From: Ryan Roberts <ryan.roberts(a)arm.com>
commit c910f2b65518 ("arm64/mm: Update tlb invalidation routines for
FEAT_LPA2") changed the "invalidation level unknown" hint from 0 to
TLBI_TTL_UNKNOWN (INT_MAX). But the fallback "unknown level" path in
flush_hugetlb_tlb_range() was not updated. So as it stands, when trying
to invalidate CONT_PMD_SIZE or CONT_PTE_SIZE hugetlb mappings, we will
spuriously try to invalidate at level 0 on LPA2-enabled systems.
Fix this so that the fallback passes TLBI_TTL_UNKNOWN, and while we are
at it, explicitly use the correct stride and level for CONT_PMD_SIZE and
CONT_PTE_SIZE, which should provide a minor optimization.
Cc: stable(a)vger.kernel.org
Fixes: c910f2b65518 ("arm64/mm: Update tlb invalidation routines for FEAT_LPA2")
Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com>
Link: https://lore.kernel.org/r/20250226120656.2400136-4-ryan.roberts@arm.com
Signed-off-by: Will Deacon <will(a)kernel.org>
Signed-off-by: Jia He <justin.he(a)arm.com>
---
arch/arm64/include/asm/hugetlb.h | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/include/asm/hugetlb.h b/arch/arm64/include/asm/hugetlb.h
index 92a5e0879b11..eb413631edea 100644
--- a/arch/arm64/include/asm/hugetlb.h
+++ b/arch/arm64/include/asm/hugetlb.h
@@ -68,12 +68,22 @@ static inline void flush_hugetlb_tlb_range(struct vm_area_struct *vma,
{
unsigned long stride = huge_page_size(hstate_vma(vma));
- if (stride == PMD_SIZE)
- __flush_tlb_range(vma, start, end, stride, false, 2);
- else if (stride == PUD_SIZE)
- __flush_tlb_range(vma, start, end, stride, false, 1);
- else
- __flush_tlb_range(vma, start, end, PAGE_SIZE, false, 0);
+ switch (stride) {
+#ifndef __PAGETABLE_PMD_FOLDED
+ case PUD_SIZE:
+ __flush_tlb_range(vma, start, end, PUD_SIZE, false, 1);
+ break;
+#endif
+ case CONT_PMD_SIZE:
+ case PMD_SIZE:
+ __flush_tlb_range(vma, start, end, PMD_SIZE, false, 2);
+ break;
+ case CONT_PTE_SIZE:
+ __flush_tlb_range(vma, start, end, PAGE_SIZE, false, 3);
+ break;
+ default:
+ __flush_tlb_range(vma, start, end, PAGE_SIZE, false, TLBI_TTL_UNKNOWN);
+ }
}
#endif /* __ASM_HUGETLB_H */
--
2.34.1
From: Ryan Roberts <ryan.roberts(a)arm.com>
arm64 supports multiple huge_pte sizes. Some of the sizes are covered by
a single pte entry at a particular level (PMD_SIZE, PUD_SIZE), and some
are covered by multiple ptes at a particular level (CONT_PTE_SIZE,
CONT_PMD_SIZE). So the function has to figure out the size from the
huge_pte pointer. This was previously done by walking the pgtable to
determine the level and by using the PTE_CONT bit to determine the
number of ptes at the level.
But the PTE_CONT bit is only valid when the pte is present. For
non-present pte values (e.g. markers, migration entries), the previous
implementation was therefore erroneously determining the size. There is
at least one known caller in core-mm, move_huge_pte(), which may call
huge_ptep_get_and_clear() for a non-present pte. So we must be robust to
this case. Additionally the "regular" ptep_get_and_clear() is robust to
being called for non-present ptes so it makes sense to follow the
behavior.
Fix this by using the new sz parameter which is now provided to the
function. Additionally when clearing each pte in a contig range, don't
gather the access and dirty bits if the pte is not present.
An alternative approach that would not require API changes would be to
store the PTE_CONT bit in a spare bit in the swap entry pte for the
non-present case. But it felt cleaner to follow other APIs' lead and
just pass in the size.
