- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.8 release. There are 189 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.8-rc1 Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Stephan Gerhold <stephan.gerhold(a)linaro.org> phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix MIDI2 IN EP max packet size Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix missing UMP group attributes initialization RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: properly deliver cable vdms to altmode drivers Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix memory leak regression when freeing xhci vdev devices depth first Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Yuezhang Mo <Yuezhang.Mo(a)sony.com> erofs: fix runtime warning on truncate_folio_batch_exceptionals() Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Gao Xiang <xiang(a)kernel.org> erofs: fix invalid algorithm for encoded extents Gao Xiang <xiang(a)kernel.org> erofs: unify meta buffers in z_erofs_fill_inode() Gao Xiang <xiang(a)kernel.org> erofs: remove need_kmap in erofs_read_metabuf() Gao Xiang <xiang(a)kernel.org> erofs: get rid of {get,put}_page() for ztailpacking data Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Fix refcount underflow on module unload Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Remove improper idxd_free Pengyu Luo <mitltlatltl(a)gmail.com> phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Hangbin Liu <liuhangbin(a)gmail.com> hsr: hold rcu and dev lock for hsr_get_port_ndev Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: restart set lookup on base_seq change Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: make nft_set_do_lookup available unconditionally Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: place base_seq in struct net Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Reintroduce shortened deletion notifications Florian Westphal <fw(a)strlen.de> netfilter: nft_set_rbtree: continue traversal if element is inactive Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't check genbit from packetpath lookups Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't return bogus extension pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: merge pipapo_get/lookup Florian Westphal <fw(a)strlen.de> netfilter: nft_set: remove one argument from lookup and update functions Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove unused arguments Florian Westphal <fw(a)strlen.de> netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: implement NETDEV_UNREGISTER notification handler Davide Caratti <dcaratti(a)redhat.com> selftests: can: enable CONFIG_CAN_VCAN as a module Stanislav Fomichev <sdf(a)fomichev.me> macsec: sync features on RTM_NEWLINK Carolina Jubran <cjubran(a)nvidia.com> net: dev_ioctl: take ops lock in hwtstamp lower paths Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: use udelay rather than fsleep Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/configfs: Don't touch survivability_mode on fini Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Tianyu Xu <tianyxu(a)cisco.com> igb: Fix NULL pointer dereference in ethtool loopback test Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Petr Machata <petrm(a)nvidia.com> net: bridge: Bounce invalid boolopts Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix ageing time for BCM53101 Alok Tiwari <alok.a.tiwari(a)oracle.com> genetlink: fix genl_bind() invoking bind() after -EPERM Klaus Kudielka <klaus.kudielka(a)gmail.com> PCI: mvebu: Fix use of for_each_of_range() iterator Miaoqing Pan <miaoqing.pan(a)oss.qualcomm.com> wifi: ath12k: fix WMI TLV header misalignment Sriram R <quic_srirrama(a)quicinc.com> wifi: ath12k: Add support to enqueue management frame at MLD level Sarika Sharma <quic_sarishar(a)quicinc.com> wifi: ath12k: add link support for multi-link in arsta Miaoqing Pan <miaoqing.pan(a)oss.qualcomm.com> wifi: ath12k: Fix missing station power save configuration Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: transfer phy_config_inband() locking responsibility to phylink Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phylink: add lock for serializing concurrent pl->phydev writes with resolver Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Chia-I Wu <olvaffe(a)gmail.com> drm/panthor: validate group queue count Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mtd: rawnand: nuvoton: Fix an error handling path in ma35_nand_chips_init() Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for Flydigi Apex 5 Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts K Prateek Nayak <kprateek.nayak(a)amd.com> x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Reinette Chatre <reinette.chatre(a)intel.com> fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Pratap Nirujogi <pratap.nirujogi(a)amd.com> drm/amd/amdgpu: Declare isp firmware binary file Mario Limonciello (AMD) <mario.limonciello(a)amd.com> drm/amd/display: Drop dm_prepare_suspend() and dm_complete() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Destroy cached state in complete() callback Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Santhosh Kumar K <s-k6(a)ti.com> mtd: spinand: winbond: Fix oob_layout for W25N01JW Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: winbond: Enable high-speed modes on w25n0xjw Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: Add a ->configure_chip() hook Max Kellermann <max.kellermann(a)ionos.com> ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error Max Kellermann <max.kellermann(a)ionos.com> ceph: always call ceph_shift_unused_folios_left() Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition where r_parent becomes stale before sending message Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition validating r_parent before applying state Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Qu Wenruo <wqu(a)suse.com> btrfs: fix corruption reading compressed range when block size is smaller than page size Boris Burkov <boris(a)bur.io> btrfs: use readahead_expand() on compressed extents Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Disable DPCD Probe Quirk Imre Deak <imre.deak(a)intel.com> drm/dp: Add an EDID quirk for the DPCD register access probe Imre Deak <imre.deak(a)intel.com> drm/edid: Add support for quirks visible to DRM core and drivers Imre Deak <imre.deak(a)intel.com> drm/edid: Define the quirks in an enum list Geoffrey McRae <geoffrey.mcrae(a)amd.com> drm/amd/display: remove oem i2c adapter on finish Ovidiu Bunea <ovidiu.bunea(a)amd.com> drm/amd/display: Correct sequences and delays for DCN35 PG & RCG David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Block exec and rebind worker while evicting for suspend / hibernate Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Allow the pm notifier to continue on failure Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Attempt to bring bos back to VRAM after eviction Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Johan Hovold <johan(a)kernel.org> drm/mediatek: fix potential OF node use-after-free Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Sang-Heon Jeon <ekffu200098(a)gmail.com> mm/damon/core: set quota->charged_from to jiffies at first charge window Kyle Meyer <kyle.meyer(a)hpe.com> mm/memory-failure: fix redundant updates for already poisoned pages Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Uladzislau Rezki (Sony) <urezki(a)gmail.com> mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Jeongjun Park <aha310510(a)gmail.com> mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Amir Goldstein <amir73il(a)gmail.com> fuse: do not allow mapping a non-regular backing file Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Alexander Sverdlin <alexander.sverdlin(a)gmail.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Paulo Alcantara <pc(a)manguebit.org> smb: client: fix data loss due to broken rename(2) Paulo Alcantara <pc(a)manguebit.org> smb: client: fix compound alignment with encryption Breno Leitao <leitao(a)debian.org> s390: kexec: initialize kexec_buf struct Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: fix 130/1030 configs Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: hibernate: Restrict GFP mask in hibernation_snapshot() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: EM: Add function for registering a PD without capacity update Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix to enable RSS Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: remove broken SMBus Quick operation support Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: ensure data length is within supported range Chiasheng Lee <chiasheng.lee(a)linux.intel.com> i2c: i801: Hide Intel Birch Stream SoC TCO WDT Omar Sandoval <osandov(a)fb.com> btrfs: fix subvolume deletion lockup caused by inodes xarray race Boris Burkov <boris(a)bur.io> btrfs: fix squota compressed stats leak Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Matthieu Baerts (NGI0) <matttbe(a)kernel.org> netlink: specs: mptcp: fix if-idx attribute type Matthieu Baerts (NGI0) <matttbe(a)kernel.org> doc: mptcp: net.mptcp.pm_type is deprecated Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Breno Leitao <leitao(a)debian.org> arm64: kexec: initialize kexec_buf struct in load_other_segments() Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: fix channel number bound check Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Peilin Ye <yepeilin(a)google.com> bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() KaFai Wan <kafai.wan(a)linux.dev> bpf: Allow fall back to interpreter for programs with stack size <= 512 Kumar Kartikeya Dwivedi <memxor(a)gmail.com> rqspinlock: Choose trylock fallback for NMI waiters Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> xsk: Fix immature cq descriptor production Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt Mario Limonciello (AMD) <superm1(a)kernel.org> cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Thomas Richter <tmricht(a)linux.ibm.com> s390/pai: Deny all events not handled by this PMU Gautham R. Shenoy <gautham.shenoy(a)amd.com> cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor Jesper Dangaard