) /* * On-disk structure of f2fs_xattr @@ -132,8 +134,8 @@ int f2fs_setxattr(struct inode *, int, const char *, const void *, int f2fs_getxattr(struct inode *, int, const char *, void *, size_t, struct folio *); ssize_t f2fs_listxattr(struct dentry *, char *, size_t); -int f2fs_init_xattr_caches(struct f2fs_sb_info *); -void f2fs_destroy_xattr_caches(struct f2fs_sb_info *); +int __init f2fs_init_xattr_cache(void); +void f2fs_destroy_xattr_cache(void); #else #define f2fs_xattr_handlers NULL @@ -150,8 +152,8 @@ static inline int f2fs_getxattr(struct inode *inode, int index, { return -EOPNOTSUPP; } -static inline int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) { return 0; } -static inline void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) { } +static inline int __init f2fs_init_xattr_cache(void) { return 0; } +static inline void f2fs_destroy_xattr_cache(void) { } #endif #ifdef CONFIG_F2FS_FS_SECURITY

11 hours, 24 minutes

2
1
0 0

FAILED: patch "[PATCH] pinctrl: renesas: rzg2l: Fix ISEL restore on resume" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 44bf66122c12ef6d3382a9b84b9be1802e5f0e95 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025122907-jujitsu-boneless-55a8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44bf66122c12ef6d3382a9b84b9be1802e5f0e95 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Fri, 12 Sep 2025 12:53:08 +0300 Subject: [PATCH] pinctrl: renesas: rzg2l: Fix ISEL restore on resume Commit 1d2da79708cb ("pinctrl: renesas: rzg2l: Avoid configuring ISEL in gpio_irq_{en,dis}able*()") dropped the configuration of ISEL from struct irq_chip::{irq_enable, irq_disable} APIs and moved it to struct gpio_chip::irq::{child_to_parent_hwirq, child_irq_domain_ops::free} APIs to fix spurious IRQs. After commit 1d2da79708cb ("pinctrl: renesas: rzg2l: Avoid configuring ISEL in gpio_irq_{en,dis}able*()"), ISEL was no longer configured properly on resume. This is because the pinctrl resume code used struct irq_chip::irq_enable (called from rzg2l_gpio_irq_restore()) to reconfigure the wakeup interrupts. Some drivers (e.g. Ethernet) may also reconfigure non-wakeup interrupts on resume through their own code, eventually calling struct irq_chip::irq_enable. Fix this by adding ISEL configuration back into the struct irq_chip::irq_enable API and on resume path for wakeup interrupts. As struct irq_chip::irq_enable needs now to lock to update the ISEL, convert the struct rzg2l_pinctrl::lock to a raw spinlock and replace the locking API calls with the raw variants. Otherwise the lockdep reports invalid wait context when probing the adv7511 module on RZ/G2L: [ BUG: Invalid wait context ] 6.17.0-rc5-next-20250911-00001-gfcfac22533c9 #18 Not tainted ----------------------------- (udev-worker)/165 is trying to lock: ffff00000e3664a8 (&pctrl->lock){....}-{3:3}, at: rzg2l_gpio_irq_enable+0x38/0x78 other info that might help us debug this: context-{5:5} 3 locks held by (udev-worker)/165: #0: ffff00000e890108 (&dev->mutex){....}-{4:4}, at: __driver_attach+0x90/0x1ac #1: ffff000011c07240 (request_class){+.+.}-{4:4}, at: __setup_irq+0xb4/0x6dc #2: ffff000011c070c8 (lock_class){....}-{2:2}, at: __setup_irq+0xdc/0x6dc stack backtrace: CPU: 1 UID: 0 PID: 165 Comm: (udev-worker) Not tainted 6.17.0-rc5-next-20250911-00001-gfcfac22533c9 #18 PREEMPT Hardware name: Renesas SMARC EVK based on r9a07g044l2 (DT) Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x90/0xd0 dump_stack+0x18/0x24 __lock_acquire+0xa14/0x20b4 lock_acquire+0x1c8/0x354 _raw_spin_lock_irqsave+0x60/0x88 rzg2l_gpio_irq_enable+0x38/0x78 irq_enable+0x40/0x8c __irq_startup+0x78/0xa4 irq_startup+0x108/0x16c __setup_irq+0x3c0/0x6dc request_threaded_irq+0xec/0x1ac devm_request_threaded_irq+0x80/0x134 adv7511_probe+0x928/0x9a4 [adv7511] i2c_device_probe+0x22c/0x3dc really_probe+0xbc/0x2a0 __driver_probe_device+0x78/0x12c driver_probe_device+0x40/0x164 __driver_attach+0x9c/0x1ac bus_for_each_dev+0x74/0xd0 driver_attach+0x24/0x30 bus_add_driver+0xe4/0x208 driver_register+0x60/0x128 i2c_register_driver+0x48/0xd0 adv7511_init+0x5c/0x1000 [adv7511] do_one_initcall+0x64/0x30c do_init_module+0x58/0x23c load_module+0x1bcc/0x1d40 init_module_from_file+0x88/0xc4 idempotent_init_module+0x188/0x27c __arm64_sys_finit_module+0x68/0xac invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x4c/0x160 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Having ISEL configuration back into the struct irq_chip::irq_enable API should be safe with respect to spurious IRQs, as in the probe case IRQs are enabled anyway in struct gpio_chip::irq::child_to_parent_hwirq. No spurious IRQs were detected on suspend/resume, boot, ethernet link insert/remove tests (executed on RZ/G3S). Boot, ethernet link insert/remove tests were also executed successfully on RZ/G2L. Fixes: 1d2da79708cb ("pinctrl: renesas: rzg2l: Avoid configuring ISEL in gpio_irq_{en,dis}able*(") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Link: https://patch.msgid.link/20250912095308.3603704-1-claudiu.beznea.uj@bp.rene… Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be> diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c index f524af6f586f..c360e473488c 100644 --- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c +++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c @@ -359,7 +359,7 @@ struct rzg2l_pinctrl { spinlock_t bitmap_lock; /* protect tint_slot bitmap */ unsigned int hwirq[RZG2L_TINT_MAX_INTERRUPT]; - spinlock_t lock; /* lock read/write registers */ + raw_spinlock_t lock; /* lock read/write registers */ struct mutex mutex; /* serialize adding groups and functions */ struct rzg2l_pinctrl_pin_settings *settings; @@ -543,7 +543,7 @@ static void rzg2l_pinctrl_set_pfc_mode(struct rzg2l_pinctrl *pctrl, unsigned long flags; u32 reg; - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); /* Set pin to 'Non-use (Hi-Z input protection)' */ reg = readw(pctrl->base + PM(off)); @@ -567,7 +567,7 @@ static void rzg2l_pinctrl_set_pfc_mode(struct rzg2l_pinctrl *pctrl, pctrl->data->pwpr_pfc_lock_unlock(pctrl, true); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); }; static int rzg2l_pinctrl_set_mux(struct pinctrl_dev *pctldev, @@ -882,10 +882,10 @@ static void rzg2l_rmw_pin_config(struct rzg2l_pinctrl *pctrl, u32 offset, addr += 4; } - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); reg = readl(addr) & ~(mask << (bit * 8)); writel(reg | (val << (bit * 8)), addr); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); } static int rzg2l_caps_to_pwr_reg(const struct rzg2l_register_offsets *regs, u32 caps) @@ -1121,7 +1121,7 @@ static int rzg2l_write_oen(struct rzg2l_pinctrl *pctrl, unsigned int _pin, u8 oe if (bit < 0) return -EINVAL; - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); val = readb(pctrl->base + oen_offset); if (oen) val &= ~BIT(bit); @@ -1134,7 +1134,7 @@ static int rzg2l_write_oen(struct rzg2l_pinctrl *pctrl, unsigned int _pin, u8 oe writeb(val, pctrl->base + oen_offset); if (pctrl->data->hwcfg->oen_pwpr_lock) writeb(pwpr & ~PWPR_REGWE_B, pctrl->base + regs->pwpr); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); return 0; } @@ -1687,14 +1687,14 @@ static int rzg2l_gpio_request(struct gpio_chip *chip, unsigned int offset) if (ret) return ret; - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); /* Select GPIO mode in PMC Register */ reg8 = readb(pctrl->base + PMC(off)); reg8 &= ~BIT(bit); pctrl->data->pmc_writeb(pctrl, reg8, PMC(off)); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); return 0; } @@ -1709,7 +1709,7 @@ static void rzg2l_gpio_set_direction(struct rzg2l_pinctrl *pctrl, u32 offset, unsigned long flags; u16 reg16; - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); reg16 = readw(pctrl->base + PM(off)); reg16 &= ~(PM_MASK << (bit * 2)); @@ -1717,7 +1717,7 @@ static void rzg2l_gpio_set_direction(struct rzg2l_pinctrl *pctrl, u32 offset, reg16 |= (output ? PM_OUTPUT : PM_INPUT) << (bit * 2); writew(reg16, pctrl->base + PM(off)); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); } static int rzg2l_gpio_get_direction(struct gpio_chip *chip, unsigned int offset) @@ -1761,7 +1761,7 @@ static int rzg2l_gpio_set(struct gpio_chip *chip, unsigned int offset, unsigned long flags; u8 reg8; - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); reg8 = readb(pctrl->base + P(off)); @@ -1770,7 +1770,7 @@ static int rzg2l_gpio_set(struct gpio_chip *chip, unsigned int offset, else writeb(reg8 & ~BIT(bit), pctrl->base + P(off)); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); return 0; } @@ -2429,14 +2429,13 @@ static int rzg2l_gpio_get_gpioint(unsigned int virq, struct rzg2l_pinctrl *pctrl return gpioint; } -static void rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl, - unsigned int hwirq, bool enable) +static void __rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl, + unsigned int hwirq, bool enable) { const struct pinctrl_pin_desc *pin_desc = &pctrl->desc.pins[hwirq]; u64 *pin_data = pin_desc->drv_data; u32 off = RZG2L_PIN_CFG_TO_PORT_OFFSET(*pin_data); u8 bit = RZG2L_PIN_ID_TO_PIN(hwirq); - unsigned long flags; void __iomem *addr; addr = pctrl->base + ISEL(off); @@ -2445,12 +2444,20 @@ static void rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl, addr += 4; } - spin_lock_irqsave(&pctrl->lock, flags); if (enable) writel(readl(addr) | BIT(bit * 8), addr); else writel(readl(addr) & ~BIT(bit * 8), addr); - spin_unlock_irqrestore(&pctrl->lock, flags); +} + +static void rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl, + unsigned int hwirq, bool enable) +{ + unsigned long flags; + + raw_spin_lock_irqsave(&pctrl->lock, flags); + __rzg2l_gpio_irq_endisable(pctrl, hwirq, enable); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); } static void rzg2l_gpio_irq_disable(struct irq_data *d) @@ -2462,15 +2469,25 @@ static void rzg2l_gpio_irq_disable(struct irq_data *d) gpiochip_disable_irq(gc, hwirq); } -static void rzg2l_gpio_irq_enable(struct irq_data *d) +static void __rzg2l_gpio_irq_enable(struct irq_data *d, bool lock) { struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct rzg2l_pinctrl *pctrl = container_of(gc, struct rzg2l_pinctrl, gpio_chip); unsigned int hwirq = irqd_to_hwirq(d); gpiochip_enable_irq(gc, hwirq); + if (lock) + rzg2l_gpio_irq_endisable(pctrl, hwirq, true); + else + __rzg2l_gpio_irq_endisable(pctrl, hwirq, true); irq_chip_enable_parent(d); } +static void rzg2l_gpio_irq_enable(struct irq_data *d) +{ + __rzg2l_gpio_irq_enable(d, true); +} + static int rzg2l_gpio_irq_set_type(struct irq_data *d, unsigned int type) { return irq_chip_set_type_parent(d, type); @@ -2616,11 +2633,11 @@ static void rzg2l_gpio_irq_restore(struct rzg2l_pinctrl *pctrl) * This has to be atomically executed to protect against a concurrent * interrupt. */ - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); ret = rzg2l_gpio_irq_set_type(data, irqd_get_trigger_type(data)); if (!ret && !irqd_irq_disabled(data)) - rzg2l_gpio_irq_enable(data); - spin_unlock_irqrestore(&pctrl->lock, flags); + __rzg2l_gpio_irq_enable(data, false); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); if (ret) dev_crit(pctrl->dev, "Failed to set IRQ type for virq=%u\n", virq); @@ -2950,7 +2967,7 @@ static int rzg2l_pinctrl_probe(struct platform_device *pdev) "failed to enable GPIO clk\n"); } - spin_lock_init(&pctrl->lock); + raw_spin_lock_init(&pctrl->lock); spin_lock_init(&pctrl->bitmap_lock); mutex_init(&pctrl->mutex); atomic_set(&pctrl->wakeup_path, 0); @@ -3093,7 +3110,7 @@ static void rzg2l_pinctrl_pm_setup_pfc(struct rzg2l_pinctrl *pctrl) u32 nports = pctrl->data->n_port_pins / RZG2L_PINS_PER_PORT; unsigned long flags; - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); pctrl->data->pwpr_pfc_lock_unlock(pctrl, false); /* Restore port registers. */ @@ -3138,7 +3155,7 @@ static void rzg2l_pinctrl_pm_setup_pfc(struct rzg2l_pinctrl *pctrl) } pctrl->data->pwpr_pfc_lock_unlock(pctrl, true); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); } static int rzg2l_pinctrl_suspend_noirq(struct device *dev) @@ -3187,14 +3204,14 @@ static int rzg2l_pinctrl_resume_noirq(struct device *dev) writeb(cache->qspi, pctrl->base + QSPI); if (pctrl->data->hwcfg->oen_pwpr_lock) { - spin_lock_irqsave(&pctrl->lock, flags); + raw_spin_lock_irqsave(&pctrl->lock, flags); pwpr = readb(pctrl->base + regs->pwpr); writeb(pwpr | PWPR_REGWE_B, pctrl->base + regs->pwpr); } writeb(cache->oen, pctrl->base + pctrl->data->hwcfg->regs.oen); if (pctrl->data->hwcfg->oen_pwpr_lock) { writeb(pwpr & ~PWPR_REGWE_B, pctrl->base + regs->pwpr); - spin_unlock_irqrestore(&pctrl->lock, flags); + raw_spin_unlock_irqrestore(&pctrl->lock, flags); } for (u8 i = 0; i < 2; i++) { if (regs->sd_ch)

