April 2025 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.26 release. There are 280 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 01 May 2025 16:10:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.26-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.26-rc1 Christoph Hellwig <hch(a)lst.de> mq-deadline: don't call req_get_ioprio from the I/O completion handler Keerthy <j-keerthy(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size Herbert Xu <herbert(a)gondor.apana.org.au> crypto: Kconfig - Select LIB generic option Dan Carpenter <dan.carpenter(a)linaro.org> usb: typec: class: Unlocked on error in typec_register_partner() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Silence more KCOV warnings, part 2 Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Ignore end-of-section jumps for KCOV/GCOV Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix Short Packet handling rework ignoring errors Hannes Reinecke <hare(a)kernel.org> nvme: fixup scan failure for non-ANA multipath controllers Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: cm: Fix warning if MIPS_CM is disabled Dan Carpenter <dan.carpenter(a)linaro.org> media: i2c: imx214: Fix uninitialized variable in imx214_set_ctrl() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: lib/Kconfig - Hide arch options from user Robin Murphy <robin.murphy(a)arm.com> iommu: Handle race with default domain setup Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: enable STU methods for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: enable .port_set_policy() for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: enable PVT for 6321 switch Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix atu_move_port_mask for 6341 family Marek Behún <kabel(a)kernel.org> Revert "net: dsa: mv88e6xxx: fix internal PHYs for 6320 family" Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: class: Invalidate USB device pointers on partner unregistration Baokun Li <libaokun1(a)huawei.com> ext4: goto right label 'out_mmap_sem' in ext4_setattr() Ian Abbott <abbotti(a)mev.co.uk> comedi: jr3_pci: Fix synchronous deletion of timer Daniel Borkmann <daniel(a)iogearbox.net> vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: class: Fix NULL pointer access Shigeru Yoshida <syoshida(a)redhat.com> selftests/bpf: Adjust data size to have ETH_HLEN Alexis Lothoré (eBPF Foundation) <alexis.lothore(a)bootlin.com> selftests/bpf: check program redirect in xdp_cpumap_attach Alexis Lothoré (eBPF Foundation) <alexis.lothore(a)bootlin.com> selftests/bpf: make xdp_cpumap_attach keep redirect prog attached Alexis Lothoré (eBPF Foundation) <alexis.lothore(a)bootlin.com> selftests/bpf: fix bpf_map_redirect call for cpu map test Christoph Hellwig <hch(a)lst.de> xfs: flush inodegc before swapon Christoph Hellwig <hch(a)lst.de> xfs: rename xfs_iomap_swapfile_activate to xfs_vm_swap_activate Carlos Maiolino <cem(a)kernel.org> xfs: Do not allow norecovery mount with quotacheck Lukas Herbolt <lukas(a)herbolt.com> xfs: do not check NEEDSREPAIR if ro,norecovery mount. Dmitry Torokhov <dmitry.torokhov(a)gmail.com> driver core: fix potential NULL pointer dereference in dev_uevent() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> driver core: introduce device_set_driver() helper Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Revert "drivers: core: synchronize really_probe() and dev_uevent()" Tamura Dai <kirinode0(a)gmail.com> spi: spi-imx: Add check for spi_imx_setupxfer() Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Use the right function for hdp flush Christian König <christian.koenig(a)amd.com> drm/amdgpu: use a dummy owner for sysfs triggered cleaner shaders v4 Meir Elisha <meir.elisha(a)volumez.com> md/raid1: Add check for missing source disk in process_checks() Pi Xiange <xiange.pi(a)intel.com> x86/cpu: Add CPU model number for Bartlett Lake CPUs with Raptor Cove cores Mostafa Saleh <smostafa(a)google.com> ubsan: Fix panic from test_ubsan_out_of_bounds Breno Leitao <leitao(a)debian.org> spi: tegra210-quad: add rate limiting and simplify timeout error message Breno Leitao <leitao(a)debian.org> spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix WARNING "do not call blocking ops when !TASK_RUNNING" Andrew Jones <ajones(a)ventanamicro.com> riscv: Provide all alternative macros all the time Gou Hao <gouhao(a)uniontech.com> iomap: skip unnecessary ifs_block_is_uptodate check Song Liu <song(a)kernel.org> netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS Fernando Fernandez Mancera <ffmancera(a)riseup.net> x86/i8253: Call clockevent_i8253_disable() with interrupts disabled Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_asrc_dma: get codec or cpu dai from backend Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy_attached to zero when device is gone Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: gs101: Put UFS device in reset on .suspend() Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Move phy calls to .exit() callback Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure pre_link() executes before exynos_ufs_phy_init() Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: make block validity check resistent to sb bh corruption Robin Murphy <robin.murphy(a)arm.com> iommu: Clear iommu-dma ops on cleanup Pali Rohár <pali(a)kernel.org> cifs: Fix querying of WSL CHR and BLK reparse points over SMB1 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> timekeeping: Add a lockdep override in tick_freeze() Pali Rohár <pali(a)kernel.org> cifs: Fix encoding of SMB1 Session Setup Kerberos Request in non-UNICODE mode Daniel Wagner <wagi(a)kernel.org> nvmet-fc: put ref when assoc->del_work is already scheduled Daniel Wagner <wagi(a)kernel.org> nvmet-fc: take tgtport reference only once Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on context switch with eIBRS Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Use SBPB in write_ibpb() if applicable Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> selftests/mincore: Allow read-ahead pages to reach the end of the file Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: disable CPU idle and frequency drivers for PVH dom0 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: of: Move Atmel HSMCI quirk up out of the regulator comment Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Stop UNRET validation on UD2 Uday Shankar <ushankar(a)purestorage.com> nvme: multipath: fix return value of nvme_available_path Hannes Reinecke <hare(a)kernel.org> nvme: re-read ANA log page after ns scan completes Julia Filipchuk <julia.filipchuk(a)intel.com> drm/xe/xe3lpg: Apply Wa_14022293748, Wa_22019794406 Jay Cornwall <jay.cornwall(a)amd.com> drm/amdgpu: Increase KIQ invalidate_tlbs timeout Jean-Marc Eurin <jmeurin(a)google.com> ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Mario Limonciello <mario.limonciello(a)amd.com> ACPI: EC: Set ec_no_wakeup for Lenovo Go S Hannes Reinecke <hare(a)kernel.org> nvme: requeue namespace scan on missed AENs Jason Andryuk <jason.andryuk(a)amd.com> xen: Change xen-acpi-processor dom0 dependency Gabriel Shahrouzi <gshahrouzi(a)gmail.com> perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix test_stripe_04 Waiman Long <longman(a)redhat.com> cgroup/cpuset: Don't allow creation of local partition over a remote one Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through debug printing Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through tracepoints Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Xi Ruoyao <xry111(a)xry111.site> kbuild: add dependency from vmlinux to sorttable Pavel Begunkov <asml.silence(a)gmail.com> io_uring: always do atomic put from iowq Lukas Stockmann <lukas.stockmann(a)siemens.com> rtc: pcf85063: do a SW reset if POR failed Ignacio Encinas <ignacio(a)iencinas.com> 9p/trans_fd: mark concurrent read and writes to p9_conn->err Dominique Martinet <asmadeus(a)codewreck.org> 9p/net: fix improper handling of bogus negative read/write replies Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> ntb_hw_amd: Add NTB PCI ID for new gen CPU Arnd Bergmann <arnd(a)arndb.de> ntb: reduce stack usage in idt_scan_mws Al Viro <viro(a)zeniv.linux.org.uk> qibfs: fix _another_ leak Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, lkdtm: Obfuscate the do_nothing() pointer Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, regulator: rk808: Remove potential undefined behavior in rk806_set_mode_dcdc() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, panic: Disable SMAP in __stack_chk_fail() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Silence more KCOV warnings Benjamin Berg <benjamin.berg(a)intel.com> um: work around sched_yield not yielding in time-travel mode Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Scan retimers after device router has been enumerated Théo Lebrun <theo.lebrun(a)bootlin.com> usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func Chenyuan Yang <chenyuan0y(a)gmail.com> usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Andy Yan <andy.yan(a)rock-chips.com> phy: rockchip: usbdp: Avoid call hpd_event_trigger in dp_phy_init Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running Vinicius Costa Gomes <vinicius.gomes(a)intel.com> dmaengine: dmatest: Fix dmatest waiting less when interrupted Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Add support for Nuvoton npcm845 i3c Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Handle spurious events on Etron host isoc enpoints Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix isochronous Ring Underrun/Overrun event handling Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Complete 'error mid TD' transfers when handling Missed Service John Stultz <jstultz(a)google.com> sound/virtio: Fix cancel_sync warnings on uninitialized work_structs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: gadget: Refactor loop to avoid NULL endpoints Edward Adam Davis <eadavis(a)qq.com> fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size Lizhi Xu <lizhi.xu(a)windriver.com> fs/ntfs3: Keep write operations atomic Alexander Stein <alexander.stein(a)mailbox.org> usb: host: max3421-hcd: Add missing spi_device_id table Sudeep Holla <sudeep.holla(a)arm.com> mailbox: pcc: Always clear the platform ack interrupt first Huisong Li <lihuisong(a)huawei.com> mailbox: pcc: Fix the possible race in updation of chan_in_use flag Yafang Shao <laoar.shao(a)gmail.com> bpf: Reject attaching fexit/fmod_ret to __noreturn functions Martin KaFai Lau <martin.lau(a)kernel.org> bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it creates storage Sewon Nam <swnam0729(a)gmail.com> bpf: bpftool: Setting error code in do_loader() Haoxiang Li <haoxiang_li2024(a)163.com> s390/tty: Fix a potential memory leak bug Haoxiang Li <haoxiang_li2024(a)163.com> s390/sclp: Add check for get_zeroed_page() Yu-Chun Lin <eleanor15x(a)gmail.com> parisc: PDT: Fix missing prototype warning Heiko Stuebner <heiko(a)sntech.de> clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Alexei Starovoitov <ast(a)kernel.org> bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix kmemleak warning for percpu hashmap Herbert Xu <herbert(a)gondor.apana.org.au> crypto: null - Use spin lock instead of mutex Herbert Xu <herbert(a)gondor.apana.org.au> crypto: lib/Kconfig - Fix lib built-in failure when arch is modular Devaraj Rangasamy <Devaraj.Rangasamy(a)amd.com> crypto: ccp - Add support for PCI device 0x1134 Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: cm: Detect CM quirks from device tree Dmitry Mastykin <mastichi(a)gmail.com> pinctrl: mcp23s08: Get rid of spurious level interrupts Chenyuan Yang <chenyuan0y(a)gmail.com> pinctrl: renesas: rza2: Fix potential NULL pointer dereference Amery Hung <ameryhung(a)gmail.com> selftests/bpf: Fix stdout race condition in traffic monitor Oliver Neukum <oneukum(a)suse.com> USB: wdm: add annotation Oliver Neukum <oneukum(a)suse.com> USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context Oliver Neukum <oneukum(a)suse.com> USB: wdm: close race between wdm_open and wdm_wwan_port_stop Oliver Neukum <oneukum(a)suse.com> USB: wdm: handle IO errors in wdm_wwan_port_start Oliver Neukum <oneukum(a)suse.com> USB: VLI disk crashes if LPM is used Miao Li <limiao(a)kylinos.cn> usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive Miao Li <limiao(a)kylinos.cn> usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Mike Looijmans <mike.looijmans(a)topic.nl> usb: dwc3: xilinx: Prevent spike in reset signal Frode Isaksen <frode(a)meta.com> usb: dwc3: gadget: check that event count does not exceed event buffer length Huacai Chen <chenhuacai(a)kernel.org> USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: fix usbmisc handling Ralph Siemsen <ralph.siemsen(a)linaro.org> usb: cdns3: Fix deadlock when using NCM gadget Michal Pecio <michal.pecio(a)gmail.com> usb: xhci: Fix invalid pointer dereference in Etron workaround Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Limit time spent with xHC interrupts disabled during bus resume Craig Hesling <craig(a)hesling.com> USB: serial: simple: add OWON HDS200 series oscilloscope support Adam Xue <zxue(a)semtech.com> USB: serial: option: add Sierra Wireless EM9291 Michael Ehrenreich <michideep(a)gmail.com> USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Ryo Takakura <ryotkkr98(a)gmail.com> serial: sifive: lock port in startup()/shutdown() callbacks Stephan Gerhold <stephan.gerhold(a)linaro.org> serial: msm: Configure correct working mode before starting earlycon Günther Noack <gnoack3000(a)gmail.com> tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT Mahesh Rao <mahesh.rao(a)intel.com> firmware: stratix10-svc: Add of_platform_default_populate() Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack Rengarajan S <rengarajan.s(a)microchip.com> misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> char: misc: register chrdev region with all possible minors Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Sean Christopherson <seanjc(a)google.com> KVM: x86: Reset IRTE to host control if *new* route isn't postable Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly treat routing entry type changes as changes Hans de Goede <hdegoede(a)redhat.com> mei: vsc: Fix fortify-panic caused by invalid counted_by() use Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake H DID Damien Le Moal <dlemoal(a)kernel.org> scsi: Improve CDL control Oliver Neukum <oneukum(a)suse.com> USB: storage: quirk for ADATA Portable HDD CH94 Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Fix ata_msense_control_ata_feature() Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Improve CDL control Haoxiang Li <haoxiang_li2024(a)163.com> mcb: fix a double free bug in chameleon_parse_gdd() Smita Koralahalli <Smita.KoralahalliChannabasappa(a)amd.com> cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports Sean Christopherson <seanjc(a)google.com> KVM: SVM: Allocate IR data using atomic allocation Jens Axboe <axboe(a)kernel.dk> io_uring: fix 'sync' handling of io_fallback_tw() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix PMU pass-through issue if VM exits to host finally Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fully clear some CSRs when VM reboot Petr Tesarik <ptesarik(a)suse.com> LoongArch: Remove a bogus reference to ZONE_DMA Ming Wang <wangming01(a)loongson.cn> LoongArch: Return NULL from huge_pte_offset() for invalid PMD Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle fp, lsx, lasx and lbt assembly symbols Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/insn: Fix CTEST instruction decoding Roman Li <Roman.Li(a)amd.com> drm/amd/display: Force full update in gpu reset Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix gpu reset in multidisplay config Hugo Villeneuve <hvilleneuve(a)dimonoff.com> drm: panel: jd9365da: fix reset signal polarity in unprepare Christian Schrefl <chrisi.schrefl(a)gmail.com> rust: firmware: Use `ffi::c_char` type in `FwFunc` Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Fix pending I/O counter Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Oleksij Rempel <o.rempel(a)pengutronix.de> net: selftests: initialize TCP header and skb payload with zero Alexey Nepomnyashih <sdl(a)nppct.ru> xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() Marek Behún <kabel(a)kernel.org> crypto: atmel-sha204a - Set hwrng quality to lowest possible Breno Leitao <leitao(a)debian.org> sched_ext: Use kvzalloc for large exit_dump allocation Halil Pasic <pasic(a)linux.ibm.com> virtio_console: fix missing byte order handling for cols and rows Florian Westphal <fw(a)strlen.de> netfilter: fib: avoid lookup if socket is available Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> KVM: SVM: Disable AVIC on SNP-enabled system without HvInUseWrAllowed feature Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make do_xyz() exception handlers more robust Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make regs_irqs_disabled() more clear Yuli Wang <wangyuli(a)uniontech.com> LoongArch: Select ARCH_USE_MEMTEST Luo Gengkun <luogengkun(a)huaweicloud.com> perf/x86: Fix non-sampling (counting) events on certain x86 platforms Alexei Starovoitov <ast(a)kernel.org> bpf: Add namespace to BPF internal symbols T.J. Mercier <tjmercier(a)google.com> splice: remove duplicate noinline from pipe_clear_nowait Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Björn Töpel <bjorn(a)rivosinc.com> riscv: Replace function-like macro by static inline function Sean Christopherson <seanjc(a)google.com> iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Christoph Hellwig <hch(a)lst.de> block: never reduce ra_pages in blk_apply_bdi_limits Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make wait_context part of q_info Brett Creeley <brett.creeley(a)amd.com> pds_core: Remove unnecessary check in pds_client_adminq_cmd() Brett Creeley <brett.creeley(a)amd.com> pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result Brett Creeley <brett.creeley(a)amd.com> pds_core: Prevent possible adminq overflow/stuck condition Daniel Golle <daniel(a)makrotopia.org> net: dsa: mt7530: sync driver-specific behavior of MT7531 variants Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a UAF vulnerability in class handling Al Viro <viro(a)zeniv.linux.org.uk> fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount() Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: net: revise NETSYSv3 hardware configuration Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Qingfang Deng <qingfang.deng(a)siflower.com.cn> net: phy: leds: fix memory leak Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: disable BHs when required Chenyuan Yang <chenyuan0y(a)gmail.com> scsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer() Anastasia Kovaleva <a.kovaleva(a)yadro.com> scsi: core: Clear flags for scsi_cmnd that did not complete Henry Martin <bsdhenrymartin(a)gmail.com> net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin <bsdhenrymartin(a)gmail.com> net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: Fix vhost_scsi_send_status() Dongli Zhang <dongli.zhang(a)oracle.com> vhost-scsi: Fix vhost_scsi_send_bad_target() Mike Christie <michael.christie(a)oracle.com> vhost-scsi: Add better resource allocation failure handling T.J. Mercier <tjmercier(a)google.com> cgroup/cpuset-v1: Add missing support for cpuset_v2_mode Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: return EIO on RAID1 block group write pointer mismatch Qu Wenruo <wqu(a)suse.com> btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range() Johan Hovold <johan+linaro(a)kernel.org> cpufreq: fix compile-test defaults Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> cpufreq: Do not enable by default during compile testing Marc Zyngier <maz(a)kernel.org> cpufreq: cppc: Fix invalid return value in .get() callback Chenyuan Yang <chenyuan0y(a)gmail.com> scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() Arnd Bergmann <arnd(a)arndb.de> dma/contiguous: avoid warning about unused size_bytes Andre Przywara <andre.przywara(a)arm.com> cpufreq: sun50i: prevent out-of-bounds access David Howells <dhowells(a)redhat.com> ceph: Fix incorrect flush end position calculation Nathan Chancellor <nathan(a)kernel.org> lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display/dml2: use vzalloc rather than kzalloc Rohit Chavan <roheetchavan(a)gmail.com> drm/amd/display: Fix unnecessary cast warnings from checkpatch Matt Roper <matthew.d.roper(a)intel.com> drm/xe/bmg: Add one additional PCI ID Jonathan Currier <dullfire(a)yahoo.com> net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Move UFS shareability value to drvdata Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Add gs101_ufs_drv_init() hook and enable WriteBooster Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: exynos: Remove superfluous function parameter Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: exynos: Remove empty drv_init method Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in __smb2_lease_break_noti() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add netdev-up/down event debug print Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: use __GFP_RETRY_MAYFAIL Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Fix the NPU's DPU frequency calculation Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Add auto selection logic for job scheduler Jonathan Currier <dullfire(a)yahoo.com> PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Thomas Gleixner <tglx(a)linutronix.de> PCI/MSI: Handle the NOMASK flag correctly for all PCI/MSI backends Roger Pau Monne <roger.pau(a)citrix.com> PCI/MSI: Convert pci_msi_ignore_mask to per MSI domain flag Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Support mmap() of PCI resources except for ISM devices Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Report PCI error recovery results via SCLP Niklas Schnelle <schnelle(a)linux.ibm.com> s390/sclp: Allow user-space to provide PCI reports for optical modules Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Zijun Hu <quic_zijuhu(a)quicinc.com> of: resolver: Fix device node refcount leakage in of_resolve_phandles() Rob Herring (Arm) <robh(a)kernel.org> of: resolver: Simplify of_resolve_phandles() using __free() Siddharth Vadapalli <s-vadapalli(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks Manorit Chawdhry <m-chawdhry(a)ti.com> arm64: dts: ti: Refactor J784s4 SoC files to a common file Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: adc: ad7768-1: Fix conversion result sign Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix VTU methods for 6320 family Ming Lei <ming.lei(a)redhat.com> block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone Christoph Hellwig <hch(a)lst.de> block: remove the ioprio field from struct request Christoph Hellwig <hch(a)lst.de> block: remove the write_hint field from struct request Hans de Goede <hdegoede(a)redhat.com> media: ov08x40: Add missing ov08x40_identify_module() call on stream-start Hans de Goede <hdegoede(a)redhat.com> media: ov08x40: Move ov08x40_identify_module() function up André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Fix link frequency validation André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Check number of lanes from device tree André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Replace register addresses with macros André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Convert to CCI