Brouer <hawk(a)kernel.org> bpf, cpumap: Disable page_pool direct xdp_return need larger scope Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: nfs_invalidate_folio() must observe the offset and size arguments Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and copy range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and clone range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and fallocate() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Serialise O_DIRECT i/o and truncate() Wang Liang <wangliang74(a)huawei.com> tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Scott Mayhew <smayhew(a)redhat.com> nfs/localio: restore creds before releasing pageio data Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Guenter Roeck <linux(a)roeck-us.net> trace/fgraph: Fix error handling Xiao Ni <xni(a)redhat.com> md: keep recovery_cp in mdp_superblock_s Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Justin Worrell <jworrell(a)gmail.com> SUNRPC: call xs_sock_process_cmsg for all cmsg Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Add more checks to PSP mailbox" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix getname not returning broadcast fields Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix running bis_cleanup for hci_conn->type PA_LINK Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Split paging_domain_compatible() Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Create unique domain ops for each stage Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not cleaning up Broadcaster/Broadcast Source Dan Carpenter <dan.carpenter(a)linaro.org> irqchip/mvebu-gicp: Fix an IS_ERR() vs NULL check in probe() Kan Liang <kan.liang(a)linux.intel.com> perf: Fix the POLL_HUP delivery breakage Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> dma-debug: don't enforce dma mapping check on noncoherent allocations Amir Goldstein <amir73il(a)gmail.com> fhandle: use more consistent rules for decoding file handle from userns Edward Adam Davis <eadavis(a)qq.com> fuse: Block access to folio overlimit Christian Brauner <brauner(a)kernel.org> coredump: don't pointlessly check and spew warnings Christoph Hellwig <hch(a)lst.de> block: don't silently ignore metadata for sync read/write Christoph Hellwig <hch(a)lst.de> fs: add a FMODE_ flag to indicate IOCB_HAS_METADATA availability ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/netlink/specs/mptcp_pm.yaml | 2 +- Documentation/networking/can.rst | 2 +- Documentation/networking/mptcp.rst | 8 +- Makefile | 4 +- arch/arm64/kernel/machine_kexec_file.c | 2 +- arch/s390/kernel/kexec_elf.c | 2 +- arch/s390/kernel/kexec_image.c | 2 +- arch/s390/kernel/machine_kexec_file.c | 6 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/s390/kernel/perf_pai_crypto.c | 4 +- arch/s390/kernel/perf_pai_ext.c | 2 +- arch/x86/kernel/cpu/topology_amd.c | 25 +- block/fops.c | 13 +- drivers/cpufreq/amd-pstate.c | 19 +- drivers/cpufreq/intel_pstate.c | 4 +- drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 39 +-- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 - drivers/gpu/drm/amd/amdgpu/isp_v4_1_1.c | 2 + drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 +-- drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 +- drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 60 +++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 106 +++++---- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 + drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 74 +++--- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 +- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 115 ++------- .../gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 3 - .../drm/amd/display/dc/hwss/dcn351/dcn351_init.c | 3 - drivers/gpu/drm/amd/display/dc/inc/hw/pg_cntl.h | 1 + .../drm/amd/display/dc/pg/dcn35/dcn35_pg_cntl.c | 78 +++--- drivers/gpu/drm/display/drm_dp_helper.c | 42 +++- drivers/gpu/drm/drm_edid.c | 232 +++++++++--------- drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +- drivers/gpu/drm/panthor/panthor_drv.c | 2 +- drivers/gpu/drm/xe/tests/xe_bo.c | 2 +- drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 +- drivers/gpu/drm/xe/xe_bo.c | 16 +- drivers/gpu/drm/xe/xe_bo.h | 2 +- drivers/gpu/drm/xe/xe_device_types.h | 6 + drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- drivers/gpu/drm/xe/xe_exec.c | 9 + drivers/gpu/drm/xe/xe_pm.c | 42 +++- drivers/gpu/drm/xe/xe_survivability_mode.c | 3 +- drivers/gpu/drm/xe/xe_vm.c | 42 +++- drivers/gpu/drm/xe/xe_vm.h | 2 + drivers/gpu/drm/xe/xe_vm_types.h | 5 + drivers/i2c/busses/i2c-i801.c | 2 +- drivers/i2c/busses/i2c-rtl9300.c | 22 +- drivers/input/joystick/xpad.c | 2 + drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/iommu/intel/cache.c | 5 +- drivers/iommu/intel/iommu.c | 263 ++++++++++++++------- drivers/iommu/intel/iommu.h | 12 + drivers/iommu/intel/nested.c | 4 +- drivers/iommu/intel/svm.c | 1 - drivers/irqchip/irq-mvebu-gicp.c | 2 +- drivers/md/md.c | 6 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 16 +- .../mtd/nand/raw/nuvoton-ma35d1-nand-controller.c | 4 +- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 ++-- drivers/mtd/nand/spi/core.c | 18 +- drivers/mtd/nand/spi/winbond.c | 80 ++++++- drivers/net/can/xilinx_can.c | 16 +- drivers/net/dsa/b53/b53_common.c | 17 +- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- drivers/net/ethernet/intel/igb/igb_main.c | 3 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 4 - drivers/net/macsec.c | 1 + drivers/net/phy/phy.c | 12 +- drivers/net/phy/phylink.c | 28 ++- drivers/net/wireless/ath/ath12k/core.h | 1 + drivers/net/wireless/ath/ath12k/dp_mon.c | 22 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 11 +- drivers/net/wireless/ath/ath12k/hw.c | 55 +++++ drivers/net/wireless/ath/ath12k/hw.h | 2 + drivers/net/wireless/ath/ath12k/mac.c | 127 +++++----- drivers/net/wireless/ath/ath12k/peer.c | 2 +- drivers/net/wireless/ath/ath12k/peer.h | 28 +++ drivers/net/wireless/ath/ath12k/wmi.c | 58 ++++- drivers/net/wireless/ath/ath12k/wmi.h | 16 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 +- drivers/pci/controller/pci-mvebu.c | 21 +- drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 +- drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-omap-usb2.c | 13 + drivers/phy/ti/phy-ti-pipe3.c | 13 + drivers/regulator/sy7636a-regulator.c | 7 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/function/f_midi2.c | 11 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/host/xhci-dbgcap.c | 94 +++++--- drivers/usb/host/xhci-mem.c | 2 +- drivers/usb/serial/option.c | 17 ++ drivers/usb/typec/tcpm/tcpm.c | 12 +- fs/btrfs/extent_io.c | 73 +++++- fs/btrfs/inode.c | 12 +- fs/btrfs/qgroup.c | 6 +- fs/ceph/addr.c | 9 +- fs/ceph/debugfs.c | 14 +- fs/ceph/dir.c | 17 +- fs/ceph/file.c | 24 +- fs/ceph/inode.c | 88 +++++-- fs/ceph/mds_client.c | 172 ++++++++------ fs/ceph/mds_client.h | 18 +- fs/coredump.c | 4 + fs/erofs/data.c | 8 +- fs/erofs/fileio.c | 2 +- fs/erofs/fscache.c | 2 +- fs/erofs/inode.c | 8 +- fs/erofs/internal.h | 2 +- fs/erofs/super.c | 16 +- fs/erofs/zdata.c | 17 +- fs/erofs/zmap.c | 98 ++++---- fs/exec.c | 2 +- fs/fhandle.c | 8 + fs/fuse/dev.c | 2 +- fs/fuse/file.c | 5 +- fs/fuse/passthrough.c | 5 + fs/kernfs/file.c | 58 +++-- fs/nfs/client.c | 2 + fs/nfs/file.c | 7 +- fs/nfs/flexfilelayout/flexfilelayout.c | 21 +- fs/nfs/inode.c | 4 +- fs/nfs/internal.h | 10 + fs/nfs/io.c | 13 +- fs/nfs/localio.c | 12 +- fs/nfs/nfs42proc.c | 2 + fs/nfs/nfs4file.c | 2 + fs/nfs/nfs4proc.c | 7 +- fs/nfs/write.c | 1 + fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- fs/resctrl/ctrlmondata.c | 2 +- fs/resctrl/internal.h | 4 +- fs/resctrl/monitor.c | 6 +- fs/smb/client/cifsglob.h | 13 +- fs/smb/client/file.c | 18 +- fs/smb/client/inode.c | 86 +++++-- fs/smb/client/smb2glob.h | 3 +- fs/smb/client/smb2inode.c | 204 ++++++++++++---- fs/smb/client/smb2ops.c | 32 ++- fs/smb/client/smb2proto.h | 3 + fs/smb/client/trace.h | 9 +- include/drm/display/drm_dp_helper.h | 6 + include/drm/drm_connector.h | 4 +- include/drm/drm_edid.h | 8 + include/linux/compiler-clang.h | 31 ++- include/linux/energy_model.h | 10 + include/linux/fs.h | 3 +- include/linux/kasan.h | 6 +- include/linux/mtd/spinand.h | 8 + include/net/netfilter/nf_tables.h | 11 +- include/net/netfilter/nf_tables_core.h | 49 ++-- include/net/netns/nftables.h | 1 + include/uapi/linux/raid/md_p.h | 2 +- io_uring/rw.c | 3 + kernel/bpf/Makefile | 1 + kernel/bpf/core.c | 16 +- kernel/bpf/cpumap.c | 4 +- kernel/bpf/crypto.c | 2 +- kernel/bpf/helpers.c | 7 +- kernel/bpf/rqspinlock.c | 2 +- kernel/dma/debug.c | 48 +++- kernel/dma/debug.h | 20 ++ kernel/dma/mapping.c | 4 +- kernel/events/core.c | 1 + kernel/power/energy_model.c | 29 ++- kernel/power/hibernate.c | 1 + kernel/time/hrtimer.c | 11 +- kernel/trace/fgraph.c | 3 +- kernel/trace/trace.c | 10 +- kernel/trace/trace_osnoise.c | 3 + mm/damon/core.c | 4 + mm/damon/lru_sort.c | 5 + mm/damon/reclaim.c | 5 + mm/damon/sysfs.c | 14 +- mm/hugetlb.c | 9 +- mm/kasan/shadow.c | 31 ++- mm/khugepaged.c | 4 +- mm/memory-failure.c | 20 +- mm/vmalloc.c | 8 +- net/bluetooth/hci_conn.c | 14 +- net/bluetooth/hci_event.c | 7 +- net/bluetooth/iso.c | 2 +- net/bridge/br.c | 7 + net/can/j1939/bus.c | 5 +- net/can/j1939/j1939-priv.h | 1 + net/can/j1939/main.c | 3 + net/can/j1939/socket.c | 52 ++++ net/ceph/messenger.c | 7 +- net/core/dev_ioctl.c | 22 +- net/hsr/hsr_device.c | 28 ++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 3 + net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/netfilter/nf_tables_api.c | 123 ++++++---- net/netfilter/nft_dynset.c | 5 +- net/netfilter/nft_lookup.c | 67 ++++-- net/netfilter/nft_objref.c | 5 +- net/netfilter/nft_set_bitmap.c | 14 +- net/netfilter/nft_set_hash.c | 54 ++--- net/netfilter/nft_set_pipapo.c | 211 ++++++----------- net/netfilter/nft_set_pipapo_avx2.c | 29 +-- net/netfilter/nft_set_rbtree.c | 46 ++-- net/netlink/genetlink.c | 3 + net/sunrpc/sched.c | 2 - net/sunrpc/xprtsock.c | 6 +- net/xdp/xsk.c | 113 +++++++-- net/xdp/xsk_queue.h | 12 + samples/ftrace/ftrace-direct-modify.c | 2 +- tools/testing/selftests/net/can/config | 3 + 234 files changed, 3151 insertions(+), 1711 deletions(-)

