January 2025 - Linux-stable-mirror

by manuel.rodrigues＠ene-kolla.pt

Hello, My name is wioleta. we would like to know if you export to Poland, as We have active projects that require most products as seen on your website. If yes, please kindly keep us informed upon your feedback so we can send our preferred listing for quote. For further information or have any questions, please do not hesitate to write us. Sten Arnlund Purchase Manager wioleta.raimer(a)invpolamd.com a: Vedwalterdige by 2, Holmerskulle, 432 68 Poland.

2 months, 3 weeks

1
0
0 0

[PATCH] posix-clock: Explicitly handle compat ioctls

by Thomas Weißschuh

Pointer arguments passed to ioctls need to pass through compat_ptr() to work correctly on s390; as explained in Documentation/driver-api/ioctl.rst. Plumb the compat_ioctl callback through 'struct posix_clock_operations' and handle the different ioctls cmds in the new ptp_compat_ioctl(). Using compat_ptr_ioctl is not possible. For the commands PTP_ENABLE_PPS/PTP_ENABLE_PPS2 on s390 it would corrupt the argument 0x80000000, aka BIT(31) to zero. Fixes: 0606f422b453 ("posix clocks: Introduce dynamic clocks") Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/ptp/ptp_chardev.c | 18 ++++++++++++++++++ drivers/ptp/ptp_clock.c | 1 + drivers/ptp/ptp_private.h | 7 +++++++ include/linux/posix-clock.h | 3 +++ kernel/time/posix-clock.c | 4 ++-- 5 files changed, 31 insertions(+), 2 deletions(-) diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c index ea96a14d72d141a4b255563b66bac8ed568b45e9..704af620c1173c12ee26b3b6c7982693e3c4c21f 100644 --- a/drivers/ptp/ptp_chardev.c +++ b/drivers/ptp/ptp_chardev.c @@ -4,6 +4,7 @@ * * Copyright (C) 2010 OMICRON electronics GmbH */ +#include <linux/compat.h> #include <linux/module.h> #include <linux/posix-clock.h> #include <linux/poll.h> @@ -507,6 +508,23 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, return err; } +#ifdef CONFIG_COMPAT +long ptp_compat_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, + unsigned long arg) +{ + switch (cmd) { + case PTP_ENABLE_PPS: + case PTP_ENABLE_PPS2: + /* These take in scalar arg, do not convert */ + break; + default: + arg = (unsigned long)compat_ptr(arg); + } + + return ptp_ioctl(pccontext, cmd, arg); +} +#endif + __poll_t ptp_poll(struct posix_clock_context *pccontext, struct file *fp, poll_table *wait) { diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c index 77a36e7bddd54e8f45eab317e687f033f57cc5bc..dec84b81cedfd13bcf8c97be6c3c27d73cd671f6 100644 --- a/drivers/ptp/ptp_clock.c +++ b/drivers/ptp/ptp_clock.c @@ -180,6 +180,7 @@ static struct posix_clock_operations ptp_clock_ops = { .clock_getres = ptp_clock_getres, .clock_settime = ptp_clock_settime, .ioctl = ptp_ioctl, + .compat_ioctl = ptp_compat_ioctl, .open = ptp_open, .release = ptp_release, .poll = ptp_poll, diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h index 18934e28469ee6e3bf9c9e6d1a1adb82808d88e6..13999a7af47a7b67ae8dc549351fbafef2ae402f 100644 --- a/drivers/ptp/ptp_private.h +++ b/drivers/ptp/ptp_private.h @@ -133,6 +133,13 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin, long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, unsigned long arg); +#ifdef CONFIG_COMPAT +long ptp_compat_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, + unsigned long arg); +#else +#define ptp_compat_ioctl NULL +#endif + int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode); int ptp_release(struct posix_clock_context *pccontext); diff --git a/include/linux/posix-clock.h b/include/linux/posix-clock.h index ef8619f489203eeb369ae580fc4d4b2439c94ae9..8bdc7aec5f7979c42752a233077620818d15acdd 100644 --- a/include/linux/posix-clock.h +++ b/include/linux/posix-clock.h @@ -54,6 +54,9 @@ struct posix_clock_operations { long (*ioctl)(struct posix_clock_context *pccontext, unsigned int cmd, unsigned long arg); + long (*compat_ioctl)(struct posix_clock_context *pccontext, unsigned int cmd, + unsigned long arg); + int (*open)(struct posix_clock_context *pccontext, fmode_t f_mode); __poll_t (*poll)(struct posix_clock_context *pccontext, struct file *file, diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c index 1af0bb2cc45c0aab843f77eb156992de469c8fb9..63184d92ef139c3fb9254745619ebca120fecce6 100644 --- a/kernel/time/posix-clock.c +++ b/kernel/time/posix-clock.c @@ -101,8 +101,8 @@ static long posix_clock_compat_ioctl(struct file *fp, if (!clk) return -ENODEV; - if (clk->ops.ioctl) - err = clk->ops.ioctl(pccontext, cmd, arg); + if (clk->ops.compat_ioctl) + err = clk->ops.compat_ioctl(pccontext, cmd, arg); put_posix_clock(clk); --- base-commit: 0bc21e701a6ffacfdde7f04f87d664d82e8a13bf change-id: 20250103-posix-clock-compat_ioctl-96fbac549146 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

2 months, 3 weeks

5
9
0 0

[PATCH 6.1.y] ssb: Fix potential NULL pointer dereference in ssb_device_uevent()

by Imkanmod Khan

From: Rand Deeb <rand.sec96(a)gmail.com> [ Upstream commit 789c17185fb0f39560496c2beab9b57ce1d0cbe7 ] The ssb_device_uevent() function first attempts to convert the 'dev' pointer to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before performing the NULL check, potentially leading to a NULL pointer dereference if 'dev' is NULL. To fix this issue, move the NULL check before dereferencing the 'dev' pointer, ensuring that the pointer is valid before attempting to use it. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Rand Deeb <rand.sec96(a)gmail.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://msgid.link/20240306123028.164155-1-rand.sec96@gmail.com Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- drivers/ssb/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c index d52e91258e98..aae50a5dfb57 100644 --- a/drivers/ssb/main.c +++ b/drivers/ssb/main.c @@ -341,11 +341,13 @@ static int ssb_bus_match(struct device *dev, struct device_driver *drv) static int ssb_device_uevent(struct device *dev, struct kobj_uevent_env *env) { - struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); + struct ssb_device *ssb_dev; if (!dev) return -ENODEV; + ssb_dev = dev_to_ssb_dev(dev); + return add_uevent_var(env, "MODALIAS=ssb:v%04Xid%04Xrev%02X", ssb_dev->id.vendor, ssb_dev->id.coreid, -- 2.25.1

2 months, 3 weeks

2
1
0 0

[PATCH 5.15.y] platform/chrome: cros_ec_typec: Check for EC driver

by Laura Nao

From: Akihiko Odaki <akihiko.odaki(a)gmail.com> [ upstream commit 7464ff8bf2d762251b9537863db0e1caf9b0e402 ] The EC driver may not be initialized when cros_typec_probe is called, particulary when CONFIG_CROS_EC_CHARDEV=m. Signed-off-by: Akihiko Odaki <akihiko.odaki(a)gmail.com> Reviewed-by: Guenter Roeck <groeck(a)chromium.org> Link: https://lore.kernel.org/r/20220404041101.6276-1-akihiko.odaki@gmail.com Signed-off-by: Prashant Malani <pmalani(a)chromium.org> Signed-off-by: Laura Nao <laura.nao(a)collabora.com> --- This solves the kernel NULL pointer dereference exception detected by KernelCI on many x86_64 Chromebooks - see e.g.: https://staging.dashboard.kernelci.org:9000/test/maestro%3A6790c13e09f33884… drivers/platform/chrome/cros_ec_typec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c index 2b8bef0d7ee5..c065963b9a42 100644 --- a/drivers/platform/chrome/cros_ec_typec.c +++ b/drivers/platform/chrome/cros_ec_typec.c @@ -1123,6 +1123,9 @@ static int cros_typec_probe(struct platform_device *pdev) } ec_dev = dev_get_drvdata(&typec->ec->ec->dev); + if (!ec_dev) + return -EPROBE_DEFER; + typec->typec_cmd_supported = !!cros_ec_check_features(ec_dev, EC_FEATURE_TYPEC_CMD); typec->needs_mux_ack = !!cros_ec_check_features(ec_dev, EC_FEATURE_TYPEC_MUX_REQUIRE_AP_ACK); -- 2.30.2

2 months, 3 weeks

2
1
0 0

[PATCH 1/3] drm/xe: Fix and re-enable xe_print_blob_ascii85()