register access helpers André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Simplify with dev_err_probe() André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Use subdev active state Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: EM: Address RCU-related sparse warnings Li RongQing <lirongqing(a)baidu.com> PM: EM: use kfree_rcu() to simplify the code Tudor Ambarus <tudor.ambarus(a)linaro.org> mmc: sdhci-msm: fix dev reference leaked through of_qcom_ice_get Tudor Ambarus <tudor.ambarus(a)linaro.org> soc: qcom: ice: introduce devm_of_qcom_ice_get Jinjiang Tu <tujinjiang(a)huawei.com> mm/vmscan: don't try to reclaim hwpoison folio Steven Rostedt <rostedt(a)goodmis.org> tracing: Verify event formats that have "%*p.." Steven Rostedt <rostedt(a)goodmis.org> tracing: Add __print_dynamic_array() helper Thorsten Leemhuis <linux(a)leemhuis.info> module: sign with sha512 instead of sha1 by default ------------- Diffstat: Documentation/bpf/bpf_devel_QA.rst | 8 + Makefile | 4 +- arch/arm/crypto/Kconfig | 10 +- .../arm64/boot/dts/ti/k3-j784s4-j742s2-common.dtsi | 148 ++ .../boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 2673 +++++++++++++++++++ ...tsi => k3-j784s4-j742s2-mcu-wakeup-common.dtsi} | 2 +- ...l.dtsi => k3-j784s4-j742s2-thermal-common.dtsi} | 0 arch/arm64/boot/dts/ti/k3-j784s4-main.dtsi | 2705 +------------------- arch/arm64/boot/dts/ti/k3-j784s4.dtsi | 133 +- arch/arm64/crypto/Kconfig | 6 +- arch/loongarch/Kconfig | 1 + arch/loongarch/include/asm/fpu.h | 33 +- arch/loongarch/include/asm/lbt.h | 10 +- arch/loongarch/include/asm/ptrace.h | 4 +- arch/loongarch/kernel/fpu.S | 6 + arch/loongarch/kernel/lbt.S | 4 + arch/loongarch/kernel/signal.c | 21 - arch/loongarch/kernel/traps.c | 20 +- arch/loongarch/kvm/vcpu.c | 8 + arch/loongarch/mm/hugetlbpage.c | 2 +- arch/loongarch/mm/init.c | 3 - arch/mips/crypto/Kconfig | 7 +- arch/mips/include/asm/mips-cm.h | 22 + arch/mips/kernel/mips-cm.c | 14 + arch/parisc/kernel/pdt.c | 2 + arch/powerpc/crypto/Kconfig | 7 +- arch/riscv/crypto/Kconfig | 1 - arch/riscv/include/asm/alternative-macros.h | 21 +- arch/riscv/include/asm/cacheflush.h | 15 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/s390/Kconfig | 4 +- arch/s390/crypto/Kconfig | 3 +- arch/s390/include/asm/pci.h | 3 + arch/s390/include/asm/sclp.h | 33 + arch/s390/kvm/intercept.c | 2 +- arch/s390/kvm/interrupt.c | 8 +- arch/s390/kvm/kvm-s390.c | 10 +- arch/s390/kvm/trace-s390.h | 4 +- arch/s390/pci/Makefile | 2 +- arch/s390/pci/pci_event.c | 21 +- arch/s390/pci/pci_fixup.c | 23 + arch/s390/pci/pci_report.c | 111 + arch/s390/pci/pci_report.h | 16 + arch/um/include/linux/time-internal.h | 2 + arch/um/kernel/skas/syscall.c | 11 + arch/x86/crypto/Kconfig | 11 +- arch/x86/entry/entry.S | 2 +- arch/x86/events/core.c | 2 +- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/intel-family.h | 2 + arch/x86/kernel/cpu/bugs.c | 36 +- arch/x86/kernel/i8253.c | 3 +- arch/x86/kvm/svm/avic.c | 66 +- arch/x86/kvm/vmx/posted_intr.c | 28 +- arch/x86/kvm/x86.c | 20 +- arch/x86/lib/x86-opcode-map.txt | 4 +- arch/x86/mm/tlb.c | 6 +- arch/x86/pci/xen.c | 8 +- arch/x86/xen/enlighten_pvh.c | 19 +- block/blk-merge.c | 26 +- block/blk-mq.c | 6 +- block/blk-settings.c | 8 +- block/mq-deadline.c | 13 +- crypto/Kconfig | 3 + crypto/crypto_null.c | 37 +- drivers/accel/ivpu/ivpu_drv.c | 10 +- drivers/accel/ivpu/ivpu_drv.h | 2 + drivers/accel/ivpu/ivpu_fw.c | 18 +- drivers/accel/ivpu/ivpu_fw.h | 3 + drivers/accel/ivpu/ivpu_hw.h | 12 +- drivers/accel/ivpu/ivpu_hw_btrs.c | 128 +- drivers/accel/ivpu/ivpu_hw_btrs.h | 6 +- drivers/accel/ivpu/ivpu_job.c | 14 +- drivers/accel/ivpu/ivpu_sysfs.c | 24 + drivers/acpi/ec.c | 28 + drivers/acpi/pptt.c | 4 +- drivers/ata/libata-scsi.c | 25 +- drivers/base/base.h | 17 + drivers/base/bus.c | 2 +- drivers/base/core.c | 38 +- drivers/base/dd.c | 7 +- drivers/char/misc.c | 2 +- drivers/char/virtio_console.c | 7 +- drivers/clk/clk.c | 4 + drivers/comedi/drivers/jr3_pci.c | 2 +- drivers/cpufreq/Kconfig.arm | 20 +- drivers/cpufreq/apple-soc-cpufreq.c | 10 +- drivers/cpufreq/cppc_cpufreq.c | 2 +- drivers/cpufreq/scmi-cpufreq.c | 10 +- drivers/cpufreq/scpi-cpufreq.c | 13 +- drivers/cpufreq/sun50i-cpufreq-nvmem.c | 18 +- drivers/crypto/atmel-sha204a.c | 6 + drivers/crypto/ccp/sp-pci.c | 1 + drivers/cxl/core/regs.c | 4 - drivers/dma/dmatest.c | 6 +- drivers/firmware/stratix10-svc.c | 14 +- drivers/gpio/gpiolib-of.c | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 19 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 6 +- drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +- .../drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 11 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 6 +- drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 4 +- drivers/gpu/drm/xe/xe_wa_oob.rules | 2 + drivers/i3c/master/svc-i3c-master.c | 17 +- drivers/iio/adc/ad7768-1.c | 5 +- drivers/infiniband/hw/qib/qib_fs.c | 1 + drivers/iommu/amd/iommu.c | 2 +- drivers/iommu/iommu.c | 8 + drivers/irqchip/irq-gic-v2m.c | 2 +- drivers/mailbox/pcc.c | 15 +- drivers/mcb/mcb-parse.c | 2 +- drivers/md/raid1.c | 26 +- drivers/media/i2c/Kconfig | 1 + drivers/media/i2c/imx214.c | 934 ++++--- drivers/media/i2c/ov08x40.c | 78 +- drivers/misc/lkdtm/perms.c | 14 +- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 8 +- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + drivers/misc/mei/vsc-tp.c | 26 +- drivers/mmc/host/sdhci-msm.c | 2 +- drivers/net/dsa/mt7530.c | 6 +- drivers/net/dsa/mv88e6xxx/chip.c | 27 +- drivers/net/ethernet/amd/pds_core/adminq.c | 36 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 3 - drivers/net/ethernet/amd/pds_core/core.c | 9 +- drivers/net/ethernet/amd/pds_core/core.h | 4 +- drivers/net/ethernet/amd/pds_core/devlink.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 24 +- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 10 +- .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 26 +- drivers/net/ethernet/sun/niu.c | 2 + drivers/net/phy/microchip.c | 46 +- drivers/net/phy/phy_led_triggers.c | 23 +- drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +- drivers/net/xen-netfront.c | 19 +- drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +- drivers/nvme/host/core.c | 9 + drivers/nvme/host/multipath.c | 2 +- drivers/nvme/target/fc.c | 25 +- drivers/of/resolver.c | 37 +- drivers/pci/msi/msi.c | 38 +- drivers/phy/rockchip/phy-rockchip-usbdp.c | 1 - drivers/pinctrl/pinctrl-mcp23s08.c | 23 +- drivers/pinctrl/renesas/pinctrl-rza2.c | 3 + drivers/regulator/rk808-regulator.c | 4 +- drivers/rtc/rtc-pcf85063.c | 19 +- drivers/s390/char/sclp.h | 14 - drivers/s390/char/sclp_con.c | 17 + drivers/s390/char/sclp_pci.c | 19 +- drivers/s390/char/sclp_tty.c | 12 + drivers/s390/net/ism_drv.c | 1 - drivers/scsi/hisi_sas/hisi_sas_main.c | 20 + drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +- drivers/scsi/pm8001/pm8001_sas.c | 1 + drivers/scsi/scsi.c | 36 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/sd.c | 6 +- drivers/soc/qcom/ice.c | 48 + drivers/spi/spi-imx.c | 5 +- drivers/spi/spi-tegra210-quad.c | 6 +- drivers/thunderbolt/tb.c | 16 +- drivers/tty/serial/msm_serial.c | 6 + drivers/tty/serial/sifive.c | 6 + drivers/tty/vt/selection.c | 5 +- drivers/ufs/core/ufs-mcq.c | 12 +- drivers/ufs/core/ufshcd.c | 2 + drivers/ufs/host/ufs-exynos.c | 106 +- drivers/ufs/host/ufs-exynos.h | 8 +- drivers/ufs/host/ufs-qcom.c | 2 +- drivers/usb/cdns3/cdns3-gadget.c | 2 + drivers/usb/chipidea/ci_hdrc_imx.c | 44 +- drivers/usb/class/cdc-wdm.c | 21 +- drivers/usb/core/quirks.c | 9 + drivers/usb/dwc3/dwc3-pci.c | 10 + drivers/usb/dwc3/dwc3-xilinx.c | 4 +- drivers/usb/dwc3/gadget.c | 28 +- drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 + drivers/usb/host/max3421-hcd.c | 7 + drivers/usb/host/ohci-pci.c | 23 + drivers/usb/host/xhci-hub.c | 30 +- drivers/usb/host/xhci-mvebu.c | 10 - drivers/usb/host/xhci-mvebu.h | 6 - drivers/usb/host/xhci-plat.c | 2 +- drivers/usb/host/xhci-ring.c | 75 +- drivers/usb/host/xhci.c | 4 +- drivers/usb/host/xhci.h | 4 +- drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 5 + drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb-serial-simple.c | 7 + drivers/usb/storage/unusual_uas.h | 7 + drivers/usb/typec/class.c | 24 +- drivers/usb/typec/class.h | 1 + drivers/vhost/scsi.c | 80 +- drivers/xen/Kconfig | 2 +- fs/btrfs/file.c | 9 +- fs/btrfs/zoned.c | 1 - fs/ceph/inode.c | 2 +- fs/ext4/block_validity.c | 5 +- fs/ext4/inode.c | 9 +- fs/iomap/buffered-io.c | 2 +- fs/namespace.c | 69 +- fs/netfs/main.c | 4 + fs/ntfs3/file.c | 20 +- fs/smb/client/sess.c | 60 +- fs/smb/client/smb1ops.c | 36 + fs/smb/server/asn1.c | 6 +- fs/smb/server/auth.c | 19 +- fs/smb/server/connection.c | 8 +- fs/smb/server/crypto_ctx.c | 6 +- fs/smb/server/glob.h | 2 + fs/smb/server/ksmbd_netlink.h | 3 +- fs/smb/server/ksmbd_work.c | 10 +- fs/smb/server/mgmt/ksmbd_ida.c | 11 +- fs/smb/server/mgmt/share_config.c | 10 +- fs/smb/server/mgmt/tree_connect.c | 5 +- fs/smb/server/mgmt/user_config.c | 8 +- fs/smb/server/mgmt/user_session.c | 10 +- fs/smb/server/misc.c | 11 +- fs/smb/server/ndr.c | 10 +- fs/smb/server/oplock.c | 12 +- fs/smb/server/server.c | 4 +- fs/smb/server/server.h | 1 + fs/smb/server/smb2pdu.c | 42 +- fs/smb/server/smb_common.c | 2 +- fs/smb/server/smbacl.c | 23 +- fs/smb/server/transport_ipc.c | 7 +- fs/smb/server/transport_rdma.c | 10 +- fs/smb/server/transport_tcp.c | 93 +- fs/smb/server/transport_tcp.h | 2 + fs/smb/server/unicode.c | 4 +- fs/smb/server/vfs.c | 12 +- fs/smb/server/vfs_cache.c | 18 +- fs/splice.c | 2 +- fs/xfs/xfs_aops.c | 41 +- fs/xfs/xfs_qm_bhv.c | 49 +- fs/xfs/xfs_super.c | 8 +- include/drm/intel/i915_pciids.h | 1 + include/linux/blk-mq.h | 8 +- include/linux/energy_model.h | 12 +- include/linux/msi.h | 3 +- include/linux/pci.h | 2 + include/linux/pci_ids.h | 1 + include/net/netfilter/nft_fib.h | 21 + include/soc/qcom/ice.h | 2 + include/trace/events/block.h | 6 +- include/trace/stages/stage3_trace_output.h | 8 + include/trace/stages/stage7_class_define.h | 1 + include/uapi/drm/ivpu_accel.h | 4 +- init/Kconfig | 2 +- io_uring/io_uring.c | 15 +- io_uring/refs.h | 7 + kernel/bpf/bpf_cgrp_storage.c | 11 +- kernel/bpf/hashtab.c | 6 +- kernel/bpf/preload/bpf_preload_kern.c | 1 + kernel/bpf/syscall.c | 6 +- kernel/bpf/verifier.c | 32 + kernel/cgroup/cgroup.c | 29 + kernel/cgroup/cpuset-internal.h | 1 + kernel/cgroup/cpuset.c | 14 + kernel/dma/contiguous.c | 3 +- kernel/events/core.c | 6 +- kernel/irq/msi.c | 2 +- kernel/module/Kconfig | 1 + kernel/panic.c | 6 + kernel/power/energy_model.c | 47 +- kernel/sched/ext.c | 4 +- kernel/time/tick-common.c | 22 + kernel/trace/bpf_trace.c | 7 +- kernel/trace/trace_events.c | 7 + lib/Kconfig.ubsan | 1 - lib/crypto/Kconfig | 37 +- lib/test_ubsan.c | 18 +- mm/vmscan.c | 7 + net/9p/client.c | 30 +- net/9p/trans_fd.c | 17 +- net/core/lwtunnel.c | 26 +- net/core/selftests.c | 18 +- net/ipv4/netfilter/nft_fib_ipv4.c | 11 +- net/ipv6/netfilter/nft_fib_ipv6.c | 19 +- net/sched/sch_hfsc.c | 23 +- net/tipc/monitor.c | 3 +- rust/kernel/firmware.rs | 8 +- samples/trace_events/trace-events-sample.h | 13 +- scripts/Makefile.lib | 2 +- scripts/Makefile.vmlinux | 4 + sound/soc/codecs/wcd934x.c | 2 +- sound/soc/fsl/fsl_asrc_dma.c | 15 +- sound/virtio/virtio_pcm.c | 21 +- tools/arch/x86/lib/x86-opcode-map.txt | 4 +- tools/bpf/bpftool/prog.c | 1 + tools/objtool/check.c | 36 +- tools/testing/selftests/bpf/network_helpers.c | 33 +- .../selftests/bpf/prog_tests/xdp_cpumap_attach.c | 44 +- .../selftests/bpf/prog_tests/xdp_devmap_attach.c | 8 +- .../bpf/progs/test_xdp_with_cpumap_helpers.c | 7 +- tools/testing/selftests/mincore/mincore_selftest.c | 3 - tools/testing/selftests/ublk/test_stripe_04.sh | 24 + 312 files changed, 6080 insertions(+), 4681 deletions(-)

7 months, 4 weeks

13
293
0 0

[PATCH] fs/eventpoll: fix endless busy loop after timeout has expired

by Max Kellermann

After commit 0a65bc27bd64 ("eventpoll: Set epoll timeout if it's in the future"), the following program would immediately enter a busy loop in the kernel: ``` int main() { int e = epoll_create1(0); struct epoll_event event = {.events = EPOLLIN}; epoll_ctl(e, EPOLL_CTL_ADD, 0, &event); const struct timespec timeout = {.tv_nsec = 1}; epoll_pwait2(e, &event, 1, &timeout, 0); } ``` This happens because the given (non-zero) timeout of 1 nanosecond usually expires before ep_poll() is entered and then ep_schedule_timeout() returns false, but `timed_out` is never set because the code line that sets it is skipped. This quickly turns into a soft lockup, RCU stalls and deadlocks, inflicting severe headaches to the whole system. When the timeout has expired, we don't need to schedule a hrtimer, but we should set the `timed_out` variable. Therefore, I suggest moving the ep_schedule_timeout() check into the `timed_out` expression instead of skipping it. Fixes: 0a65bc27bd64 ("eventpoll: Set epoll timeout if it's in the future") Cc: Joe Damato <jdamato(a)fastly.com> Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- fs/eventpoll.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 4bc264b854c4..d4dbffdedd08 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2111,9 +2111,10 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, write_unlock_irq(&ep->lock); - if (!eavail && ep_schedule_timeout(to)) - timed_out = !schedule_hrtimeout_range(to, slack, - HRTIMER_MODE_ABS); + if (!eavail) + timed_out = !ep_schedule_timeout(to) || + !schedule_hrtimeout_range(to, slack, + HRTIMER_MODE_ABS); __set_current_state(TASK_RUNNING); /* -- 2.47.2

7 months, 4 weeks

3
2
0 0

[PATCH 5.10 000/286] 5.10.237-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.237 release. There are 286 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 01 May 2025 16:10:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.237-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.237-rc1 Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: hfi_parser: Check for instance after hfi platform get Colin Ian King <colin.king(a)canonical.com> media: venus: Fix uninitialized variable count being checked for zero Krzysztof Kozlowski <krzk(a)kernel.org> soc: samsung: exynos-chipid: correct helpers __init annotation Rob Herring <robh(a)kernel.org> PCI: Fix use-after-free in pci_bus_release_domain_nr() Hannes Reinecke <hare(a)kernel.org> nvme: fixup scan failure for non-ANA multipath controllers Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: cm: Fix warning if MIPS_CM is disabled Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> xdp: Reset bpf_redirect_info before running a xdp's BPF prog. Marek Behún <kabel(a)kernel.org> crypto: atmel-sha204a - Set hwrng quality to lowest possible Ian Abbott <abbotti(a)mev.co.uk> comedi: jr3_pci: Fix synchronous deletion of timer David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Meir Elisha <meir.elisha(a)volumez.com> md/raid1: Add check for missing source disk in process_checks() Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy_attached to zero when device is gone Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: make block validity check resistent to sb bh corruption Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Use SBPB in write_ibpb() if applicable Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> selftests/mincore: Allow read-ahead pages to reach the end of the file Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Stop UNRET validation on UD2 Hannes Reinecke <hare(a)kernel.org> nvme: re-read ANA log page after ns scan completes Jean-Marc Eurin <jmeurin(a)google.com> ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Hannes Reinecke <hare(a)kernel.org> nvme: requeue namespace scan on missed AENs Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix test_stripe_04 Xiaogang Chen <xiaogang.chen(a)amd.com> udmabuf: fix a buf size overflow issue during udmabuf creation Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through tracepoints Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Arnd Bergmann <arnd(a)arndb.de> ntb: reduce stack usage in idt_scan_mws Al Viro <viro(a)zeniv.linux.org.uk> qibfs: fix _another_ leak Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() Chenyuan Yang <chenyuan0y(a)gmail.com> usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Vinicius Costa Gomes <vinicius.gomes(a)intel.com> dmaengine: dmatest: Fix dmatest waiting less when interrupted Alexander Stein <alexander.stein(a)mailbox.org> usb: host: max3421-hcd: Add missing spi_device_id table Yu-Chun Lin <eleanor15x(a)gmail.com> parisc: PDT: Fix missing prototype warning Heiko Stuebner <heiko(a)sntech.de> clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: null - Use spin lock instead of mutex Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: cm: Detect CM quirks from device tree Oliver Neukum <oneukum(a)suse.com> USB: VLI disk crashes if LPM is used Miao Li <limiao(a)kylinos.cn> usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive Miao Li <limiao(a)kylinos.cn> usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Frode Isaksen <frode(a)meta.com> usb: dwc3: gadget: check that event count does not exceed event buffer length Huacai Chen <chenhuacai(a)loongson.cn> USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Ralph Siemsen <ralph.siemsen(a)linaro.org> usb: cdns3: Fix deadlock when using NCM gadget Craig Hesling <craig(a)hesling.com> USB: serial: simple: add OWON HDS200 series oscilloscope support Adam Xue <zxue(a)semtech.com> USB: serial: option: add Sierra Wireless EM9291 Michael Ehrenreich <michideep(a)gmail.com> USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Ryo Takakura <ryotkkr98(a)gmail.com> serial: sifive: lock port in startup()/shutdown() callbacks Sean Christopherson <seanjc(a)google.com> KVM: x86: Reset IRTE to host control if *new* route isn't postable Alexander Usyskin <alexander.usyskin(a)intel.com> mei: me: add panther lake H DID Oliver Neukum <oneukum(a)suse.com> USB: storage: quirk for ADATA Portable HDD CH94 Haoxiang Li <haoxiang_li2024(a)163.com> mcb: fix a double free bug in chameleon_parse_gdd() Sean Christopherson <seanjc(a)google.com> KVM: SVM: Allocate IR data using atomic allocation Halil Pasic <pasic(a)linux.ibm.com> virtio_console: fix missing byte order handling for cols and rows Sean Christopherson <seanjc(a)google.com> iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a UAF vulnerability in class handling Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Qingfang Deng <qingfang.deng(a)siflower.com.cn> net: phy: leds: fix memory leak Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Arnd Bergmann <arnd(a)arndb.de> dma/contiguous: avoid warning about unused size_bytes Matthew Auld <matthew.auld(a)intel.com> drm/amdgpu/dma_buf: fix page_link check Ramesh Errabolu <Ramesh.Errabolu(a)amd.com> drm/amdgpu: Remove amdgpu_device arg from free_sgt api (v2) Lee Jones <lee.jones(a)linaro.org> drm/amd/amdgpu/amdgpu_vram_mgr: Add missing descriptions for 'dev' and 'dir' Mark Brown <broonie(a)kernel.org> selftests/mm: generate a temporary mountpoint for cgroup filesystem Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_register_host_bridge() Pali Rohár <pali(a)kernel.org> PCI: Assign PCI domain IDs by ida_alloc() Kai-Heng Feng <kai.heng.feng(a)canonical.com> PCI: Coalesce host bridge contiguous apertures Boqun Feng <boqun.feng(a)gmail.com> PCI: Introduce domain_nr in pci_host_bridge Alexandra Diupina <adiupina(a)astralinux.ru> cifs: avoid NULL pointer dereference in dbg call Enzo Matsumiya <ematsumiya(a)suse.de> cifs: print TIDs as hex Herve Codina <herve.codina(a)bootlin.com> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: adc: ad7768-1: Fix conversion result sign Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Chenyuan Yang <chenyuan0y(a)gmail.com> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Sam Protsenko <semen.protsenko(a)linaro.org> soc: samsung: exynos-chipid: Pass revision reg offsets Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> soc: samsung: exynos-chipid: avoid soc_device_to_device() Krzysztof Kozlowski <krzk(a)kernel.org> soc: samsung: exynos-chipid: convert to driver and merge exynos-asv Krzysztof Kozlowski <krzk(a)kernel.org> soc: samsung: exynos-chipid: initialize later - with arch_initcall Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix VTU methods for 6320 family Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: refactor hfi packet parsing logic Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: Get codecs and capabilities from hfi platform Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: hfi_plat: Add codecs and capabilities ops Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: Rename venus_caps to hfi_plat_caps Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: Create hfi platform and move vpp/vsp there Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: pm_helpers: Check instance state when calculate instance frequency Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: hfi: Correct session init return error Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: Limit HFI sessions to the maximum supported Stanimir Varbanov <stanimir.varbanov(a)linaro.org> media: venus: venc: Init the session only once in queue_setup Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: fix race between device disconnection and urb callback Sean Young <sean(a)mess.org> media: streamzap: remove unused struct members Sean Young <sean(a)mess.org> media: streamzap: less chatter Sean Young <sean(a)mess.org> media: streamzap: no need for usb pid/vid in device name Sean Young <sean(a)mess.org> media: streamzap: remove unnecessary ir_raw_event_reset and handle Douglas Raillard <douglas.raillard(a)arm.com> tracing: Fix synth event printk format for str fields Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Allow synthetic events to pass around stacktraces Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Correct command storage data length Hans de Goede <hdegoede(a)redhat.com> drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler() Kunwu Chan <chentao(a)kylinos.cn> pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Miroslav Franc <mfranc(a)suse.cz> s390/dasd: fix double module refcount decrement Duoming Zhou <duoming(a)zju.edu.cn> drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix apply_to_existing_page_range() Oleg Nesterov <oleg(a)redhat.com> fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats Chris Wilson <chris.p.wilson(a)intel.com> drm/i915/gt: Cleanup partial engine discovery failures Miaohe Lin <linmiaohe(a)huawei.com> kernel/resource: fix kfree() of bootmem memory again Abhishek Sahu <abhsahu(a)nvidia.com> vfio/pci: fix memory leak during D3hot to D0 transition Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: fix flushing uninitialized delayed_work on cache_ctr error Pei Li <peili.dev(a)gmail.com> jfs: Fix shift-out-of-bounds in dbDiscardAG WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Eric Dumazet <edumazet(a)google.com> net: defer final 'struct net' free in netns dismantle Guixin Liu <kanie(a)linux.alibaba.com> scsi: ufs: bsg: Set bsg_queue to NULL after removal Tuo Li <islituo(a)gmail.com> scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Felix Huettner <felix.huettner(a)mail.schwarz> net: openvswitch: fix race on port output Chen Hanxiao <chenhx.fnst(a)fujitsu.com> ipvs: properly dereference pe in ip_vs_add_service Vlad Buslov <vladbu(a)nvidia.com> net/mlx5e: Fix use-after-free of encap entry in neigh update handler Xiaxi Shen <shenxiaxi26(a)gmail.com> ext4: fix timer use-after-free on failed mount Li Nan <linan122(a)huawei.com> blk-iocost: do not WARN if iocg was already offlined Yu Kuai <yukuai3(a)huawei.com> blk-cgroup: support to track if policy is online Hou Tao <houtao1(a)huawei.com> bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers Andrii Nakryiko <andrii(a)kernel.org> bpf: avoid holding freeze_mutex during mmap operation Paulo Alcantara <pc(a)manguebit.com> smb: client: fix NULL ptr deref in crypto_aead_setkey() Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: fix UAF in async decryption Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential UAF in cifs_stats_proc_show() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential deadlock when releasing mids Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> cifs: Fix UAF in cifs_demultiplex_thread() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential UAF in cifs_debug_files_proc_show() WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Hersen Wu <hersenxs.wu(a)amd.com> drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Kang Yang <quic_kangyang(a)quicinc.com> wifi: ath10k: avoid NULL pointer error during sdio remove Miaoqian Lin <linmq006(a)gmail.com> phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Chunguang Xu <chunguang.xu(a)shopee.com> nvme: avoid double free special payload Ard Biesheuvel <ardb(a)kernel.org> x86/pvh: Call C code via the kernel virtual mapping Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting IPV6_V6ONLY Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: only inc MPJoinAckHMacFailure for HMAC failures Gang Yan <yangang(a)kylinos.cn> mptcp: fix NULL pointer in can_accept_new_subflow Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay: Prevent division by zero Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Thorsten Leemhuis <linux(a)leemhuis.info> module: sign with sha512 instead of sha1 by default Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Steven Rostedt <rostedt(a)goodmis.org> tracing: Fix filter string testing Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Herbert Xu <herbert(a)gondor.apana.org.au> crypto: caam/qi - Fix drv_ctx refcount bug Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: decrease sc_count directly if fail to queue dl_recall Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Jeff Layton <jlayton(a)kernel.org> nfs: move nfs_fhandle_hash to common include file Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Do not inline arch_kgdb_breakpoint() Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Abdun Nihaal <abdun.nihaal(a)gmail.com> cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Christopher S M Hall <christopher.s.hall(a)intel.com> igc: cleanup PTP module if probe fails Christopher S M Hall <christopher.s.hall(a)intel.com> igc: handle the IGC_PTP_ENABLED flag correctly Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Shay Drory <shayd(a)nvidia.com> RDMA/core: Silence oversized kvmalloc() warning Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix wrong maximum DMA segment size Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Kaixin Wang <kxwang23(a)m.fudan.edu.cn> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Daniel Golle <daniel(a)makrotopia.org> pwm: mediatek: always use bus clock for PWM on MT7622 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Stephan Gerhold <stephan.gerhold(a)linaro.org> pinctrl: qcom: Clear latched interrupt status when changing IRQ type Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Chenyuan Yang <chenyuan0y(a)gmail.com> mfd: ene-kb3930: Fix a potential NULL pointer dereference Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix oversized null mkey longer than 32bit Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Alexandre Torgue <alexandre.torgue(a)foss.st.com> clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Replace kcalloc() with devm_kcalloc() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Miquel Raynal <miquel.raynal(a)bootlin.com> spi: cadence-qspi: Fix probe on AM62A LP SK Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Eric Biggers <ebiggers(a)google.com> ext4: reject casefold inode flag without casefold feature Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Ben Dooks <ben.dooks(a)sifive.com> bpf: Add endian modifiers to fix endian warnings Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: rcar: Improve register calculation Geert Uytterhoeven <geert+renesas(a)glider.be> pwm: rcar: Simplify multiplication/shift logic Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Fabien Parent <fparent(a)baylibre.com> pwm: mediatek: Always use bus clock Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/bridge: panel: forbid initializing a panel with unknown connector type Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Trond Myklebust <trond.myklebust(a)hammerspace.com> umount: Allow superblock owners to force umount Florian Westphal <fw(a)strlen.de> nft_set_pipapo: fix incorrect avx2 match of 5th field octet Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Daniel Wagner <wagi(a)kernel.org> nvmet-fcloop: swap list_add_tail arguments Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Hannes Reinecke <hare(a)suse.de> ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones Jakub Kicinski <kuba(a)kernel.org> net: tls: explicitly disallow disconnect Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() ------------- Diffstat: Makefile | 7 +- arch/arm/mach-exynos/Kconfig | 1 - arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/kernel/proton-pack.c | 1 + arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/include/asm/mips-cm.h | 22 +++ arch/mips/kernel/cevt-ds1287.c | 1 + arch/mips/kernel/mips-cm.c | 14 ++ arch/parisc/kernel/pdt.c | 2 + arch/powerpc/kernel/rtas.c | 4 + arch/riscv/include/asm/kgdb.h | 9 +- arch/riscv/include/asm/syscall.h | 7 +- arch/riscv/kernel/kgdb.c | 6 + arch/s390/kvm/trace-s390.h | 4 +- arch/sparc/mm/tlb.c | 5 +- arch/x86/entry/entry.S | 2 +- arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 49 ++----- arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/bugs.c | 8 +- arch/x86/kernel/e820.c | 17 ++- arch/x86/kvm/svm/avic.c | 60 ++++---- arch/x86/kvm/vmx/posted_intr.c | 28 ++-- arch/x86/platform/pvh/head.S | 7 +- block/blk-cgroup.c | 24 +++- block/blk-iocost.c | 7 +- crypto/crypto_null.c | 37 +++-- drivers/acpi/pptt.c | 4 +- drivers/ata/ahci.c | 2 + drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 + drivers/ata/sata_sx4.c | 118 ++++++--------- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_ldisc.c | 19 ++- drivers/bluetooth/hci_uart.h | 1 + drivers/char/virtio_console.c | 7 +- drivers/clk/clk.c | 4 + drivers/clocksource/timer-stm32-lp.c | 4 +- drivers/cpufreq/cpufreq.c | 8 ++ drivers/cpufreq/scpi-cpufreq.c | 13 +- drivers/crypto/atmel-sha204a.c | 7 +- drivers/crypto/caam/qi.c | 6 +- drivers/crypto/ccp/sp-pci.c | 15 +- drivers/dma-buf/udmabuf.c | 2 +- drivers/dma/dmatest.c | 6 +- drivers/gpio/gpio-zynq.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 9 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 6 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +- .../gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_panel.c | 5 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 10 +- drivers/gpu/drm/i915/gt/intel_engine_cs.c | 7 +- drivers/gpu/drm/mediatek/mtk_dpi.c | 9 ++ drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/hid/usbhid/hid-pidff.c | 60 +++++--- drivers/hsi/clients/ssi_protocol.c | 1 + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i3c/master.c | 3 + drivers/iio/adc/ad7768-1.c | 5 +- drivers/infiniband/core/umem_odp.c | 6 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/qib/qib_fs.c | 1 + drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +- drivers/iommu/amd/iommu.c | 2 +- drivers/mcb/mcb-parse.c | 2 +- drivers/md/dm-cache-target.c | 24 ++-- drivers/md/dm-integrity.c | 3 + drivers/md/raid1.c | 26 ++-- drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ov7251.c | 4 +- drivers/media/platform/qcom/venus/Makefile | 3 +- drivers/media/platform/qcom/venus/core.c | 17 --- drivers/media/platform/qcom/venus/core.h | 41 +----- drivers/media/platform/qcom/venus/helpers.c | 60 ++++---- drivers/media/platform/qcom/venus/helpers.h | 2 +- drivers/media/platform/qcom/venus/hfi.c | 18 ++- drivers/media/platform/qcom/venus/hfi_parser.c | 159 ++++++++++++++++----- drivers/media/platform/qcom/venus/hfi_parser.h | 2 +- drivers/media/platform/qcom/venus/hfi_platform.c | 49 +++++++ drivers/media/platform/qcom/venus/hfi_platform.h | 61 ++++++++ .../media/platform/qcom/venus/hfi_platform_v4.c | 60 ++++++++ drivers/media/platform/qcom/venus/hfi_venus.c | 18 ++- drivers/media/platform/qcom/venus/pm_helpers.c | 12 +- drivers/media/platform/qcom/venus/vdec.c | 8 +- drivers/media/platform/qcom/venus/venc.c | 91 ++++++++---- drivers/media/rc/streamzap.c | 135 +++++++---------- drivers/media/test-drivers/vim2m.c | 6 +- drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/mfd/ene-kb3930.c | 2 +- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + drivers/misc/pci_endpoint_test.c | 6 +- drivers/mtd/inftlcore.c | 9 +- drivers/mtd/mtdpstore.c | 9 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/dsa/b53/b53_common.c | 10 ++ drivers/net/dsa/mv88e6xxx/chip.c | 25 +++- drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 7 + .../net/ethernet/mellanox/mlx5/core/en/rep/neigh.c | 15 +- .../net/ethernet/mellanox/mlx5/core/en/rep/tc.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 33 ++++- drivers/net/ethernet/mellanox/mlx5/core/en_tc.h | 3 + drivers/net/phy/phy_led_triggers.c | 23 +-- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/wireless/ath/ath10k/sdio.c | 5 +- drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +-- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/host/core.c | 10 ++ drivers/nvme/target/fc.c | 14 -- drivers/nvme/target/fcloop.c | 2 +- drivers/of/irq.c | 13 +- drivers/pci/controller/pcie-brcmstb.c | 13 +- drivers/pci/pci.c | 107 ++++++++------ drivers/pci/probe.c | 60 ++++++-- drivers/pci/remove.c | 7 + drivers/perf/arm_pmu.c | 8 +- drivers/phy/tegra/xusb.c | 2 +- drivers/pinctrl/qcom/pinctrl-msm.c | 12 +- drivers/platform/x86/asus-laptop.c | 9 +- .../x86/intel_speed_select_if/isst_if_common.c | 2 +- drivers/pwm/pwm-fsl-ftm.c | 6 + drivers/pwm/pwm-mediatek.c | 20 ++- drivers/pwm/pwm-rcar.c | 24 ++-- drivers/s390/block/dasd.c | 5 +- drivers/s390/virtio/virtio_ccw.c | 16 ++- drivers/scsi/lpfc/lpfc_hbadisc.c | 2 + drivers/scsi/pm8001/pm8001_sas.c | 1 + drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/st.c | 2 +- drivers/scsi/ufs/ufs_bsg.c | 1 + drivers/soc/samsung/Kconfig | 12 +- drivers/soc/samsung/Makefile | 3 +- drivers/soc/samsung/exynos-asv.c | 45 ++---- drivers/soc/samsung/exynos-asv.h | 2 + drivers/soc/samsung/exynos-chipid.c | 139 +++++++++++++----- drivers/soc/ti/omap_prm.c | 2 + drivers/spi/spi-cadence-quadspi.c | 6 + drivers/staging/comedi/drivers/jr3_pci.c | 15 +- drivers/staging/rtl8723bs/core/rtw_mlme.c | 2 + drivers/thermal/rockchip_thermal.c | 1 + drivers/tty/serial/sifive.c | 6 + drivers/usb/cdns3/gadget.c | 2 + drivers/usb/core/quirks.c | 9 ++ drivers/usb/dwc3/gadget.c | 6 + drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 + drivers/usb/host/max3421-hcd.c | 7 + drivers/usb/host/ohci-pci.c | 23 +++ drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 5 + drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb-serial-simple.c | 7 + drivers/usb/storage/unusual_uas.h | 7 + drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/vfio/pci/vfio_pci.c | 13 ++ drivers/video/backlight/led_bl.c | 5 +- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/Kconfig | 1 + fs/btrfs/super.c | 3 +- fs/cifs/cifs_debug.c | 6 + fs/cifs/cifsglob.h | 9 ++ fs/cifs/cifsproto.h | 7 +- fs/cifs/connect.c | 2 +- fs/cifs/smb2misc.c | 11 +- fs/cifs/smb2ops.c | 48 ++++--- fs/cifs/smb2pdu.c | 10 +- fs/cifs/transport.c | 43 +++--- fs/ext4/block_validity.c | 5 +- fs/ext4/inode.c | 76 +++++++--- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 19 ++- fs/ext4/xattr.c | 11 +- fs/f2fs/node.c | 9 +- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 + fs/hfsplus/bnode.c | 6 + fs/isofs/export.c | 2 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 12 +- fs/jfs/jfs_imap.c | 2 +- fs/namespace.c | 3 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 22 --- fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsfh.h | 7 - fs/proc/array.c | 64 +++++---- include/linux/backing-dev.h | 1 + include/linux/blk-cgroup.h | 1 + include/linux/filter.h | 4 + include/linux/nfs.h | 13 ++ include/linux/pci.h | 12 ++ include/linux/soc/samsung/exynos-chipid.h | 6 +- include/net/net_namespace.h | 1 + include/net/sctp/structs.h | 3 +- include/uapi/linux/kfd_ioctl.h | 2 + include/xen/interface/xen-mca.h | 2 +- init/Kconfig | 3 +- kernel/bpf/helpers.c | 11 +- kernel/bpf/syscall.c | 17 ++- kernel/dma/contiguous.c | 3 +- kernel/locking/lockdep.c | 3 + kernel/resource.c | 41 ++---- kernel/sched/cpufreq_schedutil.c | 18 ++- kernel/trace/ftrace.c | 1 + kernel/trace/trace.h | 4 + kernel/trace/trace_events.c | 4 +- kernel/trace/trace_events_filter.c | 4 +- kernel/trace/trace_events_hist.c | 7 +- kernel/trace/trace_events_synth.c | 82 ++++++++++- kernel/trace/trace_synth.h | 1 + lib/sg_split.c | 2 - mm/memory.c | 4 +- mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +--- net/bluetooth/hci_event.c | 5 +- net/core/dev.c | 1 + net/core/filter.c | 80 ++++++----- net/core/net_namespace.c | 21 ++- net/core/page_pool.c | 8 +- net/ipv4/inet_connection_sock.c | 19 ++- net/mac80211/iface.c | 3 + net/mac80211/mesh_hwmp.c | 14 +- net/mptcp/protocol.c | 45 ++++++ net/mptcp/subflow.c | 15 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/nft_set_pipapo_avx2.c | 3 +- net/openvswitch/actions.c | 4 +- net/openvswitch/flow_netlink.c | 3 +- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_hfsc.c | 23 ++- net/sctp/socket.c | 22 +-- net/sctp/transport.c | 2 + net/tipc/link.c | 1 + net/tipc/monitor.c | 3 +- net/tls/tls_main.c | 6 + sound/pci/hda/hda_intel.c | 15 +- sound/soc/codecs/wcd934x.c | 2 +- sound/soc/qcom/qdsp6/q6asm-dai.c | 19 ++- sound/usb/midi.c | 80 ++++++++++- tools/objtool/check.c | 3 + tools/power/cpupower/bench/parse.c | 4 + tools/testing/selftests/mincore/mincore_selftest.c | 3 - tools/testing/selftests/ublk/test_stripe_04.sh | 24 ++++ .../selftests/vm/charge_reserved_hugetlb.sh | 4 +- .../selftests/vm/hugetlb_reparenting_test.sh | 2 +- 268 files changed, 2396 insertions(+), 1209 deletions(-)

7 months, 4 weeks

6
291
0 0

[PATCH 5.4 000/179] 5.4.293-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.293 release. There are 179 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 01 May 2025 16:10:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.293-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.293-rc1 Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> MIPS: cm: Fix warning if MIPS_CM is disabled Marek Behún <kabel(a)kernel.org> crypto: atmel-sha204a - Set hwrng quality to lowest possible Ian Abbott <abbotti(a)mev.co.uk> comedi: jr3_pci: Fix synchronous deletion of timer David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Meir Elisha <meir.elisha(a)volumez.com> md/raid1: Add check for missing source disk in process_checks() Igor Pylypiv <ipylypiv(a)google.com> scsi: pm80xx: Set phy_attached to zero when device is gone Josh Poimboeuf <jpoimboe(a)kernel.org> x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline Jean-Marc Eurin <jmeurin(a)google.com> ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls Ming Lei <ming.lei(a)redhat.com> selftests: ublk: fix test_stripe_04 Xiaogang Chen <xiaogang.chen(a)amd.com> udmabuf: fix a buf size overflow issue during udmabuf creation Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> KVM: s390: Don't use %pK through tracepoints Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP Arnd Bergmann <arnd(a)arndb.de> ntb: reduce stack usage in idt_scan_mws Al Viro <viro(a)zeniv.linux.org.uk> qibfs: fix _another_ leak Chenyuan Yang <chenyuan0y(a)gmail.com> usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() Vinicius Costa Gomes <vinicius.gomes(a)intel.com> dmaengine: dmatest: Fix dmatest waiting less when interrupted Alexander Stein <alexander.stein(a)mailbox.org> usb: host: max3421-hcd: Add missing spi_device_id table Yu-Chun Lin <eleanor15x(a)gmail.com> parisc: PDT: Fix missing prototype warning Heiko Stuebner <heiko(a)sntech.de> clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: null - Use spin lock instead of mutex Gregory CLEMENT <gregory.clement(a)bootlin.com> MIPS: cm: Detect CM quirks from device tree Oliver Neukum <oneukum(a)suse.com> USB: VLI disk crashes if LPM is used Miao Li <limiao(a)kylinos.cn> usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive Miao Li <limiao(a)kylinos.cn> usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive Frode Isaksen <frode(a)meta.com> usb: dwc3: gadget: check that event count does not exceed event buffer length Huacai Chen <chenhuacai(a)loongson.cn> USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) Ralph Siemsen <ralph.siemsen(a)linaro.org> usb: cdns3: Fix deadlock when using NCM gadget Craig Hesling <craig(a)hesling.com> USB: serial: simple: add OWON HDS200 series oscilloscope support Adam Xue <zxue(a)semtech.com> USB: serial: option: add Sierra Wireless EM9291 Michael Ehrenreich <michideep(a)gmail.com> USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe Ryo Takakura <ryotkkr98(a)gmail.com> serial: sifive: lock port in startup()/shutdown() callbacks Oliver Neukum <oneukum(a)suse.com> USB: storage: quirk for ADATA Portable HDD CH94 Haoxiang Li <haoxiang_li2024(a)163.com> mcb: fix a double free bug in chameleon_parse_gdd() Halil Pasic <pasic(a)linux.ibm.com> virtio_console: fix missing byte order handling for cols and rows Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: hfsc: Fix a UAF vulnerability in class handling Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix NULL pointer dereference in tipc_mon_reinit_self() Qingfang Deng <qingfang.deng(a)siflower.com.cn> net: phy: leds: fix memory leak Henry Martin <bsdhenrymartin(a)gmail.com> cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() Denis Arefev <arefev(a)swemel.ru> drm/amd/pm: Prevent division by zero Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Damien Le Moal <dlemoal(a)kernel.org> misc: pci_endpoint_test: Use INTX instead of LEGACY Bjorn Helgaas <bhelgaas(a)google.com> PCI: Rename PCI_IRQ_LEGACY to PCI_IRQ_INTX Sergiu Cuciurean <sergiu.cuciurean(a)analog.com> iio: adc: ad7768-1: Fix conversion result sign Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix VTU methods for 6320 family Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Acs, Jakub <acsjakub(a)amazon.de> ext4: fix OOB read when checking dotdot dir Theodore Ts'o <tytso(a)mit.edu> ext4: optimize __ext4_check_dir_entry() Theodore Ts'o <tytso(a)mit.edu> ext4: don't over-report free space or inodes in statvfs Chengguang Xu <cgxu519(a)mykernel.net> ext4: code cleanup for ext4_statfs_project() Jan Kara <jack(a)suse.cz> ext4: simplify checking quota limits in ext4_statfs() Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Correct command storage data length WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Xie Yongji <xieyongji(a)bytedance.com> virtio-net: Add validation for used length Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Support specifying the srpt_service_guid parameter Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Felix Huettner <felix.huettner(a)mail.schwarz> net: openvswitch: fix race on port output Seunghwan Baek <sh8267.baek(a)samsung.com> mmc: cqhci: Fix checking of CQHCI_HALT state WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Martin Kepplinger <martin.kepplinger(a)puri.sm> usb: dwc3: support continuous runtime PM with dual role Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Nathan Chancellor <natechancellor(a)gmail.com> powerpc/prom_init: Use -ffreestanding to avoid a reference to bcmp Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Thorsten Leemhuis <linux(a)leemhuis.info> module: sign with sha512 instead of sha1 by default Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Jeff Layton <jlayton(a)kernel.org> nfs: move nfs_fhandle_hash to common include file Chuck Lever <chuck.lever(a)oracle.com> NFSD: Constify @fh argument of knfsd_fh_hash() Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Kaixin Wang <kxwang23(a)m.fudan.edu.cn> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Daniel Golle <daniel(a)makrotopia.org> pwm: mediatek: always use bus clock for PWM on MT7622 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Eric Biggers <ebiggers(a)google.com> ext4: reject casefold inode flag without casefold feature Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Ben Dooks <ben.dooks(a)sifive.com> bpf: Add endian modifiers to fix endian warnings Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Fabien Parent <fparent(a)baylibre.com> pwm: mediatek: Always use bus clock Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Hannes Reinecke <hare(a)suse.de> ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() ------------- Diffstat: Makefile | 7 +- arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 2 + arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/include/asm/mips-cm.h | 22 ++++ arch/mips/kernel/cevt-ds1287.c | 1 + arch/mips/kernel/mips-cm.c | 14 +++ arch/parisc/kernel/pdt.c | 2 + arch/powerpc/kernel/Makefile | 1 + arch/riscv/include/asm/syscall.h | 7 +- arch/s390/kvm/trace-s390.h | 4 +- arch/sparc/mm/tlb.c | 5 +- arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 16 +-- arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/bugs.c | 8 +- arch/x86/kernel/e820.c | 17 ++- crypto/crypto_null.c | 37 ++++--- drivers/acpi/pptt.c | 4 +- drivers/ata/ahci.c | 2 + drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 ++ drivers/ata/sata_sx4.c | 118 ++++++++------------- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_ldisc.c | 19 +++- drivers/bluetooth/hci_uart.h | 1 + drivers/char/virtio_console.c | 7 +- drivers/clk/clk.c | 4 + drivers/cpufreq/cpufreq.c | 8 ++ drivers/cpufreq/scpi-cpufreq.c | 13 ++- drivers/crypto/atmel-sha204a.c | 7 +- drivers/crypto/ccp/sp-pci.c | 15 +-- drivers/dma-buf/udmabuf.c | 2 +- drivers/dma/dmatest.c | 6 +- drivers/gpio/gpio-zynq.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- .../gpu/drm/amd/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 10 +- drivers/gpu/drm/mediatek/mtk_dpi.c | 9 ++ drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/hid/usbhid/hid-pidff.c | 60 +++++++---- drivers/hsi/clients/ssi_protocol.c | 1 + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i3c/master.c | 3 + drivers/iio/adc/ad7768-1.c | 5 +- drivers/infiniband/hw/qib/qib_fs.c | 1 + drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +-- drivers/infiniband/ulp/srpt/ib_srpt.c | 8 +- drivers/mcb/mcb-parse.c | 2 +- drivers/md/dm-integrity.c | 3 + drivers/md/raid1.c | 26 +++-- drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ov7251.c | 4 +- drivers/media/platform/qcom/venus/hfi_parser.c | 2 + drivers/media/platform/qcom/venus/hfi_venus.c | 18 +++- drivers/media/platform/vim2m.c | 6 +- drivers/media/rc/streamzap.c | 68 ++++++------ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/misc/pci_endpoint_test.c | 36 ++++--- drivers/mmc/host/cqhci.c | 2 +- drivers/mtd/inftlcore.c | 9 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/dsa/b53/b53_common.c | 10 ++ drivers/net/dsa/mv88e6xxx/chip.c | 25 ++++- drivers/net/phy/phy_led_triggers.c | 23 ++-- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/virtio_net.c | 22 ++-- drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/ntb/hw/idt/ntb_hw_idt.c | 18 ++-- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/target/fc.c | 14 --- drivers/of/irq.c | 13 ++- drivers/pci/probe.c | 5 +- drivers/perf/arm_pmu.c | 8 +- drivers/platform/x86/asus-laptop.c | 9 +- .../x86/intel_speed_select_if/isst_if_common.c | 2 +- drivers/pwm/pwm-fsl-ftm.c | 6 ++ drivers/pwm/pwm-mediatek.c | 20 +++- drivers/s390/virtio/virtio_ccw.c | 16 ++- drivers/scsi/pm8001/pm8001_sas.c | 1 + drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/st.c | 2 +- drivers/staging/comedi/drivers/jr3_pci.c | 15 ++- drivers/thermal/rockchip_thermal.c | 1 + drivers/tty/serial/sifive.c | 6 ++ drivers/usb/cdns3/gadget.c | 2 + drivers/usb/core/quirks.c | 9 ++ drivers/usb/dwc3/core.c | 11 +- drivers/usb/dwc3/gadget.c | 6 ++ drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 + drivers/usb/host/max3421-hcd.c | 7 ++ drivers/usb/host/ohci-pci.c | 23 ++++ drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 5 + drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb-serial-simple.c | 7 ++ drivers/usb/storage/unusual_uas.h | 7 ++ drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/Kconfig | 1 + fs/btrfs/super.c | 3 +- fs/ext4/dir.c | 12 ++- fs/ext4/inode.c | 69 ++++++++---- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 61 ++++++----- fs/ext4/xattr.c | 11 +- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 ++ fs/hfsplus/bnode.c | 6 ++ fs/isofs/export.c | 2 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 2 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 22 ---- fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfsfh.h | 12 +-- include/linux/backing-dev.h | 1 + include/linux/nfs.h | 13 +++ include/linux/pci.h | 4 +- include/net/sctp/structs.h | 3 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/pcitest.h | 3 +- include/xen/interface/xen-mca.h | 2 +- init/Kconfig | 3 +- kernel/locking/lockdep.c | 3 + kernel/trace/ftrace.c | 1 + kernel/trace/trace_events.c | 4 +- lib/sg_split.c | 2 - mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +----- net/bluetooth/hci_event.c | 5 +- net/core/dev.c | 1 + net/core/filter.c | 80 +++++++------- net/core/page_pool.c | 8 +- net/ipv4/inet_connection_sock.c | 19 +++- net/mac80211/iface.c | 3 + net/mac80211/mesh_hwmp.c | 14 ++- net/openvswitch/actions.c | 4 +- net/openvswitch/flow_netlink.c | 3 +- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_hfsc.c | 23 ++-- net/sctp/socket.c | 22 ++-- net/sctp/transport.c | 2 + net/tipc/link.c | 1 + net/tipc/monitor.c | 3 +- sound/pci/hda/hda_intel.c | 15 ++- sound/usb/midi.c | 80 ++++++++++++-- tools/power/cpupower/bench/parse.c | 4 + tools/testing/selftests/ublk/test_stripe_04.sh | 24 +++++ 162 files changed, 1121 insertions(+), 557 deletions(-)

7 months, 4 weeks

6
184
0 0

[PATCH 0/1] mm: Fix regression after THP PTE optimization on Xen PV Dom0

by Petr Vaněk

Hi all, I have found a problem in recent kernels 6.9+ when running under the Xen hypervisor as a PV dom0. In my setup (PV Dom0 with 4G RAM, using XFS), I shrink memory to 256M via the balloon driver after boot: xl mem-set Domain-0 256m Once memory is reduced, even running a simple command like ls usually triggers the following warning: [ 27.963562] [ T2553] page: refcount:88 mapcount:21 mapping:ffff88813ff6f6a8 index:0x110 pfn:0x10085c [ 27.963564] [ T2553] head: order:2 mapcount:83 entire_mapcount:0 nr_pages_mapped:4 pincount:0 [ 27.963565] [ T2553] memcg:ffff888003573000 [ 27.963567] [ T2553] aops:0xffffffff8226fd20 ino:82467c dentry name(?):"libc.so.6" [ 27.963570] [ T2553] flags: 0x2000000000416c(referenced|uptodate|lru|active|private|head|node=0|zone=2) [ 27.963573] [ T2553] raw: 002000000000416c ffffea0004021e88 ffffea0004021908 ffff88813ff6f6a8 [ 27.963574] [ T2553] raw: 0000000000000110 ffff88811bf06b60 0000005800000014 ffff888003573000 [ 27.963576] [ T2553] head: 002000000000416c ffffea0004021e88 ffffea0004021908 ffff88813ff6f6a8 [ 27.963577] [ T2553] head: 0000000000000110 ffff88811bf06b60 0000005800000014 ffff888003573000 [ 27.963578] [ T2553] head: 0020000000000202 ffffea0004021701 0000000400000052 00000000ffffffff [ 27.963580] [ T2553] head: 0000000300000003 8000000300000002 0000000000000014 0000000000000004 [ 27.963581] [ T2553] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio) [ 27.963590] [ T2553] ------------[ cut here ]------------ [ 27.963591] [ T2553] WARNING: CPU: 1 PID: 2553 at include/linux/rmap.h:427 __folio_rmap_sanity_checks+0x1a0/0x270 [ 27.963596] [ T2553] CPU: 1 UID: 0 PID: 2553 Comm: ls Not tainted 6.15.0-rc4-00002-ge0363f942651 #270 PREEMPT(undef) [ 27.963599] [ T2553] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-20240910_120124-localhost 04/01/2014 [ 27.963601] [ T2553] RIP: e030:__folio_rmap_sanity_checks+0x1a0/0x270 [ 27.963603] [ T2553] Code: 89 df e8 b3 7d fd ff 0f 0b e9 eb fe ff ff 48 8d 42 ff 48 39 c3 0f 84 0e ff ff ff 48 c7 c6 e8 49 5b 82 48 89 df e8 90 7d fd ff <0f> 0b e9 f8 fe ff ff 41 f7 c4 ff 0f 00 00 0f 85 b2 fe ff ff 49 8b [ 27.963605] [ T2553] RSP: e02b:ffffc90040f8fac0 EFLAGS: 00010246 [ 27.963608] [ T2553] RAX: 00000000000000e5 RBX: ffffea0004021700 RCX: 0000000000000000 [ 27.963609] [ T2553] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff [ 27.963610] [ T2553] RBP: ffffc90040f8fae0 R08: 00000000ffffdfff R09: ffffffff82929308 [ 27.963612] [ T2553] R10: ffffffff82879360 R11: 0000000000000002 R12: ffffea0004021700 [ 27.963613] [ T2553] R13: 0000000000000005 R14: 0000000000000000 R15: 0000000000000005 [ 27.963625] [ T2553] FS: 00007ff06dafe740(0000) GS:ffff8880b7ccb000(0000) knlGS:0000000000000000 [ 27.963627] [ T2553] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.963628] [ T2553] CR2: 000055deb932f630 CR3: 0000000002844000 CR4: 0000000000050660 [ 27.963630] [ T2553] Call Trace: [ 27.963632] [ T2553] <TASK> [ 27.963633] [ T2553] folio_remove_rmap_ptes+0x24/0x2b0 [ 27.963635] [ T2553] unmap_page_range+0x132e/0x17e0 [ 27.963638] [ T2553] unmap_single_vma+0x81/0xd0 [ 27.963640] [ T2553] unmap_vmas+0xb5/0x180 [ 27.963642] [ T2553] exit_mmap+0x10c/0x460 [ 27.963644] [ T2553] mmput+0x59/0x120 [ 27.963647] [ T2553] do_exit+0x2d1/0xbd0 [ 27.963649] [ T2553] do_group_exit+0x2f/0x90 [ 27.963651] [ T2553] __x64_sys_exit_group+0x13/0x20 [ 27.963652] [ T2553] x64_sys_call+0x126b/0x1d70 [ 27.963655] [ T2553] do_syscall_64+0x54/0x120 [ 27.963657] [ T2553] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 27.963659] [ T2553] RIP: 0033:0x7ff06dbdbe9d [ 27.963660] [ T2553] Code: Unable to access opcode bytes at 0x7ff06dbdbe73. [ 27.963661] [ T2553] RSP: 002b:00007ffde44f9ac8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 27.963664] [ T2553] RAX: ffffffffffffffda RBX: 00007ff06dce4fa8 RCX: 00007ff06dbdbe9d [ 27.963665] [ T2553] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000 [ 27.963666] [ T2553] RBP: 0000000000000000 R08: 00007ffde44f9a70 R09: 00007ffde44f99ff [ 27.963667] [ T2553] R10: 00007ffde44f9980 R11: 0000000000000206 R12: 00007ff06dce3680 [ 27.963668] [ T2553] R13: 00007ff06dd010e0 R14: 0000000000000002 R15: 00007ff06dce4fc0 [ 27.963670] [ T2553] </TASK> [ 27.963671] [ T2553] ---[ end trace 0000000000000000 ]--- Later on bigger problems start to appear: [ 69.035059] [ T2593] BUG: Bad page map in process ls pte:10006c125 pmd:1003dc067 [ 69.035061] [ T2593] page: refcount:8 mapcount:20 mapping:ffff88813fd736a8 index:0x110 pfn:0x10006c [ 69.035064] [ T2593] head: order:2 mapcount:-2 entire_mapcount:0 nr_pages_mapped:8388532 pincount:0 [ 69.035066] [ T2593] memcg:ffff888003573000 [ 69.035067] [ T2593] aops:0xffffffff8226fd20 ino:82467c dentry name(?):"libc.so.6" [ 69.035069] [ T2593] flags: 0x2000000000416c(referenced|uptodate|lru|active|private|head|node=0|zone=2) [ 69.035072] [ T2593] raw: 002000000000416c ffffea0004002348 ffffea0004001d08 ffff88813fd736a8 [ 69.035074] [ T2593] raw: 0000000000000110 ffff888100d19860 0000000800000013 ffff888003573000 [ 69.035076] [ T2593] head: 002000000000416c ffffea0004002348 ffffea0004001d08 ffff88813fd736a8 [ 69.035078] [ T2593] head: 0000000000000110 ffff888100d19860 0000000800000013 ffff888003573000 [ 69.035079] [ T2593] head: 0020000000000202 ffffea0004001b01 ffffffb4fffffffd 00000000ffffffff [ 69.035081] [ T2593] head: 0000000300000003 0000000500000002 0000000000000013 0000000000000004 [ 69.035082] [ T2593] page dumped because: bad pte [ 69.035083] [ T2593] addr:00007f6524b96000 vm_flags:00000075 anon_vma:0000000000000000 mapping:ffff88813fd736a8 index:110 [ 69.035086] [ T2593] file:libc.so.6 fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio The system eventually becomes unusable and typically crashes. I was able to bisect this issue to the commit: 10ebac4f95e7 ("mm/memory: optimize unmap/zap with PTE-mapped THP"). If I understand correctly, the folio from the first warning has 4 pages, but folio_pte_batch incorrectly counts 5 pages, because expected_pte and pte are both zero-valued PTEs, and the loop is not broken in such a case because pte_same() returns true. [ 27.963266] [ T2553] folio_pte_batch debug: printing PTE values starting at addr=0x7ff06dc11000 [ 27.963268] [ T2553] PTE[ 0] = 000000010085c125 [ 27.963272] [ T2553] PTE[ 1] = 000000010085d125 [ 27.963274] [ T2553] PTE[ 2] = 000000010085e125 [ 27.963276] [ T2553] PTE[ 3] = 000000010085f125 [ 27.963277] [ T2553] PTE[ 4] = 0000000000000000 <-- not present [ 27.963279] [ T2553] PTE[ 5] = 0000000102e47125 [ 27.963281] [ T2553] PTE[ 6] = 0000000102e48125 [ 27.963283] [ T2553] PTE[ 7] = 0000000102e49125 As a consequence, zap_present_folio_ptes() is called with nr = 5, which later calls folio_remove_rmap_ptes(), where __folio_rmap_sanity_checks() emits the warning log. The patch in the following message fixes the problem for me. It adds a check that breaks the loop when encountering non-present PTE, before the !pte_same() check. I still don't fully understand how the zero-valued PTE appears there or why this issue is triggered only when xen-balloon driver shrinks the memory. I wasn't able to reproduce it without shrinking. Cheers, Petr Petr Vaněk (1): mm: Fix folio_pte_batch() overcount with zero PTEs mm/internal.h | 2 ++ 1 file changed, 2 insertions(+) -- 2.48.1

7 months, 4 weeks

3
19
0 0

FAILED: patch "[PATCH] KVM: x86: Load DR6 with guest value only before entering" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c2fee09fc167c74a64adb08656cb993ea475197e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021815-protract-greasily-cdea@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2fee09fc167c74a64adb08656cb993ea475197e Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Fri, 24 Jan 2025 17:18:33 -0800 Subject: [PATCH] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_entry: vcpu 23 L1 writes DR7, L0 disables DR interception CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000007 CPU 23/KVM-5046 [001] d.... 3410.005613: kvm_entry: vcpu 23 L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005613: <hack>: Set DRs, DR6 = 0xffff0ff0 A: <L1 writes DR6 = 1, no interception, arch.dr6 is still '0'> B: CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_exit: vcpu 23 reason PREEMPTION_TIMER CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_entry: vcpu 23 C: L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005614: <hack>: Set DRs, DR6 = 0xffff0ff0 L1 => L2 nested VM-Enter CPU 23/KVM-5046 [001] d.... 3410.005616: kvm_exit: vcpu 23 reason VMRESUME L0 reads DR6, arch.dr6 = 0 Reported-by: John Stultz <jstultz(a)google.com> Closes: https://lkml.kernel.org/r/CANDhNCq5_F3HfFYABqFGCA1bPd_%2BxgNj-iDQhH4tDk%2Bw… Fixes: 375e28ffc0cf ("KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT") Fixes: d67668e9dd76 ("KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6") Cc: stable(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Tested-by: John Stultz <jstultz(a)google.com> Link: https://lore.kernel.org/r/20250125011833.3644371-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h index c35550581da0..823c0434bbad 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -48,6 +48,7 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) +KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b15cde0a9b5c..0b7af5902ff7 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1696,6 +1696,7 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); + void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7640a84e554a..a713c803a3a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1991,11 +1991,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd) svm->asid = sd->next_asid++; } -static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value) +static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value) { - struct vmcb *vmcb = svm->vmcb; + struct vmcb *vmcb = to_svm(vcpu)->vmcb; - if (svm->vcpu.arch.guest_state_protected) + if (vcpu->arch.guest_state_protected) return; if (unlikely(value != vmcb->save.dr6)) { @@ -4247,10 +4247,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, * Run with all-zero DR6 unless needed, so that we can get the exact cause * of a #DB. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - svm_set_dr6(svm, vcpu->arch.dr6); - else - svm_set_dr6(svm, DR6_ACTIVE_LOW); + if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); clgi(); kvm_load_guest_xsave_state(vcpu); @@ -5043,6 +5041,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_idt = svm_set_idt, .get_gdt = svm_get_gdt, .set_gdt = svm_set_gdt, + .set_dr6 = svm_set_dr6, .set_dr7 = svm_set_dr7, .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, .cache_reg = svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 2427f918e763..43ee9ed11291 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -61,6 +61,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .set_idt = vmx_set_idt, .get_gdt = vmx_get_gdt, .set_gdt = vmx_set_gdt, + .set_dr6 = vmx_set_dr6, .set_dr7 = vmx_set_dr7, .sync_dirty_debug_regs = vmx_sync_dirty_debug_regs, .cache_reg = vmx_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f72835e85b6d..6c56d5235f0f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5648,6 +5648,12 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +{ + lockdep_assert_irqs_disabled(); + set_debugreg(vcpu->arch.dr6, 6); +} + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7417,10 +7423,6 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) vmx->loaded_vmcs->host_state.cr4 = cr4; } - /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - set_debugreg(vcpu->arch.dr6, 6); - /* When single-stepping over STI and MOV SS, we must clear the * corresponding interruptibility bits in the guest state. Otherwise * vmentry fails as it then expects bit 14 (BS) in pending debug diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index ce3295a67c04..430773a5ef8e 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -73,6 +73,7 @@ void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val); void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val); void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu); void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8e77e61d4fbd..02159c967d29 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10961,6 +10961,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) + kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); }

7 months, 4 weeks

3
2
0 0

FAILED: patch "[PATCH] KVM: x86: Load DR6 with guest value only before entering" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c2fee09fc167c74a64adb08656cb993ea475197e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021809-census-mammal-224b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2fee09fc167c74a64adb08656cb993ea475197e Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Fri, 24 Jan 2025 17:18:33 -0800 Subject: [PATCH] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_entry: vcpu 23 L1 writes DR7, L0 disables DR interception CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000007 CPU 23/KVM-5046 [001] d.... 3410.005613: kvm_entry: vcpu 23 L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005613: <hack>: Set DRs, DR6 = 0xffff0ff0 A: <L1 writes DR6 = 1, no interception, arch.dr6 is still '0'> B: CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_exit: vcpu 23 reason PREEMPTION_TIMER CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_entry: vcpu 23 C: L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005614: <hack>: Set DRs, DR6 = 0xffff0ff0 L1 => L2 nested VM-Enter CPU 23/KVM-5046 [001] d.... 3410.005616: kvm_exit: vcpu 23 reason VMRESUME L0 reads DR6, arch.dr6 = 0 Reported-by: John Stultz <jstultz(a)google.com> Closes: https://lkml.kernel.org/r/CANDhNCq5_F3HfFYABqFGCA1bPd_%2BxgNj-iDQhH4tDk%2Bw… Fixes: 375e28ffc0cf ("KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT") Fixes: d67668e9dd76 ("KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6") Cc: stable(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Tested-by: John Stultz <jstultz(a)google.com> Link: https://lore.kernel.org/r/20250125011833.3644371-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h index c35550581da0..823c0434bbad 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -48,6 +48,7 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) +KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b15cde0a9b5c..0b7af5902ff7 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1696,6 +1696,7 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); + void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7640a84e554a..a713c803a3a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1991,11 +1991,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd) svm->asid = sd->next_asid++; } -static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value) +static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value) { - struct vmcb *vmcb = svm->vmcb; + struct vmcb *vmcb = to_svm(vcpu)->vmcb; - if (svm->vcpu.arch.guest_state_protected) + if (vcpu->arch.guest_state_protected) return; if (unlikely(value != vmcb->save.dr6)) { @@ -4247,10 +4247,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, * Run with all-zero DR6 unless needed, so that we can get the exact cause * of a #DB. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - svm_set_dr6(svm, vcpu->arch.dr6); - else - svm_set_dr6(svm, DR6_ACTIVE_LOW); + if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); clgi(); kvm_load_guest_xsave_state(vcpu); @@ -5043,6 +5041,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_idt = svm_set_idt, .get_gdt = svm_get_gdt, .set_gdt = svm_set_gdt, + .set_dr6 = svm_set_dr6, .set_dr7 = svm_set_dr7, .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, .cache_reg = svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 2427f918e763..43ee9ed11291 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -61,6 +61,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .set_idt = vmx_set_idt, .get_gdt = vmx_get_gdt, .set_gdt = vmx_set_gdt, + .set_dr6 = vmx_set_dr6, .set_dr7 = vmx_set_dr7, .sync_dirty_debug_regs = vmx_sync_dirty_debug_regs, .cache_reg = vmx_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f72835e85b6d..6c56d5235f0f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5648,6 +5648,12 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +{ + lockdep_assert_irqs_disabled(); + set_debugreg(vcpu->arch.dr6, 6); +} + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7417,10 +7423,6 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) vmx->loaded_vmcs->host_state.cr4 = cr4; } - /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - set_debugreg(vcpu->arch.dr6, 6); - /* When single-stepping over STI and MOV SS, we must clear the * corresponding interruptibility bits in the guest state. Otherwise * vmentry fails as it then expects bit 14 (BS) in pending debug diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index ce3295a67c04..430773a5ef8e 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -73,6 +73,7 @@ void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val); void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val); void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu); void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8e77e61d4fbd..02159c967d29 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10961,6 +10961,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) + kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); }

7 months, 4 weeks

3
2
0 0

FAILED: patch "[PATCH] KVM: x86: Load DR6 with guest value only before entering" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c2fee09fc167c74a64adb08656cb993ea475197e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021812-candied-hamper-7f08@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c2fee09fc167c74a64adb08656cb993ea475197e Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Fri, 24 Jan 2025 17:18:33 -0800 Subject: [PATCH] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_entry: vcpu 23 L1 writes DR7, L0 disables DR interception CPU 23/KVM-5046 [001] d.... 3410.005612: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000007 CPU 23/KVM-5046 [001] d.... 3410.005613: kvm_entry: vcpu 23 L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005613: <hack>: Set DRs, DR6 = 0xffff0ff0 A: <L1 writes DR6 = 1, no interception, arch.dr6 is still '0'> B: CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_exit: vcpu 23 reason PREEMPTION_TIMER CPU 23/KVM-5046 [001] d.... 3410.005614: kvm_entry: vcpu 23 C: L0 writes DR6 = 0 (arch.dr6) CPU 23/KVM-5046 [001] d.... 3410.005614: <hack>: Set DRs, DR6 = 0xffff0ff0 L1 => L2 nested VM-Enter CPU 23/KVM-5046 [001] d.... 3410.005616: kvm_exit: vcpu 23 reason VMRESUME L0 reads DR6, arch.dr6 = 0 Reported-by: John Stultz <jstultz(a)google.com> Closes: https://lkml.kernel.org/r/CANDhNCq5_F3HfFYABqFGCA1bPd_%2BxgNj-iDQhH4tDk%2Bw… Fixes: 375e28ffc0cf ("KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT") Fixes: d67668e9dd76 ("KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6") Cc: stable(a)vger.kernel.org Cc: Jim Mattson <jmattson(a)google.com> Tested-by: John Stultz <jstultz(a)google.com> Link: https://lore.kernel.org/r/20250125011833.3644371-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm-x86-ops.h b/arch/x86/include/asm/kvm-x86-ops.h index c35550581da0..823c0434bbad 100644 --- a/arch/x86/include/asm/kvm-x86-ops.h +++ b/arch/x86/include/asm/kvm-x86-ops.h @@ -48,6 +48,7 @@ KVM_X86_OP(set_idt) KVM_X86_OP(get_gdt) KVM_X86_OP(set_gdt) KVM_X86_OP(sync_dirty_debug_regs) +KVM_X86_OP(set_dr6) KVM_X86_OP(set_dr7) KVM_X86_OP(cache_reg) KVM_X86_OP(get_rflags) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b15cde0a9b5c..0b7af5902ff7 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1696,6 +1696,7 @@ struct kvm_x86_ops { void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); + void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7640a84e554a..a713c803a3a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1991,11 +1991,11 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd) svm->asid = sd->next_asid++; } -static void svm_set_dr6(struct vcpu_svm *svm, unsigned long value) +static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value) { - struct vmcb *vmcb = svm->vmcb; + struct vmcb *vmcb = to_svm(vcpu)->vmcb; - if (svm->vcpu.arch.guest_state_protected) + if (vcpu->arch.guest_state_protected) return; if (unlikely(value != vmcb->save.dr6)) { @@ -4247,10 +4247,8 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, * Run with all-zero DR6 unless needed, so that we can get the exact cause * of a #DB. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - svm_set_dr6(svm, vcpu->arch.dr6); - else - svm_set_dr6(svm, DR6_ACTIVE_LOW); + if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); clgi(); kvm_load_guest_xsave_state(vcpu); @@ -5043,6 +5041,7 @@ static struct kvm_x86_ops svm_x86_ops __initdata = { .set_idt = svm_set_idt, .get_gdt = svm_get_gdt, .set_gdt = svm_set_gdt, + .set_dr6 = svm_set_dr6, .set_dr7 = svm_set_dr7, .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, .cache_reg = svm_cache_reg, diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index 2427f918e763..43ee9ed11291 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -61,6 +61,7 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .set_idt = vmx_set_idt, .get_gdt = vmx_get_gdt, .set_gdt = vmx_set_gdt, + .set_dr6 = vmx_set_dr6, .set_dr7 = vmx_set_dr7, .sync_dirty_debug_regs = vmx_sync_dirty_debug_regs, .cache_reg = vmx_cache_reg, diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f72835e85b6d..6c56d5235f0f 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5648,6 +5648,12 @@ void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu) set_debugreg(DR6_RESERVED, 6); } +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +{ + lockdep_assert_irqs_disabled(); + set_debugreg(vcpu->arch.dr6, 6); +} + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) { vmcs_writel(GUEST_DR7, val); @@ -7417,10 +7423,6 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) vmx->loaded_vmcs->host_state.cr4 = cr4; } - /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ - if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) - set_debugreg(vcpu->arch.dr6, 6); - /* When single-stepping over STI and MOV SS, we must clear the * corresponding interruptibility bits in the guest state. Otherwise * vmentry fails as it then expects bit 14 (BS) in pending debug diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index ce3295a67c04..430773a5ef8e 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -73,6 +73,7 @@ void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt); +void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val); void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val); void vmx_sync_dirty_debug_regs(struct kvm_vcpu *vcpu); void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8e77e61d4fbd..02159c967d29 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10961,6 +10961,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(vcpu->arch.eff_db[1], 1); set_debugreg(vcpu->arch.eff_db[2], 2); set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) + kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); } else if (unlikely(hw_breakpoint_active())) { set_debugreg(0, 7); }

7 months, 4 weeks

3
2
0 0

Re: [PATCH] Handle Ice Lake MONITOR erratum

by Christian Ludloff

> [ICX143 in https://cdrdv2.intel.com/v1/dl/getContent/637780] > There is no equivalent erratum for the "Xeon D" Ice Lakes so > INTEL_ICELAKE_D is not affected. There is ICXD80 in... https://www.intel.com/content/www/us/en/content-details/714069/intel-xeon-d… https://www.intel.com/content/www/us/en/content-details/714071/intel-xeon-d… And although the ICL spec update... https://edc.intel.com/content/www/us/en/design/ipla/software-development-pl… ...doesn't seem to have a MONITOR erratum, it might be a good idea for Intel to double check. -- Christian

7 months, 4 weeks

2
1
0 0

[PATCH v5] Restrict devmem for confidential VMs

by Dan Williams

Changes since v3 [1] (note v4 was a partial re-roll, but more feedback came in requiring a v5): - Fix a kbuild robot report for a missing header include of cc_platform.h - Switch to selecting STRICT_DEVMEM and IOSTRICT_DEVMEM rather than "depends on". (Naveen) - Clarify the "SEPT violation" vs "crash" and other changelog fixups for devmem maintainers and other arch maintainers. (Dave) - Drop patch numbering since patch2 is a fix and has no dependencies on patch1 [1]: http://lore.kernel.org/174491711228.1395340.3647010925173796093.stgit@dwill… --- The original response to Nikolay's report of a "crash" (unhandled SEPT violation) triggered by /dev/mem access to private memory was "let's just turn off /dev/mem". After some machinations of x86_platform_ops to block a subset of problematic access, spelunking the history of devmem_is_allowed() returning "2" to enable some compatibility benefits while blocking access, and discovering that userspace depends buggy kernel behavior for mmap(2) of the first 1MB of memory on x86, the proposal has circled back to "disable /dev/mem". Require both STRICT_DEVMEM and IO_STRICT_DEVMEM for x86 confidential guests to close /dev/mem hole while still allowing for userspace mapping of PCI MMIO as long as the kernel and userspace are not mapping the range at the same time. The range_is_allowed() cleanup is not strictly necessary, but might as well close a 17 year-old "TODO". Dan Williams (2): x86/devmem: Remove duplicate range_is_allowed() definition x86/devmem: Drop /dev/mem access for confidential guests arch/x86/Kconfig | 4 ++++ arch/x86/mm/pat/memtype.c | 31 ++++--------------------------- drivers/char/mem.c | 28 ++++++++++------------------ include/linux/io.h | 21 +++++++++++++++++++++ 4 files changed, 39 insertions(+), 45 deletions(-) base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 -- 2.49.0

7 months, 4 weeks

4
10
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025