11 hours, 24 minutes

2
1
0 0

[PATCH RESEND v3 4/4] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather

by David Hildenbrand (Red Hat)

As reported, ever since commit 1013af4f585f ("mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race") we can end up in some situations where we perform so many IPI broadcasts when unsharing hugetlb PMD page tables that it severely regresses some workloads. In particular, when we fork()+exit(), or when we munmap() a large area backed by many shared PMD tables, we perform one IPI broadcast per unshared PMD table. There are two optimizations to be had: (1) When we process (unshare) multiple such PMD tables, such as during exit(), it is sufficient to send a single IPI broadcast (as long as we respect locking rules) instead of one per PMD table. Locking prevents that any of these PMD tables could get reused before we drop the lock. (2) When we are not the last sharer (> 2 users including us), there is no need to send the IPI broadcast. The shared PMD tables cannot become exclusive (fully unshared) before an IPI will be broadcasted by the last sharer. Concurrent GUP-fast could walk into a PMD table just before we unshared it. It could then succeed in grabbing a page from the shared page table even after munmap() etc succeeded (and supressed an IPI). But there is not difference compared to GUP-fast just sleeping for a while after grabbing the page and re-enabling IRQs. Most importantly, GUP-fast will never walk into page tables that are no-longer shared, because the last sharer will issue an IPI broadcast. (if ever required, checking whether the PUD changed in GUP-fast after grabbing the page like we do in the PTE case could handle this) So let's rework PMD sharing TLB flushing + IPI sync to use the mmu_gather infrastructure so we can implement these optimizations and demystify the code at least a bit. Extend the mmu_gather infrastructure to be able to deal with our special hugetlb PMD table sharing implementation. To make initialization of the mmu_gather easier when working on a single VMA (in particular, when dealing with hugetlb), provide tlb_gather_mmu_vma(). We'll consolidate the handling for (full) unsharing of PMD tables in tlb_unshare_pmd_ptdesc() and tlb_flush_unshared_tables(), and track in "struct mmu_gather" whether we had (full) unsharing of PMD tables. Because locking is very special (concurrent unsharing+reuse must be prevented), we disallow deferring flushing to tlb_finish_mmu() and instead require an explicit earlier call to tlb_flush_unshared_tables(). From hugetlb code, we call huge_pmd_unshare_flush() where we make sure that the expected lock protecting us from concurrent unsharing+reuse is still held. Check with a VM_WARN_ON_ONCE() in tlb_finish_mmu() that tlb_flush_unshared_tables() was properly called earlier. Document it all properly. Notes about tlb_remove_table_sync_one() interaction with unsharing: There are two fairly tricky things: (1) tlb_remove_table_sync_one() is a NOP on architectures without CONFIG_MMU_GATHER_RCU_TABLE_FREE. Here, the assumption is that the previous TLB flush would send an IPI to all relevant CPUs. Careful: some architectures like x86 only send IPIs to all relevant CPUs when tlb->freed_tables is set. The relevant architectures should be selecting MMU_GATHER_RCU_TABLE_FREE, but x86 might not do that in stable kernels and it might have been problematic before this patch. Also, the arch flushing behavior (independent of IPIs) is different when tlb->freed_tables is set. Do we have to enlighten them to also take care of tlb->unshared_tables? So far we didn't care, so hopefully we are fine. Of course, we could be setting tlb->freed_tables as well, but that might then unnecessarily flush too much, because the semantics of tlb->freed_tables are a bit fuzzy. This patch changes nothing in this regard. (2) tlb_remove_table_sync_one() is not a NOP on architectures with CONFIG_MMU_GATHER_RCU_TABLE_FREE that actually don't need a sync. Take x86 as an example: in the common case (!pv, !X86_FEATURE_INVLPGB) we still issue IPIs during TLB flushes and don't actually need the second tlb_remove_table_sync_one(). This optimized can be implemented on top of this, by checking e.g., in tlb_remove_table_sync_one() whether we really need IPIs. But as described in (1), it really must honor tlb->freed_tables then to send IPIs to all relevant CPUs. Notes on TLB flushing changes: (1) Flushing for non-shared PMD tables We're converting from flush_hugetlb_tlb_range() to tlb_remove_huge_tlb_entry(). Given that we properly initialize the MMU gather in tlb_gather_mmu_vma() to be hugetlb aware, similar to __unmap_hugepage_range(), that should be fine. (2) Flushing for shared PMD tables We're converting from various things (flush_hugetlb_tlb_range(), tlb_flush_pmd_range(), flush_tlb_range()) to tlb_flush_pmd_range(). tlb_flush_pmd_range() achieves the same that tlb_remove_huge_tlb_entry() would achieve in these scenarios. Note that tlb_remove_huge_tlb_entry() also calls __tlb_remove_tlb_entry(), however that is only