2 minutes

4
192
0 0

[PATCH 6.12 000/140] 6.12.48-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.48 release. There are 140 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.48-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.48-rc1 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Buday Csaba <buday.csaba(a)prolan.hu> net: mdiobus: release reset_gpio in mdiobus_unregister_device() K Prateek Nayak <kprateek.nayak(a)amd.com> x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix MIDI2 IN EP max packet size Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix missing UMP group attributes initialization RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: properly deliver cable vdms to altmode drivers Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix memory leak regression when freeing xhci vdev devices depth first Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: Remove unnecessary include from compat.h Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Fix refcount underflow on module unload Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Remove improper idxd_free Pengyu Luo <mitltlatltl(a)gmail.com> phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add VLAN CTAG filter support Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: restart set lookup on base_seq change Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: make nft_set_do_lookup available unconditionally Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: place base_seq in struct net Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Reintroduce shortened deletion notifications Florian Westphal <fw(a)strlen.de> netfilter: nft_set_rbtree: continue traversal if element is inactive Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't check genbit from packetpath lookups Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't return bogus extension pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: merge pipapo_get/lookup Florian Westphal <fw(a)strlen.de> netfilter: nft_set: remove one argument from lookup and update functions Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove unused arguments Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: use udelay rather than fsleep Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Petr Machata <petrm(a)nvidia.com> net: bridge: Bounce invalid boolopts Alok Tiwari <alok.a.tiwari(a)oracle.com> genetlink: fix genl_bind() invoking bind() after -EPERM Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Chia-I Wu <olvaffe(a)gmail.com> drm/panthor: validate group queue count Linus Torvalds <torvalds(a)linux-foundation.org> Disable SLUB_TINY for build testing Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Qu Wenruo <wqu(a)suse.com> btrfs: fix corruption reading compressed range when block size is smaller than page size Boris Burkov <boris(a)bur.io> btrfs: use readahead_expand() on compressed extents Santhosh Kumar K <s-k6(a)ti.com> mtd: spinand: winbond: Fix oob_layout for W25N01JW Jeongjun Park <aha310510(a)gmail.com> mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition where r_parent becomes stale before sending message Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition validating r_parent before applying state Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Matthieu Baerts (NGI0) <matttbe(a)kernel.org> netlink: specs: mptcp: fix if-idx attribute type Jakub Kicinski <kuba(a)kernel.org> netlink: specs: mptcp: replace underscores with dashes in names Matthieu Baerts (NGI0) <matttbe(a)kernel.org> netlink: specs: mptcp: clearly mention attributes Matthieu Baerts (NGI0) <matttbe(a)kernel.org> netlink: specs: mptcp: add missing 'server-side' attr David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Attempt to bring bos back to VRAM after eviction Johan Hovold <johan(a)kernel.org> drm/mediatek: fix potential OF node use-after-free Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Sang-Heon Jeon <ekffu200098(a)gmail.com> mm/damon/core: set quota->charged_from to jiffies at first charge window Kyle Meyer <kyle.meyer(a)hpe.com> mm/memory-failure: fix redundant updates for already poisoned pages Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Amir Goldstein <amir73il(a)gmail.com> fuse: do not allow mapping a non-regular backing file Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Alexander Sverdlin <alexander.sverdlin(a)siemens.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Chiasheng Lee <chiasheng.lee(a)linux.intel.com> i2c: i801: Hide Intel Birch Stream SoC TCO WDT Omar Sandoval <osandov(a)fb.com> btrfs: fix subvolume deletion lockup caused by inodes xarray race Boris Burkov <boris(a)bur.io> btrfs: fix squota compressed stats leak Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Peilin Ye <yepeilin(a)google.com> bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() KaFai Wan <kafai.wan(a)linux.dev> bpf: Allow fall back to interpreter for programs with stack size <= 512 Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Thomas Richter <tmricht(a)linux.ibm.com> s390/pai: Deny all events not handled by this PMU Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: nfs_invalidate_folio() must observe the offset and size arguments Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and copy range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and clone range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and fallocate() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Serialise O_DIRECT i/o and truncate() Max Kellermann <max.kellermann(a)ionos.com> fs/nfs/io: make nfs_start_io_*() killable Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Scott Mayhew <smayhew(a)redhat.com> nfs/localio: restore creds before releasing pageio data Mike Snitzer <snitzer(a)kernel.org> nfs/localio: add direct IO enablement with sync and async IO support Mike Snitzer <snitzer(a)kernel.org> nfs/localio: remove extra indirect nfs_to call to check {read,write}_iter Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Guenter Roeck <linux(a)roeck-us.net> trace/fgraph: Fix error handling Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Justin Worrell <jworrell(a)gmail.com> SUNRPC: call xs_sock_process_cmsg for all cmsg Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read David Rosca <david.rosca(a)amd.com> drm/amdgpu: Add back JPEG to video caps for carrizo and newer Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA Aurabindo Pillai <aurabindo.pillai(a)amd.com> Revert "drm/amd/display: Optimize cursor position updates" Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> drm/i915/pmu: Fix zero delta busyness issue Theodore Ts'o <tytso(a)mit.edu> ext4: introduce linear search for dentries Huan Yang <link(a)vivo.com> Revert "udmabuf: fix vmap_udmabuf error page set" Maurizio Lombardi <mlombard(a)redhat.com> nvme-pci: skip nvme_write_sq_db on empty rqlist Fedor Pchelkin <pchelkin(a)ispras.ru> dma-debug: fix physical address calculation for struct dma_debug_entry Sean Anderson <sean.anderson(a)linux.dev> dma-mapping: fix swapped dir/flags arguments to trace_dma_alloc_sgt_err Harry Yoo <harry.yoo(a)oracle.com> mm: introduce and use {pgd,p4d}_populate_kernel() Yevgeny Kliteynik <kliteyn(a)nvidia.com> net/mlx5: HWS, change error flow on matcher disconnect Yeoreum Yun <yeoreum.yun(a)arm.com> kunit: kasan_test: disable fortify string checker on kasan_strings() test Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> dma-debug: don't enforce dma mapping check on noncoherent allocations Sean Anderson <sean.anderson(a)linux.dev> dma-mapping: trace more error paths Sean Anderson <sean.anderson(a)linux.dev> dma-mapping: use trace_dma_alloc for dma_alloc* instead of using trace_dma_map Sean Anderson <sean.anderson(a)linux.dev> dma-mapping: trace dma_alloc/free direction Christoph Hellwig <hch(a)lst.de> dma-debug: store a phys_addr_t in struct dma_debug_entry Amir Goldstein <amir73il(a)gmail.com> fhandle: use more consistent rules for decoding file handle from userns ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/filesystems/nfs/localio.rst | 13 ++ Documentation/netlink/specs/mptcp_pm.yaml | 52 ++--- Documentation/networking/can.rst | 2 +- Makefile | 4 +- arch/riscv/include/asm/compat.h | 1 - arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/s390/kernel/perf_pai_crypto.c | 4 +- arch/s390/kernel/perf_pai_ext.c | 2 +- arch/x86/kernel/cpu/topology_amd.c | 25 +-- drivers/dma-buf/Kconfig | 1 - drivers/dma-buf/udmabuf.c | 22 +-- drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 39 ++-- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 - drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 60 +++--- drivers/gpu/drm/amd/amdgpu/vi.c | 7 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 + .../gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 7 +- .../drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c | 6 +- .../gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c | 8 +- .../drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c | 10 +- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 +- drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 16 ++ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +- drivers/gpu/drm/panthor/panthor_drv.c | 2 +- drivers/gpu/drm/xe/tests/xe_bo.c | 2 +- drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 +- drivers/gpu/drm/xe/xe_bo.c | 16 +- drivers/gpu/drm/xe/xe_bo.h | 2 +- drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- drivers/i2c/busses/i2c-i801.c | 2 +- drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/mtd/nand/raw/atmel/nand-controller.c | 16 +- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 ++--- drivers/mtd/nand/spi/winbond.c | 37 +++- drivers/net/can/xilinx_can.c | 16 +- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- .../mlx5/core/steering/hws/mlx5hws_matcher.c | 24 +-- drivers/net/phy/mdio_bus.c | 4 +- drivers/nvme/host/pci.c | 3 + drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-omap-usb2.c | 13 ++ drivers/phy/ti/phy-ti-pipe3.c | 13 ++ drivers/regulator/sy7636a-regulator.c | 7 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/function/f_midi2.c | 11 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/host/xhci-mem.c | 2 +- drivers/usb/serial/option.c | 17 ++ drivers/usb/typec/tcpm/tcpm.c | 12 +- fs/btrfs/extent_io.c | 72 ++++++- fs/btrfs/inode.c | 12 +- fs/btrfs/qgroup.c | 6 +- fs/ceph/debugfs.c | 14 +- fs/ceph/dir.c | 17 +- fs/ceph/file.c | 24 +-- fs/ceph/inode.c | 88 +++++++-- fs/ceph/mds_client.c | 172 ++++++++++------- fs/ceph/mds_client.h | 18 +- fs/ext4/namei.c | 14 +- fs/fhandle.c | 8 + fs/fuse/file.c | 5 +- fs/fuse/passthrough.c | 5 + fs/kernfs/file.c | 58 ++++-- fs/nfs/client.c | 2 + fs/nfs/direct.c | 22 ++- fs/nfs/file.c | 21 +- fs/nfs/flexfilelayout/flexfilelayout.c | 21 +- fs/nfs/inode.c | 4 +- fs/nfs/internal.h | 17 +- fs/nfs/io.c | 55 ++++-- fs/nfs/localio.c | 125 +++++++++--- fs/nfs/nfs42proc.c | 2 + fs/nfs/nfs4file.c | 2 + fs/nfs/nfs4proc.c | 7 +- fs/nfs/write.c | 1 + fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- include/linux/compiler-clang.h | 31 ++- include/linux/fs.h | 10 +- include/linux/nfs_xdr.h | 1 + include/linux/pgalloc.h | 29 +++ include/linux/pgtable.h | 13 +- include/net/netfilter/nf_tables.h | 11 +- include/net/netfilter/nf_tables_core.h | 49 ++--- include/net/netns/nftables.h | 1 + include/trace/events/dma.h | 153 ++++++++++++++- include/uapi/linux/mptcp_pm.h | 50 ++--- kernel/bpf/core.c | 16 +- kernel/bpf/crypto.c | 2 +- kernel/bpf/helpers.c | 7 +- kernel/dma/debug.c | 135 ++++++++----- kernel/dma/debug.h | 20 ++ kernel/dma/mapping.c | 41 ++-- kernel/time/hrtimer.c | 11 +- kernel/trace/fgraph.c | 3 +- kernel/trace/trace.c | 10 +- mm/Kconfig | 2 +- mm/damon/core.c | 4 + mm/damon/lru_sort.c | 5 + mm/damon/reclaim.c | 5 + mm/damon/sysfs.c | 14 +- mm/hugetlb.c | 9 +- mm/kasan/init.c | 12 +- mm/kasan/kasan_test_c.c | 1 + mm/khugepaged.c | 4 +- mm/memory-failure.c | 20 +- mm/percpu.c | 6 +- mm/sparse-vmemmap.c | 6 +- net/bridge/br.c | 7 + net/can/j1939/bus.c | 5 +- net/can/j1939/socket.c | 3 + net/ceph/messenger.c | 7 +- net/hsr/hsr_device.c | 97 +++++++++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 3 + net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/netfilter/nf_tables_api.c | 123 +++++++----- net/netfilter/nft_dynset.c | 5 +- net/netfilter/nft_lookup.c | 67 +++++-- net/netfilter/nft_objref.c | 5 +- net/netfilter/nft_set_bitmap.c | 11 +- net/netfilter/nft_set_hash.c | 54 +++--- net/netfilter/nft_set_pipapo.c | 211 ++++++++------------- net/netfilter/nft_set_pipapo_avx2.c | 29 +-- net/netfilter/nft_set_rbtree.c | 46 +++-- net/netlink/genetlink.c | 3 + net/sunrpc/sched.c | 2 - net/sunrpc/xprtsock.c | 6 +- samples/ftrace/ftrace-direct-modify.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + 144 files changed, 1887 insertions(+), 986 deletions(-)

2 minutes

4
144
0 0

[PATCH 6.6 000/101] 6.6.107-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.107 release. There are 101 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.107-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.107-rc1 Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Buday Csaba <buday.csaba(a)prolan.hu> net: mdiobus: release reset_gpio in mdiobus_unregister_device() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix null pointer dereference in alloc_preauth_hash() Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix MIDI2 IN EP max packet size Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix missing UMP group attributes initialization Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix memory leak regression when freeing xhci vdev devices depth first Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: Remove unnecessary include from compat.h Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> hrtimer: Remove unused function Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Fix refcount underflow on module unload Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Remove improper idxd_free Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add VLAN CTAG filter support Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add support for MC filtering at the slave device Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Petr Machata <petrm(a)nvidia.com> net: bridge: Bounce invalid boolopts Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Linus Torvalds <torvalds(a)linux-foundation.org> Disable SLUB_TINY for build testing Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Yang Erkun <yangerkun(a)huawei.com> cifs: fix pagecache leak when do writepages Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Qu Wenruo <wqu(a)suse.com> btrfs: fix corruption reading compressed range when block size is smaller than page size Boris Burkov <boris(a)bur.io> btrfs: use readahead_expand() on compressed extents Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Alexander Sverdlin <alexander.sverdlin(a)siemens.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alexander Dahl <ada(a)thorsis.com> mtd: nand: raw: atmel: Fix comment in timings preparation David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time Johan Hovold <johan(a)kernel.org> drm/mediatek: fix potential OF node use-after-free Sang-Heon Jeon <ekffu200098(a)gmail.com> mm/damon/core: set quota->charged_from to jiffies at first charge window Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Chiasheng Lee <chiasheng.lee(a)linux.intel.com> i2c: i801: Hide Intel Birch Stream SoC TCO WDT Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call Borislav Petkov (AMD) <bp(a)alien8.de> KVM: SVM: Set synthesized TSA CPUID flags Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Maintain real-time response in rcu_tasks_postscan() Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Eliminate deadlocks involving do_exit() and RCU tasks Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Maintain lists to eliminate RCU-tasks/do_exit() deadlocks wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Peilin Ye <yepeilin(a)google.com> bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and copy range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and clone range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and fallocate() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Serialise O_DIRECT i/o and truncate() Max Kellermann <max.kellermann(a)ionos.com> fs/nfs/io: make nfs_start_io_*() killable Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Justin Worrell <jworrell(a)gmail.com> SUNRPC: call xs_sock_process_cmsg for all cmsg Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of ToMToU integrity violations Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Fix link frequency validation Chuck Lever <chuck.lever(a)oracle.com> NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs() Trond Myklebust <trond.myklebust(a)hammerspace.com> nfsd: Fix a regression in nfsd_setattr() Ada Couprie Diaz <ada.coupriediaz(a)arm.com> kasan: fix GCC mem-intrinsic prefix with sw tags Harry Yoo <harry.yoo(a)oracle.com> mm: introduce and use {pgd,p4d}_populate_kernel() Yeoreum Yun <yeoreum.yun(a)arm.com> kunit: kasan_test: disable fortify string checker on kasan_strings() test ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/networking/can.rst | 2 +- Makefile | 4 +- arch/riscv/include/asm/compat.h | 1 - arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/x86/kvm/cpuid.c | 5 + drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 39 ++--- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 - drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 60 ++++---- drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +- drivers/i2c/busses/i2c-i801.c | 2 +- drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/media/i2c/imx214.c | 27 ++-- drivers/mtd/nand/raw/atmel/nand-controller.c | 18 ++- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +++--- drivers/net/can/xilinx_can.c | 16 +-- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- drivers/net/phy/mdio_bus.c | 4 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-ti-pipe3.c | 13 ++ drivers/regulator/sy7636a-regulator.c | 7 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/function/f_midi2.c | 11 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/host/xhci-mem.c | 2 +- drivers/usb/serial/option.c | 17 +++ fs/btrfs/extent_io.c | 78 ++++++++-- fs/fuse/file.c | 5 +- fs/kernfs/file.c | 54 ++++--- fs/nfs/client.c | 2 + fs/nfs/direct.c | 21 ++- fs/nfs/file.c | 14 +- fs/nfs/flexfilelayout/flexfilelayout.c | 21 +-- fs/nfs/inode.c | 4 +- fs/nfs/internal.h | 17 ++- fs/nfs/io.c | 55 ++++--- fs/nfs/nfs42proc.c | 2 + fs/nfs/nfs4file.c | 2 + fs/nfs/nfs4proc.c | 6 +- fs/nfsd/nfs4proc.c | 4 + fs/nfsd/vfs.c | 13 +- fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- fs/smb/client/file.c | 16 ++- fs/smb/server/connection.h | 11 ++ fs/smb/server/mgmt/user_session.c | 4 +- fs/smb/server/smb2pdu.c | 14 +- include/linux/compiler-clang.h | 31 +++- include/linux/pgalloc.h | 29 ++++ include/linux/pgtable.h | 13 +- include/net/sock.h | 40 +++++- kernel/bpf/helpers.c | 7 +- kernel/rcu/tasks.h | 107 ++++++++++---- kernel/time/hrtimer.c | 50 ++----- kernel/trace/trace.c | 10 +- mm/Kconfig | 2 +- mm/damon/core.c | 4 + mm/damon/lru_sort.c | 3 + mm/damon/reclaim.c | 3 + mm/damon/sysfs.c | 14 +- mm/kasan/init.c | 12 +- mm/kasan/kasan_test.c | 1 + mm/khugepaged.c | 22 +-- mm/memory-failure.c | 7 +- mm/percpu.c | 6 +- mm/sparse-vmemmap.c | 6 +- net/bridge/br.c | 7 + net/can/j1939/bus.c | 5 +- net/can/j1939/socket.c | 3 + net/ceph/messenger.c | 7 +- net/core/sock.c | 5 + net/hsr/hsr_device.c | 158 ++++++++++++++++++++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 3 + net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/sunrpc/sched.c | 2 - net/sunrpc/xprtsock.c | 6 +- samples/ftrace/ftrace-direct-modify.c | 2 +- scripts/Makefile.kasan | 12 +- security/integrity/ima/ima_main.c | 16 ++- security/integrity/integrity.h | 3 +- 93 files changed, 976 insertions(+), 403 deletions(-)

2 minutes

4
105
0 0

[PATCH 6.1 00/78] 6.1.153-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.153 release. There are 78 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.153-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.153-rc1 Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Deal with zero e_shentsize Dan Carpenter <dan.carpenter(a)linaro.org> soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> hrtimer: Remove unused function Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add VLAN CTAG filter support Murali Karicheri <m-karicheri2(a)ti.com> net: hsr: Add support for MC filtering at the slave device Ravi Gunasekaran <r-gunasekaran(a)ti.com> net: hsr: Disable promiscuous mode in offload mode Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Alexander Sverdlin <alexander.sverdlin(a)siemens.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alexander Dahl <ada(a)thorsis.com> mtd: nand: raw: atmel: Fix comment in timings preparation Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Oleksij Rempel <linux(a)rempel-privat.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call Borislav Petkov (AMD) <bp(a)alien8.de> KVM: SVM: Set synthesized TSA CPUID flags Boris Ostrovsky <boris.ostrovsky(a)oracle.com> KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() Kim Phillips <kim.phillips(a)amd.com> KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not add length to print format in synthetic events Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. André Apitzsch <git(a)apitzsch.eu> media: i2c: imx214: Fix link frequency validation Arnd Bergmann <arnd(a)arndb.de> media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Harry Yoo <harry.yoo(a)oracle.com> mm: introduce and use {pgd,p4d}_populate_kernel() Yeoreum Yun <yeoreum.yun(a)arm.com> kunit: kasan_test: disable fortify string checker on kasan_strings() test ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/networking/can.rst | 2 +- Makefile | 4 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/x86/kvm/cpuid.c | 33 +++-- drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 33 +++-- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 - drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/media/i2c/imx214.c | 27 +++- .../platform/mediatek/vcodec/mtk_vcodec_fw_scp.c | 4 +- .../platform/mediatek/vcodec/venc/venc_h264_if.c | 6 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 18 ++- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +++--- drivers/net/can/xilinx_can.c | 16 +- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-ti-pipe3.c | 13 ++ drivers/regulator/sy7636a-regulator.c | 7 +- drivers/soc/qcom/mdt_loader.c | 14 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/serial/option.c | 17 +++ fs/fuse/file.c | 5 +- fs/kernfs/file.c | 54 ++++--- fs/nfs/client.c | 2 + fs/nfs/flexfilelayout/flexfilelayout.c | 21 ++- fs/nfs/nfs4proc.c | 6 +- fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- include/linux/compiler-clang.h | 31 +++- include/linux/pgalloc.h | 29 ++++ include/linux/pgtable.h | 13 +- include/net/sock.h | 40 ++++- kernel/time/hrtimer.c | 50 ++----- kernel/trace/trace.c | 10 +- kernel/trace/trace_events_synth.c | 2 - mm/damon/lru_sort.c | 3 + mm/damon/reclaim.c | 3 + mm/damon/sysfs.c | 14 +- mm/kasan/init.c | 12 +- mm/kasan/kasan_test.c | 1 + mm/khugepaged.c | 22 +-- mm/memory-failure.c | 7 +- mm/percpu.c | 6 +- mm/sparse-vmemmap.c | 6 +- net/can/j1939/bus.c | 5 +- net/can/j1939/socket.c | 3 + net/ceph/messenger.c | 7 +- net/core/sock.c | 5 + net/hsr/hsr_device.c | 163 ++++++++++++++++++++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 4 + net/hsr/hsr_slave.c | 15 +- net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/sunrpc/sched.c | 2 - samples/ftrace/ftrace-direct-modify.c | 2 +- sound/soc/qcom/qdsp6/q6apm-dai.c | 28 +++- 68 files changed, 669 insertions(+), 285 deletions(-)

