- Linux-stable-mirror - lists.linaro.org

+ signal-restore-the-override_rlimit-logic.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: signal: restore the override_rlimit logic has been added to the -mm mm-hotfixes-unstable branch. Its filename is signal-restore-the-override_rlimit-logic.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Roman Gushchin <roman.gushchin(a)linux.dev> Subject: signal: restore the override_rlimit logic Date: Thu, 31 Oct 2024 20:04:38 +0000 Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of signals. However now it's enforced unconditionally, even if override_rlimit is set. This behavior change caused production issues. For example, if the limit is reached and a process receives a SIGSEGV signal, sigqueue_alloc fails to allocate the necessary resources for the signal delivery, preventing the signal from being delivered with siginfo. This prevents the process from correctly identifying the fault address and handling the error. From the user-space perspective, applications are unaware that the limit has been reached and that the siginfo is effectively 'corrupted'. This can lead to unpredictable behavior and crashes, as we observed with java applications. Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip the comparison to max there if override_rlimit is set. This effectively restores the old behavior. Link: https://lkml.kernel.org/r/20241031200438.2951287-1-roman.gushchin@linux.dev Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Co-developed-by: Andrei Vagin <avagin(a)google.com> Signed-off-by: Andrei Vagin <avagin(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: "Eric W. Biederman" <ebiederm(a)xmission.com> Cc: Alexey Gladkov <legion(a)kernel.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/user_namespace.h | 3 ++- kernel/signal.c | 3 ++- kernel/ucount.c | 5 +++-- 3 files changed, 7 insertions(+), 4 deletions(-) --- a/include/linux/user_namespace.h~signal-restore-the-override_rlimit-logic +++ a/include/linux/user_namespace.h @@ -141,7 +141,8 @@ static inline long get_rlimit_value(stru long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); -long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type); +long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, + bool override_rlimit); void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type); bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max); --- a/kernel/signal.c~signal-restore-the-override_rlimit-logic +++ a/kernel/signal.c @@ -419,7 +419,8 @@ __sigqueue_alloc(int sig, struct task_st */ rcu_read_lock(); ucounts = task_ucounts(t); - sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING); + sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, + override_rlimit); rcu_read_unlock(); if (!sigpending) return NULL; --- a/kernel/ucount.c~signal-restore-the-override_rlimit-logic +++ a/kernel/ucount.c @@ -307,7 +307,8 @@ void dec_rlimit_put_ucounts(struct ucoun do_dec_rlimit_put_ucounts(ucounts, NULL, type); } -long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type) +long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, + bool override_rlimit) { /* Caller must hold a reference to ucounts */ struct ucounts *iter; @@ -316,7 +317,7 @@ long inc_rlimit_get_ucounts(struct ucoun for (iter = ucounts; iter; iter = iter->ns->ucounts) { long new = atomic_long_add_return(1, &iter->rlimit[type]); - if (new < 0 || new > max) + if (new < 0 || (!override_rlimit && (new > max))) goto unwind; if (iter == ucounts) ret = new; _ Patches currently in -mm which might be from roman.gushchin(a)linux.dev are signal-restore-the-override_rlimit-logic.patch

10 months, 3 weeks

1
0
0 0

[PATCH v7 bpf-next 01/10] lib/buildid: harden build ID parsing logic

by Andrii Nakryiko

Harden build ID parsing logic, adding explicit READ_ONCE() where it's important to have a consistent value read and validated just once. Also, as pointed out by Andi Kleen, we need to make sure that entire ELF note is within a page bounds, so move the overflow check up and add an extra note_size boundaries validation. Fixes tag below points to the code that moved this code into lib/buildid.c, and then subsequently was used in perf subsystem, making this code exposed to perf_event_open() users in v5.12+. Cc: stable(a)vger.kernel.org Reviewed-by: Eduard Zingerman <eddyz87(a)gmail.com> Reviewed-by: Jann Horn <jannh(a)google.com> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Fixes: bd7525dacd7e ("bpf: Move stack_map_get_build_id into lib") Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> --- lib/buildid.c | 76 +++++++++++++++++++++++++++++---------------------- 1 file changed, 44 insertions(+), 32 deletions(-) diff --git a/lib/buildid.c b/lib/buildid.c index e02b5507418b..26007cc99a38 100644 --- a/lib/buildid.c +++ b/lib/buildid.c @@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id, const void *note_start, Elf32_Word note_size) { - Elf32_Word note_offs = 0, new_offs; - - while (note_offs + sizeof(Elf32_Nhdr) < note_size) { - Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs); + const char note_name[] = "GNU"; + const size_t note_name_sz = sizeof(note_name); + u64 note_off = 0, new_off, name_sz, desc_sz; + const char *data; + + while (note_off + sizeof(Elf32_Nhdr) < note_size && + note_off + sizeof(Elf32_Nhdr) > note_off /* overflow */) { + Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_off); + + name_sz = READ_ONCE(nhdr->n_namesz); + desc_sz = READ_ONCE(nhdr->n_descsz); + + new_off = note_off + sizeof(Elf32_Nhdr); + if (check_add_overflow(new_off, ALIGN(name_sz, 4), &new_off) || + check_add_overflow(new_off, ALIGN(desc_sz, 4), &new_off) || + new_off > note_size) + break; if (nhdr->n_type == BUILD_ID && - nhdr->n_namesz == sizeof("GNU") && - !strcmp((char *)(nhdr + 1), "GNU") && - nhdr->n_descsz > 0 && - nhdr->n_descsz <= BUILD_ID_SIZE_MAX) { - memcpy(build_id, - note_start + note_offs + - ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr), - nhdr->n_descsz); - memset(build_id + nhdr->n_descsz, 0, - BUILD_ID_SIZE_MAX - nhdr->n_descsz); + name_sz == note_name_sz && + memcmp(nhdr + 1, note_name, note_name_sz) == 0 && + desc_sz > 0 && desc_sz <= BUILD_ID_SIZE_MAX) { + data = note_start + note_off + ALIGN(note_name_sz, 4); + memcpy(build_id, data, desc_sz); + memset(build_id + desc_sz, 0, BUILD_ID_SIZE_MAX - desc_sz); if (size) - *size = nhdr->n_descsz; + *size = desc_sz; return 0; } - new_offs = note_offs + sizeof(Elf32_Nhdr) + - ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4); - if (new_offs <= note_offs) /* overflow */ - break; - note_offs = new_offs; + + note_off = new_off; } return -EINVAL; @@ -71,7 +77,7 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, { Elf32_Ehdr *ehdr = (Elf32_Ehdr *)page_addr; Elf32_Phdr *phdr; - int i; + __u32 i, phnum; /* * FIXME @@ -80,18 +86,19 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, */ if (ehdr->e_phoff != sizeof(Elf32_Ehdr)) return -EINVAL; + + phnum = READ_ONCE(ehdr->e_phnum); /* only supports phdr that fits in one page */ - if (ehdr->e_phnum > - (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) + if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) return -EINVAL; phdr = (Elf32_Phdr *)(page_addr + sizeof(Elf32_Ehdr)); - for (i = 0; i < ehdr->e_phnum; ++i) { + for (i = 0; i < phnum; ++i) { if (phdr[i].p_type == PT_NOTE && !parse_build_id(page_addr, build_id, size, - page_addr + phdr[i].p_offset, - phdr[i].p_filesz)) + page_addr + READ_ONCE(phdr[i].p_offset), + READ_ONCE(phdr[i].p_filesz))) return 0; } return -EINVAL; @@ -103,7 +110,7 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id, { Elf64_Ehdr *ehdr = (Elf64_Ehdr *)page_addr; Elf64_Phdr *phdr; - int i; + __u32 i, phnum; /* * FIXME @@ -112,18 +119,19 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id, */ if (ehdr->e_phoff != sizeof(Elf64_Ehdr)) return -EINVAL; + + phnum = READ_ONCE(ehdr->e_phnum); /* only supports phdr that fits in one page */ - if (ehdr->e_phnum > - (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) + if (phnum > (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) return -EINVAL; phdr = (Elf64_Phdr *)(page_addr + sizeof(Elf64_Ehdr)); - for (i = 0; i < ehdr->e_phnum; ++i) { + for (i = 0; i < phnum; ++i) { if (phdr[i].p_type == PT_NOTE && !parse_build_id(page_addr, build_id, size, - page_addr + phdr[i].p_offset, - phdr[i].p_filesz)) + page_addr + READ_ONCE(phdr[i].p_offset), + READ_ONCE(phdr[i].p_filesz))) return 0; } return -EINVAL; @@ -152,6 +160,10 @@ int build_id_parse(struct vm_area_struct *vma, unsigned char *build_id, page = find_get_page(vma->vm_file->f_mapping, 0); if (!page) return -EFAULT; /* page not mapped */ + if (!PageUptodate(page)) { + put_page(page); + return -EFAULT; + } ret = -EINVAL; page_addr = kmap_local_page(page); -- 2.43.5

10 months, 3 weeks

3
2
0 0

Re: [PATCH 6.6 000/213] 6.6.57-rc1 review

by Ivan Fay

Sent from my iPhone

10 months, 3 weeks

1
0
0 0

[PATCH 2/2] drm/xe: improve hibernation on igpu

by Matthew Auld

The GGTT looks to be stored inside stolen memory on igpu which is not treated as normal RAM. The core kernel skips this memory range when creating the hibernation image, therefore when coming back from hibernation the GGTT programming is lost. This seems to cause issues with broken resume where GuC FW fails to load: [drm] *ERROR* GT0: load failed: status = 0x400000A0, time = 10ms, freq = 1250MHz (req 1300MHz), done = -1 [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01 [drm] *ERROR* GT0: firmware signature verification failed [drm] *ERROR* CRITICAL: Xe has declared device 0000:00:02.0 as wedged. Current GGTT users are kernel internal and tracked as pinned, so it should be possible to hook into the existing save/restore logic that we use for dgpu, where the actual evict is skipped but on restore we importantly restore the GGTT programming. This has been confirmed to fix hibernation on at least ADL and MTL, though likely all igpu platforms are affected. This also means we have a hole in our testing, where the existing s4 tests only really test the driver hooks, and don't go as far as actually rebooting and restoring from the hibernation image and in turn powering down RAM (and therefore losing the contents of stolen). Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3275 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_bo.c | 36 ++++++++++++++------------------ drivers/gpu/drm/xe/xe_bo_evict.c | 6 ------ 2 files changed, 16 insertions(+), 26 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index d79d8ef5c7d5..0ae5c8f7bab8 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -950,7 +950,10 @@ int xe_bo_restore_pinned(struct xe_bo *bo) if (WARN_ON(!xe_bo_is_pinned(bo))) return -EINVAL; - if (WARN_ON(xe_bo_is_vram(bo) || !bo->ttm.ttm)) + if (WARN_ON(xe_bo_is_vram(bo))) + return -EINVAL; + + if (WARN_ON(!bo->ttm.ttm && !xe_bo_is_stolen(bo))) return -EINVAL; if (!mem_type_is_vram(place->mem_type)) @@ -1770,6 +1773,7 @@ int xe_bo_pin_external(struct xe_bo *bo) int xe_bo_pin(struct xe_bo *bo) { + struct ttm_place *place = &(bo->placements[0]); struct xe_device *xe = xe_bo_device(bo); int err; @@ -1800,7 +1804,6 @@ int xe_bo_pin(struct xe_bo *bo) */ if (IS_DGFX(xe) && !(IS_ENABLED(CONFIG_DRM_XE_DEBUG) && bo->flags & XE_BO_FLAG_INTERNAL_TEST)) { - struct ttm_place *place = &(bo->placements[0]); if (mem_type_is_vram(place->mem_type)) { xe_assert(xe, place->flags & TTM_PL_FLAG_CONTIGUOUS); @@ -1809,13 +1812,12 @@ int xe_bo_pin(struct xe_bo *bo) vram_region_gpu_offset(bo->ttm.resource)) >> PAGE_SHIFT; place->lpfn = place->fpfn + (bo->size >> PAGE_SHIFT); } + } - if (mem_type_is_vram(place->mem_type) || - bo->flags & XE_BO_FLAG_GGTT) { - spin_lock(&xe->pinned.lock); - list_add_tail(&bo->pinned_link, &xe->pinned.kernel_bo_present); - spin_unlock(&xe->pinned.lock); - } + if (mem_type_is_vram(place->mem_type) || bo->flags & XE_BO_FLAG_GGTT) { + spin_lock(&xe->pinned.lock); + list_add_tail(&bo->pinned_link, &xe->pinned.kernel_bo_present); + spin_unlock(&xe->pinned.lock); } ttm_bo_pin(&bo->ttm); @@ -1863,24 +1865,18 @@ void xe_bo_unpin_external(struct xe_bo *bo) void xe_bo_unpin(struct xe_bo *bo) { + struct ttm_place *place = &(bo->placements[0]); struct xe_device *xe = xe_bo_device(bo); xe_assert(xe, !bo->ttm.base.import_attach); xe_assert(xe, xe_bo_is_pinned(bo)); - if (IS_DGFX(xe) && !(IS_ENABLED(CONFIG_DRM_XE_DEBUG) && - bo->flags & XE_BO_FLAG_INTERNAL_TEST)) { - struct ttm_place *place = &(bo->placements[0]); - - if (mem_type_is_vram(place->mem_type) || - bo->flags & XE_BO_FLAG_GGTT) { - spin_lock(&xe->pinned.lock); - xe_assert(xe, !list_empty(&bo->pinned_link)); - list_del_init(&bo->pinned_link); - spin_unlock(&xe->pinned.lock); - } + if (mem_type_is_vram(place->mem_type) || bo->flags & XE_BO_FLAG_GGTT) { + spin_lock(&xe->pinned.lock); + xe_assert(xe, !list_empty(&bo->pinned_link)); + list_del_init(&bo->pinned_link); + spin_unlock(&xe->pinned.lock); } - ttm_bo_unpin(&bo->ttm); } diff --git a/drivers/gpu/drm/xe/xe_bo_evict.c b/drivers/gpu/drm/xe/xe_bo_evict.c index 32043e1e5a86..b01bc20eb90b 100644 --- a/drivers/gpu/drm/xe/xe_bo_evict.c +++ b/drivers/gpu/drm/xe/xe_bo_evict.c @@ -34,9 +34,6 @@ int xe_bo_evict_all(struct xe_device *xe) u8 id; int ret; - if (!IS_DGFX(xe)) - return 0; - /* User memory */ for (mem_type = XE_PL_VRAM0; mem_type <= XE_PL_VRAM1; ++mem_type) { struct ttm_resource_manager *man = @@ -125,9 +122,6 @@ int xe_bo_restore_kernel(struct xe_device *xe) struct xe_bo *bo; int ret; - if (!IS_DGFX(xe)) - return 0; - spin_lock(&xe->pinned.lock); for (;;) { bo = list_first_entry_or_null(&xe->pinned.evicted, -- 2.47.0

10 months, 3 weeks

2
1
0 0

Re: Patch "lib: alloc_tag_module_unload must wait for pending kfree_rcu calls" has been added to the 6.11-stable tree

by Suren Baghdasaryan

On Fri, Nov 1, 2024 at 6:58 AM Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > lib: alloc_tag_module_unload must wait for pending kfree_rcu calls > > to the 6.11-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > lib-alloc_tag_module_unload-must-wait-for-pending-kf.patch > and it can be found in the queue-6.11 subdirectory. Thanks Sasha! Could you please double-check that the prerequisite patch https://lore.kernel.org/all/20241021171003.2907935-1-surenb@google.com/ was also picked up? I don't see it in the queue-6.11 directory. Without that patch this one will cause build errors, that's why I sent them as a patchset. Thanks, Suren. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 536dfe685ebd28b27ebfbc3d4b9168207b7e28a3 > Author: Florian Westphal <fw(a)strlen.de> > Date: Mon Oct 7 22:52:24 2024 +0200 > > lib: alloc_tag_module_unload must wait for pending kfree_rcu calls > > [ Upstream commit dc783ba4b9df3fb3e76e968b2cbeb9960069263c ] > > Ben Greear reports following splat: > ------------[ cut here ]------------ > net/netfilter/nf_nat_core.c:1114 module nf_nat func:nf_nat_register_fn has 256 allocated at module unload > WARNING: CPU: 1 PID: 10421 at lib/alloc_tag.c:168 alloc_tag_module_unload+0x22b/0x3f0 > Modules linked in: nf_nat(-) btrfs ufs qnx4 hfsplus hfs minix vfat msdos fat > ... > Hardware name: Default string Default string/SKYBAY, BIOS 5.12 08/04/2020 > RIP: 0010:alloc_tag_module_unload+0x22b/0x3f0 > codetag_unload_module+0x19b/0x2a0 > ? codetag_load_module+0x80/0x80 > > nf_nat module exit calls kfree_rcu on those addresses, but the free > operation is likely still pending by the time alloc_tag checks for leaks. > > Wait for outstanding kfree_rcu operations to complete before checking > resolves this warning. > > Reproducer: > unshare -n iptables-nft -t nat -A PREROUTING -p tcp > grep nf_nat /proc/allocinfo # will list 4 allocations > rmmod nft_chain_nat > rmmod nf_nat # will WARN. > > [akpm(a)linux-foundation.org: add comment] > Link: https://lkml.kernel.org/r/20241007205236.11847-1-fw@strlen.de > Fixes: a473573964e5 ("lib: code tagging module support") > Signed-off-by: Florian Westphal <fw(a)strlen.de> > Reported-by: Ben Greear <greearb(a)candelatech.com> > Closes: https://lore.kernel.org/netdev/bdaaef9d-4364-4171-b82b-bcfc12e207eb@candela… > Cc: Uladzislau Rezki <urezki(a)gmail.com> > Cc: Vlastimil Babka <vbabka(a)suse.cz> > Cc: Suren Baghdasaryan <surenb(a)google.com> > Cc: Kent Overstreet <kent.overstreet(a)linux.dev> > Cc: <stable(a)vger.kernel.org> > Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/lib/codetag.c b/lib/codetag.c > index afa8a2d4f3173..d1fbbb7c2ec3d 100644 > --- a/lib/codetag.c > +++ b/lib/codetag.c > @@ -228,6 +228,9 @@ bool codetag_unload_module(struct module *mod) > if (!mod) > return true; > > + /* await any module's kfree_rcu() operations to complete */ > + kvfree_rcu_barrier(); > + > mutex_lock(&codetag_lock); > list_for_each_entry(cttype, &codetag_types, link) { > struct codetag_module *found = NULL;

10 months, 3 weeks

1
0
0 0

[PATCH] nvme: rdma: Add check for queue in nvmet_rdma_cm_handler()

by George Rurikov

From: MrRurikov <grurikov(a)gmal.com> After having been assigned to a NULL value at rdma.c:1758, pointer 'queue' is passed as 1st parameter in call to function 'nvmet_rdma_queue_established' at rdma.c:1773, as 1st parameter in call to function 'nvmet_rdma_queue_disconnect' at rdma.c:1787 and as 2nd parameter in call to function 'nvmet_rdma_queue_connect_fail' at rdma.c:1800, where it is dereferenced. I understand, that driver is confident that the RDMA_CM_EVENT_CONNECT_REQUEST event will occur first and perform initialization, but maliciously prepared hardware could send events in violation of the protocol. Nothing guarantees that the sequence of events will start with RDMA_CM_EVENT_CONNECT_REQUEST. Found by Linux Verification Center (linuxtesting.org) with SVACE Fixes: e1a2ee249b19 ("nvmet-rdma: Fix use after free in nvmet_rdma_cm_handler()") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/nvme/target/rdma.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c index 1b6264fa5803..becebc95f349 100644 --- a/drivers/nvme/target/rdma.c +++ b/drivers/nvme/target/rdma.c @@ -1770,8 +1770,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, ret = nvmet_rdma_queue_connect(cm_id, event); break; case RDMA_CM_EVENT_ESTABLISHED: - nvmet_rdma_queue_established(queue); - break; + if (!queue) { + nvmet_rdma_queue_established(queue); + break; + } case RDMA_CM_EVENT_ADDR_CHANGE: if (!queue) { struct nvmet_rdma_port *port = cm_id->context; @@ -1782,8 +1784,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_DISCONNECTED: case RDMA_CM_EVENT_TIMEWAIT_EXIT: - nvmet_rdma_queue_disconnect(queue); - break; + if (!queue) { + nvmet_rdma_queue_disconnect(queue); + break; + } case RDMA_CM_EVENT_DEVICE_REMOVAL: ret = nvmet_rdma_device_removal(cm_id, queue); break; @@ -1793,8 +1797,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_UNREACHABLE: case RDMA_CM_EVENT_CONNECT_ERROR: - nvmet_rdma_queue_connect_fail(cm_id, queue); - break; + if (!queue) { + nvmet_rdma_queue_connect_fail(cm_id, queue); + break; + } default: pr_err("received unrecognized RDMA CM event %d\n", event->event); -- 2.34.1

10 months, 3 weeks

3
3
0 0

Passenger traffic 2024

by Camille Batiste

Hey, Would you be interested in acquiring the attendees list of Passenger traffic Expo 2024? List contains: Names, Titles, Phone Numbers, Company Details, and more… Interested? Let me know so that I’ll send you the pricing for the same. Kind Regards, Camille Batiste Marketing Executive If you do not wish to receive our emails, please reply with "Not Interested."

10 months, 3 weeks

1
0
0 0

[PATCH 0/1: 5.10/5.15] net: bridge: xmit: make sure we have at least eth header len bytes

by Randy.MacLeod＠windriver.com

From: Randy MacLeod <Randy.MacLeod(a)windriver.com> This is my first commit to -stable so I'm going to carefully explain what I've done. I work on the Yocto Project and I have done some work on the Linux network stack a long time ago so I'm not quite a complete newbie. I took the commit found here: https://lore.kernel.org/stable/20240527185645.658299380@linuxfoundation.org/ and backported as per my commit log: Based on above commit but simplified since pskb_may_pull_reason() does not exist until 6.1. I also trimmed the original commit log of the "Tested by dropwatch" section as well as the full stack trace since that may have changed in 5.10/5.15 and It compiles fine for 5.10 and 5.15 but I have not tested with dropwatch since the patch is just dropping short xmit packets for bridging. Finally, since the patch is much simpler than the original, I've removed the original patch author's SOB line. Please let me know if any of this is not what y'all'd like to see. Randy MacLeod (1): net: bridge: xmit: make sure we have at least eth header len bytes net/bridge/br_device.c | 5 +++++ 1 file changed, 5 insertions(+) base-commit: 5a8fa04b2a4de1d52be4a04690dcb52ac7998943 -- 2.34.1

10 months, 3 weeks

1
1
0 0

[PATCH v2] drm/bridge: Fix assignment of the of_node of the parent to aux bridge

by Abel Vesa

The assignment of the of_node to the aux bridge needs to mark the of_node as reused as well, otherwise resource providers like pinctrl will report a gpio as already requested by a different device when both pinconf and gpios property are present. Fix that by using the device_set_of_node_from_dev() helper instead. Fixes: 6914968a0b52 ("drm/bridge: properly refcount DT nodes in aux bridge drivers") Cc: stable(a)vger.kernel.org # 6.8 Cc: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- Changes in v2: - Re-worded commit to be more explicit of what it fixes, as Johan suggested - Used device_set_of_node_from_dev() helper, as per Johan's suggestion - Added Fixes tag and cc'ed stable - Link to v1: https://lore.kernel.org/r/20241017-drm-aux-bridge-mark-of-node-reused-v1-1-… --- drivers/gpu/drm/bridge/aux-bridge.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/aux-bridge.c b/drivers/gpu/drm/bridge/aux-bridge.c index b29980f95379ec7af873ed6e0fb79a9abb663c7b..295e9d031e2dc86cbfd2a7350718fca181c99487 100644 --- a/drivers/gpu/drm/bridge/aux-bridge.c +++ b/drivers/gpu/drm/bridge/aux-bridge.c @@ -58,9 +58,10 @@ int drm_aux_bridge_register(struct device *parent) adev->id = ret; adev->name = "aux_bridge"; adev->dev.parent = parent; - adev->dev.of_node = of_node_get(parent->of_node); adev->dev.release = drm_aux_bridge_release; + device_set_of_node_from_dev(&adev->dev, parent); + ret = auxiliary_device_init(adev); if (ret) { ida_free(&drm_aux_bridge_ida, adev->id); --- base-commit: d61a00525464bfc5fe92c6ad713350988e492b88 change-id: 20241017-drm-aux-bridge-mark-of-node-reused-5c2ee740ff19 Best regards, -- Abel Vesa <abel.vesa(a)linaro.org>

10 months, 3 weeks

6
25
0 0

[PATCH] vfio/qat: fix overflow check in qat_vf_resume_write()

by Giovanni Cabiddu

The unsigned variable `size_t len` is cast to the signed type `loff_t` when passed to the function check_add_overflow(). This function considers the type of the destination, which is of type loff_t (signed), potentially leading to an overflow. This issue is similar to the one described in the link below. Remove the cast. Note that even if check_add_overflow() is bypassed, by setting `len` to a value that is greater than LONG_MAX (which is considered as a negative value after the cast), the function copy_from_user(), invoked a few lines later, will not perform any copy and return `len` as (len > INT_MAX) causing qat_vf_resume_write() to fail with -EFAULT. Fixes: bb208810b1ab ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices") CC: stable(a)vger.kernel.org # 6.10+ Link: https://lore.kernel.org/all/138bd2e2-ede8-4bcc-aa7b-f3d9de167a37@moroto.mou… Reported-by: Zijie Zhao <zzjas98(a)gmail.com> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Reviewed-by: Xin Zeng <xin.zeng(a)intel.com> --- drivers/vfio/pci/qat/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c index e36740a282e7..1e3563fe7cab 100644 --- a/drivers/vfio/pci/qat/main.c +++ b/drivers/vfio/pci/qat/main.c @@ -305,7 +305,7 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf, offs = &filp->f_pos; if (*offs < 0 || - check_add_overflow((loff_t)len, *offs, &end)) + check_add_overflow(len, *offs, &end)) return -EOVERFLOW; if (end > mig_dev->state_size) -- 2.47.0

10 months, 3 weeks

2
1
0 0

[PATCH v2 1/5] xhci: Combine two if statements for Etron xHCI host

by Kuangyi Chiang

Combine two if statements, because these hosts have the same quirk flags applied. Fixes: 91f7a1524a92 ("xhci: Apply broken streams quirk to Etron EJ188 xHCI host") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com> --- drivers/usb/host/xhci-pci.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index 7e538194a0a4..33a6d99afc10 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -395,12 +395,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; if (pdev->vendor == PCI_VENDOR_ID_ETRON && - pdev->device == PCI_DEVICE_ID_EJ168) { - xhci->quirks |= XHCI_RESET_ON_RESUME; - xhci->quirks |= XHCI_BROKEN_STREAMS; - } - if (pdev->vendor == PCI_VENDOR_ID_ETRON && - pdev->device == PCI_DEVICE_ID_EJ188) { + (pdev->device == PCI_DEVICE_ID_EJ168 || + pdev->device == PCI_DEVICE_ID_EJ188)) { xhci->quirks |= XHCI_RESET_ON_RESUME; xhci->quirks |= XHCI_BROKEN_STREAMS; } -- 2.25.1

10 months, 3 weeks

2
3
0 0

[PATCH 6.6] rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()

by liwei

From: Zqiang <qiang.zhang1211(a)gmail.com> [ Upstream commit fd70e9f1d85f5323096ad313ba73f5fe3d15ea41 ] For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is defined as NR_CPUS instead of the number of possible cpus, this will cause the following system panic: smpboot: Allowing 4 CPUs, 0 hotplug CPUs ... setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1 ... BUG: unable to handle page fault for address: ffffffff9911c8c8 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W 6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6 RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0 RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082 CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0 Call Trace: <TASK> ? __die+0x23/0x80 ? page_fault_oops+0xa4/0x180 ? exc_page_fault+0x152/0x180 ? asm_exc_page_fault+0x26/0x40 ? rcu_tasks_need_gpcb+0x25d/0x2c0 ? __pfx_rcu_tasks_kthread+0x40/0x40 rcu_tasks_one_gp+0x69/0x180 rcu_tasks_kthread+0x94/0xc0 kthread+0xe8/0x140 ? __pfx_kthread+0x40/0x40 ret_from_fork+0x34/0x80 ? __pfx_kthread+0x40/0x40 ret_from_fork_asm+0x1b/0x80 </TASK> Considering that there may be holes in the CPU numbers, use the maximum possible cpu number, instead of nr_cpu_ids, for configuring enqueue and dequeue limits. [ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ] Closes: https://lore.kernel.org/linux-input/CALMA0xaTSMN+p4xUXkzrtR5r6k7hgoswcaXx7b… Reported-by: Zhixu Liu <zhixu.liu(a)gmail.com> Signed-off-by: Zqiang <qiang.zhang1211(a)gmail.com> Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay(a)kernel.org> [liwei: adaptation context conflict] Signed-off-by: liwei <liwei728(a)huawei.com> --- kernel/rcu/tasks.h | 83 ++++++++++++++++++++++++++++++---------------- 1 file changed, 54 insertions(+), 29 deletions(-) diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h index df81506cf2bd..fbfa0f90f884 100644 --- a/kernel/rcu/tasks.h +++ b/kernel/rcu/tasks.h @@ -33,6 +33,7 @@ typedef void (*postgp_func_t)(struct rcu_tasks *rtp); * @barrier_q_head: RCU callback for barrier operation. * @rtp_blkd_tasks: List of tasks blocked as readers. * @cpu: CPU number corresponding to this entry. + * @index: Index of this CPU in rtpcp_array of the rcu_tasks structure. * @rtpp: Pointer to the rcu_tasks structure. */ struct rcu_tasks_percpu { @@ -47,6 +48,7 @@ struct rcu_tasks_percpu { struct rcu_head barrier_q_head; struct list_head rtp_blkd_tasks; int cpu; + int index; struct rcu_tasks *rtpp; }; @@ -73,6 +75,7 @@ struct rcu_tasks_percpu { * @postgp_func: This flavor's post-grace-period function (optional). * @call_func: This flavor's call_rcu()-equivalent function. * @rtpcpu: This flavor's rcu_tasks_percpu structure. + * @rtpcp_array: Array of pointers to rcu_tasks_percpu structure of CPUs in cpu_possible_mask. * @percpu_enqueue_shift: Shift down CPU ID this much when enqueuing callbacks. * @percpu_enqueue_lim: Number of per-CPU callback queues in use for enqueuing. * @percpu_dequeue_lim: Number of per-CPU callback queues in use for dequeuing. @@ -106,6 +109,7 @@ struct rcu_tasks { postgp_func_t postgp_func; call_rcu_func_t call_func; struct rcu_tasks_percpu __percpu *rtpcpu; + struct rcu_tasks_percpu **rtpcp_array; int percpu_enqueue_shift; int percpu_enqueue_lim; int percpu_dequeue_lim; @@ -179,6 +183,8 @@ module_param(rcu_task_collapse_lim, int, 0444); static int rcu_task_lazy_lim __read_mostly = 32; module_param(rcu_task_lazy_lim, int, 0444); +static int rcu_task_cpu_ids; + /* RCU tasks grace-period state for debugging. */ #define RTGS_INIT 0 #define RTGS_WAIT_WAIT_CBS 1 @@ -243,6 +249,8 @@ static void cblist_init_generic(struct rcu_tasks *rtp) unsigned long flags; int lim; int shift; + int maxcpu; + int index = 0; if (rcu_task_enqueue_lim < 0) { rcu_task_enqueue_lim = 1; @@ -252,14 +260,9 @@ static void cblist_init_generic(struct rcu_tasks *rtp) } lim = rcu_task_enqueue_lim; - if (lim > nr_cpu_ids) - lim = nr_cpu_ids; - shift = ilog2(nr_cpu_ids / lim); - if (((nr_cpu_ids - 1) >> shift) >= lim) - shift++; - WRITE_ONCE(rtp->percpu_enqueue_shift, shift); - WRITE_ONCE(rtp->percpu_dequeue_lim, lim); - smp_store_release(&rtp->percpu_enqueue_lim, lim); + rtp->rtpcp_array = kcalloc(num_possible_cpus(), sizeof(struct rcu_tasks_percpu *), GFP_KERNEL); + BUG_ON(!rtp->rtpcp_array); + for_each_possible_cpu(cpu) { struct rcu_tasks_percpu *rtpcp = per_cpu_ptr(rtp->rtpcpu, cpu); @@ -273,12 +276,28 @@ static void cblist_init_generic(struct rcu_tasks *rtp) INIT_WORK(&rtpcp->rtp_work, rcu_tasks_invoke_cbs_wq); rtpcp->cpu = cpu; rtpcp->rtpp = rtp; + rtpcp->index = index; + rtp->rtpcp_array[index] = rtpcp; + index++; if (!rtpcp->rtp_blkd_tasks.next) INIT_LIST_HEAD(&rtpcp->rtp_blkd_tasks); + + maxcpu = cpu; } - pr_info("%s: Setting shift to %d and lim to %d rcu_task_cb_adjust=%d.\n", rtp->name, - data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim), rcu_task_cb_adjust); + rcu_task_cpu_ids = maxcpu + 1; + if (lim > rcu_task_cpu_ids) + lim = rcu_task_cpu_ids; + shift = ilog2(rcu_task_cpu_ids / lim); + if (((rcu_task_cpu_ids - 1) >> shift) >= lim) + shift++; + WRITE_ONCE(rtp->percpu_enqueue_shift, shift); + WRITE_ONCE(rtp->percpu_dequeue_lim, lim); + smp_store_release(&rtp->percpu_enqueue_lim, lim); + + pr_info("%s: Setting shift to %d and lim to %d rcu_task_cb_adjust=%d rcu_task_cpu_ids=%d.\n", + rtp->name, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim), + rcu_task_cb_adjust, rcu_task_cpu_ids); } // Compute wakeup time for lazy callback timer. @@ -346,7 +365,7 @@ static void call_rcu_tasks_generic(struct rcu_head *rhp, rcu_callback_t func, rtpcp->rtp_n_lock_retries = 0; } if (rcu_task_cb_adjust && ++rtpcp->rtp_n_lock_retries > rcu_task_contend_lim && - READ_ONCE(rtp->percpu_enqueue_lim) != nr_cpu_ids) + READ_ONCE(rtp->percpu_enqueue_lim) != rcu_task_cpu_ids) needadjust = true; // Defer adjustment to avoid deadlock. } // Queuing callbacks before initialization not yet supported. @@ -366,10 +385,10 @@ static void call_rcu_tasks_generic(struct rcu_head *rhp, rcu_callback_t func, raw_spin_unlock_irqrestore_rcu_node(rtpcp, flags); if (unlikely(needadjust)) { raw_spin_lock_irqsave(&rtp->cbs_gbl_lock, flags); - if (rtp->percpu_enqueue_lim != nr_cpu_ids) { + if (rtp->percpu_enqueue_lim != rcu_task_cpu_ids) { WRITE_ONCE(rtp->percpu_enqueue_shift, 0); - WRITE_ONCE(rtp->percpu_dequeue_lim, nr_cpu_ids); - smp_store_release(&rtp->percpu_enqueue_lim, nr_cpu_ids); + WRITE_ONCE(rtp->percpu_dequeue_lim, rcu_task_cpu_ids); + smp_store_release(&rtp->percpu_enqueue_lim, rcu_task_cpu_ids); pr_info("Switching %s to per-CPU callback queuing.\n", rtp->name); } raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags); @@ -440,6 +459,8 @@ static int rcu_tasks_need_gpcb(struct rcu_tasks *rtp) int needgpcb = 0; for (cpu = 0; cpu < smp_load_acquire(&rtp->percpu_dequeue_lim); cpu++) { + if (!cpu_possible(cpu)) + continue; struct rcu_tasks_percpu *rtpcp = per_cpu_ptr(rtp->rtpcpu, cpu); /* Advance and accelerate any new callbacks. */ @@ -477,7 +498,7 @@ static int rcu_tasks_need_gpcb(struct rcu_tasks *rtp) if (rcu_task_cb_adjust && ncbs <= rcu_task_collapse_lim) { raw_spin_lock_irqsave(&rtp->cbs_gbl_lock, flags); if (rtp->percpu_enqueue_lim > 1) { - WRITE_ONCE(rtp->percpu_enqueue_shift, order_base_2(nr_cpu_ids)); + WRITE_ONCE(rtp->percpu_enqueue_shift, order_base_2(rcu_task_cpu_ids)); smp_store_release(&rtp->percpu_enqueue_lim, 1); rtp->percpu_dequeue_gpseq = get_state_synchronize_rcu(); gpdone = false; @@ -492,7 +513,9 @@ static int rcu_tasks_need_gpcb(struct rcu_tasks *rtp) pr_info("Completing switch %s to CPU-0 callback queuing.\n", rtp->name); } if (rtp->percpu_dequeue_lim == 1) { - for (cpu = rtp->percpu_dequeue_lim; cpu < nr_cpu_ids; cpu++) { + for (cpu = rtp->percpu_dequeue_lim; cpu < rcu_task_cpu_ids; cpu++) { + if (!cpu_possible(cpu)) + continue; struct rcu_tasks_percpu *rtpcp = per_cpu_ptr(rtp->rtpcpu, cpu); WARN_ON_ONCE(rcu_segcblist_n_cbs(&rtpcp->cblist)); @@ -507,30 +530,32 @@ static int rcu_tasks_need_gpcb(struct rcu_tasks *rtp) // Advance callbacks and invoke any that are ready. static void rcu_tasks_invoke_cbs(struct rcu_tasks *rtp, struct rcu_tasks_percpu *rtpcp) { - int cpu; - int cpunext; int cpuwq; unsigned long flags; int len; + int index; struct rcu_head *rhp; struct rcu_cblist rcl = RCU_CBLIST_INITIALIZER(rcl); struct rcu_tasks_percpu *rtpcp_next; - cpu = rtpcp->cpu; - cpunext = cpu * 2 + 1; - if (cpunext < smp_load_acquire(&rtp->percpu_dequeue_lim)) { - rtpcp_next = per_cpu_ptr(rtp->rtpcpu, cpunext); - cpuwq = rcu_cpu_beenfullyonline(cpunext) ? cpunext : WORK_CPU_UNBOUND; - queue_work_on(cpuwq, system_wq, &rtpcp_next->rtp_work); - cpunext++; - if (cpunext < smp_load_acquire(&rtp->percpu_dequeue_lim)) { - rtpcp_next = per_cpu_ptr(rtp->rtpcpu, cpunext); - cpuwq = rcu_cpu_beenfullyonline(cpunext) ? cpunext : WORK_CPU_UNBOUND; + index = rtpcp->index * 2 + 1; + if (index < num_possible_cpus()) { + rtpcp_next = rtp->rtpcp_array[index]; + if (rtpcp_next->cpu < smp_load_acquire(&rtp->percpu_dequeue_lim)) { + cpuwq = rcu_cpu_beenfullyonline(rtpcp_next->cpu) ? rtpcp_next->cpu : WORK_CPU_UNBOUND; queue_work_on(cpuwq, system_wq, &rtpcp_next->rtp_work); + index++; + if (index < num_possible_cpus()) { + rtpcp_next = rtp->rtpcp_array[index]; + if (rtpcp_next->cpu < smp_load_acquire(&rtp->percpu_dequeue_lim)) { + cpuwq = rcu_cpu_beenfullyonline(rtpcp_next->cpu) ? rtpcp_next->cpu : WORK_CPU_UNBOUND; + queue_work_on(cpuwq, system_wq, &rtpcp_next->rtp_work); + } + } } } - if (rcu_segcblist_empty(&rtpcp->cblist) || !cpu_possible(cpu)) + if (rcu_segcblist_empty(&rtpcp->cblist)) return; raw_spin_lock_irqsave_rcu_node(rtpcp, flags); rcu_segcblist_advance(&rtpcp->cblist, rcu_seq_current(&rtp->tasks_gp_seq)); -- 2.25.1

10 months, 3 weeks

1
0
0 0

[PATCH] counter: stm32-timer-cnt: fix device_node handling in probe_encoder()

by Javier Carrasco

Device nodes accessed via of_get_compatible_child() require of_node_put() to be called when the node is no longer required to avoid leaving a reference to the node behind, leaking the resource. In this case, the usage of 'tnode' is straightforward and there are no error paths, allowing for a single of_node_put() when 'tnode' is no longer required. Cc: stable(a)vger.kernel.org Fixes: 29646ee33cc3 ("counter: stm32-timer-cnt: add checks on quadrature encoder capability") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/counter/stm32-timer-cnt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/counter/stm32-timer-cnt.c b/drivers/counter/stm32-timer-cnt.c index 186e73d6ccb4..0d8206adccb3 100644 --- a/drivers/counter/stm32-timer-cnt.c +++ b/drivers/counter/stm32-timer-cnt.c @@ -694,6 +694,7 @@ static int stm32_timer_cnt_probe_encoder(struct device *dev, } ret = of_property_read_u32(tnode, "reg", &idx); + of_node_put(tnode); if (ret) { dev_err(dev, "Can't get index (%d)\n", ret); return ret; --- base-commit: a39230ecf6b3057f5897bc4744a790070cfbe7a8 change-id: 20241027-stm32-timer-cnt-of_node_put-8c6695e7a373 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 3 weeks