implemented on powerpc, which does not support PMD table sharing. Similar to (1), tlb_gather_mmu_vma() should make sure that TLB flushing keeps on working as expected. Further, note that the ptdesc_pmd_pts_dec() in huge_pmd_share() is not a concern, as we are holding the i_mmap_lock the whole time, preventing concurrent unsharing. That ptdesc_pmd_pts_dec() usage will be removed separately as a cleanup later. There are plenty more cleanups to be had, but they have to wait until this is fixed. Fixes: 1013af4f585f ("mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race") Reported-by: Uschakow, Stanislav" <suschako(a)amazon.de> Closes: https://lore.kernel.org/all/4d3878531c76479d9f8ca9789dc6485d@amazon.de/ Tested-by: Laurence Oberman <loberman(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: David Hildenbrand (Red Hat) <david(a)kernel.org> --- include/asm-generic/tlb.h | 77 +++++++++++++++++++++++- include/linux/hugetlb.h | 15 +++-- include/linux/mm_types.h | 1 + mm/hugetlb.c | 123 ++++++++++++++++++++++---------------- mm/mmu_gather.c | 33 ++++++++++ mm/rmap.c | 25 +++++--- 6 files changed, 208 insertions(+), 66 deletions(-) diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h index 1fff717cae510..4d679d2a206b4 100644 --- a/include/asm-generic/tlb.h +++ b/include/asm-generic/tlb.h @@ -46,7 +46,8 @@ * * The mmu_gather API consists of: * - * - tlb_gather_mmu() / tlb_gather_mmu_fullmm() / tlb_finish_mmu() + * - tlb_gather_mmu() / tlb_gather_mmu_fullmm() / tlb_gather_mmu_vma() / + * tlb_finish_mmu() * * start and finish a mmu_gather * @@ -364,6 +365,20 @@ struct mmu_gather { unsigned int vma_huge : 1; unsigned int vma_pfn : 1; + /* + * Did we unshare (unmap) any shared page tables? For now only + * used for hugetlb PMD table sharing. + */ + unsigned int unshared_tables : 1; + + /* + * Did we unshare any page tables such that they are now exclusive + * and could get reused+modified by the new owner? When setting this + * flag, "unshared_tables" will be set as well. For now only used + * for hugetlb PMD table sharing. + */ + unsigned int fully_unshared_tables : 1; + unsigned int batch_count; #ifndef CONFIG_MMU_GATHER_NO_GATHER @@ -400,6 +415,7 @@ static inline void __tlb_reset_range(struct mmu_gather *tlb) tlb->cleared_pmds = 0; tlb->cleared_puds = 0; tlb->cleared_p4ds = 0; + tlb->unshared_tables = 0; /* * Do not reset mmu_gather::vma_* fields here, we do not * call into tlb_start_vma() again to set them if there is an @@ -484,7 +500,7 @@ static inline void tlb_flush_mmu_tlbonly(struct mmu_gather *tlb) * these bits. */ if (!(tlb->freed_tables || tlb->cleared_ptes || tlb->cleared_pmds || - tlb->cleared_puds || tlb->cleared_p4ds)) + tlb->cleared_puds || tlb->cleared_p4ds || tlb->unshared_tables)) return; tlb_flush(tlb); @@ -773,6 +789,63 @@ static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd) } #endif +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void tlb_unshare_pmd_ptdesc(struct mmu_gather *tlb, struct ptdesc *pt, + unsigned long addr) +{ + /* + * The caller must make sure that concurrent unsharing + exclusive + * reuse is impossible until tlb_flush_unshared_tables() was called. + */ + VM_WARN_ON_ONCE(!ptdesc_pmd_is_shared(pt)); + ptdesc_pmd_pts_dec(pt); + + /* Clearing a PUD pointing at a PMD table with PMD leaves. */ + tlb_flush_pmd_range(tlb, addr & PUD_MASK, PUD_SIZE); + + /* + * If the page table is now exclusively owned, we fully unshared + * a page table. + */ + if (!ptdesc_pmd_is_shared(pt)) + tlb->fully_unshared_tables = true; + tlb->unshared_tables = true; +} + +static inline void tlb_flush_unshared_tables(struct mmu_gather *tlb) +{ + /* + * As soon as the caller drops locks to allow for reuse of + * previously-shared tables, these tables could get modified and + * even reused outside of hugetlb context, so we have to make sure that + * any page table walkers (incl. TLB, GUP-fast) are aware of that + * change. + * + * Even if we are not fully unsharing a PMD table, we must + * flush the TLB for the unsharer now. + */ + if (tlb->unshared_tables) + tlb_flush_mmu_tlbonly(tlb); + + /* + * Similarly, we must make sure that concurrent GUP-fast will not + * walk previously-shared page tables that are getting modified+reused + * elsewhere. So broadcast an IPI to wait for any concurrent GUP-fast. + * + * We only perform this when we are the last sharer of a page table, + * as the IPI will reach all CPUs: any GUP-fast. + * + * Note that on configs where tlb_remove_table_sync_one() is a NOP, + * the expectation is that the tlb_flush_mmu_tlbonly() would have issued + * required IPIs already for us. + */ + if (tlb->fully_unshared_tables) { + tlb_remove_table_sync_one(); + tlb->fully_unshared_tables = false; + } +} +#endif /* CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING */ + #endif /* CONFIG_MMU */ #endif /* _ASM_GENERIC__TLB_H */ diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 03c8725efa289..e51b8ef0cebd9 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -240,8 +240,9 @@ pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, pte_t *huge_pte_offset(struct mm_struct *mm, unsigned long addr, unsigned long sz); unsigned long hugetlb_mask_last_page(struct hstate *h); -int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long addr, pte_t *ptep); +int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep); +void huge_pmd_unshare_flush(struct mmu_gather *tlb, struct vm_area_struct *vma); void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, unsigned long *start, unsigned long *end); @@ -300,13 +301,17 @@ static inline struct address_space *hugetlb_folio_mapping_lock_write( return NULL; } -static inline int huge_pmd_unshare(struct mm_struct *mm, - struct vm_area_struct *vma, - unsigned long addr, pte_t *ptep) +static inline int huge_pmd_unshare(struct mmu_gather *tlb, + struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { return 0; } +static inline void huge_pmd_unshare_flush(struct mmu_gather *tlb, + struct vm_area_struct *vma) +{ +} + static inline void adjust_range_if_pmd_sharing_possible( struct vm_area_struct *vma, unsigned long *start, unsigned long *end) diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 42af2292951d4..d1053b2c1f800 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -1522,6 +1522,7 @@ static inline unsigned int mm_cid_size(void) struct mmu_gather; extern void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm); extern void tlb_gather_mmu_fullmm(struct mmu_gather *tlb, struct mm_struct *mm); +void tlb_gather_mmu_vma(struct mmu_gather *tlb, struct vm_area_struct *vma); extern void tlb_finish_mmu(struct mmu_gather *tlb); struct vm_fault; diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 3c77cdef12a32..2609b6d58f99e 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -5096,7 +5096,7 @@ int move_hugetlb_page_tables(struct vm_area_struct *vma, unsigned long last_addr_mask; pte_t *src_pte, *dst_pte; struct mmu_notifier_range range; - bool shared_pmd = false; + struct mmu_gather tlb; mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm, old_addr, old_end); @@ -5106,6 +5106,7 @@ int move_hugetlb_page_tables(struct vm_area_struct *vma, * range. */ flush_cache_range(vma, range.start, range.end); + tlb_gather_mmu_vma(&tlb, vma); mmu_notifier_invalidate_range_start(&range); last_addr_mask = hugetlb_mask_last_page(h); @@ -5122,8 +5123,7 @@ int move_hugetlb_page_tables(struct vm_area_struct *vma, if (huge_pte_none(huge_ptep_get(mm, old_addr, src_pte))) continue; - if (huge_pmd_unshare(mm, vma, old_addr, src_pte)) { - shared_pmd = true; + if (huge_pmd_unshare(&tlb, vma, old_addr, src_pte)) { old_addr |= last_addr_mask; new_addr |= last_addr_mask; continue; @@ -5134,15 +5134,16 @@ int move_hugetlb_page_tables(struct vm_area_struct *vma, break; move_huge_pte(vma, old_addr, new_addr, src_pte, dst_pte, sz); + tlb_remove_huge_tlb_entry(h, &tlb, src_pte, old_addr); } - if (shared_pmd) - flush_hugetlb_tlb_range(vma, range.start, range.end); - else - flush_hugetlb_tlb_range(vma, old_end - len, old_end); + tlb_flush_mmu_tlbonly(&tlb); + huge_pmd_unshare_flush(&tlb, vma); + mmu_notifier_invalidate_range_end(&range); i_mmap_unlock_write(mapping); hugetlb_vma_unlock_write(vma); + tlb_finish_mmu(&tlb); return len + old_addr - old_end; } @@ -5161,7 +5162,6 @@ void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct *vma, unsigned long sz = huge_page_size(h); bool adjust_reservation; unsigned long last_addr_mask; - bool force_flush = false; WARN_ON(!is_vm_hugetlb_page(vma)); BUG_ON(start & ~huge_page_mask(h)); @@ -5184,10 +5184,8 @@ void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct *vma, } ptl = huge_pte_lock(h, mm, ptep); - if (huge_pmd_unshare(mm, vma, address, ptep)) { + if (huge_pmd_unshare(tlb, vma, address, ptep)) { spin_unlock(ptl); - tlb_flush_pmd_range(tlb, address & PUD_MASK, PUD_SIZE); - force_flush = true; address |= last_addr_mask; continue; } @@ -5303,14 +5301,7 @@ void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct *vma, } tlb_end_vma(tlb, vma); - /* - * There is nothing protecting a previously-shared page table that we - * unshared through huge_pmd_unshare() from getting freed after we - * release i_mmap_rwsem, so flush the TLB now. If huge_pmd_unshare() - * succeeded, flush the range corresponding to the pud. - */ - if (force_flush) - tlb_flush_mmu_tlbonly(tlb); + huge_pmd_unshare_flush(tlb, vma); } void __hugetlb_zap_begin(struct vm_area_struct *vma, @@ -6409,11 +6400,11 @@ long hugetlb_change_protection(struct vm_area_struct *vma, pte_t pte; struct hstate *h = hstate_vma(vma); long pages = 0, psize = huge_page_size(h); - bool shared_pmd = false; struct mmu_notifier_range range; unsigned long last_addr_mask; bool uffd_wp = cp_flags & MM_CP_UFFD_WP; bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE; + struct mmu_gather tlb; /* * In the case of shared PMDs, the area to flush could be beyond @@ -6426,6 +6417,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, BUG_ON(address >= end); flush_cache_range(vma, range.start, range.end); + tlb_gather_mmu_vma(&tlb, vma); mmu_notifier_invalidate_range_start(&range); hugetlb_vma_lock_write(vma); @@ -6452,7 +6444,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, } } ptl = huge_pte_lock(h, mm, ptep); - if (huge_pmd_unshare(mm, vma, address, ptep)) { + if (huge_pmd_unshare(&tlb, vma, address, ptep)) { /* * When uffd-wp is enabled on the vma, unshare * shouldn't happen at all. Warn about it if it @@ -6461,7 +6453,6 @@ long hugetlb_change_protection(struct vm_area_struct *vma, WARN_ON_ONCE(uffd_wp || uffd_wp_resolve); pages++; spin_unlock(ptl); - shared_pmd = true; address |= last_addr_mask; continue; } @@ -6522,22 +6513,16 @@ long hugetlb_change_protection(struct vm_area_struct *vma, pte = huge_pte_clear_uffd_wp(pte); huge_ptep_modify_prot_commit(vma, address, ptep, old_pte, pte); pages++; + tlb_remove_huge_tlb_entry(h, &tlb, ptep, address); } next: spin_unlock(ptl); cond_resched(); } - /* - * There is nothing protecting a previously-shared page table that we - * unshared through huge_pmd_unshare() from getting freed after we - * release i_mmap_rwsem, so flush the TLB now. If huge_pmd_unshare() - * succeeded, flush the range corresponding to the pud. - */ - if (shared_pmd) - flush_hugetlb_tlb_range(vma, range.start, range.end); - else - flush_hugetlb_tlb_range(vma, start, end); + + tlb_flush_mmu_tlbonly(&tlb); + huge_pmd_unshare_flush(&tlb, vma); /* * No need to call mmu_notifier_arch_invalidate_secondary_tlbs() we are * downgrading page table protection not changing it to point to a new @@ -6548,6 +6533,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, i_mmap_unlock_write(vma->vm_file->f_mapping); hugetlb_vma_unlock_write(vma); mmu_notifier_invalidate_range_end(&range); + tlb_finish_mmu(&tlb); return pages > 0 ? (pages << h->order) : pages; } @@ -6904,18 +6890,27 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, return pte; } -/* - * unmap huge page backed by shared pte. +/** + * huge_pmd_unshare - Unmap a pmd table if it is shared by multiple users + * @tlb: the current mmu_gather. + * @vma: the vma covering the pmd table. + * @addr: the address we are trying to unshare. + * @ptep: pointer into the (pmd) page table. + * + * Called with the page table lock held, the i_mmap_rwsem held in write mode + * and the hugetlb vma lock held in write mode. * - * Called with page table lock held. + * Note: The caller must call huge_pmd_unshare_flush() before dropping the + * i_mmap_rwsem. * - * returns: 1 successfully unmapped a shared pte page - * 0 the underlying pte page is not shared, or it is the last user + * Returns: 1 if it was a shared PMD table and it got unmapped, or 0 if it + * was not a shared PMD table. */ -int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long addr, pte_t *ptep) +int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep) { unsigned long sz = huge_page_size(hstate_vma(vma)); + struct mm_struct *mm = vma->vm_mm; pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); @@ -6927,18 +6922,36 @@ int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); pud_clear(pud); - /* - * Once our caller drops the rmap lock, some other process might be - * using this page table as a normal, non-hugetlb page table. - * Wait for pending gup_fast() in other threads to finish before letting - * that happen. - */ - tlb_remove_table_sync_one(); - ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); + + tlb_unshare_pmd_ptdesc(tlb, virt_to_ptdesc(ptep), addr); + mm_dec_nr_pmds(mm); return 1; } +/* + * huge_pmd_unshare_flush - Complete a sequence of huge_pmd_unshare() calls + * @tlb: the current mmu_gather. + * @vma: the vma covering the pmd table. + * + * Perform necessary TLB flushes or IPI broadcasts to synchronize PMD table + * unsharing with concurrent page table walkers. + * + * This function must be called after a sequence of huge_pmd_unshare() + * calls while still holding the i_mmap_rwsem. + */ +void huge_pmd_unshare_flush(struct mmu_gather *tlb, struct vm_area_struct *vma) +{ + /* + * We must synchronize page table unsharing such that nobody will + * try reusing a previously-shared page table while it might still + * be in use by previous sharers (TLB, GUP_fast). + */ + i_mmap_assert_write_locked(vma->vm_file->f_mapping); + + tlb_flush_unshared_tables(tlb); +} + #else /* !CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING */ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, @@ -6947,12 +6960,16 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, return NULL; } -int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long addr, pte_t *ptep) +int huge_pmd_unshare(struct mmu_gather *tlb, struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep) { return 0; } +void huge_pmd_unshare_flush(struct mmu_gather *tlb, struct vm_area_struct *vma) +{ +} + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, unsigned long *start, unsigned long *end) { @@ -7219,6 +7236,7 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, unsigned long sz = huge_page_size(h); struct mm_struct *mm = vma->vm_mm; struct mmu_notifier_range range; + struct mmu_gather tlb; unsigned long address; spinlock_t *ptl; pte_t *ptep; @@ -7230,6 +7248,8 