by José Roberto de Souza

From: Lucas De Marchi <lucas.demarchi(a)intel.com> Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") partially reverted some changes to workaround breakage caused to mesa tools. However, in doing so it also broke fetching the GuC log via debugfs since xe_print_blob_ascii85() simply bails out. The fix is to avoid the extra newlines: the devcoredump interface is line-oriented and adding random newlines in the middle breaks it. If a tool is able to parse it by looking at the data and checking for chars that are out of the ascii85 space, it can still do so. A format change that breaks the line-oriented output on devcoredump however needs better coordination with existing tools. Reviewed-by: José Roberto de Souza <jose.souza(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Julia Filipchuk <julia.filipchuk(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 30 +++++++++-------------------- drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 ++- drivers/gpu/drm/xe/xe_guc_log.c | 4 +++- 4 files changed, 15 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index 81dc7795c0651..1c86e6456d60f 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -395,42 +395,30 @@ int xe_devcoredump_init(struct xe_device *xe) /** * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 * - * The output is split to multiple lines because some print targets, e.g. dmesg - * cannot handle arbitrarily long lines. Note also that printing to dmesg in - * piece-meal fashion is not possible, each separate call to drm_puts() has a - * line-feed automatically added! Therefore, the entire output line must be - * constructed in a local buffer first, then printed in one atomic output call. + * The output is split to multiple print calls because some print targets, e.g. + * dmesg cannot handle arbitrarily long lines. These targets may add newline + * between calls. * * There is also a scheduler yield call to prevent the 'task has been stuck for * 120s' kernel hang check feature from firing when printing to a slow target * such as dmesg over a serial port. * - * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. - * * @p: the printer object to output to * @prefix: optional prefix to add to output string * @blob: the Binary Large OBject to dump out * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) */ -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size) { const u32 *blob32 = (const u32 *)blob; char buff[ASCII85_BUFSZ], *line_buff; size_t line_pos = 0; - /* - * Splitting blobs across multiple lines is not compatible with the mesa - * debug decoder tool. Note that even dropping the explicit '\n' below - * doesn't help because the GuC log is so big some underlying implementation - * still splits the lines at 512K characters. So just bail completely for - * the moment. - */ - return; - #define DMESG_MAX_LINE_LEN 800 -#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ + /* Always leave space for the suffix char and the \0 */ +#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "<suffix>\0" */ if (size & 3) drm_printf(p, "Size not word aligned: %zu", size); @@ -462,7 +450,6 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, line_pos += strlen(line_buff + line_pos); if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; drm_puts(p, line_buff); @@ -474,10 +461,11 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, } } + if (suffix) + line_buff[line_pos++] = suffix; + if (line_pos) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; - drm_puts(p, line_buff); } diff --git a/drivers/gpu/drm/xe/xe_devcoredump.h b/drivers/gpu/drm/xe/xe_devcoredump.h index 6a17e6d601022..5391a80a4d1ba 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.h +++ b/drivers/gpu/drm/xe/xe_devcoredump.h @@ -29,7 +29,7 @@ static inline int xe_devcoredump_init(struct xe_device *xe) } #endif -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size); #endif diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 8b65c5e959cc2..50c8076b51585 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -1724,7 +1724,8 @@ void xe_guc_ct_snapshot_print(struct xe_guc_ct_snapshot *snapshot, snapshot->g2h_outstanding); if (snapshot->ctb) - xe_print_blob_ascii85(p, "CTB data", snapshot->ctb, 0, snapshot->ctb_size); + xe_print_blob_ascii85(p, "CTB data", '\n', + snapshot->ctb, 0, snapshot->ctb_size); } else { drm_puts(p, "CT disabled\n"); } diff --git a/drivers/gpu/drm/xe/xe_guc_log.c b/drivers/gpu/drm/xe/xe_guc_log.c index 80151ff6a71f8..44482ea919924 100644 --- a/drivers/gpu/drm/xe/xe_guc_log.c +++ b/drivers/gpu/drm/xe/xe_guc_log.c @@ -207,8 +207,10 @@ void xe_guc_log_snapshot_print(struct xe_guc_log_snapshot *snapshot, struct drm_ remain = snapshot->size; for (i = 0; i < snapshot->num_chunks; i++) { size_t size = min(GUC_LOG_CHUNK_SIZE, remain); + const char *prefix = i ? NULL : "Log data"; + char suffix = i == snapshot->num_chunks - 1 ? '\n' : 0; - xe_print_blob_ascii85(p, i ? NULL : "Log data", snapshot->copy[i], 0, size); + xe_print_blob_ascii85(p, prefix, suffix, snapshot->copy[i], 0, size); remain -= size; } } -- 2.48.1

2 months, 3 weeks

3
2
0 0

[PATCH 2/2] drm/xe: Fix and re-enable xe_print_blob_ascii85()