2
1
0 0

Linux 6.11.6

by Greg Kroah-Hartman

I'm announcing the release of the 6.11.6 kernel. All users of the 6.11 kernel series must upgrade. The updated 6.11.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.11.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/sound/davinci-mcasp-audio.yaml | 18 Makefile | 2 arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 arch/arm64/Makefile | 2 arch/arm64/kvm/arm.c | 3 arch/arm64/kvm/sys_regs.c | 2 arch/arm64/kvm/vgic/vgic-init.c | 28 + arch/arm64/net/bpf_jit_comp.c | 12 arch/loongarch/include/asm/bootinfo.h | 4 arch/loongarch/include/asm/kasan.h | 2 arch/loongarch/kernel/process.c | 16 arch/loongarch/kernel/setup.c | 3 arch/loongarch/kernel/traps.c | 5 arch/riscv/net/bpf_jit_comp64.c | 8 arch/s390/include/asm/perf_event.h | 1 arch/s390/pci/pci_event.c | 17 arch/x86/Kconfig | 1 arch/x86/events/rapl.c | 47 ++ arch/x86/include/asm/runtime-const.h | 4 arch/x86/include/asm/uaccess_64.h | 45 +- arch/x86/kernel/amd_nb.c | 6 arch/x86/kernel/cpu/common.c | 10 arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 - arch/x86/kernel/vmlinux.lds.S | 1 arch/x86/kvm/svm/nested.c | 6 arch/x86/lib/getuser.S | 9 arch/x86/virt/svm/sev.c | 2 block/elevator.c | 17 drivers/accel/qaic/qaic_control.c | 2 drivers/accel/qaic/qaic_data.c | 6 drivers/acpi/button.c | 11 drivers/acpi/cppc_acpi.c | 22 - drivers/acpi/prmt.c | 29 + drivers/acpi/resource.c | 7 drivers/ata/libata-eh.c | 1 drivers/cdrom/cdrom.c | 2 drivers/clk/rockchip/clk.c | 2 drivers/cpufreq/amd-pstate.c | 10 drivers/firewire/core-topology.c | 2 drivers/firmware/arm_scmi/driver.c | 4 drivers/firmware/arm_scmi/mailbox.c | 32 + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 13 drivers/gpu/drm/amd/display/modules/power/power_helpers.c | 2 drivers/gpu/drm/bridge/aux-bridge.c | 3 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 16 drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 20 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 68 ++- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 7 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 5 drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 drivers/gpu/drm/msm/dsi/dsi_host.c | 4 drivers/gpu/drm/panel/panel-himax-hx83102.c | 12 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 drivers/gpu/drm/xe/xe_device.c | 4 drivers/gpu/drm/xe/xe_exec.c | 12 drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 drivers/gpu/drm/xe/xe_gt_mcr.c | 2 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 29 - drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h | 1 drivers/gpu/drm/xe/xe_guc_submit.c | 7 drivers/gpu/drm/xe/xe_vm.c | 8 drivers/hwmon/jc42.c | 2 drivers/iio/accel/bma400_core.c | 3 drivers/iio/adc/Kconfig | 2 drivers/iio/frequency/Kconfig | 33 - drivers/infiniband/core/addr.c | 2 drivers/infiniband/hw/bnxt_re/hw_counters.c | 2 drivers/infiniband/hw/bnxt_re/ib_verbs.h | 1 drivers/infiniband/hw/bnxt_re/main.c | 29 - drivers/infiniband/hw/bnxt_re/qplib_fp.c | 16 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 3 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 - drivers/infiniband/hw/bnxt_re/qplib_sp.c | 11 drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 drivers/infiniband/hw/cxgb4/cm.c | 9 drivers/infiniband/hw/irdma/cm.c | 2 drivers/infiniband/ulp/srpt/ib_srpt.c | 80 +++ drivers/irqchip/irq-renesas-rzg2l.c | 16 drivers/irqchip/irq-riscv-imsic-platform.c | 2 drivers/md/raid10.c | 7 drivers/net/dsa/microchip/ksz_common.c | 21 - drivers/net/dsa/mv88e6xxx/chip.c | 2 drivers/net/dsa/mv88e6xxx/chip.h | 6 drivers/net/dsa/mv88e6xxx/port.c | 1 drivers/net/dsa/mv88e6xxx/ptp.c | 108 +++-- drivers/net/dsa/vitesse-vsc73xx-core.c | 1 drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 22 - drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 70 ++- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 12 drivers/net/ethernet/emulex/benet/be_main.c | 10 drivers/net/ethernet/freescale/fman/mac.c | 68 ++- drivers/net/ethernet/freescale/fman/mac.h | 6 drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 82 ++-- drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 9 drivers/net/ethernet/microchip/sparx5/sparx5_mirror.c | 12 drivers/net/ethernet/realtek/r8169_main.c | 4 drivers/net/ethernet/renesas/ravb_main.c | 25 - drivers/net/ethernet/renesas/rtsn.c | 1 drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 drivers/net/hyperv/netvsc_drv.c | 30 + drivers/net/macsec.c | 18 drivers/net/netdevsim/dev.c | 15 drivers/net/phy/dp83822.c | 4 drivers/net/plip/plip.c | 2 drivers/net/pse-pd/pse_core.c | 4 drivers/net/usb/usbnet.c | 4 drivers/net/virtio_net.c | 2 drivers/net/vmxnet3/vmxnet3_xdp.c | 2 drivers/net/wwan/wwan_core.c | 2 drivers/nvme/host/pci.c | 19 drivers/pci/probe.c | 2 drivers/pci/pwrctl/pci-pwrctl-pwrseq.c | 58 ++ drivers/platform/x86/dell/dell-wmi-base.c | 9 drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 drivers/platform/x86/intel/pmc/core_ssram.c | 4 drivers/powercap/dtpm_devfreq.c | 2 drivers/reset/starfive/reset-starfive-jh71x0.c | 3 drivers/soundwire/intel_ace2x.c | 19 drivers/target/target_core_device.c | 2 drivers/target/target_core_user.c | 2 drivers/usb/host/xhci-dbgcap.h | 2 drivers/usb/host/xhci-dbgtty.c | 73 ++- drivers/usb/typec/class.c | 3 drivers/video/fbdev/Kconfig | 1 fs/9p/v9fs.h | 34 + fs/9p/v9fs_vfs.h | 2 fs/9p/vfs_inode.c | 129 ++++-- fs/9p/vfs_inode_dotl.c | 112 ++++- fs/9p/vfs_super.c | 2 fs/backing-file.c | 8 fs/btrfs/block-group.c | 2 fs/btrfs/dir-item.c | 4 fs/btrfs/disk-io.c | 2 fs/btrfs/extent_map.c | 31 - fs/btrfs/inode.c | 7 fs/btrfs/qgroup.c | 2 fs/btrfs/qgroup.h | 2 fs/btrfs/super.c | 12 fs/fuse/passthrough.c | 8 fs/jfs/jfs_dmap.c | 2 fs/namespace.c | 4 fs/nfsd/nfs4state.c | 50 ++ fs/nfsd/state.h | 2 fs/nilfs2/page.c | 6 fs/notify/fsnotify.c | 21 - fs/notify/inotify/inotify_user.c | 2 fs/notify/mark.c | 8 fs/open.c | 2 fs/overlayfs/file.c | 9 fs/select.c | 4 fs/smb/client/cifsfs.c | 2 fs/smb/client/fs_context.c | 7 fs/smb/client/reparse.c | 23 + fs/smb/client/smb2ops.c | 3 fs/smb/client/smb2pdu.c | 9 fs/udf/balloc.c | 38 + fs/udf/directory.c | 23 - fs/udf/inode.c | 202 ++++++---- fs/udf/partition.c | 6 fs/udf/super.c | 3 fs/udf/truncate.c | 43 +- fs/udf/udfdecl.h | 15 fs/xfs/scrub/repair.c | 8 include/linux/backing-file.h | 2 include/linux/bpf.h | 14 include/linux/bpf_types.h | 1 include/linux/huge_mm.h | 18 include/linux/netdevice.h | 12 include/linux/shmem_fs.h | 11 include/linux/task_work.h | 5 include/linux/uaccess.h | 7 include/net/bluetooth/bluetooth.h | 1 include/net/genetlink.h | 3 include/net/sock.h | 5 include/net/xfrm.h | 28 - include/uapi/linux/bpf.h | 16 include/uapi/sound/asoc.h | 2 kernel/bpf/btf.c | 15 kernel/bpf/devmap.c | 11 kernel/bpf/helpers.c | 10 kernel/bpf/inode.c | 5 kernel/bpf/log.c | 3 kernel/bpf/ringbuf.c | 14 kernel/bpf/syscall.c | 31 + kernel/bpf/task_iter.c | 2 kernel/bpf/verifier.c | 107 ++--- kernel/sched/core.c | 4 kernel/task_work.c | 15 kernel/time/posix-clock.c | 6 kernel/trace/bpf_trace.c | 42 -- kernel/trace/fgraph.c | 15 kernel/trace/ring_buffer.c | 44 +- kernel/trace/trace_eprobe.c | 7 kernel/trace/trace_fprobe.c | 6 kernel/trace/trace_kprobe.c | 6 kernel/trace/trace_probe.c | 2 kernel/trace/trace_uprobe.c | 13 lib/Kconfig.debug | 2 lib/objpool.c | 2 lib/strncpy_from_user.c | 9 lib/strnlen_user.c | 9 mm/huge_memory.c | 24 - mm/memory.c | 9 mm/shmem.c | 55 +- net/bluetooth/af_bluetooth.c | 22 + net/bluetooth/bnep/core.c | 3 net/bluetooth/hci_core.c | 24 - net/bluetooth/hci_sync.c | 12 net/bluetooth/iso.c | 18 net/bluetooth/sco.c | 18 net/core/filter.c | 50 -- net/core/sock_map.c | 8 net/ipv4/devinet.c | 35 + net/ipv4/inet_connection_sock.c | 21 - net/ipv4/xfrm4_policy.c | 40 - net/ipv6/xfrm6_policy.c | 31 - net/l2tp/l2tp_netlink.c | 4 net/netfilter/nf_bpf_link.c | 7 net/netfilter/xt_NFLOG.c | 2 net/netfilter/xt_TRACE.c | 1 net/netfilter/xt_mark.c | 2 net/netlink/genetlink.c | 28 - net/sched/act_api.c | 23 + net/sched/sch_generic.c | 8 net/sched/sch_taprio.c | 21 - net/smc/smc_pnet.c | 2 net/smc/smc_wr.c | 6 net/vmw_vsock/virtio_transport_common.c | 14 net/vmw_vsock/vsock_bpf.c | 8 net/wireless/nl80211.c | 8 net/xfrm/xfrm_device.c | 11 net/xfrm/xfrm_policy.c | 50 +- net/xfrm/xfrm_user.c | 10 sound/firewire/amdtp-stream.c | 3 sound/pci/hda/Kconfig | 2 sound/pci/hda/patch_cs8409.c | 5 sound/pci/hda/patch_realtek.c | 48 +- sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/lpass-rx-macro.c | 2 sound/soc/codecs/max98388.c | 1 sound/soc/fsl/fsl_micfil.c | 43 ++ sound/soc/fsl/fsl_sai.c | 5 sound/soc/fsl/fsl_sai.h | 1 sound/soc/loongson/loongson_card.c | 1 sound/soc/qcom/Kconfig | 2 sound/soc/qcom/lpass-cpu.c | 2 sound/soc/qcom/sc7280.c | 10 sound/soc/qcom/sdm845.c | 7 sound/soc/qcom/sm8250.c | 1 sound/soc/sh/rcar/core.c | 7 sound/soc/soc-dapm.c | 4 sound/soc/sof/intel/hda-dai-ops.c | 23 - sound/soc/sof/intel/hda-dai.c | 37 + sound/soc/sof/intel/hda-loader.c | 17 sound/soc/sof/ipc4-topology.c | 15 tools/include/uapi/linux/bpf.h | 3 tools/testing/selftests/bpf/Makefile | 2 tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 9 274 files changed, 2654 insertions(+), 1268 deletions(-) Abel Vesa (1): drm/bridge: Fix assignment of the of_node of the parent to aux bridge Abhishek Mohapatra (1): RDMA/bnxt_re: Fix the max CQ WQEs for older adapters Aleksa Sarai (1): openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Aleksandr Mishin (4): octeon_ep: Implement helper for iterating packets in Rx queue octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() fsl/fman: Save device references taken in mac_probe() fsl/fman: Fix refcount handling of fman-related devices Alexander Zubkov (1): RDMA/irdma: Fix misspelling of "accept*" Alexey Klimov (3): ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string ASoC: qcom: sdm845: add missing soundwire runtime stream alloc Amadeusz Sławiński (1): ASoC: topology: Bump minimal topology ABI version Amir Goldstein (2): fs: pass offset and result to backing_file end_write() callback fuse: update inode size after extending passthrough write Andrea Parri (1): riscv, bpf: Make BPF_CMPXCHG fully ordered Andrew Jones (1): irqchip/riscv-imsic: Fix output text of base address Andrey Shumilin (1): ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Andrii Nakryiko (1): bpf: fix do_misc_fixups() for bpf_get_branch_snapshot() Anumula Murali Mohan Reddy (2): RDMA/core: Fix ENODEV error for iWARP test over vlan RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Armin Wolf (1): platform/x86: dell-wmi: Ignore suspend notifications Arnd Bergmann (1): fbdev: wm8505fb: select CONFIG_FB_IOMEM_FOPS Ashish Kalra (1): x86/sev: Ensure that RMP table fixups are reserved Aurabindo Pillai (1): drm/amd/display: temp w/a for DP Link Layer compliance Baolin Wang (2): mm: shmem: rename shmem_is_huge() to shmem_huge_global_enabled() mm: shmem: move shmem_huge_global_enabled() into shmem_allowable_huge_orders() Bart Van Assche (1): RDMA/srpt: Make slab cache names unique Bartosz Golaszewski (2): PCI: Hold rescan lock while adding devices during host probe PCI/pwrctl: Abandon QCom WCN probe on pre-pwrseq device-trees Benjamin Bara (1): ASoC: dapm: avoid container_of() to get component Bhargava Chenna Marreddy (1): RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Binbin Zhou (1): ASoC: loongson: Fix component check failed on FDT systems Boris Burkov (1): btrfs: fix read corruption due to race with extent map merging Breno Leitao (2): elevator: do not request_module if elevator exists elevator: Remove argument from elevator_find_get Chancel Liu (1): ASoC: fsl_micfil: Add a flag to distinguish with different volume control types Chandramohan Akula (1): RDMA/bnxt_re: Change the sequence of updating the CQ toggle value Changhuang Liang (1): reset: starfive: jh71x0: Fix accessing the empty member on JH7110 SoC Christian Brauner (1): fs: don't try and remove empty rbtree node Christian Heusel (1): ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Colin Ian King (2): octeontx2-af: Fix potential integer overflows on integer shifts ASoC: max98388: Fix missing increment of variable slot_found Cong Yang (1): drm/panel: himax-hx83102: Adjust power and gamma to optimize brightness Cosmin Ratiu (2): net/mlx5: Unregister notifier on eswitch init failure net/mlx5e: Don't call cleanup on profile rollback failure Crag Wang (1): platform/x86: dell-sysman: add support for alienware products Dan Carpenter (1): ACPI: PRM: Clean up guid type in struct prm_handler_info Daniel Borkmann (6): vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame bpf: Fix incorrect delta propagation between linked registers bpf: Fix print_reg_state's constant scalar dump bpf: Add MEM_WRITE attribute bpf: Fix overloading of MEM_UNINIT's meaning bpf: Remove MEM_UNINIT from skb/xdp MTU helpers Daniel Machon (1): net: sparx5: fix source port register when mirroring Darrick J. Wong (1): xfs: don't fail repairs on metadata files with no attr fork Dave Kleikamp (1): jfs: Fix sanity check in dbMount David Hildenbrand (1): mm: don't install PMD mappings when THPs are disabled by the hw/process/vma David Lawrence Glanzman (1): ASoC: amd: yc: Add quirk for HP Dragonfly pro one Dhananjay Ugwekar (2): cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory systems perf/x86/rapl: Fix the energy-pkg event for AMD CPUs Dimitar Kanaliev (1): bpf: Fix truncation bug in coerce_reg_to_size_sx() Dmitry Antipov (2): net: sched: fix use-after-free in taprio_change() net: sched: use RCU read-side critical section in taprio_dump() Dmitry Baryshkov (3): drm/msm/dpu: make sure phys resources are properly initialized drm/msm/dpu: move CRTC resource assignment to dpu_encoder_virt_atomic_check drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds() Dominique Martinet (4): Revert " fs/9p: mitigate inode collisions" Revert "fs/9p: remove redundant pointer v9ses" Revert "fs/9p: fix uaf in in v9fs_stat2inode_dotl" Revert "fs/9p: simplify iget to remove unnecessary paths" Douglas Anderson (2): drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() drm/msm: Allocate memory for disp snapshot with kvzalloc() Eduard Zingerman (1): bpf: sync_linked_regs() must preserve subreg_def Eric Biggers (1): ALSA: hda/tas2781: select CRC32 instead of CRC32_SARWATE Eric Dumazet (3): netdevsim: use cond_resched() in nsim_dev_trap_report_work() genetlink: hold RCU in genlmsg_mcast() net: fix races in netdev_tx_sent_queue()/dev_watchdog() Eyal Birger (2): xfrm: extract dst lookup parameters into a struct xfrm: respect ip protocols rules criteria when performing dst lookups Fabrizio Castro (1): irqchip/renesas-rzg2l: Fix missing put_device Felix Fietkau (1): net: ethernet: mtk_eth_soc: fix memory corruption during fq dma init Filipe Manana (1): btrfs: clear force-compress on remount when compress mount option is given Florian Kauer (1): bpf: devmap: provide rxq after redirect Florian Klink (1): ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Florian Westphal (1): netfilter: bpf: must hold reference on net namespace Gal Pressman (1): ravb: Remove setting of RX software timestamp Gianfranco Trad (1): udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman (1): Linux 6.11.6 Gustavo Sousa (1): drm/xe/mcr: Use Xe2_LPM steering tables for Xe2_HPM Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Hans de Goede (1): drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Heiko Carstens (1): s390: Initialize psw mask in perf_arch_fetch_caller_regs() Heiner Kallweit (1): r8169: avoid unsolicited interrupts Henrique Carvalho (1): smb: client: Handle kstrdup failures for passwords Hongguang Gao (1): RDMA/bnxt_re: Get the toggle bits from SRQ events Hou Tao (3): bpf: Check the remaining info_cnt before repeating btf fields bpf: Preserve param->string when parsing mount options bpf: Add the missing BPF_LINK_TYPE invocation for sockmap Huacai Chen (3): LoongArch: Get correct cores_per_package for SMT systems LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context LoongArch: Make KASAN usable for variable cpu_vabits Ian Forbes (1): drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check Ilkka Koskinen (1): KVM: arm64: Fix shift-out-of-bounds bug Jakub Boehm (1): net: plip: fix break; causing plip to never transmit Jan Kara (1): fsnotify: Avoid data race between fsnotify_recalc_mask() and fsnotify_object_watched() Javier Carrasco (3): iio: frequency: {admv4420,adrf6780}: format Kconfig entries iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jean Delvare (1): [PATCH} hwmon: (jc42) Properly detect TSE2004-compliant devices again Jessica Zhang (2): drm/msm/dpu: Don't always set merge_3d pending flush drm/msm/dpu: don't always program merge_3d block Jinjie Ruan (1): posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jiri Olsa (2): bpf: Fix memory leak in bpf_core_apply bpf,perf: Fix perf_event_detach_bpf_prog error handling Jiri Slaby (SUSE) (2): xhci: dbgtty: remove kfifo_out() wrapper xhci: dbgtty: use kfifo from tty_port struct Jonathan Marek (2): drm/msm/dsi: improve/fix dsc pclk calculation drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jordan Rome (1): bpf: Fix iter/task tid filtering Josh Poimboeuf (1): cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed() José Relvas (1): ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Justin Chen (1): firmware: arm_scmi: Queue in scmi layer for mailbox implementation Kai Shen (1): net/smc: Fix memory leak when using percpu refs Kai Vehmanen (1): ASoC: SOF: Intel: hda-loader: do not wait for HDaudio IOC Kailang Yang (1): ALSA: hda/realtek: Update default depop procedure Kalesh AP (5): RDMA/bnxt_re: Fix a possible memory leak RDMA/bnxt_re: Add a check for memory allocation RDMA/bnxt_re: Fix out of bound check RDMA/bnxt_re: Return more meaningful error RDMA/bnxt_re: Fix the GID table length Kashyap Desai (1): RDMA/bnxt_re: Fix incorrect dereference of srq in async event Kefeng Wang (1): mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() Koba Ko (1): ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Konrad Dybcio (1): PCI/pwrctl: Add WCN6855 support Kory Maincent (1): net: pse-pd: Fix out of bound for loop Krzysztof Kozlowski (2): ASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc ASoC: qcom: Select missing common Soundwire module code on SDM845 Kuniyuki Iwashima (1): tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Lad Prabhakar (1): ASoC: rsnd: Fix probe failure on HiHope boards due to endpoint parsing Leo Yan (1): tracing: Consider the NULL character when validating the event length Li Huafei (1): fgraph: Fix missing unlock in register_ftrace_graph() Li RongQing (1): net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Lin Ma (1): net: wwan: fix global oob in wwan_rtnl_policy Linus Torvalds (3): x86: support user address masking instead of non-speculative conditional x86: fix whitespace in runtime-const assembler output x86: fix user address masking non-canonical speculation issue Luiz Augusto von Dentz (3): Bluetooth: hci_core: Disable works on hci_unregister_dev Bluetooth: SCO: Fix UAF on sco_sock_timeout Bluetooth: ISO: Fix UAF on iso_sock_timeout Maher Sanalla (1): net/mlx5: Check for invalid vector index on EQ creation Marc Zyngier (1): KVM: arm64: Don't eagerly teardown the vgic on init error Mario Limonciello (2): drm/amd: Guard against bad data for ATIF ACPI method drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Mark Rutland (1): arm64: Force position-independent veneers Martin Kletzander (1): x86/resctrl: Avoid overflow in MB settings in bw_validate() Mathias Nyman (1): xhci: dbc: honor usb transfer size boundaries. Matthew Auld (2): drm/xe: fix unbalanced rpm put() with fence_fini() drm/xe: fix unbalanced rpm put() with declare_wedged() Matthew Brost (3): drm/xe: Take job list lock in xe_sched_add_pending_job drm/xe: Don't free job in TDR drm/xe: Use bookkeep slots for external BO's in exec IOCTL Maurizio Lombardi (1): nvme-pci: fix race condition between reset and nvme_dev_disable() Michael S. Tsirkin (1): virtio_net: fix integer overflow in stats Michal Luczaj (4): bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock vsock: Update rx_bytes on read_skb() vsock: Update msg_count on read_skb() bpf, vsock: Drop static vsock_bpf_prot initialization Michel Alex (1): net: phy: dp83822: Fix reset pin definitions Mikel Rychliski (1): tracing/probes: Fix MAX_TRACE_ARGS limit handling Mikhail Lobanov (1): iio: accel: bma400: Fix uninitialized variable field_value in tap event handling. Miquel Raynal (2): ASoC: dt-bindings: davinci-mcasp: Fix interrupts property ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties Murad Masimov (1): ALSA: hda/cs8409: Fix possible NULL dereference Naohiro Aota (1): btrfs: zoned: fix zone unusable accounting for freed reserved extent Niklas Cassel (1): ata: libata: Set DID_TIME_OUT for commands that actually timed out Niklas Schnelle (1): s390/pci: Handle PCI error codes other than 0x3a Niklas Söderlund (1): net: ravb: Only advertise Rx/Tx timestamps if hardware supports it Olga Kornievskaia (1): nfsd: fix race between laundromat and free_stateid Oliver Neukum (2): net: usb: usbnet: fix race in probe failure net: usb: usbnet: fix name regression Oliver Upton (1): KVM: arm64: Unregister redistributor for failed vCPU creation Pablo Neira Ayuso (1): netfilter: xtables: fix typo causing some targets not to load on IPv6 Pali Rohár (1): cifs: Validate content of NFS reparse point buffer Paritosh Dixit (1): net: stmmac: dwmac-tegra: Fix link bring-up sequence Paulo Alcantara (1): smb: client: fix OOBs when building SMB2_IOCTL request Pawan Gupta (1): x86/lam: Disable ADDRESS_MASKING in most cases Peter Collingbourne (1): bpf, arm64: Fix address emission with tag-based KASAN enabled Peter Rashleigh (2): net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361 net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Petr Pavlu (1): ring-buffer: Fix reader locking when changing the sub buffer order Petr Vaganov (1): xfrm: fix one more kernel-infoleak in algo dumping Pranjal Ramajor Asha Kanojiya (1): accel/qaic: Fix the for loop used to walk SG table Pu Lehui (1): riscv, bpf: Fix possible infinite tailcall when CONFIG_CFI_CLANG is enabled Qiao Ma (1): uprobe: avoid out-of-bounds memory access of fetching args Qu Wenruo (2): btrfs: qgroup: set a more sane default value for subtree drop threshold btrfs: reject ro->rw reconfiguration if there are hard ro requirements Ranjani Sridharan (4): ASoC: SOF: Intel: hda: Handle prepare without close for non-HDA DAI's ASoC: SOF: Intel: hda: Always clean up link DMA during stop ASoC: SOF: ipc4-topology: Do not set ALH node_id for aggregated DAIs soundwire: intel_ace2x: Send PDI stream number during prepare Richard Gong (2): x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h-70h x86/amd_nb: Add new PCI ID for AMD family 1Ah model 20h Rob Clark (1): drm/msm/a6xx+: Insert a fence wait before SMMU table update Ryusuke Konishi (1): nilfs2: fix kernel bug due to missing clearing of buffer delay flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Christopherson (1): KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Selvin Xavier (1): RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Shay Drory (1): net/mlx5: Fix command bitmask initialization Shenghao Yang (3): net: dsa: mv88e6xxx: group cycle counter coefficients net: dsa: mv88e6xxx: read cycle counter period from hardware net: dsa: mv88e6xxx: support 4000ps cycle counter period Shengjiu Wang (1): ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Srinivasan Shanmugam (1): drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring Steven Rostedt (2): fgraph: Allocate ret_stack_list with proper size fgraph: Change the name of cpuhp state to "fgraph:online" Su Hui (2): firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup() smb: client: fix possible double free in smb2_set_ea() Takashi Sakamoto (1): firewire: core: fix invalid port index for parent device Thadeu Lima de Souza Cascardo (1): usb: typec: altmode should keep reference to parent Thomas Weißschuh (1): LoongArch: Don't crash in stack_top() for tasks without vDSO Tim Harvey (1): net: dsa: microchip: disable EEE for KSZ879x/KSZ877x/KSZ876x Timo Grautstueck (1): lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW Toke Høiland-Jørgensen (2): bpf: Make sure internal and UAPI bpf_redirect flags don't overlap bpf: fix kfunc btf caching for modules Tony Ambardar (1): selftests/bpf: Fix cross-compiling urandom_read Tyrone Wu (4): bpf: fix unpopulated name_len field in perf_event link info selftests/bpf: fix perf_event link info name_len assertion bpf: Fix unpopulated path_size when uprobe_multi fields unset bpf: Fix link info netfilter flags to populate defrag flag Vadim Fedorenko (1): bnxt_en: replace ptp_lock with irqsave variant Vamsi Krishna Brahmajosyula (1): platform/x86/intel/pmc: Fix pmc_core_iounmap to call iounmap for valid addresses Viktor Malik (1): objpool: fix choosing allocation for percpu slots Vladimir Oltean (2): net: dsa: vsc73xx: fix reception from VLAN-unaware bridges net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers Waiman Long (1): sched/core: Disable page allocation in task_tick_mm_cid() Wander Lairson Costa (1): bpf: Use raw_spinlock_t in ringbuf Wang Hai (8): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() net: ethernet: rtsn: fix potential memory leak in rtsn_start_xmit() net: systemport: fix potential memory leak in bcm_sysport_xmit() net: bcmasp: fix potential memory leak in bcmasp_xmit() scsi: target: core: Fix null-ptr-deref in target_alloc_device() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() Xin Long (1): ipv4: give an IPv4 dev to blackhole_netdev Yang Erkun (1): nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Yao Zi (1): clk: rockchip: fix finding of maximum clock ID Ye Bin (2): Bluetooth: bnep: fix wild-memory-access in proto_unregister cifs: fix warning when destroy 'cifs_io_request_pool' Yu Kuai (1): md/raid10: fix null ptr dereference in raid10_size() Yuan Can (2): mlxsw: spectrum_router: fix xa_store() error checking powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() Yue Haibing (1): btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item() Zhao Mengmeng (3): udf: refactor udf_current_aext() to handle error udf: refactor udf_next_aext() to handle error udf: refactor inode_bmap() to handle error Zichen Xie (1): ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() liwei (1): cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception

10 months, 3 weeks

1
1
0 0

Linux 6.6.59

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.59 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/sound/davinci-mcasp-audio.yaml | 18 Makefile | 2 arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 arch/arm64/Makefile | 2 arch/arm64/kvm/arm.c | 3 arch/arm64/kvm/sys_regs.c | 2 arch/arm64/kvm/vgic/vgic-init.c | 6 arch/loongarch/include/asm/bootinfo.h | 4 arch/loongarch/include/asm/kasan.h | 2 arch/loongarch/kernel/process.c | 16 arch/loongarch/kernel/setup.c | 3 arch/loongarch/kernel/traps.c | 5 arch/riscv/net/bpf_jit_comp64.c | 4 arch/s390/include/asm/perf_event.h | 1 arch/s390/pci/pci_event.c | 17 arch/x86/Kconfig | 1 arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 arch/x86/kvm/svm/nested.c | 6 drivers/accel/qaic/qaic_control.c | 2 drivers/accel/qaic/qaic_data.c | 6 drivers/acpi/button.c | 11 drivers/acpi/cppc_acpi.c | 116 ++++ drivers/acpi/prmt.c | 29 - drivers/acpi/resource.c | 7 drivers/ata/libata-eh.c | 1 drivers/cdrom/cdrom.c | 2 drivers/cpufreq/amd-pstate.c | 10 drivers/cpufreq/cppc_cpufreq.c | 139 ----- drivers/firmware/arm_scmi/driver.c | 4 drivers/firmware/arm_scmi/mailbox.c | 32 - drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 drivers/gpu/drm/amd/display/modules/power/power_helpers.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 17 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 2 drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 drivers/gpu/drm/msm/dsi/dsi_host.c | 4 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 drivers/iio/accel/bma400_core.c | 3 drivers/iio/adc/Kconfig | 2 drivers/iio/frequency/Kconfig | 33 - drivers/infiniband/core/addr.c | 2 drivers/infiniband/hw/bnxt_re/hw_counters.c | 6 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 48 + drivers/infiniband/hw/bnxt_re/main.c | 42 - drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 4 drivers/infiniband/hw/bnxt_re/qplib_res.c | 23 drivers/infiniband/hw/bnxt_re/qplib_res.h | 20 drivers/infiniband/hw/bnxt_re/qplib_sp.c | 22 drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 drivers/infiniband/hw/cxgb4/cm.c | 9 drivers/infiniband/hw/irdma/cm.c | 2 drivers/infiniband/ulp/srpt/ib_srpt.c | 80 ++- drivers/irqchip/irq-renesas-rzg2l.c | 94 +++ drivers/net/dsa/mv88e6xxx/chip.c | 2 drivers/net/dsa/mv88e6xxx/chip.h | 6 drivers/net/dsa/mv88e6xxx/port.c | 1 drivers/net/dsa/mv88e6xxx/ptp.c | 108 ++-- drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/emulex/benet/be_main.c | 10 drivers/net/ethernet/freescale/fman/mac.c | 68 +- drivers/net/ethernet/freescale/fman/mac.h | 6 drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 82 ++- drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 drivers/net/ethernet/realtek/r8169_main.c | 4 drivers/net/ethernet/renesas/ravb_main.c | 25 drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 drivers/net/hyperv/netvsc_drv.c | 30 + drivers/net/macsec.c | 18 drivers/net/netdevsim/dev.c | 15 drivers/net/phy/dp83822.c | 4 drivers/net/plip/plip.c | 2 drivers/net/usb/usbnet.c | 4 drivers/net/vmxnet3/vmxnet3_xdp.c | 2 drivers/net/wwan/wwan_core.c | 2 drivers/nvme/host/pci.c | 21 drivers/platform/x86/dell/dell-wmi-base.c | 9 drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 drivers/powercap/dtpm_devfreq.c | 2 drivers/target/target_core_device.c | 2 drivers/target/target_core_user.c | 2 drivers/usb/dwc3/core.c | 19 drivers/usb/dwc3/core.h | 3 drivers/usb/gadget/function/f_uac2.c | 13 drivers/usb/host/xhci-caps.h | 85 +++ drivers/usb/host/xhci-dbgcap.h | 2 drivers/usb/host/xhci-dbgtty.c | 73 ++ drivers/usb/host/xhci-port.h | 176 ++++++ drivers/usb/host/xhci.h | 262 ---------- drivers/usb/typec/class.c | 3 fs/btrfs/block-group.c | 2 fs/btrfs/dir-item.c | 4 fs/btrfs/inode.c | 7 fs/exec.c | 21 fs/jfs/jfs_dmap.c | 2 fs/nfsd/nfs4state.c | 2 fs/nilfs2/page.c | 6 fs/open.c | 2 fs/smb/client/fs_context.c | 7 fs/smb/client/reparse.c | 23 fs/smb/client/smb2ops.c | 3 fs/smb/client/smb2pdu.c | 9 fs/udf/balloc.c | 38 - fs/udf/directory.c | 23 fs/udf/inode.c | 202 +++++-- fs/udf/partition.c | 6 fs/udf/super.c | 3 fs/udf/truncate.c | 43 + fs/udf/udfdecl.h | 15 include/acpi/cppc_acpi.h | 2 include/linux/bpf.h | 14 include/linux/memcontrol.h | 14 include/linux/netdevice.h | 12 include/linux/task_work.h | 6 include/linux/trace_events.h | 6 include/net/bluetooth/bluetooth.h | 1 include/net/genetlink.h | 3 include/net/sock.h | 5 include/net/xfrm.h | 28 - include/trace/events/huge_memory.h | 10 include/uapi/linux/bpf.h | 20 kernel/bpf/btf.c | 1 kernel/bpf/devmap.c | 11 kernel/bpf/helpers.c | 10 kernel/bpf/ringbuf.c | 2 kernel/bpf/syscall.c | 47 + kernel/bpf/task_iter.c | 2 kernel/bpf/verifier.c | 99 +-- kernel/sched/core.c | 4 kernel/task_work.c | 43 + kernel/time/posix-clock.c | 6 kernel/trace/bpf_trace.c | 11 kernel/trace/trace.c | 1 kernel/trace/trace_eprobe.c | 15 kernel/trace/trace_fprobe.c | 65 +- kernel/trace/trace_kprobe.c | 78 ++ kernel/trace/trace_probe.c | 189 ++++++- kernel/trace/trace_probe.h | 30 + kernel/trace/trace_probe_tmpl.h | 10 kernel/trace/trace_uprobe.c | 114 ++-- lib/Kconfig.debug | 2 mm/khugepaged.c | 127 ++-- net/bluetooth/af_bluetooth.c | 22 net/bluetooth/bnep/core.c | 3 net/bluetooth/iso.c | 18 net/bluetooth/sco.c | 18 net/core/filter.c | 50 - net/core/sock_map.c | 8 net/ipv4/devinet.c | 35 - net/ipv4/inet_connection_sock.c | 21 net/ipv4/xfrm4_policy.c | 40 - net/ipv6/xfrm6_policy.c | 31 - net/l2tp/l2tp_netlink.c | 4 net/netfilter/nf_bpf_link.c | 7 net/netfilter/xt_NFLOG.c | 2 net/netfilter/xt_TRACE.c | 1 net/netfilter/xt_mark.c | 2 net/netlink/genetlink.c | 28 - net/sched/act_api.c | 23 net/sched/sch_generic.c | 17 net/sched/sch_taprio.c | 21 net/smc/smc_pnet.c | 2 net/smc/smc_wr.c | 6 net/vmw_vsock/virtio_transport_common.c | 14 net/vmw_vsock/vsock_bpf.c | 8 net/wireless/nl80211.c | 8 net/xfrm/xfrm_device.c | 11 net/xfrm/xfrm_policy.c | 50 + net/xfrm/xfrm_user.c | 10 security/selinux/selinuxfs.c | 30 - sound/firewire/amdtp-stream.c | 3 sound/pci/hda/Kconfig | 2 sound/pci/hda/patch_cs8409.c | 5 sound/pci/hda/patch_realtek.c | 48 + sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/lpass-rx-macro.c | 2 sound/soc/codecs/max98388.c | 1 sound/soc/fsl/fsl_micfil.c | 43 + sound/soc/fsl/fsl_sai.c | 5 sound/soc/fsl/fsl_sai.h | 1 sound/soc/loongson/loongson_card.c | 1 sound/soc/qcom/lpass-cpu.c | 2 sound/soc/qcom/sm8250.c | 1 sound/soc/sh/rcar/core.c | 7 tools/include/uapi/linux/bpf.h | 7 tools/testing/selftests/bpf/Makefile | 2 tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 69 +- tools/testing/selftests/bpf/progs/verifier_helper_value_access.c | 8 tools/testing/selftests/bpf/progs/verifier_raw_stack.c | 2 tools/testing/selftests/ftrace/test.d/dynevent/fprobe_syntax_errors.tc | 4 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc | 2 203 files changed, 2729 insertions(+), 1460 deletions(-) Abhishek Mohapatra (1): RDMA/bnxt_re: Fix the max CQ WQEs for older adapters Aleksa Sarai (1): openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Aleksandr Mishin (4): octeon_ep: Implement helper for iterating packets in Rx queue octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() fsl/fman: Save device references taken in mac_probe() fsl/fman: Fix refcount handling of fman-related devices Alexander Zubkov (1): RDMA/irdma: Fix misspelling of "accept*" Alexey Klimov (2): ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Andrea Parri (1): riscv, bpf: Make BPF_CMPXCHG fully ordered Andrei Matei (1): bpf: Simplify checking size of helper accesses Andrey Shumilin (1): ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Andrii Nakryiko (3): uprobes: encapsulate preparation of uprobe args buffer uprobes: prepare uprobe args buffer lazily uprobes: prevent mutex_lock() under rcu_read_lock() Anumula Murali Mohan Reddy (2): RDMA/core: Fix ENODEV error for iWARP test over vlan RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Armin Wolf (1): platform/x86: dell-wmi: Ignore suspend notifications Bart Van Assche (1): RDMA/srpt: Make slab cache names unique Bhargava Chenna Marreddy (1): RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Binbin Zhou (1): ASoC: loongson: Fix component check failed on FDT systems Chancel Liu (1): ASoC: fsl_micfil: Add a flag to distinguish with different volume control types Christian Heusel (1): ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Claudiu Beznea (3): irqchip/renesas-rzg2l: Align struct member names to tabs irqchip/renesas-rzg2l: Document structure members irqchip/renesas-rzg2l: Add support for suspend to RAM Colin Ian King (2): octeontx2-af: Fix potential integer overflows on integer shifts ASoC: max98388: Fix missing increment of variable slot_found Cosmin Ratiu (1): net/mlx5: Unregister notifier on eswitch init failure Crag Wang (1): platform/x86: dell-sysman: add support for alienware products Dan Carpenter (1): ACPI: PRM: Clean up guid type in struct prm_handler_info Daniel Borkmann (4): vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame bpf: Add MEM_WRITE attribute bpf: Fix overloading of MEM_UNINIT's meaning bpf: Remove MEM_UNINIT from skb/xdp MTU helpers Dave Kleikamp (1): jfs: Fix sanity check in dbMount David Lawrence Glanzman (1): ASoC: amd: yc: Add quirk for HP Dragonfly pro one Dhananjay Ugwekar (1): cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory systems Dimitar Kanaliev (1): bpf: Fix truncation bug in coerce_reg_to_size_sx() Dmitry Antipov (2): net: sched: fix use-after-free in taprio_change() net: sched: use RCU read-side critical section in taprio_dump() Dmitry Baryshkov (2): drm/msm/dpu: make sure phys resources are properly initialized drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds() Douglas Anderson (2): drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() drm/msm: Allocate memory for disp snapshot with kvzalloc() Eric Biggers (1): ALSA: hda/tas2781: select CRC32 instead of CRC32_SARWATE Eric Dumazet (3): netdevsim: use cond_resched() in nsim_dev_trap_report_work() genetlink: hold RCU in genlmsg_mcast() net: fix races in netdev_tx_sent_queue()/dev_watchdog() Eyal Birger (2): xfrm: extract dst lookup parameters into a struct xfrm: respect ip protocols rules criteria when performing dst lookups Fabrizio Castro (1): irqchip/renesas-rzg2l: Fix missing put_device Florian Kauer (1): bpf: devmap: provide rxq after redirect Florian Klink (1): ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Florian Westphal (1): netfilter: bpf: must hold reference on net namespace Frank Li (1): XHCI: Separate PORT and CAPs macros into dedicated file Gal Pressman (1): ravb: Remove setting of RX software timestamp Gianfranco Trad (1): udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman (1): Linux 6.6.59 Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Hans de Goede (1): drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Heiko Carstens (1): s390: Initialize psw mask in perf_arch_fetch_caller_regs() Heiner Kallweit (1): r8169: avoid unsolicited interrupts Henrique Carvalho (1): smb: client: Handle kstrdup failures for passwords Huacai Chen (3): LoongArch: Get correct cores_per_package for SMT systems LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context LoongArch: Make KASAN usable for variable cpu_vabits Ian Forbes (1): drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check Ilkka Koskinen (1): KVM: arm64: Fix shift-out-of-bounds bug Jakub Boehm (1): net: plip: fix break; causing plip to never transmit Javier Carrasco (3): iio: frequency: {admv4420,adrf6780}: format Kconfig entries iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jessica Zhang (1): drm/msm/dpu: don't always program merge_3d block Jinjie Ruan (1): posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jiri Olsa (6): bpf: Fix memory leak in bpf_core_apply bpf: Add missed value to kprobe perf link info bpf: Add cookie to perf_event bpf_link_info records selftests/bpf: Use bpf_link__destroy in fill_link_info tests selftests/bpf: Add cookies check for perf_event fill_link_info test bpf,perf: Fix perf_event_detach_bpf_prog error handling Jiri Slaby (SUSE) (2): xhci: dbgtty: remove kfifo_out() wrapper xhci: dbgtty: use kfifo from tty_port struct John Keeping (1): usb: gadget: f_uac2: fix non-newline-terminated function name Jonathan Marek (2): drm/msm/dsi: improve/fix dsc pclk calculation drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jordan Rome (1): bpf: Fix iter/task tid filtering Josh Poimboeuf (1): cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed() José Relvas (1): ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Justin Chen (1): firmware: arm_scmi: Queue in scmi layer for mailbox implementation Kai Shen (1): net/smc: Fix memory leak when using percpu refs Kailang Yang (1): ALSA: hda/realtek: Update default depop procedure Kalesh AP (7): RDMA/bnxt_re: Fix a possible memory leak RDMA/bnxt_re: Add a check for memory allocation RDMA/bnxt_re: Fix out of bound check RDMA/bnxt_re: Return more meaningful error RDMA/bnxt_re: Fix the GID table length RDMA/bnxt_re: Avoid creating fence MR for newer adapters RDMA/bnxt_re: Fix unconditional fence for newer adapters Kevin Groeneveld (1): usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store Koba Ko (1): ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Kuniyuki Iwashima (1): tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Lad Prabhakar (1): ASoC: rsnd: Fix probe failure on HiHope boards due to endpoint parsing Lee Jones (1): usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf() variant Leo Yan (1): tracing: Consider the NULL character when validating the event length Li RongQing (1): net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Lin Ma (1): net: wwan: fix global oob in wwan_rtnl_policy Linus Torvalds (1): task_work: make TWA_NMI_CURRENT handling conditional on IRQ_WORK Luiz Augusto von Dentz (2): Bluetooth: SCO: Fix UAF on sco_sock_timeout Bluetooth: ISO: Fix UAF on iso_sock_timeout Maher Sanalla (1): net/mlx5: Check for invalid vector index on EQ creation Marc Zyngier (1): KVM: arm64: Don't eagerly teardown the vgic on init error Mario Limonciello (2): drm/amd: Guard against bad data for ATIF ACPI method drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Mark Rutland (1): arm64: Force position-independent veneers Martin Kletzander (1): x86/resctrl: Avoid overflow in MB settings in bw_validate() Masami Hiramatsu (Google) (4): tracing/fprobe-event: cleanup: Fix a wrong comment in fprobe event tracing/probes: cleanup: Set trace_probe::nr_args at trace_probe_init tracing/probes: Support $argN in return probe (kprobe and fprobe) tracing: probes: Fix to zero initialize a local variable Mateusz Guzik (1): exec: don't WARN for racy path_noexec check Mathias Nyman (1): xhci: dbc: honor usb transfer size boundaries. Matthew Wilcox (Oracle) (5): mm: convert collapse_huge_page() to use a folio mm/khugepaged: use a folio more in collapse_file() khugepaged: inline hpage_collapse_alloc_folio() khugepaged: convert alloc_charge_hpage to alloc_charge_folio khugepaged: remove hpage from collapse_file() Maurizio Lombardi (1): nvme-pci: fix race condition between reset and nvme_dev_disable() Michal Luczaj (4): bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock vsock: Update rx_bytes on read_skb() vsock: Update msg_count on read_skb() bpf, vsock: Drop static vsock_bpf_prot initialization Michel Alex (1): net: phy: dp83822: Fix reset pin definitions Mikel Rychliski (1): tracing/probes: Fix MAX_TRACE_ARGS limit handling Mikhail Lobanov (1): iio: accel: bma400: Fix uninitialized variable field_value in tap event handling. Miquel Raynal (2): ASoC: dt-bindings: davinci-mcasp: Fix interrupts property ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties Murad Masimov (1): ALSA: hda/cs8409: Fix possible NULL dereference Naohiro Aota (1): btrfs: zoned: fix zone unusable accounting for freed reserved extent Niklas Cassel (1): ata: libata: Set DID_TIME_OUT for commands that actually timed out Niklas Schnelle (1): s390/pci: Handle PCI error codes other than 0x3a Niklas Söderlund (1): net: ravb: Only advertise Rx/Tx timestamps if hardware supports it Oliver Neukum (2): net: usb: usbnet: fix race in probe failure net: usb: usbnet: fix name regression Pablo Neira Ayuso (1): netfilter: xtables: fix typo causing some targets not to load on IPv6 Pali Rohár (1): cifs: Validate content of NFS reparse point buffer Paritosh Dixit (1): net: stmmac: dwmac-tegra: Fix link bring-up sequence Paul Moore (1): selinux: improve error checking in sel_write_load() Paulo Alcantara (1): smb: client: fix OOBs when building SMB2_IOCTL request Pawan Gupta (1): x86/lam: Disable ADDRESS_MASKING in most cases Peter Rashleigh (2): net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361 net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Petr Vaganov (1): xfrm: fix one more kernel-infoleak in algo dumping Pranjal Ramajor Asha Kanojiya (1): accel/qaic: Fix the for loop used to walk SG table Praveen Kumar Kannoju (1): net/sched: adjust device watchdog timer to detect stopped queue at right time Qiao Ma (1): uprobe: avoid out-of-bounds memory access of fetching args Roger Quadros (1): usb: dwc3: core: Fix system suspend on TI AM62 platforms Ryusuke Konishi (1): nilfs2: fix kernel bug due to missing clearing of buffer delay flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Christopherson (1): KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Sebastian Andrzej Siewior (1): task_work: Add TWA_NMI_CURRENT as an additional notify mode. Selvin Xavier (3): RDMA/bnxt_re: Support new 5760X P7 devices RDMA/bnxt_re: Update the BAR offsets RDMA/bnxt_re: Fix the offset for GenP7 adapters for user applications Shay Drory (1): net/mlx5: Fix command bitmask initialization Shenghao Yang (3): net: dsa: mv88e6xxx: group cycle counter coefficients net: dsa: mv88e6xxx: read cycle counter period from hardware net: dsa: mv88e6xxx: support 4000ps cycle counter period Shengjiu Wang (1): ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Srinivasan Shanmugam (1): drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring Su Hui (2): firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup() smb: client: fix possible double free in smb2_set_ea() Thadeu Lima de Souza Cascardo (1): usb: typec: altmode should keep reference to parent Thomas Weißschuh (1): LoongArch: Don't crash in stack_top() for tasks without vDSO Timo Grautstueck (1): lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW Toke Høiland-Jørgensen (2): bpf: Make sure internal and UAPI bpf_redirect flags don't overlap bpf: fix kfunc btf caching for modules Tony Ambardar (1): selftests/bpf: Fix cross-compiling urandom_read Tyrone Wu (3): bpf: fix unpopulated name_len field in perf_event link info selftests/bpf: fix perf_event link info name_len assertion bpf: Fix link info netfilter flags to populate defrag flag Vincent Guittot (1): cpufreq/cppc: Move and rename cppc_cpufreq_{perf_to_khz|khz_to_perf}() Vishal Moola (Oracle) (1): mm/khugepaged: convert alloc_charge_hpage() to use folios Vladimir Oltean (1): net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers Waiman Long (1): sched/core: Disable page allocation in task_tick_mm_cid() Wang Hai (7): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() net: systemport: fix potential memory leak in bcm_sysport_xmit() net: bcmasp: fix potential memory leak in bcmasp_xmit() scsi: target: core: Fix null-ptr-deref in target_alloc_device() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() William Butler (1): nvme-pci: set doorbell config before unquiescing Xin Long (1): ipv4: give an IPv4 dev to blackhole_netdev Yang Erkun (1): nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Yang Shi (1): mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point Ye Bin (1): Bluetooth: bnep: fix wild-memory-access in proto_unregister Yuan Can (1): powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() Yue Haibing (1): btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item() Zhao Mengmeng (3): udf: refactor udf_current_aext() to handle error udf: refactor udf_next_aext() to handle error udf: refactor inode_bmap() to handle error Zichen Xie (1): ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() liwei (1): cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception

10 months, 3 weeks

1
1
0 0

Linux 6.1.115

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.115 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/sound/davinci-mcasp-audio.yaml | 18 Documentation/networking/driver.rst | 97 ++- Makefile | 2 arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 arch/arm64/Makefile | 2 arch/arm64/include/asm/uprobes.h | 12 arch/arm64/kernel/probes/uprobes.c | 4 arch/arm64/kvm/arm.c | 3 arch/arm64/kvm/vgic/vgic-init.c | 6 arch/loongarch/Kconfig | 1 arch/loongarch/include/asm/bootinfo.h | 4 arch/loongarch/include/asm/page.h | 1 arch/loongarch/include/asm/vdso/gettimeofday.h | 9 arch/loongarch/include/asm/vdso/vdso.h | 32 + arch/loongarch/kernel/process.c | 16 arch/loongarch/kernel/setup.c | 3 arch/loongarch/kernel/vdso.c | 98 +++ arch/loongarch/vdso/vgetcpu.c | 2 arch/riscv/net/bpf_jit_comp64.c | 4 arch/s390/include/asm/perf_event.h | 1 arch/s390/pci/pci_event.c | 17 arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 arch/x86/kvm/svm/nested.c | 6 block/bfq-iosched.c | 37 - drivers/acpi/button.c | 11 drivers/acpi/cppc_acpi.c | 116 ++++ drivers/acpi/prmt.c | 29 - drivers/acpi/resource.c | 7 drivers/cpufreq/cppc_cpufreq.c | 139 ----- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 drivers/gpu/drm/amd/display/modules/power/power_helpers.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 1 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 3 drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 drivers/gpu/drm/msm/dsi/dsi_host.c | 2 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 drivers/iio/accel/bma400_core.c | 3 drivers/iio/frequency/Kconfig | 33 - drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 drivers/infiniband/hw/cxgb4/cm.c | 9 drivers/infiniband/hw/irdma/cm.c | 2 drivers/infiniband/ulp/srpt/ib_srpt.c | 80 ++- drivers/irqchip/irq-renesas-rzg2l.c | 94 +++ drivers/net/dsa/mv88e6xxx/port.c | 1 drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/emulex/benet/be_main.c | 10 drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 82 ++- drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 138 ++--- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 drivers/net/ethernet/mellanox/mlx5/core/main.c | 15 drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h | 2 drivers/net/ethernet/realtek/r8169_main.c | 4 drivers/net/ethernet/renesas/ravb_main.c | 25 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 drivers/net/hyperv/netvsc_drv.c | 30 + drivers/net/macsec.c | 18 drivers/net/netdevsim/dev.c | 15 drivers/net/phy/dp83822.c | 4 drivers/net/plip/plip.c | 2 drivers/net/usb/usbnet.c | 4 drivers/net/wwan/wwan_core.c | 2 drivers/platform/x86/dell/dell-wmi-base.c | 9 drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 drivers/powercap/dtpm_devfreq.c | 2 drivers/pps/clients/pps-ldisc.c | 6 drivers/target/target_core_device.c | 2 drivers/target/target_core_user.c | 2 drivers/tty/serial/imx.c | 17 drivers/tty/serial/max3100.c | 2 drivers/tty/serial/max310x.c | 3 drivers/tty/serial/serial_core.c | 32 - drivers/tty/serial/sunhv.c | 8 drivers/usb/dwc3/core.c | 19 drivers/usb/dwc3/core.h | 3 drivers/usb/gadget/composite.c | 40 + drivers/usb/gadget/function/f_uac2.c | 13 drivers/usb/host/xhci-caps.h | 85 +++ drivers/usb/host/xhci-dbgcap.h | 2 drivers/usb/host/xhci-dbgtty.c | 73 ++ drivers/usb/host/xhci-port.h | 176 ++++++ drivers/usb/host/xhci.h | 262 ---------- drivers/usb/typec/class.c | 3 fs/btrfs/block-group.c | 2 fs/btrfs/dir-item.c | 4 fs/btrfs/inode.c | 7 fs/exec.c | 21 fs/jfs/jfs_dmap.c | 2 fs/nilfs2/page.c | 6 fs/ntfs3/record.c | 67 ++ fs/open.c | 2 fs/smb/client/smb2pdu.c | 9 fs/udf/inode.c | 49 + fs/udf/truncate.c | 10 fs/udf/udfdecl.h | 5 include/acpi/cppc_acpi.h | 2 include/linux/netdevice.h | 13 include/linux/serial_core.h | 6 include/linux/tty_ldisc.h | 4 include/linux/usb/composite.h | 6 include/linux/usb/gadget.h | 1 include/net/bluetooth/bluetooth.h | 1 include/net/genetlink.h | 3 include/net/netdev_queues.h | 144 +++++ include/net/xfrm.h | 28 - include/uapi/linux/bpf.h | 13 kernel/bpf/btf.c | 1 kernel/bpf/devmap.c | 11 kernel/bpf/ringbuf.c | 12 kernel/bpf/task_iter.c | 2 kernel/bpf/verifier.c | 8 kernel/time/posix-clock.c | 6 kernel/trace/bpf_trace.c | 2 kernel/trace/trace_probe.c | 2 net/bluetooth/af_bluetooth.c | 22 net/bluetooth/bnep/core.c | 3 net/bluetooth/iso.c | 18 net/bluetooth/sco.c | 18 net/core/filter.c | 8 net/ipv4/devinet.c | 35 - net/ipv4/inet_connection_sock.c | 21 net/ipv4/xfrm4_policy.c | 40 - net/ipv6/xfrm6_policy.c | 31 - net/l2tp/l2tp_netlink.c | 4 net/netfilter/xt_NFLOG.c | 2 net/netfilter/xt_TRACE.c | 1 net/netfilter/xt_mark.c | 2 net/netlink/genetlink.c | 28 - net/sched/act_api.c | 23 net/sched/sch_generic.c | 17 net/sched/sch_taprio.c | 3 net/smc/smc_pnet.c | 2 net/wireless/nl80211.c | 8 net/xfrm/xfrm_device.c | 11 net/xfrm/xfrm_policy.c | 50 + net/xfrm/xfrm_user.c | 10 security/selinux/selinuxfs.c | 27 - sound/firewire/amdtp-stream.c | 3 sound/pci/hda/patch_cs8409.c | 5 sound/pci/hda/patch_realtek.c | 48 + sound/soc/codecs/lpass-rx-macro.c | 2 sound/soc/fsl/fsl_sai.c | 5 sound/soc/fsl/fsl_sai.h | 1 sound/soc/qcom/lpass-cpu.c | 2 sound/soc/qcom/sm8250.c | 1 tools/testing/selftests/bpf/Makefile | 2 154 files changed, 1985 insertions(+), 1067 deletions(-) Aleksa Sarai (1): openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Aleksandr Mishin (2): octeon_ep: Implement helper for iterating packets in Rx queue octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() Alexander Zubkov (1): RDMA/irdma: Fix misspelling of "accept*" Alexey Klimov (2): ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Andrea Parri (1): riscv, bpf: Make BPF_CMPXCHG fully ordered Andrey Shumilin (1): ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Anumula Murali Mohan Reddy (1): RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Armin Wolf (1): platform/x86: dell-wmi: Ignore suspend notifications Bart Van Assche (1): RDMA/srpt: Make slab cache names unique Bhargava Chenna Marreddy (1): RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Christian Heusel (1): ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Claudiu Beznea (3): irqchip/renesas-rzg2l: Align struct member names to tabs irqchip/renesas-rzg2l: Document structure members irqchip/renesas-rzg2l: Add support for suspend to RAM Colin Ian King (1): octeontx2-af: Fix potential integer overflows on integer shifts Cosmin Ratiu (1): net/mlx5: Unregister notifier on eswitch init failure Crag Wang (1): platform/x86: dell-sysman: add support for alienware products Dan Carpenter (1): ACPI: PRM: Clean up guid type in struct prm_handler_info Dave Kleikamp (1): jfs: Fix sanity check in dbMount Dmitry Antipov (1): net: sched: fix use-after-free in taprio_change() Dmitry Baryshkov (1): drm/msm/dpu: make sure phys resources are properly initialized Douglas Anderson (2): drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() drm/msm: Allocate memory for disp snapshot with kvzalloc() Elson Roy Serrao (1): usb: gadget: Add function wakeup support Eric Dumazet (3): netdevsim: use cond_resched() in nsim_dev_trap_report_work() genetlink: hold RCU in genlmsg_mcast() net: fix races in netdev_tx_sent_queue()/dev_watchdog() Eyal Birger (2): xfrm: extract dst lookup parameters into a struct xfrm: respect ip protocols rules criteria when performing dst lookups Fabrizio Castro (1): irqchip/renesas-rzg2l: Fix missing put_device Florian Kauer (1): bpf: devmap: provide rxq after redirect Florian Klink (1): ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Frank Li (1): XHCI: Separate PORT and CAPs macros into dedicated file Gal Pressman (1): ravb: Remove setting of RX software timestamp Gianfranco Trad (1): udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman (1): Linux 6.1.115 Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Hans de Goede (1): drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Heiko Carstens (1): s390: Initialize psw mask in perf_arch_fetch_caller_regs() Heiner Kallweit (1): r8169: avoid unsolicited interrupts Huacai Chen (1): LoongArch: Get correct cores_per_package for SMT systems Ian Forbes (1): drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check Ilpo Järvinen (2): tty/serial: Make ->dcd_change()+uart_handle_dcd_change() status bool active serial: Make uart_handle_cts_change() status param bool active Jakub Boehm (1): net: plip: fix break; causing plip to never transmit Jakub Kicinski (2): docs: net: reformat driver.rst from a list to sections net: provide macros for commonly copied lockless queue stop/wake code Javier Carrasco (2): iio: frequency: {admv4420,adrf6780}: format Kconfig entries iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig Jessica Zhang (1): drm/msm/dpu: don't always program merge_3d block Jinjie Ruan (1): posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jiri Olsa (2): bpf: Fix memory leak in bpf_core_apply bpf,perf: Fix perf_event_detach_bpf_prog error handling Jiri Slaby (SUSE) (3): xhci: dbgtty: remove kfifo_out() wrapper xhci: dbgtty: use kfifo from tty_port struct serial: protect uart_port_dtr_rts() in uart_shutdown() too John Keeping (1): usb: gadget: f_uac2: fix non-newline-terminated function name Jonathan Marek (1): drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jordan Rome (1): bpf: Fix iter/task tid filtering José Relvas (1): ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Kailang Yang (1): ALSA: hda/realtek: Update default depop procedure Kalesh AP (2): RDMA/bnxt_re: Add a check for memory allocation RDMA/bnxt_re: Return more meaningful error Kevin Groeneveld (1): usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store Koba Ko (1): ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Konstantin Komarov (1): fs/ntfs3: Add more attributes checks in mi_enum_attr() Kuniyuki Iwashima (1): tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Lee Jones (1): usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf() variant Leo Yan (1): tracing: Consider the NULL character when validating the event length Li RongQing (1): net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Lin Ma (1): net: wwan: fix global oob in wwan_rtnl_policy Luiz Augusto von Dentz (2): Bluetooth: SCO: Fix UAF on sco_sock_timeout Bluetooth: ISO: Fix UAF on iso_sock_timeout Marc Zyngier (1): KVM: arm64: Don't eagerly teardown the vgic on init error Marek Vasut (1): serial: imx: Update mctrl old_status on RTSD interrupt Marijn Suijten (1): drm/msm/dpu: Wire up DSC mask for active CTL configuration Mario Limonciello (2): drm/amd: Guard against bad data for ATIF ACPI method drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Mark Rutland (2): arm64: probes: Fix uprobes for big-endian kernels arm64: Force position-independent veneers Martin Kletzander (1): x86/resctrl: Avoid overflow in MB settings in bw_validate() Mateusz Guzik (1): exec: don't WARN for racy path_noexec check Mathias Nyman (1): xhci: dbc: honor usb transfer size boundaries. Michel Alex (1): net: phy: dp83822: Fix reset pin definitions Mikhail Lobanov (1): iio: accel: bma400: Fix uninitialized variable field_value in tap event handling. Miquel Raynal (2): ASoC: dt-bindings: davinci-mcasp: Fix interrupts property ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties Murad Masimov (1): ALSA: hda/cs8409: Fix possible NULL dereference Naohiro Aota (1): btrfs: zoned: fix zone unusable accounting for freed reserved extent Niklas Schnelle (1): s390/pci: Handle PCI error codes other than 0x3a Niklas Söderlund (1): net: ravb: Only advertise Rx/Tx timestamps if hardware supports it Oliver Neukum (2): net: usb: usbnet: fix race in probe failure net: usb: usbnet: fix name regression Pablo Neira Ayuso (1): netfilter: xtables: fix typo causing some targets not to load on IPv6 Paul Moore (1): selinux: improve error checking in sel_write_load() Paulo Alcantara (1): smb: client: fix OOBs when building SMB2_IOCTL request Peter Rashleigh (1): net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Petr Vaganov (1): xfrm: fix one more kernel-infoleak in algo dumping Praveen Kumar Kannoju (1): net/sched: adjust device watchdog timer to detect stopped queue at right time Roger Quadros (1): usb: dwc3: core: Fix system suspend on TI AM62 platforms Ryusuke Konishi (1): nilfs2: fix kernel bug due to missing clearing of buffer delay flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Christopherson (1): KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Shay Drory (3): net/mlx5: Remove redundant cmdif revision check net/mlx5: split mlx5_cmd_init() to probe and reload routines net/mlx5: Fix command bitmask initialization Shengjiu Wang (1): ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Srinivasan Shanmugam (1): drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring Thadeu Lima de Souza Cascardo (1): usb: typec: altmode should keep reference to parent Thomas Weißschuh (1): LoongArch: Don't crash in stack_top() for tasks without vDSO Tiezhu Yang (1): LoongArch: Add support to clone a time namespace Toke Høiland-Jørgensen (2): bpf: Make sure internal and UAPI bpf_redirect flags don't overlap bpf: fix kfunc btf caching for modules Tony Ambardar (1): selftests/bpf: Fix cross-compiling urandom_read Vincent Guittot (1): cpufreq/cppc: Move and rename cppc_cpufreq_{perf_to_khz|khz_to_perf}() Vladimir Oltean (1): net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers Wander Lairson Costa (1): bpf: Use raw_spinlock_t in ringbuf Wang Hai (6): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() net: systemport: fix potential memory leak in bcm_sysport_xmit() scsi: target: core: Fix null-ptr-deref in target_alloc_device() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() Xin Long (1): ipv4: give an IPv4 dev to blackhole_netdev Ye Bin (1): Bluetooth: bnep: fix wild-memory-access in proto_unregister Yu Kuai (1): block, bfq: fix procress reference leakage for bfqq in merge chain Yuan Can (1): powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() Yue Haibing (1): btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item() Zhao Mengmeng (1): udf: refactor udf_current_aext() to handle error Zichen Xie (1): ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() junhua huang (2): arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning liwei (1): cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception

10 months, 3 weeks

1
1
0 0

Linux 5.15.170

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.170 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 arch/arm64/Makefile | 2 arch/arm64/include/asm/uprobes.h | 12 arch/arm64/kernel/probes/uprobes.c | 4 arch/s390/include/asm/perf_event.h | 1 arch/s390/kvm/gaccess.c | 162 +++++++----- arch/s390/kvm/gaccess.h | 14 - arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 + arch/x86/kvm/svm/nested.c | 6 block/bfq-iosched.c | 37 +- drivers/acpi/button.c | 11 drivers/acpi/resource.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 - drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 - drivers/gpu/drm/msm/dsi/dsi_host.c | 2 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 - drivers/infiniband/hw/cxgb4/cm.c | 9 drivers/infiniband/hw/irdma/cm.c | 2 drivers/net/dsa/mv88e6xxx/port.c | 1 drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/emulex/benet/be_main.c | 10 drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 drivers/net/ethernet/realtek/r8169_main.c | 4 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 drivers/net/hyperv/netvsc_drv.c | 30 ++ drivers/net/macsec.c | 18 - drivers/net/phy/dp83822.c | 4 drivers/net/plip/plip.c | 2 drivers/net/usb/usbnet.c | 4 drivers/net/wwan/wwan_core.c | 2 drivers/platform/x86/dell/dell-wmi-base.c | 9 drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 drivers/target/target_core_device.c | 2 drivers/target/target_core_user.c | 2 drivers/tty/serial/serial_core.c | 16 - drivers/usb/dwc3/core.c | 19 + drivers/usb/dwc3/core.h | 3 drivers/usb/gadget/composite.c | 40 +++ drivers/usb/host/xhci-caps.h | 85 ++++++ drivers/usb/host/xhci-port.h | 176 +++++++++++++ drivers/usb/host/xhci.h | 262 -------------------- drivers/usb/typec/class.c | 3 fs/btrfs/block-group.c | 2 fs/cifs/smb2pdu.c | 9 fs/exec.c | 21 - fs/jfs/jfs_dmap.c | 2 fs/nilfs2/page.c | 6 fs/open.c | 2 fs/udf/inode.c | 9 include/linux/usb/composite.h | 6 include/linux/usb/gadget.h | 1 include/net/genetlink.h | 3 include/net/xfrm.h | 28 +- include/uapi/linux/bpf.h | 13 kernel/bpf/devmap.c | 11 kernel/time/posix-clock.c | 6 kernel/trace/bpf_trace.c | 2 kernel/trace/trace_probe.c | 2 net/bluetooth/bnep/core.c | 3 net/core/filter.c | 8 net/ipv4/devinet.c | 35 +- net/ipv4/inet_connection_sock.c | 21 + net/ipv4/xfrm4_policy.c | 40 +-- net/ipv6/xfrm6_policy.c | 31 +- net/l2tp/l2tp_netlink.c | 4 net/netfilter/xt_NFLOG.c | 2 net/netfilter/xt_TRACE.c | 1 net/netfilter/xt_mark.c | 2 net/netlink/genetlink.c | 28 +- net/sched/sch_taprio.c | 3 net/smc/smc_pnet.c | 2 net/wireless/nl80211.c | 8 net/xfrm/xfrm_device.c | 11 net/xfrm/xfrm_policy.c | 50 ++- net/xfrm/xfrm_user.c | 10 security/selinux/selinuxfs.c | 27 +- sound/firewire/amdtp-stream.c | 3 sound/pci/hda/patch_cs8409.c | 5 sound/pci/hda/patch_realtek.c | 48 ++- sound/soc/codecs/lpass-rx-macro.c | 2 sound/soc/fsl/fsl_sai.c | 5 sound/soc/fsl/fsl_sai.h | 1 sound/soc/qcom/lpass-cpu.c | 2 sound/soc/qcom/sm8250.c | 1 91 files changed, 905 insertions(+), 644 deletions(-) Aleksa Sarai (1): openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Alexander Zubkov (1): RDMA/irdma: Fix misspelling of "accept*" Alexey Klimov (2): ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Andrey Shumilin (1): ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Anumula Murali Mohan Reddy (1): RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Armin Wolf (1): platform/x86: dell-wmi: Ignore suspend notifications Bhargava Chenna Marreddy (1): RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Christian Heusel (1): ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Colin Ian King (1): octeontx2-af: Fix potential integer overflows on integer shifts Crag Wang (1): platform/x86: dell-sysman: add support for alienware products Dave Kleikamp (1): jfs: Fix sanity check in dbMount Dmitry Antipov (1): net: sched: fix use-after-free in taprio_change() Douglas Anderson (2): drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() drm/msm: Allocate memory for disp snapshot with kvzalloc() Elson Roy Serrao (1): usb: gadget: Add function wakeup support Eric Dumazet (1): genetlink: hold RCU in genlmsg_mcast() Eyal Birger (2): xfrm: extract dst lookup parameters into a struct xfrm: respect ip protocols rules criteria when performing dst lookups Florian Kauer (1): bpf: devmap: provide rxq after redirect Florian Klink (1): ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Frank Li (1): XHCI: Separate PORT and CAPs macros into dedicated file Gianfranco Trad (1): udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman (1): Linux 5.15.170 Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Hans de Goede (1): drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Heiko Carstens (1): s390: Initialize psw mask in perf_arch_fetch_caller_regs() Heiner Kallweit (1): r8169: avoid unsolicited interrupts Jakub Boehm (1): net: plip: fix break; causing plip to never transmit Janis Schoetterl-Glausch (3): KVM: s390: gaccess: Refactor gpa and length calculation KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Cleanup access to guest pages Jinjie Ruan (1): posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jiri Olsa (1): bpf,perf: Fix perf_event_detach_bpf_prog error handling Jiri Slaby (SUSE) (1): serial: protect uart_port_dtr_rts() in uart_shutdown() too Jonathan Marek (1): drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation José Relvas (1): ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Kailang Yang (1): ALSA: hda/realtek: Update default depop procedure Kalesh AP (2): RDMA/bnxt_re: Add a check for memory allocation RDMA/bnxt_re: Return more meaningful error Kuniyuki Iwashima (1): tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Leo Yan (1): tracing: Consider the NULL character when validating the event length Li RongQing (1): net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Lin Ma (1): net: wwan: fix global oob in wwan_rtnl_policy Mario Limonciello (1): drm/amd: Guard against bad data for ATIF ACPI method Mark Rutland (2): arm64: probes: Fix uprobes for big-endian kernels arm64: Force position-independent veneers Martin Kletzander (1): x86/resctrl: Avoid overflow in MB settings in bw_validate() Mateusz Guzik (1): exec: don't WARN for racy path_noexec check Michel Alex (1): net: phy: dp83822: Fix reset pin definitions Murad Masimov (1): ALSA: hda/cs8409: Fix possible NULL dereference Naohiro Aota (1): btrfs: zoned: fix zone unusable accounting for freed reserved extent Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Oliver Neukum (2): net: usb: usbnet: fix race in probe failure net: usb: usbnet: fix name regression Pablo Neira Ayuso (1): netfilter: xtables: fix typo causing some targets not to load on IPv6 Paul Moore (1): selinux: improve error checking in sel_write_load() Paulo Alcantara (1): smb: client: fix OOBs when building SMB2_IOCTL request Peter Rashleigh (1): net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Petr Vaganov (1): xfrm: fix one more kernel-infoleak in algo dumping Roger Quadros (1): usb: dwc3: core: Fix system suspend on TI AM62 platforms Ryusuke Konishi (1): nilfs2: fix kernel bug due to missing clearing of buffer delay flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Christopherson (1): KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Shengjiu Wang (1): ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Thadeu Lima de Souza Cascardo (1): usb: typec: altmode should keep reference to parent Toke Høiland-Jørgensen (1): bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Wang Hai (6): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() net: systemport: fix potential memory leak in bcm_sysport_xmit() scsi: target: core: Fix null-ptr-deref in target_alloc_device() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() Xin Long (1): ipv4: give an IPv4 dev to blackhole_netdev Ye Bin (1): Bluetooth: bnep: fix wild-memory-access in proto_unregister Yu Kuai (1): block, bfq: fix procress reference leakage for bfqq in merge chain Zichen Xie (1): ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() junhua huang (2): arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning

10 months, 3 weeks

1
1
0 0

+ mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: avoid overflow in damon_feed_loop_next_input() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: avoid overflow in damon_feed_loop_next_input() Date: Thu, 31 Oct 2024 09:12:03 -0700 damon_feed_loop_next_input() is inefficient and fragile to overflows. Specifically, 'score_goal_diff_bp' calculation can overflow when 'score' is high. The calculation is actually unnecessary at all because 'goal' is a constant of value 10,000. Calculation of 'compensation' is again fragile to overflow. Final calculation of return value for under-achiving case is again fragile to overflow when the current score is under-achieving the target. Add two corner cases handling at the beginning of the function to make the body easier to read, and rewrite the body of the function to avoid overflows and the unnecessary bp value calcuation. Link: https://lkml.kernel.org/r/20241031161203.47751-1-sj@kernel.org Fixes: 9294a037c015 ("mm/damon/core: implement goal-oriented feedback-driven quota auto-tuning") Signed-off-by: SeongJae Park <sj(a)kernel.org> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Closes: https://lore.kernel.org/944f3d5b-9177-48e7-8ec9-7f1331a3fea3@roeck-us.net Tested-by: Guenter Roeck <linux(a)roeck-us.net> Cc: <stable(a)vger.kernel.org> [6.8.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) --- a/mm/damon/core.c~mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input +++ a/mm/damon/core.c @@ -1456,17 +1456,31 @@ static unsigned long damon_feed_loop_nex unsigned long score) { const unsigned long goal = 10000; - unsigned long score_goal_diff = max(goal, score) - min(goal, score); - unsigned long score_goal_diff_bp = score_goal_diff * 10000 / goal; - unsigned long compensation = last_input * score_goal_diff_bp / 10000; /* Set minimum input as 10000 to avoid compensation be zero */ const unsigned long min_input = 10000; + unsigned long score_goal_diff, compensation; + bool over_achieving = score > goal; - if (goal > score) + if (score == goal) + return last_input; + if (score >= goal * 2) + return min_input; + + if (over_achieving) + score_goal_diff = score - goal; + else + score_goal_diff = goal - score; + + if (last_input < ULONG_MAX / score_goal_diff) + compensation = last_input * score_goal_diff / goal; + else + compensation = last_input / goal * score_goal_diff; + + if (over_achieving) + return max(last_input - compensation, min_input); + if (last_input < ULONG_MAX - compensation) return last_input + compensation; - if (last_input > compensation + min_input) - return last_input - compensation; - return min_input; + return ULONG_MAX; } #ifdef CONFIG_PSI _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-handle-zero-aggregationops_update-intervals.patch mm-damon-core-handle-zero-schemes-apply-interval.patch mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input.patch selftests-damon-huge_count_read_write-remove-unnecessary-debugging-message.patch selftests-damon-_debugfs_common-hide-expected-error-message-from-test_write_result.patch selftests-damon-debugfs_duplicate_context_creation-hide-errors-from-expected-file-write-failures.patch mm-damon-kconfig-update-dbgfs_kunit-prompt-copy-for-sysfs_kunit.patch mm-damon-tests-dbgfs-kunit-fix-the-header-double-inclusion-guarding-ifdef-comment.patch

10 months, 3 weeks

1
0
0 0

+ mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() Date: Sat, 19 Oct 2024 01:29:39 +0000 When the MM_WALK capability is enabled, memory that is mostly accessed by a VM appears younger than it really is, therefore this memory will be less likely to be evicted. Therefore, the presence of a running VM can significantly increase swap-outs for non-VM memory, regressing the performance for the rest of the system. Fix this regression by always calling {ptep,pmdp}_clear_young_notify() whenever we clear the young bits on PMDs/PTEs. Link: https://lkml.kernel.org/r/20241019012940.3656292-3-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Signed-off-by: James Houghton <jthoughton(a)google.com> Reported-by: David Stevens <stevensd(a)google.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: David Matlack <dmatlack(a)google.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Cc: kernel test robot <lkp(a)intel.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 5 +- mm/rmap.c | 9 +-- mm/vmscan.c | 91 +++++++++++++++++++++------------------ 3 files changed, 55 insertions(+), 50 deletions(-) --- a/include/linux/mmzone.h~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/include/linux/mmzone.h @@ -555,7 +555,7 @@ struct lru_gen_memcg { void lru_gen_init_pgdat(struct pglist_data *pgdat); void lru_gen_init_lruvec(struct lruvec *lruvec); -void lru_gen_look_around(struct page_vma_mapped_walk *pvmw); +bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw); void lru_gen_init_memcg(struct mem_cgroup *memcg); void lru_gen_exit_memcg(struct mem_cgroup *memcg); @@ -574,8 +574,9 @@ static inline void lru_gen_init_lruvec(s { } -static inline void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) +static inline bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw) { + return false; } static inline void lru_gen_init_memcg(struct mem_cgroup *memcg) --- a/mm/rmap.c~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/mm/rmap.c @@ -885,13 +885,10 @@ static bool folio_referenced_one(struct return false; } - if (pvmw.pte) { - if (lru_gen_enabled() && - pte_young(ptep_get(pvmw.pte))) { - lru_gen_look_around(&pvmw); + if (lru_gen_enabled() && pvmw.pte) { + if (lru_gen_look_around(&pvmw)) referenced++; - } - + } else if (pvmw.pte) { if (ptep_clear_flush_young_notify(vma, address, pvmw.pte)) referenced++; --- a/mm/vmscan.c~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/mm/vmscan.c @@ -56,6 +56,7 @@ #include <linux/khugepaged.h> #include <linux/rculist_nulls.h> #include <linux/random.h> +#include <linux/mmu_notifier.h> #include <asm/tlbflush.h> #include <asm/div64.h> @@ -3294,7 +3295,8 @@ static bool get_next_vma(unsigned long m return false; } -static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr, + struct pglist_data *pgdat) { unsigned long pfn = pte_pfn(pte); @@ -3306,13 +3308,20 @@ static unsigned long get_pte_pfn(pte_t p if (WARN_ON_ONCE(pte_devmap(pte) || pte_special(pte))) return -1; + if (!pte_young(pte) && !mm_has_notifiers(vma->vm_mm)) + return -1; + if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; + if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) + return -1; + return pfn; } -static unsigned long get_pmd_pfn(pmd_t pmd, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pmd_pfn(pmd_t pmd, struct vm_area_struct *vma, unsigned long addr, + struct pglist_data *pgdat) { unsigned long pfn = pmd_pfn(pmd); @@ -3324,9 +3333,15 @@ static unsigned long get_pmd_pfn(pmd_t p if (WARN_ON_ONCE(pmd_devmap(pmd))) return -1; + if (!pmd_young(pmd) && !mm_has_notifiers(vma->vm_mm)) + return -1; + if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; + if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) + return -1; + return pfn; } @@ -3335,10 +3350,6 @@ static struct folio *get_pfn_folio(unsig { struct folio *folio; - /* try to avoid unnecessary memory loads */ - if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) - return NULL; - folio = pfn_folio(pfn); if (folio_nid(folio) != pgdat->node_id) return NULL; @@ -3394,20 +3405,16 @@ restart: total++; walk->mm_stats[MM_LEAF_TOTAL]++; - pfn = get_pte_pfn(ptent, args->vma, addr); + pfn = get_pte_pfn(ptent, args->vma, addr, pgdat); if (pfn == -1) continue; - if (!pte_young(ptent)) { - continue; - } - folio = get_pfn_folio(pfn, memcg, pgdat, walk->can_swap); if (!folio) continue; - if (!ptep_test_and_clear_young(args->vma, addr, pte + i)) - VM_WARN_ON_ONCE(true); + if (!ptep_clear_young_notify(args->vma, addr, pte + i)) + continue; young++; walk->mm_stats[MM_LEAF_YOUNG]++; @@ -3473,21 +3480,22 @@ static void walk_pmd_range_locked(pud_t /* don't round down the first address */ addr = i ? (*first & PMD_MASK) + i * PMD_SIZE : *first; - pfn = get_pmd_pfn(pmd[i], vma, addr); - if (pfn == -1) - goto next; - - if (!pmd_trans_huge(pmd[i])) { - if (!walk->force_scan && should_clear_pmd_young()) + if (pmd_present(pmd[i]) && !pmd_trans_huge(pmd[i])) { + if (!walk->force_scan && should_clear_pmd_young() && + !mm_has_notifiers(args->mm)) pmdp_test_and_clear_young(vma, addr, pmd + i); goto next; } + pfn = get_pmd_pfn(pmd[i], vma, addr, pgdat); + if (pfn == -1) + goto next; + folio = get_pfn_folio(pfn, memcg, pgdat, walk->can_swap); if (!folio) goto next; - if (!pmdp_test_and_clear_young(vma, addr, pmd + i)) + if (!pmdp_clear_young_notify(vma, addr, pmd + i)) goto next; walk->mm_stats[MM_LEAF_YOUNG]++; @@ -3545,24 +3553,18 @@ restart: } if (pmd_trans_huge(val)) { - unsigned long pfn = pmd_pfn(val); struct pglist_data *pgdat = lruvec_pgdat(walk->lruvec); + unsigned long pfn = get_pmd_pfn(val, vma, addr, pgdat); walk->mm_stats[MM_LEAF_TOTAL]++; - if (!pmd_young(val)) { - continue; - } - - /* try to avoid unnecessary memory loads */ - if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) - continue; - - walk_pmd_range_locked(pud, addr, vma, args, bitmap, &first); + if (pfn != -1) + walk_pmd_range_locked(pud, addr, vma, args, bitmap, &first); continue; } - if (!walk->force_scan && should_clear_pmd_young()) { + if (!walk->force_scan && should_clear_pmd_young() && + !mm_has_notifiers(args->mm)) { if (!pmd_young(val)) continue; @@ -4036,13 +4038,13 @@ static void lru_gen_age_node(struct pgli * the PTE table to the Bloom filter. This forms a feedback loop between the * eviction and the aging. */ -void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) +bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw) { int i; unsigned long start; unsigned long end; struct lru_gen_mm_walk *walk; - int young = 0; + int young = 1; pte_t *pte = pvmw->pte; unsigned long addr = pvmw->address; struct vm_area_struct *vma = pvmw->vma; @@ -4058,12 +4060,15 @@ void lru_gen_look_around(struct page_vma lockdep_assert_held(pvmw->ptl); VM_WARN_ON_ONCE_FOLIO(folio_test_lru(folio), folio); + if (!ptep_clear_young_notify(vma, addr, pte)) + return false; + if (spin_is_contended(pvmw->ptl)) - return; + return true; /* exclude special VMAs containing anon pages from COW */ if (vma->vm_flags & VM_SPECIAL) - return; + return true; /* avoid taking the LRU lock under the PTL when possible */ walk = current->reclaim_state ? current->reclaim_state->mm_walk : NULL; @@ -4071,6 +4076,9 @@ void lru_gen_look_around(struct page_vma start = max(addr & PMD_MASK, vma->vm_start); end = min(addr | ~PMD_MASK, vma->vm_end - 1) + 1; + if (end - start == PAGE_SIZE) + return true; + if (end - start > MIN_LRU_BATCH * PAGE_SIZE) { if (addr - start < MIN_LRU_BATCH * PAGE_SIZE / 2) end = start + MIN_LRU_BATCH * PAGE_SIZE; @@ -4084,7 +4092,7 @@ void lru_gen_look_around(struct page_vma /* folio_update_gen() requires stable folio_memcg() */ if (!mem_cgroup_trylock_pages(memcg)) - return; + return true; arch_enter_lazy_mmu_mode(); @@ -4094,19 +4102,16 @@ void lru_gen_look_around(struct page_vma unsigned long pfn; pte_t ptent = ptep_get(pte + i); - pfn = get_pte_pfn(ptent, vma, addr); + pfn = get_pte_pfn(ptent, vma, addr, pgdat); if (pfn == -1) continue; - if (!pte_young(ptent)) - continue; - folio = get_pfn_folio(pfn, memcg, pgdat, can_swap); if (!folio) continue; - if (!ptep_test_and_clear_young(vma, addr, pte + i)) - VM_WARN_ON_ONCE(true); + if (!ptep_clear_young_notify(vma, addr, pte + i)) + continue; young++; @@ -4136,6 +4141,8 @@ void lru_gen_look_around(struct page_vma /* feedback from rmap walkers to page table walkers */ if (mm_state && suitable_to_scan(i, young)) update_bloom_filter(mm_state, max_seq, pvmw->pmd); + + return true; } /****************************************************************************** _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch mm-page_alloc-keep-track-of-free-highatomic.patch

10 months, 3 weeks

1
0
0 0

+ mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats Date: Sat, 19 Oct 2024 01:29:38 +0000 Patch series "mm: multi-gen LRU: Have secondary MMUs participate in MM_WALK". Today, the MM_WALK capability causes MGLRU to clear the young bit from PMDs and PTEs during the page table walk before eviction, but MGLRU does not call the clear_young() MMU notifier in this case. By not calling this notifier, the MM walk takes less time/CPU, but it causes pages that are accessed mostly through KVM / secondary MMUs to appear younger than they should be. We do call the clear_young() notifier today, but only when attempting to evict the page, so we end up clearing young/accessed information less frequently for secondary MMUs than for mm PTEs, and therefore they appear younger and are less likely to be evicted. Therefore, memory that is *not* being accessed mostly by KVM will be evicted *more* frequently, worsening performance. ChromeOS observed a tab-open latency regression when enabling MGLRU with a setup that involved running a VM: Tab-open latency histogram (ms) Version p50 mean p95 p99 max base 1315 1198 2347 3454 10319 mglru 2559 1311 7399 12060 43758 fix 1119 926 2470 4211 6947 This series replaces the final non-selftest patchs from this series[1], which introduced a similar change (and a new MMU notifier) with KVM optimizations. I'll send a separate series (to Sean and Paolo) for the KVM optimizations. This series also makes proactive reclaim with MGLRU possible for KVM memory. I have verified that this functions correctly with the selftest from [1], but given that that test is a KVM selftest, I'll send it with the rest of the KVM optimizations later. Andrew, let me know if you'd like to take the test now anyway. [1]: https://lore.kernel.org/linux-mm/20240926013506.860253-18-jthoughton@google… This patch (of 2): The removed stats, MM_LEAF_OLD and MM_NONLEAF_TOTAL, are not very helpful and become more complicated to properly compute when adding test/clear_young() notifiers in MGLRU's mm walk. Link: https://lkml.kernel.org/r/20241019012940.3656292-1-jthoughton@google.com Link: https://lkml.kernel.org/r/20241019012940.3656292-2-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Signed-off-by: James Houghton <jthoughton(a)google.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: David Matlack <dmatlack(a)google.com> Cc: David Rientjes <rientjes(a)google.com> Cc: David Stevens <stevensd(a)google.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 2 -- mm/vmscan.c | 14 +++++--------- 2 files changed, 5 insertions(+), 11 deletions(-) --- a/include/linux/mmzone.h~mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats +++ a/include/linux/mmzone.h @@ -458,9 +458,7 @@ struct lru_gen_folio { enum { MM_LEAF_TOTAL, /* total leaf entries */ - MM_LEAF_OLD, /* old leaf entries */ MM_LEAF_YOUNG, /* young leaf entries */ - MM_NONLEAF_TOTAL, /* total non-leaf entries */ MM_NONLEAF_FOUND, /* non-leaf entries found in Bloom filters */ MM_NONLEAF_ADDED, /* non-leaf entries added to Bloom filters */ NR_MM_STATS --- a/mm/vmscan.c~mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats +++ a/mm/vmscan.c @@ -3399,7 +3399,6 @@ restart: continue; if (!pte_young(ptent)) { - walk->mm_stats[MM_LEAF_OLD]++; continue; } @@ -3552,7 +3551,6 @@ restart: walk->mm_stats[MM_LEAF_TOTAL]++; if (!pmd_young(val)) { - walk->mm_stats[MM_LEAF_OLD]++; continue; } @@ -3564,8 +3562,6 @@ restart: continue; } - walk->mm_stats[MM_NONLEAF_TOTAL]++; - if (!walk->force_scan && should_clear_pmd_young()) { if (!pmd_young(val)) continue; @@ -5254,11 +5250,11 @@ static void lru_gen_seq_show_full(struct for (tier = 0; tier < MAX_NR_TIERS; tier++) { seq_printf(m, " %10d", tier); for (type = 0; type < ANON_AND_FILE; type++) { - const char *s = " "; + const char *s = "xxx"; unsigned long n[3] = {}; if (seq == max_seq) { - s = "RT "; + s = "RTx"; n[0] = READ_ONCE(lrugen->avg_refaulted[type][tier]); n[1] = READ_ONCE(lrugen->avg_total[type][tier]); } else if (seq == min_seq[type] || NR_HIST_GENS > 1) { @@ -5280,14 +5276,14 @@ static void lru_gen_seq_show_full(struct seq_puts(m, " "); for (i = 0; i < NR_MM_STATS; i++) { - const char *s = " "; + const char *s = "xxxx"; unsigned long n = 0; if (seq == max_seq && NR_HIST_GENS == 1) { - s = "LOYNFA"; + s = "TYFA"; n = READ_ONCE(mm_state->stats[hist][i]); } else if (seq != max_seq && NR_HIST_GENS > 1) { - s = "loynfa"; + s = "tyfa"; n = READ_ONCE(mm_state->stats[hist][i]); } _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch mm-page_alloc-keep-track-of-free-highatomic.patch

10 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() has been removed from the -mm tree. Its filename was mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() Date: Sat, 19 Oct 2024 01:29:39 +0000 When the MM_WALK capability is enabled, memory that is mostly accessed by a VM appears younger than it really is, therefore this memory will be less likely to be evicted. Therefore, the presence of a running VM can significantly increase swap-outs for non-VM memory, regressing the performance for the rest of the system. Fix this regression by always calling {ptep,pmdp}_clear_young_notify() whenever we clear the young bits on PMDs/PTEs. Link: https://lkml.kernel.org/r/20241019012940.3656292-3-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Signed-off-by: James Houghton <jthoughton(a)google.com> Reported-by: David Stevens <stevensd(a)google.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: David Matlack <dmatlack(a)google.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 5 +- mm/rmap.c | 9 +-- mm/vmscan.c | 91 +++++++++++++++++++++------------------ 3 files changed, 55 insertions(+), 50 deletions(-) --- a/include/linux/mmzone.h~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/include/linux/mmzone.h @@ -555,7 +555,7 @@ struct lru_gen_memcg { void lru_gen_init_pgdat(struct pglist_data *pgdat); void lru_gen_init_lruvec(struct lruvec *lruvec); -void lru_gen_look_around(struct page_vma_mapped_walk *pvmw); +bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw); void lru_gen_init_memcg(struct mem_cgroup *memcg); void lru_gen_exit_memcg(struct mem_cgroup *memcg); @@ -574,8 +574,9 @@ static inline void lru_gen_init_lruvec(s { } -static inline void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) +static inline bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw) { + return false; } static inline void lru_gen_init_memcg(struct mem_cgroup *memcg) --- a/mm/rmap.c~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/mm/rmap.c @@ -885,13 +885,10 @@ static bool folio_referenced_one(struct return false; } - if (pvmw.pte) { - if (lru_gen_enabled() && - pte_young(ptep_get(pvmw.pte))) { - lru_gen_look_around(&pvmw); + if (lru_gen_enabled() && pvmw.pte) { + if (lru_gen_look_around(&pvmw)) referenced++; - } - + } else if (pvmw.pte) { if (ptep_clear_flush_young_notify(vma, address, pvmw.pte)) referenced++; --- a/mm/vmscan.c~mm-multi-gen-lru-use-pteppmdp_clear_young_notify +++ a/mm/vmscan.c @@ -56,6 +56,7 @@ #include <linux/khugepaged.h> #include <linux/rculist_nulls.h> #include <linux/random.h> +#include <linux/mmu_notifier.h> #include <asm/tlbflush.h> #include <asm/div64.h> @@ -3294,7 +3295,8 @@ static bool get_next_vma(unsigned long m return false; } -static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr, + struct pglist_data *pgdat) { unsigned long pfn = pte_pfn(pte); @@ -3306,13 +3308,20 @@ static unsigned long get_pte_pfn(pte_t p if (WARN_ON_ONCE(pte_devmap(pte) || pte_special(pte))) return -1; + if (!pte_young(pte) && !mm_has_notifiers(vma->vm_mm)) + return -1; + if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; + if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) + return -1; + return pfn; } -static unsigned long get_pmd_pfn(pmd_t pmd, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pmd_pfn(pmd_t pmd, struct vm_area_struct *vma, unsigned long addr, + struct pglist_data *pgdat) { unsigned long pfn = pmd_pfn(pmd); @@ -3324,9 +3333,15 @@ static unsigned long get_pmd_pfn(pmd_t p if (WARN_ON_ONCE(pmd_devmap(pmd))) return -1; + if (!pmd_young(pmd) && !mm_has_notifiers(vma->vm_mm)) + return -1; + if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; + if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) + return -1; + return pfn; } @@ -3335,10 +3350,6 @@ static struct folio *get_pfn_folio(unsig { struct folio *folio; - /* try to avoid unnecessary memory loads */ - if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) - return NULL; - folio = pfn_folio(pfn); if (folio_nid(folio) != pgdat->node_id) return NULL; @@ -3394,20 +3405,16 @@ restart: total++; walk->mm_stats[MM_LEAF_TOTAL]++; - pfn = get_pte_pfn(ptent, args->vma, addr); + pfn = get_pte_pfn(ptent, args->vma, addr, pgdat); if (pfn == -1) continue; - if (!pte_young(ptent)) { - continue; - } - folio = get_pfn_folio(pfn, memcg, pgdat, walk->can_swap); if (!folio) continue; - if (!ptep_test_and_clear_young(args->vma, addr, pte + i)) - VM_WARN_ON_ONCE(true); + if (!ptep_clear_young_notify(args->vma, addr, pte + i)) + continue; young++; walk->mm_stats[MM_LEAF_YOUNG]++; @@ -3473,21 +3480,22 @@ static void walk_pmd_range_locked(pud_t /* don't round down the first address */ addr = i ? (*first & PMD_MASK) + i * PMD_SIZE : *first; - pfn = get_pmd_pfn(pmd[i], vma, addr); - if (pfn == -1) - goto next; - - if (!pmd_trans_huge(pmd[i])) { - if (!walk->force_scan && should_clear_pmd_young()) + if (pmd_present(pmd[i]) && !pmd_trans_huge(pmd[i])) { + if (!walk->force_scan && should_clear_pmd_young() && + !mm_has_notifiers(args->mm)) pmdp_test_and_clear_young(vma, addr, pmd + i); goto next; } + pfn = get_pmd_pfn(pmd[i], vma, addr, pgdat); + if (pfn == -1) + goto next; + folio = get_pfn_folio(pfn, memcg, pgdat, walk->can_swap); if (!folio) goto next; - if (!pmdp_test_and_clear_young(vma, addr, pmd + i)) + if (!pmdp_clear_young_notify(vma, addr, pmd + i)) goto next; walk->mm_stats[MM_LEAF_YOUNG]++; @@ -3545,24 +3553,18 @@ restart: } if (pmd_trans_huge(val)) { - unsigned long pfn = pmd_pfn(val); struct pglist_data *pgdat = lruvec_pgdat(walk->lruvec); + unsigned long pfn = get_pmd_pfn(val, vma, addr, pgdat); walk->mm_stats[MM_LEAF_TOTAL]++; - if (!pmd_young(val)) { - continue; - } - - /* try to avoid unnecessary memory loads */ - if (pfn < pgdat->node_start_pfn || pfn >= pgdat_end_pfn(pgdat)) - continue; - - walk_pmd_range_locked(pud, addr, vma, args, bitmap, &first); + if (pfn != -1) + walk_pmd_range_locked(pud, addr, vma, args, bitmap, &first); continue; } - if (!walk->force_scan && should_clear_pmd_young()) { + if (!walk->force_scan && should_clear_pmd_young() && + !mm_has_notifiers(args->mm)) { if (!pmd_young(val)) continue; @@ -4036,13 +4038,13 @@ static void lru_gen_age_node(struct pgli * the PTE table to the Bloom filter. This forms a feedback loop between the * eviction and the aging. */ -void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) +bool lru_gen_look_around(struct page_vma_mapped_walk *pvmw) { int i; unsigned long start; unsigned long end; struct lru_gen_mm_walk *walk; - int young = 0; + int young = 1; pte_t *pte = pvmw->pte; unsigned long addr = pvmw->address; struct vm_area_struct *vma = pvmw->vma; @@ -4058,12 +4060,15 @@ void lru_gen_look_around(struct page_vma lockdep_assert_held(pvmw->ptl); VM_WARN_ON_ONCE_FOLIO(folio_test_lru(folio), folio); + if (!ptep_clear_young_notify(vma, addr, pte)) + return false; + if (spin_is_contended(pvmw->ptl)) - return; + return true; /* exclude special VMAs containing anon pages from COW */ if (vma->vm_flags & VM_SPECIAL) - return; + return true; /* avoid taking the LRU lock under the PTL when possible */ walk = current->reclaim_state ? current->reclaim_state->mm_walk : NULL; @@ -4071,6 +4076,9 @@ void lru_gen_look_around(struct page_vma start = max(addr & PMD_MASK, vma->vm_start); end = min(addr | ~PMD_MASK, vma->vm_end - 1) + 1; + if (end - start == PAGE_SIZE) + return true; + if (end - start > MIN_LRU_BATCH * PAGE_SIZE) { if (addr - start < MIN_LRU_BATCH * PAGE_SIZE / 2) end = start + MIN_LRU_BATCH * PAGE_SIZE; @@ -4084,7 +4092,7 @@ void lru_gen_look_around(struct page_vma /* folio_update_gen() requires stable folio_memcg() */ if (!mem_cgroup_trylock_pages(memcg)) - return; + return true; arch_enter_lazy_mmu_mode(); @@ -4094,19 +4102,16 @@ void lru_gen_look_around(struct page_vma unsigned long pfn; pte_t ptent = ptep_get(pte + i); - pfn = get_pte_pfn(ptent, vma, addr); + pfn = get_pte_pfn(ptent, vma, addr, pgdat); if (pfn == -1) continue; - if (!pte_young(ptent)) - continue; - folio = get_pfn_folio(pfn, memcg, pgdat, can_swap); if (!folio) continue; - if (!ptep_test_and_clear_young(vma, addr, pte + i)) - VM_WARN_ON_ONCE(true); + if (!ptep_clear_young_notify(vma, addr, pte + i)) + continue; young++; @@ -4136,6 +4141,8 @@ void lru_gen_look_around(struct page_vma /* feedback from rmap walkers to page table walkers */ if (mm_state && suitable_to_scan(i, young)) update_bloom_filter(mm_state, max_seq, pvmw->pmd); + + return true; } /****************************************************************************** _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-page_alloc-keep-track-of-free-highatomic.patch

10 months, 3 weeks

2
2
0 0

[PATCH RESEND] thermal/drivers/qcom/lmh: remove false lockdep backtrace

by Dmitry Baryshkov

Annotate LMH IRQs with lockdep classes so that the lockdep doesn't report possible recursive locking issue between LMH and GIC interrupts. For the reference: CPU0 ---- lock(&irq_desc_lock_class); lock(&irq_desc_lock_class); *** DEADLOCK *** Call trace: dump_backtrace+0x98/0xf0 show_stack+0x18/0x24 dump_stack_lvl+0x90/0xd0 dump_stack+0x18/0x24 print_deadlock_bug+0x258/0x348 __lock_acquire+0x1078/0x1f44 lock_acquire+0x1fc/0x32c _raw_spin_lock_irqsave+0x60/0x88 __irq_get_desc_lock+0x58/0x98 enable_irq+0x38/0xa0 lmh_enable_interrupt+0x2c/0x38 irq_enable+0x40/0x8c __irq_startup+0x78/0xa4 irq_startup+0x78/0x168 __enable_irq+0x70/0x7c enable_irq+0x4c/0xa0 qcom_cpufreq_ready+0x20/0x2c cpufreq_online+0x2a8/0x988 cpufreq_add_dev+0x80/0x98 subsys_interface_register+0x104/0x134 cpufreq_register_driver+0x150/0x234 qcom_cpufreq_hw_driver_probe+0x2a8/0x388 platform_probe+0x68/0xc0 really_probe+0xbc/0x298 __driver_probe_device+0x78/0x12c driver_probe_device+0x3c/0x160 __device_attach_driver+0xb8/0x138 bus_for_each_drv+0x84/0xe0 __device_attach+0x9c/0x188 device_initial_probe+0x14/0x20 bus_probe_device+0xac/0xb0 deferred_probe_work_func+0x8c/0xc8 process_one_work+0x20c/0x62c worker_thread+0x1bc/0x36c kthread+0x120/0x124 ret_from_fork+0x10/0x20 Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver") Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- drivers/thermal/qcom/lmh.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/thermal/qcom/lmh.c b/drivers/thermal/qcom/lmh.c index 5225b3621a56c4a11f0ae56af1060d6d1460ef02..d2d49264cf83a4c4646202044700a7a8bf3c0b95 100644 --- a/drivers/thermal/qcom/lmh.c +++ b/drivers/thermal/qcom/lmh.c @@ -73,7 +73,14 @@ static struct irq_chip lmh_irq_chip = { static int lmh_irq_map(struct irq_domain *d, unsigned int irq, irq_hw_number_t hw) { struct lmh_hw_data *lmh_data = d->host_data; + static struct lock_class_key lmh_lock_key; + static struct lock_class_key lmh_request_key; + /* + * This lock class tells lockdep that GPIO irqs are in a different + * category than their parents, so it won't report false recursion. + */ + irq_set_lockdep_class(irq, &lmh_lock_key, &lmh_request_key); irq_set_chip_and_handler(irq, &lmh_irq_chip, handle_simple_irq); irq_set_chip_data(irq, lmh_data); --- base-commit: 797012914d2d031430268fe512af0ccd7d8e46ef change-id: 20240721-lmh-lockdep-88de09e77089 Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

10 months, 3 weeks

1
0
0 0

+ mm-damon-core-handle-zero-schemes-apply-interval.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: handle zero schemes apply interval has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-handle-zero-schemes-apply-interval.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: handle zero schemes apply interval Date: Thu, 31 Oct 2024 11:37:57 -0700 DAMON's logics to determine if this is the time to apply damos schemes assumes next_apply_sis is always set larger than current passed_sample_intervals. And therefore assume continuously incrementing passed_sample_intervals will make it reaches to the next_apply_sis in future. The logic hence does apply the scheme and update next_apply_sis only if passed_sample_intervals is same to next_apply_sis. If Schemes apply interval is set as zero, however, next_apply_sis is set same to current passed_sample_intervals, respectively. And passed_sample_intervals is incremented before doing the next_apply_sis check. Hence, next_apply_sis becomes larger than next_apply_sis, and the logic says it is not the time to apply schemes and update next_apply_sis. In other words, DAMON stops applying schemes until passed_sample_intervals overflows. Based on the documents and the common sense, a reasonable behavior for such inputs would be applying the schemes for every sampling interval. Handle the case by removing the assumption. Link: https://lkml.kernel.org/r/20241031183757.49610-3-sj@kernel.org Fixes: 42f994b71404 ("mm/damon/core: implement scheme-specific apply interval") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.7.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/mm/damon/core.c~mm-damon-core-handle-zero-schemes-apply-interval +++ a/mm/damon/core.c @@ -1412,7 +1412,7 @@ static void damon_do_apply_schemes(struc damon_for_each_scheme(s, c) { struct damos_quota *quota = &s->quota; - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; if (!s->wmarks.activated) @@ -1622,7 +1622,7 @@ static void kdamond_apply_schemes(struct bool has_schemes_to_apply = false; damon_for_each_scheme(s, c) { - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; if (!s->wmarks.activated) @@ -1642,9 +1642,9 @@ static void kdamond_apply_schemes(struct } damon_for_each_scheme(s, c) { - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; - s->next_apply_sis += + s->next_apply_sis = c->passed_sample_intervals + (s->apply_interval_us ? s->apply_interval_us : c->attrs.aggr_interval) / sample_interval; } _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-handle-zero-aggregationops_update-intervals.patch mm-damon-core-handle-zero-schemes-apply-interval.patch selftests-damon-huge_count_read_write-remove-unnecessary-debugging-message.patch selftests-damon-_debugfs_common-hide-expected-error-message-from-test_write_result.patch selftests-damon-debugfs_duplicate_context_creation-hide-errors-from-expected-file-write-failures.patch mm-damon-kconfig-update-dbgfs_kunit-prompt-copy-for-sysfs_kunit.patch mm-damon-tests-dbgfs-kunit-fix-the-header-double-inclusion-guarding-ifdef-comment.patch

10 months, 3 weeks

1
0
0 0

+ mm-damon-core-handle-zero-aggregationops_update-intervals.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: handle zero {aggregation,ops_update} intervals has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-handle-zero-aggregationops_update-intervals.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: handle zero {aggregation,ops_update} intervals Date: Thu, 31 Oct 2024 11:37:56 -0700 Patch series "mm/damon/core: fix handling of zero non-sampling intervals". DAMON's internal intervals accounting logic is not correctly handling non-sampling intervals of zero values for a wrong assumption. This could cause unexpected monitoring behavior, and even result in infinite hang of DAMON sysfs interface user threads in case of zero aggregation interval. Fix those by updating the intervals accounting logic. For details of the root case and solutions, please refer to commit messages of fixes. This patch (of 2): DAMON's logics to determine if this is the time to do aggregation and ops update assumes next_{aggregation,ops_update}_sis are always set larger than current passed_sample_intervals. And therefore it further assumes continuously incrementing passed_sample_intervals every sampling interval will make it reaches to the next_{aggregation,ops_update}_sis in future. The logic therefore make the action and update next_{aggregation,ops_updaste}_sis only if passed_sample_intervals is same to the counts, respectively. If Aggregation interval or Ops update interval are zero, however, next_aggregation_sis or next_ops_update_sis are set same to current passed_sample_intervals, respectively. And passed_sample_intervals is incremented before doing the next_{aggregation,ops_update}_sis check. Hence, passed_sample_intervals becomes larger than next_{aggregation,ops_update}_sis, and the logic says it is not the time to do the action and update next_{aggregation,ops_update}_sis forever, until an overflow happens. In other words, DAMON stops doing aggregations or ops updates effectively forever, and users cannot get monitoring results. Based on the documents and the common sense, a reasonable behavior for such inputs is doing an aggregation and an ops update for every sampling interval. Handle the case by removing the assumption. Note that this could incur particular real issue for DAMON sysfs interface users, in case of zero Aggregation interval. When user starts DAMON with zero Aggregation interval and asks online DAMON parameter tuning via DAMON sysfs interface, the request is handled by the aggregation callback. Until the callback finishes the work, the user who requested the online tuning just waits. Hence, the user will be stuck until the passed_sample_intervals overflows. Link: https://lkml.kernel.org/r/20241031183757.49610-1-sj@kernel.org Link: https://lkml.kernel.org/r/20241031183757.49610-2-sj@kernel.org Fixes: 4472edf63d66 ("mm/damon/core: use number of passed access sampling as a timer") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.7.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/damon/core.c~mm-damon-core-handle-zero-aggregationops_update-intervals +++ a/mm/damon/core.c @@ -2000,7 +2000,7 @@ static int kdamond_fn(void *data) if (ctx->ops.check_accesses) max_nr_accesses = ctx->ops.check_accesses(ctx); - if (ctx->passed_sample_intervals == next_aggregation_sis) { + if (ctx->passed_sample_intervals >= next_aggregation_sis) { kdamond_merge_regions(ctx, max_nr_accesses / 10, sz_limit); @@ -2018,7 +2018,7 @@ static int kdamond_fn(void *data) sample_interval = ctx->attrs.sample_interval ? ctx->attrs.sample_interval : 1; - if (ctx->passed_sample_intervals == next_aggregation_sis) { + if (ctx->passed_sample_intervals >= next_aggregation_sis) { ctx->next_aggregation_sis = next_aggregation_sis + ctx->attrs.aggr_interval / sample_interval; @@ -2028,7 +2028,7 @@ static int kdamond_fn(void *data) ctx->ops.reset_aggregated(ctx); } - if (ctx->passed_sample_intervals == next_ops_update_sis) { + if (ctx->passed_sample_intervals >= next_ops_update_sis) { ctx->next_ops_update_sis = next_ops_update_sis + ctx->attrs.ops_update_interval / sample_interval; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-handle-zero-aggregationops_update-intervals.patch mm-damon-core-handle-zero-schemes-apply-interval.patch selftests-damon-huge_count_read_write-remove-unnecessary-debugging-message.patch selftests-damon-_debugfs_common-hide-expected-error-message-from-test_write_result.patch selftests-damon-debugfs_duplicate_context_creation-hide-errors-from-expected-file-write-failures.patch mm-damon-kconfig-update-dbgfs_kunit-prompt-copy-for-sysfs_kunit.patch mm-damon-tests-dbgfs-kunit-fix-the-header-double-inclusion-guarding-ifdef-comment.patch

