July 2024 - Linux-stable-mirror

[PATCH 5.10 000/317] 5.10.219-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.219 release. There are 317 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 15 Jun 2024 11:31:50 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.219-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.219-rc1 Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix CQ and QP cache affinity Yangyang Li <liyangyang20(a)huawei.com> RDMA/hns: Use mutex instead of spinlock for ida allocation Chao Yu <chao(a)kernel.org> f2fs: compress: fix compression chksum Neil Armstrong <neil.armstrong(a)linaro.org> scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5 Anna Schumaker <Anna.Schumaker(a)Netapp.com> NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS Sergey Shtylyov <s.shtylyov(a)omp.ru> nfs: fix undefined behavior in nfs_block_bits() Harald Freudenberger <freude(a)linux.ibm.com> s390/ap: Fix crash in AP internal function modify_bitmap() Baokun Li <libaokun1(a)huawei.com> ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() Mike Gilbert <floppym(a)gentoo.org> sparc: move struct termio to asm/termios.h Eric Dumazet <edumazet(a)google.com> net: fix __dst_negative_advice() race Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Use format-specifiers rather than memset() for padding in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Merge identical case statements in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Fix console handling when editing and tab-completing commands Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Use format-strings rather than '\0' injection in kdb_read() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Fix buffer overflow during tab-complete Judith Mendez <jm(a)ti.com> watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin Sam Ravnborg <sam(a)ravnborg.org> sparc64: Fix number of online CPUs Alexander Shishkin <alexander.shishkin(a)linux.intel.com> intel_th: pci: Add Meteor Lake-S CPU support Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net/9p: fix uninit-value in p9_client_rpc() xu xin <xu.xin16(a)zte.com.cn> net/ipv6: Fix route deleting failure when metric equals 0 Herbert Xu <herbert(a)gondor.apana.org.au> crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Vitaly Chikunov <vt(a)altlinux.org> crypto: ecrdsa - Fix module auto-load on add_key Marc Zyngier <maz(a)kernel.org> KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode Cai Xinchen <caixinchen1(a)huawei.com> fbdev: savage: Handle err return when savagefb_check_var failed Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working Hans de Goede <hdegoede(a)redhat.com> mmc: sdhci-acpi: Sort DMI quirks alphabetically Hans de Goede <hdegoede(a)redhat.com> mmc: core: Add mmc_gpiod_set_cd_config() function Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: v4l2-core: hold videodev_lock until dev reg, finishes Nathan Chancellor <nathan(a)kernel.org> media: mxl5xx: Move xpt structures off stack Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: mc: mark the media devnode as registered from the, start Yang Xiwen <forbidden405(a)outlook.com> arm64: dts: hi3798cv200: fix the size of GICR Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU Yu Kuai <yukuai3(a)huawei.com> md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: qcs404: fix bluetooth device address Krzysztof Kozlowski <krzk(a)kernel.org> arm64: tegra: Correct Tegra132 I2C alias Christoffer Sandberg <cs(a)tuxedo.de> ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx Sergey Shtylyov <s.shtylyov(a)omp.ru> ata: pata_legacy: make legacy_exit() work again Bob Zhou <bob.zhou(a)amd.com> drm/amdgpu: add error handle to avoid out-of-bounds Zheyu Ma <zheyuma97(a)gmail.com> media: lgdt3306a: Add a check against null-pointer-def Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() Ziyang Xuan <william.xuanziyang(a)huawei.com> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV Linus Torvalds <torvalds(a)linux-foundation.org> x86/mm: Remove broken vsyscall emulation code from the page fault code Daniel Borkmann <daniel(a)iogearbox.net> vxlan: Fix regression when dropping packets due to invalid src addresses Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix use-after-free of timer for log writer thread Marc Dionne <marc.dionne(a)auristor.com> afs: Don't cross .backup mountpoint from backup volume Ming Lei <ming.lei(a)redhat.com> io_uring: fail NOP if non-zero op flags is passed in Jorge Ramirez-Ortiz <jorge(a)foundries.io> mmc: core: Do not force a retune before RPMB switch Carlos Llamas <cmllamas(a)google.com> binder: fix max_thread type inconsistency Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix loop termination condition in gss_free_in_token_pages() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: core: add adap_nb_transmit_canceled() callback Dongli Zhang <dongli.zhang(a)oracle.com> genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Set lower bound of start tick time Guenter Roeck <linux(a)roeck-us.net> hwmon: (shtc1) Fix property misspelling Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/uaccess: Use asm goto for get_user when compiler supports it Yue Haibing <yuehaibing(a)huawei.com> ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> spi: stm32: Don't warn about spurious interrupts Masahiro Yamada <masahiroy(a)kernel.org> kconfig: fix comparison to constant symbols, 'm', 'n' Florian Westphal <fw(a)strlen.de> netfilter: tproxy: bail out if IP has been disabled on the device Xiaolei Wang <xiaolei.wang(a)windriver.com> net:fec: Add fec_enet_deinit() Jakub Sitnicki <jakub(a)cloudflare.com> bpf: Allow delete from sockmap/sockhash only if update is allowed Parthiban Veerasooran <Parthiban.Veerasooran(a)microchip.com> net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM Roded Zats <rzats(a)paloaltonetworks.com> enic: Validate length of nl attributes in enic_set_vf_port Friedrich Vock <friedrich.vock(a)gmx.de> bpf: Fix potential integer overflow in resolve_btfids Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> dma-buf/sw-sync: don't enable IRQ from sync_print_obj() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion Sagi Grimberg <sagi(a)grimberg.me> nvmet: fix ns enable/disable possible hang Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: Don't mark message DMA mapped when no transfer in it is Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: restore vlan q-in-q match support Eric Dumazet <edumazet(a)google.com> netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() Ryosuke Yasuoka <ryasuoka(a)redhat.com> nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> nfc: nci: Fix kcov check in nci_rx_work() Dae R. Jeong <threeearcat(a)gmail.com> tls: fix missing memory barrier in tls_init Wei Fang <wei.fang(a)nxp.com> net: fec: avoid lock evasion when reading pps_enable Matthew Bystrin <dev.mbstr(a)gmail.com> riscv: stacktrace: fixed walk_stackframe() Guo Ren <guoren(a)linux.alibaba.com> riscv: stacktrace: Make walk_stackframe cross pt_regs frame Kefeng Wang <wangkefeng.wang(a)huawei.com> riscv: Cleanup stacktrace Jiri Pirko <jiri(a)nvidia.com> virtio: delete vq in vp_find_vqs_msix() when request_irq() fails Jiangfeng Xiao <xiaojiangfeng(a)huawei.com> arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY Aaron Conole <aconole(a)redhat.com> openvswitch: Set the skbuff pkt_type for proper pmtud support. Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). Sagi Grimberg <sagi(a)grimberg.me> params: lift param_set_uint_minmax to common code Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: fix memleak in seg6_hmac_init_algo Dan Aloni <dan.aloni(a)vastdata.com> rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL Dan Aloni <dan.aloni(a)vastdata.com> sunrpc: fix NFSACL RPC retry on soft mount Shenghao Ding <shenghao-ding(a)ti.com> ASoC: tas2552: Add TX path for capturing AUDIO-OUT data Ryosuke Yasuoka <ryasuoka(a)redhat.com> nfc: nci: Fix uninit-value in nci_rx_work Masahiro Yamada <masahiroy(a)kernel.org> x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y Matti Vaittinen <mazziesaccount(a)gmail.com> regulator: bd71828: Don't overwrite runtime voltages Zhu Yanjun <yanjun.zhu(a)linux.dev> null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: core: avoid confusing "transmit timed out" message Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: core: avoid recursive cec_claim_log_addrs Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec-adap.c: drop activate_cnt, use state info instead Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: use call_op and check for !unregistered Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: correctly pass on reply results Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: abort if the current transmit was canceled Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: call enable_adap on s_log_addrs Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: fix a deadlock situation Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: core headers: fix kernel-doc warnings Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: cec-api: add locking in cec_release() Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: cec: cec-adap: always cancel work in cec_transmit_msg_fh Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix the -Wmissing-prototypes warning for __switch_mm Shrikanth Hegde <sshegde(a)linux.ibm.com> powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp Dongliang Mu <mudongliangabcd(a)gmail.com> media: flexcop-usb: fix sanity check of bNumEndpoints Johan Hovold <johan(a)kernel.org> media: flexcop-usb: clean up endpoint sanity checks Azeem Shaikh <azeemshaikh38(a)gmail.com> scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() Dan Carpenter <dan.carpenter(a)linaro.org> media: stk1160: fix bounds checking in stk1160_copy_video() Michael Walle <mwalle(a)kernel.org> drm/bridge: tc358775: fix support for jeida-18 and jeida-24 Johannes Berg <johannes.berg(a)intel.com> um: vector: fix bpfflash parameter evaluation Roberto Sassu <roberto.sassu(a)huawei.com> um: Add winch to winch_handlers before registering winch IRQ Duoming Zhou <duoming(a)zju.edu.cn> um: Fix return value in ubd_init() Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Always flush the slave INTF on the CTL Fenglin Wu <quic_fenglinw(a)quicinc.com> Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Fix ITAPDLY for HS400 timing Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Add OTAP/ITAP delay enable Vignesh Raghavendra <vigneshr(a)ti.com> mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Write ITAPDLY for DDR52 timing Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Add tuning algorithm for delay chain Karel Balej <balejk(a)matfyz.cz> Input: ioc3kbd - add device table Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Input: ioc3kbd - convert to platform remove callback returning void Arnd Bergmann <arnd(a)arndb.de> Input: ims-pcu - fix printf string overflow Alexander Egorenkov <egorenar(a)linux.ibm.com> s390/ipl: Fix incorrect initialization of nvme dump block Alexander Egorenkov <egorenar(a)linux.ibm.com> s390/ipl: Fix incorrect initialization of len fields in nvme reipl block Ian Rogers <irogers(a)google.com> perf stat: Don't display metric header for non-leader uncore events Ian Rogers <irogers(a)google.com> libsubcmd: Fix parse-options memory leak Wolfram Sang <wsa+renesas(a)sang-engineering.com> serial: sh-sci: protect invalidating RXDMA on shutdown Chao Yu <chao(a)kernel.org> f2fs: compress: don't allow unaligned truncation on released compress inode Chao Yu <chao(a)kernel.org> f2fs: fix to release node block count in error path of f2fs_new_node_page() Chao Yu <chao(a)kernel.org> f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock Ian Rogers <irogers(a)google.com> perf report: Avoid SEGV in report__setup_sample_type() Ian Rogers <irogers(a)google.com> perf ui browser: Avoid SEGV on title Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3 Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3 Randy Dunlap <rdunlap(a)infradead.org> extcon: max8997: select IRQ_DOMAIN instead of depending on it Ian Rogers <irogers(a)google.com> perf ui browser: Don't save pointer to stack memory Ian Rogers <irogers(a)google.com> perf ui: Update use of pthread mutex yaowenbin <yaowenbin1(a)huawei.com> perf top: Fix TUI exit screen refresh race condition He Zhe <zhe.he(a)windriver.com> perf bench internals inject-build-id: Fix trap divide when collecting just one DSO Huai-Yuan Liu <qq810974084(a)gmail.com> ppdev: Add an error check in register_device Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ppdev: Remove usage of the deprecated ida_simple_xx() API Dan Carpenter <dan.carpenter(a)linaro.org> stm class: Fix a double free in stm_register_device() Chris Wulff <Chris.Wulff(a)biamp.com> usb: gadget: u_audio: Clear uac pointer when freed. Miklos Szeredi <mszeredi(a)redhat.com> ovl: remove upper umask handling from ovl_create_upper() Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix unassigned instruction op (discovered by MemorySanitizer) Michal Simek <michal.simek(a)amd.com> microblaze: Remove early printk call from cpuinfo-static.c Michal Simek <michal.simek(a)amd.com> microblaze: Remove gcc flag for non existing early_printk.c file Marco Pagani <marpagan(a)redhat.com> fpga: region: add owner module and take its refcount Russ Weight <russell.h.weight(a)intel.com> fpga: region: Use standard dev_release for class driver Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> docs: driver-api: fpga: avoid using UTF-8 chars Russ Weight <russell.h.weight(a)intel.com> fpga: region: Rename dev to parent for parent device Tom Rix <trix(a)redhat.com> fpga: region: change FPGA indirect article to an Thomas Haemmerle <thomas.haemmerle(a)leica-geosystems.com> iio: pressure: dps310: support negative temperature values Chao Yu <chao(a)kernel.org> f2fs: fix to check pinfile flag in f2fs_move_file_range() Chao Yu <chao(a)kernel.org> f2fs: fix to relocate check condition in f2fs_fallocate() Jinyoung CHOI <j-young.choi(a)samsung.com> f2fs: fix typos in comments Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: do not allow partial truncation on pinned file Chao Yu <chao(a)kernel.org> f2fs: fix to force keeping write barrier for strict fsync mode Chao Yu <chao(a)kernel.org> f2fs: add cp_error check in f2fs_write_compressed_pages Chao Yu <chao(a)kernel.org> f2fs: compress: fix to relocate check condition in f2fs_{release,reserve}_compress_blocks() Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: introduce FI_COMPRESS_RELEASED instead of using IMMUTABLE bit Chao Yu <chao(a)kernel.org> f2fs: compress: remove unneeded preallocation Chao Yu <chao(a)kernel.org> f2fs: compress: clean up parameter of __f2fs_cluster_blocks() Daeho Jeong <daehojeong(a)google.com> f2fs: add compress_mode mount option Chao Yu <chao(a)kernel.org> f2fs: compress: support chksum Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: add proper sched.h include for sched_set_fifo() Arnd Bergmann <arnd(a)arndb.de> greybus: arche-ctrl: move device table to its right location Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: max3100: Fix bitwise types Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: max3100: Update uart_driver_registered on driver removal Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: max3100: Lock port->lock when calling uart_handle_cts_change() Arnd Bergmann <arnd(a)arndb.de> firmware: dmi-id: add a release callback function Chen Ni <nichen(a)iscas.ac.cn> dmaengine: idma64: Add check for dma_set_max_seg_size Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> soundwire: cadence: fix invalid PDI offset Namhyung Kim <namhyung(a)kernel.org> perf annotate: Get rid of duplicate --group option item Martin Liška <mliska(a)suse.cz> perf annotate: Add --demangle and --demangle-kernel Chao Yu <chao(a)kernel.org> f2fs: fix to wait on page writeback in __clone_blkaddrs() Rui Miguel Silva <rmfrfs(a)gmail.com> greybus: lights: check return of get_channel_from_mode Arnaldo Carvalho de Melo <acme(a)redhat.com> perf probe: Add missing libgen.h header needed for using basename() Ian Rogers <irogers(a)google.com> perf record: Delete session after stopping sideband thread Arnaldo Carvalho de Melo <acme(a)redhat.com> perf evlist: Use the right prefix for 'struct evlist' sideband thread methods Vitalii Bursov <vitaly(a)bursov.com> sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level Eric Dumazet <edumazet(a)google.com> af_packet: do not call packet_read_pending() from tpacket_destruct_skb() Eric Dumazet <edumazet(a)google.com> netrom: fix possible dead-lock in nr_rt_ioctl() Chris Lew <quic_clew(a)quicinc.com> net: qrtr: ns: Fix module refcnt Qinglang Miao <miaoqinglang(a)huawei.com> net: qrtr: fix null-ptr-deref in qrtr_ns_remove Leon Romanovsky <leon(a)kernel.org> RDMA/IPoIB: Fix format truncation compilation errors Edward Liaw <edliaw(a)google.com> selftests/kcmp: remove unused open mode Gautam Menghani <gautammenghani201(a)gmail.com> selftests/kcmp: Make the test output consistent and clear Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Fix gss_free_in_token_pages() Dan Carpenter <dan.carpenter(a)linaro.org> ext4: fix potential unnitialized variable Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: remove unused parameter from ext4_mb_new_blocks_simple() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: try all groups in ext4_mb_new_blocks_simple Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: fix unit mismatch in ext4_mb_new_blocks_simple Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple Aleksandr Aprelkov <aaprelkov(a)usergate.com> sunrpc: removed redundant procp check Jan Kara <jack(a)suse.cz> ext4: avoid excessive credit estimate in ext4_tmpfile() Adrian Hunter <adrian.hunter(a)intel.com> x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map Marc Gonzalez <mgonzalez(a)freebox.fr> clk: qcom: mmcc-msm8998: fix venus clock issue Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Modify the print level of CQE error Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Use complete parentheses in macros Zhengchao Shao <shaozhengchao(a)huawei.com> RDMA/hns: Fix return value in hns_roce_map_mr_sg Wenpeng Liang <liangwenpeng(a)huawei.com> RDMA/hns: Fix incorrect symbol types Yangyang Li <liyangyang20(a)huawei.com> RDMA/hns: Create QP with selected QPN for bank load balance Xi Wang <wangxi11(a)huawei.com> RDMA/hns: Refactor the hns_roce_buf allocation flow Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/mipi-dsi: use correct return type for the DSC functions Marek Vasut <marex(a)denx.de> drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector Nícolas F. R. A. Prado <nfraprado(a)collabora.com> drm/bridge: tc358775: Don't log an error when DSI host can't be found Nícolas F. R. A. Prado <nfraprado(a)collabora.com> drm/bridge: lt9611: Don't log an error when DSI host can't be found Steven Rostedt <rostedt(a)goodmis.org> ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value Aleksandr Mishin <amishin(a)t-argos.ru> drm: vc4: Fix possible null pointer dereference Huai-Yuan Liu <qq810974084(a)gmail.com> drm/arm/malidp: fix a possible null pointer dereference Zhipeng Lu <alexious(a)zju.edu.cn> media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries Randy Dunlap <rdunlap(a)infradead.org> fbdev: sh7760fb: allow modular build Aleksandr Mishin <amishin(a)t-argos.ru> drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference Ricardo Ribalda <ribalda(a)chromium.org> media: radio-shark2: Avoid led_names truncations Aleksandr Burakov <a.burakov(a)rosalinux.ru> media: ngene: Add dvb_ca_en50221_init return value check Arnd Bergmann <arnd(a)arndb.de> fbdev: sisfb: hide unused variables Arnd Bergmann <arnd(a)arndb.de> powerpc/fsl-soc: hide unused const variable Justin Green <greenjustin(a)chromium.org> drm/mediatek: Add 0 size check to mtk_drm_gem_obj Christian Hewitt <christianshewitt(a)gmail.com> drm/meson: vclk: fix calculation of 59.94 fractional rates Arnd Bergmann <arnd(a)arndb.de> fbdev: shmobile: fix snprintf truncation Maxim Korotkov <korotkov.maxim.s(a)gmail.com> mtd: rawnand: hynix: fixed typo Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: Disable route checks for Skylake boards Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: soc-acpi: add helper to identify parent driver. Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix potential index out of bounds in color transformation function Akiva Goldberger <agoldberger(a)nvidia.com> net/mlx5: Discard command completions in internal error Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: fix invalid unregister error path Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: fix incorrect unregister order Hangbin Liu <liuhangbin(a)gmail.com> ipv6: sr: add missing seg6_local_exit Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix overwriting ct original tuple for ICMPv6 Eric Dumazet <edumazet(a)google.com> net: usb: smsc95xx: stop lying about skb->truesize Breno Leitao <leitao(a)debian.org> af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Locking fixes Jakub Kicinski <kuba(a)kernel.org> eth: sungem: remove .ndo_poll_controller to avoid deadlocks gaoxingwang <gaoxingwang1(a)huawei.com> net: ipv6: fix wrong start position when receive hop-by-hop fragment Finn Thain <fthain(a)linux-m68k.org> m68k: mac: Fix reboot hang on Mac IIci Michael Schmitz <schmitzmic(a)gmail.com> m68k: Fix spinlock race in kernel thread creation Eric Dumazet <edumazet(a)google.com> net: usb: sr9700: stop lying about skb->truesize Eric Dumazet <edumazet(a)google.com> usb: aqc111: stop lying about skb->truesize Dan Carpenter <dan.carpenter(a)linaro.org> wifi: mwl8k: initialize cmd->addr[] properly Bui Quang Minh <minhquangbui99(a)gmail.com> scsi: qedf: Ensure the copied buf is NUL terminated Bui Quang Minh <minhquangbui99(a)gmail.com> scsi: bfa: Ensure the copied buf is NUL terminated Chen Ni <nichen(a)iscas.ac.cn> HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors John Hubbard <jhubbard(a)nvidia.com> selftests/binderfs: use the Makefile's rules, not Make's implicit rules Guenter Roeck <linux(a)roeck-us.net> Revert "sh: Handle calling csum_partial with misaligned data" Geert Uytterhoeven <geert+renesas(a)glider.be> sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: ar5523: enable proper endpoint verification Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> wifi: carl9170: add a proper sanity check for endpoints Finn Thain <fthain(a)linux-m68k.org> macintosh/via-macii: Fix "BUG: sleeping function called from invalid context" Eric Dumazet <edumazet(a)google.com> net: give more chances to rcu in netdev_wait_allrefs_any() Eric Dumazet <edumazet(a)google.com> tcp: avoid premature drops in tcp_add_backlog() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> wifi: ath10k: populate board data for WCN3990 Su Hui <suhui(a)nfschina.com> wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger() Ard Biesheuvel <ardb(a)kernel.org> x86/purgatory: Switch to the position-independent small code model Yuri Karpov <YKarpov(a)ispras.ru> scsi: hpsa: Fix allocation size for Scsi_Host private data Xingui Yang <yangxingui(a)huawei.com> scsi: libsas: Fix the failure of adding phy with zero-address to port Gabriel Krisman Bertazi <krisman(a)suse.de> udp: Avoid call to compute_score on multiple sites Lorenz Bauer <lmb(a)isovalent.com> net: remove duplicate reuseport_lookup functions Lorenz Bauer <lmb(a)isovalent.com> net: export inet_lookup_reuseport and inet6_lookup_reuseport Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: exit() callback is optional Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Rearrange locking in cpufreq_remove_dev() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Split cpufreq_offline() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reorganize checks in cpufreq_offline() Geliang Tang <tanggeliang(a)kylinos.cn> selftests/bpf: Fix umount cgroup2 error in test_sockmap Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix "ignore unlock failures after withdraw" Arnd Bergmann <arnd(a)arndb.de> ACPI: disable -Wstringop-truncation Zenghui Yu <yuzenghui(a)huawei.com> irqchip/loongson-pch-msi: Fix off-by-one on allocation error path Zenghui Yu <yuzenghui(a)huawei.com> irqchip/alpine-msi: Fix off-by-one in allocation error path Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: core: Perform read back after disabling interrupts Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing CGC enable Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing unipro mode Abel Vesa <abel.vesa(a)linaro.org> scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5 Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0 Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US Ziqi Chen <ziqichen(a)codeaurora.org> scsi: ufs-qcom: Fix ufs RST_n spec violation Andrew Halaney <ahalaney(a)redhat.com> scsi: ufs: qcom: Perform read back after writing reset bit Arnd Bergmann <arnd(a)arndb.de> qed: avoid truncating work queue length Guixiong Wei <weiguixiong(a)bytedance.com> x86/boot: Ignore relocations in .notes sections in walk_relocs() too Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath10k: poll service ready message before failing Yu Kuai <yukuai3(a)huawei.com> md: fix resync softlockup when bitmap size is less than array size Zhu Yanjun <yanjun.zhu(a)linux.dev> null_blk: Fix missing mutex_destroy() at module removal Chun-Kuang Hu <chunkuang.hu(a)kernel.org> soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE Ilya Denisyev <dev(a)elkcl.ru> jffs2: prevent xattr node from overflowing the eraseblock Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: fix tracepoint subchannel type field Eric Biggers <ebiggers(a)google.com> crypto: x86/sha256-avx2 - add missing vzeroupper Eric Biggers <ebiggers(a)google.com> crypto: x86/nh-avx2 - add missing vzeroupper Arnd Bergmann <arnd(a)arndb.de> crypto: ccp - drop platform ifdef checks Al Viro <viro(a)zeniv.linux.org.uk> parisc: add missing export of __cmpxchg_u8() Arnd Bergmann <arnd(a)arndb.de> nilfs2: fix out-of-range warning Brian Kubisiak <brian(a)kubisiak.com> ecryptfs: Fix buffer size for tag 66 packet Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> firmware: raspberrypi: Use correct device for DMA mappings Aleksandr Mishin <amishin(a)t-argos.ru> crypto: bcm - Fix pointer arithmetic Eric Sandeen <sandeen(a)redhat.com> openpromfs: finish conversion to the new mount API Nilay Shroff <nilay(a)linux.ibm.com> nvme: find numa distance only if controller has valid numa id Lancelot SIX <lancelot.six(a)amd.com> drm/amdkfd: Flush the process wq before creating a kfd_process Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: da7219-aad: fix usage of device_get_named_child_node() Jack Yu <jack.yu(a)realtek.com> ASoC: rt715: add vendor clear control register Krzysztof Kozlowski <krzk(a)kernel.org> regulator: vqmmc-ipq4019: fix module autoloading Derek Fang <derek.fang(a)realtek.com> ASoC: dt-bindings: rt5645: add cbj sleeve gpio property Derek Fang <derek.fang(a)realtek.com> ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating Joshua Ashton <joshua(a)froggi.es> drm/amd/display: Set color_mgmt_changed to true on unsuspend Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: add Telit FN920C04 compositions Igor Artemiev <Igor.A.Artemiev(a)mcst.ru> wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class Takashi Iwai <tiwai(a)suse.de> ALSA: core: Fix NULL module pointer assignment at card init Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential hang in nilfs_detach_log_writer() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix unexpected freezing of nilfs_segctor_sync() Thorsten Blum <thorsten.blum(a)toblux.com> net: smc91x: Fix m68k kernel compilation for ColdFire CPU Petr Pavlu <petr.pavlu(a)suse.com> ring-buffer: Fix a race between readers and resize checks Ken Milmore <ken.milmore(a)gmail.com> r8169: Fix possible ring buffer corruption on fragmented Tx packets. Dan Carpenter <dan.carpenter(a)linaro.org> speakup: Fix sizeof() vs ARRAY_SIZE() bug Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Daniel J Blueman <daniel(a)quora.org> x86/tsc: Trust initial offset in architectural TSC-adjust MSRs ------------- Diffstat: Documentation/devicetree/bindings/sound/rt5645.txt | 6 + Documentation/driver-api/fpga/fpga-bridge.rst | 10 +- Documentation/driver-api/fpga/fpga-mgr.rst | 12 +- Documentation/driver-api/fpga/fpga-programming.rst | 8 +- Documentation/driver-api/fpga/fpga-region.rst | 35 ++- Documentation/filesystems/f2fs.rst | 36 +++ Makefile | 4 +- arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 2 +- arch/arm64/boot/dts/nvidia/tegra132-norrin.dts | 4 +- arch/arm64/boot/dts/nvidia/tegra132.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcs404-evb.dtsi | 2 +- arch/arm64/include/asm/asm-bug.h | 1 + arch/arm64/kvm/guest.c | 1 + arch/m68k/kernel/entry.S | 4 +- arch/m68k/mac/misc.c | 36 +-- arch/microblaze/kernel/Makefile | 1 - arch/microblaze/kernel/cpu/cpuinfo-static.c | 2 +- arch/parisc/kernel/parisc_ksyms.c | 1 + arch/powerpc/include/asm/hvcall.h | 2 +- arch/powerpc/include/asm/uaccess.h | 55 ++++ arch/powerpc/platforms/pseries/lpar.c | 6 +- arch/powerpc/platforms/pseries/lparcfg.c | 6 +- arch/powerpc/sysdev/fsl_msi.c | 2 + arch/riscv/include/asm/stacktrace.h | 17 ++ arch/riscv/kernel/entry.S | 3 +- arch/riscv/kernel/perf_callchain.c | 10 +- arch/riscv/kernel/stacktrace.c | 36 ++- arch/s390/kernel/ipl.c | 10 +- arch/sh/kernel/kprobes.c | 7 +- arch/sh/lib/checksum.S | 67 ++--- arch/sparc/include/asm/smp_64.h | 2 - arch/sparc/include/uapi/asm/termbits.h | 10 - arch/sparc/include/uapi/asm/termios.h | 9 + arch/sparc/kernel/prom_64.c | 4 +- arch/sparc/kernel/setup_64.c | 1 - arch/sparc/kernel/smp_64.c | 14 - arch/um/drivers/line.c | 14 +- arch/um/drivers/ubd_kern.c | 4 +- arch/um/drivers/vector_kern.c | 2 +- arch/um/include/asm/mmu.h | 2 - arch/um/include/shared/skas/mm_id.h | 2 + arch/x86/Kconfig.debug | 5 +- arch/x86/crypto/nh-avx2-x86_64.S | 1 + arch/x86/crypto/sha256-avx2-asm.S | 1 + arch/x86/entry/vsyscall/vsyscall_64.c | 28 +- arch/x86/include/asm/processor.h | 1 - arch/x86/kernel/apic/vector.c | 9 +- arch/x86/kernel/tsc_sync.c | 6 +- arch/x86/lib/x86-opcode-map.txt | 2 +- arch/x86/mm/fault.c | 27 +- arch/x86/purgatory/Makefile | 3 +- arch/x86/tools/relocs.c | 9 + crypto/ecrdsa.c | 1 + drivers/accessibility/speakup/main.c | 2 +- drivers/acpi/acpica/Makefile | 1 + drivers/acpi/resource.c | 12 + drivers/android/binder.c | 4 +- drivers/ata/pata_legacy.c | 8 +- drivers/block/null_blk/main.c | 3 + drivers/char/ppdev.c | 21 +- drivers/clk/qcom/mmcc-msm8998.c | 8 + drivers/cpufreq/cpufreq.c | 85 +++--- drivers/crypto/bcm/spu2.c | 2 +- drivers/crypto/ccp/sp-platform.c | 14 +- drivers/crypto/qat/qat_common/adf_aer.c | 19 +- drivers/dma-buf/sync_debug.c | 4 +- drivers/dma/idma64.c | 4 +- drivers/extcon/Kconfig | 3 +- drivers/firmware/dmi-id.c | 7 +- drivers/firmware/raspberrypi.c | 7 +- drivers/fpga/dfl-fme-region.c | 17 +- drivers/fpga/dfl.c | 12 +- drivers/fpga/fpga-region.c | 145 +++++----- drivers/fpga/of-fpga-region.c | 10 +- drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 3 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 8 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 + drivers/gpu/drm/arm/malidp_mw.c | 5 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 + drivers/gpu/drm/bridge/lontium-lt9611.c | 6 +- drivers/gpu/drm/bridge/tc358775.c | 27 +- drivers/gpu/drm/drm_mipi_dsi.c | 6 +- drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 + drivers/gpu/drm/meson/meson_vclk.c | 6 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 3 - drivers/gpu/drm/panel/panel-simple.c | 3 + drivers/gpu/drm/vc4/vc4_hdmi.c | 2 + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 5 + drivers/hwmon/shtc1.c | 2 +- drivers/hwtracing/intel_th/pci.c | 5 + drivers/hwtracing/stm/core.c | 11 +- drivers/iio/pressure/dps310.c | 11 +- drivers/infiniband/hw/hns/hns_roce_alloc.c | 128 +++++---- drivers/infiniband/hw/hns/hns_roce_cmd.c | 10 +- drivers/infiniband/hw/hns/hns_roce_cmd.h | 2 +- drivers/infiniband/hw/hns/hns_roce_common.h | 14 +- drivers/infiniband/hw/hns/hns_roce_db.c | 8 +- drivers/infiniband/hw/hns/hns_roce_device.h | 115 ++++---- drivers/infiniband/hw/hns/hns_roce_hem.h | 12 +- drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 8 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 35 +-- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_mr.c | 65 ++--- drivers/infiniband/hw/hns/hns_roce_qp.c | 129 +++++++-- drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/misc/pm8xxx-vibrator.c | 7 +- drivers/input/serio/ioc3kbd.c | 13 +- drivers/irqchip/irq-alpine-msi.c | 2 +- drivers/irqchip/irq-loongson-pch-msi.c | 2 +- drivers/macintosh/via-macii.c | 11 +- drivers/md/md-bitmap.c | 6 +- drivers/md/raid5.c | 15 +- drivers/media/cec/core/cec-adap.c | 291 +++++++++++++-------- drivers/media/cec/core/cec-api.c | 31 +-- drivers/media/cec/core/cec-core.c | 7 +- drivers/media/cec/core/cec-pin-priv.h | 11 + drivers/media/cec/core/cec-pin.c | 23 +- drivers/media/cec/core/cec-priv.h | 10 + drivers/media/dvb-frontends/lgdt3306a.c | 5 + drivers/media/dvb-frontends/mxl5xx.c | 22 +- drivers/media/mc/mc-devnode.c | 5 +- drivers/media/pci/ngene/ngene-core.c | 4 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/usb/b2c2/flexcop-usb.c | 12 +- drivers/media/usb/stk1160/stk1160-video.c | 20 +- drivers/media/v4l2-core/v4l2-dev.c | 3 + drivers/mmc/core/host.c | 3 +- drivers/mmc/core/slot-gpio.c | 20 ++ drivers/mmc/host/sdhci-acpi.c | 48 +++- drivers/mmc/host/sdhci_am654.c | 205 ++++++++++----- drivers/mtd/nand/raw/nand_hynix.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 12 + drivers/net/ethernet/cortina/gemini.c | 12 +- drivers/net/ethernet/freescale/fec_main.c | 10 + drivers/net/ethernet/freescale/fec_ptp.c | 14 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 3 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- drivers/net/ethernet/qlogic/qed/qed_main.c | 9 +- drivers/net/ethernet/realtek/r8169_main.c | 3 +- drivers/net/ethernet/smsc/smc91x.h | 4 +- drivers/net/ethernet/sun/sungem.c | 14 - drivers/net/ipvlan/ipvlan_core.c | 4 +- drivers/net/usb/aqc111.c | 8 +- drivers/net/usb/qmi_wwan.c | 3 + drivers/net/usb/smsc95xx.c | 26 +- drivers/net/usb/sr9700.c | 10 +- drivers/net/vxlan/vxlan_core.c | 4 - drivers/net/wireless/ath/ar5523/ar5523.c | 14 + drivers/net/wireless/ath/ath10k/core.c | 3 + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- drivers/net/wireless/ath/ath10k/hw.h | 1 + drivers/net/wireless/ath/ath10k/targaddrs.h | 3 + drivers/net/wireless/ath/ath10k/wmi.c | 26 +- drivers/net/wireless/ath/carl9170/usb.c | 32 +++ drivers/net/wireless/marvell/mwl8k.c | 2 +- .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 26 +- .../net/wireless/realtek/rtlwifi/rtl8192de/trx.c | 21 +- .../net/wireless/realtek/rtlwifi/rtl8192de/trx.h | 79 ++---- drivers/nvme/host/multipath.c | 3 +- drivers/nvme/target/configfs.c | 8 + drivers/pci/pcie/edr.c | 28 +- drivers/regulator/bd71828-regulator.c | 58 +--- drivers/regulator/vqmmc-ipq4019-regulator.c | 1 + drivers/s390/cio/trace.h | 2 +- drivers/s390/crypto/ap_bus.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 4 +- drivers/scsi/hpsa.c | 2 +- drivers/scsi/libsas/sas_expander.c | 3 +- drivers/scsi/qedf/qedf_debugfs.c | 2 +- drivers/scsi/qla2xxx/qla_init.c | 8 +- drivers/scsi/qla2xxx/qla_mr.c | 20 +- drivers/scsi/ufs/cdns-pltfrm.c | 2 +- drivers/scsi/ufs/ufs-qcom.c | 31 ++- drivers/scsi/ufs/ufs-qcom.h | 21 +- drivers/scsi/ufs/ufshcd.c | 4 +- drivers/soc/mediatek/mtk-cmdq-helper.c | 5 +- drivers/soundwire/cadence_master.c | 2 +- drivers/spi/spi-stm32.c | 2 +- drivers/spi/spi.c | 4 + drivers/staging/greybus/arche-apb-ctrl.c | 1 + drivers/staging/greybus/arche-platform.c | 9 +- drivers/staging/greybus/light.c | 8 +- drivers/staging/media/atomisp/pci/sh_css.c | 1 + drivers/tty/n_gsm.c | 8 +- drivers/tty/serial/max3100.c | 22 +- drivers/tty/serial/sc16is7xx.c | 2 +- drivers/tty/serial/sh-sci.c | 5 + drivers/usb/gadget/function/u_audio.c | 2 + drivers/video/fbdev/Kconfig | 4 +- drivers/video/fbdev/savage/savagefb_driver.c | 5 +- drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +- drivers/video/fbdev/sis/init301.c | 3 +- drivers/virtio/virtio_pci_common.c | 4 +- drivers/watchdog/rti_wdt.c | 34 ++- fs/afs/mntpt.c | 5 + fs/ecryptfs/keystore.c | 4 +- fs/ext4/mballoc.c | 134 +++++----- fs/ext4/namei.c | 2 +- fs/ext4/xattr.c | 4 +- fs/f2fs/checkpoint.c | 4 +- fs/f2fs/compress.c | 91 +++---- fs/f2fs/data.c | 10 +- fs/f2fs/extent_cache.c | 4 +- fs/f2fs/f2fs.h | 52 +++- fs/f2fs/file.c | 86 ++++-- fs/f2fs/inode.c | 9 + fs/f2fs/namei.c | 2 +- fs/f2fs/node.c | 2 +- fs/f2fs/segment.c | 4 +- fs/f2fs/super.c | 32 +++ fs/gfs2/glock.c | 4 +- fs/gfs2/util.c | 1 - fs/jffs2/xattr.c | 3 + fs/nfs/internal.h | 4 +- fs/nfs/nfs4proc.c | 2 +- fs/nilfs2/ioctl.c | 2 +- fs/nilfs2/segment.c | 63 ++++- fs/openpromfs/inode.c | 8 +- fs/overlayfs/dir.c | 3 - include/drm/drm_mipi_dsi.h | 6 +- include/linux/f2fs_fs.h | 3 +- include/linux/fpga/fpga-region.h | 43 ++- include/linux/mmc/slot-gpio.h | 1 + include/linux/moduleparam.h | 2 + include/media/cec.h | 26 +- include/media/v4l2-h264.h | 6 +- include/media/v4l2-jpeg.h | 2 + include/net/dst_ops.h | 2 +- include/net/inet6_hashtables.h | 16 ++ include/net/inet_hashtables.h | 18 +- include/net/netfilter/nf_tables.h | 2 + include/net/sock.h | 13 +- include/sound/soc-acpi.h | 6 + include/trace/events/asoc.h | 2 + include/uapi/linux/cec.h | 3 +- include/uapi/linux/v4l2-subdev.h | 12 +- include/uapi/linux/videodev2.h | 15 +- io_uring/io_uring.c | 2 + kernel/bpf/verifier.c | 10 +- kernel/cgroup/cpuset.c | 2 +- kernel/debug/kdb/kdb_io.c | 99 ++++--- kernel/irq/cpuhotplug.c | 16 +- kernel/params.c | 18 ++ kernel/sched/topology.c | 2 +- kernel/trace/ring_buffer.c | 9 + net/9p/client.c | 2 + net/core/dev.c | 3 +- net/ipv4/inet_hashtables.c | 29 +- net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 + net/ipv4/route.c | 22 +- net/ipv4/tcp_dctcp.c | 13 +- net/ipv4/tcp_ipv4.c | 13 +- net/ipv4/udp.c | 55 ++-- net/ipv6/inet6_hashtables.c | 27 +- net/ipv6/reassembly.c | 2 +- net/ipv6/route.c | 34 +-- net/ipv6/seg6.c | 5 +- net/ipv6/seg6_hmac.c | 42 ++- net/ipv6/udp.c | 61 +++-- net/netfilter/nf_tables_api.c | 22 +- net/netfilter/nfnetlink_queue.c | 2 + net/netfilter/nft_payload.c | 23 +- net/netfilter/nft_tunnel.c | 1 + net/netrom/nr_route.c | 19 +- net/nfc/nci/core.c | 17 +- net/openvswitch/actions.c | 6 + net/openvswitch/flow.c | 3 +- net/packet/af_packet.c | 3 +- net/qrtr/af_qrtr.c | 16 +- net/qrtr/ns.c | 34 ++- net/qrtr/qrtr.h | 2 +- net/sunrpc/auth_gss/svcauth_gss.c | 12 +- net/sunrpc/clnt.c | 1 + net/sunrpc/svc.c | 2 - net/sunrpc/xprtrdma/verbs.c | 6 +- net/sunrpc/xprtsock.c | 18 -- net/tls/tls_main.c | 10 +- net/unix/af_unix.c | 2 +- net/wireless/trace.h | 4 +- net/xfrm/xfrm_policy.c | 11 +- scripts/kconfig/symbol.c | 6 +- sound/core/init.c | 2 +- sound/core/timer.c | 10 + sound/soc/codecs/da7219-aad.c | 6 +- sound/soc/codecs/rt5645.c | 25 ++ sound/soc/codecs/rt715-sdw.c | 1 + sound/soc/codecs/tas2552.c | 15 +- sound/soc/intel/boards/bxt_da7219_max98357a.c | 1 + sound/soc/intel/boards/bxt_rt298.c | 1 + sound/soc/intel/boards/glk_rt5682_max98357a.c | 2 + sound/soc/intel/boards/kbl_da7219_max98357a.c | 1 + sound/soc/intel/boards/kbl_da7219_max98927.c | 4 + sound/soc/intel/boards/kbl_rt5660.c | 1 + sound/soc/intel/boards/kbl_rt5663_max98927.c | 2 + .../soc/intel/boards/kbl_rt5663_rt5514_max98927.c | 1 + sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 + sound/soc/intel/boards/skl_nau88l25_max98357a.c | 1 + sound/soc/intel/boards/skl_rt286.c | 1 + tools/arch/x86/lib/x86-opcode-map.txt | 2 +- tools/bpf/resolve_btfids/main.c | 2 +- tools/lib/subcmd/parse-options.c | 8 +- tools/perf/Documentation/perf-annotate.txt | 7 + tools/perf/bench/inject-buildid.c | 2 +- tools/perf/builtin-annotate.c | 6 +- tools/perf/builtin-record.c | 8 +- tools/perf/builtin-report.c | 2 +- tools/perf/builtin-top.c | 4 +- tools/perf/ui/browser.c | 26 +- tools/perf/ui/browser.h | 2 +- tools/perf/ui/browsers/annotate.c | 2 +- tools/perf/ui/setup.c | 5 +- tools/perf/ui/tui/helpline.c | 5 +- tools/perf/ui/tui/progress.c | 8 +- tools/perf/ui/tui/setup.c | 12 +- tools/perf/ui/tui/util.c | 18 +- tools/perf/ui/ui.h | 4 +- tools/perf/util/bpf-event.c | 2 +- tools/perf/util/evlist.h | 11 +- .../perf/util/intel-pt-decoder/intel-pt-decoder.c | 2 + tools/perf/util/intel-pt.c | 2 + tools/perf/util/probe-event.c | 1 + tools/perf/util/sideband_evlist.c | 8 +- tools/perf/util/stat-display.c | 3 + tools/testing/selftests/bpf/test_sockmap.c | 2 +- .../selftests/filesystems/binderfs/Makefile | 2 - tools/testing/selftests/kcmp/kcmp_test.c | 8 +- 328 files changed, 2834 insertions(+), 1844 deletions(-)

10 months

11
335
0 0

FAILED: patch "[PATCH] media: uvcvideo: Fix integer overflow calculating timestamp" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024072959-overpass-sapling-797e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 8676a5e796fa ("media: uvcvideo: Fix integer overflow calculating timestamp") 9e56380ae625 ("media: uvcvideo: Rename debug functions") ed4c5fa4d804 ("media: uvcvideo: use dev_printk() for uvc_trace()") 59e92bf62771 ("media: uvcvideo: New macro uvc_trace_cont") 69df09547e7a ("media: uvcvideo: Use dev_ printk aliases") 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT") 351509c604dc ("media: uvcvideo: Move guid to entity") dc9455ffae02 ("media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values") b400b6f28af0 ("media: uvcvideo: Force UVC version to 1.0a for 1bcf:0b40") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda <ribalda(a)chromium.org> Date: Mon, 10 Jun 2024 19:17:49 +0000 Subject: [PATCH] media: uvcvideo: Fix integer overflow calculating timestamp The function uvc_video_clock_update() supports a single SOF overflow. Or in other words, the maximum difference between the first ant the last timestamp can be 4096 ticks or 4.096 seconds. This results in a maximum value for y2 of: 0x12FBECA00, that overflows 32bits. y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; Extend the size of y2 to u64 to support all its values. Without this patch: # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0 Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened. Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes. Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 Current frame rate: 1/5 Setting frame rate to: 1/5 Frame rate set: 1/5 8 buffers requested. length: 4147200 offset: 0 timestamp type/source: mono/SoE Buffer 0/0 mapped at address 0x7947ea94c000. length: 4147200 offset: 4149248 timestamp type/source: mono/SoE Buffer 1/0 mapped at address 0x7947ea557000. length: 4147200 offset: 8298496 timestamp type/source: mono/SoE Buffer 2/0 mapped at address 0x7947ea162000. length: 4147200 offset: 12447744 timestamp type/source: mono/SoE Buffer 3/0 mapped at address 0x7947e9d6d000. length: 4147200 offset: 16596992 timestamp type/source: mono/SoE Buffer 4/0 mapped at address 0x7947e9978000. length: 4147200 offset: 20746240 timestamp type/source: mono/SoE Buffer 5/0 mapped at address 0x7947e9583000. length: 4147200 offset: 24895488 timestamp type/source: mono/SoE Buffer 6/0 mapped at address 0x7947e918e000. length: 4147200 offset: 29044736 timestamp type/source: mono/SoE Buffer 7/0 mapped at address 0x7947e8d99000. 0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE 1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE 2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE 3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE 4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE 5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE 6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE 7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE 8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE 9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE 10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE 11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE 12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE 13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE 14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE 15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE 16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE 17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE 18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE 19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE 20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE 21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE 22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE 23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE 24 (0) [-] none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE 25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE 26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE 27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE 28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE 29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE 30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE 31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE 32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE 33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE 34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE 35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE Cc: stable(a)vger.kernel.org Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support") Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@c… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index aebcf9b25a16..4dfc1b86bdee 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -760,11 +760,11 @@ void uvc_video_clock_update(struct uvc_streaming *stream, unsigned long flags; u64 timestamp; u32 delta_stc; - u32 y1, y2; + u32 y1; u32 x1, x2; u32 mean; u32 sof; - u64 y; + u64 y, y2; if (!uvc_hw_timestamps_param) return; @@ -816,7 +816,7 @@ void uvc_video_clock_update(struct uvc_streaming *stream, sof = y; uvc_dbg(stream->dev, CLOCK, - "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n", + "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n", stream->dev->name, buf->pts, y >> 16, div_u64((y & 0xffff) * 1000000, 65536), sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), @@ -831,7 +831,7 @@ void uvc_video_clock_update(struct uvc_streaming *stream, goto done; y1 = NSEC_PER_SEC; - y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; /* * Interpolated and host SOF timestamps can wrap around at slightly @@ -852,7 +852,7 @@ void uvc_video_clock_update(struct uvc_streaming *stream, timestamp = ktime_to_ns(first->host_time) + y - y1; uvc_dbg(stream->dev, CLOCK, - "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n", + "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n", stream->dev->name, sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), y, timestamp, vbuf->vb2_buf.timestamp,

10 months

3
2
0 0

[PATCH v5] x86/entry_32: Use stack segment selector for VERW operand

by Pawan Gupta

Robert Gill reported below #GP when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Replace CLEAR_CPU_BUFFERS with a safer version that uses %ss to refer VERW operand mds_verw_sel. This ensures VERW will not #GP for an arbitrary user %ds. Also, in NMI return path, move VERW to after RESTORE_ALL_NMI that touches GPRs. For clarity, below are the locations where the new CLEAR_CPU_BUFFERS_SAFE version is being used: * entry_INT80_32(), entry_SYSENTER_32() and interrupts (via handle_exception_return) do: restore_all_switch_stack: [...] mov %esi,%esi verw %ss:0xc0fc92c0 <------------- iret * Opportunistic SYSEXIT: [...] verw %ss:0xc0fc92c0 <------------- btrl $0x9,(%esp) popf pop %eax sti sysexit * nmi_return and nmi_from_espfix: mov %esi,%esi verw %ss:0xc0fc92c0 <------------- jmp .Lirq_return Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Cc: stable(a)vger.kernel.org # 5.10+ Reported-by: Robert Gill <rtgill82(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> # Use %ss Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- v5: - Simplify the use of ALTERNATIVE construct (Uros/Jiri/Peter). v4: https://lore.kernel.org/r/20240710-fix-dosemu-vm86-v4-1-aa6464e1de6f@linux.… - Further simplify the patch by using %ss for all VERW calls in 32-bit mode (Brian). - In NMI exit path move VERW after RESTORE_ALL_NMI that touches GPRs (Dave). v3: https://lore.kernel.org/r/20240701-fix-dosemu-vm86-v3-1-b1969532c75a@linux.… - Simplify CLEAR_CPU_BUFFERS_SAFE by using %ss instead of %ds (Brian). - Do verw before popf in SYSEXIT path (Jari). v2: https://lore.kernel.org/r/20240627-fix-dosemu-vm86-v2-1-d5579f698e77@linux.… - Safe guard against any other system calls like vm86() that might change %ds (Dave). v1: https://lore.kernel.org/r/20240426-fix-dosemu-vm86-v1-1-88c826a3f378@linux.… --- --- arch/x86/entry/entry_32.S | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index d3a814efbff6..25c942149fb5 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -253,6 +253,14 @@ .Lend_\@: .endm +/* + * Safer version of CLEAR_CPU_BUFFERS that uses %ss to reference VERW operand + * mds_verw_sel. This ensures VERW will not #GP for an arbitrary user %ds. + */ +.macro CLEAR_CPU_BUFFERS_SAFE + ALTERNATIVE "", __stringify(verw %ss:_ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +.endm + .macro RESTORE_INT_REGS popl %ebx popl %ecx @@ -871,6 +879,8 @@ SYM_FUNC_START(entry_SYSENTER_32) /* Now ready to switch the cr3 */ SWITCH_TO_USER_CR3 scratch_reg=%eax + /* Clobbers ZF */ + CLEAR_CPU_BUFFERS_SAFE /* * Restore all flags except IF. (We restore IF separately because @@ -881,7 +891,6 @@ SYM_FUNC_START(entry_SYSENTER_32) BUG_IF_WRONG_CR3 no_user_check=1 popfl popl %eax - CLEAR_CPU_BUFFERS /* * Return back to the vDSO, which will pop ecx and edx. @@ -951,7 +960,7 @@ restore_all_switch_stack: /* Restore user state */ RESTORE_REGS pop=4 # skip orig_eax/error_code - CLEAR_CPU_BUFFERS + CLEAR_CPU_BUFFERS_SAFE .Lirq_return: /* * ARCH_HAS_MEMBARRIER_SYNC_CORE rely on IRET core serialization @@ -1144,7 +1153,6 @@ SYM_CODE_START(asm_exc_nmi) /* Not on SYSENTER stack. */ call exc_nmi - CLEAR_CPU_BUFFERS jmp .Lnmi_return .Lnmi_from_sysenter_stack: @@ -1165,6 +1173,7 @@ SYM_CODE_START(asm_exc_nmi) CHECK_AND_APPLY_ESPFIX RESTORE_ALL_NMI cr3_reg=%edi pop=4 + CLEAR_CPU_BUFFERS_SAFE jmp .Lirq_return #ifdef CONFIG_X86_ESPFIX32 @@ -1206,6 +1215,7 @@ SYM_CODE_START(asm_exc_nmi) * 1 - orig_ax */ lss (1+5+6)*4(%esp), %esp # back to espfix stack + CLEAR_CPU_BUFFERS_SAFE jmp .Lirq_return #endif SYM_CODE_END(asm_exc_nmi) --- base-commit: f2661062f16b2de5d7b6a5c42a9a5c96326b8454 change-id: 20240426-fix-dosemu-vm86-dd111a01737e

10 months, 1 week

2
2
0 0

[PATCH v2 0/5] soc: qcom: fix rpm_requests module probing

by Dmitry Baryshkov

The GLINK RPMSG channels get modalias based on the compatible string rather than the channel type, however the smd-rpm module uses rpmsg ID instead. Thus if the smd-rpm is built as a module, it doesn't get automatically loaded. Add generic compatible to such devices and fix module's ID table. Module loading worked before the commit bcabe1e09135 ("soc: qcom: smd-rpm: Match rpmsg channel instead of compatible"), because the driver listed all compatible strings, but the mentioned commit changed ID table. Revert the offending commit and add generic compatible strings instead. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- Changes in v2: - Separate fix from the improvements (Krzysztof - Split the qcom,glink-smd-rpm compat from the qcom,smd-rpm as they use different channels underneath. - Link to v1: https://lore.kernel.org/r/20240729-fix-smd-rpm-v1-0-99a96133cc65@linaro.org --- Dmitry Baryshkov (5): Revert "soc: qcom: smd-rpm: Match rpmsg channel instead of compatible" dt-bindings: soc: qcom: smd-rpm: add generic compatibles soc: qcom: smd-rpm: add qcom,smd-rpm compatible ARM: dts: qcom: add generic compat string to RPM glink channels arm64: dts: qcom: add generic compat string to RPM glink channels .../devicetree/bindings/clock/qcom,rpmcc.yaml | 2 +- .../bindings/remoteproc/qcom,glink-rpm-edge.yaml | 2 +- .../bindings/remoteproc/qcom,rpm-proc.yaml | 4 +- .../devicetree/bindings/soc/qcom/qcom,smd-rpm.yaml | 74 ++++++++++------------ .../devicetree/bindings/soc/qcom/qcom,smd.yaml | 2 +- arch/arm/boot/dts/qcom/qcom-apq8084.dtsi | 2 +- arch/arm/boot/dts/qcom/qcom-msm8226.dtsi | 2 +- arch/arm/boot/dts/qcom/qcom-msm8974.dtsi | 2 +- arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- arch/arm64/boot/dts/qcom/ipq9574.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8939.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8953.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8998.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcm2290.dtsi | 2 +- arch/arm64/boot/dts/qcom/qcs404.dtsi | 2 +- arch/arm64/boot/dts/qcom/sdm630.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6115.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6125.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6375.dtsi | 2 +- drivers/soc/qcom/smd-rpm.c | 41 +++++++++--- 24 files changed, 88 insertions(+), 73 deletions(-) --- base-commit: 668d33c9ff922c4590c58754ab064aaf53c387dd change-id: 20240729-fix-smd-rpm-9651e87a9bb0 Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

10 months, 1 week

3
3
0 0

[PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> On ilk/snb the pipe may be configured to place the LUT before or after the CSC depending on various factors, but as there is only one LUT (no split mode like on IVB+) we only advertise a gamma_lut and no degamma_lut in the uapi to avoid confusing userspace. This can cause a problem during readout if the VBIOS/GOP enabled the LUT in the pre CSC configuration. The current code blindly assigns the results of the readout to the degamma_lut, which will cause a failure during the next atomic_check() as we aren't expecting anything to be in degamma_lut since it's not visible to userspace. Fix the problem by assigning whatever LUT we read out from the hardware into gamma_lut. Cc: stable(a)vger.kernel.org Fixes: d2559299d339 ("drm/i915: Make ilk_read_luts() capable of degamma readout") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11608 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- .../drm/i915/display/intel_modeset_setup.c | 31 ++++++++++++++++--- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_modeset_setup.c b/drivers/gpu/drm/i915/display/intel_modeset_setup.c index 7602cb30ebf1..e1213f3d93cc 100644 --- a/drivers/gpu/drm/i915/display/intel_modeset_setup.c +++ b/drivers/gpu/drm/i915/display/intel_modeset_setup.c @@ -326,6 +326,8 @@ static void intel_modeset_update_connector_atomic_state(struct drm_i915_private static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state) { + struct drm_i915_private *i915 = to_i915(crtc_state->uapi.crtc->dev); + if (intel_crtc_is_joiner_secondary(crtc_state)) return; @@ -337,11 +339,30 @@ static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state crtc_state->uapi.adjusted_mode = crtc_state->hw.adjusted_mode; crtc_state->uapi.scaling_filter = crtc_state->hw.scaling_filter; - /* assume 1:1 mapping */ - drm_property_replace_blob(&crtc_state->hw.degamma_lut, - crtc_state->pre_csc_lut); - drm_property_replace_blob(&crtc_state->hw.gamma_lut, - crtc_state->post_csc_lut); + if (DISPLAY_INFO(i915)->color.degamma_lut_size) { + /* assume 1:1 mapping */ + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + crtc_state->pre_csc_lut); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut); + } else { + /* + * ilk/snb hw may be configured for either pre_csc_lut + * or post_csc_lut, but we don't advertise degamma_lut as + * being available in the uapi since there is only one + * hardware LUT. Always assign the result of the readout + * to gamma_lut as that is the only valid source of LUTs + * in the uapi. + */ + drm_WARN_ON(&i915->drm, crtc_state->post_csc_lut && + crtc_state->pre_csc_lut); + + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + NULL); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut ?: + crtc_state->pre_csc_lut); + } drm_property_replace_blob(&crtc_state->uapi.degamma_lut, crtc_state->hw.degamma_lut); -- 2.44.2

10 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] ata: libata-core: Fix null pointer dereference on error" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5d92c7c566dc76d96e0e19e481d926bbe6631c1e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024070108-cabana-swifter-f1c9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 5d92c7c566dc ("ata: libata-core: Fix null pointer dereference on error") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Sat, 29 Jun 2024 14:42:11 +0200 Subject: [PATCH] ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") Cc: stable(a)vger.kernel.org Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: John Garry <john.g.garry(a)oracle.com> Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index efb5195da60c..bdccf4ea251a 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5517,6 +5517,9 @@ static void ata_host_release(struct kref *kref) for (i = 0; i < host->n_ports; i++) { struct ata_port *ap = host->ports[i]; + if (!ap) + continue; + kfree(ap->pmp_link); kfree(ap->slave_link); kfree(ap->ncq_sense_buf);

10 months, 1 week

2
1
0 0

FAILED: patch "[PATCH] ata: libata-core: Fix null pointer dereference on error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 5d92c7c566dc76d96e0e19e481d926bbe6631c1e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024070107-underrate-unusable-ddb9@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 5d92c7c566dc ("ata: libata-core: Fix null pointer dereference on error") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Sat, 29 Jun 2024 14:42:11 +0200 Subject: [PATCH] ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle page fault for address: 0000000000003990 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? ata_host_release.cold+0x2f/0x6e [libata] ? ata_host_release.cold+0x2f/0x6e [libata] release_nodes+0x35/0xb0 devres_release_group+0x113/0x140 ata_host_alloc+0xed/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Do not access ata_port struct members unconditionally. Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") Cc: stable(a)vger.kernel.org Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: John Garry <john.g.garry(a)oracle.com> Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index efb5195da60c..bdccf4ea251a 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5517,6 +5517,9 @@ static void ata_host_release(struct kref *kref) for (i = 0; i < host->n_ports; i++) { struct ata_port *ap = host->ports[i]; + if (!ap) + continue; + kfree(ap->pmp_link); kfree(ap->slave_link); kfree(ap->ncq_sense_buf);

10 months, 1 week

2
1
0 0

[PATCH v3] mm: Fix race between __split_huge_pmd_locked() and GUP-fast

by Ryan Roberts

__split_huge_pmd_locked() can be called for a present THP, devmap or (non-present) migration entry. It calls pmdp_invalidate() unconditionally on the pmdp and only determines if it is present or not based on the returned old pmd. This is a problem for the migration entry case because pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a present pmd. On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future call to pmd_present() will return true. And therefore any lockless pgtable walker could see the migration entry pmd in this state and start interpretting the fields as if it were present, leading to BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. x86 does not suffer the above problem, but instead pmd_mkinvalid() will corrupt the offset field of the swap entry within the swap pte. See link below for discussion of that problem. Fix all of this by only calling pmdp_invalidate() for a present pmd. And for good measure let's add a warning to all implementations of pmdp_invalidate[_ad](). I've manually reviewed all other pmdp_invalidate[_ad]() call sites and believe all others to be conformant. This is a theoretical bug found during code review. I don't have any test case to trigger it in practice. Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> --- Right v3; this goes back to the original approach in v1 to fix core-mm rather than push the fix into arm64, since we discovered that x86 can't handle pmd_mkinvalid() being called for non-present pmds either. I'm pulling in more arch maintainers because this version adds some warnings in arch code to help spot incorrect usage. Although Catalin had already accepted v2 (fixing arm64) [2] into for-next/fixes, he's agreed to either remove or revert it. Changes since v1 [1] ==================== - Improve pmdp_mkinvalid() docs to make it clear it can only be called for present pmd (per JohnH, Zi Yan) - Added warnings to arch overrides of pmdp_invalidate[_ad]() (per Zi Yan) - Moved comment next to new location of pmpd_invalidate() (per Zi Yan) [1] https://lore.kernel.org/linux-mm/20240425170704.3379492-1-ryan.roberts@arm.… [2] https://lore.kernel.org/all/20240430133138.732088-1-ryan.roberts@arm.com/ Thanks, Ryan Documentation/mm/arch_pgtable_helpers.rst | 6 ++- arch/powerpc/mm/book3s64/pgtable.c | 1 + arch/s390/include/asm/pgtable.h | 4 +- arch/sparc/mm/tlb.c | 1 + arch/x86/mm/pgtable.c | 2 + mm/huge_memory.c | 49 ++++++++++++----------- mm/pgtable-generic.c | 2 + 7 files changed, 39 insertions(+), 26 deletions(-) diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst index 2466d3363af7..ad50ca6f495e 100644 --- a/Documentation/mm/arch_pgtable_helpers.rst +++ b/Documentation/mm/arch_pgtable_helpers.rst @@ -140,7 +140,8 @@ PMD Page Table Helpers +---------------------------+--------------------------------------------------+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | +---------------------------+--------------------------------------------------+ -| pmd_mkinvalid | Invalidates a mapped PMD [1] | +| pmd_mkinvalid | Invalidates a present PMD; do not call for | +| | non-present PMD [1] | +---------------------------+--------------------------------------------------+ | pmd_set_huge | Creates a PMD huge mapping | +---------------------------+--------------------------------------------------+ @@ -196,7 +197,8 @@ PUD Page Table Helpers +---------------------------+--------------------------------------------------+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | +---------------------------+--------------------------------------------------+ -| pud_mkinvalid | Invalidates a mapped PUD [1] | +| pud_mkinvalid | Invalidates a present PUD; do not call for | +| | non-present PUD [1] | +---------------------------+--------------------------------------------------+ | pud_set_huge | Creates a PUD huge mapping | +---------------------------+--------------------------------------------------+ diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c index 83823db3488b..2975ea0841ba 100644 --- a/arch/powerpc/mm/book3s64/pgtable.c +++ b/arch/powerpc/mm/book3s64/pgtable.c @@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { unsigned long old_pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return __pmd(old_pmd); diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h index 60950e7a25f5..480bea44559d 100644 --- a/arch/s390/include/asm/pgtable.h +++ b/arch/s390/include/asm/pgtable.h @@ -1768,8 +1768,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmdp) { - pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + pmd_t pmd; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); } diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c index b44d79d778c7..ef69127d7e5e 100644 --- a/arch/sparc/mm/tlb.c +++ b/arch/sparc/mm/tlb.c @@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, { pmd_t old, entry; + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); old = pmdp_establish(vma, address, pmdp, entry); flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index d007591b8059..103cbccf1d7d 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + /* * No flush is necessary. Once an invalid PTE is established, the PTE's * access and dirty bits cannot be updated. diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 89f58c7603b2..dd1fc105f70b 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2493,32 +2493,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, return __split_huge_zero_page_pmd(vma, haddr, pmd); } - /* - * Up to this point the pmd is present and huge and userland has the - * whole access to the hugepage during the split (which happens in - * place). If we overwrite the pmd with the not-huge version pointing - * to the pte here (which of course we could if all CPUs were bug - * free), userland could trigger a small page size TLB miss on the - * small sized TLB while the hugepage TLB entry is still established in - * the huge TLB. Some CPU doesn't like that. - * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum - * 383 on page 105. Intel should be safe but is also warns that it's - * only safe if the permission and cache attributes of the two entries - * loaded in the two TLB is identical (which should be the case here). - * But it is generally safer to never allow small and huge TLB entries - * for the same virtual address to be loaded simultaneously. So instead - * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the - * current pmd notpresent (atomically because here the pmd_trans_huge - * must remain set at all times on the pmd until the split is complete - * for this pmd), then we flush the SMP TLB and finally we write the - * non-huge version of the pmd entry with pmd_populate. - */ - old_pmd = pmdp_invalidate(vma, haddr, pmd); - - pmd_migration = is_pmd_migration_entry(old_pmd); + pmd_migration = is_pmd_migration_entry(*pmd); if (unlikely(pmd_migration)) { swp_entry_t entry; + old_pmd = *pmd; entry = pmd_to_swp_entry(old_pmd); page = pfn_swap_entry_to_page(entry); write = is_writable_migration_entry(entry); @@ -2529,6 +2508,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, soft_dirty = pmd_swp_soft_dirty(old_pmd); uffd_wp = pmd_swp_uffd_wp(old_pmd); } else { + /* + * Up to this point the pmd is present and huge and userland has + * the whole access to the hugepage during the split (which + * happens in place). If we overwrite the pmd with the not-huge + * version pointing to the pte here (which of course we could if + * all CPUs were bug free), userland could trigger a small page + * size TLB miss on the small sized TLB while the hugepage TLB + * entry is still established in the huge TLB. Some CPU doesn't + * like that. See + * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum + * 383 on page 105. Intel should be safe but is also warns that + * it's only safe if the permission and cache attributes of the + * two entries loaded in the two TLB is identical (which should + * be the case here). But it is generally safer to never allow + * small and huge TLB entries for the same virtual address to be + * loaded simultaneously. So instead of doing "pmd_populate(); + * flush_pmd_tlb_range();" we first mark the current pmd + * notpresent (atomically because here the pmd_trans_huge must + * remain set at all times on the pmd until the split is + * complete for this pmd), then we flush the SMP TLB and finally + * we write the non-huge version of the pmd entry with + * pmd_populate. + */ + old_pmd = pmdp_invalidate(vma, haddr, pmd); page = pmd_page(old_pmd); folio = page_folio(page); if (pmd_dirty(old_pmd)) { diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..a78a4adf711a 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); return old; @@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, pmd_t *pmdp) { + VM_WARN_ON_ONCE(!pmd_present(*pmdp)); return pmdp_invalidate(vma, address, pmdp); } #endif -- 2.25.1

10 months, 1 week

5
8
0 0

[PATCH 1/1] nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM173X

by Saeed Mirzamohammadi

This adds a quirk to fix the Samsung PM1733a and PM173X reporting bogus eui64 so they are not marked as "non globally unique" duplicates. Cc: <stable(a)vger.kernel.org> Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- drivers/nvme/host/pci.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index 5b95c94ee40f2..c0b1caba1c893 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -3359,6 +3359,10 @@ static const struct pci_device_id nvme_id_table[] = { .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY | NVME_QUIRK_DISABLE_WRITE_ZEROES| NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x144d, 0xa824), /* Samsung PM173X */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x144d, 0xa825), /* Samsung PM1733a */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, { PCI_DEVICE(0x1987, 0x5012), /* Phison E12 */ .driver_data = NVME_QUIRK_BOGUS_NID, }, { PCI_DEVICE(0x1987, 0x5016), /* Phison E16 */ -- 2.39.2

10 months, 1 week

6
13
0 0

[PATCH net] net: drop bad gso csum_start and offset in virtio_net_hdr

by Willem de Bruijn

From: Willem de Bruijn <willemb(a)google.com> Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Migitage with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests. Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871 Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org Fixes: e269d79c7d35 ("net: missing check virtio") Cc: stable(a)vger.kernel.org Signed-off-by: Willem de Bruijn <willemb(a)google.com> --- include/linux/virtio_net.h | 16 +++++----------- net/ipv4/tcp_offload.c | 3 +++ net/ipv4/udp_offload.c | 3 +++ 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index d1d7825318c32..6c395a2600e8d 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -56,7 +56,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, unsigned int thlen = 0; unsigned int p_off = 0; unsigned int ip_proto; - u64 ret, remainder, gso_size; if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { @@ -99,16 +98,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset); u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16)); - if (hdr->gso_size) { - gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size); - ret = div64_u64_rem(skb->len, gso_size, &remainder); - if (!(ret && (hdr->gso_size > needed) && - ((remainder > needed) || (remainder == 0)))) { - return -EINVAL; - } - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG; - } - if (!pskb_may_pull(skb, needed)) return -EINVAL; @@ -182,6 +171,11 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (gso_type != SKB_GSO_UDP_L4) return -EINVAL; break; + case SKB_GSO_TCPV4: + case SKB_GSO_TCPV6: + if (skb->csum_offset != offsetof(struct tcphdr, check)) + return -EINVAL; + break; } /* Kernel has a special handling for GSO_BY_FRAGS. */ diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c index 4b791e74529e1..9e49ffcc77071 100644 --- a/net/ipv4/tcp_offload.c +++ b/net/ipv4/tcp_offload.c @@ -140,6 +140,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb, if (thlen < sizeof(*th)) goto out; + if (unlikely(skb->csum_start != skb->transport_header)) + goto out; + if (!pskb_may_pull(skb, thlen)) goto out; diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index aa2e0a28ca613..f521152c40871 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -278,6 +278,9 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, if (gso_skb->len <= sizeof(*uh) + mss) return ERR_PTR(-EINVAL); + if (unlikely(gso_skb->csum_start != gso_skb->transport_header)) + return ERR_PTR(-EINVAL); + if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { /* Packet is from an untrusted source, reset gso_segs. */ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), -- 2.46.0.rc1.232.g9752f9e123-goog

10 months, 1 week

10
25
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2024