3 minutes

4
83
0 0

[PATCH v2] ceph: fix deadlock bugs by making iput() calls asynchronous

by Max Kellermann

The iput() function is a dangerous one - if the reference counter goes to zero, the function may block for a long time due to: - inode_wait_for_writeback() waits until writeback on this inode completes - the filesystem-specific "evict_inode" callback can do similar things; e.g. all netfs-based filesystems will call netfs_wait_for_outstanding_io() which is similar to inode_wait_for_writeback() Therefore, callers must carefully evaluate the context they're in and check whether invoking iput() is a good idea at all. Most of the time, this is not a problem because the dcache holds references to all inodes, and the dcache is usually the one to release the last reference. But this assumption is fragile. For example, under (memcg) memory pressure, the dcache shrinker is more likely to release inode references, moving the inode eviction to contexts where that was extremely unlikely to occur. Our production servers "found" at least two deadlock bugs in the Ceph filesystem that were caused by this iput() behavior: 1. Writeback may lead to iput() calls in Ceph (e.g. from ceph_put_wrbuffer_cap_refs()) which deadlocks in inode_wait_for_writeback(). Waiting for writeback completion from within writeback will obviously never be able to make any progress. This leads to blocked kworkers like this: INFO: task kworker/u777:6:1270802 blocked for more than 122 seconds. Not tainted 6.16.7-i1-es #773 task:kworker/u777:6 state:D stack:0 pid:1270802 tgid:1270802 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: writeback wb_workfn (flush-ceph-3) Call Trace: <TASK> __schedule+0x4ea/0x17d0 schedule+0x1c/0xc0 inode_wait_for_writeback+0x71/0xb0 evict+0xcf/0x200 ceph_put_wrbuffer_cap_refs+0xdd/0x220 ceph_invalidate_folio+0x97/0xc0 ceph_writepages_start+0x127b/0x14d0 do_writepages+0xba/0x150 __writeback_single_inode+0x34/0x290 writeback_sb_inodes+0x203/0x470 __writeback_inodes_wb+0x4c/0xe0 wb_writeback+0x189/0x2b0 wb_workfn+0x30b/0x3d0 process_one_work+0x143/0x2b0 worker_thread+0x30a/0x450 2. In the Ceph messenger thread (net/ceph/messenger*.c), any iput() call may invoke ceph_evict_inode() which will deadlock in netfs_wait_for_outstanding_io(); since this blocks the messenger thread, completions from the Ceph servers will not ever be received and handled. It looks like these deadlock bugs have been in the Ceph filesystem code since forever (therefore no "Fixes" tag in this patch). There may be various ways to solve this: - make iput() asynchronous and defer the actual eviction like fput() (may add overhead) - make iput() only asynchronous if I_SYNC is set (doesn't solve random things happening inside the "evict_inode" callback) - add iput_deferred() to make this asynchronous behavior/overhead optional and explicit - refactor Ceph to avoid iput() calls from within writeback and messenger (if that is even possible) - add a Ceph-specific workaround After advice from Mateusz Guzik, I decided to do the latter. The implementation is simple because it piggybacks on the existing work_struct for ceph_queue_inode_work() - ceph_inode_work() calls iput() at the end which means we can donate the last reference to it. This patch adds ceph_iput_async() and converts lots of iput() calls to it - at least those that may come through writeback and the messenger. Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: stable(a)vger.kernel.org --- v1->v2: using atomic_add_unless() instead of atomic_add_unless() to avoid letting i_count drop to zero which may cause races (thanks Mateusz Guzik) Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- fs/ceph/addr.c | 2 +- fs/ceph/caps.c | 16 ++++++++-------- fs/ceph/dir.c | 2 +- fs/ceph/inode.c | 34 ++++++++++++++++++++++++++++++++++ fs/ceph/mds_client.c | 30 +++++++++++++++--------------- fs/ceph/quota.c | 4 ++-- fs/ceph/snap.c | 10 +++++----- fs/ceph/super.h | 2 ++ 8 files changed, 68 insertions(+), 32 deletions(-) diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c index 322ed268f14a..fc497c91530e 100644 --- a/fs/ceph/addr.c +++ b/fs/ceph/addr.c @@ -265,7 +265,7 @@ static void finish_netfs_read(struct ceph_osd_request *req) subreq->error = err; trace_netfs_sreq(subreq, netfs_sreq_trace_io_progress); netfs_read_subreq_terminated(subreq); - iput(req->r_inode); + ceph_iput_async(req->r_inode); ceph_dec_osd_stopping_blocker(fsc->mdsc); } diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index b1a8ff612c41..af9e3ae9ab7e 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -1771,7 +1771,7 @@ void ceph_flush_snaps(struct ceph_inode_info *ci, spin_unlock(&mdsc->snap_flush_lock); if (need_put) - iput(inode); + ceph_iput_async(inode); } /* @@ -3319,7 +3319,7 @@ static void __ceph_put_cap_refs(struct ceph_inode_info *ci, int had, if (wake) wake_up_all(&ci->i_cap_wq); while (put-- > 0) - iput(inode); + ceph_iput_async(inode); } void ceph_put_cap_refs(struct ceph_inode_info *ci, int had) @@ -3419,7 +3419,7 @@ void ceph_put_wrbuffer_cap_refs(struct ceph_inode_info *ci, int nr, if (complete_capsnap) wake_up_all(&ci->i_cap_wq); while (put-- > 0) { - iput(inode); + ceph_iput_async(inode); } } @@ -3917,7 +3917,7 @@ static void handle_cap_flush_ack(struct inode *inode, u64 flush_tid, if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); if (drop) - iput(inode); + ceph_iput_async(inode); } void __ceph_remove_capsnap(struct inode *inode, struct ceph_cap_snap *capsnap, @@ -4008,7 +4008,7 @@ static void handle_cap_flushsnap_ack(struct inode *inode, u64 flush_tid, wake_up_all(&ci->i_cap_wq); if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); - iput(inode); + ceph_iput_async(inode); } } @@ -4557,7 +4557,7 @@ void ceph_handle_caps(struct ceph_mds_session *session, done: mutex_unlock(&session->s_mutex); done_unlocked: - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); @@ -4636,7 +4636,7 @@ unsigned long ceph_check_delayed_caps(struct ceph_mds_client *mdsc) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, 0); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } @@ -4675,7 +4675,7 @@ static void flush_dirty_session_caps(struct ceph_mds_session *s) spin_unlock(&mdsc->cap_dirty_lock); ceph_wait_on_async_create(inode); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_dirty_lock); } spin_unlock(&mdsc->cap_dirty_lock); diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c index 32973c62c1a2..ec73ed52a227 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -1290,7 +1290,7 @@ static void ceph_async_unlink_cb(struct ceph_mds_client *mdsc, ceph_mdsc_free_path_info(&path_info); } out: - iput(req->r_old_inode); + ceph_iput_async(req->r_old_inode); ceph_mdsc_release_dir_caps(req); } diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index f67025465de0..d7c0ed82bf62 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -2191,6 +2191,40 @@ void ceph_queue_inode_work(struct inode *inode, int work_bit) } } +/** + * Queue an asynchronous iput() call in a worker thread. Use this + * instead of iput() in contexts where evicting the inode is unsafe. + * For example, inode eviction may cause deadlocks in + * inode_wait_for_writeback() (when called from within writeback) or + * in netfs_wait_for_outstanding_io() (when called from within the + * Ceph messenger). + */ +void ceph_iput_async(struct inode *inode) +{ + if (unlikely(!inode)) + return; + + if (likely(atomic_add_unless(&inode->i_count, -1, 1))) + /* somebody else is holding another reference - + * nothing left to do for us + */ + return; + + doutc(ceph_inode_to_fs_client(inode)->client, "%p %llx.