10 months, 3 weeks

1
0
0 0

[PATCH 5.10] perf/x86/intel: Fix PEBS-via-PT reload base value for Extended PEBS

by Murad Masimov

From: Like Xu <like.xu.linux(a)gmail.com> commit 4c58d922c0877e23cc7d3d7c6bff49b85faaca89 upstream. If we use the "PEBS-via-PT" feature on a platform that supports extended PBES, like this: perf record -c 10000 \ -e '{intel_pt/branch=0/,branch-instructions/aux-output/p}' uname we will encounter the following call trace: [ 250.906542] unchecked MSR access error: WRMSR to 0x14e1 (tried to write 0x0000000000000000) at rIP: 0xffffffff88073624 (native_write_msr+0x4/0x20) [ 250.920779] Call Trace: [ 250.923508] intel_pmu_pebs_enable+0x12c/0x190 [ 250.928359] intel_pmu_enable_event+0x346/0x390 [ 250.933300] x86_pmu_start+0x64/0x80 [ 250.937231] x86_pmu_enable+0x16a/0x2f0 [ 250.941434] perf_event_exec+0x144/0x4c0 [ 250.945731] begin_new_exec+0x650/0xbf0 [ 250.949933] load_elf_binary+0x13e/0x1700 [ 250.954321] ? lock_acquire+0xc2/0x390 [ 250.958430] ? bprm_execve+0x34f/0x8a0 [ 250.962544] ? lock_is_held_type+0xa7/0x120 [ 250.967118] ? find_held_lock+0x32/0x90 [ 250.971321] ? sched_clock_cpu+0xc/0xb0 [ 250.975527] bprm_execve+0x33d/0x8a0 [ 250.979452] do_execveat_common.isra.0+0x161/0x1d0 [ 250.984673] __x64_sys_execve+0x33/0x40 [ 250.988877] do_syscall_64+0x3d/0x80 [ 250.992806] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 250.998302] RIP: 0033:0x7fbc971d82fb [ 251.002235] Code: Unable to access opcode bytes at RIP 0x7fbc971d82d1. [ 251.009303] RSP: 002b:00007fffb8aed808 EFLAGS: 00000202 ORIG_RAX: 000000000000003b [ 251.017478] RAX: ffffffffffffffda RBX: 00007fffb8af2f00 RCX: 00007fbc971d82fb [ 251.025187] RDX: 00005574792aac50 RSI: 00007fffb8af2f00 RDI: 00007fffb8aed810 [ 251.032901] RBP: 00007fffb8aed970 R08: 0000000000000020 R09: 00007fbc9725c8b0 [ 251.040613] R10: 6d6c61632f6d6f63 R11: 0000000000000202 R12: 00005574792aac50 [ 251.048327] R13: 00007fffb8af35f0 R14: 00005574792aafdf R15: 00005574792aafe7 This is because the target reload msr address is calculated based on the wrong base msr and the target reload msr value is accessed from ds->pebs_event_reset[] with the wrong offset. According to Intel SDM Table 2-14, for extended PBES feature, the reload msr for MSR_IA32_FIXED_CTRx should be based on MSR_RELOAD_FIXED_CTRx. For fixed counters, let's fix it by overriding the reload msr address and its value, thus avoiding out-of-bounds access. Fixes: 42880f726c66("perf/x86/intel: Support PEBS output to PT") Signed-off-by: Like Xu <likexu(a)tencent.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lkml.kernel.org/r/20210621034710.31107-1-likexu@tencent.com Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- arch/x86/events/intel/ds.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c index 48f30ffef1f4..182908aebed0 100644 --- a/arch/x86/events/intel/ds.c +++ b/arch/x86/events/intel/ds.c @@ -1093,6 +1093,9 @@ static void intel_pmu_pebs_via_pt_enable(struct perf_event *event) struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); struct hw_perf_event *hwc = &event->hw; struct debug_store *ds = cpuc->ds; + u64 value = ds->pebs_event_reset[hwc->idx]; + u32 base = MSR_RELOAD_PMC0; + unsigned int idx = hwc->idx; if (!is_pebs_pt(event)) return; @@ -1102,7 +1105,12 @@ static void intel_pmu_pebs_via_pt_enable(struct perf_event *event) cpuc->pebs_enabled |= PEBS_OUTPUT_PT; - wrmsrl(MSR_RELOAD_PMC0 + hwc->idx, ds->pebs_event_reset[hwc->idx]); + if (hwc->idx >= INTEL_PMC_IDX_FIXED) { + base = MSR_RELOAD_FIXED_CTR0; + idx = hwc->idx - INTEL_PMC_IDX_FIXED; + value = ds->pebs_event_reset[MAX_PEBS_EVENTS + idx]; + } + wrmsrl(base + idx, value); } void intel_pmu_pebs_enable(struct perf_event *event) @@ -1110,6 +1118,7 @@ void intel_pmu_pebs_enable(struct perf_event *event) struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events); struct hw_perf_event *hwc = &event->hw; struct debug_store *ds = cpuc->ds; + unsigned int idx = hwc->idx; hwc->config &= ~ARCH_PERFMON_EVENTSEL_INT; @@ -1128,19 +1137,18 @@ void intel_pmu_pebs_enable(struct perf_event *event) } } + if (idx >= INTEL_PMC_IDX_FIXED) + idx = MAX_PEBS_EVENTS + (idx - INTEL_PMC_IDX_FIXED); + /* * Use auto-reload if possible to save a MSR write in the PMI. * This must be done in pmu::start(), because PERF_EVENT_IOC_PERIOD. */ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { - unsigned int idx = hwc->idx; - - if (idx >= INTEL_PMC_IDX_FIXED) - idx = MAX_PEBS_EVENTS + (idx - INTEL_PMC_IDX_FIXED); ds->pebs_event_reset[idx] = (u64)(-hwc->sample_period) & x86_pmu.cntval_mask; } else { - ds->pebs_event_reset[hwc->idx] = 0; + ds->pebs_event_reset[idx] = 0; } intel_pmu_pebs_via_pt_enable(event); -- 2.39.2

10 months, 3 weeks

1
0
0 0

[PATCH v2] KVM: arm64: Get rid of userspace_irqchip_in_use

by Raghavendra Rao Ananta

Improper use of userspace_irqchip_in_use led to syzbot hitting the following WARN_ON() in kvm_timer_update_irq(): WARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459 kvm_timer_update_irq+0x21c/0x394 Call trace: kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459 kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968 kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264 kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline] kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline] kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695 kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 The following sequence led to the scenario: - Userspace creates a VM and a vCPU. - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during KVM_ARM_VCPU_INIT. - Without any other setup, such as vGIC or vPMU, userspace issues KVM_RUN on the vCPU. Since the vPMU is requested, but not setup, kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change(). As a result, KVM_RUN returns after enabling the timer, but before incrementing 'userspace_irqchip_in_use': kvm_arch_vcpu_run_pid_change() ret = kvm_arm_pmu_v3_enable() if (!vcpu->arch.pmu.created) return -EINVAL; if (ret) return ret; [...] if (!irqchip_in_kernel(kvm)) static_branch_inc(&userspace_irqchip_in_use); - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again. Since the timer is already enabled, control moves through the following flow, ultimately hitting the WARN_ON(): kvm_timer_vcpu_reset() if (timer->enabled) kvm_timer_update_irq() if (!userspace_irqchip()) ret = kvm_vgic_inject_irq() ret = vgic_lazy_init() if (unlikely(!vgic_initialized(kvm))) if (kvm->arch.vgic.vgic_model != KVM_DEV_TYPE_ARM_VGIC_V2) return -EBUSY; WARN_ON(ret); Theoretically, since userspace_irqchip_in_use's functionality can be simply replaced by '!irqchip_in_kernel()', get rid of the static key to avoid the mismanagement, which also helps with the syzbot issue. Cc: <stable(a)vger.kernel.org> Reported-by: syzbot <syzkaller(a)googlegroups.com> Suggested-by: Marc Zyngier <maz(a)kernel.org> Signed-off-by: Raghavendra Rao Ananta <rananta(a)google.com> --- v2: - Picked the diff shared by Marc to get rid of 'userspace_irqchip_in_use' (thanks). - Adjusted the commit message accordingly. v1: https://lore.kernel.org/all/20241025221220.2985227-1-rananta@google.com/ arch/arm64/include/asm/kvm_host.h | 2 -- arch/arm64/kvm/arch_timer.c | 3 +-- arch/arm64/kvm/arm.c | 18 +++--------------- 3 files changed, 4 insertions(+), 19 deletions(-) diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h index 329619c6fa961..9f96594a0e05d 100644 --- a/arch/arm64/include/asm/kvm_host.h +++ b/arch/arm64/include/asm/kvm_host.h @@ -73,8 +73,6 @@ enum kvm_mode kvm_get_mode(void); static inline enum kvm_mode kvm_get_mode(void) { return KVM_MODE_NONE; }; #endif -DECLARE_STATIC_KEY_FALSE(userspace_irqchip_in_use); - extern unsigned int __ro_after_init kvm_sve_max_vl; extern unsigned int __ro_after_init kvm_host_sve_max_vl; int __init kvm_arm_init_sve(void); diff --git a/arch/arm64/kvm/arch_timer.c b/arch/arm64/kvm/arch_timer.c index 879982b1cc739..1215df5904185 100644 --- a/arch/arm64/kvm/arch_timer.c +++ b/arch/arm64/kvm/arch_timer.c @@ -206,8 +206,7 @@ void get_timer_map(struct kvm_vcpu *vcpu, struct timer_map *map) static inline bool userspace_irqchip(struct kvm *kvm) { - return static_branch_unlikely(&userspace_irqchip_in_use) && - unlikely(!irqchip_in_kernel(kvm)); + return unlikely(!irqchip_in_kernel(kvm)); } static void soft_timer_start(struct hrtimer *hrt, u64 ns) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index a0d01c46e4084..63f5c05e9dec6 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -69,7 +69,6 @@ DECLARE_KVM_NVHE_PER_CPU(struct kvm_cpu_context, kvm_hyp_ctxt); static bool vgic_present, kvm_arm_initialised; static DEFINE_PER_CPU(unsigned char, kvm_hyp_initialized); -DEFINE_STATIC_KEY_FALSE(userspace_irqchip_in_use); bool is_kvm_arm_initialised(void) { @@ -503,9 +502,6 @@ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu) void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu) { - if (vcpu_has_run_once(vcpu) && unlikely(!irqchip_in_kernel(vcpu->kvm))) - static_branch_dec(&userspace_irqchip_in_use); - kvm_mmu_free_memory_cache(&vcpu->arch.mmu_page_cache); kvm_timer_vcpu_terminate(vcpu); kvm_pmu_vcpu_destroy(vcpu); @@ -848,14 +844,6 @@ int kvm_arch_vcpu_run_pid_change(struct kvm_vcpu *vcpu) return ret; } - if (!irqchip_in_kernel(kvm)) { - /* - * Tell the rest of the code that there are userspace irqchip - * VMs in the wild. - */ - static_branch_inc(&userspace_irqchip_in_use); - } - /* * Initialize traps for protected VMs. * NOTE: Move to run in EL2 directly, rather than via a hypercall, once @@ -1072,7 +1060,7 @@ static bool kvm_vcpu_exit_request(struct kvm_vcpu *vcpu, int *ret) * state gets updated in kvm_timer_update_run and * kvm_pmu_update_run below). */ - if (static_branch_unlikely(&userspace_irqchip_in_use)) { + if (unlikely(!irqchip_in_kernel(vcpu->kvm))) { if (kvm_timer_should_notify_user(vcpu) || kvm_pmu_should_notify_user(vcpu)) { *ret = -EINTR; @@ -1194,7 +1182,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu) vcpu->mode = OUTSIDE_GUEST_MODE; isb(); /* Ensure work in x_flush_hwstate is committed */ kvm_pmu_sync_hwstate(vcpu); - if (static_branch_unlikely(&userspace_irqchip_in_use)) + if (unlikely(!irqchip_in_kernel(vcpu->kvm))) kvm_timer_sync_user(vcpu); kvm_vgic_sync_hwstate(vcpu); local_irq_enable(); @@ -1240,7 +1228,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu) * we don't want vtimer interrupts to race with syncing the * timer virtual interrupt state. */ - if (static_branch_unlikely(&userspace_irqchip_in_use)) + if (unlikely(!irqchip_in_kernel(vcpu->kvm))) kvm_timer_sync_user(vcpu); kvm_arch_vcpu_ctxsync_fp(vcpu); base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc -- 2.47.0.163.g1226f6d8fa-goog

10 months, 3 weeks

3
8
0 0

[PATCH 2/2] mm/damon/core: handle zero schemes apply interval

by SeongJae Park

DAMON's logics to determine if this is the time to apply damos schemes assumes next_apply_sis is always set larger than current passed_sample_intervals. And therefore assume continuously incrementing passed_sample_intervals will make it reaches to the next_apply_sis in future. The logic hence does apply the scheme and update next_apply_sis only if passed_sample_intervals is same to next_apply_sis. If Schemes apply interval is set as zero, however, next_apply_sis is set same to current passed_sample_intervals, respectively. And passed_sample_intervals is incremented before doing the next_apply_sis check. Hence, next_apply_sis becomes larger than next_apply_sis, and the logic says it is not the time to apply schemes and update next_apply_sis. In other words, DAMON stops applying schemes until passed_sample_intervals overflows. Based on the documents and the common sense, a reasonable behavior for such inputs would be applying the schemes for every sampling interval. Handle the case by removing the assumption. Fixes: 42f994b71404 ("mm/damon/core: implement scheme-specific apply interval") Cc: <stable(a)vger.kernel.org> # 6.7.x Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index 931526fb2d2e..511c3f61ab44 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1412,7 +1412,7 @@ static void damon_do_apply_schemes(struct damon_ctx *c, damon_for_each_scheme(s, c) { struct damos_quota *quota = &s->quota; - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; if (!s->wmarks.activated) @@ -1636,7 +1636,7 @@ static void kdamond_apply_schemes(struct damon_ctx *c) bool has_schemes_to_apply = false; damon_for_each_scheme(s, c) { - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; if (!s->wmarks.activated) @@ -1656,9 +1656,9 @@ static void kdamond_apply_schemes(struct damon_ctx *c) } damon_for_each_scheme(s, c) { - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; - s->next_apply_sis += + s->next_apply_sis = c->passed_sample_intervals + (s->apply_interval_us ? s->apply_interval_us : c->attrs.aggr_interval) / sample_interval; } -- 2.39.5

10 months, 3 weeks

1
0
0 0

[PATCH 1/2] mm/damon/core: handle zero {aggregation,ops_update} intervals

by SeongJae Park

DAMON's logics to determine if this is the time to do aggregation and ops update assumes next_{aggregation,ops_update}_sis are always set larger than current passed_sample_intervals. And therefore it further assumes continuously incrementing passed_sample_intervals every sampling interval will make it reaches to the next_{aggregation,ops_update}_sis in future. The logic therefore make the action and update next_{aggregation,ops_updaste}_sis only if passed_sample_intervals is same to the counts, respectively. If Aggregation interval or Ops update interval are zero, however, next_aggregation_sis or next_ops_update_sis are set same to current passed_sample_intervals, respectively. And passed_sample_intervals is incremented before doing the next_{aggregation,ops_update}_sis check. Hence, passed_sample_intervals becomes larger than next_{aggregation,ops_update}_sis, and the logic says it is not the time to do the action and update next_{aggregation,ops_update}_sis forever, until an overflow happens. In other words, DAMON stops doing aggregations or ops updates effectively forever, and users cannot get monitoring results. Based on the documents and the common sense, a reasonable behavior for such inputs is doing an aggregation and an ops update for every sampling interval. Handle the case by removing the assumption. Note that this could incur particular real issue for DAMON sysfs interface users, in case of zero Aggregation interval. When user starts DAMON with zero Aggregation interval and asks online DAMON parameter tuning via DAMON sysfs interface, the request is handled by the aggregation callback. Until the callback finishes the work, the user who requested the online tuning just waits. Hence, the user will be stuck until the passed_sample_intervals overflows. Fixes: 4472edf63d66 ("mm/damon/core: use number of passed access sampling as a timer") Cc: <stable(a)vger.kernel.org> # 6.7.x Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index 27745dcf855f..931526fb2d2e 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -2014,7 +2014,7 @@ static int kdamond_fn(void *data) if (ctx->ops.check_accesses) max_nr_accesses = ctx->ops.check_accesses(ctx); - if (ctx->passed_sample_intervals == next_aggregation_sis) { + if (ctx->passed_sample_intervals >= next_aggregation_sis) { kdamond_merge_regions(ctx, max_nr_accesses / 10, sz_limit); @@ -2032,7 +2032,7 @@ static int kdamond_fn(void *data) sample_interval = ctx->attrs.sample_interval ? ctx->attrs.sample_interval : 1; - if (ctx->passed_sample_intervals == next_aggregation_sis) { + if (ctx->passed_sample_intervals >= next_aggregation_sis) { ctx->next_aggregation_sis = next_aggregation_sis + ctx->attrs.aggr_interval / sample_interval; @@ -2042,7 +2042,7 @@ static int kdamond_fn(void *data) ctx->ops.reset_aggregated(ctx); } - if (ctx->passed_sample_intervals == next_ops_update_sis) { + if (ctx->passed_sample_intervals >= next_ops_update_sis) { ctx->next_ops_update_sis = next_ops_update_sis + ctx->attrs.ops_update_interval / sample_interval; -- 2.39.5

10 months, 3 weeks

1
0
0 0

[PATCH 2/3] gpiolib: fix debugfs dangling chip separator

by Johan Hovold

Add the missing newline after entries for recently removed gpio chips so that the chip sections are separated by a newline as intended. Fixes: e348544f7994 ("gpio: protect the list of GPIO devices with SRCU") Cc: stable(a)vger.kernel.org # 6.9 Cc: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/gpio/gpiolib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index e27488a90bc9..2b02655abb56 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4971,7 +4971,7 @@ static int gpiolib_seq_show(struct seq_file *s, void *v) gc = srcu_dereference(gdev->chip, &gdev->srcu); if (!gc) { - seq_printf(s, "%s%s: (dangling chip)", + seq_printf(s, "%s%s: (dangling chip)\n", priv->newline ? "\n" : "", dev_name(&gdev->dev)); return 0; -- 2.45.2

10 months, 3 weeks

3
3
0 0

[PATCH] net: ethernet: broadcom: Fix uninitialized lockal variable

by George Rurikov

I can't find any reason why it won't happen. In SERDES_TG3_SGMII_MODE, when current_link_up == true and current_duplex == DUPLEX_FULL, program execution will be transferred using the goto fiber_setup_done, where the uninitialized remote_adv variable is passed as the second parameter to the tg3_setup_flow_control function. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 85730a631f0c ("tg3: Add SGMII phy support for 5719/5718 serdes") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <grurikov(a)gmail.com> --- drivers/net/ethernet/broadcom/tg3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c index 378815917741..b1c60851c841 100644 --- a/drivers/net/ethernet/broadcom/tg3.c +++ b/drivers/net/ethernet/broadcom/tg3.c @@ -5802,7 +5802,8 @@ static int tg3_setup_fiber_mii_phy(struct tg3 *tp, bool force_reset) u32 current_speed = SPEED_UNKNOWN; u8 current_duplex = DUPLEX_UNKNOWN; bool current_link_up = false; - u32 local_adv, remote_adv, sgsr; + u32 local_adv, sgsr; + u32 remote_adv = 0; if ((tg3_asic_rev(tp) == ASIC_REV_5719 || tg3_asic_rev(tp) == ASIC_REV_5720) && -- 2.34.1

10 months, 3 weeks

2
1
0 0

[PATCH] ucounts: fix counter leak in inc_rlimit_get_ucounts()

by Andrei Vagin

The inc_rlimit_get_ucounts() increments the specified rlimit counter and then checks its limit. If the value exceeds the limit, the function returns an error without decrementing the counter. Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting") Tested-by: Roman Gushchin <roman.gushchin(a)linux.dev> Co-debugged-by: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: Kees Cook <kees(a)kernel.org> Cc: Andrei Vagin <avagin(a)google.com> Cc: "Eric W. Biederman" <ebiederm(a)xmission.com> Cc: Alexey Gladkov <legion(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrei Vagin <avagin(a)google.com> --- kernel/ucount.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kernel/ucount.c b/kernel/ucount.c index 8c07714ff27d..16c0ea1cb432 100644 --- a/kernel/ucount.c +++ b/kernel/ucount.c @@ -328,13 +328,12 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type) if (new != 1) continue; if (!get_ucounts(iter)) - goto dec_unwind; + goto unwind; } return ret; -dec_unwind: +unwind: dec = atomic_long_sub_return(1, &iter->rlimit[type]); WARN_ON_ONCE(dec < 0); -unwind: do_dec_rlimit_put_ucounts(ucounts, iter, type); return 0; } -- 2.47.0.163.g1226f6d8fa-goog

10 months, 3 weeks

3
4
0 0

[PATCH v2] serial: 8250: omap: Move pm_runtime_get_sync

by Judith Mendez

From: Bin Liu <b-liu(a)ti.com> Currently in omap_8250_shutdown, the dma->rx_running flag is set to zero in omap_8250_rx_dma_flush. Next pm_runtime_get_sync is called, which is a runtime resume call stack which can re-set the flag. When the call omap_8250_shutdown returns, the flag is expected to be UN-SET, but this is not the case. This is causing issues the next time UART is re-opened and omap_8250_rx_dma is called. Fix by moving pm_runtime_get_sync before the omap_8250_rx_dma_flush. cc: stable(a)vger.kernel.org Fixes: 0e31c8d173ab ("tty: serial: 8250_omap: add custom DMA-RX callback") Signed-off-by: Bin Liu <b-liu(a)ti.com> [Judith: Add commit message] Signed-off-by: Judith Mendez <jm(a)ti.com> Reviewed-by: Kevin Hilman <khilman(a)baylibre.com> Tested-by: Kevin Hilman <khilman(a)baylibre.com> --- Issue seen on am335x devices so far [0]. The patch has been tested with sanity boot test on am335x EVM, am335x-boneblack and am57xx-beagle-x15. Changes since v1 RESEND: - Fix email header and commit description length - Add fixes tag, add link [0], cc stable, add kevin's reviewed-by/tested-by's - Separate patch from patch series [1] [0] https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1… Link to v1 RESEND: [1] https://lore.kernel.org/linux-omap/20241011173356.870883-1-jm@ti.com/ --- drivers/tty/serial/8250/8250_omap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index 88b58f44e4e97..0dd68bdbfbcf7 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -776,12 +776,12 @@ static void omap_8250_shutdown(struct uart_port *port) struct uart_8250_port *up = up_to_u8250p(port); struct omap8250_priv *priv = port->private_data; + pm_runtime_get_sync(port->dev); + flush_work(&priv->qos_work); if (up->dma) omap_8250_rx_dma_flush(up); - pm_runtime_get_sync(port->dev); - serial_out(up, UART_OMAP_WER, 0); if (priv->habit & UART_HAS_EFR2) serial_out(up, UART_OMAP_EFR2, 0x0); -- 2.47.0

10 months, 3 weeks

1
0
0 0

[PATCH 0/2] leds: max5970: fix unreleased fwnode_handle in probe function

by Javier Carrasco

This series fixes the wrong management of the 'led_node' fwnode_handle, which is not released after it is no longer required. This affects both the normal path of execution and the existing error paths (currently two) in max5970_led_probe(). First, the missing callst to fwnode_handle_put() in the different code paths are added, to make the patch available for stable kernels. Then, the code gets updated to a more robust approach by means of the __free() macro to automatically release the node when it goes out of scope, removing the need for explicit calls to fwnode_handle_put(). Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): leds: max5970: fix unreleased fwnode_handle in probe function leds: max5970: use cleanup facility for fwnode_handle led_node drivers/leds/leds-max5970.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- base-commit: f2493655d2d3d5c6958ed996b043c821c23ae8d3 change-id: 20241019-max5970-of_node_put-939b004f57d2 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 3 weeks

2
3
0 0

[PATCH] mm/damon/core: avoid overflow in damon_feed_loop_next_input()

by SeongJae Park

damon_feed_loop_next_input() is inefficient and fragile to overflows. Specifically, 'score_goal_diff_bp' calculation can overflow when 'score' is high. The calculation is actually unnecessary at all because 'goal' is a constant of value 10,000. Calculation of 'compensation' is again fragile to overflow. Final calculation of return value for under-achiving case is again fragile to overflow when the current score is under-achieving the target. Add two corner cases handling at the beginning of the function to make the body easier to read, and rewrite the body of the function to avoid overflows and the unnecessary bp value calcuation. Reported-by: Guenter Roeck <linux(a)roeck-us.net> Closes: https://lore.kernel.org/944f3d5b-9177-48e7-8ec9-7f1331a3fea3@roeck-us.net Fixes: 9294a037c015 ("mm/damon/core: implement goal-oriented feedback-driven quota auto-tuning") Cc: <stable(a)vger.kernel.org> # 6.8.x Signed-off-by: SeongJae Park <sj(a)kernel.org> Tested-by: Guenter Roeck <linux(a)roeck-us.net> --- Changes from RFC (https://lore.kernel.org/20240905172405.46995-1-sj@kernel.org) - Rebase on latest mm-unstable and cleanup code mm/damon/core.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index a83f3b736d51..27745dcf855f 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1456,17 +1456,31 @@ static unsigned long damon_feed_loop_next_input(unsigned long last_input, unsigned long score) { const unsigned long goal = 10000; - unsigned long score_goal_diff = max(goal, score) - min(goal, score); - unsigned long score_goal_diff_bp = score_goal_diff * 10000 / goal; - unsigned long compensation = last_input * score_goal_diff_bp / 10000; /* Set minimum input as 10000 to avoid compensation be zero */ const unsigned long min_input = 10000; + unsigned long score_goal_diff, compensation; + bool over_achieving = score > goal; - if (goal > score) + if (score == goal) + return last_input; + if (score >= goal * 2) + return min_input; + + if (over_achieving) + score_goal_diff = score - goal; + else + score_goal_diff = goal - score; + + if (last_input < ULONG_MAX / score_goal_diff) + compensation = last_input * score_goal_diff / goal; + else + compensation = last_input / goal * score_goal_diff; + + if (over_achieving) + return max(last_input - compensation, min_input); + if (last_input < ULONG_MAX - compensation) return last_input + compensation; - if (last_input > compensation + min_input) - return last_input - compensation; - return min_input; + return ULONG_MAX; } #ifdef CONFIG_PSI -- 2.39.5

10 months, 3 weeks

1
0
0 0

[PATCH] tpm: set TPM_CHIP_FLAG_SUSPENDED early

by Jarkko Sakkinen

Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according to the bug report, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. Move setting of the flag into the beginning. Cc: stable(a)vger.kernel.org # v6.4+ Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume") Reported-by: Mike Seo <mikeseohyungjin(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383 Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- drivers/char/tpm/tpm-interface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 8134f002b121..3f96bc8b95df 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -370,6 +370,8 @@ int tpm_pm_suspend(struct device *dev) if (!chip) return -ENODEV; + chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) goto suspended; @@ -390,8 +392,6 @@ int tpm_pm_suspend(struct device *dev) } suspended: - chip->flags |= TPM_CHIP_FLAG_SUSPENDED; - if (rc) dev_err(dev, "Ignoring error %d while suspending\n", rc); return 0; -- 2.47.0

10 months, 3 weeks

2
6
0 0

[PATCH V2] wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures

by Guilherme G. Piccoli

Syzkaller reported a hung task with uevent_show() on stack trace. That specific issue was addressed by another commit [0], but even with that fix applied (for example, running v6.12-rc5) we face another type of hung task that comes from the same reproducer [1]. By investigating that, we could narrow it to the following path: (a) Syzkaller emulates a Realtek USB WiFi adapter using raw-gadget and dummy_hcd infrastructure. (b) During the probe of rtl8192cu, the driver ends-up performing an efuse read procedure (which is related to EEPROM load IIUC), and here lies the issue: the function read_efuse() calls read_efuse_byte() many times, as loop iterations depending on the efuse size (in our example, 512 in total). This procedure for reading efuse bytes relies in a loop that performs an I/O read up to *10k* times in case of failures. We measured the time of the loop inside read_efuse_byte() alone, and in this reproducer (which involves the dummy_hcd emulation layer), it takes 15 seconds each. As a consequence, we have the driver stuck in its probe routine for big time, exposing a stack trace like below if we attempt to reboot the system, for example: task:kworker/0:3 state:D stack:0 pid:662 tgid:662 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: __schedule+0xe22/0xeb6 schedule_timeout+0xe7/0x132 __wait_for_common+0xb5/0x12e usb_start_wait_urb+0xc5/0x1ef ? usb_alloc_urb+0x95/0xa4 usb_control_msg+0xff/0x184 _usbctrl_vendorreq_sync+0xa0/0x161 _usb_read_sync+0xb3/0xc5 read_efuse_byte+0x13c/0x146 read_efuse+0x351/0x5f0 efuse_read_all_map+0x42/0x52 rtl_efuse_shadow_map_update+0x60/0xef rtl_get_hwinfo+0x5d/0x1c2 rtl92cu_read_eeprom_info+0x10a/0x8d5 ? rtl92c_read_chip_version+0x14f/0x17e rtl_usb_probe+0x323/0x851 usb_probe_interface+0x278/0x34b really_probe+0x202/0x4a4 __driver_probe_device+0x166/0x1b2 driver_probe_device+0x2f/0xd8 [...] We propose hereby to drastically reduce the attempts of doing the I/O reads in case of failures, restricted to USB devices (given that they're inherently slower than PCIe ones). By retrying up to 10 times (instead of 10000), we got responsiveness in the reproducer, while seems reasonable to believe that there's no sane USB device implementation in the field requiring this amount of retries (at every I/O read) in order to properly work. Based on that assumption, it'd be good to have it backported to stable but maybe not since driver implementation (the 10k number comes from day 0), perhaps up to 6.x series makes sense. [0] Commit 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race"). [1] A note about that: this syzkaller report presents multiple reproducers that differs by the type of emulated USB device. For this specific case, check the entry from 2024/08/08 06:23 in the list of crashes; the C repro is available at https://syzkaller.appspot.com/text?tag=ReproC&x=1521fc83980000. Cc: stable(a)vger.kernel.org # v6.1+ Reported-by: syzbot+edd9fe0d3a65b14588d5(a)syzkaller.appspotmail.com Tested-by: Bitterblue Smith <rtl8821cerfe2(a)gmail.com> Signed-off-by: Guilherme G. Piccoli <gpiccoli(a)igalia.com> --- V2: - Restrict the change to USB device only (thanks Ping-Ke Shih). - Tested in 2 USB devices by Bitterblue Smith - thanks a lot! V1: https://lore.kernel.org/lkml/20241025150226.896613-1-gpiccoli@igalia.com/ drivers/net/wireless/realtek/rtlwifi/efuse.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/realtek/rtlwifi/efuse.c b/drivers/net/wireless/realtek/rtlwifi/efuse.c index 82cf5fb5175f..f741066c06de 100644 --- a/drivers/net/wireless/realtek/rtlwifi/efuse.c +++ b/drivers/net/wireless/realtek/rtlwifi/efuse.c @@ -164,7 +164,17 @@ void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) struct rtl_priv *rtlpriv = rtl_priv(hw); u32 value32; u8 readbyte; - u16 retry; + u16 retry, max_attempts; + + /* + * In case of USB devices, transfer speeds are limited, hence + * efuse I/O reads could be (way) slower. So, decrease (a lot) + * the read attempts in case of failures. + */ + if (rtlpriv->rtlhal.interface == INTF_PCI) + max_attempts = 10000; + else + max_attempts = 10; rtl_write_byte(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL] + 1, (_offset & 0xff)); @@ -178,7 +188,7 @@ void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) retry = 0; value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); - while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < 10000)) { + while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < max_attempts)) { value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); retry++; -- 2.46.2

10 months, 3 weeks

2
2
0 0

[PATCH v2] leds: lp55xx: Remove redundant test for invalid channel number

by Michal Vokáč

Since commit 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") there are two subsequent tests if the chan_nr (reg property) is in valid range. One in the lp55xx_init_led() function and one in the lp55xx_parse_common_child() function that was added with the mentioned commit. There are two issues with that. First is in the lp55xx_parse_common_child() function where the reg property is tested right after it is read from the device tree. Test for the upper range is not correct though. Valid reg values are 0 to (max_channel - 1) so it should be >=. Second issue is that in case the parsed value is out of the range the probe just fails and no error message is shown as the code never reaches the second test that prints and error message. Remove the test form lp55xx_parse_common_child() function completely and keep the one in lp55xx_init_led() function to deal with it. Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michal Vokáč <michal.vokac(a)ysoft.com> --- v2: - Complete change of the approach to the problem. In v1 I removed the test from lp55xx_init_led() but I failed to test that solution properly. It could not work. In v2 I removed the test for chan_nr being out of range from the lp55xx_parse_common_child() function. - Re-worded the subject and commit message to fit the changes. It was: "leds: lp55xx: Fix check for invalid channel number" drivers/leds/leds-lp55xx-common.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c index 5a2e259679cf..e71456a56ab8 100644 --- a/drivers/leds/leds-lp55xx-common.c +++ b/drivers/leds/leds-lp55xx-common.c @@ -1132,9 +1132,6 @@ static int lp55xx_parse_common_child(struct device_node *np, if (ret) return ret; - if (*chan_nr < 0 || *chan_nr > cfg->max_channel) - return -EINVAL; - return 0; } -- 2.1.4

10 months, 3 weeks

2
1
0 0

[PATCH v3 12/14] scsi: ufs: exynos: fix hibern8 notify callbacks

by Peter Griffin

v1 of the patch which introduced the ufshcd_vops_hibern8_notify() callback used a bool instead of an enum. In v2 this was updated to an enum based on the review feedback in [1]. ufs-exynos hibernate calls have always been broken upstream as it follows the v1 bool implementation. Link: https://patchwork.kernel.org/project/linux-scsi/patch/001f01d23994$719997c0… [1] Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs") Signed-off-by: Peter Griffin <peter.griffin(a)linaro.org> Reviewed-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> Cc: stable(a)vger.kernel.org --- v3: Added Link tag, and CC stable, and Reviewed-by (Tudor) --- drivers/ufs/host/ufs-exynos.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c index 5078210b2a5c..9b6c4cfd7665 100644 --- a/drivers/ufs/host/ufs-exynos.c +++ b/drivers/ufs/host/ufs-exynos.c @@ -1526,12 +1526,12 @@ static void exynos_ufs_dev_hw_reset(struct ufs_hba *hba) hci_writel(ufs, 1 << 0, HCI_GPIO_OUT); } -static void exynos_ufs_pre_hibern8(struct ufs_hba *hba, u8 enter) +static void exynos_ufs_pre_hibern8(struct ufs_hba *hba, enum uic_cmd_dme cmd) { struct exynos_ufs *ufs = ufshcd_get_variant(hba); struct exynos_ufs_uic_attr *attr = ufs->drv_data->uic_attr; - if (!enter) { + if (cmd == UIC_CMD_DME_HIBER_EXIT) { if (ufs->opts & EXYNOS_UFS_OPT_BROKEN_AUTO_CLK_CTRL) exynos_ufs_disable_auto_ctrl_hcc(ufs); exynos_ufs_ungate_clks(ufs); @@ -1559,11 +1559,11 @@ static void exynos_ufs_pre_hibern8(struct ufs_hba *hba, u8 enter) } } -static void exynos_ufs_post_hibern8(struct ufs_hba *hba, u8 enter) +static void exynos_ufs_post_hibern8(struct ufs_hba *hba, enum uic_cmd_dme cmd) { struct exynos_ufs *ufs = ufshcd_get_variant(hba); - if (!enter) { + if (cmd == UIC_CMD_DME_HIBER_EXIT) { u32 cur_mode = 0; u32 pwrmode; @@ -1582,7 +1582,7 @@ static void exynos_ufs_post_hibern8(struct ufs_hba *hba, u8 enter) if (!(ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)) exynos_ufs_establish_connt(ufs); - } else { + } else if (cmd == UIC_CMD_DME_HIBER_ENTER) { ufs->entry_hibern8_t = ktime_get(); exynos_ufs_gate_clks(ufs); if (ufs->opts & EXYNOS_UFS_OPT_BROKEN_AUTO_CLK_CTRL) @@ -1669,15 +1669,15 @@ static int exynos_ufs_pwr_change_notify(struct ufs_hba *hba, } static void exynos_ufs_hibern8_notify(struct ufs_hba *hba, - enum uic_cmd_dme enter, + enum uic_cmd_dme cmd, enum ufs_notify_change_status notify) { switch ((u8)notify) { case PRE_CHANGE: - exynos_ufs_pre_hibern8(hba, enter); + exynos_ufs_pre_hibern8(hba, cmd); break; case POST_CHANGE: - exynos_ufs_post_hibern8(hba, enter); + exynos_ufs_post_hibern8(hba, cmd); break; } } -- 2.47.0.163.g1226f6d8fa-goog

10 months, 3 weeks

1
0
0 0

[PATCH v3 04/14] scsi: ufs: exynos: add check inside exynos_ufs_config_smu()

by Peter Griffin

Move the EXYNOS_UFS_OPT_UFSPR_SECURE check inside exynos_ufs_config_smu(). This way all call sites will benefit from the check. This fixes a bug currently in the exynos_ufs_resume() path on gs101 as it calls exynos_ufs_config_smu() and we end up accessing registers that can only be accessed from secure world which results in a serror. Fixes: d11e0a318df8 ("scsi: ufs: exynos: Add support for Tensor gs101 SoC") Signed-off-by: Peter Griffin <peter.griffin(a)linaro.org> Reviewed-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> Cc: stable(a)vger.kernel.org --- v3: CC stable and be more verbose in commit message (Tudor) --- drivers/ufs/host/ufs-exynos.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c index 33de7ff747a2..f4454e89040f 100644 --- a/drivers/ufs/host/ufs-exynos.c +++ b/drivers/ufs/host/ufs-exynos.c @@ -719,6 +719,9 @@ static void exynos_ufs_config_smu(struct exynos_ufs *ufs) { u32 reg, val; + if (ufs->opts & EXYNOS_UFS_OPT_UFSPR_SECURE) + return; + exynos_ufs_disable_auto_ctrl_hcc_save(ufs, &val); /* make encryption disabled by default */ @@ -1454,8 +1457,8 @@ static int exynos_ufs_init(struct ufs_hba *hba) if (ret) goto out; exynos_ufs_specify_phy_time_attr(ufs); - if (!(ufs->opts & EXYNOS_UFS_OPT_UFSPR_SECURE)) - exynos_ufs_config_smu(ufs); + + exynos_ufs_config_smu(ufs); hba->host->dma_alignment = DATA_UNIT_SIZE - 1; return 0; -- 2.47.0.163.g1226f6d8fa-goog

10 months, 3 weeks

1
0
0 0

[PATCH v3] ext4: prevent data-race that occur when read/write ext4_group_desc structure members

by Jeongjun Park

Currently, data-race like [1] occur in fs/ext4/ialloc.c find_group_other() and find_group_orlov() read *_lo, *_hi with ext4_free_inodes_count without additional locking. This can cause data-race, but since the lock is held for most writes and free inodes value is generally not a problem even if it is incorrect, it is more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking. [1] ================================================================== BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1: ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405 __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216 ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 vfs_symlink+0xca/0x1d0 fs/namei.c:4615 do_symlinkat+0xe3/0x340 fs/namei.c:4641 __do_sys_symlinkat fs/namei.c:4657 [inline] __se_sys_symlinkat fs/namei.c:4654 [inline] __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0: ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349 find_group_other fs/ext4/ialloc.c:594 [inline] __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017 ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 vfs_symlink+0xca/0x1d0 fs/namei.c:4615 do_symlinkat+0xe3/0x340 fs/namei.c:4641 __do_sys_symlinkat fs/namei.c:4657 [inline] __se_sys_symlinkat fs/namei.c:4654 [inline] __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x185c -> 0x185b Cc: <stable(a)vger.kernel.org> Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- fs/ext4/super.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 16a4ce704460..8337c4999f90 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -346,9 +346,9 @@ __u32 ext4_free_group_clusters(struct super_block *sb, __u32 ext4_free_inodes_count(struct super_block *sb, struct ext4_group_desc *bg) { - return le16_to_cpu(bg->bg_free_inodes_count_lo) | + return le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_lo)) | (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT ? - (__u32)le16_to_cpu(bg->bg_free_inodes_count_hi) << 16 : 0); + (__u32)le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_hi)) << 16 : 0); } __u32 ext4_used_dirs_count(struct super_block *sb, @@ -402,9 +402,9 @@ void ext4_free_group_clusters_set(struct super_block *sb, void ext4_free_inodes_set(struct super_block *sb, struct ext4_group_desc *bg, __u32 count) { - bg->bg_free_inodes_count_lo = cpu_to_le16((__u16)count); + WRITE_ONCE(bg->bg_free_inodes_count_lo, cpu_to_le16((__u16)count)); if (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT) - bg->bg_free_inodes_count_hi = cpu_to_le16(count >> 16); + WRITE_ONCE(bg->bg_free_inodes_count_hi, cpu_to_le16(count >> 16)); } void ext4_used_dirs_set(struct super_block *sb, --

10 months, 3 weeks

3
2
0 0

[PATCH] vp_vdpa: fix id_table array not null terminated error

by Xiaoguang Wang

Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory. Fixes: ffbda8e9df10 ("vdpa/vp_vdpa : add vdpa tool support in vp_vdpa") Cc: stable(a)vger.kernel.org Signed-off-by: Xiaoguang Wang <lege.wang(a)jaguarmicro.com> --- drivers/vdpa/virtio_pci/vp_vdpa.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/vdpa/virtio_pci/vp_vdpa.c b/drivers/vdpa/virtio_pci/vp_vdpa.c index ac4ab22f7d8b..74cc4ed77cc4 100644 --- a/drivers/vdpa/virtio_pci/vp_vdpa.c +++ b/drivers/vdpa/virtio_pci/vp_vdpa.c @@ -612,7 +612,11 @@ static int vp_vdpa_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto mdev_err; } - mdev_id = kzalloc(sizeof(struct virtio_device_id), GFP_KERNEL); + /* + * id_table should be a null terminated array. + * See vdpa_mgmtdev_get_classes(). + */ + mdev_id = kzalloc(sizeof(struct virtio_device_id) * 2, GFP_KERNEL); if (!mdev_id) { err = -ENOMEM; goto mdev_id_err; -- 2.40.1

10 months, 4 weeks

3
2
0 0

[PATCH] efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using a EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic. Cc: <stable(a)vger.kernel.org> Reported-by: Breno Leitao <leitao(a)debian.org> Tested-by: Usama Arif <usamaarif642(a)gmail.com> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/libstub/tpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c index df3182f2e63a..1fd6823248ab 100644 --- a/drivers/firmware/efi/libstub/tpm.c +++ b/drivers/firmware/efi/libstub/tpm.c @@ -96,7 +96,7 @@ static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_loca } /* Allocate space for the logs and copy them. */ - status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, + status = efi_bs_call(allocate_pool, EFI_ACPI_RECLAIM_MEMORY, sizeof(*log_tbl) + log_size, (void **)&log_tbl); if (status != EFI_SUCCESS) { -- 2.46.0.662.g92d0881bb0-goog

10 months, 4 weeks

7
19
0 0

[PATCH 6.6] Revert "selftests/bpf: Implement get_hw_ring_size function to retrieve current and max interface size"

by Pu Lehui

From: Pu Lehui <pulehui(a)huawei.com> This reverts commit c8c590f07ad7ffaa6ef11e90b81202212077497b which is commit 90a695c3d31e1c9f0adb8c4c80028ed4ea7ed5ab upstream. Commit c8c590f07ad7 ("selftests/bpf: Implement get_hw_ring_size function to retrieve current and max interface size") will cause the following bpf selftests compilation error in the 6.6 stable branch, and it is not the Stable-dep-of of commit 103c0431c7fb ("selftests/bpf: Drop unneeded error.h includes"). So let's revert commit c8c590f07ad7 to fix this compilation error. ./network_helpers.h:66:43: error: 'struct ethtool_ringparam' declared inside parameter list will not be visible outside of this definition or declaration [-Werror] 66 | int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param); Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- tools/testing/selftests/bpf/network_helpers.c | 24 ------------------- tools/testing/selftests/bpf/network_helpers.h | 4 ---- .../selftests/bpf/prog_tests/flow_dissector.c | 1 + tools/testing/selftests/bpf/xdp_hw_metadata.c | 14 +++++++++++ 4 files changed, 15 insertions(+), 28 deletions(-) diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c index d2acc8875212..0877b60ec81f 100644 --- a/tools/testing/selftests/bpf/network_helpers.c +++ b/tools/testing/selftests/bpf/network_helpers.c @@ -465,27 +465,3 @@ int get_socket_local_port(int sock_fd) return -1; } - -int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param) -{ - struct ifreq ifr = {0}; - int sockfd, err; - - sockfd = socket(AF_INET, SOCK_DGRAM, 0); - if (sockfd < 0) - return -errno; - - memcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); - - ring_param->cmd = ETHTOOL_GRINGPARAM; - ifr.ifr_data = (char *)ring_param; - - if (ioctl(sockfd, SIOCETHTOOL, &ifr) < 0) { - err = errno; - close(sockfd); - return -err; - } - - close(sockfd); - return 0; -} diff --git a/tools/testing/selftests/bpf/network_helpers.h b/tools/testing/selftests/bpf/network_helpers.h index 11cbe194769b..5eccc67d1a99 100644 --- a/tools/testing/selftests/bpf/network_helpers.h +++ b/tools/testing/selftests/bpf/network_helpers.h @@ -9,11 +9,8 @@ typedef __u16 __sum16; #include <linux/if_packet.h> #include <linux/ip.h> #include <linux/ipv6.h> -#include <linux/ethtool.h> -#include <linux/sockios.h> #include <netinet/tcp.h> #include <bpf/bpf_endian.h> -#include <net/if.h> #define MAGIC_VAL 0x1234 #define NUM_ITER 100000 @@ -63,7 +60,6 @@ int make_sockaddr(int family, const char *addr_str, __u16 port, struct sockaddr_storage *addr, socklen_t *len); char *ping_command(int family); int get_socket_local_port(int sock_fd); -int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param); struct nstoken; /** diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c index 3171047414a7..b81046806579 100644 --- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c @@ -2,6 +2,7 @@ #define _GNU_SOURCE #include <test_progs.h> #include <network_helpers.h> +#include <linux/if.h> #include <linux/if_tun.h> #include <sys/uio.h> diff --git a/tools/testing/selftests/bpf/xdp_hw_metadata.c b/tools/testing/selftests/bpf/xdp_hw_metadata.c index 79f2da8f6ead..adb77c1a6a74 100644 --- a/tools/testing/selftests/bpf/xdp_hw_metadata.c +++ b/tools/testing/selftests/bpf/xdp_hw_metadata.c @@ -288,6 +288,20 @@ static int verify_metadata(struct xsk *rx_xsk, int rxq, int server_fd, clockid_t return 0; } +struct ethtool_channels { + __u32 cmd; + __u32 max_rx; + __u32 max_tx; + __u32 max_other; + __u32 max_combined; + __u32 rx_count; + __u32 tx_count; + __u32 other_count; + __u32 combined_count; +}; + +#define ETHTOOL_GCHANNELS 0x0000003c /* Get no of channels */ + static int rxq_num(const char *ifname) { struct ethtool_channels ch = { -- 2.34.1

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-mmap-limit-thp-aligment-of-anonymous-mappings-to-pmd-aligned-sizes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes has been removed from the -mm tree. Its filename was mm-mmap-limit-thp-aligment-of-anonymous-mappings-to-pmd-aligned-sizes.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes Date: Thu, 24 Oct 2024 17:12:29 +0200 Since commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") a mmap() of anonymous memory without a specific address hint and of at least PMD_SIZE will be aligned to PMD so that it can benefit from a THP backing page. However this change has been shown to regress some workloads significantly. [1] reports regressions in various spec benchmarks, with up to 600% slowdown of the cactusBSSN benchmark on some platforms. The benchmark seems to create many mappings of 4632kB, which would have merged to a large THP-backed area before commit efa7df3e3bb5 and now they are fragmented to multiple areas each aligned to PMD boundary with gaps between. The regression then seems to be caused mainly due to the benchmark's memory access pattern suffering from TLB or cache aliasing due to the aligned boundaries of the individual areas. Another known regression bisected to commit efa7df3e3bb5 is darktable [2] [3] and early testing suggests this patch fixes the regression there as well. To fix the regression but still try to benefit from THP-friendly anonymous mapping alignment, add a condition that the size of the mapping must be a multiple of PMD size instead of at least PMD size. In case of many odd-sized mapping like the cactusBSSN creates, those will stop being aligned and with gaps between, and instead naturally merge again. Link: https://lkml.kernel.org/r/20241024151228.101841-2-vbabka@suse.cz Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Reported-by: Michael Matz <matz(a)suse.de> Debugged-by: Gabriel Krisman Bertazi <gabriel(a)krisman.be> Closes: https://bugzilla.suse.com/show_bug.cgi?id=1229012 [1] Reported-by: Matthias Bodenbinder <matthias(a)bodenbinder.de> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219366 [2] Closes: https://lore.kernel.org/all/2050f0d4-57b0-481d-bab8-05e8d48fed0c@leemhuis.i… [3] Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Petr Tesarik <ptesarik(a)suse.com> Cc: Thorsten Leemhuis <regressions(a)leemhuis.info> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mmap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/mmap.c~mm-mmap-limit-thp-aligment-of-anonymous-mappings-to-pmd-aligned-sizes +++ a/mm/mmap.c @@ -900,7 +900,8 @@ __get_unmapped_area(struct file *file, u if (get_area) { addr = get_area(file, addr, len, pgoff, flags); - } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) { + } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) + && IS_ALIGNED(len, PMD_SIZE)) { /* Ensures that larger anonymous mappings are THP aligned. */ addr = thp_get_unmapped_area_vmflags(file, addr, len, pgoff, flags, vm_flags); _ Patches currently in -mm which might be from vbabka(a)suse.cz are

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-shrinker-avoid-memleak-in-alloc_shrinker_info.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: shrinker: avoid memleak in alloc_shrinker_info has been removed from the -mm tree. Its filename was mm-shrinker-avoid-memleak-in-alloc_shrinker_info.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Chen Ridong <chenridong(a)huawei.com> Subject: mm: shrinker: avoid memleak in alloc_shrinker_info Date: Fri, 25 Oct 2024 06:09:42 +0000 A memleak was found as below: unreferenced object 0xffff8881010d2a80 (size 32): comm "mkdir", pid 1559, jiffies 4294932666 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @............... backtrace (crc 2e7ef6fa): [<ffffffff81372754>] __kmalloc_node_noprof+0x394/0x470 [<ffffffff813024ab>] alloc_shrinker_info+0x7b/0x1a0 [<ffffffff813b526a>] mem_cgroup_css_online+0x11a/0x3b0 [<ffffffff81198dd9>] online_css+0x29/0xa0 [<ffffffff811a243d>] cgroup_apply_control_enable+0x20d/0x360 [<ffffffff811a5728>] cgroup_mkdir+0x168/0x5f0 [<ffffffff8148543e>] kernfs_iop_mkdir+0x5e/0x90 [<ffffffff813dbb24>] vfs_mkdir+0x144/0x220 [<ffffffff813e1c97>] do_mkdirat+0x87/0x130 [<ffffffff813e1de9>] __x64_sys_mkdir+0x49/0x70 [<ffffffff81f8c928>] do_syscall_64+0x68/0x140 [<ffffffff8200012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e alloc_shrinker_info(), when shrinker_unit_alloc() returns an errer, the info won't be freed. Just fix it. Link: https://lkml.kernel.org/r/20241025060942.1049263-1-chenridong@huaweicloud.c… Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}") Signed-off-by: Chen Ridong <chenridong(a)huawei.com> Acked-by: Qi Zheng <zhengqi.arch(a)bytedance.com> Acked-by: Roman Gushchin <roman.gushchin(a)linux.dev> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Reviewed-by: Dave Chinner <dchinner(a)redhat.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Wang Weiyang <wangweiyang2(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shrinker.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/mm/shrinker.c~mm-shrinker-avoid-memleak-in-alloc_shrinker_info +++ a/mm/shrinker.c @@ -76,19 +76,21 @@ void free_shrinker_info(struct mem_cgrou int alloc_shrinker_info(struct mem_cgroup *memcg) { - struct shrinker_info *info; int nid, ret = 0; int array_size = 0; mutex_lock(&shrinker_mutex); array_size = shrinker_unit_size(shrinker_nr_max); for_each_node(nid) { - info = kvzalloc_node(sizeof(*info) + array_size, GFP_KERNEL, nid); + struct shrinker_info *info = kvzalloc_node(sizeof(*info) + array_size, + GFP_KERNEL, nid); if (!info) goto err; info->map_nr_max = shrinker_nr_max; - if (shrinker_unit_alloc(info, NULL, nid)) + if (shrinker_unit_alloc(info, NULL, nid)) { + kvfree(info); goto err; + } rcu_assign_pointer(memcg->nodeinfo[nid]->shrinker_info, info); } mutex_unlock(&shrinker_mutex); _ Patches currently in -mm which might be from chenridong(a)huawei.com are

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] vmscanmigrate-fix-double-decrement-on-node-stats-when-demoting-pages.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: vmscan,migrate: fix page count imbalance on node stats when demoting pages has been removed from the -mm tree. Its filename was vmscanmigrate-fix-double-decrement-on-node-stats-when-demoting-pages.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Gregory Price <gourry(a)gourry.net> Subject: vmscan,migrate: fix page count imbalance on node stats when demoting pages Date: Fri, 25 Oct 2024 10:17:24 -0400 When numa balancing is enabled with demotion, vmscan will call migrate_pages when shrinking LRUs. migrate_pages will decrement the the node's isolated page count, leading to an imbalanced count when invoked from (MG)LRU code. The result is dmesg output like such: $ cat /proc/sys/vm/stat_refresh [77383.088417] vmstat_refresh: nr_isolated_anon -103212 [77383.088417] vmstat_refresh: nr_isolated_file -899642 This negative value may impact compaction and reclaim throttling. The following path produces the decrement: shrink_folio_list demote_folio_list migrate_pages migrate_pages_batch migrate_folio_move migrate_folio_done mod_node_page_state(-ve) <- decrement This path happens for SUCCESSFUL migrations, not failures. Typically callers to migrate_pages are required to handle putback/accounting for failures, but this is already handled in the shrink code. When accounting for migrations, instead do not decrement the count when the migration reason is MR_DEMOTION. As of v6.11, this demotion logic is the only source of MR_DEMOTION. Link: https://lkml.kernel.org/r/20241025141724.17927-1-gourry@gourry.net Fixes: 26aa2d199d6f ("mm/migrate: demote pages during reclaim") Signed-off-by: Gregory Price <gourry(a)gourry.net> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Reviewed-by: Davidlohr Bueso <dave(a)stgolabs.net> Reviewed-by: Shakeel Butt <shakeel.butt(a)linux.dev> Reviewed-by: "Huang, Ying" <ying.huang(a)intel.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/migrate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/migrate.c~vmscanmigrate-fix-double-decrement-on-node-stats-when-demoting-pages +++ a/mm/migrate.c @@ -1178,7 +1178,7 @@ static void migrate_folio_done(struct fo * not accounted to NR_ISOLATED_*. They can be recognized * as __folio_test_movable */ - if (likely(!__folio_test_movable(src))) + if (likely(!__folio_test_movable(src)) && reason != MR_DEMOTION) mod_node_page_state(folio_pgdat(src), NR_ISOLATED_ANON + folio_is_file_lru(src), -folio_nr_pages(src)); _ Patches currently in -mm which might be from gourry(a)gourry.net are

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats has been removed from the -mm tree. Its filename was mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats Date: Sat, 19 Oct 2024 01:29:38 +0000 Patch series "mm: multi-gen LRU: Have secondary MMUs participate in MM_WALK". Today, the MM_WALK capability causes MGLRU to clear the young bit from PMDs and PTEs during the page table walk before eviction, but MGLRU does not call the clear_young() MMU notifier in this case. By not calling this notifier, the MM walk takes less time/CPU, but it causes pages that are accessed mostly through KVM / secondary MMUs to appear younger than they should be. We do call the clear_young() notifier today, but only when attempting to evict the page, so we end up clearing young/accessed information less frequently for secondary MMUs than for mm PTEs, and therefore they appear younger and are less likely to be evicted. Therefore, memory that is *not* being accessed mostly by KVM will be evicted *more* frequently, worsening performance. ChromeOS observed a tab-open latency regression when enabling MGLRU with a setup that involved running a VM: Tab-open latency histogram (ms) Version p50 mean p95 p99 max base 1315 1198 2347 3454 10319 mglru 2559 1311 7399 12060 43758 fix 1119 926 2470 4211 6947 This series replaces the final non-selftest patchs from this series[1], which introduced a similar change (and a new MMU notifier) with KVM optimizations. I'll send a separate series (to Sean and Paolo) for the KVM optimizations. This series also makes proactive reclaim with MGLRU possible for KVM memory. I have verified that this functions correctly with the selftest from [1], but given that that test is a KVM selftest, I'll send it with the rest of the KVM optimizations later. Andrew, let me know if you'd like to take the test now anyway. [1]: https://lore.kernel.org/linux-mm/20240926013506.860253-18-jthoughton@google… This patch (of 2): The removed stats, MM_LEAF_OLD and MM_NONLEAF_TOTAL, are not very helpful and become more complicated to properly compute when adding test/clear_young() notifiers in MGLRU's mm walk. Link: https://lkml.kernel.org/r/20241019012940.3656292-1-jthoughton@google.com Link: https://lkml.kernel.org/r/20241019012940.3656292-2-jthoughton@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Signed-off-by: James Houghton <jthoughton(a)google.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: David Matlack <dmatlack(a)google.com> Cc: David Rientjes <rientjes(a)google.com> Cc: David Stevens <stevensd(a)google.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Wei Xu <weixugc(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 2 -- mm/vmscan.c | 14 +++++--------- 2 files changed, 5 insertions(+), 11 deletions(-) --- a/include/linux/mmzone.h~mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats +++ a/include/linux/mmzone.h @@ -458,9 +458,7 @@ struct lru_gen_folio { enum { MM_LEAF_TOTAL, /* total leaf entries */ - MM_LEAF_OLD, /* old leaf entries */ MM_LEAF_YOUNG, /* young leaf entries */ - MM_NONLEAF_TOTAL, /* total non-leaf entries */ MM_NONLEAF_FOUND, /* non-leaf entries found in Bloom filters */ MM_NONLEAF_ADDED, /* non-leaf entries added to Bloom filters */ NR_MM_STATS --- a/mm/vmscan.c~mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats +++ a/mm/vmscan.c @@ -3399,7 +3399,6 @@ restart: continue; if (!pte_young(ptent)) { - walk->mm_stats[MM_LEAF_OLD]++; continue; } @@ -3552,7 +3551,6 @@ restart: walk->mm_stats[MM_LEAF_TOTAL]++; if (!pmd_young(val)) { - walk->mm_stats[MM_LEAF_OLD]++; continue; } @@ -3564,8 +3562,6 @@ restart: continue; } - walk->mm_stats[MM_NONLEAF_TOTAL]++; - if (!walk->force_scan && should_clear_pmd_young()) { if (!pmd_young(val)) continue; @@ -5254,11 +5250,11 @@ static void lru_gen_seq_show_full(struct for (tier = 0; tier < MAX_NR_TIERS; tier++) { seq_printf(m, " %10d", tier); for (type = 0; type < ANON_AND_FILE; type++) { - const char *s = " "; + const char *s = "xxx"; unsigned long n[3] = {}; if (seq == max_seq) { - s = "RT "; + s = "RTx"; n[0] = READ_ONCE(lrugen->avg_refaulted[type][tier]); n[1] = READ_ONCE(lrugen->avg_total[type][tier]); } else if (seq == min_seq[type] || NR_HIST_GENS > 1) { @@ -5280,14 +5276,14 @@ static void lru_gen_seq_show_full(struct seq_puts(m, " "); for (i = 0; i < NR_MM_STATS; i++) { - const char *s = " "; + const char *s = "xxxx"; unsigned long n = 0; if (seq == max_seq && NR_HIST_GENS == 1) { - s = "LOYNFA"; + s = "TYFA"; n = READ_ONCE(mm_state->stats[hist][i]); } else if (seq != max_seq && NR_HIST_GENS > 1) { - s = "loynfa"; + s = "tyfa"; n = READ_ONCE(mm_state->stats[hist][i]); } _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-page_alloc-keep-track-of-free-highatomic.patch

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-allow-set-clear-page_type-again.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: allow set/clear page_type again has been removed from the -mm tree. Its filename was mm-allow-set-clear-page_type-again.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm: allow set/clear page_type again Date: Sat, 19 Oct 2024 22:22:12 -0600 Some page flags (page->flags) were converted to page types (page->page_types). A recent example is PG_hugetlb. From the exclusive writer's perspective, e.g., a thread doing __folio_set_hugetlb(), there is a difference between the page flag and type APIs: the former allows the same non-atomic operation to be repeated whereas the latter does not. For example, calling __folio_set_hugetlb() twice triggers VM_BUG_ON_FOLIO(), since the second call expects the type (PG_hugetlb) not to be set previously. Using add_hugetlb_folio() as an example, it calls __folio_set_hugetlb() in the following error-handling path. And when that happens, it triggers the aforementioned VM_BUG_ON_FOLIO(). if (folio_test_hugetlb(folio)) { rc = hugetlb_vmemmap_restore_folio(h, folio); if (rc) { spin_lock_irq(&hugetlb_lock); add_hugetlb_folio(h, folio, false); ... It is possible to make hugeTLB comply with the new requirements from the page type API. However, a straightforward fix would be to just allow the same page type to be set or cleared again inside the API, to avoid any changes to its callers. Link: https://lkml.kernel.org/r/20241020042212.296781-1-yuzhao@google.com Fixes: d99e3140a4d3 ("mm: turn folio_test_hugetlb into a PageType") Signed-off-by: Yu Zhao <yuzhao(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page-flags.h | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/include/linux/page-flags.h~mm-allow-set-clear-page_type-again +++ a/include/linux/page-flags.h @@ -975,12 +975,16 @@ static __always_inline bool folio_test_# } \ static __always_inline void __folio_set_##fname(struct folio *folio) \ { \ + if (folio_test_##fname(folio)) \ + return; \ VM_BUG_ON_FOLIO(data_race(folio->page.page_type) != UINT_MAX, \ folio); \ folio->page.page_type = (unsigned int)PGTY_##lname << 24; \ } \ static __always_inline void __folio_clear_##fname(struct folio *folio) \ { \ + if (folio->page.page_type == UINT_MAX) \ + return; \ VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \ folio->page.page_type = UINT_MAX; \ } @@ -993,11 +997,15 @@ static __always_inline int Page##uname(c } \ static __always_inline void __SetPage##uname(struct page *page) \ { \ + if (Page##uname(page)) \ + return; \ VM_BUG_ON_PAGE(data_race(page->page_type) != UINT_MAX, page); \ page->page_type = (unsigned int)PGTY_##lname << 24; \ } \ static __always_inline void __ClearPage##uname(struct page *page) \ { \ + if (page->page_type == UINT_MAX) \ + return; \ VM_BUG_ON_PAGE(!Page##uname(page), page); \ page->page_type = UINT_MAX; \ } _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-page_alloc-keep-track-of-free-highatomic.patch

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: nilfs2: fix potential deadlock with newly created symlinks has been removed from the -mm tree. Its filename was nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix potential deadlock with newly created symlinks Date: Sun, 20 Oct 2024 13:51:28 +0900 Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers memory reclamation involving the filesystem layer, which can result in circular lock dependencies among the reader/writer semaphore nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the fs_reclaim pseudo lock. This is because after commit 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem"), the gfp flags of the page cache for symbolic links are overwritten to GFP_KERNEL via inode_nohighmem(). This is not a problem for symlinks read from the backing device, because the __GFP_FS flag is dropped after inode_nohighmem() is called. However, when a new symlink is created with nilfs_symlink(), the gfp flags remain overwritten to GFP_KERNEL. Then, memory allocation called from page_symlink() etc. triggers memory reclamation including the FS layer, which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can cause a deadlock if they are called while nilfs->ns_segctor_sem is held: Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags of newly created symlinks in the same way that nilfs_new_inode() and __nilfs_read_inode() do, as a workaround until we adopt nofs allocation scope consistently or improve the locking constraints. Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+9ef37ac20608f4836256(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256 Tested-by: syzbot+9ef37ac20608f4836256(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/namei.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/nilfs2/namei.c~nilfs2-fix-potential-deadlock-with-newly-created-symlinks +++ a/fs/nilfs2/namei.c @@ -157,6 +157,9 @@ static int nilfs_symlink(struct mnt_idma /* slow symlink */ inode->i_op = &nilfs_symlink_inode_operations; inode_nohighmem(inode); + mapping_set_gfp_mask(inode->i_mapping, + mapping_gfp_constraint(inode->i_mapping, + ~__GFP_FS)); inode->i_mapping->a_ops = &nilfs_aops; err = page_symlink(inode, symname, l); if (err) _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-convert-segment-buffer-to-be-folio-based.patch nilfs2-convert-common-metadata-file-code-to-be-folio-based.patch nilfs2-convert-segment-usage-file-to-be-folio-based.patch nilfs2-convert-persistent-object-allocator-to-be-folio-based.patch nilfs2-convert-inode-file-to-be-folio-based.patch nilfs2-convert-dat-file-to-be-folio-based.patch nilfs2-remove-nilfs_palloc_block_get_entry.patch nilfs2-convert-checkpoint-file-to-be-folio-based.patch

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] kasan-remove-vmalloc_percpu-test.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kasan: remove vmalloc_percpu test has been removed from the -mm tree. Its filename was kasan-remove-vmalloc_percpu-test.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrey Konovalov <andreyknvl(a)gmail.com> Subject: kasan: remove vmalloc_percpu test Date: Tue, 22 Oct 2024 18:07:06 +0200 Commit 1a2473f0cbc0 ("kasan: improve vmalloc tests") added the vmalloc_percpu KASAN test with the assumption that __alloc_percpu always uses vmalloc internally, which is tagged by KASAN. However, __alloc_percpu might allocate memory from the first per-CPU chunk, which is not allocated via vmalloc(). As a result, the test might fail. Remove the test until proper KASAN annotation for the per-CPU allocated are added; tracked in https://bugzilla.kernel.org/show_bug.cgi?id=215019. Link: https://lkml.kernel.org/r/20241022160706.38943-1-andrey.konovalov@linux.dev Fixes: 1a2473f0cbc0 ("kasan: improve vmalloc tests") Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> Reported-by: Samuel Holland <samuel.holland(a)sifive.com> Link: https://lore.kernel.org/all/4a245fff-cc46-44d1-a5f9-fd2f1c3764ae@sifive.com/ Reported-by: Sabyrzhan Tasbolatov <snovitoll(a)gmail.com> Link: https://lore.kernel.org/all/CACzwLxiWzNqPBp4C1VkaXZ2wDwvY3yZeetCi1TLGFipKW7… Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Sabyrzhan Tasbolatov <snovitoll(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan_test_c.c | 27 --------------------------- 1 file changed, 27 deletions(-) --- a/mm/kasan/kasan_test_c.c~kasan-remove-vmalloc_percpu-test +++ a/mm/kasan/kasan_test_c.c @@ -1810,32 +1810,6 @@ static void vm_map_ram_tags(struct kunit free_pages((unsigned long)p_ptr, 1); } -static void vmalloc_percpu(struct kunit *test) -{ - char __percpu *ptr; - int cpu; - - /* - * This test is specifically crafted for the software tag-based mode, - * the only tag-based mode that poisons percpu mappings. - */ - KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS); - - ptr = __alloc_percpu(PAGE_SIZE, PAGE_SIZE); - - for_each_possible_cpu(cpu) { - char *c_ptr = per_cpu_ptr(ptr, cpu); - - KUNIT_EXPECT_GE(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_MIN); - KUNIT_EXPECT_LT(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_KERNEL); - - /* Make sure that in-bounds accesses don't crash the kernel. */ - *c_ptr = 0; - } - - free_percpu(ptr); -} - /* * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN, * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based @@ -2023,7 +1997,6 @@ static struct kunit_case kasan_kunit_tes KUNIT_CASE(vmalloc_oob), KUNIT_CASE(vmap_tags), KUNIT_CASE(vm_map_ram_tags), - KUNIT_CASE(vmalloc_percpu), KUNIT_CASE(match_all_not_assigned), KUNIT_CASE(match_all_ptr_tag), KUNIT_CASE(match_all_mem_tag), _ Patches currently in -mm which might be from andreyknvl(a)gmail.com are

10 months, 4 weeks

1
0
0 0

[merged mm-hotfixes-stable] tools-mm-werror-fixes-in-page-types-slabinfo.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: tools/mm: -Werror fixes in page-types/slabinfo has been removed from the -mm tree. Its filename was tools-mm-werror-fixes-in-page-types-slabinfo.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wladislav Wiebe <wladislav.kw(a)gmail.com> Subject: tools/mm: -Werror fixes in page-types/slabinfo Date: Tue, 22 Oct 2024 19:21:13 +0200 Commit e6d2c436ff693 ("tools/mm: allow users to provide additional cflags/ldflags") passes now CFLAGS to Makefile. With this, build systems with default -Werror enabled found: slabinfo.c:1300:25: error: ignoring return value of 'chdir' declared with attribute 'warn_unused_result' [-Werror=unused-result] �� chdir(".."); �� ^~~~~~~~~~~ page-types.c:397:35: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'uint64_t' {aka 'long long unsigned int'} [-Werror=format=] �� printf("%lu\t", mapcnt0); �� ~~^�� ~~~~~~~ .. Fix page-types by using PRIu64 for uint64_t prints and check in slabinfo for return code on chdir(".."). Link: https://lkml.kernel.org/r/c1ceb507-94bc-461c-934d-c19b77edd825@gmail.com Fixes: e6d2c436ff69 ("tools/mm: allow users to provide additional cflags/ldflags") Signed-off-by: Wladislav Wiebe <wladislav.kw(a)gmail.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Herton R. Krzesinski <herton(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/mm/page-types.c | 9 +++++---- tools/mm/slabinfo.c | 4 +++- 2 files changed, 8 insertions(+), 5 deletions(-) --- a/tools/mm/page-types.c~tools-mm-werror-fixes-in-page-types-slabinfo +++ a/tools/mm/page-types.c @@ -22,6 +22,7 @@ #include <time.h> #include <setjmp.h> #include <signal.h> +#include <inttypes.h> #include <sys/types.h> #include <sys/errno.h> #include <sys/fcntl.h> @@ -391,9 +392,9 @@ static void show_page_range(unsigned lon if (opt_file) printf("%lx\t", voff); if (opt_list_cgroup) - printf("@%llu\t", (unsigned long long)cgroup0); + printf("@%" PRIu64 "\t", cgroup0); if (opt_list_mapcnt) - printf("%lu\t", mapcnt0); + printf("%" PRIu64 "\t", mapcnt0); printf("%lx\t%lx\t%s\n", index, count, page_flag_name(flags0)); } @@ -419,9 +420,9 @@ static void show_page(unsigned long voff if (opt_file) printf("%lx\t", voffset); if (opt_list_cgroup) - printf("@%llu\t", (unsigned long long)cgroup); + printf("@%" PRIu64 "\t", cgroup) if (opt_list_mapcnt) - printf("%lu\t", mapcnt); + printf("%" PRIu64 "\t", mapcnt); printf("%lx\t%s\n", offset, page_flag_name(flags)); } --- a/tools/mm/slabinfo.c~tools-mm-werror-fixes-in-page-types-slabinfo +++ a/tools/mm/slabinfo.c @@ -1297,7 +1297,9 @@ static void read_slab_dir(void) slab->cpu_partial_free = get_obj("cpu_partial_free"); slab->alloc_node_mismatch = get_obj("alloc_node_mismatch"); slab->deactivate_bypass = get_obj("deactivate_bypass"); - chdir(".."); + if (chdir("..")) + fatal("Unable to chdir from slab ../%s\n", + slab->name); if (slab->name[0] == ':') alias_targets++; slab++; _ Patches currently in -mm which might be from wladislav.kw(a)gmail.com are

10 months, 4 weeks

1
0
0 0

[PATCH 6.1] Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails

by Xiangyu Chen

From: Rick Edgecombe <rick.p.edgecombe(a)intel.com> [ Upstream commit 03f5a999adba062456c8c818a683beb1b498983a ] In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens. Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Link: https://lore.kernel.org/r/20240311161558.1310-2-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240311161558.1310-2-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Xiangyu: bp to fix CVE-2024-36913, resolved minor conflicts] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/hv/connection.c | 66 ++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 24 deletions(-) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index da51b50787df..23fb0df9d350 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -243,8 +243,17 @@ int vmbus_connect(void) ret |= set_memory_decrypted((unsigned long) vmbus_connection.monitor_pages[1], 1); - if (ret) + if (ret) { + /* + * If set_memory_decrypted() fails, the encryption state + * of the memory is unknown. So leak the memory instead + * of risking returning decrypted memory to the free list. + * For simplicity, always handle both pages the same. + */ + vmbus_connection.monitor_pages[0] = NULL; + vmbus_connection.monitor_pages[1] = NULL; goto cleanup; + } /* * Isolation VM with AMD SNP needs to access monitor page via @@ -377,30 +386,39 @@ void vmbus_disconnect(void) } if (hv_is_isolation_supported()) { - /* - * memunmap() checks input address is ioremap address or not - * inside. It doesn't unmap any thing in the non-SNP CVM and - * so not check CVM type here. - */ - memunmap(vmbus_connection.monitor_pages[0]); - memunmap(vmbus_connection.monitor_pages[1]); - - set_memory_encrypted((unsigned long) - vmbus_connection.monitor_pages_original[0], - 1); - set_memory_encrypted((unsigned long) - vmbus_connection.monitor_pages_original[1], - 1); - } + if(vmbus_connection.monitor_pages[0]) { + /* + * memunmap() checks input address is ioremap address or not + * inside. It doesn't unmap any thing in the non-SNP CVM and + * so not check CVM type here. + */ + memunmap(vmbus_connection.monitor_pages[0]); + if (!set_memory_encrypted((unsigned long) + vmbus_connection.monitor_pages_original[0], 1)) + hv_free_hyperv_page((unsigned long)vmbus_connection.monitor_pages[0]); + vmbus_connection.monitor_pages_original[0] = + vmbus_connection.monitor_pages[0] = NULL; + } + + if(vmbus_connection.monitor_pages[1]) { + memunmap(vmbus_connection.monitor_pages[1]); + if (!set_memory_encrypted((unsigned long) + vmbus_connection.monitor_pages_original[1], 1)) + hv_free_hyperv_page((unsigned long)vmbus_connection.monitor_pages[1]); + vmbus_connection.monitor_pages_original[1] = + vmbus_connection.monitor_pages[1] = NULL; + } + } else { - hv_free_hyperv_page((unsigned long) - vmbus_connection.monitor_pages_original[0]); - hv_free_hyperv_page((unsigned long) - vmbus_connection.monitor_pages_original[1]); - vmbus_connection.monitor_pages_original[0] = - vmbus_connection.monitor_pages[0] = NULL; - vmbus_connection.monitor_pages_original[1] = - vmbus_connection.monitor_pages[1] = NULL; + hv_free_hyperv_page((unsigned long) + vmbus_connection.monitor_pages_original[0]); + hv_free_hyperv_page((unsigned long) + vmbus_connection.monitor_pages_original[1]); + vmbus_connection.monitor_pages_original[0] = + vmbus_connection.monitor_pages[0] = NULL; + vmbus_connection.monitor_pages_original[1] = + vmbus_connection.monitor_pages[1] = NULL; + } } /* -- 2.43.0

10 months, 4 weeks

1
0
0 0

[PATCH v2] tpm: Lock TPM chip in tpm_pm_suspend() first

by Jarkko Sakkinen

Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according to the bug report, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. To address this, lock the TPM chip before checking any possible flags. This will guarantee that tpm_hwrng_read() and tpm_pm_suspend() won't conflict with each other. Cc: stable(a)vger.kernel.org # v6.4+ Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume") Reported-by: Mike Seo <mikeseohyungjin(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383 Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: - Addressed my own remark: https://lore.kernel.org/linux-integrity/D59JAI6RR2CD.G5E5T4ZCZ49W@kernel.or… --- drivers/char/tpm/tpm-interface.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 8134f002b121..e37fcf9361bc 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -370,6 +370,13 @@ int tpm_pm_suspend(struct device *dev) if (!chip) return -ENODEV; + rc = tpm_try_get_ops(chip); + if (rc) { + /* Can be safely set out of locks, as no action cannot race: */ + chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) goto suspended; @@ -377,23 +384,22 @@ int tpm_pm_suspend(struct device *dev) !pm_suspend_via_firmware()) goto suspended; - rc = tpm_try_get_ops(chip); - if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) { - tpm2_end_auth_session(chip); - tpm2_shutdown(chip, TPM2_SU_STATE); - } else { - rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); - } - - tpm_put_ops(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); + tpm2_shutdown(chip, TPM2_SU_STATE); + goto suspended; } + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + suspended: chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + tpm_put_ops(chip); +out: if (rc) dev_err(dev, "Ignoring error %d while suspending\n", rc); + return 0; } EXPORT_SYMBOL_GPL(tpm_pm_suspend); -- 2.47.0

10 months, 4 weeks

1
0
0 0

[PATCH v8 2/3] tpm: Rollback tpm2_load_null()

by Jarkko Sakkinen

Do not continue on tpm2_create_primary() failure in tpm2_load_null(). Cc: stable(a)vger.kernel.org # v6.10+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Reviewed-by: Stefan Berger <stefanb(a)linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v8: - Fix stray character in a log message. v7: - No changes. v6: - Address Stefan's remark: https://lore.kernel.org/linux-integrity/def4ec2d-584b-405f-9d5e-99267013c3c… v5: - Fix the TPM error code leak from tpm2_load_context(). v4: - No changes. v3: - Update log messages. Previously the log message incorrectly stated on load failure that integrity check had been failed, even tho the check is done *after* the load operation. v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 44 +++++++++++++++++--------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a0306126e86c..950a3e48293b 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -915,33 +915,37 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) - return rc; + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; + goto err; + } - /* an integrity failure may mean the TPM has been reset */ - dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ - return rc; - /* - * Fatal TPM failure: the NULL seed has actually changed, so - * the TPM must have been illegally reset. All in-kernel TPM - * operations will fail because the NULL primary can't be - * loaded to salt the sessions, but disable the TPM anyway so - * userspace programmes can't be compromised by it. - */ - dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); + /* Try to re-create null key, given the integrity failure: */ + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) + goto err; + + /* Return null key if the name has not been changed: */ + if (!memcmp(name, chip->null_key_name, sizeof(name))) { + *null_key = tmp_null_key; + return 0; + } + + /* Deduce from the name change TPM interference: */ + dev_err(&chip->dev, "null key integrity check failed\n"); + tpm2_flush_context(chip, tmp_null_key); chip->flags |= TPM_CHIP_FLAG_DISABLE; - return rc; +err: + return rc ? -ENODEV : 0; } /** -- 2.47.0

10 months, 4 weeks

3
7
0 0

+ mm-mlock-set-the-correct-prev-on-failure.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/mlock: set the correct prev on failure has been added to the -mm mm-unstable branch. Its filename is mm-mlock-set-the-correct-prev-on-failure.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: mm/mlock: set the correct prev on failure Date: Sun, 27 Oct 2024 12:33:21 +0000 After commit 94d7d9233951 ("mm: abstract the vma_merge()/split_vma() pattern for mprotect() et al."), if vma_modify_flags() return error, the vma is set to an error code. This will lead to an invalid prev be returned. Generally this shouldn't matter as the caller should treat an error as indicating state is now invalidated, however unfortunately apply_mlockall_flags() does not check for errors and assumes that mlock_fixup() correctly maintains prev even if an error were to occur. This patch fixes that assumption. [lorenzo.stoakes(a)oracle.com: provide a better fix and rephrase the log] Link: https://lkml.kernel.org/r/20241027123321.19511-1-richard.weiyang@gmail.com Fixes: 94d7d9233951 ("mm: abstract the vma_merge()/split_vma() pattern for mprotect() et al.") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mlock.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/mm/mlock.c~mm-mlock-set-the-correct-prev-on-failure +++ a/mm/mlock.c @@ -725,14 +725,17 @@ static int apply_mlockall_flags(int flag } for_each_vma(vmi, vma) { + int error; vm_flags_t newflags; newflags = vma->vm_flags & ~VM_LOCKED_MASK; newflags |= to_add; - /* Ignore errors */ - mlock_fixup(&vmi, vma, &prev, vma->vm_start, vma->vm_end, - newflags); + error = mlock_fixup(&vmi, vma, &prev, vma->vm_start, vma->vm_end, + newflags); + /* Ignore errors, but prev needs fixing up. */ + if (error) + prev = vma; cond_resched(); } out: _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are maple_tree-i-is-always-less-than-or-equal-to-mas_end.patch maple_tree-goto-complete-directly-on-a-pivot-of-0.patch maple_tree-remove-maple_big_nodeparent.patch maple_tree-memset-maple_big_node-as-a-whole.patch maple_tree-root-node-could-be-handled-by-p_slot-too.patch maple_tree-clear-request_count-for-new-allocated-one.patch maple_tree-total-is-not-changed-for-nomem_one-case.patch maple_tree-simplify-mas_push_node.patch maple_tree-calculate-new_end-when-needed.patch maple_tree-remove-sanity-check-from-mas_wr_slot_store.patch mm-vma-the-pgoff-is-correct-if-can_merge_right.patch mm-mlock-set-the-correct-prev-on-failure.patch

10 months, 4 weeks

2
2
0 0

[PATCH 0/2] clk: renesas: cpg-mssr: fix 'soc' node handling and automate cleanup

by Javier Carrasco

This series releases the 'soc' device_node when it is no longer required by adding the missing calls to of_node_put() to make the fix compatible with all affected stable kernels. Then, the more robust approach via cleanup attribute is used to simplify the handling and prevent issues if the loop gets new execution paths. These issues were found while analyzing the code, and the patches have been successfully compiled, but not tested on real hardware as I don't have access to it. Any volunteering for testing is always more than welcome. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): clk: renesas: cpg-mssr: fix 'soc' node handling in cpg_mssr_reserved_init() clk: renesas: cpg-mssr: automate 'soc' node release in cpg_mssr_reserved_init() drivers/clk/renesas/renesas-cpg-mssr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- base-commit: 86e3904dcdc7e70e3257fc1de294a1b75f3d8d04 change-id: 20241031-clk-renesas-cpg-mssr-cleanup-1933df63bc9c Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 4 weeks

1
1
0 0

[PATCH] drm/i915/color: Stop using non-posted DSB writes for legacy LUT

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Apparently using non-posted DSB writes to update the legacy LUT can cause CPU MMIO accesses to fail on TGL. Stop using them for the legacy LUT updates, and instead switch to using the double write approach (which is the other empirically found workaround for the issue of DSB failing to correctly update the legacy LUT). Cc: stable(a)vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12494 Fixes: 25ea3411bd23 ("drm/i915/dsb: Use non-posted register writes for legacy LUT") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_color.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_color.c b/drivers/gpu/drm/i915/display/intel_color.c index 174753625bca..aa50ecaf368d 100644 --- a/drivers/gpu/drm/i915/display/intel_color.c +++ b/drivers/gpu/drm/i915/display/intel_color.c @@ -1357,19 +1357,19 @@ static void ilk_load_lut_8(const struct intel_crtc_state *crtc_state, lut = blob->data; /* - * DSB fails to correctly load the legacy LUT - * unless we either write each entry twice, - * or use non-posted writes + * DSB fails to correctly load the legacy LUT unless + * we either write each entry twice, or use non-posted + * writes. However using non-posted writes can cause + * CPU MMIO accesses to fail on TGL, so we choose to + * use the double write approach. */ - if (crtc_state->dsb_color_vblank) - intel_dsb_nonpost_start(crtc_state->dsb_color_vblank); - - for (i = 0; i < 256; i++) + for (i = 0; i < 256; i++) { ilk_lut_write(crtc_state, LGC_PALETTE(pipe, i), i9xx_lut_8(&lut[i])); - - if (crtc_state->dsb_color_vblank) - intel_dsb_nonpost_end(crtc_state->dsb_color_vblank); + if (crtc_state->dsb_color_vblank) + ilk_lut_write(crtc_state, LGC_PALETTE(pipe, i), + i9xx_lut_8(&lut[i])); + } } static void ilk_load_lut_10(const struct intel_crtc_state *crtc_state, -- 2.45.2

10 months, 4 weeks

1
0
0 0

[PATCH] arm64/signal: Avoid corruption of SME state when entering signal handler

by Mark Brown

When we enter a signal handler we exit streaming mode in order to ensure that signal handlers can run normal FPSIMD code, and while we're at it we also clear PSTATE.ZA. Currently the code in setup_return() updates both the in memory copy of the state and the register state. Not only is this redundant it can also lead to corruption if we are preempted. Consider two tasks on one CPU: A: Begins signal entry in kernel mode, is preempted prior to SMSTOP. B: Using SM and/or ZA in userspace with register state current on the CPU, is preempted. A: Scheduled in, no register state changes made as in kernel mode. A: Executes SMSTOP, modifying live register state. A: Scheduled out. B: Scheduled in, fpsimd_thread_switch() sees the register state on the CPU is tracked as being that for task B so the state is not reloaded prior to returning to userspace. Task B is now running with SM and ZA incorrectly cleared. Fix this by check TIF_FOREIGN_FPSTATE and only updating one of the live register context or the in memory copy when entering a signal handler. Since this needs to happen atomically and all code that atomically accesses FP state is in fpsimd.c also move the code there to ensure consistency. This race has been observed intermittently with fp-stress, especially with preempt disabled. Fixes: 40a8e87bb3285 ("arm64/sme: Disable ZA and streaming mode when handling signals") Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/include/asm/fpsimd.h | 1 + arch/arm64/kernel/fpsimd.c | 30 ++++++++++++++++++++++++++++++ arch/arm64/kernel/signal.c | 19 +------------------ 3 files changed, 32 insertions(+), 18 deletions(-) diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h index f2a84efc361858d4deda99faf1967cc7cac386c1..09af7cfd9f6c2cec26332caa4c254976e117b1bf 100644 --- a/arch/arm64/include/asm/fpsimd.h +++ b/arch/arm64/include/asm/fpsimd.h @@ -76,6 +76,7 @@ extern void fpsimd_load_state(struct user_fpsimd_state *state); extern void fpsimd_thread_switch(struct task_struct *next); extern void fpsimd_flush_thread(void); +extern void fpsimd_enter_sighandler(void); extern void fpsimd_signal_preserve_current_state(void); extern void fpsimd_preserve_current_state(void); extern void fpsimd_restore_current_state(void); diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index 77006df20a75aee7c991cf116b6d06bfe953d1a4..e6b086dc09f21e7f30df32ab4f6875b53c4228fd 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1693,6 +1693,36 @@ void fpsimd_signal_preserve_current_state(void) sve_to_fpsimd(current); } +/* + * Called by the signal handling code when preparing current to enter + * a signal handler. Currently this only needs to take care of exiting + * streaming mode and clearing ZA on SME systems. + */ +void fpsimd_enter_sighandler(void) +{ + if (!system_supports_sme()) + return; + + get_cpu_fpsimd_context(); + + if (test_thread_flag(TIF_FOREIGN_FPSTATE)) { + /* Exiting streaming mode zeros the FPSIMD state */ + if (current->thread.svcr & SVCR_SM_MASK) { + memset(&current->thread.uw.fpsimd_state, 0, + sizeof(current->thread.uw.fpsimd_state)); + current->thread.fp_type = FP_STATE_FPSIMD; + } + + current->thread.svcr &= ~(SVCR_ZA_MASK | + SVCR_SM_MASK); + } else { + /* The register state is current, just update it. */ + sme_smstop(); + } + + put_cpu_fpsimd_context(); +} + /* * Called by KVM when entering the guest. */ diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 5619869475304776fc005fe24a385bf86bfdd253..fe07d0bd9f7978d73973f07ce38b7bdd7914abb2 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -1218,24 +1218,7 @@ static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, /* TCO (Tag Check Override) always cleared for signal handlers */ regs->pstate &= ~PSR_TCO_BIT; - /* Signal handlers are invoked with ZA and streaming mode disabled */ - if (system_supports_sme()) { - /* - * If we were in streaming mode the saved register - * state was SVE but we will exit SM and use the - * FPSIMD register state - flush the saved FPSIMD - * register state in case it gets loaded. - */ - if (current->thread.svcr & SVCR_SM_MASK) { - memset(&current->thread.uw.fpsimd_state, 0, - sizeof(current->thread.uw.fpsimd_state)); - current->thread.fp_type = FP_STATE_FPSIMD; - } - - current->thread.svcr &= ~(SVCR_ZA_MASK | - SVCR_SM_MASK); - sme_smstop(); - } + fpsimd_enter_sighandler(); if (system_supports_poe()) write_sysreg_s(POR_EL0_INIT, SYS_POR_EL0); --- base-commit: 8e929cb546ee42c9a61d24fae60605e9e3192354 change-id: 20241023-arm64-fp-sme-sigentry-a2bd7187e71b Best regards, -- Mark Brown <broonie(a)kernel.org>

10 months, 4 weeks

2
2
0 0

[PATCH] drm/amdgpu: fix random data corruption for sdma 7

by Alex Deucher

From: Frank Min <Frank.Min(a)amd.com> There is random data corruption caused by const fill, this is caused by write compression mode not correctly configured. So correct compression mode for const fill. Signed-off-by: Frank Min <Frank.Min(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 75400f8d6e36afc88d59db8a1f3e4b7d90d836ad) Cc: stable(a)vger.kernel.org # 6.11.x (cherry picked from commit 108bc59fe817686a59d2008f217bad38a5cf4427) --- drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c index 403c177f2434..bbf43e668c1c 100644 --- a/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c @@ -51,6 +51,12 @@ MODULE_FIRMWARE("amdgpu/sdma_7_0_1.bin"); #define SDMA0_HYP_DEC_REG_END 0x589a #define SDMA1_HYP_DEC_REG_OFFSET 0x20 +/*define for compression field for sdma7*/ +#define SDMA_PKT_CONSTANT_FILL_HEADER_compress_offset 0 +#define SDMA_PKT_CONSTANT_FILL_HEADER_compress_mask 0x00000001 +#define SDMA_PKT_CONSTANT_FILL_HEADER_compress_shift 16 +#define SDMA_PKT_CONSTANT_FILL_HEADER_COMPRESS(x) (((x) & SDMA_PKT_CONSTANT_FILL_HEADER_compress_mask) << SDMA_PKT_CONSTANT_FILL_HEADER_compress_shift) + static void sdma_v7_0_set_ring_funcs(struct amdgpu_device *adev); static void sdma_v7_0_set_buffer_funcs(struct amdgpu_device *adev); static void sdma_v7_0_set_vm_pte_funcs(struct amdgpu_device *adev); @@ -1611,7 +1617,8 @@ static void sdma_v7_0_emit_fill_buffer(struct amdgpu_ib *ib, uint64_t dst_offset, uint32_t byte_count) { - ib->ptr[ib->length_dw++] = SDMA_PKT_COPY_LINEAR_HEADER_OP(SDMA_OP_CONST_FILL); + ib->ptr[ib->length_dw++] = SDMA_PKT_CONSTANT_FILL_HEADER_OP(SDMA_OP_CONST_FILL) | + SDMA_PKT_CONSTANT_FILL_HEADER_COMPRESS(1); ib->ptr[ib->length_dw++] = lower_32_bits(dst_offset); ib->ptr[ib->length_dw++] = upper_32_bits(dst_offset); ib->ptr[ib->length_dw++] = src_data; -- 2.47.0

10 months, 4 weeks

1
0
0 0

[PATCH 0/2] drivers: soc: atmel: fix device_node release in atmel_soc_device_init()

by Javier Carrasco

This series releases the np device_node when it is no longer required by adding the missing calls to of_node_put() to make the fix compatible with all affected stable kernels. Then, the more robust approach via cleanup attribute is used to simplify the handling and prevent issues if the loop gets new execution paths. These issues were found while analyzing the code, and the patches have been successfully compiled, but not tested on real hardware as I don't have access to it. Any volunteering for testing is always more than welcome. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): drivers: soc: atmel: fix device_node release in atmel_soc_device_init() drivers: soc: atmel: use automatic cleanup for device_node in atmel_soc_device_init() drivers/soc/atmel/soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- base-commit: 86e3904dcdc7e70e3257fc1de294a1b75f3d8d04 change-id: 20241030-soc-atmel-soc-cleanup-8fcf3029bb28 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 4 weeks

1
1
0 0

[PATCH 0/2] Bluetooth: btbcm: fix missing of_node_put() in btbcm_get_board_name()

by Javier Carrasco

This series fixes a missing call to of_node_put() in two steps: first adding the call (compatible with all affected kernels), and then moving to a more robust approach once the issue is fixed. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): Bluetooth: btbcm: fix missing of_node_put() in btbcm_get_board_name() Bluetooth: btbcm: automate node cleanup in btbcm_get_board_name() drivers/bluetooth/btbcm.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- base-commit: 6fb2fa9805c501d9ade047fc511961f3273cdcb5 change-id: 20241030-bluetooth-btbcm-node-cleanup-23d21a73870c Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 4 weeks

1
1
0 0

[PATCH net] mptcp: Ensure RCU read lock is held when calling mptcp_sched_find()

by Breno Leitao

The mptcp_sched_find() function must be called with the RCU read lock held, as it accesses RCU-protected data structures. This requirement was not properly enforced in the mptcp_init_sock() function, leading to a RCU list traversal in a non-reader section error when CONFIG_PROVE_RCU_LIST is enabled. net/mptcp/sched.c:44 RCU-list traversed in non-reader section!! Fix it by acquiring the RCU read lock before calling the mptcp_sched_find() function. This ensures that the function is invoked with the necessary RCU protection in place, as it accesses RCU-protected data structures. Additionally, the patch breaks down the mptcp_init_sched() call into smaller parts, with the RCU read lock only covering the specific call to mptcp_sched_find(). This helps minimize the critical section, reducing the time during which RCU grace periods are blocked. The mptcp_sched_list_lock is not held in this case, and it is not clear if it is necessary. Signed-off-by: Breno Leitao <leitao(a)debian.org> Fixes: 1730b2b2c5a5 ("mptcp: add sched in mptcp_sock") Cc: stable(a)vger.kernel.org --- net/mptcp/protocol.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 6d0e201c3eb2..8ece630f80d4 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2854,6 +2854,7 @@ static void mptcp_ca_reset(struct sock *sk) static int mptcp_init_sock(struct sock *sk) { struct net *net = sock_net(sk); + struct mptcp_sched_ops *sched; int ret; __mptcp_init_sock(sk); @@ -2864,8 +2865,10 @@ static int mptcp_init_sock(struct sock *sk) if (unlikely(!net->mib.mptcp_statistics) && !mptcp_mib_alloc(net)) return -ENOMEM; - ret = mptcp_init_sched(mptcp_sk(sk), - mptcp_sched_find(mptcp_get_scheduler(net))); + rcu_read_lock(); + sched = mptcp_sched_find(mptcp_get_scheduler(net)); + rcu_read_unlock(); + ret = mptcp_init_sched(mptcp_sk(sk), sched); if (ret) return ret; -- 2.43.5

10 months, 4 weeks

3
5
0 0

[PATCH v3 0/6] phy: core: Fix bugs for several APIs and simplify an API

by Zijun Hu

This patch series is to fix bugs for below APIs: devm_phy_put() devm_of_phy_provider_unregister() devm_phy_destroy() phy_get() of_phy_get() devm_phy_get() devm_of_phy_get() devm_of_phy_get_by_index() And simplify below API: of_phy_simple_xlate(). Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v3: - Correct commit message based on Johan's suggestions for patches 1/6-3/6. - Use goto label solution suggested by Johan for patch 1/6, also correct commit message and remove the inline comment for it. - Link to v2: https://lore.kernel.org/r/20241024-phy_core_fix-v2-0-fc0c63dbfcf3@quicinc.c… Changes in v2: - Correct title, commit message, and inline comments. - Link to v1: https://lore.kernel.org/r/20241020-phy_core_fix-v1-0-078062f7da71@quicinc.c… --- Zijun Hu (6): phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Simplify API of_phy_simple_xlate() implementation drivers/phy/phy-core.c | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) --- base-commit: e70d2677ef4088d59158739d72b67ac36d1b132b change-id: 20241020-phy_core_fix-e3ad65db98f7 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

10 months, 4 weeks

2
7
0 0

[PATCH] wifi: rtlwifi: Drastically reduce the attempts to read efuse bytes in case of failures

by Guilherme G. Piccoli

Syzkaller reported a hung task with uevent_show() on stack trace. That specific issue was addressed by another commit [0], but even with that fix applied (for example, running v6.12-rc4) we face another type of hung task that comes from the same reproducer [1]. By investigating that, we could narrow it to the following path: (a) Syzkaller emulates a Realtek USB WiFi adapter using raw-gadget and dummy_hcd infrastructure. (b) During the probe of rtl8192cu, the driver ends-up performing an efuse read procedure (which is related to EEPROM load IIUC), and here lies the issue: the function read_efuse() calls read_efuse_byte() many times, as loop iterations depending on the efuse size (in our example, 512 in total). This procedure for reading efuse bytes relies in a loop that performs an I/O read up to *10k* times in case of failures. We measured the time of the loop inside read_efuse_byte() alone, and in this reproducer (which involves the dummy_hcd emulation layer), it takes 15 seconds each. As a consequence, we have the driver stuck in its probe routine for big time, exposing a stack trace like below if we attempt to reboot the system, for example: task:kworker/0:3 state:D stack:0 pid:662 tgid:662 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: __schedule+0xe22/0xeb6 schedule_timeout+0xe7/0x132 __wait_for_common+0xb5/0x12e usb_start_wait_urb+0xc5/0x1ef ? usb_alloc_urb+0x95/0xa4 usb_control_msg+0xff/0x184 _usbctrl_vendorreq_sync+0xa0/0x161 _usb_read_sync+0xb3/0xc5 read_efuse_byte+0x13c/0x146 read_efuse+0x351/0x5f0 efuse_read_all_map+0x42/0x52 rtl_efuse_shadow_map_update+0x60/0xef rtl_get_hwinfo+0x5d/0x1c2 rtl92cu_read_eeprom_info+0x10a/0x8d5 ? rtl92c_read_chip_version+0x14f/0x17e rtl_usb_probe+0x323/0x851 usb_probe_interface+0x278/0x34b really_probe+0x202/0x4a4 __driver_probe_device+0x166/0x1b2 driver_probe_device+0x2f/0xd8 [...] We propose hereby to drastically reduce the attempts of doing the I/O read in case of failures, from 10000 to 10. With that, we got reponsiveness in the reproducer, while seems reasonable to believe that there's no sane device implementation in the field requiring this amount of retries at every I/O read in order to properly work. Based on that assumption it'd be good to have it backported to stable but maybe not since driver implementation (the 10k number comes from day 0), perhaps up to 6.x series makes sense. [0] Commit 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race"). [1] A note about that: this syzkaller report presents multiple reproducers that differs by the type of emulated USB device. For this specific case, check the entry from 2024/08/08 06:23 in the list of crashes; the C repro is available at https://syzkaller.appspot.com/text?tag=ReproC&x=1521fc83980000. Cc: stable(a)vger.kernel.org # v6.1+ Reported-by: syzbot+edd9fe0d3a65b14588d5(a)syzkaller.appspotmail.com Signed-off-by: Guilherme G. Piccoli <gpiccoli(a)igalia.com> --- drivers/net/wireless/realtek/rtlwifi/efuse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtlwifi/efuse.c b/drivers/net/wireless/realtek/rtlwifi/efuse.c index 82cf5fb5175f..2f75e376c0f6 100644 --- a/drivers/net/wireless/realtek/rtlwifi/efuse.c +++ b/drivers/net/wireless/realtek/rtlwifi/efuse.c @@ -178,7 +178,7 @@ void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) retry = 0; value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); - while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < 10000)) { + while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < 10)) { value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); retry++; -- 2.46.2

10 months, 4 weeks

3
9
0 0

[PATCH 1/1] nvmem: core: Check read_only flag for force_ro in bin_attr_nvmem_write()

by srinivas.kandagatla＠linaro.org

From: Marek Vasut <marex(a)denx.de> The bin_attr_nvmem_write() must check the read_only flag and block writes on read-only devices, now that a nvmem device can be switched between read-write and read-only mode at runtime using the force_ro attribute. Add the missing check. Fixes: 9d7eb234ac7a ("nvmem: core: Implement force_ro sysfs attribute") Cc: Stable(a)vger.kernel.org Signed-off-by: Marek Vasut <marex(a)denx.de> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- drivers/nvmem/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index 33ffa2aa4c11..e1a15fbc6ad0 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -267,7 +267,7 @@ static ssize_t bin_attr_nvmem_write(struct file *filp, struct kobject *kobj, count = round_down(count, nvmem->word_size); - if (!nvmem->reg_write) + if (!nvmem->reg_write || nvmem->read_only) return -EPERM; rc = nvmem_reg_write(nvmem, pos, buf, count); -- 2.25.1

10 months, 4 weeks

1
0
0 0

[PATCH v3] usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier

by Rex Nie

If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and txbuf_len are uninitialized. This commit stops to print uninitialized value and misleading/false data. --- V2 -> V3: - add changelog, add Fixes tag, add Cc stable ml. Thanks heikki - Link to v2: https://lore.kernel.org/all/20241030022753.2045-1-rex.nie@jaguarmicro.com/ V1 -> V2: - keep printout when data didn't transmit, thanks Bjorn, bod, greg k-h - Links: https://lore.kernel.org/all/b177e736-e640-47ed-9f1e-ee65971dfc9c@linaro.org/ Cc: stable(a)vger.kernel.org Fixes: a4422ff22142 (" usb: typec: qcom: Add Qualcomm PMIC Type-C driver") Signed-off-by: Rex Nie <rex.nie(a)jaguarmicro.com> --- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c index 5b7f52b74a40..726423684bae 100644 --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c @@ -227,6 +227,10 @@ qcom_pmic_typec_pdphy_pd_transmit_payload(struct pmic_typec_pdphy *pmic_typec_pd spin_lock_irqsave(&pmic_typec_pdphy->lock, flags); + hdr_len = sizeof(msg->header); + txbuf_len = pd_header_cnt_le(msg->header) * 4; + txsize_len = hdr_len + txbuf_len - 1; + ret = regmap_read(pmic_typec_pdphy->regmap, pmic_typec_pdphy->base + USB_PDPHY_RX_ACKNOWLEDGE_REG, &val); @@ -244,10 +248,6 @@ qcom_pmic_typec_pdphy_pd_transmit_payload(struct pmic_typec_pdphy *pmic_typec_pd if (ret) goto done; - hdr_len = sizeof(msg->header); - txbuf_len = pd_header_cnt_le(msg->header) * 4; - txsize_len = hdr_len + txbuf_len - 1; - /* Write message header sizeof(u16) to USB_PDPHY_TX_BUFFER_HDR_REG */ ret = regmap_bulk_write(pmic_typec_pdphy->regmap, pmic_typec_pdphy->base + USB_PDPHY_TX_BUFFER_HDR_REG, -- 2.17.1

10 months, 4 weeks

3
3
0 0

[PATCH v2 2/5] xhci: Don't issue Reset Device command to Etron xHCI host

by Kuangyi Chiang

Sometimes the hub driver does not recognize the USB device connected to the external USB2.0 hub when the system resumes from S4. After the SetPortFeature(PORT_RESET) request is completed, the hub driver calls the HCD reset_device callback, which will issue a Reset Device command and free all structures associated with endpoints that were disabled. This happens when the xHCI driver issue a Reset Device command to inform the Etron xHCI host that the USB device associated with a device slot has been reset. Seems that the Etron xHCI host can not perform this command correctly, affecting the USB device. To work around this, the xHCI driver should obtain a new device slot with reference to commit 651aaf36a7d7 ("usb: xhci: Handle USB transaction error on address command"), which is another way to inform the Etron xHCI host that the USB device has been reset. Add a new XHCI_ETRON_HOST quirk flag to invoke the workaround in xhci_discover_or_reset_device(). Fixes: 2a8f82c4ceaf ("USB: xhci: Notify the xHC when a device is reset.") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com> --- drivers/usb/host/xhci-pci.c | 1 + drivers/usb/host/xhci.c | 19 +++++++++++++++++++ drivers/usb/host/xhci.h | 1 + 3 files changed, 21 insertions(+) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index 33a6d99afc10..ddc9a82cceec 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -397,6 +397,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) if (pdev->vendor == PCI_VENDOR_ID_ETRON && (pdev->device == PCI_DEVICE_ID_EJ168 || pdev->device == PCI_DEVICE_ID_EJ188)) { + xhci->quirks |= XHCI_ETRON_HOST; xhci->quirks |= XHCI_RESET_ON_RESUME; xhci->quirks |= XHCI_BROKEN_STREAMS; } diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 899c0effb5d3..ef7ead6393d4 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3692,6 +3692,8 @@ void xhci_free_device_endpoint_resources(struct xhci_hcd *xhci, xhci->num_active_eps); } +static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev); + /* * This submits a Reset Device Command, which will set the device state to 0, * set the device address to 0, and disable all the endpoints except the default @@ -3762,6 +3764,23 @@ static int xhci_discover_or_reset_device(struct usb_hcd *hcd, SLOT_STATE_DISABLED) return 0; + if (xhci->quirks & XHCI_ETRON_HOST) { + /* + * Obtaining a new device slot to inform the xHCI host that + * the USB device has been reset. + */ + ret = xhci_disable_slot(xhci, udev->slot_id); + xhci_free_virt_device(xhci, udev->slot_id); + if (!ret) { + ret = xhci_alloc_dev(hcd, udev); + if (ret == 1) + ret = 0; + else + ret = -EINVAL; + } + return ret; + } + trace_xhci_discover_or_reset_device(slot_ctx); xhci_dbg(xhci, "Resetting device with slot ID %u\n", slot_id); diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index f0fb696d5619..4f5b732e8944 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1624,6 +1624,7 @@ struct xhci_hcd { #define XHCI_ZHAOXIN_HOST BIT_ULL(46) #define XHCI_WRITE_64_HI_LO BIT_ULL(47) #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) +#define XHCI_ETRON_HOST BIT_ULL(49) unsigned int num_active_eps; unsigned int limit_active_eps; -- 2.25.1

10 months, 4 weeks

2
1
0 0

[PATCH V5 1/6] firmware: arm_scmi: Ensure that the message-id supports fastchannel

by Sibi Sankar

Currently the perf and powercap protocol relies on the protocol domain attributes, which just ensures that one fastchannel per domain, before instantiating fastchannels for all possible message-ids. Fix this by ensuring that each message-id supports fastchannel before initialization. Logs: scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:0] - ret:-95. Using regular messaging. scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:1] - ret:-95. Using regular messaging. scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:2] - ret:-95. Using regular messaging. CC: stable(a)vger.kernel.org Reported-by: Johan Hovold <johan+linaro(a)kernel.org> Closes: https://lore.kernel.org/lkml/ZoQjAWse2YxwyRJv@hovoldconsulting.com/ Fixes: 6f9ea4dabd2d ("firmware: arm_scmi: Generalize the fast channel support") Signed-off-by: Sibi Sankar <quic_sibis(a)quicinc.com> Reviewed-by: Sudeep Holla <sudeep.holla(a)arm.com> Tested-by: Johan Hovold <johan+linaro(a)kernel.org> --- v4: * Add cc stable and err logs to patch 1 commit message [Johan] drivers/firmware/arm_scmi/driver.c | 72 +++++++++++++++------------ drivers/firmware/arm_scmi/protocols.h | 2 + 2 files changed, 41 insertions(+), 33 deletions(-) diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c index 1f53ca1f87e3..55e496e78403 100644 --- a/drivers/firmware/arm_scmi/driver.c +++ b/drivers/firmware/arm_scmi/driver.c @@ -1698,6 +1698,39 @@ static int scmi_common_get_max_msg_size(const struct scmi_protocol_handle *ph) return info->desc->max_msg_size; } +/** + * scmi_protocol_msg_check - Check protocol message attributes + * + * @ph: A reference to the protocol handle. + * @message_id: The ID of the message to check. + * @attributes: A parameter to optionally return the retrieved message + * attributes, in case of Success. + * + * An helper to check protocol message attributes for a specific protocol + * and message pair. + * + * Return: 0 on SUCCESS + */ +static int scmi_protocol_msg_check(const struct scmi_protocol_handle *ph, + u32 message_id, u32 *attributes) +{ + int ret; + struct scmi_xfer *t; + + ret = xfer_get_init(ph, PROTOCOL_MESSAGE_ATTRIBUTES, + sizeof(__le32), 0, &t); + if (ret) + return ret; + + put_unaligned_le32(message_id, t->tx.buf); + ret = do_xfer(ph, t); + if (!ret && attributes) + *attributes = get_unaligned_le32(t->rx.buf); + xfer_put(ph, t); + + return ret; +} + /** * struct scmi_iterator - Iterator descriptor * @msg: A reference to the message TX buffer; filled by @prepare_message with @@ -1839,6 +1872,7 @@ scmi_common_fastchannel_init(const struct scmi_protocol_handle *ph, int ret; u32 flags; u64 phys_addr; + u32 attributes; u8 size; void __iomem *addr; struct scmi_xfer *t; @@ -1847,6 +1881,11 @@ scmi_common_fastchannel_init(const struct scmi_protocol_handle *ph, struct scmi_msg_resp_desc_fc *resp; const struct scmi_protocol_instance *pi = ph_to_pi(ph); + /* Check if the MSG_ID supports fastchannel */ + ret = scmi_protocol_msg_check(ph, message_id, &attributes); + if (!ret && !MSG_SUPPORTS_FASTCHANNEL(attributes)) + return; + if (!p_addr) { ret = -EINVAL; goto err_out; @@ -1974,39 +2013,6 @@ static void scmi_common_fastchannel_db_ring(struct scmi_fc_db_info *db) #endif } -/** - * scmi_protocol_msg_check - Check protocol message attributes - * - * @ph: A reference to the protocol handle. - * @message_id: The ID of the message to check. - * @attributes: A parameter to optionally return the retrieved message - * attributes, in case of Success. - * - * An helper to check protocol message attributes for a specific protocol - * and message pair. - * - * Return: 0 on SUCCESS - */ -static int scmi_protocol_msg_check(const struct scmi_protocol_handle *ph, - u32 message_id, u32 *attributes) -{ - int ret; - struct scmi_xfer *t; - - ret = xfer_get_init(ph, PROTOCOL_MESSAGE_ATTRIBUTES, - sizeof(__le32), 0, &t); - if (ret) - return ret; - - put_unaligned_le32(message_id, t->tx.buf); - ret = do_xfer(ph, t); - if (!ret && attributes) - *attributes = get_unaligned_le32(t->rx.buf); - xfer_put(ph, t); - - return ret; -} - static const struct scmi_proto_helpers_ops helpers_ops = { .extended_name_get = scmi_common_extended_name_get, .get_max_msg_size = scmi_common_get_max_msg_size, diff --git a/drivers/firmware/arm_scmi/protocols.h b/drivers/firmware/arm_scmi/protocols.h index aaee57cdcd55..d62c4469d1fd 100644 --- a/drivers/firmware/arm_scmi/protocols.h +++ b/drivers/firmware/arm_scmi/protocols.h @@ -31,6 +31,8 @@ #define SCMI_PROTOCOL_VENDOR_BASE 0x80 +#define MSG_SUPPORTS_FASTCHANNEL(x) ((x) & BIT(0)) + enum scmi_common_cmd { PROTOCOL_VERSION = 0x0, PROTOCOL_ATTRIBUTES = 0x1, -- 2.34.1

10 months, 4 weeks

1
0
0 0

[PATCH v2] drm: xlnx: zynqmp_dpsub: fix hotplug detection

by Steffen Dirkwinkel

From: Steffen Dirkwinkel <s.dirkwinkel(a)beckhoff.com> drm_kms_helper_poll_init needs to be called after zynqmp_dpsub_kms_init. zynqmp_dpsub_kms_init creates the connector and without it we don't enable hotplug detection. Fixes: eb2d64bfcc17 ("drm: xlnx: zynqmp_dpsub: Report HPD through the bridge") Cc: stable(a)vger.kernel.org Signed-off-by: Steffen Dirkwinkel <s.dirkwinkel(a)beckhoff.com> --- drivers/gpu/drm/xlnx/zynqmp_kms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xlnx/zynqmp_kms.c b/drivers/gpu/drm/xlnx/zynqmp_kms.c index bd1368df7870..311397cee5ca 100644 --- a/drivers/gpu/drm/xlnx/zynqmp_kms.c +++ b/drivers/gpu/drm/xlnx/zynqmp_kms.c @@ -509,12 +509,12 @@ int zynqmp_dpsub_drm_init(struct zynqmp_dpsub *dpsub) if (ret) return ret; - drm_kms_helper_poll_init(drm); - ret = zynqmp_dpsub_kms_init(dpsub); if (ret < 0) goto err_poll_fini; + drm_kms_helper_poll_init(drm); + /* Reset all components and register the DRM device. */ drm_mode_config_reset(drm); -- 2.47.0

10 months, 4 weeks

2
1
0 0

[PATCH 0/2] cpuidle: qcom-spm: fix resource release in spm_cpuidle_register

by Javier Carrasco

This series addresses two issues in spm_cpuidle_register: a missing device_node release in an error path, and releasing a reference to a device after its usage. These issues were found while analyzing the code, and the patches have been successfully compiled and statically analyzed, but not tested on real hardware as I don't have access to it. Any volunteering for testing is always more than welcome. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): cpuidle: qcom-spm: fix device node release in spm_cpuidle_register cpuidle: qcom-spm: fix platform device release in spm_cpuidle_register drivers/cpuidle/cpuidle-qcom-spm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- base-commit: 6fb2fa9805c501d9ade047fc511961f3273cdcb5 change-id: 20241029-cpuidle-qcom-spm-cleanup-6f03669bcd70 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 4 weeks

2
4
0 0

[PATCH] accel/ivpu: Fix NOC firewall interrupt handling

by Jacek Lawrynowicz

From: Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> The NOC firewall interrupt means that the HW prevented unauthorized access to a protected resource, so there is no need to trigger device reset in such case. To facilitate security testing add firewall_irq_counter debugfs file that tracks firewall interrupts. Fixes: 8a27ad81f7d3 ("accel/ivpu: Split IP and buttress code") Cc: <stable(a)vger.kernel.org> # v6.11+ Signed-off-by: Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_debugfs.c | 9 +++++++++ drivers/accel/ivpu/ivpu_hw.c | 1 + drivers/accel/ivpu/ivpu_hw.h | 1 + drivers/accel/ivpu/ivpu_hw_ip.c | 5 ++++- 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/accel/ivpu/ivpu_debugfs.c b/drivers/accel/ivpu/ivpu_debugfs.c index 8958145c49adb..8180b95ed69dc 100644 --- a/drivers/accel/ivpu/ivpu_debugfs.c +++ b/drivers/accel/ivpu/ivpu_debugfs.c @@ -116,6 +116,14 @@ static int reset_pending_show(struct seq_file *s, void *v) return 0; } +static int firewall_irq_counter_show(struct seq_file *s, void *v) +{ + struct ivpu_device *vdev = seq_to_ivpu(s); + + seq_printf(s, "%d\n", atomic_read(&vdev->hw->firewall_irq_counter)); + return 0; +} + static const struct drm_debugfs_info vdev_debugfs_list[] = { {"bo_list", bo_list_show, 0}, {"fw_name", fw_name_show, 0}, @@ -125,6 +133,7 @@ static const struct drm_debugfs_info vdev_debugfs_list[] = { {"last_bootmode", last_bootmode_show, 0}, {"reset_counter", reset_counter_show, 0}, {"reset_pending", reset_pending_show, 0}, + {"firewall_irq_counter", firewall_irq_counter_show, 0}, }; static int dvfs_mode_get(void *data, u64 *dvfs_mode) diff --git a/drivers/accel/ivpu/ivpu_hw.c b/drivers/accel/ivpu/ivpu_hw.c index 09ada8b500b99..4e1054f3466e8 100644 --- a/drivers/accel/ivpu/ivpu_hw.c +++ b/drivers/accel/ivpu/ivpu_hw.c @@ -252,6 +252,7 @@ int ivpu_hw_init(struct ivpu_device *vdev) platform_init(vdev); wa_init(vdev); timeouts_init(vdev); + atomic_set(&vdev->hw->firewall_irq_counter, 0); return 0; } diff --git a/drivers/accel/ivpu/ivpu_hw.h b/drivers/accel/ivpu/ivpu_hw.h index dc5518248c405..fc4dbfc980c81 100644 --- a/drivers/accel/ivpu/ivpu_hw.h +++ b/drivers/accel/ivpu/ivpu_hw.h @@ -51,6 +51,7 @@ struct ivpu_hw_info { int dma_bits; ktime_t d0i3_entry_host_ts; u64 d0i3_entry_vpu_ts; + atomic_t firewall_irq_counter; }; int ivpu_hw_init(struct ivpu_device *vdev); diff --git a/drivers/accel/ivpu/ivpu_hw_ip.c b/drivers/accel/ivpu/ivpu_hw_ip.c index b9b16f4041434..029dd065614b2 100644 --- a/drivers/accel/ivpu/ivpu_hw_ip.c +++ b/drivers/accel/ivpu/ivpu_hw_ip.c @@ -1073,7 +1073,10 @@ static void irq_wdt_mss_handler(struct ivpu_device *vdev) static void irq_noc_firewall_handler(struct ivpu_device *vdev) { - ivpu_pm_trigger_recovery(vdev, "NOC Firewall IRQ"); + atomic_inc(&vdev->hw->firewall_irq_counter); + + ivpu_dbg(vdev, IRQ, "NOC Firewall interrupt detected, counter %d\n", + atomic_read(&vdev->hw->firewall_irq_counter)); } /* Handler for IRQs from NPU core */ -- 2.45.1

10 months, 4 weeks

2
3
0 0

+ mm-page_alloc-keep-track-of-free-highatomic.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/page_alloc: keep track of free highatomic has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-page_alloc-keep-track-of-free-highatomic.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yu Zhao <yuzhao(a)google.com> Subject: mm/page_alloc: keep track of free highatomic Date: Mon, 28 Oct 2024 12:26:53 -0600 OOM kills due to vastly overestimated free highatomic reserves were observed: ... invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0 ... Node 0 Normal free:1482936kB boost:0kB min:410416kB low:739404kB high:1068392kB reserved_highatomic:1073152KB ... Node 0 Normal: 1292*4kB (ME) 1920*8kB (E) 383*16kB (UE) 220*32kB (ME) 340*64kB (E) 2155*128kB (UE) 3243*256kB (UE) 615*512kB (U) 1*1024kB (M) 0*2048kB 0*4096kB = 1477408kB The second line above shows that the OOM kill was due to the following condition: free (1482936kB) - reserved_highatomic (1073152kB) = 409784KB < min (410416kB) And the third line shows there were no free pages in any MIGRATE_HIGHATOMIC pageblocks, which otherwise would show up as type 'H'. Therefore __zone_watermark_unusable_free() underestimated the usable free memory by over 1GB, which resulted in the unnecessary OOM kill above. The comments in __zone_watermark_unusable_free() warns about the potential risk, i.e., If the caller does not have rights to reserves below the min watermark then subtract the high-atomic reserves. This will over-estimate the size of the atomic reserve but it avoids a search. However, it is possible to keep track of free pages in reserved highatomic pageblocks with a new per-zone counter nr_free_highatomic protected by the zone lock, to avoid a search when calculating the usable free memory. And the cost would be minimal, i.e., simple arithmetics in the highatomic alloc/free/move paths. Note that since nr_free_highatomic can be relatively small, using a per-cpu counter might cause too much drift and defeat its purpose, in addition to the extra memory overhead. Link: https://lkml.kernel.org/r/20241028182653.3420139-1-yuzhao@google.com Signed-off-by: Yu Zhao <yuzhao(a)google.com> Reported-by: Link Lin <linkl(a)google.com> Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [6.12+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 1 + mm/page_alloc.c | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) --- a/include/linux/mmzone.h~mm-page_alloc-keep-track-of-free-highatomic +++ a/include/linux/mmzone.h @@ -823,6 +823,7 @@ struct zone { unsigned long watermark_boost; unsigned long nr_reserved_highatomic; + unsigned long nr_free_highatomic; /* * We don't know if the memory that we're going to allocate will be --- a/mm/page_alloc.c~mm-page_alloc-keep-track-of-free-highatomic +++ a/mm/page_alloc.c @@ -635,6 +635,8 @@ compaction_capture(struct capture_contro static inline void account_freepages(struct zone *zone, int nr_pages, int migratetype) { + lockdep_assert_held(&zone->lock); + if (is_migrate_isolate(migratetype)) return; @@ -642,6 +644,9 @@ static inline void account_freepages(str if (is_migrate_cma(migratetype)) __mod_zone_page_state(zone, NR_FREE_CMA_PAGES, nr_pages); + + if (is_migrate_highatomic(migratetype)) + WRITE_ONCE(zone->nr_free_highatomic, zone->nr_free_highatomic + nr_pages); } /* Used for pages not on another list */ @@ -3081,11 +3086,10 @@ static inline long __zone_watermark_unus /* * If the caller does not have rights to reserves below the min - * watermark then subtract the high-atomic reserves. This will - * over-estimate the size of the atomic reserve but it avoids a search. + * watermark then subtract the free pages reserved for highatomic. */ if (likely(!(alloc_flags & ALLOC_RESERVES))) - unusable_free += z->nr_reserved_highatomic; + unusable_free += READ_ONCE(z->nr_free_highatomic); #ifdef CONFIG_CMA /* If allocation can't use CMA areas don't use free CMA pages */ _ Patches currently in -mm which might be from yuzhao(a)google.com are mm-allow-set-clear-page_type-again.patch mm-multi-gen-lru-remove-mm_leaf_old-and-mm_nonleaf_total-stats.patch mm-multi-gen-lru-use-pteppmdp_clear_young_notify.patch mm-page_alloc-keep-track-of-free-highatomic.patch

10 months, 4 weeks

2
3
0 0

[PATCH v7 6/7] PCI: qcom: Disable ASPM L0s and remove BDF2SID mapping config for X1E80100 SoC

by Qiang Yu

Currently, the cfg_1_9_0 which is being used for X1E80100 has config_sid callback in its ops and doesn't disable ASPM L0s. However, as same as SC8280X, PCIe controllers on X1E80100 are connected to SMMUv3, hence don't need config_sid() callback and hardware team has recommended to disable L0s as it is broken in the controller. Hence reuse cfg_sc8280xp for X1E80100. Fixes: 6d0c39324c5f ("PCI: qcom: Add X1E80100 PCIe support") Cc: stable(a)vger.kernel.org Signed-off-by: Qiang Yu <quic_qianyu(a)quicinc.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- drivers/pci/controller/dwc/pcie-qcom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c index 468bd4242e61..c533e6024ba2 100644 --- a/drivers/pci/controller/dwc/pcie-qcom.c +++ b/drivers/pci/controller/dwc/pcie-qcom.c @@ -1847,7 +1847,7 @@ static const struct of_device_id qcom_pcie_match[] = { { .compatible = "qcom,pcie-sm8450-pcie0", .data = &cfg_1_9_0 }, { .compatible = "qcom,pcie-sm8450-pcie1", .data = &cfg_1_9_0 }, { .compatible = "qcom,pcie-sm8550", .data = &cfg_1_9_0 }, - { .compatible = "qcom,pcie-x1e80100", .data = &cfg_1_9_0 }, + { .compatible = "qcom,pcie-x1e80100", .data = &cfg_sc8280xp }, { } }; -- 2.34.1

10 months, 4 weeks

4
9
0 0

[PATCH 6.1/6.6] drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)eng.windriver.com> [ Upstream commit 15c2990e0f0108b9c3752d7072a97d45d4283aea ] This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922) Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Cc: Bhawanpreet Lakha <Bhawanpreet.Lakha(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Hersen Wu <hersenxs.wu(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [Xiangyu: Modified file path to backport this commit] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c index 407f7889e8fd..7a643690fdc7 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c @@ -762,6 +762,9 @@ bool dcn30_apply_idle_power_optimizations(struct dc *dc, bool enable) stream = dc->current_state->streams[0]; plane = (stream ? dc->current_state->stream_status[0].plane_states[0] : NULL); + if (!stream || !plane) + return false; + if (stream && plane) { cursor_cache_enable = stream->cursor_position.enable && plane->address.grph.cursor_cache_addr.quad_part; -- 2.43.0

10 months, 4 weeks

1
0
0 0

[PATCH RESEND] drivers:media:radio: Fix atomicity violation in fmc_send_cmd()

by Qiu-ji Chen

Atomicity violation occurs when the fmc_send_cmd() function is executed simultaneously with the modification of the fmdev->resp_skb value. Consider a scenario where, after passing the validity check within the function, a non-null fmdev->resp_skb variable is assigned a null value. This results in an invalid fmdev->resp_skb variable passing the validity check. As seen in the later part of the function, skb = fmdev->resp_skb; when the invalid fmdev->resp_skb passes the check, a null pointer dereference error may occur at line 478, evt_hdr = (void *)skb->data; To address this issue, it is recommended to include the validity check of fmdev->resp_skb within the locked section of the function. This modification ensures that the value of fmdev->resp_skb does not change during the validation process, thereby maintaining its validity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/media/radio/wl128x/fmdrv_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c index 3d36f323a8f8..4d032436691c 100644 --- a/drivers/media/radio/wl128x/fmdrv_common.c +++ b/drivers/media/radio/wl128x/fmdrv_common.c @@ -466,11 +466,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload, jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000); return -ETIMEDOUT; } + spin_lock_irqsave(&fmdev->resp_skb_lock, flags); if (!fmdev->resp_skb) { + spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); fmerr("Response SKB is missing\n"); return -EFAULT; } - spin_lock_irqsave(&fmdev->resp_skb_lock, flags); skb = fmdev->resp_skb; fmdev->resp_skb = NULL; spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); -- 2.34.1

10 months, 4 weeks

2
1
0 0

[PATCH v2] virtio: console: Fix atomicity violation in fill_readbuf()

by Qiu-ji Chen

The atomicity violation issue is due to the invalidation of the function port_has_data()'s check caused by concurrency. Imagine a scenario where a port that contains data passes the validity check but is simultaneously assigned a value with no data. This could result in an empty port passing the validity check, potentially leading to a null pointer dereference error later in the program, which is inconsistent. To address this issue, we added a separate validity check for the variable buf after its assignment. This ensures that an invalid buf does not proceed further into the program, thereby preventing a null pointer dereference error. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 203baab8ba31 ("virtio: console: Introduce function to hand off data from host to readers") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: The logic of the fix has been modified. --- drivers/char/virtio_console.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index c62b208b42f1..54fee192d93c 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -660,6 +660,10 @@ static ssize_t fill_readbuf(struct port *port, u8 __user *out_buf, return 0; buf = port->inbuf; + + if (!buf) + return 0; + out_count = min(out_count, buf->len - buf->offset); if (to_user) { -- 2.34.1

10 months, 4 weeks

1
0
0 0

[PATCH v2] PM / devfreq: Fix atomicity violation in devfreq_update_interval()

by Qiu-ji Chen

The atomicity violation occurs when the variables cur_delay and new_delay are defined. Imagine a scenario where, while defining cur_delay and new_delay, the values stored in devfreq->profile->polling_ms and the delay variable change. After acquiring the mutex_lock and entering the critical section, due to possible concurrent modifications, cur_delay and new_delay may no longer represent the correct values. Subsequent usage, such as if (cur_delay > new_delay), could cause the program to run incorrectly, resulting in inconsistencies. If the read of devfreq->profile->polling_ms is not protected by the lock, the cur_delay that enters the critical section would not store the actual old value of devfreq->profile->polling_ms, which would affect the subsequent checks like if (!cur_delay) and if (cur_delay > new_delay), potentially causing the driver to perform incorrect operations. We believe that moving the read of devfreq->profile->polling_ms inside the lock is beneficial as it ensures that cur_delay stores the true old value of devfreq->profile->polling_ms, ensuring the correctness of the later checks. To address this issue, it is recommended to acquire a lock in advance, ensuring that devfreq->profile->polling_ms and delay are protected by the lock when being read. This will help ensure the consistency of the program. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 7e6fdd4bad03 ("PM / devfreq: Core updates to support devices which can idle") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: Added some descriptions to reduce misunderstandings. Thanks to MyungJoo Ham for suggesting this improvement. --- drivers/devfreq/devfreq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c index 98657d3b9435..9634739fc9cb 100644 --- a/drivers/devfreq/devfreq.c +++ b/drivers/devfreq/devfreq.c @@ -616,10 +616,10 @@ EXPORT_SYMBOL(devfreq_monitor_resume); */ void devfreq_update_interval(struct devfreq *devfreq, unsigned int *delay) { + mutex_lock(&devfreq->lock); unsigned int cur_delay = devfreq->profile->polling_ms; unsigned int new_delay = *delay; - mutex_lock(&devfreq->lock); devfreq->profile->polling_ms = new_delay; if (IS_SUPPORTED_FLAG(devfreq->governor->flags, IRQ_DRIVEN)) -- 2.34.1

10 months, 4 weeks

1
0
0 0

[PATCH v2] drm/vc4: Fix atomicity violation in vc4_crtc_send_vblank()

by Qiu-ji Chen

An atomicity violation occurs when the vc4_crtc_send_vblank function executes simultaneously with modifications to crtc->state->event. Consider a scenario where crtc->state->event is non-null, allowing it to pass the validity check. However, at the same time, crtc->state->event might be set to null. In this case, the validity check in vc4_crtc_send_vblank might act on the old crtc->state->event (before locking), allowing invalid values to pass the validity check, which could lead to a null pointer dereference. In the drm_device structure, it is mentioned: "@event_lock: Protects @vblank_event_list and event delivery in general." I believe that the validity check and the subsequent null assignment operation are part of the event delivery process, and all of these should be protected by the event_lock. If there is no lock protection before the validity check, it is possible for a null crtc->state->event to be passed into the drm_crtc_send_vblank_event() function, leading to a null pointer dereference error. We have observed its callers and found that they are from the drm_crtc_helper_funcs driver interface. We believe that functions within driver interfaces can be concurrent, potentially causing a data race on crtc->state->event. To address this issue, it is recommended to include the validity check of crtc->state and crtc->state->event within the locking section of the function. This modification ensures that the values of crtc->state->event and crtc->state do not change during the validation process, maintaining their valid conditions. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 68e4a69aec4d ("drm/vc4: crtc: Create vblank reporting function") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: The description of the patch has been modified to make it clearer. Thanks to Simona Vetter for suggesting this improvement. --- drivers/gpu/drm/vc4/vc4_crtc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index 8b5a7e5eb146..98885f519827 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -575,10 +575,12 @@ void vc4_crtc_send_vblank(struct drm_crtc *crtc) struct drm_device *dev = crtc->dev; unsigned long flags; - if (!crtc->state || !crtc->state->event) + spin_lock_irqsave(&dev->event_lock, flags); + if (!crtc->state || !crtc->state->event) { + spin_unlock_irqrestore(&dev->event_lock, flags); return; + } - spin_lock_irqsave(&dev->event_lock, flags); drm_crtc_send_vblank_event(crtc, crtc->state->event); crtc->state->event = NULL; spin_unlock_irqrestore(&dev->event_lock, flags); -- 2.34.1

10 months, 4 weeks

1
0
0 0

[PATCH 0/2] cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu

by Javier Carrasco

This series releases the np device_node when it is no longer required by adding the missing calls to of_node_put() to make the fix compatible with all affected stable kernels. Then, the more robust approach via cleanup attribute is used to simplify the handling and prevent issues if the loop gets new execution paths. These issues were found while analyzing the code, and the patches have been successfully compiled, but not tested on real hardware as I don't have access to it. Any volunteering for testing is always more than welcome. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (2): cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu cpuidle: riscv-sbi: use cleanup attribute for np in for_each_possible_cpu drivers/cpuidle/cpuidle-riscv-sbi.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- base-commit: 6fb2fa9805c501d9ade047fc511961f3273cdcb5 change-id: 20241029-cpuidle-riscv-sbi-cleanup-e9b3cb96e16d Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

10 months, 4 weeks

1
1
0 0

[PATCH] Revert "cpufreq: brcmstb-avs-cpufreq: Fix initial command check"

by Colin Ian King

Currently the condition ((rc != -ENOTSUPP) || (rc != -EINVAL)) is always true because rc cannot be equal to two different values at the same time, so it must be not equal to at least one of them. Fix the original commit that introduced the issue. This reverts commit 22a26cc6a51ef73dcfeb64c50513903f6b2d53d8. Signed-off-by: Colin Ian King <colin.i.king(a)gmail.com> --- drivers/cpufreq/brcmstb-avs-cpufreq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c index 5d03a295a085..2fd0f6be6fa3 100644 --- a/drivers/cpufreq/brcmstb-avs-cpufreq.c +++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c @@ -474,8 +474,8 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv) rc = brcm_avs_get_pmap(priv, NULL); magic = readl(priv->base + AVS_MBOX_MAGIC); - return (magic == AVS_FIRMWARE_MAGIC) && ((rc != -ENOTSUPP) || - (rc != -EINVAL)); + return (magic == AVS_FIRMWARE_MAGIC) && (rc != -ENOTSUPP) && + (rc != -EINVAL); } static unsigned int brcm_avs_cpufreq_get(unsigned int cpu) -- 2.39.5

10 months, 4 weeks

3
2
0 0

Re: [PATCH] mm/gup: restore the ability to pin more than 2GB at a time

by kernel test robot

Hi, Thanks for your patch. FYI: kernel test robot notices the stable kernel rule is not satisfied. The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opt… Rule: add the tag "Cc: stable(a)vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree. Subject: [PATCH] mm/gup: restore the ability to pin more than 2GB at a time Link: https://lore.kernel.org/stable/20241030030116.670307-1-jhubbard%40nvidia.com -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

10 months, 4 weeks

2
1
0 0

[PATCH 5.15 00/80] 5.15.170-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.170 release. There are 80 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 30 Oct 2024 06:22:39 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.170-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.170-rc1 Zichen Xie <zichenxie0106(a)gmail.com> ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Michel Alex <Alex.Michel(a)wiedemann-group.com> net: phy: dp83822: Fix reset pin definitions Jiri Slaby (SUSE) <jirislaby(a)kernel.org> serial: protect uart_port_dtr_rts() in uart_shutdown() too Paul Moore <paul(a)paul-moore.com> selinux: improve error checking in sel_write_load() Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Petr Vaganov <p.vaganov(a)ideco.ru> xfrm: fix one more kernel-infoleak in algo dumping José Relvas <josemonsantorelvas(a)gmail.com> ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Aleksa Sarai <cyphar(a)cyphar.com> openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of buffer delay flag Shubham Panwar <shubiisp8(a)gmail.com> ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Christian Heusel <christian(a)heusel.eu> ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Guard against bad data for ATIF ACPI method Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix zone unusable accounting for freed reserved extent Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Update default depop procedure Andrey Shumilin <shum.sdl(a)nppct.ru> ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Jiri Olsa <jolsa(a)kernel.org> bpf,perf: Fix perf_event_detach_bpf_prog error handling Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Heiner Kallweit <hkallweit1(a)gmail.com> r8169: avoid unsolicited interrupts Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: fix use-after-free in taprio_change() Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix name regression Lin Ma <linma(a)zju.edu.cn> net: wwan: fix global oob in wwan_rtnl_policy Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: xtables: fix typo causing some targets not to load on IPv6 Peter Rashleigh <peter(a)rashleigh.ca> net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Jakub Boehm <boehm.jakub(a)gmail.com> net: plip: fix break; causing plip to never transmit Wang Hai <wanghai38(a)huawei.com> be2net: fix potential memory leak in be_xmit() Wang Hai <wanghai38(a)huawei.com> net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Eyal Birger <eyal.birger(a)gmail.com> xfrm: respect ip protocols rules criteria when performing dst lookups Eyal Birger <eyal.birger(a)gmail.com> xfrm: extract dst lookup parameters into a struct Leo Yan <leo.yan(a)arm.com> tracing: Consider the NULL character when validating the event length Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: Fix sanity check in dbMount Crag Wang <crag_wang(a)dell.com> platform/x86: dell-sysman: add support for alienware products Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string junhua huang <huang.junhua(a)zte.com.cn> arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Armin Wolf <W_Armin(a)gmx.de> platform/x86: dell-wmi: Ignore suspend notifications Gianfranco Trad <gianf.trad(a)gmail.com> udf: fix uninit-value use in udf_get_fileshortad Mark Rutland <mark.rutland(a)arm.com> arm64: Force position-independent veneers Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values Hans de Goede <hdegoede(a)redhat.com> drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Mateusz Guzik <mjguzik(a)gmail.com> exec: don't WARN for racy path_noexec check Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix procress reference leakage for bfqq in merge chain Roger Quadros <rogerq(a)kernel.org> usb: dwc3: core: Fix system suspend on TI AM62 platforms Frank Li <Frank.Li(a)nxp.com> XHCI: Separate PORT and CAPs macros into dedicated file Elson Roy Serrao <quic_eserrao(a)quicinc.com> usb: gadget: Add function wakeup support Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: gaccess: Check if guest address is in memslot Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Cleanup access to guest pages Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Refactor access address range check Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Refactor gpa and length calculation Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix uprobes for big-endian kernels junhua huang <huang.junhua(a)zte.com.cn> arm64:uprobe fix the uprobe SWBP_INSN in big-endian Ye Bin <yebin10(a)huawei.com> Bluetooth: bnep: fix wild-memory-access in proto_unregister Heiko Carstens <hca(a)linux.ibm.com> s390: Initialize psw mask in perf_arch_fetch_caller_regs() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> usb: typec: altmode should keep reference to parent Paulo Alcantara <pc(a)manguebit.com> smb: client: fix OOBs when building SMB2_IOCTL request Wang Hai <wanghai38(a)huawei.com> scsi: target: core: Fix null-ptr-deref in target_alloc_device() Eric Dumazet <edumazet(a)google.com> genetlink: hold RCU in genlmsg_mcast() Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Wang Hai <wanghai38(a)huawei.com> net: systemport: fix potential memory leak in bcm_sysport_xmit() Wang Hai <wanghai38(a)huawei.com> net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() Li RongQing <lirongqing(a)baidu.com> net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Wang Hai <wanghai38(a)huawei.com> net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Sabrina Dubroca <sd(a)queasysnail.net> macsec: don't increment counters for an unrelated SA Colin Ian King <colin.i.king(a)gmail.com> octeontx2-af: Fix potential integer overflows on integer shifts Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix race in probe failure Douglas Anderson <dianders(a)chromium.org> drm/msm: Allocate memory for disp snapshot with kvzalloc() Douglas Anderson <dianders(a)chromium.org> drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Bhargava Chenna Marreddy <bhargava.marreddy(a)broadcom.com> RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return more meaningful error Xin Long <lucien.xin(a)gmail.com> ipv4: give an IPv4 dev to blackhole_netdev Alexander Zubkov <green(a)qrator.net> RDMA/irdma: Fix misspelling of "accept*" Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Murad Masimov <m.masimov(a)maxima.ru> ALSA: hda/cs8409: Fix possible NULL dereference Florian Klink <flokli(a)flokli.de> ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Martin Kletzander <nert.pinx(a)gmail.com> x86/resctrl: Avoid overflow in MB settings in bw_validate() Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Add a check for memory allocation Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Florian Kauer <florian.kauer(a)linutronix.de> bpf: devmap: provide rxq after redirect Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: Make sure internal and UAPI bpf_redirect flags don't overlap ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 +- arch/arm64/Makefile | 2 +- arch/arm64/include/asm/uprobes.h | 12 +- arch/arm64/kernel/probes/uprobes.c | 4 +- arch/s390/include/asm/perf_event.h | 1 + arch/s390/kvm/gaccess.c | 162 +++++++------ arch/s390/kvm/gaccess.h | 14 +- arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 +- arch/x86/kvm/svm/nested.c | 6 +- block/bfq-iosched.c | 37 ++- drivers/acpi/button.c | 11 + drivers/acpi/resource.c | 7 + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +- drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 +- drivers/infiniband/hw/cxgb4/cm.c | 9 +- drivers/infiniband/hw/irdma/cm.c | 2 +- drivers/net/dsa/mv88e6xxx/port.c | 1 + drivers/net/ethernet/aeroflex/greth.c | 3 +- drivers/net/ethernet/broadcom/bcmsysport.c | 1 + drivers/net/ethernet/emulex/benet/be_main.c | 10 +- drivers/net/ethernet/i825xx/sun3_82586.c | 1 + .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 +- drivers/net/ethernet/realtek/r8169_main.c | 4 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 + drivers/net/hyperv/netvsc_drv.c | 30 +++ drivers/net/macsec.c | 18 -- drivers/net/phy/dp83822.c | 4 +- drivers/net/plip/plip.c | 2 +- drivers/net/usb/usbnet.c | 4 +- drivers/net/wwan/wwan_core.c | 2 +- drivers/platform/x86/dell/dell-wmi-base.c | 9 + drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_user.c | 2 +- drivers/tty/serial/serial_core.c | 16 +- drivers/usb/dwc3/core.c | 19 ++ drivers/usb/dwc3/core.h | 3 + drivers/usb/gadget/composite.c | 40 ++++ drivers/usb/host/xhci-caps.h | 85 +++++++ drivers/usb/host/xhci-port.h | 176 ++++++++++++++ drivers/usb/host/xhci.h | 262 +-------------------- drivers/usb/typec/class.c | 3 + fs/btrfs/block-group.c | 2 + fs/cifs/smb2pdu.c | 9 + fs/exec.c | 21 +- fs/jfs/jfs_dmap.c | 2 +- fs/nilfs2/page.c | 6 +- fs/open.c | 2 + fs/udf/inode.c | 9 +- include/linux/usb/composite.h | 6 + include/linux/usb/gadget.h | 1 + include/net/genetlink.h | 3 +- include/net/xfrm.h | 28 ++- include/uapi/linux/bpf.h | 13 +- kernel/bpf/devmap.c | 11 +- kernel/time/posix-clock.c | 6 +- kernel/trace/bpf_trace.c | 2 - kernel/trace/trace_probe.c | 2 +- net/bluetooth/bnep/core.c | 3 +- net/core/filter.c | 8 +- net/ipv4/devinet.c | 35 ++- net/ipv4/inet_connection_sock.c | 21 +- net/ipv4/xfrm4_policy.c | 38 ++- net/ipv6/xfrm6_policy.c | 31 +-- net/l2tp/l2tp_netlink.c | 4 +- net/netfilter/xt_NFLOG.c | 2 +- net/netfilter/xt_TRACE.c | 1 + net/netfilter/xt_mark.c | 2 +- net/netlink/genetlink.c | 28 +-- net/sched/sch_taprio.c | 3 +- net/smc/smc_pnet.c | 2 +- net/wireless/nl80211.c | 8 +- net/xfrm/xfrm_device.c | 11 +- net/xfrm/xfrm_policy.c | 50 +++- net/xfrm/xfrm_user.c | 4 +- security/selinux/selinuxfs.c | 27 ++- sound/firewire/amdtp-stream.c | 3 + sound/pci/hda/patch_cs8409.c | 5 +- sound/pci/hda/patch_realtek.c | 48 ++-- sound/soc/codecs/lpass-rx-macro.c | 2 +- sound/soc/fsl/fsl_sai.c | 5 +- sound/soc/fsl/fsl_sai.h | 1 + sound/soc/qcom/lpass-cpu.c | 2 + sound/soc/qcom/sm8250.c | 1 + 91 files changed, 900 insertions(+), 643 deletions(-)

10 months, 4 weeks

9
88
0 0

[PATCH 6.6 000/208] 6.6.59-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.59 release. There are 208 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 30 Oct 2024 06:22:39 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.59-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.59-rc1 Linus Torvalds <torvalds(a)linux-foundation.org> task_work: make TWA_NMI_CURRENT handling conditional on IRQ_WORK Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probes: Fix to zero initialize a local variable Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix unconditional fence for newer adapters Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Avoid creating fence MR for newer adapters Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix the offset for GenP7 adapters for user applications Dan Carpenter <dan.carpenter(a)linaro.org> ACPI: PRM: Clean up guid type in struct prm_handler_info Armin Wolf <W_Armin(a)gmx.de> platform/x86: dell-wmi: Ignore suspend notifications Zichen Xie <zichenxie0106(a)gmail.com> ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Niklas Cassel <cassel(a)kernel.org> ata: libata: Set DID_TIME_OUT for commands that actually timed out Xinyu Zhang <xizhang(a)purestorage.com> block: fix sanity checks in blk_rq_map_user_bvec Michel Alex <Alex.Michel(a)wiedemann-group.com> net: phy: dp83822: Fix reset pin definitions Paul Moore <paul(a)paul-moore.com> selinux: improve error checking in sel_write_load() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Petr Vaganov <p.vaganov(a)ideco.ru> xfrm: fix one more kernel-infoleak in algo dumping Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN usable for variable cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Get correct cores_per_package for SMT systems José Relvas <josemonsantorelvas(a)gmail.com> ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Eric Biggers <ebiggers(a)google.com> ALSA: hda/tas2781: select CRC32 instead of CRC32_SARWATE Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/lam: Disable ADDRESS_MASKING in most cases Marc Zyngier <maz(a)kernel.org> KVM: arm64: Don't eagerly teardown the vgic on init error Ilkka Koskinen <ilkka(a)os.amperecomputing.com> KVM: arm64: Fix shift-out-of-bounds bug Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Aleksa Sarai <cyphar(a)cyphar.com> openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of buffer delay flag Shubham Panwar <shubiisp8(a)gmail.com> ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Koba Ko <kobak(a)nvidia.com> ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Christian Heusel <christian(a)heusel.eu> ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Guard against bad data for ATIF ACPI method Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix zone unusable accounting for freed reserved extent Yue Haibing <yuehaibing(a)huawei.com> btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item() liwei <liwei728(a)huawei.com> cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception Vincent Guittot <vincent.guittot(a)linaro.org> cpufreq/cppc: Move and rename cppc_cpufreq_{perf_to_khz|khz_to_perf}() Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Handle kstrdup failures for passwords Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Update default depop procedure Yang Erkun <yangerkun(a)huaweicloud.com> nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Yuan Can <yuancan(a)huawei.com> powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() Andrey Shumilin <shum.sdl(a)nppct.ru> ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Chancel Liu <chancel.liu(a)nxp.com> ASoC: fsl_micfil: Add a flag to distinguish with different volume control types Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> ASoC: rsnd: Fix probe failure on HiHope boards due to endpoint parsing Colin Ian King <colin.i.king(a)gmail.com> ASoC: max98388: Fix missing increment of variable slot_found Binbin Zhou <zhoubinbin(a)loongson.cn> ASoC: loongson: Fix component check failed on FDT systems Miquel Raynal <miquel.raynal(a)bootlin.com> ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties Miquel Raynal <miquel.raynal(a)bootlin.com> ASoC: dt-bindings: davinci-mcasp: Fix interrupts property Shenghao Yang <me(a)shenghaoyang.info> net: dsa: mv88e6xxx: support 4000ps cycle counter period Shenghao Yang <me(a)shenghaoyang.info> net: dsa: mv88e6xxx: read cycle counter period from hardware Shenghao Yang <me(a)shenghaoyang.info> net: dsa: mv88e6xxx: group cycle counter coefficients Jiri Olsa <jolsa(a)kernel.org> bpf,perf: Fix perf_event_detach_bpf_prog error handling Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix UAF on iso_sock_timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SCO: Fix UAF on sco_sock_timeout Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Heiner Kallweit <hkallweit1(a)gmail.com> r8169: avoid unsolicited interrupts Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: use RCU read-side critical section in taprio_dump() Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: fix use-after-free in taprio_change() Vladimir Oltean <vladimir.oltean(a)nxp.com> net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers Daniel Borkmann <daniel(a)iogearbox.net> bpf: Remove MEM_UNINIT from skb/xdp MTU helpers Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix overloading of MEM_UNINIT's meaning Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add MEM_WRITE attribute Andrei Matei <andreimatei1(a)gmail.com> bpf: Simplify checking size of helper accesses Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix name regression Eric Dumazet <edumazet(a)google.com> net: fix races in netdev_tx_sent_queue()/dev_watchdog() Praveen Kumar Kannoju <praveen.kannoju(a)oracle.com> net/sched: adjust device watchdog timer to detect stopped queue at right time Lin Ma <linma(a)zju.edu.cn> net: wwan: fix global oob in wwan_rtnl_policy Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: xtables: fix typo causing some targets not to load on IPv6 Aleksandr Mishin <amishin(a)t-argos.ru> fsl/fman: Fix refcount handling of fman-related devices Aleksandr Mishin <amishin(a)t-argos.ru> fsl/fman: Save device references taken in mac_probe() Peter Rashleigh <peter(a)rashleigh.ca> net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Aleksandr Mishin <amishin(a)t-argos.ru> octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() Aleksandr Mishin <amishin(a)t-argos.ru> octeon_ep: Implement helper for iterating packets in Rx queue Jakub Boehm <boehm.jakub(a)gmail.com> net: plip: fix break; causing plip to never transmit Wang Hai <wanghai38(a)huawei.com> be2net: fix potential memory leak in be_xmit() Wang Hai <wanghai38(a)huawei.com> net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Florian Westphal <fw(a)strlen.de> netfilter: bpf: must hold reference on net namespace Sabrina Dubroca <sd(a)queasysnail.net> xfrm: validate new SA's prefixlen using SA family when sel.family is unset Antony Antony <antony.antony(a)secunet.com> xfrm: Add Direction to the SA in or out Eyal Birger <eyal.birger(a)gmail.com> xfrm: respect ip protocols rules criteria when performing dst lookups Eyal Birger <eyal.birger(a)gmail.com> xfrm: extract dst lookup parameters into a struct Leo Yan <leo.yan(a)arm.com> tracing: Consider the NULL character when validating the event length Mikel Rychliski <mikel(a)mikelr.com> tracing/probes: Fix MAX_TRACE_ARGS limit handling Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: Fix sanity check in dbMount Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> LoongArch: Don't crash in stack_top() for tasks without vDSO Crag Wang <crag_wang(a)dell.com> platform/x86: dell-sysman: add support for alienware products Pali Rohár <pali(a)kernel.org> cifs: Validate content of NFS reparse point buffer Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Gianfranco Trad <gianf.trad(a)gmail.com> udf: fix uninit-value use in udf_get_fileshortad Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor inode_bmap() to handle error Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor udf_next_aext() to handle error Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor udf_current_aext() to handle error Mark Rutland <mark.rutland(a)arm.com> arm64: Force position-independent veneers Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values David Lawrence Glanzman <davidglanzman(a)yahoo.com> ASoC: amd: yc: Add quirk for HP Dragonfly pro one Hans de Goede <hdegoede(a)redhat.com> drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Mateusz Guzik <mjguzik(a)gmail.com> exec: don't WARN for racy path_noexec check Qiao Ma <mqaio(a)linux.alibaba.com> uprobe: avoid out-of-bounds memory access of fetching args Andrii Nakryiko <andrii(a)kernel.org> uprobes: prevent mutex_lock() under rcu_read_lock() Andrii Nakryiko <andrii(a)kernel.org> uprobes: prepare uprobe args buffer lazily Andrii Nakryiko <andrii(a)kernel.org> uprobes: encapsulate preparation of uprobe args buffer Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/probes: Support $argN in return probe (kprobe and fprobe) Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/probes: cleanup: Set trace_probe::nr_args at trace_probe_init Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/fprobe-event: cleanup: Fix a wrong comment in fprobe event Roger Quadros <rogerq(a)kernel.org> usb: dwc3: core: Fix system suspend on TI AM62 platforms Frank Li <Frank.Li(a)nxp.com> XHCI: Separate PORT and CAPs macros into dedicated file Kevin Groeneveld <kgroeneveld(a)lenbrook.com> usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store John Keeping <jkeeping(a)inmusicbrands.com> usb: gadget: f_uac2: fix non-newline-terminated function name Lee Jones <lee(a)kernel.org> usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf() variant Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: honor usb transfer size boundaries. Jiri Slaby (SUSE) <jirislaby(a)kernel.org> xhci: dbgtty: use kfifo from tty_port struct Jiri Slaby (SUSE) <jirislaby(a)kernel.org> xhci: dbgtty: remove kfifo_out() wrapper Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Yang Shi <yang(a)os.amperecomputing.com> mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point Matthew Wilcox (Oracle) <willy(a)infradead.org> khugepaged: remove hpage from collapse_file() Matthew Wilcox (Oracle) <willy(a)infradead.org> khugepaged: convert alloc_charge_hpage to alloc_charge_folio Matthew Wilcox (Oracle) <willy(a)infradead.org> khugepaged: inline hpage_collapse_alloc_folio() Matthew Wilcox (Oracle) <willy(a)infradead.org> mm/khugepaged: use a folio more in collapse_file() Matthew Wilcox (Oracle) <willy(a)infradead.org> mm: convert collapse_huge_page() to use a folio Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm/khugepaged: convert alloc_charge_hpage() to use folios Josh Poimboeuf <jpoimboe(a)kernel.org> cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed() Jordan Rome <linux(a)jordanrome.com> bpf: Fix iter/task tid filtering Maurizio Lombardi <mlombard(a)redhat.com> nvme-pci: fix race condition between reset and nvme_dev_disable() William Butler <wab(a)google.com> nvme-pci: set doorbell config before unquiescing Andrea Parri <parri.andrea(a)gmail.com> riscv, bpf: Make BPF_CMPXCHG fully ordered Michal Luczaj <mhal(a)rbox.co> bpf, vsock: Drop static vsock_bpf_prot initialization Michal Luczaj <mhal(a)rbox.co> vsock: Update msg_count on read_skb() Michal Luczaj <mhal(a)rbox.co> vsock: Update rx_bytes on read_skb() Michal Luczaj <mhal(a)rbox.co> bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Unregister notifier on eswitch init failure Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix command bitmask initialization Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Check for invalid vector index on EQ creation Daniel Borkmann <daniel(a)iogearbox.net> vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame Ye Bin <yebin10(a)huawei.com> Bluetooth: bnep: fix wild-memory-access in proto_unregister Tyrone Wu <wudevelops(a)gmail.com> bpf: Fix link info netfilter flags to populate defrag flag Heiko Carstens <hca(a)linux.ibm.com> s390: Initialize psw mask in perf_arch_fetch_caller_regs() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> usb: typec: altmode should keep reference to parent Paulo Alcantara <pc(a)manguebit.com> smb: client: fix OOBs when building SMB2_IOCTL request Su Hui <suhui(a)nfschina.com> smb: client: fix possible double free in smb2_set_ea() Wang Hai <wanghai38(a)huawei.com> scsi: target: core: Fix null-ptr-deref in target_alloc_device() Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: ravb: Only advertise Rx/Tx timestamps if hardware supports it Gal Pressman <gal(a)nvidia.com> ravb: Remove setting of RX software timestamp Eric Dumazet <edumazet(a)google.com> genetlink: hold RCU in genlmsg_mcast() Peter Rashleigh <peter(a)rashleigh.ca> net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361 Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Wang Hai <wanghai38(a)huawei.com> net: bcmasp: fix potential memory leak in bcmasp_xmit() Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: don't always program merge_3d block Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> irqchip/renesas-rzg2l: Fix missing put_device Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> irqchip/renesas-rzg2l: Add support for suspend to RAM Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> irqchip/renesas-rzg2l: Document structure members Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> irqchip/renesas-rzg2l: Align struct member names to tabs Wang Hai <wanghai38(a)huawei.com> net: systemport: fix potential memory leak in bcm_sysport_xmit() Dimitar Kanaliev <dimitar.kanaliev(a)siteground.com> bpf: Fix truncation bug in coerce_reg_to_size_sx() Wang Hai <wanghai38(a)huawei.com> net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() Li RongQing <lirongqing(a)baidu.com> net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Wang Hai <wanghai38(a)huawei.com> net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Eric Dumazet <edumazet(a)google.com> netdevsim: use cond_resched() in nsim_dev_trap_report_work() Sabrina Dubroca <sd(a)queasysnail.net> macsec: don't increment counters for an unrelated SA Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring Colin Ian King <colin.i.king(a)gmail.com> octeontx2-af: Fix potential integer overflows on integer shifts Paritosh Dixit <paritoshd(a)nvidia.com> net: stmmac: dwmac-tegra: Fix link bring-up sequence Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix race in probe failure Kai Shen <KaiShen(a)linux.alibaba.com> net/smc: Fix memory leak when using percpu refs Justin Chen <justin.chen(a)broadcom.com> firmware: arm_scmi: Queue in scmi layer for mailbox implementation Douglas Anderson <dianders(a)chromium.org> drm/msm: Allocate memory for disp snapshot with kvzalloc() Douglas Anderson <dianders(a)chromium.org> drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: improve/fix dsc pclk calculation Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: make sure phys resources are properly initialized Pranjal Ramajor Asha Kanojiya <quic_pkanojiy(a)quicinc.com> accel/qaic: Fix the for loop used to walk SG table Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix the GID table length Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Update the BAR offsets Bhargava Chenna Marreddy <bhargava.marreddy(a)broadcom.com> RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return more meaningful error Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix out of bound check Abhishek Mohapatra <abhishek.mohapatra(a)broadcom.com> RDMA/bnxt_re: Fix the max CQ WQEs for older adapters Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Support new 5760X P7 devices Xin Long <lucien.xin(a)gmail.com> ipv4: give an IPv4 dev to blackhole_netdev Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Make slab cache names unique Alexander Zubkov <green(a)qrator.net> RDMA/irdma: Fix misspelling of "accept*" Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Su Hui <suhui(a)nfschina.com> firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup() Murad Masimov <m.masimov(a)maxima.ru> ALSA: hda/cs8409: Fix possible NULL dereference Waiman Long <longman(a)redhat.com> sched/core: Disable page allocation in task_tick_mm_cid() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> task_work: Add TWA_NMI_CURRENT as an additional notify mode. Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix cross-compiling urandom_read Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: {admv4420,adrf6780}: format Kconfig entries Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: fix kfunc btf caching for modules Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Handle PCI error codes other than 0x3a Tyrone Wu <wudevelops(a)gmail.com> selftests/bpf: fix perf_event link info name_len assertion Jiri Olsa <jolsa(a)kernel.org> selftests/bpf: Add cookies check for perf_event fill_link_info test Jiri Olsa <jolsa(a)kernel.org> selftests/bpf: Use bpf_link__destroy in fill_link_info tests Tyrone Wu <wudevelops(a)gmail.com> bpf: fix unpopulated name_len field in perf_event link info Jiri Olsa <jolsa(a)kernel.org> bpf: Add cookie to perf_event bpf_link_info records Jiri Olsa <jolsa(a)kernel.org> bpf: Add missed value to kprobe perf link info Florian Klink <flokli(a)flokli.de> ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Martin Kletzander <nert.pinx(a)gmail.com> x86/resctrl: Avoid overflow in MB settings in bw_validate() Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/core: Fix ENODEV error for iWARP test over vlan Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Add a check for memory allocation Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix a possible memory leak Jiri Olsa <jolsa(a)kernel.org> bpf: Fix memory leak in bpf_core_apply Timo Grautstueck <timo.grautstueck(a)web.de> lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW Dhananjay Ugwekar <Dhananjay.Ugwekar(a)amd.com> cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory systems Florian Kauer <florian.kauer(a)linutronix.de> bpf: devmap: provide rxq after redirect Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Mikhail Lobanov <m.lobanov(a)rosalinux.ru> iio: accel: bma400: Fix uninitialized variable field_value in tap event handling. ------------- Diffstat: .../bindings/sound/davinci-mcasp-audio.yaml | 18 +- Makefile | 4 +- arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 +- arch/arm64/Makefile | 2 +- arch/arm64/kvm/arm.c | 3 + arch/arm64/kvm/sys_regs.c | 2 +- arch/arm64/kvm/vgic/vgic-init.c | 6 +- arch/loongarch/include/asm/bootinfo.h | 4 + arch/loongarch/include/asm/kasan.h | 2 +- arch/loongarch/kernel/process.c | 14 +- arch/loongarch/kernel/setup.c | 3 +- arch/loongarch/kernel/traps.c | 5 + arch/riscv/net/bpf_jit_comp64.c | 4 +- arch/s390/include/asm/perf_event.h | 1 + arch/s390/pci/pci_event.c | 17 +- arch/x86/Kconfig | 1 + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 +- arch/x86/kvm/svm/nested.c | 6 +- block/blk-map.c | 4 +- drivers/accel/qaic/qaic_control.c | 2 +- drivers/accel/qaic/qaic_data.c | 6 +- drivers/acpi/button.c | 11 + drivers/acpi/cppc_acpi.c | 116 +++++++++ drivers/acpi/prmt.c | 29 ++- drivers/acpi/resource.c | 7 + drivers/ata/libata-eh.c | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/cpufreq/amd-pstate.c | 10 + drivers/cpufreq/cppc_cpufreq.c | 139 ++--------- drivers/firmware/arm_scmi/driver.c | 4 +- drivers/firmware/arm_scmi/mailbox.c | 32 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +- .../drm/amd/display/modules/power/power_helpers.c | 2 + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 17 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 2 +- drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 4 +- drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +- drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 + drivers/iio/accel/bma400_core.c | 3 +- drivers/iio/adc/Kconfig | 2 + drivers/iio/frequency/Kconfig | 31 +-- drivers/infiniband/core/addr.c | 2 + drivers/infiniband/hw/bnxt_re/hw_counters.c | 6 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 48 ++-- drivers/infiniband/hw/bnxt_re/main.c | 42 ++-- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 4 +- drivers/infiniband/hw/bnxt_re/qplib_res.c | 23 +- drivers/infiniband/hw/bnxt_re/qplib_res.h | 20 +- drivers/infiniband/hw/bnxt_re/qplib_sp.c | 22 +- drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 + drivers/infiniband/hw/cxgb4/cm.c | 9 +- drivers/infiniband/hw/irdma/cm.c | 2 +- drivers/infiniband/ulp/srpt/ib_srpt.c | 80 ++++++- drivers/irqchip/irq-renesas-rzg2l.c | 94 ++++++-- drivers/net/dsa/mv88e6xxx/chip.c | 2 +- drivers/net/dsa/mv88e6xxx/chip.h | 6 +- drivers/net/dsa/mv88e6xxx/port.c | 1 + drivers/net/dsa/mv88e6xxx/ptp.c | 108 ++++++--- drivers/net/ethernet/aeroflex/greth.c | 3 +- drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 + drivers/net/ethernet/broadcom/bcmsysport.c | 1 + drivers/net/ethernet/emulex/benet/be_main.c | 10 +- drivers/net/ethernet/freescale/fman/mac.c | 68 ++++-- drivers/net/ethernet/freescale/fman/mac.h | 6 +- drivers/net/ethernet/i825xx/sun3_82586.c | 1 + drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 82 +++++-- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 4 +- drivers/net/ethernet/renesas/ravb_main.c | 25 +- drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 18 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 + drivers/net/hyperv/netvsc_drv.c | 30 +++ drivers/net/macsec.c | 18 -- drivers/net/netdevsim/dev.c | 15 +- drivers/net/phy/dp83822.c | 4 +- drivers/net/plip/plip.c | 2 +- drivers/net/usb/usbnet.c | 4 +- drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +- drivers/net/wwan/wwan_core.c | 2 +- drivers/nvme/host/pci.c | 21 +- drivers/platform/x86/dell/dell-wmi-base.c | 9 + drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 + drivers/powercap/dtpm_devfreq.c | 2 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_user.c | 2 +- drivers/usb/dwc3/core.c | 19 ++ drivers/usb/dwc3/core.h | 3 + drivers/usb/gadget/function/f_uac2.c | 13 +- drivers/usb/host/xhci-caps.h | 85 +++++++ drivers/usb/host/xhci-dbgcap.h | 2 +- drivers/usb/host/xhci-dbgtty.c | 71 ++++-- drivers/usb/host/xhci-port.h | 176 ++++++++++++++ drivers/usb/host/xhci.h | 262 +-------------------- drivers/usb/typec/class.c | 3 + fs/btrfs/block-group.c | 2 + fs/btrfs/dir-item.c | 4 +- fs/btrfs/inode.c | 7 +- fs/exec.c | 21 +- fs/jfs/jfs_dmap.c | 2 +- fs/nfsd/nfs4state.c | 2 +- fs/nilfs2/page.c | 6 +- fs/open.c | 2 + fs/smb/client/fs_context.c | 7 + fs/smb/client/reparse.c | 23 ++ fs/smb/client/smb2ops.c | 3 +- fs/smb/client/smb2pdu.c | 9 + fs/udf/balloc.c | 38 ++- fs/udf/directory.c | 23 +- fs/udf/inode.c | 202 ++++++++++------ fs/udf/partition.c | 6 +- fs/udf/super.c | 3 +- fs/udf/truncate.c | 43 +++- fs/udf/udfdecl.h | 15 +- include/acpi/cppc_acpi.h | 2 + include/linux/bpf.h | 14 +- include/linux/memcontrol.h | 14 -- include/linux/netdevice.h | 12 + include/linux/task_work.h | 6 +- include/linux/trace_events.h | 6 +- include/net/bluetooth/bluetooth.h | 1 + include/net/genetlink.h | 3 +- include/net/sock.h | 5 + include/net/xfrm.h | 29 ++- include/trace/events/huge_memory.h | 10 +- include/uapi/linux/bpf.h | 20 +- include/uapi/linux/xfrm.h | 6 + kernel/bpf/btf.c | 1 + kernel/bpf/devmap.c | 11 +- kernel/bpf/helpers.c | 10 +- kernel/bpf/ringbuf.c | 2 +- kernel/bpf/syscall.c | 49 ++-- kernel/bpf/task_iter.c | 2 +- kernel/bpf/verifier.c | 99 ++++---- kernel/sched/core.c | 4 +- kernel/task_work.c | 41 +++- kernel/time/posix-clock.c | 6 +- kernel/trace/bpf_trace.c | 11 +- kernel/trace/trace.c | 1 + kernel/trace/trace_eprobe.c | 15 +- kernel/trace/trace_fprobe.c | 65 +++-- kernel/trace/trace_kprobe.c | 78 ++++-- kernel/trace/trace_probe.c | 189 +++++++++++++-- kernel/trace/trace_probe.h | 30 ++- kernel/trace/trace_probe_tmpl.h | 10 +- kernel/trace/trace_uprobe.c | 114 +++++---- lib/Kconfig.debug | 2 +- mm/khugepaged.c | 127 +++++----- net/bluetooth/af_bluetooth.c | 22 ++ net/bluetooth/bnep/core.c | 3 +- net/bluetooth/iso.c | 18 +- net/bluetooth/sco.c | 18 +- net/core/filter.c | 50 ++-- net/core/sock_map.c | 8 + net/ipv4/devinet.c | 35 ++- net/ipv4/inet_connection_sock.c | 21 +- net/ipv4/xfrm4_policy.c | 38 ++- net/ipv6/xfrm6_policy.c | 31 +-- net/l2tp/l2tp_netlink.c | 4 +- net/netfilter/nf_bpf_link.c | 7 +- net/netfilter/xt_NFLOG.c | 2 +- net/netfilter/xt_TRACE.c | 1 + net/netfilter/xt_mark.c | 2 +- net/netlink/genetlink.c | 28 +-- net/sched/act_api.c | 23 +- net/sched/sch_generic.c | 17 +- net/sched/sch_taprio.c | 21 +- net/smc/smc_pnet.c | 2 +- net/smc/smc_wr.c | 6 +- net/vmw_vsock/virtio_transport_common.c | 14 +- net/vmw_vsock/vsock_bpf.c | 8 - net/wireless/nl80211.c | 8 +- net/xfrm/xfrm_compat.c | 7 +- net/xfrm/xfrm_device.c | 17 +- net/xfrm/xfrm_policy.c | 50 +++- net/xfrm/xfrm_replay.c | 3 +- net/xfrm/xfrm_state.c | 8 + net/xfrm/xfrm_user.c | 148 +++++++++++- security/selinux/selinuxfs.c | 30 +-- sound/firewire/amdtp-stream.c | 3 + sound/pci/hda/Kconfig | 2 +- sound/pci/hda/patch_cs8409.c | 5 +- sound/pci/hda/patch_realtek.c | 48 ++-- sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/lpass-rx-macro.c | 2 +- sound/soc/codecs/max98388.c | 1 + sound/soc/fsl/fsl_micfil.c | 43 +++- sound/soc/fsl/fsl_sai.c | 5 +- sound/soc/fsl/fsl_sai.h | 1 + sound/soc/loongson/loongson_card.c | 1 + sound/soc/qcom/lpass-cpu.c | 2 + sound/soc/qcom/sm8250.c | 1 + sound/soc/sh/rcar/core.c | 7 +- tools/include/uapi/linux/bpf.h | 7 + tools/testing/selftests/bpf/Makefile | 2 +- .../selftests/bpf/prog_tests/fill_link_info.c | 69 ++++-- .../bpf/progs/verifier_helper_value_access.c | 8 +- .../selftests/bpf/progs/verifier_raw_stack.c | 2 +- .../ftrace/test.d/dynevent/fprobe_syntax_errors.tc | 4 + .../ftrace/test.d/kprobe/kprobe_syntax_errors.tc | 2 + 208 files changed, 2889 insertions(+), 1471 deletions(-)

10 months, 4 weeks

14
223
0 0

[PATCH 6.11 000/261] 6.11.6-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.6 release. There are 261 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 30 Oct 2024 06:22:39 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.6-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.6-rc1 Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: Select missing common Soundwire module code on SDM845 Dan Carpenter <dan.carpenter(a)linaro.org> ACPI: PRM: Clean up guid type in struct prm_handler_info Armin Wolf <W_Armin(a)gmx.de> platform/x86: dell-wmi: Ignore suspend notifications Linus Torvalds <torvalds(a)linux-foundation.org> x86: fix user address masking non-canonical speculation issue Linus Torvalds <torvalds(a)linux-foundation.org> x86: fix whitespace in runtime-const assembler output Linus Torvalds <torvalds(a)linux-foundation.org> x86: support user address masking instead of non-speculative conditional Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> soundwire: intel_ace2x: Send PDI stream number during prepare Dominique Martinet <asmadeus(a)codewreck.org> Revert "fs/9p: simplify iget to remove unnecessary paths" Dominique Martinet <asmadeus(a)codewreck.org> Revert "fs/9p: fix uaf in in v9fs_stat2inode_dotl" Dominique Martinet <asmadeus(a)codewreck.org> Revert "fs/9p: remove redundant pointer v9ses" Dominique Martinet <asmadeus(a)codewreck.org> Revert " fs/9p: mitigate inode collisions" Zichen Xie <zichenxie0106(a)gmail.com> ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sdm845: add missing soundwire runtime stream alloc Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc Benjamin Bara <benjamin.bara(a)skidata.com> ASoC: dapm: avoid container_of() to get component Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> ASoC: SOF: ipc4-topology: Do not set ALH node_id for aggregated DAIs Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> ASoC: SOF: Intel: hda: Always clean up link DMA during stop Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> ASoC: SOF: Intel: hda: Handle prepare without close for non-HDA DAI's Kai Vehmanen <kai.vehmanen(a)linux.intel.com> ASoC: SOF: Intel: hda-loader: do not wait for HDaudio IOC Niklas Cassel <cassel(a)kernel.org> ata: libata: Set DID_TIME_OUT for commands that actually timed out Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: temp w/a for DP Link Layer compliance Xinyu Zhang <xizhang(a)purestorage.com> block: fix sanity checks in blk_rq_map_user_bvec Olga Kornievskaia <okorniev(a)redhat.com> nfsd: fix race between laundromat and free_stateid Michel Alex <Alex.Michel(a)wiedemann-group.com> net: phy: dp83822: Fix reset pin definitions Steven Rostedt <rostedt(a)goodmis.org> fgraph: Change the name of cpuhp state to "fgraph:online" Li Huafei <lihuafei1(a)huawei.com> fgraph: Fix missing unlock in register_ftrace_graph() Vamsi Krishna Brahmajosyula <vamsikrishna.brahmajosyula(a)gmail.com> platform/x86/intel/pmc: Fix pmc_core_iounmap to call iounmap for valid addresses Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Abel Vesa <abel.vesa(a)linaro.org> drm/bridge: Fix assignment of the of_node of the parent to aux bridge Yu Kuai <yukuai3(a)huawei.com> md/raid10: fix null ptr dereference in raid10_size() Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Petr Vaganov <p.vaganov(a)ideco.ru> xfrm: fix one more kernel-infoleak in algo dumping Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN usable for variable cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Get correct cores_per_package for SMT systems José Relvas <josemonsantorelvas(a)gmail.com> ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Eric Biggers <ebiggers(a)google.com> ALSA: hda/tas2781: select CRC32 instead of CRC32_SARWATE Ashish Kalra <ashish.kalra(a)amd.com> x86/sev: Ensure that RMP table fixups are reserved Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/lam: Disable ADDRESS_MASKING in most cases Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: core: fix invalid port index for parent device Marc Zyngier <maz(a)kernel.org> KVM: arm64: Don't eagerly teardown the vgic on init error Ilkka Koskinen <ilkka(a)os.amperecomputing.com> KVM: arm64: Fix shift-out-of-bounds bug Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: Unregister redistributor for failed vCPU creation Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Aleksa Sarai <cyphar(a)cyphar.com> openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Darrick J. Wong <djwong(a)kernel.org> xfs: don't fail repairs on metadata files with no attr fork Christian Brauner <brauner(a)kernel.org> fs: don't try and remove empty rbtree node Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of buffer delay flag Shubham Panwar <shubiisp8(a)gmail.com> ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Koba Ko <kobak(a)nvidia.com> ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Christian Heusel <christian(a)heusel.eu> ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Guard against bad data for ATIF ACPI method Boris Burkov <boris(a)bur.io> btrfs: fix read corruption due to race with extent map merging Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix zone unusable accounting for freed reserved extent Qu Wenruo <wqu(a)suse.com> btrfs: reject ro->rw reconfiguration if there are hard ro requirements Dhananjay Ugwekar <Dhananjay.Ugwekar(a)amd.com> perf/x86/rapl: Fix the energy-pkg event for AMD CPUs Richard Gong <richard.gong(a)amd.com> x86/amd_nb: Add new PCI ID for AMD family 1Ah model 20h Richard Gong <richard.gong(a)amd.com> x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h-70h Yue Haibing <yuehaibing(a)huawei.com> btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item() Filipe Manana <fdmanana(a)suse.com> btrfs: clear force-compress on remount when compress mount option is given Qu Wenruo <wqu(a)suse.com> btrfs: qgroup: set a more sane default value for subtree drop threshold liwei <liwei728(a)huawei.com> cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> PCI/pwrctl: Abandon QCom WCN probe on pre-pwrseq device-trees Konrad Dybcio <konradybcio(a)kernel.org> PCI/pwrctl: Add WCN6855 support Ye Bin <yebin10(a)huawei.com> cifs: fix warning when destroy 'cifs_io_request_pool' Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Handle kstrdup failures for passwords Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Update default depop procedure Yang Erkun <yangerkun(a)huaweicloud.com> nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Yuan Can <yuancan(a)huawei.com> powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() Arnd Bergmann <arnd(a)arndb.de> fbdev: wm8505fb: select CONFIG_FB_IOMEM_FOPS Andrey Shumilin <shum.sdl(a)nppct.ru> ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Chancel Liu <chancel.liu(a)nxp.com> ASoC: fsl_micfil: Add a flag to distinguish with different volume control types Amir Goldstein <amir73il(a)gmail.com> fuse: update inode size after extending passthrough write Amir Goldstein <amir73il(a)gmail.com> fs: pass offset and result to backing_file end_write() callback Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> PCI: Hold rescan lock while adding devices during host probe Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> ASoC: rsnd: Fix probe failure on HiHope boards due to endpoint parsing Colin Ian King <colin.i.king(a)gmail.com> ASoC: max98388: Fix missing increment of variable slot_found Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ASoC: topology: Bump minimal topology ABI version Binbin Zhou <zhoubinbin(a)loongson.cn> ASoC: loongson: Fix component check failed on FDT systems Miquel Raynal <miquel.raynal(a)bootlin.com> ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties Miquel Raynal <miquel.raynal(a)bootlin.com> ASoC: dt-bindings: davinci-mcasp: Fix interrupts property Hou Tao <houtao1(a)huawei.com> bpf: Add the missing BPF_LINK_TYPE invocation for sockmap Shenghao Yang <me(a)shenghaoyang.info> net: dsa: mv88e6xxx: support 4000ps cycle counter period Shenghao Yang <me(a)shenghaoyang.info> net: dsa: mv88e6xxx: read cycle counter period from hardware Shenghao Yang <me(a)shenghaoyang.info> net: dsa: mv88e6xxx: group cycle counter coefficients Tim Harvey <tharvey(a)gateworks.com> net: dsa: microchip: disable EEE for KSZ879x/KSZ877x/KSZ876x Andrii Nakryiko <andrii(a)kernel.org> bpf: fix do_misc_fixups() for bpf_get_branch_snapshot() Jiri Olsa <jolsa(a)kernel.org> bpf,perf: Fix perf_event_detach_bpf_prog error handling Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix UAF on iso_sock_timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SCO: Fix UAF on sco_sock_timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Disable works on hci_unregister_dev Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Heiner Kallweit <hkallweit1(a)gmail.com> r8169: avoid unsolicited interrupts Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: use RCU read-side critical section in taprio_dump() Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: fix use-after-free in taprio_change() Vladimir Oltean <vladimir.oltean(a)nxp.com> net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers Daniel Borkmann <daniel(a)iogearbox.net> bpf: Remove MEM_UNINIT from skb/xdp MTU helpers Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix overloading of MEM_UNINIT's meaning Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add MEM_WRITE attribute Hou Tao <houtao1(a)huawei.com> bpf: Preserve param->string when parsing mount options Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix name regression Yuan Can <yuancan(a)huawei.com> mlxsw: spectrum_router: fix xa_store() error checking Michael S. Tsirkin <mst(a)redhat.com> virtio_net: fix integer overflow in stats Eric Dumazet <edumazet(a)google.com> net: fix races in netdev_tx_sent_queue()/dev_watchdog() Lin Ma <linma(a)zju.edu.cn> net: wwan: fix global oob in wwan_rtnl_policy Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: xtables: fix typo causing some targets not to load on IPv6 Aleksandr Mishin <amishin(a)t-argos.ru> fsl/fman: Fix refcount handling of fman-related devices Aleksandr Mishin <amishin(a)t-argos.ru> fsl/fman: Save device references taken in mac_probe() Peter Collingbourne <pcc(a)google.com> bpf, arm64: Fix address emission with tag-based KASAN enabled Peter Rashleigh <peter(a)rashleigh.ca> net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Aleksandr Mishin <amishin(a)t-argos.ru> octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() Aleksandr Mishin <amishin(a)t-argos.ru> octeon_ep: Implement helper for iterating packets in Rx queue Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: replace ptp_lock with irqsave variant Jakub Boehm <boehm.jakub(a)gmail.com> net: plip: fix break; causing plip to never transmit Wang Hai <wanghai38(a)huawei.com> be2net: fix potential memory leak in be_xmit() Wang Hai <wanghai38(a)huawei.com> net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Kory Maincent <kory.maincent(a)bootlin.com> net: pse-pd: Fix out of bound for loop Florian Westphal <fw(a)strlen.de> netfilter: bpf: must hold reference on net namespace Sabrina Dubroca <sd(a)queasysnail.net> xfrm: validate new SA's prefixlen using SA family when sel.family is unset Eyal Birger <eyal.birger(a)gmail.com> xfrm: respect ip protocols rules criteria when performing dst lookups Eyal Birger <eyal.birger(a)gmail.com> xfrm: extract dst lookup parameters into a struct Leo Yan <leo.yan(a)arm.com> tracing: Consider the NULL character when validating the event length Mikel Rychliski <mikel(a)mikelr.com> tracing/probes: Fix MAX_TRACE_ARGS limit handling Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: Fix sanity check in dbMount Viktor Malik <vmalik(a)redhat.com> objpool: fix choosing allocation for percpu slots Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> LoongArch: Don't crash in stack_top() for tasks without vDSO Crag Wang <crag_wang(a)dell.com> platform/x86: dell-sysman: add support for alienware products Pali Rohár <pali(a)kernel.org> cifs: Validate content of NFS reparse point buffer Gustavo Sousa <gustavo.sousa(a)intel.com> drm/xe/mcr: Use Xe2_LPM steering tables for Xe2_HPM Jan Kara <jack(a)suse.cz> fsnotify: Avoid data race between fsnotify_recalc_mask() and fsnotify_object_watched() Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Gianfranco Trad <gianf.trad(a)gmail.com> udf: fix uninit-value use in udf_get_fileshortad Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor inode_bmap() to handle error Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor udf_next_aext() to handle error Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor udf_current_aext() to handle error Mark Rutland <mark.rutland(a)arm.com> arm64: Force position-independent veneers Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values David Lawrence Glanzman <davidglanzman(a)yahoo.com> ASoC: amd: yc: Add quirk for HP Dragonfly pro one Hans de Goede <hdegoede(a)redhat.com> drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Qiao Ma <mqaio(a)linux.alibaba.com> uprobe: avoid out-of-bounds memory access of fetching args Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: honor usb transfer size boundaries. Jiri Slaby (SUSE) <jirislaby(a)kernel.org> xhci: dbgtty: use kfifo from tty_port struct Jiri Slaby (SUSE) <jirislaby(a)kernel.org> xhci: dbgtty: remove kfifo_out() wrapper Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig David Hildenbrand <david(a)redhat.com> mm: don't install PMD mappings when THPs are disabled by the hw/process/vma Kefeng Wang <wangkefeng.wang(a)huawei.com> mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: shmem: move shmem_huge_global_enabled() into shmem_allowable_huge_orders() Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: shmem: rename shmem_is_huge() to shmem_huge_global_enabled() Steven Rostedt <rostedt(a)goodmis.org> fgraph: Allocate ret_stack_list with proper size Josh Poimboeuf <jpoimboe(a)kernel.org> cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed() Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix print_reg_state's constant scalar dump Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix incorrect delta propagation between linked registers Jordan Rome <linux(a)jordanrome.com> bpf: Fix iter/task tid filtering Maurizio Lombardi <mlombard(a)redhat.com> nvme-pci: fix race condition between reset and nvme_dev_disable() Andrea Parri <parri.andrea(a)gmail.com> riscv, bpf: Make BPF_CMPXCHG fully ordered Michal Luczaj <mhal(a)rbox.co> bpf, vsock: Drop static vsock_bpf_prot initialization Michal Luczaj <mhal(a)rbox.co> vsock: Update msg_count on read_skb() Michal Luczaj <mhal(a)rbox.co> vsock: Update rx_bytes on read_skb() Michal Luczaj <mhal(a)rbox.co> bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Don't call cleanup on profile rollback failure Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Unregister notifier on eswitch init failure Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix command bitmask initialization Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Check for invalid vector index on EQ creation Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix memory corruption during fq dma init Daniel Borkmann <daniel(a)iogearbox.net> vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame Ye Bin <yebin10(a)huawei.com> Bluetooth: bnep: fix wild-memory-access in proto_unregister Tyrone Wu <wudevelops(a)gmail.com> bpf: Fix link info netfilter flags to populate defrag flag Matthew Brost <matthew.brost(a)intel.com> drm/xe: Use bookkeep slots for external BO's in exec IOCTL Matthew Brost <matthew.brost(a)intel.com> drm/xe: Don't free job in TDR Matthew Brost <matthew.brost(a)intel.com> drm/xe: Take job list lock in xe_sched_add_pending_job Matthew Auld <matthew.auld(a)intel.com> drm/xe: fix unbalanced rpm put() with declare_wedged() Matthew Auld <matthew.auld(a)intel.com> drm/xe: fix unbalanced rpm put() with fence_fini() Heiko Carstens <hca(a)linux.ibm.com> s390: Initialize psw mask in perf_arch_fetch_caller_regs() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> usb: typec: altmode should keep reference to parent Paulo Alcantara <pc(a)manguebit.com> smb: client: fix OOBs when building SMB2_IOCTL request Su Hui <suhui(a)nfschina.com> smb: client: fix possible double free in smb2_set_ea() Wang Hai <wanghai38(a)huawei.com> scsi: target: core: Fix null-ptr-deref in target_alloc_device() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: vsc73xx: fix reception from VLAN-unaware bridges Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: ravb: Only advertise Rx/Tx timestamps if hardware supports it Gal Pressman <gal(a)nvidia.com> ravb: Remove setting of RX software timestamp Eric Dumazet <edumazet(a)google.com> genetlink: hold RCU in genlmsg_mcast() Peter Rashleigh <peter(a)rashleigh.ca> net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361 Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Rob Clark <robdclark(a)chromium.org> drm/msm/a6xx+: Insert a fence wait before SMMU table update Wang Hai <wanghai38(a)huawei.com> net: bcmasp: fix potential memory leak in bcmasp_xmit() Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: don't always program merge_3d block Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: Don't always set merge_3d pending flush Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> irqchip/renesas-rzg2l: Fix missing put_device Wang Hai <wanghai38(a)huawei.com> net: systemport: fix potential memory leak in bcm_sysport_xmit() Dimitar Kanaliev <dimitar.kanaliev(a)siteground.com> bpf: Fix truncation bug in coerce_reg_to_size_sx() Wang Hai <wanghai38(a)huawei.com> net: ethernet: rtsn: fix potential memory leak in rtsn_start_xmit() Wang Hai <wanghai38(a)huawei.com> net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() Li RongQing <lirongqing(a)baidu.com> net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Wang Hai <wanghai38(a)huawei.com> net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Eric Dumazet <edumazet(a)google.com> netdevsim: use cond_resched() in nsim_dev_trap_report_work() Sabrina Dubroca <sd(a)queasysnail.net> macsec: don't increment counters for an unrelated SA Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring Petr Pavlu <petr.pavlu(a)suse.com> ring-buffer: Fix reader locking when changing the sub buffer order Colin Ian King <colin.i.king(a)gmail.com> octeontx2-af: Fix potential integer overflows on integer shifts Paritosh Dixit <paritoshd(a)nvidia.com> net: stmmac: dwmac-tegra: Fix link bring-up sequence Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix race in probe failure Jean Delvare <jdelvare(a)suse.de> [PATCH} hwmon: (jc42) Properly detect TSE2004-compliant devices again Kai Shen <KaiShen(a)linux.alibaba.com> net/smc: Fix memory leak when using percpu refs Justin Chen <justin.chen(a)broadcom.com> firmware: arm_scmi: Queue in scmi layer for mailbox implementation Douglas Anderson <dianders(a)chromium.org> drm/msm: Allocate memory for disp snapshot with kvzalloc() Douglas Anderson <dianders(a)chromium.org> drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: improve/fix dsc pclk calculation Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: move CRTC resource assignment to dpu_encoder_virt_atomic_check Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: make sure phys resources are properly initialized Cong Yang <yangcong5(a)huaqin.corp-partner.google.com> drm/panel: himax-hx83102: Adjust power and gamma to optimize brightness Pranjal Ramajor Asha Kanojiya <quic_pkanojiy(a)quicinc.com> accel/qaic: Fix the for loop used to walk SG table Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix the GID table length Bhargava Chenna Marreddy <bhargava.marreddy(a)broadcom.com> RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Chandramohan Akula <chandramohan.akula(a)broadcom.com> RDMA/bnxt_re: Change the sequence of updating the CQ toggle value Hongguang Gao <hongguang.gao(a)broadcom.com> RDMA/bnxt_re: Get the toggle bits from SRQ events Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return more meaningful error Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Fix incorrect dereference of srq in async event Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix out of bound check Abhishek Mohapatra <abhishek.mohapatra(a)broadcom.com> RDMA/bnxt_re: Fix the max CQ WQEs for older adapters Daniel Machon <daniel.machon(a)microchip.com> net: sparx5: fix source port register when mirroring Xin Long <lucien.xin(a)gmail.com> ipv4: give an IPv4 dev to blackhole_netdev Breno Leitao <leitao(a)debian.org> elevator: Remove argument from elevator_find_get Breno Leitao <leitao(a)debian.org> elevator: do not request_module if elevator exists Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Make slab cache names unique Alexander Zubkov <green(a)qrator.net> RDMA/irdma: Fix misspelling of "accept*" Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Su Hui <suhui(a)nfschina.com> firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup() Murad Masimov <m.masimov(a)maxima.ru> ALSA: hda/cs8409: Fix possible NULL dereference Waiman Long <longman(a)redhat.com> sched/core: Disable page allocation in task_tick_mm_cid() Tyrone Wu <wudevelops(a)gmail.com> bpf: Fix unpopulated path_size when uprobe_multi fields unset Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix cross-compiling urandom_read Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: {admv4420,adrf6780}: format Kconfig entries Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: fix kfunc btf caching for modules Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Handle PCI error codes other than 0x3a Pu Lehui <pulehui(a)huawei.com> riscv, bpf: Fix possible infinite tailcall when CONFIG_CFI_CLANG is enabled Tyrone Wu <wudevelops(a)gmail.com> selftests/bpf: fix perf_event link info name_len assertion Tyrone Wu <wudevelops(a)gmail.com> bpf: fix unpopulated name_len field in perf_event link info Hou Tao <houtao1(a)huawei.com> bpf: Check the remaining info_cnt before repeating btf fields Yao Zi <ziyao(a)disroot.org> clk: rockchip: fix finding of maximum clock ID Florian Klink <flokli(a)flokli.de> ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Martin Kletzander <nert.pinx(a)gmail.com> x86/resctrl: Avoid overflow in MB settings in bw_validate() Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/core: Fix ENODEV error for iWARP test over vlan Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Add a check for memory allocation Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix a possible memory leak Jiri Olsa <jolsa(a)kernel.org> bpf: Fix memory leak in bpf_core_apply Timo Grautstueck <timo.grautstueck(a)web.de> lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW Dhananjay Ugwekar <Dhananjay.Ugwekar(a)amd.com> cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory systems Florian Kauer <florian.kauer(a)linutronix.de> bpf: devmap: provide rxq after redirect Andrew Jones <ajones(a)ventanamicro.com> irqchip/riscv-imsic: Fix output text of base address Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Eduard Zingerman <eddyz87(a)gmail.com> bpf: sync_linked_regs() must preserve subreg_def Changhuang Liang <changhuang.liang(a)starfivetech.com> reset: starfive: jh71x0: Fix accessing the empty member on JH7110 SoC Mikhail Lobanov <m.lobanov(a)rosalinux.ru> iio: accel: bma400: Fix uninitialized variable field_value in tap event handling. Wander Lairson Costa <wander.lairson(a)gmail.com> bpf: Use raw_spinlock_t in ringbuf ------------- Diffstat: .../bindings/sound/davinci-mcasp-audio.yaml | 18 +- Makefile | 4 +- arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 +- arch/arm64/Makefile | 2 +- arch/arm64/kvm/arm.c | 3 + arch/arm64/kvm/sys_regs.c | 2 +- arch/arm64/kvm/vgic/vgic-init.c | 28 ++- arch/arm64/net/bpf_jit_comp.c | 12 +- arch/loongarch/include/asm/bootinfo.h | 4 + arch/loongarch/include/asm/kasan.h | 2 +- arch/loongarch/kernel/process.c | 14 +- arch/loongarch/kernel/setup.c | 3 +- arch/loongarch/kernel/traps.c | 5 + arch/riscv/net/bpf_jit_comp64.c | 8 +- arch/s390/include/asm/perf_event.h | 1 + arch/s390/pci/pci_event.c | 17 +- arch/x86/Kconfig | 1 + arch/x86/events/rapl.c | 47 ++++- arch/x86/include/asm/runtime-const.h | 4 +- arch/x86/include/asm/uaccess_64.h | 45 +++-- arch/x86/kernel/amd_nb.c | 6 + arch/x86/kernel/cpu/common.c | 10 + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 ++- arch/x86/kernel/vmlinux.lds.S | 1 + arch/x86/kvm/svm/nested.c | 6 +- arch/x86/lib/getuser.S | 9 +- arch/x86/virt/svm/sev.c | 2 + block/blk-map.c | 4 +- block/elevator.c | 17 +- drivers/accel/qaic/qaic_control.c | 2 +- drivers/accel/qaic/qaic_data.c | 6 +- drivers/acpi/button.c | 11 ++ drivers/acpi/cppc_acpi.c | 22 ++- drivers/acpi/prmt.c | 29 ++- drivers/acpi/resource.c | 7 + drivers/ata/libata-eh.c | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/clk/rockchip/clk.c | 2 +- drivers/cpufreq/amd-pstate.c | 10 + drivers/firewire/core-topology.c | 2 +- drivers/firmware/arm_scmi/driver.c | 4 +- drivers/firmware/arm_scmi/mailbox.c | 32 ++-- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 13 ++ .../drm/amd/display/modules/power/power_helpers.c | 2 + drivers/gpu/drm/bridge/aux-bridge.c | 3 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 16 +- drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 20 +- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 68 ++++--- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 7 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 5 +- drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 4 +- drivers/gpu/drm/panel/panel-himax-hx83102.c | 12 +- drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +- drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 + drivers/gpu/drm/xe/xe_device.c | 4 +- drivers/gpu/drm/xe/xe_exec.c | 12 +- drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 + drivers/gpu/drm/xe/xe_gt_mcr.c | 2 +- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 29 ++- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h | 1 - drivers/gpu/drm/xe/xe_guc_submit.c | 7 +- drivers/gpu/drm/xe/xe_vm.c | 8 +- drivers/hwmon/jc42.c | 2 +- drivers/iio/accel/bma400_core.c | 3 +- drivers/iio/adc/Kconfig | 2 + drivers/iio/frequency/Kconfig | 31 ++-- drivers/infiniband/core/addr.c | 2 + drivers/infiniband/hw/bnxt_re/hw_counters.c | 2 +- drivers/infiniband/hw/bnxt_re/ib_verbs.h | 1 + drivers/infiniband/hw/bnxt_re/main.c | 29 ++- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 16 ++ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 3 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 +-- drivers/infiniband/hw/bnxt_re/qplib_sp.c | 11 +- drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 + drivers/infiniband/hw/cxgb4/cm.c | 9 +- drivers/infiniband/hw/irdma/cm.c | 2 +- drivers/infiniband/ulp/srpt/ib_srpt.c | 80 ++++++-- drivers/irqchip/irq-renesas-rzg2l.c | 16 +- drivers/irqchip/irq-riscv-imsic-platform.c | 2 +- drivers/md/raid10.c | 7 +- drivers/net/dsa/microchip/ksz_common.c | 21 ++- drivers/net/dsa/mv88e6xxx/chip.c | 2 +- drivers/net/dsa/mv88e6xxx/chip.h | 6 +- drivers/net/dsa/mv88e6xxx/port.c | 1 + drivers/net/dsa/mv88e6xxx/ptp.c | 108 +++++++---- drivers/net/dsa/vitesse-vsc73xx-core.c | 1 - drivers/net/ethernet/aeroflex/greth.c | 3 +- drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 + drivers/net/ethernet/broadcom/bcmsysport.c | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 22 ++- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 70 ++++--- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 12 +- drivers/net/ethernet/emulex/benet/be_main.c | 10 +- drivers/net/ethernet/freescale/fman/mac.c | 68 +++++-- drivers/net/ethernet/freescale/fman/mac.h | 6 +- drivers/net/ethernet/i825xx/sun3_82586.c | 1 + drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 82 ++++++--- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +- .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 9 +- .../net/ethernet/microchip/sparx5/sparx5_mirror.c | 12 +- drivers/net/ethernet/realtek/r8169_main.c | 4 +- drivers/net/ethernet/renesas/ravb_main.c | 25 ++- drivers/net/ethernet/renesas/rtsn.c | 1 + drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 18 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 + drivers/net/hyperv/netvsc_drv.c | 30 +++ drivers/net/macsec.c | 18 -- drivers/net/netdevsim/dev.c | 15 +- drivers/net/phy/dp83822.c | 4 +- drivers/net/plip/plip.c | 2 +- drivers/net/pse-pd/pse_core.c | 4 +- drivers/net/usb/usbnet.c | 4 +- drivers/net/virtio_net.c | 2 +- drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +- drivers/net/wwan/wwan_core.c | 2 +- drivers/nvme/host/pci.c | 19 +- drivers/pci/probe.c | 2 + drivers/pci/pwrctl/pci-pwrctl-pwrseq.c | 58 +++++- drivers/platform/x86/dell/dell-wmi-base.c | 9 + drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 + drivers/platform/x86/intel/pmc/core_ssram.c | 4 +- drivers/powercap/dtpm_devfreq.c | 2 +- drivers/reset/starfive/reset-starfive-jh71x0.c | 3 + drivers/soundwire/intel_ace2x.c | 19 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_user.c | 2 +- drivers/usb/host/xhci-dbgcap.h | 2 +- drivers/usb/host/xhci-dbgtty.c | 71 ++++++-- drivers/usb/typec/class.c | 3 + drivers/video/fbdev/Kconfig | 1 + fs/9p/v9fs.h | 34 +++- fs/9p/v9fs_vfs.h | 2 +- fs/9p/vfs_inode.c | 129 ++++++++----- fs/9p/vfs_inode_dotl.c | 112 ++++++++---- fs/9p/vfs_super.c | 2 +- fs/backing-file.c | 8 +- fs/btrfs/block-group.c | 2 + fs/btrfs/dir-item.c | 4 +- fs/btrfs/disk-io.c | 2 +- fs/btrfs/extent_map.c | 31 ++-- fs/btrfs/inode.c | 7 +- fs/btrfs/qgroup.c | 2 +- fs/btrfs/qgroup.h | 2 + fs/btrfs/super.c | 12 +- fs/fuse/passthrough.c | 8 +- fs/jfs/jfs_dmap.c | 2 +- fs/namespace.c | 4 +- fs/nfsd/nfs4state.c | 50 ++++- fs/nfsd/state.h | 2 + fs/nilfs2/page.c | 6 +- fs/notify/fsnotify.c | 21 ++- fs/notify/inotify/inotify_user.c | 2 +- fs/notify/mark.c | 8 +- fs/open.c | 2 + fs/overlayfs/file.c | 9 +- fs/select.c | 4 +- fs/smb/client/cifsfs.c | 2 +- fs/smb/client/fs_context.c | 7 + fs/smb/client/reparse.c | 23 +++ fs/smb/client/smb2ops.c | 3 +- fs/smb/client/smb2pdu.c | 9 + fs/udf/balloc.c | 38 ++-- fs/udf/directory.c | 23 ++- fs/udf/inode.c | 202 ++++++++++++++------- fs/udf/partition.c | 6 +- fs/udf/super.c | 3 +- fs/udf/truncate.c | 43 ++++- fs/udf/udfdecl.h | 15 +- fs/xfs/scrub/repair.c | 8 +- include/linux/backing-file.h | 2 +- include/linux/bpf.h | 14 +- include/linux/bpf_types.h | 1 + include/linux/huge_mm.h | 18 ++ include/linux/netdevice.h | 12 ++ include/linux/shmem_fs.h | 11 +- include/linux/task_work.h | 5 +- include/linux/uaccess.h | 7 + include/net/bluetooth/bluetooth.h | 1 + include/net/genetlink.h | 3 +- include/net/sock.h | 5 + include/net/xfrm.h | 28 +-- include/uapi/linux/bpf.h | 16 +- include/uapi/sound/asoc.h | 2 +- kernel/bpf/btf.c | 15 +- kernel/bpf/devmap.c | 11 +- kernel/bpf/helpers.c | 10 +- kernel/bpf/inode.c | 5 +- kernel/bpf/log.c | 3 +- kernel/bpf/ringbuf.c | 14 +- kernel/bpf/syscall.c | 33 +++- kernel/bpf/task_iter.c | 2 +- kernel/bpf/verifier.c | 107 ++++++----- kernel/sched/core.c | 4 +- kernel/task_work.c | 15 +- kernel/time/posix-clock.c | 6 +- kernel/trace/bpf_trace.c | 42 ++--- kernel/trace/fgraph.c | 15 +- kernel/trace/ring_buffer.c | 44 +++-- kernel/trace/trace_eprobe.c | 7 +- kernel/trace/trace_fprobe.c | 6 +- kernel/trace/trace_kprobe.c | 6 +- kernel/trace/trace_probe.c | 2 +- kernel/trace/trace_uprobe.c | 13 +- lib/Kconfig.debug | 2 +- lib/objpool.c | 2 +- lib/strncpy_from_user.c | 9 + lib/strnlen_user.c | 9 + mm/huge_memory.c | 24 +-- mm/memory.c | 9 + mm/shmem.c | 55 +++--- net/bluetooth/af_bluetooth.c | 22 +++ net/bluetooth/bnep/core.c | 3 +- net/bluetooth/hci_core.c | 24 ++- net/bluetooth/hci_sync.c | 12 +- net/bluetooth/iso.c | 18 +- net/bluetooth/sco.c | 18 +- net/core/filter.c | 50 ++--- net/core/sock_map.c | 8 + net/ipv4/devinet.c | 35 +++- net/ipv4/inet_connection_sock.c | 21 ++- net/ipv4/xfrm4_policy.c | 38 ++-- net/ipv6/xfrm6_policy.c | 31 ++-- net/l2tp/l2tp_netlink.c | 4 +- net/netfilter/nf_bpf_link.c | 7 +- net/netfilter/xt_NFLOG.c | 2 +- net/netfilter/xt_TRACE.c | 1 + net/netfilter/xt_mark.c | 2 +- net/netlink/genetlink.c | 28 +-- net/sched/act_api.c | 23 ++- net/sched/sch_generic.c | 8 +- net/sched/sch_taprio.c | 21 ++- net/smc/smc_pnet.c | 2 +- net/smc/smc_wr.c | 6 +- net/vmw_vsock/virtio_transport_common.c | 14 +- net/vmw_vsock/vsock_bpf.c | 8 - net/wireless/nl80211.c | 8 +- net/xfrm/xfrm_device.c | 11 +- net/xfrm/xfrm_policy.c | 50 +++-- net/xfrm/xfrm_user.c | 10 +- sound/firewire/amdtp-stream.c | 3 + sound/pci/hda/Kconfig | 2 +- sound/pci/hda/patch_cs8409.c | 5 +- sound/pci/hda/patch_realtek.c | 48 ++--- sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/lpass-rx-macro.c | 2 +- sound/soc/codecs/max98388.c | 1 + sound/soc/fsl/fsl_micfil.c | 43 ++++- sound/soc/fsl/fsl_sai.c | 5 +- sound/soc/fsl/fsl_sai.h | 1 + sound/soc/loongson/loongson_card.c | 1 + sound/soc/qcom/Kconfig | 2 + sound/soc/qcom/lpass-cpu.c | 2 + sound/soc/qcom/sc7280.c | 10 +- sound/soc/qcom/sdm845.c | 7 +- sound/soc/qcom/sm8250.c | 1 + sound/soc/sh/rcar/core.c | 7 +- sound/soc/soc-dapm.c | 4 +- sound/soc/sof/intel/hda-dai-ops.c | 23 +-- sound/soc/sof/intel/hda-dai.c | 37 +++- sound/soc/sof/intel/hda-loader.c | 17 -- sound/soc/sof/ipc4-topology.c | 15 +- tools/include/uapi/linux/bpf.h | 3 + tools/testing/selftests/bpf/Makefile | 2 +- .../selftests/bpf/prog_tests/fill_link_info.c | 9 +- 275 files changed, 2655 insertions(+), 1271 deletions(-)

10 months, 4 weeks

16
277
0 0

[PATCH net] net: vertexcom: mse102x: Fix possible double free of TX skb

by Stefan Wahren

The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, also its pointer needs to be adjusted. Otherwise the already freed skb pointer would be freed again in mse102x_tx_work(), which leads to crashes: Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 Hardware name: chargebyte Charge SOM DC-ONE (DT) Workqueue: events mse102x_tx_work [mse102x] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_release_data+0xb8/0x1d8 lr : skb_release_data+0x1ac/0x1d8 sp : ffff8000819a3cc0 x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 x8 : fffffc00001bc008 x7 : 0000000000000000 x6 : 0000000000000008 x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 Call trace: skb_release_data+0xb8/0x1d8 kfree_skb_reason+0x48/0xb0 mse102x_tx_work+0x164/0x35c [mse102x] process_one_work+0x138/0x260 worker_thread+0x32c/0x438 kthread+0x118/0x11c ret_from_fork+0x10/0x20 Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660) Cc: stable(a)vger.kernel.org Fixes: 2f207cbf0dd4 ("net: vertexcom: Add MSE102x SPI support") Signed-off-by: Stefan Wahren <wahrenst(a)gmx.net> --- drivers/net/ethernet/vertexcom/mse102x.c | 34 ++++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c index a04d4073def9..8b9e700a1e63 100644 --- a/drivers/net/ethernet/vertexcom/mse102x.c +++ b/drivers/net/ethernet/vertexcom/mse102x.c @@ -216,7 +216,7 @@ static inline void mse102x_put_footer(struct sk_buff *skb) *footer = cpu_to_be16(DET_DFT); } -static int mse102x_tx_frame_spi(struct mse102x_net *mse, struct sk_buff *txp, +static int mse102x_tx_frame_spi(struct mse102x_net *mse, struct sk_buff **txp, unsigned int pad) { struct mse102x_net_spi *mses = to_mse102x_spi(mse); @@ -226,29 +226,29 @@ static int mse102x_tx_frame_spi(struct mse102x_net *mse, struct sk_buff *txp, int ret; netif_dbg(mse, tx_queued, mse->ndev, "%s: skb %p, %d@%p\n", - __func__, txp, txp->len, txp->data); + __func__, *txp, (*txp)->len, (*txp)->data); - if ((skb_headroom(txp) < DET_SOF_LEN) || - (skb_tailroom(txp) < DET_DFT_LEN + pad)) { - tskb = skb_copy_expand(txp, DET_SOF_LEN, DET_DFT_LEN + pad, + if ((skb_headroom(*txp) < DET_SOF_LEN) || + (skb_tailroom(*txp) < DET_DFT_LEN + pad)) { + tskb = skb_copy_expand(*txp, DET_SOF_LEN, DET_DFT_LEN + pad, GFP_KERNEL); if (!tskb) return -ENOMEM; - dev_kfree_skb(txp); - txp = tskb; + dev_kfree_skb(*txp); + *txp = tskb; } - mse102x_push_header(txp); + mse102x_push_header(*txp); if (pad) - skb_put_zero(txp, pad); + skb_put_zero(*txp, pad); - mse102x_put_footer(txp); + mse102x_put_footer(*txp); - xfer->tx_buf = txp->data; + xfer->tx_buf = (*txp)->data; xfer->rx_buf = NULL; - xfer->len = txp->len; + xfer->len = (*txp)->len; ret = spi_sync(mses->spidev, msg); if (ret < 0) { @@ -368,7 +368,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) mse->ndev->stats.rx_bytes += rxlen; } -static int mse102x_tx_pkt_spi(struct mse102x_net *mse, struct sk_buff *txb, +static int mse102x_tx_pkt_spi(struct mse102x_net *mse, struct sk_buff **txb, unsigned long work_timeout) { unsigned int pad = 0; @@ -377,11 +377,11 @@ static int mse102x_tx_pkt_spi(struct mse102x_net *mse, struct sk_buff *txb, int ret; bool first = true; - if (txb->len < ETH_ZLEN) - pad = ETH_ZLEN - txb->len; + if ((*txb)->len < ETH_ZLEN) + pad = ETH_ZLEN - (*txb)->len; while (1) { - mse102x_tx_cmd_spi(mse, CMD_RTS | (txb->len + pad)); + mse102x_tx_cmd_spi(mse, CMD_RTS | ((*txb)->len + pad)); ret = mse102x_rx_cmd_spi(mse, (u8 *)&rx); cmd_resp = be16_to_cpu(rx); @@ -437,7 +437,7 @@ static void mse102x_tx_work(struct work_struct *work) while ((txb = skb_dequeue(&mse->txq))) { mutex_lock(&mses->lock); - ret = mse102x_tx_pkt_spi(mse, txb, work_timeout); + ret = mse102x_tx_pkt_spi(mse, &txb, work_timeout); mutex_unlock(&mses->lock); if (ret) { mse->ndev->stats.tx_dropped++; -- 2.34.1

10 months, 4 weeks

3
6
0 0

+ mm-resolve-faulty-mmap_region-error-path-behaviour.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: resolve faulty mmap_region() error path behaviour has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-resolve-faulty-mmap_region-error-path-behaviour.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: resolve faulty mmap_region() error path behaviour Date: Tue, 29 Oct 2024 18:11:48 +0000 The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here: 1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths. 2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite. 3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this. With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust. Link: https://lkml.kernel.org/r/6e0becb36d2f5472053ac5d544c0edfe9b899e25.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Tested-by: Mark Brown <broonie(a)kernel.org> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mmap.c | 121 ++++++++++++++++++++++++++++------------------------ 1 file changed, 66 insertions(+), 55 deletions(-) --- a/mm/mmap.c~mm-resolve-faulty-mmap_region-error-path-behaviour +++ a/mm/mmap.c @@ -1358,20 +1358,18 @@ int do_munmap(struct mm_struct *mm, unsi return do_vmi_munmap(&vmi, mm, start, len, uf, false); } -unsigned long mmap_region(struct file *file, unsigned long addr, +static unsigned long __mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, struct list_head *uf) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; pgoff_t pglen = PHYS_PFN(len); - struct vm_area_struct *merge; unsigned long charged = 0; struct vma_munmap_struct vms; struct ma_state mas_detach; struct maple_tree mt_detach; unsigned long end = addr + len; - bool writable_file_mapping = false; int error; VMA_ITERATOR(vmi, mm, addr); VMG_STATE(vmg, mm, &vmi, addr, end, vm_flags, pgoff); @@ -1445,28 +1443,26 @@ unsigned long mmap_region(struct file *f vm_flags_init(vma, vm_flags); vma->vm_page_prot = vm_get_page_prot(vm_flags); + if (vma_iter_prealloc(&vmi, vma)) { + error = -ENOMEM; + goto free_vma; + } + if (file) { vma->vm_file = get_file(file); error = mmap_file(file, vma); if (error) - goto unmap_and_free_vma; - - if (vma_is_shared_maywrite(vma)) { - error = mapping_map_writable(file->f_mapping); - if (error) - goto close_and_free_vma; - - writable_file_mapping = true; - } + goto unmap_and_free_file_vma; + /* Drivers cannot alter the address of the VMA. */ + WARN_ON_ONCE(addr != vma->vm_start); /* - * Expansion is handled above, merging is handled below. - * Drivers should not alter the address of the VMA. + * Drivers should not permit writability when previously it was + * disallowed. */ - if (WARN_ON((addr != vma->vm_start))) { - error = -EINVAL; - goto close_and_free_vma; - } + VM_WARN_ON_ONCE(vm_flags != vma->vm_flags && + !(vm_flags & VM_MAYWRITE) && + (vma->vm_flags & VM_MAYWRITE)); vma_iter_config(&vmi, addr, end); /* @@ -1474,6 +1470,8 @@ unsigned long mmap_region(struct file *f * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) { + struct vm_area_struct *merge; + vmg.flags = vma->vm_flags; /* If this fails, state is reset ready for a reattempt. */ merge = vma_merge_new_range(&vmg); @@ -1491,7 +1489,7 @@ unsigned long mmap_region(struct file *f vma = merge; /* Update vm_flags to pick up the change. */ vm_flags = vma->vm_flags; - goto unmap_writable; + goto file_expanded; } vma_iter_config(&vmi, addr, end); } @@ -1500,26 +1498,15 @@ unsigned long mmap_region(struct file *f } else if (vm_flags & VM_SHARED) { error = shmem_zero_setup(vma); if (error) - goto free_vma; + goto free_iter_vma; } else { vma_set_anonymous(vma); } - if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { - error = -EACCES; - goto close_and_free_vma; - } - - /* Allow architectures to sanity-check the vm_flags */ - if (!arch_validate_flags(vma->vm_flags)) { - error = -EINVAL; - goto close_and_free_vma; - } - - if (vma_iter_prealloc(&vmi, vma)) { - error = -ENOMEM; - goto close_and_free_vma; - } +#ifdef CONFIG_SPARC64 + /* TODO: Fix SPARC ADI! */ + WARN_ON_ONCE(!arch_validate_flags(vm_flags)); +#endif /* Lock the VMA since it is modified after insertion into VMA tree */ vma_start_write(vma); @@ -1533,10 +1520,7 @@ unsigned long mmap_region(struct file *f */ khugepaged_enter_vma(vma, vma->vm_flags); - /* Once vma denies write, undo our temporary denial count */ -unmap_writable: - if (writable_file_mapping) - mapping_unmap_writable(file->f_mapping); +file_expanded: file = vma->vm_file; ksm_add_vma(vma); expanded: @@ -1569,23 +1553,17 @@ expanded: vma_set_page_prot(vma); - validate_mm(mm); return addr; -close_and_free_vma: - vma_close(vma); - - if (file || vma->vm_file) { -unmap_and_free_vma: - fput(vma->vm_file); - vma->vm_file = NULL; - - vma_iter_set(&vmi, vma->vm_end); - /* Undo any partial mapping done by a device driver. */ - unmap_region(&vmi.mas, vma, vmg.prev, vmg.next); - } - if (writable_file_mapping) - mapping_unmap_writable(file->f_mapping); +unmap_and_free_file_vma: + fput(vma->vm_file); + vma->vm_file = NULL; + + vma_iter_set(&vmi, vma->vm_end); + /* Undo any partial mapping done by a device driver. */ + unmap_region(&vmi.mas, vma, vmg.prev, vmg.next); +free_iter_vma: + vma_iter_free(&vmi); free_vma: vm_area_free(vma); unacct_error: @@ -1595,10 +1573,43 @@ unacct_error: abort_munmap: vms_abort_munmap_vmas(&vms, &mas_detach); gather_failed: - validate_mm(mm); return error; } +unsigned long mmap_region(struct file *file, unsigned long addr, + unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, + struct list_head *uf) +{ + unsigned long ret; + bool writable_file_mapping = false; + + /* Check to see if MDWE is applicable. */ + if (map_deny_write_exec(vm_flags, vm_flags)) + return -EACCES; + + /* Allow architectures to sanity-check the vm_flags. */ + if (!arch_validate_flags(vm_flags)) + return -EINVAL; + + /* Map writable and ensure this isn't a sealed memfd. */ + if (file && is_shared_maywrite(vm_flags)) { + int error = mapping_map_writable(file->f_mapping); + + if (error) + return error; + writable_file_mapping = true; + } + + ret = __mmap_region(file, addr, len, vm_flags, pgoff, uf); + + /* Clear our write mapping regardless of error. */ + if (writable_file_mapping) + mapping_unmap_writable(file->f_mapping); + + validate_mm(current->mm); + return ret; +} + static int __vm_munmap(unsigned long start, size_t len, bool unlock) { int ret; _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems-fix.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-remove-unnecessary-reset-state-logic-on-merge-new-vma.patch mm-defer-second-attempt-at-merge-on-mmap.patch mm-defer-second-attempt-at-merge-on-mmap-fix.patch mm-pagewalk-add-the-ability-to-install-ptes.patch mm-add-pte_marker_guard-pte-marker.patch mm-madvise-implement-lightweight-guard-page-mechanism.patch tools-testing-update-tools-uapi-header-for-mman-commonh.patch selftests-mm-add-self-tests-for-guard-page-feature.patch

10 months, 4 weeks

1
0
0 0

+ mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Date: Tue, 29 Oct 2024 18:11:47 +0000 Currently MTE is permitted in two circumstances (desiring to use MTE having been specified by the VM_MTE flag) - where MAP_ANONYMOUS is specified, as checked by arch_calc_vm_flag_bits() and actualised by setting the VM_MTE_ALLOWED flag, or if the file backing the mapping is shmem, in which case we set VM_MTE_ALLOWED in shmem_mmap() when the mmap hook is activated in mmap_region(). The function that checks that, if VM_MTE is set, VM_MTE_ALLOWED is also set is the arm64 implementation of arch_validate_flags(). Unfortunately, we intend to refactor mmap_region() to perform this check earlier, meaning that in the case of a shmem backing we will not have invoked shmem_mmap() yet, causing the mapping to fail spuriously. It is inappropriate to set this architecture-specific flag in general mm code anyway, so a sensible resolution of this issue is to instead move the check somewhere else. We resolve this by setting VM_MTE_ALLOWED much earlier in do_mmap(), via the arch_calc_vm_flag_bits() call. This is an appropriate place to do this as we already check for the MAP_ANONYMOUS case here, and the shmem file case is simply a variant of the same idea - we permit RAM-backed memory. This requires a modification to the arch_calc_vm_flag_bits() signature to pass in a pointer to the struct file associated with the mapping, however this is not too egregious as this is only used by two architectures anyway - arm64 and parisc. So this patch performs this adjustment and removes the unnecessary assignment of VM_MTE_ALLOWED in shmem_mmap(). Link: https://lkml.kernel.org/r/ec251b20ba1964fb64cf1607d2ad80c47f3873df.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Suggested-by: Catalin Marinas <catalin.marinas(a)arm.com> Reported-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/arm64/include/asm/mman.h | 10 +++++++--- arch/parisc/include/asm/mman.h | 5 +++-- include/linux/mman.h | 7 ++++--- mm/mmap.c | 2 +- mm/nommu.c | 2 +- mm/shmem.c | 3 --- 6 files changed, 16 insertions(+), 13 deletions(-) --- a/arch/arm64/include/asm/mman.h~mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling +++ a/arch/arm64/include/asm/mman.h @@ -6,6 +6,8 @@ #ifndef BUILD_VDSO #include <linux/compiler.h> +#include <linux/fs.h> +#include <linux/shmem_fs.h> #include <linux/types.h> static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot, @@ -31,19 +33,21 @@ static inline unsigned long arch_calc_vm } #define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey) -static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) +static inline unsigned long arch_calc_vm_flag_bits(struct file *file, + unsigned long flags) { /* * Only allow MTE on anonymous mappings as these are guaranteed to be * backed by tags-capable memory. The vm_flags may be overridden by a * filesystem supporting MTE (RAM-based). */ - if (system_supports_mte() && (flags & MAP_ANONYMOUS)) + if (system_supports_mte() && + ((flags & MAP_ANONYMOUS) || shmem_file(file))) return VM_MTE_ALLOWED; return 0; } -#define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) +#define arch_calc_vm_flag_bits(file, flags) arch_calc_vm_flag_bits(file, flags) static inline bool arch_validate_prot(unsigned long prot, unsigned long addr __always_unused) --- a/arch/parisc/include/asm/mman.h~mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling +++ a/arch/parisc/include/asm/mman.h @@ -2,6 +2,7 @@ #ifndef __ASM_MMAN_H__ #define __ASM_MMAN_H__ +#include <linux/fs.h> #include <uapi/asm/mman.h> /* PARISC cannot allow mdwe as it needs writable stacks */ @@ -11,7 +12,7 @@ static inline bool arch_memory_deny_writ } #define arch_memory_deny_write_exec_supported arch_memory_deny_write_exec_supported -static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) +static inline unsigned long arch_calc_vm_flag_bits(struct file *file, unsigned long flags) { /* * The stack on parisc grows upwards, so if userspace requests memory @@ -23,6 +24,6 @@ static inline unsigned long arch_calc_vm return 0; } -#define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) +#define arch_calc_vm_flag_bits(file, flags) arch_calc_vm_flag_bits(file, flags) #endif /* __ASM_MMAN_H__ */ --- a/include/linux/mman.h~mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling +++ a/include/linux/mman.h @@ -2,6 +2,7 @@ #ifndef _LINUX_MMAN_H #define _LINUX_MMAN_H +#include <linux/fs.h> #include <linux/mm.h> #include <linux/percpu_counter.h> @@ -94,7 +95,7 @@ static inline void vm_unacct_memory(long #endif #ifndef arch_calc_vm_flag_bits -#define arch_calc_vm_flag_bits(flags) 0 +#define arch_calc_vm_flag_bits(file, flags) 0 #endif #ifndef arch_validate_prot @@ -151,13 +152,13 @@ calc_vm_prot_bits(unsigned long prot, un * Combine the mmap "flags" argument into "vm_flags" used internally. */ static inline unsigned long -calc_vm_flag_bits(unsigned long flags) +calc_vm_flag_bits(struct file *file, unsigned long flags) { return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | - arch_calc_vm_flag_bits(flags); + arch_calc_vm_flag_bits(file, flags); } unsigned long vm_commit_limit(void); --- a/mm/mmap.c~mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling +++ a/mm/mmap.c @@ -344,7 +344,7 @@ unsigned long do_mmap(struct file *file, * to. we assume access permissions have been handled by the open * of the memory object, so we don't do any here. */ - vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) | + vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(file, flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; /* Obtain the address to map to. we verify (or select) it and ensure --- a/mm/nommu.c~mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling +++ a/mm/nommu.c @@ -842,7 +842,7 @@ static unsigned long determine_vm_flags( { unsigned long vm_flags; - vm_flags = calc_vm_prot_bits(prot, 0) | calc_vm_flag_bits(flags); + vm_flags = calc_vm_prot_bits(prot, 0) | calc_vm_flag_bits(file, flags); if (!file) { /* --- a/mm/shmem.c~mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling +++ a/mm/shmem.c @@ -2733,9 +2733,6 @@ static int shmem_mmap(struct file *file, if (ret) return ret; - /* arm64 - allow memory tagging on RAM-based files */ - vm_flags_set(vma, VM_MTE_ALLOWED); - file_accessed(file); /* This is anonymous shared memory if it is unlinked at the time of mmap */ if (inode->i_nlink) _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems-fix.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-remove-unnecessary-reset-state-logic-on-merge-new-vma.patch mm-defer-second-attempt-at-merge-on-mmap.patch mm-defer-second-attempt-at-merge-on-mmap-fix.patch mm-pagewalk-add-the-ability-to-install-ptes.patch mm-add-pte_marker_guard-pte-marker.patch mm-madvise-implement-lightweight-guard-page-mechanism.patch tools-testing-update-tools-uapi-header-for-mman-commonh.patch selftests-mm-add-self-tests-for-guard-page-feature.patch

10 months, 4 weeks

1
0
0 0

+ mm-refactor-map_deny_write_exec.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: refactor map_deny_write_exec() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-refactor-map_deny_write_exec.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: refactor map_deny_write_exec() Date: Tue, 29 Oct 2024 18:11:46 +0000 Refactor the map_deny_write_exec() to not unnecessarily require a VMA parameter but rather to accept VMA flags parameters, which allows us to use this function early in mmap_region() in a subsequent commit. While we're here, we refactor the function to be more readable and add some additional documentation. Link: https://lkml.kernel.org/r/6be8bb59cd7c68006ebb006eb9d8dc27104b1f70.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mman.h | 21 ++++++++++++++++++--- mm/mmap.c | 2 +- mm/mprotect.c | 2 +- mm/vma.h | 2 +- 4 files changed, 21 insertions(+), 6 deletions(-) --- a/include/linux/mman.h~mm-refactor-map_deny_write_exec +++ a/include/linux/mman.h @@ -188,16 +188,31 @@ static inline bool arch_memory_deny_writ * * d) mmap(PROT_READ | PROT_EXEC) * mmap(PROT_READ | PROT_EXEC | PROT_BTI) + * + * This is only applicable if the user has set the Memory-Deny-Write-Execute + * (MDWE) protection mask for the current process. + * + * @old specifies the VMA flags the VMA originally possessed, and @new the ones + * we propose to set. + * + * Return: false if proposed change is OK, true if not ok and should be denied. */ -static inline bool map_deny_write_exec(struct vm_area_struct *vma, unsigned long vm_flags) +static inline bool map_deny_write_exec(unsigned long old, unsigned long new) { + /* If MDWE is disabled, we have nothing to deny. */ if (!test_bit(MMF_HAS_MDWE, &current->mm->flags)) return false; - if ((vm_flags & VM_EXEC) && (vm_flags & VM_WRITE)) + /* If the new VMA is not executable, we have nothing to deny. */ + if (!(new & VM_EXEC)) + return false; + + /* Under MDWE we do not accept newly writably executable VMAs... */ + if (new & VM_WRITE) return true; - if (!(vma->vm_flags & VM_EXEC) && (vm_flags & VM_EXEC)) + /* ...nor previously non-executable VMAs becoming executable. */ + if (!(old & VM_EXEC)) return true; return false; --- a/mm/mmap.c~mm-refactor-map_deny_write_exec +++ a/mm/mmap.c @@ -1505,7 +1505,7 @@ unsigned long mmap_region(struct file *f vma_set_anonymous(vma); } - if (map_deny_write_exec(vma, vma->vm_flags)) { + if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { error = -EACCES; goto close_and_free_vma; } --- a/mm/mprotect.c~mm-refactor-map_deny_write_exec +++ a/mm/mprotect.c @@ -810,7 +810,7 @@ static int do_mprotect_pkey(unsigned lon break; } - if (map_deny_write_exec(vma, newflags)) { + if (map_deny_write_exec(vma->vm_flags, newflags)) { error = -EACCES; break; } --- a/mm/vma.h~mm-refactor-map_deny_write_exec +++ a/mm/vma.h @@ -42,7 +42,7 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - /* 1 byte hole */ + /* 2 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ unsigned long nr_accounted; /* Number of VM_ACCOUNT pages */ _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems-fix.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-remove-unnecessary-reset-state-logic-on-merge-new-vma.patch mm-defer-second-attempt-at-merge-on-mmap.patch mm-defer-second-attempt-at-merge-on-mmap-fix.patch mm-pagewalk-add-the-ability-to-install-ptes.patch mm-add-pte_marker_guard-pte-marker.patch mm-madvise-implement-lightweight-guard-page-mechanism.patch tools-testing-update-tools-uapi-header-for-mman-commonh.patch selftests-mm-add-self-tests-for-guard-page-feature.patch

10 months, 4 weeks

1
0
0 0

+ mm-unconditionally-close-vmas-on-error.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: unconditionally close VMAs on error has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-unconditionally-close-vmas-on-error.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: unconditionally close VMAs on error Date: Tue, 29 Oct 2024 18:11:45 +0000 Incorrect invocation of VMA callbacks when the VMA is no longer in a consistent state is bug prone and risky to perform. With regards to the important vm_ops->close() callback We have gone to great lengths to try to track whether or not we ought to close VMAs. Rather than doing so and risking making a mistake somewhere, instead unconditionally close and reset vma->vm_ops to an empty dummy operations set with a NULL .close operator. We introduce a new function to do so - vma_close() - and simplify existing vms logic which tracked whether we needed to close or not. This simplifies the logic, avoids incorrect double-calling of the .close() callback and allows us to update error paths to simply call vma_close() unconditionally - making VMA closure idempotent. Link: https://lkml.kernel.org/r/28e89dda96f68c505cb6f8e9fc9b57c3e9f74b42.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 18 ++++++++++++++++++ mm/mmap.c | 5 ++--- mm/nommu.c | 3 +-- mm/vma.c | 14 +++++--------- mm/vma.h | 4 +--- 5 files changed, 27 insertions(+), 17 deletions(-) --- a/mm/internal.h~mm-unconditionally-close-vmas-on-error +++ a/mm/internal.h @@ -135,6 +135,24 @@ static inline int mmap_file(struct file return err; } +/* + * If the VMA has a close hook then close it, and since closing it might leave + * it in an inconsistent state which makes the use of any hooks suspect, clear + * them down by installing dummy empty hooks. + */ +static inline void vma_close(struct vm_area_struct *vma) +{ + if (vma->vm_ops && vma->vm_ops->close) { + vma->vm_ops->close(vma); + + /* + * The mapping is in an inconsistent state, and no further hooks + * may be invoked upon it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + } +} + #ifdef CONFIG_MMU /* Flags for folio_pte_batch(). */ --- a/mm/mmap.c~mm-unconditionally-close-vmas-on-error +++ a/mm/mmap.c @@ -1573,8 +1573,7 @@ expanded: return addr; close_and_free_vma: - if (file && !vms.closed_vm_ops && vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (file || vma->vm_file) { unmap_and_free_vma: @@ -1934,7 +1933,7 @@ void exit_mmap(struct mm_struct *mm) do { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); - remove_vma(vma, /* unreachable = */ true, /* closed = */ false); + remove_vma(vma, /* unreachable = */ true); count++; cond_resched(); vma = vma_next(&vmi); --- a/mm/nommu.c~mm-unconditionally-close-vmas-on-error +++ a/mm/nommu.c @@ -589,8 +589,7 @@ static int delete_vma_from_mm(struct vm_ */ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) { - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); put_nommu_region(vma->vm_region); --- a/mm/vma.c~mm-unconditionally-close-vmas-on-error +++ a/mm/vma.c @@ -323,11 +323,10 @@ static bool can_vma_merge_right(struct v /* * Close a vm structure and free it. */ -void remove_vma(struct vm_area_struct *vma, bool unreachable, bool closed) +void remove_vma(struct vm_area_struct *vma, bool unreachable) { might_sleep(); - if (!closed && vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); mpol_put(vma_policy(vma)); @@ -1115,9 +1114,7 @@ void vms_clean_up_area(struct vma_munmap vms_clear_ptes(vms, mas_detach, true); mas_set(mas_detach, 0); mas_for_each(mas_detach, vma, ULONG_MAX) - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); - vms->closed_vm_ops = true; + vma_close(vma); } /* @@ -1160,7 +1157,7 @@ void vms_complete_munmap_vmas(struct vma /* Remove and clean up vmas */ mas_set(mas_detach, 0); mas_for_each(mas_detach, vma, ULONG_MAX) - remove_vma(vma, /* = */ false, vms->closed_vm_ops); + remove_vma(vma, /* unreachable = */ false); vm_unacct_memory(vms->nr_accounted); validate_mm(mm); @@ -1684,8 +1681,7 @@ struct vm_area_struct *copy_vma(struct v return new_vma; out_vma_link: - if (new_vma->vm_ops && new_vma->vm_ops->close) - new_vma->vm_ops->close(new_vma); + vma_close(new_vma); if (new_vma->vm_file) fput(new_vma->vm_file); --- a/mm/vma.h~mm-unconditionally-close-vmas-on-error +++ a/mm/vma.h @@ -42,7 +42,6 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - bool closed_vm_ops; /* call_mmap() was encountered, so vmas may be closed */ /* 1 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ @@ -198,7 +197,6 @@ static inline void init_vma_munmap(struc vms->unmap_start = FIRST_USER_ADDRESS; vms->unmap_end = USER_PGTABLES_CEILING; vms->clear_ptes = false; - vms->closed_vm_ops = false; } #endif @@ -269,7 +267,7 @@ int do_vmi_munmap(struct vma_iterator *v unsigned long start, size_t len, struct list_head *uf, bool unlock); -void remove_vma(struct vm_area_struct *vma, bool unreachable, bool closed); +void remove_vma(struct vm_area_struct *vma, bool unreachable); void unmap_region(struct ma_state *mas, struct vm_area_struct *vma, struct vm_area_struct *prev, struct vm_area_struct *next); _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems-fix.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-remove-unnecessary-reset-state-logic-on-merge-new-vma.patch mm-defer-second-attempt-at-merge-on-mmap.patch mm-defer-second-attempt-at-merge-on-mmap-fix.patch mm-pagewalk-add-the-ability-to-install-ptes.patch mm-add-pte_marker_guard-pte-marker.patch mm-madvise-implement-lightweight-guard-page-mechanism.patch tools-testing-update-tools-uapi-header-for-mman-commonh.patch selftests-mm-add-self-tests-for-guard-page-feature.patch

10 months, 4 weeks

1
0
0 0

+ mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: avoid unsafe VMA hook invocation when error arises on mmap hook has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: avoid unsafe VMA hook invocation when error arises on mmap hook Date: Tue, 29 Oct 2024 18:11:44 +0000 Patch series "fix error handling in mmap_region() and refactor (hotfixes)", v4. mmap_region() is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. This series goes to great lengths to simplify how mmap_region() works and to avoid unwinding errors late on in the process of setting up the VMA for the new mapping, and equally avoids such operations occurring while the VMA is in an inconsistent state. The patches in this series comprise the minimal changes required to resolve existing issues in mmap_region() error handling, in order that they can be hotfixed and backported. There is additionally a follow up series which goes further, separated out from the v1 series and sent and updated separately. This patch (of 5): After an attempted mmap() fails, we are no longer in a situation where we can safely interact with VMA hooks. This is currently not enforced, meaning that we need complicated handling to ensure we do not incorrectly call these hooks. We can avoid the whole issue by treating the VMA as suspect the moment that the file->f_ops->mmap() function reports an error by replacing whatever VMA operations were installed with a dummy empty set of VMA operations. We do so through a new helper function internal to mm - mmap_file() - which is both more logically named than the existing call_mmap() function and correctly isolates handling of the vm_op reassignment to mm. All the existing invocations of call_mmap() outside of mm are ultimately nested within the call_mmap() from mm, which we now replace. It is therefore safe to leave call_mmap() in place as a convenience function (and to avoid churn). The invokers are: ovl_file_operations -> mmap -> ovl_mmap() -> backing_file_mmap() coda_file_operations -> mmap -> coda_file_mmap() shm_file_operations -> shm_mmap() shm_file_operations_huge -> shm_mmap() dma_buf_fops -> dma_buf_mmap_internal -> i915_dmabuf_ops -> i915_gem_dmabuf_mmap() None of these callers interact with vm_ops or mappings in a problematic way on error, quickly exiting out. Link: https://lkml.kernel.org/r/cover.1730224667.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/d41fd763496fd0048a962f3fd9407dc72dd4fd86.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 27 +++++++++++++++++++++++++++ mm/mmap.c | 6 +++--- mm/nommu.c | 4 ++-- 3 files changed, 32 insertions(+), 5 deletions(-) --- a/mm/internal.h~mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook +++ a/mm/internal.h @@ -108,6 +108,33 @@ static inline void *folio_raw_mapping(co return (void *)(mapping & ~PAGE_MAPPING_FLAGS); } +/* + * This is a file-backed mapping, and is about to be memory mapped - invoke its + * mmap hook and safely handle error conditions. On error, VMA hooks will be + * mutated. + * + * @file: File which backs the mapping. + * @vma: VMA which we are mapping. + * + * Returns: 0 if success, error otherwise. + */ +static inline int mmap_file(struct file *file, struct vm_area_struct *vma) +{ + int err = call_mmap(file, vma); + + if (likely(!err)) + return 0; + + /* + * OK, we tried to call the file hook for mmap(), but an error + * arose. The mapping is in an inconsistent state and we most not invoke + * any further hooks on it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + + return err; +} + #ifdef CONFIG_MMU /* Flags for folio_pte_batch(). */ --- a/mm/mmap.c~mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook +++ a/mm/mmap.c @@ -1422,7 +1422,7 @@ unsigned long mmap_region(struct file *f /* * clear PTEs while the vma is still in the tree so that rmap * cannot race with the freeing later in the truncate scenario. - * This is also needed for call_mmap(), which is why vm_ops + * This is also needed for mmap_file(), which is why vm_ops * close function is called. */ vms_clean_up_area(&vms, &mas_detach); @@ -1447,7 +1447,7 @@ unsigned long mmap_region(struct file *f if (file) { vma->vm_file = get_file(file); - error = call_mmap(file, vma); + error = mmap_file(file, vma); if (error) goto unmap_and_free_vma; @@ -1470,7 +1470,7 @@ unsigned long mmap_region(struct file *f vma_iter_config(&vmi, addr, end); /* - * If vm_flags changed after call_mmap(), we should try merge + * If vm_flags changed after mmap_file(), we should try merge * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) { --- a/mm/nommu.c~mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook +++ a/mm/nommu.c @@ -885,7 +885,7 @@ static int do_mmap_shared_file(struct vm { int ret; - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); if (ret == 0) { vma->vm_region->vm_top = vma->vm_region->vm_end; return 0; @@ -918,7 +918,7 @@ static int do_mmap_private(struct vm_are * happy. */ if (capabilities & NOMMU_MAP_DIRECT) { - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); /* shouldn't return success if we're not sharing */ if (WARN_ON_ONCE(!is_nommu_shared_mapping(vma->vm_flags))) ret = -ENOSYS; _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch mm-unconditionally-close-vmas-on-error.patch mm-refactor-map_deny_write_exec.patch mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch mm-resolve-faulty-mmap_region-error-path-behaviour.patch selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch maple_tree-do-not-hash-pointers-on-dump-in-debug-mode.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems.patch tools-testing-fix-phys_addr_t-size-on-64-bit-systems-fix.patch tools-testing-add-additional-vma_internalh-stubs.patch mm-isolate-mmap-internal-logic-to-mm-vmac.patch mm-refactor-__mmap_region.patch mm-remove-unnecessary-reset-state-logic-on-merge-new-vma.patch mm-defer-second-attempt-at-merge-on-mmap.patch mm-defer-second-attempt-at-merge-on-mmap-fix.patch mm-pagewalk-add-the-ability-to-install-ptes.patch mm-add-pte_marker_guard-pte-marker.patch mm-madvise-implement-lightweight-guard-page-mechanism.patch tools-testing-update-tools-uapi-header-for-mman-commonh.patch selftests-mm-add-self-tests-for-guard-page-feature.patch

10 months, 4 weeks

1
0
0 0

[PATCH] ARM: dts: omap36xx: declare 1GHz OPP as turbo again

by Andreas Kemnade

Operating stable without reduced chip life at 1Ghz needs several technologies working: The technologies involve - SmartReflex - DVFS As this cannot directly specified in the OPP table as dependecies in the devicetree yet, use the turbo flag again to mark this OPP as something special to have some kind of opt-in. So revert commit 5f1bf7ae8481 ("ARM: dts: omap36xx: Remove turbo mode for 1GHz variants") Practical reasoning: At least the GTA04A5 (DM3730) has become unstable with that OPP enabled. Furthermore nothing enforces the availability of said technologies, even in the kernel configuration, so allow users to rather opt-in. Cc: Stable(a)vger.kernel.org Fixes: 5f1bf7ae8481 ("ARM: dts: omap36xx: Remove turbo mode for 1GHz variants") Signed-off-by: Andreas Kemnade <andreas(a)kemnade.info> --- arch/arm/boot/dts/ti/omap/omap36xx.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/boot/dts/ti/omap/omap36xx.dtsi b/arch/arm/boot/dts/ti/omap/omap36xx.dtsi index c3d79ecd56e39..c217094b50abc 100644 --- a/arch/arm/boot/dts/ti/omap/omap36xx.dtsi +++ b/arch/arm/boot/dts/ti/omap/omap36xx.dtsi @@ -72,6 +72,7 @@ opp-1000000000 { <1375000 1375000 1375000>; /* only on am/dm37x with speed-binned bit set */ opp-supported-hw = <0xffffffff 2>; + turbo-mode; }; }; -- 2.39.2

10 months, 4 weeks

2
1
0 0

[PATCH] ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

by Andrew Kanner

Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove(): [ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12 [ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry [ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004 [...] [ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [...] [ 57.331328] Call Trace: [ 57.331477] <TASK> [...] [ 57.333511] ? do_user_addr_fault+0x3e5/0x740 [ 57.333778] ? exc_page_fault+0x70/0x170 [ 57.334016] ? asm_exc_page_fault+0x2b/0x30 [ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10 [ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0 [ 57.335164] ocfs2_xa_set+0x704/0xcf0 [ 57.335381] ? _raw_spin_unlock+0x1a/0x40 [ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20 [ 57.335915] ? trace_preempt_on+0x1e/0x70 [ 57.336153] ? start_this_handle+0x16c/0x500 [ 57.336410] ? preempt_count_sub+0x50/0x80 [ 57.336656] ? _raw_read_unlock+0x20/0x40 [ 57.336906] ? start_this_handle+0x16c/0x500 [ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0 [ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0 [ 57.337706] ? ocfs2_start_trans+0x13d/0x290 [ 57.337971] ocfs2_xattr_set+0xb13/0xfb0 [ 57.338207] ? dput+0x46/0x1c0 [ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30 [ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30 [ 57.338948] __vfs_removexattr+0x92/0xc0 [ 57.339182] __vfs_removexattr_locked+0xd5/0x190 [ 57.339456] ? preempt_count_sub+0x50/0x80 [ 57.339705] vfs_removexattr+0x5f/0x100 [...] Reproducer uses faultinject facility to fail ocfs2_xa_remove() -> ocfs2_xa_value_truncate() with -ENOMEM. In this case the comment mentions that we can return 0 if ocfs2_xa_cleanup_value_truncate() is going to wipe the entry anyway. But the following 'rc' check is wrong and execution flow do 'ocfs2_xa_remove_entry(loc);' twice: * 1st: in ocfs2_xa_cleanup_value_truncate(); * 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'. Fix this by skipping the 2nd removal of the same entry and making syzkaller repro happy. Cc: stable(a)vger.kernel.org Fixes: 399ff3a748cf ("ocfs2: Handle errors while setting external xattr values.") Reported-by: syzbot+386ce9e60fa1b18aac5b(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/671e13ab.050a0220.2b8c0f.01d0.GAE@google.com/T/ Tested-by: syzbot+386ce9e60fa1b18aac5b(a)syzkaller.appspotmail.com Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> --- fs/ocfs2/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index dd0a05365e79..5bc4d660e15a 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -2036,7 +2036,7 @@ static int ocfs2_xa_remove(struct ocfs2_xa_loc *loc, rc = 0; ocfs2_xa_cleanup_value_truncate(loc, "removing", orig_clusters); - if (rc) + if (rc == 0) goto out; } } -- 2.43.5

10 months, 4 weeks

1
0
0 0

[PATCH] KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation

by David Gstir

When sealing or unsealing a key blob we currently do not wait for the AEAD cipher operation to finish and simply return after submitting the request. If there is some load on the system we can exit before the cipher operation is done and the buffer we read from/write to is already removed from the stack. This will e.g. result in NULL pointer dereference errors in the DCP driver during blob creation. Fix this by waiting for the AEAD cipher operation to finish before resuming the seal and unseal calls. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 0e28bf61a5f9 ("KEYS: trusted: dcp: fix leak of blob encryption key") Reported-by: Parthiban N <parthiban(a)linumiz.com> Closes: https://lore.kernel.org/keyrings/254d3bb1-6dbc-48b4-9c08-77df04baee2f@linum… Signed-off-by: David Gstir <david(a)sigma-star.at> --- security/keys/trusted-keys/trusted_dcp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c index 4edc5bbbcda3..e908c53a803c 100644 --- a/security/keys/trusted-keys/trusted_dcp.c +++ b/security/keys/trusted-keys/trusted_dcp.c @@ -133,6 +133,7 @@ static int do_aead_crypto(u8 *in, u8 *out, size_t len, u8 *key, u8 *nonce, struct scatterlist src_sg, dst_sg; struct crypto_aead *aead; int ret; + DECLARE_CRYPTO_WAIT(wait); aead = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC); if (IS_ERR(aead)) { @@ -163,8 +164,8 @@ static int do_aead_crypto(u8 *in, u8 *out, size_t len, u8 *key, u8 *nonce, } aead_request_set_crypt(aead_req, &src_sg, &dst_sg, len, nonce); - aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, - NULL); + aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP, + crypto_req_done, &wait); aead_request_set_ad(aead_req, 0); if (crypto_aead_setkey(aead, key, AES_KEYSIZE_128)) { @@ -174,9 +175,9 @@ static int do_aead_crypto(u8 *in, u8 *out, size_t len, u8 *key, u8 *nonce, } if (do_encrypt) - ret = crypto_aead_encrypt(aead_req); + ret = crypto_wait_req(crypto_aead_encrypt(aead_req), &wait); else - ret = crypto_aead_decrypt(aead_req); + ret = crypto_wait_req(crypto_aead_decrypt(aead_req), &wait); free_req: aead_request_free(aead_req); -- 2.47.0

10 months, 4 weeks

2
2
0 0

[PATCH] jfs: xattr: check invalid xattr size more strictly

by Artem Sadovnikov

Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr") also addresses this issue but it only fixes it for positive values, while ea_size is an integer type and can take negative values, e.g. in case of a corrupted filesystem. This still breaks validation and would overflow because of implicit conversion from int to size_t in print_hex_dump(). Fix this issue by clamping the ea_size value instead. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Cc: stable(a)vger.kernel.org Signed-off-by: Artem Sadovnikov <ancowi69(a)gmail.com> --- fs/jfs/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c index 8ef8dfc3c194..95bcbbf7359c 100644 --- a/fs/jfs/xattr.c +++ b/fs/jfs/xattr.c @@ -557,7 +557,7 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) size_check: if (EALIST_SIZE(ea_buf->xattr) != ea_size) { - int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); + int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); printk(KERN_ERR "ea_get: invalid extended attribute\n"); print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, -- 2.43.0

10 months, 4 weeks

2
1
0 0

ZRAM - too much CPU usage with high number of user.

by adam langowicz

Hey. Need optimization ZRAM - on 1 or 2 user on machine ZRAM has low CPU usage - but on 175 or more user on shared machine has a HIGH CPU usage. Can anyone test ZRAM on high number of user - and add some patch to low CPU usage around of 10% to 15 % ?

10 months, 4 weeks

1
0
0 0

[PATCH 6.1.y v2] cpufreq: amd-pstate: Enable CPU boost in passive and guided modes

by Nabil S. Alramli

CPU frequency cannot be boosted when using the amd_pstate driver in passive or guided mode. On a host that has an AMD EPYC 7662 processor, while running with amd-pstate configured for passive mode on full CPU load, the processor only reaches 2.0 GHz. On later kernels the CPU can reach 3.3GHz. The CPU frequency is dependent on a setting called highest_perf which is the multiplier used to compute it. The highest_perf value comes from cppc_init_perf when the driver is built-in and from pstate_init_perf when it is a loaded module. Both of these calls have the following condition: highest_perf = amd_get_highest_perf(); if (highest_perf > __cppc_highest_perf_) highest_perf = __cppc_highest_perf; Where again __cppc_highest_perf is either the return from cppc_get_perf_caps in the built-in case or AMD_CPPC_HIGHEST_PERF in the module case. Both of these functions actually return the nominal value, whereas the call to amd_get_highest_perf returns the correct boost value, so the condition tests true and highest_perf always ends up being the nominal value, therefore never having the ability to boost CPU frequency. Since amd_get_highest_perf already returns the boost value, we have eliminated this check. The issue was introduced in v6.1 via commit bedadcfb011f ("cpufreq: amd-pstate: Fix initial highest_perf value"), and exists in stable v6.1 kernels. This has been fixed in v6.6.y and newer but due to refactoring that change isn't feasible to bring back to v6.1.y. Thus, v6.1 kernels are affected by this significant performance issue, and cannot be easily remediated. Signed-off-by: Nabil S. Alramli <dev(a)nalramli.com> Reviewed-by: Joe Damato <jdamato(a)fastly.com> Reviewed-by: Kyle Hubert <khubert(a)fastly.com> Fixes: bedadcfb011f ("cpufreq: amd-pstate: Fix initial highest_perf value") See-also: 1ec40a175a48 ("cpufreq: amd-pstate: Enable amd-pstate preferred core support") Cc: mario.limonciello(a)amd.com Cc: Perry.Yuan(a)amd.com Cc: li.meng(a)amd.com Cc: stable(a)vger.kernel.org # v6.1 --- v2: - Omit cover letter - Converted from RFC to PATCH - Expand commit message based on feedback from Mario Limonciello - Added Reviewed-by tags - No functional/code changes rfc: https://lore.kernel.org/lkml/20241025010527.491605-1-dev@nalramli.com/ --- drivers/cpufreq/amd-pstate.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c index 90dcf26f0973..c66086ae624a 100644 --- a/drivers/cpufreq/amd-pstate.c +++ b/drivers/cpufreq/amd-pstate.c @@ -102,9 +102,7 @@ static int pstate_init_perf(struct amd_cpudata *cpudata) * * CPPC entry doesn't indicate the highest performance in some ASICs. */ - highest_perf = amd_get_highest_perf(); - if (highest_perf > AMD_CPPC_HIGHEST_PERF(cap1)) - highest_perf = AMD_CPPC_HIGHEST_PERF(cap1); + highest_perf = max(amd_get_highest_perf(), AMD_CPPC_HIGHEST_PERF(cap1)); WRITE_ONCE(cpudata->highest_perf, highest_perf); @@ -124,9 +122,7 @@ static int cppc_init_perf(struct amd_cpudata *cpudata) if (ret) return ret; - highest_perf = amd_get_highest_perf(); - if (highest_perf > cppc_perf.highest_perf) - highest_perf = cppc_perf.highest_perf; + highest_perf = max(amd_get_highest_perf(), cppc_perf.highest_perf); WRITE_ONCE(cpudata->highest_perf, highest_perf); -- 2.35.1

10 months, 4 weeks

2
1
0 0

[PATCH v3 0/2] Fix KASAN crash when using KASAN_VMALLOC

by Linus Walleij

This problem reported by Clement LE GOFFIC manifest when using CONFIG_KASAN_IN_VMALLOC and VMAP_STACK: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db… After some analysis it seems we are missing to sync the VMALLOC shadow memory in top level PGD to all CPUs. Add some code to perform this sync, and the bug appears to go away. As suggested by Ard, also perform a dummy read from the shadow memory of the new VMAP_STACK in the low level assembly. Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> --- Changes in v3: - Collect Mark Rutlands ACK on patch 1 - Change the simplified assembly add r2, ip, lsr #n to the canonical add r2, r2, ip, lsr #n in patch 2. - Link to v2: https://lore.kernel.org/r/20241016-arm-kasan-vmalloc-crash-v2-0-0a52fd086ee… Changes in v2: - Implement the two helper functions suggested by Russell making the KASAN PGD copying less messy. - Link to v1: https://lore.kernel.org/r/20241015-arm-kasan-vmalloc-crash-v1-0-dbb23592ca8… --- Linus Walleij (2): ARM: ioremap: Sync PGDs for VMALLOC shadow ARM: entry: Do a dummy read from VMAP shadow arch/arm/kernel/entry-armv.S | 8 ++++++++ arch/arm/mm/ioremap.c | 25 +++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241015-arm-kasan-vmalloc-crash-fcbd51416457 Best regards, -- Linus Walleij <linus.walleij(a)linaro.org>

10 months, 4 weeks

2
12
0 0

[PATCH v3] drm/xe/xe_guc_ads: save/restore OA registers

by Jonathan Cavitt

Several OA registers and allowlist registers were missing from the save/restore list for GuC and could be lost during an engine reset. Add them to the list. v2: - Fix commit message (Umesh) - Add missing closes (Ashutosh) v3: - Add missing fixes (Ashutosh) Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2249 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Suggested-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> Suggested-by: John Harrison <john.c.harrison(a)intel.com> Signed-off-by: Jonathan Cavitt <jonathan.cavitt(a)intel.com> CC: stable(a)vger.kernel.org # v6.11+ Acked-by: Ashutosh Dixit <ashutosh.dixit(a)intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> --- drivers/gpu/drm/xe/xe_guc_ads.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_guc_ads.c b/drivers/gpu/drm/xe/xe_guc_ads.c index 4e746ae98888..a196c4fb90fc 100644 --- a/drivers/gpu/drm/xe/xe_guc_ads.c +++ b/drivers/gpu/drm/xe/xe_guc_ads.c @@ -15,6 +15,7 @@ #include "regs/xe_engine_regs.h" #include "regs/xe_gt_regs.h" #include "regs/xe_guc_regs.h" +#include "regs/xe_oa_regs.h" #include "xe_bo.h" #include "xe_gt.h" #include "xe_gt_ccs_mode.h" @@ -740,6 +741,11 @@ static unsigned int guc_mmio_regset_write(struct xe_guc_ads *ads, guc_mmio_regset_write_one(ads, regset_map, e->reg, count++); } + for (i = 0; i < RING_MAX_NONPRIV_SLOTS; i++) + guc_mmio_regset_write_one(ads, regset_map, + RING_FORCE_TO_NONPRIV(hwe->mmio_base, i), + count++); + /* Wa_1607983814 */ if (needs_wa_1607983814(xe) && hwe->class == XE_ENGINE_CLASS_RENDER) { for (i = 0; i < LNCFCMOCS_REG_COUNT; i++) { @@ -748,6 +754,14 @@ static unsigned int guc_mmio_regset_write(struct xe_guc_ads *ads, } } + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL0, count++); + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL1, count++); + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL2, count++); + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL3, count++); + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL4, count++); + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL5, count++); + guc_mmio_regset_write_one(ads, regset_map, EU_PERF_CNTL6, count++); + return count; } -- 2.43.0

10 months, 4 weeks

5
13
0 0

[PATCH 5.15.y 0/2] Backport fix for CVE-2024-38538

by Sherry Yang

The 2nd patch fixes CVE-2024-38538, but it requires the helper function pskb_may_pull_reason which is defined in the 1st patch. Backport both together. Eric Dumazet (1): net: add pskb_may_pull_reason() helper Nikolay Aleksandrov (1): net: bridge: xmit: make sure we have at least eth header len bytes include/linux/skbuff.h | 19 +++++++++++++++---- net/bridge/br_device.c | 6 ++++++ 2 files changed, 21 insertions(+), 4 deletions(-) -- 2.46.0

10 months, 4 weeks

3
5
0 0

[PATCH 0/2] leds: spi-byte: fix regression introduced in stable kernels

by Fedor Pchelkin

Upstream commit 7f9ab862e05c ("leds: spi-byte: Call of_node_put() on error path") after being backported to 5.10/5.15/6.1/6.6 stable kernels introduced an access-before-initialization error - it will most likely lead to a crash in the probe function of the driver if there is no default zero initialization for the stack values. The commit moved the initialization of `struct device_node *child` lower in code, while in stable kernels its value is used in between those places. Git context of the patch does not cover the situation so it was applied without any failures. Upstream commit which removed that intermediate access to the variable is ccc35ff2fd29 ("leds: spi-byte: Use devm_led_classdev_register_ext()"). I think it's worth a backport, too. The patches for the corresponding stable trees follow in this thread. Judging by Documentation/devicetree/bindings/leds/common.yaml, "label" leds property is deprecated at least since the start of 2020. So there should be no problem with switching from "label" to "function"+"color" device name generation in kernels down to 5.10.y. -- Fedor

10 months, 4 weeks

1
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror