October 2023 - Linux-stable-mirror

FAILED: patch "[PATCH] btrfs: fix unwritten extent buffer after snapshotting a new" failed to apply to 6.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.5.y git checkout FETCH_HEAD git cherry-pick -x eb96e221937af3c7bb8a63208dbab813ca5d3d7e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023102711-dizziness-ethanol-ecdd@gregkh' --subject-prefix 'PATCH 6.5.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eb96e221937af3c7bb8a63208dbab813ca5d3d7e Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Thu, 19 Oct 2023 13:19:28 +0100 Subject: [PATCH] btrfs: fix unwritten extent buffer after snapshotting a new subvolume When creating a snapshot of a subvolume that was created in the current transaction, we can end up not persisting a dirty extent buffer that is referenced by the snapshot, resulting in IO errors due to checksum failures when trying to read the extent buffer later from disk. A sequence of steps that leads to this is the following: 1) At ioctl.c:create_subvol() we allocate an extent buffer, with logical address 36007936, for the leaf/root of a new subvolume that has an ID of 291. We mark the extent buffer as dirty, and at this point the subvolume tree has a single node/leaf which is also its root (level 0); 2) We no longer commit the transaction used to create the subvolume at create_subvol(). We used to, but that was recently removed in commit 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol create"); 3) The transaction used to create the subvolume has an ID of 33, so the extent buffer 36007936 has a generation of 33; 4) Several updates happen to subvolume 291 during transaction 33, several files created and its tree height changes from 0 to 1, so we end up with a new root at level 1 and the extent buffer 36007936 is now a leaf of that new root node, which is extent buffer 36048896. The commit root remains as 36007936, since we are still at transaction 33; 5) Creation of a snapshot of subvolume 291, with an ID of 292, starts at ioctl.c:create_snapshot(). This triggers a commit of transaction 33 and we end up at transaction.c:create_pending_snapshot(), in the critical section of a transaction commit. There we COW the root of subvolume 291, which is extent buffer 36048896. The COW operation returns extent buffer 36048896, since there's no need to COW because the extent buffer was created in this transaction and it was not written yet. The we call btrfs_copy_root() against the root node 36048896. During this operation we allocate a new extent buffer to turn into the root node of the snapshot, copy the contents of the root node 36048896 into this snapshot root extent buffer, set the owner to 292 (the ID of the snapshot), etc, and then we call btrfs_inc_ref(). This will create a delayed reference for each leaf pointed by the root node with a reference root of 292 - this includes a reference for the leaf 36007936. After that we set the bit BTRFS_ROOT_FORCE_COW in the root's state. Then we call btrfs_insert_dir_item(), to create the directory entry in in the tree of subvolume 291 that points to the snapshot. This ends up needing to modify leaf 36007936 to insert the respective directory items. Because the bit BTRFS_ROOT_FORCE_COW is set for the root's state, we need to COW the leaf. We end up at btrfs_force_cow_block() and then at update_ref_for_cow(). At update_ref_for_cow() we call btrfs_block_can_be_shared() which returns false, despite the fact the leaf 36007936 is shared - the subvolume's root and the snapshot's root point to that leaf. The reason that it incorrectly returns false is because the commit root of the subvolume is extent buffer 36007936 - it was the initial root of the subvolume when we created it. So btrfs_block_can_be_shared() which has the following logic: int btrfs_block_can_be_shared(struct btrfs_root *root, struct extent_buffer *buf) { if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) && buf != root->node && buf != root->commit_root && (btrfs_header_generation(buf) <= btrfs_root_last_snapshot(&root->root_item) || btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC))) return 1; return 0; } Returns false (0) since 'buf' (extent buffer 36007936) matches the root's commit root. As a result, at update_ref_for_cow(), we don't check for the number of references for extent buffer 36007936, we just assume it's not shared and therefore that it has only 1 reference, so we set the local variable 'refs' to 1. Later on, in the final if-else statement at update_ref_for_cow(): static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct extent_buffer *buf, struct extent_buffer *cow, int *last_ref) { (...) if (refs > 1) { (...) } else { (...) btrfs_clear_buffer_dirty(trans, buf); *last_ref = 1; } } So we mark the extent buffer 36007936 as not dirty, and as a result we don't write it to disk later in the transaction commit, despite the fact that the snapshot's root points to it. Attempting to access the leaf or dumping the tree for example shows that the extent buffer was not written: $ btrfs inspect-internal dump-tree -t 292 /dev/sdb btrfs-progs v6.2.2 file tree key (292 ROOT_ITEM 33) node 36110336 level 1 items 2 free space 119 generation 33 owner 292 node 36110336 flags 0x1(WRITTEN) backref revision 1 checksum stored a8103e3e checksum calced a8103e3e fs uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79 chunk uuid e8c9c885-78f4-4d31-85fe-89e5f5fd4a07 key (256 INODE_ITEM 0) block 36007936 gen 33 key (257 EXTENT_DATA 0) block 36052992 gen 33 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 total bytes 107374182400 bytes used 38572032 uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79 The respective on disk region is full of zeroes as the device was trimmed at mkfs time. Obviously 'btrfs check' also detects and complains about this: $ btrfs check /dev/sdb Opening filesystem to check... Checking filesystem on /dev/sdb UUID: 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79 generation: 33 (33) [1/7] checking root items [2/7] checking extents checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 bad tree block 36007936, bytenr mismatch, want=36007936, have=0 owner ref check failed [36007936 4096] ERROR: errors found in extent allocation tree or chunk allocation [3/7] checking free space tree [4/7] checking fs roots checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 bad tree block 36007936, bytenr mismatch, want=36007936, have=0 The following tree block(s) is corrupted in tree 292: tree block bytenr: 36110336, level: 1, node key: (256, 1, 0) root 292 root dir 256 not found ERROR: errors found in fs roots found 38572032 bytes used, error(s) found total csum bytes: 16048 total tree bytes: 1265664 total fs tree bytes: 1118208 total extent tree bytes: 65536 btree space waste bytes: 562598 file data blocks allocated: 65978368 referenced 36569088 Fix this by updating btrfs_block_can_be_shared() to consider that an extent buffer may be shared if it matches the commit root and if its generation matches the current transaction's generation. This can be reproduced with the following script: $ cat test.sh #!/bin/bash MNT=/mnt/sdi DEV=/dev/sdi # Use a filesystem with a 64K node size so that we have the same node # size on every machine regardless of its page size (on x86_64 default # node size is 16K due to the 4K page size, while on PPC it's 64K by # default). This way we can make sure we are able to create a btree for # the subvolume with a height of 2. mkfs.btrfs -f -n 64K $DEV mount $DEV $MNT btrfs subvolume create $MNT/subvol # Create a few empty files on the subvolume, this bumps its btree # height to 2 (root node at level 1 and 2 leaves). for ((i = 1; i <= 300; i++)); do echo -n > $MNT/subvol/file_$i done btrfs subvolume snapshot -r $MNT/subvol $MNT/subvol/snap umount $DEV btrfs check $DEV Running it on a 6.5 kernel (or any 6.6-rc kernel at the moment): $ ./test.sh Create subvolume '/mnt/sdi/subvol' Create a readonly snapshot of '/mnt/sdi/subvol' in '/mnt/sdi/subvol/snap' Opening filesystem to check... Checking filesystem on /dev/sdi UUID: bbdde2ff-7d02-45ca-8a73-3c36f23755a1 [1/7] checking root items [2/7] checking extents parent transid verify failed on 30539776 wanted 7 found 5 parent transid verify failed on 30539776 wanted 7 found 5 parent transid verify failed on 30539776 wanted 7 found 5 Ignoring transid failure owner ref check failed [30539776 65536] ERROR: errors found in extent allocation tree or chunk allocation [3/7] checking free space tree [4/7] checking fs roots parent transid verify failed on 30539776 wanted 7 found 5 Ignoring transid failure Wrong key of child node/leaf, wanted: (256, 1, 0), have: (2, 132, 0) Wrong generation of child node/leaf, wanted: 5, have: 7 root 257 root dir 256 not found ERROR: errors found in fs roots found 917504 bytes used, error(s) found total csum bytes: 0 total tree bytes: 851968 total fs tree bytes: 393216 total extent tree bytes: 65536 btree space waste bytes: 736550 file data blocks allocated: 0 referenced 0 A test case for fstests will follow soon. Fixes: 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol create") CC: stable(a)vger.kernel.org # 6.5+ Reviewed-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c index b7d54efb4728..a4a809efc92f 100644 --- a/fs/btrfs/backref.c +++ b/fs/btrfs/backref.c @@ -3196,12 +3196,14 @@ static int handle_direct_tree_backref(struct btrfs_backref_cache *cache, * We still need to do a tree search to find out the parents. This is for * TREE_BLOCK_REF backref (keyed or inlined). * + * @trans: Transaction handle. * @ref_key: The same as @ref_key in handle_direct_tree_backref() * @tree_key: The first key of this tree block. * @path: A clean (released) path, to avoid allocating path every time * the function get called. */ -static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache, +static int handle_indirect_tree_backref(struct btrfs_trans_handle *trans, + struct btrfs_backref_cache *cache, struct btrfs_path *path, struct btrfs_key *ref_key, struct btrfs_key *tree_key, @@ -3315,7 +3317,7 @@ static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache, * If we know the block isn't shared we can avoid * checking its backrefs. */ - if (btrfs_block_can_be_shared(root, eb)) + if (btrfs_block_can_be_shared(trans, root, eb)) upper->checked = 0; else upper->checked = 1; @@ -3363,11 +3365,13 @@ static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache, * links aren't yet bi-directional. Needs to finish such links. * Use btrfs_backref_finish_upper_links() to finish such linkage. * + * @trans: Transaction handle. * @path: Released path for indirect tree backref lookup * @iter: Released backref iter for extent tree search * @node_key: The first key of the tree block */ -int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache, +int btrfs_backref_add_tree_node(struct btrfs_trans_handle *trans, + struct btrfs_backref_cache *cache, struct btrfs_path *path, struct btrfs_backref_iter *iter, struct btrfs_key *node_key, @@ -3467,8 +3471,8 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache, * offset means the root objectid. We need to search * the tree to get its parent bytenr. */ - ret = handle_indirect_tree_backref(cache, path, &key, node_key, - cur); + ret = handle_indirect_tree_backref(trans, cache, path, + &key, node_key, cur); if (ret < 0) goto out; } diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h index 1616e3e3f1e4..71d535e03dca 100644 --- a/fs/btrfs/backref.h +++ b/fs/btrfs/backref.h @@ -540,7 +540,8 @@ static inline void btrfs_backref_panic(struct btrfs_fs_info *fs_info, bytenr); } -int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache, +int btrfs_backref_add_tree_node(struct btrfs_trans_handle *trans, + struct btrfs_backref_cache *cache, struct btrfs_path *path, struct btrfs_backref_iter *iter, struct btrfs_key *node_key, diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index da519c1b6ad0..617d4827eec2 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -367,7 +367,8 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, /* * check if the tree block can be shared by multiple trees */ -int btrfs_block_can_be_shared(struct btrfs_root *root, +int btrfs_block_can_be_shared(struct btrfs_trans_handle *trans, + struct btrfs_root *root, struct extent_buffer *buf) { /* @@ -376,11 +377,21 @@ int btrfs_block_can_be_shared(struct btrfs_root *root, * not allocated by tree relocation, we know the block is not shared. */ if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) && - buf != root->node && buf != root->commit_root && + buf != root->node && (btrfs_header_generation(buf) <= btrfs_root_last_snapshot(&root->root_item) || - btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC))) - return 1; + btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC))) { + if (buf != root->commit_root) + return 1; + /* + * An extent buffer that used to be the commit root may still be + * shared because the tree height may have increased and it + * became a child of a higher level root. This can happen when + * snapshotting a subvolume created in the current transaction. + */ + if (btrfs_header_generation(buf) == trans->transid) + return 1; + } return 0; } @@ -415,7 +426,7 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, * are only allowed for blocks use full backrefs. */ - if (btrfs_block_can_be_shared(root, buf)) { + if (btrfs_block_can_be_shared(trans, root, buf)) { ret = btrfs_lookup_extent_info(trans, fs_info, buf->start, btrfs_header_level(buf), 1, &refs, &flags); diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h index 9419f4e37a58..ff40acd63a37 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -540,7 +540,8 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct extent_buffer *buf, struct extent_buffer **cow_ret, u64 new_root_objectid); -int btrfs_block_can_be_shared(struct btrfs_root *root, +int btrfs_block_can_be_shared(struct btrfs_trans_handle *trans, + struct btrfs_root *root, struct extent_buffer *buf); int btrfs_del_ptr(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct btrfs_path *path, int level, int slot); diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index 9951a0caf5bb..c6d4bb8cbe29 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -466,6 +466,7 @@ static bool handle_useless_nodes(struct reloc_control *rc, * cached. */ static noinline_for_stack struct btrfs_backref_node *build_backref_tree( + struct btrfs_trans_handle *trans, struct reloc_control *rc, struct btrfs_key *node_key, int level, u64 bytenr) { @@ -499,8 +500,8 @@ static noinline_for_stack struct btrfs_backref_node *build_backref_tree( /* Breadth-first search to build backref cache */ do { - ret = btrfs_backref_add_tree_node(cache, path, iter, node_key, - cur); + ret = btrfs_backref_add_tree_node(trans, cache, path, iter, + node_key, cur); if (ret < 0) { err = ret; goto out; @@ -2803,7 +2804,7 @@ int relocate_tree_blocks(struct btrfs_trans_handle *trans, /* Do tree relocation */ rbtree_postorder_for_each_entry_safe(block, next, blocks, rb_node) { - node = build_backref_tree(rc, &block->key, + node = build_backref_tree(trans, rc, &block->key, block->level, block->bytenr); if (IS_ERR(node)) { err = PTR_ERR(node);

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] vsock/virtio: initialize the_virtio_vsock before using VQs" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 53b08c4985158430fd6d035fb49443bada535210 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023102739-channel-upstream-7bca@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 53b08c4985158430fd6d035fb49443bada535210 Mon Sep 17 00:00:00 2001 From: Alexandru Matei <alexandru.matei(a)uipath.com> Date: Tue, 24 Oct 2023 22:17:42 +0300 Subject: [PATCH] vsock/virtio: initialize the_virtio_vsock before using VQs Once VQs are filled with empty buffers and we kick the host, it can send connection requests. If the_virtio_vsock is not initialized before, replies are silently dropped and do not reach the host. virtio_transport_send_pkt() can queue packets once the_virtio_vsock is set, but they won't be processed until vsock->tx_run is set to true. We queue vsock->send_pkt_work when initialization finishes to send those packets queued earlier. Fixes: 0deab087b16a ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock") Signed-off-by: Alexandru Matei <alexandru.matei(a)uipath.com> Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Link: https://lore.kernel.org/r/20231024191742.14259-1-alexandru.matei@uipath.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index e95df847176b..b80bf681327b 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -555,6 +555,11 @@ static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) virtio_device_ready(vdev); + return 0; +} + +static void virtio_vsock_vqs_start(struct virtio_vsock *vsock) +{ mutex_lock(&vsock->tx_lock); vsock->tx_run = true; mutex_unlock(&vsock->tx_lock); @@ -569,7 +574,16 @@ static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) vsock->event_run = true; mutex_unlock(&vsock->event_lock); - return 0; + /* virtio_transport_send_pkt() can queue packets once + * the_virtio_vsock is set, but they won't be processed until + * vsock->tx_run is set to true. We queue vsock->send_pkt_work + * when initialization finishes to send those packets queued + * earlier. + * We don't need to queue the other workers (rx, event) because + * as long as we don't fill the queues with empty buffers, the + * host can't send us any notification. + */ + queue_work(virtio_vsock_workqueue, &vsock->send_pkt_work); } static void virtio_vsock_vqs_del(struct virtio_vsock *vsock) @@ -664,6 +678,7 @@ static int virtio_vsock_probe(struct virtio_device *vdev) goto out; rcu_assign_pointer(the_virtio_vsock, vsock); + virtio_vsock_vqs_start(vsock); mutex_unlock(&the_virtio_vsock_mutex); @@ -736,6 +751,7 @@ static int virtio_vsock_restore(struct virtio_device *vdev) goto out; rcu_assign_pointer(the_virtio_vsock, vsock); + virtio_vsock_vqs_start(vsock); out: mutex_unlock(&the_virtio_vsock_mutex);

1 year, 2 months

1
0
0 0

FAILED: patch "[PATCH] vsock/virtio: initialize the_virtio_vsock before using VQs" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 53b08c4985158430fd6d035fb49443bada535210 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023102738-scoring-accurate-da6f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 53b08c4985158430fd6d035fb49443bada535210 Mon Sep 17 00:00:00 2001 From: Alexandru Matei <alexandru.matei(a)uipath.com> Date: Tue, 24 Oct 2023 22:17:42 +0300 Subject: [PATCH] vsock/virtio: initialize the_virtio_vsock before using VQs Once VQs are filled with empty buffers and we kick the host, it can send connection requests. If the_virtio_vsock is not initialized before, replies are silently dropped and do not reach the host. virtio_transport_send_pkt() can queue packets once the_virtio_vsock is set, but they won't be processed until vsock->tx_run is set to true. We queue vsock->send_pkt_work when initialization finishes to send those packets queued earlier. Fixes: 0deab087b16a ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock") Signed-off-by: Alexandru Matei <alexandru.matei(a)uipath.com> Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Link: https://lore.kernel.org/r/20231024191742.14259-1-alexandru.matei@uipath.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index e95df847176b..b80bf681327b 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -555,6 +555,11 @@ static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) virtio_device_ready(vdev); + return 0; +} + +static void virtio_vsock_vqs_start(struct virtio_vsock *vsock) +{ mutex_lock(&vsock->tx_lock); vsock->tx_run = true; mutex_unlock(&vsock->tx_lock); @@ -569,7 +574,16 @@ static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) vsock->event_run = true; mutex_unlock(&vsock->event_lock); - return 0; + /* virtio_transport_send_pkt() can queue packets once + * the_virtio_vsock is set, but they won't be processed until + * vsock->tx_run is set to true. We queue vsock->send_pkt_work + * when initialization finishes to send those packets queued + * earlier. + * We don't need to queue the other workers (rx, event) because + * as long as we don't fill the queues with empty buffers, the + * host can't send us any notification. + */ + queue_work(virtio_vsock_workqueue, &vsock->send_pkt_work); } static void virtio_vsock_vqs_del(struct virtio_vsock *vsock) @@ -664,6 +678,7 @@ static int virtio_vsock_probe(struct virtio_device *vdev) goto out; rcu_assign_pointer(the_virtio_vsock, vsock); + virtio_vsock_vqs_start(vsock); mutex_unlock(&the_virtio_vsock_mutex); @@ -736,6 +751,7 @@ static int virtio_vsock_restore(struct virtio_device *vdev) goto out; rcu_assign_pointer(the_virtio_vsock, vsock); + virtio_vsock_vqs_start(vsock); out: mutex_unlock(&the_virtio_vsock_mutex);

1 year, 2 months

1
0
0 0

[PATCH] net: dsa: lan9303: consequently nested-lock physical MDIO

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> When LAN9303 is MDIO-connected two callchains exist into mdio->bus->write(): 1. switch ports 1&2 ("physical" PHYs): virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})-> lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested 2. LAN9303 virtual PHY: virtual MDIO bus (lan9303_phy_{read|write}) -> lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write} If the latter functions just take mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP false-positive splat. It's false-positive because the first mdio_lock in the second callchain above belongs to virtual MDIO bus, the second mdio_lock belongs to physical MDIO bus. Consequent annotation in lan9303_mdio_{read|write} as nested lock (similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus) prevents the following splat: WARNING: possible circular locking dependency detected 5.15.71 #1 Not tainted ------------------------------------------------------ kworker/u4:3/609 is trying to acquire lock: ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex but task is already holding lock: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&bus->mdio_lock){+.+.}-{3:3}: lock_acquire __mutex_lock mutex_lock_nested lan9303_mdio_read _regmap_read regmap_read lan9303_probe lan9303_mdio_probe mdio_probe really_probe __driver_probe_device driver_probe_device __device_attach_driver bus_for_each_drv __device_attach device_initial_probe bus_probe_device deferred_probe_work_func process_one_work worker_thread kthread ret_from_fork -> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}: __lock_acquire lock_acquire.part.0 lock_acquire __mutex_lock mutex_lock_nested regmap_lock_mutex regmap_read lan9303_phy_read dsa_slave_phy_read __mdiobus_read mdiobus_read get_phy_device mdiobus_scan __mdiobus_register dsa_register_switch lan9303_probe lan9303_mdio_probe mdio_probe really_probe __driver_probe_device driver_probe_device __device_attach_driver bus_for_each_drv __device_attach device_initial_probe bus_probe_device deferred_probe_work_func process_one_work worker_thread kthread ret_from_fork other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&bus->mdio_lock); lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); lock(&bus->mdio_lock); lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); *** DEADLOCK *** 5 locks held by kworker/u4:3/609: #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read stack backtrace: CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace show_stack dump_stack_lvl dump_stack print_circular_bug check_noncircular __lock_acquire lock_acquire.part.0 lock_acquire __mutex_lock mutex_lock_nested regmap_lock_mutex regmap_read lan9303_phy_read dsa_slave_phy_read __mdiobus_read mdiobus_read get_phy_device mdiobus_scan __mdiobus_register dsa_register_switch lan9303_probe lan9303_mdio_probe ... Cc: stable(a)vger.kernel.org Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support") Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- Tested with v5.15 vendor kernel, compiled against net-next/main (cc54d2e2c58a). Affected code is unchanged since original introduction in 2017. drivers/net/dsa/lan9303_mdio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/lan9303_mdio.c b/drivers/net/dsa/lan9303_mdio.c index d8ab2b77d201..167a86f39f27 100644 --- a/drivers/net/dsa/lan9303_mdio.c +++ b/drivers/net/dsa/lan9303_mdio.c @@ -32,7 +32,7 @@ static int lan9303_mdio_write(void *ctx, uint32_t reg, uint32_t val) struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; reg <<= 2; /* reg num to offset */ - mutex_lock(&sw_dev->device->bus->mdio_lock); + mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); lan9303_mdio_real_write(sw_dev->device, reg, val & 0xffff); lan9303_mdio_real_write(sw_dev->device, reg + 2, (val >> 16) & 0xffff); mutex_unlock(&sw_dev->device->bus->mdio_lock); @@ -50,7 +50,7 @@ static int lan9303_mdio_read(void *ctx, uint32_t reg, uint32_t *val) struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; reg <<= 2; /* reg num to offset */ - mutex_lock(&sw_dev->device->bus->mdio_lock); + mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); *val = lan9303_mdio_real_read(sw_dev->device, reg); *val |= (lan9303_mdio_real_read(sw_dev->device, reg + 2) << 16); mutex_unlock(&sw_dev->device->bus->mdio_lock); -- 2.41.0

1 year, 2 months

2
1
0 0

[PATCH V2] mm/sparsemem: fix race in accessing memory_section->usage

by Charan Teja Kalla

The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quici… Fixes: f46edbd1b151 ("mm/sparsemem: add helpers track active portions of a section at boot") Cc: stable(a)vger.kernel.org Signed-off-by: Charan Teja Kalla <quic_charante(a)quicinc.com> --- V2: Use kfree_rcu() inplace of synchronize_rcu() - David V1: https://lore.kernel.org/linux-mm/1697202267-23600-1-git-send-email-quic_cha… include/linux/mmzone.h | 14 +++++++++++--- mm/sparse.c | 17 +++++++++-------- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h index 4106fbc..19a4b1d 100644 --- a/include/linux/mmzone.h +++ b/include/linux/mmzone.h @@ -1770,6 +1770,7 @@ static inline unsigned long section_nr_to_pfn(unsigned long sec) #define SUBSECTION_ALIGN_DOWN(pfn) ((pfn) & PAGE_SUBSECTION_MASK) struct mem_section_usage { + struct rcu_head rcu; #ifdef CONFIG_SPARSEMEM_VMEMMAP DECLARE_BITMAP(subsection_map, SUBSECTIONS_PER_SECTION); #endif @@ -1963,7 +1964,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn) { int idx = subsection_map_index(pfn); - return test_bit(idx, ms->usage->subsection_map); + return test_bit(idx, READ_ONCE(ms->usage)->subsection_map); } #else static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn) @@ -1987,6 +1988,7 @@ static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn) static inline int pfn_valid(unsigned long pfn) { struct mem_section *ms; + int ret; /* * Ensure the upper PAGE_SHIFT bits are clear in the @@ -2000,13 +2002,19 @@ static inline int pfn_valid(unsigned long pfn) if (pfn_to_section_nr(pfn) >= NR_MEM_SECTIONS) return 0; ms = __pfn_to_section(pfn); - if (!valid_section(ms)) + rcu_read_lock(); + if (!valid_section(ms)) { + rcu_read_unlock(); return 0; + } /* * Traditionally early sections always returned pfn_valid() for * the entire section-sized span. */ - return early_section(ms) || pfn_section_valid(ms, pfn); + ret = early_section(ms) || pfn_section_valid(ms, pfn); + rcu_read_unlock(); + + return ret; } #endif diff --git a/mm/sparse.c b/mm/sparse.c index 77d91e5..338cf94 100644 --- a/mm/sparse.c +++ b/mm/sparse.c @@ -792,6 +792,13 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages, unsigned long section_nr = pfn_to_section_nr(pfn); /* + * Mark the section invalid so that valid_section() + * return false. This prevents code from dereferencing + * ms->usage array. + */ + ms->section_mem_map &= ~SECTION_HAS_MEM_MAP; + + /* * When removing an early section, the usage map is kept (as the * usage maps of other sections fall into the same page). It * will be re-used when re-adding the section - which is then no @@ -799,16 +806,10 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages, * was allocated during boot. */ if (!PageReserved(virt_to_page(ms->usage))) { - kfree(ms->usage); - ms->usage = NULL; + kfree_rcu(ms->usage, rcu); + WRITE_ONCE(ms->usage, NULL); } memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr); - /* - * Mark the section invalid so that valid_section() - * return false. This prevents code from dereferencing - * ms->usage array. - */ - ms->section_mem_map &= ~SECTION_HAS_MEM_MAP; } /* -- 2.7.4

1 year, 2 months

1
0
0 0

[PATCH v2] powerpc/pseries/iommu: enable_ddw incorrectly returns direct mapping for SR-IOV device

by Gaurav Batra

When a device is initialized, the driver invokes dma_supported() twice - first for streaming mappings followed by coherent mappings. For an SR-IOV device, default window is deleted and DDW created. With vPMEM enabled, TCE mappings are dynamically created for both vPMEM and SR-IOV device. There are no direct mappings. First time when dma_supported() is called with 64 bit mask, DDW is created and marked as dynamic window. The second time dma_supported() is called, enable_ddw() finds existing window for the device and incorrectly returns it as "direct mapping". This only happens when size of DDW is big enough to map max LPAR memory. This results in streaming TCEs to not get dynamically mapped, since code incorrently assumes these are already pre-mapped. The adapter initially comes up but goes down due to EEH. Fixes: 381ceda88c4c ("powerpc/pseries/iommu: Make use of DDW for indirect mapping") Cc: stable(a)vger.kernel.org Signed-off-by: Gaurav Batra <gbatra(a)linux.vnet.ibm.com> --- arch/powerpc/platforms/pseries/iommu.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c index 16d93b580f61..496e16c588aa 100644 --- a/arch/powerpc/platforms/pseries/iommu.c +++ b/arch/powerpc/platforms/pseries/iommu.c @@ -914,7 +914,8 @@ static int remove_ddw(struct device_node *np, bool remove_prop, const char *win_ return 0; } -static bool find_existing_ddw(struct device_node *pdn, u64 *dma_addr, int *window_shift) +static bool find_existing_ddw(struct device_node *pdn, u64 *dma_addr, int *window_shift, + bool *direct_mapping) { struct dma_win *window; const struct dynamic_dma_window_prop *dma64; @@ -927,6 +928,7 @@ static bool find_existing_ddw(struct device_node *pdn, u64 *dma_addr, int *windo dma64 = window->prop; *dma_addr = be64_to_cpu(dma64->dma_base); *window_shift = be32_to_cpu(dma64->window_shift); + *direct_mapping = window->direct; found = true; break; } @@ -1270,10 +1272,8 @@ static bool enable_ddw(struct pci_dev *dev, struct device_node *pdn) mutex_lock(&dma_win_init_mutex); - if (find_existing_ddw(pdn, &dev->dev.archdata.dma_offset, &len)) { - direct_mapping = (len >= max_ram_len); + if (find_existing_ddw(pdn, &dev->dev.archdata.dma_offset, &len, &direct_mapping)) goto out_unlock; - } /* * If we already went through this for a previous function of -- 2.39.2 (Apple Git-143)

1 year, 2 months

2
1
0 0

[PATCH 2/2] media: mtk-jpeg: Fix timeout schedule error in mtk_jpegdec_worker.

by Zheng Wang

In mtk_jpegdec_worker, if error occurs in mtk_jpeg_set_dec_dst, it will start the timeout worker and invoke v4l2_m2m_job_finish at the same time. This will break the logic of design for there should be only one function to call v4l2_m2m_job_finish. But now the timeout handler and mtk_jpegdec_worker will both invoke it. Fix it by start the worker only if mtk_jpeg_set_dec_dst successfully finished. Fixes: da4ede4b7fd6 ("media: mtk-jpeg: move data/code inside CONFIG_OF blocks") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 7194f88edc0f..d099a9b67930 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1750,9 +1750,6 @@ static void mtk_jpegdec_worker(struct work_struct *work) v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); - schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, @@ -1762,6 +1759,9 @@ static void mtk_jpegdec_worker(struct work_struct *work) goto setdst_end; } + schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); ctx->total_frame_num++; mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base); -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH 1/2] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run

by Zheng Wang

In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 7194f88edc0f..252ba9b6857b 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void *priv) if (ret < 0) goto dec_end; - schedule_delayed_work(&jpeg->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) goto dec_end; + schedule_delayed_work(&jpeg->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&jpeg->hw_lock, flags); mtk_jpeg_dec_reset(jpeg->reg_base); mtk_jpeg_dec_set_config(jpeg->reg_base, -- 2.25.1