%llx\n", inode, ceph_vinop(inode)); + + /* simply queue a ceph_inode_work() (donating the remaining + * reference) without setting i_work_mask bit; other than + * putting the reference, there is nothing to do + */ + WARN_ON_ONCE(!queue_work(ceph_inode_to_fs_client(inode)->inode_wq, + &ceph_inode(inode)->i_work)); + + /* note: queue_work() cannot fail; it i_work were already + * queued, then it would be holding another reference, but no + * such reference exists + */ +} + static void ceph_do_invalidate_pages(struct inode *inode) { struct ceph_client *cl = ceph_inode_to_client(inode); diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 3bc72b47fe4d..22d75c3be5a8 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -1097,14 +1097,14 @@ void ceph_mdsc_release_request(struct kref *kref) ceph_msg_put(req->r_reply); if (req->r_inode) { ceph_put_cap_refs(ceph_inode(req->r_inode), CEPH_CAP_PIN); - iput(req->r_inode); + ceph_iput_async(req->r_inode); } if (req->r_parent) { ceph_put_cap_refs(ceph_inode(req->r_parent), CEPH_CAP_PIN); - iput(req->r_parent); + ceph_iput_async(req->r_parent); } - iput(req->r_target_inode); - iput(req->r_new_inode); + ceph_iput_async(req->r_target_inode); + ceph_iput_async(req->r_new_inode); if (req->r_dentry) dput(req->r_dentry); if (req->r_old_dentry) @@ -1118,7 +1118,7 @@ void ceph_mdsc_release_request(struct kref *kref) */ ceph_put_cap_refs(ceph_inode(req->r_old_dentry_dir), CEPH_CAP_PIN); - iput(req->r_old_dentry_dir); + ceph_iput_async(req->r_old_dentry_dir); } kfree(req->r_path1); kfree(req->r_path2); @@ -1240,7 +1240,7 @@ static void __unregister_request(struct ceph_mds_client *mdsc, } if (req->r_unsafe_dir) { - iput(req->r_unsafe_dir); + ceph_iput_async(req->r_unsafe_dir); req->r_unsafe_dir = NULL; } @@ -1413,7 +1413,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap = rb_entry(rb_first(&ci->i_caps), struct ceph_cap, ci_node); if (!cap) { spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); goto random; } mds = cap->session->s_mds; @@ -1422,7 +1422,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap == ci->i_auth_cap ? "auth " : "", cap); spin_unlock(&ci->i_ceph_lock); out: - iput(inode); + ceph_iput_async(inode); return mds; random: @@ -1841,7 +1841,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, spin_unlock(&session->s_cap_lock); if (last_inode) { - iput(last_inode); + ceph_iput_async(last_inode); last_inode = NULL; } if (old_cap) { @@ -1874,7 +1874,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, session->s_cap_iterator = NULL; spin_unlock(&session->s_cap_lock); - iput(last_inode); + ceph_iput_async(last_inode); if (old_cap) ceph_put_cap(session->s_mdsc, old_cap); @@ -1904,7 +1904,7 @@ static int remove_session_caps_cb(struct inode *inode, int mds, void *arg) if (invalidate) ceph_queue_invalidate(inode); while (iputs--) - iput(inode); + ceph_iput_async(inode); return 0; } @@ -1944,7 +1944,7 @@ static void remove_session_caps(struct ceph_mds_session *session) spin_unlock(&session->s_cap_lock); inode = ceph_find_inode(sb, vino); - iput(inode); + ceph_iput_async(inode); spin_lock(&session->s_cap_lock); } @@ -2512,7 +2512,7 @@ static void ceph_cap_unlink_work(struct work_struct *work) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } } @@ -3933,7 +3933,7 @@ static void handle_reply(struct ceph_mds_session *session, struct ceph_msg *msg) !req->r_reply_info.has_create_ino) { /* This should never happen on an async create */ WARN_ON_ONCE(req->r_deleg_ino); - iput(in); + ceph_iput_async(in); in = NULL; } @@ -5313,7 +5313,7 @@ static void handle_lease(struct ceph_mds_client *mdsc, out: mutex_unlock(&session->s_mutex); - iput(inode); + ceph_iput_async(inode); ceph_dec_mds_stopping_blocker(mdsc); return; diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c index d90eda19bcc4..bba00f8926e6 100644 --- a/fs/ceph/quota.c +++ b/fs/ceph/quota.c @@ -76,7 +76,7 @@ void ceph_handle_quota(struct ceph_mds_client *mdsc, le64_to_cpu(h->max_files)); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); } @@ -190,7 +190,7 @@ void ceph_cleanup_quotarealms_inodes(struct ceph_mds_client *mdsc) node = rb_first(&mdsc->quotarealms_inodes); qri = rb_entry(node, struct ceph_quotarealm_inode, node); rb_erase(node, &mdsc->quotarealms_inodes); - iput(qri->inode); + ceph_iput_async(qri->inode); kfree(qri); } mutex_unlock(&mdsc->quotarealms_inodes_mutex); diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c index c65f2b202b2b..19f097e79b3c 100644 --- a/fs/ceph/snap.c +++ b/fs/ceph/snap.c @@ -735,7 +735,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, if (!inode) continue; spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); lastinode = inode; /* @@ -762,7 +762,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, spin_lock(&realm->inodes_with_caps_lock); } spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); if (capsnap) kmem_cache_free(ceph_cap_snap_cachep, capsnap); @@ -955,7 +955,7 @@ static void flush_snaps(struct ceph_mds_client *mdsc) ihold(inode); spin_unlock(&mdsc->snap_flush_lock); ceph_flush_snaps(ci, &session); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->snap_flush_lock); } spin_unlock(&mdsc->snap_flush_lock); @@ -1116,12 +1116,12 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc, ceph_get_snap_realm(mdsc, realm); ceph_change_snap_realm(inode, realm); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); continue; skip_inode: spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); } /* we may have taken some of the old realm's children. */ diff --git a/fs/ceph/super.h b/fs/ceph/super.h index cf176aab0f82..361a72a67bb8 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -1085,6 +1085,8 @@ static inline void ceph_queue_flush_snaps(struct inode *inode) ceph_queue_inode_work(inode, CEPH_I_WORK_FLUSH_SNAPS); } +void ceph_iput_async(struct inode *inode); + extern int ceph_try_to_choose_auth_mds(struct inode *inode, int mask); extern int __ceph_do_getattr(struct inode *inode, struct page *locked_page, int mask, bool force); -- 2.47.3