As an aside, PTE_CONT is bit 52, which corresponds to bit 40 in the swap
entry offset field (layout of non-present pte). Since hugetlb is never
swapped to disk, this field will only be populated for markers, which
always set this bit to 0 and hwpoison swap entries, which set the offset
field to a PFN; So it would only ever be 1 for a 52-bit PVA system where
memory in that high half was poisoned (I think!). So in practice, this
bit would almost always be zero for non-present ptes and we would only
clear the first entry if it was actually a contiguous block. That's
probably a less severe symptom than if it was always interpreted as 1
and cleared out potentially-present neighboring PTEs.
Cc: stable(a)vger.kernel.org
Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit")
Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com>
Link: https://lore.kernel.org/r/20250226120656.2400136-3-ryan.roberts@arm.com
Signed-off-by: Will Deacon <will(a)kernel.org>
Signed-off-by: Jia He <justin.he(a)arm.com>
---
arch/arm64/mm/hugetlbpage.c | 53 ++++++++++++++-----------------------
1 file changed, 20 insertions(+), 33 deletions(-)
diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
index 7a54f8b4164b..d631d52986ec 100644
--- a/arch/arm64/mm/hugetlbpage.c
+++ b/arch/arm64/mm/hugetlbpage.c
@@ -121,20 +121,11 @@ static int find_num_contig(struct mm_struct *mm, unsigned long addr,
static inline int num_contig_ptes(unsigned long size, size_t *pgsize)
{
- int contig_ptes = 0;
+ int contig_ptes = 1;
*pgsize = size;
switch (size) {
-#ifndef __PAGETABLE_PMD_FOLDED
- case PUD_SIZE:
- if (pud_sect_supported())
- contig_ptes = 1;
- break;
-#endif
- case PMD_SIZE:
- contig_ptes = 1;
- break;
case CONT_PMD_SIZE:
*pgsize = PMD_SIZE;
contig_ptes = CONT_PMDS;
@@ -143,6 +134,8 @@ static inline int num_contig_ptes(unsigned long size, size_t *pgsize)
*pgsize = PAGE_SIZE;
contig_ptes = CONT_PTES;
break;
+ default:
+ WARN_ON(!__hugetlb_valid_size(size));
}
return contig_ptes;
@@ -184,24 +177,23 @@ static pte_t get_clear_contig(struct mm_struct *mm,
unsigned long pgsize,
unsigned long ncontig)
{
- pte_t orig_pte = __ptep_get(ptep);
- unsigned long i;
-
- for (i = 0; i < ncontig; i++, addr += pgsize, ptep++) {
- pte_t pte = __ptep_get_and_clear(mm, addr, ptep);
-
- /*
- * If HW_AFDBM is enabled, then the HW could turn on
- * the dirty or accessed bit for any page in the set,
- * so check them all.
- */
- if (pte_dirty(pte))
- orig_pte = pte_mkdirty(orig_pte);
-
- if (pte_young(pte))
- orig_pte = pte_mkyoung(orig_pte);
+ pte_t pte, tmp_pte;
+ bool present;
+
+ pte = __ptep_get_and_clear(mm, addr, ptep);
+ present = pte_present(pte);
+ while (--ncontig) {
+ ptep++;
+ addr += pgsize;
+ tmp_pte = __ptep_get_and_clear(mm, addr, ptep);
+ if (present) {
+ if (pte_dirty(tmp_pte))
+ pte = pte_mkdirty(pte);
+ if (pte_young(tmp_pte))
+ pte = pte_mkyoung(pte);
+ }
}
- return orig_pte;
+ return pte;
}
static pte_t get_clear_contig_flush(struct mm_struct *mm,
@@ -419,13 +411,8 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
{
int ncontig;
size_t pgsize;
- pte_t orig_pte = __ptep_get(ptep);
-
- if (!pte_cont(orig_pte))
- return __ptep_get_and_clear(mm, addr, ptep);
-
- ncontig = find_num_contig(mm, addr, ptep, &pgsize);
+ ncontig = num_contig_ptes(sz, &pgsize);
return get_clear_contig(mm, addr, ptep, pgsize, ncontig);
}
--
2.34.1
The VMA count limit check in do_mmap() and do_brk_flags() uses a
strict inequality (>), which allows a process's VMA count to exceed
the configured sysctl_max_map_count limit by one.
A process with mm->map_count == sysctl_max_map_count will incorrectly
pass this check and then exceed the limit upon allocation of a new VMA
when its map_count is incremented.
Other VMA allocation paths, such as split_vma(), already use the
correct, inclusive (>=) comparison.
Fix this bug by changing the comparison to be inclusive in do_mmap()
and do_brk_flags(), bringing them in line with the correct behavior
of other allocation paths.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable(a)vger.kernel.org>
Cc: Andrew Morton <akpm(a)linux-foundation.org>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: "Liam R. Howlett" <Liam.Howlett(a)oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Cc: Mike Rapoport <rppt(a)kernel.org>
Cc: Minchan Kim <minchan(a)kernel.org>
Cc: Pedro Falcato <pfalcato(a)suse.de>
Signed-off-by: Kalesh Singh <kaleshsingh(a)google.com>
---
Chnages in v2:
- Fix mmap check, per Pedro
mm/mmap.c | 2 +-
mm/vma.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/mmap.c b/mm/mmap.c
index 7306253cc3b5..e5370e7fcd8f 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -374,7 +374,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
return -EOVERFLOW;
/* Too many mappings? */
- if (mm->map_count > sysctl_max_map_count)
+ if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
/*
diff --git a/mm/vma.c b/mm/vma.c
index 3b12c7579831..033a388bc4b1 100644
--- a/mm/vma.c
+++ b/mm/vma.c
@@ -2772,7 +2772,7 @@ int do_brk_flags(struct vma_iterator *vmi, struct vm_area_struct *vma,
if (!may_expand_vm(mm, vm_flags, len >> PAGE_SHIFT))
return -ENOMEM;
- if (mm->map_count > sysctl_max_map_count)
+ if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
--
2.51.0.384.g4c02a37b29-goog
This series backports seven commits from v5.15.y that update minmax.h
and related code:
- ed6e37e30826 ("tracing: Define the is_signed_type() macro once")
- 998f03984e25 ("minmax: sanity check constant bounds when clamping")
- d470787b25e6 ("minmax: clamp more efficiently by avoiding extra
comparison")
- 1c2ee5bc9f11 ("minmax: fix header inclusions")
- d53b5d862acd ("minmax: allow min()/max()/clamp() if the arguments
have the same signedness.")
- 7ed91c5560df ("minmax: allow comparisons of 'int' against 'unsigned
char/short'")
- 22f7794ef5a3 ("minmax: relax check to allow comparison between
unsigned arguments and signed constants")
The main motivation is commit d53b5d862acd, which removes the strict
type check in min()/max() when both arguments have the same signedness.
Without this, kernel 5.10 builds can emit warnings that become build
failures when -Werror is used.
Additionally, commit ed6e37e30826 from tracing is required as a
dependency; without it, compilation fails.
Andy Shevchenko (1):
minmax: fix header inclusions
Bart Van Assche (1):
tracing: Define the is_signed_type() macro once
David Laight (3):
minmax: allow min()/max()/clamp() if the arguments have the same
signedness.
minmax: allow comparisons of 'int' against 'unsigned char/short'
minmax: relax check to allow comparison between unsigned arguments and
signed constants
Jason A. Donenfeld (2):
minmax: sanity check constant bounds when clamping
minmax: clamp more efficiently by avoiding extra comparison
include/linux/compiler.h | 6 +++
include/linux/minmax.h | 89 ++++++++++++++++++++++++++----------
include/linux/overflow.h | 1 -
include/linux/trace_events.h | 2 -
4 files changed, 70 insertions(+), 28 deletions(-)
--
2.47.3
Running sha224_kunit on a KMSAN-enabled kernel results in a crash in
kmsan_internal_set_shadow_origin():
BUG: unable to handle page fault for address: ffffbc3840291000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
Tainted: [N]=TEST
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
[...]
Call Trace:
<TASK>
__msan_memset+0xee/0x1a0
sha224_final+0x9e/0x350
test_hash_buffer_overruns+0x46f/0x5f0
? kmsan_get_shadow_origin_ptr+0x46/0xa0
? __pfx_test_hash_buffer_overruns+0x10/0x10
kunit_try_run_case+0x198/0xa00
This occurs when memset() is called on a buffer that is not 4-byte
aligned and extends to the end of a guard page, i.e. the next page is
unmapped.
The bug is that the loop at the end of
kmsan_internal_set_shadow_origin() accesses the wrong shadow memory
bytes when the address is not 4-byte aligned. Since each 4 bytes are
associated with an origin, it rounds the address and size so that it can
access all the origins that contain the buffer. However, when it checks
the corresponding shadow bytes for a particular origin, it incorrectly
uses the original unrounded shadow address. This results in reads from
shadow memory beyond the end of the buffer's shadow memory, which
crashes when that memory is not mapped.
To fix this, correctly align the shadow address before accessing the 4
shadow bytes corresponding to each origin.
Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning")
Cc: stable(a)vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers(a)kernel.org>
---
v2: Added test case to kmsan_test.
mm/kmsan/core.c | 10 +++++++---
mm/kmsan/kmsan_test.c | 16 ++++++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/mm/kmsan/core.c b/mm/kmsan/core.c
index 1ea711786c522..8bca7fece47f0 100644
--- a/mm/kmsan/core.c
+++ b/mm/kmsan/core.c
@@ -193,11 +193,12 @@ depot_stack_handle_t kmsan_internal_chain_origin(depot_stack_handle_t id)
void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
u32 origin, bool checked)
{
u64 address = (u64)addr;
- u32 *shadow_start, *origin_start;
+ void *shadow_start;
+ u32 *aligned_shadow, *origin_start;
size_t pad = 0;
KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size));
shadow_start = kmsan_get_metadata(addr, KMSAN_META_SHADOW);
if (!shadow_start) {
@@ -212,13 +213,16 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
}
return;
}
__memset(shadow_start, b, size);
- if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) {
+ if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) {
+ aligned_shadow = shadow_start;
+ } else {
pad = address % KMSAN_ORIGIN_SIZE;
address -= pad;
+ aligned_shadow = shadow_start - pad;
size += pad;
}
size = ALIGN(size, KMSAN_ORIGIN_SIZE);
origin_start =
(u32 *)kmsan_get_metadata((void *)address, KMSAN_META_ORIGIN);
@@ -228,11 +232,11 @@ void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b,
* and unconditionally overwrite the old origin slot.
* If the new origin is zero, overwrite the old origin slot iff the
* corresponding shadow slot is zero.
*/
for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) {
- if (origin || !shadow_start[i])
+ if (origin || !aligned_shadow[i])
origin_start[i] = origin;
}
}
struct page *kmsan_vmalloc_to_page_or_null(void *vaddr)
diff --git a/mm/kmsan/kmsan_test.c b/mm/kmsan/kmsan_test.c
index c6c5b2bbede0c..902ec48b1e3e6 100644
--- a/mm/kmsan/kmsan_test.c
+++ b/mm/kmsan/kmsan_test.c
@@ -554,10 +554,25 @@ static void test_memcpy_initialized_gap(struct kunit *test)
DEFINE_TEST_MEMSETXX(16)
DEFINE_TEST_MEMSETXX(32)
DEFINE_TEST_MEMSETXX(64)
+/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */
+static void test_memset_on_guarded_buffer(struct kunit *test)
+{
+ void *buf = vmalloc(PAGE_SIZE);
+
+ kunit_info(test,
+ "memset() on ends of guarded buffer should not crash\n");
+
+ for (size_t size = 0; size <= 128; size++) {
+ memset(buf, 0xff, size);
+ memset(buf + PAGE_SIZE - size, 0xff, size);
+ }
+ vfree(buf);
+}
+
static noinline void fibonacci(int *array, int size, int start)
{
if (start < 2 || (start == size))
return;
array[start] = array[start - 1] + array[start - 2];
@@ -675,10 +690,11 @@ static struct kunit_case kmsan_test_cases[] = {
KUNIT_CASE(test_memcpy_aligned_to_unaligned),
KUNIT_CASE(test_memcpy_initialized_gap),
KUNIT_CASE(test_memset16),
KUNIT_CASE(test_memset32),
KUNIT_CASE(test_memset64),
+ KUNIT_CASE(test_memset_on_guarded_buffer),
KUNIT_CASE(test_long_origin_chain),
KUNIT_CASE(test_stackdepot_roundtrip),
KUNIT_CASE(test_unpoison_memory),
KUNIT_CASE(test_copy_from_kernel_nofault),
{},
base-commit: e59a039119c3ec241228adf12dca0dd4398104d0
--
2.51.0
Hi, All
Please help to cherry-pick the following commit
25daf9af0ac1 ("soc: qcom: mdt_loader: Deal with zero e_shentsize")
into the following branches:
linux-5.4.y
linux-5.10.y
linux-5.15.y
linux-6.1.y
Which is to fix the issue caused by the following commit in the
branches already:
9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past
the ELF header")
Just please note, for the linux-6.1.y branch the following commit
needs to be cherry-picked first:
9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in
mdt_header_valid()")
before the cherry-pick of the 25daf9af0ac1 commit.
# if this needs to be in a separate cherry-pick request
# please let me know.
--
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
linaro-android(a)lists.linaro.org
http://lists.linaro.org/mailman/listinfo/linaro-android
Commit 67a873df0c41 ("vhost: basic in order support") pass the number
of used elem to vhost_net_rx_peek_head_len() to make sure it can
signal the used correctly before trying to do busy polling. But it
forgets to clear the count, this would cause the count run out of sync
with handle_rx() and break the busy polling.
Fixing this by passing the pointer of the count and clearing it after
the signaling the used.
Acked-by: Michael S. Tsirkin <mst(a)redhat.com>
Cc: stable(a)vger.kernel.org
Fixes: 67a873df0c41 ("vhost: basic in order support")
Signed-off-by: Jason Wang <jasowang(a)redhat.com>
---
drivers/vhost/net.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index c6508fe0d5c8..16e39f3ab956 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -1014,7 +1014,7 @@ static int peek_head_len(struct vhost_net_virtqueue *rvq, struct sock *sk)
}
static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk,
- bool *busyloop_intr, unsigned int count)
+ bool *busyloop_intr, unsigned int *count)
{
struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];
struct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX];
@@ -1024,7 +1024,8 @@ static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk,
if (!len && rvq->busyloop_timeout) {
/* Flush batched heads first */
- vhost_net_signal_used(rnvq, count);
+ vhost_net_signal_used(rnvq, *count);
+ *count = 0;
/* Both tx vq and rx socket were polled here */
vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true);
@@ -1180,7 +1181,7 @@ static void handle_rx(struct vhost_net *net)
do {
sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
- &busyloop_intr, count);
+ &busyloop_intr, &count);
if (!sock_len)
break;
sock_len += sock_hlen;
--
2.34.1
This is the start of the stable review cycle for the 5.15.192 release.
There are 64 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.192-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.15.192-rc1
Qiu-ji Chen <chenqiuji666(a)gmail.com>
dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status()
Aaron Kling <webgeek1234(a)gmail.com>
spi: tegra114: Use value to check for invalid delays
Taniya Das <quic_tdas(a)quicinc.com>
clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
Ian Rogers <irogers(a)google.com>
perf bpf-event: Fix use-after-free in synthesis
Michael Walle <mwalle(a)kernel.org>
drm/bridge: ti-sn65dsi86: fix REFCLK setting
Larisa Grigore <larisa.grigore(a)nxp.com>
spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort
Larisa Grigore <larisa.grigore(a)nxp.com>
spi: spi-fsl-lpspi: Set correct chip-select polarity bit
Larisa Grigore <larisa.grigore(a)nxp.com>
spi: spi-fsl-lpspi: Fix transmissions when using CONT
Wentao Liang <vulab(a)iscas.ac.cn>
pcmcia: Add error handling for add_interval() in do_validate_mem()
Takashi Iwai <tiwai(a)suse.de>
ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model
Li Qiong <liqiong(a)nfschina.com>
mm/slub: avoid accessing metadata when pointer is invalid in object_err()
Kees Cook <kees(a)kernel.org>
randstruct: gcc-plugin: Fix attribute addition
Kees Cook <kees(a)kernel.org>
randstruct: gcc-plugin: Remove bogus void member
Gabor Juhos <j4g8y7(a)gmail.com>
arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs
Ronak Doshi <ronak.doshi(a)broadcom.com>
vmxnet3: update MTU after device quiesce
Jakob Unterwurzacher <jakobunt(a)gmail.com>
net: dsa: microchip: linearize skb for tail-tagging switches
Pieter Van Trappen <pieter.van.trappen(a)cern.ch>
net: dsa: microchip: update tag_ksz masks for KSZ9477 family
Qiu-ji Chen <chenqiuji666(a)gmail.com>
dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()
Hyejeong Choi <hjeong.choi(a)samsung.com>
dma-buf: insert memory barrier before updating num_fences
Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com>
gpio: pca953x: fix IRQ storm on system wake up
Luca Ceresoli <luca.ceresoli(a)bootlin.com>
iio: light: opt3001: fix deadlock due to concurrent flag access
David Lechner <dlechner(a)baylibre.com>
iio: chemical: pms7003: use aligned_s64 for timestamp
Aaron Kling <webgeek1234(a)gmail.com>
spi: tegra114: Don't fail set_cs_timing when delays are zero
Alexander Danilenko <al.b.danilenko(a)gmail.com>
spi: tegra114: Remove unnecessary NULL-pointer checks
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
cpufreq/sched: Explicitly synchronize limits_changed flag handling
Jann Horn <jannh(a)google.com>
mm/khugepaged: fix ->anon_vma race
Vitaly Lifshits <vitaly.lifshits(a)intel.com>
e1000e: fix heap overflow in e1000_set_eeprom
Stanislav Fort <stanislav.fort(a)aisle.com>
batman-adv: fix OOB read/write in network-coding decode
John Evans <evans1210144(a)gmail.com>
scsi: lpfc: Fix buffer free/clear order in deferred receive path
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu: drop hw access in non-DC audio fini
Qianfeng Rong <rongqianfeng(a)vivo.com>
wifi: mwifiex: Initialize the chan_stats array to zero
Harry Yoo <harry.yoo(a)oracle.com>
mm: move page table sync declarations to linux/pgtable.h
Harry Yoo <harry.yoo(a)oracle.com>
x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
Ma Ke <make24(a)iscas.ac.cn>
pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
Cryolitia PukNgae <cryolitia(a)uniontech.com>
ALSA: usb-audio: Add mute TLV for playback volumes on some devices
Horatiu Vultur <horatiu.vultur(a)microchip.com>
phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
Horatiu Vultur <horatiu.vultur(a)microchip.com>
net: phy: mscc: Fix memory leak when using one step timestamping
Kurt Kanzenbach <kurt(a)linutronix.de>
ptp: Add generic PTP is_sync() function
Qingfang Deng <dqfext(a)gmail.com>
ppp: fix memory leak in pad_compress_skb
Wang Liang <wangliang74(a)huawei.com>
net: atm: fix memory leak in atm_register_sysfs when device_register fail
Eric Dumazet <edumazet(a)google.com>
ax25: properly unshare skbs in ax25_kiss_rcv()
Dan Carpenter <dan.carpenter(a)linaro.org>
ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
Rosen Penev <rosenp(a)gmail.com>
net: thunder_bgx: decrement cleanup index before use
Rosen Penev <rosenp(a)gmail.com>
net: thunder_bgx: add a missing of_node_put
Dan Carpenter <dan.carpenter(a)linaro.org>
wifi: libertas: cap SSID len in lbs_associate()
Dan Carpenter <dan.carpenter(a)linaro.org>
wifi: cw1200: cap SSID length in cw1200_do_join()
Felix Fietkau <nbd(a)nbd.name>
net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
Zhen Ni <zhen.ni(a)easystack.cn>
i40e: Fix potential invalid access when MAC list is empty
Fabian Bläse <fabian(a)blaese.de>
icmp: fix icmp_ndo_send address translation for reply direction
Miaoqian Lin <linmq006(a)gmail.com>
mISDN: Fix memory leak in dsp_hwec_enable()
Alok Tiwari <alok.a.tiwari(a)oracle.com>
xirc2ps_cs: fix register access when enabling FullDuplex
Kuniyuki Iwashima <kuniyu(a)google.com>
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Phil Sutter <phil(a)nwl.cc>
netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
Wang Liang <wangliang74(a)huawei.com>
netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
Dmitry Antipov <dmantipov(a)yandex.ru>
wifi: cfg80211: fix use-after-free in cmp_bss()
Peter Robinson <pbrobinson(a)gmail.com>
arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro
Pei Xiao <xiaopei01(a)kylinos.cn>
tee: fix NULL pointer dereference in tee_shm_put
Jiufei Xue <jiufei.xue(a)samsung.com>
fs: writeback: fix use-after-free in __mark_inode_dirty()
Timur Kristóf <timur.kristof(a)gmail.com>
drm/amd/display: Don't warn when missing DCE encoder caps
Daniel Borkmann <daniel(a)iogearbox.net>
bpf: Fix oob access in cgroup local storage
Daniel Borkmann <daniel(a)iogearbox.net>
bpf: Move bpf map owner out of common struct
Daniel Borkmann <daniel(a)iogearbox.net>
bpf: Move cgroup iterator helpers to bpf.h
Daniel Borkmann <daniel(a)iogearbox.net>
bpf: Add cookie object to bpf maps
-------------
Diffstat:
Makefile | 4 +-
arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 9 +-
.../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 +
arch/x86/include/asm/pgtable_64_types.h | 3 +
arch/x86/kvm/x86.c | 18 ++-
arch/x86/mm/init_64.c | 18 +++
drivers/clk/qcom/gdsc.c | 21 ++--
drivers/dma-buf/dma-resv.c | 5 +-
drivers/dma/mediatek/mtk-cqdma.c | 10 +-
drivers/gpio/gpio-pca953x.c | 5 +
drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 -
drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 -
.../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +-
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 ++
drivers/iio/chemical/pms7003.c | 5 +-
drivers/iio/light/opt3001.c | 5 +-
drivers/isdn/mISDN/dsp_hwec.c | 6 +-
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +--
drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +-
drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +-
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +-
drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +-
drivers/net/phy/mscc/mscc_ptp.c | 34 +++---
drivers/net/ppp/ppp_generic.c | 6 +-
drivers/net/vmxnet3/vmxnet3_drv.c | 5 +-
drivers/net/wireless/marvell/libertas/cfg.c | 9 +-
drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +-
drivers/net/wireless/marvell/mwifiex/main.c | 4 +-
drivers/net/wireless/st/cw1200/sta.c | 2 +-
drivers/pcmcia/rsrc_iodyn.c | 3 +
drivers/pcmcia/rsrc_nonstatic.c | 4 +-
drivers/scsi/lpfc/lpfc_nvmet.c | 10 +-
drivers/spi/spi-fsl-lpspi.c | 15 +--
drivers/spi/spi-tegra114.c | 18 ++-
drivers/tee/tee_shm.c | 6 +-
fs/fs-writeback.c | 9 +-
include/linux/bpf-cgroup.h | 5 -
include/linux/bpf.h | 134 ++++++++++++++++++---
include/linux/pgtable.h | 16 +++
include/linux/ptp_classify.h | 15 +++
include/linux/vmalloc.h | 16 ---
kernel/bpf/arraymap.c | 1 -
kernel/bpf/core.c | 83 ++++++++++---
kernel/bpf/syscall.c | 22 ++--
kernel/sched/cpufreq_schedutil.c | 28 ++++-
mm/khugepaged.c | 15 ++-
mm/slub.c | 7 +-
net/atm/resources.c | 6 +-
net/ax25/ax25_in.c | 4 +
net/batman-adv/network-coding.c | 7 +-
net/bluetooth/l2cap_sock.c | 3 +
net/bridge/br_netfilter_hooks.c | 3 -
net/core/ptp_classifier.c | 12 ++
net/dsa/tag_ksz.c | 22 +++-
net/ipv4/devinet.c | 7 +-
net/ipv4/icmp.c | 6 +-
net/ipv6/ip6_icmp.c | 6 +-
net/netfilter/nf_conntrack_helper.c | 4 +-
net/wireless/scan.c | 3 +-
scripts/gcc-plugins/gcc-common.h | 32 +++++
scripts/gcc-plugins/randomize_layout_plugin.c | 40 ++----
sound/pci/hda/patch_hdmi.c | 1 +
sound/usb/mixer_quirks.c | 2 +
tools/perf/util/bpf-event.c | 39 ++++--
66 files changed, 600 insertions(+), 264 deletions(-)