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, return; flush_cache_range(vma, start, end); + tlb_gather_mmu_vma(&tlb, vma); + /* * No need to call adjust_range_if_pmd_sharing_possible(), because * we have already done the PUD_SIZE alignment. @@ -7248,10 +7268,10 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, if (!ptep) continue; ptl = huge_pte_lock(h, mm, ptep); - huge_pmd_unshare(mm, vma, address, ptep); + huge_pmd_unshare(&tlb, vma, address, ptep); spin_unlock(ptl); } - flush_hugetlb_tlb_range(vma, start, end); + huge_pmd_unshare_flush(&tlb, vma); if (take_locks) { i_mmap_unlock_write(vma->vm_file->f_mapping); hugetlb_vma_unlock_write(vma); @@ -7261,6 +7281,7 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, * Documentation/mm/mmu_notifier.rst. */ mmu_notifier_invalidate_range_end(&range); + tlb_finish_mmu(&tlb); } /* diff --git a/mm/mmu_gather.c b/mm/mmu_gather.c index 247e3f9db6c7a..cd32c2dbf501b 100644 --- a/mm/mmu_gather.c +++ b/mm/mmu_gather.c @@ -10,6 +10,7 @@ #include <linux/swap.h> #include <linux/rmap.h> #include <linux/pgalloc.h> +#include <linux/hugetlb.h> #include <asm/tlb.h> @@ -426,6 +427,7 @@ static void __tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, #endif tlb->vma_pfn = 0; + tlb->fully_unshared_tables = 0; __tlb_reset_range(tlb); inc_tlb_flush_pending(tlb->mm); } @@ -459,6 +461,31 @@ void tlb_gather_mmu_fullmm(struct mmu_gather *tlb, struct mm_struct *mm) __tlb_gather_mmu(tlb, mm, true); } +/** + * tlb_gather_mmu - initialize an mmu_gather structure for operating on a single + * VMA + * @tlb: the mmu_gather structure to initialize + * @vma: the vm_area_struct + * + * Called to initialize an (on-stack) mmu_gather structure for operating on + * a single VMA. In contrast to tlb_gather_mmu(), calling this function will + * not require another call to tlb_start_vma(). In contrast to tlb_start_vma(), + * this function will *not* call flush_cache_range(). + * + * For hugetlb VMAs, this function will also initialize the mmu_gather + * page_size accordingly, not requiring a separate call to + * tlb_change_page_size(). + * + */ +void tlb_gather_mmu_vma(struct mmu_gather *tlb, struct vm_area_struct *vma) +{ + tlb_gather_mmu(tlb, vma->vm_mm); + tlb_update_vma_flags(tlb, vma); + if (is_vm_hugetlb_page(vma)) + /* All entries have the same size. */ + tlb_change_page_size(tlb, huge_page_size(hstate_vma(vma))); +} + /** * tlb_finish_mmu - finish an mmu_gather structure * @tlb: the mmu_gather structure to finish @@ -468,6 +495,12 @@ void tlb_gather_mmu_fullmm(struct mmu_gather *tlb, struct mm_struct *mm) */ void tlb_finish_mmu(struct mmu_gather *tlb) { + /* + * We expect an earlier huge_pmd_unshare_flush() call to sort this out, + * due to complicated locking requirements with page table unsharing. + */ + VM_WARN_ON_ONCE(tlb->fully_unshared_tables); + /* * If there are parallel threads are doing PTE changes on same range * under non-exclusive lock (e.g., mmap_lock read-side) but defer TLB diff --git a/mm/rmap.c b/mm/rmap.c index 748f48727a162..7b9879ef442d9 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -76,7 +76,7 @@ #include <linux/mm_inline.h> #include <linux/oom.h> -#include <asm/tlbflush.h> +#include <asm/tlb.h> #define CREATE_TRACE_POINTS #include <trace/events/migrate.h> @@ -2008,13 +2008,17 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, * if unsuccessful. */ if (!anon) { + struct mmu_gather tlb; + VM_BUG_ON(!(flags & TTU_RMAP_LOCKED)); if (!hugetlb_vma_trylock_write(vma)) goto walk_abort; - if (huge_pmd_unshare(mm, vma, address, pvmw.pte)) { + + tlb_gather_mmu_vma(&tlb, vma); + if (huge_pmd_unshare(&tlb, vma, address, pvmw.pte)) { hugetlb_vma_unlock_write(vma); - flush_tlb_range(vma, - range.start, range.end); + huge_pmd_unshare_flush(&tlb, vma); + tlb_finish_mmu(&tlb); /* * The PMD table was unmapped, * consequently unmapping the folio. @@ -2022,6 +2026,7 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, goto walk_done; } hugetlb_vma_unlock_write(vma); + tlb_finish_mmu(&tlb); } pteval = huge_ptep_clear_flush(vma, address, pvmw.pte); if (pte_dirty(pteval)) @@ -2398,17 +2403,20 @@ static bool try_to_migrate_one(struct folio *folio, struct vm_area_struct *vma, * fail if unsuccessful. */ if (!anon) { + struct mmu_gather tlb; + VM_BUG_ON(!(flags & TTU_RMAP_LOCKED)); if (!hugetlb_vma_trylock_write(vma)) { page_vma_mapped_walk_done(&pvmw); ret = false; break; } - if (huge_pmd_unshare(mm, vma, address, pvmw.pte)) { - hugetlb_vma_unlock_write(vma); - flush_tlb_range(vma, - range.start, range.end); + tlb_gather_mmu_vma(&tlb, vma); + if (huge_pmd_unshare(&tlb, vma, address, pvmw.pte)) { + hugetlb_vma_unlock_write(vma); + huge_pmd_unshare_flush(&tlb, vma); + tlb_finish_mmu(&tlb); /* * The PMD table was unmapped, * consequently unmapping the folio. @@ -2417,6 +2425,7 @@ static bool try_to_migrate_one(struct folio *folio, struct vm_area_struct *vma, break; } hugetlb_vma_unlock_write(vma); + tlb_finish_mmu(&tlb); } /* Nuke the hugetlb page table entry */ pteval = huge_ptep_clear_flush(vma, address, pvmw.pte); -- 2.52.0

11 hours, 27 minutes

2
3
0 0

[PATCH 5.10,5.15,6.1,6.6] leds: spi-byte: Initialize device node before access

by Tiffany Yang

Commit 7f9ab862e05c ("leds: spi-byte: Call of_node_put() on error path") was merged in 6.11 and then backported to stable trees through 5.10. It relocates the line that initializes the variable 'child' to a later point in spi_byte_probe(). Versions < 6.9 do not have commit ccc35ff2fd29 ("leds: spi-byte: Use devm_led_classdev_register_ext()"), which removes a line that reads a property from 'child' before its new initialization point. Consequently, spi_byte_probe() reads from an uninitialized device node in stable kernels 6.6-5.10. Initialize 'child' before it is first accessed. Fixes: 7f9ab862e05c ("leds: spi-byte: Call of_node_put() on error path") Signed-off-by: Tiffany Yang <ynaffit(a)google.com> --- As an alternative to moving the initialization of 'child' up, Fedor Pchelkin proposed [1] backporting the change that removes the intermediate access. [1] https://lore.kernel.org/stable/20241029204128.527033-1-pchelkin@ispras.ru/ --- drivers/leds/leds-spi-byte.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c index afe9bff7c7c1..4520df1e2341 100644 --- a/drivers/leds/leds-spi-byte.c +++ b/drivers/leds/leds-spi-byte.c @@ -96,6 +96,7 @@ static int spi_byte_probe(struct spi_device *spi) if (!led) return -ENOMEM; + child = of_get_next_available_child(dev_of_node(dev), NULL); of_property_read_string(child, "label", &name); strscpy(led->name, name, sizeof(led->name)); led->spi = spi; @@ -106,7 +107,6 @@ static int spi_byte_probe(struct spi_device *spi) led->ldev.max_brightness = led->cdef->max_value - led->cdef->off_value; led->ldev.brightness_set_blocking = spi_byte_brightness_set_blocking; - child = of_get_next_available_child(dev_of_node(dev), NULL); state = of_get_property(child, "default-state", NULL); if (state) { if (!strcmp(state, "on")) { -- 2.52.0.351.gbe84eed79e-goog

12 hours, 5 minutes

1
0
0 0

+ x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: x86/kexec: add a sanity check on previous kernel's ima kexec buffer has been added to the -mm mm-nonmm-unstable branch. Its filename is x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Subject: x86/kexec: add a sanity check on previous kernel's ima kexec buffer Date: Mon, 29 Dec 2025 00:15:23 -0800 When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) �� not-present page Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86. Without carrying the measurement list across kexec, the attestation would fail. Link: https://lkml.kernel.org/r/20251229081523.622515-4-harshit.m.mogalapalli@ora… Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec") Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Reported-by: Paul Webb <paul.x.webb(a)oracle.com> Cc: Alexander Graf <graf(a)amazon.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Borislav Betkov <bp(a)alien8.de> Cc: guoweikang <guoweikang.kernel(a)gmail.com> Cc: Henry Willard <henry.willard(a)oracle.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jiri Bohac <jbohac(a)suse.cz> Cc: Joel Granados <joel.granados(a)kernel.org> Cc: Jonathan McDowell <noodles(a)fb.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Mimi Zohar <zohar(a)linux.ibm.com> Cc: Sohil Mehta <sohil.mehta(a)intel.com> Cc: Sourabh Jain <sourabhjain(a)linux.ibm.com> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Yifei Liu <yifei.l.liu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/kernel/setup.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/arch/x86/kernel/setup.c~x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer +++ a/arch/x86/kernel/setup.c @@ -439,9 +439,15 @@ int __init ima_free_kexec_buffer(void) int __init ima_get_kexec_buffer(void **addr, size_t *size) { + int ret; + if (!ima_kexec_buffer_size) return -ENOENT; + ret = ima_validate_range(ima_kexec_buffer_phys, ima_kexec_buffer_size); + if (ret) + return ret; + *addr = __va(ima_kexec_buffer_phys); *size = ima_kexec_buffer_size; _ Patches currently in -mm which might be from harshit.m.mogalapalli(a)oracle.com are ima-add-ima_validate_range-for-previous-kernel-ima-buffer.patch of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_validate_range.patch x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer.patch

12 hours, 45 minutes

1
0
0 0

+ of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_validate_range.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range() has been added to the -mm mm-nonmm-unstable branch. Its filename is of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_validate_range.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Subject: of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range() Date: Mon, 29 Dec 2025 00:15:22 -0800 Refactor the OF/DT ima_get_kexec_buffer() to use a generic helper to validate the address range. No functional change intended. Link: https://lkml.kernel.org/r/20251229081523.622515-3-harshit.m.mogalapalli@ora… Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec") Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Cc: Alexander Graf <graf(a)amazon.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Borislav Betkov <bp(a)alien8.de> Cc: guoweikang <guoweikang.kernel(a)gmail.com> Cc: Henry Willard <henry.willard(a)oracle.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jiri Bohac <jbohac(a)suse.cz> Cc: Joel Granados <joel.granados(a)kernel.org> Cc: Jonathan McDowell <noodles(a)fb.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Mimi Zohar <zohar(a)linux.ibm.com> Cc: Paul Webb <paul.x.webb(a)oracle.com> Cc: Sohil Mehta <sohil.mehta(a)intel.com> Cc: Sourabh Jain <sourabhjain(a)linux.ibm.com> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Yifei Liu <yifei.l.liu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/of/kexec.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) --- a/drivers/of/kexec.c~of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_validate_range +++ a/drivers/of/kexec.c @@ -128,7 +128,6 @@ int __init ima_get_kexec_buffer(void **a { int ret, len; unsigned long tmp_addr; - unsigned long start_pfn, end_pfn; size_t tmp_size; const void *prop; @@ -144,17 +143,9 @@ int __init ima_get_kexec_buffer(void **a if (!tmp_size) return -ENOENT; - /* - * Calculate the PFNs for the buffer and ensure - * they are with in addressable memory. - */ - start_pfn = PHYS_PFN(tmp_addr); - end_pfn = PHYS_PFN(tmp_addr + tmp_size - 1); - if (!page_is_ram(start_pfn) || !page_is_ram(end_pfn)) { - pr_warn("IMA buffer at 0x%lx, size = 0x%zx beyond memory\n", - tmp_addr, tmp_size); - return -EINVAL; - } + ret = ima_validate_range(tmp_addr, tmp_size); + if (ret) + return ret; *addr = __va(tmp_addr); *size = tmp_size; _ Patches currently in -mm which might be from harshit.m.mogalapalli(a)oracle.com are ima-add-ima_validate_range-for-previous-kernel-ima-buffer.patch of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_validate_range.patch x86-kexec-add-a-sanity-check-on-previous-kernels-ima-kexec-buffer.patch

12 hours, 45 minutes

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror