- Linux-stable-mirror - lists.linaro.org

by Csókás, Bence

On certain i.MX8 series parts [1], the PPS channel 0 is routed internally
to eDMA, and the external PPS pin is available on channel 1. In addition,
on certain boards, the PPS may be wired on the PCB to an EVENTOUTn pin
other than 0. On these systems it is necessary that the PPS channel be
able to be configured from the Device Tree.

[1] https://lore.kernel.org/all/ZrPYOWA3FESx197L@lizhi-Precision-Tower-5810/

Francesco Dolcini (3):
  dt-bindings: net: fec: add pps channel property
  net: fec: refactor PPS channel configuration
  net: fec: make PPS channel configurable

 Documentation/devicetree/bindings/net/fsl,fec.yaml |  7 +++++++
 drivers/net/ethernet/freescale/fec_ptp.c           | 11 ++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

-- 
2.34.1

9 months, 3 weeks


[PATCH] xhci: dbc: Fix STALL transfer event handling

by Mathias Nyman

commit 9044ad57b60b0556d42b6f8aa218a68865e810a4 upstream

Backport targeted specifically for linux-6.6.y stable kernel.
Resolve minor conflict due to 10-patch dbc cleanup series in 6.8

Don't flush all pending DbC data requests when an endpoint halts.

An endpoint may halt and xHC DbC triggers a STALL error event if there's
an issue with a bulk data transfer. The transfer should restart once xHC
DbC receives a ClearFeature(ENDPOINT_HALT) request from the host.

Once xHC DbC restarts it will start from the TRB pointed to by dequeue
field in the endpoint context, which might be the same TRB we got the
STALL event for. Turn the TRB to a no-op in this case to make sure xHC
DbC doesn't reuse and tries to retransmit this same TRB after we already
handled it, and gave its corresponding data request back.

Other STALL events might be completely bogus.
Lukasz Bartosik discovered that xHC DbC might issue spurious STALL events
if hosts sends a ClearFeature(ENDPOINT_HALT) request to non-halted
endpoints even without any active bulk transfers.

Assume STALL event is spurious if it reports 0 bytes transferred, and
the endpoint stopped on the STALLED TRB.
Don't give back the data request corresponding to the TRB in this case.

The halted status is per endpoint. Track it with a per endpoint flag
instead of the driver invented DbC wide DS_STALLED state.
DbC remains in DbC-Configured state even if endpoints halt. There is no
Stalled state in the DbC Port state Machine (xhci section 7.6.6)

Reported-by: Łukasz Bartosik <ukaszb(a)chromium.org>
Closes: https://lore.kernel.org/linux-usb/20240725074857.623299-1-ukaszb@chromium.o…
Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com>
---
 drivers/usb/host/xhci-dbgcap.c | 132 ++++++++++++++++++++-------------
 drivers/usb/host/xhci-dbgcap.h |   2 +-
 2 files changed, 83 insertions(+), 51 deletions(-)

diff --git a/drivers/usb/host/xhci-dbgcap.c b/drivers/usb/host/xhci-dbgcap.c
index b40d9238d447..69067015f0d5 100644
--- a/drivers/usb/host/xhci-dbgcap.c
+++ b/drivers/usb/host/xhci-dbgcap.c
@@ -158,16 +158,18 @@ static void xhci_dbc_giveback(struct dbc_request *req, int status)
 	spin_lock(&dbc->lock);
 }
 
-static void xhci_dbc_flush_single_request(struct dbc_request *req)
+static void trb_to_noop(union xhci_trb *trb)
 {
-	union xhci_trb *trb = req->trb;
-
 	trb->generic.field[0] = 0;
 	trb->generic.field[1] = 0;
 	trb->generic.field[2] = 0;
 	trb->generic.field[3] &= cpu_to_le32(TRB_CYCLE);
 	trb->generic.field[3] |= cpu_to_le32(TRB_TYPE(TRB_TR_NOOP));
+}
 
+static void xhci_dbc_flush_single_request(struct dbc_request *req)
+{
+	trb_to_noop(req->trb);
 	xhci_dbc_giveback(req, -ESHUTDOWN);
 }
 
@@ -637,7 +639,6 @@ static void xhci_dbc_stop(struct xhci_dbc *dbc)
 	case DS_DISABLED:
 		return;
 	case DS_CONFIGURED:
-	case DS_STALLED:
 		if (dbc->driver->disconnect)
 			dbc->driver->disconnect(dbc);
 		break;
@@ -657,6 +658,23 @@ static void xhci_dbc_stop(struct xhci_dbc *dbc)
 	}
 }
 
+static void
+handle_ep_halt_changes(struct xhci_dbc *dbc, struct dbc_ep *dep, bool halted)
+{
+	if (halted) {
+		dev_info(dbc->dev, "DbC Endpoint halted\n");
+		dep->halted = 1;
+
+	} else if (dep->halted) {
+		dev_info(dbc->dev, "DbC Endpoint halt cleared\n");
+		dep->halted = 0;
+
+		if (!list_empty(&dep->list_pending))
+			writel(DBC_DOOR_BELL_TARGET(dep->direction),
+			       &dbc->regs->doorbell);
+	}
+}
+
 static void
 dbc_handle_port_status(struct xhci_dbc *dbc, union xhci_trb *event)
 {
@@ -685,6 +703,7 @@ static void dbc_handle_xfer_event(struct xhci_dbc *dbc, union xhci_trb *event)
 	struct xhci_ring *ring;
 	int ep_id;
 	int status;
+	struct xhci_ep_ctx *ep_ctx;
 	u32 comp_code;
 	size_t remain_length;
 	struct dbc_request *req = NULL, *r;
@@ -694,8 +713,30 @@ static void dbc_handle_xfer_event(struct xhci_dbc *dbc, union xhci_trb *event)
 	ep_id = TRB_TO_EP_ID(le32_to_cpu(event->generic.field[3]));
 	dep = (ep_id == EPID_OUT) ?
 		get_out_ep(dbc) : get_in_ep(dbc);
+	ep_ctx = (ep_id == EPID_OUT) ?
+		dbc_bulkout_ctx(dbc) : dbc_bulkin_ctx(dbc);
 	ring = dep->ring;
 
+	/* Match the pending request: */
+	list_for_each_entry(r, &dep->list_pending, list_pending) {
+		if (r->trb_dma == event->trans_event.buffer) {
+			req = r;
+			break;
+		}
+		if (r->status == -COMP_STALL_ERROR) {
+			dev_warn(dbc->dev, "Give back stale stalled req\n");
+			ring->num_trbs_free++;
+			xhci_dbc_giveback(r, 0);
+		}
+	}
+
+	if (!req) {
+		dev_warn(dbc->dev, "no matched request\n");
+		return;
+	}
+
+	trace_xhci_dbc_handle_transfer(ring, &req->trb->generic);
+
 	switch (comp_code) {
 	case COMP_SUCCESS:
 		remain_length = 0;
@@ -706,31 +747,49 @@ static void dbc_handle_xfer_event(struct xhci_dbc *dbc, union xhci_trb *event)
 	case COMP_TRB_ERROR:
 	case COMP_BABBLE_DETECTED_ERROR:
 	case COMP_USB_TRANSACTION_ERROR:
-	case COMP_STALL_ERROR:
 		dev_warn(dbc->dev, "tx error %d detected\n", comp_code);
 		status = -comp_code;
 		break;
+	case COMP_STALL_ERROR:
+		dev_warn(dbc->dev, "Stall error at bulk TRB %llx, remaining %zu, ep deq %llx\n",
+			 event->trans_event.buffer, remain_length, ep_ctx->deq);
+		status = 0;
+		dep->halted = 1;
+
+		/*
+		 * xHC DbC may trigger a STALL bulk xfer event when host sends a
+		 * ClearFeature(ENDPOINT_HALT) request even if there wasn't an
+		 * active bulk transfer.
+		 *
+		 * Don't give back this transfer request as hardware will later
+		 * start processing TRBs starting from this 'STALLED' TRB,
+		 * causing TRBs and requests to be out of sync.
+		 *
+		 * If STALL event shows some bytes were transferred then assume
+		 * it's an actual transfer issue and give back the request.
+		 * In this case mark the TRB as No-Op to avoid hw from using the
+		 * TRB again.
+		 */
+
+		if ((ep_ctx->deq & ~TRB_CYCLE) == event->trans_event.buffer) {
+			dev_dbg(dbc->dev, "Ep stopped on Stalled TRB\n");
+			if (remain_length == req->length) {
+				dev_dbg(dbc->dev, "Spurious stall event, keep req\n");
+				req->status = -COMP_STALL_ERROR;
+				req->actual = 0;
+				return;
+			}
+			dev_dbg(dbc->dev, "Give back stalled req, but turn TRB to No-op\n");
+			trb_to_noop(req->trb);
+		}
+		break;
+
 	default:
 		dev_err(dbc->dev, "unknown tx error %d\n", comp_code);
 		status = -comp_code;
 		break;
 	}
 
-	/* Match the pending request: */
-	list_for_each_entry(r, &dep->list_pending, list_pending) {
-		if (r->trb_dma == event->trans_event.buffer) {
-			req = r;
-			break;
-		}
-	}
-
-	if (!req) {
-		dev_warn(dbc->dev, "no matched request\n");
-		return;
-	}
-
-	trace_xhci_dbc_handle_transfer(ring, &req->trb->generic);
-
 	ring->num_trbs_free++;
 	req->actual = req->length - remain_length;
 	xhci_dbc_giveback(req, status);
@@ -750,7 +809,6 @@ static void inc_evt_deq(struct xhci_ring *ring)
 static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc)
 {
 	dma_addr_t deq;
-	struct dbc_ep *dep;
 	union xhci_trb *evt;
 	u32 ctrl, portsc;
 	bool update_erdp = false;
@@ -802,43 +860,17 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc)
 			return EVT_DISC;
 		}
 
-		/* Handle endpoint stall event: */
+		/* Check and handle changes in endpoint halt status */
 		ctrl = readl(&dbc->regs->control);
-		if ((ctrl & DBC_CTRL_HALT_IN_TR) ||
-		    (ctrl & DBC_CTRL_HALT_OUT_TR)) {
-			dev_info(dbc->dev, "DbC Endpoint stall\n");
-			dbc->state = DS_STALLED;
-
-			if (ctrl & DBC_CTRL_HALT_IN_TR) {
-				dep = get_in_ep(dbc);
-				xhci_dbc_flush_endpoint_requests(dep);
-			}
-
-			if (ctrl & DBC_CTRL_HALT_OUT_TR) {
-				dep = get_out_ep(dbc);
-				xhci_dbc_flush_endpoint_requests(dep);
-			}
-
-			return EVT_DONE;
-		}
+		handle_ep_halt_changes(dbc, get_in_ep(dbc), ctrl & DBC_CTRL_HALT_IN_TR);
+		handle_ep_halt_changes(dbc, get_out_ep(dbc), ctrl & DBC_CTRL_HALT_OUT_TR);
 
 		/* Clear DbC run change bit: */
 		if (ctrl & DBC_CTRL_DBC_RUN_CHANGE) {
 			writel(ctrl, &dbc->regs->control);
 			ctrl = readl(&dbc->regs->control);
 		}
-
 		break;
-	case DS_STALLED:
-		ctrl = readl(&dbc->regs->control);
-		if (!(ctrl & DBC_CTRL_HALT_IN_TR) &&
-		    !(ctrl & DBC_CTRL_HALT_OUT_TR) &&
-		    (ctrl & DBC_CTRL_DBC_RUN)) {
-			dbc->state = DS_CONFIGURED;
-			break;
-		}
-
-		return EVT_DONE;
 	default:
 		dev_err(dbc->dev, "Unknown DbC state %d\n", dbc->state);
 		break;
diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h
index 76170d7a7e7c..2de0dc49a3e9 100644
--- a/drivers/usb/host/xhci-dbgcap.h
+++ b/drivers/usb/host/xhci-dbgcap.h
@@ -81,7 +81,6 @@ enum dbc_state {
 	DS_ENABLED,
 	DS_CONNECTED,
 	DS_CONFIGURED,
-	DS_STALLED,
 };
 
 struct dbc_ep {
@@ -89,6 +88,7 @@ struct dbc_ep {
 	struct list_head list_pending;
 	struct xhci_ring *ring;
 	unsigned int direction:1;
+	unsigned int halted:1;
 };
 
 #define DBC_QUEUE_SIZE 16
-- 
2.25.1
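
For readers following the STALL handling in the patch above, the decision it makes per event can be modelled in a few lines of userspace C. This is only a sketch, not driver code: `classify_stall`, `enum stall_action` and `MODEL_TRB_CYCLE` are hypothetical names, and the model assumes the cycle bit is the lowest bit of the dequeue pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumption for this model: the cycle bit is bit 0 of the dequeue pointer. */
#define MODEL_TRB_CYCLE 0x1ULL

/* Hypothetical result type; the driver itself has no such enum. */
enum stall_action {
    STALL_KEEP_REQ,      /* spurious event: leave the request queued */
    STALL_GIVEBACK_NOOP, /* real stall on this TRB: no-op it, then give back */
    STALL_GIVEBACK       /* endpoint is not parked on this TRB: give back */
};

/*
 * Mirror of the checks in the COMP_STALL_ERROR case:
 *  - the endpoint stopped on the TRB the event refers to, and
 *  - nothing was transferred (remaining == requested length)
 * together mean the event is treated as spurious.
 */
static enum stall_action classify_stall(uint64_t ep_deq,
                                        uint64_t event_trb_dma,
                                        size_t remain_length,
                                        size_t req_length)
{
    bool stopped_on_trb = (ep_deq & ~MODEL_TRB_CYCLE) == event_trb_dma;

    if (!stopped_on_trb)
        return STALL_GIVEBACK;
    if (remain_length == req_length)
        return STALL_KEEP_REQ;
    return STALL_GIVEBACK_NOOP;
}
```

A request kept as spurious is the one the patch later gives back as a "stale stalled req" once a newer event matches a different pending request.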

9 months, 3 weeks


[PATCH 6.1] gve: Fixes for napi_poll when budget is 0

by Ziwei Xiao

Netpoll will explicitly pass the polling call with a budget of 0 to
indicate it's clearing the Tx path only. For the gve_rx_poll and
gve_xdp_poll, they were mistakenly taking the 0 budget as the indication
to do all the work. Add check to avoid the rx path and xdp path being
called when budget is 0. And also avoid napi_complete_done being called
when budget is 0 for netpoll.

The original fix was merged here:
https://lore.kernel.org/r/20231114004144.2022268-1-ziweixiao@google.com
Resend it since the original one was not cleanly applied to 6.1 kernel.

Fixes: f5cedc84a30d ("gve: Add transmit and receive support")
Signed-off-by: Ziwei Xiao <ziweixiao(a)google.com>
Reviewed-by: Praveen Kaligineedi <pkaligineedi(a)google.com>
Signed-off-by: Praveen Kaligineedi <pkaligineedi(a)google.com>
---
 drivers/net/ethernet/google/gve/gve_main.c | 7 +++++++
 drivers/net/ethernet/google/gve/gve_rx.c   | 4 ----
 drivers/net/ethernet/google/gve/gve_tx.c   | 4 ----
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
index d3f6ad586ba1..8771ccfc69b4 100644
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -202,6 +202,10 @@ static int gve_napi_poll(struct napi_struct *napi, int budget)
 
 	if (block->tx)
 		reschedule |= gve_tx_poll(block, budget);
+
+	if (!budget)
+		return 0;
+
 	if (block->rx) {
 		work_done = gve_rx_poll(block, budget);
 		reschedule |= work_done == budget;
@@ -242,6 +246,9 @@ static int gve_napi_poll_dqo(struct napi_struct *napi, int budget)
 	if (block->tx)
 		reschedule |= gve_tx_poll_dqo(block, /*do_clean=*/true);
 
+	if (!budget)
+		return 0;
+
 	if (block->rx) {
 		work_done = gve_rx_poll_dqo(block, budget);
 		reschedule |= work_done == budget;
diff --git a/drivers/net/ethernet/google/gve/gve_rx.c b/drivers/net/ethernet/google/gve/gve_rx.c
index 021bbf308d68..639eb6848c7d 100644
--- a/drivers/net/ethernet/google/gve/gve_rx.c
+++ b/drivers/net/ethernet/google/gve/gve_rx.c
@@ -778,10 +778,6 @@ int gve_rx_poll(struct gve_notify_block *block, int budget)
 
 	feat = block->napi.dev->features;
 
-	/* If budget is 0, do all the work */
-	if (budget == 0)
-		budget = INT_MAX;
-
 	if (budget > 0)
 		work_done = gve_clean_rx_done(rx, budget, feat);
 
diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c
index 5e11b8236754..bf1ac0d1dc6f 100644
--- a/drivers/net/ethernet/google/gve/gve_tx.c
+++ b/drivers/net/ethernet/google/gve/gve_tx.c
@@ -725,10 +725,6 @@ bool gve_tx_poll(struct gve_notify_block *block, int budget)
 	u32 nic_done;
 	u32 to_do;
 
-	/* If budget is 0, do all the work */
-	if (budget == 0)
-		budget = INT_MAX;
-
 	/* In TX path, it may try to clean completed pkts in order to xmit,
 	 * to avoid cleaning conflict, use spin_lock(), it yields better
 	 * concurrency between xmit/clean than netif's lock.
-- 
2.47.0.338.g60cca15819-goog
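
The budget-0 rule this patch enforces can be illustrated with a small userspace model. It is a sketch under stated assumptions, not the gve code: `struct poll_model` and `model_napi_poll` are hypothetical, Tx cleanup is reduced to a counter, and Rx work is reduced to draining a pending count.

```c
#include <stdbool.h>

/* Hypothetical stand-in for a notify block; not a gve structure. */
struct poll_model {
    bool has_tx;
    bool has_rx;
    int rx_pending;   /* packets waiting on the Rx side */
    int tx_cleaned;   /* number of times Tx cleanup ran */
    int rx_processed; /* packets handled by the Rx path */
};

/*
 * Model of a poll callback that honours a zero budget:
 * Tx completions are always cleaned, but with budget == 0
 * (the netpoll case) the Rx path is skipped and 0 is returned.
 */
static int model_napi_poll(struct poll_model *m, int budget)
{
    int work_done = 0;

    if (m->has_tx)
        m->tx_cleaned++;

    if (budget == 0)
        return 0;

    if (m->has_rx) {
        work_done = m->rx_pending < budget ? m->rx_pending : budget;
        m->rx_pending -= work_done;
        m->rx_processed += work_done;
    }
    return work_done;
}
```

Calling the model with a budget of 0 leaves `rx_pending` untouched while still bumping `tx_cleaned`, which is the behaviour the commit message describes for netpoll.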

9 months, 3 weeks


[PATCH net 14/15] can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6.

by Marc Kleine-Budde

Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround
broken TEF FIFO tail index erratum") introduced
mcp251xfd_get_tef_len() to get the number of unhandled transmit events
from the Transmit Event FIFO (TEF).

As the TEF has no head index, the driver uses the TX-FIFO's tail index
instead, assuming that send frames are completed.

When calculating the number of unhandled TEF events, that commit
didn't take mcp2518fd erratum DS80000789E 6. into account. According
to that erratum, the FIFOCI bits of a FIFOSTA register, here the
TX-FIFO tail index might be corrupted.

However here it seems the bit indicating that the TX-FIFO is
empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the
TX-FIFO tail index is.

Assume that the TX-FIFO is indeed empty if:
- Chip's head and tail index are equal (len == 0).
- The TX-FIFO is less than half full.
  (The TX-FIFO empty case has already been checked at the
   beginning of this function.)
- No free buffers in the TX ring.

If the TX-FIFO is assumed to be empty, assume that the TEF is full and
return the number of elements in the TX-FIFO (which equals the number
of TEF elements).

If these assumptions are false, the driver might read to many objects
from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers
and will refuse to process old events.

Reported-by: Renjaya Raga Zenta <renjaya.zenta(a)formulatrix.com>
Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7Gg…
Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum")
Tested-by: Renjaya Raga Zenta <renjaya.zenta(a)formulatrix.com>
Cc: stable(a)vger.kernel.org
Link: https://patch.msgid.link/20241126-mcp251xfd-fix-length-calculation-v2-1-c2e…
Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de>
---
 drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 ++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
index d3ac865933fd..e94321849fd7 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
@@ -21,6 +21,11 @@ static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta)
 	return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF;
 }
 
+static inline bool mcp251xfd_tx_fifo_sta_less_than_half_full(u32 fifo_sta)
+{
+	return fifo_sta & MCP251XFD_REG_FIFOSTA_TFHRFHIF;
+}
+
 static inline int
 mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv,
 				 u8 *tef_tail)
@@ -147,7 +152,29 @@ mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p)
 	BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len));
 
 	len = (chip_tx_tail << shift) - (tail << shift);
-	*len_p = len >> shift;
+	len >>= shift;
+
+	/* According to mcp2518fd erratum DS80000789E 6. the FIFOCI
+	 * bits of a FIFOSTA register, here the TX-FIFO tail index
+	 * might be corrupted.
+	 *
+	 * However here it seems the bit indicating that the TX-FIFO
+	 * is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct
+	 * while the TX-FIFO tail index is.
+	 *
+	 * We assume the TX-FIFO is empty, i.e. all pending CAN frames
+	 * haven been send, if:
+	 * - Chip's head and tail index are equal (len == 0).
+	 * - The TX-FIFO is less than half full.
+	 *   (The TX-FIFO empty case has already been checked at the
+	 *    beginning of this function.)
+	 * - No free buffers in the TX ring.
+	 */
+	if (len == 0 && mcp251xfd_tx_fifo_sta_less_than_half_full(fifo_sta) &&
+	    mcp251xfd_get_tx_free(tx_ring) == 0)
+		len = tx_ring->obj_num;
+
+	*len_p = len;
 
 	return 0;
 }
-- 
2.45.2
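
The length calculation and the new fallback can be tried out in isolation with the userspace sketch below. It is an illustration only: `model_tef_len` and `model_ilog2` are hypothetical helpers, the ring size is assumed to be a power of two no larger than 128, and the shift is assumed to be 8 minus log2 of the ring size (the patch only shows that a `shift` value is used, not how it is derived).

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical helper: integer log2 of a power-of-two value. */
static unsigned int model_ilog2(uint8_t v)
{
    unsigned int n = 0;

    while (v > 1) {
        v >>= 1;
        n++;
    }
    return n;
}

/*
 * Model of the TEF length computation. Shifting both indices to the
 * top of a u8 makes the subtraction wrap modulo obj_num. If the result
 * is 0 while the FIFO reports "less than half full" and the TX ring has
 * no free buffers, the FIFO is assumed to be empty and the TEF full.
 */
static uint8_t model_tef_len(uint8_t chip_tx_tail, uint8_t tail,
                             uint8_t obj_num, bool less_than_half_full,
                             uint8_t tx_free)
{
    /* Assumption: shift = 8 - log2(obj_num), obj_num a power of two. */
    unsigned int shift = 8 - model_ilog2(obj_num);
    uint8_t len;

    len = (uint8_t)((chip_tx_tail << shift) - (tail << shift));
    len >>= shift;

    if (len == 0 && less_than_half_full && tx_free == 0)
        len = obj_num;

    return len;
}
```

With a ring of 8 objects, a chip tail of 1 and a driver tail of 6 yield a length of 3 through the wrap-around, while equal indices only become a full ring when both extra conditions from the commit message hold.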

9 months, 3 weeks


f2fs: fix fiemap failure issue when page size is 16KB

by Daniel Rosenberg

Commit a7a7c1d423a6 ("f2fs: fix fiemap failure issue when page size is 16KB")

It resolves an infinite loop in fiemap when using 16k f2fs filesystems.
Please apply to stable 6.7-6.12

-Daniel

9 months, 3 weeks


[PATCH v4 0/4] media: uvcvideo: Two fixes for async controls

by Ricardo Ribalda

This patchset fixes two bugs with the async controls for the uvc driver.

They were found while implementing the granular PM, but I am sending
them as a separate patches, so they can be reviewed sooner. They fix
real issues in the driver that need to be taken care.

Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org>
---
Changes in v4:
- Fix implementation of uvc_ctrl_set_handle.
- Link to v3: https://lore.kernel.org/r/20241129-uvc-fix-async-v3-0-ab675ce66db7@chromium…

Changes in v3:
- change again! order of patches.
- Introduce uvc_ctrl_set_handle.
- Do not change ctrl->handle if it is not NULL.

Changes in v2:
- Annotate lockdep
- ctrl->handle != handle
- Change order of patches
- Move documentation of mutex
- Link to v1: https://lore.kernel.org/r/20241127-uvc-fix-async-v1-0-eb8722531b8c@chromium…

---
Ricardo Ribalda (4):
      media: uvcvideo: Do not replace the handler of an async ctrl
      media: uvcvideo: Remove dangling pointers
      media: uvcvideo: Annotate lock requirements for uvc_ctrl_set
      media: uvcvideo: Remove redundant NULL assignment

 drivers/media/usb/uvc/uvc_ctrl.c | 62 ++++++++++++++++++++++++++++++++++++----
 drivers/media/usb/uvc/uvc_v4l2.c |  2 ++
 drivers/media/usb/uvc/uvcvideo.h | 14 +++++++--
 3 files changed, 70 insertions(+), 8 deletions(-)
---
base-commit: 72ad4ff638047bbbdf3232178fea4bec1f429319
change-id: 20241127-uvc-fix-async-2c9d40413ad8

Best regards,
-- 
Ricardo Ribalda <ribalda(a)chromium.org>

9 months, 3 weeks


[PATCH 6.6 000/538] 6.6.54-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.54 release.
There are 538 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri, 04 Oct 2024 12:56:13 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.54-rc1…
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
    Linux 6.6.54-rc1

Alexey Gladkov (Intel) <legion(a)kernel.org>
    x86/tdx: Fix "in-kernel MMIO" check

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Fix NULL pointer dereference in tb_port_update_credits()

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Fix minimum allocated USB 3.x and PCIe bandwidth

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Send uevent after asymmetric/symmetric switch

Martin KaFai Lau <martin.lau(a)kernel.org>
    libbpf: Ensure undefined bpf_attr field stays 0

Arend van Spriel <arend.vanspriel(a)broadcom.com>
    wifi: brcmfmac: add linefeed at end of file

André Apitzsch <git(a)apitzsch.eu>
    iio: magnetometer: ak8975: Fix 'Unexpected device' error

Robin Murphy <robin.murphy(a)arm.com>
    perf/arm-cmn: Fail DTC counter allocation correctly

Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com>
    usb: yurex: Fix inconsistent locking bug in yurex_read()

Oleg Nesterov <oleg(a)redhat.com>
    bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

Paolo Bonzini <pbonzini(a)redhat.com>
    Documentation: KVM: fix warning in "make htmldocs"

Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
    i2c: isch: Add missed 'else'

Tommy Huang <tommy_huang(a)aspeedtech.com>
    i2c: aspeed: Update the stop sw state when the bus recovery occurs

Liam R. Howlett <Liam.Howlett(a)oracle.com>
    mm/damon/vaddr: protect vma traversal in __damon_va_thre_regions() with rcu read lock

Dmitry Vyukov <dvyukov(a)google.com>
    module: Fix KCOV-ignored file name

Haibo Chen <haibo.chen(a)nxp.com>
    spi: fspi: add support for imx8ulp

David Gow <davidgow(a)google.com>
    mm: only enforce minimum stack gap size if it's sensible

Zhiguo Niu <zhiguo.niu(a)unisoc.com>
    lockdep: fix deadlock issue between lockdep and rcu

Mikulas Patocka <mpatocka(a)redhat.com>
    dm-verity: restart or panic on an I/O error

Song Liu <song(a)kernel.org>
    bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0

Kairui Song <kasong(a)tencent.com>
    mm/filemap: optimize filemap folio adding

Kairui Song <kasong(a)tencent.com>
    lib/xarray: introduce a new helper xas_get_order

Kairui Song <kasong(a)tencent.com>
    mm/filemap: return early if failed to allocate memory for split

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Improve DisplayPort tunnel setup process to be more robust

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Configure asymmetric link if needed and bandwidth allows

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Add support for asymmetric link

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Introduce tb_switch_depth()

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Introduce tb_for_each_upstream_port_on_path()

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Introduce tb_port_path_direction_downstream()

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Change bandwidth reservations to comply USB4 v2

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Make is_gen4_link() available to the rest of the driver

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Use weight constants in tb_usb3_consumed_bandwidth()

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Use constants for path weight and priority

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Create multiple DisplayPort tunnels if there are more DP IN/OUT pairs

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Expose tb_tunnel_xxx() log macros to the rest of the driver

Mika Westerberg <mika.westerberg(a)linux.intel.com>
    thunderbolt: Use tb_tunnel_dbg() where possible to make logging more consistent

Gil Fine <gil.fine(a)linux.intel.com>
    thunderbolt: Fix debug log when DisplayPort adapter not available for pairing

Haibo Chen <haibo.chen(a)nxp.com>
    dt-bindings: spi: nxp-fspi: add imx8ulp support

Peng Fan <peng.fan(a)nxp.com>
    dt-bindings: spi: nxp-fspi: support i.MX93 and i.MX95

Filipe Manana <fdmanana(a)suse.com>
    btrfs: fix race setting file private on concurrent lseek using same fd

Filipe Manana <fdmanana(a)suse.com>
    btrfs: update comment for struct btrfs_inode::lock

David Sterba <dsterba(a)suse.com>
    btrfs: reorder btrfs_inode to fill gaps

Qu Wenruo <wqu(a)suse.com>
    btrfs: subpage: fix the bitmap dump which can cause bitmap corruption

Syed Nayyar Waris <syednwaris(a)gmail.com>
    lib/bitmap: add bitmap_{read,write}()

Dmitry Vyukov <dvyukov(a)google.com>
    x86/entry: Remove unwanted instrumentation in common_interrupt()

Xin Li <xin3.li(a)intel.com>
    x86/idtentry: Incorporate definitions/declarations of the FRED entries

Jiri Slaby (SUSE) <jirislaby(a)kernel.org>
    serial: don't use uninitialized value in uart_poll_init()

Michael Trimarchi <michael(a)amarulasolutions.com>
    tty: serial: kgdboc: Fix 8250_* kgdb over serial

Ma Ke <make24(a)iscas.ac.cn>
    pps: add an error check in parport_attach

Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
    pps: remove usage of the deprecated ida_simple_xx() API

Pawel Laszczak <pawell(a)cadence.com>
    usb: xhci: fix loss of data on Cadence xHC

Daehwan Jung <dh10.jung(a)samsung.com>
    xhci: Add a quirk for writing ERST in high-low order

Oliver Neukum <oneukum(a)suse.com>
    USB: misc: yurex: fix race between read and write

Lee Jones <lee(a)kernel.org>
    usb: yurex: Replace snprintf() with the safer scnprintf() variant

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    soc: versatile: realview: fix soc_dev leak during device remove

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    soc: versatile: realview: fix memory leak during device remove

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    ARM: dts: imx6ul-geam: fix fsl,pins property in tscgrp pinctrl

Haibo Chen <haibo.chen(a)nxp.com>
    spi: fspi: involve lut_num for struct nxp_fspi_devtype_data

VanGiang Nguyen <vangiang.nguyen(a)rohde-schwarz.com>
    padata: use integer wrap around to prevent deadlock on seq_nr overflow

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    cpuidle: riscv-sbi: Use scoped device node handling to fix missing of_node_put

Eric Dumazet <edumazet(a)google.com>
    icmp: change the order of rate limits

Qiuxu Zhuo <qiuxu.zhuo(a)intel.com>
    EDAC/igen6: Fix conversion of system address to physical memory address

Li Lingfeng <lilingfeng3(a)huawei.com>
    nfs: fix memory leak in error path of nfs4_do_reclaim

Mickaël Salaün <mic(a)digikod.net>
    fs: Fix file_set_fowner LSM hook inconsistencies

Julian Sun <sunjunchao2870(a)gmail.com>
    vfs: fix race between evice_inodes() and find_inode()&iput()

Dragan Simic <dsimic(a)manjaro.org>
    arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity

Qingqing Zhou <quic_qqzhou(a)quicinc.com>
    arm64: dts: qcom: sa8775p: Mark APPS and PCIe SMMUs as DMA coherent

Dragan Simic <dsimic(a)manjaro.org>
    arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency

D Scott Phillips <scott(a)os.amperecomputing.com>
    arm64: errata: Enable the AC03_CPU_38 workaround for ampere1a

Anastasia Belova <abelova(a)astralinux.ru>
    arm64: esr: Define ESR_ELx_EC_* constants as UL

Gaosheng Cui <cuigaosheng1(a)huawei.com>
    hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume

Gaosheng Cui <cuigaosheng1(a)huawei.com>
    hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init

Guoqing Jiang <guoqing.jiang(a)canonical.com>
    hwrng: mtk - Use devm_pm_runtime_enable

Chao Yu <chao(a)kernel.org>
    f2fs: fix to check atomic_file in f2fs ioctl interfaces

Jann Horn <jannh(a)google.com>
    f2fs: Require FMODE_WRITE for atomic write ioctls

Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
    f2fs: avoid potential int overflow in sanity_check_area_boundary()

Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
    f2fs: prevent possible int overflow in dir_block_index()

Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
    f2fs: fix several potential integer overflows in file offsets

Luca Stefani <luca.stefani.ge1(a)gmail.com>
    btrfs: always update fstrim_range on failure in FITRIM ioctl

Qu Wenruo <wqu(a)suse.com>
    btrfs: tree-checker: fix the wrong output of data backref objectid

Zhen Lei <thunder.leizhen(a)huawei.com>
    debugobjects: Fix conditions in fill_pool()

Ma Ke <make24(a)iscas.ac.cn>
    wifi: mt76: mt7615: check devm_kasprintf() returned value

Bitterblue Smith <rtl8821cerfe2(a)gmail.com>
    wifi: rtw88: 8822c: Fix reported RX band width

Nick Morrow <morrownr(a)gmail.com>
    wifi: rtw88: 8821cu: Remove VID/PID 0bda:c82c

Ma Ke <make24(a)iscas.ac.cn>
    wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he

Ma Ke <make24(a)iscas.ac.cn>
    wifi: mt76: mt7915: check devm_kasprintf() returned value

Ma Ke <make24(a)iscas.ac.cn>
    wifi: mt76: mt7921: Check devm_kasprintf() returned value

Adrian Hunter <adrian.hunter(a)intel.com>
    perf/x86/intel/pt: Fix sampling synchronization

Ard Biesheuvel <ardb(a)kernel.org>
    efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption

Werner Sembach <wse(a)tuxedocomputers.com>
    ACPI: resource: Add another DMI match for the TongFang GMxXGxx

Thomas Weißschuh <linux(a)weissschuh.net>
    ACPI: sysfs: validate return type of _STR method

Mikhail Lobanov <m.lobanov(a)rosalinux.ru>
    drbd: Add NULL check for net_conf to prevent dereference in state validation

Qiu-ji Chen <chenqiuji666(a)gmail.com>
    drbd: Fix atomicity violation in drbd_uuid_set_bm()

Pavan Kumar Paluri <papaluri(a)amd.com>
    crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure

Johan Hovold <johan+linaro(a)kernel.org>
    serial: qcom-geni: fix fifo polling timeout

Mathias Nyman <mathias.nyman(a)linux.intel.com>
    xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them.

Florian Fainelli <florian.fainelli(a)broadcom.com>
    tty: rp2: Fix reset with non forgiving PCIe host bridges

Jann Horn <jannh(a)google.com>
    firmware_loader: Block path traversal

Fabio Porcedda <fabio.porcedda(a)gmail.com>
    bus: mhi: host: pci_generic: Fix the name for the Telit FE990A

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    bus: integrator-lm: fix OF node leak in probe()

Tomas Marek <tomas.marek(a)elrest.cz>
    usb: dwc2: drd: fix clock gating on USB role switch

Pawel Laszczak <pawell(a)cadence.com>
    usb: cdnsp: Fix incorrect usb_request status

Oliver Neukum <oneukum(a)suse.com>
    USB: class: CDC-ACM: fix race between get_serial and set_serial

Oliver Neukum <oneukum(a)suse.com>
    USB: misc: cypress_cy7c63: check for short transfer

Oliver Neukum <oneukum(a)suse.com>
    USB: appledisplay: close race between probe and completion handler

Chen-Yu Tsai <wenst(a)chromium.org>
    arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled

Oliver Neukum <oneukum(a)suse.com>
    usbnet: fix cyclical race on disconnect with work queue

Bitterblue Smith <rtl8821cerfe2(a)gmail.com>
    wifi: rtw88: Fix USB/SDIO devices not transmitting beacons

Stefan Mätje <stefan.maetje(a)esd.eu>
    can: esd_usb: Remove CAN_CTRLMODE_3_SAMPLES for CAN-USB/3-FD

Finn Thain <fthain(a)linux-m68k.org>
    scsi: mac_scsi: Disallow bus errors during PDMA send

Finn Thain <fthain(a)linux-m68k.org>
    scsi: mac_scsi: Refactor polling loop

Finn Thain <fthain(a)linux-m68k.org>
    scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages

Manish Pandey <quic_mapa(a)quicinc.com>
    scsi: ufs: qcom: Update MODE_MAX cfg_bw value

Martin Wilck <mwilck(a)suse.com>
    scsi: sd: Fix off-by-one error in sd_read_block_characteristics()

Damien Le Moal <dlemoal(a)kernel.org>
    ata: libata-scsi: Fix ata_msense_control() CDL page reporting

Namjae Jeon <linkinjeon(a)kernel.org>
    ksmbd: handle caseless file creation

Namjae Jeon <linkinjeon(a)kernel.org>
    ksmbd: allow write with FILE_APPEND_DATA

Hobin Woo <hobin.woo(a)samsung.com>
    ksmbd: make __dir_empty() compatible with POSIX

Chuck Lever <chuck.lever(a)oracle.com>
    fs: Create a generic is_dot_dotdot() utility

Michael Ellerman <mpe(a)ellerman.id.au>
    powerpc/atomic: Use YZ constraints for DS-form instructions

Roman Smirnov <r.smirnov(a)omp.ru>
    KEYS: prevent NULL pointer dereference in find_asymmetric_key()

Mario Limonciello <mario.limonciello(a)amd.com>
    drm/amd/display: Validate backlight caps are sane

Robin Chen <robin.chen(a)amd.com>
    drm/amd/display: Round calculated vtotal

Leo Ma <hanghong.ma(a)amd.com>
    drm/amd/display: Add HDMI DSC native YCbCr422 support

Fangzhi Zuo <Jerry.Zuo(a)amd.com>
    drm/amd/display: Skip Recompute DSC Params if no Stream on Link

Sean Christopherson <seanjc(a)google.com>
    KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock

Sean Christopherson <seanjc(a)google.com>
    KVM: x86: Move x2APIC ICR helper above kvm_apic_write_nodecode()

Sean Christopherson <seanjc(a)google.com>
    KVM: x86: Enforce x2APIC's must-be-zero reserved ICR bits

Snehal Koukuntla <snehalreddy(a)google.com>
    KVM: arm64: Add memory length checks and remove inline in do_ffa_mem_xfer

Werner Sembach <wse(a)tuxedocomputers.com>
    Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line

Werner Sembach <wse(a)tuxedocomputers.com>
    Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table

Werner Sembach <wse(a)tuxedocomputers.com>
    Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table

Nuno Sa <nuno.sa(a)analog.com>
    Input: adp5588-keys - fix check on return code

Jason Gunthorpe <jgg(a)ziepe.ca>
    iommufd: Protect against overflow of ALIGN() during iova allocation

Roman Smirnov <r.smirnov(a)omp.ru>
    Revert "media: tuners: fix error return code of hybrid_tuner_request_state()"

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    soc: versatile: integrator: fix OF node leak in probe() error path

Herve Codina <herve.codina(a)bootlin.com>
    soc: fsl: cpm1: tsa: Fix tsa_write8()

Ma Ke <make24(a)iscas.ac.cn>
    ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error

Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
    Revert "soc: qcom: smd-rpm: Match rpmsg channel instead of compatible"

Sean Anderson <sean.anderson(a)linux.dev>
    PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler

Maciej W. Rozycki <macro(a)orcam.me.uk>
    PCI: Use an error code with PCIe failed link retraining

Maciej W. Rozycki <macro(a)orcam.me.uk>
    PCI: Correct error reporting with PCIe failed link retraining

Frank Li <Frank.Li(a)nxp.com>
    PCI: imx6: Fix missing call to phy_power_off() in error handling

Siddharth Vadapalli <s-vadapalli(a)ti.com>
    PCI: dra7xx: Fix threaded IRQ request for "dra7xx-pcie-main" IRQ

Maciej W. Rozycki <macro(a)orcam.me.uk>
    PCI: Clear the LBMS bit after a link retrain

Maciej W. Rozycki <macro(a)orcam.me.uk>
    PCI: Revert to the original speed after PCIe failed link retraining

Laurent Pinchart <laurent.pinchart(a)ideasonboard.com>
    Remove *.orig pattern from .gitignore

Felix Moessbauer <felix.moessbauer(a)siemens.com>
    io_uring/sqpoll: do not put cpumask on stack

Jens Axboe <axboe(a)kernel.dk>
    io_uring/sqpoll: retain test for whether the CPU is valid

Juergen Gross <jgross(a)suse.com>
    xen: allow mapping ACPI data using a different physical address

Juergen Gross <jgross(a)suse.com>
    xen: move checks for e820 conflicts further up

Duanqiang Wen <duanqiangwen(a)net-swift.com>
    Revert "net: libwx: fix alloc msix vectors failed"

Zack Rusin <zack.rusin(a)broadcom.com>
    drm/vmwgfx: Prevent unmapping active read buffers

Fangzhi Zuo <Jerry.Zuo(a)amd.com>
    drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination

Shu Han <ebpqwerty472123(a)gmail.com>
    mm: call the security_mmap_file() LSM hook in remap_file_pages()

Jens Axboe <axboe(a)kernel.dk>
    io_uring: check for presence of task_work rather than TIF_NOTIFY_SIGNAL

Felix Moessbauer <felix.moessbauer(a)siemens.com>
    io_uring/sqpoll: do not allow pinning outside of cpuset

Pablo Neira Ayuso <pablo(a)netfilter.org>
    netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path

Simon Horman <horms(a)kernel.org>
    netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS

Phil Sutter <phil(a)nwl.cc>
    netfilter: nf_tables: Keep deleted flowtable hooks until after RCU

Furong Xu <0x1207(a)gmail.com>
    net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled

Wenbo Li <liwenbo.martin(a)bytedance.com>
    virtio_net: Fix mismatched buf address when unmapping for small packets

Jiwon Kim <jiwonaid0(a)gmail.com>
    bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()

Youssef Samir <quic_yabdulra(a)quicinc.com>
    net: qrtr: Update packets cloning when broadcasting

Josh Hunt <johunt(a)akamai.com>
    tcp: check skb is non-NULL in tcp_rto_delta_us()

Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>
    net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL

Kaixin Wang <kxwang23(a)m.fudan.edu.cn>
    net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

Eric Dumazet <edumazet(a)google.com>
    netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

Sean Anderson <sean.anderson(a)linux.dev>
    net: xilinx: axienet: Fix packet counting

Sean Anderson <sean.anderson(a)linux.dev>
    net: xilinx: axienet: Schedule NAPI in two steps

Mikulas Patocka <mpatocka(a)redhat.com>
    Revert "dm: requeue IO if mapping table not yet available"

Dan Carpenter <alexander.sverdlin(a)gmail.com>
    ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()

Jason Wang <jasowang(a)redhat.com>
    vhost_vdpa: assign irq bypass producer token correctly

Yanfei Xu <yanfei.xu(a)intel.com>
    cxl/pci: Fix to record only non-zero ranges

Kees Cook <kees(a)kernel.org>
    interconnect: icc-clk: Add missed num_nodes initialization

Suzuki K Poulose <suzuki.poulose(a)arm.com>
    coresight: tmc: sg: Do not leak sg_table

Markus Schneider-Pargmann <msp(a)baylibre.com>
    serial: 8250: omap: Cleanup on error in request_irq

Jinjie Ruan <ruanjinjie(a)huawei.com>
    driver core: Fix a potential null-ptr-deref in module_add_driver()

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    dt-bindings: iio: asahi-kasei,ak8975: drop incorrect AK09116 compatible

Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
    iio: magnetometer: ak8975: drop incorrect AK09116 compatible

Biju Das <biju.das.jz(a)bp.renesas.com>
    iio: magnetometer: ak8975: Convert enum->pointer for data in the match tables

Vasileios Amoiridis <vassilisamir(a)gmail.com>
    iio: chemical: bme680: Fix read/write ops to device by adding mutexes

Antoniu Miclaus <antoniu.miclaus(a)analog.com>
    ABI: testing: fix admv8818 attr description

Zijun Hu <quic_zijuhu(a)quicinc.com>
    driver core: Fix error handling in driver API device_rename()

Guillaume Stols <gstols(a)baylibre.com>
    iio: adc: ad7606: fix standby gpio state to match the
documentation Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix oversampling gpio array Hannes Reinecke <hare(a)kernel.org> nvme-multipath: system fails to create generic nvme device Alexander Dahl <ada(a)thorsis.com> spi: atmel-quadspi: Avoid overwriting delay register settings Ming Lei <ming.lei(a)redhat.com> lib/sbitmap: define swap_lock as raw_spinlock_t Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time Jinjie Ruan <ruanjinjie(a)huawei.com> spi: atmel-quadspi: Undo runtime PM changes at driver exit time Chao Yu <chao(a)kernel.org> f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error() Chao Yu <chao(a)kernel.org> f2fs: get rid of online repaire on corrupted directory Chao Yu <chao(a)kernel.org> f2fs: clean up w/ dotdot_name Daeho Jeong <daehojeong(a)google.com> f2fs: prevent atomic file from being dirtied before commit Yeongjin Gil <youngjin.gil(a)samsung.com> f2fs: compress: don't redirty sparse cluster during {,de}compress Chao Yu <chao(a)kernel.org> f2fs: compress: do sanity check on cluster when CONFIG_F2FS_CHECK_FS is on Chao Yu <chao(a)kernel.org> f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() Chao Yu <chao(a)kernel.org> f2fs: support .shutdown in f2fs_sops Chao Yu <chao(a)kernel.org> f2fs: atomic: fix to truncate pagecache before on-disk metadata truncation Chao Yu <chao(a)kernel.org> f2fs: fix to wait page writeback before setting gcing flag Yeongjin Gil <youngjin.gil(a)samsung.com> f2fs: Create COW inode from parent dentry for atomic write Chao Yu <chao(a)kernel.org> f2fs: fix to avoid racing in between read and OPU dio write Chao Yu <chao(a)kernel.org> f2fs: reduce expensive checkpoint trigger frequency Chao Yu <chao(a)kernel.org> f2fs: atomic: fix to avoid racing w/ GC Danny Tsen <dtsen(a)linux.ibm.com> crypto: powerpc/p10-aes-gcm - Disable CRYPTO_AES_GCM_P10 Herbert Xu <herbert(a)gondor.apana.org.au> crypto: caam - Pad SG length when allocating hash edesc Li 
Lingfeng <lilingfeng3(a)huawei.com> nfsd: return -EINVAL when namelen is 0 Guoqing Jiang <guoqing.jiang(a)linux.dev> nfsd: call cache_put if xdr_reserve_space returns NULL Dave Jiang <dave.jiang(a)intel.com> ntb: Force physically contiguous allocation of rx ring buffers Max Hawking <maxahawking(a)sonnenkinder.org> ntb_perf: Fix printk format Jinjie Ruan <ruanjinjie(a)huawei.com> ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> RDMA/irdma: fix error message in irdma_modify_qp_roce() Mikhail Lobanov <m.lobanov(a)rosalinux.ru> RDMA/cxgb4: Added NULL check for lookup_atid Jinjie Ruan <ruanjinjie(a)huawei.com> riscv: Fix fp alignment bug in perf_callchain_user() Mark Bloch <mbloch(a)nvidia.com> RDMA/mlx5: Obtain upper net device only when needed Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix restricted __le16 degrades to integer issue Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Optimize hem allocation performance Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Don't modify rq next block addr in HIP09 QPC Jonas Blixt <jonas.blixt(a)actia.se> watchdog: imx_sc_wdt: Don't disable WDT in suspend Michael Guralnik <michaelgur(a)nvidia.com> RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache Cheng Xu <chengyou(a)linux.alibaba.com> RDMA/erdma: Return QP state in erdma_query_qp Alexandra Diupina <adiupina(a)astralinux.ru> PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() 
Patrisious Haddad <phaddad(a)nvidia.com> IB/core: Fix ib_cache_setup_one error flow cleanup Wang Jianzheng <wangjianzheng(a)vivo.com> pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function Jeff Layton <jlayton(a)kernel.org> nfsd: fix refcount leak when file is unhashed after being found Jeff Layton <jlayton(a)kernel.org> nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire Alexander Shiyan <eagle.alexander923(a)gmail.com> clk: rockchip: rk3588: Fix 32k clock name for pmu_24m_32k_100m_src_p Yuntao Liu <liuyuntao12(a)huawei.com> clk: starfive: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage David Lechner <dlechner(a)baylibre.com> clk: ti: dra7-atl: Fix leak of of_nodes Md Haris Iqbal <haris.iqbal(a)ionos.com> RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds Jack Wang <jinpu.wang(a)ionos.com> RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: Fix H264 stateless decoder smatch warning Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning Claudiu Beznea <claudiu.beznea(a)tuxon.dev> clk: at91: sama7g5: Allocate only the needed amount of memory for PLLs Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: single: fix missing error code in pcs_probe() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Biju Das <biju.das.jz(a)bp.renesas.com> media: platform: rzg2l-cru: rzg2l-csi2: Add missing MODULE_DEVICE_TABLE Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Clean up clock on probe failure/removal Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix register misspelling Li Zhijian <lizhijian(a)fujitsu.com> nvdimm: Fix devs leaks in scan_labels() Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> x86/PCI: 
Check pcie_find_root_port() return for NULL Javier Carrasco <javier.carrasco.cruz(a)gmail.com> leds: pca995x: Fix device child node usage in pca995x_probe() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> leds: pca995x: Use device_for_each_child_node() to access device child nodes Pieterjan Camerlynck <pieterjanca(a)gmail.com> leds: leds-pca995x: Add support for NXP PCA9956B Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use special function for Lucid 5LPE PLL Varadarajan Narayanan <quic_varada(a)quicinc.com> clk: qcom: ipq5332: Register gcc_qdss_tsctr_clk_src Dan Carpenter <dan.carpenter(a)linaro.org> PCI: keystone: Fix if-statement expression in ks_pcie_quirk() Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: core: correct range of block for case of switch statement Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Wait for Link before restoring Downstream Buses Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Input: ilitek_ts_i2c - add report id message validation Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> Input: ilitek_ts_i2c - avoid wrong input subsystem sync Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> pinctrl: ti: ti-iodelay: Fix some error handling paths Peng Fan <peng.fan(a)nxp.com> pinctrl: ti: iodelay: Use scope based of_node_put() cleanups Rob Herring <robh(a)kernel.org> pinctrl: Use device_get_match_data() Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> pinctrl: ti: ti-iodelay: Convert to platform remove callback returning void Javier Carrasco <javier.carrasco.cruz(a)gmail.com> leds: bd2606mvv: Fix device child node usage in bd2606mvv_probe() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8550: use rcg2_shared_ops for ESC RCGs Dmitry Baryshkov 
<dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8650: Update the GDSC flags Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8550: use rcg2_ops for mdss_dptx1_aux_clk_src Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8550: fix several supposed typos Jonas Karlman <jonas(a)kwiboo.se> clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Initialize workqueue earlier Peng Fan <peng.fan(a)nxp.com> remoteproc: imx_rproc: Correct ddr alias for i.MX8M Peng Fan <peng.fan(a)nxp.com> clk: imx: imx8qxp: Parent should be initialized earlier than the clock Peng Fan <peng.fan(a)nxp.com> clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk Zhipeng Wang <zhipeng.wang_1(a)nxp.com> clk: imx: imx8mp: fix clock tree update of TF-A managed clocks Pengfei Li <pengfei.li_1(a)nxp.com> clk: imx: fracn-gppll: fix fractional part of PLL getting lost Ye Li <ye.li(a)nxp.com> clk: imx: composite-7ulp: Check the PCC present bit Jacky Bai <ping.bai(a)nxp.com> clk: imx: composite-93: keep root clock on when mcore enabled Peng Fan <peng.fan(a)nxp.com> clk: imx: composite-8m: Enable gate clk with mcore_booted Markus Elfring <elfring(a)users.sourceforge.net> clk: imx: composite-8m: Less function calls in __imx8m_clk_hw_composite() after error detection Sebastien Laveze <slaveze(a)smartandconnective.com> clk: imx: imx6ul: fix default parent for enet*_ref_sel Shengjiu Wang <shengjiu.wang(a)nxp.com> clk: imx: clk-audiomix: Correct parent clock for earc_phy and audpll Ian Rogers <irogers(a)google.com> perf time-utils: Fix 32-bit nsec parsing Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yicong Yang <yangyicong(a)hisilicon.com> perf stat: Display iostat headers correctly Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fix missing free of session in perf_sched__timehist() Kan Liang 
<kan.liang(a)linux.intel.com> perf report: Fix --total-cycles --stdio output error Namhyung Kim <namhyung(a)kernel.org> perf ui/browser/annotate: Use global annotation_options Namhyung Kim <namhyung(a)kernel.org> perf annotate: Move some source code related fields from 'struct annotation' to 'struct annotated_source' Namhyung Kim <namhyung(a)kernel.org> perf annotate: Split branch stack cycles info from 'struct annotation' Ian Rogers <irogers(a)google.com> perf inject: Fix leader sampling inserting additional samples Ian Rogers <irogers(a)google.com> perf callchain: Fix stitch LBR memory leaks Namhyung Kim <namhyung(a)kernel.org> perf mem: Free the allocated sort string, fixing a leak Daniel Borkmann <daniel(a)iogearbox.net> bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error Daniel Borkmann <daniel(a)iogearbox.net> bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix helper writes to read-only maps Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential oob read in nilfs_btree_check_delete() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: determine empty node blocks as corrupted Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Yujie Liu <yujie.liu(a)intel.com> sched/numa: Fix the vma scan starving issue Mel Gorman <mgorman(a)techsingularity.net> sched/numa: Complete scanning of inactive VMAs when there is no alternative Mel Gorman <mgorman(a)techsingularity.net> sched/numa: Complete scanning of partial VMAs regardless of PID activity Raghavendra K T <raghavendra.kt(a)amd.com> sched/numa: Move up the access pid reset logic Mel Gorman <mgorman(a)techsingularity.net> sched/numa: Trace decisions related to skipping VMAs Mel Gorman <mgorman(a)techsingularity.net> sched/numa: Rename vma_numab_state::access_pids[] => ::pids_active[], 
::next_pid_reset => ::pids_active_reset Mel Gorman <mgorman(a)techsingularity.net> sched/numa: Document vma_numab_state fields Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: check stripe size compatibility on remount as well Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: avoid OOB when system.data xattr changes underneath the filesystem Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: return error on ext4_find_inline_entry Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid negative min_clusters in find_group_orlov() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid potential buffer_head leak in __ext4_new_inode() Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid buffer_head leak in ext4_mark_inode_used() Jiawei Ye <jiawei.ye(a)foxmail.com> smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso yangerkun <yangerkun(a)huawei.com> ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard Chen Yu <yu.c.chen(a)intel.com> kthread: fix task state in kthread worker if being frozen Lasse Collin <lasse.collin(a)tukaani.org> xz: cleanup CRC32 edits from 2018 Eduard Zingerman <eddyz87(a)gmail.com> bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos Jiangshan Yi <yijiangshan(a)kylinos.cn> samples/bpf: Fix compilation errors with cf-protection option Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling tc_redirect.c with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compile if backtrace support missing in libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix redefinition errors compiling lwt_reroute.c Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix flaky selftest lwt_redirect/lwt_reroute Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix C++ compile error from missing _Bool type Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling test_lru_map.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: 
Fix arg parsing in veristat, test_progs David Vernet <void(a)manifault.com> libbpf: Don't take direct pointers into BTF data from st_ops Eduard Zingerman <eddyz87(a)gmail.com> libbpf: Sync progs autoload with maps autocreate for struct_ops maps Kui-Feng Lee <thinker.li(a)gmail.com> libbpf: Convert st_ops->data to shadow type. Kui-Feng Lee <thinker.li(a)gmail.com> libbpf: Find correct module BTFs for struct_ops maps and progs. Andrii Nakryiko <andrii(a)kernel.org> libbpf: use stable map placeholder FDs Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix errors compiling decap_sanity.c with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix errors compiling lwt_redirect.c with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling core_reloc.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling tcp_rtt.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling flow_dissector.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling kfree_skb.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling parse_tcp_hdr_opt.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix include of <sys/fcntl.h> Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Refactor out some functions in ns_current_pid_tgid test Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Replace CHECK with ASSERT_* in ns_current_pid_tgid test Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix missing BUILD_BUG_ON() declaration Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix missing UINT_MAX definitions in benchmarks Tony Ambardar 
<tony.ambardar(a)gmail.com> selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Drop unneeded error.h includes Tushar Vyavahare <tushar.vyavahare(a)intel.com> selftests/bpf: Implement get_hw_ring_size function to retrieve current and max interface size Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Use pid_t consistently in test_progs.c Tony Ambardar <tony.ambardar(a)gmail.com> tools/runqslower: Fix LDFLAGS and add LDLIBS support Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix wrong binary in Makefile log output Cupertino Miranda <cupertino.miranda(a)oracle.com> selftests/bpf: Add CFLAGS per source file and runner Jose E. Marchesi <jose.marchesi(a)oracle.com> bpf: Temporarily define BPF_NO_PRESEVE_ACCESS_INDEX for GCC Jose E. Marchesi <jose.marchesi(a)oracle.com> bpf: Disable some `attribute ignored' warnings in GCC Jose E. Marchesi <jose.marchesi(a)oracle.com> bpf: Use -Wno-error in certain tests when building with GCC Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error linking uprobe_multi on mips Alexei Starovoitov <ast(a)kernel.org> selftests/bpf: Workaround strict bpf_lsm return value check. 
Tianchen Ding <dtcccc(a)linux.alibaba.com> sched/fair: Make SCHED_IDLE entity be preempted in strict hierarchy Jonathan McDowell <noodles(a)meta.com> tpm: Clean up TPM space after command failure Juergen Gross <jgross(a)suse.com> xen/swiotlb: fix allocated size Juergen Gross <jgross(a)suse.com> xen/swiotlb: add alignment check for dma buffers Juergen Gross <jgross(a)suse.com> xen: tolerate ACPI NVS memory overlapping with Xen allocated memory Juergen Gross <jgross(a)suse.com> xen: add capability to remap non-RAM pages to different PFNs Juergen Gross <jgross(a)suse.com> xen: move max_pfn in xen_memory_setup() out of function scope Juergen Gross <jgross(a)suse.com> xen: introduce generic helper checking for memory map conflicts Linus Torvalds <torvalds(a)linux-foundation.org> minmax: avoid overly complex min()/max() macro arguments in xen Niklas Cassel <cassel(a)kernel.org> ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Do not warn about dropped packets for first packet Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Support sequence numbers smaller than 16-bit Juergen Gross <jgross(a)suse.com> xen: use correct end address of kernel for conflict checking Yuesong Li <liyuesong(a)vivo.com> drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() Sherry Yang <sherry.yang(a)oracle.com> drm/msm: fix %s null argument error Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dsi: correct programming sequence for SM8350 / SM8450 Wolfram Sang <wsa+renesas(a)sang-engineering.com> ipmi: docs: don't advertise deprecated sysfs entries Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: workaround early ring-buffer emptiness check Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: fix races in preemption evaluation stage Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: properly clear preemption records on resume Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: 
disable preemption in submits by default Aleksandr Mishin <amishin(a)t-argos.ru> drm/msm: Fix incorrect file name output in adreno_request_fw() Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Inconditionally use CFUNC macro Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix kernel vs user address comparison Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix initial memory mapping Fei Shao <fshao(a)chromium.org> drm/mediatek: Use spin_lock_irqsave() for CRTC event lock Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix missing configuration flags in mtk_crtc_ddp_config() Jeongjun Park <aha310510(a)gmail.com> jfs: fix out-of-bounds in dbNextAG() and diAlloc() Dan Carpenter <dan.carpenter(a)linaro.org> scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() Stefan Wahren <wahrenst(a)gmx.net> drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get Liu Ying <victor.liu(a)nxp.com> drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets Jonas Karlman <jonas(a)kwiboo.se> drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode Alex Bee <knaerzche(a)gmail.com> drm/rockchip: vop: Allow 4096px width scaling WangYuli <wangyuli(a)uniontech.com> drm/amd/amdgpu: Properly tune the size of struct Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Check for phase match during PDMA fixup Gilbert Wu <Gilbert.Wu(a)microchip.com> scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: properly handle vbios fake edid sizing Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: properly handle vbios fake edid sizing Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func Claudiu Beznea 
<claudiu.beznea(a)microchip.com> drm/stm: ltdc: check memory returned by devm_kzalloc() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/stm: Fix an error handling path in stm_drm_platform_probe() Geert Uytterhoeven <geert+renesas(a)glider.be> pmdomain: core: Harden inter-column space in debug summary Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660 Konrad Dybcio <konrad.dybcio(a)linaro.org> iommu/arm-smmu-qcom: Work around SDM845 Adreno SMMU w/ 16K pages Marc Gonzalez <mgonzalez(a)freebox.fr> iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: mtk: Fix init error path Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: mtk: Factorize out the logic cleaning mtk chips Jinjie Ruan <ruanjinjie(a)huawei.com> mtd: rawnand: mtk: Use for_each_child_of_node_scoped() Frederic Weisbecker <frederic(a)kernel.org> rcu/nocb: Fix RT throttling hrtimer armed from offline CPU Charles Han <hanchunchao(a)inspur.com> mtd: powernv: Add check devm_kasprintf() returned value Jason Gunthorpe <jgg(a)ziepe.ca> iommu/amd: Do not set the D bit on AMD v2 table entries Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() Artur Weber <aweber.kernel(a)gmail.com> power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Chris Morgan <macromorgan(a)hotmail.com> power: supply: axp20x_battery: Remove design from min and max voltage Yuntao Liu <liuyuntao12(a)huawei.com> hwmon: (ntc_thermistor) fix module autoloading Mirsad Todorovac <mtodorovac69(a)gmail.com> mtd: slram: insert break after errors in parsing the map Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix alarm attributes Andrew Davis <afd(a)ti.com> hwmon: (max16065) Remove use of i2c_match_id() Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix overflows seen when writing limits tangbin 
<tangbin(a)cmss.chinamobile.com> ASoC: loongson: fix error release Finn Thain <fthain(a)linux-m68k.org> m68k: Fix kernel_clone_args.flags in m68k_clone() Yuntao Liu <liuyuntao12(a)huawei.com> ALSA: hda: cs35l41: fix module autoloading Masami Hiramatsu (Google) <mhiramat(a)kernel.org> selftests/ftrace: Add required dependency for kprobe tests Linus Walleij <linus.walleij(a)linaro.org> ASoC: tas2781-i2c: Get the right GPIO line Linus Walleij <linus.walleij(a)linaro.org> ASoC: tas2781-i2c: Drop weird GPIO code Rob Herring (Arm) <robh(a)kernel.org> ASoC: tas2781: Use of_property_read_reg() Gergo Koteles <soyer(a)irl.hu> ASoC: tas2781: remove unused acpi_subysystem_id Ma Ke <make24(a)iscas.ac.cn> ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the error Yosry Ahmed <yosryahmed(a)google.com> x86/mm: Use IPIs to synchronize LAM enablement Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8195: Correct clock order for dp_intf* Ankit Agrawal <agrawal.ag.ankit(a)gmail.com> clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: k210: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: berlin: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: versatile: fix OF node leak in CPUs prepare Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property Claudiu Beznea <claudiu.beznea(a)tuxon.dev> ARM: dts: microchip: sama7g5: Fix RTT clock Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcmbca-hsspi: Fix missing pm_runtime_disable() Andrew Davis <afd(a)ti.com> arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x carveout locations Andrew Davis <afd(a)ti.com> arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations Jonas Karlman <jonas(a)kwiboo.se> arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1 
Alexander Dahl <ada(a)thorsis.com> ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g054: Correct GICD and GICR sizes Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> arm64: dts: renesas: r9a07g043u: Correct GICD and GICR sizes Chen-Yu Tsai <wenst(a)chromium.org> regulator: Return actual error in of_regulator_bulk_get_all() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Fix double free in OPTEE transport AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt8186: Fix supported-hw mask for GPU OPPs David Virag <virag.david003(a)gmail.com> arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB Ma Ke <make24(a)iscas.ac.cn> spi: ppc4xx: handle irq_of_parse_and_map() errors Riyan Dhiman <riyandhiman14(a)gmail.com> block: fix potential invalid pointer dereference in blk_add_partition Christian Heusel <christian(a)heusel.eu> block: print symbolic error name instead of error code Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/io-wq: inherit cpuset of cgroup in io worker Felix Moessbauer <felix.moessbauer(a)siemens.com> io_uring/io-wq: do not allow pinning outside of cpuset Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix procress reference leakage for bfqq in merge chain Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix uaf for accessing waker_bfqq after splitting Gao Xiang <xiang(a)kernel.org> erofs: fix incorrect symlink detection in fast symlink David Howells <dhowells(a)redhat.com> cachefiles: Fix non-taking of sb_writers around set/removexattr Yu Kuai <yukuai3(a)huawei.com> block, bfq: don't break merge chain in bfq_split_bfqq() Yu Kuai <yukuai3(a)huawei.com> block, 
bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix possible UAF for bfqq->bic with merge chain Ming Lei <ming.lei(a)redhat.com> nbd: fix race between timeout and normal completion Ming Lei <ming.lei(a)redhat.com> ublk: move zone report data out of request pdu Eric Dumazet <edumazet(a)google.com> ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Su Hui <suhui(a)nfschina.com> net: tipc: avoid possible garbage value Justin Iurman <justin.iurman(a)uliege.be> net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input Heiner Kallweit <hkallweit1(a)gmail.com> r8169: disable ALDPS per default for RTL8125 Jinjie Ruan <ruanjinjie(a)huawei.com> net: enetc: Use IRQF_NO_AUTOEN flag in request_irq() Guillaume Nault <gnault(a)redhat.com> bareudp: Pull inner IP header on xmit. Guillaume Nault <gnault(a)redhat.com> bareudp: Pull inner IP header in bareudp_udp_encap_recv(). Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix not handling ZPL/short-transfer Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_close(): stop clocks after device has been shut down Jake Hamby <Jake.Hamby(a)Teledyne.com> can: m_can: enable NAPI before enabling interrupts Kuniyuki Iwashima <kuniyu(a)amazon.com> can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). 
Eric Dumazet <edumazet(a)google.com> sock_map: Add a cond_resched() in sock_hash_free() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED Jiawei Ye <jiawei.ye(a)foxmail.com> wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param Dmitry Antipov <dmantipov(a)yandex.ru> wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7996: fix uninitialized TLV data Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7996: ensure 4-byte alignment for beacon commands Howard Hsu <howard-yh.hsu(a)mediatek.com> wifi: mt76: mt7915: fix rx filter setting for bfee functionality Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7603: fix mixed declarations and code Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - inject error before stopping queue Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - reset device before enabling it Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/hpre - mask cluster timeout error John B. 
Wyatt IV <jwyatt(a)redhat.com> pm:cpupower: Add missing powercap_set_enabled() stub function Aaron Lu <aaron.lu(a)intel.com> x86/sgx: Fix deadlock in SGX NUMA node search Howard Hsu <howard-yh.hsu(a)mediatek.com> wifi: mt76: mt7996: fix EHT beamforming capability check Howard Hsu <howard-yh.hsu(a)mediatek.com> wifi: mt76: mt7996: fix HE and EHT beamforming capabilities Peter Chiu <chui-hao.chiu(a)mediatek.com> wifi: mt76: mt7996: fix wmm set of station interface to 3 Peter Chiu <chui-hao.chiu(a)mediatek.com> wifi: mt76: mt7996: fix traffic delay when switching back to working channel Peter Chiu <chui-hao.chiu(a)mediatek.com> wifi: mt76: mt7996: use hweight16 to get correct tx antenna Bjørn Mork <bjorn(a)mork.no> wifi: mt76: mt7915: fix oops on non-dbdc mt7986 Nishanth Menon <nm(a)ti.com> cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Ensure dtm_idx is big enough Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Fix CCLA register offset Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Refactor node ID handling. Again. 
Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Improve debugfs pretty-printing for large configs Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Rework DTC counters (again) Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: remove annotation to access set timeout while holding lock Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject expiration higher than timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject element expiration with no timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire Clément Léger <cleger(a)rivosinc.com> ACPI: CPPC: Fix MASK_VAL() usage Zhang Changzhong <zhangchangzhong(a)huawei.com> can: j1939: use correct function name in comment Mark Brown <broonie(a)kernel.org> kselftest/arm64: Actually test SME vector length changes via sigreturn Yicong Yang <yangyicong(a)hisilicon.com> drivers/perf: hisi_pcie: Fix TLP headers bandwidth counting Yicong Yang <yangyicong(a)hisilicon.com> drivers/perf: hisi_pcie: Record hardware counts correctly Kamlesh Gurudasani <kamlesh(a)ti.com> padata: Honor the caller's alignment in case of chunk_size 0 Avraham Stern <avraham.stern(a)intel.com> wifi: iwlwifi: mvm: increase the time between ranging measurements Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: config: label 'gl' devices as discrete Golan Ben Ami <golan.ben.ami(a)intel.com> wifi: iwlwifi: remove AX101, AX201 and AX203 support from LNL Ping-Ke Shih <pkshih(a)realtek.com> wifi: mac80211: don't use rate mask for offchannel TX either Jing Zhang <renyu.zj(a)linux.alibaba.com> drivers/perf: Fix ali_drw_pmu driver interrupt status clearing Andre Przywara <andre.przywara(a)arm.com> kselftest/arm64: signal: fix/refactor SVE vector length enumeration Dan Carpenter <dan.carpenter(a)linaro.org> powercap: intel_rapl: Fix off by one in get_rpi() Calvin Owens <calvin(a)wbinvd.org> ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr 
macros Olaf Hering <olaf(a)aepfle.de> mount: handle OOM on mnt_warn_timestamp_expiry Atish Patra <atishp(a)rivosinc.com> RISC-V: KVM: Fix to allow hpmcounter31 from the guest Atish Patra <atishp(a)rivosinc.com> RISC-V: KVM: Allow legacy PMU access from guest Andrew Jones <ajones(a)ventanamicro.com> RISC-V: KVM: Fix sbiret init before forwarding to userspace Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: rtw88: remove CPT execution branch never used Dave Martin <Dave.Martin(a)arm.com> arm64: signal: Fix some under-bracketed UAPI macros Yanteng Si <siyanteng(a)loongson.cn> net: stmmac: dwmac-loongson: Init ref and PTP clocks rate Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath12k: fix invalid AMPDU factor calculation in ath12k_peer_assoc_h_he() P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: match WMI BSS chan info structure with firmware definition P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: fix BSS chan info request WMI command Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k: Remove error checks when creating debugfs entries Arend van Spriel <arend.vanspriel(a)broadcom.com> wifi: brcmfmac: introducing fwil query functions Arend van Spriel <arend.vanspriel(a)broadcom.com> wifi: brcmfmac: export firmware interface functions Aleksandr Mishin <amishin(a)t-argos.ru> ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() Helge Deller <deller(a)kernel.org> crypto: xor - fix template benchmarking Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: always wait for both firmware loading attempts Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> EDAC/synopsys: Fix error injection on Zynq UltraScale+ Serge Semin <fancer.lancer(a)gmail.com> EDAC/synopsys: Fix ECC status and IRQ control race condition ------------- Diffstat: .gitignore | 1 - .../ABI/testing/sysfs-bus-iio-filter-admv8818 | 2 +- Documentation/arch/arm64/silicon-errata.rst | 2 + .../iio/magnetometer/asahi-kasei,ak8975.yaml | 1 - .../devicetree/bindings/spi/spi-nxp-fspi.yaml 
| 19 +- Documentation/driver-api/ipmi.rst | 2 +- Documentation/virt/kvm/locking.rst | 33 +- Makefile | 4 +- arch/arm/boot/dts/microchip/sam9x60.dtsi | 4 +- arch/arm/boot/dts/microchip/sama7g5.dtsi | 2 +- arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts | 2 +- arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts | 2 +- arch/arm/mach-ep93xx/clock.c | 2 +- arch/arm/mach-versatile/platsmp-realview.c | 1 + arch/arm/vfp/vfpinstr.h | 44 +- arch/arm64/Kconfig | 2 +- .../boot/dts/exynos/exynos7885-jackpotlte.dts | 2 +- arch/arm64/boot/dts/mediatek/mt8186.dtsi | 12 +- arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 12 +- arch/arm64/boot/dts/qcom/sa8775p.dtsi | 2 + arch/arm64/boot/dts/renesas/r9a07g043u.dtsi | 4 +- arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 4 +- arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 4 +- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 4 +- arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 +- arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts | 4 +- arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 4 +- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/esr.h | 88 +-- arch/arm64/include/uapi/asm/sigcontext.h | 6 +- arch/arm64/kernel/cpu_errata.c | 10 +- arch/arm64/kvm/hyp/nvhe/ffa.c | 21 +- arch/m68k/kernel/process.c | 2 +- arch/powerpc/crypto/Kconfig | 1 + arch/powerpc/include/asm/asm-compat.h | 6 + arch/powerpc/include/asm/atomic.h | 5 +- arch/powerpc/include/asm/uaccess.h | 7 +- arch/powerpc/kernel/head_8xx.S | 6 +- arch/powerpc/kernel/vdso/gettimeofday.S | 4 - arch/powerpc/mm/nohash/8xx.c | 4 +- arch/riscv/include/asm/kvm_vcpu_pmu.h | 21 +- arch/riscv/kernel/perf_callchain.c | 2 +- arch/riscv/kvm/vcpu_sbi.c | 4 +- arch/x86/coco/tdx/tdx.c | 6 + arch/x86/events/intel/pt.c | 15 +- arch/x86/include/asm/acpi.h | 8 + arch/x86/include/asm/hardirq.h | 8 +- arch/x86/include/asm/idtentry.h | 73 +- arch/x86/kernel/acpi/boot.c | 11 + arch/x86/kernel/cpu/sgx/main.c | 27 +- arch/x86/kernel/jailhouse.c | 1 + 
arch/x86/kernel/mmconf-fam10h_64.c | 1 + arch/x86/kernel/process_64.c | 29 +- arch/x86/kernel/smpboot.c | 1 + arch/x86/kernel/x86_init.c | 1 + arch/x86/kvm/lapic.c | 35 +- arch/x86/mm/tlb.c | 7 +- arch/x86/pci/fixup.c | 4 +- arch/x86/xen/mmu_pv.c | 5 +- arch/x86/xen/p2m.c | 98 +++ arch/x86/xen/setup.c | 203 ++++-- arch/x86/xen/xen-ops.h | 6 +- block/bfq-iosched.c | 81 +- block/partitions/core.c | 8 +- crypto/asymmetric_keys/asymmetric_type.c | 7 +- crypto/xor.c | 31 +- drivers/acpi/cppc_acpi.c | 43 +- drivers/acpi/device_sysfs.c | 5 +- drivers/acpi/pmic/tps68470_pmic.c | 6 +- drivers/acpi/resource.c | 6 + drivers/ata/libata-eh.c | 8 + drivers/ata/libata-scsi.c | 5 +- drivers/base/core.c | 15 +- drivers/base/firmware_loader/main.c | 30 + drivers/base/module.c | 14 +- drivers/base/power/domain.c | 2 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_state.c | 2 +- drivers/block/nbd.c | 13 +- drivers/block/ublk_drv.c | 62 +- drivers/bluetooth/btusb.c | 5 +- drivers/bus/arm-integrator-lm.c | 1 + drivers/bus/mhi/host/pci_generic.c | 13 +- drivers/char/hw_random/bcm2835-rng.c | 4 +- drivers/char/hw_random/cctrng.c | 1 + drivers/char/hw_random/mtk-rng.c | 2 +- drivers/char/tpm/tpm-dev-common.c | 2 + drivers/char/tpm/tpm2-space.c | 3 + drivers/clk/at91/sama7g5.c | 5 +- drivers/clk/imx/clk-composite-7ulp.c | 7 + drivers/clk/imx/clk-composite-8m.c | 61 +- drivers/clk/imx/clk-composite-93.c | 15 +- drivers/clk/imx/clk-fracn-gppll.c | 4 + drivers/clk/imx/clk-imx6ul.c | 4 +- drivers/clk/imx/clk-imx8mp-audiomix.c | 13 +- drivers/clk/imx/clk-imx8mp.c | 4 +- drivers/clk/imx/clk-imx8qxp.c | 10 +- drivers/clk/qcom/clk-alpha-pll.c | 52 ++ drivers/clk/qcom/clk-alpha-pll.h | 2 + drivers/clk/qcom/dispcc-sm8250.c | 9 +- drivers/clk/qcom/dispcc-sm8550.c | 14 +- drivers/clk/qcom/gcc-ipq5332.c | 1 + drivers/clk/rockchip/clk-rk3228.c | 2 +- drivers/clk/rockchip/clk-rk3588.c | 2 +- drivers/clk/starfive/clk-starfive-jh7110-vout.c | 2 +- drivers/clk/ti/clk-dra7-atl.c | 1 + 
drivers/clocksource/timer-qcom.c | 7 +- drivers/cpufreq/ti-cpufreq.c | 10 +- drivers/cpuidle/cpuidle-riscv-sbi.c | 21 +- drivers/crypto/caam/caamhash.c | 1 + drivers/crypto/ccp/sev-dev.c | 2 + drivers/crypto/hisilicon/hpre/hpre_main.c | 54 +- drivers/crypto/hisilicon/qm.c | 151 ++-- drivers/crypto/hisilicon/sec2/sec_main.c | 16 +- drivers/crypto/hisilicon/zip/zip_main.c | 23 +- drivers/cxl/core/pci.c | 8 +- drivers/edac/igen6_edac.c | 2 +- drivers/edac/synopsys_edac.c | 85 ++- drivers/firewire/core-cdev.c | 2 +- drivers/firmware/arm_scmi/optee.c | 7 + drivers/firmware/efi/libstub/tpm.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h | 4 +- drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 29 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 9 +- drivers/gpu/drm/amd/display/dc/dc_dsc.h | 3 +- drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 6 +- drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 5 +- .../drm/amd/display/modules/freesync/freesync.c | 2 +- drivers/gpu/drm/bridge/lontium-lt8912b.c | 35 +- drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 32 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 12 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 2 + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 30 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 12 +- drivers/gpu/drm/radeon/evergreen_cs.c | 62 +- drivers/gpu/drm/radeon/radeon_atombios.c | 29 +- drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 +- drivers/gpu/drm/stm/drv.c | 4 +- drivers/gpu/drm/stm/ltdc.c | 2 + drivers/gpu/drm/vc4/vc4_hdmi.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 13 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 + drivers/hid/wacom_wac.c | 13 +- drivers/hid/wacom_wac.h | 2 +- drivers/hwmon/max16065.c | 27 +- drivers/hwmon/ntc_thermistor.c | 1 + 
drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- drivers/i2c/busses/i2c-aspeed.c | 16 +- drivers/i2c/busses/i2c-isch.c | 3 +- drivers/iio/adc/ad7606.c | 8 +- drivers/iio/adc/ad7606_spi.c | 5 +- drivers/iio/chemical/bme680_core.c | 7 + drivers/iio/magnetometer/ak8975.c | 85 +-- drivers/infiniband/core/cache.c | 4 +- drivers/infiniband/core/iwcm.c | 2 +- drivers/infiniband/hw/cxgb4/cm.c | 5 + drivers/infiniband/hw/erdma/erdma_verbs.c | 25 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 22 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 33 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 16 +- drivers/infiniband/hw/irdma/verbs.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 2 +- drivers/infiniband/hw/mlx5/mr.c | 14 +- drivers/infiniband/ulp/rtrs/rtrs-clt.c | 9 +- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 1 + drivers/input/keyboard/adp5588-keys.c | 2 +- drivers/input/serio/i8042-acpipnpio.h | 37 + drivers/input/touchscreen/ilitek_ts_i2c.c | 18 +- drivers/interconnect/icc-clk.c | 3 +- drivers/iommu/amd/io_pgtable_v2.c | 2 +- drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 28 + drivers/iommu/iommufd/io_pagetable.c | 8 + drivers/leds/leds-bd2606mvv.c | 23 +- drivers/leds/leds-pca995x.c | 78 +- drivers/md/dm-rq.c | 4 +- drivers/md/dm-verity-target.c | 23 +- drivers/md/dm.c | 11 +- drivers/media/dvb-frontends/rtl2830.c | 2 +- drivers/media/dvb-frontends/rtl2832.c | 2 +- .../vcodec/decoder/vdec/vdec_h264_req_if.c | 9 +- .../vcodec/decoder/vdec/vdec_h264_req_multi_if.c | 9 +- .../mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c | 10 +- .../media/platform/renesas/rzg2l-cru/rzg2l-csi2.c | 1 + drivers/media/tuners/tuner-i2c.h | 4 +- drivers/mtd/devices/powernv_flash.c | 3 + drivers/mtd/devices/slram.c | 2 + drivers/mtd/nand/raw/mtk_nand.c | 36 +- drivers/net/bareudp.c | 26 +- drivers/net/bonding/bond_main.c | 6 +- drivers/net/can/m_can/m_can.c | 14 +- drivers/net/can/usb/esd_usb.c | 6 +- drivers/net/ethernet/freescale/enetc/enetc.c | 3 +- drivers/net/ethernet/realtek/r8169_phy_config.c | 
2 + drivers/net/ethernet/seeq/ether3.c | 2 + .../net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 2 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 37 +- drivers/net/usb/usbnet.c | 37 +- drivers/net/virtio_net.c | 10 +- drivers/net/wireless/ath/ath12k/mac.c | 5 +- drivers/net/wireless/ath/ath12k/wmi.c | 1 + drivers/net/wireless/ath/ath12k/wmi.h | 3 +- drivers/net/wireless/ath/ath9k/debug.c | 2 - drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 - .../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 2 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 26 +- .../wireless/broadcom/brcm80211/brcmfmac/fwil.c | 115 +-- .../wireless/broadcom/brcm80211/brcmfmac/fwil.h | 145 +++- drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 11 + drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1 + drivers/net/wireless/intel/iwlwifi/mvm/constants.h | 2 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 36 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7603/dma.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7615/init.c | 3 + drivers/net/wireless/mediatek/mt76/mt7915/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7921/init.c | 2 + drivers/net/wireless/mediatek/mt76/mt7996/init.c | 65 +- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 6 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 23 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 4 +- drivers/net/wireless/microchip/wilc1000/hif.c | 4 +- drivers/net/wireless/realtek/rtw88/coex.c | 38 +- drivers/net/wireless/realtek/rtw88/fw.c | 13 +- drivers/net/wireless/realtek/rtw88/main.c | 7 +- drivers/net/wireless/realtek/rtw88/rtw8821cu.c | 2 - drivers/net/wireless/realtek/rtw88/rtw8822c.c | 12 +- drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- drivers/ntb/ntb_transport.c | 23 +- drivers/ntb/test/ntb_perf.c | 2 +- 
drivers/nvdimm/namespace_devs.c | 34 +- drivers/nvme/host/multipath.c | 2 +- drivers/pci/controller/dwc/pci-dra7xx.c | 3 +- drivers/pci/controller/dwc/pci-imx6.c | 7 +- drivers/pci/controller/dwc/pci-keystone.c | 2 +- drivers/pci/controller/dwc/pcie-kirin.c | 4 +- drivers/pci/controller/pcie-xilinx-nwl.c | 39 +- drivers/pci/pci.c | 20 +- drivers/pci/pci.h | 6 +- drivers/pci/quirks.c | 31 +- drivers/perf/alibaba_uncore_drw_pmu.c | 2 +- drivers/perf/arm-cmn.c | 242 +++--- drivers/perf/hisilicon/hisi_pcie_pmu.c | 16 +- drivers/pinctrl/bcm/pinctrl-ns.c | 8 +- drivers/pinctrl/berlin/berlin-bg2.c | 8 +- drivers/pinctrl/berlin/berlin-bg2cd.c | 8 +- drivers/pinctrl/berlin/berlin-bg2q.c | 8 +- drivers/pinctrl/berlin/berlin-bg4ct.c | 9 +- drivers/pinctrl/berlin/pinctrl-as370.c | 9 +- drivers/pinctrl/mvebu/pinctrl-armada-38x.c | 9 +- drivers/pinctrl/mvebu/pinctrl-armada-39x.c | 9 +- drivers/pinctrl/mvebu/pinctrl-armada-ap806.c | 5 +- drivers/pinctrl/mvebu/pinctrl-armada-cp110.c | 6 +- drivers/pinctrl/mvebu/pinctrl-armada-xp.c | 9 +- drivers/pinctrl/mvebu/pinctrl-dove.c | 48 +- drivers/pinctrl/mvebu/pinctrl-kirkwood.c | 7 +- drivers/pinctrl/mvebu/pinctrl-orion.c | 7 +- drivers/pinctrl/nomadik/pinctrl-abx500.c | 9 +- drivers/pinctrl/nomadik/pinctrl-nomadik.c | 10 +- drivers/pinctrl/pinctrl-at91.c | 11 +- drivers/pinctrl/pinctrl-single.c | 3 +- drivers/pinctrl/pinctrl-xway.c | 11 +- drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 113 ++- drivers/power/supply/axp20x_battery.c | 16 +- drivers/power/supply/max17042_battery.c | 5 +- drivers/powercap/intel_rapl_common.c | 2 +- drivers/pps/clients/pps_parport.c | 14 +- drivers/regulator/of_regulator.c | 2 +- drivers/remoteproc/imx_rproc.c | 6 +- drivers/reset/reset-berlin.c | 3 +- drivers/reset/reset-k210.c | 3 +- drivers/scsi/NCR5380.c | 78 +- drivers/scsi/elx/libefc/efc_nport.c | 2 +- drivers/scsi/mac_scsi.c | 166 ++--- drivers/scsi/sd.c | 2 +- drivers/scsi/smartpqi/smartpqi_init.c | 20 +- drivers/soc/fsl/qe/tsa.c | 2 +- 
drivers/soc/qcom/smd-rpm.c | 35 +- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 +- drivers/spi/atmel-quadspi.c | 15 +- drivers/spi/spi-bcmbca-hsspi.c | 8 +- drivers/spi/spi-fsl-lpspi.c | 1 + drivers/spi/spi-nxp-fspi.c | 54 +- drivers/spi/spi-ppc4xx.c | 7 +- drivers/thunderbolt/switch.c | 331 +++++++-- drivers/thunderbolt/tb.c | 812 ++++++++++++++++----- drivers/thunderbolt/tb.h | 56 +- drivers/thunderbolt/tb_regs.h | 9 +- drivers/thunderbolt/tunnel.c | 217 ++++-- drivers/thunderbolt/tunnel.h | 26 +- drivers/thunderbolt/usb4.c | 116 ++- drivers/tty/serial/8250/8250_omap.c | 2 +- drivers/tty/serial/qcom_geni_serial.c | 31 +- drivers/tty/serial/rp2.c | 2 +- drivers/tty/serial/serial_core.c | 14 +- drivers/ufs/host/ufs-qcom.c | 2 +- drivers/usb/cdns3/cdnsp-ring.c | 6 +- drivers/usb/cdns3/host.c | 4 +- drivers/usb/class/cdc-acm.c | 2 + drivers/usb/dwc2/drd.c | 9 + drivers/usb/host/xhci-mem.c | 5 +- drivers/usb/host/xhci-pci.c | 17 +- drivers/usb/host/xhci-ring.c | 14 + drivers/usb/host/xhci.h | 3 + drivers/usb/misc/appledisplay.c | 15 +- drivers/usb/misc/cypress_cy7c63.c | 4 + drivers/usb/misc/yurex.c | 24 +- drivers/vhost/vdpa.c | 16 +- drivers/video/fbdev/hpfb.c | 1 + drivers/watchdog/imx_sc_wdt.c | 24 - drivers/xen/swiotlb-xen.c | 10 +- fs/btrfs/btrfs_inode.h | 47 +- fs/btrfs/ctree.h | 2 + fs/btrfs/extent-tree.c | 4 +- fs/btrfs/file.c | 34 +- fs/btrfs/ioctl.c | 4 +- fs/btrfs/subpage.c | 10 +- fs/btrfs/tree-checker.c | 2 +- fs/cachefiles/xattr.c | 34 +- fs/crypto/fname.c | 8 +- fs/ecryptfs/crypto.c | 10 - fs/erofs/inode.c | 20 +- fs/ext4/ialloc.c | 14 +- fs/ext4/inline.c | 35 +- fs/ext4/mballoc.c | 10 +- fs/ext4/super.c | 29 +- fs/f2fs/compress.c | 87 ++- fs/f2fs/data.c | 14 +- fs/f2fs/dir.c | 3 +- fs/f2fs/extent_cache.c | 4 +- fs/f2fs/f2fs.h | 48 +- fs/f2fs/file.c | 167 +++-- fs/f2fs/inode.c | 5 + fs/f2fs/namei.c | 69 -- fs/f2fs/segment.c | 8 + fs/f2fs/super.c | 20 +- fs/f2fs/xattr.c | 14 +- fs/fcntl.c | 14 +- fs/inode.c | 4 
+ fs/jfs/jfs_dmap.c | 4 +- fs/jfs/jfs_imap.c | 2 +- fs/namei.c | 6 +- fs/namespace.c | 14 +- fs/nfs/nfs4state.c | 1 + fs/nfsd/filecache.c | 3 +- fs/nfsd/nfs4idmap.c | 13 +- fs/nfsd/nfs4recover.c | 8 + fs/nilfs2/btree.c | 12 +- fs/smb/server/vfs.c | 19 +- include/acpi/cppc_acpi.h | 2 + include/linux/bitmap.h | 77 ++ include/linux/bpf.h | 7 +- include/linux/f2fs_fs.h | 2 +- include/linux/fs.h | 11 + include/linux/mm.h | 4 +- include/linux/mm_types.h | 31 +- include/linux/sbitmap.h | 2 +- include/linux/sched/numa_balancing.h | 10 + include/linux/usb/usbnet.h | 15 + include/linux/xarray.h | 6 + include/net/bluetooth/hci_core.h | 4 +- include/net/ip.h | 2 + include/net/mac80211.h | 7 +- include/net/tcp.h | 21 +- include/sound/tas2781.h | 8 +- include/trace/events/f2fs.h | 3 +- include/trace/events/sched.h | 52 ++ io_uring/io-wq.c | 25 +- io_uring/io_uring.c | 4 +- io_uring/sqpoll.c | 12 + kernel/bpf/btf.c | 8 + kernel/bpf/helpers.c | 12 +- kernel/bpf/syscall.c | 4 +- kernel/bpf/verifier.c | 57 +- kernel/kthread.c | 10 +- kernel/locking/lockdep.c | 50 +- kernel/module/Makefile | 2 +- kernel/padata.c | 6 +- kernel/rcu/tree_nocb.h | 5 +- kernel/sched/fair.c | 134 +++- kernel/trace/bpf_trace.c | 15 +- lib/debugobjects.c | 5 +- lib/sbitmap.c | 4 +- lib/test_xarray.c | 93 +++ lib/xarray.c | 53 +- lib/xz/xz_crc32.c | 2 +- lib/xz/xz_private.h | 4 - mm/damon/vaddr.c | 2 + mm/filemap.c | 50 +- mm/mmap.c | 4 + mm/util.c | 2 +- net/bluetooth/hci_conn.c | 6 +- net/bluetooth/hci_sync.c | 5 +- net/bluetooth/mgmt.c | 13 +- net/can/bcm.c | 4 +- net/can/j1939/transport.c | 8 +- net/core/filter.c | 50 +- net/core/sock_map.c | 1 + net/ipv4/icmp.c | 103 +-- net/ipv6/Kconfig | 1 + net/ipv6/icmp.c | 28 +- net/ipv6/netfilter/nf_reject_ipv6.c | 14 +- net/ipv6/route.c | 2 +- net/ipv6/rpl_iptunnel.c | 12 +- net/mac80211/iface.c | 17 +- net/mac80211/offchannel.c | 1 + net/mac80211/rate.c | 2 +- net/mac80211/scan.c | 2 +- net/mac80211/tx.c | 2 +- net/netfilter/nf_conntrack_netlink.c | 7 +- 
net/netfilter/nf_tables_api.c | 16 +- net/qrtr/af_qrtr.c | 2 +- net/tipc/bcast.c | 2 +- net/wireless/nl80211.c | 3 +- net/wireless/scan.c | 6 +- net/wireless/sme.c | 3 +- samples/bpf/Makefile | 6 +- security/bpf/hooks.c | 1 - security/smack/smackfs.c | 2 +- sound/pci/hda/cs35l41_hda_spi.c | 1 + sound/pci/hda/tas2781_hda_i2c.c | 14 +- sound/soc/codecs/rt5682.c | 4 +- sound/soc/codecs/rt5682s.c | 4 +- sound/soc/codecs/tas2781-comlib.c | 4 - sound/soc/codecs/tas2781-fmwlib.c | 1 - sound/soc/codecs/tas2781-i2c.c | 56 +- sound/soc/loongson/loongson_card.c | 4 +- tools/bpf/runqslower/Makefile | 3 +- tools/lib/bpf/bpf.c | 4 +- tools/lib/bpf/bpf.h | 4 +- tools/lib/bpf/libbpf.c | 246 +++++-- tools/lib/bpf/libbpf_internal.h | 14 + tools/lib/bpf/libbpf_probes.c | 1 + tools/perf/builtin-annotate.c | 2 +- tools/perf/builtin-inject.c | 1 + tools/perf/builtin-mem.c | 1 + tools/perf/builtin-report.c | 11 +- tools/perf/builtin-sched.c | 8 +- tools/perf/builtin-top.c | 3 +- tools/perf/ui/browsers/annotate.c | 77 +- tools/perf/ui/browsers/hists.c | 34 +- tools/perf/ui/browsers/hists.h | 2 - tools/perf/util/annotate.c | 118 +-- tools/perf/util/annotate.h | 39 +- tools/perf/util/block-info.c | 10 +- tools/perf/util/block-info.h | 3 +- tools/perf/util/hist.h | 25 +- tools/perf/util/machine.c | 17 +- tools/perf/util/session.c | 3 + tools/perf/util/sort.c | 14 +- tools/perf/util/stat-display.c | 3 +- tools/perf/util/thread.c | 4 + tools/perf/util/thread.h | 1 + tools/perf/util/time-utils.c | 4 +- tools/perf/util/tool.h | 1 + tools/power/cpupower/lib/powercap.c | 8 + tools/testing/selftests/arm64/signal/Makefile | 2 +- tools/testing/selftests/arm64/signal/sve_helpers.c | 56 ++ tools/testing/selftests/arm64/signal/sve_helpers.h | 21 + .../testcases/fake_sigreturn_sme_change_vl.c | 46 +- .../testcases/fake_sigreturn_sve_change_vl.c | 30 +- .../selftests/arm64/signal/testcases/ssve_regs.c | 36 +- .../arm64/signal/testcases/ssve_za_regs.c | 36 +- .../selftests/arm64/signal/testcases/sve_regs.c 
| 32 +- .../selftests/arm64/signal/testcases/za_no_regs.c | 32 +- .../selftests/arm64/signal/testcases/za_regs.c | 36 +- tools/testing/selftests/bpf/Makefile | 30 +- tools/testing/selftests/bpf/bench.c | 1 + tools/testing/selftests/bpf/bench.h | 1 + .../selftests/bpf/map_tests/sk_storage_map.c | 2 +- tools/testing/selftests/bpf/network_helpers.c | 24 + tools/testing/selftests/bpf/network_helpers.h | 4 + .../selftests/bpf/prog_tests/bpf_iter_setsockopt.c | 2 +- .../testing/selftests/bpf/prog_tests/core_reloc.c | 1 + .../selftests/bpf/prog_tests/decap_sanity.c | 1 - .../selftests/bpf/prog_tests/flow_dissector.c | 3 +- tools/testing/selftests/bpf/prog_tests/kfree_skb.c | 1 + .../testing/selftests/bpf/prog_tests/lwt_helpers.h | 2 - .../selftests/bpf/prog_tests/lwt_redirect.c | 2 +- .../testing/selftests/bpf/prog_tests/lwt_reroute.c | 2 + .../selftests/bpf/prog_tests/ns_current_pid_tgid.c | 156 +++- .../selftests/bpf/prog_tests/parse_tcp_hdr_opt.c | 1 + tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 1 - .../testing/selftests/bpf/prog_tests/tc_redirect.c | 12 +- tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 + .../selftests/bpf/prog_tests/user_ringbuf.c | 1 + .../testing/selftests/bpf/progs/cg_storage_multi.h | 2 - .../bpf/progs/test_libbpf_get_fd_by_id_opts.c | 1 + .../selftests/bpf/progs/test_ns_current_pid_tgid.c | 17 +- tools/testing/selftests/bpf/test_cpp.cpp | 4 + tools/testing/selftests/bpf/test_lru_map.c | 3 +- tools/testing/selftests/bpf/test_progs.c | 18 +- tools/testing/selftests/bpf/testing_helpers.c | 4 +- tools/testing/selftests/bpf/unpriv_helpers.c | 1 - tools/testing/selftests/bpf/veristat.c | 8 +- tools/testing/selftests/bpf/xdp_hw_metadata.c | 14 - .../ftrace/test.d/kprobe/kprobe_args_char.tc | 2 +- .../ftrace/test.d/kprobe/kprobe_args_string.tc | 2 +- virt/kvm/kvm_main.c | 31 +- 508 files changed, 6523 insertions(+), 3354 deletions(-)

9 months, 3 weeks


[PATCH v3 1/1] xhci: Correctly handle last TRB of isoc TD on Etron xHCI host

by Kuangyi Chiang

Unplugging a USB3.0 webcam while streaming results in errors like this:

[ 132.646387] xhci_hcd 0000:03:00.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 18 comp_code 13
[ 132.646446] xhci_hcd 0000:03:00.0: Looking for event-dma 000000002fdf8630 trb-start 000000002fdf8640 trb-end 000000002fdf8650 seg-start 000000002fdf8000 seg-end 000000002fdf8ff0
[ 132.646560] xhci_hcd 0000:03:00.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 18 comp_code 13
[ 132.646568] xhci_hcd 0000:03:00.0: Looking for event-dma 000000002fdf8660 trb-start 000000002fdf8670 trb-end 000000002fdf8670 seg-start 000000002fdf8000 seg-end 000000002fdf8ff0

If an error is detected while processing the last TRB of an isoc TD, the Etron xHC generates two transfer events for the TRB where the error was detected. The first event can be any sort of error (such as USB Transaction Error or Babble Detected), and the final event is Success.

The xHCI driver handles the TD after the first event and removes it from its internal list, and then prints a "Transfer event TRB DMA ptr not part of current TD" error message after the final event.

Commit 5372c65e1311 ("xhci: process isoc TD properly when there was a transaction error mid TD.") is designed to address isoc transaction errors, but unfortunately it doesn't account for this scenario.

Work around this by reusing the logic that handles isoc transaction errors, but continue to wait for the final event when this condition occurs. Sometimes a Stopped event arrives after an error mid TD. This is a normal event for a pending TD, and it can be treated as the final event we are waiting for.

Check if the XHCI_ETRON_HOST quirk flag is set before invoking the workaround in process_isoc_td().
Fixes: 5372c65e1311 ("xhci: process isoc TD properly when there was a transaction error mid TD.")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com>
---
 drivers/usb/host/xhci-ring.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 4cf5363875c7..a51eb3526ae3 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2450,8 +2450,10 @@ static void process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep,
 	switch (trb_comp_code) {
 	case COMP_SUCCESS:
 		/* Don't overwrite status if TD had an error, see xHCI 4.9.1 */
-		if (td->error_mid_td)
+		if (td->error_mid_td) {
+			td->error_mid_td = false;
 			break;
+		}
 		if (remaining) {
 			frame->status = short_framestatus;
 			sum_trbs_for_length = true;
@@ -2466,25 +2468,36 @@ static void process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep,
 	case COMP_BANDWIDTH_OVERRUN_ERROR:
 		frame->status = -ECOMM;
 		break;
+	case COMP_USB_TRANSACTION_ERROR:
 	case COMP_BABBLE_DETECTED_ERROR:
 		sum_trbs_for_length = true;
 		fallthrough;
 	case COMP_ISOCH_BUFFER_OVERRUN:
 		frame->status = -EOVERFLOW;
+		if (trb_comp_code == COMP_USB_TRANSACTION_ERROR)
+			frame->status = -EPROTO;
 		if (ep_trb != td->end_trb)
 			td->error_mid_td = true;
+		else
+			td->error_mid_td = false;
+
+		/*
+		 * If an error is detected on the last TRB of the TD,
+		 * wait for the final event.
+		 */
+		if ((xhci->quirks & XHCI_ETRON_HOST) &&
+		    td->urb->dev->speed >= USB_SPEED_SUPER &&
+		    ep_trb == td->end_trb)
+			td->error_mid_td = true;
 		break;
 	case COMP_INCOMPATIBLE_DEVICE_ERROR:
 	case COMP_STALL_ERROR:
 		frame->status = -EPROTO;
 		break;
-	case COMP_USB_TRANSACTION_ERROR:
-		frame->status = -EPROTO;
-		sum_trbs_for_length = true;
-		if (ep_trb != td->end_trb)
-			td->error_mid_td = true;
-		break;
 	case COMP_STOPPED:
+		/* Think of it as the final event if TD had an error */
+		if (td->error_mid_td)
+			td->error_mid_td = false;
 		sum_trbs_for_length = true;
 		break;
 	case COMP_STOPPED_SHORT_PACKET:
@@ -2517,7 +2530,7 @@ static void process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep,
 
 finish_td:
 	/* Don't give back TD yet if we encountered an error mid TD */
-	if (td->error_mid_td && ep_trb != td->end_trb) {
+	if (td->error_mid_td) {
 		xhci_dbg(xhci, "Error mid isoc TD, wait for final completion event\n");
 		td->urb_length_set = true;
 		return;
-- 
2.25.1
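For readers following the event sequence described in the commit message, the flag handling can be sketched as a small standalone state machine. This is only an illustration under simplifying assumptions, not the driver code: `struct td_state`, `handle_event()`, and the `on_last_trb` / `etron_quirk` parameters are hypothetical stand-ins for the driver's TD bookkeeping, the `ep_trb == td->end_trb` test, and the `XHCI_ETRON_HOST` quirk on a SuperSpeed device. The enum is a reduced local copy of three completion codes, and frame status and length accounting are left out.

```c
#include <stdbool.h>

/* Hypothetical, reduced set of completion codes for this sketch only. */
enum comp_code {
	COMP_SUCCESS,
	COMP_USB_TRANSACTION_ERROR,
	COMP_STOPPED,
};

/* Hypothetical stand-in for the per-TD state the driver keeps. */
struct td_state {
	bool error_mid_td;	/* true while a final event is still expected */
	bool given_back;	/* true once the TD has been handed back */
};

/*
 * Process one transfer event for a TD. Returns true if the TD is given
 * back now, false if the caller must wait for a further event.
 *
 * on_last_trb: the event points at the last TRB of the TD.
 * etron_quirk: models the quirk check (Etron host, SuperSpeed device).
 */
static bool handle_event(struct td_state *td, enum comp_code code,
			 bool on_last_trb, bool etron_quirk)
{
	switch (code) {
	case COMP_SUCCESS:
	case COMP_STOPPED:
		/* Treated as the final event after an earlier error. */
		td->error_mid_td = false;
		break;
	case COMP_USB_TRANSACTION_ERROR:
		/*
		 * Keep waiting if the error hit mid TD, or if it hit the
		 * last TRB on a host that still sends a second event.
		 */
		td->error_mid_td = !on_last_trb || etron_quirk;
		break;
	}

	if (td->error_mid_td)
		return false;	/* do not give back the TD yet */

	td->given_back = true;
	return true;
}
```

With the quirk set, an error on the last TRB leaves the TD pending, and the following Success (or Stopped) event completes it. Without the quirk, the same error gives the TD back immediately, which matches the behaviour the commit message describes for other hosts.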

9 months, 3 weeks


[PATCH] virtio_net: drain unconsumed tx completions if any before dql_reset

by Koichiro Den

When virtnet_close is followed by virtnet_open, there is a slight chance that some TX completions remain unconsumed. Those are handled during the first NAPI poll, but since dql_reset occurs just beforehand, it can lead to a crash [1].

This issue can be reproduced by running: `while :; do ip l set DEV down; ip l set DEV up; done` under heavy network TX load from inside of the machine.

To fix this, drain unconsumed TX completions if any before dql_reset, allowing BQL to start cleanly.

------------[ cut here ]------------
kernel BUG at lib/dynamic_queue_limits.c:99!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 7 UID: 0 PID: 1598 Comm: ip Tainted: G N 6.12.0net-next_main+ #2
Tainted: [N]=TEST
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), \
BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:dql_completed+0x26b/0x290
Code: b7 c2 49 89 e9 44 89 da 89 c6 4c 89 d7 e8 ed 17 47 00 58 65 ff 0d 4d 27 90 7e 0f 85 fd fe ff ff e8 ea 53 8d ff e9 f3 fe ff ff <0f> 0b 01 d2 44 89 d1 29 d1 ba 00 00 00 00 0f 48 ca e9 28 ff ff ff
RSP: 0018:ffffc900002b0d08 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffff888102398c80 RCX: 0000000080190009
RDX: 0000000000000000 RSI: 000000000000006a RDI: 0000000000000000
RBP: ffff888102398c00 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000ca R11: 0000000000015681 R12: 0000000000000001
R13: ffffc900002b0d68 R14: ffff88811115e000 R15: ffff8881107aca40
FS: 00007f41ded69500(0000) GS:ffff888667dc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556ccc2dc1a0 CR3: 0000000104fd8003 CR4: 0000000000772ef0
PKRU: 55555554
Call Trace:
 <IRQ>
 ? die+0x32/0x80
 ? do_trap+0xd9/0x100
 ? dql_completed+0x26b/0x290
 ? dql_completed+0x26b/0x290
 ? do_error_trap+0x6d/0xb0
 ? dql_completed+0x26b/0x290
 ? exc_invalid_op+0x4c/0x60
 ? dql_completed+0x26b/0x290
 ? asm_exc_invalid_op+0x16/0x20
 ? dql_completed+0x26b/0x290
 __free_old_xmit+0xff/0x170 [virtio_net]
 free_old_xmit+0x54/0xc0 [virtio_net]
 virtnet_poll+0xf4/0xe30 [virtio_net]
 ? __update_load_avg_cfs_rq+0x264/0x2d0
 ? update_curr+0x35/0x260
 ? reweight_entity+0x1be/0x260
 __napi_poll.constprop.0+0x28/0x1c0
 net_rx_action+0x329/0x420
 ? enqueue_hrtimer+0x35/0x90
 ? trace_hardirqs_on+0x1d/0x80
 ? kvm_sched_clock_read+0xd/0x20
 ? sched_clock+0xc/0x30
 ? kvm_sched_clock_read+0xd/0x20
 ? sched_clock+0xc/0x30
 ? sched_clock_cpu+0xd/0x1a0
 handle_softirqs+0x138/0x3e0
 do_softirq.part.0+0x89/0xc0
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xa7/0xb0
 virtnet_open+0xc8/0x310 [virtio_net]
 __dev_open+0xfa/0x1b0
 __dev_change_flags+0x1de/0x250
 dev_change_flags+0x22/0x60
 do_setlink.isra.0+0x2df/0x10b0
 ? rtnetlink_rcv_msg+0x34f/0x3f0
 ? netlink_rcv_skb+0x54/0x100
 ? netlink_unicast+0x23e/0x390
 ? netlink_sendmsg+0x21e/0x490
 ? ____sys_sendmsg+0x31b/0x350
 ? avc_has_perm_noaudit+0x67/0xf0
 ? cred_has_capability.isra.0+0x75/0x110
 ? __nla_validate_parse+0x5f/0xee0
 ? __pfx___probestub_irq_enable+0x3/0x10
 ? __create_object+0x5e/0x90
 ? security_capable+0x3b/0x70
 rtnl_newlink+0x784/0xaf0
 ? avc_has_perm_noaudit+0x67/0xf0
 ? cred_has_capability.isra.0+0x75/0x110
 ? stack_depot_save_flags+0x24/0x6d0
 ? __pfx_rtnl_newlink+0x10/0x10
 rtnetlink_rcv_msg+0x34f/0x3f0
 ? do_syscall_64+0x6c/0x180
 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ? __pfx_rtnetlink_rcv_msg+0x10/0x10
 netlink_rcv_skb+0x54/0x100
 netlink_unicast+0x23e/0x390
 netlink_sendmsg+0x21e/0x490
 ____sys_sendmsg+0x31b/0x350
 ? copy_msghdr_from_user+0x6d/0xa0
 ___sys_sendmsg+0x86/0xd0
 ? __pte_offset_map+0x17/0x160
 ? preempt_count_add+0x69/0xa0
 ? __call_rcu_common.constprop.0+0x147/0x610
 ? preempt_count_add+0x69/0xa0
 ? preempt_count_add+0x69/0xa0
 ? _raw_spin_trylock+0x13/0x60
 ? trace_hardirqs_on+0x1d/0x80
 __sys_sendmsg+0x66/0xc0
 do_syscall_64+0x6c/0x180
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f41defe5b34
Code: 15 e1 12 0f 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d 35 95 0f 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
RSP: 002b:00007ffe5336ecc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f41defe5b34
RDX: 0000000000000000 RSI: 00007ffe5336ed30 RDI: 0000000000000003
RBP: 00007ffe5336eda0 R08: 0000000000000010 R09: 0000000000000001
R10: 00007ffe5336f6f9 R11: 0000000000000202 R12: 0000000000000003
R13: 0000000067452259 R14: 0000556ccc28b040 R15: 0000000000000000
 </TASK>
[...]
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: c8bd1f7f3e61 ("virtio_net: add support for Byte Queue Limits")
Cc: <stable(a)vger.kernel.org> # v6.11+
Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com>
---
 drivers/net/virtio_net.c | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 64c87bb48a41..3e36c0470600 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -513,7 +513,7 @@ static struct sk_buff *virtnet_skb_append_frag(struct sk_buff *head_skb,
 					       struct sk_buff *curr_skb,
 					       struct page *page, void *buf,
 					       int len, int truesize);
-static void virtnet_xsk_completed(struct send_queue *sq, int num);
+static void virtnet_xsk_completed(struct send_queue *sq, int num, bool drain);
 
 enum virtnet_xmit_type {
 	VIRTNET_XMIT_TYPE_SKB,
@@ -580,7 +580,8 @@ static void sg_fill_dma(struct scatterlist *sg, dma_addr_t addr, u32 len)
 }
 
 static void __free_old_xmit(struct send_queue *sq, struct netdev_queue *txq,
-			    bool in_napi, struct virtnet_sq_free_stats *stats)
+			    bool in_napi, struct virtnet_sq_free_stats *stats,
+			    bool drain)
 {
 	struct xdp_frame *frame;
 	struct sk_buff *skb;
@@ 
-620,7 +621,8 @@ static void __free_old_xmit(struct send_queue *sq, struct netdev_queue *txq, break; } } - netdev_tx_completed_queue(txq, stats->napi_packets, stats->napi_bytes); + if (!drain) + netdev_tx_completed_queue(txq, stats->napi_packets, stats->napi_bytes); } static void virtnet_free_old_xmit(struct send_queue *sq, @@ -628,10 +630,21 @@ static void virtnet_free_old_xmit(struct send_queue *sq, bool in_napi, struct virtnet_sq_free_stats *stats) { - __free_old_xmit(sq, txq, in_napi, stats); + __free_old_xmit(sq, txq, in_napi, stats, false); if (stats->xsk) - virtnet_xsk_completed(sq, stats->xsk); + virtnet_xsk_completed(sq, stats->xsk, false); +} + +static void virtnet_drain_old_xmit(struct send_queue *sq, + struct netdev_queue *txq) +{ + struct virtnet_sq_free_stats stats = {0}; + + __free_old_xmit(sq, txq, false, &stats, true); + + if (stats.xsk) + virtnet_xsk_completed(sq, stats.xsk, true); } /* Converting between virtqueue no. and kernel tx/rx queue no. @@ -1499,7 +1512,8 @@ static bool virtnet_xsk_xmit(struct send_queue *sq, struct xsk_buff_pool *pool, /* Avoid to wakeup napi meanless, so call __free_old_xmit instead of * free_old_xmit(). */ - __free_old_xmit(sq, netdev_get_tx_queue(dev, sq - vi->sq), true, &stats); + __free_old_xmit(sq, netdev_get_tx_queue(dev, sq - vi->sq), true, + &stats, false); if (stats.xsk) xsk_tx_completed(sq->xsk_pool, stats.xsk); @@ -1556,10 +1570,13 @@ static int virtnet_xsk_wakeup(struct net_device *dev, u32 qid, u32 flag) return 0; } -static void virtnet_xsk_completed(struct send_queue *sq, int num) +static void virtnet_xsk_completed(struct send_queue *sq, int num, bool drain) { xsk_tx_completed(sq->xsk_pool, num); + if (drain) + return; + /* If this is called by rx poll, start_xmit and xdp xmit we should * wakeup the tx napi to consume the xsk tx queue, because the tx * interrupt may not be triggered. 
@@ -3041,6 +3058,7 @@ static void virtnet_disable_queue_pair(struct virtnet_info *vi, int qp_index)
 
 static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index)
 {
+	struct netdev_queue *txq = netdev_get_tx_queue(vi->dev, qp_index);
 	struct net_device *dev = vi->dev;
 	int err;
 
@@ -3054,7 +3072,10 @@ static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index)
 	if (err < 0)
 		goto err_xdp_reg_mem_model;
 
-	netdev_tx_reset_queue(netdev_get_tx_queue(vi->dev, qp_index));
+	/* Drain any unconsumed TX skbs transmitted before the last virtnet_close */
+	virtnet_drain_old_xmit(&vi->sq[qp_index], txq);
+
+	netdev_tx_reset_queue(txq);
 	virtnet_napi_enable(vi->rq[qp_index].vq, &vi->rq[qp_index].napi);
 	virtnet_napi_tx_enable(vi, vi->sq[qp_index].vq, &vi->sq[qp_index].napi);
 
-- 
2.43.0
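
For readers following the BQL ordering problem described in the commit message, here is a minimal userspace sketch. It is not the kernel code: `toy_dql` and every `toy_*` helper are hypothetical stand-ins, and the sketch assumes the BUG in dql_completed() is the check that a completion may not exceed what was queued since the last reset.

```c
#include <assert.h>
#include <stdbool.h>

/* Hypothetical stand-in for the kernel's struct dql: two counters only. */
struct toy_dql {
	unsigned int num_queued;    /* bytes handed to the device */
	unsigned int num_completed; /* bytes reported back as completed */
};

static void toy_dql_queued(struct toy_dql *q, unsigned int bytes)
{
	q->num_queued += bytes;
}

static void toy_dql_reset(struct toy_dql *q)
{
	q->num_queued = 0;
	q->num_completed = 0;
}

/* Returns false where the real dql_completed() is assumed to BUG. */
static bool toy_dql_completed(struct toy_dql *q, unsigned int bytes)
{
	if (bytes > q->num_queued - q->num_completed)
		return false;
	q->num_completed += bytes;
	return true;
}

/* One close/open cycle with 'pending' bytes left unconsumed at close time. */
static bool toy_reopen_is_safe(unsigned int pending, bool drain_before_reset)
{
	struct toy_dql q = { 0, 0 };

	toy_dql_queued(&q, pending);	/* transmitted before virtnet_close */
	if (drain_before_reset)
		pending = 0;		/* freed without touching BQL counters */
	toy_dql_reset(&q);		/* reset performed on the open path */

	/* The first NAPI poll after open reports whatever is still pending. */
	return toy_dql_completed(&q, pending);
}
```

Calling `toy_reopen_is_safe(106, false)` models the crash path (a stale completion arrives after the reset), while `toy_reopen_is_safe(106, true)` models the patched ordering.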

9 months, 3 weeks


[PATCH v2] arch_numa: Restore nid checks before registering a memblock with a node

by Marc Zyngier

Commit 767507654c22 ("arch_numa: switch over to numa_memblks") significantly cleaned up the NUMA registration code, but also dropped a significant check that was refusing to accept to configure a memblock with an invalid nid. On "quality hardware" such as my ThunderX machine, this results in a kernel that dies immediately: [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x431f0a10] [ 0.000000] Linux version 6.12.0-00013-g8920d74cf8db (maz@valley-girl) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #3872 SMP PREEMPT Wed Nov 27 15:25:49 GMT 2024 [ 0.000000] KASLR disabled due to lack of seed [ 0.000000] Machine model: Cavium ThunderX CN88XX board [ 0.000000] efi: EFI v2.4 by American Megatrends [ 0.000000] efi: ESRT=0xffce0ff18 SMBIOS 3.0=0xfffb0000 ACPI 2.0=0xffec60000 MEMRESERVE=0xffc905d98 [ 0.000000] esrt: Reserving ESRT space from 0x0000000ffce0ff18 to 0x0000000ffce0ff50. [ 0.000000] earlycon: pl11 at MMIO 0x000087e024000000 (options '115200n8') [ 0.000000] printk: legacy bootconsole [pl11] enabled [ 0.000000] NODE_DATA(0) allocated [mem 0xff6754580-0xff67566bf] [ 0.000000] Unable to handle kernel paging request at virtual address 0000000000001d40 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x0000000096000004 [ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] FSC = 0x04: level 0 translation fault [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 0.000000] [0000000000001d40] user address but active_mm is swapper [ 0.000000] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.12.0-00013-g8920d74cf8db #3872 [ 0.000000] Hardware name: Cavium ThunderX CN88XX board (DT) [ 0.000000] pstate: a00000c5 (NzCv daIF -PAN -UAO -TCO 
-DIT -SSBS BTYPE=--) [ 0.000000] pc : sparse_init_nid+0x54/0x428 [ 0.000000] lr : sparse_init+0x118/0x240 [ 0.000000] sp : ffff800081da3cb0 [ 0.000000] x29: ffff800081da3cb0 x28: 0000000fedbab10c x27: 0000000000000001 [ 0.000000] x26: 0000000ffee250f8 x25: 0000000000000001 x24: ffff800082102cd0 [ 0.000000] x23: 0000000000000001 x22: 0000000000000000 x21: 00000000001fffff [ 0.000000] x20: 0000000000000001 x19: 0000000000000000 x18: ffffffffffffffff [ 0.000000] x17: 0000000001b00000 x16: 0000000ffd130000 x15: 0000000000000000 [ 0.000000] x14: 00000000003e0000 x13: 00000000000001c8 x12: 0000000000000014 [ 0.000000] x11: ffff800081e82860 x10: ffff8000820fb2c8 x9 : ffff8000820fb490 [ 0.000000] x8 : 0000000000ffed20 x7 : 0000000000000014 x6 : 00000000001fffff [ 0.000000] x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000000 [ 0.000000] x2 : 0000000000000000 x1 : 0000000000000040 x0 : 0000000000000007 [ 0.000000] Call trace: [ 0.000000] sparse_init_nid+0x54/0x428 [ 0.000000] sparse_init+0x118/0x240 [ 0.000000] bootmem_init+0x70/0x1c8 [ 0.000000] setup_arch+0x184/0x270 [ 0.000000] start_kernel+0x74/0x670 [ 0.000000] __primary_switched+0x80/0x90 [ 0.000000] Code: f865d804 d37df060 cb030000 d2800003 (b95d4084) [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- while previous kernel versions were able to recognise how brain-damaged the machine is, and only build a fake node. Use the memblock_validate_numa_coverage() helper to restore some sanity and a "working" system. 
Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks")
Suggested-by: Mike Rapoport <rppt(a)kernel.org>
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: Catalin Marinas <catalin.marinas(a)arm.com>
Cc: Will Deacon <will(a)kernel.org>
Cc: Zi Yan <ziy(a)nvidia.com>
Cc: Dan Williams <dan.j.williams(a)intel.com>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: Andrew Morton <akpm(a)linux-foundation.org>
Cc: stable(a)vger.kernel.org
---
 drivers/base/arch_numa.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/base/arch_numa.c b/drivers/base/arch_numa.c
index e187016764265..c63a72a1fed64 100644
--- a/drivers/base/arch_numa.c
+++ b/drivers/base/arch_numa.c
@@ -208,6 +208,10 @@ static int __init numa_register_nodes(void)
 {
 	int nid;
 
+	/* Check the validity of the memblock/node mapping */
+	if (!memblock_validate_numa_coverage(1))
+		return -EINVAL;
+
 	/* Finally register nodes. */
 	for_each_node_mask(nid, numa_nodes_parsed) {
 		unsigned long start_pfn, end_pfn;
-- 
2.39.2
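
The restored check can be pictured with a small userspace model. This is only a sketch: `toy_region`, `TOY_NO_NODE`, `TOY_MAX_NODES` and the `toy_*` functions are hypothetical, and the exact comparison the real memblock_validate_numa_coverage() uses against its threshold is an assumption here. With a threshold of 1, as in the patch, any memory lacking a valid node ID fails the check.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

#define TOY_NO_NODE   (-1)	/* hypothetical stand-in for "no node assigned" */
#define TOY_MAX_NODES 4		/* hypothetical node limit */

struct toy_region {
	unsigned long start;	/* inclusive */
	unsigned long end;	/* exclusive */
	int nid;
};

static bool toy_nid_valid(int nid)
{
	return nid >= 0 && nid < TOY_MAX_NODES;
}

/* True when the bytes without a valid node stay below the threshold. */
static bool toy_validate_numa_coverage(const struct toy_region *r, size_t n,
				       unsigned long threshold_bytes)
{
	unsigned long uncovered = 0;

	for (size_t i = 0; i < n; i++)
		if (!toy_nid_valid(r[i].nid))
			uncovered += r[i].end - r[i].start;

	return uncovered < threshold_bytes;
}

/* Two 1 GiB regions; the second one carries the node ID under test. */
static bool toy_numa_init_ok(int nid_of_second_region)
{
	const struct toy_region regions[] = {
		{ 0x00000000UL, 0x40000000UL, 0 },
		{ 0x40000000UL, 0x80000000UL, nid_of_second_region },
	};

	return toy_validate_numa_coverage(regions, 2, 1);
}
```

In this model a firmware table that leaves a region without a node, or assigns an out-of-range one, is rejected up front so that the caller can fall back instead of registering the region.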

9 months, 3 weeks


[PATCH v3] x86/cpu: Add INTEL_LUNARLAKE_M to X86_BUG_MONITOR

by Len Brown

From: Len Brown <len.brown(a)intel.com>

Under some conditions, MONITOR wakeups on Lunar Lake processors
can be lost, resulting in significant user-visible delays.

Add LunarLake to X86_BUG_MONITOR so that wake_up_idle_cpu()
always sends an IPI, avoiding this potential delay.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219364
Cc: stable(a)vger.kernel.org # 6.11
Signed-off-by: Len Brown <len.brown(a)intel.com>
---
v3 syntax tweak
v2 leave smp_kick_mwait_play_dead() alone

 arch/x86/kernel/cpu/intel.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index e7656cbef68d..4b5f3d052151 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -586,7 +586,9 @@ static void init_intel(struct cpuinfo_x86 *c)
 	     c->x86_vfm == INTEL_WESTMERE_EX))
 		set_cpu_bug(c, X86_BUG_CLFLUSH_MONITOR);
 
-	if (boot_cpu_has(X86_FEATURE_MWAIT) && c->x86_vfm == INTEL_ATOM_GOLDMONT)
+	if (boot_cpu_has(X86_FEATURE_MWAIT) &&
+	    (c->x86_vfm == INTEL_ATOM_GOLDMONT ||
+	     c->x86_vfm == INTEL_LUNARLAKE_M))
 		set_cpu_bug(c, X86_BUG_MONITOR);
 
 #ifdef CONFIG_X86_64
-- 
2.43.0

9 months, 3 weeks


[PATCH] cifs: Fix buffer overflow when parsing NFS reparse points

by Mahmoud Adam

From: Pali Rohár <pali(a)kernel.org>

upstream e2a8910af01653c1c268984855629d71fb81f404 commit.

ReparseDataLength is the sum of the InodeType size and the DataBuffer size.
So to get the DataBuffer size, InodeType's size must be subtracted from
ReparseDataLength.

Function cifs_strndup_from_utf16() is currently accessing buf->DataBuffer
at a position after the end of the buffer because it does not subtract
the InodeType size from the length. Fix this problem and correctly subtract
variable len.

Member InodeType is present only when the reparse buffer is large enough.
Check ReparseDataLength before accessing InodeType to prevent another
invalid memory access.

Major and minor rdev values are also present only when the reparse buffer
is large enough. Check the reparse buffer size before calling
reparse_mkdev().

Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points")
Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com>
Signed-off-by: Pali Rohár <pali(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
[use variable name symlink_buf, the other buf->InodeType accesses are
not used in current version so skip]
Signed-off-by: Mahmoud Adam <mngyadam(a)amazon.com>
---
This fixes CVE-2024-49996, and applies cleanly on 5.4->6.1; 6.6 and later
already have the fix.

 fs/smb/client/smb2ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index d1e5ff9a3cd39..fcfbc096924a8 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -2897,6 +2897,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf,
 
 	/* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */
 	len = le16_to_cpu(symlink_buf->ReparseDataLength);
+	if (len < sizeof(symlink_buf->InodeType)) {
+		cifs_dbg(VFS, "srv returned malformed nfs buffer\n");
+		return -EIO;
+	}
+
+	len -= sizeof(symlink_buf->InodeType);
 
 	if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) {
 		cifs_dbg(VFS, "%lld not a supported symlink type\n",
-- 
2.40.1
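
The length arithmetic in the commit message can be sketched in userspace as follows. `toy_nfs_data_len` and `TOY_EIO` are hypothetical names; the only facts taken from the patch are that InodeType is a 64-bit field and that ReparseDataLength covers InodeType plus DataBuffer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define TOY_EIO 5	/* hypothetical stand-in for the kernel's EIO */

/*
 * Returns the number of bytes that belong to DataBuffer, or -TOY_EIO when
 * ReparseDataLength is too small to contain the InodeType field at all.
 */
static int toy_nfs_data_len(uint16_t reparse_data_length)
{
	const size_t inode_type_size = sizeof(uint64_t);

	if (reparse_data_length < inode_type_size)
		return -TOY_EIO;

	return (int)(reparse_data_length - inode_type_size);
}
```

A server reply advertising 20 bytes of reparse data therefore leaves 12 bytes for the symlink target, and a reply advertising fewer than 8 bytes is rejected before InodeType is read.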

9 months, 3 weeks


RE: [PATCH v2] x86: Allow user accesses to the base of the guard page

by David Laight

CC stable.

This needs picking up for 6.12

Head commit 573f45a9f9a47 applied by Linus with a modified commit message.

	David

> -----Original Message-----
> From: David Laight
> Sent: 24 November 2024 15:39
> To: 'Linus Torvalds' <torvalds(a)linux-foundation.org>; 'Andrew Cooper' <andrew.cooper3(a)citrix.com>;
> 'bp(a)alien8.de' <bp(a)alien8.de>; 'Josh Poimboeuf' <jpoimboe(a)kernel.org>
> Cc: 'x86(a)kernel.org' <x86(a)kernel.org>; 'linux-kernel(a)vger.kernel.org' <linux-kernel(a)vger.kernel.org>;
> 'Arnd Bergmann' <arnd(a)kernel.org>; 'Mikel Rychliski' <mikel(a)mikelr.com>; 'Thomas Gleixner'
> <tglx(a)linutronix.de>; 'Ingo Molnar' <mingo(a)redhat.com>; 'Borislav Petkov' <bp(a)alien8.de>; 'Dave
> Hansen' <dave.hansen(a)linux.intel.com>; 'H. Peter Anvin' <hpa(a)zytor.com>
> Subject: [PATCH v2] x86: Allow user accesses to the base of the guard page
>
> __access_ok() calls valid_user_address() with the address after
> the last byte of the user buffer.
> It is valid for a buffer to end with the last valid user address
> so valid_user_address() must allow accesses to the base of the
> guard page.
>
> Fixes: 86e6b1547b3d0 ("x86: fix user address masking non-canonical speculation issue")
> Signed-off-by: David Laight <david.laight(a)aculab.com>
> ---
>
> v2: Rewritten commit message.
>
>  arch/x86/kernel/cpu/common.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index 06a516f6795b..ca327cfa42ae 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -2389,12 +2389,12 @@ void __init arch_cpu_finalize_init(void)
>  	alternative_instructions();
>
>  	if (IS_ENABLED(CONFIG_X86_64)) {
> -		unsigned long USER_PTR_MAX = TASK_SIZE_MAX-1;
> +		unsigned long USER_PTR_MAX = TASK_SIZE_MAX;
>
>  		/*
>  		 * Enable this when LAM is gated on LASS support
>  		if (cpu_feature_enabled(X86_FEATURE_LAM))
> -			USER_PTR_MAX = (1ul << 63) - PAGE_SIZE - 1;
> +			USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;
>  		 */
>  		runtime_const_init(ptr, USER_PTR_MAX);
>
> --
> 2.17.1

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
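
The off-by-one being fixed can be reproduced with a small userspace model. The `toy_*` names are hypothetical, and `TOY_TASK_SIZE_MAX` assumes the 4-level paging value (2^47 minus one 4 KiB page); the model only mirrors the described behaviour, in which the checked address is the one just past the last byte of the buffer.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* Assumed value: (1 << 47) - 4096, the base of the guard page. */
#define TOY_TASK_SIZE_MAX UINT64_C(0x00007ffffffff000)

static bool toy_valid_user_address(uint64_t addr, uint64_t user_ptr_max)
{
	return addr <= user_ptr_max;
}

/* Checks the address one past the end of the buffer, rejecting wraparound. */
static bool toy_access_ok(uint64_t ptr, uint64_t size, uint64_t user_ptr_max)
{
	uint64_t end = ptr + size;

	return end >= ptr && toy_valid_user_address(end, user_ptr_max);
}
```

A 16-byte buffer whose last byte is the last valid user address has `end == TOY_TASK_SIZE_MAX`. The model rejects it when the limit is `TOY_TASK_SIZE_MAX - 1` and accepts it when the limit is `TOY_TASK_SIZE_MAX`, while a buffer reaching one byte into the guard page is still rejected.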

9 months, 3 weeks


[to-be-updated] mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmscan: ensure kswapd is woken up if the wait queue is active has been removed from the -mm tree. Its filename was mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Seiji Nishikawa <snishika(a)redhat.com> Subject: mm: vmscan: ensure kswapd is woken up if the wait queue is active Date: Wed, 27 Nov 2024 00:06:12 +0900 Even after commit 501b26510ae3 ("vmstat: allow_direct_reclaim should use zone_page_state_snapshot"), a task may remain indefinitely stuck in throttle_direct_reclaim() while holding mm->rwsem. __alloc_pages_nodemask try_to_free_pages throttle_direct_reclaim This can cause numerous other tasks to wait on the same rwsem, leading to severe system hangups: [1088963.358712] INFO: task python3:1670971 blocked for more than 120 seconds. [1088963.365653] Tainted: G OE -------- - - 4.18.0-553.el8_10.aarch64 #1 [1088963.373887] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [1088963.381862] task:python3 state:D stack:0 pid:1670971 ppid:1667117 flags:0x00800080 [1088963.381869] Call trace: [1088963.381872] __switch_to+0xd0/0x120 [1088963.381877] __schedule+0x340/0xac8 [1088963.381881] schedule+0x68/0x118 [1088963.381886] rwsem_down_read_slowpath+0x2d4/0x4b8 The issue arises when allow_direct_reclaim(pgdat) returns false, preventing progress even when the pgdat->pfmemalloc_wait wait queue is empty. Despite the wait queue being empty, the condition, allow_direct_reclaim(pgdat), may still be returning false, causing it to continue looping. In some cases, reclaimable pages exist (zone_reclaimable_pages() returns > 0), but calculations of pfmemalloc_reserve and free_pages result in wmark_ok being false. 
And then, despite the pgdat->kswapd_wait queue being non-empty, kswapd is not woken up, further exacerbating the problem: crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_highest_zoneidx $775 = __MAX_NR_ZONES The issue likely occurs under specific conditions: high memory pressure with frequent direct reclaim, contention on mmap_sem from concurrent memory allocations, reclaimable pages exist, but zone states cause wmark_ok to return false. Modern workloads (e.g., Python multiprocessing) and changes in kernel reclaim logic may have surfaced such edge cases more prominently than before. The workload involves concurrent Python processes under high memory pressure, leading to contention on mmap_sem. While not unusual, this workload may trigger a rare combination of conditions that expose the issue. This patch modifies allow_direct_reclaim() to wake kswapd if the pgdat->kswapd_wait queue is active, regardless of whether wmark_ok is true or false. This change ensures kswapd does not miss wake-ups under high memory pressure, reducing the risk of task stalls in the throttled reclaim path. 
Link: https://lkml.kernel.org/r/20241126150612.114561-1-snishika@redhat.com
Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com>
Cc: Mel Gorman <mgorman(a)techsingularity.net>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/vmscan.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/vmscan.c~mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active
+++ a/mm/vmscan.c
@@ -6389,8 +6389,8 @@ static bool allow_direct_reclaim(pg_data
 
 	wmark_ok = free_pages > pfmemalloc_reserve / 2;
 
-	/* kswapd must be awake if processes are being throttled */
-	if (!wmark_ok && waitqueue_active(&pgdat->kswapd_wait)) {
+	/* Always wake up kswapd if the wait queue is not empty */
+	if (waitqueue_active(&pgdat->kswapd_wait)) {
 		if (READ_ONCE(pgdat->kswapd_highest_zoneidx) > ZONE_NORMAL)
 			WRITE_ONCE(pgdat->kswapd_highest_zoneidx, ZONE_NORMAL);
 
_

Patches currently in -mm which might be from snishika(a)redhat.com are

mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch

9 months, 3 weeks


[to-be-updated] mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory has been removed from the -mm tree. Its filename was mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Date: Fri, 12 Jul 2024 14:42:49 +0800 When I did memory failure tests recently, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40 RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 Call Trace: <TASK> unpoison_memory+0x2f3/0x590 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 debugfs_attr_write+0x42/0x60 full_proxy_write+0x5b/0x80 vfs_write+0xd5/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xb9/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08f0314887 RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887 RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001 RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff R10: 
0000000000000000 R11: 0000000000000246 R12: 0000000000000009 R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00 </TASK> Modules linked in: hwpoison_inject ---[ end trace 0000000000000000 ]--- RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- We're hitting a BUG_ON in PF_ANY(): PAGEFLAG(HWPoison, hwpoison, PF_ANY) #define PF_ANY(page, enforce) PF_POISONED_CHECK(page) #define PF_POISONED_CHECK(page) ({ \ VM_BUG_ON_PGFLAGS(PagePoisoned(page), page); \ page; }) #define PAGE_POISON_PATTERN -1l static inline int PagePoisoned(const struct page *page) { return READ_ONCE(page->flags) == PAGE_POISON_PATTERN; } The offlined pages will have page->flags set to PAGE_POISON_PATTERN while pfn is still valid: offline_pages remove_pfn_range_from_zone page_init_poison memset(page, PAGE_POISON_PATTERN, size); The root cause is that unpoison_memory() tries to check the PG_HWPoison flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is triggered. 
This can be reproduced with the steps below:

1. Offline memory block:
 echo offline > /sys/devices/system/memory/memory12/state

2. Get offlined memory pfn:
 page-types -b n -rlN

3. Write pfn to unpoison-pfn:
 echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn

Link: https://lkml.kernel.org/r/20240712064249.3882707-1-linmiaohe@huawei.com
Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking")
Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com>
Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/memory-failure.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/mm/memory-failure.c~mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory
+++ a/mm/memory-failure.c
@@ -2578,6 +2578,13 @@ int unpoison_memory(unsigned long pfn)
 		goto unlock_mutex;
 	}
 
+	if (PagePoisoned(p)) {
+		unpoison_pr_info("%#lx: page is uninitialized\n",
+				 pfn, &unpoison_rs);
+		ret = -EOPNOTSUPP;
+		goto unlock_mutex;
+	}
+
 	if (!PageHWPoison(p)) {
 		unpoison_pr_info("%#lx: page was already unpoisoned\n",
 				 pfn, &unpoison_rs);
_

Patches currently in -mm which might be from linmiaohe(a)huawei.com are

9 months, 3 weeks


+ mm-hugetlb-change-enospc-to-enomem-in-alloc_hugetlb_folio.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: mm/hugetlb: change ENOSPC to ENOMEM in alloc_hugetlb_folio
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
     mm-hugetlb-change-enospc-to-enomem-in-alloc_hugetlb_folio.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Dafna Hirschfeld <dafna.hirschfeld(a)intel.com>
Subject: mm/hugetlb: change ENOSPC to ENOMEM in alloc_hugetlb_folio
Date: Sun, 1 Dec 2024 03:03:41 +0200

The error ENOSPC is translated in vmf_error to VM_FAULT_SIGBUS, which is
further translated to EFAULT in, e.g., pin/get_user_pages. But when
running out of pages/hugepages we expect to see ENOMEM and not EFAULT.

Link: https://lkml.kernel.org/r/20241201010341.1382431-1-dafna.hirschfeld@intel.c…
Fixes: 8f34af6f93ae ("mm, hugetlb: move the error handle logic out of normal code path")
Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld(a)intel.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/hugetlb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/hugetlb.c~mm-hugetlb-change-enospc-to-enomem-in-alloc_hugetlb_folio
+++ a/mm/hugetlb.c
@@ -3113,7 +3113,7 @@ out_end_reservation:
 	if (!memcg_charge_ret)
 		mem_cgroup_cancel_charge(memcg, nr_pages);
 	mem_cgroup_put(memcg);
-	return ERR_PTR(-ENOSPC);
+	return ERR_PTR(-ENOMEM);
 }
 
 int alloc_bootmem_huge_page(struct hstate *h, int nid)
_

Patches currently in -mm which might be from dafna.hirschfeld(a)intel.com are

mm-hugetlb-change-enospc-to-enomem-in-alloc_hugetlb_folio.patch
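
The two-step error translation described in the changelog can be sketched as a userspace model. The `toy_*` names are hypothetical and the model is deliberately reduced to the two outcomes the changelog mentions; other fault codes the kernel distinguishes (for example hardware poison) are left out.

```c
#include <assert.h>
#include <errno.h>

enum toy_fault {
	TOY_FAULT_OOM,
	TOY_FAULT_SIGBUS,
};

/* Step 1: fault handler turns an errno into a fault code. */
static enum toy_fault toy_vmf_error(int err)
{
	return err == -ENOMEM ? TOY_FAULT_OOM : TOY_FAULT_SIGBUS;
}

/* Step 2: a get_user_pages-style caller turns the fault code back into an errno. */
static int toy_gup_errno(enum toy_fault fault)
{
	return fault == TOY_FAULT_OOM ? -ENOMEM : -EFAULT;
}
```

In this model `toy_gup_errno(toy_vmf_error(-ENOSPC))` yields `-EFAULT`, which is the misleading result the patch removes, whereas returning `-ENOMEM` from the allocator survives the round trip unchanged.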

9 months, 3 weeks


+ mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Seiji Nishikawa <snishika(a)redhat.com>
Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Date: Sun, 1 Dec 2024 01:12:34 +0900

The task sometimes continues looping in throttle_direct_reclaim() because
allow_direct_reclaim(pgdat) keeps returning false.

 #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac
 #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c
 #2 [ffff80002cb6f990] schedule at ffff800008abc50c
 #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550
 #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68
 #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660
 #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98
 #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8
 #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974
 #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4

At this point, the pgdat contains the following two zones:

        NODE: 4  ZONE: 0  ADDR: ffff00817fffe540  NAME: "DMA32"
          SIZE: 20480  MIN/LOW/HIGH: 11/28/45
          VM_STAT:
                NR_FREE_PAGES: 359
        NR_ZONE_INACTIVE_ANON: 18813
          NR_ZONE_ACTIVE_ANON: 0
        NR_ZONE_INACTIVE_FILE: 50
          NR_ZONE_ACTIVE_FILE: 0
          NR_ZONE_UNEVICTABLE: 0
        NR_ZONE_WRITE_PENDING: 0
                     NR_MLOCK: 0
                    NR_BOUNCE: 0
                   NR_ZSPAGES: 0
            NR_FREE_CMA_PAGES: 0

        NODE: 4  ZONE: 1  ADDR: ffff00817fffec00  NAME: "Normal"
          SIZE: 8454144  PRESENT: 98304  MIN/LOW/HIGH: 68/166/264
          VM_STAT:
                NR_FREE_PAGES: 146
        NR_ZONE_INACTIVE_ANON: 94668
          NR_ZONE_ACTIVE_ANON: 3
        NR_ZONE_INACTIVE_FILE: 735
          NR_ZONE_ACTIVE_FILE: 78
          NR_ZONE_UNEVICTABLE: 0
        NR_ZONE_WRITE_PENDING: 0
                     NR_MLOCK: 0
                    NR_BOUNCE: 0
                   NR_ZSPAGES: 0
            NR_FREE_CMA_PAGES: 0

In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of
inactive/active file-backed pages calculated in zone_reclaimable_pages()
based on the result of zone_page_state_snapshot() is zero.

Additionally, since this system lacks swap, the calculation of
inactive/active anonymous pages is skipped.

        crash> p nr_swap_pages
        nr_swap_pages = $1937 = {
          counter = 0
        }

As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to
the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having
free pages significantly exceeding the high watermark.

The problem is that the pgdat->kswapd_failures hasn't been incremented.

        crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures
        $1935 = 0x0

This is because the node is deemed balanced.  The node balancing logic in
balance_pgdat() evaluates all zones collectively.  If one or more zones
(e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the
entire node is deemed balanced.  This causes balance_pgdat() to exit early
before incrementing the kswapd_failures, as it considers the overall
memory state acceptable, even though some zones (like ZONE_NORMAL) remain
under significant pressure.

The patch ensures that zone_reclaimable_pages() includes free pages
(NR_FREE_PAGES) in its calculation when no other reclaimable pages are
available (e.g., file-backed or anonymous pages).  This change prevents
zones like ZONE_DMA32, which have sufficient free pages, from being
mistakenly deemed unreclaimable.  By doing so, the patch ensures proper
node balancing, avoids masking pressure on other zones like ZONE_NORMAL,
and prevents infinite loops in throttle_direct_reclaim() caused by
allow_direct_reclaim(pgdat) repeatedly returning false.

The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused
by a node being incorrectly deemed balanced despite pressure in certain
zones, such as ZONE_NORMAL.  This issue arises from
zone_reclaimable_pages() returning 0 for zones without reclaimable
file-backed or anonymous pages, causing zones like ZONE_DMA32 with
sufficient free pages to be skipped.

The lack of swap or reclaimable pages results in ZONE_DMA32 being ignored
during reclaim, masking pressure in other zones.  Consequently,
pgdat->kswapd_failures remains 0 in balance_pgdat(), preventing fallback
mechanisms in allow_direct_reclaim() from being triggered, leading to an
infinite loop in throttle_direct_reclaim().

This patch modifies zone_reclaimable_pages() to account for free pages
(NR_FREE_PAGES) when no other reclaimable pages exist.  This ensures zones
with sufficient free pages are not skipped, enabling proper balancing and
reclaim behavior.

Link: https://lkml.kernel.org/r/20241130164346.436469-1-snishika@redhat.com
Link: https://lkml.kernel.org/r/20241130161236.433747-2-snishika@redhat.com
Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com>
Cc: Mel Gorman <mgorman(a)techsingularity.net>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/vmscan.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/vmscan.c~mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim
+++ a/mm/vmscan.c
@@ -374,7 +374,14 @@ unsigned long zone_reclaimable_pages(str
 	if (can_reclaim_anon_pages(NULL, zone_to_nid(zone), NULL))
 		nr += zone_page_state_snapshot(zone, NR_ZONE_INACTIVE_ANON) +
 			zone_page_state_snapshot(zone, NR_ZONE_ACTIVE_ANON);
-
+	/*
+	 * If there are no reclaimable file-backed or anonymous pages,
+	 * ensure zones with sufficient free pages are not skipped.
+	 * This prevents zones like DMA32 from being ignored in reclaim
+	 * scenarios where they can still help alleviate memory pressure.
+	 */
+	if (nr == 0)
+		nr = zone_page_state_snapshot(zone, NR_FREE_PAGES);
 	return nr;
 }

_

Patches currently in -mm which might be from snishika(a)redhat.com are

mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch
mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch
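The fallback described in this patch can be modelled outside the kernel. What follows is a minimal user-space sketch, not the kernel code: `struct zone_counts` and `model_reclaimable_pages()` are hypothetical names, and the counters are plain fields rather than `zone_page_state_snapshot()` results. It assumes, as the report states, that the file-backed snapshot for DMA32 reads zero and that anonymous pages are not counted without swap.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the per-zone counters the patch reads. */
struct zone_counts {
	unsigned long file_pages;	/* inactive + active file-backed pages */
	unsigned long anon_pages;	/* inactive + active anonymous pages */
	unsigned long free_pages;	/* NR_FREE_PAGES */
};

/*
 * Model of the patched zone_reclaimable_pages(): anonymous pages only
 * count when they can be reclaimed (for example, when swap exists), and
 * free pages are used as a fallback when nothing else is reclaimable.
 */
static unsigned long model_reclaimable_pages(const struct zone_counts *z,
					     bool can_reclaim_anon)
{
	unsigned long nr;

	assert(z != NULL);

	nr = z->file_pages;
	if (can_reclaim_anon)
		nr += z->anon_pages;
	if (nr == 0)
		nr = z->free_pages;	/* the fallback added by the patch */
	return nr;
}
```

With the DMA32 figures from the report (no swap, 359 free pages), the model returns 359 rather than 0, so the zone would no longer be treated as unreclaimable.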

9 months, 3 weeks

+ mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Seiji Nishikawa <snishika(a)redhat.com>
Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Date: Sun, 1 Dec 2024 01:12:34 +0900

The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused
by a node being incorrectly deemed balanced despite pressure in certain
zones, such as ZONE_NORMAL.  This issue arises from
zone_reclaimable_pages() returning 0 for zones without reclaimable
file-backed or anonymous pages, causing zones like ZONE_DMA32 with
sufficient free pages to be skipped.

The lack of swap or reclaimable pages results in ZONE_DMA32 being ignored
during reclaim, masking pressure in other zones.  Consequently,
pgdat->kswapd_failures remains 0 in balance_pgdat(), preventing fallback
mechanisms in allow_direct_reclaim() from being triggered, leading to an
infinite loop in throttle_direct_reclaim().

This patch modifies zone_reclaimable_pages() to account for free pages
(NR_FREE_PAGES) when no other reclaimable pages exist.  This ensures zones
with sufficient free pages are not skipped, enabling proper balancing and
reclaim behavior.

Link: https://lkml.kernel.org/r/20241130161236.433747-2-snishika@redhat.com
Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com>
Cc: Mel Gorman <mgorman(a)techsingularity.net>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/vmscan.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/vmscan.c~mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim
+++ a/mm/vmscan.c
@@ -374,7 +374,14 @@ unsigned long zone_reclaimable_pages(str
 	if (can_reclaim_anon_pages(NULL, zone_to_nid(zone), NULL))
 		nr += zone_page_state_snapshot(zone, NR_ZONE_INACTIVE_ANON) +
 			zone_page_state_snapshot(zone, NR_ZONE_ACTIVE_ANON);
-
+	/*
+	 * If there are no reclaimable file-backed or anonymous pages,
+	 * ensure zones with sufficient free pages are not skipped.
+	 * This prevents zones like DMA32 from being ignored in reclaim
+	 * scenarios where they can still help alleviate memory pressure.
+	 */
+	if (nr == 0)
+		nr = zone_page_state_snapshot(zone, NR_FREE_PAGES);
 	return nr;
 }

_

Patches currently in -mm which might be from snishika(a)redhat.com are

mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch
mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch

9 months, 3 weeks

[PATCH 6.11/6.12] net_sched: sch_fq: don't follow the fast path if Tx is behind now

by Jakub Kicinski

[ Upstream commit 122aba8c80618eca904490b1733af27fb8f07528 ]

Recent kernels cause a lot of TCP retransmissions

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  2.24 GBytes  19.2 Gbits/sec  2767    442 KBytes
[  5]   1.00-2.00   sec  2.23 GBytes  19.1 Gbits/sec  2312    350 KBytes
                                                      ^^^^

Replacing the qdisc with pfifo makes retransmissions go away.

It appears that a flow may have a delayed packet with a very near
Tx time. Later, we may get busy processing Rx and the target Tx time
will pass, but we won't service Tx since the CPU is busy with Rx.
If Rx sees an ACK and we try to push more data for the delayed flow
we may fastpath the skb, not realizing that there are already "ready
to send" packets for this flow sitting in the qdisc.

Don't trust the fastpath if we are "behind" according to the projected
Tx time for next flow waiting in the Qdisc. Because we consider anything
within the offload window to be okay for fastpath we must consider
the entire offload window as "now".

Qdisc config:

qdisc fq 8001: dev eth0 parent 1234:1 limit 10000p flow_limit 100p \
  buckets 32768 orphan_mask 1023 bands 3 \
  priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 \
  weights 589824 196608 65536 quantum 3028b initial_quantum 15140b \
  low_rate_threshold 550Kbit \
  refill_delay 40ms timer_slack 10us horizon 10s horizon_drop

For iperf this change seems to do fine, the reordering is gone.
The fastpath still gets used most of the time:

  gc 0 highprio 0 fastpath 142614 throttled 418309 latency 19.1us
   xx_behind 2731

where "xx_behind" counts how many times we hit the new "return false".

CC: stable(a)vger.kernel.org
Fixes: 076433bd78d7 ("net_sched: sch_fq: add fast path for mostly idle qdisc")
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Reviewed-by: Eric Dumazet <edumazet(a)google.com>
Link: https://patch.msgid.link/20241124022148.3126719-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
[stable: drop the offload horizon, it's not supported / 0]
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
---
Per Fixes tag 6.7+, so the two non-longterm branches.
---
 net/sched/sch_fq.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
index 19a49af5a9e5..afefe124d903 100644
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -331,6 +331,12 @@ static bool fq_fastpath_check(const struct Qdisc *sch, struct sk_buff *skb,
 		 */
 		if (q->internal.qlen >= 8)
 			return false;
+
+		/* Ordering invariants fall apart if some delayed flows
+		 * are ready but we haven't serviced them, yet.
+		 */
+		if (q->time_next_delayed_flow <= now)
+			return false;
 	}

 	sk = skb->sk;
-- 
2.47.0
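The two conditions visible in this hunk can be exercised in isolation. The sketch below is a simplified user-space model under stated assumptions: `struct fq_model` and `model_fastpath_ok()` are hypothetical names, and the other conditions in the real `fq_fastpath_check()` are deliberately left out.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical subset of the fq private data used by the two checks. */
struct fq_model {
	unsigned int internal_qlen;		/* packets queued in the internal flow */
	uint64_t time_next_delayed_flow;	/* earliest Tx time among delayed flows */
};

/* Returns true when this simplified model would still allow the fast path. */
static bool model_fastpath_ok(const struct fq_model *q, uint64_t now)
{
	assert(q != NULL);

	if (q->internal_qlen >= 8)
		return false;
	/* New check: a delayed flow is already due, so we are "behind". */
	if (q->time_next_delayed_flow <= now)
		return false;
	return true;
}
```

In this model the fast path stays available only while the next delayed flow is strictly in the future, which matches the intent stated in the commit message.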

9 months, 3 weeks

[PATCH 5.10] IB/core: Fix ib_cache_setup_one error flow cleanup

by Nikita Zhandarovich

From: Patrisious Haddad <phaddad(a)nvidia.com>

[ Upstream commit 1403c8b14765eab805377dd3b75e96ace8747aed ]

When ib_cache_update returns an error, we exit ib_cache_setup_one
immediately with no proper cleanup, even though gid_table_setup_one has
already succeeded by that point, which results in the kernel WARN below.

Do proper cleanup using gid_table_cleanup_one before returning the err
in order to fix the issue.

WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
Modules linked in:
CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:gid_table_release_one+0x181/0x1a0
Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41
RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
FS:  00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? show_regs+0x94/0xa0
 ? __warn+0x9e/0x1c0
 ? gid_table_release_one+0x181/0x1a0
 ? report_bug+0x1f9/0x340
 ? gid_table_release_one+0x181/0x1a0
 ? handle_bug+0xa2/0x110
 ? exc_invalid_op+0x31/0xa0
 ? asm_exc_invalid_op+0x16/0x20
 ? __warn_printk+0xc7/0x180
 ? __warn_printk+0xd4/0x180
 ? gid_table_release_one+0x181/0x1a0
 ib_device_release+0x71/0xe0
 ? __pfx_ib_device_release+0x10/0x10
 device_release+0x44/0xd0
 kobject_put+0x135/0x3d0
 put_device+0x20/0x30
 rxe_net_add+0x7d/0xa0
 rxe_newlink+0xd7/0x190
 nldev_newlink+0x1b0/0x2a0
 ? __pfx_nldev_newlink+0x10/0x10
 rdma_nl_rcv_msg+0x1ad/0x2e0
 rdma_nl_rcv_skb.constprop.0+0x176/0x210
 netlink_unicast+0x2de/0x400
 netlink_sendmsg+0x306/0x660
 __sock_sendmsg+0x110/0x120
 ____sys_sendmsg+0x30e/0x390
 ___sys_sendmsg+0x9b/0xf0
 ? kstrtouint+0x6e/0xa0
 ? kstrtouint_from_user+0x7c/0xb0
 ? get_pid_task+0xb0/0xd0
 ? proc_fail_nth_write+0x5b/0x140
 ? __fget_light+0x9a/0x200
 ? preempt_count_add+0x47/0xa0
 __sys_sendmsg+0x61/0xd0
 do_syscall_64+0x50/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache")
Signed-off-by: Patrisious Haddad <phaddad(a)nvidia.com>
Reviewed-by: Maher Sanalla <msanalla(a)nvidia.com>
Link: https://patch.msgid.link/79137687d829899b0b1c9835fcb4b258004c439a.172527335…
Signed-off-by: Leon Romanovsky <leon(a)kernel.org>
[Nikita: minor fix to resolve merge conflict.]
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
---
 drivers/infiniband/core/cache.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index 7989b7e1d1c0..21b405abb0e1 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -1633,8 +1633,10 @@ int ib_cache_setup_one(struct ib_device *device)

 	rdma_for_each_port (device, p) {
 		err = ib_cache_update(device, p, true);
-		if (err)
+		if (err) {
+			gid_table_cleanup_one(device);
 			return err;
+		}
 	}

 	return 0;
-- 
2.25.1
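The error-path pattern this fix applies (undo the earlier setup step before returning an error from a later step) can be shown with a small user-space model. Everything here is hypothetical scaffolding: `struct dev_model` and the `model_*` helpers only mimic the shape of `ib_cache_setup_one()`, and the error value is an arbitrary negative code.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical device state: only what the error path needs. */
struct dev_model {
	bool gid_table_ready;	/* set by setup, cleared by cleanup */
	int nr_ports;
	int failing_port;	/* port whose cache update fails; 0 means none */
};

static void model_gid_table_setup(struct dev_model *d)
{
	d->gid_table_ready = true;
}

static void model_gid_table_cleanup(struct dev_model *d)
{
	d->gid_table_ready = false;
}

static int model_cache_update(const struct dev_model *d, int port)
{
	return port == d->failing_port ? -12 : 0;	/* arbitrary error code */
}

/* Mirrors the fixed flow: clean up the GID table before bailing out. */
static int model_cache_setup_one(struct dev_model *d)
{
	int port, err;

	assert(d != NULL);
	model_gid_table_setup(d);

	for (port = 1; port <= d->nr_ports; port++) {
		err = model_cache_update(d, port);
		if (err) {
			model_gid_table_cleanup(d);
			return err;
		}
	}
	return 0;
}
```

Without the cleanup call in the loop, the model would return an error while still reporting the table as set up, which is the inconsistent state behind the WARN in the report.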

9 months, 3 weeks

[PATCH] riscv/entry: get correct syscall number from syscall_get_nr()

by Celeste Liu via B4 Relay

From: Celeste Liu <CoelacanthusHex(a)gmail.com>

The return value of syscall_enter_from_user_mode() is always -1 when the
syscall was filtered, so when we get -1 from it we cannot tell whether the
syscall number itself is -1. The old syscall variable is also unusable,
because syscall_enter_from_user_mode() may change the a7 register.
So get the correct syscall number from syscall_get_nr().

So the syscall number part of the return value of
syscall_enter_from_user_mode() is completely useless. We can remove it
from the API and require the caller to get the syscall number from
syscall_get_nr(). But that change affects more architectures and will take
more time, so we split it into another patchset to avoid blocking this fix.
(Other architectures can work without this change but riscv needs it, see
the Link: tag below)

Fixes: 61119394631f ("riscv: entry: always initialize regs->a0 to -ENOSYS")
Reported-by: Andrea Bolognani <abologna(a)redhat.com>
Closes: https://github.com/strace/strace/issues/315
Link: https://lore.kernel.org/all/59505464-c84a-403d-972f-d4b2055eeaac@gmail.com/
Signed-off-by: Celeste Liu <CoelacanthusHex(a)gmail.com>
---
 arch/riscv/kernel/traps.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 51ebfd23e0076447518081d137102a9a11ff2e45..3125fab8ee4af468ace9f692dd34e1797555cce3 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -316,18 +316,25 @@ void do_trap_ecall_u(struct pt_regs *regs)
 {
 	if (user_mode(regs)) {
 		long syscall = regs->a7;
+		long res;

 		regs->epc += 4;
 		regs->orig_a0 = regs->a0;
-		regs->a0 = -ENOSYS;

 		riscv_v_vstate_discard(regs);

-		syscall = syscall_enter_from_user_mode(regs, syscall);
+		res = syscall_enter_from_user_mode(regs, syscall);
+		/*
+		 * Call syscall_get_nr() again because syscall_enter_from_user_mode()
+		 * may change a7 register.
+		 */
+		syscall = syscall_get_nr(current, regs);

 		add_random_kstack_offset();

-		if (syscall >= 0 && syscall < NR_syscalls)
+		if (syscall < 0 || syscall >= NR_syscalls)
+			regs->a0 = -ENOSYS;
+		else if (res != -1)
 			syscall_handler(regs, syscall);

 		/*

---
base-commit: 2f87d0916ce0d2925cedbc9e8f5d6291ba2ac7b2
change-id: 20241016-fix-riscv-syscall-nr-917b566f97f3

Best regards,
-- 
Celeste Liu <CoelacanthusHex(a)gmail.com>
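The three-way decision in the patched branch can be written as a pure function for illustration. This is a sketch only: `enum model_action` and `model_decide()` are hypothetical names, `res` stands for the return value of `syscall_enter_from_user_mode()`, and `nr` for the value re-read through `syscall_get_nr()`.

```c
#include <assert.h>

/* Hypothetical labels for what the patched code does with a trap. */
enum model_action {
	MODEL_SET_ENOSYS,	/* regs->a0 = -ENOSYS */
	MODEL_SKIP,		/* syscall was filtered: leave a0 alone */
	MODEL_DISPATCH		/* call the syscall handler */
};

/* Mirrors the patched if/else-if chain in do_trap_ecall_u(). */
static enum model_action model_decide(long res, long nr, long nr_syscalls)
{
	assert(nr_syscalls > 0);

	if (nr < 0 || nr >= nr_syscalls)
		return MODEL_SET_ENOSYS;
	if (res != -1)
		return MODEL_DISPATCH;
	return MODEL_SKIP;
}
```

The point of the split is that a filtered syscall (`res == -1`) with a valid number is skipped without overwriting a0, while an out-of-range number still yields -ENOSYS.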

9 months, 3 weeks

[PATCH 6.1.y] fs/ntfs3: Fixed overflow check in mi_enum_attr()

by Nikita Zhandarovich

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com>

[ Upstream commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb ]

Reported-by: Robert Morris <rtm(a)csail.mit.edu>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com>
[Nikita: Fix for CVE-2024-27407 in 6.1.y. No changes were made to get
it to apply to older branch.]
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
---
 fs/ntfs3/record.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index 7ab452710572..826a756669a3 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -273,7 +273,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)
 		if (t16 > asize)
 			return NULL;

-		if (t16 + le32_to_cpu(attr->res.data_size) > asize)
+		if (le32_to_cpu(attr->res.data_size) > asize - t16)
 			return NULL;

 		if (attr->name_len &&
-- 
2.25.1
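The commit carries no description, so the following sketch shows why rearranging the comparison matters. It is a user-space illustration under the assumption that the sum is evaluated in 32-bit unsigned arithmetic; `fits_sum_check()` and `fits_sub_check()` are hypothetical names standing for the old and new forms of the test, and both return true when the attribute would be accepted.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* Old form: off + data_size can wrap around and slip under asize. */
static bool fits_sum_check(uint16_t off, uint32_t data_size, uint32_t asize)
{
	if (off > asize)
		return false;
	return !((uint32_t)off + data_size > asize);
}

/* New form: off <= asize is already known, so asize - off cannot wrap. */
static bool fits_sub_check(uint16_t off, uint32_t data_size, uint32_t asize)
{
	if (off > asize)
		return false;
	return !(data_size > asize - off);
}
```

For example, with an offset of 24, an attribute size of 64 and a data size of 0xFFFFFFF0, the sum wraps to 8 and the old form accepts the attribute, while the subtraction form rejects it. For in-range sizes the two forms agree.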

9 months, 3 weeks

[PATCH 5.15] kernfs: switch global kernfs_rwsem lock to per-fs lock

by Jeremi Piotrowski

From: Minchan Kim <minchan(a)kernel.org>

[ Upstream commit 393c3714081a53795bbff0e985d24146def6f57f ]

The kernfs implementation uses a single coarse-grained lock (kernfs_rwsem),
so every kernfs-based filesystem (e.g., sysfs, cgroup) competes for the
same lock. This causes trouble in some cases, where tasks wait on the
global lock for a long time even though they run in totally independent
contexts.

A typical example: process A enters direct reclaim while holding the lock
after accessing a file in sysfs; process B waits for the lock in exclusive
mode; and process C then waits for the lock until process B finishes its
work after getting the lock from process A.

This patch switches the global kernfs_rwsem to a per-fs lock by putting
the rwsem into kernfs_root.

Suggested-by: Tejun Heo <tj(a)kernel.org>
Acked-by: Tejun Heo <tj(a)kernel.org>
Signed-off-by: Minchan Kim <minchan(a)kernel.org>
Link: https://lore.kernel.org/r/20211118230008.2679780-1-minchan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Jeremi Piotrowski <jpiotrowski(a)linux.microsoft.com>
---
Hi Stable Maintainers,

This upstream commit fixes a kernel hang due to severe lock contention on
kernfs_rwsem that occurs when container workloads perform a lot of cgroupfs
accesses. Could you please apply to 5.15.y?

I cherry-picked the upstream commit onto v5.15.173 and then ran
`git format-patch`.

Thanks, Jeremi fs/kernfs/dir.c | 110 ++++++++++++++++++++++++----------------- fs/kernfs/file.c | 6 ++- fs/kernfs/inode.c | 22 ++++++--- fs/kernfs/mount.c | 15 +++--- fs/kernfs/symlink.c | 5 +- include/linux/kernfs.h | 2 + 6 files changed, 97 insertions(+), 63 deletions(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index 36430bdf9381..ebe4ab0765ee 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -17,7 +17,6 @@ #include "kernfs-internal.h" -DECLARE_RWSEM(kernfs_rwsem); static DEFINE_SPINLOCK(kernfs_rename_lock); /* kn->parent and ->name */ /* * Don't use rename_lock to piggy back on pr_cont_buf. We don't want to @@ -34,7 +33,7 @@ static DEFINE_SPINLOCK(kernfs_idr_lock); /* root->ino_idr */ static bool kernfs_active(struct kernfs_node *kn) { - lockdep_assert_held(&kernfs_rwsem); + lockdep_assert_held(&kernfs_root(kn)->kernfs_rwsem); return atomic_read(&kn->active) >= 0; } @@ -465,14 +464,15 @@ void kernfs_put_active(struct kernfs_node *kn) * return after draining is complete. */ static void kernfs_drain(struct kernfs_node *kn) - __releases(&kernfs_rwsem) __acquires(&kernfs_rwsem) + __releases(&kernfs_root(kn)->kernfs_rwsem) + __acquires(&kernfs_root(kn)->kernfs_rwsem) { struct kernfs_root *root = kernfs_root(kn); - lockdep_assert_held_write(&kernfs_rwsem); + lockdep_assert_held_write(&root->kernfs_rwsem); WARN_ON_ONCE(kernfs_active(kn)); - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); if (kernfs_lockdep(kn)) { rwsem_acquire(&kn->dep_map, 0, 0, _RET_IP_); @@ -491,7 +491,7 @@ static void kernfs_drain(struct kernfs_node *kn) kernfs_drain_open_files(kn); - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); } /** @@ -740,11 +740,12 @@ struct kernfs_node *kernfs_find_and_get_node_by_id(struct kernfs_root *root, int kernfs_add_one(struct kernfs_node *kn) { struct kernfs_node *parent = kn->parent; + struct kernfs_root *root = kernfs_root(parent); struct kernfs_iattrs *ps_iattr; bool has_ns; int ret; - down_write(&kernfs_rwsem); + 
down_write(&root->kernfs_rwsem); ret = -EINVAL; has_ns = kernfs_ns_enabled(parent); @@ -775,7 +776,7 @@ int kernfs_add_one(struct kernfs_node *kn) ps_iattr->ia_mtime = ps_iattr->ia_ctime; } - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); /* * Activate the new node unless CREATE_DEACTIVATED is requested. @@ -789,7 +790,7 @@ int kernfs_add_one(struct kernfs_node *kn) return 0; out_unlock: - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); return ret; } @@ -810,7 +811,7 @@ static struct kernfs_node *kernfs_find_ns(struct kernfs_node *parent, bool has_ns = kernfs_ns_enabled(parent); unsigned int hash; - lockdep_assert_held(&kernfs_rwsem); + lockdep_assert_held(&kernfs_root(parent)->kernfs_rwsem); if (has_ns != (bool)ns) { WARN(1, KERN_WARNING "kernfs: ns %s in '%s' for '%s'\n", @@ -842,7 +843,7 @@ static struct kernfs_node *kernfs_walk_ns(struct kernfs_node *parent, size_t len; char *p, *name; - lockdep_assert_held_read(&kernfs_rwsem); + lockdep_assert_held_read(&kernfs_root(parent)->kernfs_rwsem); spin_lock_irq(&kernfs_pr_cont_lock); @@ -880,11 +881,12 @@ struct kernfs_node *kernfs_find_and_get_ns(struct kernfs_node *parent, const char *name, const void *ns) { struct kernfs_node *kn; + struct kernfs_root *root = kernfs_root(parent); - down_read(&kernfs_rwsem); + down_read(&root->kernfs_rwsem); kn = kernfs_find_ns(parent, name, ns); kernfs_get(kn); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return kn; } @@ -904,11 +906,12 @@ struct kernfs_node *kernfs_walk_and_get_ns(struct kernfs_node *parent, const char *path, const void *ns) { struct kernfs_node *kn; + struct kernfs_root *root = kernfs_root(parent); - down_read(&kernfs_rwsem); + down_read(&root->kernfs_rwsem); kn = kernfs_walk_ns(parent, path, ns); kernfs_get(kn); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return kn; } @@ -933,6 +936,7 @@ struct kernfs_root *kernfs_create_root(struct kernfs_syscall_ops *scops, return ERR_PTR(-ENOMEM); idr_init(&root->ino_idr); + 
init_rwsem(&root->kernfs_rwsem); INIT_LIST_HEAD(&root->supers); /* @@ -1056,6 +1060,7 @@ struct kernfs_node *kernfs_create_empty_dir(struct kernfs_node *parent, static int kernfs_dop_revalidate(struct dentry *dentry, unsigned int flags) { struct kernfs_node *kn; + struct kernfs_root *root; if (flags & LOOKUP_RCU) return -ECHILD; @@ -1067,18 +1072,19 @@ static int kernfs_dop_revalidate(struct dentry *dentry, unsigned int flags) /* If the kernfs parent node has changed discard and * proceed to ->lookup. */ - down_read(&kernfs_rwsem); spin_lock(&dentry->d_lock); parent = kernfs_dentry_node(dentry->d_parent); if (parent) { + spin_unlock(&dentry->d_lock); + root = kernfs_root(parent); + down_read(&root->kernfs_rwsem); if (kernfs_dir_changed(parent, dentry)) { - spin_unlock(&dentry->d_lock); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return 0; } - } - spin_unlock(&dentry->d_lock); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); + } else + spin_unlock(&dentry->d_lock); /* The kernfs parent node hasn't changed, leave the * dentry negative and return success. 
@@ -1087,7 +1093,8 @@ static int kernfs_dop_revalidate(struct dentry *dentry, unsigned int flags) } kn = kernfs_dentry_node(dentry); - down_read(&kernfs_rwsem); + root = kernfs_root(kn); + down_read(&root->kernfs_rwsem); /* The kernfs node has been deactivated */ if (!kernfs_active(kn)) @@ -1106,10 +1113,10 @@ static int kernfs_dop_revalidate(struct dentry *dentry, unsigned int flags) kernfs_info(dentry->d_sb)->ns != kn->ns) goto out_bad; - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return 1; out_bad: - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return 0; } @@ -1123,10 +1130,12 @@ static struct dentry *kernfs_iop_lookup(struct inode *dir, { struct kernfs_node *parent = dir->i_private; struct kernfs_node *kn; + struct kernfs_root *root; struct inode *inode = NULL; const void *ns = NULL; - down_read(&kernfs_rwsem); + root = kernfs_root(parent); + down_read(&root->kernfs_rwsem); if (kernfs_ns_enabled(parent)) ns = kernfs_info(dir->i_sb)->ns; @@ -1137,7 +1146,7 @@ static struct dentry *kernfs_iop_lookup(struct inode *dir, * create a negative. 
*/ if (!kernfs_active(kn)) { - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return NULL; } inode = kernfs_get_inode(dir->i_sb, kn); @@ -1152,7 +1161,7 @@ static struct dentry *kernfs_iop_lookup(struct inode *dir, */ if (!IS_ERR(inode)) kernfs_set_rev(parent, dentry); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); /* instantiate and hash (possibly negative) dentry */ return d_splice_alias(inode, dentry); @@ -1275,7 +1284,7 @@ static struct kernfs_node *kernfs_next_descendant_post(struct kernfs_node *pos, { struct rb_node *rbn; - lockdep_assert_held_write(&kernfs_rwsem); + lockdep_assert_held_write(&kernfs_root(root)->kernfs_rwsem); /* if first iteration, visit leftmost descendant which may be root */ if (!pos) @@ -1310,8 +1319,9 @@ static struct kernfs_node *kernfs_next_descendant_post(struct kernfs_node *pos, void kernfs_activate(struct kernfs_node *kn) { struct kernfs_node *pos; + struct kernfs_root *root = kernfs_root(kn); - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); pos = NULL; while ((pos = kernfs_next_descendant_post(pos, kn))) { @@ -1325,14 +1335,14 @@ void kernfs_activate(struct kernfs_node *kn) pos->flags |= KERNFS_ACTIVATED; } - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); } static void __kernfs_remove(struct kernfs_node *kn) { struct kernfs_node *pos; - lockdep_assert_held_write(&kernfs_rwsem); + lockdep_assert_held_write(&kernfs_root(kn)->kernfs_rwsem); /* * Short-circuit if non-root @kn has already finished removal. 
@@ -1402,9 +1412,11 @@ static void __kernfs_remove(struct kernfs_node *kn) */ void kernfs_remove(struct kernfs_node *kn) { - down_write(&kernfs_rwsem); + struct kernfs_root *root = kernfs_root(kn); + + down_write(&root->kernfs_rwsem); __kernfs_remove(kn); - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); } /** @@ -1490,8 +1502,9 @@ void kernfs_unbreak_active_protection(struct kernfs_node *kn) bool kernfs_remove_self(struct kernfs_node *kn) { bool ret; + struct kernfs_root *root = kernfs_root(kn); - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); kernfs_break_active_protection(kn); /* @@ -1519,9 +1532,9 @@ bool kernfs_remove_self(struct kernfs_node *kn) atomic_read(&kn->active) == KN_DEACTIVATED_BIAS) break; - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); schedule(); - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); } finish_wait(waitq, &wait); WARN_ON_ONCE(!RB_EMPTY_NODE(&kn->rb)); @@ -1534,7 +1547,7 @@ bool kernfs_remove_self(struct kernfs_node *kn) */ kernfs_unbreak_active_protection(kn); - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); return ret; } @@ -1551,6 +1564,7 @@ int kernfs_remove_by_name_ns(struct kernfs_node *parent, const char *name, const void *ns) { struct kernfs_node *kn; + struct kernfs_root *root; if (!parent) { WARN(1, KERN_WARNING "kernfs: can not remove '%s', no directory\n", @@ -1558,7 +1572,8 @@ int kernfs_remove_by_name_ns(struct kernfs_node *parent, const char *name, return -ENOENT; } - down_write(&kernfs_rwsem); + root = kernfs_root(parent); + down_write(&root->kernfs_rwsem); kn = kernfs_find_ns(parent, name, ns); if (kn) { @@ -1567,7 +1582,7 @@ int kernfs_remove_by_name_ns(struct kernfs_node *parent, const char *name, kernfs_put(kn); } - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); if (kn) return 0; @@ -1586,6 +1601,7 @@ int kernfs_rename_ns(struct kernfs_node *kn, struct kernfs_node *new_parent, const char *new_name, const void *new_ns) { struct kernfs_node 
*old_parent; + struct kernfs_root *root; const char *old_name = NULL; int error; @@ -1593,7 +1609,8 @@ int kernfs_rename_ns(struct kernfs_node *kn, struct kernfs_node *new_parent, if (!kn->parent) return -EINVAL; - down_write(&kernfs_rwsem); + root = kernfs_root(kn); + down_write(&root->kernfs_rwsem); error = -ENOENT; if (!kernfs_active(kn) || !kernfs_active(new_parent) || @@ -1647,7 +1664,7 @@ int kernfs_rename_ns(struct kernfs_node *kn, struct kernfs_node *new_parent, error = 0; out: - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); return error; } @@ -1718,11 +1735,14 @@ static int kernfs_fop_readdir(struct file *file, struct dir_context *ctx) struct dentry *dentry = file->f_path.dentry; struct kernfs_node *parent = kernfs_dentry_node(dentry); struct kernfs_node *pos = file->private_data; + struct kernfs_root *root; const void *ns = NULL; if (!dir_emit_dots(file, ctx)) return 0; - down_read(&kernfs_rwsem); + + root = kernfs_root(parent); + down_read(&root->kernfs_rwsem); if (kernfs_ns_enabled(parent)) ns = kernfs_info(dentry->d_sb)->ns; @@ -1739,12 +1759,12 @@ static int kernfs_fop_readdir(struct file *file, struct dir_context *ctx) file->private_data = pos; kernfs_get(pos); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); if (!dir_emit(ctx, name, len, ino, type)) return 0; - down_read(&kernfs_rwsem); + down_read(&root->kernfs_rwsem); } - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); file->private_data = NULL; ctx->pos = INT_MAX; return 0; diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c index 60e2a86c535e..9414a7a60a9f 100644 --- a/fs/kernfs/file.c +++ b/fs/kernfs/file.c @@ -847,6 +847,7 @@ static void kernfs_notify_workfn(struct work_struct *work) { struct kernfs_node *kn; struct kernfs_super_info *info; + struct kernfs_root *root; repeat: /* pop one off the notify_list */ spin_lock_irq(&kernfs_notify_lock); @@ -859,8 +860,9 @@ static void kernfs_notify_workfn(struct work_struct *work) kn->attr.notify_next = NULL; 
spin_unlock_irq(&kernfs_notify_lock); + root = kernfs_root(kn); /* kick fsnotify */ - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); list_for_each_entry(info, &kernfs_root(kn)->supers, node) { struct kernfs_node *parent; @@ -898,7 +900,7 @@ static void kernfs_notify_workfn(struct work_struct *work) iput(inode); } - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); kernfs_put(kn); goto repeat; } diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c index c0eae1725435..3d783d80f5da 100644 --- a/fs/kernfs/inode.c +++ b/fs/kernfs/inode.c @@ -99,10 +99,11 @@ int __kernfs_setattr(struct kernfs_node *kn, const struct iattr *iattr) int kernfs_setattr(struct kernfs_node *kn, const struct iattr *iattr) { int ret; + struct kernfs_root *root = kernfs_root(kn); - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); ret = __kernfs_setattr(kn, iattr); - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); return ret; } @@ -111,12 +112,14 @@ int kernfs_iop_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, { struct inode *inode = d_inode(dentry); struct kernfs_node *kn = inode->i_private; + struct kernfs_root *root; int error; if (!kn) return -EINVAL; - down_write(&kernfs_rwsem); + root = kernfs_root(kn); + down_write(&root->kernfs_rwsem); error = setattr_prepare(&init_user_ns, dentry, iattr); if (error) goto out; @@ -129,7 +132,7 @@ int kernfs_iop_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, setattr_copy(&init_user_ns, inode, iattr); out: - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); return error; } @@ -184,13 +187,14 @@ int kernfs_iop_getattr(struct user_namespace *mnt_userns, { struct inode *inode = d_inode(path->dentry); struct kernfs_node *kn = inode->i_private; + struct kernfs_root *root = kernfs_root(kn); - down_read(&kernfs_rwsem); + down_read(&root->kernfs_rwsem); spin_lock(&inode->i_lock); kernfs_refresh_inode(kn, inode); generic_fillattr(&init_user_ns, inode, stat); 
spin_unlock(&inode->i_lock); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return 0; } @@ -274,19 +278,21 @@ int kernfs_iop_permission(struct user_namespace *mnt_userns, struct inode *inode, int mask) { struct kernfs_node *kn; + struct kernfs_root *root; int ret; if (mask & MAY_NOT_BLOCK) return -ECHILD; kn = inode->i_private; + root = kernfs_root(kn); - down_read(&kernfs_rwsem); + down_read(&root->kernfs_rwsem); spin_lock(&inode->i_lock); kernfs_refresh_inode(kn, inode); ret = generic_permission(&init_user_ns, inode, mask); spin_unlock(&inode->i_lock); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return ret; } diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c index f2f909d09f52..cfa79715fc1a 100644 --- a/fs/kernfs/mount.c +++ b/fs/kernfs/mount.c @@ -236,6 +236,7 @@ struct dentry *kernfs_node_dentry(struct kernfs_node *kn, static int kernfs_fill_super(struct super_block *sb, struct kernfs_fs_context *kfc) { struct kernfs_super_info *info = kernfs_info(sb); + struct kernfs_root *kf_root = kfc->root; struct inode *inode; struct dentry *root; @@ -255,9 +256,9 @@ static int kernfs_fill_super(struct super_block *sb, struct kernfs_fs_context *k sb->s_shrink.seeks = 0; /* get root inode, initialize and unlock it */ - down_read(&kernfs_rwsem); + down_read(&kf_root->kernfs_rwsem); inode = kernfs_get_inode(sb, info->root->kn); - up_read(&kernfs_rwsem); + up_read(&kf_root->kernfs_rwsem); if (!inode) { pr_debug("kernfs: could not get root inode\n"); return -ENOMEM; @@ -334,6 +335,7 @@ int kernfs_get_tree(struct fs_context *fc) if (!sb->s_root) { struct kernfs_super_info *info = kernfs_info(sb); + struct kernfs_root *root = kfc->root; kfc->new_sb_created = true; @@ -344,9 +346,9 @@ int kernfs_get_tree(struct fs_context *fc) } sb->s_flags |= SB_ACTIVE; - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); list_add(&info->node, &info->root->supers); - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); } fc->root = dget(sb->s_root); @@ 
-371,10 +373,11 @@ void kernfs_free_fs_context(struct fs_context *fc) void kernfs_kill_sb(struct super_block *sb) { struct kernfs_super_info *info = kernfs_info(sb); + struct kernfs_root *root = info->root; - down_write(&kernfs_rwsem); + down_write(&root->kernfs_rwsem); list_del(&info->node); - up_write(&kernfs_rwsem); + up_write(&root->kernfs_rwsem); /* * Remove the superblock from fs_supers/s_instances diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c index c8f8e41b8411..efb0b9ca9057 100644 --- a/fs/kernfs/symlink.c +++ b/fs/kernfs/symlink.c @@ -114,11 +114,12 @@ static int kernfs_getlink(struct inode *inode, char *path) struct kernfs_node *kn = inode->i_private; struct kernfs_node *parent = kn->parent; struct kernfs_node *target = kn->symlink.target_kn; + struct kernfs_root *root = kernfs_root(parent); int error; - down_read(&kernfs_rwsem); + down_read(&root->kernfs_rwsem); error = kernfs_get_target_path(parent, target, path); - up_read(&kernfs_rwsem); + up_read(&root->kernfs_rwsem); return error; } diff --git a/include/linux/kernfs.h b/include/linux/kernfs.h index 1093abf7c28c..e7078cde3522 100644 --- a/include/linux/kernfs.h +++ b/include/linux/kernfs.h @@ -16,6 +16,7 @@ #include <linux/atomic.h> #include <linux/uidgid.h> #include <linux/wait.h> +#include <linux/rwsem.h> struct file; struct dentry; @@ -197,6 +198,7 @@ struct kernfs_root { struct list_head supers; wait_queue_head_t deactivate_waitq; + struct rw_semaphore kernfs_rwsem; }; struct kernfs_open_file { -- 2.39.5

9 months, 3 weeks


MST/DSC fixes for stable

by Mario Limonciello

Hi, Jerry has been working on getting a lot of testing for these two commits: commit 9afeda049642 ("drm/amd/display: Skip Invalid Streams from DSC Policy") commit 4641169a8c95 ("drm/amd/display: Fix incorrect DSC recompute trigger") They fix a ton of MST issues reported in the drm/amd tracker over the last few kernel releases. Can you please apply to 6.11.y and 6.12.y? Thanks,

9 months, 3 weeks


[PATCH 5.10/5.15] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

by Nikita Zhandarovich

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>

commit b25e11f978b63cb7857890edb3a698599cddb10e upstream.

This aligns the BR/EDR JUST_WORKS method with LE, which since
92516cd97fd4 ("Bluetooth: Always request for user confirmation for Just
Works") always requests user confirmation with confirm_hint set, since
the likes of bluetoothd have a dedicated policy around the JUST_WORKS
method (e.g. main.conf:JustWorksRepairing).

CVE: CVE-2024-8805
Cc: stable(a)vger.kernel.org
Fixes: ba15a58b179e ("Bluetooth: Fix SSP acceptor just-works confirmation without MITM")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Tested-by: Kiran K <kiran.k(a)intel.com>
[Nikita: minor fix to resolve a conflict caused by different debug print
macros used around the change: keep BT_DBG() instead of bt_dev_dbg().]
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
---
 net/bluetooth/hci_event.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 58c029958759..546795425119 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4751,19 +4751,16 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
 		goto unlock;
 	}

-	/* If no side requires MITM protection; auto-accept */
+	/* If no side requires MITM protection; use JUST_CFM method */
 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {

-		/* If we're not the initiators request authorization to
-		 * proceed from user space (mgmt_user_confirm with
-		 * confirm_hint set to 1). The exception is if neither
-		 * side had MITM or if the local IO capability is
-		 * NoInputNoOutput, in which case we do auto-accept
+		/* If we're not the initiator of request authorization and the
+		 * local IO capability is not NoInputNoOutput, use JUST_WORKS
+		 * method (mgmt_user_confirm with confirm_hint set to 1).
 		 */
 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
-		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
-		    (loc_mitm || rem_mitm)) {
+		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) {
 			BT_DBG("Confirming auto-accept as acceptor");
 			confirm_hint = 1;
 			goto confirm;
-- 
2.25.1
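For readers who want to see the behavioural change in isolation, the sketch below models only the condition touched by the hunk above. It is not the kernel code: the struct, the enum and both function names are hypothetical, and the rest of hci_user_confirm_request_evt() (delayed auto-accept, passkey handling and so on) is left out.

```c
#include <stdbool.h>

/* Hypothetical stand-ins for the kernel's IO capability constants. */
enum io_cap {
	IO_DISPLAY_ONLY,
	IO_DISPLAY_YESNO,
	IO_KEYBOARD_ONLY,
	IO_NO_INPUT_OUTPUT,
};

/* Hypothetical snapshot of the values the hunk looks at. */
struct ssp_state {
	bool loc_mitm;      /* local side asked for MITM protection */
	bool rem_mitm;      /* remote side asked for MITM protection */
	bool auth_pending;  /* models test_bit(HCI_CONN_AUTH_PEND, ...) */
	enum io_cap local_io;
	enum io_cap remote_io;
};

/* Outer condition of the hunk: no side effectively requires MITM. */
static bool no_mitm_required(const struct ssp_state *s)
{
	return (!s->loc_mitm || s->remote_io == IO_NO_INPUT_OUTPUT) &&
	       (!s->rem_mitm || s->local_io == IO_NO_INPUT_OUTPUT);
}

/* Before the patch: the hint was only set if some side had asked for MITM. */
static bool confirm_hint_old(const struct ssp_state *s)
{
	return no_mitm_required(s) && !s->auth_pending &&
	       s->local_io != IO_NO_INPUT_OUTPUT &&
	       (s->loc_mitm || s->rem_mitm);
}

/* After the patch: the (loc_mitm || rem_mitm) requirement is dropped. */
static bool confirm_hint_new(const struct ssp_state *s)
{
	return no_mitm_required(s) && !s->auth_pending &&
	       s->local_io != IO_NO_INPUT_OUTPUT;
}
```

With neither side requesting MITM, an acceptor that has some IO capability gets no confirmation hint from the old predicate but does get one from the new predicate, which is the alignment with LE that the commit message describes.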

9 months, 3 weeks


[PATCH V2 1/3] MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK

by Huacai Chen

When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,
cpu_max_bits_warn() generates a runtime warning similar to the one below
when /proc/cpuinfo is shown. Fix this by using nr_cpu_ids (the runtime
limit) instead of NR_CPUS to iterate over CPUs.

[    3.052463] ------------[ cut here ]------------
[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
[    3.070072] Modules linked in: efivarfs autofs4
[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
[    3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27
[    3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000
[    3.109127]         9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430
[    3.118774]         90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff
[    3.128412]         0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890
[    3.138056]         0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa
[    3.147711]         ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000
[    3.157364]         900000000101c998 0000000000000004 9000000000ef7430 0000000000000000
[    3.167012]         0000000000000009 000000000000006c 0000000000000000 0000000000000000
[    3.176641]         9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286
[    3.186260]         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
[    3.195868]         ...
[    3.199917] Call Trace:
[    3.203941] [<98000000002086d8>] show_stack+0x38/0x14c
[    3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88
[    3.217625] [<980000000023d268>] __warn+0xd0/0x100
[    3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
[    3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0
[    3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4
[    3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4
[    3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0
[    3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100
[    3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94
[    3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160
[    3.281824] ---[ end trace 8b484262b4b8c24c ]---

Cc: stable(a)vger.kernel.org
Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn>
---
 arch/mips/kernel/proc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/kernel/proc.c b/arch/mips/kernel/proc.c
index 4184d641f05e..33a02f3814f5 100644
--- a/arch/mips/kernel/proc.c
+++ b/arch/mips/kernel/proc.c
@@ -172,7 +172,7 @@ static void *c_start(struct seq_file *m, loff_t *pos)
 {
 	unsigned long i = *pos;

-	return i < NR_CPUS ? (void *) (i + 1) : NULL;
+	return i < nr_cpu_ids ? (void *) (i + 1) : NULL;
 }

 static void *c_next(struct seq_file *m, void *v, loff_t *pos)
-- 
2.31.1
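As a rough userspace illustration of why the bound matters, the sketch below mimics the c_start() cookie convention (index + 1, NULL at the end) and counts how many positions an iterator would visit with each limit. The values chosen for NR_CPUS and nr_cpu_ids, and the helper count_visited(), are assumptions made for the example only.

```c
#include <stddef.h>
#include <stdint.h>

#define NR_CPUS 64                      /* compile-time maximum (assumed value) */
static unsigned int nr_cpu_ids = 4;     /* runtime limit (assumed value) */

/* Old bound: every index up to the compile-time maximum is offered. */
static void *c_start_old(unsigned long pos)
{
	return pos < NR_CPUS ? (void *)(uintptr_t)(pos + 1) : NULL;
}

/* New bound: iteration stops at the number of CPU ids valid at runtime. */
static void *c_start_new(unsigned long pos)
{
	return pos < nr_cpu_ids ? (void *)(uintptr_t)(pos + 1) : NULL;
}

/* Hypothetical helper: count the positions for which start() is non-NULL. */
static unsigned long count_visited(void *(*start)(unsigned long))
{
	unsigned long pos = 0;

	while (start(pos))
		pos++;
	return pos;
}
```

In this model the old bound hands 64 indices to the show callback although only 4 are meaningful; in the kernel those extra indices are what reach cpu_max_bits_warn() when the debug option is enabled.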

9 months, 3 weeks


[PATCH] sn65dsi83.c: fix dual-channel LVDS output also divide porches

by Bauer, Markus

sn65dsi83.c: fix dual-channel LVDS output also divide porches

When generating dual-channel LVDS to a single display, the horizontal
part has to be divided in halves for each channel. This was done
correctly for hactive, but not for the porches.

This only applies to the sn65dsi84, which is also covered by this driver.

Cc: stable(a)vger.kernel.org
Signed-off-by: Markus Bauer <markus.bauer2(a)avnet.com>
---
 drivers/gpu/drm/bridge/ti-sn65dsi83.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
index ad73f69d768d..d71f752e79ec 100644
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -399,7 +399,7 @@ static void sn65dsi83_atomic_pre_enable(struct drm_bridge *bridge,
 	unsigned int pval;
 	__le16 le16val;
 	u16 val;
-	int ret;
+	int ret, hfront, hback;

 	ret = regulator_enable(ctx->vcc);
 	if (ret) {
@@ -521,12 +521,22 @@ static void sn65dsi83_atomic_pre_enable(struct drm_bridge *bridge,
 	le16val = cpu_to_le16(mode->vsync_end - mode->vsync_start);
 	regmap_bulk_write(ctx->regmap, REG_VID_CHA_VSYNC_PULSE_WIDTH_LOW,
 			  &le16val, 2);
+
+	hback = mode->htotal - mode->hsync_end;
+	if (ctx->lvds_dual_link)
+		hback /= 2;
+
 	regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_BACK_PORCH,
-		     mode->htotal - mode->hsync_end);
+		     hback);
 	regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_BACK_PORCH,
 		     mode->vtotal - mode->vsync_end);
+
+	hfront = mode->hsync_start - mode->hdisplay;
+	if (ctx->lvds_dual_link)
+		hfront /= 2;
+
 	regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_FRONT_PORCH,
-		     mode->hsync_start - mode->hdisplay);
+		     hfront);
 	regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_FRONT_PORCH,
 		     mode->vsync_start - mode->vdisplay);
 	regmap_write(ctx->regmap, REG_VID_CHA_TEST_PATTERN, 0x00);
-- 
2.34.1

-- 
Markus Bauer
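The porch arithmetic in this patch can be checked outside the driver with a small sketch. The two structs and calc_h_porches() are hypothetical names used only for this example; the field names follow the horizontal members of the mode referenced in the diff, and the register writes are omitted.

```c
#include <stdbool.h>

/* Hypothetical subset of the horizontal timing fields used in the diff. */
struct h_timing {
	int hdisplay;
	int hsync_start;
	int hsync_end;
	int htotal;
};

struct h_porches {
	int front;
	int back;
};

/*
 * Compute the horizontal porches the way the patched code does:
 * derive them from the mode, then halve them for dual-link LVDS,
 * where each channel carries half of every line.
 */
static struct h_porches calc_h_porches(const struct h_timing *m, bool dual_link)
{
	struct h_porches p = {
		.front = m->hsync_start - m->hdisplay,
		.back = m->htotal - m->hsync_end,
	};

	if (dual_link) {
		p.front /= 2;
		p.back /= 2;
	}
	return p;
}
```

For a 1920-pixel mode with hsync_start 2008, hsync_end 2052 and htotal 2200, the single-link porches are 88 and 148 pixels, and the dual-link values programmed per channel become 44 and 74.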

9 months, 3 weeks


+ maple_tree-simplify-split-calculation.patch added to mm-unstable branch

by Andrew Morton

The patch titled
     Subject: maple_tree: simplify split calculation
has been added to the -mm mm-unstable branch.  Its filename is
     maple_tree-simplify-split-calculation.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Wei Yang <richard.weiyang(a)gmail.com>
Subject: maple_tree: simplify split calculation
Date: Wed, 13 Nov 2024 03:16:14 +0000

Patch series "simplify split calculation", v3.


This patch (of 3):

The current calculation for splitting nodes tries to enforce a minimum
span on the leaf nodes.  This code is complex and never worked correctly
to begin with, due to the min value being passed as 0 for all leaves.

The calculation should just split the data as equally as possible
between the new nodes.  Note that b_end will be one more than the data,
so the left side is still favoured in the calculation.

The current code may also lead to a deficient node by not leaving enough
data for the right side of the split.  This issue is also addressed with
the split calculation change.

[Liam.Howlett(a)Oracle.com: rephrase the change log]
Link: https://lkml.kernel.org/r/20241113031616.10530-1-richard.weiyang@gmail.com
Link: https://lkml.kernel.org/r/20241113031616.10530-2-richard.weiyang@gmail.com
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com>
Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 lib/maple_tree.c |   23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

--- a/lib/maple_tree.c~maple_tree-simplify-split-calculation
+++ a/lib/maple_tree.c
@@ -1863,11 +1863,11 @@ static inline int mab_no_null_split(stru
  * Return: The first split location.  The middle split is set in @mid_split.
  */
 static inline int mab_calc_split(struct ma_state *mas,
-	 struct maple_big_node *bn, unsigned char *mid_split, unsigned long min)
+	 struct maple_big_node *bn, unsigned char *mid_split)
 {
 	unsigned char b_end = bn->b_end;
 	int split = b_end / 2; /* Assume equal split. */
-	unsigned char slot_min, slot_count = mt_slots[bn->type];
+	unsigned char slot_count = mt_slots[bn->type];

 	/*
 	 * To support gap tracking, all NULL entries are kept together and a node cannot
@@ -1900,18 +1900,7 @@ static inline int mab_calc_split(struct
 		split = b_end / 3;
 		*mid_split = split * 2;
 	} else {
-		slot_min = mt_min_slots[bn->type];
-
 		*mid_split = 0;
-		/*
-		 * Avoid having a range less than the slot count unless it
-		 * causes one node to be deficient.
-		 * NOTE: mt_min_slots is 1 based, b_end and split are zero.
-		 */
-		while ((split < slot_count - 1) &&
-		       ((bn->pivot[split] - min) < slot_count - 1) &&
-		       (b_end - split > slot_min))
-			split++;
 	}

 	/* Avoid ending a node on a NULL entry */
@@ -2377,7 +2366,7 @@ static inline struct maple_enode
 static inline unsigned char mas_mab_to_node(struct ma_state *mas,
 	struct maple_big_node *b_node, struct maple_enode **left,
 	struct maple_enode **right, struct maple_enode **middle,
-	unsigned char *mid_split, unsigned long min)
+	unsigned char *mid_split)
 {
 	unsigned char split = 0;
 	unsigned char slot_count = mt_slots[b_node->type];
@@ -2390,7 +2379,7 @@ static inline unsigned char mas_mab_to_n
 	if (b_node->b_end < slot_count) {
 		split = b_node->b_end;
 	} else {
-		split = mab_calc_split(mas, b_node, mid_split, min);
+		split = mab_calc_split(mas, b_node, mid_split);
 		*right = mas_new_ma_node(mas, b_node);
 	}

@@ -2877,7 +2866,7 @@ static void mas_spanning_rebalance(struc
 	mast->bn->b_end--;
 	mast->bn->type = mte_node_type(mast->orig_l->node);
 	split = mas_mab_to_node(mas, mast->bn, &left, &right, &middle,
-				&mid_split, mast->orig_l->min);
+				&mid_split);
 	mast_set_split_parents(mast, left, middle, right, split, mid_split);
 	mast_cp_to_nodes(mast, left, middle, right, split, mid_split);

@@ -3365,7 +3354,7 @@ static void mas_split(struct ma_state *m
 		if (mas_push_data(mas, height, &mast, false))
 			break;

-		split = mab_calc_split(mas, b_node, &mid_split, prev_l_mas.min);
+		split = mab_calc_split(mas, b_node, &mid_split);
 		mast_split_data(&mast, mas, split);
 		/*
 		 * Usually correct, mab_mas_cp in the above call overwrites
_

Patches currently in -mm which might be from richard.weiyang(a)gmail.com are

maple_tree-use-mas_next_slot-directly.patch
maple_tree-index-has-been-checked-to-be-smaller-than-pivot.patch
maple_tree-not-possible-to-be-a-root-node-after-loop.patch
maple_tree-we-dont-set-offset-to-maple_node_slots-on-error.patch
maple_tree-simplify-split-calculation.patch
maple_tree-add-a-test-check-deficient-node.patch
maple_tree-only-root-node-could-be-deficient.patch
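A minimal sketch of the arithmetic that remains after this change is given below, under clearly stated assumptions: the condition that selects a three-way split is not visible in the hunks above, so it is reduced here to a hypothetical three_way flag, and the later adjustment that avoids ending a node on a NULL entry is left out. The names split_result and calc_split_sketch are invented for the example.

```c
/* Hypothetical result pair: first split index and middle split index. */
struct split_result {
	int split;
	int mid_split;
};

/*
 * Sketch of the simplified calculation: assume an equal two-way split,
 * or an equal three-way split when the (here externally supplied)
 * three_way flag is set. A mid_split of 0 means "no middle node".
 */
static struct split_result calc_split_sketch(unsigned char b_end, int three_way)
{
	struct split_result r = { .split = b_end / 2, .mid_split = 0 };

	if (three_way) {
		r.split = b_end / 3;
		r.mid_split = r.split * 2;
	}
	return r;
}
```

With b_end equal to 16 the two-way split index is 8, and with b_end equal to 30 a three-way split yields indices 10 and 20. The loop that used to advance the split index based on pivot ranges no longer plays a part.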

9 months, 4 weeks


+ sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: sched/numa: fix memory leak due to the overwritten vma->numab_state
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Adrian Huang <ahuang12(a)lenovo.com>
Subject: sched/numa: fix memory leak due to the overwritten vma->numab_state
Date: Wed, 13 Nov 2024 18:21:46 +0800

[Problem Description]
When running the hackbench program of LTP, the following memory leak is
reported by kmemleak.

  # /opt/ltp/testcases/bin/hackbench 20 thread 1000
  Running with 20*40 (== 800) tasks.

  # dmesg | grep kmemleak
  ...
  kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
  kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

  # cat /sys/kernel/debug/kmemleak
  unreferenced object 0xffff888cd8ca2c40 (size 64):
    comm "hackbench", pid 17142, jiffies 4299780315
    hex dump (first 32 bytes):
      ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00  .tI.....L.I.....
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    backtrace (crc bff18fd4):
      [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0
      [<ffffffff8113f715>] task_numa_work+0x725/0xa00
      [<ffffffff8110f878>] task_work_run+0x58/0x90
      [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0
      [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150
      [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
  ...

This issue can be consistently reproduced on three different servers:
  * a 448-core server
  * a 256-core server
  * a 192-core server

[Root Cause]
Since multiple threads are created by the hackbench program (along with
the command argument 'thread'), a shared vma might be accessed by two or
more cores simultaneously.  When two or more cores observe that
vma->numab_state is NULL at the same time, vma->numab_state will be
overwritten.

Although the current code ensures that only one thread scans the VMAs in
a single 'numa_scan_period', another thread may still enter during the
next 'numa_scan_period' before the first thread has reached the
numab_state allocation [1].

Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000`
cannot reproduce the issue.  This was verified with 200+ test runs.

[Solution]
Use the cmpxchg atomic operation to ensure that only one thread executes
the vma->numab_state assignment.

[1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/

Link: https://lkml.kernel.org/r/20241113102146.2384-1-ahuang12@lenovo.com
Fixes: ef6a22b70f6d ("sched/numa: apply the scan delay to every new vma")
Signed-off-by: Adrian Huang <ahuang12(a)lenovo.com>
Reported-by: Jiwei Sun <sunjw10(a)lenovo.com>
Reviewed-by: Raghavendra K T <raghavendra.kt(a)amd.com>
Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz>
Cc: Ben Segall <bsegall(a)google.com>
Cc: Dietmar Eggemann <dietmar.eggemann(a)arm.com>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: Juri Lelli <juri.lelli(a)redhat.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Steven Rostedt <rostedt(a)goodmis.org>
Cc: Valentin Schneider <vschneid(a)redhat.com>
Cc: Vincent Guittot <vincent.guittot(a)linaro.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 kernel/sched/fair.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/kernel/sched/fair.c~sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state
+++ a/kernel/sched/fair.c
@@ -3399,10 +3399,16 @@ retry_pids:

 		/* Initialise new per-VMA NUMAB state. */
 		if (!vma->numab_state) {
-			vma->numab_state = kzalloc(sizeof(struct vma_numab_state),
-				GFP_KERNEL);
-			if (!vma->numab_state)
+			struct vma_numab_state *ptr;
+
+			ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
+			if (!ptr)
+				continue;
+
+			if (cmpxchg(&vma->numab_state, NULL, ptr)) {
+				kfree(ptr);
 				continue;
+			}

 			vma->numab_state->start_scan_seq = mm->numa_scan_seq;

_

Patches currently in -mm which might be from ahuang12(a)lenovo.com are

sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch
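The allocate-then-publish pattern used by the fix can be tried in userspace with C11 atomics. This is only an analogue: atomic_compare_exchange_strong() stands in for the kernel's cmpxchg(), calloc()/free() for kzalloc()/kfree(), and the struct and function names are hypothetical.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel structures named in the patch. */
struct numab_state {
	unsigned long start_scan_seq;
};

struct vma {
	_Atomic(struct numab_state *) numab_state;
};

/*
 * Try to publish a freshly allocated state. Only the caller that swaps
 * NULL for its pointer wins; a loser frees its own allocation instead of
 * overwriting (and thereby leaking) the winner's object.
 * Returns 1 if ptr was installed, 0 if another state was already there.
 */
static int publish_state(struct vma *vma, struct numab_state *ptr)
{
	struct numab_state *expected = NULL;

	if (!atomic_compare_exchange_strong(&vma->numab_state, &expected, ptr)) {
		free(ptr);
		return 0;
	}
	return 1;
}

/* Mirrors the patched block: check, allocate, then publish atomically. */
static int init_state(struct vma *vma)
{
	struct numab_state *ptr;

	if (atomic_load(&vma->numab_state))
		return 0;

	ptr = calloc(1, sizeof(*ptr));
	if (!ptr)
		return 0;

	return publish_state(vma, ptr);
}
```

The plain assignment in the old code corresponds to an unconditional store in publish_state(): the second of two racing threads would replace the first pointer, and nothing would ever free it.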

9 months, 4 weeks


+ mm-damon-fix-order-of-arguments-in-damos_before_apply-tracepoint.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: mm/damon: fix order of arguments in damos_before_apply tracepoint
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     mm-damon-fix-order-of-arguments-in-damos_before_apply-tracepoint.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Akinobu Mita <akinobu.mita(a)gmail.com>
Subject: mm/damon: fix order of arguments in damos_before_apply tracepoint
Date: Fri, 15 Nov 2024 10:20:23 -0800

Since the order of the scheme_idx and target_idx arguments in TP_ARGS is
reversed, they are stored in the trace record in reverse.

Link: https://lkml.kernel.org/r/20241115182023.43118-1-sj@kernel.org
Link: https://patch.msgid.link/20241112154828.40307-1-akinobu.mita@gmail.com
Fixes: c603c630b509 ("mm/damon/core: add a tracepoint for damos apply target regions")
Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com>
Signed-off-by: SeongJae Park <sj(a)kernel.org>
Cc: Masami Hiramatsu <mhiramat(a)kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com>
Cc: Steven Rostedt <rostedt(a)goodmis.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 include/trace/events/damon.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/trace/events/damon.h~mm-damon-fix-order-of-arguments-in-damos_before_apply-tracepoint
+++ a/include/trace/events/damon.h
@@ -15,7 +15,7 @@ TRACE_EVENT_CONDITION(damos_before_apply
 		unsigned int target_idx, struct damon_region *r,
 		unsigned int nr_regions, bool do_trace),

-	TP_ARGS(context_idx, target_idx, scheme_idx, r, nr_regions, do_trace),
+	TP_ARGS(context_idx, scheme_idx, target_idx, r, nr_regions, do_trace),

 	TP_CONDITION(do_trace),

_

Patches currently in -mm which might be from akinobu.mita(a)gmail.com are

mm-damon-fix-order-of-arguments-in-damos_before_apply-tracepoint.patch

9 months, 4 weeks


+ lib-stackinit-hide-never-taken-branch-from-compiler.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: lib: stackinit: hide never-taken branch from compiler
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     lib-stackinit-hide-never-taken-branch-from-compiler.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Kees Cook <kees(a)kernel.org>
Subject: lib: stackinit: hide never-taken branch from compiler
Date: Sun, 17 Nov 2024 03:38:13 -0800

The never-taken branch leads to an invalid bounds condition, which is by
design.  To avoid the unwanted warning from the compiler, hide the
variable from the optimizer.

../lib/stackinit_kunit.c: In function 'do_nothing_u16_zero':
../lib/stackinit_kunit.c:51:49: error: array subscript 1 is outside array bounds of 'u16[0]' {aka 'short unsigned int[]'} [-Werror=array-bounds=]
   51 | #define DO_NOTHING_RETURN_SCALAR(ptr)           *(ptr)
      |                                                 ^~~~~~
../lib/stackinit_kunit.c:219:24: note: in expansion of macro 'DO_NOTHING_RETURN_SCALAR'
  219 |         return DO_NOTHING_RETURN_ ## which(ptr + 1);    \
      |                ^~~~~~~~~~~~~~~~~~

Link: https://lkml.kernel.org/r/20241117113813.work.735-kees@kernel.org
Signed-off-by: Kees Cook <kees(a)kernel.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 lib/stackinit_kunit.c |    1 +
 1 file changed, 1 insertion(+)

--- a/lib/stackinit_kunit.c~lib-stackinit-hide-never-taken-branch-from-compiler
+++ a/lib/stackinit_kunit.c
@@ -212,6 +212,7 @@ static noinline void test_ ## name (stru
 static noinline DO_NOTHING_TYPE_ ## which(var_type)		\
 do_nothing_ ## name(var_type *ptr)				\
 {								\
+	OPTIMIZER_HIDE_VAR(ptr);				\
 	/* Will always be true, but compiler doesn't know. */	\
 	if ((unsigned long)ptr > 0x2)				\
 		return DO_NOTHING_RETURN_ ## which(ptr);	\
_

Patches currently in -mm which might be from kees(a)kernel.org are

lib-stackinit-hide-never-taken-branch-from-compiler.patch
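The technique can be sketched outside the kernel as follows. HIDE_VAR() is a local name modelled on the kernel's OPTIMIZER_HIDE_VAR() as commonly defined for GCC and Clang (an empty asm statement that claims to rewrite the variable); treat the exact definition as an assumption, and note that read_scalar() is a hypothetical reduction of the do_nothing_*() helpers in the test.

```c
/*
 * An empty asm that takes var as input and output in the same register.
 * It emits no instructions, but the compiler can no longer assume
 * anything about the value of var afterwards. Requires GCC or Clang.
 */
#define HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var))

/* Hypothetical reduction of a do_nothing_*() helper for a scalar. */
static unsigned short read_scalar(unsigned short *ptr)
{
	HIDE_VAR(ptr);

	/* Always true for a real pointer, but the compiler cannot tell. */
	if ((unsigned long)ptr > 0x2)
		return *ptr;

	/* Never taken at runtime; out of bounds by design. */
	return *(ptr + 1);
}
```

Because the pointer's provenance is hidden before the branch, the compiler has no known array bounds to check `ptr + 1` against, which is what silences the -Warray-bounds diagnostic quoted in the commit message.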

9 months, 4 weeks


+ alloc_tag-fix-set_codetag_empty-when-config_mem_alloc_profiling_debug.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: alloc_tag: fix set_codetag_empty() when !CONFIG_MEM_ALLOC_PROFILING_DEBUG
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     alloc_tag-fix-set_codetag_empty-when-config_mem_alloc_profiling_debug.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Suren Baghdasaryan <surenb(a)google.com>
Subject: alloc_tag: fix set_codetag_empty() when !CONFIG_MEM_ALLOC_PROFILING_DEBUG
Date: Fri, 29 Nov 2024 16:14:23 -0800

It was recently noticed that set_codetag_empty() might be used not only
to mark NULL alloctag references as empty to avoid warnings but also to
reset valid tags (in clear_page_tag_ref()).  Since set_codetag_empty() is
defined as NOOP for CONFIG_MEM_ALLOC_PROFILING_DEBUG=n, such use of
set_codetag_empty() leads to subtle bugs.  Fix set_codetag_empty() for
CONFIG_MEM_ALLOC_PROFILING_DEBUG=n to reset the tag reference.

Link: https://lkml.kernel.org/r/20241130001423.1114965-2-surenb@google.com
Fixes: a8fc28dad6d5 ("alloc_tag: introduce clear_page_tag_ref() helper function")
Signed-off-by: Suren Baghdasaryan <surenb(a)google.com>
Reported-by: David Wang <00107082(a)163.com>
Closes: https://lore.kernel.org/lkml/20241124074318.399027-1-00107082@163.com/
Cc: David Wang <00107082(a)163.com>
Cc: Kent Overstreet <kent.overstreet(a)linux.dev>
Cc: Mike Rapoport (Microsoft) <rppt(a)kernel.org>
Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com>
Cc: Sourav Panda <souravpanda(a)google.com>
Cc: Yu Zhao <yuzhao(a)google.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 include/linux/alloc_tag.h |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/include/linux/alloc_tag.h~alloc_tag-fix-set_codetag_empty-when-config_mem_alloc_profiling_debug
+++ a/include/linux/alloc_tag.h
@@ -63,7 +63,12 @@ static inline void set_codetag_empty(uni
 #else /* CONFIG_MEM_ALLOC_PROFILING_DEBUG */

 static inline bool is_codetag_empty(union codetag_ref *ref) { return false; }
-static inline void set_codetag_empty(union codetag_ref *ref) {}
+
+static inline void set_codetag_empty(union codetag_ref *ref)
+{
+	if (ref)
+		ref->ct = NULL;
+}

 #endif /* CONFIG_MEM_ALLOC_PROFILING_DEBUG */

_

Patches currently in -mm which might be from surenb(a)google.com are

alloc_tag-fix-module-allocation-tags-populated-area-calculation.patch
alloc_tag-fix-set_codetag_empty-when-config_mem_alloc_profiling_debug.patch
mm-convert-mm_lock_seq-to-a-proper-seqcount.patch
mm-introduce-mmap_lock_speculation_beginend.patch

9 months, 4 weeks


+ alloc_tag-fix-module-allocation-tags-populated-area-calculation.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: alloc_tag: fix module allocation tags populated area calculation has been added to the -mm mm-hotfixes-unstable branch. Its filename is alloc_tag-fix-module-allocation-tags-populated-area-calculation.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: alloc_tag: fix module allocation tags populated area calculation Date: Fri, 29 Nov 2024 16:14:22 -0800 vm_module_tags_populate() calculation of the populated area assumes that area starts at a page boundary and therefore when new pages are allocation, the end of the area is page-aligned as well. If the start of the area is not page-aligned then allocating a page and incrementing the end of the area by PAGE_SIZE leads to an area at the end but within the area boundary which is not populated. Accessing this are will lead to a kernel panic. Fix the calculation by down-aligning the start of the area and using that as the location allocated pages are mapped to. 
Link: https://lkml.kernel.org/r/20241130001423.1114965-1-surenb@google.com Fixes: 0f9b685626da ("alloc_tag: populate memory for module tags as needed") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202411132111.6a221562-lkp@intel.com Cc: David Wang <00107082(a)163.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: Sourav Panda <souravpanda(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/alloc_tag.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/lib/alloc_tag.c~alloc_tag-fix-module-allocation-tags-populated-area-calculation +++ a/lib/alloc_tag.c @@ -401,19 +401,20 @@ repeat: static int vm_module_tags_populate(void) { - unsigned long phys_size = vm_module_tags->nr_pages << PAGE_SHIFT; + unsigned long phys_end = ALIGN_DOWN(module_tags.start_addr, PAGE_SIZE) + + (vm_module_tags->nr_pages << PAGE_SHIFT); + unsigned long new_end = module_tags.start_addr + module_tags.size; - if (phys_size < module_tags.size) { + if (phys_end < new_end) { struct page **next_page = vm_module_tags->pages + vm_module_tags->nr_pages; - unsigned long addr = module_tags.start_addr + phys_size; unsigned long more_pages; unsigned long nr; - more_pages = ALIGN(module_tags.size - phys_size, PAGE_SIZE) >> PAGE_SHIFT; + more_pages = ALIGN(new_end - phys_end, PAGE_SIZE) >> PAGE_SHIFT; nr = alloc_pages_bulk_array_node(GFP_KERNEL | __GFP_NOWARN, NUMA_NO_NODE, more_pages, next_page); if (nr < more_pages || - vmap_pages_range(addr, addr + (nr << PAGE_SHIFT), PAGE_KERNEL, + vmap_pages_range(phys_end, phys_end + (nr << PAGE_SHIFT), PAGE_KERNEL, next_page, PAGE_SHIFT) < 0) { /* Clean up and error out */ for (int i = 0; i < nr; i++) _ Patches currently in -mm which might be from 
surenb(a)google.com are alloc_tag-fix-module-allocation-tags-populated-area-calculation.patch alloc_tag-fix-set_codetag_empty-when-config_mem_alloc_profiling_debug.patch mm-convert-mm_lock_seq-to-a-proper-seqcount.patch mm-introduce-mmap_lock_speculation_beginend.patch
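
The arithmetic behind this fix can be checked outside the kernel. The following is a minimal userspace sketch, not the kernel code: the SKETCH_* macros and both function names are hypothetical stand-ins for PAGE_SIZE, ALIGN_DOWN(), ALIGN() and the logic in vm_module_tags_populate(), and a 4096-byte page is assumed. It compares the old size-based page count with the new end-address-based one.

```c
#include <assert.h>

/* Hypothetical stand-ins for the kernel's PAGE_SIZE, ALIGN_DOWN() and ALIGN(). */
#define SKETCH_PAGE_SIZE 4096UL
#define SKETCH_ALIGN_DOWN(x, a) ((x) & ~((a) - 1))
#define SKETCH_ALIGN_UP(x, a)   (((x) + (a) - 1) & ~((a) - 1))

/*
 * Old calculation: compares sizes only, so it implicitly assumes that
 * the area starts on a page boundary.
 */
unsigned long sketch_more_pages_old(unsigned long size, unsigned long nr_pages)
{
	unsigned long phys_size = nr_pages * SKETCH_PAGE_SIZE;

	if (phys_size >= size)
		return 0;
	return SKETCH_ALIGN_UP(size - phys_size, SKETCH_PAGE_SIZE) / SKETCH_PAGE_SIZE;
}

/*
 * New calculation: compares end addresses. The populated end is measured
 * from the page that contains the start of the area.
 */
unsigned long sketch_more_pages_new(unsigned long start, unsigned long size,
				    unsigned long nr_pages)
{
	unsigned long phys_end;
	unsigned long new_end = start + size;

	/* The alignment macros only work for power-of-two page sizes. */
	assert((SKETCH_PAGE_SIZE & (SKETCH_PAGE_SIZE - 1)) == 0);

	phys_end = SKETCH_ALIGN_DOWN(start, SKETCH_PAGE_SIZE) +
		   nr_pages * SKETCH_PAGE_SIZE;
	if (phys_end >= new_end)
		return 0;
	return SKETCH_ALIGN_UP(new_end - phys_end, SKETCH_PAGE_SIZE) / SKETCH_PAGE_SIZE;
}
```

With an area that starts at 0x1800 and is 0x1000 bytes long, the range spans two pages: the old calculation asks for one page, the new one asks for two.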

9 months, 4 weeks

[PATCH AUTOSEL 5.15 01/12] watch_queue: fix kcalloc() arguments order

by Sasha Levin

From: Dmitry Antipov <dmantipov(a)yandex.ru>

[ Upstream commit 1bfc466b13cf6652ba227c282c27a30ffede69a5 ]

When compiling with gcc version 14.0.0 20231220 (experimental)
and W=1, I've noticed the following warning:

kernel/watch_queue.c: In function 'watch_queue_set_size':
kernel/watch_queue.c:273:32: warning: 'kcalloc' sizes specified with 'sizeof'
in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
  273 |         pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
      |                                ^~~~~~

Since the 'n' and 'size' arguments of 'kcalloc()' are multiplied to
calculate the final size, their actual order doesn't affect the result,
so this is not a bug. It is still worth fixing.

Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru>
Link: https://lore.kernel.org/r/20231221090139.12579-1-dmantipov@yandex.ru
Signed-off-by: Christian Brauner <brauner(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 kernel/watch_queue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index ae31bf8d2feb..bf86e1d71cd3 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -275,7 +275,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
 		goto error;
 
 	ret = -ENOMEM;
-	pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
+	pages = kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL);
 	if (!pages)
 		goto error;
 
-- 
2.43.0
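
The same argument convention applies to userspace calloc(), which makes the point easy to try without a kernel tree. This is a minimal sketch under that assumption: struct sketch_page and sketch_alloc_page_array() are hypothetical names, and calloc() stands in for kcalloc(). The element count goes first and the element size second.

```c
#include <assert.h>
#include <stdlib.h>

/* Opaque, hypothetical stand-in for the kernel's struct page. */
struct sketch_page;

/*
 * Allocate a zeroed array of nr_pages page pointers.
 * Argument order follows the calloc()/kcalloc() convention:
 * number of elements first, size of one element second.
 */
struct sketch_page **sketch_alloc_page_array(size_t nr_pages)
{
	assert(nr_pages > 0);
	return calloc(nr_pages, sizeof(struct sketch_page *));
}
```

Swapping the two arguments would allocate the same number of bytes, which is why the commit message calls this a warning fix rather than a bug fix.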

9 months, 4 weeks

[PATCH v3 0/4] media: uvcvideo: Two fixes for async controls

by Ricardo Ribalda

This patchset fixes two bugs with the async controls for the uvc driver.

They were found while implementing the granular PM, but I am sending
them as separate patches, so they can be reviewed sooner. They fix
real issues in the driver that need to be taken care of.

Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org>
---
Changes in v3:
- Change the order of patches again.
- Introduce uvc_ctrl_set_handle.
- Do not change ctrl->handle if it is not NULL.

Changes in v2:
- Annotate lockdep
- ctrl->handle != handle
- Change order of patches
- Move documentation of mutex
- Link to v1: https://lore.kernel.org/r/20241127-uvc-fix-async-v1-0-eb8722531b8c@chromium…

---
Ricardo Ribalda (4):
      media: uvcvideo: Do not replace the handler of an async ctrl
      media: uvcvideo: Remove dangling pointers
      media: uvcvideo: Annotate lock requirements for uvc_ctrl_set
      media: uvcvideo: Remove redundant NULL assignment

 drivers/media/usb/uvc/uvc_ctrl.c | 52 +++++++++++++++++++++++++++++++++++-----
 drivers/media/usb/uvc/uvc_v4l2.c |  2 ++
 drivers/media/usb/uvc/uvcvideo.h | 14 +++++++++--
 3 files changed, 60 insertions(+), 8 deletions(-)
---
base-commit: 72ad4ff638047bbbdf3232178fea4bec1f429319
change-id: 20241127-uvc-fix-async-2c9d40413ad8

Best regards,
-- 
Ricardo Ribalda <ribalda(a)chromium.org>

9 months, 4 weeks

[PATCH 6.6] perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated

by Hagar Hemdan

From: Kan Liang <kan.liang(a)linux.intel.com>

[ Upstream commit 556a7c039a52c21da33eaae9269984a1ef59189b ]

The below error is observed on Ice Lake VM.

$ perf stat
Error:
The sys_perf_event_open() syscall returned with 22 (Invalid argument)
for event (slots).
/bin/dmesg | grep -i perf may provide additional information.

In a virtualization env, the Topdown metrics and the slots event haven't
been supported yet. The guest CPUID doesn't enumerate them. However, the
current kernel unconditionally exposes the slots event and the Topdown
metrics events to sysfs, which misleads the perf tool and triggers the
error.

Hide the perf-metrics topdown events and the slots event if the
perf-metrics feature is not enumerated.

The big core of a hybrid platform can also support the perf-metrics
feature. Fix the hybrid platform as well.

Closes: https://lore.kernel.org/lkml/CAM9d7cj8z+ryyzUHR+P1Dcpot2jjW+Qcc4CPQpfafTXN=…
Reported-by: Dongli Zhang <dongli.zhang(a)oracle.com>
Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org>
Tested-by: Dongli Zhang <dongli.zhang(a)oracle.com>
Link: https://lkml.kernel.org/r/20240708193336.1192217-2-kan.liang@linux.intel.com
[ Minor changes to make it work on 6.6 ]
Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com>
---
 arch/x86/events/intel/core.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index 27968d10dd0b..3bc31cd20c81 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -5409,8 +5409,22 @@ default_is_visible(struct kobject *kobj, struct attribute *attr, int i)
 	return attr->mode;
 }
 
+static umode_t
+td_is_visible(struct kobject *kobj, struct attribute *attr, int i)
+{
+	/*
+	 * Hide the perf metrics topdown events
+	 * if the feature is not enumerated.
+	 */
+	if (x86_pmu.num_topdown_events)
+		return x86_pmu.intel_cap.perf_metrics ? attr->mode : 0;
+
+	return attr->mode;
+}
+
 static struct attribute_group group_events_td = {
 	.name = "events",
+	.is_visible = td_is_visible,
 };
 
 static struct attribute_group group_events_mem = {
@@ -5587,9 +5601,27 @@ static umode_t hybrid_format_is_visible(struct kobject *kobj,
 	return (cpu >= 0) && (pmu->cpu_type & pmu_attr->pmu_type) ? attr->mode : 0;
 }
 
+static umode_t hybrid_td_is_visible(struct kobject *kobj,
+				    struct attribute *attr, int i)
+{
+	struct device *dev = kobj_to_dev(kobj);
+	struct x86_hybrid_pmu *pmu =
+		container_of(dev_get_drvdata(dev), struct x86_hybrid_pmu, pmu);
+
+	if (!is_attr_for_this_pmu(kobj, attr))
+		return 0;
+
+
+	/* Only the big core supports perf metrics */
+	if (pmu->cpu_type == hybrid_big)
+		return pmu->intel_cap.perf_metrics ? attr->mode : 0;
+
+	return attr->mode;
+}
+
 static struct attribute_group hybrid_group_events_td = {
 	.name = "events",
-	.is_visible = hybrid_td_is_visible,
+	.is_visible = hybrid_td_is_visible,
 };
 
 static struct attribute_group hybrid_group_events_mem = {
-- 
2.40.1
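
The visibility rule in td_is_visible() is a small decision function: a sysfs is_visible callback returns the attribute's mode to expose it, or 0 to hide it. The sketch below models only that decision in userspace. struct sketch_pmu, sketch_mode_t and sketch_td_is_visible() are hypothetical names, and the two fields stand in for x86_pmu.num_topdown_events and x86_pmu.intel_cap.perf_metrics.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the kernel's umode_t. */
typedef unsigned short sketch_mode_t;

/* Hypothetical, reduced model of the PMU capabilities the callback reads. */
struct sketch_pmu {
	int num_topdown_events;	/* nonzero if the model defines topdown events */
	bool perf_metrics;	/* true if the perf-metrics feature is enumerated */
};

/*
 * Return attr_mode to keep the attribute visible, or 0 to hide it.
 * Topdown events are hidden when the PMU defines them but the
 * perf-metrics feature is not enumerated (for example in a guest).
 */
sketch_mode_t sketch_td_is_visible(const struct sketch_pmu *pmu,
				   sketch_mode_t attr_mode)
{
	assert(pmu != NULL);

	if (pmu->num_topdown_events)
		return pmu->perf_metrics ? attr_mode : 0;

	return attr_mode;
}
```

A guest that has topdown events defined but no perf-metrics capability gets mode 0, so the events never appear under sysfs and the perf tool does not try to open them.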

9 months, 4 weeks

[PATCH 6.1] btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

by Xiangyu Chen

From: Boris Burkov <boris(a)bur.io>

commit 74e97958121aa1f5854da6effba70143f051b0cd upstream.

Create subvolume, create snapshot and delete subvolume all use
btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
done to the parent subvolume's fs tree, which cannot be mediated in the
normal way via start_transaction. When quota groups (squota or qgroups)
are enabled, this reserves qgroup metadata of type PREALLOC. Once the
operation is associated to a transaction, we convert PREALLOC to
PERTRANS, which gets cleared in bulk at the end of the transaction.

However, the error paths of these three operations were not implementing
this lifecycle correctly. They unconditionally converted the PREALLOC to
PERTRANS in a generic cleanup step regardless of errors or whether the
operation was fully associated to a transaction or not. This resulted in
error paths occasionally converting this rsv to PERTRANS without calling
record_root_in_trans successfully, which meant that unless that root got
recorded in the transaction by some other thread, the end of the
transaction would not free that root's PERTRANS, leaking it. Ultimately,
this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount
for the leaked reservation.

The fix is to ensure that every qgroup PREALLOC reservation observes the
following properties:

1. any failure before record_root_in_trans is called successfully
   results in freeing the PREALLOC reservation.
2. after record_root_in_trans, we convert to PERTRANS, and now the
   transaction owns freeing the reservation.

This patch enforces those properties on the three operations. Without
it, generic/269 with squotas enabled at mkfs time would fail in ~5-10
runs on my system. With this patch, it ran successfully 1000 times in a
row.

Fixes: e85fde5162bf ("btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Boris Burkov <boris(a)bur.io> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Xiangyu: BP to fix CVE-2024-35956, due to 6.1 btrfs_subvolume_release_metadata() defined in ctree.h, modified the header file name from root-tree.h to ctree.h] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++++++++- fs/btrfs/ioctl.c | 36 ++++++++++++++++++++++++++++-------- fs/btrfs/root-tree.c | 10 ---------- 4 files changed, 40 insertions(+), 21 deletions(-) diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h index cca1acf2e037..cab023927b43 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -2987,8 +2987,6 @@ enum btrfs_flush_state { int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, struct btrfs_block_rsv *rsv, int nitems, bool use_global_rsv); -void btrfs_subvolume_release_metadata(struct btrfs_root *root, - struct btrfs_block_rsv *rsv); void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes); int btrfs_delalloc_reserve_metadata(struct btrfs_inode *inode, u64 num_bytes, diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index a79da940f5b2..8fc8a24a1afe 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -4707,6 +4707,7 @@ int btrfs_delete_subvolume(struct inode *dir, struct dentry *dentry) struct btrfs_trans_handle *trans; struct btrfs_block_rsv block_rsv; u64 root_flags; + u64 qgroup_reserved = 0; int ret; down_write(&fs_info->subvol_sem); @@ -4751,12 +4752,20 @@ int btrfs_delete_subvolume(struct inode *dir, struct dentry *dentry) ret = btrfs_subvolume_reserve_metadata(root, &block_rsv, 5, true); if (ret) goto out_undead; + qgroup_reserved = block_rsv.qgroup_rsv_reserved; trans = btrfs_start_transaction(root, 0); if (IS_ERR(trans)) { ret 
= PTR_ERR(trans); goto out_release; } + ret = btrfs_record_root_in_trans(trans, root); + if (ret) { + btrfs_abort_transaction(trans, ret); + goto out_end_trans; + } + btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); + qgroup_reserved = 0; trans->block_rsv = &block_rsv; trans->bytes_reserved = block_rsv.size; @@ -4815,7 +4824,9 @@ int btrfs_delete_subvolume(struct inode *dir, struct dentry *dentry) ret = btrfs_end_transaction(trans); inode->i_flags |= S_DEAD; out_release: - btrfs_subvolume_release_metadata(root, &block_rsv); + btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL); + if (qgroup_reserved) + btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); out_undead: if (ret) { spin_lock(&dest->root_item_lock); diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 31f7fe31b607..a30379936af5 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -592,6 +592,7 @@ static noinline int create_subvol(struct user_namespace *mnt_userns, int ret; dev_t anon_dev; u64 objectid; + u64 qgroup_reserved = 0; root_item = kzalloc(sizeof(*root_item), GFP_KERNEL); if (!root_item) @@ -629,13 +630,18 @@ static noinline int create_subvol(struct user_namespace *mnt_userns, trans_num_items, false); if (ret) goto out_new_inode_args; + qgroup_reserved = block_rsv.qgroup_rsv_reserved; trans = btrfs_start_transaction(root, 0); if (IS_ERR(trans)) { ret = PTR_ERR(trans); - btrfs_subvolume_release_metadata(root, &block_rsv); - goto out_new_inode_args; + goto out_release_rsv; } + ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root); + if (ret) + goto out; + btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); + qgroup_reserved = 0; trans->block_rsv = &block_rsv; trans->bytes_reserved = block_rsv.size; @@ -744,12 +750,15 @@ static noinline int create_subvol(struct user_namespace *mnt_userns, out: trans->block_rsv = NULL; trans->bytes_reserved = 0; - btrfs_subvolume_release_metadata(root, &block_rsv); if (ret) btrfs_end_transaction(trans); else ret = 
btrfs_commit_transaction(trans); +out_release_rsv: + btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL); + if (qgroup_reserved) + btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); out_new_inode_args: btrfs_new_inode_args_destroy(&new_inode_args); out_inode: @@ -771,6 +780,8 @@ static int create_snapshot(struct btrfs_root *root, struct inode *dir, struct btrfs_pending_snapshot *pending_snapshot; unsigned int trans_num_items; struct btrfs_trans_handle *trans; + struct btrfs_block_rsv *block_rsv; + u64 qgroup_reserved = 0; int ret; /* We do not support snapshotting right now. */ @@ -807,19 +818,19 @@ static int create_snapshot(struct btrfs_root *root, struct inode *dir, goto free_pending; } - btrfs_init_block_rsv(&pending_snapshot->block_rsv, - BTRFS_BLOCK_RSV_TEMP); + block_rsv = &pending_snapshot->block_rsv; + btrfs_init_block_rsv(block_rsv, BTRFS_BLOCK_RSV_TEMP); /* * 1 to add dir item * 1 to add dir index * 1 to update parent inode item */ trans_num_items = create_subvol_num_items(inherit) + 3; - ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, - &pending_snapshot->block_rsv, + ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, block_rsv, trans_num_items, false); if (ret) goto free_pending; + qgroup_reserved = block_rsv->qgroup_rsv_reserved; pending_snapshot->dentry = dentry; pending_snapshot->root = root; @@ -832,6 +843,13 @@ static int create_snapshot(struct btrfs_root *root, struct inode *dir, ret = PTR_ERR(trans); goto fail; } + ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root); + if (ret) { + btrfs_end_transaction(trans); + goto fail; + } + btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); + qgroup_reserved = 0; trans->pending_snapshot = pending_snapshot; @@ -861,7 +879,9 @@ static int create_snapshot(struct btrfs_root *root, struct inode *dir, if (ret && pending_snapshot->snap) pending_snapshot->snap->anon_dev = 0; btrfs_put_root(pending_snapshot->snap); - btrfs_subvolume_release_metadata(root, 
&pending_snapshot->block_rsv); + btrfs_block_rsv_release(fs_info, block_rsv, (u64)-1, NULL); + if (qgroup_reserved) + btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); free_pending: if (pending_snapshot->anon_dev) free_anon_bdev(pending_snapshot->anon_dev); diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c index 7d783f094306..37780ede89ba 100644 --- a/fs/btrfs/root-tree.c +++ b/fs/btrfs/root-tree.c @@ -532,13 +532,3 @@ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, } return ret; } - -void btrfs_subvolume_release_metadata(struct btrfs_root *root, - struct btrfs_block_rsv *rsv) -{ - struct btrfs_fs_info *fs_info = root->fs_info; - u64 qgroup_to_release; - - btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); - btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); -} -- 2.25.1
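
The two properties in the commit message describe an ownership handoff: the caller owns the PREALLOC reservation until the root is recorded in the transaction, and the transaction owns it afterwards. The following userspace sketch models that handoff with plain counters. Everything in it is hypothetical (struct sketch_root, enum sketch_fail, sketch_subvol_op()); it mirrors the qgroup_reserved variable and the goto-based cleanup of the patch, not the real btrfs data structures.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical failure-injection points for the sketch. */
enum sketch_fail { SKETCH_OK, SKETCH_FAIL_START, SKETCH_FAIL_RECORD };

/* Hypothetical, reduced model of a root's qgroup metadata reservations. */
struct sketch_root {
	unsigned long prealloc;	/* bytes reserved as PREALLOC */
	unsigned long pertrans;	/* bytes reserved as PERTRANS */
	bool recorded;		/* root recorded in the running transaction */
};

/* Ending a transaction frees PERTRANS only for roots recorded in it. */
static void sketch_end_transaction(struct sketch_root *root)
{
	if (root->recorded) {
		root->pertrans = 0;
		root->recorded = false;
	}
}

int sketch_subvol_op(struct sketch_root *root, unsigned long nbytes,
		     enum sketch_fail fail)
{
	unsigned long qgroup_reserved;
	int ret = 0;

	assert(root != NULL);

	/* Reserve metadata: the caller owns this PREALLOC reservation. */
	root->prealloc += nbytes;
	qgroup_reserved = nbytes;

	if (fail == SKETCH_FAIL_START) {	/* starting the transaction failed */
		ret = -ENOMEM;
		goto out_release;
	}
	if (fail == SKETCH_FAIL_RECORD) {	/* recording the root failed */
		ret = -ENOMEM;
		goto out_end_trans;
	}

	/* Root recorded: convert to PERTRANS, the transaction now owns it. */
	root->recorded = true;
	root->prealloc -= qgroup_reserved;
	root->pertrans += qgroup_reserved;
	qgroup_reserved = 0;

out_end_trans:
	sketch_end_transaction(root);
out_release:
	/* Property 1: anything still owned by the caller is freed here. */
	if (qgroup_reserved)
		root->prealloc -= qgroup_reserved;
	return ret;
}
```

Zeroing qgroup_reserved after the conversion is what keeps the cleanup label from freeing the reservation a second time on the success path.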

9 months, 4 weeks

[PATCH 6.6] btrfs: do not BUG_ON() when freeing tree block after error

by bin.lan.cn＠eng.windriver.com

From: Filipe Manana <fdmanana(a)suse.com> [ Upstream commit bb3868033a4cccff7be57e9145f2117cbdc91c11 ] When freeing a tree block, at btrfs_free_tree_block(), if we fail to create a delayed reference we don't deal with the error and just do a BUG_ON(). The error most likely to happen is -ENOMEM, and we have a comment mentioning that only -ENOMEM can happen, but that is not true, because in case qgroups are enabled any error returned from btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned from btrfs_search_slot() for example) can be propagated back to btrfs_free_tree_block(). So stop doing a BUG_ON() and return the error to the callers and make them abort the transaction to prevent leaking space. Syzbot was triggering this, likely due to memory allocation failure injection. Reported-by: syzbot+a306f914b4d01b3958fe(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/000000000000fcba1e05e998263c@google.com/ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- fs/btrfs/ctree.c | 51 ++++++++++++++++++++++++++++++-------- fs/btrfs/extent-tree.c | 22 +++++++++------- fs/btrfs/extent-tree.h | 8 +++--- fs/btrfs/free-space-tree.c | 10 +++++--- fs/btrfs/ioctl.c | 6 ++++- fs/btrfs/qgroup.c | 6 +++-- 6 files changed, 74 insertions(+), 29 deletions(-) diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 2eb4e03080ac..bb5d317fcdbe 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -617,10 +617,16 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans, atomic_inc(&cow->refs); rcu_assign_pointer(root->node, cow); - btrfs_free_tree_block(trans, btrfs_root_id(root), buf, - parent_start, last_ref); + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), buf, + parent_start, last_ref); 
free_extent_buffer(buf); add_root_to_dirty_list(root); + if (ret < 0) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } } else { WARN_ON(trans->transid != btrfs_header_generation(parent)); ret = btrfs_tree_mod_log_insert_key(parent, parent_slot, @@ -645,8 +651,14 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans, return ret; } } - btrfs_free_tree_block(trans, btrfs_root_id(root), buf, - parent_start, last_ref); + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), buf, + parent_start, last_ref); + if (ret < 0) { + btrfs_tree_unlock(cow); + free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } } if (unlock_orig) btrfs_tree_unlock(buf); @@ -1121,9 +1133,13 @@ static noinline int balance_level(struct btrfs_trans_handle *trans, free_extent_buffer(mid); root_sub_used(root, mid->len); - btrfs_free_tree_block(trans, btrfs_root_id(root), mid, 0, 1); + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), mid, 0, 1); /* once for the root ptr */ free_extent_buffer_stale(mid); + if (ret < 0) { + btrfs_abort_transaction(trans, ret); + goto out; + } return 0; } if (btrfs_header_nritems(mid) > @@ -1191,10 +1207,14 @@ static noinline int balance_level(struct btrfs_trans_handle *trans, goto out; } root_sub_used(root, right->len); - btrfs_free_tree_block(trans, btrfs_root_id(root), right, + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), right, 0, 1); free_extent_buffer_stale(right); right = NULL; + if (ret < 0) { + btrfs_abort_transaction(trans, ret); + goto out; + } } else { struct btrfs_disk_key right_key; btrfs_node_key(right, &right_key, 0); @@ -1249,9 +1269,13 @@ static noinline int balance_level(struct btrfs_trans_handle *trans, goto out; } root_sub_used(root, mid->len); - btrfs_free_tree_block(trans, btrfs_root_id(root), mid, 0, 1); + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), mid, 0, 1); free_extent_buffer_stale(mid); mid = NULL; + if 
(ret < 0) { + btrfs_abort_transaction(trans, ret); + goto out; + } } else { /* update the parent key to reflect our changes */ struct btrfs_disk_key mid_key; @@ -3022,7 +3046,11 @@ static noinline int insert_new_root(struct btrfs_trans_handle *trans, old = root->node; ret = btrfs_tree_mod_log_insert_root(root->node, c, false); if (ret < 0) { - btrfs_free_tree_block(trans, btrfs_root_id(root), c, 0, 1); + int ret2; + + ret2 = btrfs_free_tree_block(trans, btrfs_root_id(root), c, 0, 1); + if (ret2 < 0) + btrfs_abort_transaction(trans, ret2); btrfs_tree_unlock(c); free_extent_buffer(c); return ret; @@ -4587,9 +4615,12 @@ static noinline int btrfs_del_leaf(struct btrfs_trans_handle *trans, root_sub_used(root, leaf->len); atomic_inc(&leaf->refs); - btrfs_free_tree_block(trans, btrfs_root_id(root), leaf, 0, 1); + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), leaf, 0, 1); free_extent_buffer_stale(leaf); - return 0; + if (ret < 0) + btrfs_abort_transaction(trans, ret); + + return ret; } /* * delete the item at the leaf level in path. 
If that empties diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index b3680e1c7054..94fc86c9c65e 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -3290,10 +3290,10 @@ static noinline int check_ref_cleanup(struct btrfs_trans_handle *trans, return 0; } -void btrfs_free_tree_block(struct btrfs_trans_handle *trans, - u64 root_id, - struct extent_buffer *buf, - u64 parent, int last_ref) +int btrfs_free_tree_block(struct btrfs_trans_handle *trans, + u64 root_id, + struct extent_buffer *buf, + u64 parent, int last_ref) { struct btrfs_fs_info *fs_info = trans->fs_info; struct btrfs_ref generic_ref = { 0 }; @@ -3307,7 +3307,8 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans, if (root_id != BTRFS_TREE_LOG_OBJECTID) { btrfs_ref_tree_mod(fs_info, &generic_ref); ret = btrfs_add_delayed_tree_ref(trans, &generic_ref, NULL); - BUG_ON(ret); /* -ENOMEM */ + if (ret < 0) + return ret; } if (last_ref && btrfs_header_generation(buf) == trans->transid) { @@ -3371,6 +3372,7 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans, */ clear_bit(EXTENT_BUFFER_CORRUPT, &buf->bflags); } + return 0; } /* Can return -ENOMEM */ @@ -5474,7 +5476,7 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans, struct walk_control *wc) { struct btrfs_fs_info *fs_info = root->fs_info; - int ret; + int ret = 0; int level = wc->level; struct extent_buffer *eb = path->nodes[level]; u64 parent = 0; @@ -5565,12 +5567,14 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans, goto owner_mismatch; } - btrfs_free_tree_block(trans, btrfs_root_id(root), eb, parent, - wc->refs[level] == 1); + ret = btrfs_free_tree_block(trans, btrfs_root_id(root), eb, parent, + wc->refs[level] == 1); + if (ret < 0) + btrfs_abort_transaction(trans, ret); out: wc->refs[level] = 0; wc->flags[level] = 0; - return 0; + return ret; owner_mismatch: btrfs_err_rl(fs_info, "unexpected tree owner, have %llu expect %llu", diff --git a/fs/btrfs/extent-tree.h 
b/fs/btrfs/extent-tree.h index 88c249c37516..ef1c1c99294e 100644 --- a/fs/btrfs/extent-tree.h +++ b/fs/btrfs/extent-tree.h @@ -114,10 +114,10 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans, int level, u64 hint, u64 empty_size, enum btrfs_lock_nesting nest); -void btrfs_free_tree_block(struct btrfs_trans_handle *trans, - u64 root_id, - struct extent_buffer *buf, - u64 parent, int last_ref); +int btrfs_free_tree_block(struct btrfs_trans_handle *trans, + u64 root_id, + struct extent_buffer *buf, + u64 parent, int last_ref); int btrfs_alloc_reserved_file_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root, u64 owner, u64 offset, u64 ram_bytes, diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c index 7b598b070700..a0d8160b5375 100644 --- a/fs/btrfs/free-space-tree.c +++ b/fs/btrfs/free-space-tree.c @@ -1289,10 +1289,14 @@ int btrfs_delete_free_space_tree(struct btrfs_fs_info *fs_info) btrfs_tree_lock(free_space_root->node); btrfs_clear_buffer_dirty(trans, free_space_root->node); btrfs_tree_unlock(free_space_root->node); - btrfs_free_tree_block(trans, btrfs_root_id(free_space_root), - free_space_root->node, 0, 1); - + ret = btrfs_free_tree_block(trans, btrfs_root_id(free_space_root), + free_space_root->node, 0, 1); btrfs_put_root(free_space_root); + if (ret < 0) { + btrfs_abort_transaction(trans, ret); + btrfs_end_transaction(trans); + return ret; + } return btrfs_commit_transaction(trans); diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 5f0c9c3f3bbf..ae6806bc3929 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -707,6 +707,8 @@ static noinline int create_subvol(struct mnt_idmap *idmap, ret = btrfs_insert_root(trans, fs_info->tree_root, &key, root_item); if (ret) { + int ret2; + /* * Since we don't abort the transaction in this case, free the * tree block so that we don't leak space and leave the @@ -717,7 +719,9 @@ static noinline int create_subvol(struct mnt_idmap *idmap, 
btrfs_tree_lock(leaf); btrfs_clear_buffer_dirty(trans, leaf); btrfs_tree_unlock(leaf); - btrfs_free_tree_block(trans, objectid, leaf, 0, 1); + ret2 = btrfs_free_tree_block(trans, objectid, leaf, 0, 1); + if (ret2 < 0) + btrfs_abort_transaction(trans, ret2); free_extent_buffer(leaf); goto out; } diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index 74b82390fe84..1b9f4f16d124 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -1320,9 +1320,11 @@ int btrfs_quota_disable(struct btrfs_fs_info *fs_info) btrfs_tree_lock(quota_root->node); btrfs_clear_buffer_dirty(trans, quota_root->node); btrfs_tree_unlock(quota_root->node); - btrfs_free_tree_block(trans, btrfs_root_id(quota_root), - quota_root->node, 0, 1); + ret = btrfs_free_tree_block(trans, btrfs_root_id(quota_root), + quota_root->node, 0, 1); + if (ret < 0) + btrfs_abort_transaction(trans, ret); out: btrfs_put_root(quota_root); -- 2.34.1
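
The pattern this patch applies at every call site is the same: the helper returns the error instead of crashing, and the caller aborts the transaction and propagates the error. A minimal userspace sketch of that pattern follows, assuming hypothetical names throughout (struct sketch_trans, sketch_free_tree_block(), sketch_del_leaf()); the add_ref_result parameter simulates the return value of the delayed-reference call and is not part of any btrfs API.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, reduced model of a transaction handle. */
struct sketch_trans {
	bool aborted;	/* set once the transaction has been aborted */
	int abort_err;	/* error code that caused the abort */
};

/*
 * Stand-in for the freeing helper. add_ref_result simulates the result
 * of adding the delayed reference. Before the fix the equivalent of
 * this check was a BUG_ON(); now the error is returned to the caller.
 */
int sketch_free_tree_block(int add_ref_result)
{
	if (add_ref_result < 0)
		return add_ref_result;
	return 0;
}

/* Caller pattern: on failure, abort the transaction and pass the error up. */
int sketch_del_leaf(struct sketch_trans *trans, int add_ref_result)
{
	int ret;

	assert(trans != NULL);

	ret = sketch_free_tree_block(add_ref_result);
	if (ret < 0) {
		trans->aborted = true;
		trans->abort_err = ret;
	}
	return ret;
}
```

Aborting in the caller rather than in the helper lets each call site release its own locks and buffers first, which is what the longer hunks in __btrfs_cow_block() do.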

9 months, 4 weeks

[PATCH 6.6] drm/amd/display: Add NULL pointer check for kzalloc

by bin.lan.cn＠eng.windriver.com

From: Hersen Wu <hersenxs.wu(a)amd.com> [ Upstream commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 ] [Why & How] Check return pointer of kzalloc before using it. Reviewed-by: Alex Hung <alex.hung(a)amd.com> Acked-by: Wayne Lin <wayne.lin(a)amd.com> Signed-off-by: Hersen Wu <hersenxs.wu(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- .../gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c | 8 ++++++++ .../gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 8 ++++++++ drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 3 +++ drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 5 +++++ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c | 5 +++++ drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 2 ++ drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c | 2 ++ drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 5 +++++ drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 2 ++ 9 files changed, 40 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c index 3271c8c7905d..4e036356b6a8 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c @@ -560,11 +560,19 @@ void dcn3_clk_mgr_construct( dce_clock_read_ss_info(clk_mgr); clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); + if (!clk_mgr->base.bw_params) { + BREAK_TO_DEBUGGER(); + return; + } /* need physical address of table to give to PMFW */ clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), &clk_mgr->wm_range_table_addr); + if (!clk_mgr->wm_range_table) { + BREAK_TO_DEBUGGER(); + return; + } } void dcn3_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) diff --git 
a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c index 2428a4763b85..1c5ae4d62e37 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c @@ -1022,11 +1022,19 @@ void dcn32_clk_mgr_construct( clk_mgr->smu_present = false; clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); + if (!clk_mgr->base.bw_params) { + BREAK_TO_DEBUGGER(); + return; + } /* need physical address of table to give to PMFW */ clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), &clk_mgr->wm_range_table_addr); + if (!clk_mgr->wm_range_table) { + BREAK_TO_DEBUGGER(); + return; + } } void dcn32_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c index 88c0b24a3249..de83acd12250 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c @@ -2045,6 +2045,9 @@ bool dcn30_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + DC_FP_START(); out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); DC_FP_END(); diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c index 82de4fe2637f..84e3df49be2f 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c @@ -1308,6 +1308,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ 
hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], @@ -1764,6 +1766,9 @@ bool dcn31_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + DC_FP_START(); out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); DC_FP_END(); diff --git a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c index 3e65e683db0a..6e52851bc031 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c @@ -1381,6 +1381,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], @@ -1741,6 +1743,9 @@ bool dcn314_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + if (filter_modes_for_single_channel_workaround(dc, context)) goto validate_fail; diff --git a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c index 127487ea3d7d..3f3b555b4523 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c @@ -1308,6 +1308,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], diff --git a/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c b/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c index 5fe2c61527df..37b7973fc949 100644 --- 
a/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c @@ -1305,6 +1305,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, &hpo_dp_link_enc_regs[inst], diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c index f9d601c8c721..4d4ff13a2af8 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c @@ -1299,6 +1299,8 @@ static struct hpo_dp_link_encoder *dcn32_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ #undef REG_STRUCT #define REG_STRUCT hpo_dp_link_enc_regs @@ -1842,6 +1844,9 @@ bool dcn32_validate_bandwidth(struct dc *dc, BW_VAL_TRACE_COUNT(); + if (!pipes) + goto validate_fail; + DC_FP_START(); out = dcn32_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate); DC_FP_END(); diff --git a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c index aa4c64eec7b3..4289cd1643ec 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c @@ -1285,6 +1285,8 @@ static struct hpo_dp_link_encoder *dcn321_hpo_dp_link_encoder_create( /* allocate HPO link encoder */ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); + if (!hpo_dp_enc31) + return NULL; /* out of memory */ #undef REG_STRUCT #define REG_STRUCT hpo_dp_link_enc_regs -- 2.34.1

9 months, 4 weeks


[PATCH v2 2/2] x86/efi: Apply EFI Memory Attributes after kexec

by Nicolas Saenz Julienne

Kexec bypasses EFI's switch to virtual mode. In exchange, it has its own
routine, kexec_enter_virtual_mode(), which replays the mappings made by
the original kernel. Unfortunately, that function fails to reinstate
EFI's memory attributes, which would've otherwise been set after
entering virtual mode. Remediate this by calling
efi_runtime_update_mappings() within kexec's routine.

Cc: stable(a)vger.kernel.org
Fixes: 18141e89a76c ("x86/efi: Add support for EFI_MEMORY_ATTRIBUTES_TABLE")
Signed-off-by: Nicolas Saenz Julienne <nsaenz(a)amazon.com>
---

Notes:
    - Tested with QEMU/OVMF.

 arch/x86/platform/efi/efi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index 375ebd78296a..a7ff189421c3 100644
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -765,6 +765,7 @@ static void __init kexec_enter_virtual_mode(void)
 
 	efi_sync_low_kernel_mappings();
 	efi_native_runtime_setup();
+	efi_runtime_update_mappings();
 #endif
 }
-- 
2.40.1

9 months, 4 weeks


[PATCH 6.1] erofs: reliably distinguish block based and fscache mode

by Xiangyu Chen

From: Christian Brauner <brauner(a)kernel.org> commit 7af2ae1b1531feab5d38ec9c8f472dc6cceb4606 upstream. When erofs_kill_sb() is called in block dev based mode, s_bdev may not have been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled, it will be mistaken for fscache mode, and then attempt to free an anon_dev that has never been allocated, triggering the following warning: ============================================ ida_free called for id=0 which is not allocated. WARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140 Modules linked in: CPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630 RIP: 0010:ida_free+0x134/0x140 Call Trace: <TASK> erofs_kill_sb+0x81/0x90 deactivate_locked_super+0x35/0x80 get_tree_bdev+0x136/0x1e0 vfs_get_tree+0x2c/0xf0 do_new_mount+0x190/0x2f0 [...] ============================================ Now when erofs_kill_sb() is called, erofs_sb_info must have been initialised, so use sbi->fsid to distinguish between the two modes. Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jingbo Xu <jefflexu(a)linux.alibaba.com> Reviewed-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Link: https://lore.kernel.org/r/20240419123611.947084-3-libaokun1@huawei.com Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- fs/erofs/super.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/fs/erofs/super.c b/fs/erofs/super.c index 25cd66e487e8..5bb194558da5 100644 --- a/fs/erofs/super.c +++ b/fs/erofs/super.c @@ -892,7 +892,7 @@ static int erofs_init_fs_context(struct fs_context *fc) */ static void erofs_kill_sb(struct super_block *sb) { - struct erofs_sb_info *sbi; + struct erofs_sb_info *sbi = EROFS_SB(sb); WARN_ON(sb->s_magic != EROFS_SUPER_MAGIC); @@ -902,15 +902,11 @@ static 
void erofs_kill_sb(struct super_block *sb) return; } - if (erofs_is_fscache_mode(sb)) + if (IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND) && sbi->fsid) kill_anon_super(sb); else kill_block_super(sb); - sbi = EROFS_SB(sb); - if (!sbi) - return; - erofs_free_dev_context(sbi->devs); fs_put_dax(sbi->dax_dev, NULL); erofs_fscache_unregister_fs(sb); -- 2.25.1

9 months, 4 weeks


[PATCH 1/4] drm/i915/fb: Relax clear color alignment to 64 bytes

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com>

Mesa changed its clear color alignment from 4k to 64 bytes
without informing the kernel side about the change. This
is now likely to cause framebuffer creation to fail.

The only thing we do with the clear color buffer in i915 is:
1. map a single page
2. read out bytes 16-23 from said page
3. unmap the page

So the only requirement we really have is that those 8 bytes
are all contained within one page. Thus we can deal with the
Mesa regression by reducing the alignment requirement from 4k
to the same 64 bytes in the kernel. We could even go as low as
32 bytes, but IIRC 64 bytes is the hardware requirement on
the 3D engine side so matching that seems sensible.

Cc: stable(a)vger.kernel.org
Cc: Sagar Ghuge <sagar.ghuge(a)intel.com>
Cc: Nanley Chery <nanley.g.chery(a)intel.com>
Reported-by: Xi Ruoyao <xry111(a)xry111.site>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13057
Closes: https://lore.kernel.org/all/45a5bba8de009347262d86a4acb27169d9ae0d9f.camel@…
Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/17f97a69c13832a6c1b0b3aad…
Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com>
---
 drivers/gpu/drm/i915/display/intel_fb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_fb.c b/drivers/gpu/drm/i915/display/intel_fb.c
index 6a7060889f40..223c4218c019 100644
--- a/drivers/gpu/drm/i915/display/intel_fb.c
+++ b/drivers/gpu/drm/i915/display/intel_fb.c
@@ -1694,7 +1694,7 @@ int intel_fill_fb_info(struct drm_i915_private *i915, struct intel_framebuffer *
 		 * arithmetic related to alignment and offset calculation.
 		 */
 		if (is_gen12_ccs_cc_plane(&fb->base, i)) {
-			if (IS_ALIGNED(fb->base.offsets[i], PAGE_SIZE))
+			if (IS_ALIGNED(fb->base.offsets[i], 64))
 				continue;
 			else
 				return -EINVAL;
-- 
2.45.2
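The containment argument in the message (bytes 16-23 must sit inside a single page) can be checked with a small standalone sketch. This is not i915 code: CC_PAGE_SIZE, cc_read_fits_in_page() and all_aligned_offsets_fit() are hypothetical names, and a 4 KiB page size is assumed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: 4 KiB pages, matching the "4k" alignment in the message. */
#define CC_PAGE_SIZE 4096u

/* True if bytes 16..23 relative to 'offset' all lie within one page. */
static bool cc_read_fits_in_page(uint32_t offset)
{
	uint32_t first = offset + 16;	/* first byte read out */
	uint32_t last = offset + 23;	/* last byte read out */

	return first / CC_PAGE_SIZE == last / CC_PAGE_SIZE;
}

/* Check every offset below 'limit' that is a multiple of 'align'. */
static bool all_aligned_offsets_fit(uint32_t align, uint32_t limit)
{
	for (uint32_t off = 0; off < limit; off += align)
		if (!cc_read_fits_in_page(off))
			return false;
	return true;
}
```

Under these assumptions every 64-byte-aligned offset passes the check, while an offset with no useful alignment, such as 4076, straddles a page boundary (bytes 4092-4099).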

9 months, 4 weeks


[PATCH 1/2] drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com>

drm_mode_vrefresh() is trying to avoid divide by zero
by checking whether htotal or vtotal are zero. But we may
still end up with a div-by-zero of vtotal*htotal*...

Cc: stable(a)vger.kernel.org
Reported-by: syzbot+622bba18029bcde672e1(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=622bba18029bcde672e1
Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com>
---
 drivers/gpu/drm/drm_modes.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index 6ba167a33461..71573b85d924 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1287,14 +1287,11 @@ EXPORT_SYMBOL(drm_mode_set_name);
  */
 int drm_mode_vrefresh(const struct drm_display_mode *mode)
 {
-	unsigned int num, den;
+	unsigned int num = 1, den = 1;
 
 	if (mode->htotal == 0 || mode->vtotal == 0)
 		return 0;
 
-	num = mode->clock;
-	den = mode->htotal * mode->vtotal;
-
 	if (mode->flags & DRM_MODE_FLAG_INTERLACE)
 		num *= 2;
 	if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
@@ -1302,6 +1299,12 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
 	if (mode->vscan > 1)
 		den *= mode->vscan;
 
+	if (check_mul_overflow(mode->clock, num, &num))
+		return 0;
+
+	if (check_mul_overflow(mode->htotal * mode->vtotal, den, &den))
+		return 0;
+
 	return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
 }
 EXPORT_SYMBOL(drm_mode_vrefresh);
-- 
2.45.2
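To illustrate how the denominator can reach zero even when htotal and vtotal are both non-zero, here is a minimal userspace sketch. It assumes a 32-bit unsigned int and the GCC/Clang builtin __builtin_mul_overflow(); mul_overflows(), den_unchecked() and den_checked() are hypothetical helpers, not kernel functions, and unlike the patch the sketch checks both multiplications.

```c
#include <stdbool.h>

/*
 * Hypothetical stand-in for the kernel's check_mul_overflow(); relies on
 * the GCC/Clang builtin. Returns true if a * b does not fit in *res.
 */
static bool mul_overflows(unsigned int a, unsigned int b, unsigned int *res)
{
	return __builtin_mul_overflow(a, b, res);
}

/* Denominator computed without checks: the product wraps modulo 2^32. */
static unsigned int den_unchecked(unsigned int htotal, unsigned int vtotal,
				  unsigned int vscan)
{
	return htotal * vtotal * vscan;
}

/* Checked variant: reports failure instead of returning a wrapped value. */
static bool den_checked(unsigned int htotal, unsigned int vtotal,
			unsigned int vscan, unsigned int *den)
{
	unsigned int tmp;

	if (mul_overflows(htotal, vtotal, &tmp))
		return false;
	return !mul_overflows(tmp, vscan, den);
}
```

With htotal = vtotal = 0x8000 and vscan = 4 the true product is 2^32, so the unchecked version yields 0 and a later division would trap; the checked version reports the overflow so the caller can bail out early, as the patch does by returning 0.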

9 months, 4 weeks


[PATCH v6 0/3] clk: qcom: Add support for multiple power-domains for a clock controller.

by Bryan O'Donoghue

Changes in v6: - Passes NULL to second parameter of devm_pm_domain_attach_list - Vlad - Link to v5: https://lore.kernel.org/r/20241128-b4-linux-next-24-11-18-clock-multiple-po… Changes in v5: - In-lines devm_pm_domain_attach_list() in probe() directly - Vlad - Link to v4: https://lore.kernel.org/r/20241127-b4-linux-next-24-11-18-clock-multiple-po… v4: - Adds Bjorn's RB to first patch - Bjorn - Drops the 'd' in "and int" - Bjorn - Amends commit log of patch 3 to capture a number of open questions - Bjorn - Link to v3: https://lore.kernel.org/r/20241126-b4-linux-next-24-11-18-clock-multiple-po… v3: - Fixes commit log "per which" - Bryan - Link to v2: https://lore.kernel.org/r/20241125-b4-linux-next-24-11-18-clock-multiple-po… v2: The main change in this version is Bjorn's pointing out that pm_runtime_* inside of the gdsc_enable/gdsc_disable path would be recursive and cause a lockdep splat. Dmitry alluded to this too. Bjorn pointed to stuff being done lower in the gdsc_register() routine that might be a starting point. I iterated around that idea and came up with patch #3. When a gdsc has no parent and the pd_list is non-NULL then attach that orphan GDSC to the clock controller power-domain list. Existing subdomain code in gdsc_register() will connect the parent GDSCs in the clock-controller to the clock-controller subdomain, the new code here does that same job for a list of power-domains the clock controller depends on. To Dmitry's point about MMCX and MCX dependencies for the registers inside of the clock controller, I have switched off all references in a test dtsi and confirmed that accessing the clock-controller regs themselves isn't required. On the second point I also verified my test branch with lockdep on which was a concern with the pm_domain version of this solution but I wanted to cover it anyway with the new approach for completeness sake. 
Here's the item-by-item list of changes:

- Adds a patch to capture pm_genpd_add_subdomain() result code - Bryan
- Changes changelog of second patch to remove singleton and generally
  to make the commit log easier to understand - Bjorn
- Uses devm_pm_domain_attach_list - Vlad
- Changes error check to if (ret < 0 && ret != -EEXIST) - Vlad
- Retains passing &pd_data instead of NULL - because NULL doesn't do
  the same thing - Bryan/Vlad
- Retains standalone function qcom_cc_pds_attach() because the pd_data
  enumeration looks neater in a standalone function - Bryan/Vlad
- Drops pm_runtime in favour of gdsc_add_subdomain_list() for each
  power-domain in the pd_list.
  The pd_list will be whatever is pointed to by power-domains = <>
  in the dtsi - Bjorn
- Link to v1: https://lore.kernel.org/r/20241118-b4-linux-next-24-11-18-clock-multiple-po…

v1:
On x1e80100 and its SKUs the Camera Clock Controller - CAMCC has
multiple power-domains which power it. Usually with a single power-domain
the core platform code will automatically switch on the singleton
power-domain for you. If you have multiple power-domains for a device, in
this case the clock controller, you need to switch those power-domains
on/off yourself.

The clock controllers can also contain Global Distributed
Switch Controllers - GDSCs which themselves can be referenced from dtsi
nodes ultimately triggering a gdsc_en() in drivers/clk/qcom/gdsc.c.

As an example:

cci0: cci@ac4a000 {
	power-domains = <&camcc TITAN_TOP_GDSC>;
};

This series adds the support to attach a power-domain list to the
clock-controllers and the GDSCs those controllers provide so that in the
case of the above example gdsc_toggle_logic() will trigger the power-domain
list with pm_runtime_resume_and_get() and pm_runtime_put_sync()
respectively.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> --- Bryan O'Donoghue (3): clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code clk: qcom: common: Add support for power-domain attachment clk: qcom: Support attaching GDSCs to multiple parents drivers/clk/qcom/common.c | 6 ++++++ drivers/clk/qcom/gdsc.c | 41 +++++++++++++++++++++++++++++++++++++++-- drivers/clk/qcom/gdsc.h | 1 + 3 files changed, 46 insertions(+), 2 deletions(-) --- base-commit: 744cf71b8bdfcdd77aaf58395e068b7457634b2c change-id: 20241118-b4-linux-next-24-11-18-clock-multiple-power-domains-a5f994dc452a Best regards, -- Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>

9 months, 4 weeks


[PATCH 5.4/5.10 0/1] Backport fix for CVE-2023-52531

by Nikita Zhandarovich

This patch fixes CVE-2023-52531 [1] present in 5.4 and 5.10 stable kernels.
The vulnerability concerns flawed pointer arithmetic in iwlwifi driver
caused by use of spurious casting to (u8 *).

Original upstream commit [3] removed that cast but kept a change to
increment a pointer first and only then cast it to (void *) or other
type. However, as older branches did not receive commit 3827cb59b3b8
("iwlwifi: avoid void pointer arithmetic") [2], the aforementioned kept
change is also missing, which should be corrected and applied to other
vulnerable versions. This backport ensures that correction and keeps
away from dangerous void pointer arithmetic.

[PATCH 5.4/5.10 1/1] wifi: iwlwifi: mvm: Fix a memory corruption issue
Change 'channels' pointer before casting it to (void *). Fixes [1].

[1] https://nvd.nist.gov/vuln/detail/cve-2023-52531
[2] https://github.com/torvalds/linux/commit/3827cb59b3b8ce4b1687385d35034dadcd…
[3] https://github.com/torvalds/linux/commit/8ba438ef3cacc4808a63ed0ce24d4f0942…
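The difference between incrementing a pointer before and after a cast to (u8 *) can be sketched in plain C. The struct below is a hypothetical placeholder, not the iwlwifi or mac80211 type; only the fact that its size is larger than one byte matters.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical element type; only its size (more than 1 byte) matters. */
struct demo_channel {
	uint32_t center_freq;
	uint32_t flags;
};

/* Byte distance covered by "(u8 *)channels + 1": always a single byte. */
static ptrdiff_t step_after_byte_cast(struct demo_channel *channels)
{
	uint8_t *next = (uint8_t *)channels + 1;

	return next - (uint8_t *)channels;
}

/* Byte distance covered by "channels + 1": one whole element. */
static ptrdiff_t step_typed(struct demo_channel *channels)
{
	struct demo_channel *next = channels + 1;

	return (uint8_t *)next - (uint8_t *)channels;
}
```

Casting first moves the pointer by one byte, which lands inside the first element; incrementing the typed pointer first moves it past that element, which is the ordering the backport description asks for ("change 'channels' pointer before casting it").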

9 months, 4 weeks


[tip: timers/urgent] posix-timers: Target group sigqueue to current task only if not exiting

by tip-bot2 for Frederic Weisbecker

The following commit has been merged into the timers/urgent branch of tip:

Commit-ID:     63dffecfba3eddcf67a8f76d80e0c141f93d44a5
Gitweb:        https://git.kernel.org/tip/63dffecfba3eddcf67a8f76d80e0c141f93d44a5
Author:        Frederic Weisbecker <frederic(a)kernel.org>
AuthorDate:    Sat, 23 Nov 2024 00:48:11 +01:00
Committer:     Thomas Gleixner <tglx(a)linutronix.de>
CommitterDate: Fri, 29 Nov 2024 13:19:09 +01:00

posix-timers: Target group sigqueue to current task only if not exiting

A sigqueue belonging to a posix timer, whose target is not a specific
thread but a whole thread group, is preferably targeted to the current
task if it is part of that thread group.

However nothing prevents a posix timer event from queueing such a
sigqueue from a reaped yet running task. The interruptible code space
between exit_notify() and the final call to schedule() is enough for
posix_timer_fn() hrtimer to fire.

If that happens while the current task is part of the thread group
target, it is proposed to handle it but since its sighand pointer may
have been cleared already, the sigqueue is dropped even if there are
other tasks running within the group that could handle it.

As a result posix timers with thread group wide target may miss signals
when some of their threads are exiting.

Fix this by verifying that the current task hasn't been through
exit_notify() before proposing it as a preferred target so as to ensure
that its sighand is still here and stable.

complete_signal() might still reconsider the choice and find a better
target within the group if current has passed retarget_shared_pending()
already.
Fixes: bcb7ee79029d ("posix-timers: Prefer delivery of signals to the current thread") Reported-by: Anthony Mallet <anthony.mallet(a)laas.fr> Suggested-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Frederic Weisbecker <frederic(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20241122234811.60455-1-frederic@kernel.org Closes: https://lore.kernel.org/all/26411.57288.238690.681680@gargle.gargle.HOWL --- kernel/signal.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/signal.c b/kernel/signal.c index 98b65cb..989b1cc 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -1959,14 +1959,15 @@ static void posixtimer_queue_sigqueue(struct sigqueue *q, struct task_struct *t, * * Where type is not PIDTYPE_PID, signals must be delivered to the * process. In this case, prefer to deliver to current if it is in - * the same thread group as the target process, which avoids - * unnecessarily waking up a potentially idle task. + * the same thread group as the target process and its sighand is + * stable, which avoids unnecessarily waking up a potentially idle task. */ static inline struct task_struct *posixtimer_get_target(struct k_itimer *tmr) { struct task_struct *t = pid_task(tmr->it_pid, tmr->it_pid_type); - if (t && tmr->it_pid_type != PIDTYPE_PID && same_thread_group(t, current)) + if (t && tmr->it_pid_type != PIDTYPE_PID && + same_thread_group(t, current) && !current->exit_state) t = current; return t; }
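The selection rule changed by the hunk above can be modelled outside the kernel. The following is a heavily simplified sketch: struct demo_task, demo_same_thread_group() and demo_get_target() are hypothetical stand-ins, and the thread_specific flag stands in for the it_pid_type == PIDTYPE_PID case.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, heavily simplified stand-in for struct task_struct. */
struct demo_task {
	int tgid;	/* thread group id */
	int exit_state;	/* assumed non-zero once the task has passed exit_notify() */
};

static bool demo_same_thread_group(const struct demo_task *a,
				   const struct demo_task *b)
{
	return a->tgid == b->tgid;
}

/*
 * Mirrors the condition in the patch: for a group-wide timer, prefer
 * 'current' only if it belongs to the target's thread group and has not
 * started exiting. Otherwise keep the task looked up from the timer.
 */
static const struct demo_task *demo_get_target(const struct demo_task *t,
					       const struct demo_task *current,
					       bool thread_specific)
{
	if (t && !thread_specific &&
	    demo_same_thread_group(t, current) && !current->exit_state)
		return current;
	return t;
}
```

In this model an exiting thread is never chosen as the preferred target, so the signal stays with the task found via the timer's pid and can still be handled by another thread of the group.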

9 months, 4 weeks


[PATCH net 14/14] can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6.

by Marc Kleine-Budde

Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround
broken TEF FIFO tail index erratum") introduced
mcp251xfd_get_tef_len() to get the number of unhandled transmit events
from the Transmit Event FIFO (TEF).

As the TEF has no head index, the driver uses the TX-FIFO's tail index
instead, assuming that sent frames are completed.

When calculating the number of unhandled TEF events, that commit
didn't take mcp2518fd erratum DS80000789E 6. into account. According
to that erratum, the FIFOCI bits of a FIFOSTA register, here the
TX-FIFO tail index might be corrupted.

However here it seems the bit indicating that the TX-FIFO is
empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the
TX-FIFO tail index is.

Assume that the TX-FIFO is indeed empty if:
- Chip's head and tail index are equal (len == 0).
- The TX-FIFO is less than half full.
  (The TX-FIFO empty case has already been checked at the
   beginning of this function.)
- No free buffers in the TX ring.

If the TX-FIFO is assumed to be empty, assume that the TEF is full and
return the number of elements in the TX-FIFO (which equals the number
of TEF elements).

If these assumptions are false, the driver might read too many objects
from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers
and will refuse to process old events.
Reported-by: Renjaya Raga Zenta <renjaya.zenta(a)formulatrix.com> Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7Gg… Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") Tested-by: Renjaya Raga Zenta <renjaya.zenta(a)formulatrix.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20241126-mcp251xfd-fix-length-calculation-v2-1-c2e… Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c index d3ac865933fd..e94321849fd7 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c @@ -21,6 +21,11 @@ static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta) return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; } +static inline bool mcp251xfd_tx_fifo_sta_less_than_half_full(u32 fifo_sta) +{ + return fifo_sta & MCP251XFD_REG_FIFOSTA_TFHRFHIF; +} + static inline int mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv, u8 *tef_tail) @@ -147,7 +152,29 @@ mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p) BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len)); len = (chip_tx_tail << shift) - (tail << shift); - *len_p = len >> shift; + len >>= shift; + + /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI + * bits of a FIFOSTA register, here the TX-FIFO tail index + * might be corrupted. + * + * However here it seems the bit indicating that the TX-FIFO + * is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct + * while the TX-FIFO tail index is. + * + * We assume the TX-FIFO is empty, i.e. all pending CAN frames + * haven been send, if: + * - Chip's head and tail index are equal (len == 0). + * - The TX-FIFO is less than half full. 
+ * (The TX-FIFO empty case has already been checked at the + * beginning of this function.) + * - No free buffers in the TX ring. + */ + if (len == 0 && mcp251xfd_tx_fifo_sta_less_than_half_full(fifo_sta) && + mcp251xfd_get_tx_free(tx_ring) == 0) + len = tx_ring->obj_num; + + *len_p = len; return 0; } -- 2.45.2
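The length calculation and the new fallback can be sketched in userspace C. This is a simplified model, not the driver code: demo_shift_to_u8() and demo_tef_len() are hypothetical names, the ring size is assumed to be a power of two no larger than 128, and the early "TX-FIFO empty" check at the start of the real function is left out.

```c
#include <stdbool.h>
#include <stdint.h>

/* Shift that moves a ring index into the top bits of a u8. */
static uint8_t demo_shift_to_u8(uint8_t obj_num)
{
	uint8_t bits = 0;

	while ((1u << bits) < obj_num)
		bits++;
	return 8 - bits;
}

static uint8_t demo_tef_len(uint8_t chip_tx_tail, uint8_t tail,
			    uint8_t obj_num, bool less_than_half_full,
			    uint8_t tx_free)
{
	uint8_t shift = demo_shift_to_u8(obj_num);
	uint8_t len;

	/* Modular difference of the two ring indices, done in u8 space. */
	len = (uint8_t)((chip_tx_tail << shift) - (tail << shift));
	len >>= shift;

	/*
	 * Workaround from the patch: equal indices, FIFO reported as less
	 * than half full and no free TX buffers means "all frames sent".
	 */
	if (len == 0 && less_than_half_full && tx_free == 0)
		len = obj_num;

	return len;
}
```

For an 8-entry ring, a chip tail of 1 and a driver tail of 7 give a length of 2 because the shifted subtraction wraps correctly. Equal indices normally give 0, but with the "less than half full" flag set and no free TX buffers the sketch returns the full ring size, as the patch does.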

9 months, 4 weeks


[PATCH net 01/14] can: dev: can_set_termination(): allow sleeping GPIOs

by Marc Kleine-Budde

In commit 6e86a1543c37 ("can: dev: provide optional GPIO based
termination support") GPIO based termination support was added.

For no particular reason that patch uses gpiod_set_value() to set the
GPIO. This leads to the following warning, if the system uses a
sleeping GPIO, i.e. behind an I2C port expander:

| WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c
| CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c

Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the
use of sleeping GPIOs.

Cc: Nicolai Buchwitz <nb(a)tipi-net.de>
Cc: Lino Sanfilippo <l.sanfilippo(a)kunbus.com>
Cc: stable(a)vger.kernel.org
Reported-by: Leonard Göhrs <l.goehrs(a)pengutronix.de>
Tested-by: Leonard Göhrs <l.goehrs(a)pengutronix.de>
Fixes: 6e86a1543c37 ("can: dev: provide optional GPIO based termination support")
Link: https://patch.msgid.link/20241121-dev-fix-can_set_termination-v1-1-41fa6e29…
Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de>
---
 drivers/net/can/dev/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index 6792c14fd7eb..681643ab3780 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -468,7 +468,7 @@ static int can_set_termination(struct net_device *ndev, u16 term)
 	else
 		set = 0;
 
-	gpiod_set_value(priv->termination_gpio, set);
+	gpiod_set_value_cansleep(priv->termination_gpio, set);
 
 	return 0;
 }

base-commit: 9bb88c659673003453fd42e0ddf95c9628409094
-- 
2.45.2

9 months, 4 weeks


+ mm-respect-mmap-hint-address-when-aligning-for-thp.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: Respect mmap hint address when aligning for THP has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-respect-mmap-hint-address-when-aligning-for-thp.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kalesh Singh <kaleshsingh(a)google.com> Subject: mm: Respect mmap hint address when aligning for THP Date: Mon, 18 Nov 2024 13:46:48 -0800 Commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") updated __get_unmapped_area() to align the start address for the VMA to a PMD boundary if CONFIG_TRANSPARENT_HUGEPAGE=y. It does this by effectively looking up a region that is of size, request_size + PMD_SIZE, and aligning up the start to a PMD boundary. Commit 4ef9ad19e176 ("mm: huge_memory: don't force huge page alignment on 32 bit") opted out of this for 32bit due to regressions in mmap base randomization. Commit d4148aeab412 ("mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes") restricted this to only mmap sizes that are multiples of the PMD_SIZE due to reported regressions in some performance benchmarks -- which seemed mostly due to the reduced spatial locality of related mappings due to the forced PMD-alignment. 
Another unintended side effect has emerged: When a user specifies an mmap
hint address, the THP alignment logic modifies the behavior, potentially
ignoring the hint even if a sufficiently large gap exists at the requested
hint location.

Example Scenario:

Consider the following simplified virtual address (VA) space:

    ...

    0x200000-0x400000 --- VMA A
    0x400000-0x600000 --- Hole
    0x600000-0x800000 --- VMA B

    ...

A call to mmap() with hint=0x400000 and len=0x200000 behaves differently:

  - Before THP alignment: The requested region (size 0x200000) fits into
    the gap at 0x400000, so the hint is respected.

  - After alignment: The logic searches for a region of size
    0x400000 (len + PMD_SIZE) starting at 0x400000.
    This search fails due to the mapping at 0x600000 (VMA B), and the hint
    is ignored, falling back to arch_get_unmapped_area[_topdown]().

In general the hint is effectively ignored if there is any existing
mapping in the range below:

     [mmap_hint + mmap_size, mmap_hint + mmap_size + PMD_SIZE)

This changes the semantics of the mmap hint from "Respect the hint if a
sufficiently large gap exists at the requested location" to "Respect the
hint only if an additional PMD-sized gap exists beyond the requested
size".

This has performance implications for allocators that allocate their heap
using mmap but try to keep it "as contiguous as possible" by using the end
of the existing heap as the address hint. With the new behavior it's more
likely to get a much less contiguous heap, adding extra fragmentation and
performance overhead.

To restore the expected behavior, don't use
thp_get_unmapped_area_vmflags() when the user provided a hint address, for
anonymous mappings.

Note: As Yang Shi pointed out: the issue still remains for filesystems
which are using thp_get_unmapped_area() for their get_unmapped_area() op.
It is unclear what workloads will regress if we ignore THP alignment
when the hint address is provided for such file backed mappings -- so this
fix will be handled separately.
Link: https://lkml.kernel.org/r/20241118214650.3667577-1-kaleshsingh@google.com Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") Signed-off-by: Kalesh Singh <kaleshsingh(a)google.com> Reviewed-by: Rik van Riel <riel(a)surriel.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yang Shi <yang(a)os.amperecomputing.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Hans Boehm <hboehm(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mmap.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/mmap.c~mm-respect-mmap-hint-address-when-aligning-for-thp +++ a/mm/mmap.c @@ -893,6 +893,7 @@ __get_unmapped_area(struct file *file, u if (get_area) { addr = get_area(file, addr, len, pgoff, flags); } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) + && !addr /* no hint */ && IS_ALIGNED(len, PMD_SIZE)) { /* Ensures that larger anonymous mappings are THP aligned. */ addr = thp_get_unmapped_area_vmflags(file, addr, len, _ Patches currently in -mm which might be from kaleshsingh(a)google.com are mm-respect-mmap-hint-address-when-aligning-for-thp.patch
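The example scenario from the changelog can be replayed with a few lines of arithmetic. This is only a model of the gap check, not the kernel's search code: DEMO_PMD_SIZE and demo_hint_respected() are hypothetical names, and a 2 MiB PMD size is assumed because that matches the 0x200000 used in the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: 2 MiB PMD size, matching the 0x200000 in the example. */
#define DEMO_PMD_SIZE 0x200000ull

/*
 * True if a mapping of 'len' bytes at 'hint' is accepted, given that the
 * next existing mapping starts at 'next_vma_start'. With THP alignment
 * the search asks for len + PMD_SIZE bytes, as the changelog describes.
 */
static bool demo_hint_respected(uint64_t hint, uint64_t len,
				uint64_t next_vma_start, bool thp_align)
{
	uint64_t search_len = len + (thp_align ? DEMO_PMD_SIZE : 0);

	return hint + search_len <= next_vma_start;
}
```

With hint=0x400000, len=0x200000 and VMA B starting at 0x600000, the plain search accepts the hint while the THP-aligned search rejects it; the hint only survives THP alignment if the hole extends a further PMD_SIZE, for example up to 0x800000.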

9 months, 4 weeks


[PATCH] arch_numa: Restore nid checks before registering a memblock with a node

by Marc Zyngier

Commit 767507654c22 ("arch_numa: switch over to numa_memblks") significantly cleaned up the NUMA registration code, but also dropped a significant check that was refusing to accept to configure a memblock with an invalid nid. On "quality hardware" such as my ThunderX machine, this results in a kernel that dies immediately: [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x431f0a10] [ 0.000000] Linux version 6.12.0-00013-g8920d74cf8db (maz@valley-girl) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #3872 SMP PREEMPT Wed Nov 27 15:25:49 GMT 2024 [ 0.000000] KASLR disabled due to lack of seed [ 0.000000] Machine model: Cavium ThunderX CN88XX board [ 0.000000] efi: EFI v2.4 by American Megatrends [ 0.000000] efi: ESRT=0xffce0ff18 SMBIOS 3.0=0xfffb0000 ACPI 2.0=0xffec60000 MEMRESERVE=0xffc905d98 [ 0.000000] esrt: Reserving ESRT space from 0x0000000ffce0ff18 to 0x0000000ffce0ff50. [ 0.000000] earlycon: pl11 at MMIO 0x000087e024000000 (options '115200n8') [ 0.000000] printk: legacy bootconsole [pl11] enabled [ 0.000000] NODE_DATA(0) allocated [mem 0xff6754580-0xff67566bf] [ 0.000000] Unable to handle kernel paging request at virtual address 0000000000001d40 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x0000000096000004 [ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] FSC = 0x04: level 0 translation fault [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 0.000000] [0000000000001d40] user address but active_mm is swapper [ 0.000000] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.12.0-00013-g8920d74cf8db #3872 [ 0.000000] Hardware name: Cavium ThunderX CN88XX board (DT) [ 0.000000] pstate: a00000c5 (NzCv daIF -PAN -UAO -TCO 
-DIT -SSBS BTYPE=--) [ 0.000000] pc : sparse_init_nid+0x54/0x428 [ 0.000000] lr : sparse_init+0x118/0x240 [ 0.000000] sp : ffff800081da3cb0 [ 0.000000] x29: ffff800081da3cb0 x28: 0000000fedbab10c x27: 0000000000000001 [ 0.000000] x26: 0000000ffee250f8 x25: 0000000000000001 x24: ffff800082102cd0 [ 0.000000] x23: 0000000000000001 x22: 0000000000000000 x21: 00000000001fffff [ 0.000000] x20: 0000000000000001 x19: 0000000000000000 x18: ffffffffffffffff [ 0.000000] x17: 0000000001b00000 x16: 0000000ffd130000 x15: 0000000000000000 [ 0.000000] x14: 00000000003e0000 x13: 00000000000001c8 x12: 0000000000000014 [ 0.000000] x11: ffff800081e82860 x10: ffff8000820fb2c8 x9 : ffff8000820fb490 [ 0.000000] x8 : 0000000000ffed20 x7 : 0000000000000014 x6 : 00000000001fffff [ 0.000000] x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000000 [ 0.000000] x2 : 0000000000000000 x1 : 0000000000000040 x0 : 0000000000000007 [ 0.000000] Call trace: [ 0.000000] sparse_init_nid+0x54/0x428 [ 0.000000] sparse_init+0x118/0x240 [ 0.000000] bootmem_init+0x70/0x1c8 [ 0.000000] setup_arch+0x184/0x270 [ 0.000000] start_kernel+0x74/0x670 [ 0.000000] __primary_switched+0x80/0x90 [ 0.000000] Code: f865d804 d37df060 cb030000 d2800003 (b95d4084) [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- while previous kernel versions were able to recognise how brain-damaged the machine is, and only build a fake node. Restoring the check brings back some sanity and a "working" system. 
Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks")
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: Mike Rapoport <rppt(a)kernel.org>
Cc: Catalin Marinas <catalin.marinas(a)arm.com>
Cc: Will Deacon <will(a)kernel.org>
Cc: Zi Yan <ziy(a)nvidia.com>
Cc: Dan Williams <dan.j.williams(a)intel.com>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: Andrew Morton <akpm(a)linux-foundation.org>
Cc: stable(a)vger.kernel.org
---
 drivers/base/arch_numa.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/base/arch_numa.c b/drivers/base/arch_numa.c
index e187016764265..5457248eb0811 100644
--- a/drivers/base/arch_numa.c
+++ b/drivers/base/arch_numa.c
@@ -207,7 +207,21 @@ static void __init setup_node_data(int nid, u64 start_pfn, u64 end_pfn)
 static int __init numa_register_nodes(void)
 {
 	int nid;
-
+	struct memblock_region *mblk;
+
+	/* Check that valid nid is set to memblks */
+	for_each_mem_region(mblk) {
+		int mblk_nid = memblock_get_region_node(mblk);
+		phys_addr_t start = mblk->base;
+		phys_addr_t end = mblk->base + mblk->size - 1;
+
+		if (mblk_nid == NUMA_NO_NODE || mblk_nid >= MAX_NUMNODES) {
+			pr_warn("Warning: invalid memblk node %d [mem %pap-%pap]\n",
+				mblk_nid, &start, &end);
+			return -EINVAL;
+		}
+	}
+
 	/* Finally register nodes. */
 	for_each_node_mask(nid, numa_nodes_parsed) {
 		unsigned long start_pfn, end_pfn;
-- 
2.39.2
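
Not part of the patch: a minimal userspace sketch of the validation loop that the diff restores, for readers who want to see the check in isolation. The struct, the function name and the two constants are hypothetical stand-ins (the kernel's MAX_NUMNODES depends on the configuration), and nothing here touches memblock itself.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for NUMA_NO_NODE and MAX_NUMNODES. */
#define SKETCH_NUMA_NO_NODE  (-1)
#define SKETCH_MAX_NUMNODES  4

/* Simplified stand-in for a memblock region: base, size and node id. */
struct sketch_region {
	uint64_t base;
	uint64_t size;
	int nid;
};

/*
 * Return the index of the first region whose node id is unset or out of
 * range, or -1 if every region carries a usable node id. The patch bails
 * out with -EINVAL at the equivalent point instead of returning an index.
 */
static int sketch_first_invalid_region(const struct sketch_region *regions,
				       size_t count)
{
	for (size_t i = 0; i < count; i++) {
		int nid = regions[i].nid;

		if (nid == SKETCH_NUMA_NO_NODE || nid >= SKETCH_MAX_NUMNODES)
			return (int)i;
	}
	return -1;
}
```

A caller would refuse to register any node when the result is not -1, which corresponds to the "only build a fake node" fallback described in the commit message.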

9 months, 4 weeks


[merged] arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: arch_numa: restore nid checks before registering a memblock with a node has been removed from the -mm tree. Its filename was arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Marc Zyngier <maz(a)kernel.org> Subject: arch_numa: restore nid checks before registering a memblock with a node Date: Wed, 27 Nov 2024 19:30:00 +0000 Commit 767507654c22 ("arch_numa: switch over to numa_memblks") significantly cleaned up the NUMA registration code, but also dropped a significant check that was refusing to accept to configure a memblock with an invalid nid. On "quality hardware" such as my ThunderX machine, this results in a kernel that dies immediately: [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x431f0a10] [ 0.000000] Linux version 6.12.0-00013-g8920d74cf8db (maz@valley-girl) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #3872 SMP PREEMPT Wed Nov 27 15:25:49 GMT 2024 [ 0.000000] KASLR disabled due to lack of seed [ 0.000000] Machine model: Cavium ThunderX CN88XX board [ 0.000000] efi: EFI v2.4 by American Megatrends [ 0.000000] efi: ESRT=0xffce0ff18 SMBIOS 3.0=0xfffb0000 ACPI 2.0=0xffec60000 MEMRESERVE=0xffc905d98 [ 0.000000] esrt: Reserving ESRT space from 0x0000000ffce0ff18 to 0x0000000ffce0ff50. 
[ 0.000000] earlycon: pl11 at MMIO 0x000087e024000000 (options '115200n8') [ 0.000000] printk: legacy bootconsole [pl11] enabled [ 0.000000] NODE_DATA(0) allocated [mem 0xff6754580-0xff67566bf] [ 0.000000] Unable to handle kernel paging request at virtual address 0000000000001d40 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x0000000096000004 [ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] FSC = 0x04: level 0 translation fault [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 0.000000] [0000000000001d40] user address but active_mm is swapper [ 0.000000] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.12.0-00013-g8920d74cf8db #3872 [ 0.000000] Hardware name: Cavium ThunderX CN88XX board (DT) [ 0.000000] pstate: a00000c5 (NzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.000000] pc : sparse_init_nid+0x54/0x428 [ 0.000000] lr : sparse_init+0x118/0x240 [ 0.000000] sp : ffff800081da3cb0 [ 0.000000] x29: ffff800081da3cb0 x28: 0000000fedbab10c x27: 0000000000000001 [ 0.000000] x26: 0000000ffee250f8 x25: 0000000000000001 x24: ffff800082102cd0 [ 0.000000] x23: 0000000000000001 x22: 0000000000000000 x21: 00000000001fffff [ 0.000000] x20: 0000000000000001 x19: 0000000000000000 x18: ffffffffffffffff [ 0.000000] x17: 0000000001b00000 x16: 0000000ffd130000 x15: 0000000000000000 [ 0.000000] x14: 00000000003e0000 x13: 00000000000001c8 x12: 0000000000000014 [ 0.000000] x11: ffff800081e82860 x10: ffff8000820fb2c8 x9 : ffff8000820fb490 [ 0.000000] x8 : 0000000000ffed20 x7 : 0000000000000014 x6 : 00000000001fffff [ 0.000000] x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000000 [ 0.000000] x2 : 0000000000000000 x1 : 0000000000000040 x0 : 0000000000000007 
[ 0.000000] Call trace: [ 0.000000] sparse_init_nid+0x54/0x428 [ 0.000000] sparse_init+0x118/0x240 [ 0.000000] bootmem_init+0x70/0x1c8 [ 0.000000] setup_arch+0x184/0x270 [ 0.000000] start_kernel+0x74/0x670 [ 0.000000] __primary_switched+0x80/0x90 [ 0.000000] Code: f865d804 d37df060 cb030000 d2800003 (b95d4084) [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- while previous kernel versions were able to recognise how brain-damaged the machine is, and only build a fake node. Restoring the check brings back some sanity and a "working" system. Link: https://lkml.kernel.org/r/20241127193000.3702637-1-maz@kernel.org Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks") Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Zi Yan <ziy(a)nvidia.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/base/arch_numa.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/drivers/base/arch_numa.c~arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node +++ a/drivers/base/arch_numa.c @@ -207,7 +207,21 @@ static void __init setup_node_data(int n static int __init numa_register_nodes(void) { int nid; + struct memblock_region *mblk; + /* Check that valid nid is set to memblks */ + for_each_mem_region(mblk) { + int mblk_nid = memblock_get_region_node(mblk); + phys_addr_t start = mblk->base; + phys_addr_t end = mblk->base + mblk->size - 1; + + if (mblk_nid == NUMA_NO_NODE || mblk_nid >= MAX_NUMNODES) { + pr_warn("Warning: invalid memblk node %d [mem %pap-%pap]\n", + mblk_nid, &start, &end); + return -EINVAL; + } + } + /* Finally register nodes. 
*/ for_each_node_mask(nid, numa_nodes_parsed) { unsigned long start_pfn, end_pfn; _ Patches currently in -mm which might be from maz(a)kernel.org are

9 months, 4 weeks


+ mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: reinstate ability to map write-sealed memfd mappings read-only has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: reinstate ability to map write-sealed memfd mappings read-only Date: Thu, 28 Nov 2024 15:06:17 +0000 Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. 
Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. 
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/memfd.h | 14 +++++++++ include/linux/mm.h | 58 +++++++++++++++++++++++++++------------- mm/memfd.c | 2 - mm/mmap.c | 4 ++ 4 files changed, 59 insertions(+), 19 deletions(-) --- a/include/linux/memfd.h~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_ { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? 
*sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ --- a/include/linux/mm.h~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/include/linux/mm.h @@ -4091,6 +4091,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4102,24 +4133,15 @@ static inline void mem_dump_obj(void *ob */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; - - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. 
For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + if (!is_write_sealed(seals)) + return 0; + + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } --- a/mm/memfd.c~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct ad return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; --- a/mm/mmap.c~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ)) _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch docs-mm-add-vma-locks-documentation.patch docs-mm-add-vma-locks-documentation-v3.patch docs-mm-add-vma-locks-documentation-fix.patch
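
Not part of the patch: a small userspace sketch of the decision that is_readonly_sealed() and the new do_mmap() branch encode, which may help when reading the diff above. The SK_-prefixed constants are redefined here as stand-ins (they are intended to mirror the Linux values for the seal and VMA flags, but treat that as an assumption), and sk_adjust_shared_flags() is a hypothetical helper, not a kernel function.

```c
#include <stdbool.h>

/* Stand-in constants; assumed to mirror the kernel's seal and VMA flag bits. */
#define SK_F_SEAL_WRITE         0x0008u
#define SK_F_SEAL_FUTURE_WRITE  0x0010u
#define SK_VM_WRITE             0x00000002ul
#define SK_VM_SHARED            0x00000008ul
#define SK_VM_MAYWRITE          0x00000020ul

/* True if either write seal is set on the memfd. */
static bool sk_is_write_sealed(unsigned int seals)
{
	return (seals & (SK_F_SEAL_WRITE | SK_F_SEAL_FUTURE_WRITE)) != 0;
}

/* True for a write-sealed memfd that is mapped shared but not writable. */
static bool sk_is_readonly_sealed(unsigned int seals, unsigned long vm_flags)
{
	return sk_is_write_sealed(seals) &&
	       (vm_flags & (SK_VM_SHARED | SK_VM_WRITE)) == SK_VM_SHARED;
}

/*
 * Hypothetical helper: drop VM_MAYWRITE for read-only shared mappings of a
 * write-sealed memfd, so that a later mprotect(PROT_WRITE) cannot succeed.
 */
static unsigned long sk_adjust_shared_flags(unsigned int seals,
					    unsigned long vm_flags)
{
	if (sk_is_readonly_sealed(seals, vm_flags))
		vm_flags &= ~SK_VM_MAYWRITE;
	return vm_flags;
}
```

Private mappings are left alone because they must stay COW-writable, and shared writable mappings are not handled here at all: seal_check_write() rejects them with -EPERM.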

9 months, 4 weeks


+ mm-memcg-declare-do_memsw_account-inline.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: mm: memcg: declare do_memsw_account inline
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     mm-memcg-declare-do_memsw_account-inline.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: John Sperbeck <jsperbeck(a)google.com>
Subject: mm: memcg: declare do_memsw_account inline
Date: Thu, 28 Nov 2024 12:39:59 -0800

In commit 66d60c428b23 ("mm: memcg: move legacy memcg event code into
memcontrol-v1.c"), the static do_memsw_account() function was moved from a
.c file to a .h file.  Unfortunately, the traditional inline keyword
wasn't added.  If a file (e.g., a unit test) includes the .h file, but
doesn't refer to do_memsw_account(), it will get a warning like:

mm/memcontrol-v1.h:41:13: warning: unused function 'do_memsw_account' [-Wunused-function]
   41 | static bool do_memsw_account(void)
      |             ^~~~~~~~~~~~~~~~

Link: https://lkml.kernel.org/r/20241128203959.726527-1-jsperbeck@google.com
Fixes: 66d60c428b23 ("mm: memcg: move legacy memcg event code into memcontrol-v1.c")
Signed-off-by: John Sperbeck <jsperbeck(a)google.com>
Acked-by: Roman Gushchin <roman.gushchin(a)linux.dev>
Cc: Johannes Weiner <hannes(a)cmpxchg.org>
Cc: Michal Hocko <mhocko(a)kernel.org>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Shakeel Butt <shakeel.butt(a)linux.dev>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/memcontrol-v1.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memcontrol-v1.h~mm-memcg-declare-do_memsw_account-inline
+++ a/mm/memcontrol-v1.h
@@ -38,7 +38,7 @@ void mem_cgroup_id_put_many(struct mem_c
 	     iter = mem_cgroup_iter(NULL, iter, NULL))
 
 /* Whether legacy memory+swap accounting is active */
-static bool do_memsw_account(void)
+static inline bool do_memsw_account(void)
 {
 	return !cgroup_subsys_on_dfl(memory_cgrp_subsys);
 }
_

Patches currently in -mm which might be from jsperbeck(a)google.com are

mm-memcg-declare-do_memsw_account-inline.patch
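
Not part of the patch: a tiny sketch of the pattern the fix applies, using a hypothetical helper name and parameter rather than the real memcg function. GCC documents -Wunused-function as covering non-inline static functions, so a helper defined in a header is conventionally marked static inline to keep includers that never call it warning-free.

```c
#include <stdbool.h>

/*
 * Hypothetical header-style helper. With plain "static bool", a file that
 * includes the header without calling the helper can trigger
 * -Wunused-function; "static inline" is the usual way to avoid that.
 */
static inline bool sketch_legacy_accounting(bool on_default_hierarchy)
{
	/* Legacy accounting applies only off the default hierarchy. */
	return !on_default_hierarchy;
}
```

The behaviour of the function is unchanged by the keyword; only the diagnostics for translation units that do not use it differ.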

9 months, 4 weeks


[PATCH] btrfs: do proper folio cleanup when cow_file_range() failed

by Qu Wenruo

[BUG]
When testing with COW fixup marked as BUG_ON() (this is related to the new pin_user_pages*() change, which should not result in new out-of-band dirty pages), I hit a crash triggered by the BUG_ON() in the COW fixup path.

This BUG_ON() happens just after a failed btrfs_run_delalloc_range():

 BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28
 ------------[ cut here ]------------
 kernel BUG at fs/btrfs/extent_io.c:1444!
 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
 CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86
 Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
 Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
 pc : extent_writepage_io+0x2d4/0x308 [btrfs]
 lr : extent_writepage_io+0x2d4/0x308 [btrfs]
 Call trace:
  extent_writepage_io+0x2d4/0x308 [btrfs]
  extent_writepage+0x218/0x330 [btrfs]
  extent_write_cache_pages+0x1d4/0x4b0 [btrfs]
  btrfs_writepages+0x94/0x150 [btrfs]
  do_writepages+0x74/0x190
  filemap_fdatawrite_wbc+0x88/0xc8
  start_delalloc_inodes+0x180/0x3b0 [btrfs]
  btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
  shrink_delalloc+0x114/0x280 [btrfs]
  flush_space+0x250/0x2f8 [btrfs]
  btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
  process_one_work+0x164/0x408
  worker_thread+0x25c/0x388
  kthread+0x100/0x118
  ret_from_fork+0x10/0x20
 Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)
 ---[ end trace 0000000000000000 ]---

[CAUSE]
That failure is mostly from cow_file_range(), where we can hit -ENOSPC.

Although the -ENOSPC is already a bug related to our space reservation code, let's just focus on the error handling.
For example, we have the following dirty range [0, 64K) of an inode, with 4K sector size and 4K page size:

   0        16K       32K       48K       64K
   |///////////////////////////////////////|
   |#######################################|

Where |///| means the pages are still dirty, and |###| means the extent io tree has the EXTENT_DELALLOC flag set.

- Enter extent_writepage() for page 0

- Enter btrfs_run_delalloc_range() for range [0, 64K)

- Enter cow_file_range() for range [0, 64K)

- Function btrfs_reserve_extent() only reserved one 16K extent
  So we created an extent map and an ordered extent for range [0, 16K):

   0        16K       32K       48K       64K
   |////////|//////////////////////////////|
   |<- OE ->|##############################|

  And range [0, 16K) has its delalloc flag cleared.
  But since we haven't yet submitted any bio, the 4 pages involved are still dirty.

- Function btrfs_reserve_extent() returns -ENOSPC
  Now we have to run the error cleanup, which will clear all EXTENT_DELALLOC* flags and clear the dirty flags for the remaining ranges:

   0        16K       32K       48K       64K
   |////////|                              |
   |        |                              |

  Note that the pages in range [0, 16K) are still dirty.

- Some time later, writeback is triggered again for range [0, 16K), since the pages in that range still have their dirty flags set.

- btrfs_run_delalloc_range() will do nothing because there is no EXTENT_DELALLOC flag.

- extent_writepage_io() finds that page 0 has no ordered flag
  This falls into the COW fixup path, triggering the BUG_ON().

Unfortunately this error handling bug dates back to the introduction of btrfs.
Thankfully, with the abuse of COW fixup, at least it won't crash the kernel.

[FIX]
Instead of immediately unlocking the extent and folios, we keep the extent and folios locked until either erroring out or the whole delalloc range is finished.

When the whole delalloc range finishes without error, we just unlock the whole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked cases), with EXTENT_DELALLOC and EXTENT_LOCKED cleared.
And those involved folios will be properly submitted, with their dirty flags cleared during submission. For the error path, it will be a little more complex: - The range with ordered extent allocated (range (1)) We only clear the EXTENT_DELALLOC and EXTENT_LOCKED, as the remaining flags are cleaned up by btrfs_mark_ordered_io_finished()->btrfs_finish_one_ordered(). For folios we finish the IO (clear dirty, start writeback and immediately finish the writeback) and unlock the folios. - The range with reserved extent but no ordered extent (range(2)) - The range we never touched (range(3)) For both range (2) and range(3) the behavior is not changed. Now even if cow_file_range() failed halfway with some successfully reserved extents/ordered extents, we will keep all folios clean, so there will be no future writeback triggered on them. Cc: stable(a)vger.kernel.org Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- fs/btrfs/inode.c | 63 ++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 32 deletions(-) --- The similar bug exists for nocow path too (and other routines like zoned), the fix for nocow will come later after the patch get reviewed. diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 9267861f8ab0..e8232ac7917f 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -1372,6 +1372,17 @@ static noinline int cow_file_range(struct btrfs_inode *inode, alloc_hint = btrfs_get_extent_allocation_hint(inode, start, num_bytes); + /* + * We're not doing compressed IO, don't unlock the first page + * (which the caller expects to stay locked), don't clear any + * dirty bits and don't set any writeback bits + * + * Do set the Ordered (Private2) bit so we know this page was + * properly setup for writepage. + */ + page_ops = (keep_locked ? 0 : PAGE_UNLOCK); + page_ops |= PAGE_SET_ORDERED; + /* * Relocation relies on the relocated extents to have exactly the same * size as the original extents. 
Normally writeback for relocation data @@ -1431,6 +1442,10 @@ static noinline int cow_file_range(struct btrfs_inode *inode, file_extent.offset = 0; file_extent.compression = BTRFS_COMPRESS_NONE; + /* + * Locked range will be released either during error clean up or + * after the whole range is finished. + */ lock_extent(&inode->io_tree, start, start + cur_alloc_size - 1, &cached); @@ -1476,21 +1491,6 @@ static noinline int cow_file_range(struct btrfs_inode *inode, btrfs_dec_block_group_reservations(fs_info, ins.objectid); - /* - * We're not doing compressed IO, don't unlock the first page - * (which the caller expects to stay locked), don't clear any - * dirty bits and don't set any writeback bits - * - * Do set the Ordered (Private2) bit so we know this page was - * properly setup for writepage. - */ - page_ops = (keep_locked ? 0 : PAGE_UNLOCK); - page_ops |= PAGE_SET_ORDERED; - - extent_clear_unlock_delalloc(inode, start, start + cur_alloc_size - 1, - locked_folio, &cached, - EXTENT_LOCKED | EXTENT_DELALLOC, - page_ops); if (num_bytes < cur_alloc_size) num_bytes = 0; else @@ -1507,6 +1507,9 @@ static noinline int cow_file_range(struct btrfs_inode *inode, if (ret) goto out_unlock; } + extent_clear_unlock_delalloc(inode, orig_start, end, locked_folio, &cached, + EXTENT_LOCKED | EXTENT_DELALLOC, + page_ops); done: if (done_offset) *done_offset = end; @@ -1527,35 +1530,31 @@ static noinline int cow_file_range(struct btrfs_inode *inode, * We process each region below. */ - clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW | - EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV; - page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK; - /* * For the range (1). We have already instantiated the ordered extents * for this region. They are cleaned up by * btrfs_cleanup_ordered_extents() in e.g, - * btrfs_run_delalloc_range(). EXTENT_LOCKED | EXTENT_DELALLOC are - * already cleared in the above loop. 
And, EXTENT_DELALLOC_NEW | - * EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV are handled by the cleanup - * function. + * btrfs_run_delalloc_range(). + * EXTENT_DELALLOC_NEW | EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV + * are also handled by the cleanup function. * - * However, in case of @keep_locked, we still need to unlock the pages - * (except @locked_folio) to ensure all the pages are unlocked. + * So here we only clear EXTENT_LOCKED and EXTENT_DELALLOC flag, + * and finish the writeback of the involved folios, which will be + * never submitted. */ - if (keep_locked && orig_start < start) { + if (orig_start < start) { + clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC; + page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK; + if (!locked_folio) mapping_set_error(inode->vfs_inode.i_mapping, ret); extent_clear_unlock_delalloc(inode, orig_start, start - 1, locked_folio, NULL, 0, page_ops); } - /* - * At this point we're unlocked, we want to make sure we're only - * clearing these flags under the extent lock, so lock the rest of the - * range and clear everything up. - */ - lock_extent(&inode->io_tree, start, end, NULL); + clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW | + EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV; + page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK; /* * For the range (2). If we reserved an extent for our delalloc range -- 2.47.0
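
Not part of the patch: a hedged userspace sketch of how the error path in the commit message splits a failed delalloc range into range (1) (ordered extents already created), range (2) (extent reserved but no ordered extent) and range (3) (never touched). All names are hypothetical, the ranges are half-open rather than the inclusive ends used by cow_file_range(), and the sketch assumes orig_start <= fail_start <= end.

```c
#include <stdint.h>

/* Half-open byte range [start, start + len); len == 0 means "empty". */
struct sk_range {
	uint64_t start;
	uint64_t len;
};

/* The three regions the error path treats differently. */
struct sk_cleanup_plan {
	struct sk_range ordered;   /* range (1): ordered extents exist */
	struct sk_range reserved;  /* range (2): reserved, no ordered extent */
	struct sk_range untouched; /* range (3): never processed */
};

/*
 * Split [orig_start, end) at the point where allocation failed.
 * reserved_len is the size of an extent that was reserved but never got
 * an ordered extent (0 if the reservation itself failed).
 */
static struct sk_cleanup_plan sk_plan_cleanup(uint64_t orig_start,
					      uint64_t fail_start,
					      uint64_t reserved_len,
					      uint64_t end)
{
	struct sk_cleanup_plan plan;
	uint64_t reserved_end = fail_start + reserved_len;

	/* Never let the reserved part run past the end of the range. */
	if (reserved_end > end)
		reserved_end = end;

	plan.ordered = (struct sk_range){ orig_start, fail_start - orig_start };
	plan.reserved = (struct sk_range){ fail_start, reserved_end - fail_start };
	plan.untouched = (struct sk_range){ reserved_end, end - reserved_end };
	return plan;
}
```

For the example in the commit message (range [0, 64K), one 16K extent allocated, then -ENOSPC), the plan has range (1) = [0, 16K), an empty range (2) and range (3) = [16K, 64K). With the fix, the folios in range (1) are also cleaned, so no later writeback hits them.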

9 months, 4 weeks


[PATCH 6.6] f2fs: fix null reference error when checking end of zone

by bin.lan.cn＠eng.windriver.com

From: Daejun Park <daejun7.park(a)samsung.com>

[ Upstream commit c82bc1ab2a8a5e73d9728e80c4c2ed87e8921a38 ]

This patch fixes a potentially null pointer being accessed by is_end_zone_blkaddr() that checks the last block of a zone when f2fs is mounted as a single device.

Fixes: e067dc3c6b9c ("f2fs: maintain six open zones for zoned devices")
Signed-off-by: Daejun Park <daejun7.park(a)samsung.com>
Reviewed-by: Chao Yu <chao(a)kernel.org>
Reviewed-by: Daeho Jeong <daehojeong(a)google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org>
[ Resolve minor conflicts ]
Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com>
---
 fs/f2fs/data.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 1c59a3b2b2c3..d5ff22138bf9 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -924,6 +924,7 @@ int f2fs_merge_page_bio(struct f2fs_io_info *fio)
 #ifdef CONFIG_BLK_DEV_ZONED
 static bool is_end_zone_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr)
 {
+	struct block_device *bdev = sbi->sb->s_bdev;
 	int devi = 0;
 
 	if (f2fs_is_multi_device(sbi)) {
@@ -934,8 +935,9 @@ static bool is_end_zone_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr)
 			return false;
 		}
 		blkaddr -= FDEV(devi).start_blk;
+		bdev = FDEV(devi).bdev;
 	}
-	return bdev_zoned_model(FDEV(devi).bdev) == BLK_ZONED_HM &&
+	return bdev_is_zoned(bdev) &&
 		f2fs_blkz_is_seq(sbi, devi, blkaddr) &&
 		(blkaddr % sbi->blocks_per_blkz == sbi->blocks_per_blkz - 1);
 }
-- 
2.34.1
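
Not part of the patch: a userspace sketch of the pattern the fix uses, namely starting from the superblock's block device and only switching to a per-device entry in the multi-device case. The structs and names are hypothetical stand-ins, and the sketch assumes the per-device table is not populated on a single-device mount, which is what the commit message implies.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins for the block device and per-device table. */
struct sk_bdev {
	bool zoned;
};

struct sk_dev {
	struct sk_bdev *bdev;
	unsigned int start_blk;
	unsigned int end_blk;   /* inclusive */
};

struct sk_sb {
	struct sk_bdev *s_bdev; /* always valid */
	struct sk_dev *devs;    /* assumed NULL on a single-device mount */
	int ndevs;
};

/*
 * Pick the block device backing blkaddr. Defaulting to s_bdev means the
 * per-device table is never dereferenced for a single-device mount.
 * Returns NULL if a multi-device mount has no device covering blkaddr.
 */
static struct sk_bdev *sk_pick_bdev(const struct sk_sb *sb, unsigned int blkaddr)
{
	if (!sb->devs)
		return sb->s_bdev;

	for (int i = 0; i < sb->ndevs; i++) {
		if (blkaddr >= sb->devs[i].start_blk &&
		    blkaddr <= sb->devs[i].end_blk)
			return sb->devs[i].bdev;
	}
	return NULL;
}
```

The pre-fix code corresponds to indexing devs unconditionally, which is what goes wrong when the table is absent.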

9 months, 4 weeks


[PATCH v6 2/3] drm/xe: Move the coredump registration to the worker thread

by John.C.Harrison＠Intel.com

From: John Harrison <John.C.Harrison(a)Intel.com> Adding lockdep checking to the coredump code showed that there was an existing violation. The dev_coredumpm_timeout() call is used to register the dump with the base coredump subsystem. However, that makes multiple memory allocations, only some of which use the GFP_ flags passed in. So that also needs to be deferred to the worker function where it is safe to allocate with arbitrary flags. In order to not add prototypes for the callback functions, moving the _timeout call also means moving the worker thread function to later in the file. v2: Rebased after other changes to the worker function. Fixes: e799485044cb ("drm/xe: Introduce the dev_coredump infrastructure.") Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Jani Nikula <jani.nikula(a)linux.intel.com> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Francois Dugast <francois.dugast(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: "Thomas Hellström" <thomas.hellstrom(a)linux.intel.com> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: "Christian König" <christian.koenig(a)amd.com> Cc: intel-xe(a)lists.freedesktop.org Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Cc: <stable(a)vger.kernel.org> # v6.8+ Signed-off-by: John Harrison <John.C.Harrison(a)Intel.com> Reviewed-by: Matthew Brost <matthew.brost(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 73 +++++++++++++++-------------- 1 file changed, 39 insertions(+), 34 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index baac50f6dd7e..d24f1088e298 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -168,36 +168,6 @@ static void xe_devcoredump_snapshot_free(struct xe_devcoredump_snapshot *ss) ss->vm = NULL; } -static void
xe_devcoredump_deferred_snap_work(struct work_struct *work) -{ - struct xe_devcoredump_snapshot *ss = container_of(work, typeof(*ss), work); - struct xe_devcoredump *coredump = container_of(ss, typeof(*coredump), snapshot); - struct xe_device *xe = coredump_to_xe(coredump); - unsigned int fw_ref; - - xe_pm_runtime_get(xe); - - /* keep going if fw fails as we still want to save the memory and SW data */ - fw_ref = xe_force_wake_get(gt_to_fw(ss->gt), XE_FORCEWAKE_ALL); - if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL)) - xe_gt_info(ss->gt, "failed to get forcewake for coredump capture\n"); - xe_vm_snapshot_capture_delayed(ss->vm); - xe_guc_exec_queue_snapshot_capture_delayed(ss->ge); - xe_force_wake_put(gt_to_fw(ss->gt), fw_ref); - - xe_pm_runtime_put(xe); - - /* Calculate devcoredump size */ - ss->read.size = __xe_devcoredump_read(NULL, INT_MAX, coredump); - - ss->read.buffer = kvmalloc(ss->read.size, GFP_USER); - if (!ss->read.buffer) - return; - - __xe_devcoredump_read(ss->read.buffer, ss->read.size, coredump); - xe_devcoredump_snapshot_free(ss); -} - static ssize_t xe_devcoredump_read(char *buffer, loff_t offset, size_t count, void *data, size_t datalen) { @@ -246,6 +216,45 @@ static void xe_devcoredump_free(void *data) "Xe device coredump has been deleted.\n"); } +static void xe_devcoredump_deferred_snap_work(struct work_struct *work) +{ + struct xe_devcoredump_snapshot *ss = container_of(work, typeof(*ss), work); + struct xe_devcoredump *coredump = container_of(ss, typeof(*coredump), snapshot); + struct xe_device *xe = coredump_to_xe(coredump); + unsigned int fw_ref; + + /* + * NB: Despite passing a GFP_ flags parameter here, more allocations are done + * internally using GFP_KERNEL expliictly. Hence this call must be in the worker + * thread and not in the initial capture call. 
+ */ + dev_coredumpm_timeout(gt_to_xe(ss->gt)->drm.dev, THIS_MODULE, coredump, 0, GFP_KERNEL, + xe_devcoredump_read, xe_devcoredump_free, + XE_COREDUMP_TIMEOUT_JIFFIES); + + xe_pm_runtime_get(xe); + + /* keep going if fw fails as we still want to save the memory and SW data */ + fw_ref = xe_force_wake_get(gt_to_fw(ss->gt), XE_FORCEWAKE_ALL); + if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL)) + xe_gt_info(ss->gt, "failed to get forcewake for coredump capture\n"); + xe_vm_snapshot_capture_delayed(ss->vm); + xe_guc_exec_queue_snapshot_capture_delayed(ss->ge); + xe_force_wake_put(gt_to_fw(ss->gt), fw_ref); + + xe_pm_runtime_put(xe); + + /* Calculate devcoredump size */ + ss->read.size = __xe_devcoredump_read(NULL, INT_MAX, coredump); + + ss->read.buffer = kvmalloc(ss->read.size, GFP_USER); + if (!ss->read.buffer) + return; + + __xe_devcoredump_read(ss->read.buffer, ss->read.size, coredump); + xe_devcoredump_snapshot_free(ss); +} + static void devcoredump_snapshot(struct xe_devcoredump *coredump, struct xe_exec_queue *q, struct xe_sched_job *job) @@ -334,10 +343,6 @@ void xe_devcoredump(struct xe_exec_queue *q, struct xe_sched_job *job, const cha drm_info(&xe->drm, "Xe device coredump has been created\n"); drm_info(&xe->drm, "Check your /sys/class/drm/card%d/device/devcoredump/data\n", xe->drm.primary->index); - - dev_coredumpm_timeout(xe->drm.dev, THIS_MODULE, coredump, 0, GFP_KERNEL, - xe_devcoredump_read, xe_devcoredump_free, - XE_COREDUMP_TIMEOUT_JIFFIES); } static void xe_driver_devcoredump_fini(void *arg) -- 2.47.0
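The worker in the patch above sizes the dump with a first __xe_devcoredump_read(NULL, INT_MAX, ...) call, allocates a buffer of that size, and then fills it with a second call. A minimal userspace sketch of the same "measure, allocate, fill" pattern follows, assuming snprintf() as a stand-in for the driver's formatter; demo_format() and demo_capture() are hypothetical names and not part of the xe driver.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical formatter. With buf == NULL and size == 0 it writes nothing
 * and only reports how many bytes the full output needs (excluding the NUL).
 */
static int demo_format(char *buf, size_t size, int job_id)
{
	return snprintf(buf, size, "job %d: coredump captured\n", job_id);
}

/*
 * Pass 1 measures the output, pass 2 fills a buffer of exactly that size.
 * Returns a malloc()ed string the caller must free(), or NULL on failure.
 */
static char *demo_capture(int job_id, size_t *len_out)
{
	char *buf;
	int len;

	assert(len_out != NULL);

	len = demo_format(NULL, 0, job_id);	/* pass 1: size only */
	if (len < 0)
		return NULL;

	buf = malloc((size_t)len + 1);
	if (!buf)
		return NULL;

	demo_format(buf, (size_t)len + 1, job_id);	/* pass 2: fill */
	*len_out = (size_t)len;
	return buf;
}
```

The allocation sits between the two passes, so it can run in whatever context permits it; in the patch that context is the deferred worker.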

9 months, 4 weeks

[PATCH 0/2] media: uvcvideo: Two fixes for async controls

by Ricardo Ribalda

This patchset fixes two bugs with the async controls for the uvc driver.

They were found while implementing the granular PM, but I am sending
them as separate patches, so they can be reviewed sooner. They fix
real issues in the driver that need to be taken care of.

Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org>
---
Ricardo Ribalda (2):
      media: uvcvideo: Do not set an async control owned by other fh
      media: uvcvideo: Remove dangling pointers

 drivers/media/usb/uvc/uvc_ctrl.c | 44 ++++++++++++++++++++++++++++++++++++++--
 drivers/media/usb/uvc/uvc_v4l2.c | 2 ++
 drivers/media/usb/uvc/uvcvideo.h | 3 +++
 3 files changed, 47 insertions(+), 2 deletions(-)
---
base-commit: 72ad4ff638047bbbdf3232178fea4bec1f429319
change-id: 20241127-uvc-fix-async-2c9d40413ad8

Best regards,
-- 
Ricardo Ribalda <ribalda(a)chromium.org>

9 months, 4 weeks

[PATCH v4 0/2] media: uvcvideo: Support partial control reads and minor changes

by Ricardo Ribalda

Some cameras do not return all the bytes requested from a control
if it can fit in fewer bytes. E.g., returning 0xab instead of 0x00ab.
Support these devices.

Also, while we are at it, improve uvc_query_ctrl() logging.

Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org>
---
Changes in v4:
- Improve comment.
- Keep old likely(ret == size)
- Link to v3: https://lore.kernel.org/r/20241118-uvc-readless-v3-0-d97c1a3084d0@chromium.…

Changes in v3:
- Improve documentation.
- Do not change return sequence.
- Use dev_ratelimit and dev_warn_once
- Link to v2: https://lore.kernel.org/r/20241008-uvc-readless-v2-0-04d9d51aee56@chromium.…

Changes in v2:
- Rewrite error handling (Thanks Sakari)
- Discard 2/3. It is not needed after rewriting the error handling.
- Link to v1: https://lore.kernel.org/r/20241008-uvc-readless-v1-0-042ac4581f44@chromium.…

---
Ricardo Ribalda (2):
      media: uvcvideo: Support partial control reads
      media: uvcvideo: Add more logging to uvc_query_ctrl()

 drivers/media/usb/uvc/uvc_video.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
---
base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc
change-id: 20241008-uvc-readless-23f9b8cad0b3

Best regards,
-- 
Ricardo Ribalda <ribalda(a)chromium.org>
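The cover letter above does not include the patch itself, so the following is only a sketch of one plausible way to tolerate a short reply, assuming control values are little-endian so that the missing trailing bytes are the high-order ones and can be treated as zero. demo_pad_short_read() and demo_get_le16() are hypothetical helpers, not functions from the uvcvideo driver.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical helper: the device was asked for `want` bytes but returned
 * only `got`. Zero the bytes it did not write so stale buffer contents are
 * never interpreted as part of the value.
 * Returns 0 on success, -1 if the reply is empty or longer than requested.
 */
static int demo_pad_short_read(uint8_t *buf, size_t want, size_t got)
{
	assert(buf != NULL);

	if (got == 0 || got > want)
		return -1;

	memset(buf + got, 0, want - got);
	return 0;
}

/* Decode a little-endian 16-bit value from a 2-byte buffer. */
static uint16_t demo_get_le16(const uint8_t *buf)
{
	return (uint16_t)(buf[0] | (buf[1] << 8));
}
```

With a 2-byte request answered by the single byte 0xab, padding the second byte with zero makes the decoded value 0x00ab, which is the case the cover letter describes.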

9 months, 4 weeks

[PATCH 5.4/5.10/5.15 0/1] Backport fix for CVE-2023-1075

by Nikita Zhandarovich

This patch addresses a type confusion issue in tls_is_tx_ready(): the
check of the list_first_entry() return value against NULL is wrong,
because list_first_entry() never returns NULL, even for an empty list.
This issue has been assigned CVE-2023-1075 [1] and is still present in
several stable branches.

As the flawed function tls_is_tx_ready() is named is_tx_ready() and is
located in another file (specifically, include/net/tls.h) in older
kernel versions, fix the error there instead.

This adapted backport can be cleanly applied to 5.4, 5.10 and 5.15
branches.

[PATCH 5.4/5.10/5.15 1/1] net/tls: tls_is_tx_ready() checked list_entry
Use list_first_entry_or_null() instead of list_entry() to properly
check for empty lists. Fixes [1].

[1] https://nvd.nist.gov/vuln/detail/cve-2023-1075
[2] https://github.com/torvalds/linux/commit/ffe2a22562444720b05bdfeb999c03e810…
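To illustrate why a NULL check after list_first_entry() cannot detect an empty list, here is a minimal userspace sketch. It assumes simplified re-creations of the kernel list macros (the real ones in include/linux/list.h differ in detail), and all demo_* names are hypothetical stand-ins for the TLS context and its queued records.

```c
#include <assert.h>
#include <stddef.h>

/* Simplified circular doubly linked list, modelled on the kernel's. */
struct list_head {
	struct list_head *next, *prev;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Never yields NULL: on an empty list it is computed from the head itself. */
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)

/* Yields NULL when the list is empty. */
#define list_first_entry_or_null(head, type, member) \
	((head)->next != (head) ? list_first_entry(head, type, member) : NULL)

/* Hypothetical record queued for transmission. */
struct demo_rec {
	int tx_ready;
	struct list_head list;
};

/* Hypothetical context that owns the queue. */
struct demo_ctx {
	int unrelated_state;
	struct list_head tx_list;
};

static void demo_ctx_init(struct demo_ctx *ctx)
{
	ctx->unrelated_state = 0;
	ctx->tx_list.next = &ctx->tx_list;
	ctx->tx_list.prev = &ctx->tx_list;
}

/* Append a record at the tail of the queue. */
static void demo_queue(struct demo_ctx *ctx, struct demo_rec *rec)
{
	struct list_head *head = &ctx->tx_list;

	assert(rec != NULL);
	rec->list.prev = head->prev;
	rec->list.next = head;
	head->prev->next = &rec->list;
	head->prev = &rec->list;
}

/*
 * Unchecked lookup: for an empty list the result is non-NULL and points
 * into the context that embeds the list head, not at a real record.
 */
static struct demo_rec *demo_first_unchecked(struct demo_ctx *ctx)
{
	return list_first_entry(&ctx->tx_list, struct demo_rec, list);
}

/* Checked lookup: an empty queue is reported as "not ready". */
static int demo_is_tx_ready(struct demo_ctx *ctx)
{
	struct demo_rec *rec =
		list_first_entry_or_null(&ctx->tx_list, struct demo_rec, list);

	return rec != NULL && rec->tx_ready;
}
```

Reading tx_ready through the pointer returned by demo_first_unchecked() on an empty queue would interpret unrelated context memory as a record, which is the type confusion the backport removes.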

9 months, 4 weeks

[PATCH 6.1 00/98] 6.1.117-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.117 release.
There are 98 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 14 Nov 2024 10:18:19 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.117-rc…
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
    Linux 6.1.117-rc1

Alexander Stein <alexander.stein(a)ew.tq-group.com>
    media: amphion: Fix VPU core alias name

Hyunwoo Kim <v4bel(a)theori.io>
    vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

Hyunwoo Kim <v4bel(a)theori.io>
    hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

Dmitry Antipov <dmantipov(a)yandex.ru>
    net: sched: use RCU read-side critical section in taprio_dump()

Mingcong Bai <jeffbai(a)aosc.io>
    ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022

Andrei Vagin <avagin(a)google.com>
    ucounts: fix counter leak in inc_rlimit_get_ucounts()

Andrew Kanner <andrew.kanner(a)gmail.com>
    ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

Marc Zyngier <maz(a)kernel.org>
    irqchip/gic-v3: Force propagation of the active state with a read-back

Benoît Monin <benoit.monin(a)gmx.fr>
    USB: serial: option: add Quectel RG650V

Reinhard Speyerer <rspmn(a)arcor.de>
    USB: serial: option: add Fibocom FG132 0x0112 composition

Jack Wu <wojackbb(a)gmail.com>
    USB: serial: qcserial: add support for Sierra Wireless EM86xx

Dan Carpenter <dan.carpenter(a)linaro.org>
    USB: serial: io_edgeport: fix use after free in debug printk

Dan Carpenter <dan.carpenter(a)linaro.org>
    usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

Roger Quadros <rogerq(a)kernel.org>
    usb: dwc3: fix fault at system suspend if device was already runtime suspended

Zijun Hu <quic_zijuhu(a)quicinc.com>
    usb: musb: sunxi: Fix accessing an released usb phy

Roman Gushchin <roman.gushchin(a)linux.dev>
    signal: restore the override_rlimit logic

Qi Xi <xiqi2(a)huawei.com>
    fs/proc: fix compile warning about variable 'vmcore_mmap_ops'

Trond Myklebust <trond.myklebust(a)hammerspace.com>
    filemap: Fix bounds checking in filemap_read()

Benoit Sevens <bsevens(a)google.com>
    media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

Mark Brown <broonie(a)kernel.org>
    kselftest/arm64: Initialise current at build time in signal tests

Eric Dumazet <edumazet(a)google.com>
    net: do not delay dst_entries_add() in dst_release()

Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
    Revert "wifi: mac80211: fix RCU list iterations"

Michal Schmidt <mschmidt(a)redhat.com>
    bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Daniel Maslowski <cyrevolt(a)googlemail.com>
    riscv/purgatory: align riscv_kernel_entry

Filipe Manana <fdmanana(a)suse.com>
    btrfs: reinitialize delayed ref list after deleting it from the list

Mark Rutland <mark.rutland(a)arm.com>
    arm64: Kconfig: Make SME depend on BROKEN for now

Geliang Tang <tanggeliang(a)kylinos.cn>
    mptcp: use sock_kfree_s instead of kfree

Stefan Wahren <wahrenst(a)gmx.net>
    net: vertexcom: mse102x: Fix possible double free of TX skb

Jinjie Ruan <ruanjinjie(a)huawei.com>
    net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()

Roberto Sassu <roberto.sassu(a)huawei.com>
    nfs: Fix KMSAN warning in decode_getfattr_attrs()

Benjamin Segall <bsegall(a)google.com>
    posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone

Christoffer Sandberg <cs(a)tuxedo.de>
    ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3

Takashi Iwai <tiwai(a)suse.de>
    ALSA: usb-audio: Add quirk for HP 320 FHD Webcam

Zichen Xie <zichenxie0106(a)gmail.com>
    dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow

Ming-Hung Tsai <mtsai(a)redhat.com>
    dm cache: fix potential out-of-bounds access on the first resume

Ming-Hung Tsai <mtsai(a)redhat.com>
    dm cache: optimize dirty bit checking with find_next_bit when resizing

Ming-Hung Tsai <mtsai(a)redhat.com>
    dm cache: fix out-of-bounds access to the dirty bitset when resizing

Ming-Hung Tsai <mtsai(a)redhat.com>
    dm cache: fix flushing uninitialized delayed_work on cache_ctr error

Ming-Hung Tsai <mtsai(a)redhat.com>
    dm cache: correct the number of origin blocks to match the target length

Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
    thermal/drivers/qcom/lmh: Remove false lockdep backtrace

Antonio Quartulli <antonio(a)mandelbit.com>
    drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported

Alex Deucher <alexander.deucher(a)amd.com>
    drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()

Alex Deucher <alexander.deucher(a)amd.com>
    drm/amdgpu: Adjust debugfs eviction and IB access permissions

Erik Schumacher <erik.schumacher(a)iris-sensing.com>
    pwm: imx-tpm: Use correct MODULO value for EPWM mode

Namjae Jeon <linkinjeon(a)kernel.org>
    ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

Jinjie Ruan <ruanjinjie(a)huawei.com>
    ksmbd: Fix the missing xa_store error check

Namjae Jeon <linkinjeon(a)kernel.org>
    ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create

Marc Kleine-Budde <mkl(a)pengutronix.de>
    can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes

Marc Kleine-Budde <mkl(a)pengutronix.de>
    can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: v4l2-tpg: prevent the risk of a division by zero

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: pulse8-cec: fix data timestamp at pulse8_setup()

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: cx24116: prevent overflows on SNR calculus

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: s5p-jpeg: prevent buffer overflows

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: ar0521: don't overflow when checking PLL values

Amelie Delaunay <amelie.delaunay(a)foss.st.com>
    ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove

Icenowy Zheng <uwu(a)icenowy.me>
    thermal/of: support thermal zones w/o trips subnode

Emil Dahl Juhl <emdj(a)bang-olufsen.dk>
    tools/lib/thermal: Fix sampling handler context ptr

Murad Masimov <m.masimov(a)maxima.ru>
    ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()

Johannes Thumshirn <johannes.thumshirn(a)wdc.com>
    scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: adv7604: prevent underflow condition when reporting colorspace

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: dvb_frontend: don't play tricks with underflow values

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: dvbdev: prevent the risk of out of memory access

Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
    media: stb0899_algo: initialize cfr before using it

Jarosław Janik <jaroslaw.janik(a)gmail.com>
    Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown"

Johan Jonker <jbx6244(a)gmail.com>
    net: arc: rockchip: fix emac mdio node support

Johan Jonker <jbx6244(a)gmail.com>
    net: arc: fix the device for dma_map_single/dma_unmap_single

Philo Lu <lulie(a)linux.alibaba.com>
    virtio_net: Add hash_key_length check

Nícolas F. R. A. Prado <nfraprado(a)collabora.com>
    net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case

Diogo Silva <diogompaissilva(a)gmail.com>
    net: phy: ti: add PHY_RST_AFTER_CLK_EN flag

Peiyang Wang <wangpeiyang1(a)huawei.com>
    net: hns3: fix kernel crash when uninstalling driver

Aleksandr Loktionov <aleksandr.loktionov(a)intel.com>
    i40e: fix race condition by adding filter's intermediate sync state

Mateusz Polchlopek <mateusz.polchlopek(a)intel.com>
    ice: change q_index variable type to s16 to store -1 value

Dario Binacchi <dario.binacchi(a)amarulasolutions.com>
    can: c_can: fix {rx,tx}_errors statistics

Xin Long <lucien.xin(a)gmail.com>
    sctp: properly validate chunk size in sctp_sf_ootb()

Wei Fang <wei.fang(a)nxp.com>
    net: enetc: set MAC address to the VF net_device

Chen Ridong <chenridong(a)huawei.com>
    security/keys: fix slab-out-of-bounds in key_task_permission

Mike Snitzer <snitzer(a)kernel.org>
    nfs: avoid i_lock contention in nfs_clear_invalid_mapping

NeilBrown <neilb(a)suse.de>
    NFSv3: handle out-of-order write replies.

NeilBrown <neilb(a)suse.de>
    NFSv3: only use NFS timeout for MOUNT when protocols are compatible

NeilBrown <neilb(a)suse.de>
    sunrpc: handle -ENOTCONN in xs_tcp_setup_socket()

Corey Hickey <bugfood-c(a)fatooh.org>
    platform/x86/amd/pmc: Detect when STB is not available

Jiri Kosina <jkosina(a)suse.com>
    HID: core: zero-initialize the report buffer

Heiko Stuebner <heiko(a)sntech.de>
    ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin

Heiko Stuebner <heiko(a)sntech.de>
    ARM: dts: rockchip: Fix the spi controller on rk3036

Heiko Stuebner <heiko(a)sntech.de>
    ARM: dts: rockchip: drop grf reference from rk3036 hdmi

Heiko Stuebner <heiko(a)sntech.de>
    ARM: dts: rockchip: fix rk3036 acodec node

Peng Fan <peng.fan(a)nxp.com>
    arm64: dts: imx8mp: correct sdhc ipg clk

Alexander Stein <alexander.stein(a)ew.tq-group.com>
    arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs

Alexander Stein <alexander.stein(a)ew.tq-group.com>
    arm64: dts: imx8qxp: Add VPU subsystem file

Alexander Stein <alexander.stein(a)ew.tq-group.com>
    arm64: dts: imx8qm: Fix VPU core alias name

Heiko Stuebner <heiko(a)sntech.de>
    arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc

Heiko Stuebner <heiko(a)sntech.de>
    arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion

Heiko Stuebner <heiko(a)sntech.de>
    arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards

Diederik de Haas <didi.debian(a)cknow.org>
    arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node

Diederik de Haas <didi.debian(a)cknow.org>
    arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328

Geert Uytterhoeven <geert+renesas(a)glider.be>
    arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator

Geert Uytterhoeven <geert+renesas(a)glider.be>
    arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610

-------------

Diffstat:

 Makefile | 4 +-
 arch/arm/boot/dts/rk3036-kylin.dts | 4 +-
 arch/arm/boot/dts/rk3036.dtsi | 14 +--
 arch/arm64/Kconfig | 1 +
 arch/arm64/boot/dts/freescale/imx8-ss-vpu.dtsi | 4 +-
 arch/arm64/boot/dts/freescale/imx8mp.dtsi | 6 +-
 arch/arm64/boot/dts/freescale/imx8qxp-ss-vpu.dtsi | 25 +++++
 arch/arm64/boot/dts/freescale/imx8qxp.dtsi | 6 +-
 arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts | 4 +-
 arch/arm64/boot/dts/rockchip/rk3328.dtsi | 3 +-
 arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi | 1 -
 arch/arm64/boot/dts/rockchip/rk3399-eaidk-610.dts | 2 +-
 arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi | 2 +-
 .../dts/rockchip/rk3399-sapphire-excavator.dts | 2 +-
 arch/arm64/boot/dts/rockchip/rk3566-pinenote.dtsi | 4 +-
 arch/riscv/purgatory/entry.S | 3 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 +-
 drivers/hid/hid-core.c | 2 +-
 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 +-
 drivers/irqchip/irq-gic-v3.c | 7 ++
 drivers/md/dm-cache-target.c | 59 +++++-----
 drivers/md/dm-unstripe.c | 4 +-
 drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +-
 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +
 drivers/media/dvb-core/dvb_frontend.c | 4 +-
 drivers/media/dvb-core/dvbdev.c | 17 ++-
 drivers/media/dvb-frontends/cx24116.c | 7 +-
 drivers/media/dvb-frontends/stb0899_algo.c | 2 +-
 drivers/media/i2c/adv7604.c | 26 +++--
 drivers/media/i2c/ar0521.c | 4 +-
 drivers/media/platform/amphion/vpu_core.c | 2 +-
 .../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 ++-
 drivers/media/usb/uvc/uvc_driver.c | 2 +-
 drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 ++-
 drivers/net/can/c_can/c_can_main.c | 7 +-
 drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 8 +-
 drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +-
 drivers/net/ethernet/arc/emac_main.c | 27 +++--
 drivers/net/ethernet/arc/emac_mdio.c | 9 +-
 drivers/net/ethernet/freescale/enetc/enetc_vf.c | 9 +-
 drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 +-
 drivers/net/ethernet/intel/i40e/i40e.h | 1 +
 drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 1 +
 drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +-
 drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c | 3 +-
 drivers/net/ethernet/intel/ice/ice_fdir.h | 4 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
 drivers/net/ethernet/vertexcom/mse102x.c | 5 +-
 drivers/net/phy/dp83848.c | 2 +
 drivers/net/virtio_net.c | 6 +
 drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +-
 drivers/platform/x86/amd/pmc.c | 5 +
 drivers/pwm/pwm-imx-tpm.c | 4 +-
 drivers/scsi/sd_zbc.c | 3 +-
 drivers/thermal/qcom/lmh.c | 7 ++
 drivers/thermal/thermal_of.c | 21 ++--
 drivers/usb/dwc3/core.c | 25 ++---
 drivers/usb/musb/sunxi.c | 2 -
 drivers/usb/serial/io_edgeport.c | 8 +-
 drivers/usb/serial/option.c | 6 +
 drivers/usb/serial/qcserial.c | 2 +
 drivers/usb/typec/ucsi/ucsi_ccg.c | 2 +
 fs/btrfs/delayed-ref.c | 2 +-
 fs/nfs/inode.c | 125 ++++++++++++++++++---
 fs/nfs/super.c | 10 +-
 fs/ocfs2/xattr.c | 3 +-
 fs/proc/vmcore.c | 9 +-
 fs/smb/server/mgmt/user_session.c | 15 ++-
 fs/smb/server/server.c | 4 +-
 include/linux/nfs_fs.h | 47 ++++++++
 include/linux/tick.h | 8 ++
 include/linux/user_namespace.h | 3 +-
 kernel/fork.c | 2 +
 kernel/signal.c | 3 +-
 kernel/ucount.c | 9 +-
 mm/filemap.c | 2 +-
 net/core/dst.c | 17 ++-
 net/mac80211/chan.c | 4 +-
 net/mac80211/mlme.c | 2 +-
 net/mac80211/scan.c | 2 +-
 net/mac80211/util.c | 4 +-
 net/mptcp/pm_userspace.c | 3 +-
 net/sched/sch_taprio.c | 18 ++-
 net/sctp/sm_statefuns.c | 2 +-
 net/sunrpc/xprtsock.c | 1 +
 net/vmw_vsock/hyperv_transport.c | 1 +
 net/vmw_vsock/virtio_transport_common.c | 1 +
 security/keys/keyring.c | 7 +-
 sound/firewire/tascam/amdtp-tascam.c | 2 +-
 sound/pci/hda/patch_conexant.c | 2 -
 sound/pci/hda/patch_realtek.c | 1 +
 sound/soc/amd/yc/acp6x-mach.c | 7 ++
 sound/soc/stm/stm32_spdifrx.c | 2 +-
 sound/usb/mixer.c | 1 +
 sound/usb/quirks.c | 2 +
 tools/lib/thermal/sampling.c | 2 +
 .../testing/selftests/arm64/signal/test_signals.c | 4 +-
 98 files changed, 570 insertions(+), 229 deletions(-)

9 months, 4 weeks

[PATCH 5.10 000/110] 5.10.229-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.229 release.
There are 110 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri, 08 Nov 2024 12:02:47 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.229-r…
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
    Linux 5.10.229-rc1

Johannes Berg <johannes.berg(a)intel.com>
    mac80211: always have ieee80211_sta_restart()

Jeongjun Park <aha310510(a)gmail.com>
    vt: prevent kernel-infoleak in con_font_get()

Wachowski, Karol <karol.wachowski(a)intel.com>
    drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

Jason-JH.Lin <jason-jh.lin(a)mediatek.com>
    Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device"

Jeongjun Park <aha310510(a)gmail.com>
    mm: shmem: fix data-race in shmem_getattr()

Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
    nilfs2: fix kernel bug due to missing clearing of checked flag

Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com>
    x86/bugs: Use code segment selector for VERW operand

Edward Adam Davis <eadavis(a)qq.com>
    ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

Chunyan Zhang <zhangchunyan(a)iscas.ac.cn>
    riscv: Remove duplicated GET_RM

Chunyan Zhang <zhangchunyan(a)iscas.ac.cn>
    riscv: Remove unused GENERATING_ASM_OFFSETS

WangYuli <wangyuli(a)uniontech.com>
    riscv: Use '%u' to format the output of 'cpu'

Heinrich Schuchardt <heinrich.schuchardt(a)canonical.com>
    riscv: efi: Set NX compat flag in PE/COFF header

Alexandre Ghiti <alexghiti(a)rivosinc.com>
    riscv: vdso: Prevent the compiler from inserting calls to memset()

Linus Torvalds <torvalds(a)linux-foundation.org>
    mm: avoid leaving partial pfn mappings around in error case

Christoph Hellwig <hch(a)lst.de>
    mm: add remap_pfn_range_notrack

Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
    nilfs2: fix potential deadlock with newly created symlinks

Javier Carrasco <javier.carrasco.cruz(a)gmail.com>
    iio: light: veml6030: fix microlux value calculation

Zicheng Qu <quzicheng(a)huawei.com>
    staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()

Ville Syrjälä <ville.syrjala(a)linux.intel.com>
    wifi: iwlegacy: Clear stale interrupts before resuming device

Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com>
    wifi: ath10k: Fix memory leak in management tx

Felix Fietkau <nbd(a)nbd.name>
    wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower

Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
    Revert "driver core: Fix uevent_show() vs driver detach race"

Basavaraj Natikar <Basavaraj.Natikar(a)amd.com>
    xhci: Use pm_runtime_get to prevent RPM on unsupported systems

Faisal Hassan <quic_faisalh(a)quicinc.com>
    xhci: Fix Link TRB DMA in command ring stopped completion event

Zijun Hu <quic_zijuhu(a)quicinc.com>
    usb: phy: Fix API devm_usb_put_phy() can not release the phy

Zongmin Zhou <zhouzongmin(a)kylinos.cn>
    usbip: tools: Fix detach_port() invalid port error path

Dimitri Sivanich <sivanich(a)hpe.com>
    misc: sgi-gru: Don't disable preemption in GRU driver

Dai Ngo <dai.ngo(a)oracle.com>
    NFS: remove revoked delegation from server's delegation list

Daniel Palmer <daniel(a)0x0f.com>
    net: amd: mvme147: Fix probe banner message

Xiongfeng Wang <wangxiongfeng2(a)huawei.com>
    firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()

Marco Elver <elver(a)google.com>
    kasan: Fix Software Tag-Based KASAN with GCC

Miguel Ojeda <ojeda(a)kernel.org>
    compiler-gcc: remove attribute support check for `__no_sanitize_address__`

Miguel Ojeda <ojeda(a)kernel.org>
    compiler-gcc: be consistent with underscores use for `no_sanitize`

Pablo Neira Ayuso <pablo(a)netfilter.org>
    netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

Benoît Monin <benoit.monin(a)gmx.fr>
    net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension

Xin Long <lucien.xin(a)gmail.com>
    net: support ip generic csum processing in skb_csum_hwoffload_help

Byeonguk Jeong <jungbu2855(a)gmail.com>
    bpf: Fix out-of-bounds write in trie_get_next_key()

Pedro Tammela <pctammela(a)mojatatu.com>
    net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

Pablo Neira Ayuso <pablo(a)netfilter.org>
    gtp: allow -1 to be specified as file description from userspace

Ido Schimmel <idosch(a)nvidia.com>
    ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()

Wander Lairson Costa <wander(a)redhat.com>
    igb: Disable threaded IRQ for igb_msix_other

Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
    ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()

Daniel Gabay <daniel.gabay(a)intel.com>
    wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
    wifi: iwlwifi: mvm: disconnect station vifs if recovery failed

Youghandhar Chintala <youghand(a)codeaurora.org>
    mac80211: Add support to trigger sta disconnect on hardware restart

Johannes Berg <johannes.berg(a)intel.com>
    mac80211: do drv_reconfig_complete() before restarting all

Selvin Xavier <selvin.xavier(a)broadcom.com>
    RDMA/bnxt_re: synchronize the qp-handle table array

Patrisious Haddad <phaddad(a)nvidia.com>
    RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down

Leon Romanovsky <leon(a)kernel.org>
    RDMA/cxgb4: Dump vendor specific QP details

Geert Uytterhoeven <geert(a)linux-m68k.org>
    wifi: brcm80211: BRCM_TRACING should depend on TRACING

Felix Fietkau <nbd(a)nbd.name>
    wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys

Geert Uytterhoeven <geert(a)linux-m68k.org>
    mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING

Xiu Jianfeng <xiujianfeng(a)huawei.com>
    cgroup: Fix potential overflow issue when checking max_depth

Donet Tom <donettom(a)linux.ibm.com>
    selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test

Sabrina Dubroca <sd(a)queasysnail.net>
    xfrm: validate new SA's prefixlen using SA family when sel.family is unset

junhua huang <huang.junhua(a)zte.com.cn>
    arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning

Zichen Xie <zichenxie0106(a)gmail.com>
    ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()

Michel Alex <Alex.Michel(a)wiedemann-group.com>
    net: phy: dp83822: Fix reset pin definitions

Jiri Slaby (SUSE) <jirislaby(a)kernel.org>
    serial: protect uart_port_dtr_rts() in uart_shutdown() too

Paul Moore <paul(a)paul-moore.com>
    selinux: improve error checking in sel_write_load()

Haiyang Zhang <haiyangz(a)microsoft.com>
    hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event

José Relvas <josemonsantorelvas(a)gmail.com>
    ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593

Sean Christopherson <seanjc(a)google.com>
    KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Aleksa Sarai <cyphar(a)cyphar.com>
    openat2: explicitly return -E2BIG for (usize > PAGE_SIZE)

Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
    nilfs2: fix kernel bug due to missing clearing of buffer delay flag

Shubham Panwar <shubiisp8(a)gmail.com>
    ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue

Christian Heusel <christian(a)heusel.eu>
    ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[]

Mario Limonciello <mario.limonciello(a)amd.com>
    drm/amd: Guard against bad data for ATIF ACPI method

Kailang Yang <kailang(a)realtek.com>
    ALSA: hda/realtek: Update default depop procedure

Andrey Shumilin <shum.sdl(a)nppct.ru>
    ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()

Jinjie Ruan <ruanjinjie(a)huawei.com>
    posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()

Heiner Kallweit <hkallweit1(a)gmail.com>
    r8169: avoid unsolicited interrupts

Dmitry Antipov <dmantipov(a)yandex.ru>
    net: sched: fix use-after-free in taprio_change()

Oliver Neukum <oneukum(a)suse.com>
    net: usb: usbnet: fix name regression

Wang Hai <wanghai38(a)huawei.com>
    be2net: fix potential memory leak in be_xmit()

Wang Hai <wanghai38(a)huawei.com>
    net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()

Eyal Birger <eyal.birger(a)gmail.com>
    xfrm: respect ip protocols rules criteria when performing dst lookups

Eyal Birger <eyal.birger(a)gmail.com>
    xfrm: extract dst lookup parameters into a struct

Leo Yan <leo.yan(a)arm.com>
    tracing: Consider the NULL character when validating the event length

Dave Kleikamp <dave.kleikamp(a)oracle.com>
    jfs: Fix sanity check in dbMount

Mark Rutland <mark.rutland(a)arm.com>
    arm64: Force position-independent veneers

Shengjiu Wang <shengjiu.wang(a)nxp.com>
    ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit

Hans de Goede <hdegoede(a)redhat.com>
    drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

Christoph Hellwig <hch(a)lst.de>
    iomap: update ki_pos a little later in iomap_dio_complete

Mateusz Guzik <mjguzik(a)gmail.com>
    exec: don't WARN for racy path_noexec check

Yu Kuai <yukuai3(a)huawei.com>
    block, bfq: fix procress reference leakage for bfqq in merge chain

Nico Boehr <nrb(a)linux.ibm.com>
    KVM: s390: gaccess: Check if guest address is in memslot

Janis Schoetterl-Glausch <scgl(a)linux.ibm.com>
    KVM: s390: gaccess: Cleanup access to guest pages

Janis Schoetterl-Glausch <scgl(a)linux.ibm.com>
    KVM: s390: gaccess: Refactor access address range check

Janis Schoetterl-Glausch <scgl(a)linux.ibm.com>
    KVM: s390: gaccess: Refactor gpa and length calculation

Mark Rutland <mark.rutland(a)arm.com>
    arm64: probes: Fix uprobes for big-endian kernels

junhua huang <huang.junhua(a)zte.com.cn>
    arm64:uprobe fix the uprobe SWBP_INSN in big-endian

Ye Bin <yebin10(a)huawei.com>
    Bluetooth: bnep: fix wild-memory-access in proto_unregister

Heiko Carstens <hca(a)linux.ibm.com>
    s390: Initialize psw mask in perf_arch_fetch_caller_regs()

Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com>
    usb: typec: altmode should keep reference to parent

Paulo Alcantara <pc(a)manguebit.com>
    smb: client: fix OOBs when building SMB2_IOCTL request

Wang Hai <wanghai38(a)huawei.com>
    scsi: target: core: Fix null-ptr-deref in target_alloc_device()

Eric Dumazet <edumazet(a)google.com>
    genetlink: hold RCU in genlmsg_mcast()

Wang Hai <wanghai38(a)huawei.com>
    net: systemport: fix potential memory leak in bcm_sysport_xmit()

Li RongQing <lirongqing(a)baidu.com>
    net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid

Wang Hai <wanghai38(a)huawei.com>
    net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit()

Sabrina Dubroca <sd(a)queasysnail.net>
    macsec: don't increment counters for an unrelated SA

Jonathan Marek <jonathan(a)marek.ca>
    drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation

Bhargava Chenna Marreddy <bhargava.marreddy(a)broadcom.com>
    RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages

Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
    RDMA/bnxt_re: Return more meaningful error

Xin Long <lucien.xin(a)gmail.com>
    ipv4: give an IPv4 dev to blackhole_netdev

Anumula Murali Mohan Reddy <anumula(a)chelsio.com>
    RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP

Florian Klink <flokli(a)flokli.de>
    ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin

Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
    RDMA/bnxt_re: Add a check for memory allocation

Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
    RDMA/bnxt_re: Fix incorrect AVID type in WQE structure

-------------

Diffstat:

 Makefile | 4 +-
 arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 +-
 arch/arm64/Makefile | 2 +-
 arch/arm64/include/asm/uprobes.h | 12 +-
 arch/arm64/kernel/probes/uprobes.c | 4 +-
 arch/riscv/kernel/asm-offsets.c | 2 -
 arch/riscv/kernel/cpu-hotplug.c | 2 +-
 arch/riscv/kernel/efi-header.S | 2 +-
 arch/riscv/kernel/traps_misaligned.c | 2 -
 arch/riscv/kernel/vdso/Makefile | 1 +
 arch/s390/include/asm/perf_event.h | 1 +
 arch/s390/kvm/gaccess.c | 162 ++++++++++++++----------
 arch/s390/kvm/gaccess.h | 14 +-
 arch/x86/include/asm/nospec-branch.h | 11 +-
 arch/x86/kvm/svm/nested.c | 6 +-
 block/bfq-iosched.c | 33 +++--
 drivers/acpi/button.c | 11 ++
 drivers/acpi/resource.c | 7 +
 drivers/base/core.c | 13 +-
 drivers/base/module.c | 4 -
 drivers/firmware/arm_sdei.c | 2 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 ++-
 drivers/gpu/drm/drm_gem_shmem_helper.c | 5 +
 drivers/gpu/drm/drm_mipi_dsi.c | 2 +-
 drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +-
 drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +-
 drivers/iio/light/veml6030.c | 2 +-
 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 +
 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +-
 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 15 ++-
 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 +
 drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 +--
 drivers/infiniband/hw/cxgb4/cm.c | 9 +-
 drivers/infiniband/hw/cxgb4/provider.c | 1 +
 drivers/infiniband/hw/mlx5/qp.c | 4 +-
 drivers/misc/sgi-gru/grukservices.c | 2 -
 drivers/misc/sgi-gru/grumain.c | 4 -
 drivers/misc/sgi-gru/grutlbpurge.c | 2 -
 drivers/net/ethernet/aeroflex/greth.c | 3 +-
 drivers/net/ethernet/amd/mvme147.c | 7 +-
 drivers/net/ethernet/broadcom/bcmsysport.c | 1 +
 drivers/net/ethernet/emulex/benet/be_main.c | 10 +-
 drivers/net/ethernet/i825xx/sun3_82586.c | 1 +
 drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
 drivers/net/ethernet/realtek/r8169_main.c | 4 +-
 drivers/net/gtp.c | 22 ++--
 drivers/net/hyperv/netvsc_drv.c | 30 +++++
 drivers/net/macsec.c | 18 ---
 drivers/net/phy/dp83822.c | 4 +-
 drivers/net/usb/usbnet.c | 3 +-
 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +-
 drivers/net/wireless/ath/ath10k/wmi.c | 2 +
 drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 +
 drivers/net/wireless/intel/iwlegacy/common.c | 2 +
 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +++-
 drivers/staging/iio/frequency/ad9832.c | 7 +-
 drivers/target/target_core_device.c | 2 +-
 drivers/target/target_core_user.c | 2 +-
 drivers/tty/serial/serial_core.c | 16 ++-
 drivers/tty/vt/vt.c | 2 +-
 drivers/usb/host/xhci-pci.c | 6 +-
 drivers/usb/host/xhci-ring.c | 16 +--
 drivers/usb/phy/phy.c | 2 +-
 drivers/usb/typec/class.c | 3 +
 fs/cifs/smb2pdu.c | 9 ++
 fs/exec.c | 21 ++-
 fs/iomap/direct-io.c | 18 +--
 fs/jfs/jfs_dmap.c | 2 +-
 fs/nfs/delegation.c | 5 +
 fs/nilfs2/namei.c | 3 +
 fs/nilfs2/page.c | 7 +-
 fs/ocfs2/file.c | 8 ++
 fs/open.c | 2 +
 include/linux/compiler-gcc.h | 12 +-
 include/linux/mm.h | 2 +
 include/net/genetlink.h | 3 +-
 include/net/ip_tunnels.h | 2 +-
 include/net/mac80211.h | 10 ++
 include/net/xfrm.h | 28 ++--
 kernel/bpf/lpm_trie.c | 2 +-
 kernel/cgroup/cgroup.c | 4 +-
 kernel/time/posix-clock.c | 6 +-
 kernel/trace/trace_probe.c | 2 +-
 mm/memory.c | 72 +++++++----
 mm/shmem.c | 2 +
 net/bluetooth/bnep/core.c | 3 +-
 net/core/dev.c | 17 ++-
 net/ipv4/devinet.c | 35 +++--
 net/ipv4/xfrm4_policy.c | 38 +++---
 net/ipv6/xfrm6_policy.c | 31 ++---
 net/l2tp/l2tp_netlink.c | 4 +-
 net/mac80211/Kconfig | 2 +-
 net/mac80211/cfg.c | 3 +-
 net/mac80211/ieee80211_i.h | 3 +
 net/mac80211/key.c | 42 +++---
 net/mac80211/mlme.c | 14 +-
 net/mac80211/util.c | 45 +++++--
 net/netfilter/nft_payload.c | 3 +
 net/netlink/genetlink.c | 28 ++--
 net/sched/sch_api.c | 2 +-
 net/sched/sch_taprio.c | 3 +-
 net/smc/smc_pnet.c | 2 +-
 net/wireless/nl80211.c | 8 +-
 net/xfrm/xfrm_device.c | 11 +-
 net/xfrm/xfrm_policy.c | 50 ++++++--
 net/xfrm/xfrm_user.c | 6 +-
 security/selinux/selinuxfs.c | 27 ++--
 sound/firewire/amdtp-stream.c | 3 +
 sound/pci/hda/patch_realtek.c | 48 ++++---
 sound/soc/codecs/cs42l51.c | 7 +-
 sound/soc/fsl/fsl_sai.c | 5 +-
 sound/soc/fsl/fsl_sai.h | 1 +
 sound/soc/qcom/lpass-cpu.c | 2 +
 tools/testing/selftests/vm/hmm-tests.c | 2 +-
 tools/usb/usbip/src/usbip_detach.c | 1 +
 116 files changed, 791 insertions(+), 473 deletions(-)

9 months, 4 weeks


[PATCH 6.6 0/3] Backport fixes for CVE-2024-42155, CVE-2024-42156 and CVE-2024-42158

by Nikita Zhandarovich

This series addresses several s390 driver vulnerabilities related to improper handling of sensitive keys-related material and its lack of proper disposal in stable kernel branches. These issues have been announced as CVE-2024-42155 [1], CVE-2024-42156 [2] and CVE-2024-42158 [4] and fixed in upstream. Another problem named as CVE-2024-42157 [3] has already been successfully backported. All patches have been cherry-picked and are ready to be cleanly applied to 6.6 stable branch. Backports for 5.10/5.15 [5] and 6.1 [6] have already been sent. [PATCH 6.6 1/3] s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Use kfree_sensitive() instead of kfree() and memzero_explicit(). Fixes CVE-2024-42158. [PATCH 6.6 2/3] s390/pkey: Wipe copies of clear-key structures on failure Properly wipe sensitive key material from stack for IOCTLs that deal with clear-key conversion. Fixes CVE-2024-42156. Note: this patch has already been sent separately by Bin Lan <bin.lan.cn(a)windriver.com>, see [7]. [PATCH 6.6 3/3] s390/pkey: Wipe copies of protected- and secure-keys Properly wipe key copies from stack for affected IOCTLs. Fixes CVE-2024-42155. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-42155 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-42156 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-42157 [4] https://nvd.nist.gov/vuln/detail/CVE-2024-42158 [5] https://lore.kernel.org/all/20241128142245.18136-1-n.zhandarovich@fintech.r… [6] https://lore.kernel.org/all/20241128153337.19666-1-n.zhandarovich@fintech.r… [7] https://lore.kernel.org/all/20241121081222.3792207-1-bin.lan.cn@windriver.c…
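
The common idea behind the three patches (clear secrets before the memory holding them is released or goes out of scope) can be sketched in userspace C. This is only an illustration under stated assumptions: secure_wipe() and free_sensitive() are hypothetical names standing in for the kernel's memzero_explicit() and kfree_sensitive(), and the caller is assumed to know the buffer length.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>

/*
 * Hypothetical helper: zero a buffer through a volatile pointer so the
 * compiler cannot discard the stores as dead code.
 */
static void secure_wipe(void *buf, size_t len)
{
	volatile unsigned char *p = buf;

	assert(buf != NULL || len == 0);
	while (len--)
		*p++ = 0;
}

/*
 * Hypothetical helper: wipe, then free. NULL is accepted, like free().
 */
static void free_sensitive(void *buf, size_t len)
{
	if (!buf)
		return;
	secure_wipe(buf, len);
	free(buf);
}
```

For stack copies, as in patches 2/3 and 3/3, the same wipe would be called on every exit path of the handler, including the error paths.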

9 months, 4 weeks


[PATCH v5 0/3] clk: qcom: Add support for multiple power-domains for a clock controller.

by Bryan O'Donoghue

Changes in v5: - In-lines devm_pm_domain_attach_list() in probe() directly - Vlad - Link to v4: https://lore.kernel.org/r/20241127-b4-linux-next-24-11-18-clock-multiple-po… v4: - Adds Bjorn's RB to first patch - Bjorn - Drops the 'd' in "and int" - Bjorn - Amends commit log of patch 3 to capture a number of open questions - Bjorn - Link to v3: https://lore.kernel.org/r/20241126-b4-linux-next-24-11-18-clock-multiple-po… v3: - Fixes commit log "per which" - Bryan - Link to v2: https://lore.kernel.org/r/20241125-b4-linux-next-24-11-18-clock-multiple-po… v2: The main change in this version is Bjorn's pointing out that pm_runtime_* inside of the gdsc_enable/gdsc_disable path would be recursive and cause a lockdep splat. Dmitry alluded to this too. Bjorn pointed to stuff being done lower in the gdsc_register() routine that might be a starting point. I iterated around that idea and came up with patch #3. When a gdsc has no parent and the pd_list is non-NULL then attach that orphan GDSC to the clock controller power-domain list. Existing subdomain code in gdsc_register() will connect the parent GDSCs in the clock-controller to the clock-controller subdomain, the new code here does that same job for a list of power-domains the clock controller depends on. To Dmitry's point about MMCX and MCX dependencies for the registers inside of the clock controller, I have switched off all references in a test dtsi and confirmed that accessing the clock-controller regs themselves isn't required. On the second point I also verified my test branch with lockdep on which was a concern with the pm_domain version of this solution but I wanted to cover it anyway with the new approach for completeness sake. 
Here's the item-by-item list of changes:
- Adds a patch to capture pm_genpd_add_subdomain() result code - Bryan
- Changes changelog of second patch to remove singleton and generally to make the commit log easier to understand - Bjorn
- Uses devm_pm_domain_attach_list - Vlad
- Changes error check to if (ret < 0 && ret != -EEXIST) - Vlad
- Retains passing &pd_data instead of NULL - because NULL doesn't do the same thing - Bryan/Vlad
- Retains standalone function qcom_cc_pds_attach() because the pd_data enumeration looks neater in a standalone function - Bryan/Vlad
- Drops pm_runtime in favour of gdsc_add_subdomain_list() for each power-domain in the pd_list. The pd_list will be whatever is pointed to by power-domains = <> in the dtsi - Bjorn
- Link to v1: https://lore.kernel.org/r/20241118-b4-linux-next-24-11-18-clock-multiple-po…

v1:
On x1e80100 and its SKUs the Camera Clock Controller - CAMCC has multiple power-domains which power it. Usually with a single power-domain the core platform code will automatically switch on the singleton power-domain for you. If you have multiple power-domains for a device, in this case the clock controller, you need to switch those power-domains on/off yourself.

The clock controllers can also contain Global Distributed Switch Controllers - GDSCs which themselves can be referenced from dtsi nodes ultimately triggering a gdsc_en() in drivers/clk/qcom/gdsc.c.

As an example:

cci0: cci@ac4a000 {
	power-domains = <&camcc TITAN_TOP_GDSC>;
};

This series adds the support to attach a power-domain list to the clock-controllers and the GDSCs those controllers provide so that in the case of the above example gdsc_toggle_logic() will trigger the power-domain list with pm_runtime_resume_and_get() and pm_runtime_put_sync() respectively.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> --- Bryan O'Donoghue (3): clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code clk: qcom: common: Add support for power-domain attachment clk: qcom: Support attaching GDSCs to multiple parents drivers/clk/qcom/common.c | 10 ++++++++++ drivers/clk/qcom/gdsc.c | 41 +++++++++++++++++++++++++++++++++++++++-- drivers/clk/qcom/gdsc.h | 1 + 3 files changed, 50 insertions(+), 2 deletions(-) --- base-commit: 744cf71b8bdfcdd77aaf58395e068b7457634b2c change-id: 20241118-b4-linux-next-24-11-18-clock-multiple-power-domains-a5f994dc452a Best regards, -- Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>

9 months, 4 weeks


[PATCH] HID: i2c-hid: Revert to using power commands to wake on resume

by Kenny Levinsen

7d6f065de37c ("HID: i2c-hid: Use address probe to wake on resume") replaced the retry of power commands with the dummy read "bus probe" we use on boot which accounts for a necessary delay before retry.

This made at least one Weida device (2575:0910 in an ASUS Vivobook S14) very unhappy, as the bus probe despite being successful somehow led to the following power command failing so hard that the device never lets go of the bus. This means that even retries of the power command would fail on a timeout as the bus remains busy.

Remove the bus probe on resume and instead reintroduce retry of the power command for wake-up purposes while respecting the newly established wake-up retry timings.

Fixes: 7d6f065de37c ("HID: i2c-hid: Use address probe to wake on resume")
Cc: stable(a)vger.kernel.org
Reported-by: Michael <auslands-kv(a)gmx.de>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219440
Link: https://lore.kernel.org/r/d5acb485-7377-4139-826d-4df04d21b5ed@leemhuis.inf…
Signed-off-by: Kenny Levinsen <kl(a)kl.wtf>
---
As I don't have access to the hardware in question, a test by the reporter (Michael) would be preferred to confirm the final patch.

 drivers/hid/i2c-hid/i2c-hid-core.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index 43664a24176f..4e87380d3edd 100644
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -414,7 +414,19 @@ static int i2c_hid_set_power(struct i2c_hid *ihid, int power_state)
 
 	i2c_hid_dbg(ihid, "%s\n", __func__);
 
+	/*
+	 * Some STM-based devices need 400µs after a rising clock edge to wake
+	 * from deep sleep, in which case the first request will fail due to
+	 * the address not being acknowledged. Try after a short sleep to see
+	 * if the device came alive on the bus. Certain Weida Tech devices also
+	 * need this.
+	 */
 	ret = i2c_hid_set_power_command(ihid, power_state);
+	if (ret && power_state == I2C_HID_PWR_ON) {
+		usleep_range(400, 500);
+		ret = i2c_hid_set_power_command(ihid, I2C_HID_PWR_ON);
+	}
+
 	if (ret)
 		dev_err(&ihid->client->dev,
 			"failed to change power setting.\n");
@@ -976,14 +988,6 @@ static int i2c_hid_core_resume(struct i2c_hid *ihid)
 
 	enable_irq(client->irq);
 
-	/* Make sure the device is awake on the bus */
-	ret = i2c_hid_probe_address(ihid);
-	if (ret < 0) {
-		dev_err(&client->dev, "nothing at address after resume: %d\n",
-			ret);
-		return -ENXIO;
-	}
-
 	/* On Goodix 27c6:0d42 wait extra time before device wakeup.
 	 * It's not clear why but if we send wakeup too early, the device will
 	 * never trigger input interrupts.
-- 
2.47.0
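
The retry logic this patch reintroduces (send the power command, and only for power-on retry once after a short sleep) can be modelled outside the kernel roughly as follows. This is a sketch, not the driver code: set_power(), send_power_fn, sleep_us() and the fake device are hypothetical, and nanosleep() stands in for usleep_range().

```c
#define _POSIX_C_SOURCE 199309L
#include <assert.h>
#include <time.h>

/* Hypothetical power states, mirroring I2C_HID_PWR_ON / I2C_HID_PWR_SLEEP. */
enum power_state { PWR_ON, PWR_SLEEP };

/* Hypothetical transport hook: returns 0 on success, non-zero on failure. */
typedef int (*send_power_fn)(void *ctx, enum power_state state);

static void sleep_us(long us)
{
	struct timespec ts = {
		.tv_sec = us / 1000000L,
		.tv_nsec = (us % 1000000L) * 1000L,
	};

	nanosleep(&ts, NULL);
}

/*
 * Send the power command. A failed power-on is retried once after 400 us,
 * giving a device in deep sleep time to start acknowledging its address.
 * Other states are not retried.
 */
static int set_power(send_power_fn send, void *ctx, enum power_state state)
{
	int ret;

	assert(send != NULL);
	ret = send(ctx, state);
	if (ret && state == PWR_ON) {
		sleep_us(400);
		ret = send(ctx, PWR_ON);
	}
	return ret;
}

/* Fake device for illustration: fails the first 'naks_left' commands. */
struct fake_dev {
	int naks_left;
	int calls;
};

static int fake_send(void *ctx, enum power_state state)
{
	struct fake_dev *dev = ctx;

	(void)state;
	dev->calls++;
	if (dev->naks_left > 0) {
		dev->naks_left--;
		return -1;
	}
	return 0;
}
```

With a fake device that fails exactly once, a power-on request succeeds on the second attempt, while a sleep request fails after a single attempt.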

9 months, 4 weeks


[PATCH v1] usb: typec: ucsi: Fix completion notifications

by Łukasz Bartosik

OPM                         PPM                         LPM
 |        1.send cmd         |                           |
 |-------------------------->|                           |
 |                           |--                         |
 |                           |  | 2.set busy bit in CCI  |
 |                           |<-                         |
 |      3.notify the OPM     |                           |
 |<--------------------------|                           |
 |                           | 4.send cmd to be executed |
 |                           |-------------------------->|
 |                           |                           |
 |                           |      5.cmd completed      |
 |                           |<--------------------------|
 |                           |                           |
 |                           |--                         |
 |                           |  | 6.set cmd completed    |
 |                           |<-     bit in CCI          |
 |                           |                           |
 |     7.handle notification |                           |
 |     from point 3, read CCI|                           |
 |<--------------------------|                           |
 |                           |                           |
 |     8.notify the OPM      |                           |
 |<--------------------------|                           |
 |                           |                           |

When the PPM receives a command from the OPM (p.1) it sets the busy bit in the CCI (p.2), sends a notification to the OPM (p.3) and forwards the command to be executed by the LPM (p.4). When the PPM receives command completion from the LPM (p.5) it sets the command completion bit in the CCI (p.6) and sends a notification to the OPM (p.8). If command execution by the LPM is fast enough then when the OPM starts handling the notification from p.3 in p.7 and reads the CCI value it will see the command completion bit and will call complete(). Then complete() might be called again when the OPM handles the notification from p.8.

This fix replaces test_bit() with test_and_clear_bit() in ucsi_notify_common() in order to call complete() only once per request.

Fixes: 584e8df58942 ("usb: typec: ucsi: extract common code for command handling")
Cc: stable(a)vger.kernel.org
Signed-off-by: Łukasz Bartosik <ukaszb(a)chromium.org>
---
 drivers/usb/typec/ucsi/ucsi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index e0f3925e401b..7a9b987ea80c 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -46,11 +46,11 @@ void ucsi_notify_common(struct ucsi *ucsi, u32 cci)
 		ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci));
 
 	if (cci & UCSI_CCI_ACK_COMPLETE &&
-	    test_bit(ACK_PENDING, &ucsi->flags))
+	    test_and_clear_bit(ACK_PENDING, &ucsi->flags))
 		complete(&ucsi->complete);
 
 	if (cci & UCSI_CCI_COMMAND_COMPLETE &&
-	    test_bit(COMMAND_PENDING, &ucsi->flags))
+	    test_and_clear_bit(COMMAND_PENDING, &ucsi->flags))
 		complete(&ucsi->complete);
 }
 EXPORT_SYMBOL_GPL(ucsi_notify_common);
-- 
2.47.0.199.ga7371fff76-goog

9 months, 4 weeks


[PATCH 6.1 0/3] Backport fixes for CVE-2024-42155, CVE-2024-42156 and CVE-2024-42158

by Nikita Zhandarovich

This series addresses several s390 driver vulnerabilities related to improper handling of sensitive keys-related material and its lack of proper disposal in stable kernel branches. These issues have been announced as CVE-2024-42155 [1], CVE-2024-42156 [2] and CVE-2024-42158 [4] and fixed in upstream. Another problem named as CVE-2024-42157 [3] has already been successfully backported. All patches have been cherry-picked and are ready to be cleanly applied to 6.1 stable branch. Same series adapted for 6.6 version will follow separately. Backports for 5.10/5.15 have already been sent, see [5]. [PATCH 6.1 1/3] s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Use kfree_sensitive() instead of kfree() and memzero_explicit(). Fixes CVE-2024-42158. [PATCH 6.1 2/3] s390/pkey: Wipe copies of clear-key structures on failure Properly wipe sensitive key material from stack for IOCTLs that deal with clear-key conversion. Fixes CVE-2024-42156. [PATCH 6.1 3/3] s390/pkey: Wipe copies of protected- and secure-keys Properly wipe key copies from stack for affected IOCTLs. Fixes CVE-2024-42155. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-42155 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-42156 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-42157 [4] https://nvd.nist.gov/vuln/detail/CVE-2024-42158 [5] https://lore.kernel.org/all/20241128142245.18136-1-n.zhandarovich@fintech.r…

9 months, 4 weeks


[PATCH 5.10/5.15 0/3] Backport fixes for CVE-2024-42155, CVE-2024-42156 and CVE-2024-42158

by Nikita Zhandarovich

This series addresses several s390 driver vulnerabilities related to improper handling of sensitive keys-related material and its lack of proper disposal in stable kernel branches. These issues have been announced as CVE-2024-42155 [1], CVE-2024-42156 [2] and CVE-2024-42158 [4] and fixed in upstream. Another problem named as CVE-2024-42157 [3] has already been successfully backported. All patches have been cherry-picked and are ready to be cleanly applied to 5.10/5.15 stable branches. Same series adapted for 6.1 and 6.6 versions will follow separately. [PATCH 5.10/5.15 1/3] s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings Use kfree_sensitive() instead of kfree() and memzero_explicit(). Fixes CVE-2024-42158. [PATCH 5.10/5.15 2/3] s390/pkey: Wipe copies of clear-key structures on failure Properly wipe sensitive key material from stack for IOCTLs that deal with clear-key conversion. Fixes CVE-2024-42156. [PATCH 5.10/5.15 3/3] s390/pkey: Wipe copies of protected- and secure-keys Properly wipe key copies from stack for affected IOCTLs. Fixes CVE-2024-42155. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-42155 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-42156 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-42157 [4] https://nvd.nist.gov/vuln/detail/CVE-2024-42158

9 months, 4 weeks


[PATCH 6.1] mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path

by Bin Lan

From: Ido Schimmel <idosch(a)nvidia.com> [ Upstream commit efeb7dfea8ee10cdec11b6b6ba4e405edbe75809 ] When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fixes: 22a677661f56 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation") Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Amit Cohen <amcohen(a)nvidia.com> Reviewed-by: Jiri Pirko <jiri(a)nvidia.com> Signed-off-by: Petr Machata <petrm(a)nvidia.com> Acked-by: Paolo Abeni <pabeni(a)redhat.com> Link: https://lore.kernel.org/r/fb6a4542bbc9fcab5a523802d97059bffbca7126.17055020… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ For the function mlxsw_sp_acl_to_tcam() is not exist in 6.1.y, pick mlxsw_sp_acl_to_tcam() from commit 74cbc3c03c828ccf265a72f9bcb5aee906978744 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 5 +++++ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 4 ++-- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h 
b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h index c8ff2a6d7e90..57ab91133774 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h @@ -970,6 +970,7 @@ enum mlxsw_sp_acl_profile { }; struct mlxsw_afk *mlxsw_sp_acl_afk(struct mlxsw_sp_acl *acl); +struct mlxsw_sp_acl_tcam *mlxsw_sp_acl_to_tcam(struct mlxsw_sp_acl *acl); int mlxsw_sp_acl_ruleset_bind(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_flow_block *block, diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c index 6c5af018546f..93b71106b4c5 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c @@ -40,6 +40,11 @@ struct mlxsw_afk *mlxsw_sp_acl_afk(struct mlxsw_sp_acl *acl) return acl->afk; } +struct mlxsw_sp_acl_tcam *mlxsw_sp_acl_to_tcam(struct mlxsw_sp_acl *acl) +{ + return &acl->tcam; +} + struct mlxsw_sp_acl_ruleset_ht_key { struct mlxsw_sp_flow_block *block; u32 chain_index; diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c index 685bcf8cbfa9..6796edb24951 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c @@ -747,13 +747,13 @@ static void mlxsw_sp_acl_tcam_region_destroy(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_acl_tcam_region *region) { + struct mlxsw_sp_acl_tcam *tcam = mlxsw_sp_acl_to_tcam(mlxsw_sp->acl); const struct mlxsw_sp_acl_tcam_ops *ops = mlxsw_sp->acl_tcam_ops; ops->region_fini(mlxsw_sp, region->priv); mlxsw_sp_acl_tcam_region_disable(mlxsw_sp, region); mlxsw_sp_acl_tcam_region_free(mlxsw_sp, region); - mlxsw_sp_acl_tcam_region_id_put(region->group->tcam, - region->id); + mlxsw_sp_acl_tcam_region_id_put(tcam, region->id); kfree(region); } -- 2.34.1

9 months, 4 weeks


[PATCH 6.1] ntfs3: Add bounds checking to mi_enum_attr()

by bin.lan.cn＠eng.windriver.com

From: lei lu <llfamsec(a)gmail.com>

[ Upstream commit 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 ]

Added bounds checking to make sure that every attr doesn't stray beyond the valid memory region.

Signed-off-by: lei lu <llfamsec(a)gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com>
Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com>
---
 fs/ntfs3/record.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index 7ab452710572..a332b925cb37 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -217,28 +217,19 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)
 		prev_type = 0;
 		attr = Add2Ptr(rec, off);
 	} else {
-		/* Check if input attr inside record. */
+		/*
+		 * We don't need to check previous attr here. There is
+		 * a bounds checking in the previous round.
+		 */
 		off = PtrOffset(rec, attr);
-		if (off >= used)
-			return NULL;
 
 		asize = le32_to_cpu(attr->size);
-		if (asize < SIZEOF_RESIDENT) {
-			/* Impossible 'cause we should not return such attribute. */
-			return NULL;
-		}
-
-		/* Overflow check. */
-		if (off + asize < off)
-			return NULL;
 
 		prev_type = le32_to_cpu(attr->type);
 		attr = Add2Ptr(attr, asize);
 		off += asize;
 	}
 
-	asize = le32_to_cpu(attr->size);
-
 	/* Can we use the first field (attr->type). */
 	if (off + 8 > used) {
 		static_assert(ALIGN(sizeof(enum ATTR_TYPE), 8) == 8);
@@ -259,6 +250,12 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)
 	if (t32 < prev_type)
 		return NULL;
 
+	asize = le32_to_cpu(attr->size);
+	if (asize < SIZEOF_RESIDENT) {
+		/* Impossible 'cause we should not return such attribute. */
+		return NULL;
+	}
+
 	/* Check overflow and boundary. */
 	if (off + asize < off || off + asize > used)
 		return NULL;
-- 
2.34.1
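
The pattern the patch moves to (validate each record's header and size against the used area before the record is handed out, so the next round can trust it) can be sketched for a generic buffer of variable-length records. The record layout here is an assumption made for the example (4-byte type, then 4-byte little-endian size) and is not the NTFS attribute format; record_size_checked() and count_records() are hypothetical names.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header: 4-byte type followed by 4-byte little-endian size. */
#define REC_HDR_SIZE 8u

static uint32_t rd_le32(const unsigned char *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Return the size of the record at 'off' if it lies fully inside the first
 * 'used' bytes of 'buf', or 0 if the record is missing or malformed.
 */
static uint32_t record_size_checked(const unsigned char *buf, uint32_t used,
				    uint32_t off)
{
	uint32_t size;

	/* The header must be inside the used area before it is read. */
	if (off > used || used - off < REC_HDR_SIZE)
		return 0;

	size = rd_le32(buf + off + 4);
	if (size < REC_HDR_SIZE)
		return 0;

	/* Comparing against 'used - off' avoids wrap-around in 'off + size'. */
	if (size > used - off)
		return 0;

	return size;
}

/* Walk the buffer and count the records that pass validation. */
static unsigned int count_records(const unsigned char *buf, uint32_t used)
{
	uint32_t off = 0, size;
	unsigned int n = 0;

	assert(buf != NULL);
	while ((size = record_size_checked(buf, used, off)) != 0) {
		n++;
		off += size;
	}
	return n;
}
```

Because every record is checked before it is accepted, advancing by its size never needs a second check of the previous record, which mirrors the comment the patch adds.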

9 months, 4 weeks


[PATCH 6.6] mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()

by bin.lan.cn＠eng.windriver.com

From: "Jason-JH.Lin" <jason-jh.lin(a)mediatek.com>

[ Upstream commit a8bd68e4329f9a0ad1b878733e0f80be6a971649 ]

When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs.

According to the call trace below:
  cmdq_mbox_shutdown
  mbox_free_channel
  mbox_controller_unregister
  __devm_mbox_controller_unregister
  ...

The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below:

1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shutdown() will be called after cmdq_remove().

2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister().

To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister().

Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver") Signed-off-by: Jason-JH.Lin <jason-jh.lin(a)mediatek.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Jassi Brar <jassisinghbrar(a)gmail.com> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/mailbox/mtk-cmdq-mailbox.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c index 4d62b07c1411..d5f5606585f4 100644 --- a/drivers/mailbox/mtk-cmdq-mailbox.c +++ b/drivers/mailbox/mtk-cmdq-mailbox.c @@ -623,12 +623,6 @@ static int cmdq_probe(struct platform_device *pdev) cmdq->mbox.chans[i].con_priv = (void *)&cmdq->thread[i]; } - err = devm_mbox_controller_register(dev, &cmdq->mbox); - if (err < 0) { - dev_err(dev, "failed to register mailbox: %d\n", err); - return err; - } - platform_set_drvdata(pdev, cmdq); WARN_ON(clk_bulk_prepare(cmdq->pdata->gce_num, cmdq->clocks)); @@ -642,6 +636,12 @@ static int cmdq_probe(struct platform_device *pdev) return err; } + err = devm_mbox_controller_register(dev, &cmdq->mbox); + if (err < 0) { + dev_err(dev, "failed to register mailbox: %d\n", err); + return err; + } + return 0; } -- 2.34.1
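
The ordering argument in the commit message relies on device-managed resources being released in the reverse order of registration. A minimal userspace model of that behaviour is sketched below; struct managed_dev, managed_add() and managed_release_all() are hypothetical and only imitate the devres idea, they are not the kernel API.

```c
#include <assert.h>
#include <stddef.h>

#define MAX_ACTIONS 8

typedef void (*action_fn)(void *data);

/* Hypothetical stand-in for a device with a stack of cleanup actions. */
struct managed_dev {
	struct {
		action_fn fn;
		void *data;
	} actions[MAX_ACTIONS];
	size_t count;
};

static int managed_add(struct managed_dev *dev, action_fn fn, void *data)
{
	assert(dev != NULL && fn != NULL);
	if (dev->count == MAX_ACTIONS)
		return -1;
	dev->actions[dev->count].fn = fn;
	dev->actions[dev->count].data = data;
	dev->count++;
	return 0;
}

/* Run cleanup actions last-registered-first. */
static void managed_release_all(struct managed_dev *dev)
{
	while (dev->count > 0) {
		dev->count--;
		dev->actions[dev->count].fn(dev->actions[dev->count].data);
	}
}

struct cmdq_state {
	int pm_enabled;
	int shutdown_without_pm;	/* models the WARN_ON from the report */
};

static void pm_disable(void *data)
{
	((struct cmdq_state *)data)->pm_enabled = 0;
}

static void mbox_unregister(void *data)
{
	struct cmdq_state *s = data;

	/* Shutdown needs runtime PM; record the problem if it is already off. */
	if (!s->pm_enabled)
		s->shutdown_without_pm = 1;
}

/* Returns 1 if the mailbox was torn down after runtime PM was disabled. */
static int probe_and_remove(int fixed_order)
{
	struct cmdq_state s = { .pm_enabled = 1, .shutdown_without_pm = 0 };
	struct managed_dev dev = { .count = 0 };

	if (fixed_order) {
		managed_add(&dev, pm_disable, &s);	/* PM enabled first */
		managed_add(&dev, mbox_unregister, &s);
	} else {
		managed_add(&dev, mbox_unregister, &s);	/* mailbox first */
		managed_add(&dev, pm_disable, &s);
	}
	managed_release_all(&dev);
	return s.shutdown_without_pm;
}
```

In this model the original registration order tears down runtime PM before the mailbox, and the reordered probe does not.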

9 months, 4 weeks


[PATCH 5.15] tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

by mingli.yu＠eng.windriver.com

From: Mingli Yu <mingli.yu(a)windriver.com> commit 9462f4ca56e7d2430fdb6dcc8498244acbfc4489 upstream. BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 
mm/slub.c:4580
 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

[Analysis]
gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multiple threads through ioctl, which leads to a use-after-free. Protect it with the gsm tx lock.

Signed-off-by: Longlong Xia <xialonglong(a)kylinos.cn>
Cc: stable <stable(a)kernel.org>
Suggested-by: Jiri Slaby <jirislaby(a)kernel.org>
Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
[Mingli: Backport to fix CVE-2024-50073, no guard macro defined resolution]
Signed-off-by: Mingli Yu <mingli.yu(a)windriver.com>
---
 drivers/tty/n_gsm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index aae9f73585bd..1becbdf7c470 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -2443,6 +2443,7 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)
 	int i;
 	struct gsm_dlci *dlci;
 	struct gsm_msg *txq, *ntxq;
+	unsigned long flags;
 
 	gsm->dead = true;
 	mutex_lock(&gsm->mutex);
@@ -2471,9 +2472,12 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)
 	mutex_unlock(&gsm->mutex);
 	/* Now wipe the queues */
 	tty_ldisc_flush(gsm->tty);
+
+	spin_lock_irqsave(&gsm->tx_lock, flags);
 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list)
 		kfree(txq);
 	INIT_LIST_HEAD(&gsm->tx_list);
+	spin_unlock_irqrestore(&gsm->tx_lock, flags);
 }
 
 /**
-- 
2.34.1
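
The fix amounts to draining the transmit queue only while holding the same lock that protects insertions, so two concurrent cleanups cannot free the same message. A userspace sketch of that pattern follows, assuming a pthread mutex in place of the kernel spinlock and a hand-rolled singly linked list in place of list_head; struct mux, mux_queue() and mux_wipe_queue() are hypothetical names.

```c
#include <assert.h>
#include <pthread.h>
#include <stdlib.h>

struct msg {
	struct msg *next;
};

/* Hypothetical stand-in for gsm_mux: a tx queue guarded by tx_lock. */
struct mux {
	pthread_mutex_t tx_lock;
	struct msg *tx_head;
};

/* Queue one empty message; returns 0 on success, -1 on allocation failure. */
static int mux_queue(struct mux *m)
{
	struct msg *msg = malloc(sizeof(*msg));

	assert(m != NULL);
	if (!msg)
		return -1;

	pthread_mutex_lock(&m->tx_lock);
	msg->next = m->tx_head;
	m->tx_head = msg;
	pthread_mutex_unlock(&m->tx_lock);
	return 0;
}

/*
 * Free every queued message under tx_lock and leave the queue empty.
 * A second caller racing with this one blocks on the lock and then finds
 * nothing left to free. Returns the number of messages freed.
 */
static unsigned int mux_wipe_queue(struct mux *m)
{
	unsigned int freed = 0;

	assert(m != NULL);
	pthread_mutex_lock(&m->tx_lock);
	while (m->tx_head) {
		struct msg *next = m->tx_head->next;

		free(m->tx_head);
		m->tx_head = next;
		freed++;
	}
	pthread_mutex_unlock(&m->tx_lock);
	return freed;
}
```

Calling mux_wipe_queue() twice in a row is harmless in this model, because the list head is reset inside the same critical section that frees the entries.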

9 months, 4 weeks


[PATCH v6.1] drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer

by Vamsi Krishna Brahmajosyula

From: Philip Yang <Philip.Yang(a)amd.com> [ Upstream commit c86ad39140bbcb9dc75a10046c2221f657e8083b ] Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug. Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Acked-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Vamsi Krishna Brahmajosyula <vamsi-krishna.brahmajosyula(a)broadcom.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +++++++------- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++-- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 4 ++-- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c index 5d9a34601a1a..c31e5f9d63da 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c @@ -344,15 +344,15 @@ int amdgpu_amdkfd_alloc_gtt_mem(struct amdgpu_device *adev, size_t size, return r; } -void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj) +void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj) { - struct amdgpu_bo *bo = (struct amdgpu_bo *) mem_obj; + struct amdgpu_bo **bo = (struct amdgpu_bo **) mem_obj; - amdgpu_bo_reserve(bo, true); - amdgpu_bo_kunmap(bo); - amdgpu_bo_unpin(bo); - amdgpu_bo_unreserve(bo); - amdgpu_bo_unref(&(bo)); + amdgpu_bo_reserve(*bo, true); + amdgpu_bo_kunmap(*bo); + amdgpu_bo_unpin(*bo); + amdgpu_bo_unreserve(*bo); + 
amdgpu_bo_unref(bo); } int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h index 4b694886715c..c7672a1d1560 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h @@ -210,7 +210,7 @@ int amdgpu_amdkfd_evict_userptr(struct kgd_mem *mem, struct mm_struct *mm) int amdgpu_amdkfd_alloc_gtt_mem(struct amdgpu_device *adev, size_t size, void **mem_obj, uint64_t *gpu_addr, void **cpu_ptr, bool mqd_gfx9); -void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj); +void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj); int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size, void **mem_obj); void amdgpu_amdkfd_free_gws(struct amdgpu_device *adev, void *mem_obj); diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c index e3cd66c4d95d..f83574107eb8 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c @@ -408,7 +408,7 @@ static int kfd_ioctl_create_queue(struct file *filep, struct kfd_process *p, err_create_queue: if (wptr_bo) - amdgpu_amdkfd_free_gtt_mem(dev->adev, wptr_bo); + amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&wptr_bo); err_wptr_map_gart: err_alloc_doorbells: err_bind_process: diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c index 27820f0a282d..e2c055abfea9 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c @@ -673,7 +673,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd, kfd_doorbell_error: kfd_gtt_sa_fini(kfd); kfd_gtt_sa_init_error: - amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem); + amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem); alloc_gtt_mem_failure: if (kfd->gws) amdgpu_amdkfd_free_gws(kfd->adev, kfd->gws); @@ -693,7 +693,7 @@ void 
kgd2kfd_device_exit(struct kfd_dev *kfd) kfd_doorbell_fini(kfd); ida_destroy(&kfd->doorbell_ida); kfd_gtt_sa_fini(kfd); - amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem); + amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem); if (kfd->gws) amdgpu_amdkfd_free_gws(kfd->adev, kfd->gws); } diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c index 1b7b29426480..3ab0a796af06 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c @@ -2392,7 +2392,7 @@ static void deallocate_hiq_sdma_mqd(struct kfd_dev *dev, { WARN(!mqd, "No hiq sdma mqd trunk to free"); - amdgpu_amdkfd_free_gtt_mem(dev->adev, mqd->gtt_mem); + amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem); } void device_queue_manager_uninit(struct device_queue_manager *dqm) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c index 623ccd227b7d..c733d6888c30 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c @@ -204,7 +204,7 @@ void kfd_free_mqd_cp(struct mqd_manager *mm, void *mqd, struct kfd_mem_obj *mqd_mem_obj) { if (mqd_mem_obj->gtt_mem) { - amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, mqd_mem_obj->gtt_mem); + amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, &mqd_mem_obj->gtt_mem); kfree(mqd_mem_obj); } else { kfd_gtt_sa_free(mm->dev, mqd_mem_obj); diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c index 5bca6abd55ae..9582c9449fff 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c @@ -1052,7 +1052,7 @@ static void kfd_process_destroy_pdds(struct kfd_process *p) if (pdd->dev->shared_resources.enable_mes) amdgpu_amdkfd_free_gtt_mem(pdd->dev->adev, - pdd->proc_ctx_bo); + &pdd->proc_ctx_bo); /* * before destroying pdd, make sure to report availability * for auto suspend diff 
--git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c index 99aa8a8399d6..1918a3c06ac8 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c @@ -441,9 +441,9 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid) if (dev->shared_resources.enable_mes) { amdgpu_amdkfd_free_gtt_mem(dev->adev, - pqn->q->gang_ctx_bo); + &pqn->q->gang_ctx_bo); if (pqn->q->wptr_bo) - amdgpu_amdkfd_free_gtt_mem(dev->adev, pqn->q->wptr_bo); + amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&pqn->q->wptr_bo); } uninit_queue(pqn->q); -- 2.39.4
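
The difference between the old and new signatures of amdgpu_amdkfd_free_gtt_mem() can be illustrated with a small user-space sketch. Everything named demo_* below is hypothetical and is not part of the amdgpu driver. The only assumption carried over from the patch is that the unref helper takes the address of a pointer and sets that pointer to NULL. The by-reference variant is written with a temporary instead of the pointer cast used in the patch, so it stays strictly conforming C.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for a reference-counted buffer object. */
struct demo_bo {
	int refcount;
};

static struct demo_bo *demo_bo_alloc(void)
{
	struct demo_bo *bo = malloc(sizeof(*bo));

	if (bo)
		bo->refcount = 1;
	return bo;
}

/* Same convention as the unref helper in the patch: drop one reference
 * and set the pointer whose address was passed in to NULL.
 */
static void demo_bo_unref(struct demo_bo **bo)
{
	if (!bo || !*bo)
		return;
	if (--(*bo)->refcount == 0)
		free(*bo);
	*bo = NULL;
}

/* Old shape: the pointer arrives by value, so only the local copy is
 * cleared and the caller keeps whatever value it had.
 */
static void demo_free_by_value(void *mem_obj)
{
	struct demo_bo *bo = mem_obj;

	demo_bo_unref(&bo);	/* clears 'bo', not the caller's pointer */
}

/* New shape: the caller passes the address of its pointer, so the
 * caller's pointer ends up NULL after the call.
 */
static void demo_free_by_ref(void **mem_obj)
{
	struct demo_bo *bo = *mem_obj;

	demo_bo_unref(&bo);
	*mem_obj = bo;		/* bo is NULL here */
}
```

With the by-value variant the caller is left holding a non-NULL pointer that may already have been freed, which is the use-after-free hazard the commit message describes.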

9 months, 4 weeks

[PATCH 6.1] mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()

by bin.lan.cn＠eng.windriver.com

From: "Jason-JH.Lin" <jason-jh.lin(a)mediatek.com> [ Upstream commit a8bd68e4329f9a0ad1b878733e0f80be6a971649 ] When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs. According to the call trace below: cmdq_mbox_shutdown mbox_free_channel mbox_controller_unregister __devm_mbox_controller_unregister ... The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below: 1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shutdown() will be called after cmdq_remove(). 2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister(). To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister().
Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver") Signed-off-by: Jason-JH.Lin <jason-jh.lin(a)mediatek.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Jassi Brar <jassisinghbrar(a)gmail.com> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/mailbox/mtk-cmdq-mailbox.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c index 9465f9081515..3d369c23970c 100644 --- a/drivers/mailbox/mtk-cmdq-mailbox.c +++ b/drivers/mailbox/mtk-cmdq-mailbox.c @@ -605,18 +605,18 @@ static int cmdq_probe(struct platform_device *pdev) cmdq->mbox.chans[i].con_priv = (void *)&cmdq->thread[i]; } - err = devm_mbox_controller_register(dev, &cmdq->mbox); - if (err < 0) { - dev_err(dev, "failed to register mailbox: %d\n", err); - return err; - } - platform_set_drvdata(pdev, cmdq); WARN_ON(clk_bulk_prepare(cmdq->gce_num, cmdq->clocks)); cmdq_init(cmdq); + err = devm_mbox_controller_register(dev, &cmdq->mbox); + if (err < 0) { + dev_err(dev, "failed to register mailbox: %d\n", err); + return err; + } + return 0; } -- 2.34.1
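
The ordering argument in this commit message rests on device-managed resources being released in the reverse order of their registration. The following is a minimal user-space model of that rule, not kernel code: struct demo_dev, demo_devm_add() and the other demo_* names are hypothetical, and the two release callbacks only record that they ran.

```c
#include <stddef.h>

#define DEMO_MAX_ACTIONS 8

enum demo_event {
	DEMO_PM_RUNTIME_DISABLE = 1,
	DEMO_MBOX_UNREGISTER,
};

typedef void (*demo_release_fn)(void);

/* Hypothetical stand-in for a device's list of managed resources. */
struct demo_dev {
	demo_release_fn actions[DEMO_MAX_ACTIONS];
	size_t nr_actions;
};

/* Records the order in which release callbacks actually ran. */
static enum demo_event demo_log[DEMO_MAX_ACTIONS];
static size_t demo_log_len;

static void demo_pm_runtime_disable(void)
{
	demo_log[demo_log_len++] = DEMO_PM_RUNTIME_DISABLE;
}

static void demo_mbox_unregister(void)
{
	/* In the real driver this path ends up needing runtime PM. */
	demo_log[demo_log_len++] = DEMO_MBOX_UNREGISTER;
}

/* Register a release callback; later registrations are released first. */
static int demo_devm_add(struct demo_dev *dev, demo_release_fn fn)
{
	if (dev->nr_actions >= DEMO_MAX_ACTIONS)
		return -1;
	dev->actions[dev->nr_actions++] = fn;
	return 0;
}

/* Run all release callbacks in reverse registration order (LIFO). */
static void demo_devm_release_all(struct demo_dev *dev)
{
	while (dev->nr_actions > 0)
		dev->actions[--dev->nr_actions]();
}
```

Registering the runtime PM action first and the mailbox action second makes the mailbox unregister run first at teardown, while runtime PM is still enabled. That is the order the patch establishes in cmdq_probe().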

9 months, 4 weeks

[PATCH] ARM: dts: ti/omap: gta04: fix pm issues caused by spi module

by Andreas Kemnade

Despite CM_IDLEST1_CORE and CM_FCLKEN1_CORE behaving normally, disabling SPI leads to messages like: Powerdomain (core_pwrdm) didn't enter target state 0 and, according to /sys/kernel/debug/pm_debug/count, the off state is not entered. That was not connected to SPI during the discussion of disabling SPI. See: https://lore.kernel.org/linux-omap/20230122100852.32ae082c@aktux/ Fix excess DMA channel usage by disabling DMA only instead of disabling the SPI modules, so power management can do all its work. Fixes: a622310f7f01 ("ARM: dts: gta04: fix excess dma channel usage") CC: stable(a)vger.kernel.org Signed-off-by: Andreas Kemnade <andreas(a)kemnade.info> --- arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi b/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi index 3661340009e7a..11f8af34498b1 100644 --- a/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi +++ b/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi @@ -612,19 +612,23 @@ &i2c3 { }; &mcspi1 { - status = "disabled"; + /delete-property/ dmas; + /delete-property/ dma-names; }; &mcspi2 { - status = "disabled"; + /delete-property/ dmas; + /delete-property/ dma-names; }; &mcspi3 { - status = "disabled"; + /delete-property/ dmas; + /delete-property/ dma-names; }; &mcspi4 { - status = "disabled"; + /delete-property/ dmas; + /delete-property/ dma-names; }; &usb_otg_hs { -- 2.39.2

9 months, 4 weeks

[PATCH 6.1 0/1] arm64: esr: Define ESR_ELx_EC_* constants as UL

by Anastasia Belova

Incorrect casting is possible in the 6.1 stable release when using ESR_ELx_EC_* constants. The problem has been fixed by the following upstream patch, which was adapted to 6.1. The patch couldn't be applied cleanly, but the changes made are minor. Found by Linux Verification Center (linuxtesting.org) with SVACE.

9 months, 4 weeks

[tip: timers/urgent] ntp: Remove invalid cast in time offset math

by tip-bot2 for Marcelo Dalmas

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: f5807b0606da7ac7c1b74a386b22134ec7702d05 Gitweb: https://git.kernel.org/tip/f5807b0606da7ac7c1b74a386b22134ec7702d05 Author: Marcelo Dalmas <marcelo.dalmas(a)ge.com> AuthorDate: Mon, 25 Nov 2024 12:16:09 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 28 Nov 2024 12:02:38 +01:00 ntp: Remove invalid cast in time offset math Due to an unsigned cast, adjtimex() returns the wrong offset when using ADJ_MICRO and the offset is negative. In this case a small negative offset returns approximately 4.29 seconds (~ 2^32/1000 milliseconds) due to the unsigned cast of the negative offset. This cast was added when the kernel internal struct timex was changed to use type long long for the time offset value to address the problem of a 64bit/32bit division on 32bit systems. The correct cast would have been (s32), which is correct as time_offset can only be in the range of [INT_MIN..INT_MAX] because the shift constant used for calculating it is 32. But that's non-obvious. Remove the cast and use div_s64() to cure the issue.
[ tglx: Fix white space damage, use div_s64() and amend the change log ] Fixes: ead25417f82e ("timex: use __kernel_timex internally") Signed-off-by: Marcelo Dalmas <marcelo.dalmas(a)ge.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/SJ0P101MB03687BF7D5A10FD3C49C51E5F42E2@SJ0P101M… --- kernel/time/ntp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index b550ebe..163e7a2 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -798,7 +798,7 @@ int __do_adjtimex(struct __kernel_timex *txc, const struct timespec64 *ts, txc->offset = shift_right(ntpdata->time_offset * NTP_INTERVAL_FREQ, NTP_SCALE_SHIFT); if (!(ntpdata->time_status & STA_NANO)) - txc->offset = (u32)txc->offset / NSEC_PER_USEC; + txc->offset = div_s64(txc->offset, NSEC_PER_USEC); } result = ntpdata->time_state;
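
The arithmetic behind the "approximately 4.29 seconds" figure can be reproduced in user space. This is a sketch under assumptions: the demo_* names and DEMO_NSEC_PER_USEC are hypothetical, and plain signed division stands in for the kernel's div_s64(), which computes the same quotient for these inputs.

```c
#include <stdint.h>

#define DEMO_NSEC_PER_USEC 1000L

/* Buggy shape: truncating to an unsigned 32-bit value discards the sign,
 * so a small negative offset becomes a value just below 2^32.
 */
static long long demo_offset_usec_u32(long long offset_ns)
{
	return (uint32_t)offset_ns / DEMO_NSEC_PER_USEC;
}

/* Fixed shape: signed 64-bit division keeps the sign of the offset. */
static long long demo_offset_usec_s64(long long offset_ns)
{
	return offset_ns / DEMO_NSEC_PER_USEC;
}
```

For an offset of -1000 ns, the cast yields 4294966296, and dividing by 1000 gives 4294966 microseconds, or about 4.29 seconds. The signed division gives -1 microsecond. For non-negative offsets that fit in 32 bits, both variants agree.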

9 months, 4 weeks

[PATCH net v2] net_sched: sch_fq: don't follow the fast path if Tx is behind now

by Jakub Kicinski

Recent kernels cause a lot of TCP retransmissions [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 2.24 GBytes 19.2 Gbits/sec 2767 442 KBytes [ 5] 1.00-2.00 sec 2.23 GBytes 19.1 Gbits/sec 2312 350 KBytes ^^^^ Replacing the qdisc with pfifo makes retransmissions go away. It appears that a flow may have a delayed packet with a very near Tx time. Later, we may get busy processing Rx and the target Tx time will pass, but we won't service Tx since the CPU is busy with Rx. If Rx sees an ACK and we try to push more data for the delayed flow we may fastpath the skb, not realizing that there are already "ready to send" packets for this flow sitting in the qdisc. Don't trust the fastpath if we are "behind" according to the projected Tx time for next flow waiting in the Qdisc. Because we consider anything within the offload window to be okay for fastpath we must consider the entire offload window as "now". Qdisc config: qdisc fq 8001: dev eth0 parent 1234:1 limit 10000p flow_limit 100p \ buckets 32768 orphan_mask 1023 bands 3 \ priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 \ weights 589824 196608 65536 quantum 3028b initial_quantum 15140b \ low_rate_threshold 550Kbit \ refill_delay 40ms timer_slack 10us horizon 10s horizon_drop For iperf this change seems to do fine, the reordering is gone. The fastpath still gets used most of the time: gc 0 highprio 0 fastpath 142614 throttled 418309 latency 19.1us xx_behind 2731 where "xx_behind" counts how many times we hit the new "return false". 
CC: stable(a)vger.kernel.org Fixes: 076433bd78d7 ("net_sched: sch_fq: add fast path for mostly idle qdisc") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> --- v2: - use Eric's condition (fix offload, don't care about throttled) - throttled -> delayed - explicitly CC stable, it won't build on 6.12 because of the offload horizon, so make sure they don't just drop this v1: https://lore.kernel.org/20241122162108.2697803-1-kuba@kernel.org CC: jhs(a)mojatatu.com CC: xiyou.wangcong(a)gmail.com CC: jiri(a)resnulli.us --- net/sched/sch_fq.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c index a97638bef6da..a5e87f9ea986 100644 --- a/net/sched/sch_fq.c +++ b/net/sched/sch_fq.c @@ -332,6 +332,12 @@ static bool fq_fastpath_check(const struct Qdisc *sch, struct sk_buff *skb, */ if (q->internal.qlen >= 8) return false; + + /* Ordering invariants fall apart if some delayed flows + * are ready but we haven't serviced them, yet. + */ + if (q->time_next_delayed_flow <= now + q->offload_horizon) + return false; } sk = skb->sk; -- 2.47.0
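
The added check can be read in isolation as a predicate over three timestamps. The sketch below is a simplified model, not the sch_fq code: struct demo_fq and demo_fastpath_allowed() are hypothetical, only the two fields used by the new condition are kept, and all other fastpath conditions are omitted.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical subset of the qdisc state used by the new check. */
struct demo_fq {
	uint64_t time_next_delayed_flow;	/* earliest Tx time of a delayed flow, ns */
	uint64_t offload_horizon;		/* window treated as "now", ns */
};

/* Returns false when a delayed flow is already due, or becomes due
 * within the offload window, meaning the qdisc is "behind" and the
 * fastpath could reorder packets.
 */
static bool demo_fastpath_allowed(const struct demo_fq *q, uint64_t now)
{
	if (q->time_next_delayed_flow <= now + q->offload_horizon)
		return false;
	return true;
}
```

The comparison uses `<=`, so a delayed flow whose Tx time falls exactly at the end of the offload window also disables the fastpath.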

9 months, 4 weeks

[PATCH v2] ALSA: core: Fix possible NULL dereference caused by kunit_kzalloc()

by Gax-c

From: Zichen Xie <zichenxie0106(a)gmail.com> kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add NULL checks for all the kunit_kzalloc() in sound_kunit.c Fixes: 3e39acf56ede ("ALSA: core: Add sound core KUnit test") Signed-off-by: Zichen Xie <zichenxie0106(a)gmail.com> Cc: stable(a)vger.kernel.org --- v2: Add Fixes tag. --- sound/core/sound_kunit.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/sound/core/sound_kunit.c b/sound/core/sound_kunit.c index bfed1a25fc8f..84e337ecbddd 100644 --- a/sound/core/sound_kunit.c +++ b/sound/core/sound_kunit.c @@ -172,6 +172,7 @@ static void test_format_fill_silence(struct kunit *test) u32 i, j; buffer = kunit_kzalloc(test, SILENCE_BUFFER_SIZE, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer); for (i = 0; i < ARRAY_SIZE(buf_samples); i++) { for (j = 0; j < ARRAY_SIZE(valid_fmt); j++) @@ -208,8 +209,12 @@ static void test_playback_avail(struct kunit *test) struct snd_pcm_runtime *r = kunit_kzalloc(test, sizeof(*r), GFP_KERNEL); u32 i; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, r); + r->status = kunit_kzalloc(test, sizeof(*r->status), GFP_KERNEL); r->control = kunit_kzalloc(test, sizeof(*r->control), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, r->status); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, r->control); for (i = 0; i < ARRAY_SIZE(p_avail_data); i++) { r->buffer_size = p_avail_data[i].buffer_size; @@ -232,8 +237,12 @@ static void test_capture_avail(struct kunit *test) struct snd_pcm_runtime *r = kunit_kzalloc(test, sizeof(*r), GFP_KERNEL); u32 i; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, r); + r->status = kunit_kzalloc(test, sizeof(*r->status), GFP_KERNEL); r->control = kunit_kzalloc(test, sizeof(*r->control), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, r->status); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, r->control); for (i = 0; i < ARRAY_SIZE(c_avail_data); i++) { r->buffer_size = c_avail_data[i].buffer_size; @@ -247,6 +256,7 @@ static void 
test_capture_avail(struct kunit *test) static void test_card_set_id(struct kunit *test) { struct snd_card *card = kunit_kzalloc(test, sizeof(*card), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, card); snd_card_set_id(card, VALID_NAME); KUNIT_EXPECT_STREQ(test, card->id, VALID_NAME); @@ -280,6 +290,7 @@ static void test_pcm_format_name(struct kunit *test) static void test_card_add_component(struct kunit *test) { struct snd_card *card = kunit_kzalloc(test, sizeof(*card), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, card); snd_component_add(card, TEST_FIRST_COMPONENT); KUNIT_ASSERT_STREQ(test, card->components, TEST_FIRST_COMPONENT); -- 2.34.1

10 months

+ ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next-v2.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: update seq_file index in ocfs2_dlm_seq_next has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next-v2.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wengang Wang <wen.gang.wang(a)oracle.com> Subject: ocfs2: update seq_file index in ocfs2_dlm_seq_next Date: Tue, 19 Nov 2024 09:45:00 -0800 The following INFO level message was seen: seq_file: buggy .next function ocfs2_dlm_seq_next [ocfs2] did not update position index Fix: Update *pos (so m->index) to make seq_read_iter happy though the index itself makes no sense to ocfs2_dlm_seq_next.
Link: https://lkml.kernel.org/r/20241119174500.9198-1-wen.gang.wang@oracle.com Signed-off-by: Wengang Wang <wen.gang.wang(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/dlmglue.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/ocfs2/dlmglue.c~ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next-v2 +++ a/fs/ocfs2/dlmglue.c @@ -3110,6 +3110,7 @@ static void *ocfs2_dlm_seq_next(struct s struct ocfs2_lock_res *iter = v; struct ocfs2_lock_res *dummy = &priv->p_iter_res; + (*pos)++; spin_lock(&ocfs2_dlm_tracking_lock); iter = ocfs2_dlm_next_res(iter, priv); list_del_init(&dummy->l_debug_list); _ Patches currently in -mm which might be from wen.gang.wang(a)oracle.com are ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next-v2.patch
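
The contract the INFO message complains about is that a .next callback has to advance the position it is given, even when the iterator does not use the index itself. The following user-space model shows the difference. It is only a sketch: the demo_* names are hypothetical and the walker is a simplified stand-in for the seq_file core, not its real logic.

```c
#include <stddef.h>

/* Hypothetical singly linked list being iterated. */
struct demo_node {
	struct demo_node *next;
};

/* Buggy shape: returns the next element but leaves *pos untouched. */
static void *demo_next_buggy(void *v, long long *pos)
{
	(void)pos;
	return ((struct demo_node *)v)->next;
}

/* Fixed shape: bump *pos before moving on, as the patch does. */
static void *demo_next_fixed(void *v, long long *pos)
{
	(*pos)++;
	return ((struct demo_node *)v)->next;
}

/* Walk the list through the given callback and count the calls that
 * did not change the position index.
 */
static int demo_count_stale_pos(struct demo_node *head,
				void *(*next)(void *, long long *))
{
	long long pos = 0;
	int stale = 0;
	void *v = head;

	while (v) {
		long long before = pos;

		v = next(v, &pos);
		if (pos == before)
			stale++;
	}
	return stale;
}
```

Each call counted as stale here corresponds to a situation in which the real seq_file core would report a buggy .next function.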

10 months

+ stackdepot-fix-stack_depot_save_flags-in-nmi-context.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: stackdepot: fix stack_depot_save_flags() in NMI context has been added to the -mm mm-hotfixes-unstable branch. Its filename is stackdepot-fix-stack_depot_save_flags-in-nmi-context.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marco Elver <elver(a)google.com> Subject: stackdepot: fix stack_depot_save_flags() in NMI context Date: Fri, 22 Nov 2024 16:39:47 +0100 Per documentation, stack_depot_save_flags() was meant to be usable from NMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset. However, it still would try to take the pool_lock in an attempt to save a stack trace in the current pool (if space is available). This could result in deadlock if an NMI is handled while pool_lock is already held. To avoid deadlock, only try to take the lock in NMI context and give up if unsuccessful. The documentation is fixed to clearly convey this. 
Link: https://lkml.kernel.org/r/Z0CcyfbPqmxJ9uJH@elver.google.com Link: https://lkml.kernel.org/r/20241122154051.3914732-1-elver@google.com Fixes: 4434a56ec209 ("stackdepot: make fast paths lock-less again") Signed-off-by: Marco Elver <elver(a)google.com> Reported-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Reviewed-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/stackdepot.h | 6 +++--- lib/stackdepot.c | 10 +++++++++- 2 files changed, 12 insertions(+), 4 deletions(-) --- a/include/linux/stackdepot.h~stackdepot-fix-stack_depot_save_flags-in-nmi-context +++ a/include/linux/stackdepot.h @@ -147,7 +147,7 @@ static inline int stack_depot_early_init * If the provided stack trace comes from the interrupt context, only the part * up to the interrupt entry is saved. * - * Context: Any context, but setting STACK_DEPOT_FLAG_CAN_ALLOC is required if + * Context: Any context, but unsetting STACK_DEPOT_FLAG_CAN_ALLOC is required if * alloc_pages() cannot be used from the current context. Currently * this is the case for contexts where neither %GFP_ATOMIC nor * %GFP_NOWAIT can be used (NMI, raw_spin_lock). 
@@ -156,7 +156,7 @@ static inline int stack_depot_early_init */ depot_stack_handle_t stack_depot_save_flags(unsigned long *entries, unsigned int nr_entries, - gfp_t gfp_flags, + gfp_t alloc_flags, depot_flags_t depot_flags); /** @@ -175,7 +175,7 @@ depot_stack_handle_t stack_depot_save_fl * Return: Handle of the stack trace stored in depot, 0 on failure */ depot_stack_handle_t stack_depot_save(unsigned long *entries, - unsigned int nr_entries, gfp_t gfp_flags); + unsigned int nr_entries, gfp_t alloc_flags); /** * __stack_depot_get_stack_record - Get a pointer to a stack_record struct --- a/lib/stackdepot.c~stackdepot-fix-stack_depot_save_flags-in-nmi-context +++ a/lib/stackdepot.c @@ -630,7 +630,15 @@ depot_stack_handle_t stack_depot_save_fl prealloc = page_address(page); } - raw_spin_lock_irqsave(&pool_lock, flags); + if (in_nmi()) { + /* We can never allocate in NMI context. */ + WARN_ON_ONCE(can_alloc); + /* Best effort; bail if we fail to take the lock. */ + if (!raw_spin_trylock_irqsave(&pool_lock, flags)) + goto exit; + } else { + raw_spin_lock_irqsave(&pool_lock, flags); + } printk_deferred_enter(); /* Try to find again, to avoid concurrently inserting duplicates. */ _ Patches currently in -mm which might be from elver(a)google.com are stackdepot-fix-stack_depot_save_flags-in-nmi-context.patch
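
The locking change in lib/stackdepot.c follows a general pattern: in a context that may have interrupted the lock holder, try the lock once and give up instead of spinning. Below is a user-space sketch of that pattern with a C11 atomic_flag spinlock. All demo_* names are hypothetical, the in_nmi condition is passed as a plain parameter, and the actual pool insertion is left out.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for pool_lock. */
static atomic_flag demo_pool_lock = ATOMIC_FLAG_INIT;

static bool demo_trylock(void)
{
	/* test_and_set returns the previous value: false means we got it. */
	return !atomic_flag_test_and_set_explicit(&demo_pool_lock,
						  memory_order_acquire);
}

static void demo_lock(void)
{
	while (!demo_trylock())
		;	/* spin until the holder releases the lock */
}

static void demo_unlock(void)
{
	atomic_flag_clear_explicit(&demo_pool_lock, memory_order_release);
}

/* Returns true if the save path ran, false if it bailed out. */
static bool demo_save(bool in_nmi)
{
	if (in_nmi) {
		/* Best effort: spinning here could deadlock if the
		 * interrupted code already holds the lock.
		 */
		if (!demo_trylock())
			return false;
	} else {
		demo_lock();
	}

	/* ... the stack record would be inserted into the pool here ... */

	demo_unlock();
	return true;
}
```

The cost of this choice is that a stack trace arriving in NMI context may be dropped while the lock is contended, which matches the "best effort" wording in the patch comment.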

10 months

+ mm-open-code-page_folio-in-dump_page.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: open-code page_folio() in dump_page() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-open-code-page_folio-in-dump_page.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Subject: mm: open-code page_folio() in dump_page() Date: Mon, 25 Nov 2024 20:17:19 +0000 page_folio() calls page_fixed_fake_head() which will misidentify this page as being a fake head and load off the end of 'precise'. We may have a pointer to a fake head, but that's OK because it contains the right information for dump_page(). 
gcc-15 is smart enough to catch this with -Warray-bounds: In function 'page_fixed_fake_head', inlined from '_compound_head' at ../include/linux/page-flags.h:251:24, inlined from '__dump_page' at ../mm/debug.c:123:11: ../include/asm-generic/rwonce.h:44:26: warning: array subscript 9 is outside +array bounds of 'struct page[1]' [-Warray-bounds=] Link: https://lkml.kernel.org/r/20241125201721.2963278-2-willy@infradead.org Fixes: fae7d834c43c ("mm: add __dump_folio()") Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Reported-by: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/debug.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/mm/debug.c~mm-open-code-page_folio-in-dump_page +++ a/mm/debug.c @@ -124,19 +124,22 @@ static void __dump_page(const struct pag { struct folio *foliop, folio; struct page precise; + unsigned long head; unsigned long pfn = page_to_pfn(page); unsigned long idx, nr_pages = 1; int loops = 5; again: memcpy(&precise, page, sizeof(*page)); - foliop = page_folio(&precise); - if (foliop == (struct folio *)&precise) { + head = precise.compound_head; + if ((head & 1) == 0) { + foliop = (struct folio *)&precise; idx = 0; if (!folio_test_large(foliop)) goto dump; foliop = (struct folio *)page; } else { + foliop = (struct folio *)(head - 1); idx = folio_page_idx(foliop, page); } _ Patches currently in -mm which might be from willy(a)infradead.org are mm-open-code-pagetail-in-folio_flags-and-const_folio_flags.patch mm-open-code-page_folio-in-dump_page.patch mm-page_alloc-cache-page_zone-result-in-free_unref_page.patch mm-make-alloc_pages_mpol-static.patch mm-page_alloc-export-free_frozen_pages-instead-of-free_unref_page.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-post_alloc_hook.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-prep_new_page.patch 
mm-page_alloc-move-set_page_refcounted-to-callers-of-get_page_from_freelist.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_cpuset_fallback.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_may_oom.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_direct_compact.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_direct_reclaim.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_slowpath.patch mm-page_alloc-move-set_page_refcounted-to-end-of-__alloc_pages.patch mm-page_alloc-add-__alloc_frozen_pages.patch mm-mempolicy-add-alloc_frozen_pages.patch slab-allocate-frozen-pages.patch
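
The open-coded test in the dump_page() patch above relies on the compound_head encoding: bit 0 set marks a tail page, and the remaining bits hold the address of the head page. A minimal user-space sketch of decoding such a tagged word follows. struct demo_page and demo_head_of() are hypothetical and keep only the one field that matters here.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical page descriptor with just the tagged head word. */
struct demo_page {
	uintptr_t compound_head;	/* bit 0 set: tail page, rest: head address */
};

/* Return the head page for 'page', or 'page' itself when bit 0 is clear. */
static struct demo_page *demo_head_of(struct demo_page *page)
{
	uintptr_t head = page->compound_head;

	if (head & 1)
		return (struct demo_page *)(head - 1);
	return page;
}
```

Because the decision depends only on the value stored in the word, it gives the same answer for a copy of the page on the stack. Helpers that also inspect neighbouring page structs would instead read past the end of a single-element copy, which is the out-of-bounds access the gcc-15 warning points at.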

10 months

+ mm-open-code-pagetail-in-folio_flags-and-const_folio_flags.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: open-code PageTail in folio_flags() and const_folio_flags() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-open-code-pagetail-in-folio_flags-and-const_folio_flags.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Subject: mm: open-code PageTail in folio_flags() and const_folio_flags() Date: Mon, 25 Nov 2024 20:17:18 +0000 It is unsafe to call PageTail() in dump_page() as page_is_fake_head() will almost certainly return true when called on a head page that is copied to the stack. That will cause the VM_BUG_ON_PGFLAGS() in const_folio_flags() to trigger when it shouldn't. Fortunately, we don't need to call PageTail() here; it's fine to have a pointer to a virtual alias of the page's flag word rather than the real page's flag word. 
Link: https://lkml.kernel.org/r/20241125201721.2963278-1-willy@infradead.org Fixes: fae7d834c43c ("mm: add __dump_folio()") Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Cc: Kees Cook <kees(a)kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page-flags.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/include/linux/page-flags.h~mm-open-code-pagetail-in-folio_flags-and-const_folio_flags +++ a/include/linux/page-flags.h @@ -306,7 +306,7 @@ static const unsigned long *const_folio_ { const struct page *page = &folio->page; - VM_BUG_ON_PGFLAGS(PageTail(page), page); + VM_BUG_ON_PGFLAGS(page->compound_head & 1, page); VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page); return &page[n].flags; } @@ -315,7 +315,7 @@ static unsigned long *folio_flags(struct { struct page *page = &folio->page; - VM_BUG_ON_PGFLAGS(PageTail(page), page); + VM_BUG_ON_PGFLAGS(page->compound_head & 1, page); VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page); return &page[n].flags; } _ Patches currently in -mm which might be from willy(a)infradead.org are mm-open-code-pagetail-in-folio_flags-and-const_folio_flags.patch mm-open-code-page_folio-in-dump_page.patch mm-page_alloc-cache-page_zone-result-in-free_unref_page.patch mm-make-alloc_pages_mpol-static.patch mm-page_alloc-export-free_frozen_pages-instead-of-free_unref_page.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-post_alloc_hook.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-prep_new_page.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-get_page_from_freelist.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_cpuset_fallback.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_may_oom.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_direct_compact.patch 
mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_direct_reclaim.patch mm-page_alloc-move-set_page_refcounted-to-callers-of-__alloc_pages_slowpath.patch mm-page_alloc-move-set_page_refcounted-to-end-of-__alloc_pages.patch mm-page_alloc-add-__alloc_frozen_pages.patch mm-mempolicy-add-alloc_frozen_pages.patch slab-allocate-frozen-pages.patch
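
The open-coded check in the PageTail patch above only looks at bit 0 of the compound_head word, so it gives the same answer for a page that has been copied to the stack. A minimal user-space sketch of that idea follows. struct fake_page and both helpers are hypothetical stand-ins for illustration, not the kernel's struct page or its API.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for the two fields of struct page used here. */
struct fake_page {
	unsigned long flags;
	unsigned long compound_head;	/* bit 0 set => this is a tail page */
};

/* Mark @tail as a tail of @head: store the head's address with bit 0 set. */
static void fake_set_compound_head(struct fake_page *tail,
				   struct fake_page *head)
{
	tail->compound_head = (unsigned long)(uintptr_t)head | 1UL;
}

/*
 * The open-coded test: it reads only the word inside the struct it was
 * given, so it does not care where that struct lives in memory.
 */
static bool fake_is_tail(const struct fake_page *page)
{
	return page->compound_head & 1;
}
```

A by-value copy of a head page still reports "not a tail" here, because nothing in the test depends on the address of the copy.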

10 months


+ mm-fix-vreallocs-kasan-poisoning-logic.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: fix vrealloc()'s KASAN poisoning logic has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-fix-vreallocs-kasan-poisoning-logic.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Andrii Nakryiko <andrii(a)kernel.org> Subject: mm: fix vrealloc()'s KASAN poisoning logic Date: Mon, 25 Nov 2024 16:52:06 -0800 When vrealloc() reuses already allocated vmap_area, we need to re-annotate poisoned and unpoisoned portions of underlying memory according to the new size. Note, hard-coding KASAN_VMALLOC_PROT_NORMAL might not be exactly correct, but KASAN flag logic is pretty involved and spread out throughout __vmalloc_node_range_noprof(), so I'm using the bare minimum flag here and leaving the rest to mm people to refactor this logic and reuse it here. 
Link: https://lkml.kernel.org/r/20241126005206.3457974-1-andrii@kernel.org Fixes: 3ddc2fefe6f3 ("mm: vmalloc: implement vrealloc()") Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/vmalloc.c~mm-fix-vreallocs-kasan-poisoning-logic +++ a/mm/vmalloc.c @@ -4093,7 +4093,8 @@ void *vrealloc_noprof(const void *p, siz /* Zero out spare memory. */ if (want_init_on_alloc(flags)) memset((void *)p + size, 0, old_size - size); - + kasan_poison_vmalloc(p + size, old_size - size); + kasan_unpoison_vmalloc(p, size, KASAN_VMALLOC_PROT_NORMAL); return (void *)p; } _ Patches currently in -mm which might be from andrii(a)kernel.org are mm-fix-vreallocs-kasan-poisoning-logic.patch
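
The re-annotation described in the vrealloc() patch above can be pictured with a toy shadow map. This is only a sketch under loud assumptions: real KASAN works on granules and tags, and the names shadow, sketch_poison(), sketch_unpoison() and sketch_shrink() are made up for illustration. Only the order of the two calls mirrors the patch.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 64

/* Hypothetical per-byte shadow: 1 = poisoned (access is a bug), 0 = usable. */
static unsigned char shadow[BUF_SIZE];

static void sketch_poison(size_t off, size_t len)
{
	memset(shadow + off, 1, len);
}

static void sketch_unpoison(size_t off, size_t len)
{
	memset(shadow + off, 0, len);
}

/*
 * Shrink an in-place allocation from old_size to size bytes, in the same
 * order as the patch: poison the tail that is no longer part of the
 * object, then unpoison the part that is still in use.
 */
static void sketch_shrink(size_t size, size_t old_size)
{
	sketch_poison(size, old_size - size);
	sketch_unpoison(0, size);
}

static int sketch_is_poisoned(size_t off)
{
	return shadow[off];
}
```

After shrinking a 48-byte object to 16 bytes, offsets 0..15 stay accessible and offsets 16..47 are flagged, which is the state the patch restores when the vmap_area is reused.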

10 months


+ revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jan Kara <jack(a)suse.cz> Subject: Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()" Date: Tue, 26 Nov 2024 15:52:08 +0100 This reverts commit 7c877586da3178974a8a94577b6045a48377ff25. Anders and Philippe have reported that recent kernels occasionally hang when used with NFS in readahead code. The problem has been bisected to 7c877586da3 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()"). The cause of the problem is that ra->size can be shrunk by read_pages() call and subsequently we end up calling do_page_cache_ra() with negative (read huge positive) number of pages. Let's revert 7c877586da3 for now until we can find a proper way how the logic in read_pages() and page_cache_ra_order() can coexist. This can lead to reduced readahead throughput due to readahead window confusion but that's better than outright hangs. 
Link: https://lkml.kernel.org/r/20241126145208.985-1-jack@suse.cz Fixes: 7c877586da31 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()") Reported-by: Anders Blomdell <anders.blomdell(a)gmail.com> Reported-by: Philippe Troin <phil(a)fifi.org> Signed-off-by: Jan Kara <jack(a)suse.cz> Tested-by: Philippe Troin <phil(a)fifi.org> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/readahead.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/mm/readahead.c~revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra +++ a/mm/readahead.c @@ -460,8 +460,7 @@ void page_cache_ra_order(struct readahea struct file_ra_state *ra, unsigned int new_order) { struct address_space *mapping = ractl->mapping; - pgoff_t start = readahead_index(ractl); - pgoff_t index = start; + pgoff_t index = readahead_index(ractl); unsigned int min_order = mapping_min_folio_order(mapping); pgoff_t limit = (i_size_read(mapping->host) - 1) >> PAGE_SHIFT; pgoff_t mark = index + ra->size - ra->async_size; @@ -524,7 +523,7 @@ void page_cache_ra_order(struct readahea if (!err) return; fallback: - do_page_cache_ra(ractl, ra->size - (index - start), ra->async_size); + do_page_cache_ra(ractl, ra->size, ra->async_size); } static unsigned long ractl_max_pages(struct readahead_control *ractl, _ Patches currently in -mm which might be from jack(a)suse.cz are revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch
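
The "negative (read huge positive)" page count mentioned in the revert above is ordinary unsigned wraparound. A small sketch, assuming unsigned long operands for simplicity (the function name remaining_pages() is hypothetical and only mirrors the shape of the reverted expression):

```c
#include <limits.h>

/*
 * Same shape as the reverted expression: ra->size - (index - start).
 * If the window was shrunk after index had already advanced further
 * than the new size, the subtraction wraps around instead of going
 * negative.
 */
static unsigned long remaining_pages(unsigned long ra_size,
				     unsigned long index,
				     unsigned long start)
{
	return ra_size - (index - start);
}
```

With a window of 32 pages and 16 already consumed, the result is 16. If the window has meanwhile been shrunk to 8, the same call yields ULONG_MAX - 7, which is the value the fallback path would have been asked to read.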

10 months


+ mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: vmscan: ensure kswapd is woken up if the wait queue is active has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Seiji Nishikawa <snishika(a)redhat.com> Subject: mm: vmscan: ensure kswapd is woken up if the wait queue is active Date: Wed, 27 Nov 2024 00:06:12 +0900 Even after commit 501b26510ae3 ("vmstat: allow_direct_reclaim should use zone_page_state_snapshot"), a task may remain indefinitely stuck in throttle_direct_reclaim() while holding mm->rwsem. __alloc_pages_nodemask try_to_free_pages throttle_direct_reclaim This can cause numerous other tasks to wait on the same rwsem, leading to severe system hangups: [1088963.358712] INFO: task python3:1670971 blocked for more than 120 seconds. [1088963.365653] Tainted: G OE -------- - - 4.18.0-553.el8_10.aarch64 #1 [1088963.373887] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
[1088963.381862] task:python3 state:D stack:0 pid:1670971 ppid:1667117 flags:0x00800080 [1088963.381869] Call trace: [1088963.381872] __switch_to+0xd0/0x120 [1088963.381877] __schedule+0x340/0xac8 [1088963.381881] schedule+0x68/0x118 [1088963.381886] rwsem_down_read_slowpath+0x2d4/0x4b8 The issue arises when allow_direct_reclaim(pgdat) returns false, preventing progress even when the pgdat->pfmemalloc_wait wait queue is empty. Despite the wait queue being empty, the condition, allow_direct_reclaim(pgdat), may still be returning false, causing it to continue looping. In some cases, reclaimable pages exist (zone_reclaimable_pages() returns > 0), but calculations of pfmemalloc_reserve and free_pages result in wmark_ok being false. And then, despite the pgdat->kswapd_wait queue being non-empty, kswapd is not woken up, further exacerbating the problem: crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_highest_zoneidx $775 = __MAX_NR_ZONES This patch modifies allow_direct_reclaim() to wake kswapd if the pgdat->kswapd_wait queue is active, regardless of whether wmark_ok is true or false. This change ensures kswapd does not miss wake-ups under high memory pressure, reducing the risk of task stalls in the throttled reclaim path. 
Link: https://lkml.kernel.org/r/20241126150612.114561-1-snishika@redhat.com Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/mm/vmscan.c~mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active +++ a/mm/vmscan.c @@ -6389,8 +6389,8 @@ static bool allow_direct_reclaim(pg_data wmark_ok = free_pages > pfmemalloc_reserve / 2; - /* kswapd must be awake if processes are being throttled */ - if (!wmark_ok && waitqueue_active(&pgdat->kswapd_wait)) { + /* Always wake up kswapd if the wait queue is not empty */ + if (waitqueue_active(&pgdat->kswapd_wait)) { if (READ_ONCE(pgdat->kswapd_highest_zoneidx) > ZONE_NORMAL) WRITE_ONCE(pgdat->kswapd_highest_zoneidx, ZONE_NORMAL); _ Patches currently in -mm which might be from snishika(a)redhat.com are mm-vmscan-ensure-kswapd-is-woken-up-if-the-wait-queue-is-active.patch

10 months


+ selftests-damon-add-_damon_sysfspy-to-test_files.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftests/damon: add _damon_sysfs.py to TEST_FILES has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftests-damon-add-_damon_sysfspy-to-test_files.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Maximilian Heyne <mheyne(a)amazon.de> Subject: selftests/damon: add _damon_sysfs.py to TEST_FILES Date: Wed, 27 Nov 2024 12:08:53 +0000 When running selftests I encountered the following error message with some damon tests: # Traceback (most recent call last): # File "[...]/damon/./damos_quota.py", line 7, in <module> # import _damon_sysfs # ModuleNotFoundError: No module named '_damon_sysfs' Fix this by adding the _damon_sysfs.py file to TEST_FILES so that it will be available when running the respective damon selftests. 
Link: https://lkml.kernel.org/r/20241127-picks-visitor-7416685b-mheyne@amazon.de Fixes: 306abb63a8ca ("selftests/damon: implement a python module for test-purpose DAMON sysfs controls") Signed-off-by: Maximilian Heyne <mheyne(a)amazon.de> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/damon/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/testing/selftests/damon/Makefile~selftests-damon-add-_damon_sysfspy-to-test_files +++ a/tools/testing/selftests/damon/Makefile @@ -6,7 +6,7 @@ TEST_GEN_FILES += debugfs_target_ids_rea TEST_GEN_FILES += debugfs_target_ids_pid_leak TEST_GEN_FILES += access_memory access_memory_even -TEST_FILES = _chk_dependency.sh _debugfs_common.sh +TEST_FILES = _chk_dependency.sh _debugfs_common.sh _damon_sysfs.py # functionality tests TEST_PROGS = debugfs_attrs.sh debugfs_schemes.sh debugfs_target_ids.sh _ Patches currently in -mm which might be from mheyne(a)amazon.de are selftests-damon-add-_damon_sysfspy-to-test_files.patch

10 months


+ selftest-hugetlb_dio-fix-test-naming.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftest: hugetlb_dio: fix test naming has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftest-hugetlb_dio-fix-test-naming.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Mark Brown <broonie(a)kernel.org> Subject: selftest: hugetlb_dio: fix test naming Date: Wed, 27 Nov 2024 16:14:22 +0000 The string logged when a test passes or fails is used by the selftest framework to identify which test is being reported. The hugetlb_dio test not only uses the same strings for every test that is run but it also uses different strings for test passes and failures which means that test automation is unable to follow what the test is doing at all. Pull the existing duplicated logging of the number of free huge pages before and after the test out of the conditional and replace that and the logging of the result with a single ksft_print_result() which incorporates the parameters passed into the test into the output. 
Link: https://lkml.kernel.org/r/20241127-kselftest-mm-hugetlb-dio-names-v1-1-22aa… Fixes: fae1980347bf ("selftests: hugetlb_dio: fixup check for initial conditions to skip in the start") Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: Donet Tom <donettom(a)linux.ibm.com> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/hugetlb_dio.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) --- a/tools/testing/selftests/mm/hugetlb_dio.c~selftest-hugetlb_dio-fix-test-naming +++ a/tools/testing/selftests/mm/hugetlb_dio.c @@ -76,19 +76,15 @@ void run_dio_using_hugetlb(unsigned int /* Get the free huge pages after unmap*/ free_hpage_a = get_free_hugepages(); + ksft_print_msg("No. Free pages before allocation : %d\n", free_hpage_b); + ksft_print_msg("No. Free pages after munmap : %d\n", free_hpage_a); + /* * If the no. of free hugepages before allocation and after unmap does * not match - that means there could still be a page which is pinned. */ - if (free_hpage_a != free_hpage_b) { - ksft_print_msg("No. Free pages before allocation : %d\n", free_hpage_b); - ksft_print_msg("No. Free pages after munmap : %d\n", free_hpage_a); - ksft_test_result_fail(": Huge pages not freed!\n"); - } else { - ksft_print_msg("No. Free pages before allocation : %d\n", free_hpage_b); - ksft_print_msg("No. Free pages after munmap : %d\n", free_hpage_a); - ksft_test_result_pass(": Huge pages freed successfully !\n"); - } + ksft_test_result(free_hpage_a == free_hpage_b, + "free huge pages from %u-%u\n", start_off, end_off); } int main(void) _ Patches currently in -mm which might be from broonie(a)kernel.org are selftest-hugetlb_dio-fix-test-naming.patch
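
The naming point in the hugetlb_dio patch above is that the text after the test number has to be identical for a pass and a fail, and distinct per parameter set. A rough sketch of that property, using a hypothetical format_result() helper rather than the real kselftest macros (the "ok"/"not ok" prefix follows the usual TAP-style layout, which is an assumption about the exact output):

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Build one result line. Only the "ok"/"not ok" prefix depends on the
 * outcome; the name is derived from the test parameters alone, so
 * automation can match a failure to the same test that passed earlier.
 */
static int format_result(char *buf, size_t len, unsigned int num,
			 int passed, unsigned int start_off,
			 unsigned int end_off)
{
	return snprintf(buf, len, "%s %u free huge pages from %u-%u\n",
			passed ? "ok" : "not ok", num, start_off, end_off);
}
```

Stripping the prefix from a passing and a failing line for the same offsets leaves the same string, which was not true of the old "Huge pages not freed!" versus "Huge pages freed successfully !" messages.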

10 months


+ arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: arch_numa: restore nid checks before registering a memblock with a node has been added to the -mm mm-hotfixes-unstable branch. Its filename is arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marc Zyngier <maz(a)kernel.org> Subject: arch_numa: restore nid checks before registering a memblock with a node Date: Wed, 27 Nov 2024 19:30:00 +0000 Commit 767507654c22 ("arch_numa: switch over to numa_memblks") significantly cleaned up the NUMA registration code, but also dropped a significant check that was refusing to accept to configure a memblock with an invalid nid. 
On "quality hardware" such as my ThunderX machine, this results in a kernel that dies immediately: [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x431f0a10] [ 0.000000] Linux version 6.12.0-00013-g8920d74cf8db (maz@valley-girl) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #3872 SMP PREEMPT Wed Nov 27 15:25:49 GMT 2024 [ 0.000000] KASLR disabled due to lack of seed [ 0.000000] Machine model: Cavium ThunderX CN88XX board [ 0.000000] efi: EFI v2.4 by American Megatrends [ 0.000000] efi: ESRT=0xffce0ff18 SMBIOS 3.0=0xfffb0000 ACPI 2.0=0xffec60000 MEMRESERVE=0xffc905d98 [ 0.000000] esrt: Reserving ESRT space from 0x0000000ffce0ff18 to 0x0000000ffce0ff50. [ 0.000000] earlycon: pl11 at MMIO 0x000087e024000000 (options '115200n8') [ 0.000000] printk: legacy bootconsole [pl11] enabled [ 0.000000] NODE_DATA(0) allocated [mem 0xff6754580-0xff67566bf] [ 0.000000] Unable to handle kernel paging request at virtual address 0000000000001d40 [ 0.000000] Mem abort info: [ 0.000000] ESR = 0x0000000096000004 [ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.000000] SET = 0, FnV = 0 [ 0.000000] EA = 0, S1PTW = 0 [ 0.000000] FSC = 0x04: level 0 translation fault [ 0.000000] Data abort info: [ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 0.000000] [0000000000001d40] user address but active_mm is swapper [ 0.000000] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.12.0-00013-g8920d74cf8db #3872 [ 0.000000] Hardware name: Cavium ThunderX CN88XX board (DT) [ 0.000000] pstate: a00000c5 (NzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.000000] pc : sparse_init_nid+0x54/0x428 [ 0.000000] lr : sparse_init+0x118/0x240 [ 0.000000] sp : ffff800081da3cb0 [ 0.000000] x29: ffff800081da3cb0 x28: 0000000fedbab10c x27: 0000000000000001 [ 
0.000000] x26: 0000000ffee250f8 x25: 0000000000000001 x24: ffff800082102cd0 [ 0.000000] x23: 0000000000000001 x22: 0000000000000000 x21: 00000000001fffff [ 0.000000] x20: 0000000000000001 x19: 0000000000000000 x18: ffffffffffffffff [ 0.000000] x17: 0000000001b00000 x16: 0000000ffd130000 x15: 0000000000000000 [ 0.000000] x14: 00000000003e0000 x13: 00000000000001c8 x12: 0000000000000014 [ 0.000000] x11: ffff800081e82860 x10: ffff8000820fb2c8 x9 : ffff8000820fb490 [ 0.000000] x8 : 0000000000ffed20 x7 : 0000000000000014 x6 : 00000000001fffff [ 0.000000] x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000000 [ 0.000000] x2 : 0000000000000000 x1 : 0000000000000040 x0 : 0000000000000007 [ 0.000000] Call trace: [ 0.000000] sparse_init_nid+0x54/0x428 [ 0.000000] sparse_init+0x118/0x240 [ 0.000000] bootmem_init+0x70/0x1c8 [ 0.000000] setup_arch+0x184/0x270 [ 0.000000] start_kernel+0x74/0x670 [ 0.000000] __primary_switched+0x80/0x90 [ 0.000000] Code: f865d804 d37df060 cb030000 d2800003 (b95d4084) [ 0.000000] ---[ end trace 0000000000000000 ]--- [ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- while previous kernel versions were able to recognise how brain-damaged the machine is, and only build a fake node. Restoring the check brings back some sanity and a "working" system. 
Link: https://lkml.kernel.org/r/20241127193000.3702637-1-maz@kernel.org Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks") Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Zi Yan <ziy(a)nvidia.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/base/arch_numa.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/drivers/base/arch_numa.c~arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node +++ a/drivers/base/arch_numa.c @@ -207,7 +207,21 @@ static void __init setup_node_data(int n static int __init numa_register_nodes(void) { int nid; + struct memblock_region *mblk; + /* Check that valid nid is set to memblks */ + for_each_mem_region(mblk) { + int mblk_nid = memblock_get_region_node(mblk); + phys_addr_t start = mblk->base; + phys_addr_t end = mblk->base + mblk->size - 1; + + if (mblk_nid == NUMA_NO_NODE || mblk_nid >= MAX_NUMNODES) { + pr_warn("Warning: invalid memblk node %d [mem %pap-%pap]\n", + mblk_nid, &start, &end); + return -EINVAL; + } + } + /* Finally register nodes. */ for_each_node_mask(nid, numa_nodes_parsed) { unsigned long start_pfn, end_pfn; _ Patches currently in -mm which might be from maz(a)kernel.org are arch_numa-restore-nid-checks-before-registering-a-memblock-with-a-node.patch
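
The restored check in the arch_numa patch above boils down to "refuse to go on if any memory region carries an unusable node id". A user-space sketch of that loop follows. struct sketch_region, SKETCH_NO_NODE and SKETCH_MAX_NODES are hypothetical stand-ins for memblock regions, NUMA_NO_NODE and MAX_NUMNODES; the limit of 4 is arbitrary.

```c
#include <errno.h>
#include <stddef.h>

#define SKETCH_NO_NODE   (-1)	/* stand-in for NUMA_NO_NODE */
#define SKETCH_MAX_NODES 4	/* stand-in for MAX_NUMNODES, value arbitrary */

struct sketch_region {
	unsigned long base;
	unsigned long size;
	int nid;
};

/*
 * Return 0 when every region has a usable node id, -EINVAL as soon as
 * one does not, so the caller can fall back before touching per-node
 * data for a node that does not exist.
 */
static int sketch_check_nids(const struct sketch_region *regions, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		int nid = regions[i].nid;

		if (nid == SKETCH_NO_NODE || nid >= SKETCH_MAX_NODES)
			return -EINVAL;
	}
	return 0;
}
```

Returning an error early is what lets the caller give up on the firmware-provided layout, which matches the "only build a fake node" behaviour the commit message describes for older kernels.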

10 months


[merged] fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero.patch removed from -mm tree

by Andrew Morton

The quilt patch titled
     Subject: fs/proc/kcore.c: clear ret value in read_kcore_iter after successful iov_iter_zero
has been removed from the -mm tree.  Its filename was
     fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
From: Jiri Olsa <jolsa(a)kernel.org>
Subject: fs/proc/kcore.c: clear ret value in read_kcore_iter after successful iov_iter_zero
Date: Fri, 22 Nov 2024 00:11:18 +0100

If iov_iter_zero succeeds after failed copy_from_kernel_nofault, we need
to reset the ret value to zero otherwise it will be returned as final
return value of read_kcore_iter.

This fixes objdump -d dump over /proc/kcore for me.

Link: https://lkml.kernel.org/r/20241121231118.3212000-1-jolsa@kernel.org
Fixes: 3d5854d75e31 ("fs/proc/kcore.c: allow translation of physical memory addresses")
Signed-off-by: Jiri Olsa <jolsa(a)kernel.org>
Cc: Alexander Gordeev <agordeev(a)linux.ibm.com>
Cc: Christian Brauner <brauner(a)kernel.org>
Cc: <hca(a)linux.ibm.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 fs/proc/kcore.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/proc/kcore.c~fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero
+++ a/fs/proc/kcore.c
@@ -600,6 +600,7 @@ static ssize_t read_kcore_iter(struct ki
 					ret = -EFAULT;
 					goto out;
 				}
+				ret = 0;
 			/*
 			 * We know the bounce buffer is safe to copy from, so
 			 * use _copy_to_iter() directly.
_

Patches currently in -mm which might be from jolsa(a)kernel.org are
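
The kcore fix above is about a stale error code: the copy fails, the zero-fill fallback succeeds, but ret still holds the error from the copy. A stripped-down sketch of that control flow, with a hypothetical sketch_read_step() whose boolean arguments stand in for the outcome of the two kernel calls:

```c
#include <errno.h>
#include <stdbool.h>

/*
 * copy_ok:      did the stand-in for copy_from_kernel_nofault() succeed?
 * zero_fill_ok: did the stand-in for iov_iter_zero() fill the full chunk?
 * reset_ret:    apply the one-line fix (true) or the old behaviour (false)
 */
static int sketch_read_step(bool copy_ok, bool zero_fill_ok, bool reset_ret)
{
	int ret = copy_ok ? 0 : -EFAULT;

	if (ret) {
		if (!zero_fill_ok)
			return -EFAULT;	/* fallback failed too: real error */
		if (reset_ret)
			ret = 0;	/* fallback worked: forget the error */
	}
	return ret;
}
```

Without the reset, a step that was handled successfully by the fallback still reports -EFAULT to the caller, which is what made the read fail.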

10 months


[PATCH v2] ARM: dts: ti/omap: gta04: fix pm issues caused by spi module

by Andreas Kemnade

Despite CM_IDLEST1_CORE and CM_FCLKEN1_CORE behaving normally, disabling SPI
leads to messages like:
Powerdomain (core_pwrdm) didn't enter target state 0
and according to /sys/kernel/debug/pm_debug/count the off state is not entered.
That behaviour was not linked to SPI during the discussion about
disabling SPI. See:
https://lore.kernel.org/linux-omap/20230122100852.32ae082c@aktux/

The reason is that SPI is in slave mode by default. The Linux driver
turns it to master by default. In slave mode, the powerdomain seems to be
kept active if an active chip select input is sensed.

Fix that by explicitly disabling the SPI3 pins, which are muxed by
the bootloader since they are available on an optionally fitted header
which would require dtb overlays anyway.

Fixes: a622310f7f01 ("ARM: dts: gta04: fix excess dma channel usage")
CC: stable(a)vger.kernel.org
Signed-off-by: Andreas Kemnade <andreas(a)kemnade.info>
---
 arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi b/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi
index 3661340009e7a..3940909a5aac7 100644
--- a/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi
+++ b/arch/arm/boot/dts/ti/omap/omap3-gta04.dtsi
@@ -446,6 +446,7 @@ &omap3_pmx_core2 {
 	pinctrl-names = "default";
 	pinctrl-0 = <
 			&hsusb2_2_pins
+			&mcspi3hog_pins
 	>;
 
 	hsusb2_2_pins: hsusb2-2-pins {
@@ -459,6 +460,15 @@ OMAP3630_CORE2_IOPAD(0x25fa, PIN_INPUT_PULLDOWN | MUX_MODE3) /* etk_d15.hsusb2_d
 		>;
 	};
 
+	mcspi3hog_pins: mcspi3hog-pins {
+		pinctrl-single,pins = <
+			OMAP3630_CORE2_IOPAD(0x25dc, PIN_OUTPUT_PULLDOWN | MUX_MODE7)	/* etk_d0 */
+			OMAP3630_CORE2_IOPAD(0x25de, PIN_OUTPUT_PULLDOWN | MUX_MODE7)	/* etk_d1 */
+			OMAP3630_CORE2_IOPAD(0x25e0, PIN_OUTPUT_PULLDOWN | MUX_MODE7)	/* etk_d2 */
+			OMAP3630_CORE2_IOPAD(0x25e2, PIN_OUTPUT_PULLDOWN | MUX_MODE7)	/* etk_d3 */
+		>;
+	};
+
 	spi_gpio_pins: spi-gpio-pinmux-pins {
 		pinctrl-single,pins = <
 			OMAP3630_CORE2_IOPAD(0x25d8, PIN_OUTPUT | MUX_MODE4) /* clk */
-- 
2.39.2

10 months


[PATCH v3] fs/ceph/file: fix buffer overflow in __ceph_sync_read()

by Max Kellermann

If the inode size gets truncated by another task, __ceph_sync_read() may crash with a buffer overflow because it sets `left` to a huge value: else if (off + ret > i_size) left = i_size - off; Imagine `i_size` was truncated to zero; `off + ret > i_size` is always true, but `i_size - off` can be negative; since `left` is unsigned, it turns into a rather huge number, and thus the `while (left > 0)` loop never stops until it eventually crashes because `pages[idx]` overflows the `pages` allocation. We need to ensure that `i_size` never becomes smaller than `off`. I suggest breaking from the loop as soon as this happens, right after the `i_size = i_size_read(inode)` update. This can be reproduced easily by running a program like this on one Ceph client: ioctl(fd, CEPH_IOC_SYNCIO); char buffer[16384]; while (1) pread(fd, buffer, sizeof(buffer), 8192); Then, on another server, truncate and rewrite the file until the first server's kernel crashes (I never needed more than two attempts to trigger the kernel crash): dd if=/dev/urandom of=foo bs=1k count=64 This is how the crash looks like (with KASAN and some debug logs from `__ceph_sync_read` and `ceph_fill_file_size`): ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 16384 i_size 65536 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 16384 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: size 65536 -> 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_seq 36656 -> 36657 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, 
encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: 
[8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 1024 i_size 0 ================================================================== BUG: KASAN: slab-out-of-bounds in __ceph_sync_read+0x173f/0x1b10 Read of size 8 at addr ffff8881d5dfbea0 by task pread/3276 CPU: 3 UID: 2147488069 PID: 3276 Comm: pread Not tainted 6.11.10-cm4all1-hp+ #254 Hardware 
name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 09/05/2019 Call Trace: <TASK> dump_stack_lvl+0x62/0x90 print_report+0xc4/0x5e0 ? __virt_addr_valid+0x1e9/0x3a0 ? __ceph_sync_read+0x173f/0x1b10 kasan_report+0xb9/0xf0 ? __ceph_sync_read+0x173f/0x1b10 __ceph_sync_read+0x173f/0x1b10 ? __pfx___ceph_sync_read+0x10/0x10 ? lock_acquire+0x186/0x4d0 ? ceph_read_iter+0xace/0x19f0 ceph_read_iter+0xace/0x19f0 ? lock_release+0x648/0xb50 ? __pfx_ceph_read_iter+0x10/0x10 ? __rseq_handle_notify_resume+0x8ed/0xd40 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? vfs_read+0x6e0/0xba0 vfs_read+0x6e0/0xba0 ? __pfx_vfs_read+0x10/0x10 ? syscall_exit_to_user_mode+0x9a/0x190 ? syscall_exit_to_user_mode+0x9a/0x190 __x64_sys_pread64+0x19b/0x1f0 ? __pfx___x64_sys_pread64+0x10/0x10 ? __pfx___rseq_handle_notify_resume+0x10/0x10 do_syscall_64+0x82/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? syscall_exit_to_user_mode+0x9a/0x190 ? 
do_syscall_64+0x8e/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f8449d18343 Code: 48 8b 6c 24 48 e8 3d 00 f3 ff 41 b8 02 00 00 00 e9 38 f6 ff ff 66 90 80 3d a1 42 0e 00 00 49 89 ca 74 14 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5d c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 10 RSP: 002b:00007ffd7a2e8b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000011 RAX: ffffffffffffffda RBX: 00007ffd7a2e8cc8 RCX: 00007f8449d18343 RDX: 0000000000004000 RSI: 0000557f7917c2a0 RDI: 0000000000000003 RBP: 00007ffd7a2e8bb0 R08: 0000557f7919d000 R09: 0000000000021001 R10: 0000000000002000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffd7a2e8cf0 R14: 0000557f436c2dd8 R15: 00007f8449e43020 </TASK> Allocated by task 3276: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x8b/0x90 __kmalloc_noprof+0x1bf/0x490 ceph_alloc_page_vector+0x36/0x110 __ceph_sync_read+0x769/0x1b10 ceph_read_iter+0xace/0x19f0 vfs_read+0x6e0/0xba0 __x64_sys_pread64+0x19b/0x1f0 do_syscall_64+0x82/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8881d5dfbe80 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 0 bytes to the right of allocated 32-byte region [ffff8881d5dfbe80, ffff8881d5dfbea0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d5dfb flags: 0x2fffc0000000000(node=0|zone=2|lastcpupid=0x3fff) page_type: 0xfdffffff(slab) raw: 02fffc0000000000 ffff888100042780 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080400040 00000001fdffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d5dfbd80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff8881d5dfbe00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc >ffff8881d5dfbe80: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc ^ ffff8881d5dfbf00: fc fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc ffff8881d5dfbf80: fa fb 
fb fb fc fc fc fc fa fb fb fb fc fc fc fc ================================================================== Disabling lock debugging due to kernel taint Oops: general protection fault, probably for non-canonical address 0xe021fc6b8000019a: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x0110035c00000cd0-0x0110035c00000cd7] CPU: 3 UID: 2147488069 PID: 3276 Comm: pread Tainted: G B 6.11.10-cm4all1-hp+ #254 Tainted: [B]=BAD_PAGE Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 09/05/2019 RIP: 0010:__ceph_sync_read+0xc33/0x1b10 Code: 39 e7 4d 0f 47 fc 48 8d 0c c6 48 89 c8 48 c1 e8 03 42 80 3c 30 00 0f 85 0b 0b 00 00 48 8b 11 48 8d 7a 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 0d 0b 00 00 48 8b 42 08 a8 01 0f 84 ee 04 00 RSP: 0018:ffff8881ed6e78e0 EFLAGS: 00010207 RAX: 0022006b8000019a RBX: 0000000000000000 RCX: ffff8881d5dfbea0 RDX: 0110035c00000ccc RSI: 0000000000000008 RDI: 0110035c00000cd4 RBP: ffff8881ed6e7a80 R08: 0000000000000001 R09: fffffbfff28b44ac R10: ffffffff945a2567 R11: 0000000000000001 R12: ffffffffffffa000 R13: 0000000000000004 R14: dffffc0000000000 R15: 0000000000001000 FS: 00007f8449c1f740(0000) GS:ffff88d2b5a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb72c6aecf0 CR3: 00000001ed7b6003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x113/0x200 ? asm_exc_general_protection+0x22/0x30 ? __ceph_sync_read+0xc33/0x1b10 ? __pfx___ceph_sync_read+0x10/0x10 ? lock_acquire+0x186/0x4d0 ? ceph_read_iter+0xace/0x19f0 ceph_read_iter+0xace/0x19f0 ? lock_release+0x648/0xb50 ? __pfx_ceph_read_iter+0x10/0x10 ? __rseq_handle_notify_resume+0x8ed/0xd40 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? vfs_read+0x6e0/0xba0 vfs_read+0x6e0/0xba0 ? __pfx_vfs_read+0x10/0x10 ? 
syscall_exit_to_user_mode+0x9a/0x190 ? syscall_exit_to_user_mode+0x9a/0x190 __x64_sys_pread64+0x19b/0x1f0 ? __pfx___x64_sys_pread64+0x10/0x10 ? __pfx___rseq_handle_notify_resume+0x10/0x10 do_syscall_64+0x82/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f8449d18343 Code: 48 8b 6c 24 48 e8 3d 00 f3 ff 41 b8 02 00 00 00 e9 38 f6 ff ff 66 90 80 3d a1 42 0e 00 00 49 89 ca 74 14 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5d c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 10 RSP: 002b:00007ffd7a2e8b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000011 RAX: ffffffffffffffda RBX: 00007ffd7a2e8cc8 RCX: 00007f8449d18343 RDX: 0000000000004000 RSI: 0000557f7917c2a0 RDI: 0000000000000003 RBP: 00007ffd7a2e8bb0 R08: 0000557f7919d000 R09: 0000000000021001 R10: 0000000000002000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffd7a2e8cf0 R14: 0000557f436c2dd8 R15: 00007f8449e43020 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__ceph_sync_read+0xc33/0x1b10 Code: 39 e7 4d 0f 47 fc 48 8d 0c c6 48 89 c8 48 c1 e8 03 42 80 3c 30 00 0f 85 0b 0b 00 00 48 8b 11 48 8d 7a 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 0d 0b 00 00 48 8b 42 08 a8 01 0f 84 ee 04 00 RSP: 0018:ffff8881ed6e78e0 EFLAGS: 00010207 RAX: 0022006b8000019a RBX: 0000000000000000 RCX: ffff8881d5dfbea0 RDX: 0110035c00000ccc RSI: 0000000000000008 RDI: 0110035c00000cd4 RBP: ffff8881ed6e7a80 R08: 0000000000000001 R09: fffffbfff28b44ac R10: ffffffff945a2567 R11: 0000000000000001 R12: ffffffffffffa000 R13: 0000000000000004 R14: dffffc0000000000 R15: 0000000000001000 FS: 00007f8449c1f740(0000) GS:ffff88d2b5a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033
CR2: 00007fb72c6aecf0 CR3: 00000001ed7b6003 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
workqueue: ceph_con_workfn hogged CPU for >10000us 35 times, consider switching to WQ_UNBOUND
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: size 0 -> 65536
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0

Fixes: 1065da21e5df ("ceph: stop copying to iter at EOF on sync reads")
Fixes: https://tracker.ceph.com/issues/67524
Cc: stable(a)vger.kernel.org
Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com>
---
v2: public posting; added link to Ceph bug tracker (vulnerability had been known already for 3 months)
v3: memory leak fix
---
 fs/ceph/file.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 4b8d59ebda00..1f0aed6cd9d5 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1154,6 +1154,16 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
 		doutc(cl, "%llu~%llu got %zd i_size %llu%s\n", off, len,
 		      ret, i_size, (more ? " MORE" : ""));
 
+		if (off >= i_size) {
+			/* meanwhile, the file has been truncated by
+			 * another task and the offset is no longer
+			 * valid; stop here
+			 */
+			ceph_release_page_vector(pages, num_pages);
+			ceph_osdc_put_request(req);
+			break;
+		}
+
 		/* Fix it to go to end of extent map */
 		if (sparse && ret >= 0)
 			ret = ceph_sparse_ext_map_end(op);
-- 
2.45.2

10 months


[PATCH v2] fs/ceph/file: fix buffer overflow in __ceph_sync_read()

by Max Kellermann

If the inode size gets truncated by another task, __ceph_sync_read() may crash with a buffer overflow because it sets `left` to a huge value:

    else if (off + ret > i_size)
            left = i_size - off;

Imagine `i_size` was truncated to zero; `off + ret > i_size` is then always true, but `i_size - off` would be negative; since `left` is unsigned, it wraps around to a huge number, and thus the `while (left > 0)` loop never stops until it eventually crashes because `pages[idx]` overflows the `pages` allocation.

We need to ensure that `i_size` never becomes smaller than `off`. I suggest breaking from the loop as soon as this happens, right after the `i_size = i_size_read(inode)` update.

This can be reproduced easily by running a program like this on one Ceph client:

    ioctl(fd, CEPH_IOC_SYNCIO);
    char buffer[16384];
    while (1)
            pread(fd, buffer, sizeof(buffer), 8192);

Then, on another server, truncate and rewrite the file until the first server's kernel crashes (I never needed more than two attempts to trigger the kernel crash):

    dd if=/dev/urandom of=foo bs=1k count=64

This is what the crash looks like (with KASAN and some debug logs from `__ceph_sync_read` and `ceph_fill_file_size`):

ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 16384 i_size 65536
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 16384 retry_op 0
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: size 65536 -> 0
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_seq 36656 -> 36657
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0,
encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: 
[8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 0 i_size 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: result 0 retry_op 0 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: on inode 0000000035059a6f 1000235edb7.fffffffffffffffe 2000~4000 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: orig 8192~16384 reading 8192~16384 ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] __ceph_sync_read: 8192~16384 got 1024 i_size 0 ================================================================== BUG: KASAN: slab-out-of-bounds in __ceph_sync_read+0x173f/0x1b10 Read of size 8 at addr ffff8881d5dfbea0 by task pread/3276 CPU: 3 UID: 2147488069 PID: 3276 Comm: pread Not tainted 6.11.10-cm4all1-hp+ #254 Hardware 
name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 09/05/2019 Call Trace: <TASK> dump_stack_lvl+0x62/0x90 print_report+0xc4/0x5e0 ? __virt_addr_valid+0x1e9/0x3a0 ? __ceph_sync_read+0x173f/0x1b10 kasan_report+0xb9/0xf0 ? __ceph_sync_read+0x173f/0x1b10 __ceph_sync_read+0x173f/0x1b10 ? __pfx___ceph_sync_read+0x10/0x10 ? lock_acquire+0x186/0x4d0 ? ceph_read_iter+0xace/0x19f0 ceph_read_iter+0xace/0x19f0 ? lock_release+0x648/0xb50 ? __pfx_ceph_read_iter+0x10/0x10 ? __rseq_handle_notify_resume+0x8ed/0xd40 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? vfs_read+0x6e0/0xba0 vfs_read+0x6e0/0xba0 ? __pfx_vfs_read+0x10/0x10 ? syscall_exit_to_user_mode+0x9a/0x190 ? syscall_exit_to_user_mode+0x9a/0x190 __x64_sys_pread64+0x19b/0x1f0 ? __pfx___x64_sys_pread64+0x10/0x10 ? __pfx___rseq_handle_notify_resume+0x10/0x10 do_syscall_64+0x82/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? syscall_exit_to_user_mode+0x9a/0x190 ? 
do_syscall_64+0x8e/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f8449d18343 Code: 48 8b 6c 24 48 e8 3d 00 f3 ff 41 b8 02 00 00 00 e9 38 f6 ff ff 66 90 80 3d a1 42 0e 00 00 49 89 ca 74 14 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5d c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 10 RSP: 002b:00007ffd7a2e8b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000011 RAX: ffffffffffffffda RBX: 00007ffd7a2e8cc8 RCX: 00007f8449d18343 RDX: 0000000000004000 RSI: 0000557f7917c2a0 RDI: 0000000000000003 RBP: 00007ffd7a2e8bb0 R08: 0000557f7919d000 R09: 0000000000021001 R10: 0000000000002000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffd7a2e8cf0 R14: 0000557f436c2dd8 R15: 00007f8449e43020 </TASK> Allocated by task 3276: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x8b/0x90 __kmalloc_noprof+0x1bf/0x490 ceph_alloc_page_vector+0x36/0x110 __ceph_sync_read+0x769/0x1b10 ceph_read_iter+0xace/0x19f0 vfs_read+0x6e0/0xba0 __x64_sys_pread64+0x19b/0x1f0 do_syscall_64+0x82/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8881d5dfbe80 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 0 bytes to the right of allocated 32-byte region [ffff8881d5dfbe80, ffff8881d5dfbea0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d5dfb flags: 0x2fffc0000000000(node=0|zone=2|lastcpupid=0x3fff) page_type: 0xfdffffff(slab) raw: 02fffc0000000000 ffff888100042780 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080400040 00000001fdffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d5dfbd80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff8881d5dfbe00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc >ffff8881d5dfbe80: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc ^ ffff8881d5dfbf00: fc fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc ffff8881d5dfbf80: fa fb 
fb fb fc fc fc fc fa fb fb fb fc fc fc fc ================================================================== Disabling lock debugging due to kernel taint Oops: general protection fault, probably for non-canonical address 0xe021fc6b8000019a: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x0110035c00000cd0-0x0110035c00000cd7] CPU: 3 UID: 2147488069 PID: 3276 Comm: pread Tainted: G B 6.11.10-cm4all1-hp+ #254 Tainted: [B]=BAD_PAGE Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 09/05/2019 RIP: 0010:__ceph_sync_read+0xc33/0x1b10 Code: 39 e7 4d 0f 47 fc 48 8d 0c c6 48 89 c8 48 c1 e8 03 42 80 3c 30 00 0f 85 0b 0b 00 00 48 8b 11 48 8d 7a 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 0d 0b 00 00 48 8b 42 08 a8 01 0f 84 ee 04 00 RSP: 0018:ffff8881ed6e78e0 EFLAGS: 00010207 RAX: 0022006b8000019a RBX: 0000000000000000 RCX: ffff8881d5dfbea0 RDX: 0110035c00000ccc RSI: 0000000000000008 RDI: 0110035c00000cd4 RBP: ffff8881ed6e7a80 R08: 0000000000000001 R09: fffffbfff28b44ac R10: ffffffff945a2567 R11: 0000000000000001 R12: ffffffffffffa000 R13: 0000000000000004 R14: dffffc0000000000 R15: 0000000000001000 FS: 00007f8449c1f740(0000) GS:ffff88d2b5a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb72c6aecf0 CR3: 00000001ed7b6003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x113/0x200 ? asm_exc_general_protection+0x22/0x30 ? __ceph_sync_read+0xc33/0x1b10 ? __pfx___ceph_sync_read+0x10/0x10 ? lock_acquire+0x186/0x4d0 ? ceph_read_iter+0xace/0x19f0 ceph_read_iter+0xace/0x19f0 ? lock_release+0x648/0xb50 ? __pfx_ceph_read_iter+0x10/0x10 ? __rseq_handle_notify_resume+0x8ed/0xd40 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? vfs_read+0x6e0/0xba0 vfs_read+0x6e0/0xba0 ? __pfx_vfs_read+0x10/0x10 ? 
syscall_exit_to_user_mode+0x9a/0x190 ? syscall_exit_to_user_mode+0x9a/0x190 __x64_sys_pread64+0x19b/0x1f0 ? __pfx___x64_sys_pread64+0x10/0x10 ? __pfx___rseq_handle_notify_resume+0x10/0x10 do_syscall_64+0x82/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? lockdep_hardirqs_on_prepare+0x275/0x3e0 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 ? do_syscall_64+0x8e/0x130 ? syscall_exit_to_user_mode+0x9a/0x190 ? do_syscall_64+0x8e/0x130 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f8449d18343 Code: 48 8b 6c 24 48 e8 3d 00 f3 ff 41 b8 02 00 00 00 e9 38 f6 ff ff 66 90 80 3d a1 42 0e 00 00 49 89 ca 74 14 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5d c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 10 RSP: 002b:00007ffd7a2e8b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000011 RAX: ffffffffffffffda RBX: 00007ffd7a2e8cc8 RCX: 00007f8449d18343 RDX: 0000000000004000 RSI: 0000557f7917c2a0 RDI: 0000000000000003 RBP: 00007ffd7a2e8bb0 R08: 0000557f7919d000 R09: 0000000000021001 R10: 0000000000002000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffd7a2e8cf0 R14: 0000557f436c2dd8 R15: 00007f8449e43020 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__ceph_sync_read+0xc33/0x1b10 Code: 39 e7 4d 0f 47 fc 48 8d 0c c6 48 89 c8 48 c1 e8 03 42 80 3c 30 00 0f 85 0b 0b 00 00 48 8b 11 48 8d 7a 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 0d 0b 00 00 48 8b 42 08 a8 01 0f 84 ee 04 00 RSP: 0018:ffff8881ed6e78e0 EFLAGS: 00010207 RAX: 0022006b8000019a RBX: 0000000000000000 RCX: ffff8881d5dfbea0 RDX: 0110035c00000ccc RSI: 0000000000000008 RDI: 0110035c00000cd4 RBP: ffff8881ed6e7a80 R08: 0000000000000001 R09: fffffbfff28b44ac R10: ffffffff945a2567 R11: 0000000000000001 R12: ffffffffffffa000 R13: 0000000000000004 R14: dffffc0000000000 R15: 0000000000001000 FS: 00007f8449c1f740(0000) GS:ffff88d2b5a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033
CR2: 00007fb72c6aecf0 CR3: 00000001ed7b6003 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
workqueue: ceph_con_workfn hogged CPU for >10000us 35 times, consider switching to WQ_UNBOUND
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: size 0 -> 65536
ceph: [8f7ec2f3-0dcb-468f-bd16-37e0a61bf195 4098067] ceph_fill_file_size: truncate_size 0 -> 0, encrypted 0

Fixes: 1065da21e5df ("ceph: stop copying to iter at EOF on sync reads")
Fixes: https://tracker.ceph.com/issues/67524
Cc: stable(a)vger.kernel.org
Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com>
---
v2: public posting; added link to Ceph bug tracker (vulnerability had been known already for 3 months)
---
 fs/ceph/file.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 4b8d59ebda00..57d7cdda0f87 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1154,6 +1154,13 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
 		doutc(cl, "%llu~%llu got %zd i_size %llu%s\n", off, len,
 		      ret, i_size, (more ? " MORE" : ""));
 
+		if (off >= i_size)
+			/* meanwhile, the file has been truncated by
+			 * another task and the offset is no longer
+			 * valid; stop here
+			 */
+			break;
+
 		/* Fix it to go to end of extent map */
 		if (sparse && ret >= 0)
 			ret = ceph_sparse_ext_map_end(op);
-- 
2.45.2

10 months


[PATCH 2/4] drm/i915/color: Stop using non-posted DSB writes for legacy LUT

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com>

DSB LUT register writes vs. palette anti-collision logic appear to interact in interesting ways:
- posted DSB writes simply vanish into thin air while anti-collision is active
- non-posted DSB writes actually get blocked by the anti-collision logic, but unfortunately this ends up hogging the bus for long enough that unrelated parallel CPU MMIO accesses start to disappear instead

Even though we are updating the LUT during vblank we aren't immune to the anti-collision logic because it kicks in briefly for pipe prefill (initiated at frame start). The safe time window for performing the LUT update is thus between the undelayed vblank and frame start. Turns out that with low enough CDCLK frequency (DSB execution speed depends on CDCLK) we can exceed that. As we are currently using non-posted writes for the legacy LUT updates, we can hit the far more severe failure mode. The problem is exacerbated by the fact that non-posted writes are much slower than posted writes (~4x it seems).

To mitigate the problem let's switch to using posted DSB writes for legacy LUT updates (which will involve using the double write approach to avoid other problems with DSB vs. legacy LUT writes). Despite writing each register twice this will in fact make the legacy LUT update faster when compared to the non-posted write approach, making the problem less likely to appear. The failure mode is also less severe.

This isn't the 100% solution we need though. That will involve estimating how long the LUT update will take, and pushing frame start and/or delayed vblank forward to guarantee that the update will have finished by the time the pipe prefill starts...
Cc: stable(a)vger.kernel.org
Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates")
Fixes: 25ea3411bd23 ("drm/i915/dsb: Use non-posted register writes for legacy LUT")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12494
Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com>
---
 drivers/gpu/drm/i915/display/intel_color.c | 30 ++++++++++++++--------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/i915/display/intel_color.c b/drivers/gpu/drm/i915/display/intel_color.c
index 6ea3d5c58cb1..7cd902bbd244 100644
--- a/drivers/gpu/drm/i915/display/intel_color.c
+++ b/drivers/gpu/drm/i915/display/intel_color.c
@@ -1368,19 +1368,29 @@ static void ilk_load_lut_8(const struct intel_crtc_state *crtc_state,
 	lut = blob->data;
 
 	/*
-	 * DSB fails to correctly load the legacy LUT
-	 * unless we either write each entry twice,
-	 * or use non-posted writes
+	 * DSB fails to correctly load the legacy LUT unless
+	 * we either write each entry twice when using posted
+	 * writes, or we use non-posted writes.
+	 *
+	 * If palette anti-collision is active during LUT
+	 * register writes:
+	 * - posted writes simply get dropped and thus the LUT
+	 *   contents may not be correctly updated
+	 * - non-posted writes are blocked and thus the LUT
+	 *   contents are always correct, but simultaneous CPU
+	 *   MMIO access will start to fail
+	 *
+	 * Choose the lesser of two evils and use posted writes.
+	 * Using posted writes is also faster, even when having
+	 * to write each register twice.
 	 */
-	if (crtc_state->dsb_color_vblank)
-		intel_dsb_nonpost_start(crtc_state->dsb_color_vblank);
-
-	for (i = 0; i < 256; i++)
+	for (i = 0; i < 256; i++) {
 		ilk_lut_write(crtc_state, LGC_PALETTE(pipe, i),
 			      i9xx_lut_8(&lut[i]));
-
-	if (crtc_state->dsb_color_vblank)
-		intel_dsb_nonpost_end(crtc_state->dsb_color_vblank);
+		if (crtc_state->dsb_color_vblank)
+			ilk_lut_write(crtc_state, LGC_PALETTE(pipe, i),
+				      i9xx_lut_8(&lut[i]));
+	}
 }
 
 static void ilk_load_lut_10(const struct intel_crtc_state *crtc_state,
-- 
2.45.2

10 months


[PATCH 1/4] drm/i915/dsb: Don't use indexed register writes needlessly

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com>

Turns out the DSB indexed register write command has rather significant initial overhead compared to the normal MMIO write command. Based on some quick experiments on TGL you have to write the register at least ~5 times for the indexed write command to come out ahead. If you write the register fewer times than that, the MMIO write is faster.

So it seems my automagic indexed write logic was a bit misguided. Go back to the original approach and only use indexed writes for the cases we know will benefit from it (indexed LUT register updates).

Currently we shouldn't have any cases where this truly matters (just some rare double writes to the precision LUT index registers), but we will need to switch the legacy LUT updates to write each LUT register twice (to avoid some palette anti-collision logic troubles). This would be close to the worst case for using indexed writes (two writes per register, and 256 separate registers). Using the MMIO write command should shave off around 30% of the execution time compared to using the indexed write command.
Cc: stable(a)vger.kernel.org
Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates")
Fixes: 25ea3411bd23 ("drm/i915/dsb: Use non-posted register writes for legacy LUT")
Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com>
---
 drivers/gpu/drm/i915/display/intel_color.c | 51 +++++++++++++---------
 drivers/gpu/drm/i915/display/intel_dsb.c   | 19 ++++++--
 drivers/gpu/drm/i915/display/intel_dsb.h   |  2 +
 3 files changed, 49 insertions(+), 23 deletions(-)

diff --git a/drivers/gpu/drm/i915/display/intel_color.c b/drivers/gpu/drm/i915/display/intel_color.c
index 174753625bca..6ea3d5c58cb1 100644
--- a/drivers/gpu/drm/i915/display/intel_color.c
+++ b/drivers/gpu/drm/i915/display/intel_color.c
@@ -1343,6 +1343,17 @@ static void ilk_lut_write(const struct intel_crtc_state *crtc_state,
 		intel_de_write_fw(display, reg, val);
 }
 
+static void ilk_lut_write_indexed(const struct intel_crtc_state *crtc_state,
+				  i915_reg_t reg, u32 val)
+{
+	struct intel_display *display = to_intel_display(crtc_state);
+
+	if (crtc_state->dsb_color_vblank)
+		intel_dsb_reg_write_indexed(crtc_state->dsb_color_vblank, reg, val);
+	else
+		intel_de_write_fw(display, reg, val);
+}
+
 static void ilk_load_lut_8(const struct intel_crtc_state *crtc_state,
 			   const struct drm_property_blob *blob)
 {
@@ -1458,8 +1469,8 @@ static void bdw_load_lut_10(const struct intel_crtc_state *crtc_state,
 		      prec_index);
 
 	for (i = 0; i < lut_size; i++)
-		ilk_lut_write(crtc_state, PREC_PAL_DATA(pipe),
-			      ilk_lut_10(&lut[i]));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_DATA(pipe),
+				      ilk_lut_10(&lut[i]));
 
 	/*
 	 * Reset the index, otherwise it prevents the legacy palette to be
@@ -1612,16 +1623,16 @@ static void glk_load_degamma_lut(const struct intel_crtc_state *crtc_state,
 		 * ToDo: Extend to max 7.0. Enable 32 bit input value
 		 * as compared to just 16 to achieve this.
 		 */
-		ilk_lut_write(crtc_state, PRE_CSC_GAMC_DATA(pipe),
-			      DISPLAY_VER(display) >= 14 ?
-			      mtl_degamma_lut(&lut[i]) : glk_degamma_lut(&lut[i]));
+		ilk_lut_write_indexed(crtc_state, PRE_CSC_GAMC_DATA(pipe),
+				      DISPLAY_VER(display) >= 14 ?
+				      mtl_degamma_lut(&lut[i]) : glk_degamma_lut(&lut[i]));
 	}
 
 	/* Clamp values > 1.0. */
 	while (i++ < glk_degamma_lut_size(display))
-		ilk_lut_write(crtc_state, PRE_CSC_GAMC_DATA(pipe),
-			      DISPLAY_VER(display) >= 14 ?
-			      1 << 24 : 1 << 16);
+		ilk_lut_write_indexed(crtc_state, PRE_CSC_GAMC_DATA(pipe),
+				      DISPLAY_VER(display) >= 14 ?
+				      1 << 24 : 1 << 16);
 
 	ilk_lut_write(crtc_state, PRE_CSC_GAMC_INDEX(pipe), 0);
 }
@@ -1687,10 +1698,10 @@ icl_program_gamma_superfine_segment(const struct intel_crtc_state *crtc_state)
 	for (i = 0; i < 9; i++) {
 		const struct drm_color_lut *entry = &lut[i];
 
-		ilk_lut_write(crtc_state, PREC_PAL_MULTI_SEG_DATA(pipe),
-			      ilk_lut_12p4_ldw(entry));
-		ilk_lut_write(crtc_state, PREC_PAL_MULTI_SEG_DATA(pipe),
-			      ilk_lut_12p4_udw(entry));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_MULTI_SEG_DATA(pipe),
+				      ilk_lut_12p4_ldw(entry));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_MULTI_SEG_DATA(pipe),
+				      ilk_lut_12p4_udw(entry));
 	}
 
 	ilk_lut_write(crtc_state, PREC_PAL_MULTI_SEG_INDEX(pipe),
@@ -1726,10 +1737,10 @@ icl_program_gamma_multi_segment(const struct intel_crtc_state *crtc_state)
 	for (i = 1; i < 257; i++) {
 		entry = &lut[i * 8];
 
-		ilk_lut_write(crtc_state, PREC_PAL_DATA(pipe),
-			      ilk_lut_12p4_ldw(entry));
-		ilk_lut_write(crtc_state, PREC_PAL_DATA(pipe),
-			      ilk_lut_12p4_udw(entry));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_DATA(pipe),
+				      ilk_lut_12p4_ldw(entry));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_DATA(pipe),
+				      ilk_lut_12p4_udw(entry));
 	}
 
 	/*
@@ -1747,10 +1758,10 @@ icl_program_gamma_multi_segment(const struct intel_crtc_state *crtc_state)
 	for (i = 0; i < 256; i++) {
 		entry = &lut[i * 8 * 128];
 
-		ilk_lut_write(crtc_state, PREC_PAL_DATA(pipe),
-			      ilk_lut_12p4_ldw(entry));
-		ilk_lut_write(crtc_state, PREC_PAL_DATA(pipe),
-			      ilk_lut_12p4_udw(entry));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_DATA(pipe),
+				      ilk_lut_12p4_ldw(entry));
+		ilk_lut_write_indexed(crtc_state, PREC_PAL_DATA(pipe),
+				      ilk_lut_12p4_udw(entry));
 	}
 
 	ilk_lut_write(crtc_state, PREC_PAL_INDEX(pipe),
diff --git a/drivers/gpu/drm/i915/display/intel_dsb.c b/drivers/gpu/drm/i915/display/intel_dsb.c
index b7b44399adaa..4d3785f5cb52 100644
--- a/drivers/gpu/drm/i915/display/intel_dsb.c
+++ b/drivers/gpu/drm/i915/display/intel_dsb.c
@@ -273,16 +273,20 @@ static bool intel_dsb_prev_ins_is_indexed_write(struct intel_dsb *dsb, i915_reg_
 }
 
 /**
- * intel_dsb_reg_write() - Emit register wriite to the DSB context
+ * intel_dsb_reg_write_indexed() - Emit register wriite to the DSB context
  * @dsb: DSB context
  * @reg: register address.
  * @val: value.
  *
  * This function is used for writing register-value pair in command
  * buffer of DSB.
+ *
+ * Note that indexed writes are slower than normal MMIO writes
+ * for a small number (less than 5 or so) of writes to the same
+ * register.
  */
-void intel_dsb_reg_write(struct intel_dsb *dsb,
-			 i915_reg_t reg, u32 val)
+void intel_dsb_reg_write_indexed(struct intel_dsb *dsb,
+				 i915_reg_t reg, u32 val)
 {
 	/*
 	 * For example the buffer will look like below for 3 dwords for auto
@@ -340,6 +344,15 @@ void intel_dsb_reg_write(struct intel_dsb *dsb,
 	}
 }
 
+void intel_dsb_reg_write(struct intel_dsb *dsb,
+			 i915_reg_t reg, u32 val)
+{
+	intel_dsb_emit(dsb, val,
+		       (DSB_OPCODE_MMIO_WRITE << DSB_OPCODE_SHIFT) |
+		       (DSB_BYTE_EN << DSB_BYTE_EN_SHIFT) |
+		       i915_mmio_reg_offset(reg));
+}
+
 static u32 intel_dsb_mask_to_byte_en(u32 mask)
 {
 	return (!!(mask & 0xff000000) << 3 |
diff --git a/drivers/gpu/drm/i915/display/intel_dsb.h b/drivers/gpu/drm/i915/display/intel_dsb.h
index 33e0fc2ab380..da6df07a3c83 100644
--- a/drivers/gpu/drm/i915/display/intel_dsb.h
+++ b/drivers/gpu/drm/i915/display/intel_dsb.h
@@ -34,6 +34,8 @@ void intel_dsb_finish(struct intel_dsb *dsb);
 void intel_dsb_cleanup(struct intel_dsb *dsb);
 void intel_dsb_reg_write(struct intel_dsb *dsb,
 			 i915_reg_t reg, u32 val);
+void intel_dsb_reg_write_indexed(struct intel_dsb *dsb,
+				 i915_reg_t reg, u32 val);
 void intel_dsb_reg_write_masked(struct intel_dsb *dsb,
 				i915_reg_t reg, u32 mask, u32 val);
 void intel_dsb_noop(struct intel_dsb *dsb, int count);
-- 
2.45.2
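
The rule of thumb in the commit message (indexed writes only come out ahead after roughly five writes to the same register) can be written down as a small stand-alone C sketch. This is not driver code: the helper name and the constant are hypothetical, and the threshold is the approximate TGL figure quoted above, not a hardware constant.

```c
#include <stdbool.h>

/*
 * Approximate break-even point quoted in the commit message
 * ("at least ~5 times" on TGL). Assumption: treated here as a
 * fixed threshold purely for illustration.
 */
#define INDEXED_WRITE_BREAK_EVEN 5

/* Hypothetical helper: true if an indexed write is likely to pay off. */
bool indexed_write_pays_off(unsigned int writes_to_same_reg)
{
	return writes_to_same_reg >= INDEXED_WRITE_BREAK_EVEN;
}
```

Under this rule, the legacy LUT case from the message (two writes per register) stays on plain MMIO writes, while a data register written 18 times in a row, as in the superfine segment loop, would qualify for the indexed command. The patch itself makes this choice explicitly per call site rather than through a runtime check.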

10 months


[PATCH 3/9] serial: sh-sci: Clean sci_ports[0] after at earlycon exit

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com>

The early_console_setup() function initializes sci_ports[0].port with an object of type struct uart_port obtained from the object of type struct earlycon_device received as an argument by early_console_setup().

It may happen that later, when the rest of the serial ports are probed, the serial port that was used as earlycon (e.g., port A) is mapped to a different position in sci_ports[] and slot 0 is used by a different serial port (e.g., port B), as follows:

sci_ports[0] = port A
sci_ports[X] = port B

In this case, the new port mapped at index zero will have associated data that was used for earlycon.

If this happens, after Linux boot, any access to the serial port that maps on sci_ports[0] (port A) will block the serial port that was used as earlycon (port B).

To fix this, add early_console_exit(), which cleans sci_ports[0] at earlycon exit time.

Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Cc: stable(a)vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com>
---
 drivers/tty/serial/sh-sci.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 8e2d534401fa..2f8188bdb251 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -3546,6 +3546,32 @@ sh_early_platform_init_buffer("earlyprintk", &sci_driver,
 #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
 static struct plat_sci_port port_cfg __initdata;
 
+static int early_console_exit(struct console *co)
+{
+	struct sci_port *sci_port = &sci_ports[0];
+	struct uart_port *port = &sci_port->port;
+	unsigned long flags;
+	int locked = 1;
+
+	if (port->sysrq)
+		locked = 0;
+	else if (oops_in_progress)
+		locked = uart_port_trylock_irqsave(port, &flags);
+	else
+		uart_port_lock_irqsave(port, &flags);
+
+	/*
+	 * Clean the slot used by earlycon. A new SCI device might
+	 * map to this slot.
+	 */
+	memset(sci_ports, 0, sizeof(*sci_port));
+
+	if (locked)
+		uart_port_unlock_irqrestore(port, flags);
+
+	return 0;
+}
+
 static int __init early_console_setup(struct earlycon_device *device,
 				      int type)
 {
@@ -3562,6 +3588,8 @@ static int __init early_console_setup(struct earlycon_device *device,
 		       SCSCR_RE | SCSCR_TE | port_cfg.scscr);
 
 	device->con->write = serial_console_write;
+	device->con->exit = early_console_exit;
+
 	return 0;
 }
 static int __init sci_early_console_setup(struct earlycon_device *device,
-- 
2.39.2
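
The stale-slot problem described in the commit message can be modelled in user space. The sketch below is a simplified illustration, not the sh-sci driver: struct port_slot, the slots[] table and all function names are hypothetical stand-ins, and locking is left out entirely.

```c
#include <string.h>

#define NR_SLOTS 4	/* hypothetical table size */

/* Hypothetical stand-in for a driver's per-port state. */
struct port_slot {
	unsigned long mapbase;	/* register base address; 0 means "unset" */
	int early;		/* non-zero while the slot serves the early console */
};

static struct port_slot slots[NR_SLOTS];

/* Early console setup always borrows slot 0. */
void early_setup(unsigned long mapbase)
{
	slots[0].mapbase = mapbase;
	slots[0].early = 1;
}

/* Exit hook: wipe slot 0 so a later probe starts from a clean state. */
void early_exit(void)
{
	memset(&slots[0], 0, sizeof(slots[0]));
}

/* Returns 1 if the slot still carries leftover early-console state. */
int slot_is_stale(int idx)
{
	return slots[idx].early != 0;
}
```

Calling early_setup() and then probing another device into slot 0 without early_exit() leaves slot_is_stale(0) true, which is the situation the patch is meant to prevent by registering an exit callback.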

10 months


[PATCH 6.1 1/1] scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths

by Xiangyu Chen

From: Justin Tee <justin.tee(a)broadcom.com>

[ Upstream commit 2be1d4f11944cd6283cb97268b3e17c4424945ca ]

When the HBA is undergoing a reset or is handling an errata event, NULL ptr dereference crashes may occur in routines such as lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or lpfc_abort_handler().

Add NULL ptr checks before dereferencing hdwq pointers that may have been freed due to operations colliding with a reset or errata event handler.

Signed-off-by: Justin Tee <justin.tee(a)broadcom.com>
Link: https://lore.kernel.org/r/20240726231512.92867-4-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
[Xiangyu: BP to fix CVE: CVE-2024-49891, no test_bit() conflict resolution]
Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com>
---
 drivers/scsi/lpfc/lpfc_hbadisc.c |  3 ++-
 drivers/scsi/lpfc/lpfc_scsi.c    | 13 +++++++++++--
 drivers/scsi/lpfc/lpfc_sli.c     | 11 +++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index aaa98a006fdc..d3a5f10b8b83 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -177,7 +177,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport)
 	/* Don't schedule a worker thread event if the vport is going down.
 	 * The teardown process cleans up the node via lpfc_drop_node.
 	 */
-	if (vport->load_flag & FC_UNLOADING) {
+	if ((vport->load_flag & FC_UNLOADING) ||
+	    !(phba->hba_flag & HBA_SETUP)) {
 		((struct lpfc_rport_data *)rport->dd_data)->pnode = NULL;
 		ndlp->rport = NULL;
 
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 2a81a42de5c1..ed32aa01c711 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -5554,11 +5554,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmnd)
 
 	iocb = &lpfc_cmd->cur_iocbq;
 	if (phba->sli_rev == LPFC_SLI_REV4) {
-		pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
-		if (!pring_s4) {
+		/* if the io_wq & pring are gone, the port was reset. */
+		if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
+		    !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
+			lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
+					 "2877 SCSI Layer I/O Abort Request "
+					 "IO CMPL Status x%x ID %d LUN %llu "
+					 "HBA_SETUP %d\n", FAILED,
+					 cmnd->device->id,
+					 (u64)cmnd->device->lun,
+					 (HBA_SETUP & phba->hba_flag));
 			ret = FAILED;
 			goto out_unlock_hba;
 		}
+		pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
 		spin_lock(&pring_s4->ring_lock);
 	}
 	/* the command is in process of being cancelled */
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 587e3c2f7c48..1e04b6fc127a 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -4668,6 +4668,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba *phba)
 	/* Look on all the FCP Rings for the iotag */
 	if (phba->sli_rev >= LPFC_SLI_REV4) {
 		for (i = 0; i < phba->cfg_hdw_queue; i++) {
+			if (!phba->sli4_hba.hdwq ||
+			    !phba->sli4_hba.hdwq[i].io_wq) {
+				lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+						"7777 hdwq's deleted %lx "
+						"%lx %x %x\n",
+						(unsigned long)phba->pport->load_flag,
+						(unsigned long)phba->hba_flag,
+						phba->link_state,
+						phba->sli.sli_flag);
+				return;
+			}
 			pring = phba->sli4_hba.hdwq[i].io_wq->pring;
 
 			spin_lock_irq(&pring->ring_lock);
-- 
2.25.1
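
The checks added by this patch follow a common pattern: validate each link of a pointer chain before dereferencing the next one. A minimal user-space sketch of that pattern follows. The struct and function names are hypothetical stand-ins and are not the lpfc data structures, and the sketch deliberately ignores the locking a real driver would need to keep a pointer valid between the check and its use.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the ring, work queue, and hardware queue. */
struct ring { int lock_taken; };
struct work_queue { struct ring *pring; };
struct hw_queue { struct work_queue *io_wq; };

/*
 * Return the ring for queue idx, or NULL if any link in the chain has
 * been torn down. Each pointer is checked before it is dereferenced.
 */
struct ring *get_ring(struct hw_queue *hdwq, size_t nr_queues, size_t idx)
{
	if (!hdwq || idx >= nr_queues)
		return NULL;
	if (!hdwq[idx].io_wq)
		return NULL;
	return hdwq[idx].io_wq->pring;	/* may itself be NULL */
}
```

A caller treats a NULL result as "the queue is gone" and bails out, much as the patched lpfc_abort_handler() returns FAILED instead of taking the ring lock.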

10 months


[PATCH 6.6] dm: fix a crash if blk_alloc_disk fails

by Bin Lan

From: Mikulas Patocka <mpatocka(a)redhat.com>

[ Upstream commit fed13a5478680614ba97fc87e71f16e2e197912e ]

If blk_alloc_disk fails, the variable md->disk is set to an error value. cleanup_mapped_device will see that md->disk is non-NULL and it will attempt to access it, causing a crash on this statement "md->disk->private_data = NULL;".

Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com>
Reported-by: Chenyuan Yang <chenyuan0y(a)gmail.com>
Closes: https://marc.info/?l=dm-devel&m=172824125004329&w=2
Cc: stable(a)vger.kernel.org
Reviewed-by: Nitesh Shetty <nj.shetty(a)samsung.com>
Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com>
---
 drivers/md/dm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 5dd0a42463a2..f45427291ea6 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2077,8 +2077,10 @@ static struct mapped_device *alloc_dev(int minor)
 	 * override accordingly.
 	 */
 	md->disk = blk_alloc_disk(md->numa_node_id);
-	if (!md->disk)
+	if (!md->disk){
+		md->disk = NULL;
 		goto bad;
+	}
 	md->queue = md->disk->queue;
 
 	init_waitqueue_head(&md->wait);
-- 
2.34.1
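
The failure mode in the commit message (an error value stored in a pointer passes a later non-NULL test) can be reproduced in user space. The sketch below imitates the kernel's ERR_PTR()/IS_ERR() convention with local helpers. Everything in it is an assumption made for illustration: err_ptr(), is_err(), alloc_disk_or_err() and the two structs are hypothetical and are not the device-mapper code.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ERRNO 4095

/* Userspace imitations of the kernel's ERR_PTR()/IS_ERR() helpers. */
static inline void *err_ptr(long error)
{
	return (void *)(intptr_t)error;
}

static inline int is_err(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct disk { void *private_data; };
struct mapped_dev { struct disk *disk; };

/* Hypothetical allocator that reports failure as an encoded errno. */
struct disk *alloc_disk_or_err(int fail)
{
	static struct disk d;

	return fail ? err_ptr(-12 /* ENOMEM */) : &d;
}

/* Store the disk, normalising an error pointer to NULL for later cleanup. */
int attach_disk(struct mapped_dev *md, int fail)
{
	md->disk = alloc_disk_or_err(fail);
	if (is_err(md->disk)) {
		md->disk = NULL;
		return -1;
	}
	return 0;
}

/* Cleanup only tests for NULL, as described in the commit message. */
void cleanup(struct mapped_dev *md)
{
	if (md->disk)
		md->disk->private_data = NULL;
}
```

Without the reset to NULL in attach_disk(), cleanup() would see a non-NULL md->disk on the failure path and write through an invalid address, which is the crash the commit message describes.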

10 months