1 year, 2 months

1
0
0 0

[PATCH 6.5 000/285] 6.5.4-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.5.4 release. There are 285 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 19 Sep 2023 19:10:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.4-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.5.4-rc1 Wesley Chalmers <wesley.chalmers(a)amd.com> drm/amd/display: Fix a bug when searching for insert_above_mpcc Linus Torvalds <torvalds(a)linux-foundation.org> vm: fix move_vma() memory accounting being off Kuniyuki Iwashima <kuniyu(a)amazon.com> kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> net: renesas: rswitch: Fix unmasking irq condition Corinna Vinschen <vinschen(a)redhat.com> igb: clean up in all error paths when enabling SR-IOV Vadim Fedorenko <vadim.fedorenko(a)linux.dev> ixgbe: fix timestamp configuration code Kuniyuki Iwashima <kuniyu(a)amazon.com> selftest: tcp: Fix address length in bind_wildcard.c. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix bind() regression for v4-mapped-v6 wildcard address. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any). Eric Dumazet <edumazet(a)google.com> ipv6: fix ip6_sock_set_addr_preferences() typo Toke Høiland-Jørgensen <toke(a)redhat.com> veth: Update XDP feature set when bringing up device Sascha Hauer <s.hauer(a)pengutronix.de> net: macb: fix sleep inside spinlock Liu Jian <liujian56(a)huawei.com> net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Geert Uytterhoeven <geert+renesas(a)glider.be> platform/mellanox: NVSW_SN2201 should depend on ACPI Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events Shravan Kumar Ramani <shravankr(a)nvidia.com> platform/mellanox: mlxbf-pmc: Fix potential buffer overflows Liming Sun <limings(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: Drop jumbo frames Liming Sun <limings(a)nvidia.com> platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors Shigeru Yoshida <syoshida(a)redhat.com> kcm: Fix memory leak in error path of kcm_sendmsg() Hayes Wang <hayeswang(a)realtek.com> r8152: check budget for r8152_poll() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: hide all multicast addresses from "bridge fdb show" Ciprian Regus <ciprian.regus(a)analog.com> net:ethernet:adi:adin1110: Fix forwarding offload Yang Yingliang <yangyingliang(a)huawei.com> net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign broadcast address Ziyang Xuan <william.xuanziyang(a)huawei.com> hsr: Fix uninit-value access in fill_frame_info() Hangyu Hua <hbh25y(a)gmail.com> net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() Hangyu Hua <hbh25y(a)gmail.com> net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() Vincent Whitchurch <vincent.whitchurch(a)axis.com> net: stmmac: fix handling of zero coalescing tx-usecs Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add Ratheesh Kannoth <rkannoth(a)marvell.com> octeontx2-pf: Fix page pool cache index corruption. Jinjie Ruan <ruanjinjie(a)huawei.com> net: microchip: vcap api: Fix possible memory leak for vcap_dup_rule() Naveen N Rao <naveen(a)kernel.org> selftests/ftrace: Fix dependencies for some of the synthetic event tests Björn Töpel <bjorn(a)rivosinc.com> selftests: Keep symlinks, when possible Björn Töpel <bjorn(a)rivosinc.com> kselftest/runner.sh: Propagate SIGTERM to runner child Liu Jian <liujian56(a)huawei.com> net: ipv4: fix one memleak in __inet_del_ifa() Jinjie Ruan <ruanjinjie(a)huawei.com> kunit: Fix wild-memory-access bug in kunit_free_suite_set() Helge Deller <deller(a)gmx.de> parisc: sba_iommu: Fix build warning if procfs if disabled Biju Das <biju.das.jz(a)bp.renesas.com> regulator: raa215300: Fix resource leak in case of error Biju Das <biju.das.jz(a)bp.renesas.com> regulator: raa215300: Change the scope of the variables {clkin_name, xin_name} Arnd Bergmann <arnd(a)arndb.de> bpf: fix bpf_probe_read_kernel prototype mismatch Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amdgpu: register a dirty framebuffer callback for fbcon Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Add missing gfx11 MQD manager callbacks Gabe Teeger <gabe.teeger(a)amd.com> drm/amd/display: Remove wait while locked Wenjing Liu <wenjing.liu(a)amd.com> drm/amd/display: always switch off ODM before committing more streams Namhyung Kim <namhyung(a)kernel.org> perf hists browser: Fix the number of entries for 'e' key Namhyung Kim <namhyung(a)kernel.org> perf build: Include generated header files properly Namhyung Kim <namhyung(a)kernel.org> perf tools: Handle old data in PERF_RECORD_ATTR Namhyung Kim <namhyung(a)kernel.org> perf test shell stat_bpf_counters: Fix test on Intel Namhyung Kim <namhyung(a)kernel.org> perf build: Update build rule for generated files Namhyung Kim <namhyung(a)kernel.org> perf hists browser: Fix hierarchy mode header Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression Maciej W. Rozycki <macro(a)orcam.me.uk> MIPS: Only fiddle with CHECKFLAGS if `need-compiler' Sean Christopherson <seanjc(a)google.com> KVM: SVM: Skip VMSA init in sev_es_init_vmcb() if pointer is NULL Sean Christopherson <seanjc(a)google.com> KVM: SVM: Set target pCPU during IRTE update if target vCPU is running Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Check instead of asserting on nested TSC scaling support Sean Christopherson <seanjc(a)google.com> KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Sean Christopherson <seanjc(a)google.com> KVM: SVM: Don't inject #UD if KVM attempts to skip SEV guest insn Sean Christopherson <seanjc(a)google.com> KVM: SVM: Take and hold ir_list_lock when updating vCPU's Physical ID entry Sean Christopherson <seanjc(a)google.com> KVM: VMX: Refresh available regs and IDT vectoring info before NMI handling Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: prevent potential division by zero errors Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: limit the v_startup workaround to ASICs older than DCN3.1 Melissa Wen <mwen(a)igalia.com> drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma Hamza Mahfooz <hamza.mahfooz(a)amd.com> Revert "drm/amd/display: Remove v_startup workaround for dcn3+" William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix potential false time out warning Linus Walleij <linus.walleij(a)linaro.org> mtd: spi-nor: Correct flags for Winbond w25q128 William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write William Zhang <william.zhang(a)broadcom.com> mtd: rawnand: brcmnand: Fix crash during the panic_write Liu Ying <victor.liu(a)nxp.com> drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() Qu Wenruo <wqu(a)suse.com> btrfs: scrub: fix grouping of read IO Qu Wenruo <wqu(a)suse.com> btrfs: scrub: avoid unnecessary csum tree search preparing stripes Qu Wenruo <wqu(a)suse.com> btrfs: scrub: avoid unnecessary extent tree search preparing stripes Anand Jain <anand.jain(a)oracle.com> btrfs: use the correct superblock to compare fsid in btrfs_validate_super Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: re-enable metadata over-commit for zoned mode Josef Bacik <josef(a)toxicpanda.com> btrfs: set page extent mapped after read_folio in relocate_one_page Filipe Manana <fdmanana(a)suse.com> btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART Boris Burkov <boris(a)bur.io> btrfs: free qgroup rsv on io failure Boris Burkov <boris(a)bur.io> btrfs: fix start transaction qgroup rsv double free Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: do not zone finish data relocation block group ruanmeisi <ruan.meisi(a)zte.com.cn> fuse: nlookup missing decrement in fuse_direntplus_link Damien Le Moal <dlemoal(a)kernel.org> ata: pata_ftide010: Add missing MODULE_DESCRIPTION Damien Le Moal <dlemoal(a)kernel.org> ata: sata_gemini: Add missing MODULE_DESCRIPTION Michael Schmitz <schmitzmic(a)gmail.com> ata: pata_falcon: fix IO base selection for Q40 Werner Fischer <devlists(a)wefi.net> ata: ahci: Add Elkhart Lake AHCI controller Johannes Weiner <hannes(a)cmpxchg.org> memcontrol: ensure memcg acquired by id is properly set up Christian Marangi <ansuelsmth(a)gmail.com> hwspinlock: qcom: add missing regmap config for SFPB MMIO implementation Nathan Chancellor <nathan(a)kernel.org> lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix() Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: avoid false alarm of circular locking Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: flush inode if atomic file is aborted Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: get out of a repeat loop when getting a locked data page Brian Foster <bfoster(a)redhat.com> ext4: drop dio overwrite only flag and associated warning Luís Henriques <lhenriques(a)suse.de> ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} Wang Jianjian <wangjianjian0(a)foxmail.com> ext4: add correct group descriptors and reserved GDT blocks to system zone Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_es_insert_extent() Zhang Yi <yi.zhang(a)huawei.com> jbd2: correct the end of the journal recovery scan range Zhihao Cheng <chengzhihao1(a)huawei.com> jbd2: check 'jh->b_transaction' before removing it from checkpoint Zhang Yi <yi.zhang(a)huawei.com> jbd2: fix checkpoint cleanup performance regression Ekansh Gupta <quic_ekangupt(a)quicinc.com> misc: fastrpc: Fix incorrect DMA mapping unmap request Ekansh Gupta <quic_ekangupt(a)quicinc.com> misc: fastrpc: Fix remote heap allocation request Hien Huynh <hien.huynh.px(a)renesas.com> dmaengine: sh: rz-dmac: Fix destination and source data size setting Walter Chang <walter.chang(a)mediatek.com> clocksource/drivers/arm_arch_timer: Disable timer before programming CVAL Pavel Kozlov <pavel.kozlov(a)synopsys.com> ARC: atomics: Add compiler barrier to atomic operations... Fangzhi Zuo <jerry.zuo(a)amd.com> drm/amd/display: Temporary Disable MST DP Colorspace Property Florent CARLI <fcarli(a)gmail.com> watchdog: advantech_ec_wdt: fix Kconfig dependencies Masahiro Yamada <masahiroy(a)kernel.org> linux/export: fix reference to exported functions for parisc64 Duoming Zhou <duoming(a)zju.edu.cn> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug Petr Tesarik <petr.tesarik.ext(a)huawei.com> sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: enetc: distinguish error from valid pointers in enetc_fixup_clear_rss_rfs() Jie Wang <wangjie125(a)huawei.com> net: hns3: remove GSO partial feature bit Yisen Zhuang <yisen.zhuang(a)huawei.com> net: hns3: fix the port information display when sfp is absent Jijie Shao <shaojijie(a)huawei.com> net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue Hao Chen <chenhao418(a)huawei.com> net: hns3: fix debugfs concurrency issue between kfree buffer and read Hao Chen <chenhao418(a)huawei.com> net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read() Jian Shen <shenjian15(a)huawei.com> net: hns3: fix tx timeout issue Lukasz Majewski <lukma(a)denx.de> net: phy: Provide Module 4 KSZ9477 errata (DS80000754C) Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: Unbreak audit log reset Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction Wander Lairson Costa <wander(a)redhat.com> netfilter: nfnetlink_osf: avoid OOB read Florian Westphal <fw(a)strlen.de> netfilter: nftables: exthdr: fix 4-byte stack OOB write Martin KaFai Lau <martin.lau(a)kernel.org> bpf: bpf_sk_storage: Fix the missing uncharge in sk_omem_alloc Martin KaFai Lau <martin.lau(a)kernel.org> bpf: bpf_sk_storage: Fix invalid wait context lockdep report Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Pass through tail call counter in trampolines Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check. Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf(). Jakub Kicinski <kuba(a)kernel.org> net: phylink: fix sphinx complaint about invalid literal Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: complete tc-cbs offload support on SJA1110 Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload Bodong Wang <bodong(a)nvidia.com> mlx5/core: E-Switch, Create ACL FT for eswitch manager in switchdev mode Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Push devlink port PF/VF init/cleanup calls out of devlink_port_register/unregister() Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Rework devlink port alloc/free into init/cleanup Jiri Pirko <jiri(a)resnulli.us> net/mlx5: Give esw_offloads_load/unload_rep() "mlx5_" prefix Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Clear mirred devices array if the rule is split Eric Dumazet <edumazet(a)google.com> ip_tunnels: use DEV_STATS_INC() Ariel Marcovitch <arielmarcovitch(a)gmail.com> idr: fix param name in idr_alloc_cyclic() doc Jerome Neanne <jneanne(a)baylibre.com> regulator: tps6594-regulator: Fix random kernel crash Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> s390/zcrypt: don't leak memory if dev_set_name() fails Olga Zaborska <olga.zaborska(a)intel.com> igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 Olga Zaborska <olga.zaborska(a)intel.com> igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 Olga Zaborska <olga.zaborska(a)intel.com> igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 Geetha sowjanya <gakula(a)marvell.com> octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler Shigeru Yoshida <syoshida(a)redhat.com> kcm: Destroy mutex in kcm_exit_net() valis <sec(a)valis.email> net: sched: sch_qfq: Fix UAF in qfq_dequeue() Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data race around sk->sk_err. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data-races around sk->sk_shutdown. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data-race around unix_tot_inflight. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix data-races around user->unix_inflight. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Fix msg_controllen test in scm_pidfd_recv() for MSG_CMSG_COMPAT. John Fastabend <john.fastabend(a)gmail.com> bpf, sockmap: Fix skb refcnt race after locking changes Oleksij Rempel <linux(a)rempel-privat.de> net: phy: micrel: Correct bit assignments for phy_device flags Alex Henrie <alexhenrie24(a)gmail.com> net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr Liang Chen <liangchen.linux(a)gmail.com> veth: Fixing transmit return status for dropped packets Eric Dumazet <edumazet(a)google.com> gve: fix frag_list chaining Corinna Vinschen <vinschen(a)redhat.com> igb: disable virtualization features on 82580 Xu Kuohai <xukuohai(a)huawei.com> selftests/bpf: Fix a CI failure caused by vsock write Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> ipv6: ignore dst hint for multipath routes Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> ipv4: ignore dst hint for multipath routes Eric Dumazet <edumazet(a)google.com> net: annotate data-races around sk->sk_bind_phc Eric Dumazet <edumazet(a)google.com> net: annotate data-races around sk->sk_tsflags Eric Dumazet <edumazet(a)google.com> mptcp: annotate data-races around msk->rmem_fwd_alloc Eric Dumazet <edumazet(a)google.com> net: annotate data-races around sk->sk_forward_alloc Eric Dumazet <edumazet(a)google.com> net: use sk_forward_alloc_get() in sk_get_meminfo() Eric Dumazet <edumazet(a)google.com> net/handshake: fix null-ptr-deref in handshake_nl_done_doit() Hamza Mahfooz <hamza.mahfooz(a)amd.com> drm/amd/display: fix mode scaling (RMX_.*) Sean Christopherson <seanjc(a)google.com> drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() Sean Christopherson <seanjc(a)google.com> drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn() Sean Christopherson <seanjc(a)google.com> drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page" Xiubo Li <xiubli(a)redhat.com> ceph: make members in struct ceph_mds_request_args_ext a union Magnus Karlsson <magnus.karlsson(a)intel.com> xsk: Fix xsk_diag use-after-free error during socket cleanup Florian Westphal <fw(a)strlen.de> net: fib: avoid warn splat in flow dissector Eric Dumazet <edumazet(a)google.com> net: read sk->sk_family once in sk_mc_loop() Eric Dumazet <edumazet(a)google.com> ipv4: annotate data-races around fi->fib_dead Eric Dumazet <edumazet(a)google.com> sctp: annotate data-races around sk->sk_wmem_queued Eric Dumazet <edumazet(a)google.com> net/sched: fq_pie: avoid stalls in fq_pie_timer() Katya Orlova <e.orlova(a)ispras.ru> smb: propagate error code of extract_sharename() Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log rule reset Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log setelem reset Yu Kuai <yukuai3(a)huawei.com> blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice() Yu Kuai <yukuai3(a)huawei.com> blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice() Andrzej Hajda <andrzej.hajda(a)intel.com> drm/i915: mark requests for GuC virtual engines to avoid use-after-free Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix flaky cgroup_iter_sleepable subtest Vincent Whitchurch <vincent.whitchurch(a)axis.com> regulator: tps6287x: Fix n_voltages Namhyung Kim <namhyung(a)kernel.org> perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test Kajol Jain <kjain(a)linux.ibm.com> perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical operators Miquel Raynal <miquel.raynal(a)bootlin.com> i3c: master: svc: Describe member 'saved_regs' Ian Rogers <irogers(a)google.com> perf header: Fix missing PMU caps Justin Stitt <justinstitt(a)google.com> accel/ivpu: refactor deprecated strncpy Vladimir Zapolskiy <vz(a)mleia.com> pwm: lpc32xx: Remove handling of PWM channels Ilkka Koskinen <ilkka(a)os.amperecomputing.com> perf vendor events arm64: Remove L1D_CACHE_LMISS from AmpereOne list Raag Jadav <raag.jadav(a)intel.com> watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load Arnaldo Carvalho de Melo <acme(a)redhat.com> perf lock: Don't pass an ERR_PTR() directly to perf_session__delete() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf top: Don't pass an ERR_PTR() directly to perf_session__delete() Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Update metric event names for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Move JSON/events to appropriate files for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Drop STORES_PER_INST metric event for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Drop some of the JSON/events for power10 platform Kajol Jain <kjain(a)linux.ibm.com> perf vendor events: Update the JSON/events descriptions for power10 platform Adrian Hunter <adrian.hunter(a)intel.com> perf dlfilter: Add al_cleanup() Arnaldo Carvalho de Melo <acme(a)kernel.org> perf dlfilter: Initialize addr_location before passing it to thread__find_symbol_fb() Namhyung Kim <namhyung(a)kernel.org> perf bpf-filter: Fix sample flag check with || Ivan Babrou <ivan(a)cloudflare.com> perf script: Print "cgroup" field on the same line as "comm" Sean Christopherson <seanjc(a)google.com> x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf annotate bpf: Don't enclose non-debug code with an assert() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: tca6416-keypad - fix interrupt enable disbalance Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: tca6416-keypad - always expect proper IRQ number in i2c client Sean Christopherson <seanjc(a)google.com> KVM: SVM: Don't defer NMI unblocking until next exit for SEV-ES guests Ian Rogers <irogers(a)google.com> perf parse-events: Additional error reporting Ian Rogers <irogers(a)google.com> perf parse-events: Separate ENOMEM memory handling Ian Rogers <irogers(a)google.com> perf parse-events: Move instances of YYABORT to YYNOMEM Ian Rogers <irogers(a)google.com> perf parse-events: Separate YYABORT and YYNOMEM cases Ying Liu <victor.liu(a)nxp.com> backlight: gpio_backlight: Drop output GPIO direction check for initial power state Artur Weber <aweber.kernel(a)gmail.com> backlight: lp855x: Initialize PWM state on first brightness change Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: atmel-tcb: Fix resource freeing in error path and remove Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pwm: atmel-tcb: Harmonize resource allocation order Arnaldo Carvalho de Melo <acme(a)redhat.com> perf trace: Really free the evsel->priv area Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - configure power mode before triggering ATI Xie XiuQi <xiexiuqi(a)huawei.com> tools/mm: fix undefined reference to pthread_once Konstantin Meskhidze <konstantin.meskhidze(a)huawei.com> kconfig: fix possible buffer overflow Jonathan Marek <jonathan(a)marek.ca> mailbox: qcom-ipcc: fix incorrect num_chans counting Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: low-memory forced flush fixes Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Switch to wait_event in gfs2_logd Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> tpm_crb: Fix an error handling path in crb_acpi_add() Jiri Slaby <jirislaby(a)kernel.org> kbuild: dummy-tools: make MPROFILE_KERNEL checks work on BE Masahiro Yamada <masahiroy(a)kernel.org> kbuild: do not run depmod for 'make modules_sign' Masahiro Yamada <masahiroy(a)kernel.org> kbuild: rpm-pkg: define _arch conditionally Qiang Yu <quic_qianyu(a)quicinc.com> bus: mhi: host: Skip MHI reset if device is in RDDM Fedor Pchelkin <pchelkin(a)ispras.ru> NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix a potential data corruption Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: mss-sc7180: fix missing resume during probe Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: q6sstop-qcs404: fix missing resume during probe Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: lpasscc-sc7280: fix missing resume during probe Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: dispcc-sm8550: fix runtime PM imbalance on probe errors Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: dispcc-sm8450: fix runtime PM imbalance on probe errors Chris Lew <quic_clew(a)quicinc.com> soc: qcom: qmi_encdec: Restrict string length in decode Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock Marco Felsch <m.felsch(a)pengutronix.de> clk: imx: pll14xx: align pdiv with reference manual Ahmad Fatoum <a.fatoum(a)pengutronix.de> clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: clock: xlnx,versal-clk: drop select:false Raag Jadav <raag.jadav(a)intel.com> pinctrl: cherryview: fix address_space_handler() argument Bharath SM <bharathsm(a)microsoft.com> cifs: update desired access while requesting for directory lease Helge Deller <deller(a)gmx.de> parisc: led: Reduce CPU overhead for disk & lan LED computation Helge Deller <deller(a)gmx.de> parisc: led: Fix LAN receive and transmit LEDs Kalesh Singh <kaleshsingh(a)google.com> Multi-gen LRU: avoid race in inc_min_seq() Andrew Donnellan <ajd(a)linux.ibm.com> lib/test_meminit: allocate pages up to order MAX_ORDER Muchun Song <muchun.song(a)linux.dev> mm: hugetlb_vmemmap: fix a race between vmemmap pmd split Michal Hocko <mhocko(a)suse.com> memcg: drop kmem.limit_in_bytes Steve French <stfrench(a)microsoft.com> send channel sequence number in SMB3 requests after reconnects Aleksey Nasibulin <alealexpro100(a)ya.ru> ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 Chris Paterson <chris.paterson2(a)renesas.com> arm64: dts: renesas: rzg2l: Fix txdv-skew-psec typos Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974pro-castor: correct touchscreen syna,nosleep-mode Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974pro-castor: correct touchscreen function names Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8953-vince: drop duplicated touschreen parent interrupt Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974pro-castor: correct inverted X of touchscreen Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: turingcc-qcs404: fix missing resume during probe Sameer Pujar <spujar(a)nvidia.com> arm64: tegra: Update AHUB clock parent and rate Sheetal <sheetal(a)nvidia.com> arm64: tegra: Update AHUB clock parent and rate on Tegra234 Paul Cercueil <paul(a)crapouillou.net> ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size Sheetal <sheetal(a)nvidia.com> ASoC: tegra: Fix SFC conversion for few rates Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Fix DRAM init on AST2200 Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: camcc-sc7180: fix async resume during probe Thomas Zimmermann <tzimmermann(a)suse.de> fbdev/ep93xx-fb: Do not assign to struct fb_info.dev Ian Kent <raven(a)themaw.net> kernfs: fix missing kernfs_iattr_rwsem locking Chengming Zhou <zhouchengming(a)bytedance.com> null_blk: fix poll request timeout handling Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix firmware resource tracking Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Error code did not return to upper layer Nilesh Javali <njavali(a)marvell.com> scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Flush mailbox commands on chip reset Manish Rangankar <mrangankar(a)marvell.com> scsi: qla2xxx: Remove unsupported ql2xenabledif option Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix TMF leak through Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix session hang in gnl Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Turn off noisy message log Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix erroneous link up failure Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix command flush during TMF Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: fix inconsistent TMF timeout Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix deletion race condition Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Limit TMF to 8 per function Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Adjust IOCB resource on qpair create Bean Huo <beanhuo(a)micron.com> scsi: ufs: core: Add advanced RPMB support where UFSHCI 4.0 does not support EHS length in UTRD Gurchetan Singh <gurchetansingh(a)chromium.org> drm/virtio: Conditionally allocate virtio_gpu_fence Quan Tian <qtian(a)vmware.com> net/ipv6: SKB symmetric hash should incorporate transport ports ------------- Diffstat: Documentation/admin-guide/cgroup-v1/memory.rst | 2 - .../devicetree/bindings/clock/xlnx,versal-clk.yaml | 2 - Makefile | 6 +- arch/arc/include/asm/atomic-llsc.h | 6 +- arch/arc/include/asm/atomic64-arcv2.h | 6 +- .../dts/broadcom/bcm4708-linksys-ea6500-v2.dts | 3 +- .../qcom-msm8974pro-sony-xperia-shinano-castor.dts | 8 +- arch/arm/boot/dts/samsung/exynos4210-i9100.dts | 4 +- arch/arm64/boot/dts/nvidia/tegra186.dtsi | 3 +- arch/arm64/boot/dts/nvidia/tegra194.dtsi | 3 +- arch/arm64/boot/dts/nvidia/tegra210.dtsi | 3 +- arch/arm64/boot/dts/nvidia/tegra234.dtsi | 3 +- arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts | 1 - arch/arm64/boot/dts/renesas/rzg2l-smarc-som.dtsi | 4 +- arch/arm64/boot/dts/renesas/rzg2lc-smarc-som.dtsi | 2 +- arch/arm64/boot/dts/renesas/rzg2ul-smarc-som.dtsi | 4 +- arch/mips/Makefile | 6 +- arch/parisc/include/asm/led.h | 4 +- arch/parisc/include/asm/mckinley.h | 8 - arch/s390/net/bpf_jit_comp.c | 10 + arch/sh/boards/mach-ap325rxa/setup.c | 2 +- arch/sh/boards/mach-ecovec24/setup.c | 6 +- arch/sh/boards/mach-kfr2r09/setup.c | 2 +- arch/sh/boards/mach-migor/setup.c | 2 +- arch/sh/boards/mach-se/7724/setup.c | 6 +- arch/sh/drivers/push-switch.c | 2 +- arch/x86/include/asm/virtext.h | 6 - arch/x86/kvm/svm/avic.c | 59 +++- arch/x86/kvm/svm/nested.c | 9 +- arch/x86/kvm/svm/sev.c | 14 +- arch/x86/kvm/svm/svm.c | 45 ++- arch/x86/kvm/vmx/vmx.c | 21 +- block/blk-throttle.c | 99 +++--- drivers/accel/ivpu/ivpu_jsm_msg.c | 3 +- drivers/ata/ahci.c | 2 + drivers/ata/pata_falcon.c | 50 +-- drivers/ata/pata_ftide010.c | 1 + drivers/ata/sata_gemini.c | 1 + drivers/block/null_blk/main.c | 12 +- drivers/bus/mhi/host/pm.c | 5 + drivers/char/tpm/tpm_crb.c | 5 +- drivers/clk/imx/clk-pll14xx.c | 13 +- drivers/clk/qcom/camcc-sc7180.c | 2 +- drivers/clk/qcom/dispcc-sm8450.c | 13 +- drivers/clk/qcom/dispcc-sm8550.c | 13 +- drivers/clk/qcom/gcc-mdm9615.c | 2 +- drivers/clk/qcom/lpasscc-sc7280.c | 16 +- drivers/clk/qcom/mss-sc7180.c | 13 +- drivers/clk/qcom/q6sstop-qcs404.c | 15 +- drivers/clk/qcom/turingcc-qcs404.c | 13 +- drivers/clocksource/arm_arch_timer.c | 7 + drivers/dma/sh/rz-dmac.c | 11 +- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 26 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c | 3 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 7 + drivers/gpu/drm/amd/display/dc/Makefile | 1 + drivers/gpu/drm/amd/display/dc/core/dc.c | 68 ++-- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_mpc.c | 5 +- drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 11 - .../gpu/drm/amd/display/dc/dml/dcn20/dcn20_fpu.c | 25 +- .../drm/amd/display/modules/freesync/freesync.c | 9 +- drivers/gpu/drm/ast/ast_post.c | 2 +- drivers/gpu/drm/i915/gt/intel_engine_types.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 3 + drivers/gpu/drm/i915/gvt/gtt.c | 27 +- drivers/gpu/drm/i915/gvt/gtt.h | 1 - drivers/gpu/drm/i915/i915_request.c | 7 +- drivers/gpu/drm/mxsfb/mxsfb_kms.c | 9 + drivers/gpu/drm/virtio/virtgpu_submit.c | 32 +- drivers/hwspinlock/qcom_hwspinlock.c | 9 + drivers/i3c/master/svc-i3c-master.c | 1 + drivers/input/keyboard/tca6416-keypad.c | 31 +- drivers/input/misc/iqs7222.c | 8 +- drivers/mailbox/qcom-ipcc.c | 4 +- drivers/misc/fastrpc.c | 22 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 112 ++++-- drivers/mtd/spi-nor/winbond.c | 5 +- drivers/net/dsa/microchip/ksz_common.c | 16 +- drivers/net/dsa/sja1105/sja1105.h | 4 + drivers/net/dsa/sja1105/sja1105_dynamic_config.c | 93 +++-- drivers/net/dsa/sja1105/sja1105_main.c | 120 +++++-- drivers/net/dsa/sja1105/sja1105_spi.c | 4 + drivers/net/ethernet/adi/adin1110.c | 10 +- drivers/net/ethernet/cadence/macb_main.c | 5 +- drivers/net/ethernet/freescale/enetc/enetc_pf.c | 2 +- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 5 +- drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 19 +- drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 20 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 14 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.h | 2 - drivers/net/ethernet/intel/igb/igb.h | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 10 +- drivers/net/ethernet/intel/igbvf/igbvf.h | 4 +- drivers/net/ethernet/intel/igc/igc.h | 4 +- drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 28 +- drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 + .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 21 +- drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 6 +- drivers/net/ethernet/marvell/octeontx2/nic/cn10k.h | 2 +- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 43 +-- .../ethernet/marvell/octeontx2/nic/otx2_common.h | 3 +- .../net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 7 +- .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 30 +- .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.h | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 + .../net/ethernet/mellanox/mlx5/core/en/tc/act/ct.c | 4 +- .../ethernet/mellanox/mlx5/core/en/tc/act/mirred.c | 1 + .../ethernet/mellanox/mlx5/core/en/tc/act/pedit.c | 4 +- .../mlx5/core/en/tc/act/redirect_ingress.c | 1 + .../ethernet/mellanox/mlx5/core/en/tc/act/vlan.c | 1 + .../mellanox/mlx5/core/en/tc/act/vlan_mangle.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 1 + .../ethernet/mellanox/mlx5/core/esw/devlink_port.c | 62 ++-- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 64 +++- drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 8 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 75 ++-- drivers/net/ethernet/microchip/vcap/vcap_api.c | 18 +- drivers/net/ethernet/renesas/rswitch.c | 8 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 10 +- drivers/net/phy/micrel.c | 9 +- drivers/net/usb/r8152.c | 3 + drivers/net/veth.c | 6 +- drivers/parisc/led.c | 4 +- drivers/parisc/sba_iommu.c | 10 +- drivers/pinctrl/intel/pinctrl-cherryview.c | 5 +- drivers/platform/mellanox/Kconfig | 4 +- drivers/platform/mellanox/mlxbf-pmc.c | 41 +-- drivers/platform/mellanox/mlxbf-tmfifo.c | 90 +++-- drivers/pwm/pwm-atmel-tcb.c | 64 ++-- drivers/pwm/pwm-lpc32xx.c | 16 +- drivers/regulator/raa215300.c | 32 +- drivers/regulator/tps6287x-regulator.c | 2 +- drivers/regulator/tps6594-regulator.c | 31 +- drivers/s390/crypto/zcrypt_api.c | 1 + drivers/scsi/qla2xxx/qla_attr.c | 2 - drivers/scsi/qla2xxx/qla_dbg.c | 2 +- drivers/scsi/qla2xxx/qla_def.h | 21 +- drivers/scsi/qla2xxx/qla_dfs.c | 10 + drivers/scsi/qla2xxx/qla_gbl.h | 1 + drivers/scsi/qla2xxx/qla_init.c | 234 ++++++++----- drivers/scsi/qla2xxx/qla_inline.h | 57 +++- drivers/scsi/qla2xxx/qla_iocb.c | 1 + drivers/scsi/qla2xxx/qla_isr.c | 7 +- drivers/scsi/qla2xxx/qla_mbx.c | 7 +- drivers/scsi/qla2xxx/qla_nvme.c | 3 +- drivers/scsi/qla2xxx/qla_os.c | 26 +- drivers/scsi/qla2xxx/qla_target.c | 14 +- drivers/soc/qcom/qmi_encdec.c | 4 +- drivers/ufs/core/ufs_bsg.c | 3 +- drivers/ufs/core/ufshcd.c | 10 +- drivers/video/backlight/gpio_backlight.c | 3 +- drivers/video/backlight/lp855x_bl.c | 20 +- drivers/video/fbdev/ep93xx-fb.c | 1 - drivers/watchdog/Kconfig | 2 + drivers/watchdog/intel-mid_wdt.c | 1 + fs/btrfs/disk-io.c | 5 +- fs/btrfs/extent-tree.c | 43 +-- fs/btrfs/file-item.c | 34 +- fs/btrfs/file-item.h | 6 +- fs/btrfs/inode.c | 7 + fs/btrfs/raid56.c | 4 +- fs/btrfs/relocation.c | 12 +- fs/btrfs/scrub.c | 152 ++++++--- fs/btrfs/space-info.c | 6 +- fs/btrfs/transaction.c | 26 +- fs/btrfs/zoned.c | 16 +- fs/ext4/balloc.c | 15 +- fs/ext4/block_validity.c | 8 +- fs/ext4/crypto.c | 4 + fs/ext4/ext4.h | 2 + fs/ext4/extents_status.c | 44 ++- fs/ext4/file.c | 25 +- fs/f2fs/data.c | 8 +- fs/f2fs/f2fs.h | 24 +- fs/f2fs/inline.c | 3 +- fs/f2fs/segment.c | 2 + fs/fuse/readdir.c | 10 +- fs/gfs2/aops.c | 4 +- fs/gfs2/log.c | 25 +- fs/jbd2/checkpoint.c | 22 +- fs/jbd2/recovery.c | 12 +- fs/kernfs/dir.c | 4 + fs/nfs/direct.c | 20 +- fs/nfs/pnfs_dev.c | 2 +- fs/smb/client/cached_dir.c | 2 +- fs/smb/client/cifsglob.h | 1 + fs/smb/client/connect.c | 1 + fs/smb/client/fscache.c | 2 +- fs/smb/client/smb2ops.c | 11 +- fs/smb/client/smb2pdu.c | 11 + fs/smb/common/smb2pdu.h | 22 ++ include/linux/audit.h | 2 + include/linux/bpf.h | 12 + include/linux/ceph/ceph_fs.h | 24 +- include/linux/export-internal.h | 2 + include/linux/ipv6.h | 1 + include/linux/micrel_phy.h | 7 +- include/linux/phylink.h | 4 +- include/linux/tca6416_keypad.h | 1 - include/net/ip.h | 3 +- include/net/ip6_fib.h | 5 +- include/net/ip_fib.h | 5 +- include/net/ip_tunnels.h | 15 +- include/net/ipv6.h | 7 +- include/net/scm.h | 14 +- include/net/sock.h | 29 +- kernel/auditsc.c | 2 + kernel/bpf/bpf_local_storage.c | 49 +-- kernel/bpf/core.c | 10 +- kernel/bpf/syscall.c | 2 +- kernel/bpf/trampoline.c | 5 +- kernel/trace/bpf_trace.c | 11 - lib/idr.c | 2 +- lib/kunit/test.c | 3 +- lib/test_meminit.c | 2 +- lib/test_scanf.c | 2 +- mm/hugetlb_vmemmap.c | 34 +- mm/memcontrol.c | 32 +- mm/mremap.c | 2 +- mm/vmscan.c | 13 +- net/can/j1939/socket.c | 10 +- net/core/flow_dissector.c | 3 +- net/core/skbuff.c | 10 +- net/core/skmsg.c | 12 +- net/core/sock.c | 27 +- net/handshake/netlink.c | 18 +- net/hsr/hsr_forward.c | 1 + net/ipv4/devinet.c | 10 +- net/ipv4/fib_semantics.c | 5 +- net/ipv4/fib_trie.c | 3 +- net/ipv4/inet_hashtables.c | 36 +- net/ipv4/ip_input.c | 3 +- net/ipv4/ip_output.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/route.c | 1 + net/ipv4/tcp.c | 4 +- net/ipv4/tcp_output.c | 2 +- net/ipv4/udp.c | 6 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_input.c | 3 +- net/ipv6/ip6_output.c | 2 +- net/ipv6/ping.c | 2 +- net/ipv6/raw.c | 2 +- net/ipv6/route.c | 3 + net/ipv6/udp.c | 2 +- net/kcm/kcmsock.c | 15 +- net/mptcp/protocol.c | 23 +- net/netfilter/nf_tables_api.c | 54 ++- net/netfilter/nfnetlink_osf.c | 8 + net/netfilter/nft_exthdr.c | 22 +- net/netfilter/nft_set_rbtree.c | 8 +- net/sched/sch_fq_pie.c | 27 +- net/sched/sch_plug.c | 2 +- net/sched/sch_qfq.c | 22 +- net/sctp/proc.c | 2 +- net/sctp/socket.c | 10 +- net/smc/smc_core.c | 2 + net/socket.c | 15 +- net/tls/tls_sw.c | 4 +- net/unix/af_unix.c | 2 +- net/unix/scm.c | 6 +- net/xdp/xsk_diag.c | 3 + scripts/dummy-tools/gcc | 3 +- scripts/kconfig/preprocess.c | 3 + scripts/mod/modpost.c | 9 + scripts/package/mkspec | 2 +- sound/soc/tegra/tegra210_sfc.c | 31 +- sound/soc/tegra/tegra210_sfc.h | 4 +- tools/build/Makefile.build | 10 + tools/mm/Makefile | 4 +- tools/perf/Documentation/perf-dlfilter.txt | 22 +- tools/perf/Makefile.perf | 2 +- tools/perf/builtin-lock.c | 1 + tools/perf/builtin-script.c | 22 +- tools/perf/builtin-top.c | 1 + tools/perf/builtin-trace.c | 9 +- tools/perf/dlfilters/dlfilter-test-api-v2.c | 377 +++++++++++++++++++++ tools/perf/include/perf/perf_dlfilter.h | 11 +- tools/perf/pmu-events/Build | 6 + .../arch/arm64/ampere/ampereone/cache.json | 3 - .../pmu-events/arch/powerpc/power10/cache.json | 47 +-- .../arch/powerpc/power10/floating_point.json | 66 +++- .../pmu-events/arch/powerpc/power10/frontend.json | 188 +--------- .../pmu-events/arch/powerpc/power10/marked.json | 194 ++++++++--- .../pmu-events/arch/powerpc/power10/memory.json | 91 +---- .../pmu-events/arch/powerpc/power10/metrics.json | 56 ++- .../pmu-events/arch/powerpc/power10/others.json | 209 ++---------- .../pmu-events/arch/powerpc/power10/pipeline.json | 269 +++++++++++---- .../perf/pmu-events/arch/powerpc/power10/pmc.json | 193 ++++++++++- .../arch/powerpc/power10/translation.json | 42 +-- tools/perf/pmu-events/jevents.py | 2 +- tools/perf/tests/dlfilter-test.c | 38 ++- tools/perf/tests/shell/stat_bpf_counters.sh | 4 +- tools/perf/tests/shell/stat_bpf_counters_cgrp.sh | 28 +- tools/perf/ui/browsers/hists.c | 60 ++-- tools/perf/util/annotate.c | 10 +- tools/perf/util/bpf-filter.c | 14 +- tools/perf/util/dlfilter.c | 30 ++ tools/perf/util/expr.c | 4 +- tools/perf/util/header.c | 42 +-- tools/perf/util/parse-events.c | 4 +- tools/perf/util/parse-events.y | 256 +++++++++----- tools/perf/util/pmu.c | 4 +- .../selftests/bpf/prog_tests/bpf_obj_pinning.c | 5 +- .../selftests/bpf/prog_tests/sockmap_helpers.h | 26 ++ .../selftests/bpf/prog_tests/sockmap_listen.c | 7 + .../trigger-synthetic-event-dynstring.tc | 2 +- .../trigger-synthetic_event_syntax_errors.tc | 2 +- tools/testing/selftests/kselftest/runner.sh | 3 +- tools/testing/selftests/lib.mk | 4 +- tools/testing/selftests/net/bind_wildcard.c | 2 +- 316 files changed, 3898 insertions(+), 2319 deletions(-)

1 year, 2 months

18
318
0 0

[PATCH v2] nvme: remove unprivileged passthrough support

by Kanchan Joshi

Passthrough has got a hole that can be exploited to cause kernel memory corruption. This is about making the device do larger DMA into short meta/data buffer owned by kernel [1]. As a stopgap measure, disable the support of unprivileged passthrough. This patch brings back coarse-granular CAP_SYS_ADMIN checks by reverting following patches: - 7d9d7d59d44 ("nvme: replace the fmode_t argument to the nvme ioctl handlers with a simple bool") - 313c08c72ee ("nvme: don't allow unprivileged passthrough on partitions") - 6f99ac04c46 ("nvme: consult the CSE log page for unprivileged passthrough") - ea43fceea41 ("nvme: allow unprivileged passthrough of Identify Controller") - e4fbcf32c86 ("nvme: identify-namespace without CAP_SYS_ADMIN") - 855b7717f44 ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands") [1] https://lore.kernel.org/linux-nvme/20231013051458.39987-1-joshi.k@samsung.c… CC: stable(a)vger.kernel.org # 6.2 Fixes: 855b7717f44b1 ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands") Suggested-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Kanchan Joshi <joshi.k(a)samsung.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> --- Changes since v1: - Fix the way "Fixes:" was written before (Greg) drivers/nvme/host/ioctl.c | 159 ++++++++------------------------------ include/linux/nvme.h | 2 - 2 files changed, 34 insertions(+), 127 deletions(-) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index d8ff796fd5f2..788b36e7915a 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -10,80 +10,8 @@ enum { NVME_IOCTL_VEC = (1 << 0), - NVME_IOCTL_PARTITION = (1 << 1), }; -static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, - unsigned int flags, bool open_for_write) -{ - u32 effects; - - if (capable(CAP_SYS_ADMIN)) - return true; - - /* - * Do not allow unprivileged passthrough on partitions, as that allows an - * escape from the containment of the partition. - */ - if (flags & NVME_IOCTL_PARTITION) - return false; - - /* - * Do not allow unprivileged processes to send vendor specific or fabrics - * commands as we can't be sure about their effects. - */ - if (c->common.opcode >= nvme_cmd_vendor_start || - c->common.opcode == nvme_fabrics_command) - return false; - - /* - * Do not allow unprivileged passthrough of admin commands except - * for a subset of identify commands that contain information required - * to form proper I/O commands in userspace and do not expose any - * potentially sensitive information. - */ - if (!ns) { - if (c->common.opcode == nvme_admin_identify) { - switch (c->identify.cns) { - case NVME_ID_CNS_NS: - case NVME_ID_CNS_CS_NS: - case NVME_ID_CNS_NS_CS_INDEP: - case NVME_ID_CNS_CS_CTRL: - case NVME_ID_CNS_CTRL: - return true; - } - } - return false; - } - - /* - * Check if the controller provides a Commands Supported and Effects log - * and marks this command as supported. If not reject unprivileged - * passthrough. - */ - effects = nvme_command_effects(ns->ctrl, ns, c->common.opcode); - if (!(effects & NVME_CMD_EFFECTS_CSUPP)) - return false; - - /* - * Don't allow passthrough for command that have intrusive (or unknown) - * effects. - */ - if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC | - NVME_CMD_EFFECTS_UUID_SEL | - NVME_CMD_EFFECTS_SCOPE_MASK)) - return false; - - /* - * Only allow I/O commands that transfer data to the controller or that - * change the logical block contents if the file descriptor is open for - * writing. - */ - if (nvme_is_write(c) || (effects & NVME_CMD_EFFECTS_LBCC)) - return open_for_write; - return true; -} - /* * Convert integer values from ioctl structures to user pointers, silently * ignoring the upper bits in the compat case to match behaviour of 32-bit @@ -335,8 +263,7 @@ static bool nvme_validate_passthru_nsid(struct nvme_ctrl *ctrl, } static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, - struct nvme_passthru_cmd __user *ucmd, unsigned int flags, - bool open_for_write) + struct nvme_passthru_cmd __user *ucmd) { struct nvme_passthru_cmd cmd; struct nvme_command c; @@ -344,6 +271,8 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u64 result; int status; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; if (copy_from_user(&cmd, ucmd, sizeof(cmd))) return -EFAULT; if (cmd.flags) @@ -364,9 +293,6 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(cmd.cdw14); c.common.cdw15 = cpu_to_le32(cmd.cdw15); - if (!nvme_cmd_allowed(ns, &c, 0, open_for_write)) - return -EACCES; - if (cmd.timeout_ms) timeout = msecs_to_jiffies(cmd.timeout_ms); @@ -383,14 +309,16 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, } static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns, - struct nvme_passthru_cmd64 __user *ucmd, unsigned int flags, - bool open_for_write) + struct nvme_passthru_cmd64 __user *ucmd, + unsigned int flags) { struct nvme_passthru_cmd64 cmd; struct nvme_command c; unsigned timeout = 0; int status; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; if (copy_from_user(&cmd, ucmd, sizeof(cmd))) return -EFAULT; if (cmd.flags) @@ -411,9 +339,6 @@ static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(cmd.cdw14); c.common.cdw15 = cpu_to_le32(cmd.cdw15); - if (!nvme_cmd_allowed(ns, &c, flags, open_for_write)) - return -EACCES; - if (cmd.timeout_ms) timeout = msecs_to_jiffies(cmd.timeout_ms); @@ -563,6 +488,9 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, void *meta = NULL; int ret; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + c.common.opcode = READ_ONCE(cmd->opcode); c.common.flags = READ_ONCE(cmd->flags); if (c.common.flags) @@ -584,9 +512,6 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(READ_ONCE(cmd->cdw14)); c.common.cdw15 = cpu_to_le32(READ_ONCE(cmd->cdw15)); - if (!nvme_cmd_allowed(ns, &c, 0, ioucmd->file->f_mode & FMODE_WRITE)) - return -EACCES; - d.metadata = READ_ONCE(cmd->metadata); d.addr = READ_ONCE(cmd->addr); d.data_len = READ_ONCE(cmd->data_len); @@ -643,13 +568,13 @@ static bool is_ctrl_ioctl(unsigned int cmd) } static int nvme_ctrl_ioctl(struct nvme_ctrl *ctrl, unsigned int cmd, - void __user *argp, bool open_for_write) + void __user *argp) { switch (cmd) { case NVME_IOCTL_ADMIN_CMD: - return nvme_user_cmd(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd(ctrl, NULL, argp); case NVME_IOCTL_ADMIN64_CMD: - return nvme_user_cmd64(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd64(ctrl, NULL, argp, 0); default: return sed_ioctl(ctrl->opal_dev, cmd, argp); } @@ -674,14 +599,16 @@ struct nvme_user_io32 { #endif /* COMPAT_FOR_U64_ALIGNMENT */ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned int cmd, - void __user *argp, unsigned int flags, bool open_for_write) + void __user *argp) { + unsigned int flags = 0; + switch (cmd) { case NVME_IOCTL_ID: force_successful_syscall_return(); return ns->head->ns_id; case NVME_IOCTL_IO_CMD: - return nvme_user_cmd(ns->ctrl, ns, argp, flags, open_for_write); + return nvme_user_cmd(ns->ctrl, ns, argp); /* * struct nvme_user_io can have different padding on some 32-bit ABIs. * Just accept the compat version as all fields that are used are the @@ -696,39 +623,32 @@ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned int cmd, flags |= NVME_IOCTL_VEC; fallthrough; case NVME_IOCTL_IO64_CMD: - return nvme_user_cmd64(ns->ctrl, ns, argp, flags, - open_for_write); + return nvme_user_cmd64(ns->ctrl, ns, argp, flags); default: return -ENOTTY; } } -int nvme_ioctl(struct block_device *bdev, blk_mode_t mode, +int nvme_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd, unsigned long arg) { struct nvme_ns *ns = bdev->bd_disk->private_data; - bool open_for_write = mode & BLK_OPEN_WRITE; void __user *argp = (void __user *)arg; - unsigned int flags = 0; - - if (bdev_is_partition(bdev)) - flags |= NVME_IOCTL_PARTITION; if (is_ctrl_ioctl(cmd)) - return nvme_ctrl_ioctl(ns->ctrl, cmd, argp, open_for_write); - return nvme_ns_ioctl(ns, cmd, argp, flags, open_for_write); + return nvme_ctrl_ioctl(ns->ctrl, cmd, argp); + return nvme_ns_ioctl(ns, cmd, argp); } long nvme_ns_chr_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct nvme_ns *ns = container_of(file_inode(file)->i_cdev, struct nvme_ns, cdev); - bool open_for_write = file->f_mode & FMODE_WRITE; void __user *argp = (void __user *)arg; if (is_ctrl_ioctl(cmd)) - return nvme_ctrl_ioctl(ns->ctrl, cmd, argp, open_for_write); - return nvme_ns_ioctl(ns, cmd, argp, 0, open_for_write); + return nvme_ctrl_ioctl(ns->ctrl, cmd, argp); + return nvme_ns_ioctl(ns, cmd, argp); } static int nvme_uring_cmd_checks(unsigned int issue_flags) @@ -792,8 +712,7 @@ int nvme_ns_chr_uring_cmd_iopoll(struct io_uring_cmd *ioucmd, } #ifdef CONFIG_NVME_MULTIPATH static int nvme_ns_head_ctrl_ioctl(struct nvme_ns *ns, unsigned int cmd, - void __user *argp, struct nvme_ns_head *head, int srcu_idx, - bool open_for_write) + void __user *argp, struct nvme_ns_head *head, int srcu_idx) __releases(&head->srcu) { struct nvme_ctrl *ctrl = ns->ctrl; @@ -801,7 +720,7 @@ static int nvme_ns_head_ctrl_ioctl(struct nvme_ns *ns, unsigned int cmd, nvme_get_ctrl(ns->ctrl); srcu_read_unlock(&head->srcu, srcu_idx); - ret = nvme_ctrl_ioctl(ns->ctrl, cmd, argp, open_for_write); + ret = nvme_ctrl_ioctl(ns->ctrl, cmd, argp); nvme_put_ctrl(ctrl); return ret; @@ -811,14 +730,9 @@ int nvme_ns_head_ioctl(struct block_device *bdev, blk_mode_t mode, unsigned int cmd, unsigned long arg) { struct nvme_ns_head *head = bdev->bd_disk->private_data; - bool open_for_write = mode & BLK_OPEN_WRITE; void __user *argp = (void __user *)arg; struct nvme_ns *ns; int srcu_idx, ret = -EWOULDBLOCK; - unsigned int flags = 0; - - if (bdev_is_partition(bdev)) - flags |= NVME_IOCTL_PARTITION; srcu_idx = srcu_read_lock(&head->srcu); ns = nvme_find_path(head); @@ -831,10 +745,9 @@ int nvme_ns_head_ioctl(struct block_device *bdev, blk_mode_t mode, * deadlock when deleting namespaces using the passthrough interface. */ if (is_ctrl_ioctl(cmd)) - return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx, - open_for_write); + return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx); - ret = nvme_ns_ioctl(ns, cmd, argp, flags, open_for_write); + ret = nvme_ns_ioctl(ns, cmd, argp); out_unlock: srcu_read_unlock(&head->srcu, srcu_idx); return ret; @@ -843,7 +756,6 @@ int nvme_ns_head_ioctl(struct block_device *bdev, blk_mode_t mode, long nvme_ns_head_chr_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { - bool open_for_write = file->f_mode & FMODE_WRITE; struct cdev *cdev = file_inode(file)->i_cdev; struct nvme_ns_head *head = container_of(cdev, struct nvme_ns_head, cdev); @@ -857,10 +769,9 @@ long nvme_ns_head_chr_ioctl(struct file *file, unsigned int cmd, goto out_unlock; if (is_ctrl_ioctl(cmd)) - return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx, - open_for_write); + return nvme_ns_head_ctrl_ioctl(ns, cmd, argp, head, srcu_idx); - ret = nvme_ns_ioctl(ns, cmd, argp, 0, open_for_write); + ret = nvme_ns_ioctl(ns, cmd, argp); out_unlock: srcu_read_unlock(&head->srcu, srcu_idx); return ret; @@ -909,8 +820,7 @@ int nvme_dev_uring_cmd(struct io_uring_cmd *ioucmd, unsigned int issue_flags) return ret; } -static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp, - bool open_for_write) +static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp) { struct nvme_ns *ns; int ret; @@ -934,7 +844,7 @@ static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp, kref_get(&ns->kref); up_read(&ctrl->namespaces_rwsem); - ret = nvme_user_cmd(ctrl, ns, argp, 0, open_for_write); + ret = nvme_user_cmd(ctrl, ns, argp); nvme_put_ns(ns); return ret; @@ -946,17 +856,16 @@ static int nvme_dev_user_cmd(struct nvme_ctrl *ctrl, void __user *argp, long nvme_dev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { - bool open_for_write = file->f_mode & FMODE_WRITE; struct nvme_ctrl *ctrl = file->private_data; void __user *argp = (void __user *)arg; switch (cmd) { case NVME_IOCTL_ADMIN_CMD: - return nvme_user_cmd(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd(ctrl, NULL, argp); case NVME_IOCTL_ADMIN64_CMD: - return nvme_user_cmd64(ctrl, NULL, argp, 0, open_for_write); + return nvme_user_cmd64(ctrl, NULL, argp, 0); case NVME_IOCTL_IO_CMD: - return nvme_dev_user_cmd(ctrl, argp, open_for_write); + return nvme_dev_user_cmd(ctrl, argp); case NVME_IOCTL_RESET: if (!capable(CAP_SYS_ADMIN)) return -EACCES; diff --git a/include/linux/nvme.h b/include/linux/nvme.h index 26dd3f859d9d..df3e2c619448 100644 --- a/include/linux/nvme.h +++ b/include/linux/nvme.h @@ -642,7 +642,6 @@ enum { NVME_CMD_EFFECTS_CCC = 1 << 4, NVME_CMD_EFFECTS_CSE_MASK = GENMASK(18, 16), NVME_CMD_EFFECTS_UUID_SEL = 1 << 19, - NVME_CMD_EFFECTS_SCOPE_MASK = GENMASK(31, 20), }; struct nvme_effects_log { @@ -834,7 +833,6 @@ enum nvme_opcode { nvme_cmd_zone_mgmt_send = 0x79, nvme_cmd_zone_mgmt_recv = 0x7a, nvme_cmd_zone_append = 0x7d, - nvme_cmd_vendor_start = 0x80, }; #define nvme_opcode_name(opcode) { opcode, #opcode } -- 2.25.1

1 year, 2 months

4
12
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2023