38 minutes

3
6
0 0

[PATCH] RDMA/rxe: Fix race in do_task() when draining

by Gui-Dong Han

When do_task() exhausts its RXE_MAX_ITERATIONS budget, it unconditionally sets the task state to TASK_STATE_IDLE to reschedule. This overwrites the TASK_STATE_DRAINING state that may have been concurrently set by rxe_cleanup_task() or rxe_disable_task(). This race condition breaks the cleanup and disable logic, which expects the task to stop processing new work. The cleanup code may proceed while do_task() reschedules itself, leading to a potential use-after-free. This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost. Fix this by restoring the original behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, continue the loop by setting cont to 1. This allows new iterations to finish the remaining work and reach the switch statement, which properly transitions the state to TASK_STATE_DRAINED and stops the task as intended. Fixes: 9b4b7c1f9f54 ("RDMA/rxe: Add workqueue support for rxe tasks") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- drivers/infiniband/sw/rxe/rxe_task.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c index 6f8f353e9583..f522820b950c 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.c +++ b/drivers/infiniband/sw/rxe/rxe_task.c @@ -132,8 +132,12 @@ static void do_task(struct rxe_task *task) * yield the cpu and reschedule the task */ if (!ret) { - task->state = TASK_STATE_IDLE; - resched = 1; + if (task->state != TASK_STATE_DRAINING) { + task->state = TASK_STATE_IDLE; + resched = 1; + } else { + cont = 1; + } goto exit; } -- 2.25.1

40 minutes

2
1
0 0

[PATCH] wifi: ath11k: fix NULL derefence in ath11k_qmi_m3_load()

by Matvey Kovalev

If ab->fw.m3_data points to data, then fw pointer remains null. Further, if m3_mem is not allocated, then fw is dereferenced to be passed to ath11k_err function. Replace fw->size by m3_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7db88b962f06 ("wifi: ath11k: add firmware-2.bin support") Cc: stable(a)vger.kernel.org Signed-off-by: Matvey Kovalev <matvey.kovalev(a)ispras.ru> --- drivers/net/wireless/ath/ath11k/qmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c index 378ac96b861b7..1a42b4abe7168 100644 --- a/drivers/net/wireless/ath/ath11k/qmi.c +++ b/drivers/net/wireless/ath/ath11k/qmi.c @@ -2557,7 +2557,7 @@ static int ath11k_qmi_m3_load(struct ath11k_base *ab) GFP_KERNEL); if (!m3_mem->vaddr) { ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n", - fw->size); + m3_len); ret = -ENOMEM; goto out; } -- 2.43.0.windows.1