by Lucas De Marchi

Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") partially reverted some changes to workaround breakage caused to mesa tools. However, in doing so it also broke fetching the GuC log via debugfs since xe_print_blob_ascii85() simply bails out. The fix is to avoid the extra newlines: the devcoredump interface is line-oriented and adding random newlines in the middle breaks it. If a tool is able to parse it by looking at the data and checking for chars that are out of the ascii85 space, it can still do so. A format change that breaks the line-oriented output on devcoredump however needs better coordination with existing tools. Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Julia Filipchuk <julia.filipchuk(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 30 +++++++++-------------------- drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 ++- drivers/gpu/drm/xe/xe_guc_log.c | 4 +++- 4 files changed, 15 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index a7946a76777e7..d9b71bb690860 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -391,42 +391,30 @@ int xe_devcoredump_init(struct xe_device *xe) /** * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 * - * The output is split to multiple lines because some print targets, e.g. dmesg - * cannot handle arbitrarily long lines. Note also that printing to dmesg in - * piece-meal fashion is not possible, each separate call to drm_puts() has a - * line-feed automatically added! Therefore, the entire output line must be - * constructed in a local buffer first, then printed in one atomic output call. + * The output is split to multiple print calls because some print targets, e.g. + * dmesg cannot handle arbitrarily long lines. These targets may add newline + * between calls. * * There is also a scheduler yield call to prevent the 'task has been stuck for * 120s' kernel hang check feature from firing when printing to a slow target * such as dmesg over a serial port. * - * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. - * * @p: the printer object to output to * @prefix: optional prefix to add to output string * @blob: the Binary Large OBject to dump out * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) */ -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size) { const u32 *blob32 = (const u32 *)blob; char buff[ASCII85_BUFSZ], *line_buff; size_t line_pos = 0; - /* - * Splitting blobs across multiple lines is not compatible with the mesa - * debug decoder tool. Note that even dropping the explicit '\n' below - * doesn't help because the GuC log is so big some underlying implementation - * still splits the lines at 512K characters. So just bail completely for - * the moment. - */ - return; - #define DMESG_MAX_LINE_LEN 800 -#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ + /* Always leave space for the suffix char and the \0 */ +#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "<suffix>\0" */ if (size & 3) drm_printf(p, "Size not word aligned: %zu", size); @@ -458,7 +446,6 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, line_pos += strlen(line_buff + line_pos); if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; drm_puts(p, line_buff); @@ -470,10 +457,11 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, } } + if (suffix) + line_buff[line_pos++] = suffix; + if (line_pos) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; - drm_puts(p, line_buff); } diff --git a/drivers/gpu/drm/xe/xe_devcoredump.h b/drivers/gpu/drm/xe/xe_devcoredump.h index 6a17e6d601022..5391a80a4d1ba 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.h +++ b/drivers/gpu/drm/xe/xe_devcoredump.h @@ -29,7 +29,7 @@ static inline int xe_devcoredump_init(struct xe_device *xe) } #endif -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size); #endif diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 8b65c5e959cc2..50c8076b51585 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -1724,7 +1724,8 @@ void xe_guc_ct_snapshot_print(struct xe_guc_ct_snapshot *snapshot, snapshot->g2h_outstanding); if (snapshot->ctb) - xe_print_blob_ascii85(p, "CTB data", snapshot->ctb, 0, snapshot->ctb_size); + xe_print_blob_ascii85(p, "CTB data", '\n', + snapshot->ctb, 0, snapshot->ctb_size); } else { drm_puts(p, "CT disabled\n"); } diff --git a/drivers/gpu/drm/xe/xe_guc_log.c b/drivers/gpu/drm/xe/xe_guc_log.c index 80151ff6a71f8..44482ea919924 100644 --- a/drivers/gpu/drm/xe/xe_guc_log.c +++ b/drivers/gpu/drm/xe/xe_guc_log.c @@ -207,8 +207,10 @@ void xe_guc_log_snapshot_print(struct xe_guc_log_snapshot *snapshot, struct drm_ remain = snapshot->size; for (i = 0; i < snapshot->num_chunks; i++) { size_t size = min(GUC_LOG_CHUNK_SIZE, remain); + const char *prefix = i ? NULL : "Log data"; + char suffix = i == snapshot->num_chunks - 1 ? '\n' : 0; - xe_print_blob_ascii85(p, i ? NULL : "Log data", snapshot->copy[i], 0, size); + xe_print_blob_ascii85(p, prefix, suffix, snapshot->copy[i], 0, size); remain -= size; } } -- 2.48.0

2 months, 3 weeks

3
4
0 0

[PATCH] pwm: Ensure callbacks exist before calling them

by Uwe Kleine-König

If one of the waveform functions is called for a chip that only supports .apply(), we want that an error code is returned and not a NULL pointer exception. Fixes: 6c5126c6406d ("pwm: Provide new consumer API functions for waveforms") Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> --- Hello, assuming nobody spots a problem I will send this patch to Linus next week for inclusion in -rc1. Best regards Uwe drivers/pwm/core.c | 13 +++++++++++-- include/linux/pwm.h | 17 +++++++++++++++++ 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c index 9c733877e98e..1a36ee3cab91 100644 --- a/drivers/pwm/core.c +++ b/drivers/pwm/core.c @@ -242,6 +242,9 @@ int pwm_round_waveform_might_sleep(struct pwm_device *pwm, struct pwm_waveform * BUG_ON(WFHWSIZE < ops->sizeof_wfhw); + if (!pwmchip_supports_waveform(chip)) + return -EOPNOTSUPP; + if (!pwm_wf_valid(wf)) return -EINVAL; @@ -294,6 +297,9 @@ int pwm_get_waveform_might_sleep(struct pwm_device *pwm, struct pwm_waveform *wf BUG_ON(WFHWSIZE < ops->sizeof_wfhw); + if (!pwmchip_supports_waveform(chip) || !ops->read_waveform) + return -EOPNOTSUPP; + guard(pwmchip)(chip); if (!chip->operational) @@ -320,6 +326,9 @@ static int __pwm_set_waveform(struct pwm_device *pwm, BUG_ON(WFHWSIZE < ops->sizeof_wfhw); + if (!pwmchip_supports_waveform(chip)) + return -EOPNOTSUPP; + if (!pwm_wf_valid(wf)) return -EINVAL; @@ -592,7 +601,7 @@ static int __pwm_apply(struct pwm_device *pwm, const struct pwm_state *state) state->usage_power == pwm->state.usage_power) return 0; - if (ops->write_waveform) { + if (pwmchip_supports_waveform(chip)) { struct pwm_waveform wf; char wfhw[WFHWSIZE]; @@ -746,7 +755,7 @@ int pwm_get_state_hw(struct pwm_device *pwm, struct pwm_state *state) if (!chip->operational) return -ENODEV; - if (ops->read_waveform) { + if (pwmchip_supports_waveform(chip) && ops->read_waveform) { char wfhw[WFHWSIZE]; struct pwm_waveform wf; diff --git a/include/linux/pwm.h b/include/linux/pwm.h index 78827f312407..b8d78009e779 100644 --- a/include/linux/pwm.h +++ b/include/linux/pwm.h @@ -347,6 +347,23 @@ struct pwm_chip { struct pwm_device pwms[] __counted_by(npwm); }; +/** + * pwmchip_supports_waveform() - checks if the given chip supports waveform callbacks + * @chip: The pwm_chip to test + * + * Returns true iff the pwm chip support the waveform functions like + * pwm_set_waveform_might_sleep() and pwm_round_waveform_might_sleep() + */ +static inline bool pwmchip_supports_waveform(struct pwm_chip *chip) +{ + /* + * only check for .write_waveform(). If that is available, + * .round_waveform_tohw() and .round_waveform_fromhw() asserted to be + * available, too, in pwmchip_add(). + */ + return chip->ops->write_waveform != NULL; +} + static inline struct device *pwmchip_parent(const struct pwm_chip *chip) { return chip->dev.parent; base-commit: e8c59791ebb60790c74b2c3ab520f04a8a57219a prerequisite-patch-id: f5f481d393ddd1fd20a685c86cd4e93dd40d26c7 -- 2.47.1

2 months, 3 weeks

2
1
0 0

[PATCH] drm/v3d: Assign job pointer to NULL before signaling the fence

by Maíra Canal

In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466.573826] __handle_irq_event_percpu+0x60/0x228 [ 466.578546] handle_irq_event+0x54/0xb8 [ 466.582391] handle_fasteoi_irq+0xac/0x240 [ 466.586498] generic_handle_domain_irq+0x34/0x58 [ 466.591128] gic_handle_irq+0x48/0xd8 [ 466.594798] call_on_irq_stack+0x24/0x58 [ 466.598730] do_interrupt_handler+0x88/0x98 [ 466.602923] el0_interrupt+0x44/0xc0 [ 466.606508] __el0_irq_handler_common+0x18/0x28 [ 466.611050] el0t_64_irq_handler+0x10/0x20 [ 466.615156] el0t_64_irq+0x198/0x1a0 [ 466.618740] Code: 52800035 3607faf3 f9442e80 52800021 (f9406018) [ 466.624853] ---[ end trace 0000000000000000 ]--- [ 466.629483] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 466.636384] SMP: stopping secondary CPUs [ 466.640320] Kernel Offset: 0x100c400000 from 0xffffffc080000000 [ 466.646259] PHYS_OFFSET: 0x0 [ 466.649141] CPU features: 0x100,00000170,00901250,0200720b [ 466.654644] Memory Limit: none [ 466.657706] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Fix the crash by assigning the job pointer to NULL before signaling the fence. This ensures that the job pointer is cleared before any new job starts execution, preventing the race condition and the NULL pointer dereference crash. Cc: stable(a)vger.kernel.org Fixes: e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion") Signed-off-by: Maíra Canal <mcanal(a)igalia.com> --- drivers/gpu/drm/v3d/v3d_irq.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index da203045df9b..72b6a119412f 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -107,8 +107,10 @@ v3d_irq(int irq, void *arg) v3d_job_update_stats(&v3d->bin_job->base, V3D_BIN); trace_v3d_bcl_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->bin_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } @@ -118,8 +120,10 @@ v3d_irq(int irq, void *arg) v3d_job_update_stats(&v3d->render_job->base, V3D_RENDER); trace_v3d_rcl_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->render_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } @@ -129,8 +133,10 @@ v3d_irq(int irq, void *arg) v3d_job_update_stats(&v3d->csd_job->base, V3D_CSD); trace_v3d_csd_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->csd_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } @@ -167,8 +173,10 @@ v3d_hub_irq(int irq, void *arg) v3d_job_update_stats(&v3d->tfu_job->base, V3D_TFU); trace_v3d_tfu_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->tfu_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } -- 2.39.5 (Apple Git-154)

2 months, 3 weeks

4
4
0 0

[tip: timers/urgent] hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING

by tip-bot2 for Frederic Weisbecker

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: 53dac345395c0d2493cbc2f4c85fe38aef5b63f5 Gitweb: https://git.kernel.org/tip/53dac345395c0d2493cbc2f4c85fe38aef5b63f5 Author: Frederic Weisbecker <frederic(a)kernel.org> AuthorDate: Sat, 18 Jan 2025 00:24:33 +01:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 23 Jan 2025 20:06:35 +01:00 hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING hrtimers are migrated away from the dying CPU to any online target at the CPUHP_AP_HRTIMERS_DYING stage in order not to delay bandwidth timers handling tasks involved in the CPU hotplug forward progress. However wakeups can still be performed by the outgoing CPU after CPUHP_AP_HRTIMERS_DYING. Those can result again in bandwidth timers being armed. Depending on several considerations (crystal ball power management based election, earliest timer already enqueued, timer migration enabled or not), the target may eventually be the current CPU even if offline. If that happens, the timer is eventually ignored. The most notable example is RCU which had to deal with each and every of those wake-ups by deferring them to an online CPU, along with related workarounds: _ e787644caf76 (rcu: Defer RCU kthreads wakeup when CPU is dying) _ 9139f93209d1 (rcu/nocb: Fix RT throttling hrtimer armed from offline CPU) _ f7345ccc62a4 (rcu/nocb: Fix rcuog wake-up from offline softirq) The problem isn't confined to RCU though as the stop machine kthread (which runs CPUHP_AP_HRTIMERS_DYING) reports its completion at the end of its work through cpu_stop_signal_done() and performs a wake up that eventually arms the deadline server timer: WARNING: CPU: 94 PID: 588 at kernel/time/hrtimer.c:1086 hrtimer_start_range_ns+0x289/0x2d0 CPU: 94 UID: 0 PID: 588 Comm: migration/94 Not tainted Stopper: multi_cpu_stop+0x0/0x120 <- stop_machine_cpuslocked+0x66/0xc0 RIP: 0010:hrtimer_start_range_ns+0x289/0x2d0 Call Trace: <TASK> start_dl_timer enqueue_dl_entity dl_server_start enqueue_task_fair enqueue_task ttwu_do_activate try_to_wake_up complete cpu_stopper_thread Instead of providing yet another bandaid to work around the situation, fix it in the hrtimers infrastructure instead: always migrate away a timer to an online target whenever it is enqueued from an offline CPU. This will also allow to revert all the above RCU disgraceful hacks. Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") Reported-by: Vlad Poenaru <vlad.wing(a)gmail.com> Reported-by: Usama Arif <usamaarif642(a)gmail.com> Signed-off-by: Frederic Weisbecker <frederic(a)kernel.org> Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Tested-by: Paul E. McKenney <paulmck(a)kernel.org> Link: https://lore.kernel.org/all/20250117232433.24027-1-frederic@kernel.org Closes: 20241213203739.1519801-1-usamaarif642(a)gmail.com --- include/linux/hrtimer_defs.h | 1 +- kernel/time/hrtimer.c | 103 +++++++++++++++++++++++++++------- 2 files changed, 83 insertions(+), 21 deletions(-) diff --git a/include/linux/hrtimer_defs.h b/include/linux/hrtimer_defs.h index c3b4b7e..84a5045 100644 --- a/include/linux/hrtimer_defs.h +++ b/include/linux/hrtimer_defs.h @@ -125,6 +125,7 @@ struct hrtimer_cpu_base { ktime_t softirq_expires_next; struct hrtimer *softirq_next_timer; struct hrtimer_clock_base clock_base[HRTIMER_MAX_CLOCK_BASES]; + call_single_data_t csd; } ____cacheline_aligned; diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 4fb81f8..deb1aa3 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -58,6 +58,8 @@ #define HRTIMER_ACTIVE_SOFT (HRTIMER_ACTIVE_HARD << MASK_SHIFT) #define HRTIMER_ACTIVE_ALL (HRTIMER_ACTIVE_SOFT | HRTIMER_ACTIVE_HARD) +static void retrigger_next_event(void *arg); + /* * The timer bases: * @@ -111,7 +113,8 @@ DEFINE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases) = .clockid = CLOCK_TAI, .get_time = &ktime_get_clocktai, }, - } + }, + .csd = CSD_INIT(retrigger_next_event, NULL) }; static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = { @@ -124,6 +127,14 @@ static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = { [CLOCK_TAI] = HRTIMER_BASE_TAI, }; +static inline bool hrtimer_base_is_online(struct hrtimer_cpu_base *base) +{ + if (!IS_ENABLED(CONFIG_HOTPLUG_CPU)) + return true; + else + return likely(base->online); +} + /* * Functions and macros which are different for UP/SMP systems are kept in a * single place @@ -178,27 +189,54 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer, } /* - * We do not migrate the timer when it is expiring before the next - * event on the target cpu. When high resolution is enabled, we cannot - * reprogram the target cpu hardware and we would cause it to fire - * late. To keep it simple, we handle the high resolution enabled and - * disabled case similar. + * Check if the elected target is suitable considering its next + * event and the hotplug state of the current CPU. + * + * If the elected target is remote and its next event is after the timer + * to queue, then a remote reprogram is necessary. However there is no + * guarantee the IPI handling the operation would arrive in time to meet + * the high resolution deadline. In this case the local CPU becomes a + * preferred target, unless it is offline. + * + * High and low resolution modes are handled the same way for simplicity. * * Called with cpu_base->lock of target cpu held. */ -static int -hrtimer_check_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base) +static bool hrtimer_suitable_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base, + struct hrtimer_cpu_base *new_cpu_base, + struct hrtimer_cpu_base *this_cpu_base) { ktime_t expires; + /* + * The local CPU clockevent can be reprogrammed. Also get_target_base() + * guarantees it is online. + */ + if (new_cpu_base == this_cpu_base) + return true; + + /* + * The offline local CPU can't be the default target if the + * next remote target event is after this timer. Keep the + * elected new base. An IPI will we issued to reprogram + * it as a last resort. + */ + if (!hrtimer_base_is_online(this_cpu_base)) + return true; + expires = ktime_sub(hrtimer_get_expires(timer), new_base->offset); - return expires < new_base->cpu_base->expires_next; + + return expires >= new_base->cpu_base->expires_next; } -static inline -struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base, - int pinned) +static inline struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base, int pinned) { + if (!hrtimer_base_is_online(base)) { + int cpu = cpumask_any_and(cpu_online_mask, housekeeping_cpumask(HK_TYPE_TIMER)); + + return &per_cpu(hrtimer_bases, cpu); + } + #if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON) if (static_branch_likely(&timers_migration_enabled) && !pinned) return &per_cpu(hrtimer_bases, get_nohz_timer_target()); @@ -249,8 +287,8 @@ again: raw_spin_unlock(&base->cpu_base->lock); raw_spin_lock(&new_base->cpu_base->lock); - if (new_cpu_base != this_cpu_base && - hrtimer_check_target(timer, new_base)) { + if (!hrtimer_suitable_target(timer, new_base, new_cpu_base, + this_cpu_base)) { raw_spin_unlock(&new_base->cpu_base->lock); raw_spin_lock(&base->cpu_base->lock); new_cpu_base = this_cpu_base; @@ -259,8 +297,7 @@ again: } WRITE_ONCE(timer->base, new_base); } else { - if (new_cpu_base != this_cpu_base && - hrtimer_check_target(timer, new_base)) { + if (!hrtimer_suitable_target(timer, new_base, new_cpu_base, this_cpu_base)) { new_cpu_base = this_cpu_base; goto again; } @@ -706,8 +743,6 @@ static inline int hrtimer_is_hres_enabled(void) return hrtimer_hres_enabled; } -static void retrigger_next_event(void *arg); - /* * Switch to high resolution mode */ @@ -1195,6 +1230,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, u64 delta_ns, const enum hrtimer_mode mode, struct hrtimer_clock_base *base) { + struct hrtimer_cpu_base *this_cpu_base = this_cpu_ptr(&hrtimer_bases); struct hrtimer_clock_base *new_base; bool force_local, first; @@ -1206,10 +1242,16 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, * and enforce reprogramming after it is queued no matter whether * it is the new first expiring timer again or not. */ - force_local = base->cpu_base == this_cpu_ptr(&hrtimer_bases); + force_local = base->cpu_base == this_cpu_base; force_local &= base->cpu_base->next_timer == timer; /* + * Don't force local queuing if this enqueue happens on a unplugged + * CPU after hrtimer_cpu_dying() has been invoked. + */ + force_local &= this_cpu_base->online; + + /* * Remove an active timer from the queue. In case it is not queued * on the current CPU, make sure that remove_hrtimer() updates the * remote data correctly. @@ -1238,8 +1280,27 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, } first = enqueue_hrtimer(timer, new_base, mode); - if (!force_local) - return first; + if (!force_local) { + /* + * If the current CPU base is online, then the timer is + * never queued on a remote CPU if it would be the first + * expiring timer there. + */ + if (hrtimer_base_is_online(this_cpu_base)) + return first; + + /* + * Timer was enqueued remote because the current base is + * already offline. If the timer is the first to expire, + * kick the remote CPU to reprogram the clock event. + */ + if (first) { + struct hrtimer_cpu_base *new_cpu_base = new_base->cpu_base; + + smp_call_function_single_async(new_cpu_base->cpu, &new_cpu_base->csd); + } + return 0; + } /* * Timer was forced to stay on the current CPU to avoid

2 months, 3 weeks

1
0
0 0

Linux 6.6.74

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.74 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/include/asm/special_insns.h | 2 arch/x86/xen/xen-asm.S | 2 block/blk-sysfs.c | 6 - block/genhd.c | 9 - drivers/acpi/resource.c | 6 - drivers/block/zram/zram_drv.c | 1 drivers/gpio/gpio-xilinx.c | 32 +++--- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 45 --------- drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 4 drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 drivers/gpu/drm/i915/display/intel_fb.c | 2 drivers/gpu/drm/nouveau/nouveau_fence.c | 6 - drivers/gpu/drm/v3d/v3d_irq.c | 4 drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 - drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 1 drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 7 - drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 5 - drivers/hwmon/tmp513.c | 7 - drivers/i2c/busses/i2c-rcar.c | 20 +++- drivers/i2c/i2c-atr.c | 2 drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++ drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 drivers/irqchip/irq-gic-v3-its.c | 2 drivers/irqchip/irq-gic-v3.c | 2 drivers/irqchip/irqchip.c | 4 drivers/mtd/spi-nor/core.c | 2 drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 --- drivers/net/ethernet/freescale/fec_main.c | 19 ++- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 22 ++-- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 42 +++++--- drivers/nvme/target/io-cmd-bdev.c | 2 drivers/pci/controller/pci-host-common.c | 4 drivers/pci/probe.c | 20 ++-- drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 2 drivers/ufs/core/ufshcd.c | 9 + fs/cachefiles/daemon.c | 14 +- fs/cachefiles/internal.h | 3 fs/cachefiles/security.c | 6 - fs/file.c | 1 fs/hfs/super.c | 4 fs/iomap/buffered-io.c | 2 fs/nfsd/filecache.c | 18 ++- fs/nfsd/filecache.h | 1 fs/notify/fdinfo.c | 4 fs/ocfs2/extent_map.c | 8 + fs/overlayfs/copy_up.c | 16 +-- fs/overlayfs/export.c | 49 +++++----- fs/overlayfs/namei.c | 4 fs/overlayfs/overlayfs.h | 2 fs/proc/vmcore.c | 2 fs/smb/client/connect.c | 3 include/linux/hrtimer.h | 1 include/linux/poll.h | 10 +- include/linux/pruss_driver.h | 12 +- include/net/net_namespace.h | 3 kernel/cpu.c | 2 kernel/gen_kheaders.sh | 1 kernel/time/hrtimer.c | 11 ++ mm/filemap.c | 2 net/core/filter.c | 30 +++--- net/core/net_namespace.c | 31 ++++++ net/core/pktgen.c | 6 - net/dccp/ipv6.c | 2 net/ipv6/tcp_ipv6.c | 4 net/mac802154/iface.c | 4 net/mptcp/options.c | 6 - net/mptcp/protocol.h | 9 + net/openvswitch/actions.c | 4 net/vmw_vsock/af_vsock.c | 18 +++ net/vmw_vsock/virtio_transport_common.c | 36 +++++-- net/vmw_vsock/vsock_bpf.c | 9 + sound/pci/hda/patch_realtek.c | 1 tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++++++-- tools/testing/selftests/tc-testing/tc-tests/filters/flow.json | 4 90 files changed, 477 insertions(+), 313 deletions(-) Amir Goldstein (3): ovl: pass realinode to ovl_encode_real_fh() instead of realdentry ovl: support encoding fid from inode with no alias fs: relax assertions on failure to encode file handles Artem Chernyshev (1): pktgen: Avoid out-of-bounds access in get_imix_entries Christian König (1): drm/amdgpu: always sync the GFX pipe on ctx switch Dan Carpenter (1): nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Dave Airlie (1): nouveau/fence: handle cross device fences properly David Howells (1): kheaders: Ignore silly-rename files David Lechner (1): hwmon: (tmp513) Fix division of negative numbers Eric Dumazet (2): net: add exit_batch_rtnl() method gtp: use exit_batch_rtnl() method Greg Kroah-Hartman (2): Revert "drm/amdgpu: rework resume handling for display (v2)" Linux 6.6.74 Hans de Goede (1): ACPI: resource: acpi_dev_irq_override(): Check DMI match last Heiner Kallweit (1): net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Hongguang Gao (1): RDMA/bnxt_re: Fix to export port num to ib_query_qp Ian Forbes (1): drm/vmwgfx: Add new keep_resv BO param Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier Jakub Kicinski (1): selftests: tc-testing: reduce rshift value Jean-Baptiste Maneyrol (1): iio: imu: inv_icm42600: fix spi burst write not supported Joe Hattori (1): irqchip: Plug a OF node reference leak in platform_irqchip_probe() Juergen Gross (2): x86/asm: Make serialize() always_inline x86/xen: fix SLS mitigation in xen_hypercall_iret() Kairui Song (1): zram: fix potential UAF of zram table Kevin Groeneveld (1): net: fec: handle page_pool_dev_alloc_pages error Koichiro Den (1): hrtimers: Handle CPU state correctly on hotplug Kuniyuki Iwashima (2): gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: Destroy device along with udp socket's netns dismantle. Leo Stone (1): hfs: Sanity check the root record Leon Romanovsky (3): net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel net/mlx5e: Rely on reqid in IPsec tunnel mode net/mlx5e: Always start IPsec sequence number from 1 Lizhi Xu (1): mac802154: check local interfaces before deleting sdata list Luis Chamberlain (1): nvmet: propagate npwg topology MD Danish Anwar (1): soc: ti: pruss: Fix pruss APIs Manivannan Sadhasivam (1): scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Marco Nelissen (2): iomap: avoid avoid truncating 64-bit offset to 32 bits filemap: avoid truncating 64-bit offset to 32 bits Mark Zhang (1): net/mlx5: Clear port select structure when fail to create Max Kellermann (1): cachefiles: Parse the "secctx" immediately Maíra Canal (1): drm/v3d: Ensure job pointer is set to NULL after job completion Michal Luczaj (1): bpf: Fix bpf_sk_select_reuseport() memory leak Mohammed Anees (1): ocfs2: fix deadlock in ocfs2_get_system_file_inode Oleg Nesterov (1): poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Paolo Abeni (3): mptcp: be sure to send ack when mptcp-level window re-opens mptcp: fix spurious wake-up on under memory pressure selftests: mptcp: avoid spurious errors on disconnect Patrisious Haddad (1): net/mlx5: Fix RDMA TX steering prio Paulo Alcantara (1): smb: client: fix double free of TCP_Server_Info::hostname Pratyush Yadav (1): Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore (part 2) Sean Anderson (2): net: xilinx: axienet: Fix IRQ coalescing packet count overflow gpio: xilinx: Convert gpio_lock to raw spinlock Srinivasan Shanmugam (1): drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Stefan Binding (1): ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Stefano Garzarella (5): vsock/bpf: return early if transport is not assigned vsock/virtio: discard packets if the transport changes vsock/virtio: cancel close work in the destructor vsock: reset socket state when de-assigning the transport vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Sudheer Kumar Doredla (1): net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Terry Tritton (1): Revert "PCI: Use preserve_config in place of pci_flags" Tomas Krcka (1): irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Tomi Valkeinen (1): i2c: atr: Fix client detach Ville Syrjälä (1): drm/i915/fb: Relax clear color alignment to 64 bytes Wang Liang (1): net: fix data-races around sk->sk_forward_alloc Wolfram Sang (2): i2c: mux: demux-pinctrl: check initial mux selection, too i2c: rcar: fix NACK handling when being a target Xiaolei Wang (1): pmdomain: imx8mp-blk-ctrl: add missing loop break condition Yogesh Lal (1): irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Youzhong Yang (1): nfsd: add list_head nf_gc to struct nfsd_file Yu Kuai (1): block: fix uaf for flush rq while iterating tags Zhang Kunbo (1): fs: fix missing declaration of init_files

2 months, 3 weeks

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2025