51 minutes

1
0
0 0

[PATCH net v1 1/1] net: usb: asix: forbid runtime PM to avoid PM/MDIO + RTNL deadlock

by Oleksij Rempel

Forbid USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM by default in probe, so disabling it via the usb_driver flag is ineffective. For AX88772B, autosuspend shows no measurable power saving in my tests (no link partner, admin up/down). The ~0.453 W -> ~0.248 W reduction on 6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. With autosuspend active, resume paths may require calling phylink/phylib (caller must hold RTNL) and doing MDIO I/O. Taking RTNL from a USB PM resume can deadlock (RTNL may already be held), and MDIO can attempt a runtime-wake while the USB PM lock is held. Given the lack of benefit and poor test coverage (autosuspend is usually disabled by default in distros), forbid runtime PM here to avoid these hazards. This affects only AX88772* devices (per-interface in bind). System sleep/resume is unchanged. Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC") Reported-by: Hubert Wiśniewski <hubert.wisniewski.25632(a)gmail.com> Closes: https://lore.kernel.org/all/20220622141638.GE930160@montezuma.acc.umu.se Reported-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> --- Link to the measurement results: https://lore.kernel.org/all/aMkPMa650kfKfmF4@pengutronix.de/ --- drivers/net/usb/asix_devices.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c index 792ddda1ad49..0d341d7e6154 100644 --- a/drivers/net/usb/asix_devices.c +++ b/drivers/net/usb/asix_devices.c @@ -625,6 +625,22 @@ static void ax88772_suspend(struct usbnet *dev) asix_read_medium_status(dev, 1)); } +/* + * Notes on PM callbacks and locking context: + * + * - asix_suspend()/asix_resume() are invoked for both runtime PM and + * system-wide suspend/resume. For struct usb_driver the ->resume() + * callback does not receive pm_message_t, so the resume type cannot + * be distinguished here. + * + * - The MAC driver must hold RTNL when calling phylink interfaces such as + * phylink_suspend()/resume(). Those calls will also perform MDIO I/O. + * + * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while + * the USB PM lock is held) is fragile. Since autosuspend brings no + * measurable power saving for this device with current driver version, it is + * disabled below. + */ static int asix_suspend(struct usb_interface *intf, pm_message_t message) { struct usbnet *dev = usb_get_intfdata(intf); @@ -919,6 +935,16 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) if (ret) goto initphy_err; + /* Disable USB runtime PM (autosuspend) for this interface. + * Rationale: + * - No measurable power saving from autosuspend for this device. + * - phylink/phylib calls require caller-held RTNL and do MDIO I/O, + * which is unsafe from USB PM resume paths (possible RTNL already + * held, USB PM lock held). + * System suspend/resume is unaffected. + */ + pm_runtime_forbid(&intf->dev); + return 0; initphy_err: @@ -948,6 +974,10 @@ static void ax88772_unbind(struct usbnet *dev, struct usb_interface *intf) phylink_destroy(priv->phylink); ax88772_mdio_unregister(priv); asix_rx_fixup_common_free(dev->driver_priv); + /* Re-allow runtime PM on disconnect for tidiness. The interface + * goes away anyway, but this balances forbid for debug sanity. + */ + pm_runtime_allow(&intf->dev); } static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf) @@ -1600,6 +1630,10 @@ static struct usb_driver asix_driver = { .resume = asix_resume, .reset_resume = asix_resume, .disconnect = usbnet_disconnect, + /* usbnet will force supports_autosuspend=1; we explicitly forbid RPM + * per-interface in bind to keep autosuspend disabled for this driver + * by using pm_runtime_forbid(). + */ .supports_autosuspend = 1, .disable_hub_initiated_lpm = 1, }; -- 2.47.3

1 hour, 12 minutes

5
8
0 0

[PATCH 2/2] eventpoll: Fix epoll_wait() report false negative

by Nam Cao

ep_events_available() checks for available events by looking at ep->rdllist and ep->ovflist. However, this is done without a lock, therefore the returned value is not reliable. Because it is possible that both checks on ep->rdllist and ep->ovflist are false while ep_start_scan() or ep_done_scan() is being executed on other CPUs, despite events are available. This bug can be observed by: 1. Create an eventpoll with at least one ready level-triggered event 2. Create multiple threads who do epoll_wait() with zero timeout. The threads do not consume the events, therefore all epoll_wait() should return at least one event. If one thread is executing ep_events_available() while another thread is executing ep_start_scan() or ep_done_scan(), epoll_wait() may wrongly return no event for the former thread. This reproducer is implemented as TEST(epoll65) in tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c Fix it by skipping ep_events_available(), just call ep_try_send_events() directly. epoll_sendevents() (io_uring) suffers the same problem, fix that as well. There is still ep_busy_loop() who uses ep_events_available() without lock, but it is probably okay (?) for busy-polling. Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") Fixes: ae3a4f1fdc2c ("eventpoll: add epoll_sendevents() helper") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0fbf5dfedb24..541481eafc20 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2022,7 +2022,7 @@ static int ep_schedule_timeout(ktime_t *to) static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, int maxevents, struct timespec64 *timeout) { - int res, eavail, timed_out = 0; + int res, eavail = 1, timed_out = 0; u64 slack = 0; wait_queue_entry_t wait; ktime_t expires, *to = NULL; @@ -2041,16 +2041,6 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, timed_out = 1; } - /* - * This call is racy: We may or may not see events that are being added - * to the ready list under the lock (e.g., in IRQ callbacks). For cases - * with a non-zero timeout, this thread will check the ready list under - * lock and will add to the wait queue. For cases with a zero - * timeout, the user by definition should not care and will have to - * recheck again. - */ - eavail = ep_events_available(ep); - while (1) { if (eavail) { res = ep_try_send_events(ep, events, maxevents); @@ -2496,9 +2486,7 @@ int epoll_sendevents(struct file *file, struct epoll_event __user *events, * Racy call, but that's ok - it should get retried based on * poll readiness anyway. */ - if (ep_events_available(ep)) - return ep_try_send_events(ep, events, maxevents); - return 0; + return ep_try_send_events(ep, events, maxevents); } /* -- 2.39.5

2 hours, 7 minutes

4
7
0 0

[PATCH] ovl: check before dereferencing s_root field

by Jakub Acs

Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr. This issue was found by syzkaller. Race Condition Diagram: Thread 1 Thread 2 -------- -------- generic_shutdown_super() shrink_dcache_for_umount sb->s_root = NULL | | vfs_read() | inotify_fdinfo() | * inode get from mark * | show_mark_fhandle(m, inode) | exportfs_encode_fid(inode, ..) | ovl_encode_fh(inode, ..) | ovl_check_encode_origin(inode) | * deref i_sb->s_root * | | v fsnotify_sb_delete(sb) Which then leads to: [ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none) <snip registers, unreliable trace> [ 32.143353] Call Trace: [ 32.143732] ovl_encode_fh+0xd5/0x170 [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300 [ 32.144425] show_mark_fhandle+0xbe/0x1f0 [ 32.145805] inotify_fdinfo+0x226/0x2d0 [ 32.146442] inotify_show_fdinfo+0x1c5/0x350 [ 32.147168] seq_show+0x530/0x6f0 [ 32.147449] seq_read_iter+0x503/0x12a0 [ 32.148419] seq_read+0x31f/0x410 [ 32.150714] vfs_read+0x1f0/0x9e0 [ 32.152297] ksys_read+0x125/0x240 IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path. Minimize the window of opportunity by adding explicit check. Fixes: c45beebfde34 ("ovl: support encoding fid from inode with no alias") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Miklos Szeredi <miklos(a)szeredi.hu> Cc: Amir Goldstein <amir73il(a)gmail.com> Cc: linux-unionfs(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- I'm happy to take suggestions for a better fix - I looked at taking s_umount for reading, but it wasn't clear to me for how long would the fdinfo path need to hold it. Hence the most primitive suggestion in this v1. I'm also not sure if ENOENT or EBUSY is better?.. or even something else? fs/overlayfs/export.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c index 83f80fdb1567..424c73188e06 100644 --- a/fs/overlayfs/export.c +++ b/fs/overlayfs/export.c @@ -195,6 +195,8 @@ static int ovl_check_encode_origin(struct inode *inode) if (!ovl_inode_lower(inode)) return 0; + if (!inode->i_sb->s_root) + return -ENOENT; /* * Root is never indexed, so if there's an upper layer, encode upper for * root. -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

2 hours, 19 minutes

3
10
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror